bb4dbc1970756e3e5ae037fb2475d369d5ea095ce0dc6de72a7a706322974e0d

Analysis

max time kernel
118s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 04:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4edf5d20f78244beb73b70ee2328fb70N.exe
Size

90KB
MD5

4edf5d20f78244beb73b70ee2328fb70
SHA1

3345978e9d915ae55828b23b87d295f7a39f4204
SHA256

bb4dbc1970756e3e5ae037fb2475d369d5ea095ce0dc6de72a7a706322974e0d
SHA512

2cc8c18f0a3ece8456ad28b2e1672b5efba17d80b4f13fa4491bbf0f139eb85c4a00a9c668e56fdb9b96180a074bc7a0eec5980395ed1beabb84cfed18c1e98d
SSDEEP

768:Qvw9816vhKQLroi44/wQRNrfrunMxVFA3b7gl/:YEGh0oi4l2unMxVS3HgR

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13E1F660-7A43-4269-86BF-E11B94846DA3}\stubpath = "C:\\Windows\\{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe"	{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}\stubpath = "C:\\Windows\\{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe"	{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFE5845C-4001-4ac3-B2ED-418D2409D73E}	{B588602C-B2F5-4183-A745-C59B85F68504}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}\stubpath = "C:\\Windows\\{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe"	4edf5d20f78244beb73b70ee2328fb70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}	{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}\stubpath = "C:\\Windows\\{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe"	{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1922F0D-5077-497d-9F12-F1FB9741D31C}\stubpath = "C:\\Windows\\{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe"	{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{160AD759-D2D4-4f27-9778-F8618B56B34D}	{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{160AD759-D2D4-4f27-9778-F8618B56B34D}\stubpath = "C:\\Windows\\{160AD759-D2D4-4f27-9778-F8618B56B34D}.exe"	{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{803BBEA4-43D7-46ba-8521-323E1847FE11}	{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13E1F660-7A43-4269-86BF-E11B94846DA3}	{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1922F0D-5077-497d-9F12-F1FB9741D31C}	{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B588602C-B2F5-4183-A745-C59B85F68504}	{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFE5845C-4001-4ac3-B2ED-418D2409D73E}\stubpath = "C:\\Windows\\{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe"	{B588602C-B2F5-4183-A745-C59B85F68504}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}	4edf5d20f78244beb73b70ee2328fb70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{803BBEA4-43D7-46ba-8521-323E1847FE11}\stubpath = "C:\\Windows\\{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe"	{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}	{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B588602C-B2F5-4183-A745-C59B85F68504}\stubpath = "C:\\Windows\\{B588602C-B2F5-4183-A745-C59B85F68504}.exe"	{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe

Executes dropped EXE 9 IoCs

pid	Process
1272	{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe
828	{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe
2868	{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe
4944	{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe
4196	{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe
4108	{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe
4032	{B588602C-B2F5-4183-A745-C59B85F68504}.exe
2988	{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe
4556	{160AD759-D2D4-4f27-9778-F8618B56B34D}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe	{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe
File created	C:\Windows\{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe	{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe
File created	C:\Windows\{B588602C-B2F5-4183-A745-C59B85F68504}.exe	{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe
File created	C:\Windows\{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe	4edf5d20f78244beb73b70ee2328fb70N.exe
File created	C:\Windows\{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe	{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe
File created	C:\Windows\{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe	{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe
File created	C:\Windows\{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe	{B588602C-B2F5-4183-A745-C59B85F68504}.exe
File created	C:\Windows\{160AD759-D2D4-4f27-9778-F8618B56B34D}.exe	{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe
File created	C:\Windows\{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe	{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{160AD759-D2D4-4f27-9778-F8618B56B34D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B588602C-B2F5-4183-A745-C59B85F68504}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4edf5d20f78244beb73b70ee2328fb70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1480	4edf5d20f78244beb73b70ee2328fb70N.exe
Token: SeIncBasePriorityPrivilege	1272	{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe
Token: SeIncBasePriorityPrivilege	828	{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe
Token: SeIncBasePriorityPrivilege	2868	{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe
Token: SeIncBasePriorityPrivilege	4944	{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe
Token: SeIncBasePriorityPrivilege	4196	{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe
Token: SeIncBasePriorityPrivilege	4108	{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe
Token: SeIncBasePriorityPrivilege	4032	{B588602C-B2F5-4183-A745-C59B85F68504}.exe
Token: SeIncBasePriorityPrivilege	2988	{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1272	1480	4edf5d20f78244beb73b70ee2328fb70N.exe	94
PID 1480 wrote to memory of 1272	1480	4edf5d20f78244beb73b70ee2328fb70N.exe	94
PID 1480 wrote to memory of 1272	1480	4edf5d20f78244beb73b70ee2328fb70N.exe	94
PID 1480 wrote to memory of 2368	1480	4edf5d20f78244beb73b70ee2328fb70N.exe	95
PID 1480 wrote to memory of 2368	1480	4edf5d20f78244beb73b70ee2328fb70N.exe	95
PID 1480 wrote to memory of 2368	1480	4edf5d20f78244beb73b70ee2328fb70N.exe	95
PID 1272 wrote to memory of 828	1272	{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe	96
PID 1272 wrote to memory of 828	1272	{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe	96
PID 1272 wrote to memory of 828	1272	{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe	96
PID 1272 wrote to memory of 1196	1272	{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe	97
PID 1272 wrote to memory of 1196	1272	{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe	97
PID 1272 wrote to memory of 1196	1272	{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe	97
PID 828 wrote to memory of 2868	828	{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe	100
PID 828 wrote to memory of 2868	828	{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe	100
PID 828 wrote to memory of 2868	828	{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe	100
PID 828 wrote to memory of 3628	828	{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe	101
PID 828 wrote to memory of 3628	828	{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe	101
PID 828 wrote to memory of 3628	828	{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe	101
PID 2868 wrote to memory of 4944	2868	{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe	102
PID 2868 wrote to memory of 4944	2868	{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe	102
PID 2868 wrote to memory of 4944	2868	{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe	102
PID 2868 wrote to memory of 2984	2868	{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe	103
PID 2868 wrote to memory of 2984	2868	{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe	103
PID 2868 wrote to memory of 2984	2868	{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe	103
PID 4944 wrote to memory of 4196	4944	{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe	104
PID 4944 wrote to memory of 4196	4944	{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe	104
PID 4944 wrote to memory of 4196	4944	{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe	104
PID 4944 wrote to memory of 4408	4944	{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe	105
PID 4944 wrote to memory of 4408	4944	{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe	105
PID 4944 wrote to memory of 4408	4944	{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe	105
PID 4196 wrote to memory of 4108	4196	{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe	106
PID 4196 wrote to memory of 4108	4196	{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe	106
PID 4196 wrote to memory of 4108	4196	{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe	106
PID 4196 wrote to memory of 1356	4196	{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe	107
PID 4196 wrote to memory of 1356	4196	{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe	107
PID 4196 wrote to memory of 1356	4196	{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe	107
PID 4108 wrote to memory of 4032	4108	{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe	108
PID 4108 wrote to memory of 4032	4108	{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe	108
PID 4108 wrote to memory of 4032	4108	{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe	108
PID 4108 wrote to memory of 764	4108	{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe	109
PID 4108 wrote to memory of 764	4108	{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe	109
PID 4108 wrote to memory of 764	4108	{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe	109
PID 4032 wrote to memory of 2988	4032	{B588602C-B2F5-4183-A745-C59B85F68504}.exe	110
PID 4032 wrote to memory of 2988	4032	{B588602C-B2F5-4183-A745-C59B85F68504}.exe	110
PID 4032 wrote to memory of 2988	4032	{B588602C-B2F5-4183-A745-C59B85F68504}.exe	110
PID 4032 wrote to memory of 412	4032	{B588602C-B2F5-4183-A745-C59B85F68504}.exe	111
PID 4032 wrote to memory of 412	4032	{B588602C-B2F5-4183-A745-C59B85F68504}.exe	111
PID 4032 wrote to memory of 412	4032	{B588602C-B2F5-4183-A745-C59B85F68504}.exe	111
PID 2988 wrote to memory of 4556	2988	{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe	112
PID 2988 wrote to memory of 4556	2988	{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe	112
PID 2988 wrote to memory of 4556	2988	{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe	112
PID 2988 wrote to memory of 1916	2988	{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe	113
PID 2988 wrote to memory of 1916	2988	{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe	113
PID 2988 wrote to memory of 1916	2988	{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe	113

C:\Users\Admin\AppData\Local\Temp\4edf5d20f78244beb73b70ee2328fb70N.exe
"C:\Users\Admin\AppData\Local\Temp\4edf5d20f78244beb73b70ee2328fb70N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe
  C:\Windows\{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe
    C:\Windows\{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe
      C:\Windows\{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe
        
        C:\Windows\{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4944
      - C:\Windows\{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe
        
        C:\Windows\{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe
        
        C:\Windows\{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\{B588602C-B2F5-4183-A745-C59B85F68504}.exe
        
        C:\Windows\{B588602C-B2F5-4183-A745-C59B85F68504}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe
        
        C:\Windows\{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{160AD759-D2D4-4f27-9778-F8618B56B34D}.exe
        
        C:\Windows\{160AD759-D2D4-4f27-9778-F8618B56B34D}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFE58~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5886~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1922~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FCFF~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B38C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13E1F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{803BB~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4ED6D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4EDF5D~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B38C28F-B386-4f96-84BD-15E8EFB9CAD0}.exe

Filesize
90KB

MD5
5689d339f61febfe16ecddf32b934ff8

SHA1
0538c54ac79d286c8f1464ef0b980238b18574cb

SHA256
9b1d23b99662eaf0acecf3181b161209ba941ad3217584f2ab1a536d71f7f04b

SHA512
2e26420860910153798fbe8501a59fb999167b5770a4ce7d40ad0c11452a3a6580a015759e944ef4bbfc4998e26846fdb069f3d9236bc5f8b0f26c07a535b94e

Download Submit
C:\Windows\{13E1F660-7A43-4269-86BF-E11B94846DA3}.exe

Filesize
90KB

MD5
b888c9321010df2772d39da042c84bbb

SHA1
02b09b0feb82e00c8a4979884ab37f1e5459c92d

SHA256
f8ef08c5dafdbe1f3c13580ea8a9330541cf14b7e1a353918cfe86325e451efb

SHA512
e001b4db9fded992abdb94e8048e4a5be1dbfeaa4f9dc54933050d38527e2eafd1f4b4a66e381a0e91e5cc34364dcd856fabeab9f410a2df2fbe6d10d697198e

Download Submit
C:\Windows\{160AD759-D2D4-4f27-9778-F8618B56B34D}.exe

Filesize
90KB

MD5
729e013e56d27b9e30abbdc52876e93f

SHA1
c04d7a72ec6f860edba4f8d4621a7df7d9fc248f

SHA256
d7764b89c2e7fc8262b39ba77adeaf868c22793032eb8ac5465d696010b93767

SHA512
3322e52a01b64f1695a4da5222836c6822de3529bfbed583011816b00bdaaf284449a578987f2175d1aabf5b763c9a54cd03a3e8cb886c4a02831e56169f7ec6

Download Submit
C:\Windows\{4ED6D208-FDF2-4c83-A847-6D7DF9EE0807}.exe

Filesize
90KB

MD5
bc9e5a1a130010ff60fef1fc6cdc0024

SHA1
2449cd1cd4701b54b9f237f163116d01fa9e2c38

SHA256
5302a0937ca3d8fcb12f6300557353b86fc9a91f4ccca061e385ad0f054217c4

SHA512
7f3de0c1dad2e8ae2f30e1d636178d2d8fa9b317bb4d4a7c0b3fab023a95694b520cbe2603fa76ea7471326a8645ed05cccad3c259590b509f4039abbe9662fd

Download Submit
C:\Windows\{6FCFFCA1-CFD4-427b-B9F3-9827EDBBC090}.exe

Filesize
90KB

MD5
9483723760e744263501c191b9135161

SHA1
31ebad082b5be51cd11951b56e9f09084eab467a

SHA256
9ae3a11da62f9ada6b47d68fa45b3d8f13dfce2b7b54b1b26f6ad790ad5d69e3

SHA512
809b34624efb4d01fbb23ce5fd85313e4e65142e9aff528920b36286f72a7c29af9cab223bf3639799d85b776dba1f28047fbe0aa16908449a964f7648484913

Download Submit
C:\Windows\{803BBEA4-43D7-46ba-8521-323E1847FE11}.exe

Filesize
90KB

MD5
6139d510667b30addba54208b7b9bb7c

SHA1
b5fda9641c3d8b828bac3f7ed054019e706a4d70

SHA256
b244b84b55c1106d49f7646f7ab67ffc5f430ce5079016d82f28774f9d616a9d

SHA512
21f67cba024cd00a695d8c70c3b7701d5f48e0bebeb4c5f70b3a4a26492c26adab37bba13f9dc065e1f7d93ac5a0eebb93bb6b47b25b81086f708b55e1f86f32

Download Submit
C:\Windows\{A1922F0D-5077-497d-9F12-F1FB9741D31C}.exe

Filesize
90KB

MD5
835f529b6e95ec6f08ad4d53c16fe266

SHA1
e8965c3e8501149248c1a11bcd4000608bd041d1

SHA256
14d15893fb5fb8a100bcefef5b9a4dfaaa81a3228c2d9867ac023fe707fc0dba

SHA512
48c781f024b01d5fcadd8a9de0bec43ae56c3a7dd9cb57376d9d374dd8c3dd2a09370b739a6b35b666a3780fe25eba5a8fefdac1f8b2aef8669f12bb65b6ece9

Download Submit
C:\Windows\{B588602C-B2F5-4183-A745-C59B85F68504}.exe

Filesize
90KB

MD5
a54bc9991aa9363bea1ae3bbdeb2fc75

SHA1
b8a44398d2520da42576cddf9b3cbd48211e1420

SHA256
f952532aedbc3812ecffdb978434b10fb0ddb42ff0b988a392ae26a1629addc0

SHA512
443b6fa685c9c5ee44ffa1d58672b5442314ae4f034677d0591d241c8c70f89af4833f75d35b130cc6506d2aff67fa3a8c8fa0b9ffdc8c4ffaf129cfe0f08e3d

Download Submit
C:\Windows\{FFE5845C-4001-4ac3-B2ED-418D2409D73E}.exe

Filesize
90KB

MD5
89b767892ff0ba8b0ff544acbec4ac34

SHA1
8a77d8b32fe60200eecf8b47c1d3e8305ca766dc

SHA256
cbb16798cec2875dc0a8e32901e67b9ea60e97459c5f0d24d71b25c9689a21db

SHA512
6b3857f905cb16dcac480d1d56bf3891d8e8fe08d7ee997292e70f25772baeefaa3d632453200c0288924981d40c94bf13bbb1eff8ebe811669dfa3625ff223b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads