f18009dc2b6a94a2e982e72c4fe886f3eb7f2322374e8600ef18bf608cbb6cda

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45091dcc4a103eb84069e7e8cddb66a0N.exe
Size

83KB
MD5

45091dcc4a103eb84069e7e8cddb66a0
SHA1

171971b49ff6102c41bd066aab434bb91fb8e562
SHA256

f18009dc2b6a94a2e982e72c4fe886f3eb7f2322374e8600ef18bf608cbb6cda
SHA512

90b3d5de07ea5d66e0408fb7dcfa7ecf46f95ee6a2eab230196ff4b4871cec06b12f8c8f86416030b5320f64bb373d369b9d2690f271c85cc0acc5f354f9866f
SSDEEP

1536:q4Gh0o4n0p3nouy8QbunMxVS3HgdoKjhLJh731xvsr:q4Gh0o4n05outQCMUyNjhLJh731xvsr

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF031698-DD3D-4e99-ABC1-047AF521D2B5}\stubpath = "C:\\Windows\\{DF031698-DD3D-4e99-ABC1-047AF521D2B5}.exe"	{854AF056-85D2-4409-B838-B75552C08E22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{005A83FB-2B81-4e32-ABBD-6B88BBACAB1A}\stubpath = "C:\\Windows\\{005A83FB-2B81-4e32-ABBD-6B88BBACAB1A}.exe"	{DF031698-DD3D-4e99-ABC1-047AF521D2B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}\stubpath = "C:\\Windows\\{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe"	{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{868708F3-C476-4011-970A-6E3BAFA97965}	{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE58E6EA-2D6B-4052-8086-96ED62D74E33}	{868708F3-C476-4011-970A-6E3BAFA97965}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}	{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}\stubpath = "C:\\Windows\\{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe"	{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF031698-DD3D-4e99-ABC1-047AF521D2B5}	{854AF056-85D2-4409-B838-B75552C08E22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}	{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}\stubpath = "C:\\Windows\\{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe"	{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{854AF056-85D2-4409-B838-B75552C08E22}	{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}	45091dcc4a103eb84069e7e8cddb66a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{868708F3-C476-4011-970A-6E3BAFA97965}\stubpath = "C:\\Windows\\{868708F3-C476-4011-970A-6E3BAFA97965}.exe"	{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE58E6EA-2D6B-4052-8086-96ED62D74E33}\stubpath = "C:\\Windows\\{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe"	{868708F3-C476-4011-970A-6E3BAFA97965}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}	{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{854AF056-85D2-4409-B838-B75552C08E22}\stubpath = "C:\\Windows\\{854AF056-85D2-4409-B838-B75552C08E22}.exe"	{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}\stubpath = "C:\\Windows\\{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe"	45091dcc4a103eb84069e7e8cddb66a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{005A83FB-2B81-4e32-ABBD-6B88BBACAB1A}	{DF031698-DD3D-4e99-ABC1-047AF521D2B5}.exe

Deletes itself 1 IoCs

pid	Process
2096	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1144	{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe
2872	{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe
2720	{868708F3-C476-4011-970A-6E3BAFA97965}.exe
2616	{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe
2820	{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe
932	{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe
1612	{854AF056-85D2-4409-B838-B75552C08E22}.exe
1236	{DF031698-DD3D-4e99-ABC1-047AF521D2B5}.exe
2516	{005A83FB-2B81-4e32-ABBD-6B88BBACAB1A}.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1232-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1232-1-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1232-4-0x00000000003E0000-0x00000000003F3000-memory.dmp	upx
behavioral1/files/0x00090000000173c2-8.dat	upx
behavioral1/memory/1232-10-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1144-11-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1144-15-0x00000000002A0000-0x00000000002B3000-memory.dmp	upx
behavioral1/memory/2872-21-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1144-19-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-20.dat	upx
behavioral1/files/0x000a0000000173c2-30.dat	upx
behavioral1/memory/2872-31-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2720-32-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2720-39-0x0000000000550000-0x0000000000563000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-42.dat	upx
behavioral1/memory/2720-41-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2616-43-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2616-52-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000b0000000173c2-53.dat	upx
behavioral1/memory/2820-54-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0006000000004ed7-64.dat	upx
behavioral1/memory/932-65-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2820-63-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000c0000000173c2-75.dat	upx
behavioral1/memory/932-74-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1612-76-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1612-83-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0007000000004ed7-84.dat	upx
behavioral1/memory/1236-85-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1236-92-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000d0000000173c2-93.dat	upx
behavioral1/memory/2516-94-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe	{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe
File created	C:\Windows\{868708F3-C476-4011-970A-6E3BAFA97965}.exe	{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe
File created	C:\Windows\{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe	{868708F3-C476-4011-970A-6E3BAFA97965}.exe
File created	C:\Windows\{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe	{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe
File created	C:\Windows\{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe	{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe
File created	C:\Windows\{854AF056-85D2-4409-B838-B75552C08E22}.exe	{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe
File created	C:\Windows\{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe	45091dcc4a103eb84069e7e8cddb66a0N.exe
File created	C:\Windows\{DF031698-DD3D-4e99-ABC1-047AF521D2B5}.exe	{854AF056-85D2-4409-B838-B75552C08E22}.exe
File created	C:\Windows\{005A83FB-2B81-4e32-ABBD-6B88BBACAB1A}.exe	{DF031698-DD3D-4e99-ABC1-047AF521D2B5}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF031698-DD3D-4e99-ABC1-047AF521D2B5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{005A83FB-2B81-4e32-ABBD-6B88BBACAB1A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45091dcc4a103eb84069e7e8cddb66a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{854AF056-85D2-4409-B838-B75552C08E22}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{868708F3-C476-4011-970A-6E3BAFA97965}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1232	45091dcc4a103eb84069e7e8cddb66a0N.exe
Token: SeIncBasePriorityPrivilege	1144	{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe
Token: SeIncBasePriorityPrivilege	2872	{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe
Token: SeIncBasePriorityPrivilege	2720	{868708F3-C476-4011-970A-6E3BAFA97965}.exe
Token: SeIncBasePriorityPrivilege	2616	{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe
Token: SeIncBasePriorityPrivilege	2820	{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe
Token: SeIncBasePriorityPrivilege	932	{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe
Token: SeIncBasePriorityPrivilege	1612	{854AF056-85D2-4409-B838-B75552C08E22}.exe
Token: SeIncBasePriorityPrivilege	1236	{DF031698-DD3D-4e99-ABC1-047AF521D2B5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 1144	1232	45091dcc4a103eb84069e7e8cddb66a0N.exe	31
PID 1232 wrote to memory of 1144	1232	45091dcc4a103eb84069e7e8cddb66a0N.exe	31
PID 1232 wrote to memory of 1144	1232	45091dcc4a103eb84069e7e8cddb66a0N.exe	31
PID 1232 wrote to memory of 1144	1232	45091dcc4a103eb84069e7e8cddb66a0N.exe	31
PID 1232 wrote to memory of 2096	1232	45091dcc4a103eb84069e7e8cddb66a0N.exe	32
PID 1232 wrote to memory of 2096	1232	45091dcc4a103eb84069e7e8cddb66a0N.exe	32
PID 1232 wrote to memory of 2096	1232	45091dcc4a103eb84069e7e8cddb66a0N.exe	32
PID 1232 wrote to memory of 2096	1232	45091dcc4a103eb84069e7e8cddb66a0N.exe	32
PID 1144 wrote to memory of 2872	1144	{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe	33
PID 1144 wrote to memory of 2872	1144	{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe	33
PID 1144 wrote to memory of 2872	1144	{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe	33
PID 1144 wrote to memory of 2872	1144	{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe	33
PID 1144 wrote to memory of 2892	1144	{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe	34
PID 1144 wrote to memory of 2892	1144	{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe	34
PID 1144 wrote to memory of 2892	1144	{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe	34
PID 1144 wrote to memory of 2892	1144	{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe	34
PID 2872 wrote to memory of 2720	2872	{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe	35
PID 2872 wrote to memory of 2720	2872	{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe	35
PID 2872 wrote to memory of 2720	2872	{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe	35
PID 2872 wrote to memory of 2720	2872	{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe	35
PID 2872 wrote to memory of 2800	2872	{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe	36
PID 2872 wrote to memory of 2800	2872	{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe	36
PID 2872 wrote to memory of 2800	2872	{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe	36
PID 2872 wrote to memory of 2800	2872	{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe	36
PID 2720 wrote to memory of 2616	2720	{868708F3-C476-4011-970A-6E3BAFA97965}.exe	37
PID 2720 wrote to memory of 2616	2720	{868708F3-C476-4011-970A-6E3BAFA97965}.exe	37
PID 2720 wrote to memory of 2616	2720	{868708F3-C476-4011-970A-6E3BAFA97965}.exe	37
PID 2720 wrote to memory of 2616	2720	{868708F3-C476-4011-970A-6E3BAFA97965}.exe	37
PID 2720 wrote to memory of 2668	2720	{868708F3-C476-4011-970A-6E3BAFA97965}.exe	38
PID 2720 wrote to memory of 2668	2720	{868708F3-C476-4011-970A-6E3BAFA97965}.exe	38
PID 2720 wrote to memory of 2668	2720	{868708F3-C476-4011-970A-6E3BAFA97965}.exe	38
PID 2720 wrote to memory of 2668	2720	{868708F3-C476-4011-970A-6E3BAFA97965}.exe	38
PID 2616 wrote to memory of 2820	2616	{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe	39
PID 2616 wrote to memory of 2820	2616	{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe	39
PID 2616 wrote to memory of 2820	2616	{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe	39
PID 2616 wrote to memory of 2820	2616	{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe	39
PID 2616 wrote to memory of 1660	2616	{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe	40
PID 2616 wrote to memory of 1660	2616	{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe	40
PID 2616 wrote to memory of 1660	2616	{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe	40
PID 2616 wrote to memory of 1660	2616	{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe	40
PID 2820 wrote to memory of 932	2820	{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe	41
PID 2820 wrote to memory of 932	2820	{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe	41
PID 2820 wrote to memory of 932	2820	{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe	41
PID 2820 wrote to memory of 932	2820	{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe	41
PID 2820 wrote to memory of 2832	2820	{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe	42
PID 2820 wrote to memory of 2832	2820	{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe	42
PID 2820 wrote to memory of 2832	2820	{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe	42
PID 2820 wrote to memory of 2832	2820	{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe	42
PID 932 wrote to memory of 1612	932	{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe	43
PID 932 wrote to memory of 1612	932	{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe	43
PID 932 wrote to memory of 1612	932	{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe	43
PID 932 wrote to memory of 1612	932	{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe	43
PID 932 wrote to memory of 2024	932	{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe	44
PID 932 wrote to memory of 2024	932	{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe	44
PID 932 wrote to memory of 2024	932	{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe	44
PID 932 wrote to memory of 2024	932	{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe	44
PID 1612 wrote to memory of 1236	1612	{854AF056-85D2-4409-B838-B75552C08E22}.exe	45
PID 1612 wrote to memory of 1236	1612	{854AF056-85D2-4409-B838-B75552C08E22}.exe	45
PID 1612 wrote to memory of 1236	1612	{854AF056-85D2-4409-B838-B75552C08E22}.exe	45
PID 1612 wrote to memory of 1236	1612	{854AF056-85D2-4409-B838-B75552C08E22}.exe	45
PID 1612 wrote to memory of 2328	1612	{854AF056-85D2-4409-B838-B75552C08E22}.exe	46
PID 1612 wrote to memory of 2328	1612	{854AF056-85D2-4409-B838-B75552C08E22}.exe	46
PID 1612 wrote to memory of 2328	1612	{854AF056-85D2-4409-B838-B75552C08E22}.exe	46
PID 1612 wrote to memory of 2328	1612	{854AF056-85D2-4409-B838-B75552C08E22}.exe	46

C:\Users\Admin\AppData\Local\Temp\45091dcc4a103eb84069e7e8cddb66a0N.exe
"C:\Users\Admin\AppData\Local\Temp\45091dcc4a103eb84069e7e8cddb66a0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe
  C:\Windows\{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe
    C:\Windows\{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\{868708F3-C476-4011-970A-6E3BAFA97965}.exe
      C:\Windows\{868708F3-C476-4011-970A-6E3BAFA97965}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe
        
        C:\Windows\{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe
        
        C:\Windows\{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe
        
        C:\Windows\{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\{854AF056-85D2-4409-B838-B75552C08E22}.exe
        
        C:\Windows\{854AF056-85D2-4409-B838-B75552C08E22}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{DF031698-DD3D-4e99-ABC1-047AF521D2B5}.exe
        
        C:\Windows\{DF031698-DD3D-4e99-ABC1-047AF521D2B5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\{005A83FB-2B81-4e32-ABBD-6B88BBACAB1A}.exe
        
        C:\Windows\{005A83FB-2B81-4e32-ABBD-6B88BBACAB1A}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF031~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{854AF~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4652~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4159B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE58E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86870~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{37243~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{41DB7~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\45091D~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{005A83FB-2B81-4e32-ABBD-6B88BBACAB1A}.exe

Filesize
83KB

MD5
6746b8f3d250cc34ce086afd4650158e

SHA1
688c7913b68a8253cf751e2f129131d33cc561a2

SHA256
5768741f3c87506449a6a7d925e6d726eacdc19a1489c85748c2aaf2c9716094

SHA512
8f613998ca3ea486d9c56d576b8cb0b00adcf54723b7e87e0f43d0a1c49f25e564e51fd1b7d39f850fa1d68c8d251f2330107a4eedb5e71cb23795a278d27326

Download Submit
C:\Windows\{37243D7E-FF71-4c75-86E9-7AE94B0A77CB}.exe

Filesize
83KB

MD5
2c503590ce94788cf45f3d734e9654e9

SHA1
a2ebeb1110240e7c3a5f689708abcda63e581433

SHA256
17d470b679e995d171ac00bd6b8a7eb6c3aa079d891056d40f6b553c706e7b86

SHA512
3fc2a98298e18957ae09500e6ea4be345ef22968d6dcdff674edd1cc553955dff041c862d06d39f337546c5a4aad5c306d47c42c314113b4ed5097222268b257

Download Submit
C:\Windows\{4159B14E-4949-4402-AC2A-7DC9BEFC77A0}.exe

Filesize
83KB

MD5
c5875ae36bfe5612f540a9fd1556e142

SHA1
1856f4ed90944834e75ea42a826446cb9a7e02bd

SHA256
6c3e4df83c54f448652cd9c729aec9071a92b7f8c81d347a5183956a23b4291b

SHA512
d9763018ce2897d7a8d719cceae524e04909624690888a4380da9d66b31d91ea9807100821165fc86798441c004302f2c1546662967fb63ce2f0fbd9f3a5359e

Download Submit
C:\Windows\{41DB7123-75ED-4480-9DE4-A7FA1D65A48C}.exe

Filesize
83KB

MD5
420d1c7d9f99ae38d9f144019ea2110b

SHA1
1afa3c25ba827c64477c23d96664e3f4ab237bed

SHA256
f4e1a834bd619c84ea2cf09d4b416f611b5354dd5821f38faf00d8079567a83d

SHA512
05b939f19b24a47e3294bdb00efb207a26c8b54fb7a1da607958b54ab49b567402abd77eb20d60640a6505ab98be15a20c99b98ee8ae06e1e2eab5eadb051daf

Download Submit
C:\Windows\{854AF056-85D2-4409-B838-B75552C08E22}.exe

Filesize
83KB

MD5
37b1a6c627b78e9bd24dd608d930ee78

SHA1
799f0e4883ba07144ebd8613975c375c2bbfdb03

SHA256
c417f40e5070b725dd7aad1d3ebc5c674a021c932d38a10b4d6de01866148618

SHA512
fb573cfed26705fe1f981e33994e0625e467be25c1637cfc52eaf8ef6bac732a5dab8aa93e5d1db80dccc5a49b7c2d866a9eeaba0371250d17f2b19a30009628

Download Submit
C:\Windows\{868708F3-C476-4011-970A-6E3BAFA97965}.exe

Filesize
83KB

MD5
91bc3ac1a04617379e7910b5f1a62f1a

SHA1
697bd492e0cea2611695b9e09a6a7422493d320f

SHA256
15da0f0d0b3225283959a1b4bfd443c5f61bfd890bba80cee1ff410529797a65

SHA512
9f3ee951cb703c21d1fe46f042cf02bba9841b97b8286f2bef3af2847232cf7d268961d09beadea8a33af58835bc097f202934c926a667b3b9b840ecdd838528

Download Submit
C:\Windows\{DF031698-DD3D-4e99-ABC1-047AF521D2B5}.exe

Filesize
83KB

MD5
aac8fa2d37367f74a057362bfde39cb3

SHA1
310ae0a04ff22fcd6a374bb37a623f35d257efbe

SHA256
133af9ae16f16a5cb1817a2bf123ab5be530a00db2bd09755f2143db7f6cbb36

SHA512
1db65d26753e0b288c1b73abf0f269dadd223fe2f2551f86da2bb5873b3a98deaf60328f373770d234141d87db2681c7f21daf2b81b9ef61d41ab4337480feaf

Download Submit
C:\Windows\{E4652A8C-EEB1-4bb0-A5D0-B62407C6B225}.exe

Filesize
83KB

MD5
a50986a2dc9e397f05122ea58115fb45

SHA1
405138a77481c8116249519351ffdefec5c9d480

SHA256
a0a36788f5659b19c178abc548657fd4b8c05e6a7e9b3f9ca12bc20b80f83c1b

SHA512
959f9b461ebe7697568ae21f70457b347899feeaad4f1094f3e40dbf1a5b9c032cc5e16421de8cbc9d5bab15b61282394eeb719c62152d8f06d323b59288f782

Download Submit
C:\Windows\{FE58E6EA-2D6B-4052-8086-96ED62D74E33}.exe

Filesize
83KB

MD5
813eb5750baffdc42397f52501a3880d

SHA1
4de76393e5c351a1094083352dd7aa161c88b878

SHA256
f62b8425256ec13c3232059fb2e85fb764a9e4310bfbbb69706a21c6baf7e15b

SHA512
77cdebdf4b1c5c06492f02d7bd18fa0d4ca0a4f85476213eaf005311e5d4138b600fa59a3c60cd3d367222cebda4a1ebe67b1a3b81e333d1e9313a5817f8bceb

Download Submit
memory/932-65-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/932-73-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/932-72-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/932-74-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1144-15-0x00000000002A0000-0x00000000002B3000-memory.dmp

Filesize
76KB

Download
memory/1144-11-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1144-19-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1232-9-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download
memory/1232-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1232-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1232-4-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download
memory/1232-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1236-92-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1236-85-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1612-76-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1612-83-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2516-94-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2616-43-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2616-52-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2616-50-0x0000000000390000-0x00000000003A3000-memory.dmp

Filesize
76KB

Download
memory/2616-49-0x0000000000390000-0x00000000003A3000-memory.dmp

Filesize
76KB

Download
memory/2720-39-0x0000000000550000-0x0000000000563000-memory.dmp

Filesize
76KB

Download
memory/2720-41-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2720-40-0x0000000000550000-0x0000000000563000-memory.dmp

Filesize
76KB

Download
memory/2720-32-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2820-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2820-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2820-62-0x0000000000390000-0x00000000003A3000-memory.dmp

Filesize
76KB

Download
memory/2820-61-0x0000000000390000-0x00000000003A3000-memory.dmp

Filesize
76KB

Download
memory/2872-28-0x0000000001BF0000-0x0000000001C03000-memory.dmp

Filesize
76KB

Download
memory/2872-29-0x0000000001BF0000-0x0000000001C03000-memory.dmp

Filesize
76KB

Download
memory/2872-31-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2872-21-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads