a763c1594d3ba32295ecfb5c9170962ea8d96ace37ec24ae956c11b55acd5560

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a763c1594d3ba32295ecfb5c9170962ea8d96ace37ec24ae956c11b55acd5560.exe
Size

90KB
MD5

34d2230862898cc463ba6bc61999004b
SHA1

c8b4b4e7d5a3141bf8e029a99ebc07b36fb1a080
SHA256

a763c1594d3ba32295ecfb5c9170962ea8d96ace37ec24ae956c11b55acd5560
SHA512

2378310101a30cbef75fb4bf4ac8bd7c5069c5cbd5250637794c1b4fdd23f8b0488fc66f9fef1f14390dc003a9e6824e6999945941566e17126912da41e0c1fb
SSDEEP

768:5vw9816thKQLroW4/wQkNrfrunMxVFA3bA:lEG/0oWlbunMxVS3c

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}\stubpath = "C:\\Windows\\{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe"	a763c1594d3ba32295ecfb5c9170962ea8d96ace37ec24ae956c11b55acd5560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A24E3EE-8822-441e-98F5-23055FE10739}\stubpath = "C:\\Windows\\{0A24E3EE-8822-441e-98F5-23055FE10739}.exe"	{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59BCDBB3-8331-4b48-B893-0E977CC10B56}\stubpath = "C:\\Windows\\{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe"	{0A24E3EE-8822-441e-98F5-23055FE10739}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0F04B28-899F-4682-8E6D-BE37D45839B8}\stubpath = "C:\\Windows\\{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe"	{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F87D66C-4BE3-40bd-BB89-4F5959F23613}	{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5E84459-A79B-471e-9A5A-C10407DBB537}\stubpath = "C:\\Windows\\{A5E84459-A79B-471e-9A5A-C10407DBB537}.exe"	{B8EC1A37-00C8-4001-945A-62F1332B78DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}	a763c1594d3ba32295ecfb5c9170962ea8d96ace37ec24ae956c11b55acd5560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59BCDBB3-8331-4b48-B893-0E977CC10B56}	{0A24E3EE-8822-441e-98F5-23055FE10739}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}	{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7053EA5B-060C-4e01-9C11-B3CB79331839}	{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8EC1A37-00C8-4001-945A-62F1332B78DC}\stubpath = "C:\\Windows\\{B8EC1A37-00C8-4001-945A-62F1332B78DC}.exe"	{FB90AB06-EB74-4c18-90C5-8F71B412CC52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0F04B28-899F-4682-8E6D-BE37D45839B8}	{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}	{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}\stubpath = "C:\\Windows\\{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe"	{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18F876DD-5370-4a8d-A193-FBA5526FDF6E}\stubpath = "C:\\Windows\\{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe"	{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7053EA5B-060C-4e01-9C11-B3CB79331839}\stubpath = "C:\\Windows\\{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe"	{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB90AB06-EB74-4c18-90C5-8F71B412CC52}	{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A24E3EE-8822-441e-98F5-23055FE10739}	{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}\stubpath = "C:\\Windows\\{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe"	{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F87D66C-4BE3-40bd-BB89-4F5959F23613}\stubpath = "C:\\Windows\\{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe"	{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18F876DD-5370-4a8d-A193-FBA5526FDF6E}	{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB90AB06-EB74-4c18-90C5-8F71B412CC52}\stubpath = "C:\\Windows\\{FB90AB06-EB74-4c18-90C5-8F71B412CC52}.exe"	{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8EC1A37-00C8-4001-945A-62F1332B78DC}	{FB90AB06-EB74-4c18-90C5-8F71B412CC52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5E84459-A79B-471e-9A5A-C10407DBB537}	{B8EC1A37-00C8-4001-945A-62F1332B78DC}.exe

Executes dropped EXE 12 IoCs

pid	Process
3320	{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe
1000	{0A24E3EE-8822-441e-98F5-23055FE10739}.exe
4016	{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe
1312	{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe
1564	{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe
244	{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe
3020	{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe
3284	{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe
2960	{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe
1156	{FB90AB06-EB74-4c18-90C5-8F71B412CC52}.exe
2372	{B8EC1A37-00C8-4001-945A-62F1332B78DC}.exe
1568	{A5E84459-A79B-471e-9A5A-C10407DBB537}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe	a763c1594d3ba32295ecfb5c9170962ea8d96ace37ec24ae956c11b55acd5560.exe
File created	C:\Windows\{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe	{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe
File created	C:\Windows\{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe	{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe
File created	C:\Windows\{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe	{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe
File created	C:\Windows\{FB90AB06-EB74-4c18-90C5-8F71B412CC52}.exe	{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe
File created	C:\Windows\{A5E84459-A79B-471e-9A5A-C10407DBB537}.exe	{B8EC1A37-00C8-4001-945A-62F1332B78DC}.exe
File created	C:\Windows\{0A24E3EE-8822-441e-98F5-23055FE10739}.exe	{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe
File created	C:\Windows\{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe	{0A24E3EE-8822-441e-98F5-23055FE10739}.exe
File created	C:\Windows\{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe	{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe
File created	C:\Windows\{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe	{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe
File created	C:\Windows\{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe	{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe
File created	C:\Windows\{B8EC1A37-00C8-4001-945A-62F1332B78DC}.exe	{FB90AB06-EB74-4c18-90C5-8F71B412CC52}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a763c1594d3ba32295ecfb5c9170962ea8d96ace37ec24ae956c11b55acd5560.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB90AB06-EB74-4c18-90C5-8F71B412CC52}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A5E84459-A79B-471e-9A5A-C10407DBB537}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A24E3EE-8822-441e-98F5-23055FE10739}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B8EC1A37-00C8-4001-945A-62F1332B78DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1044	a763c1594d3ba32295ecfb5c9170962ea8d96ace37ec24ae956c11b55acd5560.exe
Token: SeIncBasePriorityPrivilege	3320	{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe
Token: SeIncBasePriorityPrivilege	1000	{0A24E3EE-8822-441e-98F5-23055FE10739}.exe
Token: SeIncBasePriorityPrivilege	4016	{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe
Token: SeIncBasePriorityPrivilege	1312	{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe
Token: SeIncBasePriorityPrivilege	1564	{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe
Token: SeIncBasePriorityPrivilege	244	{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe
Token: SeIncBasePriorityPrivilege	3020	{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe
Token: SeIncBasePriorityPrivilege	3284	{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe
Token: SeIncBasePriorityPrivilege	2960	{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe
Token: SeIncBasePriorityPrivilege	1156	{FB90AB06-EB74-4c18-90C5-8F71B412CC52}.exe
Token: SeIncBasePriorityPrivilege	2372	{B8EC1A37-00C8-4001-945A-62F1332B78DC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 3320	1044	a763c1594d3ba32295ecfb5c9170962ea8d96ace37ec24ae956c11b55acd5560.exe	94
PID 1044 wrote to memory of 3320	1044	a763c1594d3ba32295ecfb5c9170962ea8d96ace37ec24ae956c11b55acd5560.exe	94
PID 1044 wrote to memory of 3320	1044	a763c1594d3ba32295ecfb5c9170962ea8d96ace37ec24ae956c11b55acd5560.exe	94
PID 1044 wrote to memory of 5060	1044	a763c1594d3ba32295ecfb5c9170962ea8d96ace37ec24ae956c11b55acd5560.exe	95
PID 1044 wrote to memory of 5060	1044	a763c1594d3ba32295ecfb5c9170962ea8d96ace37ec24ae956c11b55acd5560.exe	95
PID 1044 wrote to memory of 5060	1044	a763c1594d3ba32295ecfb5c9170962ea8d96ace37ec24ae956c11b55acd5560.exe	95
PID 3320 wrote to memory of 1000	3320	{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe	96
PID 3320 wrote to memory of 1000	3320	{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe	96
PID 3320 wrote to memory of 1000	3320	{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe	96
PID 3320 wrote to memory of 4000	3320	{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe	97
PID 3320 wrote to memory of 4000	3320	{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe	97
PID 3320 wrote to memory of 4000	3320	{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe	97
PID 1000 wrote to memory of 4016	1000	{0A24E3EE-8822-441e-98F5-23055FE10739}.exe	100
PID 1000 wrote to memory of 4016	1000	{0A24E3EE-8822-441e-98F5-23055FE10739}.exe	100
PID 1000 wrote to memory of 4016	1000	{0A24E3EE-8822-441e-98F5-23055FE10739}.exe	100
PID 1000 wrote to memory of 3352	1000	{0A24E3EE-8822-441e-98F5-23055FE10739}.exe	101
PID 1000 wrote to memory of 3352	1000	{0A24E3EE-8822-441e-98F5-23055FE10739}.exe	101
PID 1000 wrote to memory of 3352	1000	{0A24E3EE-8822-441e-98F5-23055FE10739}.exe	101
PID 4016 wrote to memory of 1312	4016	{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe	102
PID 4016 wrote to memory of 1312	4016	{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe	102
PID 4016 wrote to memory of 1312	4016	{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe	102
PID 4016 wrote to memory of 1756	4016	{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe	103
PID 4016 wrote to memory of 1756	4016	{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe	103
PID 4016 wrote to memory of 1756	4016	{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe	103
PID 1312 wrote to memory of 1564	1312	{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe	104
PID 1312 wrote to memory of 1564	1312	{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe	104
PID 1312 wrote to memory of 1564	1312	{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe	104
PID 1312 wrote to memory of 4856	1312	{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe	105
PID 1312 wrote to memory of 4856	1312	{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe	105
PID 1312 wrote to memory of 4856	1312	{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe	105
PID 1564 wrote to memory of 244	1564	{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe	106
PID 1564 wrote to memory of 244	1564	{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe	106
PID 1564 wrote to memory of 244	1564	{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe	106
PID 1564 wrote to memory of 2144	1564	{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe	107
PID 1564 wrote to memory of 2144	1564	{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe	107
PID 1564 wrote to memory of 2144	1564	{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe	107
PID 244 wrote to memory of 3020	244	{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe	108
PID 244 wrote to memory of 3020	244	{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe	108
PID 244 wrote to memory of 3020	244	{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe	108
PID 244 wrote to memory of 3224	244	{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe	109
PID 244 wrote to memory of 3224	244	{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe	109
PID 244 wrote to memory of 3224	244	{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe	109
PID 3020 wrote to memory of 3284	3020	{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe	110
PID 3020 wrote to memory of 3284	3020	{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe	110
PID 3020 wrote to memory of 3284	3020	{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe	110
PID 3020 wrote to memory of 4600	3020	{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe	111
PID 3020 wrote to memory of 4600	3020	{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe	111
PID 3020 wrote to memory of 4600	3020	{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe	111
PID 3284 wrote to memory of 2960	3284	{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe	112
PID 3284 wrote to memory of 2960	3284	{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe	112
PID 3284 wrote to memory of 2960	3284	{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe	112
PID 3284 wrote to memory of 5096	3284	{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe	113
PID 3284 wrote to memory of 5096	3284	{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe	113
PID 3284 wrote to memory of 5096	3284	{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe	113
PID 2960 wrote to memory of 1156	2960	{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe	114
PID 2960 wrote to memory of 1156	2960	{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe	114
PID 2960 wrote to memory of 1156	2960	{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe	114
PID 2960 wrote to memory of 3472	2960	{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe	115
PID 2960 wrote to memory of 3472	2960	{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe	115
PID 2960 wrote to memory of 3472	2960	{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe	115
PID 1156 wrote to memory of 2372	1156	{FB90AB06-EB74-4c18-90C5-8F71B412CC52}.exe	116
PID 1156 wrote to memory of 2372	1156	{FB90AB06-EB74-4c18-90C5-8F71B412CC52}.exe	116
PID 1156 wrote to memory of 2372	1156	{FB90AB06-EB74-4c18-90C5-8F71B412CC52}.exe	116
PID 1156 wrote to memory of 1120	1156	{FB90AB06-EB74-4c18-90C5-8F71B412CC52}.exe	117

C:\Users\Admin\AppData\Local\Temp\a763c1594d3ba32295ecfb5c9170962ea8d96ace37ec24ae956c11b55acd5560.exe
"C:\Users\Admin\AppData\Local\Temp\a763c1594d3ba32295ecfb5c9170962ea8d96ace37ec24ae956c11b55acd5560.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe
  C:\Windows\{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\{0A24E3EE-8822-441e-98F5-23055FE10739}.exe
    C:\Windows\{0A24E3EE-8822-441e-98F5-23055FE10739}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Windows\{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe
      C:\Windows\{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Windows\{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe
        
        C:\Windows\{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
      - C:\Windows\{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe
        
        C:\Windows\{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe
        
        C:\Windows\{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:244
        
        C:\Windows\{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe
        
        C:\Windows\{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe
        
        C:\Windows\{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe
        
        C:\Windows\{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{FB90AB06-EB74-4c18-90C5-8F71B412CC52}.exe
        
        C:\Windows\{FB90AB06-EB74-4c18-90C5-8F71B412CC52}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\{B8EC1A37-00C8-4001-945A-62F1332B78DC}.exe
        
        C:\Windows\{B8EC1A37-00C8-4001-945A-62F1332B78DC}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\{A5E84459-A79B-471e-9A5A-C10407DBB537}.exe
        
        C:\Windows\{A5E84459-A79B-471e-9A5A-C10407DBB537}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8EC1~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB90A~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7053E~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18F87~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F87D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CC71~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE080~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0F04~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59BCD~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0A24E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{85519~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A763C1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A24E3EE-8822-441e-98F5-23055FE10739}.exe

Filesize
90KB

MD5
38be145e22bd29a2e249ab43739baf14

SHA1
245d24a663e25e7f527595e60cedb6800677f638

SHA256
60e1064fa2e300fa805807f7cb45f4fdf2fc244df55697b43e7bbf1cc7eabca6

SHA512
fe4e8e9d4175a19a3cc987a76b49a56f40cb998f5b7a87f8a63bf1c134edc4d13823691c17d5eb12525b4adcf7091141d01ab759362b39edfd0816c8fcfe2bc2

Download Submit
C:\Windows\{18F876DD-5370-4a8d-A193-FBA5526FDF6E}.exe

Filesize
90KB

MD5
69dfc52b119e74f6fd831767c34b2d45

SHA1
6c94b72745b81026a7274e6a80caf48d841eaa00

SHA256
58597b075d2ef62780bb89be1006925ccab725f2b6fbeca7c0dcc918716da66e

SHA512
03fdd66ef8c38c4b196c16f0dac2f5f70353aa72c24191b6446e8055530c9fffb4d447e4fe280ec81b73907c9335cc2b614ce759f91f022ea70932f1ba1913c5

Download Submit
C:\Windows\{59BCDBB3-8331-4b48-B893-0E977CC10B56}.exe

Filesize
90KB

MD5
350b9bc6cc9e660d34fbca1dd7d1e564

SHA1
f3611b93bc4f3b72d39ed4de484f587ee68d3879

SHA256
8e45b6f76add761234458fdcde7f216b04717f2754d5cb783eb61d216d8e9835

SHA512
8b86fa5666f36df3b26934b1638961ba9273b0af97e1b3b64a3760a4342bd9bfd11d68042e6a4462fe92245e57ad378522fde02478dda5fbc8c3445e975e2325

Download Submit
C:\Windows\{6CC71F8B-0D3B-46ad-B536-3CBD824250A1}.exe

Filesize
90KB

MD5
cefea463ef87f6badb85ec0a0b8b3de2

SHA1
c08c6e6819a30f0b318be711e1c9c08eb8a042cd

SHA256
c748512a001c05eb1adbd3fc8b5930a89d6a6c4a3c674ebb2b8087292053c109

SHA512
ab32baa6999d3b2e33690d17d86121ecedfbca8715946c375a90a5da1604974ca9d207f561639dcc080142030cbc3bc572f1b25a4ef9b303bb45da6b44042099

Download Submit
C:\Windows\{7053EA5B-060C-4e01-9C11-B3CB79331839}.exe

Filesize
90KB

MD5
026e3b749b288cfaac0edab3291f8243

SHA1
52d5b2a95a84b106931c3968de6113162a6b37f9

SHA256
3ffcf1485a5e01bdcb2cb935b0aa12d4f6c2eb82aebeed0b5f2c7da1f51a3a5d

SHA512
c1fd1c09f660bb5bfb193fdec75fd250baeac176a6f37d4c6eb43a658044f2e4d07117d42e9ce13bda315fb3f6525ff329af659e3edc79ce8011ac3a458826bc

Download Submit
C:\Windows\{85519AC1-6F76-44b0-9B3E-2B4A86A5E138}.exe

Filesize
90KB

MD5
e0423af3d0d6fd21af4529ae9394ff76

SHA1
5782180788fe90ffdec947c9137a50f84fcc7760

SHA256
34966ea07f90a2d16a81cdfcb91edc6eb84e84cbc83382335080937f39d03bdf

SHA512
b7a26fe615cead593fe4ad8623c0317f873456642425970e55cac2b6cd1622320abf43b4128771742745b3f44b58dae5ad7eaa101b8b06eeb561dd84860d77a9

Download Submit
C:\Windows\{9F87D66C-4BE3-40bd-BB89-4F5959F23613}.exe

Filesize
90KB

MD5
c89f6086d8854c158f9970e358001af7

SHA1
b03c1e5f452dbdccd701f1d64cc0e04064ae162f

SHA256
e0c91e4dddbe109d740705048885a2924d989792c559ed3c5d46f285e289e1e1

SHA512
c3b9dfd62e0f927cec1951b03e0c2cac6997d2a9dee3542169b6a0d913802eec5552eba3795f6226d9438460bcd4f9ce128db217ef9bbcead023e0d2eb86a03e

Download Submit
C:\Windows\{A5E84459-A79B-471e-9A5A-C10407DBB537}.exe

Filesize
90KB

MD5
2e394fb758a95f9236655ae6656f2d2a

SHA1
486f37d28a7b962c283ff20cfa39b31fab635c94

SHA256
089809a56f1888f39f7f77db6591e7ce3af5e8f716faa2bd8f000e14d4d0af9b

SHA512
38180fc63d5a0cb6980118d6a37ed55f76559859b3b9a8a7f81a8b0f5153653e48621cee681b3da12fd268748eac1a4348f834ddaf5c3cb46683172c76960a9f

Download Submit
C:\Windows\{B8EC1A37-00C8-4001-945A-62F1332B78DC}.exe

Filesize
90KB

MD5
5c52bd77b5089454633713456747d9ab

SHA1
98d96a605fa6e21f70ced10409316f059c39cb94

SHA256
0003e1101260b90472ba046dceff4be5cd9c2d302eaf26589fe84ea24efe0178

SHA512
0f98f95f098cc318831ab40768b49d51e3934eae39213e36856462e50a64ebf524699b826a8632888c5ae0e866379132a64a7fe4e22da34e76ee590badc0979c

Download Submit
C:\Windows\{CE08040D-994E-4f4b-A5CE-D5D8BF830D0F}.exe

Filesize
90KB

MD5
fb8d5e6cf747a3cbc0664daab28436e0

SHA1
c7b4726be756398f7d57db1b2e52d2fa232201e0

SHA256
23fda548b99bff4a8eba2d1fa4fc95ae96ad415d3300d87d5492305f99027a36

SHA512
e112d9797f2704331ded356dc4f282bc17b7e219d05fef7f7c79947a28930ff4a5489402c9b999c85454c742159385c4bc8b8be99f458e6a9fd1c1e76d44aff3

Download Submit
C:\Windows\{E0F04B28-899F-4682-8E6D-BE37D45839B8}.exe

Filesize
90KB

MD5
20cc87861797c3cff1c92d5ad6560962

SHA1
6af301f3522b2f22a801edf541ad7c1a44b1e586

SHA256
eca72ffd9c2a98e3cd2688f60e3589e9013be24067dbc3b1d165b185a1bc0633

SHA512
bbbaf60cf727a39512548455ff0a87bf3d5f528ef1c8c18d6ec2524e23347377e34054ed8d174032834bd041a03d1765ab426f7eefb24fc101cf43e6b0f95081

Download Submit
C:\Windows\{FB90AB06-EB74-4c18-90C5-8F71B412CC52}.exe

Filesize
90KB

MD5
f2660383f6f41dd6a2f1435bd05fd5fd

SHA1
dec828716cdb2b362a299124bd66987fdeb2c6b0

SHA256
a71bf5a06651c2ebc1b00ca2a37abf199965edb4d3a2bbd53153ddf3742cad14

SHA512
75c2e8847aeba314d9a07ab664c7b44003fc13c91283c7472081d363bd6c45f4ded916f00a6ed6bc3ebcd1ebd91e92e47120bc771bd6991474513763b8c25f43

Download Submit
memory/244-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/244-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1000-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1000-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1000-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1044-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1044-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1044-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1156-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1156-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1312-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1564-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1564-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1568-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2372-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2372-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2960-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2960-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3020-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3020-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3284-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3284-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3320-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3320-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4016-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4016-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads