366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4e

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe
Size

80KB
MD5

122194ffd7c0dd1928e28efe103a3ba0
SHA1

202388f74fd3689e01cc357b0c87a0d88bf8cac7
SHA256

366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4e
SHA512

f0a40418469b618b8fbda0092841eb0558c57dc0e6298d533f31c43f77e4d85a163b2ff9ab4468e7bf8b86b6bb1a350939858d7f80dac7f7e46a3baf23dd355a
SSDEEP

768:evU9816vhKQLro4tVWhxf3nbcuyD7UuXCRINrfrunMxVFA3b7glwRjMlfwGxEI56:q4Gh0o4T0p3nouy8QbunMxVS3HgdoKjm

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72B44418-F3C6-4494-A195-48413D1E49F5}\stubpath = "C:\\Windows\\{72B44418-F3C6-4494-A195-48413D1E49F5}.exe"	{37AC0925-8CC7-41ab-949A-0A949B739973}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84CD6E46-0752-4d51-8D95-4280B859502F}	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF678ACA-E20C-4b9a-8F2C-629641545A49}	{84CD6E46-0752-4d51-8D95-4280B859502F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF678ACA-E20C-4b9a-8F2C-629641545A49}\stubpath = "C:\\Windows\\{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe"	{84CD6E46-0752-4d51-8D95-4280B859502F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}\stubpath = "C:\\Windows\\{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe"	{72B44418-F3C6-4494-A195-48413D1E49F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{744041A6-F5C1-4f00-BC63-4B92EBD9B0D7}	{C255E6A9-0704-45bc-BE08-47BA8B0B57C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{744041A6-F5C1-4f00-BC63-4B92EBD9B0D7}\stubpath = "C:\\Windows\\{744041A6-F5C1-4f00-BC63-4B92EBD9B0D7}.exe"	{C255E6A9-0704-45bc-BE08-47BA8B0B57C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B085E7D-8083-4b53-A4AE-476587904746}	{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37AC0925-8CC7-41ab-949A-0A949B739973}\stubpath = "C:\\Windows\\{37AC0925-8CC7-41ab-949A-0A949B739973}.exe"	{8B085E7D-8083-4b53-A4AE-476587904746}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}	{72B44418-F3C6-4494-A195-48413D1E49F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C255E6A9-0704-45bc-BE08-47BA8B0B57C9}	{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C255E6A9-0704-45bc-BE08-47BA8B0B57C9}\stubpath = "C:\\Windows\\{C255E6A9-0704-45bc-BE08-47BA8B0B57C9}.exe"	{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84CD6E46-0752-4d51-8D95-4280B859502F}\stubpath = "C:\\Windows\\{84CD6E46-0752-4d51-8D95-4280B859502F}.exe"	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B085E7D-8083-4b53-A4AE-476587904746}\stubpath = "C:\\Windows\\{8B085E7D-8083-4b53-A4AE-476587904746}.exe"	{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72B44418-F3C6-4494-A195-48413D1E49F5}	{37AC0925-8CC7-41ab-949A-0A949B739973}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37AC0925-8CC7-41ab-949A-0A949B739973}	{8B085E7D-8083-4b53-A4AE-476587904746}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}	{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}\stubpath = "C:\\Windows\\{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe"	{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe

Deletes itself 1 IoCs

pid	Process
3028	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1080	{84CD6E46-0752-4d51-8D95-4280B859502F}.exe
2692	{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe
2868	{8B085E7D-8083-4b53-A4AE-476587904746}.exe
2548	{37AC0925-8CC7-41ab-949A-0A949B739973}.exe
372	{72B44418-F3C6-4494-A195-48413D1E49F5}.exe
596	{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe
1276	{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe
2508	{C255E6A9-0704-45bc-BE08-47BA8B0B57C9}.exe
3044	{744041A6-F5C1-4f00-BC63-4B92EBD9B0D7}.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2872-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2872-1-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2872-4-0x00000000002A0000-0x00000000002B3000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-7.dat	upx
behavioral1/memory/1080-10-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2872-9-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1080-19-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000c00000001227e-20.dat	upx
behavioral1/memory/2692-21-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2692-22-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-30.dat	upx
behavioral1/memory/2692-29-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2868-31-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2868-39-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000d00000001227e-40.dat	upx
behavioral1/memory/2868-35-0x0000000001C20000-0x0000000001C33000-memory.dmp	upx
behavioral1/memory/2548-41-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2548-49-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0006000000004ed7-50.dat	upx
behavioral1/memory/2548-45-0x00000000003E0000-0x00000000003F3000-memory.dmp	upx
behavioral1/memory/372-51-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/372-55-0x00000000003A0000-0x00000000003B3000-memory.dmp	upx
behavioral1/memory/372-59-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000e00000001227e-60.dat	upx
behavioral1/memory/596-61-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0007000000004ed7-68.dat	upx
behavioral1/memory/596-71-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1276-70-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1276-72-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1276-75-0x00000000003E0000-0x00000000003F3000-memory.dmp	upx
behavioral1/files/0x000f00000001227e-80.dat	upx
behavioral1/memory/1276-81-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2508-82-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2508-85-0x0000000000360000-0x0000000000373000-memory.dmp	upx
behavioral1/files/0x0008000000004ed7-90.dat	upx
behavioral1/memory/2508-91-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{37AC0925-8CC7-41ab-949A-0A949B739973}.exe	{8B085E7D-8083-4b53-A4AE-476587904746}.exe
File created	C:\Windows\{72B44418-F3C6-4494-A195-48413D1E49F5}.exe	{37AC0925-8CC7-41ab-949A-0A949B739973}.exe
File created	C:\Windows\{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe	{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe
File created	C:\Windows\{C255E6A9-0704-45bc-BE08-47BA8B0B57C9}.exe	{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe
File created	C:\Windows\{84CD6E46-0752-4d51-8D95-4280B859502F}.exe	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe
File created	C:\Windows\{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe	{84CD6E46-0752-4d51-8D95-4280B859502F}.exe
File created	C:\Windows\{8B085E7D-8083-4b53-A4AE-476587904746}.exe	{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe
File created	C:\Windows\{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe	{72B44418-F3C6-4494-A195-48413D1E49F5}.exe
File created	C:\Windows\{744041A6-F5C1-4f00-BC63-4B92EBD9B0D7}.exe	{C255E6A9-0704-45bc-BE08-47BA8B0B57C9}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{84CD6E46-0752-4d51-8D95-4280B859502F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72B44418-F3C6-4494-A195-48413D1E49F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C255E6A9-0704-45bc-BE08-47BA8B0B57C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B085E7D-8083-4b53-A4AE-476587904746}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{37AC0925-8CC7-41ab-949A-0A949B739973}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{744041A6-F5C1-4f00-BC63-4B92EBD9B0D7}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2872	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe
Token: SeIncBasePriorityPrivilege	1080	{84CD6E46-0752-4d51-8D95-4280B859502F}.exe
Token: SeIncBasePriorityPrivilege	2692	{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe
Token: SeIncBasePriorityPrivilege	2868	{8B085E7D-8083-4b53-A4AE-476587904746}.exe
Token: SeIncBasePriorityPrivilege	2548	{37AC0925-8CC7-41ab-949A-0A949B739973}.exe
Token: SeIncBasePriorityPrivilege	372	{72B44418-F3C6-4494-A195-48413D1E49F5}.exe
Token: SeIncBasePriorityPrivilege	596	{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe
Token: SeIncBasePriorityPrivilege	1276	{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe
Token: SeIncBasePriorityPrivilege	2508	{C255E6A9-0704-45bc-BE08-47BA8B0B57C9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 1080	2872	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe	31
PID 2872 wrote to memory of 1080	2872	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe	31
PID 2872 wrote to memory of 1080	2872	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe	31
PID 2872 wrote to memory of 1080	2872	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe	31
PID 2872 wrote to memory of 3028	2872	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe	32
PID 2872 wrote to memory of 3028	2872	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe	32
PID 2872 wrote to memory of 3028	2872	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe	32
PID 2872 wrote to memory of 3028	2872	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe	32
PID 1080 wrote to memory of 2692	1080	{84CD6E46-0752-4d51-8D95-4280B859502F}.exe	33
PID 1080 wrote to memory of 2692	1080	{84CD6E46-0752-4d51-8D95-4280B859502F}.exe	33
PID 1080 wrote to memory of 2692	1080	{84CD6E46-0752-4d51-8D95-4280B859502F}.exe	33
PID 1080 wrote to memory of 2692	1080	{84CD6E46-0752-4d51-8D95-4280B859502F}.exe	33
PID 1080 wrote to memory of 2824	1080	{84CD6E46-0752-4d51-8D95-4280B859502F}.exe	34
PID 1080 wrote to memory of 2824	1080	{84CD6E46-0752-4d51-8D95-4280B859502F}.exe	34
PID 1080 wrote to memory of 2824	1080	{84CD6E46-0752-4d51-8D95-4280B859502F}.exe	34
PID 1080 wrote to memory of 2824	1080	{84CD6E46-0752-4d51-8D95-4280B859502F}.exe	34
PID 2692 wrote to memory of 2868	2692	{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe	35
PID 2692 wrote to memory of 2868	2692	{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe	35
PID 2692 wrote to memory of 2868	2692	{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe	35
PID 2692 wrote to memory of 2868	2692	{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe	35
PID 2692 wrote to memory of 2880	2692	{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe	36
PID 2692 wrote to memory of 2880	2692	{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe	36
PID 2692 wrote to memory of 2880	2692	{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe	36
PID 2692 wrote to memory of 2880	2692	{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe	36
PID 2868 wrote to memory of 2548	2868	{8B085E7D-8083-4b53-A4AE-476587904746}.exe	37
PID 2868 wrote to memory of 2548	2868	{8B085E7D-8083-4b53-A4AE-476587904746}.exe	37
PID 2868 wrote to memory of 2548	2868	{8B085E7D-8083-4b53-A4AE-476587904746}.exe	37
PID 2868 wrote to memory of 2548	2868	{8B085E7D-8083-4b53-A4AE-476587904746}.exe	37
PID 2868 wrote to memory of 2608	2868	{8B085E7D-8083-4b53-A4AE-476587904746}.exe	38
PID 2868 wrote to memory of 2608	2868	{8B085E7D-8083-4b53-A4AE-476587904746}.exe	38
PID 2868 wrote to memory of 2608	2868	{8B085E7D-8083-4b53-A4AE-476587904746}.exe	38
PID 2868 wrote to memory of 2608	2868	{8B085E7D-8083-4b53-A4AE-476587904746}.exe	38
PID 2548 wrote to memory of 372	2548	{37AC0925-8CC7-41ab-949A-0A949B739973}.exe	39
PID 2548 wrote to memory of 372	2548	{37AC0925-8CC7-41ab-949A-0A949B739973}.exe	39
PID 2548 wrote to memory of 372	2548	{37AC0925-8CC7-41ab-949A-0A949B739973}.exe	39
PID 2548 wrote to memory of 372	2548	{37AC0925-8CC7-41ab-949A-0A949B739973}.exe	39
PID 2548 wrote to memory of 1732	2548	{37AC0925-8CC7-41ab-949A-0A949B739973}.exe	40
PID 2548 wrote to memory of 1732	2548	{37AC0925-8CC7-41ab-949A-0A949B739973}.exe	40
PID 2548 wrote to memory of 1732	2548	{37AC0925-8CC7-41ab-949A-0A949B739973}.exe	40
PID 2548 wrote to memory of 1732	2548	{37AC0925-8CC7-41ab-949A-0A949B739973}.exe	40
PID 372 wrote to memory of 596	372	{72B44418-F3C6-4494-A195-48413D1E49F5}.exe	41
PID 372 wrote to memory of 596	372	{72B44418-F3C6-4494-A195-48413D1E49F5}.exe	41
PID 372 wrote to memory of 596	372	{72B44418-F3C6-4494-A195-48413D1E49F5}.exe	41
PID 372 wrote to memory of 596	372	{72B44418-F3C6-4494-A195-48413D1E49F5}.exe	41
PID 372 wrote to memory of 1996	372	{72B44418-F3C6-4494-A195-48413D1E49F5}.exe	42
PID 372 wrote to memory of 1996	372	{72B44418-F3C6-4494-A195-48413D1E49F5}.exe	42
PID 372 wrote to memory of 1996	372	{72B44418-F3C6-4494-A195-48413D1E49F5}.exe	42
PID 372 wrote to memory of 1996	372	{72B44418-F3C6-4494-A195-48413D1E49F5}.exe	42
PID 596 wrote to memory of 1276	596	{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe	44
PID 596 wrote to memory of 1276	596	{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe	44
PID 596 wrote to memory of 1276	596	{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe	44
PID 596 wrote to memory of 1276	596	{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe	44
PID 596 wrote to memory of 1856	596	{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe	45
PID 596 wrote to memory of 1856	596	{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe	45
PID 596 wrote to memory of 1856	596	{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe	45
PID 596 wrote to memory of 1856	596	{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe	45
PID 1276 wrote to memory of 2508	1276	{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe	46
PID 1276 wrote to memory of 2508	1276	{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe	46
PID 1276 wrote to memory of 2508	1276	{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe	46
PID 1276 wrote to memory of 2508	1276	{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe	46
PID 1276 wrote to memory of 676	1276	{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe	47
PID 1276 wrote to memory of 676	1276	{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe	47
PID 1276 wrote to memory of 676	1276	{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe	47
PID 1276 wrote to memory of 676	1276	{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe	47

C:\Users\Admin\AppData\Local\Temp\366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe
"C:\Users\Admin\AppData\Local\Temp\366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\{84CD6E46-0752-4d51-8D95-4280B859502F}.exe
  C:\Windows\{84CD6E46-0752-4d51-8D95-4280B859502F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe
    C:\Windows\{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\{8B085E7D-8083-4b53-A4AE-476587904746}.exe
      C:\Windows\{8B085E7D-8083-4b53-A4AE-476587904746}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\{37AC0925-8CC7-41ab-949A-0A949B739973}.exe
        
        C:\Windows\{37AC0925-8CC7-41ab-949A-0A949B739973}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\{72B44418-F3C6-4494-A195-48413D1E49F5}.exe
        
        C:\Windows\{72B44418-F3C6-4494-A195-48413D1E49F5}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe
        
        C:\Windows\{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Windows\{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe
        
        C:\Windows\{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\{C255E6A9-0704-45bc-BE08-47BA8B0B57C9}.exe
        
        C:\Windows\{C255E6A9-0704-45bc-BE08-47BA8B0B57C9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\{744041A6-F5C1-4f00-BC63-4B92EBD9B0D7}.exe
        
        C:\Windows\{744041A6-F5C1-4f00-BC63-4B92EBD9B0D7}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C255E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34B9F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5EF4~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72B44~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37AC0~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B085~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BF678~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{84CD6~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\366E59~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{34B9F8D2-8B5A-4d21-9C92-0DEB836034E0}.exe

Filesize
80KB

MD5
ef82e34653cb4ad645517a574d47903c

SHA1
91dc66da65376d2a52ae46c17a18bcbfdfbdfa8c

SHA256
7bb079fbd15fb53e490688d77d6d33a0c2fba5878a88a0a7e9caee2a63cbe8a5

SHA512
4cb64acf54b7b87e2608060109b022faf2a80ff00344a844b324edd6ae048dd5523e8450f98d82abd46c854ba308b7aa16d8a10bb64c5a499b8b9a9d0e38debb

Download Submit
C:\Windows\{37AC0925-8CC7-41ab-949A-0A949B739973}.exe

Filesize
80KB

MD5
118bcc89978fea23044bd35d930934e9

SHA1
271af4a5673f03f94c53e12fafc74439427f4453

SHA256
5b9525f00d16e70a0f7b916c9c6d138e27d4020cb8d029ce3ed731f3d2f26a68

SHA512
0cc011b61c2e9c4e5fd058d5aa56baf07c2d26b5149565e5acac2f2c385168bad1134aee52cb711f7d4e99db227ad7312200836e602d2931730bc967d65bb855

Download Submit
C:\Windows\{72B44418-F3C6-4494-A195-48413D1E49F5}.exe

Filesize
80KB

MD5
f1c26da133adaf2adfe6beb7c239459f

SHA1
ff02d544bcde6863e0e7a5d137c0dbd8ffe9a692

SHA256
b6f654ce2b62fd088ccc4e0419cda2d01bb373d0285a2cf765163dddbfb823f9

SHA512
e27675c57618560afc0cfe7a9208691e4e57ea0e67745bb93e878cc1d7a7128b4b23b5c8557e7267bd4c4322b8c5a3e7b017407d4985a35a313aa3836163b403

Download Submit
C:\Windows\{744041A6-F5C1-4f00-BC63-4B92EBD9B0D7}.exe

Filesize
80KB

MD5
19bb9838a079ec23588c929dd1eb7cb8

SHA1
bbe793c9f54f4fe5976d092fe4fd639d55d57271

SHA256
81952974a3149536de3925ead4b0a3bec2b161757de172da04cd0693892da70d

SHA512
5ae84d63ae4e16cc550460238a3529afbc3c39c9153d954c2122aa72a8dc7eaa0abd0758aa8e405bae44937a706a47cfd61204cd9d87d4333cda87d04b7f8969

Download Submit
C:\Windows\{84CD6E46-0752-4d51-8D95-4280B859502F}.exe

Filesize
80KB

MD5
0804bbcd6afeaf269c5d7220b8db141c

SHA1
8150ef6f721d15ef0922d7fbd4125c2fdd9d09cb

SHA256
b06b9931de40830b3548f47c661266a07f1ce1719549b156dbe7725ce94fb82b

SHA512
412b17ec0e0a154e87d87ec6bd82f48b6ccf948774efa1de381bacc0add93e92a16bcf87d56334ed262f6ec8a1c8911c5de0c73c14d4a53bde0245fbd0accff1

Download Submit
C:\Windows\{8B085E7D-8083-4b53-A4AE-476587904746}.exe

Filesize
80KB

MD5
570a81815927706612b55596f7642275

SHA1
8aceb114b83792cc74a16e636dedbd4fdb9b5038

SHA256
4edfad25ea5041af84faaf2f11ad3b4a0366046f00bc6d6106f70ae46fb09562

SHA512
3147dd8defa0e5662ffce25badb808809727616a648550ff939c203bc931b006aa1c6e8f5af9dff04a707eb5f9a3ef9707f3854d42d3672e69606176b96a0406

Download Submit
C:\Windows\{BF678ACA-E20C-4b9a-8F2C-629641545A49}.exe

Filesize
80KB

MD5
7640f0b51eca55a38f5921410842ba10

SHA1
2a38e4063e00ff0f1d421a9e56040fec1bf781d3

SHA256
50f594e0db64a36b5b601d8fa7c27e87bc1eaf4f880ea7825fe9f9524717682e

SHA512
bf3594b9112a0e5f570e325a8ca3b86cc723e2bd34deef0e03c5a7553a34dd9ab632a93d3138257acb7f589a24312b5eaf33efb46b7614d6b5f283c1a075ebe7

Download Submit
C:\Windows\{C255E6A9-0704-45bc-BE08-47BA8B0B57C9}.exe

Filesize
80KB

MD5
d97df65da2f511eb028840302d3a4c1c

SHA1
2d88316e56f6c1c1d6edc004343c927f368c43a1

SHA256
645ddb22004d8678e00f43926a1489c84eaadffdd458c1b033a9c47e19f0cb71

SHA512
624b205b41773271e376ea03bc19b9a9225461dac3202bfa13cff1f850203d26d25b787cf02976dba03664ff046e555350f699edada81b51ae4d467921a0a3b4

Download Submit
C:\Windows\{E5EF4EF9-9BEF-4a24-AD31-77426C4EC834}.exe

Filesize
80KB

MD5
beb60057f0d2ffb57bf75826e237440b

SHA1
36cb3d1fd7e7f95e611369989c1fd6c6f73f45ee

SHA256
46e714e1247ef562db741c36506a54401b95c014b2af22256536b2a0c4ab2063

SHA512
762e6b0eabd4172ad71bd186ab096e24d5f429b96a23ea7e2d84cefefa46ae9807cf7980255d356050060531f84608ed00c246512421d2d4a5b9bbf85a07240e

Download Submit
memory/372-55-0x00000000003A0000-0x00000000003B3000-memory.dmp

Filesize
76KB

Download
memory/372-51-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/372-59-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/596-61-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/596-71-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/596-69-0x00000000002A0000-0x00000000002B3000-memory.dmp

Filesize
76KB

Download
memory/1080-19-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1080-17-0x00000000003B0000-0x00000000003C3000-memory.dmp

Filesize
76KB

Download
memory/1080-18-0x00000000003B0000-0x00000000003C3000-memory.dmp

Filesize
76KB

Download
memory/1080-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1276-72-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1276-75-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download
memory/1276-70-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1276-81-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2508-82-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2508-85-0x0000000000360000-0x0000000000373000-memory.dmp

Filesize
76KB

Download
memory/2508-91-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2548-41-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2548-45-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download
memory/2548-49-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2692-29-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2692-22-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2692-21-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2868-35-0x0000000001C20000-0x0000000001C33000-memory.dmp

Filesize
76KB

Download
memory/2868-39-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2868-31-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2872-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2872-9-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2872-4-0x00000000002A0000-0x00000000002B3000-memory.dmp

Filesize
76KB

Download
memory/2872-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads