6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe
Size

89KB
MD5

20706fd3835359fc7fd032bc41f8050c
SHA1

27a15cd5b3359f743d21b2dc789478c4d0c81c2c
SHA256

6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6
SHA512

bff23b3c830c77487a385308260512235e59baad06f1c303de5ece12bb73d7c4cb19066e9e7873454a3ef279f8648fb03bb6d2452c0acd329dd6819d848bbc7c
SSDEEP

768:Qvw9816vhKQLrov4/wQRNrfrunMxVFA3b7glL:YEGh0ovl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}	6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}\stubpath = "C:\\Windows\\{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe"	{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F8201C3-7692-469c-B07F-3C68F586C1E6}	{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F8201C3-7692-469c-B07F-3C68F586C1E6}\stubpath = "C:\\Windows\\{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe"	{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C2F558D-E2AE-43dd-ACFD-1D84C585D4AB}	{8F809A49-067A-4854-B575-DE49BADC0E54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{186BBD09-435C-4efc-B9CC-9DF046F93BDB}	{4C2F558D-E2AE-43dd-ACFD-1D84C585D4AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D47C93C5-97F1-461d-A674-CD5544EDD689}	{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49946274-890E-4b2f-B97B-334DE4A1FED4}	{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C2F558D-E2AE-43dd-ACFD-1D84C585D4AB}\stubpath = "C:\\Windows\\{4C2F558D-E2AE-43dd-ACFD-1D84C585D4AB}.exe"	{8F809A49-067A-4854-B575-DE49BADC0E54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{186BBD09-435C-4efc-B9CC-9DF046F93BDB}\stubpath = "C:\\Windows\\{186BBD09-435C-4efc-B9CC-9DF046F93BDB}.exe"	{4C2F558D-E2AE-43dd-ACFD-1D84C585D4AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F809A49-067A-4854-B575-DE49BADC0E54}\stubpath = "C:\\Windows\\{8F809A49-067A-4854-B575-DE49BADC0E54}.exe"	{49946274-890E-4b2f-B97B-334DE4A1FED4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AF1010E-DAF7-472e-ADC9-6F8B96674541}	{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}\stubpath = "C:\\Windows\\{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe"	6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D47C93C5-97F1-461d-A674-CD5544EDD689}\stubpath = "C:\\Windows\\{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe"	{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}	{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3575458F-94D8-42d3-B22B-61DF05D8ED66}	{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3575458F-94D8-42d3-B22B-61DF05D8ED66}\stubpath = "C:\\Windows\\{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe"	{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}	{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}\stubpath = "C:\\Windows\\{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe"	{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AF1010E-DAF7-472e-ADC9-6F8B96674541}\stubpath = "C:\\Windows\\{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe"	{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49946274-890E-4b2f-B97B-334DE4A1FED4}\stubpath = "C:\\Windows\\{49946274-890E-4b2f-B97B-334DE4A1FED4}.exe"	{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F809A49-067A-4854-B575-DE49BADC0E54}	{49946274-890E-4b2f-B97B-334DE4A1FED4}.exe

Deletes itself 1 IoCs

pid	Process
2324	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
800	{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe
2752	{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe
2556	{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe
2724	{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe
2984	{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe
1712	{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe
1648	{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe
1512	{49946274-890E-4b2f-B97B-334DE4A1FED4}.exe
2732	{8F809A49-067A-4854-B575-DE49BADC0E54}.exe
2384	{4C2F558D-E2AE-43dd-ACFD-1D84C585D4AB}.exe
448	{186BBD09-435C-4efc-B9CC-9DF046F93BDB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe	{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe
File created	C:\Windows\{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe	{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe
File created	C:\Windows\{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe	6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe
File created	C:\Windows\{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe	{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe
File created	C:\Windows\{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe	{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe
File created	C:\Windows\{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe	{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe
File created	C:\Windows\{49946274-890E-4b2f-B97B-334DE4A1FED4}.exe	{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe
File created	C:\Windows\{8F809A49-067A-4854-B575-DE49BADC0E54}.exe	{49946274-890E-4b2f-B97B-334DE4A1FED4}.exe
File created	C:\Windows\{4C2F558D-E2AE-43dd-ACFD-1D84C585D4AB}.exe	{8F809A49-067A-4854-B575-DE49BADC0E54}.exe
File created	C:\Windows\{186BBD09-435C-4efc-B9CC-9DF046F93BDB}.exe	{4C2F558D-E2AE-43dd-ACFD-1D84C585D4AB}.exe
File created	C:\Windows\{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe	{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{49946274-890E-4b2f-B97B-334DE4A1FED4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C2F558D-E2AE-43dd-ACFD-1D84C585D4AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{186BBD09-435C-4efc-B9CC-9DF046F93BDB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F809A49-067A-4854-B575-DE49BADC0E54}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2972	6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe
Token: SeIncBasePriorityPrivilege	800	{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe
Token: SeIncBasePriorityPrivilege	2752	{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe
Token: SeIncBasePriorityPrivilege	2556	{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe
Token: SeIncBasePriorityPrivilege	2724	{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe
Token: SeIncBasePriorityPrivilege	2984	{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe
Token: SeIncBasePriorityPrivilege	1712	{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe
Token: SeIncBasePriorityPrivilege	1648	{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe
Token: SeIncBasePriorityPrivilege	1512	{49946274-890E-4b2f-B97B-334DE4A1FED4}.exe
Token: SeIncBasePriorityPrivilege	2732	{8F809A49-067A-4854-B575-DE49BADC0E54}.exe
Token: SeIncBasePriorityPrivilege	2384	{4C2F558D-E2AE-43dd-ACFD-1D84C585D4AB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 800	2972	6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe	31
PID 2972 wrote to memory of 800	2972	6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe	31
PID 2972 wrote to memory of 800	2972	6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe	31
PID 2972 wrote to memory of 800	2972	6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe	31
PID 2972 wrote to memory of 2324	2972	6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe	32
PID 2972 wrote to memory of 2324	2972	6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe	32
PID 2972 wrote to memory of 2324	2972	6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe	32
PID 2972 wrote to memory of 2324	2972	6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe	32
PID 800 wrote to memory of 2752	800	{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe	33
PID 800 wrote to memory of 2752	800	{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe	33
PID 800 wrote to memory of 2752	800	{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe	33
PID 800 wrote to memory of 2752	800	{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe	33
PID 800 wrote to memory of 2780	800	{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe	34
PID 800 wrote to memory of 2780	800	{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe	34
PID 800 wrote to memory of 2780	800	{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe	34
PID 800 wrote to memory of 2780	800	{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe	34
PID 2752 wrote to memory of 2556	2752	{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe	35
PID 2752 wrote to memory of 2556	2752	{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe	35
PID 2752 wrote to memory of 2556	2752	{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe	35
PID 2752 wrote to memory of 2556	2752	{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe	35
PID 2752 wrote to memory of 2668	2752	{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe	36
PID 2752 wrote to memory of 2668	2752	{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe	36
PID 2752 wrote to memory of 2668	2752	{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe	36
PID 2752 wrote to memory of 2668	2752	{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe	36
PID 2556 wrote to memory of 2724	2556	{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe	37
PID 2556 wrote to memory of 2724	2556	{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe	37
PID 2556 wrote to memory of 2724	2556	{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe	37
PID 2556 wrote to memory of 2724	2556	{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe	37
PID 2556 wrote to memory of 2820	2556	{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe	38
PID 2556 wrote to memory of 2820	2556	{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe	38
PID 2556 wrote to memory of 2820	2556	{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe	38
PID 2556 wrote to memory of 2820	2556	{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe	38
PID 2724 wrote to memory of 2984	2724	{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe	39
PID 2724 wrote to memory of 2984	2724	{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe	39
PID 2724 wrote to memory of 2984	2724	{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe	39
PID 2724 wrote to memory of 2984	2724	{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe	39
PID 2724 wrote to memory of 2488	2724	{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe	40
PID 2724 wrote to memory of 2488	2724	{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe	40
PID 2724 wrote to memory of 2488	2724	{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe	40
PID 2724 wrote to memory of 2488	2724	{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe	40
PID 2984 wrote to memory of 1712	2984	{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe	41
PID 2984 wrote to memory of 1712	2984	{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe	41
PID 2984 wrote to memory of 1712	2984	{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe	41
PID 2984 wrote to memory of 1712	2984	{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe	41
PID 2984 wrote to memory of 1900	2984	{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe	42
PID 2984 wrote to memory of 1900	2984	{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe	42
PID 2984 wrote to memory of 1900	2984	{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe	42
PID 2984 wrote to memory of 1900	2984	{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe	42
PID 1712 wrote to memory of 1648	1712	{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe	43
PID 1712 wrote to memory of 1648	1712	{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe	43
PID 1712 wrote to memory of 1648	1712	{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe	43
PID 1712 wrote to memory of 1648	1712	{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe	43
PID 1712 wrote to memory of 2032	1712	{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe	44
PID 1712 wrote to memory of 2032	1712	{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe	44
PID 1712 wrote to memory of 2032	1712	{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe	44
PID 1712 wrote to memory of 2032	1712	{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe	44
PID 1648 wrote to memory of 1512	1648	{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe	45
PID 1648 wrote to memory of 1512	1648	{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe	45
PID 1648 wrote to memory of 1512	1648	{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe	45
PID 1648 wrote to memory of 1512	1648	{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe	45
PID 1648 wrote to memory of 2536	1648	{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe	46
PID 1648 wrote to memory of 2536	1648	{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe	46
PID 1648 wrote to memory of 2536	1648	{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe	46
PID 1648 wrote to memory of 2536	1648	{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe	46

C:\Users\Admin\AppData\Local\Temp\6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe
"C:\Users\Admin\AppData\Local\Temp\6d2168a577cfac4c1190477d89c0beddae501f0dd231d5358016671085c093a6.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe
  C:\Windows\{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Windows\{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe
    C:\Windows\{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe
      C:\Windows\{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe
        
        C:\Windows\{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe
        
        C:\Windows\{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe
        
        C:\Windows\{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe
        
        C:\Windows\{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\{49946274-890E-4b2f-B97B-334DE4A1FED4}.exe
        
        C:\Windows\{49946274-890E-4b2f-B97B-334DE4A1FED4}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\{8F809A49-067A-4854-B575-DE49BADC0E54}.exe
        
        C:\Windows\{8F809A49-067A-4854-B575-DE49BADC0E54}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\{4C2F558D-E2AE-43dd-ACFD-1D84C585D4AB}.exe
        
        C:\Windows\{4C2F558D-E2AE-43dd-ACFD-1D84C585D4AB}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\{186BBD09-435C-4efc-B9CC-9DF046F93BDB}.exe
        
        C:\Windows\{186BBD09-435C-4efc-B9CC-9DF046F93BDB}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C2F5~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F809~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49946~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F820~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AF10~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E02D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35754~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACA2A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D47C9~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3DCFD~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6D2168~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{186BBD09-435C-4efc-B9CC-9DF046F93BDB}.exe

Filesize
89KB

MD5
09da269a7eb25bc6983b3b38c6c6b0e8

SHA1
456e9e22f682091fad1c669181f27198ab6759bd

SHA256
b46b508cefa817e6b9994371394a37fb58c80f8f2044ab5cb849c766486d0346

SHA512
094ed3e29cad0b483a5afea08ae7a5b83d4d760946dde404b1cee0255587183949d9f04d16728c66d5eda72f984fe70fa85a755b1a6d3d8cdac297a3196ca1ac

Download Submit
C:\Windows\{3575458F-94D8-42d3-B22B-61DF05D8ED66}.exe

Filesize
89KB

MD5
9bef8541061223a14f63685052d63a9c

SHA1
810c82f41dd12d4626b11b8a276fb82b1937823c

SHA256
0ef2892e30c2ca6929d508feac087be3930ccf4fcff6ee878ddd67964820db4e

SHA512
87ad6990632832ce7418be8eefb721d42b0737f35d959fcd89d5b93575128d059596b89d44127aeefb793d604983ddb03a6f3e65831cf7be8ff3ea42a7416dd0

Download Submit
C:\Windows\{3DCFDB0E-7C16-4537-BE36-0573F8C2C4CC}.exe

Filesize
89KB

MD5
60951c5b473f968dd445f951d9b11482

SHA1
17a5727359014e695c5307e61a89863e92aaf789

SHA256
7c843720ef896c93ca65ff1d75e462da270b436285363193034a7dba8491ea24

SHA512
892266544887f6e5427d33d9b59bdb112762257b98926e193f7f6747192ce977fc2417bd50cbd62c262338a6d6b411e43d91fdbf088d43f6fc728374d505f658

Download Submit
C:\Windows\{49946274-890E-4b2f-B97B-334DE4A1FED4}.exe

Filesize
89KB

MD5
6e4aacda8ea702926b822e074195dfb5

SHA1
6b23ee12ce4ecd0f13e50feab6e1fa06af985f3c

SHA256
c2129a03dcb90de70706d05293a2f6ba69b4e4dc2582f0a7eeacde2a09e5a660

SHA512
2bbaeb2e3f32b53c78d57682d4cb899191ad81eb1fe7e2e8293021935d614544ef193e1b8b9189d45d9925f58f022dbb97f743190cc3131628814e5e083ddbb7

Download Submit
C:\Windows\{4C2F558D-E2AE-43dd-ACFD-1D84C585D4AB}.exe

Filesize
89KB

MD5
6a687522403302e96e0111b6721a7579

SHA1
c00bbcd0c1cd929782fe8b569bfeacd16e893dca

SHA256
0d87854d7c969dc26ccc91a22dff5867aef57fe771aac45925b71485bcbbbd8d

SHA512
8bdaf7679058e473f98db30dbb8c42f592b00be931eff84dea36da45dcb9831b68aae1deb252ab649f29b97375ba707e9b67f49a9a1b31f17a0ca40650b1c700

Download Submit
C:\Windows\{4E02D4FE-F5B3-4eb2-8720-422145AB6CA1}.exe

Filesize
89KB

MD5
61231f226e9fd84df915270e7aaf967f

SHA1
c1e85b9a3a5fb473a1b56fe27b0a8e0235e006a0

SHA256
5e0ed40452aa0ee97866ab65b10ec1a7c829232a68518347fb60a853ae5ab4f8

SHA512
ed59a8e83d6eeb95d59b1cc4b1e963cbeaffc15798a10f0e8c581184882fa0b0e44a685a64079127e6436c1f30c1122184960adbf142bed63b71fe7cdc075672

Download Submit
C:\Windows\{5AF1010E-DAF7-472e-ADC9-6F8B96674541}.exe

Filesize
89KB

MD5
afadf6c4b5d5407d11e565a170377cc5

SHA1
f5b8d88336924c56ecf5c4a355035d092ab89ea3

SHA256
b796b99e7a83a4719a3133acc4959adddd788cf9f45a72d440aa56bd50938ec6

SHA512
759196ac435050df8cb5137d21a3c02ad1ccdce9d625ac0657dd7f1961a68efb584c603fd0dbdd509c9dbcb363d6ec53fd6a474e0816968f65724f5daabbc8fb

Download Submit
C:\Windows\{8F809A49-067A-4854-B575-DE49BADC0E54}.exe

Filesize
89KB

MD5
9dab95888a440fb11ee799a777df0040

SHA1
6b2ee06b73bc1dce1826d648f4ce517d0520c1c3

SHA256
c56a96bf9282c46420ad4d3d61ceedcdcbd2b04ebf550a23138e45c6815a8f02

SHA512
243f724fc143f9f0a22f6f0580b1b5b5d000c61f718e531daa90fe66eb9ff8842f374fdac798a5ed2f5911bbcdc0eacad7055f42d2f3111ac013bffcf6fd3445

Download Submit
C:\Windows\{8F8201C3-7692-469c-B07F-3C68F586C1E6}.exe

Filesize
89KB

MD5
c92e0e4da381c2795801a33b321f67c8

SHA1
88812d09a6e90c6bb9cc6d71c0ea2955edd248e2

SHA256
3e759cee5f93ec014d1e8f79dc1792f6a402635cad1b786ae9edd50dff4cea2b

SHA512
cc981c2c21f07877e59a0d051428ca758eefcaf8d264d7b9e6b8b4f109440de725d566f470ac325116f8038a757911dcfd7d2603ad74c00de8d97fa9a440dc5e

Download Submit
C:\Windows\{ACA2A66C-642C-4cd5-BFE9-F21601F42E23}.exe

Filesize
89KB

MD5
c960a83904efc7855028361cc28270e8

SHA1
7a650ba181ec56a35f7e8d1a82935991dce84e68

SHA256
dc06273665773a04b26fc9b5a1e42e78cc14cc8b43fa68f1a71e92c90a359061

SHA512
3b36fe703875ee65c34e6550b297e129ca073d769a0cea7a4162fb670648062093e43586b610afb20309465c667196e133641b5e877e6d0e79081eda9807a8c8

Download Submit
C:\Windows\{D47C93C5-97F1-461d-A674-CD5544EDD689}.exe

Filesize
89KB

MD5
a824fcd657fe9acee70c24f6098bdcc2

SHA1
53dfb9f10c1660091d74fc2027f47192e58a16f9

SHA256
42d8573d7c84c1ffcceda4aa1e9669d720a2b6f8a2988e46bf477ca9d50d5501

SHA512
0e53c32f6d29c52faaf7f27676cf638128f79dd910fa4f7c10aacc1d12fc6c7918f8812dd59a90be4b4aca237a1e7f2e3618451ad3180f8be1f7848f34ae1311

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads