8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed

Analysis

max time kernel
144s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe
Size

90KB
MD5

93fa62e4a0d19fdbc2979a148e5b5d29
SHA1

363cdb4038c36e8bdc6988a392a002627cd5c972
SHA256

8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed
SHA512

661add87641e6ac3788bd95bbd48ae86355d5aae2bea7c2957353c5a03018f51e99225b7c1e993d6729533376087f66b6af5faac5b457bb0846185c2edff5667
SSDEEP

768:5vw9816thKQLroV4/wQkNrfrunMxVFA3bA:lEG/0oVlbunMxVS3c

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45976717-96A0-4651-BDBF-D9C73F7A2AD0}\stubpath = "C:\\Windows\\{45976717-96A0-4651-BDBF-D9C73F7A2AD0}.exe"	{EE2C8600-3A60-42dd-B79F-98372D13BEC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ECD8225-28EC-4054-9368-101F989C095D}	{45976717-96A0-4651-BDBF-D9C73F7A2AD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31C950BF-EDA3-4e22-9680-97EFC05AA57B}	{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31C950BF-EDA3-4e22-9680-97EFC05AA57B}\stubpath = "C:\\Windows\\{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe"	{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5442C55E-F3BE-4311-B381-A544EA600177}\stubpath = "C:\\Windows\\{5442C55E-F3BE-4311-B381-A544EA600177}.exe"	{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70A6EA72-E111-4c60-AA0C-50BBA34A2665}	{5442C55E-F3BE-4311-B381-A544EA600177}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE2C8600-3A60-42dd-B79F-98372D13BEC8}	{70A6EA72-E111-4c60-AA0C-50BBA34A2665}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BB8BE6A-1D38-405c-87F6-995B352BCB98}	{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}	{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5442C55E-F3BE-4311-B381-A544EA600177}	{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45976717-96A0-4651-BDBF-D9C73F7A2AD0}	{EE2C8600-3A60-42dd-B79F-98372D13BEC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A355A315-863B-408f-B7CE-6F90C2DB4E7D}\stubpath = "C:\\Windows\\{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe"	{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70A6EA72-E111-4c60-AA0C-50BBA34A2665}\stubpath = "C:\\Windows\\{70A6EA72-E111-4c60-AA0C-50BBA34A2665}.exe"	{5442C55E-F3BE-4311-B381-A544EA600177}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4ECD8225-28EC-4054-9368-101F989C095D}\stubpath = "C:\\Windows\\{4ECD8225-28EC-4054-9368-101F989C095D}.exe"	{45976717-96A0-4651-BDBF-D9C73F7A2AD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}\stubpath = "C:\\Windows\\{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe"	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}\stubpath = "C:\\Windows\\{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe"	{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCF6B245-3C70-487c-AEBA-870748C54B98}	{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCF6B245-3C70-487c-AEBA-870748C54B98}\stubpath = "C:\\Windows\\{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe"	{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A355A315-863B-408f-B7CE-6F90C2DB4E7D}	{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BB8BE6A-1D38-405c-87F6-995B352BCB98}\stubpath = "C:\\Windows\\{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe"	{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE2C8600-3A60-42dd-B79F-98372D13BEC8}\stubpath = "C:\\Windows\\{EE2C8600-3A60-42dd-B79F-98372D13BEC8}.exe"	{70A6EA72-E111-4c60-AA0C-50BBA34A2665}.exe

Deletes itself 1 IoCs

pid	Process
824	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2776	{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe
2704	{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe
2732	{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe
2988	{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe
2072	{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe
1936	{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe
2428	{5442C55E-F3BE-4311-B381-A544EA600177}.exe
2980	{70A6EA72-E111-4c60-AA0C-50BBA34A2665}.exe
2040	{EE2C8600-3A60-42dd-B79F-98372D13BEC8}.exe
2512	{45976717-96A0-4651-BDBF-D9C73F7A2AD0}.exe
2000	{4ECD8225-28EC-4054-9368-101F989C095D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe	{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe
File created	C:\Windows\{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe	{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe
File created	C:\Windows\{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe	{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe
File created	C:\Windows\{70A6EA72-E111-4c60-AA0C-50BBA34A2665}.exe	{5442C55E-F3BE-4311-B381-A544EA600177}.exe
File created	C:\Windows\{45976717-96A0-4651-BDBF-D9C73F7A2AD0}.exe	{EE2C8600-3A60-42dd-B79F-98372D13BEC8}.exe
File created	C:\Windows\{4ECD8225-28EC-4054-9368-101F989C095D}.exe	{45976717-96A0-4651-BDBF-D9C73F7A2AD0}.exe
File created	C:\Windows\{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe
File created	C:\Windows\{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe	{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe
File created	C:\Windows\{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe	{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe
File created	C:\Windows\{5442C55E-F3BE-4311-B381-A544EA600177}.exe	{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe
File created	C:\Windows\{EE2C8600-3A60-42dd-B79F-98372D13BEC8}.exe	{70A6EA72-E111-4c60-AA0C-50BBA34A2665}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4ECD8225-28EC-4054-9368-101F989C095D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5442C55E-F3BE-4311-B381-A544EA600177}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70A6EA72-E111-4c60-AA0C-50BBA34A2665}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE2C8600-3A60-42dd-B79F-98372D13BEC8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{45976717-96A0-4651-BDBF-D9C73F7A2AD0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	376	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe
Token: SeIncBasePriorityPrivilege	2776	{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe
Token: SeIncBasePriorityPrivilege	2704	{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe
Token: SeIncBasePriorityPrivilege	2732	{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe
Token: SeIncBasePriorityPrivilege	2988	{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe
Token: SeIncBasePriorityPrivilege	2072	{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe
Token: SeIncBasePriorityPrivilege	1936	{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe
Token: SeIncBasePriorityPrivilege	2428	{5442C55E-F3BE-4311-B381-A544EA600177}.exe
Token: SeIncBasePriorityPrivilege	2980	{70A6EA72-E111-4c60-AA0C-50BBA34A2665}.exe
Token: SeIncBasePriorityPrivilege	2040	{EE2C8600-3A60-42dd-B79F-98372D13BEC8}.exe
Token: SeIncBasePriorityPrivilege	2512	{45976717-96A0-4651-BDBF-D9C73F7A2AD0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 2776	376	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe	30
PID 376 wrote to memory of 2776	376	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe	30
PID 376 wrote to memory of 2776	376	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe	30
PID 376 wrote to memory of 2776	376	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe	30
PID 376 wrote to memory of 824	376	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe	31
PID 376 wrote to memory of 824	376	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe	31
PID 376 wrote to memory of 824	376	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe	31
PID 376 wrote to memory of 824	376	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe	31
PID 2776 wrote to memory of 2704	2776	{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe	32
PID 2776 wrote to memory of 2704	2776	{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe	32
PID 2776 wrote to memory of 2704	2776	{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe	32
PID 2776 wrote to memory of 2704	2776	{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe	32
PID 2776 wrote to memory of 2044	2776	{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe	33
PID 2776 wrote to memory of 2044	2776	{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe	33
PID 2776 wrote to memory of 2044	2776	{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe	33
PID 2776 wrote to memory of 2044	2776	{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe	33
PID 2704 wrote to memory of 2732	2704	{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe	34
PID 2704 wrote to memory of 2732	2704	{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe	34
PID 2704 wrote to memory of 2732	2704	{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe	34
PID 2704 wrote to memory of 2732	2704	{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe	34
PID 2704 wrote to memory of 2832	2704	{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe	35
PID 2704 wrote to memory of 2832	2704	{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe	35
PID 2704 wrote to memory of 2832	2704	{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe	35
PID 2704 wrote to memory of 2832	2704	{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe	35
PID 2732 wrote to memory of 2988	2732	{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe	36
PID 2732 wrote to memory of 2988	2732	{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe	36
PID 2732 wrote to memory of 2988	2732	{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe	36
PID 2732 wrote to memory of 2988	2732	{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe	36
PID 2732 wrote to memory of 2376	2732	{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe	37
PID 2732 wrote to memory of 2376	2732	{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe	37
PID 2732 wrote to memory of 2376	2732	{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe	37
PID 2732 wrote to memory of 2376	2732	{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe	37
PID 2988 wrote to memory of 2072	2988	{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe	38
PID 2988 wrote to memory of 2072	2988	{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe	38
PID 2988 wrote to memory of 2072	2988	{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe	38
PID 2988 wrote to memory of 2072	2988	{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe	38
PID 2988 wrote to memory of 804	2988	{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe	39
PID 2988 wrote to memory of 804	2988	{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe	39
PID 2988 wrote to memory of 804	2988	{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe	39
PID 2988 wrote to memory of 804	2988	{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe	39
PID 2072 wrote to memory of 1936	2072	{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe	40
PID 2072 wrote to memory of 1936	2072	{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe	40
PID 2072 wrote to memory of 1936	2072	{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe	40
PID 2072 wrote to memory of 1936	2072	{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe	40
PID 2072 wrote to memory of 1984	2072	{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe	41
PID 2072 wrote to memory of 1984	2072	{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe	41
PID 2072 wrote to memory of 1984	2072	{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe	41
PID 2072 wrote to memory of 1984	2072	{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe	41
PID 1936 wrote to memory of 2428	1936	{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe	42
PID 1936 wrote to memory of 2428	1936	{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe	42
PID 1936 wrote to memory of 2428	1936	{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe	42
PID 1936 wrote to memory of 2428	1936	{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe	42
PID 1936 wrote to memory of 1380	1936	{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe	43
PID 1936 wrote to memory of 1380	1936	{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe	43
PID 1936 wrote to memory of 1380	1936	{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe	43
PID 1936 wrote to memory of 1380	1936	{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe	43
PID 2428 wrote to memory of 2980	2428	{5442C55E-F3BE-4311-B381-A544EA600177}.exe	45
PID 2428 wrote to memory of 2980	2428	{5442C55E-F3BE-4311-B381-A544EA600177}.exe	45
PID 2428 wrote to memory of 2980	2428	{5442C55E-F3BE-4311-B381-A544EA600177}.exe	45
PID 2428 wrote to memory of 2980	2428	{5442C55E-F3BE-4311-B381-A544EA600177}.exe	45
PID 2428 wrote to memory of 2212	2428	{5442C55E-F3BE-4311-B381-A544EA600177}.exe	46
PID 2428 wrote to memory of 2212	2428	{5442C55E-F3BE-4311-B381-A544EA600177}.exe	46
PID 2428 wrote to memory of 2212	2428	{5442C55E-F3BE-4311-B381-A544EA600177}.exe	46
PID 2428 wrote to memory of 2212	2428	{5442C55E-F3BE-4311-B381-A544EA600177}.exe	46

C:\Users\Admin\AppData\Local\Temp\8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe
"C:\Users\Admin\AppData\Local\Temp\8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe
  C:\Windows\{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe
    C:\Windows\{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe
      C:\Windows\{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe
        
        C:\Windows\{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe
        
        C:\Windows\{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe
        
        C:\Windows\{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\{5442C55E-F3BE-4311-B381-A544EA600177}.exe
        
        C:\Windows\{5442C55E-F3BE-4311-B381-A544EA600177}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\{70A6EA72-E111-4c60-AA0C-50BBA34A2665}.exe
        
        C:\Windows\{70A6EA72-E111-4c60-AA0C-50BBA34A2665}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\{EE2C8600-3A60-42dd-B79F-98372D13BEC8}.exe
        
        C:\Windows\{EE2C8600-3A60-42dd-B79F-98372D13BEC8}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\{45976717-96A0-4651-BDBF-D9C73F7A2AD0}.exe
        
        C:\Windows\{45976717-96A0-4651-BDBF-D9C73F7A2AD0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\{4ECD8225-28EC-4054-9368-101F989C095D}.exe
        
        C:\Windows\{4ECD8225-28EC-4054-9368-101F989C095D}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45976~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE2C8~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70A6E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5442C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31C95~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A355A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCF6B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BB9F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5BB8B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AC25D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8D9B3E~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{31C950BF-EDA3-4e22-9680-97EFC05AA57B}.exe

Filesize
90KB

MD5
14f56986032c82df1194dfe1e14c9107

SHA1
4aabd96448b03c00883c2f4e4b1338e9b3f75bb1

SHA256
7e0f3ceed44819f553284d768dd2721796389e050079b944a5068da1b22161a3

SHA512
20b7b253bfab7656d45cf2ed653a7c36aa1d07d478f4137be22736ebfd018473e4c36d15157e2f89e0d922806d702663761f69ab00bfbde2edb86e7177d96459

Download Submit
C:\Windows\{45976717-96A0-4651-BDBF-D9C73F7A2AD0}.exe

Filesize
90KB

MD5
7c409622a7622018e2bf6cfce7502003

SHA1
411cf2ee8fe3f9fd8e721851d9bff224ac7b68ff

SHA256
900aa3e9e3c1d19fa9a5ef5134a6914a7c8a5f35d7a46955fffa5f4cb73ed7ab

SHA512
00319af53abc73d5f5674739a7aaf729945dabbf898fd37157815a10f300a5ba1c9e281ce8dea86b87a1c41c906b1b44d6f399d01723b6cc3ed9850fc5c261b6

Download Submit
C:\Windows\{4ECD8225-28EC-4054-9368-101F989C095D}.exe

Filesize
90KB

MD5
5ea20dd8ed84a011831d71f336a9de71

SHA1
b310cce7814c65a93d997b506069d67c78f97086

SHA256
5a546d34cd05645c1dd0440494280abf896205be8a93dd0f75bb9e3218d974ab

SHA512
c2bbf4e94ddc66d882b9af9bd11735a7f5f3d3cd4f48623eef6ff75027e08215ab21f2c74f9062b6f637c6d50875b40d6664b65631ae9c1c4d715de71dc99274

Download Submit
C:\Windows\{5442C55E-F3BE-4311-B381-A544EA600177}.exe

Filesize
90KB

MD5
54ae3c173aa682717f8d593b6ba0129a

SHA1
a556d8bfb691d384f904770724a0880552fd6f58

SHA256
57144bca82bde1e253e8eb6ace0f8ad3a8a9913768eb09e89d28195f8acfcc42

SHA512
028355ba77c1663411a718d3d927f695788f677d9d422bc14f52af1fc2b65919c0d952940fd0a0c7ceb87d7d2f1c518d5d14958726e132e2ffe197c4d1ec56ac

Download Submit
C:\Windows\{5BB8BE6A-1D38-405c-87F6-995B352BCB98}.exe

Filesize
90KB

MD5
23e77f9285bbfbcd233c2257b3647962

SHA1
9c958a7d131687d90e494299e753e1ee9c71a712

SHA256
0a0ceb427572ae149f9491da384d0bbe662b21323adcdfaf0ab469e37bab3584

SHA512
ab4c0ed71ad6f67d14945ae6c436a9c80c9b5407cada83be77042e2ef212c88f0d348efc6e41adab9f712ec0aad8857db6f63afed2bec469bf2198e5ab4e5e4f

Download Submit
C:\Windows\{70A6EA72-E111-4c60-AA0C-50BBA34A2665}.exe

Filesize
90KB

MD5
dab947ecfaff492d2ba5c5a51fb996e3

SHA1
495bc199e9b165474cffe981508e089b22ee4276

SHA256
5a9df6cc2136b32dcda0c6f36ea27160dbdaff026ab2af840d08b612913854f2

SHA512
863db39b5a991e1fb18e7a39b5f06a633df7ae8bb07122e7df3588e42cf9c9aafa8bddae61dafd763e744327ba92c40cd5dd05c64eea7af8de7e2dd9917f15f5

Download Submit
C:\Windows\{7BB9FE83-5E8D-4ea3-9E75-E59CD76ADCB7}.exe

Filesize
90KB

MD5
eef3a32172e4ece4176310a9b8ba51dd

SHA1
d56b0b3321b9641df3d82e5e1b0ec0fac1b569d3

SHA256
7d170b71b663d032af430bf590b94e167ecb38a7a2fb80178529eff579cfe6ea

SHA512
328ef219a4bc79a9e67630d0d3305786af7649db00d1c49b5c1d1d67f3d3dfeb62f4a5055b8783e693076ed607b99f58997aadc8cb764db48b76e9a4e91402e7

Download Submit
C:\Windows\{A355A315-863B-408f-B7CE-6F90C2DB4E7D}.exe

Filesize
90KB

MD5
22f764991e39c7fc471b821ce4a197b0

SHA1
1e98488b5e48c5bcbddf5d4f309d74e0704e254d

SHA256
34d1f88481fb478e7068cf908495944581ca8fd7c81d298a500047f74920f28f

SHA512
114c80625f54efaebd65ec83cf2f7ac776561b88a892e3dfee5583476c7be804d66da01212c8a7776d64489eb80d7d7263178032371c14d44355473ce45dd86b

Download Submit
C:\Windows\{AC25DF99-B8F4-4aa5-9D61-E6C292D4F02E}.exe

Filesize
90KB

MD5
cee445da9cba55636a8f73f9c3cbd280

SHA1
ffe54ee5e4ba40455d49b5626b00faa0d81bf1c8

SHA256
f2a926e36e69880ba12ee3ecff767d3e201b02bd244721be508a40325bca99f3

SHA512
78edb58f631513b4fc9cb6484b12bdd4e7ada2d89a4222bfcebd75f13c4c2bf29d202881a0b6b9584db96d61440758a914f859cdd953c2d4b46bcb519ccab98c

Download Submit
C:\Windows\{DCF6B245-3C70-487c-AEBA-870748C54B98}.exe

Filesize
90KB

MD5
3bc88197bdcfd700552afcd289cd7a48

SHA1
ad442f8349c31918fc4be7baf558594833b1a211

SHA256
5e4bbaf5f55b1a8dcb3eda22609a6706474bac549c77a30998b78058b719b045

SHA512
a0e9a3cc3b31cc200d00ef725b6dd5f2aac15e0c71206bd3f4deae07428537dc150e9ba2c0b3008c283807fc7862c454f7f7f6f58f4f71fbb5ad7234f61dc39a

Download Submit
C:\Windows\{EE2C8600-3A60-42dd-B79F-98372D13BEC8}.exe

Filesize
90KB

MD5
7bcd241b97577e56aeadd6094742eab5

SHA1
4b5b03bc72c81c7160f41353aace28ceb3f3e0f5

SHA256
1cba9cf84211f54845c28f7be357159d871837b198b3716ad5b12c2f124e47f9

SHA512
276da4eb74e47e69ab22822eb6bd4132eb03d312eee873b902ba8ff182cb15a4e59d379aeaeec1ed54b3e616cba415eb47727928d8c97da2030ceb4714729d78

Download Submit
memory/376-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/376-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/376-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/376-4-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/1936-60-0x0000000000360000-0x0000000000371000-memory.dmp

Filesize
68KB

Download
memory/1936-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2040-96-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2040-94-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download
memory/2040-95-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download
memory/2040-87-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2072-52-0x0000000000250000-0x0000000000261000-memory.dmp

Filesize
68KB

Download
memory/2072-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2428-76-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/2428-69-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/2428-75-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2512-98-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2512-107-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2512-106-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2512-102-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2704-23-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2704-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2704-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2704-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2732-32-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2732-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2776-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2776-12-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2980-83-0x0000000000330000-0x0000000000341000-memory.dmp

Filesize
68KB

Download
memory/2980-84-0x0000000000330000-0x0000000000341000-memory.dmp

Filesize
68KB

Download
memory/2980-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2988-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2988-42-0x0000000000250000-0x0000000000261000-memory.dmp

Filesize
68KB

Download
memory/2988-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads