366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4e

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe
Size

80KB
MD5

122194ffd7c0dd1928e28efe103a3ba0
SHA1

202388f74fd3689e01cc357b0c87a0d88bf8cac7
SHA256

366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4e
SHA512

f0a40418469b618b8fbda0092841eb0558c57dc0e6298d533f31c43f77e4d85a163b2ff9ab4468e7bf8b86b6bb1a350939858d7f80dac7f7e46a3baf23dd355a
SSDEEP

768:evU9816vhKQLro4tVWhxf3nbcuyD7UuXCRINrfrunMxVFA3b7glwRjMlfwGxEI56:q4Gh0o4T0p3nouy8QbunMxVS3HgdoKjm

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB97329D-EB71-4fa4-926E-2407FC3DA65F}	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}\stubpath = "C:\\Windows\\{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe"	{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82705317-3FCA-4d37-8C14-BDA97A626789}\stubpath = "C:\\Windows\\{82705317-3FCA-4d37-8C14-BDA97A626789}.exe"	{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}\stubpath = "C:\\Windows\\{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe"	{82705317-3FCA-4d37-8C14-BDA97A626789}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}	{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}	{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F1019DD-16D5-49a8-84B9-75475F919E5D}	{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{501D1468-91DF-487d-8843-E038B5494158}\stubpath = "C:\\Windows\\{501D1468-91DF-487d-8843-E038B5494158}.exe"	{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CB37726-E1A4-4396-BDA1-E95515E9966B}	{501D1468-91DF-487d-8843-E038B5494158}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}\stubpath = "C:\\Windows\\{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe"	{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{501D1468-91DF-487d-8843-E038B5494158}	{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82705317-3FCA-4d37-8C14-BDA97A626789}	{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E95238EC-E104-45c6-B92E-B4DE9D507A4A}	{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB97329D-EB71-4fa4-926E-2407FC3DA65F}\stubpath = "C:\\Windows\\{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe"	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F1019DD-16D5-49a8-84B9-75475F919E5D}\stubpath = "C:\\Windows\\{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe"	{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CB37726-E1A4-4396-BDA1-E95515E9966B}\stubpath = "C:\\Windows\\{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe"	{501D1468-91DF-487d-8843-E038B5494158}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}	{82705317-3FCA-4d37-8C14-BDA97A626789}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E95238EC-E104-45c6-B92E-B4DE9D507A4A}\stubpath = "C:\\Windows\\{E95238EC-E104-45c6-B92E-B4DE9D507A4A}.exe"	{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe

Executes dropped EXE 9 IoCs

pid	Process
1236	{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe
3968	{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe
2856	{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe
4076	{501D1468-91DF-487d-8843-E038B5494158}.exe
3052	{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe
3596	{82705317-3FCA-4d37-8C14-BDA97A626789}.exe
4532	{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe
3264	{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe
1252	{E95238EC-E104-45c6-B92E-B4DE9D507A4A}.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1376-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1376-1-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1236-5-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000700000002362d-3.dat	upx
behavioral2/memory/1376-7-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1236-8-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0008000000023621-11.dat	upx
behavioral2/memory/3968-14-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1236-12-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3968-15-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0008000000023634-16.dat	upx
behavioral2/memory/2856-21-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3968-20-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2856-26-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4076-27-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0009000000023621-25.dat	upx
behavioral2/memory/4076-28-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4076-32-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3052-33-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0011000000020196-31.dat	upx
behavioral2/memory/3052-35-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3052-39-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3596-40-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0002000000021cea-38.dat	upx
behavioral2/memory/3596-42-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4532-47-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0012000000020196-46.dat	upx
behavioral2/memory/3596-45-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4532-49-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x00050000000004e7-52.dat	upx
behavioral2/memory/3264-55-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4532-54-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3264-56-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x00030000000006df-59.dat	upx
behavioral2/memory/1252-62-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3264-61-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe
File created	C:\Windows\{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe	{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe
File created	C:\Windows\{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe	{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe
File created	C:\Windows\{501D1468-91DF-487d-8843-E038B5494158}.exe	{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe
File created	C:\Windows\{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe	{501D1468-91DF-487d-8843-E038B5494158}.exe
File created	C:\Windows\{E95238EC-E104-45c6-B92E-B4DE9D507A4A}.exe	{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe
File created	C:\Windows\{82705317-3FCA-4d37-8C14-BDA97A626789}.exe	{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe
File created	C:\Windows\{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe	{82705317-3FCA-4d37-8C14-BDA97A626789}.exe
File created	C:\Windows\{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe	{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E95238EC-E104-45c6-B92E-B4DE9D507A4A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{501D1468-91DF-487d-8843-E038B5494158}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{82705317-3FCA-4d37-8C14-BDA97A626789}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1376	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe
Token: SeIncBasePriorityPrivilege	1236	{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe
Token: SeIncBasePriorityPrivilege	3968	{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe
Token: SeIncBasePriorityPrivilege	2856	{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe
Token: SeIncBasePriorityPrivilege	4076	{501D1468-91DF-487d-8843-E038B5494158}.exe
Token: SeIncBasePriorityPrivilege	3052	{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe
Token: SeIncBasePriorityPrivilege	3596	{82705317-3FCA-4d37-8C14-BDA97A626789}.exe
Token: SeIncBasePriorityPrivilege	4532	{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe
Token: SeIncBasePriorityPrivilege	3264	{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1236	1376	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe	97
PID 1376 wrote to memory of 1236	1376	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe	97
PID 1376 wrote to memory of 1236	1376	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe	97
PID 1376 wrote to memory of 1088	1376	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe	98
PID 1376 wrote to memory of 1088	1376	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe	98
PID 1376 wrote to memory of 1088	1376	366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe	98
PID 1236 wrote to memory of 3968	1236	{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe	99
PID 1236 wrote to memory of 3968	1236	{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe	99
PID 1236 wrote to memory of 3968	1236	{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe	99
PID 1236 wrote to memory of 1332	1236	{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe	100
PID 1236 wrote to memory of 1332	1236	{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe	100
PID 1236 wrote to memory of 1332	1236	{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe	100
PID 3968 wrote to memory of 2856	3968	{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe	103
PID 3968 wrote to memory of 2856	3968	{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe	103
PID 3968 wrote to memory of 2856	3968	{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe	103
PID 3968 wrote to memory of 4488	3968	{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe	104
PID 3968 wrote to memory of 4488	3968	{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe	104
PID 3968 wrote to memory of 4488	3968	{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe	104
PID 2856 wrote to memory of 4076	2856	{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe	105
PID 2856 wrote to memory of 4076	2856	{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe	105
PID 2856 wrote to memory of 4076	2856	{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe	105
PID 2856 wrote to memory of 4992	2856	{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe	106
PID 2856 wrote to memory of 4992	2856	{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe	106
PID 2856 wrote to memory of 4992	2856	{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe	106
PID 4076 wrote to memory of 3052	4076	{501D1468-91DF-487d-8843-E038B5494158}.exe	107
PID 4076 wrote to memory of 3052	4076	{501D1468-91DF-487d-8843-E038B5494158}.exe	107
PID 4076 wrote to memory of 3052	4076	{501D1468-91DF-487d-8843-E038B5494158}.exe	107
PID 4076 wrote to memory of 3688	4076	{501D1468-91DF-487d-8843-E038B5494158}.exe	108
PID 4076 wrote to memory of 3688	4076	{501D1468-91DF-487d-8843-E038B5494158}.exe	108
PID 4076 wrote to memory of 3688	4076	{501D1468-91DF-487d-8843-E038B5494158}.exe	108
PID 3052 wrote to memory of 3596	3052	{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe	109
PID 3052 wrote to memory of 3596	3052	{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe	109
PID 3052 wrote to memory of 3596	3052	{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe	109
PID 3052 wrote to memory of 5076	3052	{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe	110
PID 3052 wrote to memory of 5076	3052	{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe	110
PID 3052 wrote to memory of 5076	3052	{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe	110
PID 3596 wrote to memory of 4532	3596	{82705317-3FCA-4d37-8C14-BDA97A626789}.exe	111
PID 3596 wrote to memory of 4532	3596	{82705317-3FCA-4d37-8C14-BDA97A626789}.exe	111
PID 3596 wrote to memory of 4532	3596	{82705317-3FCA-4d37-8C14-BDA97A626789}.exe	111
PID 3596 wrote to memory of 1732	3596	{82705317-3FCA-4d37-8C14-BDA97A626789}.exe	112
PID 3596 wrote to memory of 1732	3596	{82705317-3FCA-4d37-8C14-BDA97A626789}.exe	112
PID 3596 wrote to memory of 1732	3596	{82705317-3FCA-4d37-8C14-BDA97A626789}.exe	112
PID 4532 wrote to memory of 3264	4532	{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe	113
PID 4532 wrote to memory of 3264	4532	{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe	113
PID 4532 wrote to memory of 3264	4532	{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe	113
PID 4532 wrote to memory of 4168	4532	{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe	114
PID 4532 wrote to memory of 4168	4532	{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe	114
PID 4532 wrote to memory of 4168	4532	{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe	114
PID 3264 wrote to memory of 1252	3264	{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe	115
PID 3264 wrote to memory of 1252	3264	{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe	115
PID 3264 wrote to memory of 1252	3264	{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe	115
PID 3264 wrote to memory of 1384	3264	{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe	116
PID 3264 wrote to memory of 1384	3264	{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe	116
PID 3264 wrote to memory of 1384	3264	{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe	116

C:\Users\Admin\AppData\Local\Temp\366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe
"C:\Users\Admin\AppData\Local\Temp\366e59dbab18c4d6dca959c4d267adcec3dd9c1815dcc33b86aa4c4df7a6bd4eN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe
  C:\Windows\{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe
    C:\Windows\{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe
      C:\Windows\{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\{501D1468-91DF-487d-8843-E038B5494158}.exe
        
        C:\Windows\{501D1468-91DF-487d-8843-E038B5494158}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
      - C:\Windows\{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe
        
        C:\Windows\{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\{82705317-3FCA-4d37-8C14-BDA97A626789}.exe
        
        C:\Windows\{82705317-3FCA-4d37-8C14-BDA97A626789}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe
        
        C:\Windows\{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe
        
        C:\Windows\{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\{E95238EC-E104-45c6-B92E-B4DE9D507A4A}.exe
        
        C:\Windows\{E95238EC-E104-45c6-B92E-B4DE9D507A4A}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4ADC7~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C605B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82705~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CB37~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{501D1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F101~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7E745~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BB973~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\366E59~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4ADC77BB-8388-4f60-9051-15AC8FC69FD3}.exe

Filesize
80KB

MD5
931a3358ccd72b6ab55894a1bf7c09ef

SHA1
020235eff8de36652710a3d4298f1a2a701ad8df

SHA256
0ac4434b0518c0cb9e87bee61101d788e5717d3775ef37f6b27330d44767cf36

SHA512
5d0d0491f06f97120fec6296a228c10d27c446ffd527ceb044a2d2053ffbf06f6c2fbd7ccd2bebf3e2447b67a43d5c13f7753b78227eda9742fe94c0d2a16178

Download Submit
C:\Windows\{501D1468-91DF-487d-8843-E038B5494158}.exe

Filesize
80KB

MD5
d90300041d0e4a5341625fe9ca877c7d

SHA1
21b629c1c161415f65d935761e3413b0e69b0f5f

SHA256
0956eb2f1f429adc6887c11cf5763f32430299ac76a23ee191b4227734ebd3f7

SHA512
6571ac22201446e7ee688e781f8271747759af293291e19cf92cc30528dbebecec065a8b527531f56f3c8d414fadcfe3273d0daea0084f6d6ee1cd5e9342274d

Download Submit
C:\Windows\{6CB37726-E1A4-4396-BDA1-E95515E9966B}.exe

Filesize
80KB

MD5
6419fac87845e89723243325267de5a8

SHA1
7aa4c12b9ec9fb897e064394ce9c1c1a654c7da4

SHA256
f51cb14a8ee21b1646d4f5151f25c4a25254d787b4f69da86320fe8615d2bbd7

SHA512
28c280afec66ab03b4cbc8b0b3b24ba018637565b7adad30ba4295bd35d2d12d510022e0ff4c833f2aab019efcb217f0c250f346be3ca52bf5045c54bf401ae0

Download Submit
C:\Windows\{6F1019DD-16D5-49a8-84B9-75475F919E5D}.exe

Filesize
80KB

MD5
e992fbae4ad66870c35c17c8678096c3

SHA1
5ebf21d1a5cc93c5eca8405c600400a671a12284

SHA256
9a249d04f7d1f6dcc8d4b94b7725cdd57c1cb24a9f6e245b71cf0576a23b47ce

SHA512
386043f8cfd05643cacbaf1c7f944be6b35cfd9ca9279656a5a48a534ba2746e71904ad9136c84ca94f5d4653ad28991be2ab0d29952dd688efbede7080d4d25

Download Submit
C:\Windows\{7E7450D4-5324-40ef-85A2-FA3CC0E7F772}.exe

Filesize
80KB

MD5
174417e7a3c721128865ec8ec9b23d4f

SHA1
4dc7ec351ed44422198b93fd2f784a2a4c6acbb6

SHA256
8dc5bfe2b8e609fb346a3cd61c5e4c3e4510567b8a710c2ba7de7fa12a7793fb

SHA512
6b7bd5d3fd717a8d9b28d81aa523439acf6a7a47216c165470bf269f032b86256a377d3e5d822adc14c775117a3ad313668bd4a618cd7e0749b3863a65b55d74

Download Submit
C:\Windows\{82705317-3FCA-4d37-8C14-BDA97A626789}.exe

Filesize
80KB

MD5
d638124d33f062bae2d10b8f82e07f47

SHA1
3d8839fea1802c82041a127d62e264e67492a610

SHA256
de4a56af0d1324b225a22d02aa4dff87406b4f21e94377c883b43b62f13dfd91

SHA512
a17f219020cc8d9e55a4d9b26d576075816dad65015aaa0f5ff675d03b121e265fc3ec6939177c4d6e2efc0323582b694a297cd2b1cd28ec42505d26ba0ffb63

Download Submit
C:\Windows\{BB97329D-EB71-4fa4-926E-2407FC3DA65F}.exe

Filesize
80KB

MD5
96cb1c5e32c2a507e2267fea0ffdde4a

SHA1
4444e85c9bb634de52d80d77db43632d69977afc

SHA256
cbd932785d7dc2dd7b342f43b94bcf2a3c0da5c3018dd4bdb11e60b1d277bc89

SHA512
f4bbb86a8632410106084560a35517480e1c0b56c117b15ba3fb6314c438198c736b304dc2c374b70e41d036f58dffd3ca0924fb05dd3c48fa5dec0ff4022193

Download Submit
C:\Windows\{C605B3BA-A2E1-4bdc-91AF-80B6DBF8D5F2}.exe

Filesize
80KB

MD5
3f61e563f0610c8c69c486f374391242

SHA1
54a4c30cfa8334f6fbcf33855481fb6075701dd6

SHA256
f469ec2938d15034085b537d91aaa14f0417cb3c7a8ec984c157d9f4a579485d

SHA512
6cf1d1bfce9fe4b8bfb20b8624d6165fee40ca78d810874021ebe688bc22be499d569cb7ffefe23fe3871f746612dee135194b5d39e1d403fcb9963a785ff45d

Download Submit
C:\Windows\{E95238EC-E104-45c6-B92E-B4DE9D507A4A}.exe

Filesize
80KB

MD5
b529c310968b46484da308ca88b2b705

SHA1
3ecdbfe2280fa21e3425c56e62add0a23fce7b6c

SHA256
093c06b06a5d020b3da5347c13dbf3821ce76a5e1b84ea3f299a1bb676cba696

SHA512
d842494763d9426cee0ed813e5a90acaed23fbbd4c81b72720bd32b54587fca1c7b4f838482a78edc1046f46863015e9810737ec6040538701220308221e8d26

Download Submit
memory/1236-12-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1236-8-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1236-5-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1252-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1376-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1376-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1376-7-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2856-21-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2856-26-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3052-33-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3052-35-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3052-39-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3264-55-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3264-56-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3264-61-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3596-45-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3596-42-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3596-40-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3968-20-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3968-15-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3968-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4076-32-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4076-28-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4076-27-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4532-47-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4532-49-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4532-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads