eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe
Size

88KB
MD5

10d976d8213afa0fc844f5f415bf2e38
SHA1

424a63ff49b73134c11f1ae2c9017bc9b251d2f8
SHA256

eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f
SHA512

d81cf205608da8d7dc50fd6d82fb1f11b8be70f61deada3d38c980f77f513042d316e7e8c9c45f81cfe4ee4418729cb34643eff85fcec65ce83ec4ce9ee67919
SSDEEP

768:5vw9816thKQLro2Z4/wQkNrfrunMxVFA3V:lEG/0o2ZlbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}\stubpath = "C:\\Windows\\{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe"	{C8120FDB-E641-40af-8EB5-577290D610D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E458751B-ABB9-4f2a-B784-B14AED2322CE}	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{029673D2-E53D-4e74-BAA4-610800F5D250}	{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{029673D2-E53D-4e74-BAA4-610800F5D250}\stubpath = "C:\\Windows\\{029673D2-E53D-4e74-BAA4-610800F5D250}.exe"	{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52BE7B21-033D-448e-9C82-EC23D5B01E06}\stubpath = "C:\\Windows\\{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe"	{029673D2-E53D-4e74-BAA4-610800F5D250}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{112D7C4D-C371-44bf-8904-BB483BE53057}	{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8120FDB-E641-40af-8EB5-577290D610D2}	{112D7C4D-C371-44bf-8904-BB483BE53057}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8120FDB-E641-40af-8EB5-577290D610D2}\stubpath = "C:\\Windows\\{C8120FDB-E641-40af-8EB5-577290D610D2}.exe"	{112D7C4D-C371-44bf-8904-BB483BE53057}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBE57460-4E51-4a90-8F8F-84FF6D3D73B1}	{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F56E843D-C424-4bf8-A4E8-CA36DAFC7F3A}\stubpath = "C:\\Windows\\{F56E843D-C424-4bf8-A4E8-CA36DAFC7F3A}.exe"	{B0AE2390-9EEA-407f-8F3A-36AE07C7341B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E458751B-ABB9-4f2a-B784-B14AED2322CE}\stubpath = "C:\\Windows\\{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe"	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}\stubpath = "C:\\Windows\\{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe"	{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBE57460-4E51-4a90-8F8F-84FF6D3D73B1}\stubpath = "C:\\Windows\\{BBE57460-4E51-4a90-8F8F-84FF6D3D73B1}.exe"	{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}	{C8120FDB-E641-40af-8EB5-577290D610D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F56E843D-C424-4bf8-A4E8-CA36DAFC7F3A}	{B0AE2390-9EEA-407f-8F3A-36AE07C7341B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52BE7B21-033D-448e-9C82-EC23D5B01E06}	{029673D2-E53D-4e74-BAA4-610800F5D250}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}	{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{112D7C4D-C371-44bf-8904-BB483BE53057}\stubpath = "C:\\Windows\\{112D7C4D-C371-44bf-8904-BB483BE53057}.exe"	{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6568BBE-7F78-4175-80D9-EFFB3AB32B19}	{BBE57460-4E51-4a90-8F8F-84FF6D3D73B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6568BBE-7F78-4175-80D9-EFFB3AB32B19}\stubpath = "C:\\Windows\\{A6568BBE-7F78-4175-80D9-EFFB3AB32B19}.exe"	{BBE57460-4E51-4a90-8F8F-84FF6D3D73B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0AE2390-9EEA-407f-8F3A-36AE07C7341B}	{A6568BBE-7F78-4175-80D9-EFFB3AB32B19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0AE2390-9EEA-407f-8F3A-36AE07C7341B}\stubpath = "C:\\Windows\\{B0AE2390-9EEA-407f-8F3A-36AE07C7341B}.exe"	{A6568BBE-7F78-4175-80D9-EFFB3AB32B19}.exe

Deletes itself 1 IoCs

pid	Process
2848	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2324	{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe
2760	{029673D2-E53D-4e74-BAA4-610800F5D250}.exe
2876	{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe
2192	{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe
1040	{112D7C4D-C371-44bf-8904-BB483BE53057}.exe
352	{C8120FDB-E641-40af-8EB5-577290D610D2}.exe
1440	{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe
2700	{BBE57460-4E51-4a90-8F8F-84FF6D3D73B1}.exe
1016	{A6568BBE-7F78-4175-80D9-EFFB3AB32B19}.exe
972	{B0AE2390-9EEA-407f-8F3A-36AE07C7341B}.exe
1928	{F56E843D-C424-4bf8-A4E8-CA36DAFC7F3A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe	{029673D2-E53D-4e74-BAA4-610800F5D250}.exe
File created	C:\Windows\{C8120FDB-E641-40af-8EB5-577290D610D2}.exe	{112D7C4D-C371-44bf-8904-BB483BE53057}.exe
File created	C:\Windows\{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe	{C8120FDB-E641-40af-8EB5-577290D610D2}.exe
File created	C:\Windows\{A6568BBE-7F78-4175-80D9-EFFB3AB32B19}.exe	{BBE57460-4E51-4a90-8F8F-84FF6D3D73B1}.exe
File created	C:\Windows\{B0AE2390-9EEA-407f-8F3A-36AE07C7341B}.exe	{A6568BBE-7F78-4175-80D9-EFFB3AB32B19}.exe
File created	C:\Windows\{F56E843D-C424-4bf8-A4E8-CA36DAFC7F3A}.exe	{B0AE2390-9EEA-407f-8F3A-36AE07C7341B}.exe
File created	C:\Windows\{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe
File created	C:\Windows\{029673D2-E53D-4e74-BAA4-610800F5D250}.exe	{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe
File created	C:\Windows\{BBE57460-4E51-4a90-8F8F-84FF6D3D73B1}.exe	{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe
File created	C:\Windows\{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe	{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe
File created	C:\Windows\{112D7C4D-C371-44bf-8904-BB483BE53057}.exe	{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{029673D2-E53D-4e74-BAA4-610800F5D250}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C8120FDB-E641-40af-8EB5-577290D610D2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A6568BBE-7F78-4175-80D9-EFFB3AB32B19}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B0AE2390-9EEA-407f-8F3A-36AE07C7341B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{112D7C4D-C371-44bf-8904-BB483BE53057}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BBE57460-4E51-4a90-8F8F-84FF6D3D73B1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F56E843D-C424-4bf8-A4E8-CA36DAFC7F3A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2384	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe
Token: SeIncBasePriorityPrivilege	2324	{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe
Token: SeIncBasePriorityPrivilege	2760	{029673D2-E53D-4e74-BAA4-610800F5D250}.exe
Token: SeIncBasePriorityPrivilege	2876	{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe
Token: SeIncBasePriorityPrivilege	2192	{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe
Token: SeIncBasePriorityPrivilege	1040	{112D7C4D-C371-44bf-8904-BB483BE53057}.exe
Token: SeIncBasePriorityPrivilege	352	{C8120FDB-E641-40af-8EB5-577290D610D2}.exe
Token: SeIncBasePriorityPrivilege	1440	{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe
Token: SeIncBasePriorityPrivilege	2700	{BBE57460-4E51-4a90-8F8F-84FF6D3D73B1}.exe
Token: SeIncBasePriorityPrivilege	1016	{A6568BBE-7F78-4175-80D9-EFFB3AB32B19}.exe
Token: SeIncBasePriorityPrivilege	972	{B0AE2390-9EEA-407f-8F3A-36AE07C7341B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2324	2384	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe	31
PID 2384 wrote to memory of 2324	2384	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe	31
PID 2384 wrote to memory of 2324	2384	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe	31
PID 2384 wrote to memory of 2324	2384	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe	31
PID 2384 wrote to memory of 2848	2384	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe	32
PID 2384 wrote to memory of 2848	2384	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe	32
PID 2384 wrote to memory of 2848	2384	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe	32
PID 2384 wrote to memory of 2848	2384	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe	32
PID 2324 wrote to memory of 2760	2324	{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe	33
PID 2324 wrote to memory of 2760	2324	{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe	33
PID 2324 wrote to memory of 2760	2324	{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe	33
PID 2324 wrote to memory of 2760	2324	{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe	33
PID 2324 wrote to memory of 880	2324	{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe	34
PID 2324 wrote to memory of 880	2324	{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe	34
PID 2324 wrote to memory of 880	2324	{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe	34
PID 2324 wrote to memory of 880	2324	{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe	34
PID 2760 wrote to memory of 2876	2760	{029673D2-E53D-4e74-BAA4-610800F5D250}.exe	35
PID 2760 wrote to memory of 2876	2760	{029673D2-E53D-4e74-BAA4-610800F5D250}.exe	35
PID 2760 wrote to memory of 2876	2760	{029673D2-E53D-4e74-BAA4-610800F5D250}.exe	35
PID 2760 wrote to memory of 2876	2760	{029673D2-E53D-4e74-BAA4-610800F5D250}.exe	35
PID 2760 wrote to memory of 2652	2760	{029673D2-E53D-4e74-BAA4-610800F5D250}.exe	36
PID 2760 wrote to memory of 2652	2760	{029673D2-E53D-4e74-BAA4-610800F5D250}.exe	36
PID 2760 wrote to memory of 2652	2760	{029673D2-E53D-4e74-BAA4-610800F5D250}.exe	36
PID 2760 wrote to memory of 2652	2760	{029673D2-E53D-4e74-BAA4-610800F5D250}.exe	36
PID 2876 wrote to memory of 2192	2876	{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe	37
PID 2876 wrote to memory of 2192	2876	{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe	37
PID 2876 wrote to memory of 2192	2876	{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe	37
PID 2876 wrote to memory of 2192	2876	{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe	37
PID 2876 wrote to memory of 2464	2876	{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe	38
PID 2876 wrote to memory of 2464	2876	{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe	38
PID 2876 wrote to memory of 2464	2876	{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe	38
PID 2876 wrote to memory of 2464	2876	{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe	38
PID 2192 wrote to memory of 1040	2192	{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe	39
PID 2192 wrote to memory of 1040	2192	{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe	39
PID 2192 wrote to memory of 1040	2192	{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe	39
PID 2192 wrote to memory of 1040	2192	{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe	39
PID 2192 wrote to memory of 2592	2192	{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe	40
PID 2192 wrote to memory of 2592	2192	{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe	40
PID 2192 wrote to memory of 2592	2192	{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe	40
PID 2192 wrote to memory of 2592	2192	{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe	40
PID 1040 wrote to memory of 352	1040	{112D7C4D-C371-44bf-8904-BB483BE53057}.exe	41
PID 1040 wrote to memory of 352	1040	{112D7C4D-C371-44bf-8904-BB483BE53057}.exe	41
PID 1040 wrote to memory of 352	1040	{112D7C4D-C371-44bf-8904-BB483BE53057}.exe	41
PID 1040 wrote to memory of 352	1040	{112D7C4D-C371-44bf-8904-BB483BE53057}.exe	41
PID 1040 wrote to memory of 604	1040	{112D7C4D-C371-44bf-8904-BB483BE53057}.exe	42
PID 1040 wrote to memory of 604	1040	{112D7C4D-C371-44bf-8904-BB483BE53057}.exe	42
PID 1040 wrote to memory of 604	1040	{112D7C4D-C371-44bf-8904-BB483BE53057}.exe	42
PID 1040 wrote to memory of 604	1040	{112D7C4D-C371-44bf-8904-BB483BE53057}.exe	42
PID 352 wrote to memory of 1440	352	{C8120FDB-E641-40af-8EB5-577290D610D2}.exe	43
PID 352 wrote to memory of 1440	352	{C8120FDB-E641-40af-8EB5-577290D610D2}.exe	43
PID 352 wrote to memory of 1440	352	{C8120FDB-E641-40af-8EB5-577290D610D2}.exe	43
PID 352 wrote to memory of 1440	352	{C8120FDB-E641-40af-8EB5-577290D610D2}.exe	43
PID 352 wrote to memory of 1764	352	{C8120FDB-E641-40af-8EB5-577290D610D2}.exe	44
PID 352 wrote to memory of 1764	352	{C8120FDB-E641-40af-8EB5-577290D610D2}.exe	44
PID 352 wrote to memory of 1764	352	{C8120FDB-E641-40af-8EB5-577290D610D2}.exe	44
PID 352 wrote to memory of 1764	352	{C8120FDB-E641-40af-8EB5-577290D610D2}.exe	44
PID 1440 wrote to memory of 2700	1440	{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe	45
PID 1440 wrote to memory of 2700	1440	{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe	45
PID 1440 wrote to memory of 2700	1440	{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe	45
PID 1440 wrote to memory of 2700	1440	{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe	45
PID 1440 wrote to memory of 2548	1440	{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe	46
PID 1440 wrote to memory of 2548	1440	{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe	46
PID 1440 wrote to memory of 2548	1440	{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe	46
PID 1440 wrote to memory of 2548	1440	{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe	46

C:\Users\Admin\AppData\Local\Temp\eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe
"C:\Users\Admin\AppData\Local\Temp\eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe
  C:\Windows\{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\{029673D2-E53D-4e74-BAA4-610800F5D250}.exe
    C:\Windows\{029673D2-E53D-4e74-BAA4-610800F5D250}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe
      C:\Windows\{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe
        
        C:\Windows\{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\{112D7C4D-C371-44bf-8904-BB483BE53057}.exe
        
        C:\Windows\{112D7C4D-C371-44bf-8904-BB483BE53057}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\{C8120FDB-E641-40af-8EB5-577290D610D2}.exe
        
        C:\Windows\{C8120FDB-E641-40af-8EB5-577290D610D2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Windows\{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe
        
        C:\Windows\{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\{BBE57460-4E51-4a90-8F8F-84FF6D3D73B1}.exe
        
        C:\Windows\{BBE57460-4E51-4a90-8F8F-84FF6D3D73B1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\{A6568BBE-7F78-4175-80D9-EFFB3AB32B19}.exe
        
        C:\Windows\{A6568BBE-7F78-4175-80D9-EFFB3AB32B19}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\{B0AE2390-9EEA-407f-8F3A-36AE07C7341B}.exe
        
        C:\Windows\{B0AE2390-9EEA-407f-8F3A-36AE07C7341B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\{F56E843D-C424-4bf8-A4E8-CA36DAFC7F3A}.exe
        
        C:\Windows\{F56E843D-C424-4bf8-A4E8-CA36DAFC7F3A}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0AE2~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6568~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBE57~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FBC5~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8120~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{112D7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:604
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32E8C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52BE7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{02967~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E4587~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EEE158~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{029673D2-E53D-4e74-BAA4-610800F5D250}.exe

Filesize
88KB

MD5
4db03323a26533f7559988bd27cc1d47

SHA1
89f0a160b4f70bc52fb28a50dcba4e1c8cbc855f

SHA256
720435b4586d96e71d5050c9d4b366eaee13ff9f355b2dffc46e9488b521f8f7

SHA512
a2e1d75ead2798d2a9c17111b78fc343e64c30a3b1c438bd423cb6ad67e413c1e041e8a41eba1bc8bbaddefdca29de395075f20cfa7bf240e38b91ac488a4c3a

Download Submit
C:\Windows\{112D7C4D-C371-44bf-8904-BB483BE53057}.exe

Filesize
88KB

MD5
b2a91b1c867c7e802407ab1d4b1f5236

SHA1
fb5022a6de59ad761d2cb03e4ea086535b2f93c9

SHA256
d0c60f8433ecc75a015f62d771a369ba0cf490c78fafeed680c2826818e79a7f

SHA512
ea466c3ca4c52f1a9ff529889262f954b3a70238b6166c8f5f24ccf71318a0aa2e783ac5ba79ccdb23dfc4156921c68ae705a7272bec62f5c6bad5adb4e64523

Download Submit
C:\Windows\{32E8C178-FA18-48da-98C1-E74EF6B8F9A0}.exe

Filesize
88KB

MD5
a64a10576b618da6ce774c2285006437

SHA1
6fbb4fa2b401ad359ebdb313b7febc8f5524bc65

SHA256
cd5171f42bf987578b7992953f2892f74f0bef422f537cb9f6e92d6fdc7d60e6

SHA512
88be0d159d59b14bf2cb104039ab8f2ac9ff7090d6faa45c2bf39d7e68f54d0f911bc0eebc3fb468ca4f2d853913db78cf25b17f1d25154dea1cfd67aacd3040

Download Submit
C:\Windows\{3FBC5327-A369-4d7a-BFCA-A87D577D0CA2}.exe

Filesize
88KB

MD5
b21eaa7788960ea9ba2bf11d27515de8

SHA1
56bb912e93c62b367a1a4952e3cc490731f3891a

SHA256
370bff3b620bf63877d62fc88ac22ad2267ab2bb2e45823d5091a66239860cc8

SHA512
fbe6b417e1c74f5fe62abe3c6df34a8a18cb9e0c0e4317ba09602aa7b65a76d2a299dbacee999480ecadcca58a45f832a255fe16ec67d8e9b913f3321a3cbe8f

Download Submit
C:\Windows\{52BE7B21-033D-448e-9C82-EC23D5B01E06}.exe

Filesize
88KB

MD5
660e36b9bbc82188f9b28d29a0c71a18

SHA1
713ed4cd86da28e438a2690ea449ed8027dfc2a0

SHA256
b7758d9c7514dc39a76244d7f82fa5634a300d61ed4028dad97a7173cd0ac0c2

SHA512
40ad89a8bb2511e8d22514f83505c192d076ef706ebfec15adca187770b98b993217d26633502e9004d9ceaad0f6226286faf678fd6ee0a6012f5fcff65a4b29

Download Submit
C:\Windows\{A6568BBE-7F78-4175-80D9-EFFB3AB32B19}.exe

Filesize
88KB

MD5
e2cede87257b4cfc0ce00a76d467a4f4

SHA1
833f70e1c7a4b15767a8ff93f20a20f84873c603

SHA256
c9bb226ca4c2645fb56b28d883cfe13473a8f51af9a1676162635bfbd1aa9b8d

SHA512
4aaa3c1a71a84c3fe46c9ab4d668bd522961d9f170d7bc94388741756165efd28ec5722e66854c1a2ddecc61702f8edcc5ee80781f7e1e0e45b20c868593ce92

Download Submit
C:\Windows\{B0AE2390-9EEA-407f-8F3A-36AE07C7341B}.exe

Filesize
88KB

MD5
08ab19802f99d1c6f30bd6adcd41b015

SHA1
3f2d9e405e9d3a5fd3d1cae5522fcebb545e412a

SHA256
1614673ba17fdc748b097d3054a18c8ec100ca2ae3292855b68f0ddd9638459e

SHA512
975bacec0205a553c3d36fb5c6cd89ee45af222ebb76bc01b73a4dd016d11cbae4ced290f4b3c3f5f92ca6457772cda36c826c40909e8f050a7dda512a57f754

Download Submit
C:\Windows\{BBE57460-4E51-4a90-8F8F-84FF6D3D73B1}.exe

Filesize
88KB

MD5
210db933a5ef4de3169ee8a0d78bf66c

SHA1
31526cc8615ab882cb49fd7074a1027c40ed880b

SHA256
1d5c7a339077ad01ceaf4a9a1e22ff5ddc98667f630b16d0d905f53a4fc9d74a

SHA512
1f17afce693204eb904b1fdbff8c6b042ef511c375ec8e68116a423b89cf04ed6f6f502f2855a3ea59ed3e35afd72d5e5d9aaeef26f6f4c2649bfc03e82d96b7

Download Submit
C:\Windows\{C8120FDB-E641-40af-8EB5-577290D610D2}.exe

Filesize
88KB

MD5
e23e4d697a34b97728cd7e26a5ccaef4

SHA1
d5830e79025781258b4dd1fb3800443b35d4dcb3

SHA256
c24ac639a15dc73f936e8983a8d87e9233d817699f973257c50d63211f00c28c

SHA512
53c105c9d6e0fb73bc73edc04255592d2ee6ad63531fce6b6f79433fa0f79772afdf119ac7f8591d0bece022b77fd7ec84391a08c1e0e138709d1e21ce85d59c

Download Submit
C:\Windows\{E458751B-ABB9-4f2a-B784-B14AED2322CE}.exe

Filesize
88KB

MD5
ada9bc4dc71933f9bf0c671d4db86e8d

SHA1
85859339a617d58464767349b67cdd3454490fdd

SHA256
88fb9c51f24426a7fbdece788e5512c872d9341733d82b5bbb3f548cecf6ead0

SHA512
338d25d2ed94d4445655f21fd237d79f73013787946c6145a95f9d18fd7b32950366030bdd890df4fc1fcc54d97bd6ced8b6751e9e2a552a0a60ebba93ff9241

Download Submit
C:\Windows\{F56E843D-C424-4bf8-A4E8-CA36DAFC7F3A}.exe

Filesize
88KB

MD5
753fcb111a691a2032511314bda38999

SHA1
eac0cc868dccb035f5c618e53f5d2539ac4b44bc

SHA256
847806639b5b99a96368a1a766b69ba70ffefdb71b4d3687523c44b08f5ffa84

SHA512
ab468c995dda72bc4c7885ad7488b35671ab2b1468f596fe16bdafbb4b26b8abe39c8443bdd5d31ce0160ddc714ef346b90d5749909652afb9e2922b4f4c7878

Download Submit
memory/352-72-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/352-74-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/352-73-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/352-76-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/972-113-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/972-115-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/972-114-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/1016-105-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1016-104-0x0000000001D00000-0x0000000001D11000-memory.dmp

Filesize
68KB

Download
memory/1016-103-0x0000000001D00000-0x0000000001D11000-memory.dmp

Filesize
68KB

Download
memory/1040-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1040-62-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/1040-63-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/1440-84-0x00000000003C0000-0x00000000003D1000-memory.dmp

Filesize
68KB

Download
memory/1440-80-0x00000000003C0000-0x00000000003D1000-memory.dmp

Filesize
68KB

Download
memory/1440-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2192-53-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2192-49-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2192-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2324-20-0x00000000005E0000-0x00000000005F1000-memory.dmp

Filesize
68KB

Download
memory/2324-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2324-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2324-16-0x00000000005E0000-0x00000000005F1000-memory.dmp

Filesize
68KB

Download
memory/2324-21-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2384-9-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/2384-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2384-4-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/2384-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2384-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2700-90-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2700-94-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2700-96-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2760-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2760-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2760-32-0x0000000001BE0000-0x0000000001BF1000-memory.dmp

Filesize
68KB

Download
memory/2760-31-0x0000000001BE0000-0x0000000001BF1000-memory.dmp

Filesize
68KB

Download
memory/2760-33-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2876-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2876-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2876-43-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download
memory/2876-42-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads