8b5ada69b7a5ba5519c4e18611115ef8948c94d74e4e0aa531a0f0812f4e6dc7

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 06:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9b4c06cf64096a7c45046ed4c55d4fa0N.exe
Size

90KB
MD5

9b4c06cf64096a7c45046ed4c55d4fa0
SHA1

d4ad7f11adbaf79eeb80eb5979eec591f331db32
SHA256

8b5ada69b7a5ba5519c4e18611115ef8948c94d74e4e0aa531a0f0812f4e6dc7
SHA512

5833a8afa64c5e50a5aeb102176ea16dd28aea14545930860e44f6243faa09e67e8a58a46c2eb36548317f2cf41c0708d09827f75ef0da13e11b2eb495f00f28
SSDEEP

768:5vw9816thKQLroR4/wQkNrfrunMxVFA3bA:lEG/0oRlbunMxVS3c

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F0C135D-4196-4f4f-A2E7-90C3FC613116}	9b4c06cf64096a7c45046ed4c55d4fa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE93A24D-5235-496a-9F86-AAA8BF627944}\stubpath = "C:\\Windows\\{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe"	{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA2699D7-7092-438d-A032-362EDE9C1DFD}\stubpath = "C:\\Windows\\{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe"	{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C5B90B3-4A27-4de2-ADCA-4406164489E5}	{861C7AB6-4967-4066-93E7-45194FDD580D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E706CC9D-51A6-46b5-994B-BCBD6542564A}\stubpath = "C:\\Windows\\{E706CC9D-51A6-46b5-994B-BCBD6542564A}.exe"	{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19A0A877-95FB-466c-9E2E-6144B9861B87}\stubpath = "C:\\Windows\\{19A0A877-95FB-466c-9E2E-6144B9861B87}.exe"	{E706CC9D-51A6-46b5-994B-BCBD6542564A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA2699D7-7092-438d-A032-362EDE9C1DFD}	{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{861C7AB6-4967-4066-93E7-45194FDD580D}	{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}	{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E706CC9D-51A6-46b5-994B-BCBD6542564A}	{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{861C7AB6-4967-4066-93E7-45194FDD580D}\stubpath = "C:\\Windows\\{861C7AB6-4967-4066-93E7-45194FDD580D}.exe"	{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C5B90B3-4A27-4de2-ADCA-4406164489E5}\stubpath = "C:\\Windows\\{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe"	{861C7AB6-4967-4066-93E7-45194FDD580D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}\stubpath = "C:\\Windows\\{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe"	{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19A0A877-95FB-466c-9E2E-6144B9861B87}	{E706CC9D-51A6-46b5-994B-BCBD6542564A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F0C135D-4196-4f4f-A2E7-90C3FC613116}\stubpath = "C:\\Windows\\{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe"	9b4c06cf64096a7c45046ed4c55d4fa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE93A24D-5235-496a-9F86-AAA8BF627944}	{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}	{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}\stubpath = "C:\\Windows\\{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe"	{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe

Deletes itself 1 IoCs

pid	Process
2900	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2552	{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe
2836	{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe
2860	{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe
2628	{861C7AB6-4967-4066-93E7-45194FDD580D}.exe
856	{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe
2144	{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe
468	{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe
2856	{E706CC9D-51A6-46b5-994B-BCBD6542564A}.exe
1700	{19A0A877-95FB-466c-9E2E-6144B9861B87}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe	9b4c06cf64096a7c45046ed4c55d4fa0N.exe
File created	C:\Windows\{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe	{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe
File created	C:\Windows\{861C7AB6-4967-4066-93E7-45194FDD580D}.exe	{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe
File created	C:\Windows\{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe	{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe
File created	C:\Windows\{E706CC9D-51A6-46b5-994B-BCBD6542564A}.exe	{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe
File created	C:\Windows\{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe	{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe
File created	C:\Windows\{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe	{861C7AB6-4967-4066-93E7-45194FDD580D}.exe
File created	C:\Windows\{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe	{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe
File created	C:\Windows\{19A0A877-95FB-466c-9E2E-6144B9861B87}.exe	{E706CC9D-51A6-46b5-994B-BCBD6542564A}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{19A0A877-95FB-466c-9E2E-6144B9861B87}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b4c06cf64096a7c45046ed4c55d4fa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E706CC9D-51A6-46b5-994B-BCBD6542564A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{861C7AB6-4967-4066-93E7-45194FDD580D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2252	9b4c06cf64096a7c45046ed4c55d4fa0N.exe
Token: SeIncBasePriorityPrivilege	2552	{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe
Token: SeIncBasePriorityPrivilege	2836	{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe
Token: SeIncBasePriorityPrivilege	2860	{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe
Token: SeIncBasePriorityPrivilege	2628	{861C7AB6-4967-4066-93E7-45194FDD580D}.exe
Token: SeIncBasePriorityPrivilege	856	{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe
Token: SeIncBasePriorityPrivilege	2144	{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe
Token: SeIncBasePriorityPrivilege	468	{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe
Token: SeIncBasePriorityPrivilege	2856	{E706CC9D-51A6-46b5-994B-BCBD6542564A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2552	2252	9b4c06cf64096a7c45046ed4c55d4fa0N.exe	31
PID 2252 wrote to memory of 2552	2252	9b4c06cf64096a7c45046ed4c55d4fa0N.exe	31
PID 2252 wrote to memory of 2552	2252	9b4c06cf64096a7c45046ed4c55d4fa0N.exe	31
PID 2252 wrote to memory of 2552	2252	9b4c06cf64096a7c45046ed4c55d4fa0N.exe	31
PID 2252 wrote to memory of 2900	2252	9b4c06cf64096a7c45046ed4c55d4fa0N.exe	32
PID 2252 wrote to memory of 2900	2252	9b4c06cf64096a7c45046ed4c55d4fa0N.exe	32
PID 2252 wrote to memory of 2900	2252	9b4c06cf64096a7c45046ed4c55d4fa0N.exe	32
PID 2252 wrote to memory of 2900	2252	9b4c06cf64096a7c45046ed4c55d4fa0N.exe	32
PID 2552 wrote to memory of 2836	2552	{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe	33
PID 2552 wrote to memory of 2836	2552	{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe	33
PID 2552 wrote to memory of 2836	2552	{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe	33
PID 2552 wrote to memory of 2836	2552	{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe	33
PID 2552 wrote to memory of 2948	2552	{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe	34
PID 2552 wrote to memory of 2948	2552	{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe	34
PID 2552 wrote to memory of 2948	2552	{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe	34
PID 2552 wrote to memory of 2948	2552	{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe	34
PID 2836 wrote to memory of 2860	2836	{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe	35
PID 2836 wrote to memory of 2860	2836	{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe	35
PID 2836 wrote to memory of 2860	2836	{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe	35
PID 2836 wrote to memory of 2860	2836	{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe	35
PID 2836 wrote to memory of 484	2836	{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe	36
PID 2836 wrote to memory of 484	2836	{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe	36
PID 2836 wrote to memory of 484	2836	{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe	36
PID 2836 wrote to memory of 484	2836	{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe	36
PID 2860 wrote to memory of 2628	2860	{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe	37
PID 2860 wrote to memory of 2628	2860	{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe	37
PID 2860 wrote to memory of 2628	2860	{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe	37
PID 2860 wrote to memory of 2628	2860	{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe	37
PID 2860 wrote to memory of 2680	2860	{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe	38
PID 2860 wrote to memory of 2680	2860	{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe	38
PID 2860 wrote to memory of 2680	2860	{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe	38
PID 2860 wrote to memory of 2680	2860	{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe	38
PID 2628 wrote to memory of 856	2628	{861C7AB6-4967-4066-93E7-45194FDD580D}.exe	39
PID 2628 wrote to memory of 856	2628	{861C7AB6-4967-4066-93E7-45194FDD580D}.exe	39
PID 2628 wrote to memory of 856	2628	{861C7AB6-4967-4066-93E7-45194FDD580D}.exe	39
PID 2628 wrote to memory of 856	2628	{861C7AB6-4967-4066-93E7-45194FDD580D}.exe	39
PID 2628 wrote to memory of 1072	2628	{861C7AB6-4967-4066-93E7-45194FDD580D}.exe	40
PID 2628 wrote to memory of 1072	2628	{861C7AB6-4967-4066-93E7-45194FDD580D}.exe	40
PID 2628 wrote to memory of 1072	2628	{861C7AB6-4967-4066-93E7-45194FDD580D}.exe	40
PID 2628 wrote to memory of 1072	2628	{861C7AB6-4967-4066-93E7-45194FDD580D}.exe	40
PID 856 wrote to memory of 2144	856	{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe	41
PID 856 wrote to memory of 2144	856	{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe	41
PID 856 wrote to memory of 2144	856	{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe	41
PID 856 wrote to memory of 2144	856	{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe	41
PID 856 wrote to memory of 1220	856	{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe	42
PID 856 wrote to memory of 1220	856	{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe	42
PID 856 wrote to memory of 1220	856	{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe	42
PID 856 wrote to memory of 1220	856	{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe	42
PID 2144 wrote to memory of 468	2144	{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe	43
PID 2144 wrote to memory of 468	2144	{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe	43
PID 2144 wrote to memory of 468	2144	{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe	43
PID 2144 wrote to memory of 468	2144	{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe	43
PID 2144 wrote to memory of 1728	2144	{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe	44
PID 2144 wrote to memory of 1728	2144	{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe	44
PID 2144 wrote to memory of 1728	2144	{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe	44
PID 2144 wrote to memory of 1728	2144	{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe	44
PID 468 wrote to memory of 2856	468	{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe	45
PID 468 wrote to memory of 2856	468	{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe	45
PID 468 wrote to memory of 2856	468	{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe	45
PID 468 wrote to memory of 2856	468	{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe	45
PID 468 wrote to memory of 608	468	{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe	46
PID 468 wrote to memory of 608	468	{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe	46
PID 468 wrote to memory of 608	468	{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe	46
PID 468 wrote to memory of 608	468	{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe	46

C:\Users\Admin\AppData\Local\Temp\9b4c06cf64096a7c45046ed4c55d4fa0N.exe
"C:\Users\Admin\AppData\Local\Temp\9b4c06cf64096a7c45046ed4c55d4fa0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe
  C:\Windows\{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe
    C:\Windows\{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe
      C:\Windows\{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\{861C7AB6-4967-4066-93E7-45194FDD580D}.exe
        
        C:\Windows\{861C7AB6-4967-4066-93E7-45194FDD580D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe
        
        C:\Windows\{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe
        
        C:\Windows\{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe
        
        C:\Windows\{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\{E706CC9D-51A6-46b5-994B-BCBD6542564A}.exe
        
        C:\Windows\{E706CC9D-51A6-46b5-994B-BCBD6542564A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\{19A0A877-95FB-466c-9E2E-6144B9861B87}.exe
        
        C:\Windows\{19A0A877-95FB-466c-9E2E-6144B9861B87}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E706C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E4FF~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FF0D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C5B9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1220
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{861C7~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA269~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EE93A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0F0C1~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9B4C06~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F0C135D-4196-4f4f-A2E7-90C3FC613116}.exe

Filesize
90KB

MD5
0e78d706992f761cc1213889f5ba9de1

SHA1
493fc60942aabd1382e9fa4fda24f78bb6bdd762

SHA256
8fd89f7d445938193b106dde5b7446d98841de364fbc3ce76a2dabc5e83461e7

SHA512
502f2f3c5e40eeb8f35922dc48be899032e38226946864f7c01671e6d1a6604483cecb8b3ffa247ae0ef1cf7bad539380d27c4f040b93cb7464bb06ba2d4b820

Download Submit
C:\Windows\{0FF0DBC4-9AE5-4ecd-9CB6-2695A0BF646B}.exe

Filesize
90KB

MD5
44488685c1521816e9d3c0d8e2abfd70

SHA1
d8dc2dfdc845c4156883af026214e07ba5b669a8

SHA256
39f7564c76bd45763beba47478b8647e4feea8c7b549c781603de2af45ff75e1

SHA512
710adb522971ce5d7b42ff5b628173392bfdbd767f9d41e0abd46d4c9a08bad8fcadb9c6d470734da64feec26b9f07a16dbd08834df1cc2d618ecc4594ff0d89

Download Submit
C:\Windows\{19A0A877-95FB-466c-9E2E-6144B9861B87}.exe

Filesize
90KB

MD5
282175347b60334ba9ca250a5c7dd2b1

SHA1
121ee95472891ec236e4e4a8294db8bd890a79ad

SHA256
042672edb64924e64ad99ad4889d14b35495e6955390e9178ed7ca53474eee03

SHA512
ea7d72c0b0d7d0de7710a0836131b35e8adece367379189d2df23fee408fc88d01152ed42d8b330b1f708cb8edf15466931461259d7160c0d354887d8234aa40

Download Submit
C:\Windows\{1C5B90B3-4A27-4de2-ADCA-4406164489E5}.exe

Filesize
90KB

MD5
21beca6732662f066622864b2d5eaba4

SHA1
0a7c51818be315ec6f483bf0b49d7db3ac567fb5

SHA256
f24c3b0064bb386ce65195dd084214dad8aeae54e7a3027f05c24e86c57c8b7c

SHA512
2409a7627218e4f0e565265f34310f82a62529fa6b70f0f816e04df5be864120888c098731950c99b13fe17add137c66eb68a364fefcc2af71d8e8a29b3cf27c

Download Submit
C:\Windows\{1E4FF6F5-BDA1-49fe-94BE-FDEE0BD797D0}.exe

Filesize
90KB

MD5
af956a4ae1aa7b5f0a4f04f888f432ac

SHA1
d08c47ffe93429449249457a925c3a38e97b17b4

SHA256
3ad4d6c84c567395e12f3d205df3f0200d2591fb9cd140df1204aa0ecd613672

SHA512
54904fb08568ec62e5817e89c94424d4e1df6ffa2befc66c46b30343151654e0bb959092241a7e355ea1355441e405ea7149a309aded2aa036ea25e7eaaca04e

Download Submit
C:\Windows\{861C7AB6-4967-4066-93E7-45194FDD580D}.exe

Filesize
90KB

MD5
98957946c8fe4cd68b8adcf75114f828

SHA1
5880ba57848702995589665ef2a8b2626d43db52

SHA256
f97fcf8f211b23d4be92d907fb4e542ababf67561eef52e9639707bec4a6f0d7

SHA512
703f3c5d74987f48c9d275e4ed9c5ef53b3bc84bdf31154bbcdf6796b9b40de88a92278072f74c07584e93ff209b99017daa1fadf79f311c16b33ead4b0206bb

Download Submit
C:\Windows\{AA2699D7-7092-438d-A032-362EDE9C1DFD}.exe

Filesize
90KB

MD5
adc25255680edd98b129671d48e75f8a

SHA1
0339487109383587b42ba339d2a52b64dbc94c77

SHA256
43cdb2d405ff83025a73383e6eb29aec9395fd5cdab61af645c3bde5c57c23cf

SHA512
e7c3ba4268840f268b49ff05b6df6ba22185bca4c6ef88fa0a299fafb3fca77f0050d520e3e77f29b876b8471f2d26b37d15f5922b9849455cc2f818cda9d7e9

Download Submit
C:\Windows\{E706CC9D-51A6-46b5-994B-BCBD6542564A}.exe

Filesize
90KB

MD5
5417cac900b0f354ebccb422a1deabb2

SHA1
bcfb3852103426495cf911a11859f6679f062cc0

SHA256
900d6088f95876cb179cc656ca25eb7fbcc32d0ea6f9e09c15c5afe636e7d399

SHA512
8baf49b0b7b3330186ce21ae98c8e5e81ea6b86555ce051c8bdaa4a6a57ddd09f949a9e9ec5482ce6c31a308ad6f2f081bdbd7c9f21b3c7d6d93d7d624db849d

Download Submit
C:\Windows\{EE93A24D-5235-496a-9F86-AAA8BF627944}.exe

Filesize
90KB

MD5
9dc0cefe54a4735521467dd177c09be1

SHA1
60c4f43572ff942ab82d1801caa0340f92a1901f

SHA256
0e3996a05c86649d46d74358bbde87d742084428b40ccdf1615d71a050c0ed09

SHA512
112fe97426862217375b558c2f6c437feaa6879793550af849d7f2890780eded5d9a80fee1590179a3d6663a0bac0293a6bbeec485b16c94e323de9d2ea38cc2

Download Submit
memory/468-73-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/468-74-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download
memory/856-51-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download
memory/856-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2144-64-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2144-60-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2144-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2252-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2252-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2252-3-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download
memory/2552-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2552-15-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2552-16-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2628-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2628-42-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/2836-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2836-23-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2836-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2856-79-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/2856-83-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2860-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2860-35-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2860-36-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads