3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe
Size

89KB
MD5

796bd2fa644bcc8c6cb93a42fcc6298f
SHA1

1189271d1aab6239c6d6921368b1199b981dd007
SHA256

3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd
SHA512

25bb9c61acb6f436958312f71348264af94c0e4963e3eb5db37ac90011879b28aaaa044fa00332175c845e1084f3b15d0f63e40e97b0b91ff4fe6df30cf3532c
SSDEEP

768:Qvw9816vhKQLrof4/wQRNrfrunMxVFA3b7glL:YEGh0ofl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}	{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}\stubpath = "C:\\Windows\\{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe"	{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFC45A51-114D-431d-A6C0-68EB1B45F0D8}	{50C7391B-6631-4f63-8CCA-11556228CC2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFC45A51-114D-431d-A6C0-68EB1B45F0D8}\stubpath = "C:\\Windows\\{DFC45A51-114D-431d-A6C0-68EB1B45F0D8}.exe"	{50C7391B-6631-4f63-8CCA-11556228CC2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}\stubpath = "C:\\Windows\\{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe"	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}\stubpath = "C:\\Windows\\{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe"	{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}	{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40EA12CA-133B-4064-B3B8-01B05EB9EF15}	{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40EA12CA-133B-4064-B3B8-01B05EB9EF15}\stubpath = "C:\\Windows\\{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe"	{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{156395C6-C129-48e8-9E17-E928026DE365}\stubpath = "C:\\Windows\\{156395C6-C129-48e8-9E17-E928026DE365}.exe"	{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C486114-8A9E-4c75-A108-6E5190DA2170}	{156395C6-C129-48e8-9E17-E928026DE365}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C486114-8A9E-4c75-A108-6E5190DA2170}\stubpath = "C:\\Windows\\{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe"	{156395C6-C129-48e8-9E17-E928026DE365}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{085A3F8E-CEBA-423d-BDE3-A55634544E87}\stubpath = "C:\\Windows\\{085A3F8E-CEBA-423d-BDE3-A55634544E87}.exe"	{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50C7391B-6631-4f63-8CCA-11556228CC2A}\stubpath = "C:\\Windows\\{50C7391B-6631-4f63-8CCA-11556228CC2A}.exe"	{085A3F8E-CEBA-423d-BDE3-A55634544E87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}	{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}\stubpath = "C:\\Windows\\{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe"	{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1F21ED6-202A-418d-9E8C-49831BD721A9}	{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1F21ED6-202A-418d-9E8C-49831BD721A9}\stubpath = "C:\\Windows\\{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe"	{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50C7391B-6631-4f63-8CCA-11556228CC2A}	{085A3F8E-CEBA-423d-BDE3-A55634544E87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C14F682-7320-4ec8-B15B-F34D756CFB14}	{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C14F682-7320-4ec8-B15B-F34D756CFB14}\stubpath = "C:\\Windows\\{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe"	{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{156395C6-C129-48e8-9E17-E928026DE365}	{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{085A3F8E-CEBA-423d-BDE3-A55634544E87}	{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe

Executes dropped EXE 12 IoCs

pid	Process
928	{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe
2956	{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe
4608	{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe
4512	{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe
4072	{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe
1924	{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe
4440	{156395C6-C129-48e8-9E17-E928026DE365}.exe
3720	{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe
3272	{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe
116	{085A3F8E-CEBA-423d-BDE3-A55634544E87}.exe
4880	{50C7391B-6631-4f63-8CCA-11556228CC2A}.exe
4820	{DFC45A51-114D-431d-A6C0-68EB1B45F0D8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{156395C6-C129-48e8-9E17-E928026DE365}.exe	{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe
File created	C:\Windows\{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe	{156395C6-C129-48e8-9E17-E928026DE365}.exe
File created	C:\Windows\{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe	{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe
File created	C:\Windows\{50C7391B-6631-4f63-8CCA-11556228CC2A}.exe	{085A3F8E-CEBA-423d-BDE3-A55634544E87}.exe
File created	C:\Windows\{DFC45A51-114D-431d-A6C0-68EB1B45F0D8}.exe	{50C7391B-6631-4f63-8CCA-11556228CC2A}.exe
File created	C:\Windows\{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe	{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe
File created	C:\Windows\{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe	{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe
File created	C:\Windows\{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe	{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe
File created	C:\Windows\{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe	{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe
File created	C:\Windows\{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe	{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe
File created	C:\Windows\{085A3F8E-CEBA-423d-BDE3-A55634544E87}.exe	{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe
File created	C:\Windows\{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DFC45A51-114D-431d-A6C0-68EB1B45F0D8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{085A3F8E-CEBA-423d-BDE3-A55634544E87}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{50C7391B-6631-4f63-8CCA-11556228CC2A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{156395C6-C129-48e8-9E17-E928026DE365}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5108	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe
Token: SeIncBasePriorityPrivilege	928	{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe
Token: SeIncBasePriorityPrivilege	2956	{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe
Token: SeIncBasePriorityPrivilege	4608	{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe
Token: SeIncBasePriorityPrivilege	4512	{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe
Token: SeIncBasePriorityPrivilege	4072	{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe
Token: SeIncBasePriorityPrivilege	1924	{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe
Token: SeIncBasePriorityPrivilege	4440	{156395C6-C129-48e8-9E17-E928026DE365}.exe
Token: SeIncBasePriorityPrivilege	3720	{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe
Token: SeIncBasePriorityPrivilege	3272	{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe
Token: SeIncBasePriorityPrivilege	116	{085A3F8E-CEBA-423d-BDE3-A55634544E87}.exe
Token: SeIncBasePriorityPrivilege	4880	{50C7391B-6631-4f63-8CCA-11556228CC2A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 928	5108	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe	94
PID 5108 wrote to memory of 928	5108	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe	94
PID 5108 wrote to memory of 928	5108	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe	94
PID 5108 wrote to memory of 2940	5108	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe	95
PID 5108 wrote to memory of 2940	5108	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe	95
PID 5108 wrote to memory of 2940	5108	3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe	95
PID 928 wrote to memory of 2956	928	{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe	96
PID 928 wrote to memory of 2956	928	{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe	96
PID 928 wrote to memory of 2956	928	{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe	96
PID 928 wrote to memory of 3772	928	{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe	97
PID 928 wrote to memory of 3772	928	{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe	97
PID 928 wrote to memory of 3772	928	{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe	97
PID 2956 wrote to memory of 4608	2956	{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe	100
PID 2956 wrote to memory of 4608	2956	{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe	100
PID 2956 wrote to memory of 4608	2956	{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe	100
PID 2956 wrote to memory of 4240	2956	{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe	101
PID 2956 wrote to memory of 4240	2956	{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe	101
PID 2956 wrote to memory of 4240	2956	{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe	101
PID 4608 wrote to memory of 4512	4608	{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe	102
PID 4608 wrote to memory of 4512	4608	{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe	102
PID 4608 wrote to memory of 4512	4608	{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe	102
PID 4608 wrote to memory of 668	4608	{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe	103
PID 4608 wrote to memory of 668	4608	{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe	103
PID 4608 wrote to memory of 668	4608	{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe	103
PID 4512 wrote to memory of 4072	4512	{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe	104
PID 4512 wrote to memory of 4072	4512	{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe	104
PID 4512 wrote to memory of 4072	4512	{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe	104
PID 4512 wrote to memory of 388	4512	{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe	105
PID 4512 wrote to memory of 388	4512	{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe	105
PID 4512 wrote to memory of 388	4512	{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe	105
PID 4072 wrote to memory of 1924	4072	{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe	106
PID 4072 wrote to memory of 1924	4072	{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe	106
PID 4072 wrote to memory of 1924	4072	{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe	106
PID 4072 wrote to memory of 4244	4072	{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe	107
PID 4072 wrote to memory of 4244	4072	{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe	107
PID 4072 wrote to memory of 4244	4072	{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe	107
PID 1924 wrote to memory of 4440	1924	{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe	108
PID 1924 wrote to memory of 4440	1924	{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe	108
PID 1924 wrote to memory of 4440	1924	{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe	108
PID 1924 wrote to memory of 2960	1924	{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe	109
PID 1924 wrote to memory of 2960	1924	{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe	109
PID 1924 wrote to memory of 2960	1924	{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe	109
PID 4440 wrote to memory of 3720	4440	{156395C6-C129-48e8-9E17-E928026DE365}.exe	110
PID 4440 wrote to memory of 3720	4440	{156395C6-C129-48e8-9E17-E928026DE365}.exe	110
PID 4440 wrote to memory of 3720	4440	{156395C6-C129-48e8-9E17-E928026DE365}.exe	110
PID 4440 wrote to memory of 4740	4440	{156395C6-C129-48e8-9E17-E928026DE365}.exe	111
PID 4440 wrote to memory of 4740	4440	{156395C6-C129-48e8-9E17-E928026DE365}.exe	111
PID 4440 wrote to memory of 4740	4440	{156395C6-C129-48e8-9E17-E928026DE365}.exe	111
PID 3720 wrote to memory of 3272	3720	{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe	112
PID 3720 wrote to memory of 3272	3720	{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe	112
PID 3720 wrote to memory of 3272	3720	{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe	112
PID 3720 wrote to memory of 784	3720	{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe	113
PID 3720 wrote to memory of 784	3720	{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe	113
PID 3720 wrote to memory of 784	3720	{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe	113
PID 3272 wrote to memory of 116	3272	{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe	114
PID 3272 wrote to memory of 116	3272	{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe	114
PID 3272 wrote to memory of 116	3272	{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe	114
PID 3272 wrote to memory of 1956	3272	{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe	115
PID 3272 wrote to memory of 1956	3272	{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe	115
PID 3272 wrote to memory of 1956	3272	{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe	115
PID 116 wrote to memory of 4880	116	{085A3F8E-CEBA-423d-BDE3-A55634544E87}.exe	116
PID 116 wrote to memory of 4880	116	{085A3F8E-CEBA-423d-BDE3-A55634544E87}.exe	116
PID 116 wrote to memory of 4880	116	{085A3F8E-CEBA-423d-BDE3-A55634544E87}.exe	116
PID 116 wrote to memory of 1404	116	{085A3F8E-CEBA-423d-BDE3-A55634544E87}.exe	117

C:\Users\Admin\AppData\Local\Temp\3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe
"C:\Users\Admin\AppData\Local\Temp\3c6148059eb425ec2512d1cdc51b96c41097f78e39b1c1d0b555aaa2f9909dbd.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe
  C:\Windows\{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe
    C:\Windows\{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe
      C:\Windows\{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4608
    - - C:\Windows\{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe
        
        C:\Windows\{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4512
      - C:\Windows\{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe
        
        C:\Windows\{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe
        
        C:\Windows\{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{156395C6-C129-48e8-9E17-E928026DE365}.exe
        
        C:\Windows\{156395C6-C129-48e8-9E17-E928026DE365}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe
        
        C:\Windows\{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe
        
        C:\Windows\{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\{085A3F8E-CEBA-423d-BDE3-A55634544E87}.exe
        
        C:\Windows\{085A3F8E-CEBA-423d-BDE3-A55634544E87}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\{50C7391B-6631-4f63-8CCA-11556228CC2A}.exe
        
        C:\Windows\{50C7391B-6631-4f63-8CCA-11556228CC2A}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\{DFC45A51-114D-431d-A6C0-68EB1B45F0D8}.exe
        
        C:\Windows\{DFC45A51-114D-431d-A6C0-68EB1B45F0D8}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50C73~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{085A3~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2BFA~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C486~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15639~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40EA1~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1F21~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C14F~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CC9A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CAAA9~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{75FB4~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3C6148~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{085A3F8E-CEBA-423d-BDE3-A55634544E87}.exe

Filesize
89KB

MD5
816fd32a7cf4c42bae524f5e36d6acac

SHA1
78510a8407e4f3276a1e5cfa1195836ea28d1d59

SHA256
851d9d2a158d3a499deb745af35e68d6f2e9e437b15461839c67e2b02cd56101

SHA512
ecd6bedb724754b8ba0e268d822604a975daad9be7d4ef89b571ae4552d411a54d2b9e03d35cabe81d4940a7f44b1e3152ff5432ba808b75e87d33848b471df8

Download Submit
C:\Windows\{0C14F682-7320-4ec8-B15B-F34D756CFB14}.exe

Filesize
89KB

MD5
e5b7841cbef7a1b02b82e810061a0cef

SHA1
e4f3d9746cfbadd922c9b7d6b163d7febe649a84

SHA256
05e5d0581f5ff808eaa4242bbd4424707cc9652b569ac56f9ca2c9745ece2dd6

SHA512
6640cd8ddadafdcb0feb07db5df372baa1ed72954f3b2de3ea32cfe18478ff9e7b864fd9aba706f84b0f7835c4a1a85d7bdaac85e9cf88b55067255fe560bba3

Download Submit
C:\Windows\{156395C6-C129-48e8-9E17-E928026DE365}.exe

Filesize
89KB

MD5
d08155ab4b380fad03db8699e4258e4a

SHA1
62c8a30ee2ac8fa4a7fbfbec0ed9fde42eda1637

SHA256
6a1aeebbc7e320f2df278b80cd09d578216bb4818c3215e1a97a09774233269e

SHA512
c8f914e781013955ea8c90defb44fa7e8c1a7bd41eb2cfe436d0c57169cb2c89744027982ba05b4e94fca6cb77ab1a434e92dcef65827d0e0d58470a2e4dd05f

Download Submit
C:\Windows\{40EA12CA-133B-4064-B3B8-01B05EB9EF15}.exe

Filesize
89KB

MD5
39b9cbd7a37251ff8d9b78134870f520

SHA1
89f052d72091cec3f66407bcc4027bca2ae28a57

SHA256
a5353692ed4c805f0f628a4bf083c48732bfab783ad369fd5f68d5963a1cbc9e

SHA512
237ad4ec47a2d6d5e6c9fc9fbcce71c59c92b787e5297b6bcf8aaa05e65b7574321a1f77b32b3340dded70667936ff0db6ae3b39cb0cbb09f307b4bd0b7985f8

Download Submit
C:\Windows\{4CC9A1F7-901A-4591-9852-2D8B5AE38C2E}.exe

Filesize
89KB

MD5
80559c3e837778946ed1422f72b3f195

SHA1
362555f0c54948b17d2f7e943d422ed749f9c2a5

SHA256
d2eba26cb47b7f1467566779717a3f223f40c40a539b08b02966cf125cb1fdd6

SHA512
4cc84d956c4910ec0ad93021cdd067d268e36b5cf567650d3173ed9d7a755bd874584206f14c1ae21a262733b8a831e4bf9e0c8f4005533e3831d64c6ced2be9

Download Submit
C:\Windows\{50C7391B-6631-4f63-8CCA-11556228CC2A}.exe

Filesize
89KB

MD5
07bbfc03a716b7c9a8d28507a4947c7a

SHA1
50be1161717a252712c3ab839eed707ffa169f62

SHA256
f74f7eb94d3f0836edf5b0ff8d790ec9c59c48ffb3344397de908dd2607d2008

SHA512
694e21fbae3d51d2dcc46430f0d55693bfc9a1160d1f30c4363a2c6d387aaba6b0485cb2611187f81853060ffc02e54a367ddd6f215fafc4f695c47d325c8106

Download Submit
C:\Windows\{75FB40D0-6D87-4b8b-9CCF-80366F406A9C}.exe

Filesize
89KB

MD5
3bdd6daff0fbf88d401d3bc79ed746c7

SHA1
8d2f58cde31e9f42a66f6cef8330d36d3f5477fc

SHA256
8a82d6c70c17cfc60fbdb5bae7aabeabc38ceb509a5dba4a0bbff7bd31f6fd3c

SHA512
87534fbdd9672fecfaec72e35052d62d2f61e79a166bc8b7eae99ca8b2dd4622df6583f533c71138c1fcbe5649d21bfa55f0bfb16cd1f0e85cf7d99dd3d604ef

Download Submit
C:\Windows\{7C486114-8A9E-4c75-A108-6E5190DA2170}.exe

Filesize
89KB

MD5
f811ffe2c0c8689f5ae65c273e06c9ce

SHA1
0a18240cd92dd7914ea6fee736a3ba63e957bc1b

SHA256
2e1c572b4fff1c7fd1284e6d5f120d9d7c737f2cf848debdf8153b78e561a141

SHA512
8da291aa7a754e1fc2b7f5f7294fd118096be84325d2f604670b02f1a6b36de4461b16db1c434736b06195abbeb45aa754caf7eae7063dd6d32548143d4c3e50

Download Submit
C:\Windows\{B2BFACFA-6B3C-4e58-AE65-698DC5B13521}.exe

Filesize
89KB

MD5
9f3c0ddea2cfa0dd2c520b0666a179b0

SHA1
7770c849a87e0b7632a7f4dd3c408eed0eb58e8f

SHA256
432e79911de24e80439e72a218278c8b8fbdf160cf41749fa0801bb750c84f92

SHA512
97155c2e07b90b3b36a9509e2739088c3e58ef3b02bf5ba07c50fd7afef95a218079b70a99dccd8bca80b63b3562c8c79bb1090b3ed378546c908ff90ed8f72b

Download Submit
C:\Windows\{CAAA90DD-E20E-40a7-B962-B5CF68B66A49}.exe

Filesize
89KB

MD5
d323da0027f8e23c4bbdd3f6fb770ed7

SHA1
db32353cfbc434a1186346969cbf792f246b0939

SHA256
4299e3f6794085d85d0cd595d44a42c64eac619129325fca96122ff6a981e272

SHA512
e6654f4595c3100e6bddba108dedc6887aa201cdb176c5c97a84bd3216050b22acda8e6191cf806c311f850ebe699ae40f38407a6b6efd49cc4e8cde38b66759

Download Submit
C:\Windows\{DFC45A51-114D-431d-A6C0-68EB1B45F0D8}.exe

Filesize
89KB

MD5
05d92991f8d5dd5da3845279377af916

SHA1
3eda49c0d759b33e9c2400a0e128fa3d3ae6f081

SHA256
55344ea590e4cfbd08d031a8b098b943a94ccba6517b9c922aa0878c6b7c6edc

SHA512
df06d08e2b3b8eb77e8ef3876c136b76f79c07c5aae4afbc319a6b3a5bb9d4e78d8b877300469a717410aee00ff14dfa84be317f9bc04fec1c4268458a9050c7

Download Submit
C:\Windows\{F1F21ED6-202A-418d-9E8C-49831BD721A9}.exe

Filesize
89KB

MD5
7da6d7db2f38e2833c1626991b29c7cc

SHA1
903629fe8b84d109524d477d980fd474a94829f4

SHA256
e19f5ae9f5f5e6dadd5f7cf8c3618f185161f45dda26aa460e6ddcb8780a6f51

SHA512
43e6ec664545ad9d9f9d19281cf1350e9c2601bab92ed57c501a79fd7172578367890fd50cb41c11edf590256bf036c8b52a884906962bf9f82a1e3351b65b6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads