343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3

Analysis

max time kernel
119s
max time network
15s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe
Size

88KB
MD5

1952da201837e633a68990f307c98280
SHA1

05787a9a764a96e5af585460696f9ad8b60a0743
SHA256

343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3
SHA512

caf82b9b7bdf3dc2c923d0775897c0ada0f1ad3534440119664895f806d08e8b0f1e4650570b192e7920cb2a902c6648da90aa32b588689a227aca5c5131ff81
SSDEEP

768:5vw9816thKQLroQ4/wQUNrfrunMxVFA3d:lEG/0oQlrunMxVS3d

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B590D3A-829A-40e9-9C47-2A48294D7BBA}	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B590D3A-829A-40e9-9C47-2A48294D7BBA}\stubpath = "C:\\Windows\\{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe"	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9508E638-576C-45cd-8478-6BC8B4FEEC8F}\stubpath = "C:\\Windows\\{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe"	{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{242FE56B-16CE-4834-963C-3DB86A6A5C7B}	{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{242FE56B-16CE-4834-963C-3DB86A6A5C7B}\stubpath = "C:\\Windows\\{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe"	{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}	{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}\stubpath = "C:\\Windows\\{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe"	{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01F345BE-0987-4ec9-AABF-B8BEECB76093}	{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01F345BE-0987-4ec9-AABF-B8BEECB76093}\stubpath = "C:\\Windows\\{01F345BE-0987-4ec9-AABF-B8BEECB76093}.exe"	{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}\stubpath = "C:\\Windows\\{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe"	{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}	{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}	{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BD340FD-9BA9-4400-AE58-5A00A06C2771}	{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BD340FD-9BA9-4400-AE58-5A00A06C2771}\stubpath = "C:\\Windows\\{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe"	{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}\stubpath = "C:\\Windows\\{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe"	{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9508E638-576C-45cd-8478-6BC8B4FEEC8F}	{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C78AF86-05E6-4703-BD2F-9063DECD8559}	{01F345BE-0987-4ec9-AABF-B8BEECB76093}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C78AF86-05E6-4703-BD2F-9063DECD8559}\stubpath = "C:\\Windows\\{9C78AF86-05E6-4703-BD2F-9063DECD8559}.exe"	{01F345BE-0987-4ec9-AABF-B8BEECB76093}.exe

Deletes itself 1 IoCs

pid	Process
2808	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2704	{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe
2584	{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe
2588	{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe
2540	{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe
2896	{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe
2308	{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe
2416	{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe
2100	{01F345BE-0987-4ec9-AABF-B8BEECB76093}.exe
280	{9C78AF86-05E6-4703-BD2F-9063DECD8559}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{01F345BE-0987-4ec9-AABF-B8BEECB76093}.exe	{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe
File created	C:\Windows\{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe	{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe
File created	C:\Windows\{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe	{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe
File created	C:\Windows\{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe	{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe
File created	C:\Windows\{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe	{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe
File created	C:\Windows\{9C78AF86-05E6-4703-BD2F-9063DECD8559}.exe	{01F345BE-0987-4ec9-AABF-B8BEECB76093}.exe
File created	C:\Windows\{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe
File created	C:\Windows\{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe	{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe
File created	C:\Windows\{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe	{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{01F345BE-0987-4ec9-AABF-B8BEECB76093}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C78AF86-05E6-4703-BD2F-9063DECD8559}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3020	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe
Token: SeIncBasePriorityPrivilege	2704	{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe
Token: SeIncBasePriorityPrivilege	2584	{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe
Token: SeIncBasePriorityPrivilege	2588	{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe
Token: SeIncBasePriorityPrivilege	2540	{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe
Token: SeIncBasePriorityPrivilege	2896	{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe
Token: SeIncBasePriorityPrivilege	2308	{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe
Token: SeIncBasePriorityPrivilege	2416	{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe
Token: SeIncBasePriorityPrivilege	2100	{01F345BE-0987-4ec9-AABF-B8BEECB76093}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2704	3020	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe	30
PID 3020 wrote to memory of 2704	3020	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe	30
PID 3020 wrote to memory of 2704	3020	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe	30
PID 3020 wrote to memory of 2704	3020	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe	30
PID 3020 wrote to memory of 2808	3020	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe	31
PID 3020 wrote to memory of 2808	3020	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe	31
PID 3020 wrote to memory of 2808	3020	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe	31
PID 3020 wrote to memory of 2808	3020	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe	31
PID 2704 wrote to memory of 2584	2704	{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe	32
PID 2704 wrote to memory of 2584	2704	{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe	32
PID 2704 wrote to memory of 2584	2704	{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe	32
PID 2704 wrote to memory of 2584	2704	{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe	32
PID 2704 wrote to memory of 2596	2704	{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe	33
PID 2704 wrote to memory of 2596	2704	{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe	33
PID 2704 wrote to memory of 2596	2704	{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe	33
PID 2704 wrote to memory of 2596	2704	{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe	33
PID 2584 wrote to memory of 2588	2584	{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe	34
PID 2584 wrote to memory of 2588	2584	{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe	34
PID 2584 wrote to memory of 2588	2584	{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe	34
PID 2584 wrote to memory of 2588	2584	{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe	34
PID 2584 wrote to memory of 2676	2584	{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe	35
PID 2584 wrote to memory of 2676	2584	{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe	35
PID 2584 wrote to memory of 2676	2584	{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe	35
PID 2584 wrote to memory of 2676	2584	{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe	35
PID 2588 wrote to memory of 2540	2588	{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe	36
PID 2588 wrote to memory of 2540	2588	{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe	36
PID 2588 wrote to memory of 2540	2588	{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe	36
PID 2588 wrote to memory of 2540	2588	{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe	36
PID 2588 wrote to memory of 1836	2588	{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe	37
PID 2588 wrote to memory of 1836	2588	{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe	37
PID 2588 wrote to memory of 1836	2588	{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe	37
PID 2588 wrote to memory of 1836	2588	{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe	37
PID 2540 wrote to memory of 2896	2540	{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe	38
PID 2540 wrote to memory of 2896	2540	{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe	38
PID 2540 wrote to memory of 2896	2540	{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe	38
PID 2540 wrote to memory of 2896	2540	{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe	38
PID 2540 wrote to memory of 3056	2540	{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe	39
PID 2540 wrote to memory of 3056	2540	{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe	39
PID 2540 wrote to memory of 3056	2540	{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe	39
PID 2540 wrote to memory of 3056	2540	{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe	39
PID 2896 wrote to memory of 2308	2896	{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe	40
PID 2896 wrote to memory of 2308	2896	{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe	40
PID 2896 wrote to memory of 2308	2896	{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe	40
PID 2896 wrote to memory of 2308	2896	{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe	40
PID 2896 wrote to memory of 2236	2896	{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe	41
PID 2896 wrote to memory of 2236	2896	{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe	41
PID 2896 wrote to memory of 2236	2896	{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe	41
PID 2896 wrote to memory of 2236	2896	{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe	41
PID 2308 wrote to memory of 2416	2308	{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe	42
PID 2308 wrote to memory of 2416	2308	{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe	42
PID 2308 wrote to memory of 2416	2308	{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe	42
PID 2308 wrote to memory of 2416	2308	{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe	42
PID 2308 wrote to memory of 884	2308	{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe	43
PID 2308 wrote to memory of 884	2308	{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe	43
PID 2308 wrote to memory of 884	2308	{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe	43
PID 2308 wrote to memory of 884	2308	{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe	43
PID 2416 wrote to memory of 2100	2416	{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe	44
PID 2416 wrote to memory of 2100	2416	{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe	44
PID 2416 wrote to memory of 2100	2416	{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe	44
PID 2416 wrote to memory of 2100	2416	{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe	44
PID 2416 wrote to memory of 2220	2416	{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe	45
PID 2416 wrote to memory of 2220	2416	{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe	45
PID 2416 wrote to memory of 2220	2416	{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe	45
PID 2416 wrote to memory of 2220	2416	{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe	45

C:\Users\Admin\AppData\Local\Temp\343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe
"C:\Users\Admin\AppData\Local\Temp\343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe
  C:\Windows\{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe
    C:\Windows\{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe
      C:\Windows\{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe
        
        C:\Windows\{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe
        
        C:\Windows\{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe
        
        C:\Windows\{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe
        
        C:\Windows\{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\{01F345BE-0987-4ec9-AABF-B8BEECB76093}.exe
        
        C:\Windows\{01F345BE-0987-4ec9-AABF-B8BEECB76093}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\{9C78AF86-05E6-4703-BD2F-9063DECD8559}.exe
        
        C:\Windows\{9C78AF86-05E6-4703-BD2F-9063DECD8559}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01F34~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9508E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6921~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6ACCE~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BD34~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{242FE~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4E952~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8B590~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\343259~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01F345BE-0987-4ec9-AABF-B8BEECB76093}.exe

Filesize
88KB

MD5
5c54f90d686d22f9ef36cf1f39efb51a

SHA1
1b0785c1ee1f95ede5edaae6b4ce8e6a8d2db453

SHA256
c8313fcb124a6ffc6e6f0ea7ad0d7992ad5b09e3663f67ef68806a21fb8db727

SHA512
473585072e9c639431e541079bca1bbaa90cd4cd40ed33f80e15ea2fabcaee0b4e641978461d1dac9803b536a89d72f88b162f651bfdcbdb8f57929dad409e28

Download Submit
C:\Windows\{242FE56B-16CE-4834-963C-3DB86A6A5C7B}.exe

Filesize
88KB

MD5
5307ae1c310b142d6f2ee5605968a6fb

SHA1
c1377fe7fcf2fef15f6b48cb2d3e3f5e5382f39c

SHA256
5f7a168a3a8750970be8c6374b4b592b7592023d96fb2eb601412acabad9f81f

SHA512
a7dfe476d745980042e8ca74662e7c697c2ce9af0b781f264844b828965b5a14e10872014f660162e3e1f12738dcd50894807951a5c31d1f60e1b0aa637e5f02

Download Submit
C:\Windows\{4E952D3A-F7AA-4cf6-A8FF-C46270E30AC0}.exe

Filesize
88KB

MD5
26f3035849ac647be231c14e55decd6f

SHA1
7acbec86f10f41cb68c67a9667f4de18718739cd

SHA256
ac1a26e2017763d78f18555326e7bae0af8cc8eef245e142d450bbdb8c4b99aa

SHA512
8c15eeaae14fcad496de5ee017628eaa5f211e9f8c54a3aec971d0d0c914b2ac3fa0ccade41f0276e86b75e4239a0c1726fa2070e33c0cef87803f0b0cc92d75

Download Submit
C:\Windows\{6ACCE681-AF2A-46ba-B30C-132FD3CC0F5C}.exe

Filesize
88KB

MD5
796c41d6fa71a37f2d027c0b0c31be81

SHA1
9b77edad8542b0a1d1fd2b659eddf22197b47906

SHA256
79a527a7a6d927caf71cd5ae680c44bdefd13d3e5a9ffa59a3b85eb16377a793

SHA512
f8fdd3ab917df213fb939cf5ce65d6b396a0321de20918c4b57f6dba146ae6b8a0d2b287a8f2ea4498c9ddb220c760824a57e7cd2d2b63c794f662fba0e73ea6

Download Submit
C:\Windows\{8B590D3A-829A-40e9-9C47-2A48294D7BBA}.exe

Filesize
88KB

MD5
47c71e2ad4c7e73aea37b5f13658b1a4

SHA1
8a6a9d1d262bb09350fd12ebaba228062f298ff9

SHA256
797499013646344d882e330c1c33f90b1e0300d1748d8b999041124b310114c4

SHA512
37215b5c18b8ceee8e61b7eb26238163b1c039b08c16e8fb5dde662dea86d091a9f957302b517cc789f0d1d8ebbbefa4e3532f942188daa45422787074a4f187

Download Submit
C:\Windows\{8BD340FD-9BA9-4400-AE58-5A00A06C2771}.exe

Filesize
88KB

MD5
beeec7fac276e194ab7ddd56571d7ae9

SHA1
bcc896b95823ff4a499b04fdf60cbd55e5a8ac86

SHA256
f4a02b837c8b9bdd9320dc1f0d89ef755690de7f105bbff2d224b97718e9bdd2

SHA512
34a9bde8f6603d546c6c9df18b18b474fb9d9978be78e4ffe8abd4a36a9d337482ab33c7ea3ab08d9533fac55ce62e0cffdd8667acdd195d5c695baa64919802

Download Submit
C:\Windows\{9508E638-576C-45cd-8478-6BC8B4FEEC8F}.exe

Filesize
88KB

MD5
cbbd7907765a93b1676ca9e3213ef99e

SHA1
c6ef0ee9c4d2f8f3d8a631d1e958e2b6a9bd8b20

SHA256
49854c749aa9b47ff28d1f42dcc4e046896b5789b044ceb7f945a3e20281fe41

SHA512
2780bbed825abb576ca010c36ac2e8d4eab2e5ce221ecfcbb6fac081631d351c50c9aa95fa4b55aba140cf919d36a97199a5975714481c66bec3d35dfe5a454e

Download Submit
C:\Windows\{9C78AF86-05E6-4703-BD2F-9063DECD8559}.exe

Filesize
88KB

MD5
ec735f29e8df420ff0a4ef9bc2a59554

SHA1
2e42ca8c046541484f8356c7c38279e8cc83d273

SHA256
3768f3b4d0bdbdea996375c94406f3c79e99191ca32fc447586b4c222563094b

SHA512
7c72268ea275c7fb016ed47219a39903a8f56e404bdf994b0f67b9096c81f233b18b2e2c9da5b21be5aa6eba70fa268abb928982da8ea36b34aaf0ec6f692f55

Download Submit
C:\Windows\{B6921D2C-1DE8-4bc4-B176-E07764ED4E95}.exe

Filesize
88KB

MD5
58e61e02f143a42a3266fff8c66d7f94

SHA1
d5f3394d2d14518b78b0feea45bce314dac06285

SHA256
b23657354815a376b5a8914700d39dabee503d35e27599f7aed1e39757b30c56

SHA512
2bec1f95e65695c172170b0ba30a149cd631676870cadbca06501c81897aa5cccd8ee6cc0169f8a466bdd3f9f10c4e78421a78ab56ee78d15f8f1a2e331d33d0

Download Submit
memory/2100-84-0x0000000000340000-0x0000000000351000-memory.dmp

Filesize
68KB

Download
memory/2100-89-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2308-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2308-64-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/2308-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2308-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2416-74-0x0000000000830000-0x0000000000841000-memory.dmp

Filesize
68KB

Download
memory/2416-80-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2416-78-0x0000000000830000-0x0000000000841000-memory.dmp

Filesize
68KB

Download
memory/2540-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2540-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2584-24-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2584-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2584-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2588-37-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2588-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2588-38-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2588-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2704-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2704-14-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/2704-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2896-56-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2896-57-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2896-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3020-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3020-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3020-4-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/3020-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads