cb31e461918de6e4340094595946bdac4c76c3fe91015693136f64ea85504dde

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb31e461918de6e4340094595946bdac4c76c3fe91015693136f64ea85504dde.exe
Size

90KB
MD5

0a3a1326fa543046f979e192ac48c87a
SHA1

664cc9b088355bdfd05752bd113944f2c501e386
SHA256

cb31e461918de6e4340094595946bdac4c76c3fe91015693136f64ea85504dde
SHA512

6184a894104f6af3e8901c74fd796fb1a73896594c30bfbf3fff2c338b4d74f235661cff35c6467652e0ac9979655f6f9d72d6b8a87c99c35fd898fec4bc0481
SSDEEP

768:Qvw9816vhKQLrox4/wQRNrfrunMxVFA3b7glw:YEGh0oxl2unMxVS3Hg

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71F44783-00D3-4928-B200-F2C6C3D4CE90}\stubpath = "C:\\Windows\\{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe"	cb31e461918de6e4340094595946bdac4c76c3fe91015693136f64ea85504dde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}	{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC7DDB4A-98B5-4b1a-B0BA-DEECEFBEC3BD}\stubpath = "C:\\Windows\\{FC7DDB4A-98B5-4b1a-B0BA-DEECEFBEC3BD}.exe"	{9C2335C8-F83C-4625-9429-688807B07FD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C2335C8-F83C-4625-9429-688807B07FD1}	{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC7DDB4A-98B5-4b1a-B0BA-DEECEFBEC3BD}	{9C2335C8-F83C-4625-9429-688807B07FD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FE71546-333B-44ef-A4A9-94D4B58119DB}\stubpath = "C:\\Windows\\{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe"	{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}\stubpath = "C:\\Windows\\{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe"	{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C27DA13-5A58-4817-BE13-A63586A2ACFE}	{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C27DA13-5A58-4817-BE13-A63586A2ACFE}\stubpath = "C:\\Windows\\{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe"	{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E25C2A83-9264-4a4d-894A-7BE0D8428925}	{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75E73F91-82AC-40be-A72F-1FED416DF9F5}	{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71F44783-00D3-4928-B200-F2C6C3D4CE90}	cb31e461918de6e4340094595946bdac4c76c3fe91015693136f64ea85504dde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}	{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E25C2A83-9264-4a4d-894A-7BE0D8428925}\stubpath = "C:\\Windows\\{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe"	{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75E73F91-82AC-40be-A72F-1FED416DF9F5}\stubpath = "C:\\Windows\\{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe"	{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF8EF158-1688-4a03-BAD8-0866D907E2BC}	{FC7DDB4A-98B5-4b1a-B0BA-DEECEFBEC3BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF8EF158-1688-4a03-BAD8-0866D907E2BC}\stubpath = "C:\\Windows\\{FF8EF158-1688-4a03-BAD8-0866D907E2BC}.exe"	{FC7DDB4A-98B5-4b1a-B0BA-DEECEFBEC3BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C2335C8-F83C-4625-9429-688807B07FD1}\stubpath = "C:\\Windows\\{9C2335C8-F83C-4625-9429-688807B07FD1}.exe"	{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FE71546-333B-44ef-A4A9-94D4B58119DB}	{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}	{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}\stubpath = "C:\\Windows\\{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe"	{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}\stubpath = "C:\\Windows\\{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe"	{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}	{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}\stubpath = "C:\\Windows\\{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe"	{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe

Executes dropped EXE 12 IoCs

pid	Process
1664	{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe
2892	{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe
224	{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe
2540	{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe
2616	{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe
4924	{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe
800	{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe
2504	{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe
4048	{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe
4436	{9C2335C8-F83C-4625-9429-688807B07FD1}.exe
3928	{FC7DDB4A-98B5-4b1a-B0BA-DEECEFBEC3BD}.exe
1656	{FF8EF158-1688-4a03-BAD8-0866D907E2BC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe	{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe
File created	C:\Windows\{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe	{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe
File created	C:\Windows\{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe	{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe
File created	C:\Windows\{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe	{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe
File created	C:\Windows\{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe	{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe
File created	C:\Windows\{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe	{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe
File created	C:\Windows\{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe	{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe
File created	C:\Windows\{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe	cb31e461918de6e4340094595946bdac4c76c3fe91015693136f64ea85504dde.exe
File created	C:\Windows\{9C2335C8-F83C-4625-9429-688807B07FD1}.exe	{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe
File created	C:\Windows\{FC7DDB4A-98B5-4b1a-B0BA-DEECEFBEC3BD}.exe	{9C2335C8-F83C-4625-9429-688807B07FD1}.exe
File created	C:\Windows\{FF8EF158-1688-4a03-BAD8-0866D907E2BC}.exe	{FC7DDB4A-98B5-4b1a-B0BA-DEECEFBEC3BD}.exe
File created	C:\Windows\{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe	{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb31e461918de6e4340094595946bdac4c76c3fe91015693136f64ea85504dde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FF8EF158-1688-4a03-BAD8-0866D907E2BC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC7DDB4A-98B5-4b1a-B0BA-DEECEFBEC3BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C2335C8-F83C-4625-9429-688807B07FD1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4796	cb31e461918de6e4340094595946bdac4c76c3fe91015693136f64ea85504dde.exe
Token: SeIncBasePriorityPrivilege	1664	{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe
Token: SeIncBasePriorityPrivilege	2892	{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe
Token: SeIncBasePriorityPrivilege	224	{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe
Token: SeIncBasePriorityPrivilege	2540	{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe
Token: SeIncBasePriorityPrivilege	2616	{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe
Token: SeIncBasePriorityPrivilege	4924	{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe
Token: SeIncBasePriorityPrivilege	800	{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe
Token: SeIncBasePriorityPrivilege	2504	{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe
Token: SeIncBasePriorityPrivilege	4048	{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe
Token: SeIncBasePriorityPrivilege	4436	{9C2335C8-F83C-4625-9429-688807B07FD1}.exe
Token: SeIncBasePriorityPrivilege	3928	{FC7DDB4A-98B5-4b1a-B0BA-DEECEFBEC3BD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 1664	4796	cb31e461918de6e4340094595946bdac4c76c3fe91015693136f64ea85504dde.exe	92
PID 4796 wrote to memory of 1664	4796	cb31e461918de6e4340094595946bdac4c76c3fe91015693136f64ea85504dde.exe	92
PID 4796 wrote to memory of 1664	4796	cb31e461918de6e4340094595946bdac4c76c3fe91015693136f64ea85504dde.exe	92
PID 4796 wrote to memory of 548	4796	cb31e461918de6e4340094595946bdac4c76c3fe91015693136f64ea85504dde.exe	93
PID 4796 wrote to memory of 548	4796	cb31e461918de6e4340094595946bdac4c76c3fe91015693136f64ea85504dde.exe	93
PID 4796 wrote to memory of 548	4796	cb31e461918de6e4340094595946bdac4c76c3fe91015693136f64ea85504dde.exe	93
PID 1664 wrote to memory of 2892	1664	{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe	94
PID 1664 wrote to memory of 2892	1664	{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe	94
PID 1664 wrote to memory of 2892	1664	{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe	94
PID 1664 wrote to memory of 2996	1664	{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe	95
PID 1664 wrote to memory of 2996	1664	{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe	95
PID 1664 wrote to memory of 2996	1664	{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe	95
PID 2892 wrote to memory of 224	2892	{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe	98
PID 2892 wrote to memory of 224	2892	{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe	98
PID 2892 wrote to memory of 224	2892	{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe	98
PID 2892 wrote to memory of 1892	2892	{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe	99
PID 2892 wrote to memory of 1892	2892	{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe	99
PID 2892 wrote to memory of 1892	2892	{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe	99
PID 224 wrote to memory of 2540	224	{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe	100
PID 224 wrote to memory of 2540	224	{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe	100
PID 224 wrote to memory of 2540	224	{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe	100
PID 224 wrote to memory of 2684	224	{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe	101
PID 224 wrote to memory of 2684	224	{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe	101
PID 224 wrote to memory of 2684	224	{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe	101
PID 2540 wrote to memory of 2616	2540	{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe	102
PID 2540 wrote to memory of 2616	2540	{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe	102
PID 2540 wrote to memory of 2616	2540	{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe	102
PID 2540 wrote to memory of 5016	2540	{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe	103
PID 2540 wrote to memory of 5016	2540	{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe	103
PID 2540 wrote to memory of 5016	2540	{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe	103
PID 2616 wrote to memory of 4924	2616	{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe	104
PID 2616 wrote to memory of 4924	2616	{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe	104
PID 2616 wrote to memory of 4924	2616	{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe	104
PID 2616 wrote to memory of 2956	2616	{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe	105
PID 2616 wrote to memory of 2956	2616	{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe	105
PID 2616 wrote to memory of 2956	2616	{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe	105
PID 4924 wrote to memory of 800	4924	{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe	106
PID 4924 wrote to memory of 800	4924	{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe	106
PID 4924 wrote to memory of 800	4924	{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe	106
PID 4924 wrote to memory of 1568	4924	{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe	107
PID 4924 wrote to memory of 1568	4924	{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe	107
PID 4924 wrote to memory of 1568	4924	{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe	107
PID 800 wrote to memory of 2504	800	{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe	108
PID 800 wrote to memory of 2504	800	{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe	108
PID 800 wrote to memory of 2504	800	{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe	108
PID 800 wrote to memory of 4128	800	{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe	109
PID 800 wrote to memory of 4128	800	{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe	109
PID 800 wrote to memory of 4128	800	{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe	109
PID 2504 wrote to memory of 4048	2504	{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe	110
PID 2504 wrote to memory of 4048	2504	{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe	110
PID 2504 wrote to memory of 4048	2504	{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe	110
PID 2504 wrote to memory of 208	2504	{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe	111
PID 2504 wrote to memory of 208	2504	{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe	111
PID 2504 wrote to memory of 208	2504	{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe	111
PID 4048 wrote to memory of 4436	4048	{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe	112
PID 4048 wrote to memory of 4436	4048	{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe	112
PID 4048 wrote to memory of 4436	4048	{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe	112
PID 4048 wrote to memory of 4852	4048	{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe	113
PID 4048 wrote to memory of 4852	4048	{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe	113
PID 4048 wrote to memory of 4852	4048	{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe	113
PID 4436 wrote to memory of 3928	4436	{9C2335C8-F83C-4625-9429-688807B07FD1}.exe	114
PID 4436 wrote to memory of 3928	4436	{9C2335C8-F83C-4625-9429-688807B07FD1}.exe	114
PID 4436 wrote to memory of 3928	4436	{9C2335C8-F83C-4625-9429-688807B07FD1}.exe	114
PID 4436 wrote to memory of 2212	4436	{9C2335C8-F83C-4625-9429-688807B07FD1}.exe	115

C:\Users\Admin\AppData\Local\Temp\cb31e461918de6e4340094595946bdac4c76c3fe91015693136f64ea85504dde.exe
"C:\Users\Admin\AppData\Local\Temp\cb31e461918de6e4340094595946bdac4c76c3fe91015693136f64ea85504dde.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe
  C:\Windows\{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe
    C:\Windows\{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe
      C:\Windows\{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Windows\{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe
        
        C:\Windows\{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe
        
        C:\Windows\{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe
        
        C:\Windows\{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe
        
        C:\Windows\{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe
        
        C:\Windows\{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe
        
        C:\Windows\{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\{9C2335C8-F83C-4625-9429-688807B07FD1}.exe
        
        C:\Windows\{9C2335C8-F83C-4625-9429-688807B07FD1}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{FC7DDB4A-98B5-4b1a-B0BA-DEECEFBEC3BD}.exe
        
        C:\Windows\{FC7DDB4A-98B5-4b1a-B0BA-DEECEFBEC3BD}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Windows\{FF8EF158-1688-4a03-BAD8-0866D907E2BC}.exe
        
        C:\Windows\{FF8EF158-1688-4a03-BAD8-0866D907E2BC}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC7DD~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C233~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75E73~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E25C2~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0CFB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C27D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F71C3~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42DB1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45EFE~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6FE71~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{71F44~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CB31E4~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C27DA13-5A58-4817-BE13-A63586A2ACFE}.exe

Filesize
90KB

MD5
afc72c548c63d3fa6985496e802f5796

SHA1
efb6a648d01ec1b9c1318301ad13d592176041b5

SHA256
2ff806b97bc32113647340e553f02499cd611ddd2ced8329e74e30249961dd9b

SHA512
153db201a9e9f069eb4e612bc267c375e3a22c22093028d265e07af761d7a77d011dda0bed1202a7068fed795cbae88db2491e4d4bd34f1ce2a4aacbe3c03de2

Download Submit
C:\Windows\{42DB13F7-3D12-49be-A5BC-B8D68C6F5105}.exe

Filesize
90KB

MD5
8109fab03a53882d45a863dbde70446e

SHA1
baac19017ea7106f16c340e898457b8d57c9aedc

SHA256
eb7b79e352ace7148b5a6a0cfaf27baed5833f7386e8996f688257a730a322b9

SHA512
3714c7194d9ad6b41485a732226db55da210973fe832f9f6cb6f0c152f56516dd445720fe2b7d15839bc16ea34a684514aeee0033c2cc7003c5c6876c97170f2

Download Submit
C:\Windows\{45EFEED6-CAAC-4432-8D3F-BB422AAD6074}.exe

Filesize
90KB

MD5
8aac532d77376f9ee3ce2fad2bf429d3

SHA1
e0dcc3a591f898e3d201d5d7aac9426c5000cd63

SHA256
c8a3817f4df2b89c638561dd51d0c7099940a310787f99bd7f359acf7ea605f0

SHA512
a7d0984acd436db107c9ebe098e96f5b6f0e79dae51e3833cfbc56c7a461a75ee8e3846e1199650a6eff5c0e3774cd208229313de9d11730ebc0f6b1d3af0afc

Download Submit
C:\Windows\{6FE71546-333B-44ef-A4A9-94D4B58119DB}.exe

Filesize
90KB

MD5
633bd5d57391f9d4237b823aca997a94

SHA1
c7bda6ff80d1107beca51cbe4b8a80c375c146e1

SHA256
ba4a0ff890760f23bf2af4a87feae4442bcc00f9abe0d56ddd107cbc7cb12925

SHA512
49722084c3a45cf68a335c25098b7a5a737a68792ddefaf1fd81c09a9fba987c60cd9f7667f6d403ee2a84d9c7cccb7fc96faedf8b7c8b9e84053ff201de1e65

Download Submit
C:\Windows\{71F44783-00D3-4928-B200-F2C6C3D4CE90}.exe

Filesize
90KB

MD5
3b1827d677f5e4c60091a985d8daecc5

SHA1
910ec6f0d11275374542724e1e2b6369228e8132

SHA256
430922be8b3208a9bdacf82c336de28104d0cd250317bd5aeb0e5c2b840a61f8

SHA512
f861cfddad4182e8943aa01a2d790ba573386d30e5d65c1e50ec75d00c6c721e1d7d11c01c26a91a05bb321e9128a33be26fe5f1df155f1eb07497d0a3c3e58f

Download Submit
C:\Windows\{75E73F91-82AC-40be-A72F-1FED416DF9F5}.exe

Filesize
90KB

MD5
06e1ff943538c5d8d9ae7268efa53055

SHA1
38353248040a7f48511988f4fd579837f1f788a7

SHA256
cc031f2e02f8f2bb2e1fed13be6f067e041cf6600da56d39e1db6219ee332637

SHA512
b57da68472391ecae7c70214fef58f5c02112a8df3e423f4bf57b39e703a2900f67a4efa5c1ddc14edb68fe7abf76a8ab61f7be1d81332950010c9664d30de5e

Download Submit
C:\Windows\{9C2335C8-F83C-4625-9429-688807B07FD1}.exe

Filesize
90KB

MD5
bc74d10ed9a20fe9aae9655d687ec781

SHA1
ab4b6ec2fd8946ca56a7cfb31384a11aa9f98541

SHA256
c5c40b6f0409a65415cf857b586f0bccb4be5d1fc72476014f13161c6c725fc4

SHA512
b4565e36045c74ecc491ac3c9dc399e8615f439161c435e49368b9ba8c33950a9ff5deffa45dd39e893599e92bcec5d8cae2a57eed3fd40ce3a90b759c4d6de2

Download Submit
C:\Windows\{E25C2A83-9264-4a4d-894A-7BE0D8428925}.exe

Filesize
90KB

MD5
aa4ae6f6159a0325a2bc5204974fc473

SHA1
860b9d1f6ff3471b26967ca94b6d0df98beeee21

SHA256
aed091137a564f4a8305dd839dbff2e9ea2626db430998fa0068598901cb1d06

SHA512
ce2484ca1b990ed94242f1794f2ed952e1f23c853637858fca6d07689f74c2058c5d5eba40df15f924d97c2322adeffc3fe02e2203544067ff7dc1ed8469a431

Download Submit
C:\Windows\{F0CFB7B4-7576-4979-BBC7-7693FF4CC34E}.exe

Filesize
90KB

MD5
ecd94936ef1db5d913f8b0530798dfdf

SHA1
bbd7fbb2a63e8ba9a5223c03cc70351fad8392a5

SHA256
808f0af3e0805a8be92b6eb6ddcb296334836bfce2d192b37d0581845e39c22a

SHA512
9ec9087c8864dfbb958866ba5231e7b057ca8abf7667209a0137664ef078e654b3a5d6e91171272887b46c091729e520303d1d67bd6c69de27baf064e1fc7f53

Download Submit
C:\Windows\{F71C3AAD-B730-4363-A29A-D4CA6EBCEEE4}.exe

Filesize
90KB

MD5
3b7270285eac6c552ac0d30c02312cff

SHA1
af8ccb9562438b5e6c0d57038bac58787697c0b9

SHA256
5f32710053c5d8aff7dbf31485d339e2a20b9e085dbfbfe64bc745ce0e250598

SHA512
2432668457ef9b36ab469ae36237794aefa3d0e6bb697ac6cfa36a22da362f81707bdc4862969a81eac1fc2d8b318f7bba3620174926ffd83d1a63b0330a4bb6

Download Submit
C:\Windows\{FC7DDB4A-98B5-4b1a-B0BA-DEECEFBEC3BD}.exe

Filesize
90KB

MD5
859fd9d06266b48d921ef22e4618b666

SHA1
dad4de3592ebe8b0aa7c4fb7dbc01698bd092440

SHA256
1d234a155738138124c429ea63256b11622ada5690133b58e91d94db4426063b

SHA512
60ca44e5fa19c0c9ee410437a3730ff4a5b6090b26b821da6a746c50ffbd5451a482f4b33a5de608579307ae75c68750e6659f40d183f98de907e05ef7dfd68f

Download Submit
C:\Windows\{FF8EF158-1688-4a03-BAD8-0866D907E2BC}.exe

Filesize
90KB

MD5
99f038437dc7bf92f4169274856f9de2

SHA1
da926461ef9eb6e6226ccc4e96b9c1c7c4be67e9

SHA256
fc5a42ed2378ffe50b8ba02236753b4a8bff4c0b3f85480522f1cb35bce24d33

SHA512
34eeda0eed0bb340e4bf6a4d99aa730c053e8510b43d638cf6902f519913470251422d5014eae086da9a0dbd57b00a11d858341f4c4f5801cd36c597cba9817a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads