93ed68d8e586c2060e56b04f4b7267917e3f64310db19129ef21744382c6da64

Analysis

max time kernel
118s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93ed68d8e586c2060e56b04f4b7267917e3f64310db19129ef21744382c6da64N.exe
Size

380KB
MD5

8bcbb86a5f2cef7d98e59cb185691c00
SHA1

e047543c9843e58093a20f30d37f57868f7a1b7d
SHA256

93ed68d8e586c2060e56b04f4b7267917e3f64310db19129ef21744382c6da64
SHA512

566bbf29d216ac8a0da693dd50e8cf8485249275bdfa4f4f29a3aabdc4fb389564b8c3ecc735cd7bfb3f923a649245a8c0e8c4cdc0fadfc8ff9f27b863e8c077
SSDEEP

3072:mEGh0oNlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGHl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C681BF9-6633-408e-A57E-34264D709FF6}\stubpath = "C:\\Windows\\{5C681BF9-6633-408e-A57E-34264D709FF6}.exe"	93ed68d8e586c2060e56b04f4b7267917e3f64310db19129ef21744382c6da64N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F96577F-8E96-45ca-A040-4D0E0A837A66}	{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F96577F-8E96-45ca-A040-4D0E0A837A66}\stubpath = "C:\\Windows\\{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe"	{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}\stubpath = "C:\\Windows\\{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe"	{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}	{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFF06CD5-FB92-433e-A898-C935F1EDAC36}	{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}\stubpath = "C:\\Windows\\{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe"	{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C580C553-5B65-493a-95E8-4379B5188FFE}\stubpath = "C:\\Windows\\{C580C553-5B65-493a-95E8-4379B5188FFE}.exe"	{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD5BDB72-5ED0-4239-A973-1B4EEBD71BEC}	{C580C553-5B65-493a-95E8-4379B5188FFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}	{5C681BF9-6633-408e-A57E-34264D709FF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}\stubpath = "C:\\Windows\\{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe"	{5C681BF9-6633-408e-A57E-34264D709FF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}	{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}\stubpath = "C:\\Windows\\{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe"	{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}	{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD5BDB72-5ED0-4239-A973-1B4EEBD71BEC}\stubpath = "C:\\Windows\\{CD5BDB72-5ED0-4239-A973-1B4EEBD71BEC}.exe"	{C580C553-5B65-493a-95E8-4379B5188FFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C681BF9-6633-408e-A57E-34264D709FF6}	93ed68d8e586c2060e56b04f4b7267917e3f64310db19129ef21744382c6da64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFF06CD5-FB92-433e-A898-C935F1EDAC36}\stubpath = "C:\\Windows\\{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe"	{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C580C553-5B65-493a-95E8-4379B5188FFE}	{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe

Executes dropped EXE 9 IoCs

pid	Process
2788	{5C681BF9-6633-408e-A57E-34264D709FF6}.exe
2652	{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe
3916	{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe
1684	{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe
4692	{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe
2812	{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe
1168	{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe
4712	{C580C553-5B65-493a-95E8-4379B5188FFE}.exe
3020	{CD5BDB72-5ED0-4239-A973-1B4EEBD71BEC}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{5C681BF9-6633-408e-A57E-34264D709FF6}.exe	93ed68d8e586c2060e56b04f4b7267917e3f64310db19129ef21744382c6da64N.exe
File created	C:\Windows\{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe	{5C681BF9-6633-408e-A57E-34264D709FF6}.exe
File created	C:\Windows\{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe	{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe
File created	C:\Windows\{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe	{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe
File created	C:\Windows\{C580C553-5B65-493a-95E8-4379B5188FFE}.exe	{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe
File created	C:\Windows\{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe	{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe
File created	C:\Windows\{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe	{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe
File created	C:\Windows\{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe	{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe
File created	C:\Windows\{CD5BDB72-5ED0-4239-A973-1B4EEBD71BEC}.exe	{C580C553-5B65-493a-95E8-4379B5188FFE}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD5BDB72-5ED0-4239-A973-1B4EEBD71BEC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93ed68d8e586c2060e56b04f4b7267917e3f64310db19129ef21744382c6da64N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C681BF9-6633-408e-A57E-34264D709FF6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C580C553-5B65-493a-95E8-4379B5188FFE}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4388	93ed68d8e586c2060e56b04f4b7267917e3f64310db19129ef21744382c6da64N.exe
Token: SeIncBasePriorityPrivilege	2788	{5C681BF9-6633-408e-A57E-34264D709FF6}.exe
Token: SeIncBasePriorityPrivilege	2652	{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe
Token: SeIncBasePriorityPrivilege	3916	{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe
Token: SeIncBasePriorityPrivilege	1684	{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe
Token: SeIncBasePriorityPrivilege	4692	{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe
Token: SeIncBasePriorityPrivilege	2812	{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe
Token: SeIncBasePriorityPrivilege	1168	{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe
Token: SeIncBasePriorityPrivilege	4712	{C580C553-5B65-493a-95E8-4379B5188FFE}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 2788	4388	93ed68d8e586c2060e56b04f4b7267917e3f64310db19129ef21744382c6da64N.exe	87
PID 4388 wrote to memory of 2788	4388	93ed68d8e586c2060e56b04f4b7267917e3f64310db19129ef21744382c6da64N.exe	87
PID 4388 wrote to memory of 2788	4388	93ed68d8e586c2060e56b04f4b7267917e3f64310db19129ef21744382c6da64N.exe	87
PID 4388 wrote to memory of 3532	4388	93ed68d8e586c2060e56b04f4b7267917e3f64310db19129ef21744382c6da64N.exe	88
PID 4388 wrote to memory of 3532	4388	93ed68d8e586c2060e56b04f4b7267917e3f64310db19129ef21744382c6da64N.exe	88
PID 4388 wrote to memory of 3532	4388	93ed68d8e586c2060e56b04f4b7267917e3f64310db19129ef21744382c6da64N.exe	88
PID 2788 wrote to memory of 2652	2788	{5C681BF9-6633-408e-A57E-34264D709FF6}.exe	91
PID 2788 wrote to memory of 2652	2788	{5C681BF9-6633-408e-A57E-34264D709FF6}.exe	91
PID 2788 wrote to memory of 2652	2788	{5C681BF9-6633-408e-A57E-34264D709FF6}.exe	91
PID 2788 wrote to memory of 1016	2788	{5C681BF9-6633-408e-A57E-34264D709FF6}.exe	92
PID 2788 wrote to memory of 1016	2788	{5C681BF9-6633-408e-A57E-34264D709FF6}.exe	92
PID 2788 wrote to memory of 1016	2788	{5C681BF9-6633-408e-A57E-34264D709FF6}.exe	92
PID 2652 wrote to memory of 3916	2652	{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe	95
PID 2652 wrote to memory of 3916	2652	{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe	95
PID 2652 wrote to memory of 3916	2652	{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe	95
PID 2652 wrote to memory of 3820	2652	{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe	96
PID 2652 wrote to memory of 3820	2652	{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe	96
PID 2652 wrote to memory of 3820	2652	{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe	96
PID 3916 wrote to memory of 1684	3916	{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe	97
PID 3916 wrote to memory of 1684	3916	{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe	97
PID 3916 wrote to memory of 1684	3916	{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe	97
PID 3916 wrote to memory of 2712	3916	{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe	98
PID 3916 wrote to memory of 2712	3916	{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe	98
PID 3916 wrote to memory of 2712	3916	{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe	98
PID 1684 wrote to memory of 4692	1684	{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe	99
PID 1684 wrote to memory of 4692	1684	{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe	99
PID 1684 wrote to memory of 4692	1684	{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe	99
PID 1684 wrote to memory of 1132	1684	{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe	100
PID 1684 wrote to memory of 1132	1684	{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe	100
PID 1684 wrote to memory of 1132	1684	{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe	100
PID 4692 wrote to memory of 2812	4692	{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe	101
PID 4692 wrote to memory of 2812	4692	{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe	101
PID 4692 wrote to memory of 2812	4692	{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe	101
PID 4692 wrote to memory of 1356	4692	{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe	102
PID 4692 wrote to memory of 1356	4692	{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe	102
PID 4692 wrote to memory of 1356	4692	{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe	102
PID 2812 wrote to memory of 1168	2812	{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe	103
PID 2812 wrote to memory of 1168	2812	{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe	103
PID 2812 wrote to memory of 1168	2812	{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe	103
PID 2812 wrote to memory of 1052	2812	{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe	104
PID 2812 wrote to memory of 1052	2812	{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe	104
PID 2812 wrote to memory of 1052	2812	{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe	104
PID 1168 wrote to memory of 4712	1168	{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe	105
PID 1168 wrote to memory of 4712	1168	{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe	105
PID 1168 wrote to memory of 4712	1168	{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe	105
PID 1168 wrote to memory of 764	1168	{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe	106
PID 1168 wrote to memory of 764	1168	{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe	106
PID 1168 wrote to memory of 764	1168	{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe	106
PID 4712 wrote to memory of 3020	4712	{C580C553-5B65-493a-95E8-4379B5188FFE}.exe	107
PID 4712 wrote to memory of 3020	4712	{C580C553-5B65-493a-95E8-4379B5188FFE}.exe	107
PID 4712 wrote to memory of 3020	4712	{C580C553-5B65-493a-95E8-4379B5188FFE}.exe	107
PID 4712 wrote to memory of 3056	4712	{C580C553-5B65-493a-95E8-4379B5188FFE}.exe	108
PID 4712 wrote to memory of 3056	4712	{C580C553-5B65-493a-95E8-4379B5188FFE}.exe	108
PID 4712 wrote to memory of 3056	4712	{C580C553-5B65-493a-95E8-4379B5188FFE}.exe	108

C:\Users\Admin\AppData\Local\Temp\93ed68d8e586c2060e56b04f4b7267917e3f64310db19129ef21744382c6da64N.exe
"C:\Users\Admin\AppData\Local\Temp\93ed68d8e586c2060e56b04f4b7267917e3f64310db19129ef21744382c6da64N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\{5C681BF9-6633-408e-A57E-34264D709FF6}.exe
  C:\Windows\{5C681BF9-6633-408e-A57E-34264D709FF6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe
    C:\Windows\{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe
      C:\Windows\{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3916
    - - C:\Windows\{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe
        
        C:\Windows\{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
      - C:\Windows\{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe
        
        C:\Windows\{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe
        
        C:\Windows\{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe
        
        C:\Windows\{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\{C580C553-5B65-493a-95E8-4379B5188FFE}.exe
        
        C:\Windows\{C580C553-5B65-493a-95E8-4379B5188FFE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\{CD5BDB72-5ED0-4239-A973-1B4EEBD71BEC}.exe
        
        C:\Windows\{CD5BDB72-5ED0-4239-A973-1B4EEBD71BEC}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C580C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7F37~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFF06~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07C39~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7661~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F965~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F0E71~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5C681~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\93ED68~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07C39DE2-B1E3-4b3a-AFE7-7B05AF8C68F4}.exe

Filesize
380KB

MD5
a871e6478cb95983b4ff4067c7674921

SHA1
d5b8f309b001d84a30c2b1981821e2ffeee8fd44

SHA256
08e70199eefcd292f66af07e4c056d0a327106f001d800f316613ea43bd64906

SHA512
ed8af304d13f0cdddc4d2f042baac53309be85204e5dce5f2671956f19c989f5bbfc411b50e80346e002219d93528fee24a3bdb84e44084b0cd50fac6e42456f

Download Submit
C:\Windows\{5C681BF9-6633-408e-A57E-34264D709FF6}.exe

Filesize
380KB

MD5
767dd4bab0734f369b1fec017f7f8e7a

SHA1
58946a06bcb3270ea8a8e482504cf436a78d52f0

SHA256
27f90eca822c1998fb3cb7115e8bc3f92031b45279c260d48ac731e4254c22ef

SHA512
89219d19a45eac2f3a9db0bf48ff732d0434e3d4377afad60d5f9a53d096b1847c49b7b269061f4008d6ac2ff50660e6381c287b741b1ee2e917206176c3d9ea

Download Submit
C:\Windows\{5F96577F-8E96-45ca-A040-4D0E0A837A66}.exe

Filesize
380KB

MD5
f99029618159ba2a7455836d245fb536

SHA1
949e8af375fca651938b95bda16a0b6da1b68fbf

SHA256
9131930011fb9d4c4f37e8860b3fa8d0c81398e0266b09d049e83951f134299b

SHA512
7b957f1b84b2bc2456b2f6596425b482acbe75d0ad433645d79b4fec0646d338911373d88dd561ee65fbe850f07d458ce19a3d77676009543bd47db01fc7e0f1

Download Submit
C:\Windows\{C580C553-5B65-493a-95E8-4379B5188FFE}.exe

Filesize
380KB

MD5
68f600a4f4abf7ae6b738c3e12035f69

SHA1
ccf45df8c72ed52303727c5cfa5388118516d3e8

SHA256
d30ff604dafea825f57b204954f29266b50836adadca309de8022dc5a74471e7

SHA512
ea099964abe25e0f634980b016fb06895ba9ab708e3ecd996f63124d92efb879cd55cd325c5e53139c068253560ae486d01be170817188570b99fac2aa457de0

Download Submit
C:\Windows\{C7661F36-AE29-4ea8-8E9A-FDD6AEE37F1B}.exe

Filesize
380KB

MD5
47bce3b1014e1c397170274980c6c90a

SHA1
198aed5047ef21c654d2fb8fd38b63bfc4970ca8

SHA256
507fcf1c99b883a1cb44a703265582b2fc8eacd8599c51868aaa263e6487545d

SHA512
6650cbb65aac6213c2b28a6d193642708fa28af45bef263dc5eb2ddb82e4edec79711df9d1bc0524cca8ce80f1e94d826324eda14037492062b0921fcbf68105

Download Submit
C:\Windows\{C7F371A3-EAA4-4585-A9CC-44D0E62021AA}.exe

Filesize
380KB

MD5
7c3c957abf005a842e4b1f2e4e9ffa7d

SHA1
3d85174d93fc0f18999059ab3f2fa45483611986

SHA256
4ca6c67cd047b7e48868a15f78ffe125ffb0fd804d033333a3ee49975bcd4017

SHA512
72435b7ddc31df21df8f6fc15604c68d50008fb382ba188611f647b25ab81cd8e9f5258a4881bbd9c5f8e287e26049a8ab01931ef951b512df2bbd950f50e36f

Download Submit
C:\Windows\{CD5BDB72-5ED0-4239-A973-1B4EEBD71BEC}.exe

Filesize
380KB

MD5
cf409632bf948bf8436cbef58c602c2a

SHA1
789947ace43b8a042d19596a15991e0e5a9d9d19

SHA256
6a0bdfdae318b14d4470dca1fa31b3ebcb2d726b82f90960e2e70114855e89c5

SHA512
82b298b7e44b040e68dec7c9bbaf5002707759eaae04662a528876a515d71c9931747ee987a3a8b206a042f52058ef2d39455572eed749a6ed2661a80683913c

Download Submit
C:\Windows\{DFF06CD5-FB92-433e-A898-C935F1EDAC36}.exe

Filesize
380KB

MD5
3dcb56e4f8b77cbdae798bfa1cff30c0

SHA1
f2a689ba958d63df228e915c1ad5b5407e9beb12

SHA256
af354febdff33ca86f6f6a46658aaabf74257a8c220819a087e2dff94f4bd2e4

SHA512
89b11da696eccc871308d0c2e0e5ed5bfeec13fb430d2e8d1f242338384aaa4acafd283d204c80edec558524c84ca10995be21f40a926b94a3c0b485e603f180

Download Submit
C:\Windows\{F0E71FB5-D9AC-4a4a-8CCA-07F4BDA22D12}.exe

Filesize
380KB

MD5
ddd03ed6686c8fb7a6568bd9478f6957

SHA1
19530bb82d256a25729c0cba8608ed44390ee8d0

SHA256
ae4d66d3838c2111985161754a36a410c0b20d708642237f5950c94ad274aeb6

SHA512
9b4bb28137fdd953192b2b0d98be6a66da85ab5dc0d4b7ca3eb14c53f7ad0be4d596b84c589f877fea3f8b031659e8b857e35baba97ff0c4fa2ef100426242a7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads