e7c24c87e807e70c6e22982368b3caf8e1a0877730c856f3d5d3fc70a4a10967

Analysis

max time kernel
118s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a6044d74688986491f21d842878d610N.exe
Size

89KB
MD5

0a6044d74688986491f21d842878d610
SHA1

6882c7b0930884261f54c47303a294f1c8f0b69d
SHA256

e7c24c87e807e70c6e22982368b3caf8e1a0877730c856f3d5d3fc70a4a10967
SHA512

428807a2d43ee09f5526bbd7b98daadd2f3b78ed0e30a54ff528abe0996fc9814a2d656447646831f4cbed5e0a3b1de50f32126c25862dad7c8ef2b32eb42eda
SSDEEP

768:Qvw9816vhKQLroS4/wQRNrfrunMxVFA3b7glL:YEGh0oSl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}\stubpath = "C:\\Windows\\{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe"	{097BE697-DB04-481f-9D44-AC5C24371261}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0417038-B87D-4ca1-85C4-13833815E7BF}\stubpath = "C:\\Windows\\{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe"	{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}\stubpath = "C:\\Windows\\{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe"	{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}\stubpath = "C:\\Windows\\{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe"	{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F92BE920-AD2D-4d52-B1FE-06B9A5CCF21A}	{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{097BE697-DB04-481f-9D44-AC5C24371261}\stubpath = "C:\\Windows\\{097BE697-DB04-481f-9D44-AC5C24371261}.exe"	{5E457E3F-E539-461b-AF53-8226B895A663}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E833FD90-EB0F-4e3d-9007-B94D631950E3}\stubpath = "C:\\Windows\\{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe"	{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0417038-B87D-4ca1-85C4-13833815E7BF}	{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F92BE920-AD2D-4d52-B1FE-06B9A5CCF21A}\stubpath = "C:\\Windows\\{F92BE920-AD2D-4d52-B1FE-06B9A5CCF21A}.exe"	{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E833FD90-EB0F-4e3d-9007-B94D631950E3}	{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{097BE697-DB04-481f-9D44-AC5C24371261}	{5E457E3F-E539-461b-AF53-8226B895A663}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}	{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}	{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E457E3F-E539-461b-AF53-8226B895A663}	0a6044d74688986491f21d842878d610N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}	{097BE697-DB04-481f-9D44-AC5C24371261}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}\stubpath = "C:\\Windows\\{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe"	{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}	{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E457E3F-E539-461b-AF53-8226B895A663}\stubpath = "C:\\Windows\\{5E457E3F-E539-461b-AF53-8226B895A663}.exe"	0a6044d74688986491f21d842878d610N.exe

Executes dropped EXE 9 IoCs

pid	Process
112	{5E457E3F-E539-461b-AF53-8226B895A663}.exe
3480	{097BE697-DB04-481f-9D44-AC5C24371261}.exe
4460	{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe
2952	{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe
2732	{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe
2832	{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe
436	{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe
776	{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe
4768	{F92BE920-AD2D-4d52-B1FE-06B9A5CCF21A}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{097BE697-DB04-481f-9D44-AC5C24371261}.exe	{5E457E3F-E539-461b-AF53-8226B895A663}.exe
File created	C:\Windows\{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe	{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe
File created	C:\Windows\{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe	{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe
File created	C:\Windows\{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe	{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe
File created	C:\Windows\{5E457E3F-E539-461b-AF53-8226B895A663}.exe	0a6044d74688986491f21d842878d610N.exe
File created	C:\Windows\{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe	{097BE697-DB04-481f-9D44-AC5C24371261}.exe
File created	C:\Windows\{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe	{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe
File created	C:\Windows\{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe	{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe
File created	C:\Windows\{F92BE920-AD2D-4d52-B1FE-06B9A5CCF21A}.exe	{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a6044d74688986491f21d842878d610N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E457E3F-E539-461b-AF53-8226B895A663}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F92BE920-AD2D-4d52-B1FE-06B9A5CCF21A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{097BE697-DB04-481f-9D44-AC5C24371261}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5096	0a6044d74688986491f21d842878d610N.exe
Token: SeIncBasePriorityPrivilege	112	{5E457E3F-E539-461b-AF53-8226B895A663}.exe
Token: SeIncBasePriorityPrivilege	3480	{097BE697-DB04-481f-9D44-AC5C24371261}.exe
Token: SeIncBasePriorityPrivilege	4460	{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe
Token: SeIncBasePriorityPrivilege	2952	{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe
Token: SeIncBasePriorityPrivilege	2732	{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe
Token: SeIncBasePriorityPrivilege	2832	{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe
Token: SeIncBasePriorityPrivilege	436	{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe
Token: SeIncBasePriorityPrivilege	776	{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 112	5096	0a6044d74688986491f21d842878d610N.exe	87
PID 5096 wrote to memory of 112	5096	0a6044d74688986491f21d842878d610N.exe	87
PID 5096 wrote to memory of 112	5096	0a6044d74688986491f21d842878d610N.exe	87
PID 5096 wrote to memory of 5000	5096	0a6044d74688986491f21d842878d610N.exe	88
PID 5096 wrote to memory of 5000	5096	0a6044d74688986491f21d842878d610N.exe	88
PID 5096 wrote to memory of 5000	5096	0a6044d74688986491f21d842878d610N.exe	88
PID 112 wrote to memory of 3480	112	{5E457E3F-E539-461b-AF53-8226B895A663}.exe	89
PID 112 wrote to memory of 3480	112	{5E457E3F-E539-461b-AF53-8226B895A663}.exe	89
PID 112 wrote to memory of 3480	112	{5E457E3F-E539-461b-AF53-8226B895A663}.exe	89
PID 112 wrote to memory of 4672	112	{5E457E3F-E539-461b-AF53-8226B895A663}.exe	90
PID 112 wrote to memory of 4672	112	{5E457E3F-E539-461b-AF53-8226B895A663}.exe	90
PID 112 wrote to memory of 4672	112	{5E457E3F-E539-461b-AF53-8226B895A663}.exe	90
PID 3480 wrote to memory of 4460	3480	{097BE697-DB04-481f-9D44-AC5C24371261}.exe	96
PID 3480 wrote to memory of 4460	3480	{097BE697-DB04-481f-9D44-AC5C24371261}.exe	96
PID 3480 wrote to memory of 4460	3480	{097BE697-DB04-481f-9D44-AC5C24371261}.exe	96
PID 3480 wrote to memory of 4788	3480	{097BE697-DB04-481f-9D44-AC5C24371261}.exe	97
PID 3480 wrote to memory of 4788	3480	{097BE697-DB04-481f-9D44-AC5C24371261}.exe	97
PID 3480 wrote to memory of 4788	3480	{097BE697-DB04-481f-9D44-AC5C24371261}.exe	97
PID 4460 wrote to memory of 2952	4460	{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe	101
PID 4460 wrote to memory of 2952	4460	{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe	101
PID 4460 wrote to memory of 2952	4460	{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe	101
PID 4460 wrote to memory of 1072	4460	{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe	102
PID 4460 wrote to memory of 1072	4460	{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe	102
PID 4460 wrote to memory of 1072	4460	{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe	102
PID 2952 wrote to memory of 2732	2952	{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe	103
PID 2952 wrote to memory of 2732	2952	{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe	103
PID 2952 wrote to memory of 2732	2952	{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe	103
PID 2952 wrote to memory of 3196	2952	{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe	104
PID 2952 wrote to memory of 3196	2952	{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe	104
PID 2952 wrote to memory of 3196	2952	{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe	104
PID 2732 wrote to memory of 2832	2732	{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe	105
PID 2732 wrote to memory of 2832	2732	{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe	105
PID 2732 wrote to memory of 2832	2732	{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe	105
PID 2732 wrote to memory of 2060	2732	{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe	106
PID 2732 wrote to memory of 2060	2732	{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe	106
PID 2732 wrote to memory of 2060	2732	{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe	106
PID 2832 wrote to memory of 436	2832	{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe	107
PID 2832 wrote to memory of 436	2832	{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe	107
PID 2832 wrote to memory of 436	2832	{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe	107
PID 2832 wrote to memory of 4244	2832	{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe	108
PID 2832 wrote to memory of 4244	2832	{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe	108
PID 2832 wrote to memory of 4244	2832	{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe	108
PID 436 wrote to memory of 776	436	{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe	109
PID 436 wrote to memory of 776	436	{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe	109
PID 436 wrote to memory of 776	436	{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe	109
PID 436 wrote to memory of 648	436	{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe	110
PID 436 wrote to memory of 648	436	{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe	110
PID 436 wrote to memory of 648	436	{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe	110
PID 776 wrote to memory of 4768	776	{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe	111
PID 776 wrote to memory of 4768	776	{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe	111
PID 776 wrote to memory of 4768	776	{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe	111
PID 776 wrote to memory of 1496	776	{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe	112
PID 776 wrote to memory of 1496	776	{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe	112
PID 776 wrote to memory of 1496	776	{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe	112

C:\Users\Admin\AppData\Local\Temp\0a6044d74688986491f21d842878d610N.exe
"C:\Users\Admin\AppData\Local\Temp\0a6044d74688986491f21d842878d610N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\{5E457E3F-E539-461b-AF53-8226B895A663}.exe
  C:\Windows\{5E457E3F-E539-461b-AF53-8226B895A663}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\{097BE697-DB04-481f-9D44-AC5C24371261}.exe
    C:\Windows\{097BE697-DB04-481f-9D44-AC5C24371261}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Windows\{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe
      C:\Windows\{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4460
    - - C:\Windows\{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe
        
        C:\Windows\{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe
        
        C:\Windows\{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe
        
        C:\Windows\{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe
        
        C:\Windows\{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe
        
        C:\Windows\{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\{F92BE920-AD2D-4d52-B1FE-06B9A5CCF21A}.exe
        
        C:\Windows\{F92BE920-AD2D-4d52-B1FE-06B9A5CCF21A}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58274~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3035B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC7B2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0417~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E833F~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10F6E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{097BE~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5E457~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0A6044~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{097BE697-DB04-481f-9D44-AC5C24371261}.exe

Filesize
89KB

MD5
08a9979087fc8e0a75457746d65a53aa

SHA1
206e9018c390adc52ad20888d392720c6887eaa2

SHA256
7e2072f5ef5f86a387dac807187c079213583776640e37c50af693f03a6f0768

SHA512
13cf4f9f9596a56080dc4ab92ff2e8afae526dc7732c690aad289c53a46873bdb07c74a85b9e04f8c3a87e2ecbf2bf2b7d0d76a172d861fdc1e65f24af8675fd

Download Submit
C:\Windows\{10F6E51C-A9B8-405a-A85B-45169CE1A2B9}.exe

Filesize
89KB

MD5
fdf4ba1d8164e23ea94116ea104c02d3

SHA1
e9e59e4e6a30c08ee0ff8077a933f5b21fe3e2d7

SHA256
12f01e25f7f5fbd018ecef33e61c88c79da84ec00f0f2e169fc2c8af84e573b1

SHA512
66695bdca2b82812a087fb1b5ec99b42ec38597937bdc0fd5145db1f749ff124d009d5bae91d9cd0814cbf5fa8c4f55c6c6dfb57f6a83cdf48d4712c14b30195

Download Submit
C:\Windows\{3035BF0C-92BD-41d7-AAEC-721D1EB5092F}.exe

Filesize
89KB

MD5
51ff1988101d8f367799efec46bb3ea5

SHA1
91c512bd0b1291da81fbb3bf857369c25143ef63

SHA256
938f665f5971aefc05d969cc480ef4000ede5859ea3760b020ff57db30f70605

SHA512
14706c0696abca4e33e9effd8a83636bf4ec8272b2cc57627ab3e90769414a47b972d1715dadb536b8fbb4c716d600bbad5cbc61bd727cc33bfb89e0578664fa

Download Submit
C:\Windows\{58274D39-3C8A-4506-A2B5-910DB6F2BBBB}.exe

Filesize
89KB

MD5
e08222bdc1d4b23b6a187e4fd354347f

SHA1
d9ef0170bc8f9069d52d137e7ffdc3c50624e3d6

SHA256
49c30d58762d9aa9ff6e3a170546c7fcd88c919c72f9ccb40afed467bd52ca54

SHA512
3ae6b1686b2aac3d97ffb8ec562031b5c94d8e3135dfa935948eddae4bd91dee8cf31e1eb2ace8726830907d3fc403fc9a112a5b0b385382c3f0b5f63a720228

Download Submit
C:\Windows\{5E457E3F-E539-461b-AF53-8226B895A663}.exe

Filesize
89KB

MD5
8dc4ced9917b6fab56cf682d0d35cb6e

SHA1
4a44c7f9db4ecb39533cfc2ce0e95eb470dca1ba

SHA256
f6514fc1ce84925b266ef1bb0eff0ff5005b0ed1a98bd79c689913e72f6d5ebb

SHA512
21ababa4b6b2a44ff269d9ab86e0fab7fe46cc9345f97d66dd2326c6482592260c7d19caa77584f7dc7b55432d4caeca97a314899adfbe648eb1e9f3764ce3fc

Download Submit
C:\Windows\{D0417038-B87D-4ca1-85C4-13833815E7BF}.exe

Filesize
89KB

MD5
ec0afb914df3fe8b9cc253dfd8604844

SHA1
29c43e49ffdad82cdc39ca53620a8deae6b4e4c7

SHA256
20da094d5b544f6f8d89648025c4ce99ac5dae77487e38b3357634a630b50945

SHA512
e5d42463432e6dd5d68010ffd1b2c7c6cacc45470eab7df8b092c695f32fa1f3bdbefd63e09f22e14d04f360327cba36a5fa0ad938a16fdb337847979008ce8a

Download Submit
C:\Windows\{DC7B22FA-2E2D-4d3b-BE01-B5A83E53C568}.exe

Filesize
89KB

MD5
7319819f3d6ca1e959446b545a0fe4e2

SHA1
77a660464ddd3f83c76889c4de3927f0f25e5fc5

SHA256
4ce12d8e88a5ca36d66e58cd268de443e52239db1d522f644a7087c4795019a4

SHA512
fbdc931da4ca352f9ec21f95cb7dcaf34184ec7844fbfc13860e27732ef7d301a8134d40a2914faf02ae705f813c0ffce4b76cf5ebb7a91bf318eccc72583a1a

Download Submit
C:\Windows\{E833FD90-EB0F-4e3d-9007-B94D631950E3}.exe

Filesize
89KB

MD5
acfe87696daaf3fae0dad416a886f2d2

SHA1
8575d01e8c5f84be9bc8c8fa0b31e2e2608511b0

SHA256
9973be25ac5c6ec16a3f7e097e3130e13c096282d0d4668c705afbf0b7f7ae5a

SHA512
5b03ec6cca41725422897eb35ac2edc794bfe49b9cad0153d87ba60b87b1d73a3cb73372a3255dd15f9a7b24c1470436b1cc67c6efae16be2008b0b1b0cba2cc

Download Submit
C:\Windows\{F92BE920-AD2D-4d52-B1FE-06B9A5CCF21A}.exe

Filesize
89KB

MD5
67b5475269ee702565d62488ddc8867f

SHA1
80820ac2462cf09d15ad348e81fe18caafcc74e3

SHA256
ffc0f1306bfe0fbcbfb78f03301ce0c0f0eb076ee873fdd11e4e27bc457a11eb

SHA512
9366807ef9e98cc75effc259e33f5e6d33fce26388f06252d27d771877e83a167125f2e4577ed94e319683c06e332041cc9f0195e32705a6e9dbc9d53729eb83

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads