748c6594e869d2b87b6d6db08842045b42acfd7448f9461a554204d3e4866899

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d267e230e2351bada78c3bf62667570N.exe
Size

90KB
MD5

0d267e230e2351bada78c3bf62667570
SHA1

ae3ff6512b4fe24c41451e81ed76f882c431688e
SHA256

748c6594e869d2b87b6d6db08842045b42acfd7448f9461a554204d3e4866899
SHA512

b3bcddfcf0dcd4b73a5cd3557427998e21d89beebf70670c98d1344db6b0259d0447cc97dfed3b3642302e269775a9bbe1f28fcc6dfe87e3b4a8a47a394cf563
SSDEEP

768:Qvw9816vhKQLro74/wQRNrfrunMxVFA3b7glw:YEGh0o7l2unMxVS3Hg

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64AB1021-CCA0-4a28-84EB-310AAB0701C2}\stubpath = "C:\\Windows\\{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe"	0d267e230e2351bada78c3bf62667570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A3D220A-D07C-490c-8410-E53BA427CC19}	{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A3D220A-D07C-490c-8410-E53BA427CC19}\stubpath = "C:\\Windows\\{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe"	{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DDA8168-A0D3-4a75-87DA-45742AF70956}\stubpath = "C:\\Windows\\{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe"	{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2144132-6025-4583-8666-AF10A4530E57}\stubpath = "C:\\Windows\\{C2144132-6025-4583-8666-AF10A4530E57}.exe"	{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64AB1021-CCA0-4a28-84EB-310AAB0701C2}	0d267e230e2351bada78c3bf62667570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9B113D8-6DDE-423a-A28E-D8934AB17199}	{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9B113D8-6DDE-423a-A28E-D8934AB17199}\stubpath = "C:\\Windows\\{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe"	{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C4347AD-AED5-414d-AF56-2DE7B0FFE117}	{13357041-5365-4d60-9476-3EB88E48621A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C5906ED-92EF-4a0a-B045-02DD527988CF}	{4C4347AD-AED5-414d-AF56-2DE7B0FFE117}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}\stubpath = "C:\\Windows\\{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe"	{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2144132-6025-4583-8666-AF10A4530E57}	{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13357041-5365-4d60-9476-3EB88E48621A}\stubpath = "C:\\Windows\\{13357041-5365-4d60-9476-3EB88E48621A}.exe"	{C2144132-6025-4583-8666-AF10A4530E57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C4347AD-AED5-414d-AF56-2DE7B0FFE117}\stubpath = "C:\\Windows\\{4C4347AD-AED5-414d-AF56-2DE7B0FFE117}.exe"	{13357041-5365-4d60-9476-3EB88E48621A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DDA8168-A0D3-4a75-87DA-45742AF70956}	{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}	{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13357041-5365-4d60-9476-3EB88E48621A}	{C2144132-6025-4583-8666-AF10A4530E57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C5906ED-92EF-4a0a-B045-02DD527988CF}\stubpath = "C:\\Windows\\{6C5906ED-92EF-4a0a-B045-02DD527988CF}.exe"	{4C4347AD-AED5-414d-AF56-2DE7B0FFE117}.exe

Deletes itself 1 IoCs

pid	Process
2336	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1784	{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe
2844	{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe
2872	{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe
1700	{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe
1716	{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe
1152	{C2144132-6025-4583-8666-AF10A4530E57}.exe
1428	{13357041-5365-4d60-9476-3EB88E48621A}.exe
2032	{4C4347AD-AED5-414d-AF56-2DE7B0FFE117}.exe
2436	{6C5906ED-92EF-4a0a-B045-02DD527988CF}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{C2144132-6025-4583-8666-AF10A4530E57}.exe	{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe
File created	C:\Windows\{13357041-5365-4d60-9476-3EB88E48621A}.exe	{C2144132-6025-4583-8666-AF10A4530E57}.exe
File created	C:\Windows\{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe	0d267e230e2351bada78c3bf62667570N.exe
File created	C:\Windows\{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe	{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe
File created	C:\Windows\{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe	{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe
File created	C:\Windows\{4C4347AD-AED5-414d-AF56-2DE7B0FFE117}.exe	{13357041-5365-4d60-9476-3EB88E48621A}.exe
File created	C:\Windows\{6C5906ED-92EF-4a0a-B045-02DD527988CF}.exe	{4C4347AD-AED5-414d-AF56-2DE7B0FFE117}.exe
File created	C:\Windows\{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe	{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe
File created	C:\Windows\{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe	{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C5906ED-92EF-4a0a-B045-02DD527988CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d267e230e2351bada78c3bf62667570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{13357041-5365-4d60-9476-3EB88E48621A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C2144132-6025-4583-8666-AF10A4530E57}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C4347AD-AED5-414d-AF56-2DE7B0FFE117}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2156	0d267e230e2351bada78c3bf62667570N.exe
Token: SeIncBasePriorityPrivilege	1784	{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe
Token: SeIncBasePriorityPrivilege	2844	{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe
Token: SeIncBasePriorityPrivilege	2872	{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe
Token: SeIncBasePriorityPrivilege	1700	{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe
Token: SeIncBasePriorityPrivilege	1716	{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe
Token: SeIncBasePriorityPrivilege	1152	{C2144132-6025-4583-8666-AF10A4530E57}.exe
Token: SeIncBasePriorityPrivilege	1428	{13357041-5365-4d60-9476-3EB88E48621A}.exe
Token: SeIncBasePriorityPrivilege	2032	{4C4347AD-AED5-414d-AF56-2DE7B0FFE117}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1784	2156	0d267e230e2351bada78c3bf62667570N.exe	31
PID 2156 wrote to memory of 1784	2156	0d267e230e2351bada78c3bf62667570N.exe	31
PID 2156 wrote to memory of 1784	2156	0d267e230e2351bada78c3bf62667570N.exe	31
PID 2156 wrote to memory of 1784	2156	0d267e230e2351bada78c3bf62667570N.exe	31
PID 2156 wrote to memory of 2336	2156	0d267e230e2351bada78c3bf62667570N.exe	32
PID 2156 wrote to memory of 2336	2156	0d267e230e2351bada78c3bf62667570N.exe	32
PID 2156 wrote to memory of 2336	2156	0d267e230e2351bada78c3bf62667570N.exe	32
PID 2156 wrote to memory of 2336	2156	0d267e230e2351bada78c3bf62667570N.exe	32
PID 1784 wrote to memory of 2844	1784	{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe	33
PID 1784 wrote to memory of 2844	1784	{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe	33
PID 1784 wrote to memory of 2844	1784	{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe	33
PID 1784 wrote to memory of 2844	1784	{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe	33
PID 1784 wrote to memory of 2900	1784	{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe	34
PID 1784 wrote to memory of 2900	1784	{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe	34
PID 1784 wrote to memory of 2900	1784	{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe	34
PID 1784 wrote to memory of 2900	1784	{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe	34
PID 2844 wrote to memory of 2872	2844	{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe	35
PID 2844 wrote to memory of 2872	2844	{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe	35
PID 2844 wrote to memory of 2872	2844	{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe	35
PID 2844 wrote to memory of 2872	2844	{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe	35
PID 2844 wrote to memory of 2856	2844	{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe	36
PID 2844 wrote to memory of 2856	2844	{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe	36
PID 2844 wrote to memory of 2856	2844	{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe	36
PID 2844 wrote to memory of 2856	2844	{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe	36
PID 2872 wrote to memory of 1700	2872	{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe	37
PID 2872 wrote to memory of 1700	2872	{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe	37
PID 2872 wrote to memory of 1700	2872	{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe	37
PID 2872 wrote to memory of 1700	2872	{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe	37
PID 2872 wrote to memory of 2584	2872	{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe	38
PID 2872 wrote to memory of 2584	2872	{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe	38
PID 2872 wrote to memory of 2584	2872	{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe	38
PID 2872 wrote to memory of 2584	2872	{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe	38
PID 1700 wrote to memory of 1716	1700	{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe	39
PID 1700 wrote to memory of 1716	1700	{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe	39
PID 1700 wrote to memory of 1716	1700	{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe	39
PID 1700 wrote to memory of 1716	1700	{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe	39
PID 1700 wrote to memory of 3048	1700	{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe	40
PID 1700 wrote to memory of 3048	1700	{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe	40
PID 1700 wrote to memory of 3048	1700	{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe	40
PID 1700 wrote to memory of 3048	1700	{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe	40
PID 1716 wrote to memory of 1152	1716	{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe	41
PID 1716 wrote to memory of 1152	1716	{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe	41
PID 1716 wrote to memory of 1152	1716	{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe	41
PID 1716 wrote to memory of 1152	1716	{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe	41
PID 1716 wrote to memory of 1524	1716	{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe	42
PID 1716 wrote to memory of 1524	1716	{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe	42
PID 1716 wrote to memory of 1524	1716	{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe	42
PID 1716 wrote to memory of 1524	1716	{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe	42
PID 1152 wrote to memory of 1428	1152	{C2144132-6025-4583-8666-AF10A4530E57}.exe	43
PID 1152 wrote to memory of 1428	1152	{C2144132-6025-4583-8666-AF10A4530E57}.exe	43
PID 1152 wrote to memory of 1428	1152	{C2144132-6025-4583-8666-AF10A4530E57}.exe	43
PID 1152 wrote to memory of 1428	1152	{C2144132-6025-4583-8666-AF10A4530E57}.exe	43
PID 1152 wrote to memory of 1360	1152	{C2144132-6025-4583-8666-AF10A4530E57}.exe	44
PID 1152 wrote to memory of 1360	1152	{C2144132-6025-4583-8666-AF10A4530E57}.exe	44
PID 1152 wrote to memory of 1360	1152	{C2144132-6025-4583-8666-AF10A4530E57}.exe	44
PID 1152 wrote to memory of 1360	1152	{C2144132-6025-4583-8666-AF10A4530E57}.exe	44
PID 1428 wrote to memory of 2032	1428	{13357041-5365-4d60-9476-3EB88E48621A}.exe	45
PID 1428 wrote to memory of 2032	1428	{13357041-5365-4d60-9476-3EB88E48621A}.exe	45
PID 1428 wrote to memory of 2032	1428	{13357041-5365-4d60-9476-3EB88E48621A}.exe	45
PID 1428 wrote to memory of 2032	1428	{13357041-5365-4d60-9476-3EB88E48621A}.exe	45
PID 1428 wrote to memory of 1752	1428	{13357041-5365-4d60-9476-3EB88E48621A}.exe	46
PID 1428 wrote to memory of 1752	1428	{13357041-5365-4d60-9476-3EB88E48621A}.exe	46
PID 1428 wrote to memory of 1752	1428	{13357041-5365-4d60-9476-3EB88E48621A}.exe	46
PID 1428 wrote to memory of 1752	1428	{13357041-5365-4d60-9476-3EB88E48621A}.exe	46

C:\Users\Admin\AppData\Local\Temp\0d267e230e2351bada78c3bf62667570N.exe
"C:\Users\Admin\AppData\Local\Temp\0d267e230e2351bada78c3bf62667570N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe
  C:\Windows\{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe
    C:\Windows\{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe
      C:\Windows\{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe
        
        C:\Windows\{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Windows\{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe
        
        C:\Windows\{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\{C2144132-6025-4583-8666-AF10A4530E57}.exe
        
        C:\Windows\{C2144132-6025-4583-8666-AF10A4530E57}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{13357041-5365-4d60-9476-3EB88E48621A}.exe
        
        C:\Windows\{13357041-5365-4d60-9476-3EB88E48621A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\{4C4347AD-AED5-414d-AF56-2DE7B0FFE117}.exe
        
        C:\Windows\{4C4347AD-AED5-414d-AF56-2DE7B0FFE117}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\{6C5906ED-92EF-4a0a-B045-02DD527988CF}.exe
        
        C:\Windows\{6C5906ED-92EF-4a0a-B045-02DD527988CF}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C434~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13357~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2144~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9B11~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BA3D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DDA8~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0A3D2~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{64AB1~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0D267E~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A3D220A-D07C-490c-8410-E53BA427CC19}.exe

Filesize
90KB

MD5
a9e206a1148e6f9f0ed4ba750dc59768

SHA1
75b68d572f60220cd6105da6b8b5a0a386e7ab20

SHA256
796106eb2b5d05dc7d47b143587b3bcde9031a36b693b28c8a1fe6371f00b985

SHA512
7894e6b5376652360f19cd0f043c1f4e4ab43467638f0de3078849408fd07219ab884c122f8325259e426b80918f8b399efbbb7578ac399182b06a1f3b54a251

Download Submit
C:\Windows\{13357041-5365-4d60-9476-3EB88E48621A}.exe

Filesize
90KB

MD5
69a7683b0aedc7afcf032401ff42c0d6

SHA1
a28ab104a8a86273d72c49d2399ef9e59e23fd9c

SHA256
9b8f8bf615399ec853b9e1a42c1a26ddf912f270e41b6f703287b9c64b21932d

SHA512
54b005370a544a00ad1e0da6a0275abd623a95715298f4f47245283f074b89c18c5e3347e1fa4c32341321a8411be42f628a5290f42e1deb3b6f39e0067c6bb1

Download Submit
C:\Windows\{4C4347AD-AED5-414d-AF56-2DE7B0FFE117}.exe

Filesize
90KB

MD5
0c8945c49980b0faccd1ba0f9c382585

SHA1
bf1334f98b04b827069753779765c371bcca6e0b

SHA256
494c6fccab74e0e1796bd742a27ea140d1fb69e3be69c163226cec7d51bf136f

SHA512
a62d19ac5ef54c79e9fc11a6b53eab42e4e3fc528744b36c70dcb601a97f0e844a2261bcb9d766e6893948c9ecd307f36e3d9b4bf63540e2b071ebc109b1df44

Download Submit
C:\Windows\{64AB1021-CCA0-4a28-84EB-310AAB0701C2}.exe

Filesize
90KB

MD5
05e23fc9edcbf7e47d9d8efc01771a21

SHA1
0728d1b2401965867b49c9c4f44426fdf8a65b2b

SHA256
46d8f41293386ab5c08b1d4565cf615278798922b976e6d4f385dd6939f98d85

SHA512
12d2792bc4daa6867af7a5bbc4180d28c6ec79208972004d6acf9d7b5a80cca233aecfe0c38f46c13b0bf0a9782e2bba7cedc74e78a2da9cd8c111ee5eace584

Download Submit
C:\Windows\{6C5906ED-92EF-4a0a-B045-02DD527988CF}.exe

Filesize
90KB

MD5
e7540954f10cd369e6c69d70b578ba8c

SHA1
d54564832a8a6335238e884b37195d3466c67f28

SHA256
f23fc2d732238ba2eb71c8f42a31039e073fde8cd67546664315be3a0ffb594a

SHA512
7004282aabea939c6c2dee2fa6a3fa85c531954da0ba319efa41113a25f2d775f1b1ad905345254ba0e77ebdac3f427408e132321d78ba3f990c586aa8f05ceb

Download Submit
C:\Windows\{6DDA8168-A0D3-4a75-87DA-45742AF70956}.exe

Filesize
90KB

MD5
be8b5f94554baf44647354f99bb10aec

SHA1
c6837089838586f7d978bda12d27e5bb532c48f0

SHA256
9729527f3b58950c80002859bebf52dd31be04442d9f07e92aab8e50d7e0ea68

SHA512
6c11bd40e7c4b36e155fb36ab32f770cdbb3d3b673a8e475fcf22df411cb07bc6328158ecfc846a915d0b96be5232c63316f949b2185aad28b6fd37b686b7980

Download Submit
C:\Windows\{8BA3DA17-20E0-4e10-BD9B-FB97E8C1F4EF}.exe

Filesize
90KB

MD5
f3219b0b7a8796d1bd07dbd894091c2d

SHA1
de04237a0bffa0a3a4b5a316b59bab4a3d797107

SHA256
9fff58a08eb5a80f97a5f96ee3f006a929c89f562518a8e893c002403fb23da7

SHA512
8efee30976fbf277aa7c2aa45d35c6ab8a39ae6910f95ab10dc390ec3e57c52ef37c5bfa720c7b2563756d1b8bbba2e5946c45cc6feaafbfbd531b6d7798a0f5

Download Submit
C:\Windows\{C2144132-6025-4583-8666-AF10A4530E57}.exe

Filesize
90KB

MD5
b7cb16c34c22e3452ed62c1f35ae5f37

SHA1
67e88d2c9a0098013165b2995055637bb7e6b778

SHA256
366c9eeeb1b2326c59bcdad729063a9bccb57352b14ca317dbe67911eb3ad074

SHA512
940fb87bb77c15c4e5fb029b3c683365d82c1c372866db186029897c2304784faa559f4a842a202ef904d39eb77ef510e91580093b8df528caea98899603f2fc

Download Submit
C:\Windows\{C9B113D8-6DDE-423a-A28E-D8934AB17199}.exe

Filesize
90KB

MD5
7630ddf46fa7fb681d628c217712216f

SHA1
bc938681355c00de10fe8c8e4ea9898e4cb5fc2d

SHA256
46e53c09fc09c10417bd3d4355e58bea1e50cd120f9659ce8a1475b9de7c24d7

SHA512
34de37da4032d31ebc2f90adb990023a76deed12caa47e635aaa55b5d44fbcc4c50f938f029a95872d415ff7249950b2a5e8459e4f556ac710d5b329171e564a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads