c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64

Analysis

max time kernel
118s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe
Size

60KB
MD5

be21c669edc51f80375725f29c426df0
SHA1

d73329c6068088ec2291a3bdeee905bec910e9b4
SHA256

c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64
SHA512

770775ccdca40b58474b51928da82eef450b65e879a12370b24fd614d455644c615f6e4237491496b381a7e798fdeac38688f068579eb2d61dfa901bc041b138
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwPjlY04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroLX4/CFsrd

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F2B47C2-4225-4ecd-8F53-D96B8430A242}	{A7DA6F40-8932-49b3-A080-160A05620056}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80F8863C-6F58-46f8-9F6C-95533A63F753}	{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80F8863C-6F58-46f8-9F6C-95533A63F753}\stubpath = "C:\\Windows\\{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe"	{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}	{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}	{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7DA6F40-8932-49b3-A080-160A05620056}\stubpath = "C:\\Windows\\{A7DA6F40-8932-49b3-A080-160A05620056}.exe"	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6999230B-394C-4256-8B54-D382FBB87C92}	{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}\stubpath = "C:\\Windows\\{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe"	{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2C5693C-D7FB-445a-9505-B8D9D57A1665}	{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F2B47C2-4225-4ecd-8F53-D96B8430A242}\stubpath = "C:\\Windows\\{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe"	{A7DA6F40-8932-49b3-A080-160A05620056}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}\stubpath = "C:\\Windows\\{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe"	{6999230B-394C-4256-8B54-D382FBB87C92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}\stubpath = "C:\\Windows\\{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe"	{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B500E3E-8FB7-46f6-9959-0A2218F7F707}	{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B500E3E-8FB7-46f6-9959-0A2218F7F707}\stubpath = "C:\\Windows\\{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe"	{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6999230B-394C-4256-8B54-D382FBB87C92}\stubpath = "C:\\Windows\\{6999230B-394C-4256-8B54-D382FBB87C92}.exe"	{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}	{6999230B-394C-4256-8B54-D382FBB87C92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2C5693C-D7FB-445a-9505-B8D9D57A1665}\stubpath = "C:\\Windows\\{F2C5693C-D7FB-445a-9505-B8D9D57A1665}.exe"	{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7DA6F40-8932-49b3-A080-160A05620056}	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe

Executes dropped EXE 9 IoCs

pid	Process
4852	{A7DA6F40-8932-49b3-A080-160A05620056}.exe
4948	{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe
4508	{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe
228	{6999230B-394C-4256-8B54-D382FBB87C92}.exe
3836	{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe
2560	{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe
1428	{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe
4016	{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe
2256	{F2C5693C-D7FB-445a-9505-B8D9D57A1665}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe	{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe
File created	C:\Windows\{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe	{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe
File created	C:\Windows\{A7DA6F40-8932-49b3-A080-160A05620056}.exe	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe
File created	C:\Windows\{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe	{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe
File created	C:\Windows\{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe	{6999230B-394C-4256-8B54-D382FBB87C92}.exe
File created	C:\Windows\{F2C5693C-D7FB-445a-9505-B8D9D57A1665}.exe	{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe
File created	C:\Windows\{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe	{A7DA6F40-8932-49b3-A080-160A05620056}.exe
File created	C:\Windows\{6999230B-394C-4256-8B54-D382FBB87C92}.exe	{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe
File created	C:\Windows\{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe	{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6999230B-394C-4256-8B54-D382FBB87C92}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7DA6F40-8932-49b3-A080-160A05620056}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F2C5693C-D7FB-445a-9505-B8D9D57A1665}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3388	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe
Token: SeIncBasePriorityPrivilege	4852	{A7DA6F40-8932-49b3-A080-160A05620056}.exe
Token: SeIncBasePriorityPrivilege	4948	{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe
Token: SeIncBasePriorityPrivilege	4508	{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe
Token: SeIncBasePriorityPrivilege	228	{6999230B-394C-4256-8B54-D382FBB87C92}.exe
Token: SeIncBasePriorityPrivilege	3836	{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe
Token: SeIncBasePriorityPrivilege	2560	{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe
Token: SeIncBasePriorityPrivilege	1428	{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe
Token: SeIncBasePriorityPrivilege	4016	{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 4852	3388	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe	93
PID 3388 wrote to memory of 4852	3388	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe	93
PID 3388 wrote to memory of 4852	3388	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe	93
PID 3388 wrote to memory of 404	3388	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe	94
PID 3388 wrote to memory of 404	3388	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe	94
PID 3388 wrote to memory of 404	3388	c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe	94
PID 4852 wrote to memory of 4948	4852	{A7DA6F40-8932-49b3-A080-160A05620056}.exe	96
PID 4852 wrote to memory of 4948	4852	{A7DA6F40-8932-49b3-A080-160A05620056}.exe	96
PID 4852 wrote to memory of 4948	4852	{A7DA6F40-8932-49b3-A080-160A05620056}.exe	96
PID 4852 wrote to memory of 1244	4852	{A7DA6F40-8932-49b3-A080-160A05620056}.exe	97
PID 4852 wrote to memory of 1244	4852	{A7DA6F40-8932-49b3-A080-160A05620056}.exe	97
PID 4852 wrote to memory of 1244	4852	{A7DA6F40-8932-49b3-A080-160A05620056}.exe	97
PID 4948 wrote to memory of 4508	4948	{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe	102
PID 4948 wrote to memory of 4508	4948	{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe	102
PID 4948 wrote to memory of 4508	4948	{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe	102
PID 4948 wrote to memory of 2892	4948	{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe	103
PID 4948 wrote to memory of 2892	4948	{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe	103
PID 4948 wrote to memory of 2892	4948	{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe	103
PID 4508 wrote to memory of 228	4508	{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe	104
PID 4508 wrote to memory of 228	4508	{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe	104
PID 4508 wrote to memory of 228	4508	{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe	104
PID 4508 wrote to memory of 2180	4508	{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe	105
PID 4508 wrote to memory of 2180	4508	{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe	105
PID 4508 wrote to memory of 2180	4508	{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe	105
PID 228 wrote to memory of 3836	228	{6999230B-394C-4256-8B54-D382FBB87C92}.exe	106
PID 228 wrote to memory of 3836	228	{6999230B-394C-4256-8B54-D382FBB87C92}.exe	106
PID 228 wrote to memory of 3836	228	{6999230B-394C-4256-8B54-D382FBB87C92}.exe	106
PID 228 wrote to memory of 1976	228	{6999230B-394C-4256-8B54-D382FBB87C92}.exe	107
PID 228 wrote to memory of 1976	228	{6999230B-394C-4256-8B54-D382FBB87C92}.exe	107
PID 228 wrote to memory of 1976	228	{6999230B-394C-4256-8B54-D382FBB87C92}.exe	107
PID 3836 wrote to memory of 2560	3836	{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe	109
PID 3836 wrote to memory of 2560	3836	{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe	109
PID 3836 wrote to memory of 2560	3836	{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe	109
PID 3836 wrote to memory of 3692	3836	{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe	110
PID 3836 wrote to memory of 3692	3836	{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe	110
PID 3836 wrote to memory of 3692	3836	{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe	110
PID 2560 wrote to memory of 1428	2560	{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe	111
PID 2560 wrote to memory of 1428	2560	{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe	111
PID 2560 wrote to memory of 1428	2560	{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe	111
PID 2560 wrote to memory of 3380	2560	{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe	112
PID 2560 wrote to memory of 3380	2560	{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe	112
PID 2560 wrote to memory of 3380	2560	{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe	112
PID 1428 wrote to memory of 4016	1428	{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe	115
PID 1428 wrote to memory of 4016	1428	{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe	115
PID 1428 wrote to memory of 4016	1428	{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe	115
PID 1428 wrote to memory of 1872	1428	{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe	116
PID 1428 wrote to memory of 1872	1428	{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe	116
PID 1428 wrote to memory of 1872	1428	{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe	116
PID 4016 wrote to memory of 2256	4016	{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe	123
PID 4016 wrote to memory of 2256	4016	{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe	123
PID 4016 wrote to memory of 2256	4016	{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe	123
PID 4016 wrote to memory of 2404	4016	{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe	124
PID 4016 wrote to memory of 2404	4016	{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe	124
PID 4016 wrote to memory of 2404	4016	{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe	124

C:\Users\Admin\AppData\Local\Temp\c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe
"C:\Users\Admin\AppData\Local\Temp\c5a86ba9def40fe4f313fa19c1db24d053cad1834f62d804cb83dd904e97ef64N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Windows\{A7DA6F40-8932-49b3-A080-160A05620056}.exe
  C:\Windows\{A7DA6F40-8932-49b3-A080-160A05620056}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe
    C:\Windows\{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe
      C:\Windows\{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4508
    - - C:\Windows\{6999230B-394C-4256-8B54-D382FBB87C92}.exe
        
        C:\Windows\{6999230B-394C-4256-8B54-D382FBB87C92}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:228
      - C:\Windows\{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe
        
        C:\Windows\{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe
        
        C:\Windows\{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe
        
        C:\Windows\{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe
        
        C:\Windows\{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\{F2C5693C-D7FB-445a-9505-B8D9D57A1665}.exe
        
        C:\Windows\{F2C5693C-D7FB-445a-9505-B8D9D57A1665}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B500~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4924A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DB6A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0BF4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69992~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80F88~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6F2B4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A7DA6~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C5A86B~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3DB6AEF3-EDEC-4b8e-92F5-BAB5D07EC320}.exe

Filesize
60KB

MD5
0157d4c3336acd1fe897a4ba7dd7bdbb

SHA1
5cbbfdf624585b87c3c111b424fbcafd5fd9ee69

SHA256
b75d6cdfcdc4c9f2b0166282ba71805776e1179364cfc6460cb7743ebf0db727

SHA512
00e57a0a7b7c250805d157f5819cd14c55e370f4c1c6961f34657be5867a017c05f9b96a3e5fd77e14d1895065009b143d8a2940c574dc241d20a738135af1a4

Download Submit
C:\Windows\{4924A6F4-ED8C-4868-A9D3-4DD22D311E28}.exe

Filesize
60KB

MD5
6b23909143f49443a59298180a15d8da

SHA1
068f1d10d3d361ea310aeed66fbe03a63ea90f73

SHA256
02125181a6b0294511be4cb0099f94d1db6c81322af1cfdbc475023d1fbe9314

SHA512
96de52a7b54a6455a49c13d7466dfa5acc7d335ebe24c4709e1762f585dabdbd72d80e40b1292d9470698cfef93e92ebbe36c38826bd5ed5ed59f9437848028f

Download Submit
C:\Windows\{6999230B-394C-4256-8B54-D382FBB87C92}.exe

Filesize
60KB

MD5
4d62dfff1fe72813b44ab7fabc86a079

SHA1
ece51af428381cc806dede99597c081145bf8d40

SHA256
8a2fb07b2507f88cb4a0cc846bc2ba7b034e6b88563c8949258ce1fd433d3919

SHA512
dfb4aa85591d286bbc9f55b0cef71fb13135b1d130cee55754712ba15e5e6553f0e423abbd5f17941f0b2867efe06529bf0bc84212b9d0482499428c2858f48d

Download Submit
C:\Windows\{6F2B47C2-4225-4ecd-8F53-D96B8430A242}.exe

Filesize
60KB

MD5
b9c38602e8cc26c91bf8a90d9f8ff784

SHA1
6b1d9cd3d4391de9b8dbe13bad1c7857bb00cc2c

SHA256
f2d496896c454c84dda27056d263cb8a3601e6a43971e992b056d41de7186308

SHA512
aaea3dfaf258ae5cd208b056fd2d6cc874718da03aac1c075bcdd2e5e73334b262554b5860b6082ed253a5bc0105d2c9280cf634d937124728ea96dbad5a27d1

Download Submit
C:\Windows\{80F8863C-6F58-46f8-9F6C-95533A63F753}.exe

Filesize
60KB

MD5
04b7a64a403cab6e283b38c4c67fe71a

SHA1
3fa2acdd04671a68aef83641914ba3a6086dd047

SHA256
1da4c131460f5c32c2e8fdebb09c5b41b667809a728a5f3f9cb8dbf45bae308d

SHA512
4ae3c0b9bfd11ab77c23d139405b17be2416f404aa0eb741c088a343832aa744f81e18e1f499e9bedfb668ab8337cf26ef5db1d6d09a05765c47ce608a275ef4

Download Submit
C:\Windows\{9B500E3E-8FB7-46f6-9959-0A2218F7F707}.exe

Filesize
60KB

MD5
df0f41c77531da1dd222a1d50193ad4a

SHA1
aef967f507155a25dd9de52f0558e307a1b98820

SHA256
5fd3c7e6dcd300b168249b4496159bec67544214935923ad6eb185fab98d5a3f

SHA512
60e41deaf5f70112ed0ab1824788b3bdf6beaf9c6e48405e47b90b7c6a875171995990a97fbf65255d2489e2c4a287ed2b15b7a5bb602989bc4fd22a59ae986d

Download Submit
C:\Windows\{A0BF47E6-3B14-4eb8-AE43-2303FB8F3BBC}.exe

Filesize
60KB

MD5
0620b1fa5355b527cff96ddfa85447d9

SHA1
58f9fe5e70b5dea6046b2ebdecc8aa9d43a9666d

SHA256
2ca90dacdb9445f9b8d45ba44975fe439ebd6b7528754e20e361a12f39773a95

SHA512
f340a6dbc953fdebb145794a71b138055bdc5eefc40ff493d4519e93e24d9694bd6b30d4af766039b9921b01c30a86339e45b0f9ebfa573c0292ebd2dc0925ca

Download Submit
C:\Windows\{A7DA6F40-8932-49b3-A080-160A05620056}.exe

Filesize
60KB

MD5
ec412983d2c106058c8f48c3b86e04bb

SHA1
9ca7c1c4cb7d1dbff9aff1055fc3aeca18e08fa2

SHA256
8acd733e62324a558e36732646df4515e3a644a427c1eabd07fbf70b45e959dc

SHA512
44c5068b24c99c20c5f10ae9b9bc649a180d481a4c6c2c3e8d33c56a33da7abf052287e5c550887c0eba993d46dcea180f8d389b9fd5bd555696ffc637c61bfa

Download Submit
C:\Windows\{F2C5693C-D7FB-445a-9505-B8D9D57A1665}.exe

Filesize
60KB

MD5
db6fd1eb33eab18a19aa2e511fdab9db

SHA1
dc20735b7f6eaf0cd3b427b08c3a6057a6e698db

SHA256
411d4634fb8732053a52920e883c46bb6cafbeb250afbc54002afae211691157

SHA512
e1ac71e7caccc068b371ffefbc59e4e27c786342b30a20c59b4ea0c2f5ff1ed48c7eec9cae4d840613105e7daeccf3247416d67bb2cec5afdf3acee61b0edc11

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads