3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe
Size

89KB
MD5

0d0fbd64b0015e9a99e1462c9276c050
SHA1

1c2a60ec872e3aa7c79325748512bec390f1ffc2
SHA256

3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684
SHA512

4903f02c33fc27ab9e6619e8f6a8b02136c53f2c4343cd4fa6c0018d86765c13aef5897d4ea46a2476a8157b662878e78087d633aed6a64578a5b913b0b3a6d9
SSDEEP

768:Qvw9816vhKQLroH4/wQRNrfrunMxVFA3b7gl5:YEGh0oHl2unMxVS3HgX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62E94708-29FD-438b-BFED-B0D1B3D640AE}	{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5103F05-B9C2-4d7b-A710-A14C6EFA896A}\stubpath = "C:\\Windows\\{A5103F05-B9C2-4d7b-A710-A14C6EFA896A}.exe"	{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A705847-47D4-4c9b-9FEF-11B82F665E78}	3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A705847-47D4-4c9b-9FEF-11B82F665E78}\stubpath = "C:\\Windows\\{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe"	3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}	{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}	{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62E94708-29FD-438b-BFED-B0D1B3D640AE}\stubpath = "C:\\Windows\\{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe"	{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5103F05-B9C2-4d7b-A710-A14C6EFA896A}	{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5A524A4-19F9-49aa-B038-FB84536773D9}	{A5103F05-B9C2-4d7b-A710-A14C6EFA896A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FD68840-75ED-4cce-B958-AE637F58B390}\stubpath = "C:\\Windows\\{5FD68840-75ED-4cce-B958-AE637F58B390}.exe"	{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D3D8421-EE24-4229-9074-E384F4DEA31A}	{5FD68840-75ED-4cce-B958-AE637F58B390}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D3D8421-EE24-4229-9074-E384F4DEA31A}\stubpath = "C:\\Windows\\{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe"	{5FD68840-75ED-4cce-B958-AE637F58B390}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}	{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}\stubpath = "C:\\Windows\\{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe"	{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FD68840-75ED-4cce-B958-AE637F58B390}	{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}\stubpath = "C:\\Windows\\{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe"	{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}\stubpath = "C:\\Windows\\{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe"	{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5A524A4-19F9-49aa-B038-FB84536773D9}\stubpath = "C:\\Windows\\{B5A524A4-19F9-49aa-B038-FB84536773D9}.exe"	{A5103F05-B9C2-4d7b-A710-A14C6EFA896A}.exe

Deletes itself 1 IoCs

pid	Process
2064	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1064	{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe
2828	{5FD68840-75ED-4cce-B958-AE637F58B390}.exe
2784	{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe
2620	{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe
2944	{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe
556	{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe
1660	{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe
764	{A5103F05-B9C2-4d7b-A710-A14C6EFA896A}.exe
3008	{B5A524A4-19F9-49aa-B038-FB84536773D9}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{A5103F05-B9C2-4d7b-A710-A14C6EFA896A}.exe	{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe
File created	C:\Windows\{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe	3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe
File created	C:\Windows\{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe	{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe
File created	C:\Windows\{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe	{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe
File created	C:\Windows\{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe	{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe
File created	C:\Windows\{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe	{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe
File created	C:\Windows\{B5A524A4-19F9-49aa-B038-FB84536773D9}.exe	{A5103F05-B9C2-4d7b-A710-A14C6EFA896A}.exe
File created	C:\Windows\{5FD68840-75ED-4cce-B958-AE637F58B390}.exe	{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe
File created	C:\Windows\{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe	{5FD68840-75ED-4cce-B958-AE637F58B390}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B5A524A4-19F9-49aa-B038-FB84536773D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A5103F05-B9C2-4d7b-A710-A14C6EFA896A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5FD68840-75ED-4cce-B958-AE637F58B390}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2084	3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe
Token: SeIncBasePriorityPrivilege	1064	{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe
Token: SeIncBasePriorityPrivilege	2828	{5FD68840-75ED-4cce-B958-AE637F58B390}.exe
Token: SeIncBasePriorityPrivilege	2784	{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe
Token: SeIncBasePriorityPrivilege	2620	{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe
Token: SeIncBasePriorityPrivilege	2944	{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe
Token: SeIncBasePriorityPrivilege	556	{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe
Token: SeIncBasePriorityPrivilege	1660	{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe
Token: SeIncBasePriorityPrivilege	764	{A5103F05-B9C2-4d7b-A710-A14C6EFA896A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1064	2084	3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe	30
PID 2084 wrote to memory of 1064	2084	3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe	30
PID 2084 wrote to memory of 1064	2084	3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe	30
PID 2084 wrote to memory of 1064	2084	3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe	30
PID 2084 wrote to memory of 2064	2084	3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe	31
PID 2084 wrote to memory of 2064	2084	3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe	31
PID 2084 wrote to memory of 2064	2084	3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe	31
PID 2084 wrote to memory of 2064	2084	3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe	31
PID 1064 wrote to memory of 2828	1064	{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe	32
PID 1064 wrote to memory of 2828	1064	{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe	32
PID 1064 wrote to memory of 2828	1064	{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe	32
PID 1064 wrote to memory of 2828	1064	{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe	32
PID 1064 wrote to memory of 2992	1064	{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe	33
PID 1064 wrote to memory of 2992	1064	{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe	33
PID 1064 wrote to memory of 2992	1064	{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe	33
PID 1064 wrote to memory of 2992	1064	{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe	33
PID 2828 wrote to memory of 2784	2828	{5FD68840-75ED-4cce-B958-AE637F58B390}.exe	34
PID 2828 wrote to memory of 2784	2828	{5FD68840-75ED-4cce-B958-AE637F58B390}.exe	34
PID 2828 wrote to memory of 2784	2828	{5FD68840-75ED-4cce-B958-AE637F58B390}.exe	34
PID 2828 wrote to memory of 2784	2828	{5FD68840-75ED-4cce-B958-AE637F58B390}.exe	34
PID 2828 wrote to memory of 2728	2828	{5FD68840-75ED-4cce-B958-AE637F58B390}.exe	35
PID 2828 wrote to memory of 2728	2828	{5FD68840-75ED-4cce-B958-AE637F58B390}.exe	35
PID 2828 wrote to memory of 2728	2828	{5FD68840-75ED-4cce-B958-AE637F58B390}.exe	35
PID 2828 wrote to memory of 2728	2828	{5FD68840-75ED-4cce-B958-AE637F58B390}.exe	35
PID 2784 wrote to memory of 2620	2784	{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe	36
PID 2784 wrote to memory of 2620	2784	{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe	36
PID 2784 wrote to memory of 2620	2784	{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe	36
PID 2784 wrote to memory of 2620	2784	{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe	36
PID 2784 wrote to memory of 2244	2784	{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe	37
PID 2784 wrote to memory of 2244	2784	{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe	37
PID 2784 wrote to memory of 2244	2784	{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe	37
PID 2784 wrote to memory of 2244	2784	{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe	37
PID 2620 wrote to memory of 2944	2620	{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe	38
PID 2620 wrote to memory of 2944	2620	{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe	38
PID 2620 wrote to memory of 2944	2620	{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe	38
PID 2620 wrote to memory of 2944	2620	{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe	38
PID 2620 wrote to memory of 2800	2620	{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe	39
PID 2620 wrote to memory of 2800	2620	{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe	39
PID 2620 wrote to memory of 2800	2620	{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe	39
PID 2620 wrote to memory of 2800	2620	{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe	39
PID 2944 wrote to memory of 556	2944	{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe	40
PID 2944 wrote to memory of 556	2944	{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe	40
PID 2944 wrote to memory of 556	2944	{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe	40
PID 2944 wrote to memory of 556	2944	{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe	40
PID 2944 wrote to memory of 1600	2944	{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe	41
PID 2944 wrote to memory of 1600	2944	{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe	41
PID 2944 wrote to memory of 1600	2944	{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe	41
PID 2944 wrote to memory of 1600	2944	{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe	41
PID 556 wrote to memory of 1660	556	{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe	42
PID 556 wrote to memory of 1660	556	{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe	42
PID 556 wrote to memory of 1660	556	{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe	42
PID 556 wrote to memory of 1660	556	{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe	42
PID 556 wrote to memory of 2948	556	{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe	43
PID 556 wrote to memory of 2948	556	{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe	43
PID 556 wrote to memory of 2948	556	{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe	43
PID 556 wrote to memory of 2948	556	{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe	43
PID 1660 wrote to memory of 764	1660	{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe	44
PID 1660 wrote to memory of 764	1660	{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe	44
PID 1660 wrote to memory of 764	1660	{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe	44
PID 1660 wrote to memory of 764	1660	{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe	44
PID 1660 wrote to memory of 464	1660	{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe	45
PID 1660 wrote to memory of 464	1660	{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe	45
PID 1660 wrote to memory of 464	1660	{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe	45
PID 1660 wrote to memory of 464	1660	{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe	45

C:\Users\Admin\AppData\Local\Temp\3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe
"C:\Users\Admin\AppData\Local\Temp\3fbcc5d5735daec411232bb5fcf468768abb48677def66d6737c531800e44684N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe
  C:\Windows\{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\{5FD68840-75ED-4cce-B958-AE637F58B390}.exe
    C:\Windows\{5FD68840-75ED-4cce-B958-AE637F58B390}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe
      C:\Windows\{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe
        
        C:\Windows\{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe
        
        C:\Windows\{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe
        
        C:\Windows\{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe
        
        C:\Windows\{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{A5103F05-B9C2-4d7b-A710-A14C6EFA896A}.exe
        
        C:\Windows\{A5103F05-B9C2-4d7b-A710-A14C6EFA896A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\{B5A524A4-19F9-49aa-B038-FB84536773D9}.exe
        
        C:\Windows\{B5A524A4-19F9-49aa-B038-FB84536773D9}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5103~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62E94~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC07D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76E0B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1FB1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D3D8~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5FD68~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5A705~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3FBCC5~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5A705847-47D4-4c9b-9FEF-11B82F665E78}.exe

Filesize
89KB

MD5
d23c6eece4fdf391d94a281c1ee6fba3

SHA1
53fbc2d75ff52368317d0257c323d9ba24a721fa

SHA256
f613eb73fc4217441294b1a20d9a5bd80ca6057bc822e4902acf9f5b4a153322

SHA512
4205d0d557b8ed003a9093aae9cdb01bd2caca13aacd312a4af1c3a62909759a53fca7e093289a09b85054acb8f5329ae60ebecfac7c39828c20b7da3c325525

Download Submit
C:\Windows\{5FD68840-75ED-4cce-B958-AE637F58B390}.exe

Filesize
89KB

MD5
0b7a8e5299c2fdd4a9df1ba464cca6e6

SHA1
4eef19459ebb2bcea1b6e74aa61911becf53302b

SHA256
e346d8a7e4c6fff1b43fff1dcf8e2f29aee38e8e2b9a640c7699f25a8198c58c

SHA512
82205c4277309d31cd12866b1d93abc7d6566f5586be321290a1cff99714d655dae0d987a1e510a0ecc0c1ba555d843984e9ebddfc135d22ddb9a4fa041d3603

Download Submit
C:\Windows\{62E94708-29FD-438b-BFED-B0D1B3D640AE}.exe

Filesize
89KB

MD5
5ec815d2e1f9ec487cd22406fad8cd80

SHA1
572192cd8e7354b41016b754ac34c41230b8e457

SHA256
2aed020c969f4d21788dcecafef6b3309e87c5295cfe1dd10266b8ced65977ec

SHA512
b31bb7edef7aa3549bcf5a61f28aa84ee8e192a821ce5f2c82271e39090cdfcd83df52c57ee8ea3d62821d4f224541c1182fd8a432df3c1a8cda5a6540a51f51

Download Submit
C:\Windows\{6D3D8421-EE24-4229-9074-E384F4DEA31A}.exe

Filesize
89KB

MD5
28fa035a853704b8f495c1d57cc3211b

SHA1
1816e08fddd1462641eba77fb6d70865c18a977e

SHA256
b4d8227753ac58479c961b5e6b1342cac7667dc22bcb13435e730e5cb1ac13ec

SHA512
b7cedfd3344f7f42cffe8715358314fcd1d0918512829d3a6304d65020fef68b4dd52378574f1aac5a706fb0ceffa1b887720629ba0872a9c82cfe566628c635

Download Submit
C:\Windows\{76E0B69F-B8B5-4c5e-895C-29AFC26CF7FF}.exe

Filesize
89KB

MD5
1e1ad849d4789131854cc72e9e58bc90

SHA1
e5635fa7e02369e892ef71b27eb205ba994f5684

SHA256
cab5dd9bb16b8019ea1dffbc439b23e1526477695daf3c059da604efe10b189c

SHA512
99ca23bd17018a054bcc5a5b60e59f0654d7d70e8e4f8757059faf80ef50dc7b820d517a61dd49fcec4f78b69e0025c33f46f358193fcba1b05981c4144faef7

Download Submit
C:\Windows\{A5103F05-B9C2-4d7b-A710-A14C6EFA896A}.exe

Filesize
89KB

MD5
8b02b3b2b9b005c3c98e3680fdb3dd2d

SHA1
96f700e54a862322ccf96498237c25483ec3da86

SHA256
b5e455001fe06387db670ebee51f74b6e5c0b74651ab6f52be4ff2aa00a4355f

SHA512
3bb54b91893006999c3523ce7e4fd0b72e6db7ba283bb817d9388eb9e87555275f5a595aeec5049ec8122bc3a1e4c4b6a817cc5586d64acba04f98b8df3981c1

Download Submit
C:\Windows\{B1FB1A02-80B5-47d3-871D-7B643BFDDA4B}.exe

Filesize
89KB

MD5
e04d5090607cea463efe4516f886d348

SHA1
693e319a4c95f264c8c2dd4b962176174f78b69b

SHA256
1fc0e7baee607e4d90015e4d034cb10e5cb85a13dca13d30559bd90d36fb70e6

SHA512
54a317c3f38ea8bdfff6df3f2547d78851e38b4630fc77b2a405a75e88768c51e290e1189063947cfe9ba3cb70f24b783717317ef8b17705a9b213e188e7bc52

Download Submit
C:\Windows\{B5A524A4-19F9-49aa-B038-FB84536773D9}.exe

Filesize
89KB

MD5
f0a01b25ee8df258f91d535696b860d3

SHA1
cab769672db9b5c97081499a71a48f85c2ea3c39

SHA256
6359e97a0695d848a22a21c195b605c527d3064173a4f4e5e163f90a00a182bf

SHA512
b9ede67a680a8106116189791768d31c353734f8c7d85b989b5df9d7ac8429f80c5b2044e3118a31f910fc0bb67536e4a71a761b2e69216b364555a2b18784ff

Download Submit
C:\Windows\{DC07D41C-8010-4bec-85A1-9B7DE61B1C52}.exe

Filesize
89KB

MD5
39ab2b2d46774f4aa6b157552d0b3b67

SHA1
f02c19847901a7b8c6e615ca034ee9e4c5b0a5f4

SHA256
cf119aae50a054d5db279d3f72ab6ca63dfeaab397a7e114e67e225e8e5436d9

SHA512
1fb6c630660ac94dcbdbdb4f206baf5304f845bf9a9ad229bf14c2483f9d0dff67ddf189fc319d3776997da425a776c84c07241679425750a01109f60223a0d4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads