0029d5608a9f5f9678052c58ed7ff7e1ce9f7757df4a31aa6ccd5b8e6b8b1672

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0029d5608a9f5f9678052c58ed7ff7e1ce9f7757df4a31aa6ccd5b8e6b8b1672N.exe
Size

88KB
MD5

b5b72c0c2bb52f657abfc233281f3220
SHA1

09de6b54317b406f984dcaf45d6b08dda2a46fd8
SHA256

0029d5608a9f5f9678052c58ed7ff7e1ce9f7757df4a31aa6ccd5b8e6b8b1672
SHA512

8b5c584058e7df57170c6be10dc9a68da35eb9a2ee3761d8db69dbbf8f552e6cddfe1d148a8c1cf6a344669af704af30118d4c5776970f3bb74e262d171a7b0d
SSDEEP

768:5vw9816thKQLroD4/wQkNrfrunMxVFA3V:lEG/0oDlbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A102268-7B38-416f-BD3B-56C25043EC98}	0029d5608a9f5f9678052c58ed7ff7e1ce9f7757df4a31aa6ccd5b8e6b8b1672N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A102268-7B38-416f-BD3B-56C25043EC98}\stubpath = "C:\\Windows\\{7A102268-7B38-416f-BD3B-56C25043EC98}.exe"	0029d5608a9f5f9678052c58ed7ff7e1ce9f7757df4a31aa6ccd5b8e6b8b1672N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC031A26-2303-4626-BED6-81E536D7B6D3}	{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC031A26-2303-4626-BED6-81E536D7B6D3}\stubpath = "C:\\Windows\\{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe"	{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}	{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}	{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91C86F71-9D07-4102-BA53-EBA4E85B832A}	{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97AD1054-D100-4052-8966-1CAEBF256A29}	{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97AD1054-D100-4052-8966-1CAEBF256A29}\stubpath = "C:\\Windows\\{97AD1054-D100-4052-8966-1CAEBF256A29}.exe"	{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}\stubpath = "C:\\Windows\\{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe"	{97AD1054-D100-4052-8966-1CAEBF256A29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}\stubpath = "C:\\Windows\\{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe"	{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{843E19AB-F622-4475-A788-1B8B732600A2}	{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{843E19AB-F622-4475-A788-1B8B732600A2}\stubpath = "C:\\Windows\\{843E19AB-F622-4475-A788-1B8B732600A2}.exe"	{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}	{7A102268-7B38-416f-BD3B-56C25043EC98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91C86F71-9D07-4102-BA53-EBA4E85B832A}\stubpath = "C:\\Windows\\{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe"	{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}\stubpath = "C:\\Windows\\{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe"	{7A102268-7B38-416f-BD3B-56C25043EC98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}	{97AD1054-D100-4052-8966-1CAEBF256A29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}\stubpath = "C:\\Windows\\{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe"	{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe

Executes dropped EXE 9 IoCs

pid	Process
4600	{7A102268-7B38-416f-BD3B-56C25043EC98}.exe
2652	{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe
4624	{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe
2972	{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe
2200	{97AD1054-D100-4052-8966-1CAEBF256A29}.exe
2220	{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe
1228	{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe
4040	{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe
184	{843E19AB-F622-4475-A788-1B8B732600A2}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe	{7A102268-7B38-416f-BD3B-56C25043EC98}.exe
File created	C:\Windows\{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe	{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe
File created	C:\Windows\{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe	{97AD1054-D100-4052-8966-1CAEBF256A29}.exe
File created	C:\Windows\{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe	{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe
File created	C:\Windows\{843E19AB-F622-4475-A788-1B8B732600A2}.exe	{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe
File created	C:\Windows\{7A102268-7B38-416f-BD3B-56C25043EC98}.exe	0029d5608a9f5f9678052c58ed7ff7e1ce9f7757df4a31aa6ccd5b8e6b8b1672N.exe
File created	C:\Windows\{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe	{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe
File created	C:\Windows\{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe	{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe
File created	C:\Windows\{97AD1054-D100-4052-8966-1CAEBF256A29}.exe	{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{843E19AB-F622-4475-A788-1B8B732600A2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{97AD1054-D100-4052-8966-1CAEBF256A29}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0029d5608a9f5f9678052c58ed7ff7e1ce9f7757df4a31aa6ccd5b8e6b8b1672N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7A102268-7B38-416f-BD3B-56C25043EC98}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4808	0029d5608a9f5f9678052c58ed7ff7e1ce9f7757df4a31aa6ccd5b8e6b8b1672N.exe
Token: SeIncBasePriorityPrivilege	4600	{7A102268-7B38-416f-BD3B-56C25043EC98}.exe
Token: SeIncBasePriorityPrivilege	2652	{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe
Token: SeIncBasePriorityPrivilege	4624	{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe
Token: SeIncBasePriorityPrivilege	2972	{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe
Token: SeIncBasePriorityPrivilege	2200	{97AD1054-D100-4052-8966-1CAEBF256A29}.exe
Token: SeIncBasePriorityPrivilege	2220	{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe
Token: SeIncBasePriorityPrivilege	1228	{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe
Token: SeIncBasePriorityPrivilege	4040	{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4600	4808	0029d5608a9f5f9678052c58ed7ff7e1ce9f7757df4a31aa6ccd5b8e6b8b1672N.exe	89
PID 4808 wrote to memory of 4600	4808	0029d5608a9f5f9678052c58ed7ff7e1ce9f7757df4a31aa6ccd5b8e6b8b1672N.exe	89
PID 4808 wrote to memory of 4600	4808	0029d5608a9f5f9678052c58ed7ff7e1ce9f7757df4a31aa6ccd5b8e6b8b1672N.exe	89
PID 4808 wrote to memory of 4124	4808	0029d5608a9f5f9678052c58ed7ff7e1ce9f7757df4a31aa6ccd5b8e6b8b1672N.exe	90
PID 4808 wrote to memory of 4124	4808	0029d5608a9f5f9678052c58ed7ff7e1ce9f7757df4a31aa6ccd5b8e6b8b1672N.exe	90
PID 4808 wrote to memory of 4124	4808	0029d5608a9f5f9678052c58ed7ff7e1ce9f7757df4a31aa6ccd5b8e6b8b1672N.exe	90
PID 4600 wrote to memory of 2652	4600	{7A102268-7B38-416f-BD3B-56C25043EC98}.exe	91
PID 4600 wrote to memory of 2652	4600	{7A102268-7B38-416f-BD3B-56C25043EC98}.exe	91
PID 4600 wrote to memory of 2652	4600	{7A102268-7B38-416f-BD3B-56C25043EC98}.exe	91
PID 4600 wrote to memory of 1680	4600	{7A102268-7B38-416f-BD3B-56C25043EC98}.exe	92
PID 4600 wrote to memory of 1680	4600	{7A102268-7B38-416f-BD3B-56C25043EC98}.exe	92
PID 4600 wrote to memory of 1680	4600	{7A102268-7B38-416f-BD3B-56C25043EC98}.exe	92
PID 2652 wrote to memory of 4624	2652	{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe	95
PID 2652 wrote to memory of 4624	2652	{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe	95
PID 2652 wrote to memory of 4624	2652	{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe	95
PID 2652 wrote to memory of 4456	2652	{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe	96
PID 2652 wrote to memory of 4456	2652	{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe	96
PID 2652 wrote to memory of 4456	2652	{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe	96
PID 4624 wrote to memory of 2972	4624	{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe	97
PID 4624 wrote to memory of 2972	4624	{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe	97
PID 4624 wrote to memory of 2972	4624	{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe	97
PID 4624 wrote to memory of 4312	4624	{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe	98
PID 4624 wrote to memory of 4312	4624	{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe	98
PID 4624 wrote to memory of 4312	4624	{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe	98
PID 2972 wrote to memory of 2200	2972	{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe	99
PID 2972 wrote to memory of 2200	2972	{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe	99
PID 2972 wrote to memory of 2200	2972	{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe	99
PID 2972 wrote to memory of 1988	2972	{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe	100
PID 2972 wrote to memory of 1988	2972	{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe	100
PID 2972 wrote to memory of 1988	2972	{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe	100
PID 2200 wrote to memory of 2220	2200	{97AD1054-D100-4052-8966-1CAEBF256A29}.exe	101
PID 2200 wrote to memory of 2220	2200	{97AD1054-D100-4052-8966-1CAEBF256A29}.exe	101
PID 2200 wrote to memory of 2220	2200	{97AD1054-D100-4052-8966-1CAEBF256A29}.exe	101
PID 2200 wrote to memory of 3012	2200	{97AD1054-D100-4052-8966-1CAEBF256A29}.exe	102
PID 2200 wrote to memory of 3012	2200	{97AD1054-D100-4052-8966-1CAEBF256A29}.exe	102
PID 2200 wrote to memory of 3012	2200	{97AD1054-D100-4052-8966-1CAEBF256A29}.exe	102
PID 2220 wrote to memory of 1228	2220	{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe	103
PID 2220 wrote to memory of 1228	2220	{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe	103
PID 2220 wrote to memory of 1228	2220	{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe	103
PID 2220 wrote to memory of 2552	2220	{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe	104
PID 2220 wrote to memory of 2552	2220	{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe	104
PID 2220 wrote to memory of 2552	2220	{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe	104
PID 1228 wrote to memory of 4040	1228	{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe	105
PID 1228 wrote to memory of 4040	1228	{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe	105
PID 1228 wrote to memory of 4040	1228	{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe	105
PID 1228 wrote to memory of 2664	1228	{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe	106
PID 1228 wrote to memory of 2664	1228	{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe	106
PID 1228 wrote to memory of 2664	1228	{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe	106
PID 4040 wrote to memory of 184	4040	{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe	107
PID 4040 wrote to memory of 184	4040	{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe	107
PID 4040 wrote to memory of 184	4040	{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe	107
PID 4040 wrote to memory of 2008	4040	{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe	108
PID 4040 wrote to memory of 2008	4040	{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe	108
PID 4040 wrote to memory of 2008	4040	{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe	108

C:\Users\Admin\AppData\Local\Temp\0029d5608a9f5f9678052c58ed7ff7e1ce9f7757df4a31aa6ccd5b8e6b8b1672N.exe
"C:\Users\Admin\AppData\Local\Temp\0029d5608a9f5f9678052c58ed7ff7e1ce9f7757df4a31aa6ccd5b8e6b8b1672N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\{7A102268-7B38-416f-BD3B-56C25043EC98}.exe
  C:\Windows\{7A102268-7B38-416f-BD3B-56C25043EC98}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe
    C:\Windows\{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe
      C:\Windows\{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4624
    - - C:\Windows\{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe
        
        C:\Windows\{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
      - C:\Windows\{97AD1054-D100-4052-8966-1CAEBF256A29}.exe
        
        C:\Windows\{97AD1054-D100-4052-8966-1CAEBF256A29}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe
        
        C:\Windows\{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe
        
        C:\Windows\{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe
        
        C:\Windows\{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\{843E19AB-F622-4475-A788-1B8B732600A2}.exe
        
        C:\Windows\{843E19AB-F622-4475-A788-1B8B732600A2}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B77D3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A07B5~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACB6B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97AD1~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91C86~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC031~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C4559~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7A102~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0029D5~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{7A102268-7B38-416f-BD3B-56C25043EC98}.exe

Filesize
88KB

MD5
310a77cc6ae24d2d9edb69c6768d0c38

SHA1
d3bc47c64644565b902ba6e80dd0ade2176ff67a

SHA256
836810d55a814607d3b393513c214ff20f9389835970fcaaeeae7a4c11d158a5

SHA512
bd990988f607a7c5cc355da24e291692b4b782cb3c9927f3b3ab57990983d3653746b6973752cf42b550740c21621f17f5443908af56b6678ebe3bc6e0629afb

Download Submit
C:\Windows\{843E19AB-F622-4475-A788-1B8B732600A2}.exe

Filesize
88KB

MD5
de249d3a5d48a216e725a01338e4f842

SHA1
d92a2ae6656596886f3c4a4089de38fd4a5f5531

SHA256
b539839d93b2d83be849f813fc1048b827ebe7214144b77ed6a026eb0cb2cf92

SHA512
ba849984948aba68459d162b4335dd12c5ad308a1185c12e85d65948467d9083838223b788dcb90a12ae833450f1c6db80f3e319e498a3b144c6822f9f9c15d3

Download Submit
C:\Windows\{91C86F71-9D07-4102-BA53-EBA4E85B832A}.exe

Filesize
88KB

MD5
775c56a78caf90fb06fb2a59ba705785

SHA1
23f9946566bb5b035c988a21e33afd3fd1f01adf

SHA256
9b4f5210930e6251a1a3aea5dd0c319f9a6b443f8d798a408b9cd56ce3216ead

SHA512
f1c68c4d11d0be162b47d283f498283406fd47c550e91c76fb0ada185336cb126fc19cf57173078e737d123b2c1161ceae967d2c316c83f6126374c1ecc397d8

Download Submit
C:\Windows\{97AD1054-D100-4052-8966-1CAEBF256A29}.exe

Filesize
88KB

MD5
1d057feccc9b66c9793e3db5ff27def2

SHA1
de78a6bc3bd968997c9dfc25ee57a3b9b3faf307

SHA256
a09c2341040b45c3bb00ec8994656b2a7d0a5b36b61b7b61b72b343a26801601

SHA512
2d4b846fb09ef50cbdc360378cf397226e4d039299a48d015a73770641f4c07fa9a6ec6106ba9e9fe21dd8489eed517ff75b81813eeee26d58b64c3c7c0fc4ca

Download Submit
C:\Windows\{A07B5918-7EA7-4217-9A5C-07CDC6BED8C9}.exe

Filesize
88KB

MD5
5af805efade3ba46caaddc0056a56061

SHA1
253b0a9cbdbcbae737ddabcf8ba0074846082890

SHA256
62ef990458029237659ccdcb937bf4b4d795631f60a36a5dd80ffffe0c55ead2

SHA512
35a73ccb4d5abe1af66617dd46b4064b0376f0b4eb2af512b6d9f16021fe7d6c43a7d7cbd23ebe0c79d3a98aaf57681af061e923f6cd80864bfc7de547377121

Download Submit
C:\Windows\{ACB6BF80-9FA3-44c4-A1D4-A036C4629C0B}.exe

Filesize
88KB

MD5
bea6fa6bd3b28f9997420d560a82af2f

SHA1
6d0b5aba136d52b0e06938263cd3d96e02dcc3b1

SHA256
b927a202063cbc0fd0612361c7caa332e3a39fdd7e7d053569bdafe4bb85ef29

SHA512
b21edf6b1edb954d7de489e4b34ee36691d062f514b2c6d1416a315ad3d9882005a5dda3a8d6fe62f0d446a7ca0952662d8db1dec638c6c8d2cae4cedee42502

Download Submit
C:\Windows\{B77D35A2-4E5A-4240-B9D1-6FBDDD8229C0}.exe

Filesize
88KB

MD5
1f79f3d39780909ddb2b1c4430e4a5c4

SHA1
a2092cc35839d55f97ded830f3857350c0c5d70b

SHA256
5b5d299b3746b0d56854af0e9df8707ed5e6d07ceac78b9fb7bf90f48345287b

SHA512
af780a20c170c20cf76733b623473f02664bd8d565b03537a98c8771f8ae67907b860ae005c25e103c6774a9d635dece50244f0afd0645ed768710e6dde2a83a

Download Submit
C:\Windows\{BC031A26-2303-4626-BED6-81E536D7B6D3}.exe

Filesize
88KB

MD5
feb0df067a60c254e2ad720deb316554

SHA1
558d76c15933da2398238a6207c9f016325deed7

SHA256
65453758f33eebd17e8ff636b2e63768f0df19394541ff49a217ac6e33d60258

SHA512
5328213d94a34c3c3823b8a9aa4d493c8da096222fe61ab7300dcb73b9cc527228a6da8861b385afcb2834db02c298d3e845a98107c14fa0049c02c1026b15da

Download Submit
C:\Windows\{C45599CD-88B3-4aab-A5DE-0ABEEDA6B359}.exe

Filesize
88KB

MD5
65bb4e35faaad727df2f7280280855e7

SHA1
abf68b981125aeab7967b5d8f1cb6052f7cf589f

SHA256
b4125c2112213ea3a3f20b2af7c48f62d8baa3c882b7375c155f875cdb0f64b6

SHA512
f941d7504780ee8d58c777a88770b0c686a12e2399932058426cd2543e26287a6bc04ec025e0998ff60cfb1716f71a315bca515053a5a640e792acaaecb9fe31

Download Submit
memory/184-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1228-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1228-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2200-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2200-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2220-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2220-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2652-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2652-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2972-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2972-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4040-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4040-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4600-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4600-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4600-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4624-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4624-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4808-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4808-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4808-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads