5f251260a5c406ac446459cd515c78f6f769aa396c3252ca0858516a5335c24d

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efa16d4fe3e1d09cf2fbde61533a54f0N.exe
Size

64KB
MD5

efa16d4fe3e1d09cf2fbde61533a54f0
SHA1

8242770a1c6bba119c32c6ea3edaed0b401a90e9
SHA256

5f251260a5c406ac446459cd515c78f6f769aa396c3252ca0858516a5335c24d
SHA512

ef5cc9f41662c14cba96b0a765f569486f2dff5f77286232eb6675a70ad26508a51012bc3bf6093807678d6838f16987d6d58338138354357e182930a1ea6d1e
SSDEEP

384:ObLwOs8AHsc42MfwhKQLroI4/CFsrdHWMZE:Ovw981EvhKQLroI4/wQpWMZE

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B371E387-F55E-469f-82D4-128962E9BA8B}\stubpath = "C:\\Windows\\{B371E387-F55E-469f-82D4-128962E9BA8B}.exe"	{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A34BFC1-1417-4bbd-A281-B44AF23BDF6F}	{A9E58C89-DB2D-4ee7-BA81-87E20D28E83C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEED57F0-401D-42aa-8F1A-59386489DE21}	{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1199F232-D522-45a7-B116-DBB07811B446}\stubpath = "C:\\Windows\\{1199F232-D522-45a7-B116-DBB07811B446}.exe"	{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F568FDF6-D773-445d-AF84-55B9D4B98131}	{9DBE6155-5AF5-46da-B381-92504D086C29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4788CB5-C61A-439e-AA29-465C8E17B03F}	efa16d4fe3e1d09cf2fbde61533a54f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}\stubpath = "C:\\Windows\\{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe"	{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9E58C89-DB2D-4ee7-BA81-87E20D28E83C}\stubpath = "C:\\Windows\\{A9E58C89-DB2D-4ee7-BA81-87E20D28E83C}.exe"	{B371E387-F55E-469f-82D4-128962E9BA8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DBE6155-5AF5-46da-B381-92504D086C29}	{1199F232-D522-45a7-B116-DBB07811B446}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F568FDF6-D773-445d-AF84-55B9D4B98131}\stubpath = "C:\\Windows\\{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe"	{9DBE6155-5AF5-46da-B381-92504D086C29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B371E387-F55E-469f-82D4-128962E9BA8B}	{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9E58C89-DB2D-4ee7-BA81-87E20D28E83C}	{B371E387-F55E-469f-82D4-128962E9BA8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4788CB5-C61A-439e-AA29-465C8E17B03F}\stubpath = "C:\\Windows\\{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe"	efa16d4fe3e1d09cf2fbde61533a54f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEED57F0-401D-42aa-8F1A-59386489DE21}\stubpath = "C:\\Windows\\{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe"	{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}	{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1199F232-D522-45a7-B116-DBB07811B446}	{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DBE6155-5AF5-46da-B381-92504D086C29}\stubpath = "C:\\Windows\\{9DBE6155-5AF5-46da-B381-92504D086C29}.exe"	{1199F232-D522-45a7-B116-DBB07811B446}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A34BFC1-1417-4bbd-A281-B44AF23BDF6F}\stubpath = "C:\\Windows\\{0A34BFC1-1417-4bbd-A281-B44AF23BDF6F}.exe"	{A9E58C89-DB2D-4ee7-BA81-87E20D28E83C}.exe

Deletes itself 1 IoCs

pid	Process
2756	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2144	{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe
2736	{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe
1720	{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe
2224	{1199F232-D522-45a7-B116-DBB07811B446}.exe
988	{9DBE6155-5AF5-46da-B381-92504D086C29}.exe
608	{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe
1044	{B371E387-F55E-469f-82D4-128962E9BA8B}.exe
2984	{A9E58C89-DB2D-4ee7-BA81-87E20D28E83C}.exe
1748	{0A34BFC1-1417-4bbd-A281-B44AF23BDF6F}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe	efa16d4fe3e1d09cf2fbde61533a54f0N.exe
File created	C:\Windows\{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe	{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe
File created	C:\Windows\{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe	{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe
File created	C:\Windows\{1199F232-D522-45a7-B116-DBB07811B446}.exe	{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe
File created	C:\Windows\{B371E387-F55E-469f-82D4-128962E9BA8B}.exe	{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe
File created	C:\Windows\{A9E58C89-DB2D-4ee7-BA81-87E20D28E83C}.exe	{B371E387-F55E-469f-82D4-128962E9BA8B}.exe
File created	C:\Windows\{9DBE6155-5AF5-46da-B381-92504D086C29}.exe	{1199F232-D522-45a7-B116-DBB07811B446}.exe
File created	C:\Windows\{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe	{9DBE6155-5AF5-46da-B381-92504D086C29}.exe
File created	C:\Windows\{0A34BFC1-1417-4bbd-A281-B44AF23BDF6F}.exe	{A9E58C89-DB2D-4ee7-BA81-87E20D28E83C}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A34BFC1-1417-4bbd-A281-B44AF23BDF6F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efa16d4fe3e1d09cf2fbde61533a54f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1199F232-D522-45a7-B116-DBB07811B446}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B371E387-F55E-469f-82D4-128962E9BA8B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9DBE6155-5AF5-46da-B381-92504D086C29}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9E58C89-DB2D-4ee7-BA81-87E20D28E83C}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2360	efa16d4fe3e1d09cf2fbde61533a54f0N.exe
Token: SeIncBasePriorityPrivilege	2144	{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe
Token: SeIncBasePriorityPrivilege	2736	{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe
Token: SeIncBasePriorityPrivilege	1720	{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe
Token: SeIncBasePriorityPrivilege	2224	{1199F232-D522-45a7-B116-DBB07811B446}.exe
Token: SeIncBasePriorityPrivilege	988	{9DBE6155-5AF5-46da-B381-92504D086C29}.exe
Token: SeIncBasePriorityPrivilege	608	{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe
Token: SeIncBasePriorityPrivilege	1044	{B371E387-F55E-469f-82D4-128962E9BA8B}.exe
Token: SeIncBasePriorityPrivilege	2984	{A9E58C89-DB2D-4ee7-BA81-87E20D28E83C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2144	2360	efa16d4fe3e1d09cf2fbde61533a54f0N.exe	31
PID 2360 wrote to memory of 2144	2360	efa16d4fe3e1d09cf2fbde61533a54f0N.exe	31
PID 2360 wrote to memory of 2144	2360	efa16d4fe3e1d09cf2fbde61533a54f0N.exe	31
PID 2360 wrote to memory of 2144	2360	efa16d4fe3e1d09cf2fbde61533a54f0N.exe	31
PID 2360 wrote to memory of 2756	2360	efa16d4fe3e1d09cf2fbde61533a54f0N.exe	32
PID 2360 wrote to memory of 2756	2360	efa16d4fe3e1d09cf2fbde61533a54f0N.exe	32
PID 2360 wrote to memory of 2756	2360	efa16d4fe3e1d09cf2fbde61533a54f0N.exe	32
PID 2360 wrote to memory of 2756	2360	efa16d4fe3e1d09cf2fbde61533a54f0N.exe	32
PID 2144 wrote to memory of 2736	2144	{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe	33
PID 2144 wrote to memory of 2736	2144	{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe	33
PID 2144 wrote to memory of 2736	2144	{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe	33
PID 2144 wrote to memory of 2736	2144	{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe	33
PID 2144 wrote to memory of 2620	2144	{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe	34
PID 2144 wrote to memory of 2620	2144	{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe	34
PID 2144 wrote to memory of 2620	2144	{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe	34
PID 2144 wrote to memory of 2620	2144	{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe	34
PID 2736 wrote to memory of 1720	2736	{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe	35
PID 2736 wrote to memory of 1720	2736	{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe	35
PID 2736 wrote to memory of 1720	2736	{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe	35
PID 2736 wrote to memory of 1720	2736	{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe	35
PID 2736 wrote to memory of 2668	2736	{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe	36
PID 2736 wrote to memory of 2668	2736	{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe	36
PID 2736 wrote to memory of 2668	2736	{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe	36
PID 2736 wrote to memory of 2668	2736	{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe	36
PID 1720 wrote to memory of 2224	1720	{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe	37
PID 1720 wrote to memory of 2224	1720	{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe	37
PID 1720 wrote to memory of 2224	1720	{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe	37
PID 1720 wrote to memory of 2224	1720	{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe	37
PID 1720 wrote to memory of 2168	1720	{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe	38
PID 1720 wrote to memory of 2168	1720	{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe	38
PID 1720 wrote to memory of 2168	1720	{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe	38
PID 1720 wrote to memory of 2168	1720	{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe	38
PID 2224 wrote to memory of 988	2224	{1199F232-D522-45a7-B116-DBB07811B446}.exe	39
PID 2224 wrote to memory of 988	2224	{1199F232-D522-45a7-B116-DBB07811B446}.exe	39
PID 2224 wrote to memory of 988	2224	{1199F232-D522-45a7-B116-DBB07811B446}.exe	39
PID 2224 wrote to memory of 988	2224	{1199F232-D522-45a7-B116-DBB07811B446}.exe	39
PID 2224 wrote to memory of 708	2224	{1199F232-D522-45a7-B116-DBB07811B446}.exe	40
PID 2224 wrote to memory of 708	2224	{1199F232-D522-45a7-B116-DBB07811B446}.exe	40
PID 2224 wrote to memory of 708	2224	{1199F232-D522-45a7-B116-DBB07811B446}.exe	40
PID 2224 wrote to memory of 708	2224	{1199F232-D522-45a7-B116-DBB07811B446}.exe	40
PID 988 wrote to memory of 608	988	{9DBE6155-5AF5-46da-B381-92504D086C29}.exe	41
PID 988 wrote to memory of 608	988	{9DBE6155-5AF5-46da-B381-92504D086C29}.exe	41
PID 988 wrote to memory of 608	988	{9DBE6155-5AF5-46da-B381-92504D086C29}.exe	41
PID 988 wrote to memory of 608	988	{9DBE6155-5AF5-46da-B381-92504D086C29}.exe	41
PID 988 wrote to memory of 2912	988	{9DBE6155-5AF5-46da-B381-92504D086C29}.exe	42
PID 988 wrote to memory of 2912	988	{9DBE6155-5AF5-46da-B381-92504D086C29}.exe	42
PID 988 wrote to memory of 2912	988	{9DBE6155-5AF5-46da-B381-92504D086C29}.exe	42
PID 988 wrote to memory of 2912	988	{9DBE6155-5AF5-46da-B381-92504D086C29}.exe	42
PID 608 wrote to memory of 1044	608	{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe	43
PID 608 wrote to memory of 1044	608	{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe	43
PID 608 wrote to memory of 1044	608	{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe	43
PID 608 wrote to memory of 1044	608	{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe	43
PID 608 wrote to memory of 1988	608	{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe	44
PID 608 wrote to memory of 1988	608	{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe	44
PID 608 wrote to memory of 1988	608	{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe	44
PID 608 wrote to memory of 1988	608	{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe	44
PID 1044 wrote to memory of 2984	1044	{B371E387-F55E-469f-82D4-128962E9BA8B}.exe	45
PID 1044 wrote to memory of 2984	1044	{B371E387-F55E-469f-82D4-128962E9BA8B}.exe	45
PID 1044 wrote to memory of 2984	1044	{B371E387-F55E-469f-82D4-128962E9BA8B}.exe	45
PID 1044 wrote to memory of 2984	1044	{B371E387-F55E-469f-82D4-128962E9BA8B}.exe	45
PID 1044 wrote to memory of 2096	1044	{B371E387-F55E-469f-82D4-128962E9BA8B}.exe	46
PID 1044 wrote to memory of 2096	1044	{B371E387-F55E-469f-82D4-128962E9BA8B}.exe	46
PID 1044 wrote to memory of 2096	1044	{B371E387-F55E-469f-82D4-128962E9BA8B}.exe	46
PID 1044 wrote to memory of 2096	1044	{B371E387-F55E-469f-82D4-128962E9BA8B}.exe	46

C:\Users\Admin\AppData\Local\Temp\efa16d4fe3e1d09cf2fbde61533a54f0N.exe
"C:\Users\Admin\AppData\Local\Temp\efa16d4fe3e1d09cf2fbde61533a54f0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe
  C:\Windows\{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe
    C:\Windows\{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe
      C:\Windows\{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Windows\{1199F232-D522-45a7-B116-DBB07811B446}.exe
        
        C:\Windows\{1199F232-D522-45a7-B116-DBB07811B446}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
      - C:\Windows\{9DBE6155-5AF5-46da-B381-92504D086C29}.exe
        
        C:\Windows\{9DBE6155-5AF5-46da-B381-92504D086C29}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe
        
        C:\Windows\{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\{B371E387-F55E-469f-82D4-128962E9BA8B}.exe
        
        C:\Windows\{B371E387-F55E-469f-82D4-128962E9BA8B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\{A9E58C89-DB2D-4ee7-BA81-87E20D28E83C}.exe
        
        C:\Windows\{A9E58C89-DB2D-4ee7-BA81-87E20D28E83C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\{0A34BFC1-1417-4bbd-A281-B44AF23BDF6F}.exe
        
        C:\Windows\{0A34BFC1-1417-4bbd-A281-B44AF23BDF6F}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9E58~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B371E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F568F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DBE6~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1199F~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C943~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CEED5~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B4788~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EFA16D~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A34BFC1-1417-4bbd-A281-B44AF23BDF6F}.exe

Filesize
64KB

MD5
344ba98f99172a478eb02a3962ac9b51

SHA1
0a50bc815ba453032f372e4c744e55a240572716

SHA256
2e768e1878fccaf691221eec16bbc36d3b3f8e16a34f8935adba1dba5546d3fe

SHA512
7d4243141a950eb42e3efc8f78d77118728e0ad6151e40d6bb87e14ae268659968fbfe0a71700f2101e83a6c563f7277e433711130fc77f28903f65edd6fd409

Download Submit
C:\Windows\{1199F232-D522-45a7-B116-DBB07811B446}.exe

Filesize
64KB

MD5
acc54d724db8c281e01212bb3ddbf0d7

SHA1
8049baeb5861ad6e3189d0c04a01b2529182543f

SHA256
264321b5e28647c94819f8e3c9cc5b375203b6a033744c30e552bd7363fcf645

SHA512
c03dfb76c249d8c429ce0094b76f9e8e3bafe11097908a84b6b95ab5b6114a39abbcf344bd34f621c32ff67b13b6d0ef99ca8148ab35469e3f13335ecb9ccb07

Download Submit
C:\Windows\{5C94352D-1B5F-4171-AE6D-3EBD88C879C4}.exe

Filesize
64KB

MD5
4bab88998fd6a72a8021ef88b482f1da

SHA1
bb63123a65f861b4c3c3d191c99cbb5ced347c27

SHA256
86a2e407a1cb28a6ff5c25b8114b6d9d1eddcebd2eb0c0e5cc538e09e1951db6

SHA512
34c3e6d5034a276a67a1dff075267633ff53b17a40263c7d86c174e61ad9dbea92c31e4156dd2ac5f9d900029b030473863b3993dac4f6a8c770c6e7ceb5d39f

Download Submit
C:\Windows\{9DBE6155-5AF5-46da-B381-92504D086C29}.exe

Filesize
64KB

MD5
bc3441769d766de74e4f2191fb5084eb

SHA1
7efdbf3a797fbe9399f5d6d5b2f2068374a8ec79

SHA256
6d8ed3f90d41116a7bc914718a5ba6533fce216c038a61f100454b7f7f608227

SHA512
386ea641e63eb8c6f79d3fd99f6e2beeea8185d8754ebb50ca2723fcd1957d3c9757ffccfb5cc0874245ed3e1190ab08ad78c5a35de1447d438e6f4ab0aa665a

Download Submit
C:\Windows\{A9E58C89-DB2D-4ee7-BA81-87E20D28E83C}.exe

Filesize
64KB

MD5
d9a3224a227d6c5178e1aa762abb184b

SHA1
06fb7da413f6afd3ee8ccd4f2c74492206f9e365

SHA256
503da11a91950c1823181b736b24985f31202dd166d3966e3b99bb3f6a8f7782

SHA512
6bbb23f542bff3d25a7333d8eed17843d605579cd0a0bbcd9857290bb938e8929c5651880ee375370794cfeb953933ad658336e66b517e8a20847fca14abd4ee

Download Submit
C:\Windows\{B371E387-F55E-469f-82D4-128962E9BA8B}.exe

Filesize
64KB

MD5
eca3bff3634232cc83e7f6dde98775be

SHA1
dbe25a1043287b7e3ddac0be539568516b40ab87

SHA256
f937d67313738c8492c5933228f95c933137b46d8f5bf2d6bb11aad608759295

SHA512
52556097a2e44077e8dd9ec9b09c5c7f7c069820df9683e521d39141e123f22b0c50b8bc6369531f7018989ee90acd85c8e349fa0ee0a7bccdb0d7f3198f2b13

Download Submit
C:\Windows\{B4788CB5-C61A-439e-AA29-465C8E17B03F}.exe

Filesize
64KB

MD5
08fd4df690447e42b917f75a1c6115bf

SHA1
07119ff8a59c74e281a59cf439b7e4935748c6ab

SHA256
352667d505609533890fbc3fca25dc49502a1f550ac7151b0e1d61740c94966c

SHA512
5069227db0548ec4a05c3d117396129c41e3c57eeec5e6d4c0098da285d396ab29e7251d8671176a14c859799d080ca523d0116277feee04e4e63cfecd81fc81

Download Submit
C:\Windows\{CEED57F0-401D-42aa-8F1A-59386489DE21}.exe

Filesize
64KB

MD5
6c24bc3c4f7196a73953eec59afab46f

SHA1
ea8f1abfed92d244da22b9d406c1c474a803e352

SHA256
dd4d6fdf09ddcd864c66028e992ef32a8bffed561a9dbcd07c71c947a5892f3e

SHA512
553eb2b7334f0936d314eaaf41386e25c3b050c3889f0619f77c656e55eae56257aa4320242de087f03bce73bc2ff1231476aed38fe83c87a6e4b3b7b9371337

Download Submit
C:\Windows\{F568FDF6-D773-445d-AF84-55B9D4B98131}.exe

Filesize
64KB

MD5
b655e9c29936c75a4760a8ea7deb3f3d

SHA1
8266d247c47e98993df9202831ab6e100d2d8971

SHA256
e6ae03b6b27fc465a7b3a06ecb5001ff15c289949aeb989f76c9df7a122e59b4

SHA512
008a48c8e981cb9dd15e1c569510977001a104ea0fcccbe654ee9aa47b9b74087a6d0d9eded5377e919a2a73db1956afa4b95490134bde914f2cd8b4ae87893b

Download Submit
memory/608-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/608-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/988-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/988-54-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1044-72-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/1044-76-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1720-31-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1720-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1720-35-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/1748-87-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2144-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2144-15-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2144-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2224-42-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2224-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2224-49-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2360-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2360-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2360-9-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2360-4-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2360-1-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2736-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2736-25-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2736-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2984-80-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/2984-85-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads