204a8848fe4ac7372fcaf6d5991d3307b2a830cdb512a101bb98bdc76c4ae0f9

Analysis

max time kernel
119s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61f6f1ce2c200de6548715b00bf883b0N.exe
Size

88KB
MD5

61f6f1ce2c200de6548715b00bf883b0
SHA1

d163e12718ca0f7e393bc2d90a1abec58e4b0f2c
SHA256

204a8848fe4ac7372fcaf6d5991d3307b2a830cdb512a101bb98bdc76c4ae0f9
SHA512

97fdf30958f1ac59e3dd8e7c7034ec11938bc489942c121b2c78a478d8b43093738ab512750ba2d9ff65d25573d032fb6352841c91291029554044f4abaeca50
SSDEEP

768:5vw9816thKQLron4/wQkNrfrunMxVFA3V:lEG/0onlbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF71F8B2-8D6B-4023-9A03-405AD78EF288}\stubpath = "C:\\Windows\\{BF71F8B2-8D6B-4023-9A03-405AD78EF288}.exe"	{1941AF8E-6756-42f7-827B-7E532ADA42CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}\stubpath = "C:\\Windows\\{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe"	61f6f1ce2c200de6548715b00bf883b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}	{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D03D7767-E00B-423a-993D-222A23CD358C}\stubpath = "C:\\Windows\\{D03D7767-E00B-423a-993D-222A23CD358C}.exe"	{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}	{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}\stubpath = "C:\\Windows\\{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe"	{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF71F8B2-8D6B-4023-9A03-405AD78EF288}	{1941AF8E-6756-42f7-827B-7E532ADA42CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}	61f6f1ce2c200de6548715b00bf883b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}	{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}	{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D03D7767-E00B-423a-993D-222A23CD358C}	{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1941AF8E-6756-42f7-827B-7E532ADA42CC}	{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}\stubpath = "C:\\Windows\\{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe"	{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}\stubpath = "C:\\Windows\\{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe"	{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}\stubpath = "C:\\Windows\\{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe"	{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A7504D5-6D46-425e-9D18-24D3786F5BF3}	{D03D7767-E00B-423a-993D-222A23CD358C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A7504D5-6D46-425e-9D18-24D3786F5BF3}\stubpath = "C:\\Windows\\{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe"	{D03D7767-E00B-423a-993D-222A23CD358C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1941AF8E-6756-42f7-827B-7E532ADA42CC}\stubpath = "C:\\Windows\\{1941AF8E-6756-42f7-827B-7E532ADA42CC}.exe"	{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe

Deletes itself 1 IoCs

pid	Process
1516	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2276	{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe
2684	{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe
2996	{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe
2856	{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe
2104	{D03D7767-E00B-423a-993D-222A23CD358C}.exe
1940	{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe
1432	{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe
1768	{1941AF8E-6756-42f7-827B-7E532ADA42CC}.exe
2124	{BF71F8B2-8D6B-4023-9A03-405AD78EF288}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe	61f6f1ce2c200de6548715b00bf883b0N.exe
File created	C:\Windows\{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe	{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe
File created	C:\Windows\{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe	{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe
File created	C:\Windows\{1941AF8E-6756-42f7-827B-7E532ADA42CC}.exe	{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe
File created	C:\Windows\{BF71F8B2-8D6B-4023-9A03-405AD78EF288}.exe	{1941AF8E-6756-42f7-827B-7E532ADA42CC}.exe
File created	C:\Windows\{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe	{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe
File created	C:\Windows\{D03D7767-E00B-423a-993D-222A23CD358C}.exe	{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe
File created	C:\Windows\{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe	{D03D7767-E00B-423a-993D-222A23CD358C}.exe
File created	C:\Windows\{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe	{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1941AF8E-6756-42f7-827B-7E532ADA42CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f6f1ce2c200de6548715b00bf883b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BF71F8B2-8D6B-4023-9A03-405AD78EF288}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D03D7767-E00B-423a-993D-222A23CD358C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2412	61f6f1ce2c200de6548715b00bf883b0N.exe
Token: SeIncBasePriorityPrivilege	2276	{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe
Token: SeIncBasePriorityPrivilege	2684	{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe
Token: SeIncBasePriorityPrivilege	2996	{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe
Token: SeIncBasePriorityPrivilege	2856	{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe
Token: SeIncBasePriorityPrivilege	2104	{D03D7767-E00B-423a-993D-222A23CD358C}.exe
Token: SeIncBasePriorityPrivilege	1940	{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe
Token: SeIncBasePriorityPrivilege	1432	{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe
Token: SeIncBasePriorityPrivilege	1768	{1941AF8E-6756-42f7-827B-7E532ADA42CC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2276	2412	61f6f1ce2c200de6548715b00bf883b0N.exe	31
PID 2412 wrote to memory of 2276	2412	61f6f1ce2c200de6548715b00bf883b0N.exe	31
PID 2412 wrote to memory of 2276	2412	61f6f1ce2c200de6548715b00bf883b0N.exe	31
PID 2412 wrote to memory of 2276	2412	61f6f1ce2c200de6548715b00bf883b0N.exe	31
PID 2412 wrote to memory of 1516	2412	61f6f1ce2c200de6548715b00bf883b0N.exe	32
PID 2412 wrote to memory of 1516	2412	61f6f1ce2c200de6548715b00bf883b0N.exe	32
PID 2412 wrote to memory of 1516	2412	61f6f1ce2c200de6548715b00bf883b0N.exe	32
PID 2412 wrote to memory of 1516	2412	61f6f1ce2c200de6548715b00bf883b0N.exe	32
PID 2276 wrote to memory of 2684	2276	{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe	33
PID 2276 wrote to memory of 2684	2276	{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe	33
PID 2276 wrote to memory of 2684	2276	{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe	33
PID 2276 wrote to memory of 2684	2276	{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe	33
PID 2276 wrote to memory of 2848	2276	{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe	34
PID 2276 wrote to memory of 2848	2276	{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe	34
PID 2276 wrote to memory of 2848	2276	{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe	34
PID 2276 wrote to memory of 2848	2276	{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe	34
PID 2684 wrote to memory of 2996	2684	{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe	35
PID 2684 wrote to memory of 2996	2684	{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe	35
PID 2684 wrote to memory of 2996	2684	{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe	35
PID 2684 wrote to memory of 2996	2684	{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe	35
PID 2684 wrote to memory of 2916	2684	{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe	36
PID 2684 wrote to memory of 2916	2684	{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe	36
PID 2684 wrote to memory of 2916	2684	{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe	36
PID 2684 wrote to memory of 2916	2684	{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe	36
PID 2996 wrote to memory of 2856	2996	{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe	37
PID 2996 wrote to memory of 2856	2996	{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe	37
PID 2996 wrote to memory of 2856	2996	{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe	37
PID 2996 wrote to memory of 2856	2996	{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe	37
PID 2996 wrote to memory of 2548	2996	{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe	38
PID 2996 wrote to memory of 2548	2996	{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe	38
PID 2996 wrote to memory of 2548	2996	{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe	38
PID 2996 wrote to memory of 2548	2996	{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe	38
PID 2856 wrote to memory of 2104	2856	{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe	39
PID 2856 wrote to memory of 2104	2856	{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe	39
PID 2856 wrote to memory of 2104	2856	{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe	39
PID 2856 wrote to memory of 2104	2856	{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe	39
PID 2856 wrote to memory of 1684	2856	{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe	40
PID 2856 wrote to memory of 1684	2856	{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe	40
PID 2856 wrote to memory of 1684	2856	{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe	40
PID 2856 wrote to memory of 1684	2856	{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe	40
PID 2104 wrote to memory of 1940	2104	{D03D7767-E00B-423a-993D-222A23CD358C}.exe	41
PID 2104 wrote to memory of 1940	2104	{D03D7767-E00B-423a-993D-222A23CD358C}.exe	41
PID 2104 wrote to memory of 1940	2104	{D03D7767-E00B-423a-993D-222A23CD358C}.exe	41
PID 2104 wrote to memory of 1940	2104	{D03D7767-E00B-423a-993D-222A23CD358C}.exe	41
PID 2104 wrote to memory of 2592	2104	{D03D7767-E00B-423a-993D-222A23CD358C}.exe	42
PID 2104 wrote to memory of 2592	2104	{D03D7767-E00B-423a-993D-222A23CD358C}.exe	42
PID 2104 wrote to memory of 2592	2104	{D03D7767-E00B-423a-993D-222A23CD358C}.exe	42
PID 2104 wrote to memory of 2592	2104	{D03D7767-E00B-423a-993D-222A23CD358C}.exe	42
PID 1940 wrote to memory of 1432	1940	{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe	43
PID 1940 wrote to memory of 1432	1940	{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe	43
PID 1940 wrote to memory of 1432	1940	{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe	43
PID 1940 wrote to memory of 1432	1940	{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe	43
PID 1940 wrote to memory of 1176	1940	{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe	44
PID 1940 wrote to memory of 1176	1940	{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe	44
PID 1940 wrote to memory of 1176	1940	{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe	44
PID 1940 wrote to memory of 1176	1940	{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe	44
PID 1432 wrote to memory of 1768	1432	{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe	45
PID 1432 wrote to memory of 1768	1432	{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe	45
PID 1432 wrote to memory of 1768	1432	{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe	45
PID 1432 wrote to memory of 1768	1432	{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe	45
PID 1432 wrote to memory of 2900	1432	{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe	46
PID 1432 wrote to memory of 2900	1432	{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe	46
PID 1432 wrote to memory of 2900	1432	{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe	46
PID 1432 wrote to memory of 2900	1432	{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe	46

C:\Users\Admin\AppData\Local\Temp\61f6f1ce2c200de6548715b00bf883b0N.exe
"C:\Users\Admin\AppData\Local\Temp\61f6f1ce2c200de6548715b00bf883b0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe
  C:\Windows\{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe
    C:\Windows\{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe
      C:\Windows\{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe
        
        C:\Windows\{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\{D03D7767-E00B-423a-993D-222A23CD358C}.exe
        
        C:\Windows\{D03D7767-E00B-423a-993D-222A23CD358C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe
        
        C:\Windows\{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe
        
        C:\Windows\{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\{1941AF8E-6756-42f7-827B-7E532ADA42CC}.exe
        
        C:\Windows\{1941AF8E-6756-42f7-827B-7E532ADA42CC}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\{BF71F8B2-8D6B-4023-9A03-405AD78EF288}.exe
        
        C:\Windows\{BF71F8B2-8D6B-4023-9A03-405AD78EF288}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1941A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAD12~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A750~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D03D7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAF3B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEEE7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CE0DA~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1BFBB~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\61F6F1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1941AF8E-6756-42f7-827B-7E532ADA42CC}.exe

Filesize
88KB

MD5
28de44d744010391c0f7f3364fee8ff7

SHA1
ea8e5e46b71e46ced7fd0f4a6ee5d6a0f9b4b4d4

SHA256
c177802eadaa39a2026b2b19d4934d9a7dd7df3291461df1991a60d35955069c

SHA512
21812c3c1bbd2ac0d0f66cb35390d3dfdcd910fdad7a19d69c2525b49e5a885ef72cce90cf1831da26d54d83e43873c6e7d65007017aca49bf300777784b0a35

Download Submit
C:\Windows\{1A7504D5-6D46-425e-9D18-24D3786F5BF3}.exe

Filesize
88KB

MD5
4592d8ddc8758a05d07dee7c7c0718cf

SHA1
39b225d0e0cb195079c3cdfc5caa97673da11290

SHA256
859b0ff68db2a7a68d7acd732e66021c9e81f5f1525fbc87b4c051511ab16481

SHA512
92827d4e6bac839fd79e040d52323cb866b6619757dae506be13db91970698f734e4f9d5fbae3dda5bae78f89c50abf01c0e1dde6fcb25b412c780691706eb37

Download Submit
C:\Windows\{1BFBB940-9ED2-4445-9D68-EC5CA12E4F71}.exe

Filesize
88KB

MD5
c6cec44040fd73eb13c26eb60911f46e

SHA1
6091d061b13561b45b434d1e1eb0d462d4ac7fa0

SHA256
03f4f8e296016f2f840ab8ff9f694df442c9d776b98fe4c4ac2f7fe80f9763fc

SHA512
118042a803aeaddaea2e571deced9d66520c6be1ae87507304b213f2d59b8963053fcff546a6ca93bbf33b8a2ef3c856fde6e770eea2175ec71ff351e7404522

Download Submit
C:\Windows\{AAD12AA3-8B11-45de-99CA-C10D49C2BF74}.exe

Filesize
88KB

MD5
f3c39da28ca0394cccfe93a2cb04980a

SHA1
291619bffbdef1092a9c79fa89df9aa678b3dc17

SHA256
f58ce34eaf3acc0efa21bb92d85aeb57a09204156ca4e1c41ae2cdd9aed87e12

SHA512
959d13a60b6bd38030a7acf8e67b4676951de52db1d13eeb3a8a76643cc132e268e81d94d346403db3fe92e8775534e60f4ff00efc63ebc1c626d777696872ba

Download Submit
C:\Windows\{AEEE759E-37A1-4ac5-885C-BAC152CDD8D3}.exe

Filesize
88KB

MD5
fbe85bc5a4fb3da1fbb19d66bc9af755

SHA1
9dc585c6976ec6e038fbc5a93c111e55fa733e7f

SHA256
4600f851d295ab7e8266061cf99717c7ac12c5c9e65ef4ed3ba8179c28c53a83

SHA512
077e9408d974453a92ee6307bec23af8406e8082ed8682a536b412d88ff9b310bacf648a25bae95cb0f1da05d49909f3f877f4ec72a92338796eccf38fd9e82f

Download Submit
C:\Windows\{BF71F8B2-8D6B-4023-9A03-405AD78EF288}.exe

Filesize
88KB

MD5
55a7e86787cfb3646ca1128a3f7420b7

SHA1
1d3df8a5cf391c6432b0381b1f36ad9f21c3bd14

SHA256
73a21b30e030a573d30a54ca86986c0f7968e3624885559af5bc5d4d4ab9d737

SHA512
286cafa064efe7b9fde901ba28d88387b4cabc697402ce90f7df32660c7b2155cb372b8e171e0244d24e1cbc3baff56c82a26d0aefad4577ca3f14d2e8a744ec

Download Submit
C:\Windows\{CE0DA1F0-4738-4325-A2FB-F00AB9112E91}.exe

Filesize
88KB

MD5
61e561badf8ae979b5f1061cbc427648

SHA1
8f5b98bc7bf94f1e432cd14051f49193c5ac1f44

SHA256
487b30d808a6fec2f7f9089dac191c0f91c66cc3a8e0de4f409667c899cd53ad

SHA512
44fb27fa1bbf614104584dc47d065c7f60b6382ed26969e063dbb23d93292bae989031564be2c27095e02195f3d31f0c488a4c9be5dd30621d0c28b6a7682ece

Download Submit
C:\Windows\{D03D7767-E00B-423a-993D-222A23CD358C}.exe

Filesize
88KB

MD5
8e53ff5454614270f2fc5777f486c677

SHA1
25c8533e07066caab25076005693d4f4cf4b5ece

SHA256
679e849a15c057f10989aa0c045380012a763a16698f80fb1d8dc132d6c13b05

SHA512
494cd60b4afa156b517d770036aff99e53857f277f3b608a3c5d0ffb8b602fc1b3a2a81b8c2aa7e027a6dd158be9da6f9dc5582bb04e085d9b96dd7db780fc92

Download Submit
C:\Windows\{EAF3BF2C-AA17-40a1-880F-CD3B3B5EDF31}.exe

Filesize
88KB

MD5
13e9fef9f51b7befb4d90eef38949326

SHA1
2c0cdc33f15b72514616d094573834ed07726dba

SHA256
7c53e62d317e41dd13c685073690cc728ed11a793a3bdf4db81d27134f1c60fe

SHA512
99149256ba3e3c7b50cfe11a0f274c0a840fb04772747ce3b3f3047fbbb547188984c0a31d820241c7172d4b3ea54aa0a184fe17d69ed897c9ae20c9b68087ed

Download Submit
memory/1432-75-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1432-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1432-71-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/1432-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1768-84-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1768-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1940-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1940-60-0x0000000000350000-0x0000000000361000-memory.dmp

Filesize
68KB

Download
memory/2104-50-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2104-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2124-86-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2276-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2276-13-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/2412-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2412-3-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2412-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2412-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2684-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2684-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2684-27-0x00000000003C0000-0x00000000003D1000-memory.dmp

Filesize
68KB

Download
memory/2684-23-0x00000000003C0000-0x00000000003D1000-memory.dmp

Filesize
68KB

Download
memory/2856-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2856-42-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2996-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2996-33-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads