3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9

Analysis

max time kernel
118s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe
Size

60KB
MD5

2a8f4c2a3543031770a5573b92086320
SHA1

450a69849f2ff7f2655349180e3eb497d987cc17
SHA256

3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9
SHA512

42c4b2219f64a3911d90959d0cf627ffb4c77e5e3f490471d1819530a38aabeab56c19e162bf386336ad8fe7d4f61b1b39e0d4a5387648a9d0013b7de4cda614
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwJY04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLro74/CFsrd

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6E5E046-15B4-4941-A1B1-B31FACB7222D}	{38B75559-FC66-4314-8991-4D270D585077}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6E5E046-15B4-4941-A1B1-B31FACB7222D}\stubpath = "C:\\Windows\\{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe"	{38B75559-FC66-4314-8991-4D270D585077}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66C19083-AF77-41c8-BECC-EF38BD699C5B}	{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B705DEE-C077-4341-9D61-F49F23EA7B2C}\stubpath = "C:\\Windows\\{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe"	{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{880FD7E9-EC5F-487d-AC02-9D11518AF972}	{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{880FD7E9-EC5F-487d-AC02-9D11518AF972}\stubpath = "C:\\Windows\\{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe"	{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B705DEE-C077-4341-9D61-F49F23EA7B2C}	{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}	{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38B75559-FC66-4314-8991-4D270D585077}	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38B75559-FC66-4314-8991-4D270D585077}\stubpath = "C:\\Windows\\{38B75559-FC66-4314-8991-4D270D585077}.exe"	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39E79071-5B0C-435c-AAFF-0FA00D55551C}\stubpath = "C:\\Windows\\{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe"	{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}\stubpath = "C:\\Windows\\{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe"	{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B6A4068-E513-4e6b-A39B-0955D725B228}	{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66C19083-AF77-41c8-BECC-EF38BD699C5B}\stubpath = "C:\\Windows\\{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe"	{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{715528A2-F14A-45c0-86B5-6D1548DCCAFF}	{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{715528A2-F14A-45c0-86B5-6D1548DCCAFF}\stubpath = "C:\\Windows\\{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe"	{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39E79071-5B0C-435c-AAFF-0FA00D55551C}	{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B6A4068-E513-4e6b-A39B-0955D725B228}\stubpath = "C:\\Windows\\{1B6A4068-E513-4e6b-A39B-0955D725B228}.exe"	{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe

Executes dropped EXE 9 IoCs

pid	Process
1492	{38B75559-FC66-4314-8991-4D270D585077}.exe
1992	{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe
3716	{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe
2424	{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe
2796	{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe
4672	{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe
2656	{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe
4600	{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe
1560	{1B6A4068-E513-4e6b-A39B-0955D725B228}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{38B75559-FC66-4314-8991-4D270D585077}.exe	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe
File created	C:\Windows\{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe	{38B75559-FC66-4314-8991-4D270D585077}.exe
File created	C:\Windows\{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe	{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe
File created	C:\Windows\{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe	{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe
File created	C:\Windows\{1B6A4068-E513-4e6b-A39B-0955D725B228}.exe	{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe
File created	C:\Windows\{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe	{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe
File created	C:\Windows\{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe	{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe
File created	C:\Windows\{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe	{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe
File created	C:\Windows\{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe	{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{38B75559-FC66-4314-8991-4D270D585077}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1B6A4068-E513-4e6b-A39B-0955D725B228}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	536	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe
Token: SeIncBasePriorityPrivilege	1492	{38B75559-FC66-4314-8991-4D270D585077}.exe
Token: SeIncBasePriorityPrivilege	1992	{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe
Token: SeIncBasePriorityPrivilege	3716	{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe
Token: SeIncBasePriorityPrivilege	2424	{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe
Token: SeIncBasePriorityPrivilege	2796	{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe
Token: SeIncBasePriorityPrivilege	4672	{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe
Token: SeIncBasePriorityPrivilege	2656	{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe
Token: SeIncBasePriorityPrivilege	4600	{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1492	536	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe	89
PID 536 wrote to memory of 1492	536	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe	89
PID 536 wrote to memory of 1492	536	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe	89
PID 536 wrote to memory of 2560	536	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe	90
PID 536 wrote to memory of 2560	536	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe	90
PID 536 wrote to memory of 2560	536	3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe	90
PID 1492 wrote to memory of 1992	1492	{38B75559-FC66-4314-8991-4D270D585077}.exe	91
PID 1492 wrote to memory of 1992	1492	{38B75559-FC66-4314-8991-4D270D585077}.exe	91
PID 1492 wrote to memory of 1992	1492	{38B75559-FC66-4314-8991-4D270D585077}.exe	91
PID 1492 wrote to memory of 3224	1492	{38B75559-FC66-4314-8991-4D270D585077}.exe	92
PID 1492 wrote to memory of 3224	1492	{38B75559-FC66-4314-8991-4D270D585077}.exe	92
PID 1492 wrote to memory of 3224	1492	{38B75559-FC66-4314-8991-4D270D585077}.exe	92
PID 1992 wrote to memory of 3716	1992	{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe	95
PID 1992 wrote to memory of 3716	1992	{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe	95
PID 1992 wrote to memory of 3716	1992	{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe	95
PID 1992 wrote to memory of 4536	1992	{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe	96
PID 1992 wrote to memory of 4536	1992	{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe	96
PID 1992 wrote to memory of 4536	1992	{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe	96
PID 3716 wrote to memory of 2424	3716	{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe	97
PID 3716 wrote to memory of 2424	3716	{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe	97
PID 3716 wrote to memory of 2424	3716	{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe	97
PID 3716 wrote to memory of 3244	3716	{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe	98
PID 3716 wrote to memory of 3244	3716	{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe	98
PID 3716 wrote to memory of 3244	3716	{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe	98
PID 2424 wrote to memory of 2796	2424	{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe	99
PID 2424 wrote to memory of 2796	2424	{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe	99
PID 2424 wrote to memory of 2796	2424	{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe	99
PID 2424 wrote to memory of 4460	2424	{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe	100
PID 2424 wrote to memory of 4460	2424	{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe	100
PID 2424 wrote to memory of 4460	2424	{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe	100
PID 2796 wrote to memory of 4672	2796	{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe	101
PID 2796 wrote to memory of 4672	2796	{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe	101
PID 2796 wrote to memory of 4672	2796	{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe	101
PID 2796 wrote to memory of 5096	2796	{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe	102
PID 2796 wrote to memory of 5096	2796	{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe	102
PID 2796 wrote to memory of 5096	2796	{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe	102
PID 4672 wrote to memory of 2656	4672	{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe	103
PID 4672 wrote to memory of 2656	4672	{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe	103
PID 4672 wrote to memory of 2656	4672	{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe	103
PID 4672 wrote to memory of 3084	4672	{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe	104
PID 4672 wrote to memory of 3084	4672	{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe	104
PID 4672 wrote to memory of 3084	4672	{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe	104
PID 2656 wrote to memory of 4600	2656	{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe	105
PID 2656 wrote to memory of 4600	2656	{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe	105
PID 2656 wrote to memory of 4600	2656	{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe	105
PID 2656 wrote to memory of 3836	2656	{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe	106
PID 2656 wrote to memory of 3836	2656	{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe	106
PID 2656 wrote to memory of 3836	2656	{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe	106
PID 4600 wrote to memory of 1560	4600	{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe	107
PID 4600 wrote to memory of 1560	4600	{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe	107
PID 4600 wrote to memory of 1560	4600	{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe	107
PID 4600 wrote to memory of 548	4600	{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe	108
PID 4600 wrote to memory of 548	4600	{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe	108
PID 4600 wrote to memory of 548	4600	{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe	108

C:\Users\Admin\AppData\Local\Temp\3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe
"C:\Users\Admin\AppData\Local\Temp\3fab79253dac79f42febc6a60607b438c1790e91af9cc42190bad769b654eda9N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\{38B75559-FC66-4314-8991-4D270D585077}.exe
  C:\Windows\{38B75559-FC66-4314-8991-4D270D585077}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe
    C:\Windows\{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe
      C:\Windows\{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3716
    - - C:\Windows\{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe
        
        C:\Windows\{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe
        
        C:\Windows\{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe
        
        C:\Windows\{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe
        
        C:\Windows\{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe
        
        C:\Windows\{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\{1B6A4068-E513-4e6b-A39B-0955D725B228}.exe
        
        C:\Windows\{1B6A4068-E513-4e6b-A39B-0955D725B228}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35D83~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39E79~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71552~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B705~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{880FD~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66C19~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B6E5E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{38B75~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3FAB79~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B6A4068-E513-4e6b-A39B-0955D725B228}.exe

Filesize
60KB

MD5
5dcc33953fb35aff3879c5460676bdc7

SHA1
e279ede42d1b63e4e4193215717474953d7a7f58

SHA256
414842fa4a10e370cdaeac139ba260b142aea93621163bbbb6c8a2c2c9dd4ff8

SHA512
b01fb3e96e6adfbe3886dc712b16819084d7520654680e36436fd8c5f292a18e277aa03095ba8f9f4acb10c3a7c2294ed1d3cb15e5fd522593e183fa563f845a

Download Submit
C:\Windows\{35D83ECA-0946-4e8c-ABA5-CA1E1F69D4A8}.exe

Filesize
60KB

MD5
ccdbfa62900630598fbb2324f4d58cb7

SHA1
43bc247ff4ecc014c75f334546cc5c50abf9cb29

SHA256
9ef195e36a0bd7bd7e6d911116d7cc6c9555a61ec35ddbe44292b9f343a91622

SHA512
01696822c0f9e43c988ee863b3cade5e58fa67e69459aa13ea20c046b4cd7b1eecf9c02649ea5d8aaac64ac7146c4b5474bd1c1a39d4da2d88dd68b43cd0e5f2

Download Submit
C:\Windows\{38B75559-FC66-4314-8991-4D270D585077}.exe

Filesize
60KB

MD5
4eac36b75b50bab525d4fe301dde6290

SHA1
af8bc1c0faa1b95f3f2559c207b3b0dd6e80820f

SHA256
0a8bebaeeeade41a7a89ce75fcaf39dc6e99ec1982d77302f6fbc0fd1027c4b1

SHA512
9969e1a9a112309a1db67a03c7b8723192b62f8c1dbd651f96f8049a1748d45776ff751aedccc09eaf1e47f7ed9f1920aea300aa9f3558caaf94ddfeb63e52d3

Download Submit
C:\Windows\{39E79071-5B0C-435c-AAFF-0FA00D55551C}.exe

Filesize
60KB

MD5
4dd3789cd0f77a15c118c5e035667db1

SHA1
6a99b1b4847be424666dabddaf465c16a5dfcb52

SHA256
e0c7a76cab34eb1e9c6d2a5d4a86d24c4cef88414c8c75933c66b00e917c6cbb

SHA512
2f7a8295c53e3d098d01397064f1d42bb6bc7738f5da8aee65dd39faf702c1ca3dbed9af06274e54972854a0c327438020f73df6b75dd20e1b342a05bdb4892e

Download Submit
C:\Windows\{5B705DEE-C077-4341-9D61-F49F23EA7B2C}.exe

Filesize
60KB

MD5
5a96dc4fe84fbb756e30de96cae56d69

SHA1
4b310540c4fdf952e8dc4a32e8bbd6d30ac3dce8

SHA256
c2d707f3a40fb691caf8d31e48ec3e8fb3e6ce095885b81dcca5cc34f1b7f164

SHA512
9f256b3637d184fbff61895867ea4b0cf5b40b9292a056db64c9584d06769a5b95fecff3dc9a0da69b660000e64a6dfe5d5ce57a3dcda9e47da84ce995949a3f

Download Submit
C:\Windows\{66C19083-AF77-41c8-BECC-EF38BD699C5B}.exe

Filesize
60KB

MD5
75e7836101cfdc1bdb5a42ee6ea5f994

SHA1
ec3bf007b2019fb497256146d7d14175464e93b5

SHA256
090a2513790ff49763a6234d95b941333e4c1bec648209bdf28ad5199956f272

SHA512
5f6d8d2e4cb202f0ab88d5925ae74a677866ba12bd949dd039b466c7f32a9484c218e6c36b3adf0f99738cd58f2bde909c0341a94562e305949eed7cf735583e

Download Submit
C:\Windows\{715528A2-F14A-45c0-86B5-6D1548DCCAFF}.exe

Filesize
60KB

MD5
94fdc2fcd0a73f44ba336350b5cafb1e

SHA1
fcf243e34d1dec079d504197252076872578e6b4

SHA256
5d6620583df3ab0bb6b55329e6a5c0c33fc49169d9c1f3928f3f95614151bad5

SHA512
ee7d091098014e98bf894310e15da26ff6e3da37595474cbbf1188c7b07e0ac33c609032cb1af6d88d3a5576cb88e6a94458c29ab8d51a4134f3d200f2896d88

Download Submit
C:\Windows\{880FD7E9-EC5F-487d-AC02-9D11518AF972}.exe

Filesize
60KB

MD5
d1cc333bf9086d35567fe615f02781f4

SHA1
453cd2ae4a2ed23ccdf6a0b452a495b29f3d7987

SHA256
1f05083a79d3da3654a4cd63cf4947f398a4c024dee7035a1a24cc708fe034ca

SHA512
19cd841275f4ccbe9c884af73fe01fa5ce05d91d92474dbf16f4f0967e85ac6ae3a5f10835368c414fe8462f998c0f66b99e4351268520d311ce620ebdde6f96

Download Submit
C:\Windows\{B6E5E046-15B4-4941-A1B1-B31FACB7222D}.exe

Filesize
60KB

MD5
c3d0b92288f70292b5b265255ca5cbef

SHA1
1db7c1e5b6704ee830b49ace77b041ba1b1553e0

SHA256
3735287193f57bd4e4e1d71bb21b86f0688f720ea1f45d284d63c8537d4a00de

SHA512
3b4234dd2af14794fff9392033d454591f1ebdc114718bfd9003f922af89751e4c15b36de878474bc2d03ccd5a8d191b49883784a1956c8ab0144337cdee84c8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads