748c6594e869d2b87b6d6db08842045b42acfd7448f9461a554204d3e4866899

Analysis

max time kernel
118s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d267e230e2351bada78c3bf62667570N.exe
Size

90KB
MD5

0d267e230e2351bada78c3bf62667570
SHA1

ae3ff6512b4fe24c41451e81ed76f882c431688e
SHA256

748c6594e869d2b87b6d6db08842045b42acfd7448f9461a554204d3e4866899
SHA512

b3bcddfcf0dcd4b73a5cd3557427998e21d89beebf70670c98d1344db6b0259d0447cc97dfed3b3642302e269775a9bbe1f28fcc6dfe87e3b4a8a47a394cf563
SSDEEP

768:Qvw9816vhKQLro74/wQRNrfrunMxVFA3b7glw:YEGh0o7l2unMxVS3Hg

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}\stubpath = "C:\\Windows\\{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe"	{92680027-65BC-4051-8236-F5A064A517CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}\stubpath = "C:\\Windows\\{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe"	{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}	0d267e230e2351bada78c3bf62667570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}\stubpath = "C:\\Windows\\{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe"	0d267e230e2351bada78c3bf62667570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73A29C1C-1DF1-4567-ACAD-90A82E618C63}	{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A70138BF-CD4F-4c70-8EE7-5F210423C19F}	{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A70138BF-CD4F-4c70-8EE7-5F210423C19F}\stubpath = "C:\\Windows\\{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe"	{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92680027-65BC-4051-8236-F5A064A517CF}	{97C92693-1963-4b18-9547-CC8A4106E39F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}	{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{254A76F7-B1B2-44f5-92E7-B4E9480B3767}	{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}	{92680027-65BC-4051-8236-F5A064A517CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}\stubpath = "C:\\Windows\\{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe"	{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92680027-65BC-4051-8236-F5A064A517CF}\stubpath = "C:\\Windows\\{92680027-65BC-4051-8236-F5A064A517CF}.exe"	{97C92693-1963-4b18-9547-CC8A4106E39F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}	{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73A29C1C-1DF1-4567-ACAD-90A82E618C63}\stubpath = "C:\\Windows\\{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe"	{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{254A76F7-B1B2-44f5-92E7-B4E9480B3767}\stubpath = "C:\\Windows\\{254A76F7-B1B2-44f5-92E7-B4E9480B3767}.exe"	{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97C92693-1963-4b18-9547-CC8A4106E39F}	{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97C92693-1963-4b18-9547-CC8A4106E39F}\stubpath = "C:\\Windows\\{97C92693-1963-4b18-9547-CC8A4106E39F}.exe"	{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe

Executes dropped EXE 9 IoCs

pid	Process
4332	{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe
4972	{97C92693-1963-4b18-9547-CC8A4106E39F}.exe
5104	{92680027-65BC-4051-8236-F5A064A517CF}.exe
1812	{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe
4744	{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe
1192	{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe
4020	{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe
3612	{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe
1620	{254A76F7-B1B2-44f5-92E7-B4E9480B3767}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe	0d267e230e2351bada78c3bf62667570N.exe
File created	C:\Windows\{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe	{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe
File created	C:\Windows\{97C92693-1963-4b18-9547-CC8A4106E39F}.exe	{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe
File created	C:\Windows\{92680027-65BC-4051-8236-F5A064A517CF}.exe	{97C92693-1963-4b18-9547-CC8A4106E39F}.exe
File created	C:\Windows\{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe	{92680027-65BC-4051-8236-F5A064A517CF}.exe
File created	C:\Windows\{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe	{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe
File created	C:\Windows\{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe	{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe
File created	C:\Windows\{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe	{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe
File created	C:\Windows\{254A76F7-B1B2-44f5-92E7-B4E9480B3767}.exe	{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{92680027-65BC-4051-8236-F5A064A517CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{97C92693-1963-4b18-9547-CC8A4106E39F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{254A76F7-B1B2-44f5-92E7-B4E9480B3767}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d267e230e2351bada78c3bf62667570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3316	0d267e230e2351bada78c3bf62667570N.exe
Token: SeIncBasePriorityPrivilege	4332	{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe
Token: SeIncBasePriorityPrivilege	4972	{97C92693-1963-4b18-9547-CC8A4106E39F}.exe
Token: SeIncBasePriorityPrivilege	5104	{92680027-65BC-4051-8236-F5A064A517CF}.exe
Token: SeIncBasePriorityPrivilege	1812	{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe
Token: SeIncBasePriorityPrivilege	4744	{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe
Token: SeIncBasePriorityPrivilege	1192	{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe
Token: SeIncBasePriorityPrivilege	4020	{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe
Token: SeIncBasePriorityPrivilege	3612	{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 4332	3316	0d267e230e2351bada78c3bf62667570N.exe	94
PID 3316 wrote to memory of 4332	3316	0d267e230e2351bada78c3bf62667570N.exe	94
PID 3316 wrote to memory of 4332	3316	0d267e230e2351bada78c3bf62667570N.exe	94
PID 3316 wrote to memory of 3064	3316	0d267e230e2351bada78c3bf62667570N.exe	95
PID 3316 wrote to memory of 3064	3316	0d267e230e2351bada78c3bf62667570N.exe	95
PID 3316 wrote to memory of 3064	3316	0d267e230e2351bada78c3bf62667570N.exe	95
PID 4332 wrote to memory of 4972	4332	{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe	96
PID 4332 wrote to memory of 4972	4332	{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe	96
PID 4332 wrote to memory of 4972	4332	{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe	96
PID 4332 wrote to memory of 2268	4332	{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe	97
PID 4332 wrote to memory of 2268	4332	{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe	97
PID 4332 wrote to memory of 2268	4332	{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe	97
PID 4972 wrote to memory of 5104	4972	{97C92693-1963-4b18-9547-CC8A4106E39F}.exe	100
PID 4972 wrote to memory of 5104	4972	{97C92693-1963-4b18-9547-CC8A4106E39F}.exe	100
PID 4972 wrote to memory of 5104	4972	{97C92693-1963-4b18-9547-CC8A4106E39F}.exe	100
PID 4972 wrote to memory of 1548	4972	{97C92693-1963-4b18-9547-CC8A4106E39F}.exe	101
PID 4972 wrote to memory of 1548	4972	{97C92693-1963-4b18-9547-CC8A4106E39F}.exe	101
PID 4972 wrote to memory of 1548	4972	{97C92693-1963-4b18-9547-CC8A4106E39F}.exe	101
PID 5104 wrote to memory of 1812	5104	{92680027-65BC-4051-8236-F5A064A517CF}.exe	102
PID 5104 wrote to memory of 1812	5104	{92680027-65BC-4051-8236-F5A064A517CF}.exe	102
PID 5104 wrote to memory of 1812	5104	{92680027-65BC-4051-8236-F5A064A517CF}.exe	102
PID 5104 wrote to memory of 2872	5104	{92680027-65BC-4051-8236-F5A064A517CF}.exe	103
PID 5104 wrote to memory of 2872	5104	{92680027-65BC-4051-8236-F5A064A517CF}.exe	103
PID 5104 wrote to memory of 2872	5104	{92680027-65BC-4051-8236-F5A064A517CF}.exe	103
PID 1812 wrote to memory of 4744	1812	{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe	104
PID 1812 wrote to memory of 4744	1812	{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe	104
PID 1812 wrote to memory of 4744	1812	{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe	104
PID 1812 wrote to memory of 2520	1812	{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe	105
PID 1812 wrote to memory of 2520	1812	{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe	105
PID 1812 wrote to memory of 2520	1812	{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe	105
PID 4744 wrote to memory of 1192	4744	{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe	106
PID 4744 wrote to memory of 1192	4744	{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe	106
PID 4744 wrote to memory of 1192	4744	{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe	106
PID 4744 wrote to memory of 4692	4744	{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe	107
PID 4744 wrote to memory of 4692	4744	{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe	107
PID 4744 wrote to memory of 4692	4744	{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe	107
PID 1192 wrote to memory of 4020	1192	{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe	108
PID 1192 wrote to memory of 4020	1192	{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe	108
PID 1192 wrote to memory of 4020	1192	{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe	108
PID 1192 wrote to memory of 2348	1192	{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe	109
PID 1192 wrote to memory of 2348	1192	{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe	109
PID 1192 wrote to memory of 2348	1192	{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe	109
PID 4020 wrote to memory of 3612	4020	{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe	110
PID 4020 wrote to memory of 3612	4020	{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe	110
PID 4020 wrote to memory of 3612	4020	{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe	110
PID 4020 wrote to memory of 2300	4020	{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe	111
PID 4020 wrote to memory of 2300	4020	{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe	111
PID 4020 wrote to memory of 2300	4020	{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe	111
PID 3612 wrote to memory of 1620	3612	{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe	112
PID 3612 wrote to memory of 1620	3612	{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe	112
PID 3612 wrote to memory of 1620	3612	{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe	112
PID 3612 wrote to memory of 4052	3612	{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe	113
PID 3612 wrote to memory of 4052	3612	{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe	113
PID 3612 wrote to memory of 4052	3612	{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe	113

C:\Users\Admin\AppData\Local\Temp\0d267e230e2351bada78c3bf62667570N.exe
"C:\Users\Admin\AppData\Local\Temp\0d267e230e2351bada78c3bf62667570N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Windows\{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe
  C:\Windows\{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\{97C92693-1963-4b18-9547-CC8A4106E39F}.exe
    C:\Windows\{97C92693-1963-4b18-9547-CC8A4106E39F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\{92680027-65BC-4051-8236-F5A064A517CF}.exe
      C:\Windows\{92680027-65BC-4051-8236-F5A064A517CF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5104
    - - C:\Windows\{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe
        
        C:\Windows\{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
      - C:\Windows\{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe
        
        C:\Windows\{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe
        
        C:\Windows\{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe
        
        C:\Windows\{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe
        
        C:\Windows\{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\{254A76F7-B1B2-44f5-92E7-B4E9480B3767}.exe
        
        C:\Windows\{254A76F7-B1B2-44f5-92E7-B4E9480B3767}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7013~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73A29~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3F3C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F67B8~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6ED1C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92680~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{97C92~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3FABF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0D267E~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{254A76F7-B1B2-44f5-92E7-B4E9480B3767}.exe

Filesize
90KB

MD5
641653c8d3d40a6da5aa04f7ad9c7ea4

SHA1
342407eebbf67c96410ff01a2f63809ace03ffda

SHA256
eb401ec0aa3a7fdbc6d1aecb53c7cc93d5fffef12fc688a0e6391b500f48a599

SHA512
fc4d80dd166ef55be9985700cc2bc2865c3b4570607e4895a68bbe1b7203227d5e0ddce4f17da4ae802dbd10836bdb8c244605c8f52bc53bc265766cada026cd

Download Submit
C:\Windows\{3FABFFEF-9565-4d9c-A91F-BAF8A063C1B7}.exe

Filesize
90KB

MD5
e3e191e6dd474ab1085c96bd9d1c4dcb

SHA1
55a6ce309ffa8a6a531ebe0a5f7891bd89a78a49

SHA256
331fa8ac8df98e5f922f735047c7658ddfb0351db581143892df27950225ed96

SHA512
09569a5443639e86487799392d96a4b5b1afb1200c0a159d94a795851cda556eca13e284f3d7ad0ba52944a7b7339bb382350b1305cf5db1e9284be0a5f6100c

Download Submit
C:\Windows\{6ED1C8D9-4FE0-456a-A303-E011A6169B6B}.exe

Filesize
90KB

MD5
5a01dd90562835927c1201fa785bfd1d

SHA1
2b4814ad10a412de721818e7e5bc651f26ee4a06

SHA256
72216f7fdf4de28acbe2b6cfc06f713d2847744251def3d88ad442971a270397

SHA512
b4784167b3fb4086ea88769306f06e915354b2790826cc9995f99f2b2e6829fa5660a9d06a24b4a48fe5ec54cc3e882c272ea931b3fad940c8218fcdb7e0a02a

Download Submit
C:\Windows\{73A29C1C-1DF1-4567-ACAD-90A82E618C63}.exe

Filesize
90KB

MD5
468bcd52cc0d2ac485635b275316b2d2

SHA1
5433dc5c322a1ce44f943af0043640d29851e86d

SHA256
044958f77b3edb77d16bed28b3dd023e0f20107ebbe8e78225420e0c2008ec36

SHA512
97f263c910aa70535be0cc28ce5a40e4f02118f40e48a9faf5de4bdcdf5f9b5df39756457f5d1b893998baaa732e2786ca4498abd9e7af9ee9476034ba21ffac

Download Submit
C:\Windows\{92680027-65BC-4051-8236-F5A064A517CF}.exe

Filesize
90KB

MD5
04ab5bd9494703e6d12225b691a645f4

SHA1
b0ef11466a87aaa3e7846df8633c93cc4c11df13

SHA256
0f7a9ceb2b89b7d0c19a9befc3b37ceebd166cce0d8176abb37d1f1118f7d202

SHA512
cf5d58da0403b2144c22ca145887bf2c5c0b61bf9671f5e21a6848b015073d09aec04e2f3bc56937f631d022d285e4550c87516de7c05a532d8bf3d96cdd2153

Download Submit
C:\Windows\{97C92693-1963-4b18-9547-CC8A4106E39F}.exe

Filesize
90KB

MD5
8b18e0a642958f902fa3bb57e2047696

SHA1
de334695f37b64a4c9e76d8df5852a3700da50fd

SHA256
6ca4fb18777b705fc3d9a4117f0d436e58fec58dc7914b67c3807183b84526b0

SHA512
f65f1587e265add4291b50db12189e9e15e3d859a8aed6297354470e398ac81c78eb3a771160ce15763b1c807b5ae274371b17f02f45914b4a57dd1d9731c3f5

Download Submit
C:\Windows\{A70138BF-CD4F-4c70-8EE7-5F210423C19F}.exe

Filesize
90KB

MD5
1ac342cb0e892cd9d7163038c64b1a3e

SHA1
cdaab3fa86e3f57a08a3465afce504a632600c44

SHA256
d61201f30e8c21bfad528e6bbade4e9efdceefac45a0ce28b462b8583dcbcc4f

SHA512
16b311f6e33d39dd06b517e9bec0dd80482bed2af856c5ec71b351cf5a794dae7cee68abf33d43865d01aa6874b033b8ccc54406dfb757ae3ad9a935a4a7cac1

Download Submit
C:\Windows\{C3F3CF7C-4B27-4bdd-B6B1-69E5A18D2508}.exe

Filesize
90KB

MD5
6f3f5d387a93db817d3ebfd379803828

SHA1
ae07937fbc44b85bb7d4b734145a78651a3d3b74

SHA256
29d38288feaa9c860b00bfd5a614746219f4557ee9468ac1f2f6f3e3ae86a720

SHA512
e51fe60eb4a76261af86206b1b8c85ee5b266dcaf1d230926ce8ca362ec7540c60610cee47b698d34c7a5a5637ba39a9dcbc737fab018047baf1f3ec2b8d9e48

Download Submit
C:\Windows\{F67B83C0-87A0-407f-9A8D-4E22BD7265D8}.exe

Filesize
90KB

MD5
0172a74d130e1d773c928006a869e8ff

SHA1
1aa278efa7933cd43e02bdf7c551c6dba30bc287

SHA256
b181c2ca9195dff66eeac829eec66d721756396595005ebf0b8b1de951e19d29

SHA512
f7d43816f557dd32d8299e45400bd359b0609eaab057a7167157ba5d6e7a6e5f64e368fb3b3b61e115f3f4d3435a72713ecec8690807bfad9ce8d16bccff011e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads