c6578de95df5f9c03987e5780543b4c10ca1235bfe304bce9f01cc4c2e9d26eb

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03d01744fec2852ae75a0ed49292ec40N.exe
Size

76KB
MD5

03d01744fec2852ae75a0ed49292ec40
SHA1

8ff036840927a847b31a2212dc455ac52629cf21
SHA256

c6578de95df5f9c03987e5780543b4c10ca1235bfe304bce9f01cc4c2e9d26eb
SHA512

c53460563f8aec06b8b3b34f5007cb93a69bd1085d7ab0c5ea0501840cba7c2ef61994b8caeeccfb5cdb32720a2a3298a0f42c96850c83f0953801323254b49c
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLrok4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwU1:vvw9816vhKQLrok4/wQRNrfrunMxVD

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D25B781-5C2D-44fa-A1E4-BF45C2535154}	{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}	{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD2A63FB-7C4F-486f-B52E-2054F30323A8}\stubpath = "C:\\Windows\\{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe"	{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}	{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}	{024D459B-7801-42e6-9257-FD1B626D01CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}	03d01744fec2852ae75a0ed49292ec40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D25B781-5C2D-44fa-A1E4-BF45C2535154}\stubpath = "C:\\Windows\\{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe"	{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}\stubpath = "C:\\Windows\\{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe"	{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD2A63FB-7C4F-486f-B52E-2054F30323A8}	{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6A04355-0F06-4d2c-9D59-C7DED9EF9DFB}	{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6A04355-0F06-4d2c-9D59-C7DED9EF9DFB}\stubpath = "C:\\Windows\\{A6A04355-0F06-4d2c-9D59-C7DED9EF9DFB}.exe"	{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CB71EB5-99A4-45b0-80E8-68074E5219BA}\stubpath = "C:\\Windows\\{3CB71EB5-99A4-45b0-80E8-68074E5219BA}.exe"	{A6A04355-0F06-4d2c-9D59-C7DED9EF9DFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{024D459B-7801-42e6-9257-FD1B626D01CE}\stubpath = "C:\\Windows\\{024D459B-7801-42e6-9257-FD1B626D01CE}.exe"	{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}\stubpath = "C:\\Windows\\{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe"	{024D459B-7801-42e6-9257-FD1B626D01CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}\stubpath = "C:\\Windows\\{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe"	03d01744fec2852ae75a0ed49292ec40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}\stubpath = "C:\\Windows\\{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe"	{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{024D459B-7801-42e6-9257-FD1B626D01CE}	{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CB71EB5-99A4-45b0-80E8-68074E5219BA}	{A6A04355-0F06-4d2c-9D59-C7DED9EF9DFB}.exe

Deletes itself 1 IoCs

pid	Process
2588	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2440	{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe
2952	{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe
2612	{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe
2608	{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe
2860	{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe
2548	{024D459B-7801-42e6-9257-FD1B626D01CE}.exe
2280	{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe
536	{A6A04355-0F06-4d2c-9D59-C7DED9EF9DFB}.exe
2028	{3CB71EB5-99A4-45b0-80E8-68074E5219BA}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe	{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe
File created	C:\Windows\{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe	{024D459B-7801-42e6-9257-FD1B626D01CE}.exe
File created	C:\Windows\{3CB71EB5-99A4-45b0-80E8-68074E5219BA}.exe	{A6A04355-0F06-4d2c-9D59-C7DED9EF9DFB}.exe
File created	C:\Windows\{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe	03d01744fec2852ae75a0ed49292ec40N.exe
File created	C:\Windows\{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe	{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe
File created	C:\Windows\{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe	{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe
File created	C:\Windows\{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe	{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe
File created	C:\Windows\{024D459B-7801-42e6-9257-FD1B626D01CE}.exe	{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe
File created	C:\Windows\{A6A04355-0F06-4d2c-9D59-C7DED9EF9DFB}.exe	{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03d01744fec2852ae75a0ed49292ec40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{024D459B-7801-42e6-9257-FD1B626D01CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A6A04355-0F06-4d2c-9D59-C7DED9EF9DFB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3CB71EB5-99A4-45b0-80E8-68074E5219BA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	848	03d01744fec2852ae75a0ed49292ec40N.exe
Token: SeIncBasePriorityPrivilege	2440	{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe
Token: SeIncBasePriorityPrivilege	2952	{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe
Token: SeIncBasePriorityPrivilege	2612	{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe
Token: SeIncBasePriorityPrivilege	2608	{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe
Token: SeIncBasePriorityPrivilege	2860	{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe
Token: SeIncBasePriorityPrivilege	2548	{024D459B-7801-42e6-9257-FD1B626D01CE}.exe
Token: SeIncBasePriorityPrivilege	2280	{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe
Token: SeIncBasePriorityPrivilege	536	{A6A04355-0F06-4d2c-9D59-C7DED9EF9DFB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2440	848	03d01744fec2852ae75a0ed49292ec40N.exe	28
PID 848 wrote to memory of 2440	848	03d01744fec2852ae75a0ed49292ec40N.exe	28
PID 848 wrote to memory of 2440	848	03d01744fec2852ae75a0ed49292ec40N.exe	28
PID 848 wrote to memory of 2440	848	03d01744fec2852ae75a0ed49292ec40N.exe	28
PID 848 wrote to memory of 2588	848	03d01744fec2852ae75a0ed49292ec40N.exe	29
PID 848 wrote to memory of 2588	848	03d01744fec2852ae75a0ed49292ec40N.exe	29
PID 848 wrote to memory of 2588	848	03d01744fec2852ae75a0ed49292ec40N.exe	29
PID 848 wrote to memory of 2588	848	03d01744fec2852ae75a0ed49292ec40N.exe	29
PID 2440 wrote to memory of 2952	2440	{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe	30
PID 2440 wrote to memory of 2952	2440	{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe	30
PID 2440 wrote to memory of 2952	2440	{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe	30
PID 2440 wrote to memory of 2952	2440	{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe	30
PID 2440 wrote to memory of 1136	2440	{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe	31
PID 2440 wrote to memory of 1136	2440	{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe	31
PID 2440 wrote to memory of 1136	2440	{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe	31
PID 2440 wrote to memory of 1136	2440	{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe	31
PID 2952 wrote to memory of 2612	2952	{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe	32
PID 2952 wrote to memory of 2612	2952	{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe	32
PID 2952 wrote to memory of 2612	2952	{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe	32
PID 2952 wrote to memory of 2612	2952	{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe	32
PID 2952 wrote to memory of 2660	2952	{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe	33
PID 2952 wrote to memory of 2660	2952	{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe	33
PID 2952 wrote to memory of 2660	2952	{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe	33
PID 2952 wrote to memory of 2660	2952	{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe	33
PID 2612 wrote to memory of 2608	2612	{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe	34
PID 2612 wrote to memory of 2608	2612	{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe	34
PID 2612 wrote to memory of 2608	2612	{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe	34
PID 2612 wrote to memory of 2608	2612	{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe	34
PID 2612 wrote to memory of 2512	2612	{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe	35
PID 2612 wrote to memory of 2512	2612	{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe	35
PID 2612 wrote to memory of 2512	2612	{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe	35
PID 2612 wrote to memory of 2512	2612	{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe	35
PID 2608 wrote to memory of 2860	2608	{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe	36
PID 2608 wrote to memory of 2860	2608	{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe	36
PID 2608 wrote to memory of 2860	2608	{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe	36
PID 2608 wrote to memory of 2860	2608	{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe	36
PID 2608 wrote to memory of 2640	2608	{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe	37
PID 2608 wrote to memory of 2640	2608	{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe	37
PID 2608 wrote to memory of 2640	2608	{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe	37
PID 2608 wrote to memory of 2640	2608	{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe	37
PID 2860 wrote to memory of 2548	2860	{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe	38
PID 2860 wrote to memory of 2548	2860	{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe	38
PID 2860 wrote to memory of 2548	2860	{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe	38
PID 2860 wrote to memory of 2548	2860	{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe	38
PID 2860 wrote to memory of 2672	2860	{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe	39
PID 2860 wrote to memory of 2672	2860	{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe	39
PID 2860 wrote to memory of 2672	2860	{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe	39
PID 2860 wrote to memory of 2672	2860	{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe	39
PID 2548 wrote to memory of 2280	2548	{024D459B-7801-42e6-9257-FD1B626D01CE}.exe	40
PID 2548 wrote to memory of 2280	2548	{024D459B-7801-42e6-9257-FD1B626D01CE}.exe	40
PID 2548 wrote to memory of 2280	2548	{024D459B-7801-42e6-9257-FD1B626D01CE}.exe	40
PID 2548 wrote to memory of 2280	2548	{024D459B-7801-42e6-9257-FD1B626D01CE}.exe	40
PID 2548 wrote to memory of 2772	2548	{024D459B-7801-42e6-9257-FD1B626D01CE}.exe	41
PID 2548 wrote to memory of 2772	2548	{024D459B-7801-42e6-9257-FD1B626D01CE}.exe	41
PID 2548 wrote to memory of 2772	2548	{024D459B-7801-42e6-9257-FD1B626D01CE}.exe	41
PID 2548 wrote to memory of 2772	2548	{024D459B-7801-42e6-9257-FD1B626D01CE}.exe	41
PID 2280 wrote to memory of 536	2280	{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe	42
PID 2280 wrote to memory of 536	2280	{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe	42
PID 2280 wrote to memory of 536	2280	{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe	42
PID 2280 wrote to memory of 536	2280	{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe	42
PID 2280 wrote to memory of 468	2280	{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe	43
PID 2280 wrote to memory of 468	2280	{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe	43
PID 2280 wrote to memory of 468	2280	{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe	43
PID 2280 wrote to memory of 468	2280	{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe	43

C:\Users\Admin\AppData\Local\Temp\03d01744fec2852ae75a0ed49292ec40N.exe
"C:\Users\Admin\AppData\Local\Temp\03d01744fec2852ae75a0ed49292ec40N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe
  C:\Windows\{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe
    C:\Windows\{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe
      C:\Windows\{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe
        
        C:\Windows\{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe
        
        C:\Windows\{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{024D459B-7801-42e6-9257-FD1B626D01CE}.exe
        
        C:\Windows\{024D459B-7801-42e6-9257-FD1B626D01CE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe
        
        C:\Windows\{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\{A6A04355-0F06-4d2c-9D59-C7DED9EF9DFB}.exe
        
        C:\Windows\{A6A04355-0F06-4d2c-9D59-C7DED9EF9DFB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\{3CB71EB5-99A4-45b0-80E8-68074E5219BA}.exe
        
        C:\Windows\{3CB71EB5-99A4-45b0-80E8-68074E5219BA}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6A04~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{036A8~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{024D4~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{195BF~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD2A6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E823~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7D25B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6832A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\03D017~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{024D459B-7801-42e6-9257-FD1B626D01CE}.exe

Filesize
76KB

MD5
e37c71e7f66d9fa0b126eb14605e8fb1

SHA1
ad7eee9f762638415f10ff4e613427ac76f13bd5

SHA256
769da25d3de93c4b3e6d5499b6d7cf6c035c326bd5252902ecef3d4712c5052f

SHA512
0b231dce20ba4d8e0b8b00ea2850f6f0896fbcb743dcc070f8f0bb68693c9e8e549b86130e31cd7a0569c69cc38c98cc7944d0f10e1d3d8f7e74b318a70246f7

Download Submit
C:\Windows\{036A8C69-B5DA-442b-9CE6-3AE729C5B77D}.exe

Filesize
76KB

MD5
597cba31be9aa40130d146abe80d7bef

SHA1
9ba45c0d869e521c0997a82777ff81ab2787a2bc

SHA256
a3eb1e87adf4b59f67cd8f0ac6ad67cc653b7ff40d461bf074a772b6f43b68f3

SHA512
a9215214657590ed81d883f41312add0d19a1080b13b5a37de151ffedf694bf5811b9771f076620825ec691938698658d8e5dac1f5f5c44be308ccb5de4b0227

Download Submit
C:\Windows\{195BF46C-49F8-4fc2-BA3D-5627B3B43FC3}.exe

Filesize
76KB

MD5
2deae89cedd3f6cbf7894ec341f5871e

SHA1
1755707698707bf7d116daaecab936c45c455553

SHA256
c18531dc17e7b7843c39034cfbbf3aa8bd599ddc6bab40ab7af33df8fac18dec

SHA512
7396323f9a166741404ae26216f5264609e619f9e4a3366b9c878504967a7f95dca5551398f280727faee649ff2c49c54d3addf86689444e6f811ab1e6ad7c05

Download Submit
C:\Windows\{2E823E3D-01A9-45b0-83FD-CC5C9F25775A}.exe

Filesize
76KB

MD5
20ac39955e0d4ff77bf61aabb3fcf4bc

SHA1
8417e103a753dce16c664b9661938509f7482759

SHA256
4e537c0a84eea60624caf54034b5cb3d8295dc4732ea4aced2c8075e9c72cf6e

SHA512
0a3b45e2ce93ddc9d86a185d2715679c29070b5613d0340da4d15547fe81e724a5b4bce47274d9f07761242c29eb5e4e52191d9569d4a5a6e387a36479f0c046

Download Submit
C:\Windows\{3CB71EB5-99A4-45b0-80E8-68074E5219BA}.exe

Filesize
76KB

MD5
27b49854eef9c5c92b378eaf5fe935ef

SHA1
3f129a61d17efdba291fc7b9f0abbe90f562b06a

SHA256
8f05500d82813f1b75e76f3b03754cae741347e8eea4ec40523032b65ce83dda

SHA512
9e606a9e5d5e94f4fd464b6078144c250c30dd0e60dd33e74dfff9e29c6c26b0cd819db2583543f7add85b0f379fa008fc99e3db8974374a1839acab972d964e

Download Submit
C:\Windows\{6832A1C5-F9BB-47b1-9B5B-224A23BF5A7C}.exe

Filesize
76KB

MD5
aaede7f9d037b46f56c2fbbecf1c10e4

SHA1
a76b500fe1a748f196c65882c4330035b340c150

SHA256
aeb0a07ef01ded67f83f9733f47ae366ae4253c19887e06ce703a59046eb1f4c

SHA512
619c0dc581d0da34fab5c6727dd303c35b1a657c513cdc25b486a8c0adfa8258c3696f17714b70ec2ed629de4272ff4b74e09bdaf9e05d096b686ef9fb120ae2

Download Submit
C:\Windows\{7D25B781-5C2D-44fa-A1E4-BF45C2535154}.exe

Filesize
76KB

MD5
4303f5657ed8566933a574b4eaf8c59c

SHA1
7a04a41d82f27e5c088d774f431687975cb23c67

SHA256
93c649e448fa74603ee6d3efa29cbcab6c48b2786f8246a38643b91abb49513c

SHA512
ce24de0e91b704d4dbcd81e496bfa7fc358f42ee0c5ae6be8932424b8519262ef49dcc584a9cf0d251a791e930640736603e75a100ad6f0a2ff377fc798d5450

Download Submit
C:\Windows\{A6A04355-0F06-4d2c-9D59-C7DED9EF9DFB}.exe

Filesize
76KB

MD5
30829946a2211366e58c2044c39ae1a0

SHA1
07416020b784a3c9c53f949173130a1ac41ab1e1

SHA256
bff04b8e14f33860603db6175e5a9427301358352e071f9694afaedfe1a0a10d

SHA512
7b880a4f86643554361b59f18887219bfc6156f66a1240781c76eb4733e47c599945e53ebfe1ed0e6ee4f52df0f68736b5c2d16972a71cb6a8e1e8f5af2d034b

Download Submit
C:\Windows\{AD2A63FB-7C4F-486f-B52E-2054F30323A8}.exe

Filesize
76KB

MD5
6254bdf794933b5ffac10c3ecccf6304

SHA1
2b7d3b81374ee525f70253f377a655317c451cd9

SHA256
9803c8e8fd127901149613b8b3ebfcb5714866a59f65b6bf0c90882df1a1051e

SHA512
e6eef58e0a273f3f2fa0846a280a9f23dea881362861e37346dde79cf2484bb5b1c4b4c84b38b4b406b428d26ef970a90f74b1bb4b66fc40211e518316096710

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads