Analysis
max time kernel: 119s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/09/2024, 22:42
Behavioral task behavioral1
Sample: 78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe
Resource: win10v2004-20240802-en
General
Target: 78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe
Size: 83KB
MD5: 8f457274d83c39717e79f3d1444dde60
SHA1: aa4ce4d3c969c65a24ef0880ddf6235f9462285a
SHA256: 78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093
SHA512: 9c158c77640640684a2fd750d18a5ddfc72adad0486062cdc6a8f7dd83e57e413e065c483f2cac8da6b6dfc908dbb34a89ffd27e25d3e52cb2830c296bf964c9
SSDEEP: 1536:q4Gh0o4g0p3nouy8QbunMxVS3HgdoKjhLJh731xvsr:q4Gh0o4g05outQCMUyNjhLJh731xvsr
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7243189F-04A0-4d2a-AD42-DA03DC862E68}\stubpath = "C:\\Windows\\{7243189F-04A0-4d2a-AD42-DA03DC862E68}.exe" | {0B03B788-6338-4fd1-9BD1-3F0DD909ED08}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5462F3AD-E883-4ebd-834D-3F7B9DA46F4E} | {7243189F-04A0-4d2a-AD42-DA03DC862E68}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15A548D8-3BF6-4eac-BE2F-8A35E5CFFA84} | {5462F3AD-E883-4ebd-834D-3F7B9DA46F4E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15A548D8-3BF6-4eac-BE2F-8A35E5CFFA84}\stubpath = "C:\\Windows\\{15A548D8-3BF6-4eac-BE2F-8A35E5CFFA84}.exe" | {5462F3AD-E883-4ebd-834D-3F7B9DA46F4E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3189EAC6-0CAD-488a-9672-8DCAD07266BA} | 78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FE05612-8065-4e92-BF2C-98148466913A} | {C48EA297-71A3-4337-A0C3-9AEB4B6C2894}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B03B788-6338-4fd1-9BD1-3F0DD909ED08}\stubpath = "C:\\Windows\\{0B03B788-6338-4fd1-9BD1-3F0DD909ED08}.exe" | {6FE05612-8065-4e92-BF2C-98148466913A}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04DD1F30-FABA-4191-A66A-9B9A927B4E76} | {77943A62-86F1-4b2a-BE76-ACB2961C6D34}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FE05612-8065-4e92-BF2C-98148466913A}\stubpath = "C:\\Windows\\{6FE05612-8065-4e92-BF2C-98148466913A}.exe" | {C48EA297-71A3-4337-A0C3-9AEB4B6C2894}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7243189F-04A0-4d2a-AD42-DA03DC862E68} | {0B03B788-6338-4fd1-9BD1-3F0DD909ED08}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04DD1F30-FABA-4191-A66A-9B9A927B4E76}\stubpath = "C:\\Windows\\{04DD1F30-FABA-4191-A66A-9B9A927B4E76}.exe" | {77943A62-86F1-4b2a-BE76-ACB2961C6D34}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C48EA297-71A3-4337-A0C3-9AEB4B6C2894} | {04DD1F30-FABA-4191-A66A-9B9A927B4E76}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C48EA297-71A3-4337-A0C3-9AEB4B6C2894}\stubpath = "C:\\Windows\\{C48EA297-71A3-4337-A0C3-9AEB4B6C2894}.exe" | {04DD1F30-FABA-4191-A66A-9B9A927B4E76}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3189EAC6-0CAD-488a-9672-8DCAD07266BA}\stubpath = "C:\\Windows\\{3189EAC6-0CAD-488a-9672-8DCAD07266BA}.exe" | 78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77943A62-86F1-4b2a-BE76-ACB2961C6D34} | {3189EAC6-0CAD-488a-9672-8DCAD07266BA}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77943A62-86F1-4b2a-BE76-ACB2961C6D34}\stubpath = "C:\\Windows\\{77943A62-86F1-4b2a-BE76-ACB2961C6D34}.exe" | {3189EAC6-0CAD-488a-9672-8DCAD07266BA}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B03B788-6338-4fd1-9BD1-3F0DD909ED08} | {6FE05612-8065-4e92-BF2C-98148466913A}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5462F3AD-E883-4ebd-834D-3F7B9DA46F4E}\stubpath = "C:\\Windows\\{5462F3AD-E883-4ebd-834D-3F7B9DA46F4E}.exe" | {7243189F-04A0-4d2a-AD42-DA03DC862E68}.exe
Deletes itself 1 IoCs
pid | Process
2660 | cmd.exe
Executes dropped EXE 9 IoCs
pid | Process
2712 | {3189EAC6-0CAD-488a-9672-8DCAD07266BA}.exe
2824 | {77943A62-86F1-4b2a-BE76-ACB2961C6D34}.exe
808 | {04DD1F30-FABA-4191-A66A-9B9A927B4E76}.exe
2576 | {C48EA297-71A3-4337-A0C3-9AEB4B6C2894}.exe
268 | {6FE05612-8065-4e92-BF2C-98148466913A}.exe
1220 | {0B03B788-6338-4fd1-9BD1-3F0DD909ED08}.exe
2188 | {7243189F-04A0-4d2a-AD42-DA03DC862E68}.exe
1944 | {5462F3AD-E883-4ebd-834D-3F7B9DA46F4E}.exe
2916 | {15A548D8-3BF6-4eac-BE2F-8A35E5CFFA84}.exe
resource yara_rule: upx (matched on the behavioral1 memory dumps of the sample and of every dropped executable, and on the dropped .dat files)
Drops file in Windows directory 9 IoCs
description | ioc | Process
File created | C:\Windows\{7243189F-04A0-4d2a-AD42-DA03DC862E68}.exe | {0B03B788-6338-4fd1-9BD1-3F0DD909ED08}.exe
File created | C:\Windows\{C48EA297-71A3-4337-A0C3-9AEB4B6C2894}.exe | {04DD1F30-FABA-4191-A66A-9B9A927B4E76}.exe
File created | C:\Windows\{6FE05612-8065-4e92-BF2C-98148466913A}.exe | {C48EA297-71A3-4337-A0C3-9AEB4B6C2894}.exe
File created | C:\Windows\{04DD1F30-FABA-4191-A66A-9B9A927B4E76}.exe | {77943A62-86F1-4b2a-BE76-ACB2961C6D34}.exe
File created | C:\Windows\{0B03B788-6338-4fd1-9BD1-3F0DD909ED08}.exe | {6FE05612-8065-4e92-BF2C-98148466913A}.exe
File created | C:\Windows\{5462F3AD-E883-4ebd-834D-3F7B9DA46F4E}.exe | {7243189F-04A0-4d2a-AD42-DA03DC862E68}.exe
File created | C:\Windows\{15A548D8-3BF6-4eac-BE2F-8A35E5CFFA84}.exe | {5462F3AD-E883-4ebd-834D-3F7B9DA46F4E}.exe
File created | C:\Windows\{3189EAC6-0CAD-488a-9672-8DCAD07266BA}.exe | 78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe
File created | C:\Windows\{77943A62-86F1-4b2a-BE76-ACB2961C6D34}.exe | {3189EAC6-0CAD-488a-9672-8DCAD07266BA}.exe
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {6FE05612-8065-4e92-BF2C-98148466913A}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {0B03B788-6338-4fd1-9BD1-3F0DD909ED08}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {15A548D8-3BF6-4eac-BE2F-8A35E5CFFA84}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {7243189F-04A0-4d2a-AD42-DA03DC862E68}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {77943A62-86F1-4b2a-BE76-ACB2961C6D34}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {04DD1F30-FABA-4191-A66A-9B9A927B4E76}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {C48EA297-71A3-4337-A0C3-9AEB4B6C2894}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {3189EAC6-0CAD-488a-9672-8DCAD07266BA}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {5462F3AD-E883-4ebd-834D-3F7B9DA46F4E}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2872 | 78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe
Token: SeIncBasePriorityPrivilege | 2712 | {3189EAC6-0CAD-488a-9672-8DCAD07266BA}.exe
Token: SeIncBasePriorityPrivilege | 2824 | {77943A62-86F1-4b2a-BE76-ACB2961C6D34}.exe
Token: SeIncBasePriorityPrivilege | 808 | {04DD1F30-FABA-4191-A66A-9B9A927B4E76}.exe
Token: SeIncBasePriorityPrivilege | 2576 | {C48EA297-71A3-4337-A0C3-9AEB4B6C2894}.exe
Token: SeIncBasePriorityPrivilege | 268 | {6FE05612-8065-4e92-BF2C-98148466913A}.exe
Token: SeIncBasePriorityPrivilege | 1220 | {0B03B788-6338-4fd1-9BD1-3F0DD909ED08}.exe
Token: SeIncBasePriorityPrivilege | 2188 | {7243189F-04A0-4d2a-AD42-DA03DC862E68}.exe
Token: SeIncBasePriorityPrivilege | 1944 | {5462F3AD-E883-4ebd-834D-3F7B9DA46F4E}.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe (depth 1, PID 2872)
  Command line: "C:\Users\Admin\AppData\Local\Temp\78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe"
  Signatures: Boot or Logon Autostart Execution: Active Setup; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\{3189EAC6-0CAD-488a-9672-8DCAD07266BA}.exe (depth 2, PID 2712)
    Command line: C:\Windows\{3189EAC6-0CAD-488a-9672-8DCAD07266BA}.exe
    Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\{77943A62-86F1-4b2a-BE76-ACB2961C6D34}.exe (depth 3, PID 2824)
      Command line: C:\Windows\{77943A62-86F1-4b2a-BE76-ACB2961C6D34}.exe
      Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\{04DD1F30-FABA-4191-A66A-9B9A927B4E76}.exe (depth 4, PID 808)
        Command line: C:\Windows\{04DD1F30-FABA-4191-A66A-9B9A927B4E76}.exe
        Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\{C48EA297-71A3-4337-A0C3-9AEB4B6C2894}.exe (depth 5, PID 2576)
          Command line: C:\Windows\{C48EA297-71A3-4337-A0C3-9AEB4B6C2894}.exe
          Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\{6FE05612-8065-4e92-BF2C-98148466913A}.exe (depth 6, PID 268)
            Command line: C:\Windows\{6FE05612-8065-4e92-BF2C-98148466913A}.exe
            Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\{0B03B788-6338-4fd1-9BD1-3F0DD909ED08}.exe (depth 7, PID 1220)
              Command line: C:\Windows\{0B03B788-6338-4fd1-9BD1-3F0DD909ED08}.exe
              Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\{7243189F-04A0-4d2a-AD42-DA03DC862E68}.exe (depth 8, PID 2188)
                Command line: C:\Windows\{7243189F-04A0-4d2a-AD42-DA03DC862E68}.exe
                Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\{5462F3AD-E883-4ebd-834D-3F7B9DA46F4E}.exe (depth 9, PID 1944)
                  Command line: C:\Windows\{5462F3AD-E883-4ebd-834D-3F7B9DA46F4E}.exe
                  Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
                  - C:\Windows\{15A548D8-3BF6-4eac-BE2F-8A35E5CFFA84}.exe (depth 10, PID 2916)
                    Command line: C:\Windows\{15A548D8-3BF6-4eac-BE2F-8A35E5CFFA84}.exe
                    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
                  - C:\Windows\SysWOW64\cmd.exe (depth 10, PID 2080)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5462F~1.EXE > nul
                    Signatures: System Location Discovery: System Language Discovery
                - C:\Windows\SysWOW64\cmd.exe (depth 9, PID 1796)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{72431~1.EXE > nul
                  Signatures: System Location Discovery: System Language Discovery
              - C:\Windows\SysWOW64\cmd.exe (depth 8, PID 2332)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0B03B~1.EXE > nul
                Signatures: System Location Discovery: System Language Discovery
            - C:\Windows\SysWOW64\cmd.exe (depth 7, PID 1500)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{6FE05~1.EXE > nul
              Signatures: System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\cmd.exe (depth 6, PID 1300)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C48EA~1.EXE > nul
            Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\cmd.exe (depth 5, PID 2812)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{04DD1~1.EXE > nul
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2968)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{77943~1.EXE > nul
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2672)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3189E~1.EXE > nul
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2660)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\78CDBC~1.EXE > nul
    Signatures: Deletes itself; System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads