3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe
Size

60KB
MD5

2a8f4c2a3543031770a5573b92086320
SHA1

450a69849f2ff7f2655349180e3eb497d987cc17
SHA256

3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9
SHA512

42c4b2219f64a3911d90959d0cf627ffb4c77e5e3f490471d1819530a38aabeab56c19e162bf386336ad8fe7d4f61b1b39e0d4a5387648a9d0013b7de4cda614
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwJY04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLro74/CFsrd

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}\stubpath = "C:\\Windows\\{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe"	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00260E04-709A-4f85-BA05-7B23D216A68B}	{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}\stubpath = "C:\\Windows\\{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe"	{00260E04-709A-4f85-BA05-7B23D216A68B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB935363-6E18-4a87-AADE-0BC031FC944B}	{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3F13168-EB81-4394-A683-B6F789B3B5A2}	{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3F13168-EB81-4394-A683-B6F789B3B5A2}\stubpath = "C:\\Windows\\{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe"	{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}\stubpath = "C:\\Windows\\{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe"	{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}	{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}\stubpath = "C:\\Windows\\{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe"	{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F85059B2-FE78-480c-9319-E422E500AA87}	{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F85059B2-FE78-480c-9319-E422E500AA87}\stubpath = "C:\\Windows\\{F85059B2-FE78-480c-9319-E422E500AA87}.exe"	{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB935363-6E18-4a87-AADE-0BC031FC944B}\stubpath = "C:\\Windows\\{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe"	{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00260E04-709A-4f85-BA05-7B23D216A68B}\stubpath = "C:\\Windows\\{00260E04-709A-4f85-BA05-7B23D216A68B}.exe"	{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40BE958C-DF33-4eb2-9565-61DB83090505}	{F85059B2-FE78-480c-9319-E422E500AA87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40BE958C-DF33-4eb2-9565-61DB83090505}\stubpath = "C:\\Windows\\{40BE958C-DF33-4eb2-9565-61DB83090505}.exe"	{F85059B2-FE78-480c-9319-E422E500AA87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}	{00260E04-709A-4f85-BA05-7B23D216A68B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}	{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe

Deletes itself 1 IoCs

pid	Process
2764	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2964	{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe
2576	{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe
2132	{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe
1596	{00260E04-709A-4f85-BA05-7B23D216A68B}.exe
2236	{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe
1152	{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe
3032	{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe
1948	{F85059B2-FE78-480c-9319-E422E500AA87}.exe
2152	{40BE958C-DF33-4eb2-9565-61DB83090505}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe	{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe
File created	C:\Windows\{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe	{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe
File created	C:\Windows\{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe	{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe
File created	C:\Windows\{F85059B2-FE78-480c-9319-E422E500AA87}.exe	{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe
File created	C:\Windows\{40BE958C-DF33-4eb2-9565-61DB83090505}.exe	{F85059B2-FE78-480c-9319-E422E500AA87}.exe
File created	C:\Windows\{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe
File created	C:\Windows\{00260E04-709A-4f85-BA05-7B23D216A68B}.exe	{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe
File created	C:\Windows\{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe	{00260E04-709A-4f85-BA05-7B23D216A68B}.exe
File created	C:\Windows\{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe	{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F85059B2-FE78-480c-9319-E422E500AA87}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{40BE958C-DF33-4eb2-9565-61DB83090505}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{00260E04-709A-4f85-BA05-7B23D216A68B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2112	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe
Token: SeIncBasePriorityPrivilege	2964	{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe
Token: SeIncBasePriorityPrivilege	2576	{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe
Token: SeIncBasePriorityPrivilege	2132	{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe
Token: SeIncBasePriorityPrivilege	1596	{00260E04-709A-4f85-BA05-7B23D216A68B}.exe
Token: SeIncBasePriorityPrivilege	2236	{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe
Token: SeIncBasePriorityPrivilege	1152	{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe
Token: SeIncBasePriorityPrivilege	3032	{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe
Token: SeIncBasePriorityPrivilege	1948	{F85059B2-FE78-480c-9319-E422E500AA87}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2964	2112	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe	30
PID 2112 wrote to memory of 2964	2112	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe	30
PID 2112 wrote to memory of 2964	2112	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe	30
PID 2112 wrote to memory of 2964	2112	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe	30
PID 2112 wrote to memory of 2764	2112	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe	31
PID 2112 wrote to memory of 2764	2112	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe	31
PID 2112 wrote to memory of 2764	2112	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe	31
PID 2112 wrote to memory of 2764	2112	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe	31
PID 2964 wrote to memory of 2576	2964	{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe	33
PID 2964 wrote to memory of 2576	2964	{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe	33
PID 2964 wrote to memory of 2576	2964	{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe	33
PID 2964 wrote to memory of 2576	2964	{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe	33
PID 2964 wrote to memory of 2608	2964	{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe	34
PID 2964 wrote to memory of 2608	2964	{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe	34
PID 2964 wrote to memory of 2608	2964	{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe	34
PID 2964 wrote to memory of 2608	2964	{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe	34
PID 2576 wrote to memory of 2132	2576	{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe	35
PID 2576 wrote to memory of 2132	2576	{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe	35
PID 2576 wrote to memory of 2132	2576	{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe	35
PID 2576 wrote to memory of 2132	2576	{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe	35
PID 2576 wrote to memory of 1056	2576	{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe	36
PID 2576 wrote to memory of 1056	2576	{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe	36
PID 2576 wrote to memory of 1056	2576	{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe	36
PID 2576 wrote to memory of 1056	2576	{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe	36
PID 2132 wrote to memory of 1596	2132	{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe	37
PID 2132 wrote to memory of 1596	2132	{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe	37
PID 2132 wrote to memory of 1596	2132	{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe	37
PID 2132 wrote to memory of 1596	2132	{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe	37
PID 2132 wrote to memory of 1644	2132	{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe	38
PID 2132 wrote to memory of 1644	2132	{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe	38
PID 2132 wrote to memory of 1644	2132	{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe	38
PID 2132 wrote to memory of 1644	2132	{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe	38
PID 1596 wrote to memory of 2236	1596	{00260E04-709A-4f85-BA05-7B23D216A68B}.exe	39
PID 1596 wrote to memory of 2236	1596	{00260E04-709A-4f85-BA05-7B23D216A68B}.exe	39
PID 1596 wrote to memory of 2236	1596	{00260E04-709A-4f85-BA05-7B23D216A68B}.exe	39
PID 1596 wrote to memory of 2236	1596	{00260E04-709A-4f85-BA05-7B23D216A68B}.exe	39
PID 1596 wrote to memory of 3036	1596	{00260E04-709A-4f85-BA05-7B23D216A68B}.exe	40
PID 1596 wrote to memory of 3036	1596	{00260E04-709A-4f85-BA05-7B23D216A68B}.exe	40
PID 1596 wrote to memory of 3036	1596	{00260E04-709A-4f85-BA05-7B23D216A68B}.exe	40
PID 1596 wrote to memory of 3036	1596	{00260E04-709A-4f85-BA05-7B23D216A68B}.exe	40
PID 2236 wrote to memory of 1152	2236	{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe	41
PID 2236 wrote to memory of 1152	2236	{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe	41
PID 2236 wrote to memory of 1152	2236	{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe	41
PID 2236 wrote to memory of 1152	2236	{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe	41
PID 2236 wrote to memory of 1112	2236	{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe	42
PID 2236 wrote to memory of 1112	2236	{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe	42
PID 2236 wrote to memory of 1112	2236	{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe	42
PID 2236 wrote to memory of 1112	2236	{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe	42
PID 1152 wrote to memory of 3032	1152	{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe	43
PID 1152 wrote to memory of 3032	1152	{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe	43
PID 1152 wrote to memory of 3032	1152	{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe	43
PID 1152 wrote to memory of 3032	1152	{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe	43
PID 1152 wrote to memory of 2672	1152	{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe	44
PID 1152 wrote to memory of 2672	1152	{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe	44
PID 1152 wrote to memory of 2672	1152	{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe	44
PID 1152 wrote to memory of 2672	1152	{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe	44
PID 3032 wrote to memory of 1948	3032	{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe	45
PID 3032 wrote to memory of 1948	3032	{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe	45
PID 3032 wrote to memory of 1948	3032	{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe	45
PID 3032 wrote to memory of 1948	3032	{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe	45
PID 3032 wrote to memory of 1768	3032	{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe	46
PID 3032 wrote to memory of 1768	3032	{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe	46
PID 3032 wrote to memory of 1768	3032	{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe	46
PID 3032 wrote to memory of 1768	3032	{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe	46

C:\Users\Admin\AppData\Local\Temp\3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe
"C:\Users\Admin\AppData\Local\Temp\3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe
  C:\Windows\{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe
    C:\Windows\{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe
      C:\Windows\{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\{00260E04-709A-4f85-BA05-7B23D216A68B}.exe
        
        C:\Windows\{00260E04-709A-4f85-BA05-7B23D216A68B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\Windows\{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe
        
        C:\Windows\{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe
        
        C:\Windows\{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe
        
        C:\Windows\{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\{F85059B2-FE78-480c-9319-E422E500AA87}.exe
        
        C:\Windows\{F85059B2-FE78-480c-9319-E422E500AA87}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\{40BE958C-DF33-4eb2-9565-61DB83090505}.exe
        
        C:\Windows\{40BE958C-DF33-4eb2-9565-61DB83090505}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8505~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EB8B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FCAF~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B356~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00260~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3F13~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DB935~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A7281~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3FAB79~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00260E04-709A-4f85-BA05-7B23D216A68B}.exe

Filesize
60KB

MD5
f96e4d02926641c56537ba3d6fffc1ae

SHA1
c69187798a358f10aefd253cd5206059962bef9a

SHA256
dbe713fc2e1833ad56c4dffceae87496339c71281fa63a817f3e33b69dc1e99d

SHA512
15ce13c3b99ed6484a5b0c6d4421396e8cde43cb1c205b867b26c955aff4ea193d626a628a4bc6304ae039de174cd038f624f78b654f6567efc6eb5c21e22f3d

Download Submit
C:\Windows\{40BE958C-DF33-4eb2-9565-61DB83090505}.exe

Filesize
60KB

MD5
4d0b99062f7ee5144eb32577fb878c24

SHA1
bda7560014d2f9ea68360b169c0b3d3726224fcb

SHA256
b53c45447a1092ee471442a0c623152338034c6aaa12bcf2242834de2455780e

SHA512
8eac78aaf33ba7ffc61a4a54d96319bf7296916a5f9457eed575036e8ec52db149429455b990536ec90795444ab55159a040a86d6e7269e7224e9411d2884f74

Download Submit
C:\Windows\{7EB8B4AE-597C-4ca7-991B-E20F9FC32C1F}.exe

Filesize
60KB

MD5
acd3c7d487e095fb7c9ef874aa62e79d

SHA1
05cd7c376f98886f068cd525361985f43df97467

SHA256
0e2707330a50df32b4799dd0b08366263321492e92b0318c187aa4a1ec6f6056

SHA512
ae61d9cc329197a818daa1a2869e1f1e2125903db2a13af7cd77cca1f8cf521b25890ebad5b77bc169038f38cd244d8f575e4f068ee99fa3c77329c53b558504

Download Submit
C:\Windows\{7FCAFAD0-FEFF-4fdc-BEA0-D62400621043}.exe

Filesize
60KB

MD5
819b0a6682410865eaf4802fd38a7cda

SHA1
8b0f252a5ccd93a917020db417daa8284db9ee6d

SHA256
72a59be9be09bd4bacc78f279842c99654d9d091df93ae45d4cb2f70e6539165

SHA512
45d1d7670f8f50e26af97abe03d9e40c811c08987ff0b08454bb50afc3d5b2457e0e1a47fefb0d462859e697748293ddaf6f5e4a2d331dcd33dbc7aa4d7f4ba7

Download Submit
C:\Windows\{9B35686F-CB19-4749-8C7B-EBFDB8573C4F}.exe

Filesize
60KB

MD5
6abc91cb9d44df6292dbf4e16422dabf

SHA1
5b16627d36fbbf1bdb00903a890ee11f062f08f9

SHA256
dc1e05f8009403b157515ef7d84c854fdf834c74c2b5ea088ee25347ee4f1f13

SHA512
8cb70a139ffe2f8c8e350eb2bb98f429f7d91f1a59dc316c4f1fdff44c3597ae3e2cee4bcb3578596710a270982a65a829e9d6a31c0ce722bb6b0d3cf21a55b5

Download Submit
C:\Windows\{A3F13168-EB81-4394-A683-B6F789B3B5A2}.exe

Filesize
60KB

MD5
d910ec9bc22f50fb41f1eaa0cba3801c

SHA1
5cc242240f2024577a5043e7409d2666432e9695

SHA256
24a6ddba5c2d93a22c1e2dba3288ed2a95318e6c7c634bff365a1acd634e38bb

SHA512
9974157ae64e9da875805707eb096696d1c988413bc85dc358b7bd568e98b32016ace193703fa17eb76ef8c377f48094de7f486f3158b866cb85fbf491a86d80

Download Submit
C:\Windows\{A728183E-0D27-430e-A1E8-48B2ABBD5B8B}.exe

Filesize
60KB

MD5
e141e1889a67cc3201663a2b52bbc232

SHA1
3947c251a56a96f0f75811c9da8eeffdee76926f

SHA256
5b8397120c35939c51e9b3ac8bb8429117ebda7d9a348175885d982ef4b0481f

SHA512
f4b4ee4a481202c868e157df2dfc5d9eb7b7867fbfa55099b173255c595fa8d45f10062d7ce894486f4ae8fbdcce58b513ddb7a2ca85be2f21afdf0ff4a4b0fd

Download Submit
C:\Windows\{DB935363-6E18-4a87-AADE-0BC031FC944B}.exe

Filesize
60KB

MD5
9934495c294df20ce7f75667e5fee1c4

SHA1
f588dbe8805424b9334bd22a8d0a3f8c4e638b7b

SHA256
91ecfd552e2d3ce1141a2c77bbd222ae027e4a9c14b3e0055db9b804e3cdd812

SHA512
99797752e8c19b01398d4eca2cd20b35e21464e18bbe72d0b0c5344e1c68a2d426646210a9e437d6cfd438f4336482814891ded868486a8344af43c0d17143f4

Download Submit
C:\Windows\{F85059B2-FE78-480c-9319-E422E500AA87}.exe

Filesize
60KB

MD5
8d0bc30ec3f669d36f21b3041a11d0fb

SHA1
f31554996131c81938c479b619256c35113898e6

SHA256
e30fa01f834ebc44a83170dbb405cb012f152c9cb5d2db92ba9aaf9f4d22d341

SHA512
512e289847aa55bfc35e8d975f9e25ed4a502b4c8b6af478681c920349c12e80a8e1ed1e5ffb4493c1ce70e4f945b4bb989e6144be9ebc609bd81ebc0c536fe7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads