8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7

Analysis

max time kernel
119s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 00:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7N.exe
Size

88KB
MD5

0c177329844006ca35f6b047b04b47a0
SHA1

9b46f040e4e49822d7fabacfd848947eef34f546
SHA256

8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7
SHA512

3d54a6c15c97852ec7735972fcf373f4e1012fba7110b34f80e5e6aa0dc29873aec6983a2810995493e35f03b3fb6a9badac17632dae3d823d3fedf6f021aa19
SSDEEP

768:5vw9816thKQLrob/4/wQkNrfrunMxVFA3V:lEG/0ojlbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8297B712-9A0B-4015-882C-13B3D09B5933}	{995950C3-9DA6-4348-9796-08D682687EFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B1236BF-00CC-43f8-8602-943BB98C8637}	{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C10CC4C-CD46-4fe0-BBCD-4D4DA584F85A}	{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C10CC4C-CD46-4fe0-BBCD-4D4DA584F85A}\stubpath = "C:\\Windows\\{3C10CC4C-CD46-4fe0-BBCD-4D4DA584F85A}.exe"	{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{020B22ED-6D58-4096-9B93-8354F760C11F}	8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8297B712-9A0B-4015-882C-13B3D09B5933}\stubpath = "C:\\Windows\\{8297B712-9A0B-4015-882C-13B3D09B5933}.exe"	{995950C3-9DA6-4348-9796-08D682687EFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81054105-450F-43ff-98E6-5108E02D711A}	{020B22ED-6D58-4096-9B93-8354F760C11F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81054105-450F-43ff-98E6-5108E02D711A}\stubpath = "C:\\Windows\\{81054105-450F-43ff-98E6-5108E02D711A}.exe"	{020B22ED-6D58-4096-9B93-8354F760C11F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}	{81054105-450F-43ff-98E6-5108E02D711A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}\stubpath = "C:\\Windows\\{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe"	{81054105-450F-43ff-98E6-5108E02D711A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{995950C3-9DA6-4348-9796-08D682687EFD}	{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{995950C3-9DA6-4348-9796-08D682687EFD}\stubpath = "C:\\Windows\\{995950C3-9DA6-4348-9796-08D682687EFD}.exe"	{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E10A209C-BD80-4036-B7E9-8458F5523F5C}\stubpath = "C:\\Windows\\{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe"	{8297B712-9A0B-4015-882C-13B3D09B5933}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B1236BF-00CC-43f8-8602-943BB98C8637}\stubpath = "C:\\Windows\\{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe"	{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3DB44A9-4713-45f3-8DD3-DCDD49D6F3AD}	{3C10CC4C-CD46-4fe0-BBCD-4D4DA584F85A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{020B22ED-6D58-4096-9B93-8354F760C11F}\stubpath = "C:\\Windows\\{020B22ED-6D58-4096-9B93-8354F760C11F}.exe"	8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E10A209C-BD80-4036-B7E9-8458F5523F5C}	{8297B712-9A0B-4015-882C-13B3D09B5933}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3DB44A9-4713-45f3-8DD3-DCDD49D6F3AD}\stubpath = "C:\\Windows\\{F3DB44A9-4713-45f3-8DD3-DCDD49D6F3AD}.exe"	{3C10CC4C-CD46-4fe0-BBCD-4D4DA584F85A}.exe

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1716	{020B22ED-6D58-4096-9B93-8354F760C11F}.exe
2760	{81054105-450F-43ff-98E6-5108E02D711A}.exe
2136	{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe
3044	{995950C3-9DA6-4348-9796-08D682687EFD}.exe
2924	{8297B712-9A0B-4015-882C-13B3D09B5933}.exe
3040	{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe
1200	{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe
2072	{3C10CC4C-CD46-4fe0-BBCD-4D4DA584F85A}.exe
1692	{F3DB44A9-4713-45f3-8DD3-DCDD49D6F3AD}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{020B22ED-6D58-4096-9B93-8354F760C11F}.exe	8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7N.exe
File created	C:\Windows\{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe	{81054105-450F-43ff-98E6-5108E02D711A}.exe
File created	C:\Windows\{995950C3-9DA6-4348-9796-08D682687EFD}.exe	{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe
File created	C:\Windows\{8297B712-9A0B-4015-882C-13B3D09B5933}.exe	{995950C3-9DA6-4348-9796-08D682687EFD}.exe
File created	C:\Windows\{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe	{8297B712-9A0B-4015-882C-13B3D09B5933}.exe
File created	C:\Windows\{3C10CC4C-CD46-4fe0-BBCD-4D4DA584F85A}.exe	{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe
File created	C:\Windows\{F3DB44A9-4713-45f3-8DD3-DCDD49D6F3AD}.exe	{3C10CC4C-CD46-4fe0-BBCD-4D4DA584F85A}.exe
File created	C:\Windows\{81054105-450F-43ff-98E6-5108E02D711A}.exe	{020B22ED-6D58-4096-9B93-8354F760C11F}.exe
File created	C:\Windows\{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe	{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8297B712-9A0B-4015-882C-13B3D09B5933}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F3DB44A9-4713-45f3-8DD3-DCDD49D6F3AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{020B22ED-6D58-4096-9B93-8354F760C11F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{81054105-450F-43ff-98E6-5108E02D711A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{995950C3-9DA6-4348-9796-08D682687EFD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C10CC4C-CD46-4fe0-BBCD-4D4DA584F85A}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2960	8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7N.exe
Token: SeIncBasePriorityPrivilege	1716	{020B22ED-6D58-4096-9B93-8354F760C11F}.exe
Token: SeIncBasePriorityPrivilege	2760	{81054105-450F-43ff-98E6-5108E02D711A}.exe
Token: SeIncBasePriorityPrivilege	2136	{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe
Token: SeIncBasePriorityPrivilege	3044	{995950C3-9DA6-4348-9796-08D682687EFD}.exe
Token: SeIncBasePriorityPrivilege	2924	{8297B712-9A0B-4015-882C-13B3D09B5933}.exe
Token: SeIncBasePriorityPrivilege	3040	{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe
Token: SeIncBasePriorityPrivilege	1200	{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe
Token: SeIncBasePriorityPrivilege	2072	{3C10CC4C-CD46-4fe0-BBCD-4D4DA584F85A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1716	2960	8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7N.exe	30
PID 2960 wrote to memory of 1716	2960	8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7N.exe	30
PID 2960 wrote to memory of 1716	2960	8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7N.exe	30
PID 2960 wrote to memory of 1716	2960	8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7N.exe	30
PID 2960 wrote to memory of 2744	2960	8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7N.exe	31
PID 2960 wrote to memory of 2744	2960	8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7N.exe	31
PID 2960 wrote to memory of 2744	2960	8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7N.exe	31
PID 2960 wrote to memory of 2744	2960	8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7N.exe	31
PID 1716 wrote to memory of 2760	1716	{020B22ED-6D58-4096-9B93-8354F760C11F}.exe	33
PID 1716 wrote to memory of 2760	1716	{020B22ED-6D58-4096-9B93-8354F760C11F}.exe	33
PID 1716 wrote to memory of 2760	1716	{020B22ED-6D58-4096-9B93-8354F760C11F}.exe	33
PID 1716 wrote to memory of 2760	1716	{020B22ED-6D58-4096-9B93-8354F760C11F}.exe	33
PID 1716 wrote to memory of 2424	1716	{020B22ED-6D58-4096-9B93-8354F760C11F}.exe	34
PID 1716 wrote to memory of 2424	1716	{020B22ED-6D58-4096-9B93-8354F760C11F}.exe	34
PID 1716 wrote to memory of 2424	1716	{020B22ED-6D58-4096-9B93-8354F760C11F}.exe	34
PID 1716 wrote to memory of 2424	1716	{020B22ED-6D58-4096-9B93-8354F760C11F}.exe	34
PID 2760 wrote to memory of 2136	2760	{81054105-450F-43ff-98E6-5108E02D711A}.exe	35
PID 2760 wrote to memory of 2136	2760	{81054105-450F-43ff-98E6-5108E02D711A}.exe	35
PID 2760 wrote to memory of 2136	2760	{81054105-450F-43ff-98E6-5108E02D711A}.exe	35
PID 2760 wrote to memory of 2136	2760	{81054105-450F-43ff-98E6-5108E02D711A}.exe	35
PID 2760 wrote to memory of 2672	2760	{81054105-450F-43ff-98E6-5108E02D711A}.exe	36
PID 2760 wrote to memory of 2672	2760	{81054105-450F-43ff-98E6-5108E02D711A}.exe	36
PID 2760 wrote to memory of 2672	2760	{81054105-450F-43ff-98E6-5108E02D711A}.exe	36
PID 2760 wrote to memory of 2672	2760	{81054105-450F-43ff-98E6-5108E02D711A}.exe	36
PID 2136 wrote to memory of 3044	2136	{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe	37
PID 2136 wrote to memory of 3044	2136	{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe	37
PID 2136 wrote to memory of 3044	2136	{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe	37
PID 2136 wrote to memory of 3044	2136	{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe	37
PID 2136 wrote to memory of 2148	2136	{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe	38
PID 2136 wrote to memory of 2148	2136	{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe	38
PID 2136 wrote to memory of 2148	2136	{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe	38
PID 2136 wrote to memory of 2148	2136	{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe	38
PID 3044 wrote to memory of 2924	3044	{995950C3-9DA6-4348-9796-08D682687EFD}.exe	39
PID 3044 wrote to memory of 2924	3044	{995950C3-9DA6-4348-9796-08D682687EFD}.exe	39
PID 3044 wrote to memory of 2924	3044	{995950C3-9DA6-4348-9796-08D682687EFD}.exe	39
PID 3044 wrote to memory of 2924	3044	{995950C3-9DA6-4348-9796-08D682687EFD}.exe	39
PID 3044 wrote to memory of 2912	3044	{995950C3-9DA6-4348-9796-08D682687EFD}.exe	40
PID 3044 wrote to memory of 2912	3044	{995950C3-9DA6-4348-9796-08D682687EFD}.exe	40
PID 3044 wrote to memory of 2912	3044	{995950C3-9DA6-4348-9796-08D682687EFD}.exe	40
PID 3044 wrote to memory of 2912	3044	{995950C3-9DA6-4348-9796-08D682687EFD}.exe	40
PID 2924 wrote to memory of 3040	2924	{8297B712-9A0B-4015-882C-13B3D09B5933}.exe	41
PID 2924 wrote to memory of 3040	2924	{8297B712-9A0B-4015-882C-13B3D09B5933}.exe	41
PID 2924 wrote to memory of 3040	2924	{8297B712-9A0B-4015-882C-13B3D09B5933}.exe	41
PID 2924 wrote to memory of 3040	2924	{8297B712-9A0B-4015-882C-13B3D09B5933}.exe	41
PID 2924 wrote to memory of 2548	2924	{8297B712-9A0B-4015-882C-13B3D09B5933}.exe	42
PID 2924 wrote to memory of 2548	2924	{8297B712-9A0B-4015-882C-13B3D09B5933}.exe	42
PID 2924 wrote to memory of 2548	2924	{8297B712-9A0B-4015-882C-13B3D09B5933}.exe	42
PID 2924 wrote to memory of 2548	2924	{8297B712-9A0B-4015-882C-13B3D09B5933}.exe	42
PID 3040 wrote to memory of 1200	3040	{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe	43
PID 3040 wrote to memory of 1200	3040	{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe	43
PID 3040 wrote to memory of 1200	3040	{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe	43
PID 3040 wrote to memory of 1200	3040	{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe	43
PID 3040 wrote to memory of 1884	3040	{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe	44
PID 3040 wrote to memory of 1884	3040	{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe	44
PID 3040 wrote to memory of 1884	3040	{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe	44
PID 3040 wrote to memory of 1884	3040	{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe	44
PID 1200 wrote to memory of 2072	1200	{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe	45
PID 1200 wrote to memory of 2072	1200	{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe	45
PID 1200 wrote to memory of 2072	1200	{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe	45
PID 1200 wrote to memory of 2072	1200	{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe	45
PID 1200 wrote to memory of 716	1200	{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe	46
PID 1200 wrote to memory of 716	1200	{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe	46
PID 1200 wrote to memory of 716	1200	{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe	46
PID 1200 wrote to memory of 716	1200	{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe	46

C:\Users\Admin\AppData\Local\Temp\8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7N.exe
"C:\Users\Admin\AppData\Local\Temp\8c4a7c014f0ae1c77b675632631b6c822c4cbe5c52eb85c1a5894397dbfd40f7N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\{020B22ED-6D58-4096-9B93-8354F760C11F}.exe
  C:\Windows\{020B22ED-6D58-4096-9B93-8354F760C11F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\{81054105-450F-43ff-98E6-5108E02D711A}.exe
    C:\Windows\{81054105-450F-43ff-98E6-5108E02D711A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe
      C:\Windows\{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\{995950C3-9DA6-4348-9796-08D682687EFD}.exe
        
        C:\Windows\{995950C3-9DA6-4348-9796-08D682687EFD}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Windows\{8297B712-9A0B-4015-882C-13B3D09B5933}.exe
        
        C:\Windows\{8297B712-9A0B-4015-882C-13B3D09B5933}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe
        
        C:\Windows\{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe
        
        C:\Windows\{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\{3C10CC4C-CD46-4fe0-BBCD-4D4DA584F85A}.exe
        
        C:\Windows\{3C10CC4C-CD46-4fe0-BBCD-4D4DA584F85A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\{F3DB44A9-4713-45f3-8DD3-DCDD49D6F3AD}.exe
        
        C:\Windows\{F3DB44A9-4713-45f3-8DD3-DCDD49D6F3AD}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C10C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B123~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E10A2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8297B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99595~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8F35~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{81054~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{020B2~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8C4A7C~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{020B22ED-6D58-4096-9B93-8354F760C11F}.exe

Filesize
88KB

MD5
20f8f81a2927d042f8872c968ca67b69

SHA1
5100cfd566a99465159dc90d69211ebad94aef27

SHA256
43f79e8562eea4761482b239561b00fe6fcd4c14d807af05244365c512c86f2e

SHA512
ef571e539c89d45c512a8b7d220d05c73b0c39a4d2a409b67a0960420ba2bac413d4268166332c5daeea48732110bdafeb90be60524fea6bd291b4f5f928353c

Download Submit
C:\Windows\{3B1236BF-00CC-43f8-8602-943BB98C8637}.exe

Filesize
88KB

MD5
d1fad32f921959bdf111f2c60cb39a95

SHA1
38e7b142375875a13306d16ceeba7aac9e07f7c8

SHA256
5ca27b9d3cf38a0071f6822abd1d2bf820b2242a836f5a761d4ef08c6c943927

SHA512
337c4676f8fe7d9e10724c223786fdb5ed3042ba19d2c32e49a42b139884ed916f55edf92d58af3b9558352a27765a93440031e3d0d963eb29bf19438724c93d

Download Submit
C:\Windows\{3C10CC4C-CD46-4fe0-BBCD-4D4DA584F85A}.exe

Filesize
88KB

MD5
4421b53bfa8cab74efed0719d7a3dada

SHA1
8f6c9e384b097c816bf817abdf9226486014c4be

SHA256
2f2f3150071b6494fb2b0f9b72b4a7d1b5291fc729948f8d2faeaa8a4ffd0e34

SHA512
dd810ecb8c1751627b4477bff52bd15d52bc5696a00e88c44c88424e01015891ba0fc6dc3c5dde81916983e63e6b3f8050da628a2074d910356e7a24003aba30

Download Submit
C:\Windows\{81054105-450F-43ff-98E6-5108E02D711A}.exe

Filesize
88KB

MD5
2934bea9cd597df48c75437490f36835

SHA1
7b33257147f4fc0e2bdcb73c2628e8c82fbc3d3f

SHA256
d61e6be738d12be9cfe8aa4eefdda68666b604ac46743b379bae13964fcd4754

SHA512
bdffe7f0bc8c54786f0f8176f35900ead0d1e811c7d3f478f5df23bf0ddc20dfbdcde1239453d0d2b32e58cdb3a306fe963f43a83ca83e29391232ed9666883c

Download Submit
C:\Windows\{8297B712-9A0B-4015-882C-13B3D09B5933}.exe

Filesize
88KB

MD5
001a66302469a3b647a102161e3527c0

SHA1
5f3db912e8242cfe3d32534abad948f512adafb0

SHA256
35b5379a8ccd1f0811a8054d96960007a1360603e46e09d1d2cdbe893a724354

SHA512
4eb60f7099020a24bbed90dfb5f750e4a836fa664b517b3bbb1fa7684c60c934df39fc81647ae6e4ba199d340b85414ee359a79e1d08a2a675774b4a1971476a

Download Submit
C:\Windows\{995950C3-9DA6-4348-9796-08D682687EFD}.exe

Filesize
88KB

MD5
40a23625565cf4980f6f46fba37c7c12

SHA1
922afecf9107d685f4206fc6836b5d75168057c2

SHA256
8cd87594ab7487bfa232c450fea5070cc1c79beeec4fc0c99c24a5a8f040d0b2

SHA512
619804645b0d5a27964b300b042c192e552f273b9ed808dc1a520977b04724c04bc0deec91fe5870540b98af7a24ff85fff74caedcb8f648b0fb7b8eb8c691f6

Download Submit
C:\Windows\{C8F35E74-9179-49ca-9D92-3D7F837B0EEF}.exe

Filesize
88KB

MD5
52877124f05d996769adc445448e29e4

SHA1
e3aa2d3923c0a2ee341965a6faf2ed1bd03771fc

SHA256
3f3d200f86c4773eb519cf65c04035356b43d8c4246a6824477184a3c1eef27b

SHA512
998359695d32dc8b260d5b1343349995c256ad26cefdabab69e5748ce8f44ce0cc630429b39fcd2048c392fb89cf5418c1896017083cb0ae0864641d5a39854d

Download Submit
C:\Windows\{E10A209C-BD80-4036-B7E9-8458F5523F5C}.exe

Filesize
88KB

MD5
d40f19535c06079b125639ef4fc49f83

SHA1
4ac497474eac1f197656d3d32b7af678acd37269

SHA256
e56250e53e10154d0c947aed4a3d2366a9cbadedf5e339db14b883ea3f1ac401

SHA512
d2ce377f157c8042826622e3966eee9f14f4662d7ec2488864fd7063be911b443d0dc3a38cb3df56a822b891e03b39088010fa5e58a7919e4fa3226a550987f0

Download Submit
C:\Windows\{F3DB44A9-4713-45f3-8DD3-DCDD49D6F3AD}.exe

Filesize
88KB

MD5
62aa5cbc2ceca031612d951fb399447b

SHA1
0b22ef0a690e4670497156b3e96cdeebead13112

SHA256
98a608762bbf659a9fa99c52ccaf1ad621bc5291d19a8c18aaeb07f09d255d26

SHA512
90d322f628c93313a1ea6d76f27a50a899607963b9cc0559f289587ca8b96edbc6a0dafc75bd600d397d8d466a96f0a2a95d268a3a87786bca46624b859d25cd

Download Submit
memory/1200-75-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1200-69-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/1716-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1716-13-0x0000000001D20000-0x0000000001D31000-memory.dmp

Filesize
68KB

Download
memory/2072-79-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/2072-83-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2136-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2136-31-0x00000000003C0000-0x00000000003D1000-memory.dmp

Filesize
68KB

Download
memory/2136-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2760-22-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2760-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2924-51-0x00000000004B0000-0x00000000004C1000-memory.dmp

Filesize
68KB

Download
memory/2924-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2924-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2960-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2960-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2960-3-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download
memory/2960-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3040-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3040-60-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/3044-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3044-40-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/3044-45-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads