3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe
Size

89KB
MD5

796bd2fa644bcc8c6cb93a42fcc6298f
SHA1

1189271d1aab6239c6d6921368b1199b981dd007
SHA256

3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd
SHA512

25bb9c61acb6f436958312f71348264af94c0e4963e3eb5db37ac90011879b28aaaa044fa00332175c845e1084f3b15d0f63e40e97b0b91ff4fe6df30cf3532c
SSDEEP

768:Qvw9816vhKQLrof4/wQRNrfrunMxVFA3b7glL:YEGh0ofl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15A09F49-E6E1-4c8d-8E9B-26930AE6C12C}	{98728223-048A-495e-A82D-96796CCAF77B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6C37513-812B-4aba-B502-20E85E721724}	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68BB7508-748E-4a7b-9135-6CF43371D8FD}	{3F541788-4CB4-4460-987C-424473A6C61B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{858A2136-8C02-4c0e-9586-2A1271E5AC2A}	{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{858A2136-8C02-4c0e-9586-2A1271E5AC2A}\stubpath = "C:\\Windows\\{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe"	{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE50C717-B706-4a6d-AEEB-BE23293A40E7}\stubpath = "C:\\Windows\\{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe"	{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}	{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}\stubpath = "C:\\Windows\\{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe"	{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6C37513-812B-4aba-B502-20E85E721724}\stubpath = "C:\\Windows\\{E6C37513-812B-4aba-B502-20E85E721724}.exe"	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68BB7508-748E-4a7b-9135-6CF43371D8FD}\stubpath = "C:\\Windows\\{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe"	{3F541788-4CB4-4460-987C-424473A6C61B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F195FD9-ABAD-4552-9C06-3C2630811F1F}	{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98728223-048A-495e-A82D-96796CCAF77B}	{2F195FD9-ABAD-4552-9C06-3C2630811F1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15A09F49-E6E1-4c8d-8E9B-26930AE6C12C}\stubpath = "C:\\Windows\\{15A09F49-E6E1-4c8d-8E9B-26930AE6C12C}.exe"	{98728223-048A-495e-A82D-96796CCAF77B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F541788-4CB4-4460-987C-424473A6C61B}\stubpath = "C:\\Windows\\{3F541788-4CB4-4460-987C-424473A6C61B}.exe"	{E6C37513-812B-4aba-B502-20E85E721724}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE50C717-B706-4a6d-AEEB-BE23293A40E7}	{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}\stubpath = "C:\\Windows\\{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe"	{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F541788-4CB4-4460-987C-424473A6C61B}	{E6C37513-812B-4aba-B502-20E85E721724}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}	{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F195FD9-ABAD-4552-9C06-3C2630811F1F}\stubpath = "C:\\Windows\\{2F195FD9-ABAD-4552-9C06-3C2630811F1F}.exe"	{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98728223-048A-495e-A82D-96796CCAF77B}\stubpath = "C:\\Windows\\{98728223-048A-495e-A82D-96796CCAF77B}.exe"	{2F195FD9-ABAD-4552-9C06-3C2630811F1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6C7638D-1E19-4eac-912F-8FCC00C65238}	{15A09F49-E6E1-4c8d-8E9B-26930AE6C12C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6C7638D-1E19-4eac-912F-8FCC00C65238}\stubpath = "C:\\Windows\\{A6C7638D-1E19-4eac-912F-8FCC00C65238}.exe"	{15A09F49-E6E1-4c8d-8E9B-26930AE6C12C}.exe

Deletes itself 1 IoCs

pid	Process
588	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2336	{E6C37513-812B-4aba-B502-20E85E721724}.exe
2844	{3F541788-4CB4-4460-987C-424473A6C61B}.exe
2704	{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe
2852	{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe
824	{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe
536	{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe
2020	{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe
1852	{2F195FD9-ABAD-4552-9C06-3C2630811F1F}.exe
2936	{98728223-048A-495e-A82D-96796CCAF77B}.exe
1624	{15A09F49-E6E1-4c8d-8E9B-26930AE6C12C}.exe
1616	{A6C7638D-1E19-4eac-912F-8FCC00C65238}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E6C37513-812B-4aba-B502-20E85E721724}.exe	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe
File created	C:\Windows\{3F541788-4CB4-4460-987C-424473A6C61B}.exe	{E6C37513-812B-4aba-B502-20E85E721724}.exe
File created	C:\Windows\{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe	{3F541788-4CB4-4460-987C-424473A6C61B}.exe
File created	C:\Windows\{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe	{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe
File created	C:\Windows\{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe	{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe
File created	C:\Windows\{2F195FD9-ABAD-4552-9C06-3C2630811F1F}.exe	{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe
File created	C:\Windows\{98728223-048A-495e-A82D-96796CCAF77B}.exe	{2F195FD9-ABAD-4552-9C06-3C2630811F1F}.exe
File created	C:\Windows\{15A09F49-E6E1-4c8d-8E9B-26930AE6C12C}.exe	{98728223-048A-495e-A82D-96796CCAF77B}.exe
File created	C:\Windows\{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe	{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe
File created	C:\Windows\{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe	{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe
File created	C:\Windows\{A6C7638D-1E19-4eac-912F-8FCC00C65238}.exe	{15A09F49-E6E1-4c8d-8E9B-26930AE6C12C}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E6C37513-812B-4aba-B502-20E85E721724}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15A09F49-E6E1-4c8d-8E9B-26930AE6C12C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A6C7638D-1E19-4eac-912F-8FCC00C65238}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{98728223-048A-495e-A82D-96796CCAF77B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F541788-4CB4-4460-987C-424473A6C61B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2F195FD9-ABAD-4552-9C06-3C2630811F1F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2388	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe
Token: SeIncBasePriorityPrivilege	2336	{E6C37513-812B-4aba-B502-20E85E721724}.exe
Token: SeIncBasePriorityPrivilege	2844	{3F541788-4CB4-4460-987C-424473A6C61B}.exe
Token: SeIncBasePriorityPrivilege	2704	{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe
Token: SeIncBasePriorityPrivilege	2852	{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe
Token: SeIncBasePriorityPrivilege	824	{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe
Token: SeIncBasePriorityPrivilege	536	{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe
Token: SeIncBasePriorityPrivilege	2020	{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe
Token: SeIncBasePriorityPrivilege	1852	{2F195FD9-ABAD-4552-9C06-3C2630811F1F}.exe
Token: SeIncBasePriorityPrivilege	2936	{98728223-048A-495e-A82D-96796CCAF77B}.exe
Token: SeIncBasePriorityPrivilege	1624	{15A09F49-E6E1-4c8d-8E9B-26930AE6C12C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2336	2388	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe	31
PID 2388 wrote to memory of 2336	2388	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe	31
PID 2388 wrote to memory of 2336	2388	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe	31
PID 2388 wrote to memory of 2336	2388	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe	31
PID 2388 wrote to memory of 588	2388	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe	32
PID 2388 wrote to memory of 588	2388	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe	32
PID 2388 wrote to memory of 588	2388	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe	32
PID 2388 wrote to memory of 588	2388	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe	32
PID 2336 wrote to memory of 2844	2336	{E6C37513-812B-4aba-B502-20E85E721724}.exe	33
PID 2336 wrote to memory of 2844	2336	{E6C37513-812B-4aba-B502-20E85E721724}.exe	33
PID 2336 wrote to memory of 2844	2336	{E6C37513-812B-4aba-B502-20E85E721724}.exe	33
PID 2336 wrote to memory of 2844	2336	{E6C37513-812B-4aba-B502-20E85E721724}.exe	33
PID 2336 wrote to memory of 2864	2336	{E6C37513-812B-4aba-B502-20E85E721724}.exe	34
PID 2336 wrote to memory of 2864	2336	{E6C37513-812B-4aba-B502-20E85E721724}.exe	34
PID 2336 wrote to memory of 2864	2336	{E6C37513-812B-4aba-B502-20E85E721724}.exe	34
PID 2336 wrote to memory of 2864	2336	{E6C37513-812B-4aba-B502-20E85E721724}.exe	34
PID 2844 wrote to memory of 2704	2844	{3F541788-4CB4-4460-987C-424473A6C61B}.exe	35
PID 2844 wrote to memory of 2704	2844	{3F541788-4CB4-4460-987C-424473A6C61B}.exe	35
PID 2844 wrote to memory of 2704	2844	{3F541788-4CB4-4460-987C-424473A6C61B}.exe	35
PID 2844 wrote to memory of 2704	2844	{3F541788-4CB4-4460-987C-424473A6C61B}.exe	35
PID 2844 wrote to memory of 2788	2844	{3F541788-4CB4-4460-987C-424473A6C61B}.exe	36
PID 2844 wrote to memory of 2788	2844	{3F541788-4CB4-4460-987C-424473A6C61B}.exe	36
PID 2844 wrote to memory of 2788	2844	{3F541788-4CB4-4460-987C-424473A6C61B}.exe	36
PID 2844 wrote to memory of 2788	2844	{3F541788-4CB4-4460-987C-424473A6C61B}.exe	36
PID 2704 wrote to memory of 2852	2704	{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe	37
PID 2704 wrote to memory of 2852	2704	{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe	37
PID 2704 wrote to memory of 2852	2704	{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe	37
PID 2704 wrote to memory of 2852	2704	{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe	37
PID 2704 wrote to memory of 2600	2704	{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe	38
PID 2704 wrote to memory of 2600	2704	{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe	38
PID 2704 wrote to memory of 2600	2704	{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe	38
PID 2704 wrote to memory of 2600	2704	{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe	38
PID 2852 wrote to memory of 824	2852	{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe	39
PID 2852 wrote to memory of 824	2852	{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe	39
PID 2852 wrote to memory of 824	2852	{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe	39
PID 2852 wrote to memory of 824	2852	{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe	39
PID 2852 wrote to memory of 1744	2852	{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe	40
PID 2852 wrote to memory of 1744	2852	{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe	40
PID 2852 wrote to memory of 1744	2852	{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe	40
PID 2852 wrote to memory of 1744	2852	{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe	40
PID 824 wrote to memory of 536	824	{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe	41
PID 824 wrote to memory of 536	824	{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe	41
PID 824 wrote to memory of 536	824	{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe	41
PID 824 wrote to memory of 536	824	{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe	41
PID 824 wrote to memory of 2392	824	{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe	42
PID 824 wrote to memory of 2392	824	{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe	42
PID 824 wrote to memory of 2392	824	{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe	42
PID 824 wrote to memory of 2392	824	{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe	42
PID 536 wrote to memory of 2020	536	{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe	43
PID 536 wrote to memory of 2020	536	{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe	43
PID 536 wrote to memory of 2020	536	{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe	43
PID 536 wrote to memory of 2020	536	{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe	43
PID 536 wrote to memory of 1996	536	{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe	44
PID 536 wrote to memory of 1996	536	{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe	44
PID 536 wrote to memory of 1996	536	{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe	44
PID 536 wrote to memory of 1996	536	{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe	44
PID 2020 wrote to memory of 1852	2020	{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe	45
PID 2020 wrote to memory of 1852	2020	{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe	45
PID 2020 wrote to memory of 1852	2020	{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe	45
PID 2020 wrote to memory of 1852	2020	{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe	45
PID 2020 wrote to memory of 2672	2020	{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe	46
PID 2020 wrote to memory of 2672	2020	{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe	46
PID 2020 wrote to memory of 2672	2020	{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe	46
PID 2020 wrote to memory of 2672	2020	{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe	46

C:\Users\Admin\AppData\Local\Temp\3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe
"C:\Users\Admin\AppData\Local\Temp\3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\{E6C37513-812B-4aba-B502-20E85E721724}.exe
  C:\Windows\{E6C37513-812B-4aba-B502-20E85E721724}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\{3F541788-4CB4-4460-987C-424473A6C61B}.exe
    C:\Windows\{3F541788-4CB4-4460-987C-424473A6C61B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe
      C:\Windows\{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe
        
        C:\Windows\{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe
        
        C:\Windows\{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe
        
        C:\Windows\{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe
        
        C:\Windows\{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\{2F195FD9-ABAD-4552-9C06-3C2630811F1F}.exe
        
        C:\Windows\{2F195FD9-ABAD-4552-9C06-3C2630811F1F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\{98728223-048A-495e-A82D-96796CCAF77B}.exe
        
        C:\Windows\{98728223-048A-495e-A82D-96796CCAF77B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\{15A09F49-E6E1-4c8d-8E9B-26930AE6C12C}.exe
        
        C:\Windows\{15A09F49-E6E1-4c8d-8E9B-26930AE6C12C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\{A6C7638D-1E19-4eac-912F-8FCC00C65238}.exe
        
        C:\Windows\{A6C7638D-1E19-4eac-912F-8FCC00C65238}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15A09~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98728~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F195~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C98D9~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95A7B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE50C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{858A2~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68BB7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3F541~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E6C37~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3C6148~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15A09F49-E6E1-4c8d-8E9B-26930AE6C12C}.exe

Filesize
89KB

MD5
0e4c66513d6990dbf9fb39b2fc4698fa

SHA1
654c7b2e6b6d4ec110efe5b99f637b88123a51aa

SHA256
2141f4223c8b04ff52264332ad3446fbf287f4309af68b8bc84fb8c128449fe5

SHA512
145881cabb4b3955887107204c091ed1dae520eee960ae2ee316d6bd544fba94568d706d3e7a15c3ea0559ac668b6b2fc00a47cc36459ce002fa4269016d57f3

Download Submit
C:\Windows\{2F195FD9-ABAD-4552-9C06-3C2630811F1F}.exe

Filesize
89KB

MD5
ac1f67ccb1babe5b5c7f4113968cfbc6

SHA1
7e33cb9e8398b82f4890bc73def06f1ecf6030e6

SHA256
dc7078104f4b3999d31bded55eff0291b4d411cc0e8ddb1bcb509cd2009d31f3

SHA512
912b6005978740cc99f823b51268eabe39bfab70e71a7fd1e7bc921c87c9a5d59742f12a9bb07f3e2f39be4101d16fc3e17ca486bbf21c5710a79e68238a1819

Download Submit
C:\Windows\{3F541788-4CB4-4460-987C-424473A6C61B}.exe

Filesize
89KB

MD5
f8ef6bca3b27806dbc6169717278a893

SHA1
785ed3212de176fb6c7ba97673378dc78a63ef98

SHA256
07556834057bb050c3b54e0af4a227c346076add8188890110d6dfb7c80ac469

SHA512
81112150fc0e3ecc71036c5dd594b0fc1fdcb067157191fc6a43cd14d0c8be775ac180c210b656b422d1123708fec8e1e2a4e79fe4c7d6a93fff92c70326a1a8

Download Submit
C:\Windows\{68BB7508-748E-4a7b-9135-6CF43371D8FD}.exe

Filesize
89KB

MD5
7f8d71a6c17204e6b0cde791551322b2

SHA1
94aea752283c6e4ba8e1fa8612efab6b3aad4e11

SHA256
8901c15b54ace62c123d46de599d221764339d6c38ad5208037a1b96f923ceb5

SHA512
720a3e347422f0d7dc1c2edf1bf00b5e222392737854058056a2e7a684659be28601189c27af346c8fbcfb66243811a8f02936171a7f5ce83d8ed8dddf11ccb3

Download Submit
C:\Windows\{858A2136-8C02-4c0e-9586-2A1271E5AC2A}.exe

Filesize
89KB

MD5
f619cd8af964d85b732ea5f1f0107639

SHA1
74d27680e02e856d80f71103c29f7ea967aa552f

SHA256
c5ed179573baba9e21065b873c343538cdb332c82ce61b5fc90e025c2ec77f5b

SHA512
0b5aa01b12cd4559d6544787bef6dbe17e78aae7e552ff234430eef6919ff68f584c9c6747d4d20849d898301594204f544bc0375c5b710ebd94d88d9ca999bb

Download Submit
C:\Windows\{95A7BB69-72BD-4ea2-8A2D-3ED0FA1F052E}.exe

Filesize
89KB

MD5
fa742aead89dcf8b9033837386ca0bab

SHA1
290af40fc41289fdeac22925272c0cd926b881e9

SHA256
9f6e6407241b3aad6cb55fd59f46eaa72834377974569b8310617d36505f15a9

SHA512
a4d1e3fde183c686d075f8e3eb36666a75849f9f572330d0eda2ebf2354aa7ebfe25683ef4bbae14316f59f844f70af32bc8fbc58dd30170253298b9fa4c581d

Download Submit
C:\Windows\{98728223-048A-495e-A82D-96796CCAF77B}.exe

Filesize
89KB

MD5
0d0aba6d8d7383e943405d148a33e7e0

SHA1
09f54ad26594d6beb84e5491de8cde81eb8ad72d

SHA256
ed4ac071f263400948897fe808442f1a796696d630b70cd518b6088ba03a4dca

SHA512
22d9cb119f1f6dde108b47ed0ed2c3a69bee9c00d8240efbcfb4c4f8b0277287c4192d83aece96754a568479e8996db77d079d8aa9c2e9dc23e9b9c26065aa12

Download Submit
C:\Windows\{A6C7638D-1E19-4eac-912F-8FCC00C65238}.exe

Filesize
89KB

MD5
857d0ea665c32e87232294b637459781

SHA1
d6959582b34b4f93105eda9ac86d6070bd43a0c5

SHA256
2a3e5304d9015c9952ba363dddf35428f42e5d801c31b53e2f64815c6eb7aca6

SHA512
def4113991c0ad04a1f83be4f78adec7c70628d058f78a80ebc09af39c992ec122c8cb878bc6c4ef638b312fc7a0091934bb4252ef5fdc9f56eb179ecdbe2112

Download Submit
C:\Windows\{AE50C717-B706-4a6d-AEEB-BE23293A40E7}.exe

Filesize
89KB

MD5
2b5ae1366fc95d95b1b9f4599eb50971

SHA1
fac8ac0d3e6e6f573c3ab5dd0005357bd902f99a

SHA256
c4763212440f2615f506367aba2db89b43a38a9cc99103cae2399ef74b85c484

SHA512
cf463dbef9f0a3fa0f28a54a7d98172237b642e6c266bb8b2059695570c67566dc35e319640364e88f356bda9a952aa516533d3088542168507ff229cf629028

Download Submit
C:\Windows\{C98D991A-FE93-4814-8188-FAD7BB3CA9F3}.exe

Filesize
89KB

MD5
8f90b8de555fdaa3628ee99cd96ca86d

SHA1
f499adcb1a5f18b3dc20447ecdb916d7785da0eb

SHA256
2ecd435ae9f749a69d82496305889ad4f1d29ef42267c23af01b76a8bf9a5395

SHA512
2c4adc9f344ca519c765b96b04babf608be23602be4fbf159debfabbdf5257348c5aff87b9d0aa9fa1958c3ed8fa0d1f372c5f693b6a8f9f27d8661acd47f315

Download Submit
C:\Windows\{E6C37513-812B-4aba-B502-20E85E721724}.exe

Filesize
89KB

MD5
42d248b500ff7c4c20b3852c4e7989b2

SHA1
dfd1cc2026d4193039c15424e9f57b915f3bbfe7

SHA256
31a095ee37eef8644973b4a2b79447b0d03c9280a8db365ac11deca1ac1c3888

SHA512
02adb740f6059e5973ed0743463a6f8d30c163d45a68a720d1eb17214aa167b8cdd038f5f66dc3deb8f657f51ea8a32ab0c8adbb6cebb3426ba36d294a1ad26b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads