c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe
Size

60KB
MD5

be21c669edc51f80375725f29c426df0
SHA1

d73329c6068088ec2291a3bdeee905bec910e9b4
SHA256

c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64
SHA512

770775ccdca40b58474b51928da82eef450b65e879a12370b24fd614d455644c615f6e4237491496b381a7e798fdeac38688f068579eb2d61dfa901bc041b138
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwPjlY04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroLX4/CFsrd

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D90179D-DE1F-460d-A68E-FF766C56327D}\stubpath = "C:\\Windows\\{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe"	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D158662C-EEC3-40b3-9129-A0901111CBFE}\stubpath = "C:\\Windows\\{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe"	{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{594C29E7-70E4-4b05-9196-B864E254AABA}\stubpath = "C:\\Windows\\{594C29E7-70E4-4b05-9196-B864E254AABA}.exe"	{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B248718B-E77C-454b-9D96-971714E1BCC9}	{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DB0AEF0-35D7-4287-ACBA-0FCC3F6F64A7}	{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95BB464F-33C8-48cb-93A7-A7181D47CFB5}\stubpath = "C:\\Windows\\{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe"	{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABCBBD27-788A-4947-833E-7BBB9685A0C9}\stubpath = "C:\\Windows\\{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe"	{594C29E7-70E4-4b05-9196-B864E254AABA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DB0AEF0-35D7-4287-ACBA-0FCC3F6F64A7}\stubpath = "C:\\Windows\\{9DB0AEF0-35D7-4287-ACBA-0FCC3F6F64A7}.exe"	{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DF378AD-794F-4ef9-8B80-97FA5E909366}\stubpath = "C:\\Windows\\{5DF378AD-794F-4ef9-8B80-97FA5E909366}.exe"	{9DB0AEF0-35D7-4287-ACBA-0FCC3F6F64A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D90179D-DE1F-460d-A68E-FF766C56327D}	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABCBBD27-788A-4947-833E-7BBB9685A0C9}	{594C29E7-70E4-4b05-9196-B864E254AABA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}	{B248718B-E77C-454b-9D96-971714E1BCC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}\stubpath = "C:\\Windows\\{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe"	{B248718B-E77C-454b-9D96-971714E1BCC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D158662C-EEC3-40b3-9129-A0901111CBFE}	{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95BB464F-33C8-48cb-93A7-A7181D47CFB5}	{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{594C29E7-70E4-4b05-9196-B864E254AABA}	{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B248718B-E77C-454b-9D96-971714E1BCC9}\stubpath = "C:\\Windows\\{B248718B-E77C-454b-9D96-971714E1BCC9}.exe"	{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DF378AD-794F-4ef9-8B80-97FA5E909366}	{9DB0AEF0-35D7-4287-ACBA-0FCC3F6F64A7}.exe

Deletes itself 1 IoCs

pid	Process
3068	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2076	{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe
2704	{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe
2488	{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe
3020	{594C29E7-70E4-4b05-9196-B864E254AABA}.exe
1488	{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe
2876	{B248718B-E77C-454b-9D96-971714E1BCC9}.exe
1280	{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe
1264	{9DB0AEF0-35D7-4287-ACBA-0FCC3F6F64A7}.exe
1872	{5DF378AD-794F-4ef9-8B80-97FA5E909366}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe	{B248718B-E77C-454b-9D96-971714E1BCC9}.exe
File created	C:\Windows\{9DB0AEF0-35D7-4287-ACBA-0FCC3F6F64A7}.exe	{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe
File created	C:\Windows\{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe	{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe
File created	C:\Windows\{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe	{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe
File created	C:\Windows\{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe	{594C29E7-70E4-4b05-9196-B864E254AABA}.exe
File created	C:\Windows\{B248718B-E77C-454b-9D96-971714E1BCC9}.exe	{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe
File created	C:\Windows\{5DF378AD-794F-4ef9-8B80-97FA5E909366}.exe	{9DB0AEF0-35D7-4287-ACBA-0FCC3F6F64A7}.exe
File created	C:\Windows\{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe
File created	C:\Windows\{594C29E7-70E4-4b05-9196-B864E254AABA}.exe	{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9DB0AEF0-35D7-4287-ACBA-0FCC3F6F64A7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5DF378AD-794F-4ef9-8B80-97FA5E909366}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{594C29E7-70E4-4b05-9196-B864E254AABA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B248718B-E77C-454b-9D96-971714E1BCC9}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1120	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe
Token: SeIncBasePriorityPrivilege	2076	{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe
Token: SeIncBasePriorityPrivilege	2704	{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe
Token: SeIncBasePriorityPrivilege	2488	{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe
Token: SeIncBasePriorityPrivilege	3020	{594C29E7-70E4-4b05-9196-B864E254AABA}.exe
Token: SeIncBasePriorityPrivilege	1488	{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe
Token: SeIncBasePriorityPrivilege	2876	{B248718B-E77C-454b-9D96-971714E1BCC9}.exe
Token: SeIncBasePriorityPrivilege	1280	{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe
Token: SeIncBasePriorityPrivilege	1264	{9DB0AEF0-35D7-4287-ACBA-0FCC3F6F64A7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 2076	1120	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe	28
PID 1120 wrote to memory of 2076	1120	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe	28
PID 1120 wrote to memory of 2076	1120	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe	28
PID 1120 wrote to memory of 2076	1120	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe	28
PID 1120 wrote to memory of 3068	1120	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe	29
PID 1120 wrote to memory of 3068	1120	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe	29
PID 1120 wrote to memory of 3068	1120	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe	29
PID 1120 wrote to memory of 3068	1120	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe	29
PID 2076 wrote to memory of 2704	2076	{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe	30
PID 2076 wrote to memory of 2704	2076	{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe	30
PID 2076 wrote to memory of 2704	2076	{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe	30
PID 2076 wrote to memory of 2704	2076	{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe	30
PID 2076 wrote to memory of 2680	2076	{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe	31
PID 2076 wrote to memory of 2680	2076	{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe	31
PID 2076 wrote to memory of 2680	2076	{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe	31
PID 2076 wrote to memory of 2680	2076	{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe	31
PID 2704 wrote to memory of 2488	2704	{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe	34
PID 2704 wrote to memory of 2488	2704	{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe	34
PID 2704 wrote to memory of 2488	2704	{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe	34
PID 2704 wrote to memory of 2488	2704	{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe	34
PID 2704 wrote to memory of 2564	2704	{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe	35
PID 2704 wrote to memory of 2564	2704	{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe	35
PID 2704 wrote to memory of 2564	2704	{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe	35
PID 2704 wrote to memory of 2564	2704	{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe	35
PID 2488 wrote to memory of 3020	2488	{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe	36
PID 2488 wrote to memory of 3020	2488	{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe	36
PID 2488 wrote to memory of 3020	2488	{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe	36
PID 2488 wrote to memory of 3020	2488	{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe	36
PID 2488 wrote to memory of 528	2488	{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe	37
PID 2488 wrote to memory of 528	2488	{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe	37
PID 2488 wrote to memory of 528	2488	{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe	37
PID 2488 wrote to memory of 528	2488	{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe	37
PID 3020 wrote to memory of 1488	3020	{594C29E7-70E4-4b05-9196-B864E254AABA}.exe	38
PID 3020 wrote to memory of 1488	3020	{594C29E7-70E4-4b05-9196-B864E254AABA}.exe	38
PID 3020 wrote to memory of 1488	3020	{594C29E7-70E4-4b05-9196-B864E254AABA}.exe	38
PID 3020 wrote to memory of 1488	3020	{594C29E7-70E4-4b05-9196-B864E254AABA}.exe	38
PID 3020 wrote to memory of 572	3020	{594C29E7-70E4-4b05-9196-B864E254AABA}.exe	39
PID 3020 wrote to memory of 572	3020	{594C29E7-70E4-4b05-9196-B864E254AABA}.exe	39
PID 3020 wrote to memory of 572	3020	{594C29E7-70E4-4b05-9196-B864E254AABA}.exe	39
PID 3020 wrote to memory of 572	3020	{594C29E7-70E4-4b05-9196-B864E254AABA}.exe	39
PID 1488 wrote to memory of 2876	1488	{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe	40
PID 1488 wrote to memory of 2876	1488	{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe	40
PID 1488 wrote to memory of 2876	1488	{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe	40
PID 1488 wrote to memory of 2876	1488	{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe	40
PID 1488 wrote to memory of 2968	1488	{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe	41
PID 1488 wrote to memory of 2968	1488	{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe	41
PID 1488 wrote to memory of 2968	1488	{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe	41
PID 1488 wrote to memory of 2968	1488	{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe	41
PID 2876 wrote to memory of 1280	2876	{B248718B-E77C-454b-9D96-971714E1BCC9}.exe	42
PID 2876 wrote to memory of 1280	2876	{B248718B-E77C-454b-9D96-971714E1BCC9}.exe	42
PID 2876 wrote to memory of 1280	2876	{B248718B-E77C-454b-9D96-971714E1BCC9}.exe	42
PID 2876 wrote to memory of 1280	2876	{B248718B-E77C-454b-9D96-971714E1BCC9}.exe	42
PID 2876 wrote to memory of 2344	2876	{B248718B-E77C-454b-9D96-971714E1BCC9}.exe	43
PID 2876 wrote to memory of 2344	2876	{B248718B-E77C-454b-9D96-971714E1BCC9}.exe	43
PID 2876 wrote to memory of 2344	2876	{B248718B-E77C-454b-9D96-971714E1BCC9}.exe	43
PID 2876 wrote to memory of 2344	2876	{B248718B-E77C-454b-9D96-971714E1BCC9}.exe	43
PID 1280 wrote to memory of 1264	1280	{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe	44
PID 1280 wrote to memory of 1264	1280	{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe	44
PID 1280 wrote to memory of 1264	1280	{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe	44
PID 1280 wrote to memory of 1264	1280	{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe	44
PID 1280 wrote to memory of 2352	1280	{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe	45
PID 1280 wrote to memory of 2352	1280	{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe	45
PID 1280 wrote to memory of 2352	1280	{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe	45
PID 1280 wrote to memory of 2352	1280	{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe	45

C:\Users\Admin\AppData\Local\Temp\c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe
"C:\Users\Admin\AppData\Local\Temp\c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe
  C:\Windows\{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe
    C:\Windows\{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe
      C:\Windows\{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\{594C29E7-70E4-4b05-9196-B864E254AABA}.exe
        
        C:\Windows\{594C29E7-70E4-4b05-9196-B864E254AABA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Windows\{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe
        
        C:\Windows\{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\{B248718B-E77C-454b-9D96-971714E1BCC9}.exe
        
        C:\Windows\{B248718B-E77C-454b-9D96-971714E1BCC9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe
        
        C:\Windows\{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\{9DB0AEF0-35D7-4287-ACBA-0FCC3F6F64A7}.exe
        
        C:\Windows\{9DB0AEF0-35D7-4287-ACBA-0FCC3F6F64A7}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
        
        C:\Windows\{5DF378AD-794F-4ef9-8B80-97FA5E909366}.exe
        
        C:\Windows\{5DF378AD-794F-4ef9-8B80-97FA5E909366}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DB0A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2568A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2487~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABCBB~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{594C2~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:572
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95BB4~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D1586~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4D901~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C5A86B~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2568A60A-2E0D-4b8f-A0C1-9A43D1DBDDD3}.exe

Filesize
60KB

MD5
c7bdc7929996bccd069ac10a2660c1c0

SHA1
b670bb34a82dc7dd9b6cf413cd864bd9996ed65a

SHA256
7891574fc9b997b10757687c3905d4e67d3ed3834f5d7dc322fc221f5b3a30de

SHA512
c6131caae092ce30b21dd23c8abea35b6debfdcd0b9a953e9880560f5b7bb3b5f732f99e0f3ed5ab40de7895a9d11326c18fecc194eb78dde6cb4bccbc17eab6

Download Submit
C:\Windows\{4D90179D-DE1F-460d-A68E-FF766C56327D}.exe

Filesize
60KB

MD5
c55c4b491fc0a18478ad7cc50b94d730

SHA1
e06e7b171084c8770c9b2cdde8821894f740b970

SHA256
68854dc1c7ca5ddc063649d46f6288dea9d5a983ee04cc48cc59b875568ea074

SHA512
b08eb68a5751c9fba727d6a1f6cb4d26645aa3fec02db21a86b074c1c48a196d3edf3d22243dbf154e027a858f497532e3b17b163d238cb3af6a4225835b8041

Download Submit
C:\Windows\{594C29E7-70E4-4b05-9196-B864E254AABA}.exe

Filesize
60KB

MD5
d3df01980cdc86d630ffef48dbaa2f38

SHA1
cefc32ebfef703016339b7616abcd3caca5997f1

SHA256
52e5bd7d2c68e27311f8b3aeb63d507e4dec7d26f951927f80ace2961fd4c90c

SHA512
88559540286cd11892bcc5c183a09a008369f1f399b268152a865458204d5c8c2e281ad385a42e7a5d93527bf2e4fddde0700853c058f4fc1864a264cd0eb215

Download Submit
C:\Windows\{5DF378AD-794F-4ef9-8B80-97FA5E909366}.exe

Filesize
60KB

MD5
078351335a0c38c9a6c541dffeda2dfc

SHA1
b766740fc3d84c8feddc599b24272cfeee9e6871

SHA256
008b6c1ac8e188363654b0937f0020916e28135728d80e55cbbe529c0e19205d

SHA512
3428b5b3f3fad8f17434f2490687a2c517e79eb454ec1982a81bf84b6de8133b0108d040a13523848338b23ca4f8abd087a14f5f7e12a5c7a1ac885f2575218b

Download Submit
C:\Windows\{95BB464F-33C8-48cb-93A7-A7181D47CFB5}.exe

Filesize
60KB

MD5
6e814eec7589f0ba6dad005b396992b7

SHA1
a4b80992c01bfed4d6901c29dcfd2eaf93864d37

SHA256
f46cc2e2cf091f99c46c13af01a4aac19c1e955c799743ee2dc4ef51ca429965

SHA512
73c6214355d6a34455d9f5401a87a150128c2e6600acbafdd71a7e9a64e686cd1e89801f3720a03de47a86632db33a0be90ecdefb301e0b42f8dd7c6c2004ee3

Download Submit
C:\Windows\{9DB0AEF0-35D7-4287-ACBA-0FCC3F6F64A7}.exe

Filesize
60KB

MD5
568db03cf837c284fc35d243a11f8c05

SHA1
3e416d0d646e2b9ffc806389977ec7b3bf1887ea

SHA256
ff190c57b7fb80a5aaf170a510278921506451e8b48b68afb42c8715749f2bb3

SHA512
812192930f3addc7a58b8c37d0abcb2538ec0724722e52ac89dcae866c69b132902eda1ecee96911f5d368da945a26d0bcc1d3ad6efec2c96a6ad3eba724ab43

Download Submit
C:\Windows\{ABCBBD27-788A-4947-833E-7BBB9685A0C9}.exe

Filesize
60KB

MD5
23847b6ca92107bf93c5aa080a20b0ef

SHA1
a50fdd6f2ab242b8b72bfa06684185006aff07d4

SHA256
64c9d170863f2ff1a64836a42f0329c078280f2c4aacd4efe97ef9ba2b2b24a7

SHA512
ae65b8bb008c2282aae9c04b7992b1b79af7358da8e347de06d5be68c387cd656ee01bd9061eb8a8849f3737420fc68d8cbca45bac483b6145c5dd392e439a9a

Download Submit
C:\Windows\{B248718B-E77C-454b-9D96-971714E1BCC9}.exe

Filesize
60KB

MD5
a772b3967808b4fa1aa9a9dd2e330182

SHA1
f2d0bf1f4956b0af8cdd7efe10e6c034abba08a4

SHA256
eb1d4124c3e20c0b85cfaa148dca1b7678dacfba40519e5ce00d556927bf6f7f

SHA512
bb79aff4033ea4ca24485555589210e48c6c472ac7313778a52458432b4bae5f4e5742063b1ef6c2564b959b739cc80e9f7d204c58ed5bb64ddceaa456988c37

Download Submit
C:\Windows\{D158662C-EEC3-40b3-9129-A0901111CBFE}.exe

Filesize
60KB

MD5
ebc8bd1abe9d0e017c30a7f4f97b93a2

SHA1
027560f9294b5028f2d3c5551ee556b2005c2496

SHA256
2f58ced18cc81221083ea7574fe88c27a55c0e9b913adb0e859f43c0a7293d9c

SHA512
b5a874ea6b0e2f01bd381b62ed6273c7b2e6cf969659d42669cc364cd3fd6c94809dbb629bcb84ba29a5c7ebb1043839d897b0c98fa78e8e47ccaa587b685ae8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads