c8911e229034edb96557d4cc3009d5b9ccfadff4080c04f3f1cf49919561d1da

Analysis

max time kernel
119s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f286418428ff4cdc71faf6538b918960N.exe
Size

89KB
MD5

f286418428ff4cdc71faf6538b918960
SHA1

0bb1972dc509db36c7dc286b08fed4dc28cab3b8
SHA256

c8911e229034edb96557d4cc3009d5b9ccfadff4080c04f3f1cf49919561d1da
SHA512

947e8eb2d47b357395f886d86af0987509e28eed6c680cf7329024f141980831c90271f781a3caba02612349f148ff0172929125e91997b62e33abfab87328ee
SSDEEP

768:Qvw9816vhKQLroH4/wQRNrfrunMxVFA3b7gl5:YEGh0oHl2unMxVS3HgX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{999A2358-F217-4332-A85D-49317BF1BE32}\stubpath = "C:\\Windows\\{999A2358-F217-4332-A85D-49317BF1BE32}.exe"	{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}	{999A2358-F217-4332-A85D-49317BF1BE32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}\stubpath = "C:\\Windows\\{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe"	{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFE995D2-2A86-4bac-9985-F0CE377AD69D}	{6DBD0572-9CFD-4bc2-A2CC-B1F671564E9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFE995D2-2A86-4bac-9985-F0CE377AD69D}\stubpath = "C:\\Windows\\{FFE995D2-2A86-4bac-9985-F0CE377AD69D}.exe"	{6DBD0572-9CFD-4bc2-A2CC-B1F671564E9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{999A2358-F217-4332-A85D-49317BF1BE32}	{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}\stubpath = "C:\\Windows\\{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe"	{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}	{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DBD0572-9CFD-4bc2-A2CC-B1F671564E9A}	{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DBD0572-9CFD-4bc2-A2CC-B1F671564E9A}\stubpath = "C:\\Windows\\{6DBD0572-9CFD-4bc2-A2CC-B1F671564E9A}.exe"	{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}\stubpath = "C:\\Windows\\{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe"	{C417C804-EA88-4c31-972A-F5D499CB1994}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}	{C417C804-EA88-4c31-972A-F5D499CB1994}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}	{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}\stubpath = "C:\\Windows\\{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe"	{999A2358-F217-4332-A85D-49317BF1BE32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}	{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C417C804-EA88-4c31-972A-F5D499CB1994}\stubpath = "C:\\Windows\\{C417C804-EA88-4c31-972A-F5D499CB1994}.exe"	f286418428ff4cdc71faf6538b918960N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}\stubpath = "C:\\Windows\\{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe"	{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C417C804-EA88-4c31-972A-F5D499CB1994}	f286418428ff4cdc71faf6538b918960N.exe

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2552	{C417C804-EA88-4c31-972A-F5D499CB1994}.exe
2636	{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe
2684	{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe
2896	{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe
2160	{999A2358-F217-4332-A85D-49317BF1BE32}.exe
1800	{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe
2192	{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe
588	{6DBD0572-9CFD-4bc2-A2CC-B1F671564E9A}.exe
2940	{FFE995D2-2A86-4bac-9985-F0CE377AD69D}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe	{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe
File created	C:\Windows\{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe	{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe
File created	C:\Windows\{6DBD0572-9CFD-4bc2-A2CC-B1F671564E9A}.exe	{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe
File created	C:\Windows\{FFE995D2-2A86-4bac-9985-F0CE377AD69D}.exe	{6DBD0572-9CFD-4bc2-A2CC-B1F671564E9A}.exe
File created	C:\Windows\{C417C804-EA88-4c31-972A-F5D499CB1994}.exe	f286418428ff4cdc71faf6538b918960N.exe
File created	C:\Windows\{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe	{C417C804-EA88-4c31-972A-F5D499CB1994}.exe
File created	C:\Windows\{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe	{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe
File created	C:\Windows\{999A2358-F217-4332-A85D-49317BF1BE32}.exe	{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe
File created	C:\Windows\{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe	{999A2358-F217-4332-A85D-49317BF1BE32}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f286418428ff4cdc71faf6538b918960N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{999A2358-F217-4332-A85D-49317BF1BE32}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6DBD0572-9CFD-4bc2-A2CC-B1F671564E9A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C417C804-EA88-4c31-972A-F5D499CB1994}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FFE995D2-2A86-4bac-9985-F0CE377AD69D}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1544	f286418428ff4cdc71faf6538b918960N.exe
Token: SeIncBasePriorityPrivilege	2552	{C417C804-EA88-4c31-972A-F5D499CB1994}.exe
Token: SeIncBasePriorityPrivilege	2636	{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe
Token: SeIncBasePriorityPrivilege	2684	{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe
Token: SeIncBasePriorityPrivilege	2896	{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe
Token: SeIncBasePriorityPrivilege	2160	{999A2358-F217-4332-A85D-49317BF1BE32}.exe
Token: SeIncBasePriorityPrivilege	1800	{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe
Token: SeIncBasePriorityPrivilege	2192	{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe
Token: SeIncBasePriorityPrivilege	588	{6DBD0572-9CFD-4bc2-A2CC-B1F671564E9A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2552	1544	f286418428ff4cdc71faf6538b918960N.exe	29
PID 1544 wrote to memory of 2552	1544	f286418428ff4cdc71faf6538b918960N.exe	29
PID 1544 wrote to memory of 2552	1544	f286418428ff4cdc71faf6538b918960N.exe	29
PID 1544 wrote to memory of 2552	1544	f286418428ff4cdc71faf6538b918960N.exe	29
PID 1544 wrote to memory of 2660	1544	f286418428ff4cdc71faf6538b918960N.exe	30
PID 1544 wrote to memory of 2660	1544	f286418428ff4cdc71faf6538b918960N.exe	30
PID 1544 wrote to memory of 2660	1544	f286418428ff4cdc71faf6538b918960N.exe	30
PID 1544 wrote to memory of 2660	1544	f286418428ff4cdc71faf6538b918960N.exe	30
PID 2552 wrote to memory of 2636	2552	{C417C804-EA88-4c31-972A-F5D499CB1994}.exe	31
PID 2552 wrote to memory of 2636	2552	{C417C804-EA88-4c31-972A-F5D499CB1994}.exe	31
PID 2552 wrote to memory of 2636	2552	{C417C804-EA88-4c31-972A-F5D499CB1994}.exe	31
PID 2552 wrote to memory of 2636	2552	{C417C804-EA88-4c31-972A-F5D499CB1994}.exe	31
PID 2552 wrote to memory of 2792	2552	{C417C804-EA88-4c31-972A-F5D499CB1994}.exe	32
PID 2552 wrote to memory of 2792	2552	{C417C804-EA88-4c31-972A-F5D499CB1994}.exe	32
PID 2552 wrote to memory of 2792	2552	{C417C804-EA88-4c31-972A-F5D499CB1994}.exe	32
PID 2552 wrote to memory of 2792	2552	{C417C804-EA88-4c31-972A-F5D499CB1994}.exe	32
PID 2636 wrote to memory of 2684	2636	{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe	33
PID 2636 wrote to memory of 2684	2636	{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe	33
PID 2636 wrote to memory of 2684	2636	{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe	33
PID 2636 wrote to memory of 2684	2636	{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe	33
PID 2636 wrote to memory of 2408	2636	{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe	34
PID 2636 wrote to memory of 2408	2636	{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe	34
PID 2636 wrote to memory of 2408	2636	{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe	34
PID 2636 wrote to memory of 2408	2636	{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe	34
PID 2684 wrote to memory of 2896	2684	{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe	35
PID 2684 wrote to memory of 2896	2684	{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe	35
PID 2684 wrote to memory of 2896	2684	{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe	35
PID 2684 wrote to memory of 2896	2684	{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe	35
PID 2684 wrote to memory of 2912	2684	{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe	36
PID 2684 wrote to memory of 2912	2684	{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe	36
PID 2684 wrote to memory of 2912	2684	{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe	36
PID 2684 wrote to memory of 2912	2684	{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe	36
PID 2896 wrote to memory of 2160	2896	{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe	37
PID 2896 wrote to memory of 2160	2896	{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe	37
PID 2896 wrote to memory of 2160	2896	{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe	37
PID 2896 wrote to memory of 2160	2896	{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe	37
PID 2896 wrote to memory of 1028	2896	{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe	38
PID 2896 wrote to memory of 1028	2896	{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe	38
PID 2896 wrote to memory of 1028	2896	{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe	38
PID 2896 wrote to memory of 1028	2896	{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe	38
PID 2160 wrote to memory of 1800	2160	{999A2358-F217-4332-A85D-49317BF1BE32}.exe	39
PID 2160 wrote to memory of 1800	2160	{999A2358-F217-4332-A85D-49317BF1BE32}.exe	39
PID 2160 wrote to memory of 1800	2160	{999A2358-F217-4332-A85D-49317BF1BE32}.exe	39
PID 2160 wrote to memory of 1800	2160	{999A2358-F217-4332-A85D-49317BF1BE32}.exe	39
PID 2160 wrote to memory of 2308	2160	{999A2358-F217-4332-A85D-49317BF1BE32}.exe	40
PID 2160 wrote to memory of 2308	2160	{999A2358-F217-4332-A85D-49317BF1BE32}.exe	40
PID 2160 wrote to memory of 2308	2160	{999A2358-F217-4332-A85D-49317BF1BE32}.exe	40
PID 2160 wrote to memory of 2308	2160	{999A2358-F217-4332-A85D-49317BF1BE32}.exe	40
PID 1800 wrote to memory of 2192	1800	{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe	41
PID 1800 wrote to memory of 2192	1800	{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe	41
PID 1800 wrote to memory of 2192	1800	{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe	41
PID 1800 wrote to memory of 2192	1800	{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe	41
PID 1800 wrote to memory of 1848	1800	{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe	42
PID 1800 wrote to memory of 1848	1800	{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe	42
PID 1800 wrote to memory of 1848	1800	{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe	42
PID 1800 wrote to memory of 1848	1800	{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe	42
PID 2192 wrote to memory of 588	2192	{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe	43
PID 2192 wrote to memory of 588	2192	{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe	43
PID 2192 wrote to memory of 588	2192	{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe	43
PID 2192 wrote to memory of 588	2192	{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe	43
PID 2192 wrote to memory of 316	2192	{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe	44
PID 2192 wrote to memory of 316	2192	{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe	44
PID 2192 wrote to memory of 316	2192	{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe	44
PID 2192 wrote to memory of 316	2192	{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe	44

C:\Users\Admin\AppData\Local\Temp\f286418428ff4cdc71faf6538b918960N.exe
"C:\Users\Admin\AppData\Local\Temp\f286418428ff4cdc71faf6538b918960N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\{C417C804-EA88-4c31-972A-F5D499CB1994}.exe
  C:\Windows\{C417C804-EA88-4c31-972A-F5D499CB1994}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe
    C:\Windows\{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe
      C:\Windows\{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe
        
        C:\Windows\{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\{999A2358-F217-4332-A85D-49317BF1BE32}.exe
        
        C:\Windows\{999A2358-F217-4332-A85D-49317BF1BE32}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe
        
        C:\Windows\{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe
        
        C:\Windows\{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\{6DBD0572-9CFD-4bc2-A2CC-B1F671564E9A}.exe
        
        C:\Windows\{6DBD0572-9CFD-4bc2-A2CC-B1F671564E9A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\{FFE995D2-2A86-4bac-9985-F0CE377AD69D}.exe
        
        C:\Windows\{FFE995D2-2A86-4bac-9985-F0CE377AD69D}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DBD0~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7804~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCB69~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{999A2~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DE15~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{508AF~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CA871~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C417C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F28641~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3DE15B01-0D46-4835-80E3-EFF6AC6CF830}.exe

Filesize
89KB

MD5
9b2995d4c205dd89d64e69348cf0cb7b

SHA1
e12caa4a32cfaf48b57d9f211dd081e70a1b739c

SHA256
d0a0ee1b8cb0227da3b3445a77fe2a19fde708cdfe5d52f51a19344ed3dfa9f5

SHA512
8a940d7e8db55d41714edea366412f32c5d6d943184e8ae2fef347501b7236c0507ce80cb64eb05388ba585b1651679c29d2fe873b2263d0a1db5a1d02b29838

Download Submit
C:\Windows\{508AF445-4522-4e42-9C57-4DBA6F8DD7EF}.exe

Filesize
89KB

MD5
d31160fbee9f0d8f234285d732476e12

SHA1
85d63795758ead6bcdd4f90d0ff1068c65dd3fe3

SHA256
da202786bc44bcde7b94deb1438bd958e8fb6716cca06c58368b08cf80dc2ec3

SHA512
a2e19f2f62bfcb220c911f1ff193684f86702389b8bd78035c64d52e0aff324599a1327f8690a5fbdbf3e0f5b22a216c75a804348f20c7560fc4b0d0d382ffa9

Download Submit
C:\Windows\{6DBD0572-9CFD-4bc2-A2CC-B1F671564E9A}.exe

Filesize
89KB

MD5
251a498ec4435c0d2457bfe3e1f0bb44

SHA1
5600dd7327d73f8a6b602ad7ef3cd770ed6275be

SHA256
1a388c47b5ca225d0eb2d8c9b92dde3966c47bd223c71ffe14d080341c15ba9a

SHA512
e6a0f0c94b71bbd7394930c6a91da608e9716eaee1ab94ee9533cc8aea16bb44ef7fbab11af79cdce80aeb709c51a79ea7c7d34a0a36996caefaee596c5899a0

Download Submit
C:\Windows\{999A2358-F217-4332-A85D-49317BF1BE32}.exe

Filesize
89KB

MD5
f184afa419e877e566461a259d0312b5

SHA1
4115377df2bec4cf23627f26e9c43d8a9a5a07a5

SHA256
929c5678d725431f6b4dd346d8bd3dc4c77cf14d81390b4ba812dba5b23510a6

SHA512
d6de10aba65648c6a6c917afaadc1028193c042c2060865f53659cf07f1e350e2794cb86fb3304769abdc2fb62c219b9f73eff27f36645bb16ba4c6f22db5380

Download Submit
C:\Windows\{C417C804-EA88-4c31-972A-F5D499CB1994}.exe

Filesize
89KB

MD5
2668968626fb152a5c1192cd0a00c72b

SHA1
6f803a739d041e5d0ea06408600f89b5cf30baf4

SHA256
53dbf8df0e7e9863a6b7a8bace4b8478b85a2bb9e36d54f8f6e181617a30df97

SHA512
f1667b36523bf11c8ecb7d5ae4dafcbf9595fa0894e5d9675b61a5ba9e80bac9519fdeb98441672118afdddfe2e1314a34c9ce9ec9989e9a025cd0dad8e81b8e

Download Submit
C:\Windows\{CA871052-FBD4-4e2f-B7F0-FD832A8C0515}.exe

Filesize
89KB

MD5
08162ca027a0338a19ed76ad05f339ee

SHA1
da4d0676d6dfe82f153bfba6c5dd83145c8cee4f

SHA256
84a5b08f524000185bd4243d6d3ed23066b22a38db8b1630334b94db3be59f20

SHA512
fc100397221cdef509092866f7a0308cae059001b0a1022d29087181916c82d1555b0def6252f6ea68355051919e1bb395e4320d01de6fc746b5bc4d7e19baaf

Download Submit
C:\Windows\{CCB6956D-C397-47b4-A5B9-96A961D7E0C7}.exe

Filesize
89KB

MD5
69725febe1f6eb87332253f8bad966f6

SHA1
c4f9c11800f47aa5b640629b8d499c1aa5cd1821

SHA256
db6e1160e1bea9d1838e0574c1f6f0c4e097a1a2fdc49d6dd25ac29c4b29335b

SHA512
a9823260abc0bb04e9c11513376b7aaec5b542dddd670307f88b8465d13bf5a5588fde9bfac2c1ba1adf8194e1abb7daea46c94d8811e8e48c1971f502e2157a

Download Submit
C:\Windows\{E7804BA6-7DB4-4227-9263-4D7EA4778DB7}.exe

Filesize
89KB

MD5
79698f6327bd3aa16495df0ab92ec439

SHA1
1e3fefe8fec489ed9826456c3432b8cc7e9f3574

SHA256
46c572f66e153877972d7d63863bd139d40c2b7fc315d680bc11450c2da52842

SHA512
76346f0adebe369dd91baa3ea55c0139772afebe590cfb0d0b39c76ae57d7c72d4c8f1af25274e0f6ef0a50f36852db401b34234f43f168775b0a43aa2707c81

Download Submit
C:\Windows\{FFE995D2-2A86-4bac-9985-F0CE377AD69D}.exe

Filesize
89KB

MD5
7b4860e3a90fd307ed943b03e9d586af

SHA1
81f765a04857d7acf189d0a7f348f9542b0ac114

SHA256
eec1f3a96cec2c9f65ad17cd7f0a489158ad915c2a5a129c3a766fde9d813629

SHA512
6167885d38c79d267d27a38411f5497e969d9d428e55c61aece7488cf6bcb27260dfa08131d5815e672261237ad6e3b63a4284b37bf4a8a3c76043aa89ca6e7e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads