ce2ea6d168ea7eb04038aab032b3b75c7daac77fbf2e598b16009f57510eff44

Analysis

max time kernel
118s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7178dd8ca080c80128a929d68e86830N.exe
Size

79KB
MD5

f7178dd8ca080c80128a929d68e86830
SHA1

ca8ed4e11cf96a37c03e1359abd6235d2dda7d14
SHA256

ce2ea6d168ea7eb04038aab032b3b75c7daac77fbf2e598b16009f57510eff44
SHA512

6222d86503eac31b4beda6ec164a46a2cadc0e69de7a3795ef0cadbcbaddd23e9e51007fea8efb774ffd4f9e8d30ab72e41dac492b8be1db24680a7fc12c416a
SSDEEP

768:4vw9816vhKQLroL4/wQzXOQ69zbjlAAX5e9zz:wEGh0oLlGizbR9Xwzz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}	f7178dd8ca080c80128a929d68e86830N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E59D070F-0E68-43a7-9029-0C122ABFFFC0}\stubpath = "C:\\Windows\\{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe"	{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAABB88B-2188-4fba-91C1-BA4FF449B92E}\stubpath = "C:\\Windows\\{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe"	{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A39B4D9-4E37-4269-9E06-BF7B3AA5A135}\stubpath = "C:\\Windows\\{6A39B4D9-4E37-4269-9E06-BF7B3AA5A135}.exe"	{87D9D421-F396-48c7-8379-61438298FE84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87D9D421-F396-48c7-8379-61438298FE84}\stubpath = "C:\\Windows\\{87D9D421-F396-48c7-8379-61438298FE84}.exe"	{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}\stubpath = "C:\\Windows\\{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe"	f7178dd8ca080c80128a929d68e86830N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{533F8DD8-C7D9-48e5-B884-D47046870E2E}	{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A98668FC-5529-4ed3-87FC-53D3188AC848}	{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87D9D421-F396-48c7-8379-61438298FE84}	{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAABB88B-2188-4fba-91C1-BA4FF449B92E}	{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A39B4D9-4E37-4269-9E06-BF7B3AA5A135}	{87D9D421-F396-48c7-8379-61438298FE84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56196025-9997-46aa-9CE4-7C9A67DD0FB0}	{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32323184-9100-43ef-B4CD-6A9B48A53FCA}	{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32323184-9100-43ef-B4CD-6A9B48A53FCA}\stubpath = "C:\\Windows\\{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe"	{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A98668FC-5529-4ed3-87FC-53D3188AC848}\stubpath = "C:\\Windows\\{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe"	{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56196025-9997-46aa-9CE4-7C9A67DD0FB0}\stubpath = "C:\\Windows\\{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe"	{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{533F8DD8-C7D9-48e5-B884-D47046870E2E}\stubpath = "C:\\Windows\\{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe"	{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E59D070F-0E68-43a7-9029-0C122ABFFFC0}	{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe

Executes dropped EXE 9 IoCs

pid	Process
3452	{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe
1472	{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe
3108	{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe
3100	{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe
4180	{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe
3152	{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe
1200	{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe
2336	{87D9D421-F396-48c7-8379-61438298FE84}.exe
4288	{6A39B4D9-4E37-4269-9E06-BF7B3AA5A135}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe	{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe
File created	C:\Windows\{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe	{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe
File created	C:\Windows\{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe	{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe
File created	C:\Windows\{6A39B4D9-4E37-4269-9E06-BF7B3AA5A135}.exe	{87D9D421-F396-48c7-8379-61438298FE84}.exe
File created	C:\Windows\{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe	f7178dd8ca080c80128a929d68e86830N.exe
File created	C:\Windows\{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe	{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe
File created	C:\Windows\{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe	{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe
File created	C:\Windows\{87D9D421-F396-48c7-8379-61438298FE84}.exe	{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe
File created	C:\Windows\{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe	{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7178dd8ca080c80128a929d68e86830N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{87D9D421-F396-48c7-8379-61438298FE84}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A39B4D9-4E37-4269-9E06-BF7B3AA5A135}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4596	f7178dd8ca080c80128a929d68e86830N.exe
Token: SeIncBasePriorityPrivilege	3452	{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe
Token: SeIncBasePriorityPrivilege	1472	{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe
Token: SeIncBasePriorityPrivilege	3108	{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe
Token: SeIncBasePriorityPrivilege	3100	{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe
Token: SeIncBasePriorityPrivilege	4180	{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe
Token: SeIncBasePriorityPrivilege	3152	{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe
Token: SeIncBasePriorityPrivilege	1200	{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe
Token: SeIncBasePriorityPrivilege	2336	{87D9D421-F396-48c7-8379-61438298FE84}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3452	4596	f7178dd8ca080c80128a929d68e86830N.exe	94
PID 4596 wrote to memory of 3452	4596	f7178dd8ca080c80128a929d68e86830N.exe	94
PID 4596 wrote to memory of 3452	4596	f7178dd8ca080c80128a929d68e86830N.exe	94
PID 4596 wrote to memory of 2372	4596	f7178dd8ca080c80128a929d68e86830N.exe	95
PID 4596 wrote to memory of 2372	4596	f7178dd8ca080c80128a929d68e86830N.exe	95
PID 4596 wrote to memory of 2372	4596	f7178dd8ca080c80128a929d68e86830N.exe	95
PID 3452 wrote to memory of 1472	3452	{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe	96
PID 3452 wrote to memory of 1472	3452	{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe	96
PID 3452 wrote to memory of 1472	3452	{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe	96
PID 3452 wrote to memory of 3628	3452	{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe	97
PID 3452 wrote to memory of 3628	3452	{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe	97
PID 3452 wrote to memory of 3628	3452	{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe	97
PID 1472 wrote to memory of 3108	1472	{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe	100
PID 1472 wrote to memory of 3108	1472	{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe	100
PID 1472 wrote to memory of 3108	1472	{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe	100
PID 1472 wrote to memory of 1772	1472	{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe	101
PID 1472 wrote to memory of 1772	1472	{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe	101
PID 1472 wrote to memory of 1772	1472	{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe	101
PID 3108 wrote to memory of 3100	3108	{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe	102
PID 3108 wrote to memory of 3100	3108	{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe	102
PID 3108 wrote to memory of 3100	3108	{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe	102
PID 3108 wrote to memory of 3320	3108	{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe	103
PID 3108 wrote to memory of 3320	3108	{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe	103
PID 3108 wrote to memory of 3320	3108	{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe	103
PID 3100 wrote to memory of 4180	3100	{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe	104
PID 3100 wrote to memory of 4180	3100	{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe	104
PID 3100 wrote to memory of 4180	3100	{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe	104
PID 3100 wrote to memory of 1152	3100	{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe	105
PID 3100 wrote to memory of 1152	3100	{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe	105
PID 3100 wrote to memory of 1152	3100	{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe	105
PID 4180 wrote to memory of 3152	4180	{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe	106
PID 4180 wrote to memory of 3152	4180	{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe	106
PID 4180 wrote to memory of 3152	4180	{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe	106
PID 4180 wrote to memory of 4572	4180	{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe	107
PID 4180 wrote to memory of 4572	4180	{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe	107
PID 4180 wrote to memory of 4572	4180	{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe	107
PID 3152 wrote to memory of 1200	3152	{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe	108
PID 3152 wrote to memory of 1200	3152	{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe	108
PID 3152 wrote to memory of 1200	3152	{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe	108
PID 3152 wrote to memory of 4380	3152	{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe	109
PID 3152 wrote to memory of 4380	3152	{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe	109
PID 3152 wrote to memory of 4380	3152	{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe	109
PID 1200 wrote to memory of 2336	1200	{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe	110
PID 1200 wrote to memory of 2336	1200	{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe	110
PID 1200 wrote to memory of 2336	1200	{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe	110
PID 1200 wrote to memory of 3496	1200	{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe	111
PID 1200 wrote to memory of 3496	1200	{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe	111
PID 1200 wrote to memory of 3496	1200	{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe	111
PID 2336 wrote to memory of 4288	2336	{87D9D421-F396-48c7-8379-61438298FE84}.exe	112
PID 2336 wrote to memory of 4288	2336	{87D9D421-F396-48c7-8379-61438298FE84}.exe	112
PID 2336 wrote to memory of 4288	2336	{87D9D421-F396-48c7-8379-61438298FE84}.exe	112
PID 2336 wrote to memory of 8	2336	{87D9D421-F396-48c7-8379-61438298FE84}.exe	113
PID 2336 wrote to memory of 8	2336	{87D9D421-F396-48c7-8379-61438298FE84}.exe	113
PID 2336 wrote to memory of 8	2336	{87D9D421-F396-48c7-8379-61438298FE84}.exe	113

C:\Users\Admin\AppData\Local\Temp\f7178dd8ca080c80128a929d68e86830N.exe
"C:\Users\Admin\AppData\Local\Temp\f7178dd8ca080c80128a929d68e86830N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe
  C:\Windows\{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe
    C:\Windows\{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe
      C:\Windows\{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3108
    - - C:\Windows\{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe
        
        C:\Windows\{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
      - C:\Windows\{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe
        
        C:\Windows\{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe
        
        C:\Windows\{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe
        
        C:\Windows\{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\{87D9D421-F396-48c7-8379-61438298FE84}.exe
        
        C:\Windows\{87D9D421-F396-48c7-8379-61438298FE84}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\{6A39B4D9-4E37-4269-9E06-BF7B3AA5A135}.exe
        
        C:\Windows\{6A39B4D9-4E37-4269-9E06-BF7B3AA5A135}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87D9D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAABB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9866~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E59D0~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{533F8~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32323~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{56196~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E4E74~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F7178D~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{32323184-9100-43ef-B4CD-6A9B48A53FCA}.exe

Filesize
79KB

MD5
8ad22aacb1b5d8c505ac5e6b5903f2c3

SHA1
d0c61ba92f025d292bdeebc0074d2379328357d7

SHA256
d9e984896b4b00028bb528c66650404719f82d31b80fdaddb1082459e2612403

SHA512
ef070715e1f187812af74910df260abd4f58a3c1991d813fd1506a5e4a02a9464dd5cd7cd3bdde8ce0ab2ae08518a8f1cfada5832a1466d0ba74e9cba18295ef

Download Submit
C:\Windows\{533F8DD8-C7D9-48e5-B884-D47046870E2E}.exe

Filesize
79KB

MD5
c291c3c5418e3f9621c5d5c3e7fbd723

SHA1
4fcabab51333267a97b6a8fad7a46000385f3fc8

SHA256
0914c67b6a03ad8f3ad51e9dc7947b8de446ce4ecd23196b970feeef7dfa1cd5

SHA512
e44bd08b199b0f9dbe47cc1604112918d3b8dd884bc12855d744e3f50a451512f86b4ce6acb8e31e08a36707cc8770f7ec469c73c5aee15da082e459d55b59cd

Download Submit
C:\Windows\{56196025-9997-46aa-9CE4-7C9A67DD0FB0}.exe

Filesize
79KB

MD5
350bb71a4f12063fb21d7d026af8135b

SHA1
2a1c746c2d617be621d7595ddf277fbdcab80bfb

SHA256
8f28704aa29ee3bdc72c15c0c3d7be4658997090629502b565d599c2135c4156

SHA512
7b2d35e7e71baf1df0d11c9d8d3f894e321ac87b43f95b3d203cd445410132346063859f3951e55a7c0a8ed1bc938cb8b8077fde2e1e76e944c7a675ad6cb2c0

Download Submit
C:\Windows\{6A39B4D9-4E37-4269-9E06-BF7B3AA5A135}.exe

Filesize
79KB

MD5
735e4f2c092094e4f942b968eba18d59

SHA1
ad48530e8629f841b3e75d799ed3fed6cf506707

SHA256
622632d5d8f1f1e6ca74471e485c589536384b30bc38597027509083f88031e4

SHA512
93113f1213180763349b40d1c78997bb065d3dee97a0cc408d50035a0933d28279098eda38a88e7b290fbfeb2927f6c4abb74fc8232850b81928150d878f1348

Download Submit
C:\Windows\{87D9D421-F396-48c7-8379-61438298FE84}.exe

Filesize
79KB

MD5
4163cab64950b16e24429943dc6ce7a0

SHA1
fb66ed10a7b5c1c96fa00c8d8e98176f54b8bcba

SHA256
21fa2db34406acf653d07639df345d2e6cbda4ebd8018c45eb858447ada5b7db

SHA512
f216c64330d68275a7d3988412dfdaa56df6f485688f15fb80843fa7ab3aaacafba8855bc247c61b48afb9a4ddf2f83f01dccb55d7f9081a7982a90e7c652ca2

Download Submit
C:\Windows\{A98668FC-5529-4ed3-87FC-53D3188AC848}.exe

Filesize
79KB

MD5
4bcfba9ebfa91d67e92544894fe20179

SHA1
f8baf6c5594420389b9c4b826577fef5fb8c6b64

SHA256
9726895c88dbd36250d9885d44f633cd4372486c825e251c16efe402e8d21a10

SHA512
76edd0680c2c75c2034fa794bfa625be26dd8b2eede734a1b96e8eaa182b4446cd8142a1a900c00d258e6bc88b7f9b560b33fffb3957427402de80dd419ae1f3

Download Submit
C:\Windows\{BAABB88B-2188-4fba-91C1-BA4FF449B92E}.exe

Filesize
79KB

MD5
aeac5bdfbf5684f5159523f26c850827

SHA1
c4dc5e74f70f4dc4216d73d3a5d7779cb076cc64

SHA256
6033425496112f7952162c50cbb26f36f4fcdb7fcce51e4f37467d071ff1fc94

SHA512
2f95d47a2c062fd7f951b6e11345a33fb1d3f5d28c055c885c495446a92d763d1334c3857786afa061fb5d8fe32af68fbbde514b6f3c9e674791856f4b08764b

Download Submit
C:\Windows\{E4E74C38-DCFB-4a16-999D-4CE1570E12B5}.exe

Filesize
79KB

MD5
f9671b15d89a12eddeaf7facdfe0f8a5

SHA1
620e02daded298eafd10fb4abcf4d5564703f510

SHA256
6f71839d08965fd57a3686b74d54f5b96fd037f040644993e8b5d033214e1e0f

SHA512
19ec202d06148269bfac9a0444f706e5b2600e8a1301c8827e1de77197bc4eac1da64e8aa232f10df0b8625e236eb6a0130faa1d4a5a6d52d447b969dcfe00f3

Download Submit
C:\Windows\{E59D070F-0E68-43a7-9029-0C122ABFFFC0}.exe

Filesize
79KB

MD5
0d44cfac0ec31d882df1fdaa58a6e3c3

SHA1
e4db6c45b36ea38102732ada605669b0729490c9

SHA256
2a60ac990e4d5acd4242b07a50f1b9ba8c7c333a95cc23c6ed6237a40bbbb486

SHA512
e8df4019fa17349bea7ace492acdf8e655198bd976ca4b3fdd22ea5aaa83fe013ebb367b1381dc52065068d8ae00a9b4f5820a9e62cf51af2e590118fede5450

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads