57e3518c0dad4630e6b706f103c85b59f7767b40c5c6fc350dbdd3399e3b4743

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da1844ed7927c687acb282db6b1a88d0N.exe
Size

380KB
MD5

da1844ed7927c687acb282db6b1a88d0
SHA1

cfd876ade42b10cb503e32ffee3f70402fdb0c70
SHA256

57e3518c0dad4630e6b706f103c85b59f7767b40c5c6fc350dbdd3399e3b4743
SHA512

ba22e2b52b4565cbbfe292624e941109413cddd3b28af554329636639305653744788511f80c2cdd1f4a00911aa9d766a5ee054494b0d50ec10c2e760a222b13
SSDEEP

3072:mEGh0owlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGul7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20C4225F-699B-4017-85A2-A98032DE1C81}\stubpath = "C:\\Windows\\{20C4225F-699B-4017-85A2-A98032DE1C81}.exe"	{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B731E9E-9BF7-40ad-A45A-EF13A0773DA5}\stubpath = "C:\\Windows\\{8B731E9E-9BF7-40ad-A45A-EF13A0773DA5}.exe"	{31E27613-5F53-429e-B7F9-474623D0C4CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19063D98-1E49-41af-9B5F-F095C3EF2B5F}	da1844ed7927c687acb282db6b1a88d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A86522B1-6D18-4eb3-9CED-557B5ECF2437}	{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A86522B1-6D18-4eb3-9CED-557B5ECF2437}\stubpath = "C:\\Windows\\{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe"	{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{473EFF4F-BBB3-4391-BE2E-050F9695D973}\stubpath = "C:\\Windows\\{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe"	{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}	{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}\stubpath = "C:\\Windows\\{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe"	{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19063D98-1E49-41af-9B5F-F095C3EF2B5F}\stubpath = "C:\\Windows\\{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe"	da1844ed7927c687acb282db6b1a88d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}	{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B731E9E-9BF7-40ad-A45A-EF13A0773DA5}	{31E27613-5F53-429e-B7F9-474623D0C4CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{473EFF4F-BBB3-4391-BE2E-050F9695D973}	{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}\stubpath = "C:\\Windows\\{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe"	{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE45A7F3-B19C-493f-B07F-5D492F526B40}	{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE45A7F3-B19C-493f-B07F-5D492F526B40}\stubpath = "C:\\Windows\\{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe"	{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20C4225F-699B-4017-85A2-A98032DE1C81}	{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31E27613-5F53-429e-B7F9-474623D0C4CF}	{20C4225F-699B-4017-85A2-A98032DE1C81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31E27613-5F53-429e-B7F9-474623D0C4CF}\stubpath = "C:\\Windows\\{31E27613-5F53-429e-B7F9-474623D0C4CF}.exe"	{20C4225F-699B-4017-85A2-A98032DE1C81}.exe

Deletes itself 1 IoCs

pid	Process
2904	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2628	{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe
2696	{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe
2644	{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe
2068	{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe
2084	{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe
2004	{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe
1824	{20C4225F-699B-4017-85A2-A98032DE1C81}.exe
2504	{31E27613-5F53-429e-B7F9-474623D0C4CF}.exe
2212	{8B731E9E-9BF7-40ad-A45A-EF13A0773DA5}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe	da1844ed7927c687acb282db6b1a88d0N.exe
File created	C:\Windows\{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe	{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe
File created	C:\Windows\{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe	{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe
File created	C:\Windows\{8B731E9E-9BF7-40ad-A45A-EF13A0773DA5}.exe	{31E27613-5F53-429e-B7F9-474623D0C4CF}.exe
File created	C:\Windows\{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe	{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe
File created	C:\Windows\{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe	{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe
File created	C:\Windows\{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe	{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe
File created	C:\Windows\{20C4225F-699B-4017-85A2-A98032DE1C81}.exe	{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe
File created	C:\Windows\{31E27613-5F53-429e-B7F9-474623D0C4CF}.exe	{20C4225F-699B-4017-85A2-A98032DE1C81}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B731E9E-9BF7-40ad-A45A-EF13A0773DA5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20C4225F-699B-4017-85A2-A98032DE1C81}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{31E27613-5F53-429e-B7F9-474623D0C4CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da1844ed7927c687acb282db6b1a88d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2652	da1844ed7927c687acb282db6b1a88d0N.exe
Token: SeIncBasePriorityPrivilege	2628	{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe
Token: SeIncBasePriorityPrivilege	2696	{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe
Token: SeIncBasePriorityPrivilege	2644	{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe
Token: SeIncBasePriorityPrivilege	2068	{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe
Token: SeIncBasePriorityPrivilege	2084	{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe
Token: SeIncBasePriorityPrivilege	2004	{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe
Token: SeIncBasePriorityPrivilege	1824	{20C4225F-699B-4017-85A2-A98032DE1C81}.exe
Token: SeIncBasePriorityPrivilege	2504	{31E27613-5F53-429e-B7F9-474623D0C4CF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2628	2652	da1844ed7927c687acb282db6b1a88d0N.exe	31
PID 2652 wrote to memory of 2628	2652	da1844ed7927c687acb282db6b1a88d0N.exe	31
PID 2652 wrote to memory of 2628	2652	da1844ed7927c687acb282db6b1a88d0N.exe	31
PID 2652 wrote to memory of 2628	2652	da1844ed7927c687acb282db6b1a88d0N.exe	31
PID 2652 wrote to memory of 2904	2652	da1844ed7927c687acb282db6b1a88d0N.exe	32
PID 2652 wrote to memory of 2904	2652	da1844ed7927c687acb282db6b1a88d0N.exe	32
PID 2652 wrote to memory of 2904	2652	da1844ed7927c687acb282db6b1a88d0N.exe	32
PID 2652 wrote to memory of 2904	2652	da1844ed7927c687acb282db6b1a88d0N.exe	32
PID 2628 wrote to memory of 2696	2628	{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe	33
PID 2628 wrote to memory of 2696	2628	{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe	33
PID 2628 wrote to memory of 2696	2628	{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe	33
PID 2628 wrote to memory of 2696	2628	{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe	33
PID 2628 wrote to memory of 2580	2628	{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe	34
PID 2628 wrote to memory of 2580	2628	{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe	34
PID 2628 wrote to memory of 2580	2628	{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe	34
PID 2628 wrote to memory of 2580	2628	{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe	34
PID 2696 wrote to memory of 2644	2696	{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe	35
PID 2696 wrote to memory of 2644	2696	{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe	35
PID 2696 wrote to memory of 2644	2696	{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe	35
PID 2696 wrote to memory of 2644	2696	{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe	35
PID 2696 wrote to memory of 2984	2696	{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe	36
PID 2696 wrote to memory of 2984	2696	{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe	36
PID 2696 wrote to memory of 2984	2696	{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe	36
PID 2696 wrote to memory of 2984	2696	{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe	36
PID 2644 wrote to memory of 2068	2644	{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe	37
PID 2644 wrote to memory of 2068	2644	{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe	37
PID 2644 wrote to memory of 2068	2644	{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe	37
PID 2644 wrote to memory of 2068	2644	{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe	37
PID 2644 wrote to memory of 2704	2644	{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe	38
PID 2644 wrote to memory of 2704	2644	{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe	38
PID 2644 wrote to memory of 2704	2644	{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe	38
PID 2644 wrote to memory of 2704	2644	{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe	38
PID 2068 wrote to memory of 2084	2068	{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe	39
PID 2068 wrote to memory of 2084	2068	{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe	39
PID 2068 wrote to memory of 2084	2068	{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe	39
PID 2068 wrote to memory of 2084	2068	{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe	39
PID 2068 wrote to memory of 2620	2068	{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe	40
PID 2068 wrote to memory of 2620	2068	{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe	40
PID 2068 wrote to memory of 2620	2068	{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe	40
PID 2068 wrote to memory of 2620	2068	{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe	40
PID 2084 wrote to memory of 2004	2084	{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe	41
PID 2084 wrote to memory of 2004	2084	{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe	41
PID 2084 wrote to memory of 2004	2084	{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe	41
PID 2084 wrote to memory of 2004	2084	{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe	41
PID 2084 wrote to memory of 2332	2084	{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe	42
PID 2084 wrote to memory of 2332	2084	{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe	42
PID 2084 wrote to memory of 2332	2084	{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe	42
PID 2084 wrote to memory of 2332	2084	{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe	42
PID 2004 wrote to memory of 1824	2004	{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe	44
PID 2004 wrote to memory of 1824	2004	{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe	44
PID 2004 wrote to memory of 1824	2004	{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe	44
PID 2004 wrote to memory of 1824	2004	{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe	44
PID 2004 wrote to memory of 1552	2004	{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe	45
PID 2004 wrote to memory of 1552	2004	{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe	45
PID 2004 wrote to memory of 1552	2004	{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe	45
PID 2004 wrote to memory of 1552	2004	{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe	45
PID 1824 wrote to memory of 2504	1824	{20C4225F-699B-4017-85A2-A98032DE1C81}.exe	46
PID 1824 wrote to memory of 2504	1824	{20C4225F-699B-4017-85A2-A98032DE1C81}.exe	46
PID 1824 wrote to memory of 2504	1824	{20C4225F-699B-4017-85A2-A98032DE1C81}.exe	46
PID 1824 wrote to memory of 2504	1824	{20C4225F-699B-4017-85A2-A98032DE1C81}.exe	46
PID 1824 wrote to memory of 2336	1824	{20C4225F-699B-4017-85A2-A98032DE1C81}.exe	47
PID 1824 wrote to memory of 2336	1824	{20C4225F-699B-4017-85A2-A98032DE1C81}.exe	47
PID 1824 wrote to memory of 2336	1824	{20C4225F-699B-4017-85A2-A98032DE1C81}.exe	47
PID 1824 wrote to memory of 2336	1824	{20C4225F-699B-4017-85A2-A98032DE1C81}.exe	47

C:\Users\Admin\AppData\Local\Temp\da1844ed7927c687acb282db6b1a88d0N.exe
"C:\Users\Admin\AppData\Local\Temp\da1844ed7927c687acb282db6b1a88d0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe
  C:\Windows\{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe
    C:\Windows\{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe
      C:\Windows\{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe
        
        C:\Windows\{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Windows\{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe
        
        C:\Windows\{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe
        
        C:\Windows\{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\{20C4225F-699B-4017-85A2-A98032DE1C81}.exe
        
        C:\Windows\{20C4225F-699B-4017-85A2-A98032DE1C81}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{31E27613-5F53-429e-B7F9-474623D0C4CF}.exe
        
        C:\Windows\{31E27613-5F53-429e-B7F9-474623D0C4CF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\{8B731E9E-9BF7-40ad-A45A-EF13A0773DA5}.exe
        
        C:\Windows\{8B731E9E-9BF7-40ad-A45A-EF13A0773DA5}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31E27~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20C42~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE45A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F2BA~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A6EC~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{473EF~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A8652~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{19063~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\DA1844~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19063D98-1E49-41af-9B5F-F095C3EF2B5F}.exe

Filesize
380KB

MD5
dbce2b6ad043c736b24c26cb8fceb797

SHA1
13d893d5243382e0cf1f6f9562c9125e72770b02

SHA256
a16f77d2675d81e3048bd143041ceb67a6ba12491c786c65b3e5054f91a68e60

SHA512
ce3d1e9014c00d2ea23f0ad503cae0b61036e01242cdfe26752ba6447c187c24025628256058a29461f20b3ecf068e7fa7a8cdaa6211634a454a1fc226d32ec3

Download Submit
C:\Windows\{20C4225F-699B-4017-85A2-A98032DE1C81}.exe

Filesize
380KB

MD5
24ba3d3312ac2de2e89d7680dc65368a

SHA1
7ed15e3020634ea1b5d62c926a545674c56422c3

SHA256
69fc8370ebf5e65d1188b9ba800974f54ba57a735a6f3af22ec96dbf413c3cd8

SHA512
64f9807f6807e8339af62ee8b33d36330778f1ca6f19a66805548cf8e01586848dded881bc81a12c1e011cd826c27033f5ed8078ab682a1fcfc9a3dfc9df645f

Download Submit
C:\Windows\{31E27613-5F53-429e-B7F9-474623D0C4CF}.exe

Filesize
380KB

MD5
7abad55a6c4f6199a09648b372e0be44

SHA1
329679675e065634852b0fa775c8272509846acd

SHA256
94ef88c878f631dfc92ebdb0057d50ef557c288664055c6c28b24c3b6fd41fe9

SHA512
adec9e7f8085d8912e9f7a371f0af2ed9623cc8daca604e8c20f32b2e51f30fc0364dd68328151cd80916346445dc1bd7dded6413560d69a17709cf92d03632b

Download Submit
C:\Windows\{473EFF4F-BBB3-4391-BE2E-050F9695D973}.exe

Filesize
380KB

MD5
0276667aa7ce199e6a766ead642f48c7

SHA1
d9359073d257e46470f46f97eecd6061837668cf

SHA256
7d420897e3ecca27a02e7e3b7ce90af1c69ccfa7254f4badccad19c2492721c7

SHA512
e29b761d4007ab585a8f3f7430940e4378672d7d49694cfccea57316db17a38e40a1649467b5853c4c6c77ce9ab07f81a770441b5bf8a8aab2b1dfdedfd45ba4

Download Submit
C:\Windows\{6F2BA3D1-54CF-41f2-9211-5C4519F673F8}.exe

Filesize
380KB

MD5
4bf32f7d719a9aa719252ad7697b7b57

SHA1
98d5b08a13ca158b1b0d4d69456433d4bfe2bb44

SHA256
f620276128d9a0697f082f854689ccb7bc1db299395a57a81fee54a01cdc1037

SHA512
7dfe0f17ea044266cce1f8b2384166158b13c0a0e741334fe18a5bf84f79d8c97650653e9ffee07e21f13617b6bff10c2425ee1b29820a8117ed3d30e2c774f7

Download Submit
C:\Windows\{7A6EC9A0-8E1B-49cc-AA39-EFD6B8F7D8ED}.exe

Filesize
380KB

MD5
462605434eca6565da62657bafaf0c8c

SHA1
5b3ba44ba5c8a577483b91a52076a723cca3c437

SHA256
1c79cc85dc89e831390573670103bb787b79b9283718da950c11356fbe5cf762

SHA512
aa0124e0c5efd5607d894969f84b2987fa5c327c6717b6e59270ce7b06928b00897f3b65b642470d5ee8aa7708bce1a8564071720d270564999acc9219a8587e

Download Submit
C:\Windows\{8B731E9E-9BF7-40ad-A45A-EF13A0773DA5}.exe

Filesize
380KB

MD5
acacdd31ce346bc6e97b83b06c9c711f

SHA1
7424bb2c8e83e90bcf797d78957f611095d060c8

SHA256
1f08825dfca61c64496c3a02b582a1eafb4f4c69fce444a6d07945d0bde0e0b9

SHA512
abed8bde04169c5da9a445b9dbb076235661b84d4eb179236abe907d4bb6afa681c85d465a27275fa252e1b6bafb1df97c121145939633452ccb15e8d3c919d2

Download Submit
C:\Windows\{A86522B1-6D18-4eb3-9CED-557B5ECF2437}.exe

Filesize
380KB

MD5
3f57000d3707908ea097408b24359822

SHA1
0612444e5ebe35f7d100d001f6ce2e596fb239c0

SHA256
a71d7574e0fbeaa126a5aaacd9c3563a28deb1893c3d44b6ae33b9dc6c5fab2f

SHA512
a81708f7329be96824cae904578338751ebe8274977a9ac950b90034c891a6c301c6b58dab90b17c8bcca0150714c029282de37cdbece8bfbdc8caf73c1c6d6d

Download Submit
C:\Windows\{EE45A7F3-B19C-493f-B07F-5D492F526B40}.exe

Filesize
380KB

MD5
5d66b9432796a38e107c171d6d6596b1

SHA1
608440147513921f47e5722ed262d3a4617eb3c9

SHA256
71a9945373831a07d23206cd39009aceb99bc4f62d14d8bce151ba16b4b96a37

SHA512
9edc1fe98444094982e24a0aa6a4e352f3d52c95d7bcfdae90a5105ecfe8e156c87438ff7b7f8099279e19ac5e7722f9f117d20e0e6054df2a97cbc028de2c1f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads