f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe
Size

89KB
MD5

b24239aab22fdc02152eb5159047d688
SHA1

d30585ce7472f5c55bd4e8a58d413fc21bd3a793
SHA256

f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9
SHA512

b0f0ef41bc37a609ae81ecc295e60dbd98d161637bb39e1ab3160e436d6100f313e9a06f66c3f4452d7f19792c865f20eccc0b3bbfd45ba7409efc33b17a67d1
SSDEEP

768:Qvw9816vhKQLroU4/wQRNrfrunMxVFA3b7glL:YEGh0oUl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CF93341-CA6D-4e9f-808C-25671B70A7F8}\stubpath = "C:\\Windows\\{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe"	{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}\stubpath = "C:\\Windows\\{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe"	{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}	{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0818FCAC-D2CC-404d-BD6B-1342367CE094}	{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}\stubpath = "C:\\Windows\\{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe"	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}	{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ED33D45-7D51-4577-A08C-649FFA5B6C1C}	{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6197B4D1-7811-4048-9664-523E4B090301}\stubpath = "C:\\Windows\\{6197B4D1-7811-4048-9664-523E4B090301}.exe"	{1ED33D45-7D51-4577-A08C-649FFA5B6C1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DF9F430-B749-4e6e-870F-499390C167A0}\stubpath = "C:\\Windows\\{1DF9F430-B749-4e6e-870F-499390C167A0}.exe"	{0E1FB105-4F97-457c-A118-9B63DFE843A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6197B4D1-7811-4048-9664-523E4B090301}	{1ED33D45-7D51-4577-A08C-649FFA5B6C1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E1FB105-4F97-457c-A118-9B63DFE843A0}	{6197B4D1-7811-4048-9664-523E4B090301}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}\stubpath = "C:\\Windows\\{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe"	{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0818FCAC-D2CC-404d-BD6B-1342367CE094}\stubpath = "C:\\Windows\\{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe"	{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}	{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}\stubpath = "C:\\Windows\\{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe"	{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}	{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ED33D45-7D51-4577-A08C-649FFA5B6C1C}\stubpath = "C:\\Windows\\{1ED33D45-7D51-4577-A08C-649FFA5B6C1C}.exe"	{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E1FB105-4F97-457c-A118-9B63DFE843A0}\stubpath = "C:\\Windows\\{0E1FB105-4F97-457c-A118-9B63DFE843A0}.exe"	{6197B4D1-7811-4048-9664-523E4B090301}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CF93341-CA6D-4e9f-808C-25671B70A7F8}	{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}\stubpath = "C:\\Windows\\{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe"	{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DF9F430-B749-4e6e-870F-499390C167A0}	{0E1FB105-4F97-457c-A118-9B63DFE843A0}.exe

Executes dropped EXE 11 IoCs

pid	Process
2764	{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe
2644	{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe
2664	{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe
3032	{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe
1744	{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe
2896	{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe
2172	{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe
1216	{1ED33D45-7D51-4577-A08C-649FFA5B6C1C}.exe
884	{6197B4D1-7811-4048-9664-523E4B090301}.exe
2208	{0E1FB105-4F97-457c-A118-9B63DFE843A0}.exe
1644	{1DF9F430-B749-4e6e-870F-499390C167A0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe	{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe
File created	C:\Windows\{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe	{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe
File created	C:\Windows\{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe	{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe
File created	C:\Windows\{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe	{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe
File created	C:\Windows\{6197B4D1-7811-4048-9664-523E4B090301}.exe	{1ED33D45-7D51-4577-A08C-649FFA5B6C1C}.exe
File created	C:\Windows\{0E1FB105-4F97-457c-A118-9B63DFE843A0}.exe	{6197B4D1-7811-4048-9664-523E4B090301}.exe
File created	C:\Windows\{1DF9F430-B749-4e6e-870F-499390C167A0}.exe	{0E1FB105-4F97-457c-A118-9B63DFE843A0}.exe
File created	C:\Windows\{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe
File created	C:\Windows\{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe	{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe
File created	C:\Windows\{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe	{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe
File created	C:\Windows\{1ED33D45-7D51-4577-A08C-649FFA5B6C1C}.exe	{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1DF9F430-B749-4e6e-870F-499390C167A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1ED33D45-7D51-4577-A08C-649FFA5B6C1C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6197B4D1-7811-4048-9664-523E4B090301}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0E1FB105-4F97-457c-A118-9B63DFE843A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2520	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe
Token: SeIncBasePriorityPrivilege	2764	{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe
Token: SeIncBasePriorityPrivilege	2644	{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe
Token: SeIncBasePriorityPrivilege	2664	{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe
Token: SeIncBasePriorityPrivilege	3032	{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe
Token: SeIncBasePriorityPrivilege	1744	{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe
Token: SeIncBasePriorityPrivilege	2896	{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe
Token: SeIncBasePriorityPrivilege	2172	{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe
Token: SeIncBasePriorityPrivilege	1216	{1ED33D45-7D51-4577-A08C-649FFA5B6C1C}.exe
Token: SeIncBasePriorityPrivilege	884	{6197B4D1-7811-4048-9664-523E4B090301}.exe
Token: SeIncBasePriorityPrivilege	2208	{0E1FB105-4F97-457c-A118-9B63DFE843A0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2764	2520	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe	30
PID 2520 wrote to memory of 2764	2520	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe	30
PID 2520 wrote to memory of 2764	2520	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe	30
PID 2520 wrote to memory of 2764	2520	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe	30
PID 2520 wrote to memory of 2892	2520	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe	31
PID 2520 wrote to memory of 2892	2520	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe	31
PID 2520 wrote to memory of 2892	2520	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe	31
PID 2520 wrote to memory of 2892	2520	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe	31
PID 2764 wrote to memory of 2644	2764	{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe	33
PID 2764 wrote to memory of 2644	2764	{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe	33
PID 2764 wrote to memory of 2644	2764	{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe	33
PID 2764 wrote to memory of 2644	2764	{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe	33
PID 2764 wrote to memory of 2784	2764	{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe	34
PID 2764 wrote to memory of 2784	2764	{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe	34
PID 2764 wrote to memory of 2784	2764	{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe	34
PID 2764 wrote to memory of 2784	2764	{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe	34
PID 2644 wrote to memory of 2664	2644	{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe	35
PID 2644 wrote to memory of 2664	2644	{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe	35
PID 2644 wrote to memory of 2664	2644	{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe	35
PID 2644 wrote to memory of 2664	2644	{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe	35
PID 2644 wrote to memory of 2516	2644	{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe	36
PID 2644 wrote to memory of 2516	2644	{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe	36
PID 2644 wrote to memory of 2516	2644	{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe	36
PID 2644 wrote to memory of 2516	2644	{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe	36
PID 2664 wrote to memory of 3032	2664	{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe	37
PID 2664 wrote to memory of 3032	2664	{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe	37
PID 2664 wrote to memory of 3032	2664	{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe	37
PID 2664 wrote to memory of 3032	2664	{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe	37
PID 2664 wrote to memory of 2092	2664	{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe	38
PID 2664 wrote to memory of 2092	2664	{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe	38
PID 2664 wrote to memory of 2092	2664	{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe	38
PID 2664 wrote to memory of 2092	2664	{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe	38
PID 3032 wrote to memory of 1744	3032	{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe	39
PID 3032 wrote to memory of 1744	3032	{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe	39
PID 3032 wrote to memory of 1744	3032	{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe	39
PID 3032 wrote to memory of 1744	3032	{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe	39
PID 3032 wrote to memory of 380	3032	{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe	40
PID 3032 wrote to memory of 380	3032	{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe	40
PID 3032 wrote to memory of 380	3032	{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe	40
PID 3032 wrote to memory of 380	3032	{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe	40
PID 1744 wrote to memory of 2896	1744	{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe	41
PID 1744 wrote to memory of 2896	1744	{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe	41
PID 1744 wrote to memory of 2896	1744	{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe	41
PID 1744 wrote to memory of 2896	1744	{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe	41
PID 1744 wrote to memory of 2840	1744	{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe	42
PID 1744 wrote to memory of 2840	1744	{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe	42
PID 1744 wrote to memory of 2840	1744	{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe	42
PID 1744 wrote to memory of 2840	1744	{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe	42
PID 2896 wrote to memory of 2172	2896	{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe	43
PID 2896 wrote to memory of 2172	2896	{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe	43
PID 2896 wrote to memory of 2172	2896	{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe	43
PID 2896 wrote to memory of 2172	2896	{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe	43
PID 2896 wrote to memory of 2364	2896	{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe	44
PID 2896 wrote to memory of 2364	2896	{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe	44
PID 2896 wrote to memory of 2364	2896	{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe	44
PID 2896 wrote to memory of 2364	2896	{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe	44
PID 2172 wrote to memory of 1216	2172	{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe	45
PID 2172 wrote to memory of 1216	2172	{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe	45
PID 2172 wrote to memory of 1216	2172	{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe	45
PID 2172 wrote to memory of 1216	2172	{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe	45
PID 2172 wrote to memory of 1192	2172	{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe	46
PID 2172 wrote to memory of 1192	2172	{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe	46
PID 2172 wrote to memory of 1192	2172	{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe	46
PID 2172 wrote to memory of 1192	2172	{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe	46

C:\Users\Admin\AppData\Local\Temp\f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe
"C:\Users\Admin\AppData\Local\Temp\f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe
  C:\Windows\{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe
    C:\Windows\{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe
      C:\Windows\{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe
        
        C:\Windows\{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe
        
        C:\Windows\{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe
        
        C:\Windows\{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe
        
        C:\Windows\{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\{1ED33D45-7D51-4577-A08C-649FFA5B6C1C}.exe
        
        C:\Windows\{1ED33D45-7D51-4577-A08C-649FFA5B6C1C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\{6197B4D1-7811-4048-9664-523E4B090301}.exe
        
        C:\Windows\{6197B4D1-7811-4048-9664-523E4B090301}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\{0E1FB105-4F97-457c-A118-9B63DFE843A0}.exe
        
        C:\Windows\{0E1FB105-4F97-457c-A118-9B63DFE843A0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\{1DF9F430-B749-4e6e-870F-499390C167A0}.exe
        
        C:\Windows\{1DF9F430-B749-4e6e-870F-499390C167A0}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E1FB~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6197B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1ED33~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCB4D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A37EA~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0818F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3A3E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE8BC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7CF93~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EE2BF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F179C3~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0818FCAC-D2CC-404d-BD6B-1342367CE094}.exe

Filesize
89KB

MD5
f9f696e178d5b0f2e97526b20c57b9e9

SHA1
c1045c2789de16c73506631a6b18f5c5656ee9f9

SHA256
e8982076483be9cf569d9a698087690f9de000d4225a21d2ce4383653c93b279

SHA512
e93b638e89b7317812826bf11e3fe166465b60f4767605157ff41cd769b187bfad88214c8559773a12fc551a300bc4de1f454e0e5e96fd9f56d65755d877d5fa

Download Submit
C:\Windows\{0E1FB105-4F97-457c-A118-9B63DFE843A0}.exe

Filesize
89KB

MD5
76368d04433581680e2b03626d9e5898

SHA1
ecb224a1c97c51a3064299f0f33ab7a226fe9965

SHA256
d1b9c39e0f5275bdaef2a79fd0da7e82f8cced53ee80fbc8e8cf6ab2fed6a34c

SHA512
98b8cf1514e7f6442428ac769bc1f26eee9b0640ef7ab8d80b94be42deb01c0c91b228b9da876943b5f4c8a6ca37fe5c7c21630f35eb301a6b05ab9303f63840

Download Submit
C:\Windows\{1DF9F430-B749-4e6e-870F-499390C167A0}.exe

Filesize
89KB

MD5
b83238f05acaf77497813a69f44782c9

SHA1
2dfd959185a3e247e2b873409b1568a781556c2a

SHA256
a5e27730e7be945012ad1ef2b74ec19fad1412cb95ec7c6c106dcdd85ff7a496

SHA512
86e17159a259c5621356b1f30b631212ee29c4fbb501edab09c239c573299f0109f0820cc7827f92f099bd8d61c6ec4893fd909228cb1a480fbcb3f31309a7e0

Download Submit
C:\Windows\{1ED33D45-7D51-4577-A08C-649FFA5B6C1C}.exe

Filesize
89KB

MD5
4e78a4a2ca2f8479621963c0e9891754

SHA1
0ac8f68ba700fc965ef71dbdecd10b3e27537a71

SHA256
10c29425e2b7c4357d88dbaec205ae0e09594ed6f321c1bc9348de13df4c6bd1

SHA512
d35b6e84ce7c7ab75d776cd22f50be121720adf7aa4536ca8728efd2daae055689d3cd5b2d945e5f2a613524d34e44936f4c9253c6aefb64668e447b012961e2

Download Submit
C:\Windows\{6197B4D1-7811-4048-9664-523E4B090301}.exe

Filesize
89KB

MD5
a266ec36046bc42c1dc01561390e59aa

SHA1
4a9ecb32dc8ac8fda300b997e1092a16d3eadbcc

SHA256
58bb9bcfda69c87666ae945bf3a2157b7b82c7dea2d49e55443ea87ec51797e0

SHA512
d871718e75591af81a89cd7baadd7a58736aa68e99108c7f4f4cec482eca420b84dd45db4b1a6c446bda586238eaecb44ac7a823d8da42dbdab41da79190d38b

Download Submit
C:\Windows\{7CF93341-CA6D-4e9f-808C-25671B70A7F8}.exe

Filesize
89KB

MD5
f6237762fef40f8b7482aa6bafdc0685

SHA1
754bd094dea793a9e389ff58675c272faff7310b

SHA256
d113e953683d4d45e8eb110469ab58b7a73f947e9a6eec49eb51faeb06ed8a64

SHA512
3b6e358971c29ec7bfcac4960b8acf3723c6877dd2b18c8e6f96add852cf6a3758f57469283ac0b2f870d886c3f06108c9f758557a41a196e32af67b78dedc1f

Download Submit
C:\Windows\{A37EA115-3C9C-49e7-8331-C3DF4C7CADC7}.exe

Filesize
89KB

MD5
5cbb5ff3ea5395bade0a44251fd4f01f

SHA1
59ae1a7630a02f2a16e906306f16cab5f84374bd

SHA256
9040dc145727478f9b3cf6a78c97a8e0079eef36ceff5a27433bf7eeb1f14364

SHA512
990c63ce3128a7646c33c00d42820e21f2508f5cd9d30a1ab86372f16f03b31966d94d29bcfff75c0cdaa18af2110e88e82a258b996c81188d83cbb6556913e9

Download Submit
C:\Windows\{C3A3EE99-3724-4241-B7E4-D5AB1B161B49}.exe

Filesize
89KB

MD5
4f481941d4524e34dc484840afa23eb7

SHA1
9f1599be1614ebcd8fca54b78830145049629108

SHA256
43554abd3a2055972f0aa95a958e6078008eb4c540a985eec370b3b9944f2565

SHA512
ca40b3ab016bf6251620b5ae071da0b6f100584f8230138a52bde7f48db0249805d2459c8736e36f2ccad38b5768fa36d5bb9849055bdbf3f9af70e8aeb4b554

Download Submit
C:\Windows\{CCB4DAC7-B4D9-476a-BF0A-517C347326D7}.exe

Filesize
89KB

MD5
0c08ab5b0ecf1065e3180858801c1767

SHA1
dd29cb8cc7e74bcb38e3c2817e3f959070fb6b68

SHA256
a0d67f85dbd208144d40f57477b9c2513b823a6d3d7a76566d2f27aee61d0d44

SHA512
3135664e71a8f2c9b9b9db9a8c5903baef10aff54c1c1d11b59d539928bd8ad1dbea5a81a3803a0c4bfba139360a59407fd1e816619d09e8faf781c13f53cc40

Download Submit
C:\Windows\{EE2BFA93-F3E5-4a8a-912E-5AFC2CEFB105}.exe

Filesize
89KB

MD5
78203ae8fcd63df86672e484c8736c6d

SHA1
286839259a75d65a6238c17afe38e98eb99c9ee5

SHA256
39ca2e98e98ef17052c94e3c4dea8e8a82bc108649fb00d096a3a7847c8322c3

SHA512
05b32caf0d115611ff985606157c785569e039d1bd06c1aef24ae2a30727a2cec9a56a9fc21f722c516898dbb27ca46deecdabd33b0d0cc514c3f9ce93c59ca1

Download Submit
C:\Windows\{FE8BCA4A-6681-41e0-899B-C20450B5F0D9}.exe

Filesize
89KB

MD5
d3d6b30e6ce2d0d567c509d2fc871acc

SHA1
4efa21f778bd87e65ce469b14bf131f264e48c78

SHA256
159012d61fd36686a7a1b72a8e884ee1e4c0f124e5b9fefe87b0bd4a980ee78b

SHA512
763165f1a4b032e8bf8b13788373768e0963751ea5ba36bfa6085fa9c7862567993d6a5ceb5e447fc00019c41a741159feb24a6724797599a79a8f4cd5beaa97

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads