b6426abedc38f91c789d592432db0dec5952565137662f84a2920d1986c2fe23

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

445e30045f080b95dc89bd25872be6d0N.exe
Size

89KB
MD5

445e30045f080b95dc89bd25872be6d0
SHA1

42a7b44c9921591719d7a8809724c252548c72c9
SHA256

b6426abedc38f91c789d592432db0dec5952565137662f84a2920d1986c2fe23
SHA512

3c6a3a4df4fa56ff045af504e530ba13b48b3ca104f0ea62042a071b79b7e1984fc0269b2b2cbc2ef8687c2951bbd1ffc4ea179e00253593830e940a997ab7f7
SSDEEP

768:5vw9816thKQLroD4/wQkNrfrunMxVFA3k:lEG/0oDlbunMxVS3k

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}	{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4813E667-BC62-4cab-9E93-FBFF1B043E55}	{6741CE14-267B-40ed-8398-90B4569141B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4C5B626-99EF-40f5-B279-BC904B85A2F2}	{E78D1CF9-6F15-4f07-83A9-3BE61E347EF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4C5B626-99EF-40f5-B279-BC904B85A2F2}\stubpath = "C:\\Windows\\{F4C5B626-99EF-40f5-B279-BC904B85A2F2}.exe"	{E78D1CF9-6F15-4f07-83A9-3BE61E347EF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26F053EE-1A62-4971-93E6-960C6E3EC0B2}	445e30045f080b95dc89bd25872be6d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A28884F-3CD2-4280-89BA-FB4158AD1A56}	{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6741CE14-267B-40ed-8398-90B4569141B7}\stubpath = "C:\\Windows\\{6741CE14-267B-40ed-8398-90B4569141B7}.exe"	{A8916572-C01F-4584-BC6C-19982B2535A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4813E667-BC62-4cab-9E93-FBFF1B043E55}\stubpath = "C:\\Windows\\{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe"	{6741CE14-267B-40ed-8398-90B4569141B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E78D1CF9-6F15-4f07-83A9-3BE61E347EF3}	{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A28884F-3CD2-4280-89BA-FB4158AD1A56}\stubpath = "C:\\Windows\\{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe"	{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}\stubpath = "C:\\Windows\\{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe"	{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7294A331-017F-433f-AA39-44F7F5057E4C}	{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7294A331-017F-433f-AA39-44F7F5057E4C}\stubpath = "C:\\Windows\\{7294A331-017F-433f-AA39-44F7F5057E4C}.exe"	{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8916572-C01F-4584-BC6C-19982B2535A9}	{7294A331-017F-433f-AA39-44F7F5057E4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8916572-C01F-4584-BC6C-19982B2535A9}\stubpath = "C:\\Windows\\{A8916572-C01F-4584-BC6C-19982B2535A9}.exe"	{7294A331-017F-433f-AA39-44F7F5057E4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26F053EE-1A62-4971-93E6-960C6E3EC0B2}\stubpath = "C:\\Windows\\{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe"	445e30045f080b95dc89bd25872be6d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6741CE14-267B-40ed-8398-90B4569141B7}	{A8916572-C01F-4584-BC6C-19982B2535A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E78D1CF9-6F15-4f07-83A9-3BE61E347EF3}\stubpath = "C:\\Windows\\{E78D1CF9-6F15-4f07-83A9-3BE61E347EF3}.exe"	{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe

Deletes itself 1 IoCs

pid	Process
1956	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1532	{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe
2372	{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe
2836	{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe
2544	{7294A331-017F-433f-AA39-44F7F5057E4C}.exe
1092	{A8916572-C01F-4584-BC6C-19982B2535A9}.exe
2424	{6741CE14-267B-40ed-8398-90B4569141B7}.exe
756	{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe
2628	{E78D1CF9-6F15-4f07-83A9-3BE61E347EF3}.exe
2416	{F4C5B626-99EF-40f5-B279-BC904B85A2F2}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe	445e30045f080b95dc89bd25872be6d0N.exe
File created	C:\Windows\{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe	{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe
File created	C:\Windows\{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe	{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe
File created	C:\Windows\{A8916572-C01F-4584-BC6C-19982B2535A9}.exe	{7294A331-017F-433f-AA39-44F7F5057E4C}.exe
File created	C:\Windows\{E78D1CF9-6F15-4f07-83A9-3BE61E347EF3}.exe	{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe
File created	C:\Windows\{7294A331-017F-433f-AA39-44F7F5057E4C}.exe	{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe
File created	C:\Windows\{6741CE14-267B-40ed-8398-90B4569141B7}.exe	{A8916572-C01F-4584-BC6C-19982B2535A9}.exe
File created	C:\Windows\{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe	{6741CE14-267B-40ed-8398-90B4569141B7}.exe
File created	C:\Windows\{F4C5B626-99EF-40f5-B279-BC904B85A2F2}.exe	{E78D1CF9-6F15-4f07-83A9-3BE61E347EF3}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A8916572-C01F-4584-BC6C-19982B2535A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E78D1CF9-6F15-4f07-83A9-3BE61E347EF3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7294A331-017F-433f-AA39-44F7F5057E4C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6741CE14-267B-40ed-8398-90B4569141B7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	445e30045f080b95dc89bd25872be6d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F4C5B626-99EF-40f5-B279-BC904B85A2F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2616	445e30045f080b95dc89bd25872be6d0N.exe
Token: SeIncBasePriorityPrivilege	1532	{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe
Token: SeIncBasePriorityPrivilege	2372	{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe
Token: SeIncBasePriorityPrivilege	2836	{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe
Token: SeIncBasePriorityPrivilege	2544	{7294A331-017F-433f-AA39-44F7F5057E4C}.exe
Token: SeIncBasePriorityPrivilege	1092	{A8916572-C01F-4584-BC6C-19982B2535A9}.exe
Token: SeIncBasePriorityPrivilege	2424	{6741CE14-267B-40ed-8398-90B4569141B7}.exe
Token: SeIncBasePriorityPrivilege	756	{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe
Token: SeIncBasePriorityPrivilege	2628	{E78D1CF9-6F15-4f07-83A9-3BE61E347EF3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1532	2616	445e30045f080b95dc89bd25872be6d0N.exe	31
PID 2616 wrote to memory of 1532	2616	445e30045f080b95dc89bd25872be6d0N.exe	31
PID 2616 wrote to memory of 1532	2616	445e30045f080b95dc89bd25872be6d0N.exe	31
PID 2616 wrote to memory of 1532	2616	445e30045f080b95dc89bd25872be6d0N.exe	31
PID 2616 wrote to memory of 1956	2616	445e30045f080b95dc89bd25872be6d0N.exe	32
PID 2616 wrote to memory of 1956	2616	445e30045f080b95dc89bd25872be6d0N.exe	32
PID 2616 wrote to memory of 1956	2616	445e30045f080b95dc89bd25872be6d0N.exe	32
PID 2616 wrote to memory of 1956	2616	445e30045f080b95dc89bd25872be6d0N.exe	32
PID 1532 wrote to memory of 2372	1532	{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe	33
PID 1532 wrote to memory of 2372	1532	{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe	33
PID 1532 wrote to memory of 2372	1532	{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe	33
PID 1532 wrote to memory of 2372	1532	{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe	33
PID 1532 wrote to memory of 2684	1532	{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe	34
PID 1532 wrote to memory of 2684	1532	{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe	34
PID 1532 wrote to memory of 2684	1532	{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe	34
PID 1532 wrote to memory of 2684	1532	{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe	34
PID 2372 wrote to memory of 2836	2372	{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe	35
PID 2372 wrote to memory of 2836	2372	{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe	35
PID 2372 wrote to memory of 2836	2372	{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe	35
PID 2372 wrote to memory of 2836	2372	{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe	35
PID 2372 wrote to memory of 2816	2372	{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe	36
PID 2372 wrote to memory of 2816	2372	{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe	36
PID 2372 wrote to memory of 2816	2372	{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe	36
PID 2372 wrote to memory of 2816	2372	{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe	36
PID 2836 wrote to memory of 2544	2836	{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe	37
PID 2836 wrote to memory of 2544	2836	{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe	37
PID 2836 wrote to memory of 2544	2836	{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe	37
PID 2836 wrote to memory of 2544	2836	{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe	37
PID 2836 wrote to memory of 2608	2836	{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe	38
PID 2836 wrote to memory of 2608	2836	{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe	38
PID 2836 wrote to memory of 2608	2836	{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe	38
PID 2836 wrote to memory of 2608	2836	{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe	38
PID 2544 wrote to memory of 1092	2544	{7294A331-017F-433f-AA39-44F7F5057E4C}.exe	39
PID 2544 wrote to memory of 1092	2544	{7294A331-017F-433f-AA39-44F7F5057E4C}.exe	39
PID 2544 wrote to memory of 1092	2544	{7294A331-017F-433f-AA39-44F7F5057E4C}.exe	39
PID 2544 wrote to memory of 1092	2544	{7294A331-017F-433f-AA39-44F7F5057E4C}.exe	39
PID 2544 wrote to memory of 896	2544	{7294A331-017F-433f-AA39-44F7F5057E4C}.exe	40
PID 2544 wrote to memory of 896	2544	{7294A331-017F-433f-AA39-44F7F5057E4C}.exe	40
PID 2544 wrote to memory of 896	2544	{7294A331-017F-433f-AA39-44F7F5057E4C}.exe	40
PID 2544 wrote to memory of 896	2544	{7294A331-017F-433f-AA39-44F7F5057E4C}.exe	40
PID 1092 wrote to memory of 2424	1092	{A8916572-C01F-4584-BC6C-19982B2535A9}.exe	41
PID 1092 wrote to memory of 2424	1092	{A8916572-C01F-4584-BC6C-19982B2535A9}.exe	41
PID 1092 wrote to memory of 2424	1092	{A8916572-C01F-4584-BC6C-19982B2535A9}.exe	41
PID 1092 wrote to memory of 2424	1092	{A8916572-C01F-4584-BC6C-19982B2535A9}.exe	41
PID 1092 wrote to memory of 812	1092	{A8916572-C01F-4584-BC6C-19982B2535A9}.exe	42
PID 1092 wrote to memory of 812	1092	{A8916572-C01F-4584-BC6C-19982B2535A9}.exe	42
PID 1092 wrote to memory of 812	1092	{A8916572-C01F-4584-BC6C-19982B2535A9}.exe	42
PID 1092 wrote to memory of 812	1092	{A8916572-C01F-4584-BC6C-19982B2535A9}.exe	42
PID 2424 wrote to memory of 756	2424	{6741CE14-267B-40ed-8398-90B4569141B7}.exe	44
PID 2424 wrote to memory of 756	2424	{6741CE14-267B-40ed-8398-90B4569141B7}.exe	44
PID 2424 wrote to memory of 756	2424	{6741CE14-267B-40ed-8398-90B4569141B7}.exe	44
PID 2424 wrote to memory of 756	2424	{6741CE14-267B-40ed-8398-90B4569141B7}.exe	44
PID 2424 wrote to memory of 2788	2424	{6741CE14-267B-40ed-8398-90B4569141B7}.exe	45
PID 2424 wrote to memory of 2788	2424	{6741CE14-267B-40ed-8398-90B4569141B7}.exe	45
PID 2424 wrote to memory of 2788	2424	{6741CE14-267B-40ed-8398-90B4569141B7}.exe	45
PID 2424 wrote to memory of 2788	2424	{6741CE14-267B-40ed-8398-90B4569141B7}.exe	45
PID 756 wrote to memory of 2628	756	{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe	46
PID 756 wrote to memory of 2628	756	{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe	46
PID 756 wrote to memory of 2628	756	{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe	46
PID 756 wrote to memory of 2628	756	{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe	46
PID 756 wrote to memory of 2140	756	{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe	47
PID 756 wrote to memory of 2140	756	{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe	47
PID 756 wrote to memory of 2140	756	{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe	47
PID 756 wrote to memory of 2140	756	{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe	47

C:\Users\Admin\AppData\Local\Temp\445e30045f080b95dc89bd25872be6d0N.exe
"C:\Users\Admin\AppData\Local\Temp\445e30045f080b95dc89bd25872be6d0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe
  C:\Windows\{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe
    C:\Windows\{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe
      C:\Windows\{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\{7294A331-017F-433f-AA39-44F7F5057E4C}.exe
        
        C:\Windows\{7294A331-017F-433f-AA39-44F7F5057E4C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\{A8916572-C01F-4584-BC6C-19982B2535A9}.exe
        
        C:\Windows\{A8916572-C01F-4584-BC6C-19982B2535A9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\{6741CE14-267B-40ed-8398-90B4569141B7}.exe
        
        C:\Windows\{6741CE14-267B-40ed-8398-90B4569141B7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe
        
        C:\Windows\{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\{E78D1CF9-6F15-4f07-83A9-3BE61E347EF3}.exe
        
        C:\Windows\{E78D1CF9-6F15-4f07-83A9-3BE61E347EF3}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\{F4C5B626-99EF-40f5-B279-BC904B85A2F2}.exe
        
        C:\Windows\{F4C5B626-99EF-40f5-B279-BC904B85A2F2}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E78D1~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4813E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6741C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8916~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7294A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26A1C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4A288~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{26F05~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\445E30~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{26A1C6A4-12FB-4fdf-A570-1452AF56DE06}.exe

Filesize
89KB

MD5
009969231512f50ba9849aa8f0280482

SHA1
c734774fba596da69316f2f91c3f8a2e79836fe8

SHA256
f6c49d5e9d0958b227720729757af3396a8ef784e1e08cb41665bd3bc8c110f4

SHA512
e00e98df44b24d098da82f4ea7e83656f5c14c3eb63e78eaf86b5cc2b20a03ad40b3de24a7110afd915b3f32bcccc0c54fe301d2570546dd901fb3b8a665122f

Download Submit
C:\Windows\{26F053EE-1A62-4971-93E6-960C6E3EC0B2}.exe

Filesize
89KB

MD5
dbcce8d364e3494a3445a42ba868eb6c

SHA1
fedb07658ce1735a6154fe3004a3276ae6c6723a

SHA256
c9fda04d2080a08816dddce888abb84fab346095ff90fd5f76d29b9f3072a223

SHA512
a3ad6ab9c5179329698ea6667231383cb81d0dbcffb1924afe5c4bd35613a6cc4d0d8f741fe84cd058afa63ec260eb6140d3a0ca2cc9343a1c77b8186b477b0d

Download Submit
C:\Windows\{4813E667-BC62-4cab-9E93-FBFF1B043E55}.exe

Filesize
89KB

MD5
8327d5a84071b21cbb0bc7ebd117f027

SHA1
edb8766ad683f536431657c97c0177578bdee552

SHA256
0bba73b5cf70d182119c4bf4ef4ae0395178c9c0c60ee75325e2ac30c38c35aa

SHA512
eee5b728f659b44105ce0e178b4a4c9a1b6779b66cd80a28ff519ef048d16cd46ecd8b5315ff10826c3a3a6796ddd4a5031b7e554826153da6d9c735226095dd

Download Submit
C:\Windows\{4A28884F-3CD2-4280-89BA-FB4158AD1A56}.exe

Filesize
89KB

MD5
18d0cdf8841ceb17860c384e3fabde85

SHA1
253d510620d005cc08b91c3f04fe18f8ef8d9419

SHA256
0c349f74dcf4c3ff1abeb6c3badb277f1e392ea78492ec4c2fb740178febf9be

SHA512
0815d494ddccf4afe80b3a0bfaca2d840f34a868c33b19e9db3e4e275b8026c5a4e80c3b425836d4d9841243c9377cb818e6407c2648b35b7a06ec34f77ad7b1

Download Submit
C:\Windows\{6741CE14-267B-40ed-8398-90B4569141B7}.exe

Filesize
89KB

MD5
2ffb1149c5ddeaf510d8341c0ae2322b

SHA1
c73e6a8e3ca0dafde02a2b135368f108e85def9c

SHA256
b8f0f4a9afb85485c7326893fa1d1ac22a2d2da45c287fba8d5e9edcf3703c9f

SHA512
94bf1bed407b0b4bee6f88ad3f403a605fa2f0374a04d05093c5eefaea2a33eaf414f6a0fb1f474df6684809cc71027eeac583fab3131ecfa6c0f0d65cc7c6b6

Download Submit
C:\Windows\{7294A331-017F-433f-AA39-44F7F5057E4C}.exe

Filesize
89KB

MD5
f10d3af79996f3fefdea6d270ae39985

SHA1
b124a4ed978150a5e8a2661ccc42af287c11b008

SHA256
7968690838aea680151ea8774044fdfdeec5248060ecd23a55173682086f5074

SHA512
a0b8441d45e9b867c80405311418fb324b66331fe03cf5f04b1caddbc2c580bcdda9a61e3407b7dd393a737a16efa528a09b4a253ef44a10aafa0194941f3646

Download Submit
C:\Windows\{A8916572-C01F-4584-BC6C-19982B2535A9}.exe

Filesize
89KB

MD5
e0ea7890eb00482e31f1318c4f21360b

SHA1
1a9f70950947b1d94961d4ddda0782387db28cd8

SHA256
f35471acaf3293b7eb7c9abf4c9e56a225d04220bd0c7911be039af1bd0ce700

SHA512
faae479ecf8b1a00950421b7ebae405d85780adfbf615194a9d59c867127cd4b5e9e5487d91097aac5a6ac25e8fc5f85047c1eb21d62bbf5cbd63d15360dead0

Download Submit
C:\Windows\{E78D1CF9-6F15-4f07-83A9-3BE61E347EF3}.exe

Filesize
89KB

MD5
d3c31ed1b07890e8f61e5c7d3d0b821e

SHA1
385af166c565a66f319fe1fcad782c9d6b22c712

SHA256
a2478fe2173438394020505f964674295fa51f1c914d34c41e73d6b91e52d6d7

SHA512
0fd0ee2c2b26e6234e74947709e7120e16757faef932e94feb26dc45c087482f81d2259d7c4e8d972206ae1508c689ffc34286de1a9be416b3843fb42956970b

Download Submit
C:\Windows\{F4C5B626-99EF-40f5-B279-BC904B85A2F2}.exe

Filesize
89KB

MD5
c6d0a0eb9f7a4d83465d9f36b9d5623a

SHA1
503e20b02c9e886f4719f58fd9f273d7051cdf44

SHA256
de0743e856a0b86cba179b7f65ab6c3af41f70586dad409afbc950943c93e33c

SHA512
7e2063f6b7738d020dec58ced3abb3959fa39c37fb9a62ca123ff691207109d5b7e0dd73d5dd7c22335e190308587ef70639c158e270723f412eaf21e207e45e

Download Submit
memory/756-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/756-73-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/756-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1092-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1092-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1092-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1092-53-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/1532-13-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/1532-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2372-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2372-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2372-23-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2424-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2424-62-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/2544-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2544-42-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/2544-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2616-8-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/2616-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2616-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2616-4-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/2616-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2628-79-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2628-87-0x00000000004B0000-0x00000000004C1000-memory.dmp

Filesize
68KB

Download
memory/2628-86-0x00000000004B0000-0x00000000004C1000-memory.dmp

Filesize
68KB

Download
memory/2628-88-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2836-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2836-32-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads