7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9f

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9fN.exe
Size

90KB
MD5

42de156d06f627d52495f19fe577a8d0
SHA1

fe5f8ea217a4f41c6606f1f3285bf6485ad2c123
SHA256

7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9f
SHA512

454b65e67a78a5be89bfe84e348dae2644aa9cc3641eaffbeff4c44bf0354107926430b29635ddcb99448439246d44dcf01b1295050b0952062e33ff3404d420
SSDEEP

768:Qvw9816vhKQLro04/wQRNrfrunMxVFA3b7glw:YEGh0o0l2unMxVS3Hg

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}	{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}\stubpath = "C:\\Windows\\{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe"	{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54B25483-026F-4f8c-AA62-E6EB17CD6612}\stubpath = "C:\\Windows\\{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe"	{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}\stubpath = "C:\\Windows\\{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe"	{DE84068F-99DC-4d89-B130-1023044AD358}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E35F9050-F76F-4b57-A55A-20644B5C36A3}	7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}\stubpath = "C:\\Windows\\{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe"	{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54B25483-026F-4f8c-AA62-E6EB17CD6612}	{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE84068F-99DC-4d89-B130-1023044AD358}\stubpath = "C:\\Windows\\{DE84068F-99DC-4d89-B130-1023044AD358}.exe"	{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6878AD0B-9401-4e70-95F8-47F2E36E6168}\stubpath = "C:\\Windows\\{6878AD0B-9401-4e70-95F8-47F2E36E6168}.exe"	{A9DEF19C-1A49-4862-8B51-AD0F11FABF07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E35F9050-F76F-4b57-A55A-20644B5C36A3}\stubpath = "C:\\Windows\\{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe"	7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}	{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}	{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE84068F-99DC-4d89-B130-1023044AD358}	{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}	{DE84068F-99DC-4d89-B130-1023044AD358}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9DEF19C-1A49-4862-8B51-AD0F11FABF07}\stubpath = "C:\\Windows\\{A9DEF19C-1A49-4862-8B51-AD0F11FABF07}.exe"	{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6878AD0B-9401-4e70-95F8-47F2E36E6168}	{A9DEF19C-1A49-4862-8B51-AD0F11FABF07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}\stubpath = "C:\\Windows\\{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe"	{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9DEF19C-1A49-4862-8B51-AD0F11FABF07}	{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe

Deletes itself 1 IoCs

pid	Process
1148	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2332	{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe
2764	{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe
2972	{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe
2792	{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe
3044	{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe
812	{DE84068F-99DC-4d89-B130-1023044AD358}.exe
1824	{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe
1160	{A9DEF19C-1A49-4862-8B51-AD0F11FABF07}.exe
2808	{6878AD0B-9401-4e70-95F8-47F2E36E6168}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe	{DE84068F-99DC-4d89-B130-1023044AD358}.exe
File created	C:\Windows\{A9DEF19C-1A49-4862-8B51-AD0F11FABF07}.exe	{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe
File created	C:\Windows\{6878AD0B-9401-4e70-95F8-47F2E36E6168}.exe	{A9DEF19C-1A49-4862-8B51-AD0F11FABF07}.exe
File created	C:\Windows\{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe	{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe
File created	C:\Windows\{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe	{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe
File created	C:\Windows\{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe	{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe
File created	C:\Windows\{DE84068F-99DC-4d89-B130-1023044AD358}.exe	{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe
File created	C:\Windows\{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe	7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9fN.exe
File created	C:\Windows\{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe	{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DE84068F-99DC-4d89-B130-1023044AD358}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6878AD0B-9401-4e70-95F8-47F2E36E6168}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9DEF19C-1A49-4862-8B51-AD0F11FABF07}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2128	7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9fN.exe
Token: SeIncBasePriorityPrivilege	2332	{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe
Token: SeIncBasePriorityPrivilege	2764	{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe
Token: SeIncBasePriorityPrivilege	2972	{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe
Token: SeIncBasePriorityPrivilege	2792	{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe
Token: SeIncBasePriorityPrivilege	3044	{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe
Token: SeIncBasePriorityPrivilege	812	{DE84068F-99DC-4d89-B130-1023044AD358}.exe
Token: SeIncBasePriorityPrivilege	1824	{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe
Token: SeIncBasePriorityPrivilege	1160	{A9DEF19C-1A49-4862-8B51-AD0F11FABF07}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2332	2128	7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9fN.exe	31
PID 2128 wrote to memory of 2332	2128	7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9fN.exe	31
PID 2128 wrote to memory of 2332	2128	7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9fN.exe	31
PID 2128 wrote to memory of 2332	2128	7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9fN.exe	31
PID 2128 wrote to memory of 1148	2128	7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9fN.exe	32
PID 2128 wrote to memory of 1148	2128	7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9fN.exe	32
PID 2128 wrote to memory of 1148	2128	7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9fN.exe	32
PID 2128 wrote to memory of 1148	2128	7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9fN.exe	32
PID 2332 wrote to memory of 2764	2332	{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe	33
PID 2332 wrote to memory of 2764	2332	{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe	33
PID 2332 wrote to memory of 2764	2332	{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe	33
PID 2332 wrote to memory of 2764	2332	{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe	33
PID 2332 wrote to memory of 2852	2332	{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe	34
PID 2332 wrote to memory of 2852	2332	{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe	34
PID 2332 wrote to memory of 2852	2332	{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe	34
PID 2332 wrote to memory of 2852	2332	{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe	34
PID 2764 wrote to memory of 2972	2764	{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe	35
PID 2764 wrote to memory of 2972	2764	{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe	35
PID 2764 wrote to memory of 2972	2764	{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe	35
PID 2764 wrote to memory of 2972	2764	{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe	35
PID 2764 wrote to memory of 2876	2764	{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe	36
PID 2764 wrote to memory of 2876	2764	{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe	36
PID 2764 wrote to memory of 2876	2764	{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe	36
PID 2764 wrote to memory of 2876	2764	{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe	36
PID 2972 wrote to memory of 2792	2972	{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe	37
PID 2972 wrote to memory of 2792	2972	{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe	37
PID 2972 wrote to memory of 2792	2972	{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe	37
PID 2972 wrote to memory of 2792	2972	{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe	37
PID 2972 wrote to memory of 1748	2972	{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe	38
PID 2972 wrote to memory of 1748	2972	{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe	38
PID 2972 wrote to memory of 1748	2972	{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe	38
PID 2972 wrote to memory of 1748	2972	{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe	38
PID 2792 wrote to memory of 3044	2792	{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe	39
PID 2792 wrote to memory of 3044	2792	{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe	39
PID 2792 wrote to memory of 3044	2792	{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe	39
PID 2792 wrote to memory of 3044	2792	{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe	39
PID 2792 wrote to memory of 1984	2792	{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe	40
PID 2792 wrote to memory of 1984	2792	{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe	40
PID 2792 wrote to memory of 1984	2792	{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe	40
PID 2792 wrote to memory of 1984	2792	{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe	40
PID 3044 wrote to memory of 812	3044	{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe	41
PID 3044 wrote to memory of 812	3044	{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe	41
PID 3044 wrote to memory of 812	3044	{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe	41
PID 3044 wrote to memory of 812	3044	{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe	41
PID 3044 wrote to memory of 2864	3044	{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe	42
PID 3044 wrote to memory of 2864	3044	{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe	42
PID 3044 wrote to memory of 2864	3044	{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe	42
PID 3044 wrote to memory of 2864	3044	{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe	42
PID 812 wrote to memory of 1824	812	{DE84068F-99DC-4d89-B130-1023044AD358}.exe	43
PID 812 wrote to memory of 1824	812	{DE84068F-99DC-4d89-B130-1023044AD358}.exe	43
PID 812 wrote to memory of 1824	812	{DE84068F-99DC-4d89-B130-1023044AD358}.exe	43
PID 812 wrote to memory of 1824	812	{DE84068F-99DC-4d89-B130-1023044AD358}.exe	43
PID 812 wrote to memory of 1680	812	{DE84068F-99DC-4d89-B130-1023044AD358}.exe	44
PID 812 wrote to memory of 1680	812	{DE84068F-99DC-4d89-B130-1023044AD358}.exe	44
PID 812 wrote to memory of 1680	812	{DE84068F-99DC-4d89-B130-1023044AD358}.exe	44
PID 812 wrote to memory of 1680	812	{DE84068F-99DC-4d89-B130-1023044AD358}.exe	44
PID 1824 wrote to memory of 1160	1824	{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe	45
PID 1824 wrote to memory of 1160	1824	{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe	45
PID 1824 wrote to memory of 1160	1824	{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe	45
PID 1824 wrote to memory of 1160	1824	{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe	45
PID 1824 wrote to memory of 2040	1824	{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe	46
PID 1824 wrote to memory of 2040	1824	{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe	46
PID 1824 wrote to memory of 2040	1824	{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe	46
PID 1824 wrote to memory of 2040	1824	{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe	46

C:\Users\Admin\AppData\Local\Temp\7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9fN.exe
"C:\Users\Admin\AppData\Local\Temp\7bba1b2da24f61a88efe08a155162640cbb1c3ed3f8d2fc5de1cbc0703dc3d9fN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe
  C:\Windows\{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe
    C:\Windows\{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe
      C:\Windows\{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe
        
        C:\Windows\{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe
        
        C:\Windows\{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\{DE84068F-99DC-4d89-B130-1023044AD358}.exe
        
        C:\Windows\{DE84068F-99DC-4d89-B130-1023044AD358}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe
        
        C:\Windows\{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{A9DEF19C-1A49-4862-8B51-AD0F11FABF07}.exe
        
        C:\Windows\{A9DEF19C-1A49-4862-8B51-AD0F11FABF07}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\{6878AD0B-9401-4e70-95F8-47F2E36E6168}.exe
        
        C:\Windows\{6878AD0B-9401-4e70-95F8-47F2E36E6168}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9DEF~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AB92~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE840~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54B25~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4D2E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53F0F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{15FD7~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E35F9~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7BBA1B~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15FD7A17-BFD8-40b7-A943-D88171F0DFAE}.exe

Filesize
90KB

MD5
a17b1043f03499361495517325448676

SHA1
3ea33ac7d6835410808394be4e820e636e6d7477

SHA256
20444e327a31f32c3bfeaae2597aa1ee86f154ccef894c49d1485787ce3e25da

SHA512
f6a5136bddf33a6b98d2f31290642a134fd74ea75f84066c7013a7a0a896af7a2114346e6f2e4a2afe6ef34b30ad4752d78bd2f75db80491445ae255e60d73e5

Download Submit
C:\Windows\{53F0FCB8-B1F5-4616-81CD-CCE24B910D3D}.exe

Filesize
90KB

MD5
352892c83e0bc9c9e8e729a43d4bda85

SHA1
2fb51f4db32209472c5658ce471fab8d2302226c

SHA256
e43084d14b4c8baa0cb4983f021b28235c0d795c0e1f7a6c17de97ef1f612934

SHA512
8ed38bda67ad1c3fadc344ede25b64fc88f2a69d750a308ff7a50fc44757b2c558409f6ac0e1cbc2e47b03bdfe81cdbb060e14f59a19ae05d749faed3c37f93c

Download Submit
C:\Windows\{54B25483-026F-4f8c-AA62-E6EB17CD6612}.exe

Filesize
90KB

MD5
19cd32e68daee9797e0388f7c9d69e61

SHA1
c503c8280ab21213494998078107066fcf03e5e6

SHA256
2e3f5fe17363ca6c42c8ec116d51dfe5b2c26c38d415fe827c82dd1ee606e3d7

SHA512
b0513a25c6c8f6caa7eecec41f005744b6b993388552a6870d8c17ddac54c99993ec803f24f7146e45bc0d030d4b64f11d76cde9445ad82a232a0a217029f10a

Download Submit
C:\Windows\{5AB92C30-C50B-4fbc-B762-33FEE8EF969A}.exe

Filesize
90KB

MD5
e478f9a606813c459b8921b38641c212

SHA1
65bb951502ba5e6b1a75f89bc28f1bc57f3e170e

SHA256
1aead4266f6fa2aa39a7bf378488e1a0428da67469fa6b0dd5b3840c6ae61d34

SHA512
a73d2fcd3aa1cbcde526392be8d56200ae9d8648a0af0d3bf7ea51ec2a1cf0de636b6ab72885d5075ce25d75e6851cea5fec398d46a44e8d89de2f9a1c7b765e

Download Submit
C:\Windows\{6878AD0B-9401-4e70-95F8-47F2E36E6168}.exe

Filesize
90KB

MD5
6b0ed14795ba827c9414c8f3e9895f8b

SHA1
817868d9f8c37fa95091c3dec8dc83e365cd5435

SHA256
7c928bc33e3e5356d70c6daf4c5d1c607911ff6cf0881d6e95f00be548f8d57e

SHA512
90cda5d7410224556cf496cf19d63efd44f6bfe063989aee0985cdf85bb054159bcaf546d70be5ee2a8b552dc0fd8679625a8c960b7e2ddd0c6cec5dd621598b

Download Submit
C:\Windows\{A9DEF19C-1A49-4862-8B51-AD0F11FABF07}.exe

Filesize
90KB

MD5
edb19a905d6beb9c9f16898616383f9c

SHA1
7726a7c7d6c81785f78d16e2a94f34d3f4d5198b

SHA256
70376b40b784818c1754adf3836c003c20e759fe510038417a47e492888f1f63

SHA512
0a3ca14f1926e9a1c7ec35d63622505d148b40f0bec49d093da88cdc15621deac2319e5d64229462c8350671a66dc90cad405679c396224bf5870a13515003c5

Download Submit
C:\Windows\{DE84068F-99DC-4d89-B130-1023044AD358}.exe

Filesize
90KB

MD5
faf8a31c2ee5874518ead2977e9fa7ec

SHA1
c9a54329596f80c35049b6f6db1e65955695c8b9

SHA256
3878d3391a122d1fe227d165e904baadfa167985945f1da55834ac8437833c2f

SHA512
5432c8f72c292692c9c21db3fc02f566ab41d3c368f20c74b347b06acd745a26e4a4fc9e201619932522463bab4a3cc1b5f62c87f7e62d68f5c4da91d85b0b11

Download Submit
C:\Windows\{E35F9050-F76F-4b57-A55A-20644B5C36A3}.exe

Filesize
90KB

MD5
8a13a7c47293b2f37ef75980d35cb361

SHA1
57387b5d64901cad3a7a0580d2fc754de1c414c4

SHA256
3f58e80e4a6ff894a6331588726ecf9eabf3d93729b9f842f26bd357dc086467

SHA512
4ecf82e609ee6b3644b5bced5f7803bee0e2ca20bba6b46d9582aa487943821ea4207fa0dad4a6bef6d4a96ba1ec294535af25b2c5a23a8bc323bc3c0209fac6

Download Submit
C:\Windows\{F4D2E97C-8617-44fc-B6B6-A130B14B4FFB}.exe

Filesize
90KB

MD5
e26845cea9c999ff0523fb3e204990e4

SHA1
dd85cca46d1f93d6b9fb7131232c2fa7a1718da3

SHA256
8c101945e506e411fbbff0eeb114b0c8d6dc50d80bf6736ceb4a3d2d04a8b970

SHA512
497ef904fccb4aceef3ce8bc329ae70cc8b3e3a4af2ae51142626d3bd5284629a78788e7d972c6782d2a755380bf0b5a11e7744042c6c37205e03f2b596f3e86

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads