0633dfca2eb45694056fc913bad4bcd2493e8dc4b411be57b2e51ce3bccce78a

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

901135b6ae30718829bd5808db1151b0N.exe
Size

89KB
MD5

901135b6ae30718829bd5808db1151b0
SHA1

9e0b82b7683be33a737890b3b566c70974ed74aa
SHA256

0633dfca2eb45694056fc913bad4bcd2493e8dc4b411be57b2e51ce3bccce78a
SHA512

89927add284defece492475e7d91ce2dcb33bfe20ca2665a5be5a8faa11249b1ae29b62060adf91469b08d2192a8041cd3815bc104c20de97a37f114d19ff36b
SSDEEP

768:5vw9816thKQLrol4/wQkNrfrunMxVFA3k:lEG/0ollbunMxVS3k

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}	{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A7E12DE-0F46-4bac-8EFA-CA889B109544}	{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D74860D-FC5C-4efa-BF67-B04D36410670}\stubpath = "C:\\Windows\\{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe"	{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}\stubpath = "C:\\Windows\\{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe"	{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F527B67F-F72D-44f4-992E-CEA95724DFAF}\stubpath = "C:\\Windows\\{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe"	{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1D1A128-1079-4f18-8F50-1B427E0D0D3E}\stubpath = "C:\\Windows\\{E1D1A128-1079-4f18-8F50-1B427E0D0D3E}.exe"	{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}	{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}\stubpath = "C:\\Windows\\{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe"	901135b6ae30718829bd5808db1151b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58B93C18-1A9F-4bba-B2A4-A92179A507A4}	{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58B93C18-1A9F-4bba-B2A4-A92179A507A4}\stubpath = "C:\\Windows\\{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe"	{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D74860D-FC5C-4efa-BF67-B04D36410670}	{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}\stubpath = "C:\\Windows\\{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe"	{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F527B67F-F72D-44f4-992E-CEA95724DFAF}	{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A7E12DE-0F46-4bac-8EFA-CA889B109544}\stubpath = "C:\\Windows\\{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe"	{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}	901135b6ae30718829bd5808db1151b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D842C83E-88D7-484b-B1FE-27FAEF0B4391}	{E1D1A128-1079-4f18-8F50-1B427E0D0D3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D842C83E-88D7-484b-B1FE-27FAEF0B4391}\stubpath = "C:\\Windows\\{D842C83E-88D7-484b-B1FE-27FAEF0B4391}.exe"	{E1D1A128-1079-4f18-8F50-1B427E0D0D3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1D1A128-1079-4f18-8F50-1B427E0D0D3E}	{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2676	{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe
2548	{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe
2816	{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe
2584	{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe
2280	{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe
2852	{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe
2208	{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe
2112	{E1D1A128-1079-4f18-8F50-1B427E0D0D3E}.exe
1188	{D842C83E-88D7-484b-B1FE-27FAEF0B4391}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe	{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe
File created	C:\Windows\{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe	{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe
File created	C:\Windows\{E1D1A128-1079-4f18-8F50-1B427E0D0D3E}.exe	{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe
File created	C:\Windows\{D842C83E-88D7-484b-B1FE-27FAEF0B4391}.exe	{E1D1A128-1079-4f18-8F50-1B427E0D0D3E}.exe
File created	C:\Windows\{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe	901135b6ae30718829bd5808db1151b0N.exe
File created	C:\Windows\{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe	{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe
File created	C:\Windows\{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe	{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe
File created	C:\Windows\{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe	{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe
File created	C:\Windows\{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe	{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	901135b6ae30718829bd5808db1151b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D842C83E-88D7-484b-B1FE-27FAEF0B4391}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E1D1A128-1079-4f18-8F50-1B427E0D0D3E}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2692	901135b6ae30718829bd5808db1151b0N.exe
Token: SeIncBasePriorityPrivilege	2676	{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe
Token: SeIncBasePriorityPrivilege	2548	{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe
Token: SeIncBasePriorityPrivilege	2816	{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe
Token: SeIncBasePriorityPrivilege	2584	{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe
Token: SeIncBasePriorityPrivilege	2280	{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe
Token: SeIncBasePriorityPrivilege	2852	{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe
Token: SeIncBasePriorityPrivilege	2208	{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe
Token: SeIncBasePriorityPrivilege	2112	{E1D1A128-1079-4f18-8F50-1B427E0D0D3E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2676	2692	901135b6ae30718829bd5808db1151b0N.exe	31
PID 2692 wrote to memory of 2676	2692	901135b6ae30718829bd5808db1151b0N.exe	31
PID 2692 wrote to memory of 2676	2692	901135b6ae30718829bd5808db1151b0N.exe	31
PID 2692 wrote to memory of 2676	2692	901135b6ae30718829bd5808db1151b0N.exe	31
PID 2692 wrote to memory of 2704	2692	901135b6ae30718829bd5808db1151b0N.exe	32
PID 2692 wrote to memory of 2704	2692	901135b6ae30718829bd5808db1151b0N.exe	32
PID 2692 wrote to memory of 2704	2692	901135b6ae30718829bd5808db1151b0N.exe	32
PID 2692 wrote to memory of 2704	2692	901135b6ae30718829bd5808db1151b0N.exe	32
PID 2676 wrote to memory of 2548	2676	{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe	33
PID 2676 wrote to memory of 2548	2676	{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe	33
PID 2676 wrote to memory of 2548	2676	{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe	33
PID 2676 wrote to memory of 2548	2676	{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe	33
PID 2676 wrote to memory of 2608	2676	{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe	34
PID 2676 wrote to memory of 2608	2676	{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe	34
PID 2676 wrote to memory of 2608	2676	{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe	34
PID 2676 wrote to memory of 2608	2676	{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe	34
PID 2548 wrote to memory of 2816	2548	{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe	35
PID 2548 wrote to memory of 2816	2548	{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe	35
PID 2548 wrote to memory of 2816	2548	{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe	35
PID 2548 wrote to memory of 2816	2548	{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe	35
PID 2548 wrote to memory of 2920	2548	{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe	36
PID 2548 wrote to memory of 2920	2548	{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe	36
PID 2548 wrote to memory of 2920	2548	{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe	36
PID 2548 wrote to memory of 2920	2548	{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe	36
PID 2816 wrote to memory of 2584	2816	{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe	37
PID 2816 wrote to memory of 2584	2816	{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe	37
PID 2816 wrote to memory of 2584	2816	{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe	37
PID 2816 wrote to memory of 2584	2816	{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe	37
PID 2816 wrote to memory of 2060	2816	{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe	38
PID 2816 wrote to memory of 2060	2816	{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe	38
PID 2816 wrote to memory of 2060	2816	{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe	38
PID 2816 wrote to memory of 2060	2816	{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe	38
PID 2584 wrote to memory of 2280	2584	{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe	39
PID 2584 wrote to memory of 2280	2584	{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe	39
PID 2584 wrote to memory of 2280	2584	{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe	39
PID 2584 wrote to memory of 2280	2584	{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe	39
PID 2584 wrote to memory of 2728	2584	{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe	40
PID 2584 wrote to memory of 2728	2584	{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe	40
PID 2584 wrote to memory of 2728	2584	{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe	40
PID 2584 wrote to memory of 2728	2584	{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe	40
PID 2280 wrote to memory of 2852	2280	{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe	41
PID 2280 wrote to memory of 2852	2280	{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe	41
PID 2280 wrote to memory of 2852	2280	{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe	41
PID 2280 wrote to memory of 2852	2280	{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe	41
PID 2280 wrote to memory of 2916	2280	{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe	42
PID 2280 wrote to memory of 2916	2280	{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe	42
PID 2280 wrote to memory of 2916	2280	{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe	42
PID 2280 wrote to memory of 2916	2280	{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe	42
PID 2852 wrote to memory of 2208	2852	{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe	44
PID 2852 wrote to memory of 2208	2852	{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe	44
PID 2852 wrote to memory of 2208	2852	{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe	44
PID 2852 wrote to memory of 2208	2852	{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe	44
PID 2852 wrote to memory of 1948	2852	{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe	45
PID 2852 wrote to memory of 1948	2852	{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe	45
PID 2852 wrote to memory of 1948	2852	{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe	45
PID 2852 wrote to memory of 1948	2852	{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe	45
PID 2208 wrote to memory of 2112	2208	{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe	46
PID 2208 wrote to memory of 2112	2208	{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe	46
PID 2208 wrote to memory of 2112	2208	{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe	46
PID 2208 wrote to memory of 2112	2208	{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe	46
PID 2208 wrote to memory of 2416	2208	{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe	47
PID 2208 wrote to memory of 2416	2208	{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe	47
PID 2208 wrote to memory of 2416	2208	{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe	47
PID 2208 wrote to memory of 2416	2208	{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe	47

C:\Users\Admin\AppData\Local\Temp\901135b6ae30718829bd5808db1151b0N.exe
"C:\Users\Admin\AppData\Local\Temp\901135b6ae30718829bd5808db1151b0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe
  C:\Windows\{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe
    C:\Windows\{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe
      C:\Windows\{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe
        
        C:\Windows\{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe
        
        C:\Windows\{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe
        
        C:\Windows\{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe
        
        C:\Windows\{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\{E1D1A128-1079-4f18-8F50-1B427E0D0D3E}.exe
        
        C:\Windows\{E1D1A128-1079-4f18-8F50-1B427E0D0D3E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\{D842C83E-88D7-484b-B1FE-27FAEF0B4391}.exe
        
        C:\Windows\{D842C83E-88D7-484b-B1FE-27FAEF0B4391}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1D1A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A7E1~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F527B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{714F5~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22DBC~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D748~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{58B93~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0F64A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\901135~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F64A2B7-EEF7-48f5-BA12-8CD1D9D6075C}.exe

Filesize
89KB

MD5
e7c94dc0c5646437705bcb50bdb84c06

SHA1
e0cda50848d2be76f31b67b9d08045d59cf4aa48

SHA256
0bc0fde06cc69c019d9742d44670fbcd707521b65ca9262f232414f92a859199

SHA512
1af420ccce7870827b653df283e2fc793d51f4652fe339e986df5f5364a5eda8f0fb2c6bd3a5bc2efa4792d7bd16f2b537249a72f3d4d8a7cb4088a0c33d4096

Download Submit
C:\Windows\{22DBC14B-2AB5-4fad-AB00-0FAC24FBEC87}.exe

Filesize
89KB

MD5
3aceb1af0ff321b3be03babafd34c8d8

SHA1
ad8c420609ae81b89e461bb4191458ee9f660fba

SHA256
1b4acb32941c0d1f7a79757966b83186e7a8d8269e4642bd5fc0f65c0147bac0

SHA512
1ceb294e0b379129081c4daf84e88a8e8a621676f388425579bd36861a119fe1efcdaeae876408eea43e4a5f25d8466856da820b60c854e302e5db1fff5cd6ba

Download Submit
C:\Windows\{58B93C18-1A9F-4bba-B2A4-A92179A507A4}.exe

Filesize
89KB

MD5
b5128a0286d648e30fd84a25bb86a93d

SHA1
5316213ed7a8aa6bc42cd31277684bd2e5fea39d

SHA256
44f7d3937b76da13c4af1df996f5c633c74a7ec5800bd321897aaca088de450a

SHA512
c24073954fbf5ea954e96c066cc9e3e8abafff4cdca2946ff971a750b432e8bd2706fb8f54d373f2854079e07b4db1a0396cb3f982f71f826f7631d94fdd97a7

Download Submit
C:\Windows\{714F5AFD-53B4-4f6d-82E2-268BEBE4BDD7}.exe

Filesize
89KB

MD5
caee3eff60f0248350f0e3c72084a803

SHA1
b7b9433adda80bf9da5ccdd230e735850f7d6f82

SHA256
02c2017736e9c7df3688b5d518098d03f5d2614aeca656996b788b9e1b211554

SHA512
7ca467b2f0c2cd5aa1f0c001d77319df0a632d6afbfa971498cb18b7f9a086eb37dabb311a146c9fe2ae1f07914cdc0d480ccf43bd46e8a29157c968c163175e

Download Submit
C:\Windows\{8A7E12DE-0F46-4bac-8EFA-CA889B109544}.exe

Filesize
89KB

MD5
a58b1b0226d9756cba16674b970f68ca

SHA1
61ff231383fcf93b01d6629173f0ebb6a3563764

SHA256
360191d58271f3ff092c20e751ba1dd9169c48662f03e2f992065f37bbb6d257

SHA512
561de50e88a8eca6cc2fdc2fb3dec179e7a422254e51bb1d8dff83fe741d65a258fa374b4726000582e01f9120c3d55f83e61c3ef06df6432a7ee4bb0b602281

Download Submit
C:\Windows\{8D74860D-FC5C-4efa-BF67-B04D36410670}.exe

Filesize
89KB

MD5
4561201139e73c0134bfaebd29502b4a

SHA1
c2512477409ee3d95b236ec2512881a06cb486ea

SHA256
9e84b6b79791e465c38cc6850a1286e6644842cd8be2d0aec3eae15417ac6cd7

SHA512
8c218afc0b015e49c3ffb4f75ebab60d6e2b7a14b9e5676566aae7e5451d92774330ee4318b9b7897167275f2023e7ba9fdcdc79f3fa52cd07c0b39bfe951811

Download Submit
C:\Windows\{D842C83E-88D7-484b-B1FE-27FAEF0B4391}.exe

Filesize
89KB

MD5
3c574ffabebd623e110fd1770db33673

SHA1
a42d69ec8ac7d0b251cfbbdc032a8ea1335f562d

SHA256
3e4882d1c6a912fcee645441f3c00c23fad9ee823adc8d333ecdb0f66ccf90e3

SHA512
17ad82fb3d525c10e80e1b88becfccfaa85525525c1997e5888f88971215785a68f9a6a8d832a020f9af5973333b233b4eb1b6b9c7b81376e2f2fc1f6756cf1f

Download Submit
C:\Windows\{E1D1A128-1079-4f18-8F50-1B427E0D0D3E}.exe

Filesize
89KB

MD5
914f0f48e5c97bf47dde32908fd8843f

SHA1
5e8361b70a41e00f19523081a5f70727b4229e88

SHA256
c14c81eff5fdb452d27e3fa7484087b82696db0060ca4794b196863dbba90a64

SHA512
273990b4b6414b7efa756ff1aeebc7f506d70d47d1993ace1e937d49acd175eb79bab09f73717920f83458a2863f20d1044f7eccde2da123f226575c0d105636

Download Submit
C:\Windows\{F527B67F-F72D-44f4-992E-CEA95724DFAF}.exe

Filesize
89KB

MD5
024b19a01ec3368af3aed37a015f67d4

SHA1
527780fea34e8824610a3333478ec14061d49824

SHA256
3b6233dbf70b9b40b2fefc9dd5769d40faa48ab3e34f20888557fe9c51d790de

SHA512
4bed02b71663a7a1b7874d198162eb29e2c551db60b32766a04b0c6760008cf14fb34b093d90d53be4013c8834ca9927c3c237aea97ed81f19eb4267b4601c5d

Download Submit
memory/2112-85-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download
memory/2112-86-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2112-81-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download
memory/2208-72-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2208-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2280-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2280-54-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2548-21-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2548-24-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/2548-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2584-44-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/2584-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2676-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2676-15-0x00000000005E0000-0x00000000005F1000-memory.dmp

Filesize
68KB

Download
memory/2676-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2676-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2692-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2692-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2692-4-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2692-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2816-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2816-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2816-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2816-35-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2852-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2852-62-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads