e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/09/2024, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9N.exe
Size

80KB
MD5

b9a807bb90216fe77c18ebb45bfc2a80
SHA1

09446d1a8cd5feef190c256b819f2731303aa7b3
SHA256

e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9
SHA512

f73df8e7e755f4a8153d9ef717e7146cee19b173ee3cc0da77ea8f8fb2ea4afa5f2880f484294836c53e18a0314cd5f8782d92dc54fa06ad0bb387fd1f7ea69b
SSDEEP

768:evU9816vhKQLro4aVWhxf3nbcuyD7UuXCRINrfrunMxVFA3b7glwRjMlfwGxEI56:q4Gh0o440p3nouy8QbunMxVS3HgdoKjm

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16696E9D-3849-4fae-A772-693807FA9CAE}	{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16696E9D-3849-4fae-A772-693807FA9CAE}\stubpath = "C:\\Windows\\{16696E9D-3849-4fae-A772-693807FA9CAE}.exe"	{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18CC547B-89A6-4ab2-985F-102E5B42CB86}\stubpath = "C:\\Windows\\{18CC547B-89A6-4ab2-985F-102E5B42CB86}.exe"	{16696E9D-3849-4fae-A772-693807FA9CAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFDBB89D-247D-429c-B4CE-FBFCB497C8D1}\stubpath = "C:\\Windows\\{CFDBB89D-247D-429c-B4CE-FBFCB497C8D1}.exe"	{18CC547B-89A6-4ab2-985F-102E5B42CB86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}	e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}	{760E3419-12E9-4857-BF8A-E8963F30144C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}\stubpath = "C:\\Windows\\{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe"	{760E3419-12E9-4857-BF8A-E8963F30144C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFDBB89D-247D-429c-B4CE-FBFCB497C8D1}	{18CC547B-89A6-4ab2-985F-102E5B42CB86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}	{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{948233E0-5072-444a-B468-CFC305815A2F}	{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{760E3419-12E9-4857-BF8A-E8963F30144C}	{948233E0-5072-444a-B468-CFC305815A2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}\stubpath = "C:\\Windows\\{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe"	e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}\stubpath = "C:\\Windows\\{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe"	{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{948233E0-5072-444a-B468-CFC305815A2F}\stubpath = "C:\\Windows\\{948233E0-5072-444a-B468-CFC305815A2F}.exe"	{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{760E3419-12E9-4857-BF8A-E8963F30144C}\stubpath = "C:\\Windows\\{760E3419-12E9-4857-BF8A-E8963F30144C}.exe"	{948233E0-5072-444a-B468-CFC305815A2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18CC547B-89A6-4ab2-985F-102E5B42CB86}	{16696E9D-3849-4fae-A772-693807FA9CAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}	{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}\stubpath = "C:\\Windows\\{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe"	{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe

Deletes itself 1 IoCs

pid	Process
492	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2908	{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe
2632	{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe
2792	{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe
3056	{948233E0-5072-444a-B468-CFC305815A2F}.exe
2052	{760E3419-12E9-4857-BF8A-E8963F30144C}.exe
1104	{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe
1584	{16696E9D-3849-4fae-A772-693807FA9CAE}.exe
2152	{18CC547B-89A6-4ab2-985F-102E5B42CB86}.exe
2804	{CFDBB89D-247D-429c-B4CE-FBFCB497C8D1}.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2400-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2400-1-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2400-4-0x00000000003E0000-0x00000000003F3000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-8.dat	upx
behavioral1/memory/2400-9-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2908-10-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2908-19-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2908-17-0x0000000000290000-0x00000000002A3000-memory.dmp	upx
behavioral1/files/0x0009000000016cf6-20.dat	upx
behavioral1/memory/2632-21-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2632-25-0x00000000003D0000-0x00000000003E3000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-29.dat	upx
behavioral1/memory/2632-30-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2792-31-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2792-35-0x00000000003B0000-0x00000000003C3000-memory.dmp	upx
behavioral1/memory/2792-39-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000a000000016cf6-40.dat	upx
behavioral1/memory/3056-41-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/3056-50-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0006000000004ed7-51.dat	upx
behavioral1/memory/2052-52-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2052-53-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2052-62-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1104-64-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000b000000016cf6-63.dat	upx
behavioral1/memory/1104-65-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1104-69-0x0000000000320000-0x0000000000333000-memory.dmp	upx
behavioral1/memory/1104-73-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0009000000016d02-74.dat	upx
behavioral1/memory/1584-75-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1584-79-0x00000000003D0000-0x00000000003E3000-memory.dmp	upx
behavioral1/memory/1584-83-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000c000000016cf6-84.dat	upx
behavioral1/memory/2152-85-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2152-89-0x00000000003E0000-0x00000000003F3000-memory.dmp	upx
behavioral1/memory/2152-93-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000a000000016d02-94.dat	upx
behavioral1/memory/2804-95-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe	{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe
File created	C:\Windows\{16696E9D-3849-4fae-A772-693807FA9CAE}.exe	{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe
File created	C:\Windows\{18CC547B-89A6-4ab2-985F-102E5B42CB86}.exe	{16696E9D-3849-4fae-A772-693807FA9CAE}.exe
File created	C:\Windows\{760E3419-12E9-4857-BF8A-E8963F30144C}.exe	{948233E0-5072-444a-B468-CFC305815A2F}.exe
File created	C:\Windows\{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe	{760E3419-12E9-4857-BF8A-E8963F30144C}.exe
File created	C:\Windows\{CFDBB89D-247D-429c-B4CE-FBFCB497C8D1}.exe	{18CC547B-89A6-4ab2-985F-102E5B42CB86}.exe
File created	C:\Windows\{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe	e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9N.exe
File created	C:\Windows\{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe	{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe
File created	C:\Windows\{948233E0-5072-444a-B468-CFC305815A2F}.exe	{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{16696E9D-3849-4fae-A772-693807FA9CAE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CFDBB89D-247D-429c-B4CE-FBFCB497C8D1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{18CC547B-89A6-4ab2-985F-102E5B42CB86}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{948233E0-5072-444a-B468-CFC305815A2F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{760E3419-12E9-4857-BF8A-E8963F30144C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2400	e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9N.exe
Token: SeIncBasePriorityPrivilege	2908	{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe
Token: SeIncBasePriorityPrivilege	2632	{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe
Token: SeIncBasePriorityPrivilege	2792	{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe
Token: SeIncBasePriorityPrivilege	3056	{948233E0-5072-444a-B468-CFC305815A2F}.exe
Token: SeIncBasePriorityPrivilege	2052	{760E3419-12E9-4857-BF8A-E8963F30144C}.exe
Token: SeIncBasePriorityPrivilege	1104	{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe
Token: SeIncBasePriorityPrivilege	1584	{16696E9D-3849-4fae-A772-693807FA9CAE}.exe
Token: SeIncBasePriorityPrivilege	2152	{18CC547B-89A6-4ab2-985F-102E5B42CB86}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2908	2400	e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9N.exe	31
PID 2400 wrote to memory of 2908	2400	e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9N.exe	31
PID 2400 wrote to memory of 2908	2400	e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9N.exe	31
PID 2400 wrote to memory of 2908	2400	e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9N.exe	31
PID 2400 wrote to memory of 492	2400	e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9N.exe	32
PID 2400 wrote to memory of 492	2400	e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9N.exe	32
PID 2400 wrote to memory of 492	2400	e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9N.exe	32
PID 2400 wrote to memory of 492	2400	e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9N.exe	32
PID 2908 wrote to memory of 2632	2908	{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe	33
PID 2908 wrote to memory of 2632	2908	{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe	33
PID 2908 wrote to memory of 2632	2908	{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe	33
PID 2908 wrote to memory of 2632	2908	{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe	33
PID 2908 wrote to memory of 2512	2908	{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe	34
PID 2908 wrote to memory of 2512	2908	{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe	34
PID 2908 wrote to memory of 2512	2908	{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe	34
PID 2908 wrote to memory of 2512	2908	{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe	34
PID 2632 wrote to memory of 2792	2632	{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe	35
PID 2632 wrote to memory of 2792	2632	{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe	35
PID 2632 wrote to memory of 2792	2632	{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe	35
PID 2632 wrote to memory of 2792	2632	{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe	35
PID 2632 wrote to memory of 2624	2632	{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe	36
PID 2632 wrote to memory of 2624	2632	{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe	36
PID 2632 wrote to memory of 2624	2632	{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe	36
PID 2632 wrote to memory of 2624	2632	{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe	36
PID 2792 wrote to memory of 3056	2792	{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe	37
PID 2792 wrote to memory of 3056	2792	{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe	37
PID 2792 wrote to memory of 3056	2792	{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe	37
PID 2792 wrote to memory of 3056	2792	{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe	37
PID 2792 wrote to memory of 3064	2792	{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe	38
PID 2792 wrote to memory of 3064	2792	{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe	38
PID 2792 wrote to memory of 3064	2792	{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe	38
PID 2792 wrote to memory of 3064	2792	{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe	38
PID 3056 wrote to memory of 2052	3056	{948233E0-5072-444a-B468-CFC305815A2F}.exe	39
PID 3056 wrote to memory of 2052	3056	{948233E0-5072-444a-B468-CFC305815A2F}.exe	39
PID 3056 wrote to memory of 2052	3056	{948233E0-5072-444a-B468-CFC305815A2F}.exe	39
PID 3056 wrote to memory of 2052	3056	{948233E0-5072-444a-B468-CFC305815A2F}.exe	39
PID 3056 wrote to memory of 2044	3056	{948233E0-5072-444a-B468-CFC305815A2F}.exe	40
PID 3056 wrote to memory of 2044	3056	{948233E0-5072-444a-B468-CFC305815A2F}.exe	40
PID 3056 wrote to memory of 2044	3056	{948233E0-5072-444a-B468-CFC305815A2F}.exe	40
PID 3056 wrote to memory of 2044	3056	{948233E0-5072-444a-B468-CFC305815A2F}.exe	40
PID 2052 wrote to memory of 1104	2052	{760E3419-12E9-4857-BF8A-E8963F30144C}.exe	41
PID 2052 wrote to memory of 1104	2052	{760E3419-12E9-4857-BF8A-E8963F30144C}.exe	41
PID 2052 wrote to memory of 1104	2052	{760E3419-12E9-4857-BF8A-E8963F30144C}.exe	41
PID 2052 wrote to memory of 1104	2052	{760E3419-12E9-4857-BF8A-E8963F30144C}.exe	41
PID 2052 wrote to memory of 844	2052	{760E3419-12E9-4857-BF8A-E8963F30144C}.exe	42
PID 2052 wrote to memory of 844	2052	{760E3419-12E9-4857-BF8A-E8963F30144C}.exe	42
PID 2052 wrote to memory of 844	2052	{760E3419-12E9-4857-BF8A-E8963F30144C}.exe	42
PID 2052 wrote to memory of 844	2052	{760E3419-12E9-4857-BF8A-E8963F30144C}.exe	42
PID 1104 wrote to memory of 1584	1104	{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe	43
PID 1104 wrote to memory of 1584	1104	{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe	43
PID 1104 wrote to memory of 1584	1104	{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe	43
PID 1104 wrote to memory of 1584	1104	{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe	43
PID 1104 wrote to memory of 1368	1104	{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe	44
PID 1104 wrote to memory of 1368	1104	{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe	44
PID 1104 wrote to memory of 1368	1104	{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe	44
PID 1104 wrote to memory of 1368	1104	{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe	44
PID 1584 wrote to memory of 2152	1584	{16696E9D-3849-4fae-A772-693807FA9CAE}.exe	45
PID 1584 wrote to memory of 2152	1584	{16696E9D-3849-4fae-A772-693807FA9CAE}.exe	45
PID 1584 wrote to memory of 2152	1584	{16696E9D-3849-4fae-A772-693807FA9CAE}.exe	45
PID 1584 wrote to memory of 2152	1584	{16696E9D-3849-4fae-A772-693807FA9CAE}.exe	45
PID 1584 wrote to memory of 2144	1584	{16696E9D-3849-4fae-A772-693807FA9CAE}.exe	46
PID 1584 wrote to memory of 2144	1584	{16696E9D-3849-4fae-A772-693807FA9CAE}.exe	46
PID 1584 wrote to memory of 2144	1584	{16696E9D-3849-4fae-A772-693807FA9CAE}.exe	46
PID 1584 wrote to memory of 2144	1584	{16696E9D-3849-4fae-A772-693807FA9CAE}.exe	46

C:\Users\Admin\AppData\Local\Temp\e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9N.exe
"C:\Users\Admin\AppData\Local\Temp\e8ae026a6ed076292d473a579d6f15f0966bad82affc404a5503883228c289b9N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe
  C:\Windows\{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe
    C:\Windows\{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe
      C:\Windows\{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\{948233E0-5072-444a-B468-CFC305815A2F}.exe
        
        C:\Windows\{948233E0-5072-444a-B468-CFC305815A2F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\{760E3419-12E9-4857-BF8A-E8963F30144C}.exe
        
        C:\Windows\{760E3419-12E9-4857-BF8A-E8963F30144C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe
        
        C:\Windows\{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\{16696E9D-3849-4fae-A772-693807FA9CAE}.exe
        
        C:\Windows\{16696E9D-3849-4fae-A772-693807FA9CAE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\{18CC547B-89A6-4ab2-985F-102E5B42CB86}.exe
        
        C:\Windows\{18CC547B-89A6-4ab2-985F-102E5B42CB86}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\{CFDBB89D-247D-429c-B4CE-FBFCB497C8D1}.exe
        
        C:\Windows\{CFDBB89D-247D-429c-B4CE-FBFCB497C8D1}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18CC5~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16696~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A78CA~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{760E3~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94823~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E72B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F15C9~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4D8B4~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E8AE02~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16696E9D-3849-4fae-A772-693807FA9CAE}.exe

Filesize
80KB

MD5
fbe2760aa35014dd8248449ac5ebdd1d

SHA1
418f80a274ceb715f0817bfba89f1e16f2cb2c5f

SHA256
ae2da5dac77ccc462e5d58bc4f05d847852ebff091a217ee89819cbdf20c83a7

SHA512
fc8ac0dbe7dcb827308b27af42c687aa6c51afec76539281f5bb2892c8948b653e159be78c5cbe0c025a31fd92f5904621ba0e0b9ffb6fc42f6d9aefecc91e35

Download Submit
C:\Windows\{18CC547B-89A6-4ab2-985F-102E5B42CB86}.exe

Filesize
80KB

MD5
5c3ba0846ee09617bfe2bf58d9488399

SHA1
0359b7e34d8a38371cb2d8bf468bd669fa437225

SHA256
53d1903703ca0afa669806f7c701c5d8b503fde1a231b06aa11bcc8eab5d5cef

SHA512
ab934ed95ea82758748b35bd86948c31146368fb8d1607b3bacd0655b32c263cf25bb883220474a691b4e9241327cd650b93269706a6b8ac5af7f7fbef2796ee

Download Submit
C:\Windows\{4D8B4658-E9AB-4bc0-B60D-7D73DC41FD9F}.exe

Filesize
80KB

MD5
537b46644e7b591915bc0b8a7bf856ac

SHA1
4fc3d0ccb9c96c6e7faf08d56032bcd35e01be60

SHA256
9ef0b63510a0b1c6bba920022ba49657fd619a8f0c912127fe5c77712c0b3d20

SHA512
48468580eca8d00fd277a12d23325eb40b7ddb7c17e8e58a1131686f6b8fb47b2da09b4a86143cb8cdab4b1719ffab608ab8cb824af8367a139375d371fe98c4

Download Submit
C:\Windows\{6E72B0E2-FB6B-4a73-A3A7-18A7C6D07B91}.exe

Filesize
80KB

MD5
ca8b8f1766da349eb5b6c81e64710b01

SHA1
60ffbd4b6767063bb39c0c41537caaeb4da486ad

SHA256
8bd2537e08279f30d77ce88f4c8892665787eed0f01db59a23b38491cbedbe86

SHA512
06299b53817f77507d8623f6a26588863492b755f2db141a251db0d09b6e3203ea90787475597dec4047f4854d8a365ccf3f43b4858442babe6c05705da7e010

Download Submit
C:\Windows\{760E3419-12E9-4857-BF8A-E8963F30144C}.exe

Filesize
80KB

MD5
69237d2381b6f6a018c8d6f5a3bebd8d

SHA1
f72ac924e1192c83e58c321999a13688a5a6c265

SHA256
cf4cfdc3c79b793a9ea17451fbeedeb2672e5eaf4eda7b6ff122ca2027c0db8f

SHA512
894677e3106db4232cbd392b211351020d6703cb2942d0f88829c9c0375c0319bc886b0ab4f3d3debedde98bb476223881a0e9ec82d8bafb3362174457b4da48

Download Submit
C:\Windows\{948233E0-5072-444a-B468-CFC305815A2F}.exe

Filesize
80KB

MD5
ab379af5b74ea6eefb70b88c39e3c31d

SHA1
3682d47b45f750d883d16183c531732cd7b6a7a8

SHA256
dc1ce4ab2aa908bf09d6fce97fa64806d86bfc4d2e90c3b5f18f4b1f22b1f869

SHA512
ac4dcf0ad9e2c0e6dd190a46dcd423140b170538ec62113982f62350360256a9f6103dafb5fe93f417d3c76fdd0de676a81cb4feeefb8f3ab762b4670d7fce83

Download Submit
C:\Windows\{A78CA657-ACCD-4c5d-AAAB-1D6DFCF24D85}.exe

Filesize
80KB

MD5
0a7d4cc928f63cc2d22c289c1b5d0822

SHA1
c554ffa275f65d7ee87440bf419be8c5db9b22c6

SHA256
3c1c11a7616be3f0f230dc2313e5651c191ed2112ca0dc3f5ceb7973d5a19dbf

SHA512
05cf5bb7b13b6590a0793cf18a987ca28a2a61d27827126ede2a20619dda4c1acc68300af6728221bcf2cf50ef0835144d3a8867ea993eb0d55e5cc3b0533cc8

Download Submit
C:\Windows\{CFDBB89D-247D-429c-B4CE-FBFCB497C8D1}.exe

Filesize
80KB

MD5
57991f46c17ca307d29dba9de70be297

SHA1
24dad34ef81dae0128ea44033f37e7bd4fb38f00

SHA256
342f90f50d0e51678fd5a73c711a7529c2857ee4fbc7d6a3bdbe6708d86368ef

SHA512
540a8a82d482d96802662e5023680524deec0a31b59e8c069502a45eacf63a774a4e9559f746455e2291578a72194c35ff989d18e99979ad773237ae4ca5fd8d

Download Submit
C:\Windows\{F15C9DB5-4D50-4d71-AD13-F0D892C0B6AC}.exe

Filesize
80KB

MD5
fa43b1ae49ee05a98bee549b5b2c86a3

SHA1
f6fdd1a78ac8bd4d6aa56186afaab2c745d4e8eb

SHA256
0ae1b8b54939c37dcc927e07edd84b68c3b7768ce45e778717546c3d2cf609ea

SHA512
2fa9b39267b25641f1dc39467dac870ee7d5bcbbda7ef4a76d5c691406147634d1a962a77d20448e922851019efdf16fe32eab7966a7a62a2f6cddebebde39d2

Download Submit
memory/1104-64-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1104-73-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1104-69-0x0000000000320000-0x0000000000333000-memory.dmp

Filesize
76KB

Download
memory/1104-65-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1584-79-0x00000000003D0000-0x00000000003E3000-memory.dmp

Filesize
76KB

Download
memory/1584-75-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1584-83-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2052-52-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2052-60-0x0000000000420000-0x0000000000433000-memory.dmp

Filesize
76KB

Download
memory/2052-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2052-61-0x0000000000420000-0x0000000000433000-memory.dmp

Filesize
76KB

Download
memory/2052-53-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2152-85-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2152-93-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2152-89-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download
memory/2400-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2400-4-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download
memory/2400-9-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2400-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2632-21-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2632-25-0x00000000003D0000-0x00000000003E3000-memory.dmp

Filesize
76KB

Download
memory/2632-30-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2792-31-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2792-39-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2792-35-0x00000000003B0000-0x00000000003C3000-memory.dmp

Filesize
76KB

Download
memory/2804-95-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2908-17-0x0000000000290000-0x00000000002A3000-memory.dmp

Filesize
76KB

Download
memory/2908-19-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2908-18-0x0000000000290000-0x00000000002A3000-memory.dmp

Filesize
76KB

Download
memory/2908-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3056-41-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3056-49-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download
memory/3056-50-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3056-48-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads