78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe
Size

83KB
MD5

8f457274d83c39717e79f3d1444dde60
SHA1

aa4ce4d3c969c65a24ef0880ddf6235f9462285a
SHA256

78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093
SHA512

9c158c77640640684a2fd750d18a5ddfc72adad0486062cdc6a8f7dd83e57e413e065c483f2cac8da6b6dfc908dbb34a89ffd27e25d3e52cb2830c296bf964c9
SSDEEP

1536:q4Gh0o4g0p3nouy8QbunMxVS3HgdoKjhLJh731xvsr:q4Gh0o4g05outQCMUyNjhLJh731xvsr

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}	{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}	78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{386A0770-3AA0-462b-9754-968FCC6E54D8}	{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B257002-A9ED-4e81-9728-CC82471753C7}	{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}\stubpath = "C:\\Windows\\{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe"	{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A17A2000-73E5-458b-8682-EF4AABBE3B23}	{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B257002-A9ED-4e81-9728-CC82471753C7}\stubpath = "C:\\Windows\\{6B257002-A9ED-4e81-9728-CC82471753C7}.exe"	{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEF8E7FF-BB26-487b-9978-F024D385FD82}\stubpath = "C:\\Windows\\{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe"	{B7758498-04AE-4079-9787-604D28DBABA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06E10833-4027-45f5-8DE6-8C79956F379C}	{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06E10833-4027-45f5-8DE6-8C79956F379C}\stubpath = "C:\\Windows\\{06E10833-4027-45f5-8DE6-8C79956F379C}.exe"	{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A17A2000-73E5-458b-8682-EF4AABBE3B23}\stubpath = "C:\\Windows\\{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe"	{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7758498-04AE-4079-9787-604D28DBABA8}\stubpath = "C:\\Windows\\{B7758498-04AE-4079-9787-604D28DBABA8}.exe"	{6B257002-A9ED-4e81-9728-CC82471753C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB245EC8-E567-4a48-B604-2B7CC2406E59}\stubpath = "C:\\Windows\\{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe"	{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEF8E7FF-BB26-487b-9978-F024D385FD82}	{B7758498-04AE-4079-9787-604D28DBABA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB245EC8-E567-4a48-B604-2B7CC2406E59}	{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}\stubpath = "C:\\Windows\\{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe"	78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{386A0770-3AA0-462b-9754-968FCC6E54D8}\stubpath = "C:\\Windows\\{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe"	{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7758498-04AE-4079-9787-604D28DBABA8}	{6B257002-A9ED-4e81-9728-CC82471753C7}.exe

Executes dropped EXE 9 IoCs

pid	Process
4528	{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe
3100	{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe
1336	{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe
4248	{6B257002-A9ED-4e81-9728-CC82471753C7}.exe
3452	{B7758498-04AE-4079-9787-604D28DBABA8}.exe
3764	{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe
996	{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe
4444	{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe
368	{06E10833-4027-45f5-8DE6-8C79956F379C}.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3736-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3736-1-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4528-5-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0007000000023451-4.dat	upx
behavioral2/memory/3736-7-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4528-8-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0007000000023459-11.dat	upx
behavioral2/memory/3100-14-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4528-13-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3100-15-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000300000000aefb-16.dat	upx
behavioral2/memory/3100-19-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1336-20-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1336-22-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0008000000023459-27.dat	upx
behavioral2/memory/4248-28-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1336-26-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4248-29-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000400000000aefb-34.dat	upx
behavioral2/memory/3452-35-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4248-33-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3452-36-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000c0000000217b7-40.dat	upx
behavioral2/memory/3452-39-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3764-41-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3764-43-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000500000000aefb-46.dat	upx
behavioral2/memory/996-48-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3764-47-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/996-50-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/996-54-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0003000000000705-53.dat	upx
behavioral2/memory/4444-55-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4444-57-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0003000000000707-61.dat	upx
behavioral2/memory/368-62-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4444-60-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe	{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe
File created	C:\Windows\{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe	{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe
File created	C:\Windows\{6B257002-A9ED-4e81-9728-CC82471753C7}.exe	{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe
File created	C:\Windows\{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe	{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe
File created	C:\Windows\{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe	{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe
File created	C:\Windows\{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe	78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe
File created	C:\Windows\{B7758498-04AE-4079-9787-604D28DBABA8}.exe	{6B257002-A9ED-4e81-9728-CC82471753C7}.exe
File created	C:\Windows\{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe	{B7758498-04AE-4079-9787-604D28DBABA8}.exe
File created	C:\Windows\{06E10833-4027-45f5-8DE6-8C79956F379C}.exe	{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{06E10833-4027-45f5-8DE6-8C79956F379C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B7758498-04AE-4079-9787-604D28DBABA8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6B257002-A9ED-4e81-9728-CC82471753C7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3736	78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe
Token: SeIncBasePriorityPrivilege	4528	{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe
Token: SeIncBasePriorityPrivilege	3100	{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe
Token: SeIncBasePriorityPrivilege	1336	{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe
Token: SeIncBasePriorityPrivilege	4248	{6B257002-A9ED-4e81-9728-CC82471753C7}.exe
Token: SeIncBasePriorityPrivilege	3452	{B7758498-04AE-4079-9787-604D28DBABA8}.exe
Token: SeIncBasePriorityPrivilege	3764	{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe
Token: SeIncBasePriorityPrivilege	996	{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe
Token: SeIncBasePriorityPrivilege	4444	{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 4528	3736	78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe	87
PID 3736 wrote to memory of 4528	3736	78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe	87
PID 3736 wrote to memory of 4528	3736	78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe	87
PID 3736 wrote to memory of 664	3736	78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe	88
PID 3736 wrote to memory of 664	3736	78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe	88
PID 3736 wrote to memory of 664	3736	78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe	88
PID 4528 wrote to memory of 3100	4528	{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe	91
PID 4528 wrote to memory of 3100	4528	{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe	91
PID 4528 wrote to memory of 3100	4528	{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe	91
PID 4528 wrote to memory of 4208	4528	{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe	92
PID 4528 wrote to memory of 4208	4528	{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe	92
PID 4528 wrote to memory of 4208	4528	{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe	92
PID 3100 wrote to memory of 1336	3100	{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe	95
PID 3100 wrote to memory of 1336	3100	{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe	95
PID 3100 wrote to memory of 1336	3100	{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe	95
PID 3100 wrote to memory of 3204	3100	{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe	96
PID 3100 wrote to memory of 3204	3100	{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe	96
PID 3100 wrote to memory of 3204	3100	{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe	96
PID 1336 wrote to memory of 4248	1336	{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe	97
PID 1336 wrote to memory of 4248	1336	{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe	97
PID 1336 wrote to memory of 4248	1336	{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe	97
PID 1336 wrote to memory of 4040	1336	{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe	98
PID 1336 wrote to memory of 4040	1336	{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe	98
PID 1336 wrote to memory of 4040	1336	{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe	98
PID 4248 wrote to memory of 3452	4248	{6B257002-A9ED-4e81-9728-CC82471753C7}.exe	99
PID 4248 wrote to memory of 3452	4248	{6B257002-A9ED-4e81-9728-CC82471753C7}.exe	99
PID 4248 wrote to memory of 3452	4248	{6B257002-A9ED-4e81-9728-CC82471753C7}.exe	99
PID 4248 wrote to memory of 4348	4248	{6B257002-A9ED-4e81-9728-CC82471753C7}.exe	100
PID 4248 wrote to memory of 4348	4248	{6B257002-A9ED-4e81-9728-CC82471753C7}.exe	100
PID 4248 wrote to memory of 4348	4248	{6B257002-A9ED-4e81-9728-CC82471753C7}.exe	100
PID 3452 wrote to memory of 3764	3452	{B7758498-04AE-4079-9787-604D28DBABA8}.exe	101
PID 3452 wrote to memory of 3764	3452	{B7758498-04AE-4079-9787-604D28DBABA8}.exe	101
PID 3452 wrote to memory of 3764	3452	{B7758498-04AE-4079-9787-604D28DBABA8}.exe	101
PID 3452 wrote to memory of 4868	3452	{B7758498-04AE-4079-9787-604D28DBABA8}.exe	102
PID 3452 wrote to memory of 4868	3452	{B7758498-04AE-4079-9787-604D28DBABA8}.exe	102
PID 3452 wrote to memory of 4868	3452	{B7758498-04AE-4079-9787-604D28DBABA8}.exe	102
PID 3764 wrote to memory of 996	3764	{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe	103
PID 3764 wrote to memory of 996	3764	{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe	103
PID 3764 wrote to memory of 996	3764	{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe	103
PID 3764 wrote to memory of 4548	3764	{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe	104
PID 3764 wrote to memory of 4548	3764	{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe	104
PID 3764 wrote to memory of 4548	3764	{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe	104
PID 996 wrote to memory of 4444	996	{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe	105
PID 996 wrote to memory of 4444	996	{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe	105
PID 996 wrote to memory of 4444	996	{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe	105
PID 996 wrote to memory of 3320	996	{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe	106
PID 996 wrote to memory of 3320	996	{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe	106
PID 996 wrote to memory of 3320	996	{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe	106
PID 4444 wrote to memory of 368	4444	{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe	107
PID 4444 wrote to memory of 368	4444	{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe	107
PID 4444 wrote to memory of 368	4444	{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe	107
PID 4444 wrote to memory of 1828	4444	{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe	108
PID 4444 wrote to memory of 1828	4444	{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe	108
PID 4444 wrote to memory of 1828	4444	{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe	108

C:\Users\Admin\AppData\Local\Temp\78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe
"C:\Users\Admin\AppData\Local\Temp\78cdbcdec655d7fa5c1a2084c35dc4153726146fdabb733e23b6a29ebec34093N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Windows\{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe
  C:\Windows\{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe
    C:\Windows\{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3100
  - - C:\Windows\{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe
      C:\Windows\{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Windows\{6B257002-A9ED-4e81-9728-CC82471753C7}.exe
        
        C:\Windows\{6B257002-A9ED-4e81-9728-CC82471753C7}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4248
      - C:\Windows\{B7758498-04AE-4079-9787-604D28DBABA8}.exe
        
        C:\Windows\{B7758498-04AE-4079-9787-604D28DBABA8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe
        
        C:\Windows\{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe
        
        C:\Windows\{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe
        
        C:\Windows\{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\{06E10833-4027-45f5-8DE6-8C79956F379C}.exe
        
        C:\Windows\{06E10833-4027-45f5-8DE6-8C79956F379C}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB245~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20FB7~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEF8E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7758~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B257~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{386A0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A17A2~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C9C1A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\78CDBC~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06E10833-4027-45f5-8DE6-8C79956F379C}.exe

Filesize
83KB

MD5
773d15da0021579d9c7531738367c5c8

SHA1
e82545ac3379766d5178500d75d6e5aac90c5e27

SHA256
929b27fcbdb2271576c373a29e7672e2967d3ba36eccf1f13c4c755e759c31b3

SHA512
f308075b858fb96aca435cbed0be5efa247f81ce7b015d827a4e6bd4934b1f94b0054c1ccfa27962ecdf344d7e5d16cf380239147d19933a219959738a12e419

Download Submit
C:\Windows\{20FB7981-C4E1-41f2-9E81-38B8B928E5FF}.exe

Filesize
83KB

MD5
07a3e2c4a04558e1be765586b476824c

SHA1
95489f42e53cc9c9f69e6fac8614b7ccd70c253b

SHA256
02b9a3d608b9d5f8b32bce8de245d6b6ff55d7f5a0f3e18ce3eb8421b1458a89

SHA512
e19d3c41a0b227a1af75b710b8b90156770acf6f8d0d3b1ba43e5bdca293e0971c75d3e93510de5ba09eafed6e73b8929d7bed3121ef247f0bd1c770e842f8d0

Download Submit
C:\Windows\{386A0770-3AA0-462b-9754-968FCC6E54D8}.exe

Filesize
83KB

MD5
a11248fd18caa9d67d760d3e68e411d8

SHA1
a0d3840c253cb28d01449d1df847ad32269a645e

SHA256
4d0cde9ba10b4ee175ca9eddb8697e96c3ff600aa959ccca32e06c4bd115b227

SHA512
ebbab320f7e386e46af0c2394269a22d2183169d8bb65fab8f6e3e38577215af56832e326627d0e3f3ce26d288c9284a28d97b08abdf99f1763006a4afa143c2

Download Submit
C:\Windows\{6B257002-A9ED-4e81-9728-CC82471753C7}.exe

Filesize
83KB

MD5
cb77515b3d6047d50aa9c6ce0846ce37

SHA1
a8dce70a6ec40707a946f0c6cb28ff38c442dec1

SHA256
40aeb1d19fcbae9794b0fe1ed3f3f6acd79a7a383277300855930c4fdd73845d

SHA512
39d4c09f5f03559e1f1cdeda152e4ad3ac85d42d3b0d17aab6832231aa906a4810925749066369c0b126ec6e782aba0e0deaf574edf4cf9b484223f3396deccd

Download Submit
C:\Windows\{A17A2000-73E5-458b-8682-EF4AABBE3B23}.exe

Filesize
83KB

MD5
4929654177e45a5c3d0f555fd3256811

SHA1
810f2a289860a8d86b02aa79d0b85efbfb8f2aaa

SHA256
f4cb4bc0bf986da48cdddba2c27991bc66cfe18f19af34084e83643fb70e7838

SHA512
3c6be7f6f5d3996b1b6a4d78127b5a56f4221541b1b72c5ad87719aa2252926d8dc2d1e534eff54c6e2a5acfda465841363c88ec095eeda395eaca3e9241399d

Download Submit
C:\Windows\{AEF8E7FF-BB26-487b-9978-F024D385FD82}.exe

Filesize
83KB

MD5
4e3884d4ac0c5f9c40a569404e5a00ce

SHA1
621fa0c6b2bf017473408318ae2dc05d5a33c7cc

SHA256
96f2fb119333468db388a28731e0bfcda595e5807e09c7a5bde544ea9c82b836

SHA512
5b9bb111c175178918a871e2834adadc25037a577dda8b940175ce6b395c2939224c9a267041be43c03bd3f44d750b9a4880b5f97ac8c6eb287f8b7780684724

Download Submit
C:\Windows\{B7758498-04AE-4079-9787-604D28DBABA8}.exe

Filesize
83KB

MD5
3309b04c3848b26e0840be587c2e3bc1

SHA1
f9b46bdd3c694cadac6d6f9ab9a8962aadfbda8a

SHA256
88555cbc769d1aa4e93ba9994f6258ec9c014eb134307e11e4849d727262263b

SHA512
9c1b2b98700e10400c080b25da06d5d4a77d6149f20fb0dca34aaa0c5c4a3fa35e9118b6c3c366f2a7507337e78ccfd10cf8ec56d829e597ae99857b20474788

Download Submit
C:\Windows\{C9C1A002-AA03-40f8-BC80-B869FF7B3FD9}.exe

Filesize
83KB

MD5
3627dc94735d0c27d555d66a4d9a4edd

SHA1
65dac6f73ca08841af26850962462bb801aef9a9

SHA256
3e84b86b9f834fbebc01f0933aa38a89fd55b7a6cfd9ac2386022585c7d92912

SHA512
5a7fe0a80602930f89ec4c96b6d532de8af435758f3754c1a769484903790a8dab59d0e641ab44ba56f36eb8280567d73993769b8786d0e775e6051e12d3c4dc

Download Submit
C:\Windows\{CB245EC8-E567-4a48-B604-2B7CC2406E59}.exe

Filesize
83KB

MD5
0c61ec769a3250792cd45b46721b353d

SHA1
82ccf4e9374fd86e500d3d5249a24d218c47b610

SHA256
d58348d5b9c9079ecdedfad089b2d2eb9d522ff53e41becb4faa1ca7c3bbedff

SHA512
eb696ae39c4c035e7edc03fd830e8732d40d6f3e8cf0631366221029bfb60864cec2b8dcb60aa160a46e2241da539181b46bd0f72a0b38a644ae2de43d09a1d7

Download Submit
memory/368-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/996-48-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/996-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/996-50-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1336-20-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1336-22-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1336-26-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3100-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3100-15-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3100-19-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3452-39-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3452-36-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3452-35-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3736-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3736-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3736-7-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3764-47-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3764-43-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3764-41-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4248-33-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4248-29-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4248-28-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4444-55-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4444-57-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4444-60-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4528-8-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4528-5-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4528-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads