6c5610b1bbc577a0d0ab9f45d3030449a3e7b67636c53271f86bb1ed68cff52d

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc45a49e7db6309658aa088cfab04850N.exe
Size

90KB
MD5

bc45a49e7db6309658aa088cfab04850
SHA1

22643f7cddd9a26489f3053345250bf132373139
SHA256

6c5610b1bbc577a0d0ab9f45d3030449a3e7b67636c53271f86bb1ed68cff52d
SHA512

cbcb42f7126d1553341ac2a59491bf8f8dce921f5a6520ca220432ecba05e43736b093696295ac97baa84a462cd654868222e5595762bd1c83c8d7c3bed4de99
SSDEEP

768:Qvw9816vhKQLroUL4/wQRNrfrunMxVFA3b7glws:YEGh0oULl2unMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAB949B8-345B-4df1-9D16-7136B836ACA0}	{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5274249-7BAE-4941-859D-B53F16D988B1}	{224ED57C-F7E9-49ec-8908-8079E7101FF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B567BFC-A17E-49d7-B35C-3D31880F2941}	bc45a49e7db6309658aa088cfab04850N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80DF1B2E-CDEC-43c0-926C-206BE396E78F}	{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80DF1B2E-CDEC-43c0-926C-206BE396E78F}\stubpath = "C:\\Windows\\{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe"	{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}\stubpath = "C:\\Windows\\{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe"	{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAB949B8-345B-4df1-9D16-7136B836ACA0}\stubpath = "C:\\Windows\\{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe"	{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6A54BFC-6463-4f61-B794-9BD64CE25733}\stubpath = "C:\\Windows\\{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe"	{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5274249-7BAE-4941-859D-B53F16D988B1}\stubpath = "C:\\Windows\\{A5274249-7BAE-4941-859D-B53F16D988B1}.exe"	{224ED57C-F7E9-49ec-8908-8079E7101FF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B567BFC-A17E-49d7-B35C-3D31880F2941}\stubpath = "C:\\Windows\\{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe"	bc45a49e7db6309658aa088cfab04850N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}\stubpath = "C:\\Windows\\{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe"	{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}	{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF151410-FD55-46d1-ABEE-AE694FAB3007}\stubpath = "C:\\Windows\\{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe"	{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{224ED57C-F7E9-49ec-8908-8079E7101FF5}\stubpath = "C:\\Windows\\{224ED57C-F7E9-49ec-8908-8079E7101FF5}.exe"	{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}	{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF151410-FD55-46d1-ABEE-AE694FAB3007}	{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6A54BFC-6463-4f61-B794-9BD64CE25733}	{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{224ED57C-F7E9-49ec-8908-8079E7101FF5}	{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe

Deletes itself 1 IoCs

pid	Process
2452	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2404	{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe
2748	{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe
3028	{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe
2772	{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe
2332	{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe
1616	{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe
2844	{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe
1528	{224ED57C-F7E9-49ec-8908-8079E7101FF5}.exe
2996	{A5274249-7BAE-4941-859D-B53F16D988B1}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe	{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe
File created	C:\Windows\{224ED57C-F7E9-49ec-8908-8079E7101FF5}.exe	{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe
File created	C:\Windows\{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe	{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe
File created	C:\Windows\{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe	{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe
File created	C:\Windows\{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe	{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe
File created	C:\Windows\{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe	{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe
File created	C:\Windows\{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe	{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe
File created	C:\Windows\{A5274249-7BAE-4941-859D-B53F16D988B1}.exe	{224ED57C-F7E9-49ec-8908-8079E7101FF5}.exe
File created	C:\Windows\{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe	bc45a49e7db6309658aa088cfab04850N.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc45a49e7db6309658aa088cfab04850N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{224ED57C-F7E9-49ec-8908-8079E7101FF5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A5274249-7BAE-4941-859D-B53F16D988B1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1380	bc45a49e7db6309658aa088cfab04850N.exe
Token: SeIncBasePriorityPrivilege	2404	{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe
Token: SeIncBasePriorityPrivilege	2748	{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe
Token: SeIncBasePriorityPrivilege	3028	{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe
Token: SeIncBasePriorityPrivilege	2772	{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe
Token: SeIncBasePriorityPrivilege	2332	{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe
Token: SeIncBasePriorityPrivilege	1616	{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe
Token: SeIncBasePriorityPrivilege	2844	{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe
Token: SeIncBasePriorityPrivilege	1528	{224ED57C-F7E9-49ec-8908-8079E7101FF5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 2404	1380	bc45a49e7db6309658aa088cfab04850N.exe	31
PID 1380 wrote to memory of 2404	1380	bc45a49e7db6309658aa088cfab04850N.exe	31
PID 1380 wrote to memory of 2404	1380	bc45a49e7db6309658aa088cfab04850N.exe	31
PID 1380 wrote to memory of 2404	1380	bc45a49e7db6309658aa088cfab04850N.exe	31
PID 1380 wrote to memory of 2452	1380	bc45a49e7db6309658aa088cfab04850N.exe	32
PID 1380 wrote to memory of 2452	1380	bc45a49e7db6309658aa088cfab04850N.exe	32
PID 1380 wrote to memory of 2452	1380	bc45a49e7db6309658aa088cfab04850N.exe	32
PID 1380 wrote to memory of 2452	1380	bc45a49e7db6309658aa088cfab04850N.exe	32
PID 2404 wrote to memory of 2748	2404	{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe	33
PID 2404 wrote to memory of 2748	2404	{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe	33
PID 2404 wrote to memory of 2748	2404	{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe	33
PID 2404 wrote to memory of 2748	2404	{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe	33
PID 2404 wrote to memory of 2816	2404	{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe	34
PID 2404 wrote to memory of 2816	2404	{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe	34
PID 2404 wrote to memory of 2816	2404	{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe	34
PID 2404 wrote to memory of 2816	2404	{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe	34
PID 2748 wrote to memory of 3028	2748	{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe	35
PID 2748 wrote to memory of 3028	2748	{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe	35
PID 2748 wrote to memory of 3028	2748	{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe	35
PID 2748 wrote to memory of 3028	2748	{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe	35
PID 2748 wrote to memory of 2912	2748	{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe	36
PID 2748 wrote to memory of 2912	2748	{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe	36
PID 2748 wrote to memory of 2912	2748	{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe	36
PID 2748 wrote to memory of 2912	2748	{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe	36
PID 3028 wrote to memory of 2772	3028	{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe	37
PID 3028 wrote to memory of 2772	3028	{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe	37
PID 3028 wrote to memory of 2772	3028	{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe	37
PID 3028 wrote to memory of 2772	3028	{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe	37
PID 3028 wrote to memory of 2904	3028	{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe	38
PID 3028 wrote to memory of 2904	3028	{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe	38
PID 3028 wrote to memory of 2904	3028	{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe	38
PID 3028 wrote to memory of 2904	3028	{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe	38
PID 2772 wrote to memory of 2332	2772	{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe	39
PID 2772 wrote to memory of 2332	2772	{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe	39
PID 2772 wrote to memory of 2332	2772	{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe	39
PID 2772 wrote to memory of 2332	2772	{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe	39
PID 2772 wrote to memory of 2460	2772	{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe	40
PID 2772 wrote to memory of 2460	2772	{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe	40
PID 2772 wrote to memory of 2460	2772	{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe	40
PID 2772 wrote to memory of 2460	2772	{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe	40
PID 2332 wrote to memory of 1616	2332	{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe	41
PID 2332 wrote to memory of 1616	2332	{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe	41
PID 2332 wrote to memory of 1616	2332	{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe	41
PID 2332 wrote to memory of 1616	2332	{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe	41
PID 2332 wrote to memory of 2976	2332	{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe	42
PID 2332 wrote to memory of 2976	2332	{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe	42
PID 2332 wrote to memory of 2976	2332	{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe	42
PID 2332 wrote to memory of 2976	2332	{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe	42
PID 1616 wrote to memory of 2844	1616	{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe	43
PID 1616 wrote to memory of 2844	1616	{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe	43
PID 1616 wrote to memory of 2844	1616	{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe	43
PID 1616 wrote to memory of 2844	1616	{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe	43
PID 1616 wrote to memory of 1860	1616	{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe	44
PID 1616 wrote to memory of 1860	1616	{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe	44
PID 1616 wrote to memory of 1860	1616	{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe	44
PID 1616 wrote to memory of 1860	1616	{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe	44
PID 2844 wrote to memory of 1528	2844	{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe	45
PID 2844 wrote to memory of 1528	2844	{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe	45
PID 2844 wrote to memory of 1528	2844	{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe	45
PID 2844 wrote to memory of 1528	2844	{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe	45
PID 2844 wrote to memory of 1868	2844	{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe	46
PID 2844 wrote to memory of 1868	2844	{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe	46
PID 2844 wrote to memory of 1868	2844	{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe	46
PID 2844 wrote to memory of 1868	2844	{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe	46

C:\Users\Admin\AppData\Local\Temp\bc45a49e7db6309658aa088cfab04850N.exe
"C:\Users\Admin\AppData\Local\Temp\bc45a49e7db6309658aa088cfab04850N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe
  C:\Windows\{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe
    C:\Windows\{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe
      C:\Windows\{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Windows\{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe
        
        C:\Windows\{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe
        
        C:\Windows\{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe
        
        C:\Windows\{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe
        
        C:\Windows\{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\{224ED57C-F7E9-49ec-8908-8079E7101FF5}.exe
        
        C:\Windows\{224ED57C-F7E9-49ec-8908-8079E7101FF5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\{A5274249-7BAE-4941-859D-B53F16D988B1}.exe
        
        C:\Windows\{A5274249-7BAE-4941-859D-B53F16D988B1}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{224ED~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6A54~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAB94~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF151~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{848C0~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9880~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{80DF1~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2B567~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BC45A4~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{224ED57C-F7E9-49ec-8908-8079E7101FF5}.exe

Filesize
90KB

MD5
cc75fdfaa9be705006e5b9416db66a92

SHA1
e82c7112071d50f81fce62f6ad5261c8145ce732

SHA256
a77f91c265ff02cf6c07f3e2f900e0176138b0867a91ec496a1925cc1618558d

SHA512
eb9d54d859bcc2768359efa7dc3d1722dd68032181bfe5abaf6cf25025f659bdf6d16f4e9b8c3b4721c89a3e08143c10ae18eae5547e80f1e5b6dc921f2c8b95

Download Submit
C:\Windows\{2B567BFC-A17E-49d7-B35C-3D31880F2941}.exe

Filesize
90KB

MD5
9ea78f33b9c9e0afde9bd7547d31ad20

SHA1
2b59123833f9874a7e75fcbbdd5055879e4463af

SHA256
c187d0162623254074fbeb5dc771efeac78f76281a8a8a06fb5da92f57573212

SHA512
2830b49b02b35af7ed3df1ada16396e34555d642c4bd42548a799705588aab16dd04f6ed4bdb91a8db27a88890c48765b27c929deec55fc614a0fc8dbc81c012

Download Submit
C:\Windows\{80DF1B2E-CDEC-43c0-926C-206BE396E78F}.exe

Filesize
90KB

MD5
96086f684d068ce93d2f19a82e58b3f0

SHA1
8e26dce61a5e02f5ecb782b226adf30bf0fb37a7

SHA256
36cbea9953aa8cfac867df8906af940f6844d03f173ec4834f180ed3a4ded624

SHA512
3ce0b4a4567165acd507c6dbba9adff6dfcf6d4eada138cf70c11210941571136f067899a6aaf0a10c9f720bc7181bca5c8c28cf2cdd4db34695a643b148facf

Download Submit
C:\Windows\{848C0C4E-6D6A-4874-95C3-1C16E6E627BF}.exe

Filesize
90KB

MD5
95725e2f6e21ccd1b257b6ad47a4f3eb

SHA1
1e57b01fed8c8ff5a8ee16473fd6fbc07958003f

SHA256
65e626db3ff2002578e268ae853363c37094651e632746e0e24c495352b4ac78

SHA512
5f378967572659cd7e354e645a4bd9768b7cfcaaf6600a551e820e42d83db89554d49b236abd3a818b1d7aa2925f95acf74ee51d6b29af6141046b68d667ab77

Download Submit
C:\Windows\{A5274249-7BAE-4941-859D-B53F16D988B1}.exe

Filesize
90KB

MD5
7318ea7f780050b216bb38976c69dfb8

SHA1
590580f374836c08e0db1453d66fe498274b704c

SHA256
e1d5896ca1f9381e35f77e44a6e1b24904a1bf4e74dea2a633362bc8ebb41add

SHA512
5275da35b8bcbabeded2f760d456f74135a23b9c15df67ce283eb87a9949669ba2b047a39c6ddcf5bb03f404ec150bd575f9cb4eeac766135aefc340c10aebdc

Download Submit
C:\Windows\{A6A54BFC-6463-4f61-B794-9BD64CE25733}.exe

Filesize
90KB

MD5
a2114474c69e045be6bf5c73a8357326

SHA1
45f532452296f91703c381155687a43a3f5be449

SHA256
8e0c005f350510c458dd9487ec9287948a9ccc8aa797617969b0ac56cc30aaa4

SHA512
c06145d84611d31a3e6ba068f3da1e47487c94c35ef284f7f69405dd4d7ead3a65a093d5c7d24e909e6a6ccdfa8802c64b835eb730e075db2ef8b16e1227b98c

Download Submit
C:\Windows\{BAB949B8-345B-4df1-9D16-7136B836ACA0}.exe

Filesize
90KB

MD5
3065a1ae68f46f91f5fc70a8402bb3cf

SHA1
ad4126e578ddca947dfdf49e00a17249f95a72bf

SHA256
d7d0f0584377f7e708dc471aba9239036527cb53b09d0ed3a55cbfe18dbc59bf

SHA512
5b414c75ba6a9bbad40d710a4d1df0fe670e3ba87b5226039fa235248c41d0b7eb639d9e1691548028fe11ed9976065300b6005c91ef2741e318e4e240fa5e82

Download Submit
C:\Windows\{DF151410-FD55-46d1-ABEE-AE694FAB3007}.exe

Filesize
90KB

MD5
71b8001a9dd71f5e68716024ae6c01c3

SHA1
8e0a2cc56cbbaa639b899bfe1420eb623ab4a1dc

SHA256
814b5208180261aedd9d7ab8ac94f9c0403a48f3d51d9630270ac18620f3826a

SHA512
35c5d53556e93d245d9054716db93f3853a7c8a199e0004ccffd8314173664c01fce461413be82bcaab9f9ba8fae8fc48be492d2b3618a553fccabd4877712c7

Download Submit
C:\Windows\{F9880CED-31E6-47bc-89B7-9CFD8A1A1A93}.exe

Filesize
90KB

MD5
a2a1853472965a89878890f4943d1b2d

SHA1
1fce9454cd0baf219cda965f6343a27d3ef6eb21

SHA256
de75542e854cdfc7bac4a6f7c4ea141af5221ecae5ac625fb6b11fb13a1e3cc0

SHA512
f2cbc17917260f52321f7751b7990061ebc0897f445d142a50de31c96fc4f3fc15885b9e68f6079c48952cc6108fb54899fc9cafda920fed1bf83537fcb13c4b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads