f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe
Size

79KB
MD5

d4d3e9c0ccf1e6fbdc820e4b2b53a2ed
SHA1

511e44b9928870f6626b5a16b8cb709235c298fc
SHA256

f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2
SHA512

e2913092e573703fd8265a2a666b5b2afc901d34373ec43f6217ca40a3dced0d917433ed573adf9a08abb4cf27d6614c1080fba3dca887390d9fa20199187bec
SSDEEP

768:4vw9816vhKQLroD4/wQpWMZ3XOQ69zbjlAAX5e9zz:wEGh0oDloWMZ3izbR9Xwzz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}\stubpath = "C:\\Windows\\{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe"	f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06DA679D-D071-452e-96D0-F460C7AC907E}	{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6938806B-BB02-49f3-958B-68A98B2F4FAB}\stubpath = "C:\\Windows\\{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe"	{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{347A1696-E651-434c-B255-658A314D0B4B}	{845B98AB-8F41-421a-840E-63320B26A17A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDE311BD-2034-46b8-A18E-9901D4B01CEE}	{347A1696-E651-434c-B255-658A314D0B4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06DA679D-D071-452e-96D0-F460C7AC907E}\stubpath = "C:\\Windows\\{06DA679D-D071-452e-96D0-F460C7AC907E}.exe"	{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ED60267-0B36-4217-9FD5-86F9731548FC}	{06DA679D-D071-452e-96D0-F460C7AC907E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ED60267-0B36-4217-9FD5-86F9731548FC}\stubpath = "C:\\Windows\\{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe"	{06DA679D-D071-452e-96D0-F460C7AC907E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACBE1426-DF8E-4536-B9F9-B525A9660402}	{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACBE1426-DF8E-4536-B9F9-B525A9660402}\stubpath = "C:\\Windows\\{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe"	{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{845B98AB-8F41-421a-840E-63320B26A17A}	{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{845B98AB-8F41-421a-840E-63320B26A17A}\stubpath = "C:\\Windows\\{845B98AB-8F41-421a-840E-63320B26A17A}.exe"	{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{347A1696-E651-434c-B255-658A314D0B4B}\stubpath = "C:\\Windows\\{347A1696-E651-434c-B255-658A314D0B4B}.exe"	{845B98AB-8F41-421a-840E-63320B26A17A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDE311BD-2034-46b8-A18E-9901D4B01CEE}\stubpath = "C:\\Windows\\{DDE311BD-2034-46b8-A18E-9901D4B01CEE}.exe"	{347A1696-E651-434c-B255-658A314D0B4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}	f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{188953A8-4028-46ac-BF9A-51F3166894A6}	{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{188953A8-4028-46ac-BF9A-51F3166894A6}\stubpath = "C:\\Windows\\{188953A8-4028-46ac-BF9A-51F3166894A6}.exe"	{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEB88FFE-8733-4b21-B253-FFC0D4F1D0B0}	{DDE311BD-2034-46b8-A18E-9901D4B01CEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6938806B-BB02-49f3-958B-68A98B2F4FAB}	{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}	{188953A8-4028-46ac-BF9A-51F3166894A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}\stubpath = "C:\\Windows\\{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe"	{188953A8-4028-46ac-BF9A-51F3166894A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{063446E4-CF09-4bee-BEFB-986F64229D2D}	{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{063446E4-CF09-4bee-BEFB-986F64229D2D}\stubpath = "C:\\Windows\\{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe"	{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEB88FFE-8733-4b21-B253-FFC0D4F1D0B0}\stubpath = "C:\\Windows\\{EEB88FFE-8733-4b21-B253-FFC0D4F1D0B0}.exe"	{DDE311BD-2034-46b8-A18E-9901D4B01CEE}.exe

Executes dropped EXE 12 IoCs

pid	Process
3964	{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe
3836	{06DA679D-D071-452e-96D0-F460C7AC907E}.exe
5092	{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe
4700	{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe
3932	{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe
3648	{188953A8-4028-46ac-BF9A-51F3166894A6}.exe
1792	{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe
1632	{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe
4912	{845B98AB-8F41-421a-840E-63320B26A17A}.exe
952	{347A1696-E651-434c-B255-658A314D0B4B}.exe
2288	{DDE311BD-2034-46b8-A18E-9901D4B01CEE}.exe
4648	{EEB88FFE-8733-4b21-B253-FFC0D4F1D0B0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DDE311BD-2034-46b8-A18E-9901D4B01CEE}.exe	{347A1696-E651-434c-B255-658A314D0B4B}.exe
File created	C:\Windows\{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe	f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe
File created	C:\Windows\{06DA679D-D071-452e-96D0-F460C7AC907E}.exe	{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe
File created	C:\Windows\{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe	{06DA679D-D071-452e-96D0-F460C7AC907E}.exe
File created	C:\Windows\{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe	{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe
File created	C:\Windows\{845B98AB-8F41-421a-840E-63320B26A17A}.exe	{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe
File created	C:\Windows\{347A1696-E651-434c-B255-658A314D0B4B}.exe	{845B98AB-8F41-421a-840E-63320B26A17A}.exe
File created	C:\Windows\{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe	{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe
File created	C:\Windows\{188953A8-4028-46ac-BF9A-51F3166894A6}.exe	{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe
File created	C:\Windows\{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe	{188953A8-4028-46ac-BF9A-51F3166894A6}.exe
File created	C:\Windows\{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe	{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe
File created	C:\Windows\{EEB88FFE-8733-4b21-B253-FFC0D4F1D0B0}.exe	{DDE311BD-2034-46b8-A18E-9901D4B01CEE}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{188953A8-4028-46ac-BF9A-51F3166894A6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{06DA679D-D071-452e-96D0-F460C7AC907E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{845B98AB-8F41-421a-840E-63320B26A17A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DDE311BD-2034-46b8-A18E-9901D4B01CEE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EEB88FFE-8733-4b21-B253-FFC0D4F1D0B0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{347A1696-E651-434c-B255-658A314D0B4B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1672	f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe
Token: SeIncBasePriorityPrivilege	3964	{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe
Token: SeIncBasePriorityPrivilege	3836	{06DA679D-D071-452e-96D0-F460C7AC907E}.exe
Token: SeIncBasePriorityPrivilege	5092	{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe
Token: SeIncBasePriorityPrivilege	4700	{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe
Token: SeIncBasePriorityPrivilege	3932	{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe
Token: SeIncBasePriorityPrivilege	3648	{188953A8-4028-46ac-BF9A-51F3166894A6}.exe
Token: SeIncBasePriorityPrivilege	1792	{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe
Token: SeIncBasePriorityPrivilege	1632	{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe
Token: SeIncBasePriorityPrivilege	4912	{845B98AB-8F41-421a-840E-63320B26A17A}.exe
Token: SeIncBasePriorityPrivilege	952	{347A1696-E651-434c-B255-658A314D0B4B}.exe
Token: SeIncBasePriorityPrivilege	2288	{DDE311BD-2034-46b8-A18E-9901D4B01CEE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 3964	1672	f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe	89
PID 1672 wrote to memory of 3964	1672	f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe	89
PID 1672 wrote to memory of 3964	1672	f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe	89
PID 1672 wrote to memory of 5024	1672	f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe	90
PID 1672 wrote to memory of 5024	1672	f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe	90
PID 1672 wrote to memory of 5024	1672	f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe	90
PID 3964 wrote to memory of 3836	3964	{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe	91
PID 3964 wrote to memory of 3836	3964	{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe	91
PID 3964 wrote to memory of 3836	3964	{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe	91
PID 3964 wrote to memory of 1948	3964	{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe	92
PID 3964 wrote to memory of 1948	3964	{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe	92
PID 3964 wrote to memory of 1948	3964	{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe	92
PID 3836 wrote to memory of 5092	3836	{06DA679D-D071-452e-96D0-F460C7AC907E}.exe	95
PID 3836 wrote to memory of 5092	3836	{06DA679D-D071-452e-96D0-F460C7AC907E}.exe	95
PID 3836 wrote to memory of 5092	3836	{06DA679D-D071-452e-96D0-F460C7AC907E}.exe	95
PID 3836 wrote to memory of 4228	3836	{06DA679D-D071-452e-96D0-F460C7AC907E}.exe	96
PID 3836 wrote to memory of 4228	3836	{06DA679D-D071-452e-96D0-F460C7AC907E}.exe	96
PID 3836 wrote to memory of 4228	3836	{06DA679D-D071-452e-96D0-F460C7AC907E}.exe	96
PID 5092 wrote to memory of 4700	5092	{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe	97
PID 5092 wrote to memory of 4700	5092	{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe	97
PID 5092 wrote to memory of 4700	5092	{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe	97
PID 5092 wrote to memory of 1988	5092	{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe	98
PID 5092 wrote to memory of 1988	5092	{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe	98
PID 5092 wrote to memory of 1988	5092	{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe	98
PID 4700 wrote to memory of 3932	4700	{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe	99
PID 4700 wrote to memory of 3932	4700	{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe	99
PID 4700 wrote to memory of 3932	4700	{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe	99
PID 4700 wrote to memory of 4532	4700	{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe	100
PID 4700 wrote to memory of 4532	4700	{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe	100
PID 4700 wrote to memory of 4532	4700	{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe	100
PID 3932 wrote to memory of 3648	3932	{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe	101
PID 3932 wrote to memory of 3648	3932	{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe	101
PID 3932 wrote to memory of 3648	3932	{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe	101
PID 3932 wrote to memory of 1484	3932	{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe	102
PID 3932 wrote to memory of 1484	3932	{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe	102
PID 3932 wrote to memory of 1484	3932	{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe	102
PID 3648 wrote to memory of 1792	3648	{188953A8-4028-46ac-BF9A-51F3166894A6}.exe	103
PID 3648 wrote to memory of 1792	3648	{188953A8-4028-46ac-BF9A-51F3166894A6}.exe	103
PID 3648 wrote to memory of 1792	3648	{188953A8-4028-46ac-BF9A-51F3166894A6}.exe	103
PID 3648 wrote to memory of 3580	3648	{188953A8-4028-46ac-BF9A-51F3166894A6}.exe	104
PID 3648 wrote to memory of 3580	3648	{188953A8-4028-46ac-BF9A-51F3166894A6}.exe	104
PID 3648 wrote to memory of 3580	3648	{188953A8-4028-46ac-BF9A-51F3166894A6}.exe	104
PID 1792 wrote to memory of 1632	1792	{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe	105
PID 1792 wrote to memory of 1632	1792	{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe	105
PID 1792 wrote to memory of 1632	1792	{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe	105
PID 1792 wrote to memory of 4512	1792	{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe	106
PID 1792 wrote to memory of 4512	1792	{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe	106
PID 1792 wrote to memory of 4512	1792	{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe	106
PID 1632 wrote to memory of 4912	1632	{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe	107
PID 1632 wrote to memory of 4912	1632	{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe	107
PID 1632 wrote to memory of 4912	1632	{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe	107
PID 1632 wrote to memory of 4356	1632	{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe	108
PID 1632 wrote to memory of 4356	1632	{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe	108
PID 1632 wrote to memory of 4356	1632	{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe	108
PID 4912 wrote to memory of 952	4912	{845B98AB-8F41-421a-840E-63320B26A17A}.exe	109
PID 4912 wrote to memory of 952	4912	{845B98AB-8F41-421a-840E-63320B26A17A}.exe	109
PID 4912 wrote to memory of 952	4912	{845B98AB-8F41-421a-840E-63320B26A17A}.exe	109
PID 4912 wrote to memory of 412	4912	{845B98AB-8F41-421a-840E-63320B26A17A}.exe	110
PID 4912 wrote to memory of 412	4912	{845B98AB-8F41-421a-840E-63320B26A17A}.exe	110
PID 4912 wrote to memory of 412	4912	{845B98AB-8F41-421a-840E-63320B26A17A}.exe	110
PID 952 wrote to memory of 2288	952	{347A1696-E651-434c-B255-658A314D0B4B}.exe	111
PID 952 wrote to memory of 2288	952	{347A1696-E651-434c-B255-658A314D0B4B}.exe	111
PID 952 wrote to memory of 2288	952	{347A1696-E651-434c-B255-658A314D0B4B}.exe	111
PID 952 wrote to memory of 4876	952	{347A1696-E651-434c-B255-658A314D0B4B}.exe	112

C:\Users\Admin\AppData\Local\Temp\f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe
"C:\Users\Admin\AppData\Local\Temp\f0a949956d7fad8b3b73d84bd63b3a71a35d44e8900d7df3de42dbc116fcd1e2.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe
  C:\Windows\{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\{06DA679D-D071-452e-96D0-F460C7AC907E}.exe
    C:\Windows\{06DA679D-D071-452e-96D0-F460C7AC907E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Windows\{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe
      C:\Windows\{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe
        
        C:\Windows\{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4700
      - C:\Windows\{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe
        
        C:\Windows\{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\{188953A8-4028-46ac-BF9A-51F3166894A6}.exe
        
        C:\Windows\{188953A8-4028-46ac-BF9A-51F3166894A6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe
        
        C:\Windows\{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe
        
        C:\Windows\{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\{845B98AB-8F41-421a-840E-63320B26A17A}.exe
        
        C:\Windows\{845B98AB-8F41-421a-840E-63320B26A17A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\{347A1696-E651-434c-B255-658A314D0B4B}.exe
        
        C:\Windows\{347A1696-E651-434c-B255-658A314D0B4B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\{DDE311BD-2034-46b8-A18E-9901D4B01CEE}.exe
        
        C:\Windows\{DDE311BD-2034-46b8-A18E-9901D4B01CEE}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\{EEB88FFE-8733-4b21-B253-FFC0D4F1D0B0}.exe
        
        C:\Windows\{EEB88FFE-8733-4b21-B253-FFC0D4F1D0B0}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDE31~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{347A1~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{845B9~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06344~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21ABA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18895~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69388~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACBE1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4532
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2ED60~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{06DA6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7D15B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F0A949~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{063446E4-CF09-4bee-BEFB-986F64229D2D}.exe

Filesize
79KB

MD5
244d043a1dfd9b18b39d68c9140bfbc5

SHA1
75d230ec432a22fd4119d4fc1b92789dfe8abfdd

SHA256
4048dcbbe65a437a8f4debad6227494d4d63063f287cf7434af11de5246a1a19

SHA512
b49034f71159ee2ab022a3b0af442d34fd7aff83e9ce9334dc7120d273429b21e50e13f8018c2d46bef7bee2c5e21a5693928fe7c23d5ef72823824ffb9c2729

Download Submit
C:\Windows\{06DA679D-D071-452e-96D0-F460C7AC907E}.exe

Filesize
79KB

MD5
cc8df57d2cb6fb06dd32c3944fec4c8a

SHA1
6c6f75cb3339466961dc2162e10d1cf38849c1ce

SHA256
3c2e8b053480357fa151bb5b3df9ac475eda949b89f3903dd507da869fa3e180

SHA512
6edfed82a9156ff5eb8978bec944cb5a86d59666ab2e48d5b7f935444c88e186ba300e5d5de40a1818b03225cd342fdcde70772dec278073d264c697c9220b33

Download Submit
C:\Windows\{188953A8-4028-46ac-BF9A-51F3166894A6}.exe

Filesize
79KB

MD5
295c3dfe01eab6a03dc32b7d948c27d8

SHA1
75df6cfdb80f47c84df2001daeb861ff61286431

SHA256
44678d7f253629fbb39e6da405503cc1e2853557fc7e522e05729f9bbdcaad4d

SHA512
72e277e0587204e0c21ecb70a1baaf1f213c87675f5f05de38c936adaf4f980bb105bd835281809989b732417fb4c9f5b630a251c3d518835be1cb2a8aaa46da

Download Submit
C:\Windows\{21ABAC17-6BDE-48c9-ADB2-AD7A2F670DEB}.exe

Filesize
79KB

MD5
98ee8584e8f48aa4548d3c3711f02c5b

SHA1
32d12f980e5484f4166f30c3917b09c7d11ea792

SHA256
28b62928f9d9a06c4642fa38b271a033412c4d1e902c96de78d0ef925737070c

SHA512
dc4a01b537774fe59fa1f40eceb7b32ac0a237bee396ac84c2bd53855ed48794be67e1ba1a169342629e36af3ab71ced1cd64c15450bffe8730d4b0e22a5415a

Download Submit
C:\Windows\{2ED60267-0B36-4217-9FD5-86F9731548FC}.exe

Filesize
79KB

MD5
db74eb385735e2e97fb5449c3fc6bdef

SHA1
99f338cfe7d4cf39530df654583c0c769ded4dc8

SHA256
7bd469f6bb7d4b059851fdd0308a0aa40379baae79277cbee70df49d75a549a4

SHA512
6988c0ff934d1d5ed88bcc0a2cfbc33c93b9bf7ce826bdf14c2232dd6728af2abc017da94db8ef7eb83a19ab12cf18dc99c8c93e5b3546697a29f0dd3839fd46

Download Submit
C:\Windows\{347A1696-E651-434c-B255-658A314D0B4B}.exe

Filesize
79KB

MD5
5f7012caecf01f26b7b2264e1830f006

SHA1
b7317df63735643303116654d25987617001ab05

SHA256
48e942e78a98d0c96a6c6c761277198678afb4176046f25cc9a9078d8b71c4c3

SHA512
dfe5ee2420cc902fe9d3776650da991832f0a90cb6f453a1a0f788ee90e1b85078a07156ca5c2f0b8f6284b2c0e223552213c29651a5a621750e19a00e71c71c

Download Submit
C:\Windows\{6938806B-BB02-49f3-958B-68A98B2F4FAB}.exe

Filesize
79KB

MD5
5f3ed9e894d02a51a9a4d0742454e810

SHA1
3d4f09745c7c5bd48560c23564fbd3029b388fcf

SHA256
533d63e9e08f193e5a2af1e0588a88dd1f5f82b2567c4316e395aaf8202a1abf

SHA512
8357563eb848d2f4b2d513b77c46786a9f255a4012de49900ae44193b89e283487412a343bc0082c14b216249bc59d2706c0be2190d74f07008824a0229d3700

Download Submit
C:\Windows\{7D15BC42-BBC4-4e08-BC7C-B1EC719D2A1F}.exe

Filesize
79KB

MD5
59c21ff51608899b65ecc24bc83cc975

SHA1
cf5295f49be7d52bb947138e4c074201e745cd1c

SHA256
28a70daa5e7ef08a1f362b6c0f16a52f240baa076989827e3b9acd923503de82

SHA512
86fcf84344ffeb7521247685d618475bb4323451bd81150a990c14e3fffac3dd89193f9e095d435583b5e06545620c2f6ee3062524ea2424b3785c2bc6578cb6

Download Submit
C:\Windows\{845B98AB-8F41-421a-840E-63320B26A17A}.exe

Filesize
79KB

MD5
9ba073a93166357a784396d78ae4af88

SHA1
f04f9e174d1bdc2a1bddbc266642589fe8b69a83

SHA256
5119077bc29377b920c2f5d6e63fe1368ca62099c75d2252a21258c953db7489

SHA512
a66c9f9224a994636e92955e18dbdb99bc33377a6373c68a17843f4e244dd9f532dca02c586650e4079998fd0a02b2f00067bcc6bb2ff694ab710e5449532f47

Download Submit
C:\Windows\{ACBE1426-DF8E-4536-B9F9-B525A9660402}.exe

Filesize
79KB

MD5
255677b68d4388c2027e5eda30fdd2eb

SHA1
d67b4e616e4e23847dc0678f753e4b4b1facfeea

SHA256
141f837382728cf247d0b08812d43b63541810fc8c4bb1657547991e473a31aa

SHA512
8aa8d86c209b700b5e89d79a7d48a8d3f126d2382142bf5a05d898ed4510aa2f2790a43331217c46a2092e77dac4d0598e60aaf76335f47c996ada24aa6b3516

Download Submit
C:\Windows\{DDE311BD-2034-46b8-A18E-9901D4B01CEE}.exe

Filesize
79KB

MD5
ac1c1e7f41de171434ad86f3dcc7c2b0

SHA1
7478fd379dd63a851f5680d5a83453c8531a6615

SHA256
0ce58a8a47a79790268016cf5a4476f3a934e8f478b09873a4687b0e961059c7

SHA512
49df0fe619953cd5740c2848dbf76b09ead73fba7e6a25a0cb7b62664994c86a05ec0954604e9659e9e79c3d40a77ad77e7aaada0693cbb06c79796d6fd2508b

Download Submit
C:\Windows\{EEB88FFE-8733-4b21-B253-FFC0D4F1D0B0}.exe

Filesize
79KB

MD5
a55da6f3279421bcc0fb1e34dd57d61d

SHA1
163cfcddd79d82fb5bf0481f1faad5eb0d478e17

SHA256
e630d1e872681d11ea6f94520a257568c6390544bffb368519f2be970b57a11f

SHA512
a648ad2d0274be44c7aaa6ea948db61505106ed282dfb29b4c41159f2205e6c09face9754a128318d01d5d549257aa8e8cfd329fd558286e5a8a3edbd72304e7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads