add9b007e113fab385191cd265e743a6720790241b050704f68c29bc9437850f

Analysis

max time kernel
118s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

add9b007e113fab385191cd265e743a6720790241b050704f68c29bc9437850fN.exe
Size

89KB
MD5

fcacc05eaf8ac32143c8e43ef0776480
SHA1

64dfe537b7086f2fa40225ee4c9622ea6fae3f3f
SHA256

add9b007e113fab385191cd265e743a6720790241b050704f68c29bc9437850f
SHA512

64daad46ce05dc3be99ec74c804701a40dbcac8343f7e0a3a8f35f6224beaa659d5894be09ab09538a3e4e6f72e165a8e6b060c3c782de7f4a7ddd60d556ee2e
SSDEEP

768:5vw9816thKQLrov4/wQkNrfrunMxVFA3k:lEG/0ovlbunMxVS3k

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}\stubpath = "C:\\Windows\\{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe"	{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{039808AC-595C-4e8d-9290-3C85ED870605}\stubpath = "C:\\Windows\\{039808AC-595C-4e8d-9290-3C85ED870605}.exe"	{529230BB-83AB-4095-BD57-717AE5F6A731}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{154023FD-07F7-47a0-B109-0B85BD3400D6}	{039808AC-595C-4e8d-9290-3C85ED870605}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBF36EFE-60DB-4d10-8EF8-4D5C19AA98AD}	{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBF36EFE-60DB-4d10-8EF8-4D5C19AA98AD}\stubpath = "C:\\Windows\\{CBF36EFE-60DB-4d10-8EF8-4D5C19AA98AD}.exe"	{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}	{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}	{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{154023FD-07F7-47a0-B109-0B85BD3400D6}\stubpath = "C:\\Windows\\{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe"	{039808AC-595C-4e8d-9290-3C85ED870605}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}\stubpath = "C:\\Windows\\{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe"	{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9157F22D-DBD6-4088-BD82-BC08B7538990}	add9b007e113fab385191cd265e743a6720790241b050704f68c29bc9437850fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{529230BB-83AB-4095-BD57-717AE5F6A731}	{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}	{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}\stubpath = "C:\\Windows\\{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe"	{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{529230BB-83AB-4095-BD57-717AE5F6A731}\stubpath = "C:\\Windows\\{529230BB-83AB-4095-BD57-717AE5F6A731}.exe"	{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87FB8FB3-630C-48d6-9883-005F6F36CC5D}	{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87FB8FB3-630C-48d6-9883-005F6F36CC5D}\stubpath = "C:\\Windows\\{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe"	{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9157F22D-DBD6-4088-BD82-BC08B7538990}\stubpath = "C:\\Windows\\{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe"	add9b007e113fab385191cd265e743a6720790241b050704f68c29bc9437850fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{039808AC-595C-4e8d-9290-3C85ED870605}	{529230BB-83AB-4095-BD57-717AE5F6A731}.exe

Executes dropped EXE 9 IoCs

pid	Process
4532	{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe
5092	{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe
5008	{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe
4064	{529230BB-83AB-4095-BD57-717AE5F6A731}.exe
3404	{039808AC-595C-4e8d-9290-3C85ED870605}.exe
4036	{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe
3764	{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe
816	{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe
3864	{CBF36EFE-60DB-4d10-8EF8-4D5C19AA98AD}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe	add9b007e113fab385191cd265e743a6720790241b050704f68c29bc9437850fN.exe
File created	C:\Windows\{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe	{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe
File created	C:\Windows\{039808AC-595C-4e8d-9290-3C85ED870605}.exe	{529230BB-83AB-4095-BD57-717AE5F6A731}.exe
File created	C:\Windows\{CBF36EFE-60DB-4d10-8EF8-4D5C19AA98AD}.exe	{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe
File created	C:\Windows\{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe	{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe
File created	C:\Windows\{529230BB-83AB-4095-BD57-717AE5F6A731}.exe	{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe
File created	C:\Windows\{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe	{039808AC-595C-4e8d-9290-3C85ED870605}.exe
File created	C:\Windows\{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe	{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe
File created	C:\Windows\{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe	{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{039808AC-595C-4e8d-9290-3C85ED870605}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CBF36EFE-60DB-4d10-8EF8-4D5C19AA98AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	add9b007e113fab385191cd265e743a6720790241b050704f68c29bc9437850fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{529230BB-83AB-4095-BD57-717AE5F6A731}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	408	add9b007e113fab385191cd265e743a6720790241b050704f68c29bc9437850fN.exe
Token: SeIncBasePriorityPrivilege	4532	{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe
Token: SeIncBasePriorityPrivilege	5092	{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe
Token: SeIncBasePriorityPrivilege	5008	{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe
Token: SeIncBasePriorityPrivilege	4064	{529230BB-83AB-4095-BD57-717AE5F6A731}.exe
Token: SeIncBasePriorityPrivilege	3404	{039808AC-595C-4e8d-9290-3C85ED870605}.exe
Token: SeIncBasePriorityPrivilege	4036	{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe
Token: SeIncBasePriorityPrivilege	3764	{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe
Token: SeIncBasePriorityPrivilege	816	{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 4532	408	add9b007e113fab385191cd265e743a6720790241b050704f68c29bc9437850fN.exe	89
PID 408 wrote to memory of 4532	408	add9b007e113fab385191cd265e743a6720790241b050704f68c29bc9437850fN.exe	89
PID 408 wrote to memory of 4532	408	add9b007e113fab385191cd265e743a6720790241b050704f68c29bc9437850fN.exe	89
PID 408 wrote to memory of 896	408	add9b007e113fab385191cd265e743a6720790241b050704f68c29bc9437850fN.exe	90
PID 408 wrote to memory of 896	408	add9b007e113fab385191cd265e743a6720790241b050704f68c29bc9437850fN.exe	90
PID 408 wrote to memory of 896	408	add9b007e113fab385191cd265e743a6720790241b050704f68c29bc9437850fN.exe	90
PID 4532 wrote to memory of 5092	4532	{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe	91
PID 4532 wrote to memory of 5092	4532	{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe	91
PID 4532 wrote to memory of 5092	4532	{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe	91
PID 4532 wrote to memory of 868	4532	{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe	92
PID 4532 wrote to memory of 868	4532	{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe	92
PID 4532 wrote to memory of 868	4532	{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe	92
PID 5092 wrote to memory of 5008	5092	{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe	95
PID 5092 wrote to memory of 5008	5092	{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe	95
PID 5092 wrote to memory of 5008	5092	{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe	95
PID 5092 wrote to memory of 4576	5092	{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe	96
PID 5092 wrote to memory of 4576	5092	{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe	96
PID 5092 wrote to memory of 4576	5092	{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe	96
PID 5008 wrote to memory of 4064	5008	{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe	97
PID 5008 wrote to memory of 4064	5008	{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe	97
PID 5008 wrote to memory of 4064	5008	{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe	97
PID 5008 wrote to memory of 5096	5008	{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe	98
PID 5008 wrote to memory of 5096	5008	{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe	98
PID 5008 wrote to memory of 5096	5008	{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe	98
PID 4064 wrote to memory of 3404	4064	{529230BB-83AB-4095-BD57-717AE5F6A731}.exe	99
PID 4064 wrote to memory of 3404	4064	{529230BB-83AB-4095-BD57-717AE5F6A731}.exe	99
PID 4064 wrote to memory of 3404	4064	{529230BB-83AB-4095-BD57-717AE5F6A731}.exe	99
PID 4064 wrote to memory of 4112	4064	{529230BB-83AB-4095-BD57-717AE5F6A731}.exe	100
PID 4064 wrote to memory of 4112	4064	{529230BB-83AB-4095-BD57-717AE5F6A731}.exe	100
PID 4064 wrote to memory of 4112	4064	{529230BB-83AB-4095-BD57-717AE5F6A731}.exe	100
PID 3404 wrote to memory of 4036	3404	{039808AC-595C-4e8d-9290-3C85ED870605}.exe	101
PID 3404 wrote to memory of 4036	3404	{039808AC-595C-4e8d-9290-3C85ED870605}.exe	101
PID 3404 wrote to memory of 4036	3404	{039808AC-595C-4e8d-9290-3C85ED870605}.exe	101
PID 3404 wrote to memory of 3952	3404	{039808AC-595C-4e8d-9290-3C85ED870605}.exe	102
PID 3404 wrote to memory of 3952	3404	{039808AC-595C-4e8d-9290-3C85ED870605}.exe	102
PID 3404 wrote to memory of 3952	3404	{039808AC-595C-4e8d-9290-3C85ED870605}.exe	102
PID 4036 wrote to memory of 3764	4036	{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe	103
PID 4036 wrote to memory of 3764	4036	{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe	103
PID 4036 wrote to memory of 3764	4036	{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe	103
PID 4036 wrote to memory of 5036	4036	{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe	104
PID 4036 wrote to memory of 5036	4036	{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe	104
PID 4036 wrote to memory of 5036	4036	{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe	104
PID 3764 wrote to memory of 816	3764	{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe	105
PID 3764 wrote to memory of 816	3764	{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe	105
PID 3764 wrote to memory of 816	3764	{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe	105
PID 3764 wrote to memory of 3984	3764	{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe	106
PID 3764 wrote to memory of 3984	3764	{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe	106
PID 3764 wrote to memory of 3984	3764	{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe	106
PID 816 wrote to memory of 3864	816	{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe	107
PID 816 wrote to memory of 3864	816	{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe	107
PID 816 wrote to memory of 3864	816	{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe	107
PID 816 wrote to memory of 1676	816	{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe	108
PID 816 wrote to memory of 1676	816	{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe	108
PID 816 wrote to memory of 1676	816	{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe	108

C:\Users\Admin\AppData\Local\Temp\add9b007e113fab385191cd265e743a6720790241b050704f68c29bc9437850fN.exe
"C:\Users\Admin\AppData\Local\Temp\add9b007e113fab385191cd265e743a6720790241b050704f68c29bc9437850fN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe
  C:\Windows\{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe
    C:\Windows\{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe
      C:\Windows\{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Windows\{529230BB-83AB-4095-BD57-717AE5F6A731}.exe
        
        C:\Windows\{529230BB-83AB-4095-BD57-717AE5F6A731}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4064
      - C:\Windows\{039808AC-595C-4e8d-9290-3C85ED870605}.exe
        
        C:\Windows\{039808AC-595C-4e8d-9290-3C85ED870605}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe
        
        C:\Windows\{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe
        
        C:\Windows\{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe
        
        C:\Windows\{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\{CBF36EFE-60DB-4d10-8EF8-4D5C19AA98AD}.exe
        
        C:\Windows\{CBF36EFE-60DB-4d10-8EF8-4D5C19AA98AD}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE554~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87FB8~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15402~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03980~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52923~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B1D1~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F5EEC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9157F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\ADD9B0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{039808AC-595C-4e8d-9290-3C85ED870605}.exe

Filesize
89KB

MD5
65c89531ba9848181044d1dd1ee47e37

SHA1
02ce3b8f3a0c4680ae6cb84c93062a93a01d0366

SHA256
942f99aea81465ba549877ca57095fc03164c28d373069d81d503e40abf96aef

SHA512
8fefc334f1a35ffe49c7a301cf5fe34d0e361b0fac30a59cde386c1af17b360e96820e632b6850e9b3f81a1b5d8cb822f71a3ad9e651a8983f47fa69fa38a10f

Download Submit
C:\Windows\{154023FD-07F7-47a0-B109-0B85BD3400D6}.exe

Filesize
89KB

MD5
fe66ac184e06b805f4d5849e6f04671d

SHA1
0bc2ad3e9cc4a1888c95cc016178b1f9aef0eb8f

SHA256
433a76815039e6441f51fc739ab83d6d69cd8cf92d3975624bd027628e827d7c

SHA512
23a871ab00b1b9f48c7e58baecda0720bbec6fac366a825cfd08ac34c45e6e5cf2ebf2d704dec9f24b89e58078b46e224205f91ad1a58f9e5782375b0d8a03d7

Download Submit
C:\Windows\{2B1D1143-77FC-4eb1-A95F-F3DC518574A5}.exe

Filesize
89KB

MD5
fbd3a859ec09ff571efbb8efa9039ae1

SHA1
287962aa04ca373a871bbab7a777f0b7db21e8eb

SHA256
3a2ebaf104446c4a61bd412c8a9b18484aee1dcdd4af43285ece9582b5828349

SHA512
58f4cd80b34b1e95d7de0112cdc342d7a659107b0329d9f091b4b73288dced6284c3df156491b5aeb0b4216f784d13d3d9b9e262c7f69857a2f0db83e0310ba6

Download Submit
C:\Windows\{529230BB-83AB-4095-BD57-717AE5F6A731}.exe

Filesize
89KB

MD5
29b1951f0db616c4dfbca50b937644ec

SHA1
dd629b5a6d7d29a73715c82c83e073ee9ead9dc1

SHA256
63bb886940952d8b933209d82f7893a602e812e899d529f6844626cf5dec2759

SHA512
76f346dda69d4e2a243c22ad7a3eae1427a19de817d74c56c5d92f2c569ec55e56cda6541f4e82335e4e4c653880eef983151473da02018765e5087853d84d4d

Download Submit
C:\Windows\{87FB8FB3-630C-48d6-9883-005F6F36CC5D}.exe

Filesize
89KB

MD5
95eef65d016a45579b6a55ea34e7e59d

SHA1
47014653116d5b0dfa606d2f68b06fa9202a5d57

SHA256
3ed6baf248d1241864d3fc20f325706cfa06fbd3cc684ae8d3f80d0c8fd85364

SHA512
22b5b3c17abb3bf8cebc350da3c87de52f070037f6a89ffb87030a3275794a34a72bab96add671c73abb57b1e3d7dabf91ffcb24fad903a87fab0356b5d34b0c

Download Submit
C:\Windows\{9157F22D-DBD6-4088-BD82-BC08B7538990}.exe

Filesize
89KB

MD5
dd8a4248b1794b6a36b2534c74048ecb

SHA1
4e1abf162858ddf2df33bfaf447b8a429f386f8e

SHA256
7ed6b31547c3c6e0184274c5a36628ed6cf2a402210682845af20b53e69f6cc8

SHA512
73772f9ef7f2ccaa2a4bf022f71501a66cb90f4e43bc7bf47590743b7ebd7b24618bd6ac783010617fa5d596475cd582688eac1c939491a58aca0525d981381b

Download Submit
C:\Windows\{CBF36EFE-60DB-4d10-8EF8-4D5C19AA98AD}.exe

Filesize
89KB

MD5
37ba4b99e13bdff33ffba19f5515beaf

SHA1
40fff72ba1ba0a694e5359f13c41e7a5d15a8a7e

SHA256
cd57a7da1ec2e35deb62619b871db2f05b7cdb65e6a76c32e75113697f655ec9

SHA512
469601d0620a4730978df589da0ff06a17054a2fa4b5c21014a6f5091d49731433d7c21493a3f5f9a04f5581e2c5369edd83a07ad23f1418c05ebfe4b8627436

Download Submit
C:\Windows\{F5EEC602-7A9C-4806-935A-0B3E3CCD4BD9}.exe

Filesize
89KB

MD5
121fdf3a7a76ccc7b9bed9f46e082dff

SHA1
adf29b5ed42cf0f1535cf71360fc49094a6c868a

SHA256
64227b4b4b6989ade7dbc617030639c850749813f2ae9086d24efaf7246b7eed

SHA512
b610a6103e92cb5f01dc2ba53c6646dc863dd74b564ed256d7855760e2f2c48fe9d53750cc53d324ea204cb08b729626198102c37a453817ffe2dabbbf8d4024

Download Submit
C:\Windows\{FE5547C6-A6D2-4a28-82E0-FEC147F75E97}.exe

Filesize
89KB

MD5
44dc8f722c2446cd3b9ca268246486fb

SHA1
c849b90cbfe361b8b788fead0edc9730599f3527

SHA256
5570d0e4f4b1e81304d8b81b45c730786b3e56a86a2e1fd3cc7eb3e63b323e67

SHA512
08f4968e45f4b5b1093ac366ae85a336780a89222650e442f797fe7926cbd18d3d1209159fc4a0b34fe28fa7e10ac70826a93a4833c70d7d9f21dc01d4def6e3

Download Submit
memory/408-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/408-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/408-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/816-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/816-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3404-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3404-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3764-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3764-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3864-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4036-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4036-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4064-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4532-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4532-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4532-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5008-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5008-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5092-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5092-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads