0633dfca2eb45694056fc913bad4bcd2493e8dc4b411be57b2e51ce3bccce78a

Analysis

max time kernel
118s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

901135b6ae30718829bd5808db1151b0N.exe
Size

89KB
MD5

901135b6ae30718829bd5808db1151b0
SHA1

9e0b82b7683be33a737890b3b566c70974ed74aa
SHA256

0633dfca2eb45694056fc913bad4bcd2493e8dc4b411be57b2e51ce3bccce78a
SHA512

89927add284defece492475e7d91ce2dcb33bfe20ca2665a5be5a8faa11249b1ae29b62060adf91469b08d2192a8041cd3815bc104c20de97a37f114d19ff36b
SSDEEP

768:5vw9816thKQLrol4/wQkNrfrunMxVFA3k:lEG/0ollbunMxVS3k

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF44F53B-45DF-4bd2-8411-84657E01D3A4}	{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29583405-E666-426f-8C17-3057F48645C7}\stubpath = "C:\\Windows\\{29583405-E666-426f-8C17-3057F48645C7}.exe"	{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}\stubpath = "C:\\Windows\\{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe"	{29583405-E666-426f-8C17-3057F48645C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}	{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A993997E-D738-47ea-A8DD-1DE3A4267B66}	{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}	{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}\stubpath = "C:\\Windows\\{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe"	{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}	{29583405-E666-426f-8C17-3057F48645C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C428E05-1BB4-471e-8F41-A15562DF1714}\stubpath = "C:\\Windows\\{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe"	901135b6ae30718829bd5808db1151b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}	{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29583405-E666-426f-8C17-3057F48645C7}	{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C428E05-1BB4-471e-8F41-A15562DF1714}	901135b6ae30718829bd5808db1151b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF44F53B-45DF-4bd2-8411-84657E01D3A4}\stubpath = "C:\\Windows\\{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe"	{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}\stubpath = "C:\\Windows\\{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe"	{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A2B0EB1-F1F3-4c8e-97BA-64EC1D7EACED}	{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A2B0EB1-F1F3-4c8e-97BA-64EC1D7EACED}\stubpath = "C:\\Windows\\{4A2B0EB1-F1F3-4c8e-97BA-64EC1D7EACED}.exe"	{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A993997E-D738-47ea-A8DD-1DE3A4267B66}\stubpath = "C:\\Windows\\{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe"	{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}\stubpath = "C:\\Windows\\{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe"	{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe

Executes dropped EXE 9 IoCs

pid	Process
2888	{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe
5052	{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe
1144	{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe
1192	{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe
2012	{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe
2080	{29583405-E666-426f-8C17-3057F48645C7}.exe
3224	{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe
4408	{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe
1972	{4A2B0EB1-F1F3-4c8e-97BA-64EC1D7EACED}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe	901135b6ae30718829bd5808db1151b0N.exe
File created	C:\Windows\{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe	{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe
File created	C:\Windows\{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe	{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe
File created	C:\Windows\{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe	{29583405-E666-426f-8C17-3057F48645C7}.exe
File created	C:\Windows\{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe	{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe
File created	C:\Windows\{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe	{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe
File created	C:\Windows\{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe	{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe
File created	C:\Windows\{29583405-E666-426f-8C17-3057F48645C7}.exe	{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe
File created	C:\Windows\{4A2B0EB1-F1F3-4c8e-97BA-64EC1D7EACED}.exe	{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A2B0EB1-F1F3-4c8e-97BA-64EC1D7EACED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	901135b6ae30718829bd5808db1151b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29583405-E666-426f-8C17-3057F48645C7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4832	901135b6ae30718829bd5808db1151b0N.exe
Token: SeIncBasePriorityPrivilege	2888	{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe
Token: SeIncBasePriorityPrivilege	5052	{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe
Token: SeIncBasePriorityPrivilege	1144	{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe
Token: SeIncBasePriorityPrivilege	1192	{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe
Token: SeIncBasePriorityPrivilege	2012	{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe
Token: SeIncBasePriorityPrivilege	2080	{29583405-E666-426f-8C17-3057F48645C7}.exe
Token: SeIncBasePriorityPrivilege	3224	{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe
Token: SeIncBasePriorityPrivilege	4408	{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 2888	4832	901135b6ae30718829bd5808db1151b0N.exe	93
PID 4832 wrote to memory of 2888	4832	901135b6ae30718829bd5808db1151b0N.exe	93
PID 4832 wrote to memory of 2888	4832	901135b6ae30718829bd5808db1151b0N.exe	93
PID 4832 wrote to memory of 1640	4832	901135b6ae30718829bd5808db1151b0N.exe	94
PID 4832 wrote to memory of 1640	4832	901135b6ae30718829bd5808db1151b0N.exe	94
PID 4832 wrote to memory of 1640	4832	901135b6ae30718829bd5808db1151b0N.exe	94
PID 2888 wrote to memory of 5052	2888	{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe	95
PID 2888 wrote to memory of 5052	2888	{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe	95
PID 2888 wrote to memory of 5052	2888	{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe	95
PID 2888 wrote to memory of 5088	2888	{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe	96
PID 2888 wrote to memory of 5088	2888	{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe	96
PID 2888 wrote to memory of 5088	2888	{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe	96
PID 5052 wrote to memory of 1144	5052	{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe	99
PID 5052 wrote to memory of 1144	5052	{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe	99
PID 5052 wrote to memory of 1144	5052	{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe	99
PID 5052 wrote to memory of 2576	5052	{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe	100
PID 5052 wrote to memory of 2576	5052	{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe	100
PID 5052 wrote to memory of 2576	5052	{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe	100
PID 1144 wrote to memory of 1192	1144	{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe	101
PID 1144 wrote to memory of 1192	1144	{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe	101
PID 1144 wrote to memory of 1192	1144	{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe	101
PID 1144 wrote to memory of 4876	1144	{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe	102
PID 1144 wrote to memory of 4876	1144	{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe	102
PID 1144 wrote to memory of 4876	1144	{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe	102
PID 1192 wrote to memory of 2012	1192	{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe	103
PID 1192 wrote to memory of 2012	1192	{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe	103
PID 1192 wrote to memory of 2012	1192	{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe	103
PID 1192 wrote to memory of 4020	1192	{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe	104
PID 1192 wrote to memory of 4020	1192	{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe	104
PID 1192 wrote to memory of 4020	1192	{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe	104
PID 2012 wrote to memory of 2080	2012	{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe	105
PID 2012 wrote to memory of 2080	2012	{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe	105
PID 2012 wrote to memory of 2080	2012	{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe	105
PID 2012 wrote to memory of 396	2012	{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe	106
PID 2012 wrote to memory of 396	2012	{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe	106
PID 2012 wrote to memory of 396	2012	{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe	106
PID 2080 wrote to memory of 3224	2080	{29583405-E666-426f-8C17-3057F48645C7}.exe	107
PID 2080 wrote to memory of 3224	2080	{29583405-E666-426f-8C17-3057F48645C7}.exe	107
PID 2080 wrote to memory of 3224	2080	{29583405-E666-426f-8C17-3057F48645C7}.exe	107
PID 2080 wrote to memory of 4840	2080	{29583405-E666-426f-8C17-3057F48645C7}.exe	108
PID 2080 wrote to memory of 4840	2080	{29583405-E666-426f-8C17-3057F48645C7}.exe	108
PID 2080 wrote to memory of 4840	2080	{29583405-E666-426f-8C17-3057F48645C7}.exe	108
PID 3224 wrote to memory of 4408	3224	{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe	109
PID 3224 wrote to memory of 4408	3224	{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe	109
PID 3224 wrote to memory of 4408	3224	{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe	109
PID 3224 wrote to memory of 4852	3224	{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe	110
PID 3224 wrote to memory of 4852	3224	{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe	110
PID 3224 wrote to memory of 4852	3224	{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe	110
PID 4408 wrote to memory of 1972	4408	{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe	111
PID 4408 wrote to memory of 1972	4408	{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe	111
PID 4408 wrote to memory of 1972	4408	{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe	111
PID 4408 wrote to memory of 2132	4408	{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe	112
PID 4408 wrote to memory of 2132	4408	{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe	112
PID 4408 wrote to memory of 2132	4408	{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe	112

C:\Users\Admin\AppData\Local\Temp\901135b6ae30718829bd5808db1151b0N.exe
"C:\Users\Admin\AppData\Local\Temp\901135b6ae30718829bd5808db1151b0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe
  C:\Windows\{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe
    C:\Windows\{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Windows\{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe
      C:\Windows\{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1144
    - - C:\Windows\{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe
        
        C:\Windows\{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1192
      - C:\Windows\{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe
        
        C:\Windows\{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\{29583405-E666-426f-8C17-3057F48645C7}.exe
        
        C:\Windows\{29583405-E666-426f-8C17-3057F48645C7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe
        
        C:\Windows\{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe
        
        C:\Windows\{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\{4A2B0EB1-F1F3-4c8e-97BA-64EC1D7EACED}.exe
        
        C:\Windows\{4A2B0EB1-F1F3-4c8e-97BA-64EC1D7EACED}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CF64~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B09F2~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29583~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF44F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA73D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C772~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A9939~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2C428~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\901135~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CF64F99-71E4-41e3-B19C-7DBFAE2213A3}.exe

Filesize
89KB

MD5
66708bcc23cb2f15305588ece14fb18e

SHA1
7a43630add943a44e4fc603ffc9dce183ab5c7cd

SHA256
5766037938d08a0561f7d3a9013e32a8080ee73cc86d7292ec65f516533de362

SHA512
3e1d46171c13439f616ce8ee3083027f59a909de859919fa6cc8b459389ec6a3e831a50673495a0f5cf7b30564723bf9fbb24cf44de0546e547a782a0a589a86

Download Submit
C:\Windows\{29583405-E666-426f-8C17-3057F48645C7}.exe

Filesize
89KB

MD5
5a1d1309421680456dc33bb86c869a5a

SHA1
78d77463e8daaa534269ec600d8c43236355939b

SHA256
72e9b88068c753086a584b9b58fe61c4f39b5694a3fa738ed7e91471f19a9357

SHA512
aac5757d795618068697a453481e61f1645431a31f2048690d70af9b2154c1cf5e1c0c3cb185b3fe74435b0b7e3106db9a92bc6d97fece31c5e5b8d184d59d9e

Download Submit
C:\Windows\{2C428E05-1BB4-471e-8F41-A15562DF1714}.exe

Filesize
89KB

MD5
a43c24ed69ce603ffe7e511a3c2819a1

SHA1
1aa28e15c9cbaa99d1644f7c3c04fe40e19909d5

SHA256
ec2c7d14b923726c9b6254459b7793db4135cb0821ed5796e724c3608e2f6337

SHA512
d38da369b921708737330204d27202a5134b4a56acba68ef97f5b4a9eac0c5de62584d6ddf71d7645c4921c4dabd105f01085745946532f1ad0615a1b8756d9d

Download Submit
C:\Windows\{4A2B0EB1-F1F3-4c8e-97BA-64EC1D7EACED}.exe

Filesize
89KB

MD5
7d2cbc5a4b5683779d20eb09624212d3

SHA1
a79cbf41263d8474b7a958d0b7421a669b284314

SHA256
029e7d5f3ee19a91f2c9c878bf10587bdb6a88ae14265f78abdf247f8b291266

SHA512
45e74a6a7f26606208e4f88f492771a4da095e8357d051ee2eaff87caece686c1d8dcae83df35b921e743918bd39a25b7579d8a45971e7d26b048f3c6b0977fd

Download Submit
C:\Windows\{9C77202F-3DE5-4803-89F1-0A71D65FC5C1}.exe

Filesize
89KB

MD5
63ddf836338b9f0ff7abb0f863ed0458

SHA1
2a75fc4396a898e219f5de9306b0c5c93e6c2164

SHA256
b8891c13b315be23c8e8ce3f6447be0192a08712a8825b85b28e433d90ba304a

SHA512
28b1416418fc3eaaa06cf7341a96c274c25e4664cc31dd88eea69dfd07d72f3be3d76c976dc2a71692929d851df4d1f8323b2e151c3d07394a04dc86da628f59

Download Submit
C:\Windows\{A993997E-D738-47ea-A8DD-1DE3A4267B66}.exe

Filesize
89KB

MD5
5f3230903aaf6b0b06011a67c24ace7e

SHA1
624d061450a70bc55abd33a891eeafb09bb81719

SHA256
e574213e000b8087f04fef394a5b585578be4ffef106138fa4a4ecf691be2244

SHA512
37cf96303e014c8d62ae236697688c617f7d3f1f99bc8550fbbdeb8383392eb8d8fde18d5f5c80250d4f10ac593311fe406fd88830baae94d56b93f946b13f62

Download Submit
C:\Windows\{AF44F53B-45DF-4bd2-8411-84657E01D3A4}.exe

Filesize
89KB

MD5
42f3e2719ac55b3b972b9ebe0dd180bb

SHA1
18ac52a0569dc59813d5c8de3c845df3e5af06b7

SHA256
d82e7878c52afbbb71e1be8894bb0802047462a23d1e106b57766ce2df6abdaf

SHA512
39404f235e6b2279127e0d152058f19cc586c6e700b48f286e87aca626e8cf7348ef9deca88ae334d6070136b3b7511c1cd1c87bfbe5c634368c3c97bae47085

Download Submit
C:\Windows\{B09F2F9C-C840-45b6-BF9C-3F76E2D4428B}.exe

Filesize
89KB

MD5
306de3826aa654e714ff75cfc3532ebd

SHA1
e9843da4c9ae864ac6684c54ce4209d7ca56ee2b

SHA256
198ed97a1970ad8e5d5e980504a19254b23e15876a8a041ac74beb5a0d8c26f1

SHA512
e18683835261d0968b06c91b5b7a946fffef955890a48c563c3a2b4cd420a42bdbc14979be8925b9455fa4f0f655caba287531a5da64ee50d84894619ba4b9e9

Download Submit
C:\Windows\{EA73D826-DEE5-4f0a-9A33-9AA27F19311A}.exe

Filesize
89KB

MD5
a9c58804a836752a94140d5124a9b35f

SHA1
1d8702565286a9796dfacb27a1f6a2267b87064a

SHA256
ebbc28649254f9c8d1186ca6be573f892bd8011cc77d441adc514608c2e1fe35

SHA512
dcb8b3f025c05863957a6f39ec88024e34668b3defb4a431cbb46c3e04dc436bc6202a1b6cf25966530057a5352e5a1ed341cc26b16a370c2f1bd06a2b49713f

Download Submit
memory/1144-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1144-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1192-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1192-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1972-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2012-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2012-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2080-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2080-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2888-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2888-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2888-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3224-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3224-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4408-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4408-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4832-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4832-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4832-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5052-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5052-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads