5e5a3a9c1f5ab3b930e5c7066838bb5b5d356db3b0c2495cbf18d576656ee020

Analysis

max time kernel
118s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e5a3a9c1f5ab3b930e5c7066838bb5b5d356db3b0c2495cbf18d576656ee020N.exe
Size

88KB
MD5

f86fa0d27deb73c487e76c9d43271030
SHA1

0ceb762af2a9568079f89759768c1a84d6a940b5
SHA256

5e5a3a9c1f5ab3b930e5c7066838bb5b5d356db3b0c2495cbf18d576656ee020
SHA512

a113a2b0efa577da703f9e099211732cabdea71c20bb89007523fed415470c6a14e1ac3d408fb003d55dde114b901ff73173b9dae2e418de7d3e00c2581326fe
SSDEEP

768:5vw9816thKQLrox4/wQkNrfrunMxVFA3V:lEG/0oxlbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C1C60C1-BDD0-4ebc-9903-D43184951003}\stubpath = "C:\\Windows\\{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe"	{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}\stubpath = "C:\\Windows\\{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe"	{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}	{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B2495FF-BFDB-4021-A741-193701CAD59E}	{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C1C60C1-BDD0-4ebc-9903-D43184951003}	{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C39A900-3DE7-4a39-9D4E-F601F57AC493}	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C39A900-3DE7-4a39-9D4E-F601F57AC493}\stubpath = "C:\\Windows\\{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe"	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}	{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BA76D01-1B63-4873-9BE7-B504283EAB22}	{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A46B5536-84E3-4011-A55D-963C30137750}\stubpath = "C:\\Windows\\{A46B5536-84E3-4011-A55D-963C30137750}.exe"	5e5a3a9c1f5ab3b930e5c7066838bb5b5d356db3b0c2495cbf18d576656ee020N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}	{A46B5536-84E3-4011-A55D-963C30137750}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B2495FF-BFDB-4021-A741-193701CAD59E}\stubpath = "C:\\Windows\\{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe"	{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}\stubpath = "C:\\Windows\\{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe"	{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}	{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}\stubpath = "C:\\Windows\\{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe"	{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BA76D01-1B63-4873-9BE7-B504283EAB22}\stubpath = "C:\\Windows\\{3BA76D01-1B63-4873-9BE7-B504283EAB22}.exe"	{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A46B5536-84E3-4011-A55D-963C30137750}	5e5a3a9c1f5ab3b930e5c7066838bb5b5d356db3b0c2495cbf18d576656ee020N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}\stubpath = "C:\\Windows\\{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe"	{A46B5536-84E3-4011-A55D-963C30137750}.exe

Executes dropped EXE 9 IoCs

pid	Process
1560	{A46B5536-84E3-4011-A55D-963C30137750}.exe
2688	{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe
3708	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe
3016	{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe
1756	{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe
5088	{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe
336	{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe
1144	{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe
448	{3BA76D01-1B63-4873-9BE7-B504283EAB22}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{3BA76D01-1B63-4873-9BE7-B504283EAB22}.exe	{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe
File created	C:\Windows\{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe	{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe
File created	C:\Windows\{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe
File created	C:\Windows\{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe	{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe
File created	C:\Windows\{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe	{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe
File created	C:\Windows\{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe	{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe
File created	C:\Windows\{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe	{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe
File created	C:\Windows\{A46B5536-84E3-4011-A55D-963C30137750}.exe	5e5a3a9c1f5ab3b930e5c7066838bb5b5d356db3b0c2495cbf18d576656ee020N.exe
File created	C:\Windows\{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe	{A46B5536-84E3-4011-A55D-963C30137750}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A46B5536-84E3-4011-A55D-963C30137750}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3BA76D01-1B63-4873-9BE7-B504283EAB22}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e5a3a9c1f5ab3b930e5c7066838bb5b5d356db3b0c2495cbf18d576656ee020N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2664	5e5a3a9c1f5ab3b930e5c7066838bb5b5d356db3b0c2495cbf18d576656ee020N.exe
Token: SeIncBasePriorityPrivilege	1560	{A46B5536-84E3-4011-A55D-963C30137750}.exe
Token: SeIncBasePriorityPrivilege	2688	{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe
Token: SeIncBasePriorityPrivilege	3708	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe
Token: SeIncBasePriorityPrivilege	3016	{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe
Token: SeIncBasePriorityPrivilege	1756	{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe
Token: SeIncBasePriorityPrivilege	5088	{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe
Token: SeIncBasePriorityPrivilege	336	{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe
Token: SeIncBasePriorityPrivilege	1144	{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 1560	2664	5e5a3a9c1f5ab3b930e5c7066838bb5b5d356db3b0c2495cbf18d576656ee020N.exe	89
PID 2664 wrote to memory of 1560	2664	5e5a3a9c1f5ab3b930e5c7066838bb5b5d356db3b0c2495cbf18d576656ee020N.exe	89
PID 2664 wrote to memory of 1560	2664	5e5a3a9c1f5ab3b930e5c7066838bb5b5d356db3b0c2495cbf18d576656ee020N.exe	89
PID 2664 wrote to memory of 3916	2664	5e5a3a9c1f5ab3b930e5c7066838bb5b5d356db3b0c2495cbf18d576656ee020N.exe	90
PID 2664 wrote to memory of 3916	2664	5e5a3a9c1f5ab3b930e5c7066838bb5b5d356db3b0c2495cbf18d576656ee020N.exe	90
PID 2664 wrote to memory of 3916	2664	5e5a3a9c1f5ab3b930e5c7066838bb5b5d356db3b0c2495cbf18d576656ee020N.exe	90
PID 1560 wrote to memory of 2688	1560	{A46B5536-84E3-4011-A55D-963C30137750}.exe	91
PID 1560 wrote to memory of 2688	1560	{A46B5536-84E3-4011-A55D-963C30137750}.exe	91
PID 1560 wrote to memory of 2688	1560	{A46B5536-84E3-4011-A55D-963C30137750}.exe	91
PID 1560 wrote to memory of 2300	1560	{A46B5536-84E3-4011-A55D-963C30137750}.exe	92
PID 1560 wrote to memory of 2300	1560	{A46B5536-84E3-4011-A55D-963C30137750}.exe	92
PID 1560 wrote to memory of 2300	1560	{A46B5536-84E3-4011-A55D-963C30137750}.exe	92
PID 2688 wrote to memory of 3708	2688	{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe	95
PID 2688 wrote to memory of 3708	2688	{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe	95
PID 2688 wrote to memory of 3708	2688	{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe	95
PID 2688 wrote to memory of 3740	2688	{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe	96
PID 2688 wrote to memory of 3740	2688	{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe	96
PID 2688 wrote to memory of 3740	2688	{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe	96
PID 3708 wrote to memory of 3016	3708	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe	97
PID 3708 wrote to memory of 3016	3708	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe	97
PID 3708 wrote to memory of 3016	3708	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe	97
PID 3708 wrote to memory of 1492	3708	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe	98
PID 3708 wrote to memory of 1492	3708	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe	98
PID 3708 wrote to memory of 1492	3708	{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe	98
PID 3016 wrote to memory of 1756	3016	{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe	99
PID 3016 wrote to memory of 1756	3016	{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe	99
PID 3016 wrote to memory of 1756	3016	{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe	99
PID 3016 wrote to memory of 3128	3016	{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe	100
PID 3016 wrote to memory of 3128	3016	{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe	100
PID 3016 wrote to memory of 3128	3016	{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe	100
PID 1756 wrote to memory of 5088	1756	{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe	101
PID 1756 wrote to memory of 5088	1756	{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe	101
PID 1756 wrote to memory of 5088	1756	{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe	101
PID 1756 wrote to memory of 1160	1756	{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe	102
PID 1756 wrote to memory of 1160	1756	{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe	102
PID 1756 wrote to memory of 1160	1756	{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe	102
PID 5088 wrote to memory of 336	5088	{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe	103
PID 5088 wrote to memory of 336	5088	{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe	103
PID 5088 wrote to memory of 336	5088	{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe	103
PID 5088 wrote to memory of 2308	5088	{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe	104
PID 5088 wrote to memory of 2308	5088	{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe	104
PID 5088 wrote to memory of 2308	5088	{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe	104
PID 336 wrote to memory of 1144	336	{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe	105
PID 336 wrote to memory of 1144	336	{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe	105
PID 336 wrote to memory of 1144	336	{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe	105
PID 336 wrote to memory of 4652	336	{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe	106
PID 336 wrote to memory of 4652	336	{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe	106
PID 336 wrote to memory of 4652	336	{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe	106
PID 1144 wrote to memory of 448	1144	{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe	107
PID 1144 wrote to memory of 448	1144	{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe	107
PID 1144 wrote to memory of 448	1144	{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe	107
PID 1144 wrote to memory of 2276	1144	{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe	108
PID 1144 wrote to memory of 2276	1144	{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe	108
PID 1144 wrote to memory of 2276	1144	{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe	108

C:\Users\Admin\AppData\Local\Temp\5e5a3a9c1f5ab3b930e5c7066838bb5b5d356db3b0c2495cbf18d576656ee020N.exe
"C:\Users\Admin\AppData\Local\Temp\5e5a3a9c1f5ab3b930e5c7066838bb5b5d356db3b0c2495cbf18d576656ee020N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\{A46B5536-84E3-4011-A55D-963C30137750}.exe
  C:\Windows\{A46B5536-84E3-4011-A55D-963C30137750}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe
    C:\Windows\{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe
      C:\Windows\{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3708
    - - C:\Windows\{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe
        
        C:\Windows\{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe
        
        C:\Windows\{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe
        
        C:\Windows\{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe
        
        C:\Windows\{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe
        
        C:\Windows\{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\{3BA76D01-1B63-4873-9BE7-B504283EAB22}.exe
        
        C:\Windows\{3BA76D01-1B63-4873-9BE7-B504283EAB22}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7CBC~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BB69~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C1C6~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B249~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C39A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1AAC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{63927~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A46B5~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5E5A3A~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B2495FF-BFDB-4021-A741-193701CAD59E}.exe

Filesize
88KB

MD5
5d8fa538c78777d1ce6d98afc945cfba

SHA1
db5f04d757a2cc23ce131872cdd34916b5c59d06

SHA256
a8b75cdce0bcee447695872b7e229f8786fb5aa925a12dcc14331a29c6d433ed

SHA512
371a71e4540caf67784d13041aa6e5163f44bd7ad17023d6372443b103270a8654bbe9253d87382c7c026543a8cccee6da05cdf7a4c34aee22854c7b891904a0

Download Submit
C:\Windows\{1C39A900-3DE7-4a39-9D4E-F601F57AC493}.exe

Filesize
88KB

MD5
32dff4d0d4b944de7fd7a44a7e8a1407

SHA1
a52c215283ed324b6b0da6369f535afc09d28400

SHA256
1f390fee892af2e83e0122905e4a76e8b8415240a4b28f4f281603bc23747563

SHA512
db24666d2f94d3788c759ad62532208dd80789353dceacec2e3e948628d1df6bfa4facdb026a13a0e79c3e3411b3ca8f9e83f2818ba26d210b0f32d5257028f0

Download Submit
C:\Windows\{3BA76D01-1B63-4873-9BE7-B504283EAB22}.exe

Filesize
88KB

MD5
57fff6a41d94f3342b80276b69120e60

SHA1
01f8575eda4c119ec3c3fdaca208521697a105dc

SHA256
c0d565cc5ad088e0a412ee514e742c927118510b29cb7db885fcf5ec1cbff700

SHA512
a6c53ec0c9604c84bb1f298017d858e8ecc8048ca501588e6d100dcf33a7fd903609b9b8313669904a5aee265436ee8751f61c54ae8b62281f5d9c8968944188

Download Submit
C:\Windows\{3C1C60C1-BDD0-4ebc-9903-D43184951003}.exe

Filesize
88KB

MD5
0e89797616fb8c691f0adf9d1eeea111

SHA1
887ec3825f88820cadb1a7d217d7d10b712d8d53

SHA256
10f0534aa6047fa3b3913cc43fc3694b197c300d884db8bc8d66f4a63e3abd6c

SHA512
9314d87b7d79c04d85c308b58e3c2dcfd09ad49ae88459067bb596b1f816f647f73e503a93b71d9f41c22c50da1c7baadf2946dfa09b603bc23d8115be07b2a2

Download Submit
C:\Windows\{63927EFE-87CA-4b94-9A3E-5C6EB9A21DF4}.exe

Filesize
88KB

MD5
528d9aad0f5e061284f363a065bfd263

SHA1
5e33b2ce85925717859c2647bacc0cd23ab19ffe

SHA256
d34ae70ab7e6522d1876a373ff882b85422684fa0d9d0a3004648b6d07b548a6

SHA512
b3f195071074896af9c7755a176cf85c155484e274401df44c41a756ad2ae7517adc60d94afdcdcbd5f446d0ef532c8e486b25b1fe53ad2e1bbcb515b0e20b0a

Download Submit
C:\Windows\{7BB69DDD-6921-4949-AC7C-912E6BAB4F17}.exe

Filesize
88KB

MD5
660695876bf8bef7c8852327bdb99b88

SHA1
c25b9c6724d96f78953df2ac6537b3317d688cee

SHA256
236832128970c68dd17256257ec53d8fb5ecd8872848e4c82a844c6da8279f4a

SHA512
b39dc4f5ddbe6a3676b36c4d302ef1dbc118c95571ca89df6dc15184338baaa2a3f7c0f1516b25564a2c97810023ed255bcb6bca3b6b6dc3a7b636284d4a5bee

Download Submit
C:\Windows\{A46B5536-84E3-4011-A55D-963C30137750}.exe

Filesize
88KB

MD5
fd95bbcaeca1975e7ec6e7e30afd7004

SHA1
ec807b802bf20490f053727bd908959ec3370f9a

SHA256
84999a35b72774e629ddcb617d58ff2c69e3e9530e25c0bc54af1a0f6e51f9f7

SHA512
82a30937c6deedcc569f66fa7c31097558d8eeaefe02afe0ad73091fdcfc435a41d64cd5c023229e4e705fafdfa8cce8e2f6bb29c12da399b8c95cdc7b4e73e0

Download Submit
C:\Windows\{B7CBC22F-FB5D-4a26-A9AF-52B81693F7E5}.exe

Filesize
88KB

MD5
85f9406055ae529ff99cc3e8c3d65287

SHA1
60f18a4c4bf04d0a617319095b7c36136e1bd692

SHA256
207f2086f907f41661d9fffaf67eb1b92f745428a3ceb3889a72d6915357c295

SHA512
a5426df98006cecc4efc12d1ffb0b67e406fcd344232d15905431126cd727dd653c7678516dc81194eee2829f669730e7c8f08e8b9f81a42bc7bb01339bdd046

Download Submit
C:\Windows\{F1AACC47-E821-4f07-8D63-4D9F17CDEE3B}.exe

Filesize
88KB

MD5
720dee73c34191ac27f9780182bab1a5

SHA1
2e96d0fc1fcb2a9bb9250ad4661b7f21ffe67f50

SHA256
d99541b2d61467619a7eb66e47643a68baa42daf668f4e2d9f097704a6e47961

SHA512
01ea1e2a01a5ea86c67b7b14dfd93638469904c27adffa45ec4114e97471ff172faa58fe9e7d8b9618d8104fb2c1bd1066b608187408f5d477dd8b1a79de6801

Download Submit
memory/336-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/336-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/448-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1144-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1144-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1560-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1560-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1756-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1756-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2664-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2664-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2664-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2688-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2688-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2688-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3016-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3016-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3708-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5088-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5088-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads