ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 02:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe
Size

60KB
MD5

4113fade3d2e3a7cb4fd9ab8f3079c8b
SHA1

35d13be358add2dd6fbf1ae2d107888a1e643f4f
SHA256

ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640
SHA512

92d3f8e2a515446f763b12bce7d39ce6cd64bbc09d53b9852409493f3382f7743d2c6fad358a7a71966a7a547635cd3853f73e3498df0f793ddb2a59047d9e27
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwpfY04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroz4/CFsrd

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DEB035D-F786-4ba4-AED3-6E8B291BE68E}	{AEB1843E-DEED-4816-AED9-40447A63711F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE861C1D-D697-4c08-86D3-D27921773FAA}	{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}\stubpath = "C:\\Windows\\{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe"	{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}\stubpath = "C:\\Windows\\{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe"	{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38A1ACCD-D7F1-4f04-8778-587398771D83}	{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEB1843E-DEED-4816-AED9-40447A63711F}	{A2868CEA-C18E-4860-B729-B81BA940B5B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2868CEA-C18E-4860-B729-B81BA940B5B7}\stubpath = "C:\\Windows\\{A2868CEA-C18E-4860-B729-B81BA940B5B7}.exe"	{38A1ACCD-D7F1-4f04-8778-587398771D83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DEB035D-F786-4ba4-AED3-6E8B291BE68E}\stubpath = "C:\\Windows\\{3DEB035D-F786-4ba4-AED3-6E8B291BE68E}.exe"	{AEB1843E-DEED-4816-AED9-40447A63711F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B01A65D3-D3BD-4d9d-9018-FD7021689747}	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}	{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}\stubpath = "C:\\Windows\\{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe"	{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7899212C-485E-4aab-B1B8-FDF94E56AB65}	{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2868CEA-C18E-4860-B729-B81BA940B5B7}	{38A1ACCD-D7F1-4f04-8778-587398771D83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B01A65D3-D3BD-4d9d-9018-FD7021689747}\stubpath = "C:\\Windows\\{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe"	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE861C1D-D697-4c08-86D3-D27921773FAA}\stubpath = "C:\\Windows\\{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe"	{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38A1ACCD-D7F1-4f04-8778-587398771D83}\stubpath = "C:\\Windows\\{38A1ACCD-D7F1-4f04-8778-587398771D83}.exe"	{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEB1843E-DEED-4816-AED9-40447A63711F}\stubpath = "C:\\Windows\\{AEB1843E-DEED-4816-AED9-40447A63711F}.exe"	{A2868CEA-C18E-4860-B729-B81BA940B5B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7899212C-485E-4aab-B1B8-FDF94E56AB65}\stubpath = "C:\\Windows\\{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe"	{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4135090-556F-4609-9AAE-3D18D422E7C6}	{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4135090-556F-4609-9AAE-3D18D422E7C6}\stubpath = "C:\\Windows\\{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe"	{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}	{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}	{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe

Deletes itself 1 IoCs

pid	Process
2668	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2424	{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe
2188	{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe
2612	{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe
3060	{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe
2128	{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe
2780	{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe
2920	{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe
1976	{38A1ACCD-D7F1-4f04-8778-587398771D83}.exe
1804	{A2868CEA-C18E-4860-B729-B81BA940B5B7}.exe
444	{AEB1843E-DEED-4816-AED9-40447A63711F}.exe
1656	{3DEB035D-F786-4ba4-AED3-6E8B291BE68E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe	{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe
File created	C:\Windows\{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe	{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe
File created	C:\Windows\{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe	{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe
File created	C:\Windows\{38A1ACCD-D7F1-4f04-8778-587398771D83}.exe	{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe
File created	C:\Windows\{AEB1843E-DEED-4816-AED9-40447A63711F}.exe	{A2868CEA-C18E-4860-B729-B81BA940B5B7}.exe
File created	C:\Windows\{3DEB035D-F786-4ba4-AED3-6E8B291BE68E}.exe	{AEB1843E-DEED-4816-AED9-40447A63711F}.exe
File created	C:\Windows\{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe
File created	C:\Windows\{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe	{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe
File created	C:\Windows\{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe	{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe
File created	C:\Windows\{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe	{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe
File created	C:\Windows\{A2868CEA-C18E-4860-B729-B81BA940B5B7}.exe	{38A1ACCD-D7F1-4f04-8778-587398771D83}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3DEB035D-F786-4ba4-AED3-6E8B291BE68E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{38A1ACCD-D7F1-4f04-8778-587398771D83}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AEB1843E-DEED-4816-AED9-40447A63711F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A2868CEA-C18E-4860-B729-B81BA940B5B7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2344	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe
Token: SeIncBasePriorityPrivilege	2424	{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe
Token: SeIncBasePriorityPrivilege	2188	{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe
Token: SeIncBasePriorityPrivilege	2612	{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe
Token: SeIncBasePriorityPrivilege	3060	{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe
Token: SeIncBasePriorityPrivilege	2128	{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe
Token: SeIncBasePriorityPrivilege	2780	{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe
Token: SeIncBasePriorityPrivilege	2920	{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe
Token: SeIncBasePriorityPrivilege	1976	{38A1ACCD-D7F1-4f04-8778-587398771D83}.exe
Token: SeIncBasePriorityPrivilege	1804	{A2868CEA-C18E-4860-B729-B81BA940B5B7}.exe
Token: SeIncBasePriorityPrivilege	444	{AEB1843E-DEED-4816-AED9-40447A63711F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2424	2344	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe	30
PID 2344 wrote to memory of 2424	2344	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe	30
PID 2344 wrote to memory of 2424	2344	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe	30
PID 2344 wrote to memory of 2424	2344	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe	30
PID 2344 wrote to memory of 2668	2344	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe	31
PID 2344 wrote to memory of 2668	2344	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe	31
PID 2344 wrote to memory of 2668	2344	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe	31
PID 2344 wrote to memory of 2668	2344	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe	31
PID 2424 wrote to memory of 2188	2424	{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe	32
PID 2424 wrote to memory of 2188	2424	{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe	32
PID 2424 wrote to memory of 2188	2424	{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe	32
PID 2424 wrote to memory of 2188	2424	{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe	32
PID 2424 wrote to memory of 2872	2424	{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe	33
PID 2424 wrote to memory of 2872	2424	{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe	33
PID 2424 wrote to memory of 2872	2424	{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe	33
PID 2424 wrote to memory of 2872	2424	{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe	33
PID 2188 wrote to memory of 2612	2188	{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe	34
PID 2188 wrote to memory of 2612	2188	{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe	34
PID 2188 wrote to memory of 2612	2188	{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe	34
PID 2188 wrote to memory of 2612	2188	{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe	34
PID 2188 wrote to memory of 2568	2188	{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe	35
PID 2188 wrote to memory of 2568	2188	{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe	35
PID 2188 wrote to memory of 2568	2188	{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe	35
PID 2188 wrote to memory of 2568	2188	{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe	35
PID 2612 wrote to memory of 3060	2612	{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe	36
PID 2612 wrote to memory of 3060	2612	{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe	36
PID 2612 wrote to memory of 3060	2612	{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe	36
PID 2612 wrote to memory of 3060	2612	{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe	36
PID 2612 wrote to memory of 3068	2612	{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe	37
PID 2612 wrote to memory of 3068	2612	{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe	37
PID 2612 wrote to memory of 3068	2612	{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe	37
PID 2612 wrote to memory of 3068	2612	{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe	37
PID 3060 wrote to memory of 2128	3060	{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe	38
PID 3060 wrote to memory of 2128	3060	{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe	38
PID 3060 wrote to memory of 2128	3060	{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe	38
PID 3060 wrote to memory of 2128	3060	{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe	38
PID 3060 wrote to memory of 1624	3060	{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe	39
PID 3060 wrote to memory of 1624	3060	{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe	39
PID 3060 wrote to memory of 1624	3060	{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe	39
PID 3060 wrote to memory of 1624	3060	{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe	39
PID 2128 wrote to memory of 2780	2128	{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe	40
PID 2128 wrote to memory of 2780	2128	{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe	40
PID 2128 wrote to memory of 2780	2128	{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe	40
PID 2128 wrote to memory of 2780	2128	{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe	40
PID 2128 wrote to memory of 1756	2128	{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe	41
PID 2128 wrote to memory of 1756	2128	{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe	41
PID 2128 wrote to memory of 1756	2128	{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe	41
PID 2128 wrote to memory of 1756	2128	{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe	41
PID 2780 wrote to memory of 2920	2780	{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe	43
PID 2780 wrote to memory of 2920	2780	{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe	43
PID 2780 wrote to memory of 2920	2780	{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe	43
PID 2780 wrote to memory of 2920	2780	{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe	43
PID 2780 wrote to memory of 1616	2780	{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe	44
PID 2780 wrote to memory of 1616	2780	{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe	44
PID 2780 wrote to memory of 1616	2780	{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe	44
PID 2780 wrote to memory of 1616	2780	{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe	44
PID 2920 wrote to memory of 1976	2920	{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe	45
PID 2920 wrote to memory of 1976	2920	{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe	45
PID 2920 wrote to memory of 1976	2920	{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe	45
PID 2920 wrote to memory of 1976	2920	{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe	45
PID 2920 wrote to memory of 2220	2920	{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe	46
PID 2920 wrote to memory of 2220	2920	{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe	46
PID 2920 wrote to memory of 2220	2920	{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe	46
PID 2920 wrote to memory of 2220	2920	{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe	46

C:\Users\Admin\AppData\Local\Temp\ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe
"C:\Users\Admin\AppData\Local\Temp\ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe
  C:\Windows\{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe
    C:\Windows\{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe
      C:\Windows\{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe
        
        C:\Windows\{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
      - C:\Windows\{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe
        
        C:\Windows\{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe
        
        C:\Windows\{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe
        
        C:\Windows\{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\{38A1ACCD-D7F1-4f04-8778-587398771D83}.exe
        
        C:\Windows\{38A1ACCD-D7F1-4f04-8778-587398771D83}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\{A2868CEA-C18E-4860-B729-B81BA940B5B7}.exe
        
        C:\Windows\{A2868CEA-C18E-4860-B729-B81BA940B5B7}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\{AEB1843E-DEED-4816-AED9-40447A63711F}.exe
        
        C:\Windows\{AEB1843E-DEED-4816-AED9-40447A63711F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
        
        C:\Windows\{3DEB035D-F786-4ba4-AED3-6E8B291BE68E}.exe
        
        C:\Windows\{3DEB035D-F786-4ba4-AED3-6E8B291BE68E}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEB18~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2868~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38A1A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5B81~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F5EB~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE861~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4135~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78992~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7BDC7~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B01A6~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EC879D~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2F5EB9B4-8B6D-43b1-A6F2-0CD459B60432}.exe

Filesize
60KB

MD5
53ad143c2da67ec3e5b962a6bc140b3f

SHA1
74de00573cda7f1d715a728883711cf2579f8bef

SHA256
218dd9b413c1aeb1ff61cb0e9c0bf574a5ffe99c82dec7f01e2f4a8f6729206f

SHA512
a129aa81a6ba58d63e6de2e5ec25772d86bc8c4260a209b83adb0bd4ce551eddadb508949cb95ca283a0722712c2c3ffcb2ce476380f07a0229f6ee7badbebdd

Download Submit
C:\Windows\{38A1ACCD-D7F1-4f04-8778-587398771D83}.exe

Filesize
60KB

MD5
4def2f831cdade30a47b581c64b472de

SHA1
ab17401b59b587478b1d109b8a509789303f8e99

SHA256
8600bf35d191478833fd660da61e5d5da134d08ace5c10b6c627cd78578d9cfd

SHA512
97ca1f6cea995357a20bdb907c2e49c5ab85b409d74519108726f18f9cf0ff3dc79bb0fd6954d4fae9b8b8784dbde4cc073f4b2432c8f61b20ac420cd9e248b8

Download Submit
C:\Windows\{3DEB035D-F786-4ba4-AED3-6E8B291BE68E}.exe

Filesize
60KB

MD5
9e6dc0fc1158fb165baed5ddd39d8acb

SHA1
8d9d08761fff8a3e9675fd21c0da64db39806927

SHA256
211df347c4225210e380eb5110988893dbae3d55ce02fe1c4368348cd69c0a5f

SHA512
9996a03d0fbaffc57db43e1ad990def950787db0ef725896c7c312c467b521b1a5a0e318f82de6af56ba2f6252bf168fe3b1ac820b24f530a46c87ef95083a0b

Download Submit
C:\Windows\{7899212C-485E-4aab-B1B8-FDF94E56AB65}.exe

Filesize
60KB

MD5
3070bee40e00c72b3b7a356656fb3564

SHA1
b472312ba604a4f8f3d68a1f5916c6a89a3b22a9

SHA256
a8c11a0fffce2f00ee767f3938f80eb92fbae6abce5ae5a913fd992ed53bd8cc

SHA512
d469aab69d76cfa82eab26e39b8ca646a8aeb6c787df7016a9e0e0882fb056b9800076053df33c485f6637b16390e32bc851ab586269ebb2909565cdf9e3c78c

Download Submit
C:\Windows\{7BDC755F-E285-4e4f-9E21-457F3E48F1C2}.exe

Filesize
60KB

MD5
a80e1365e8244880c938a49d7b4ef401

SHA1
97500c6f340bea8e46294b0d117a1ccb1582cac3

SHA256
340f726f28239825c90c486d3f46846e6d38022f0ce5a612adc895d793f9750d

SHA512
31f313475392e1741888e386826d6ccca26d78ef656c7840d1acccd9c356b584db86ea38948132ee8506d4f2dafa058c9bfcdb8a5535587af92cc60313309a06

Download Submit
C:\Windows\{A2868CEA-C18E-4860-B729-B81BA940B5B7}.exe

Filesize
60KB

MD5
404c00f81f1631773831dace88144d11

SHA1
d647c563b0cf446acf822b0f635ed4add9ddccd1

SHA256
cbfe36848a25cde42b337d82ff4be4c96c553ba82d20ffeacf7ba6395db0e996

SHA512
70c7f8f95f86d02d4fb7f17e6767bf46eaa57ac0c989c19b48a9ca24ba0e3714b8c85a8805288a11f4ba06317131d72adc27d57e6cfeaace079a7f4f9f1d07f5

Download Submit
C:\Windows\{AEB1843E-DEED-4816-AED9-40447A63711F}.exe

Filesize
60KB

MD5
1fcf7a52bf3ed91b7c9f27320141fb65

SHA1
4860f624072b5d9f73512b7a5ee8a96b53bad885

SHA256
4f5a9e1b6d711ac6f580c62a17033999180fcd7c08fa3b5885f751e9b06e22a9

SHA512
0b29216b790bdf0fd26006ee9939d2cfa26eaf4a7ce52c83f5e16d28dd308acddb199f43726cbe15b09026c1957c67e64b190aaf3526329025e48a41774aea6c

Download Submit
C:\Windows\{B01A65D3-D3BD-4d9d-9018-FD7021689747}.exe

Filesize
60KB

MD5
a79010cc67cffc8c452d2bd0a8682590

SHA1
91169da9fa5637726b06f34731f0f6143a6de1a5

SHA256
ef6a318b1953c1100225bdb9b5ecb122444545e654489004f73b725f03deecbf

SHA512
9b5618a44abcee9122012f6577dc64b6277e110898d0d01cf1c50d12d44d2873a11d195bb09f0a76898867f24b439e8ecd406efb2336687e153d9e47c4b351c6

Download Submit
C:\Windows\{D4135090-556F-4609-9AAE-3D18D422E7C6}.exe

Filesize
60KB

MD5
37dfbefe688a7440011717e21da35320

SHA1
a77779c51f7db7681a9b32cc6043359b8e866760

SHA256
e31f25e5c0ec521b79cb115ae734ccddd1a5a9255e7e411d95e588957ba11897

SHA512
a55216786a67930489633474fb1c497e2b99a8e9ae459a82f647a136d0e6a300d1b349ea070d9ca9f4683dc35cbdcbac7d172a684ce15f1068d31368641d0908

Download Submit
C:\Windows\{E5B81B1E-187C-47a2-8DB6-5E8EC20CC79D}.exe

Filesize
60KB

MD5
4ea1ebae5cfc32bdba78f7ccd468d9a8

SHA1
8a60c4c13358f03b087a6b18f89988663f29643a

SHA256
edca958f0dfc943b812142996c2ac29100241ba6eecb9c0b3384970320779350

SHA512
291c269d415048751a2d22e18224f27b7327be8a3a504439ef1a9181e935880f7ebafcabdb95813fc7534d26372786624ccb78ea2a6bce1f222f931cf2e95f47

Download Submit
C:\Windows\{FE861C1D-D697-4c08-86D3-D27921773FAA}.exe

Filesize
60KB

MD5
f5ed5bbc7ec96c8b7c0c1cce6bb78fc7

SHA1
0a6769c10a0fde7d0d5ffd3dbb14e48dce42dffa

SHA256
6fc6e75ced4f244f53c3c27c8abcfde26ed69d5a88e82b2dc952e4471fd07379

SHA512
d9399b2cb793556728bfa40112053d659bcc93de58f927ab2094257ae7c2b627426f909673a923299e94efce1fbab11409377a055e01d81b881f66cc1bec64f9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads