f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe
Size

89KB
MD5

b24239aab22fdc02152eb5159047d688
SHA1

d30585ce7472f5c55bd4e8a58d413fc21bd3a793
SHA256

f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9
SHA512

b0f0ef41bc37a609ae81ecc295e60dbd98d161637bb39e1ab3160e436d6100f313e9a06f66c3f4452d7f19792c865f20eccc0b3bbfd45ba7409efc33b17a67d1
SSDEEP

768:Qvw9816vhKQLroU4/wQRNrfrunMxVFA3b7glL:YEGh0oUl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ECED98A-CD2F-412d-9712-63863B540D1F}	{AA8A4372-181A-422b-9A66-4B408448E78C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BC58C0E-5798-46da-964E-196704638C6E}	{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43A028CA-A412-422c-B4A3-1F14374D9282}	{3BC58C0E-5798-46da-964E-196704638C6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{568D11C8-F9C7-48c3-BA2C-3D780A017E4E}	{43A028CA-A412-422c-B4A3-1F14374D9282}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}\stubpath = "C:\\Windows\\{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe"	{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA8A4372-181A-422b-9A66-4B408448E78C}\stubpath = "C:\\Windows\\{AA8A4372-181A-422b-9A66-4B408448E78C}.exe"	{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA8A4372-181A-422b-9A66-4B408448E78C}	{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52656B3E-3758-44cd-B5D6-997A78A4402A}	{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CF5ED88-9109-4c94-8055-976A63F7CF7D}\stubpath = "C:\\Windows\\{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe"	{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BC58C0E-5798-46da-964E-196704638C6E}\stubpath = "C:\\Windows\\{3BC58C0E-5798-46da-964E-196704638C6E}.exe"	{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{568D11C8-F9C7-48c3-BA2C-3D780A017E4E}\stubpath = "C:\\Windows\\{568D11C8-F9C7-48c3-BA2C-3D780A017E4E}.exe"	{43A028CA-A412-422c-B4A3-1F14374D9282}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}\stubpath = "C:\\Windows\\{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe"	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E494BCCF-6042-4c46-8132-7F89E1E7A736}	{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}	{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43A028CA-A412-422c-B4A3-1F14374D9282}\stubpath = "C:\\Windows\\{43A028CA-A412-422c-B4A3-1F14374D9282}.exe"	{3BC58C0E-5798-46da-964E-196704638C6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93C1AB73-96CB-4728-8963-E78D79384765}	{568D11C8-F9C7-48c3-BA2C-3D780A017E4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93C1AB73-96CB-4728-8963-E78D79384765}\stubpath = "C:\\Windows\\{93C1AB73-96CB-4728-8963-E78D79384765}.exe"	{568D11C8-F9C7-48c3-BA2C-3D780A017E4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ECED98A-CD2F-412d-9712-63863B540D1F}\stubpath = "C:\\Windows\\{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe"	{AA8A4372-181A-422b-9A66-4B408448E78C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52656B3E-3758-44cd-B5D6-997A78A4402A}\stubpath = "C:\\Windows\\{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe"	{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E494BCCF-6042-4c46-8132-7F89E1E7A736}\stubpath = "C:\\Windows\\{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe"	{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CF5ED88-9109-4c94-8055-976A63F7CF7D}	{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}\stubpath = "C:\\Windows\\{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe"	{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}	{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe

Executes dropped EXE 12 IoCs

pid	Process
3992	{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe
3052	{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe
4252	{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe
3392	{AA8A4372-181A-422b-9A66-4B408448E78C}.exe
1080	{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe
4364	{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe
1420	{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe
2116	{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe
2892	{3BC58C0E-5798-46da-964E-196704638C6E}.exe
3736	{43A028CA-A412-422c-B4A3-1F14374D9282}.exe
4132	{568D11C8-F9C7-48c3-BA2C-3D780A017E4E}.exe
2356	{93C1AB73-96CB-4728-8963-E78D79384765}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe	{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe
File created	C:\Windows\{3BC58C0E-5798-46da-964E-196704638C6E}.exe	{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe
File created	C:\Windows\{43A028CA-A412-422c-B4A3-1F14374D9282}.exe	{3BC58C0E-5798-46da-964E-196704638C6E}.exe
File created	C:\Windows\{568D11C8-F9C7-48c3-BA2C-3D780A017E4E}.exe	{43A028CA-A412-422c-B4A3-1F14374D9282}.exe
File created	C:\Windows\{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe
File created	C:\Windows\{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe	{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe
File created	C:\Windows\{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe	{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe
File created	C:\Windows\{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe	{AA8A4372-181A-422b-9A66-4B408448E78C}.exe
File created	C:\Windows\{93C1AB73-96CB-4728-8963-E78D79384765}.exe	{568D11C8-F9C7-48c3-BA2C-3D780A017E4E}.exe
File created	C:\Windows\{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe	{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe
File created	C:\Windows\{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe	{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe
File created	C:\Windows\{AA8A4372-181A-422b-9A66-4B408448E78C}.exe	{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3BC58C0E-5798-46da-964E-196704638C6E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{93C1AB73-96CB-4728-8963-E78D79384765}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA8A4372-181A-422b-9A66-4B408448E78C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{568D11C8-F9C7-48c3-BA2C-3D780A017E4E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{43A028CA-A412-422c-B4A3-1F14374D9282}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3192	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe
Token: SeIncBasePriorityPrivilege	3992	{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe
Token: SeIncBasePriorityPrivilege	3052	{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe
Token: SeIncBasePriorityPrivilege	4252	{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe
Token: SeIncBasePriorityPrivilege	3392	{AA8A4372-181A-422b-9A66-4B408448E78C}.exe
Token: SeIncBasePriorityPrivilege	1080	{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe
Token: SeIncBasePriorityPrivilege	4364	{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe
Token: SeIncBasePriorityPrivilege	1420	{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe
Token: SeIncBasePriorityPrivilege	2116	{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe
Token: SeIncBasePriorityPrivilege	2892	{3BC58C0E-5798-46da-964E-196704638C6E}.exe
Token: SeIncBasePriorityPrivilege	3736	{43A028CA-A412-422c-B4A3-1F14374D9282}.exe
Token: SeIncBasePriorityPrivilege	4132	{568D11C8-F9C7-48c3-BA2C-3D780A017E4E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 3992	3192	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe	91
PID 3192 wrote to memory of 3992	3192	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe	91
PID 3192 wrote to memory of 3992	3192	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe	91
PID 3192 wrote to memory of 4004	3192	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe	92
PID 3192 wrote to memory of 4004	3192	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe	92
PID 3192 wrote to memory of 4004	3192	f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe	92
PID 3992 wrote to memory of 3052	3992	{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe	93
PID 3992 wrote to memory of 3052	3992	{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe	93
PID 3992 wrote to memory of 3052	3992	{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe	93
PID 3992 wrote to memory of 2388	3992	{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe	94
PID 3992 wrote to memory of 2388	3992	{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe	94
PID 3992 wrote to memory of 2388	3992	{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe	94
PID 3052 wrote to memory of 4252	3052	{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe	97
PID 3052 wrote to memory of 4252	3052	{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe	97
PID 3052 wrote to memory of 4252	3052	{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe	97
PID 3052 wrote to memory of 5112	3052	{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe	98
PID 3052 wrote to memory of 5112	3052	{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe	98
PID 3052 wrote to memory of 5112	3052	{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe	98
PID 4252 wrote to memory of 3392	4252	{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe	99
PID 4252 wrote to memory of 3392	4252	{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe	99
PID 4252 wrote to memory of 3392	4252	{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe	99
PID 4252 wrote to memory of 1688	4252	{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe	100
PID 4252 wrote to memory of 1688	4252	{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe	100
PID 4252 wrote to memory of 1688	4252	{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe	100
PID 3392 wrote to memory of 1080	3392	{AA8A4372-181A-422b-9A66-4B408448E78C}.exe	101
PID 3392 wrote to memory of 1080	3392	{AA8A4372-181A-422b-9A66-4B408448E78C}.exe	101
PID 3392 wrote to memory of 1080	3392	{AA8A4372-181A-422b-9A66-4B408448E78C}.exe	101
PID 3392 wrote to memory of 948	3392	{AA8A4372-181A-422b-9A66-4B408448E78C}.exe	102
PID 3392 wrote to memory of 948	3392	{AA8A4372-181A-422b-9A66-4B408448E78C}.exe	102
PID 3392 wrote to memory of 948	3392	{AA8A4372-181A-422b-9A66-4B408448E78C}.exe	102
PID 1080 wrote to memory of 4364	1080	{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe	103
PID 1080 wrote to memory of 4364	1080	{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe	103
PID 1080 wrote to memory of 4364	1080	{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe	103
PID 1080 wrote to memory of 4296	1080	{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe	104
PID 1080 wrote to memory of 4296	1080	{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe	104
PID 1080 wrote to memory of 4296	1080	{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe	104
PID 4364 wrote to memory of 1420	4364	{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe	105
PID 4364 wrote to memory of 1420	4364	{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe	105
PID 4364 wrote to memory of 1420	4364	{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe	105
PID 4364 wrote to memory of 864	4364	{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe	106
PID 4364 wrote to memory of 864	4364	{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe	106
PID 4364 wrote to memory of 864	4364	{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe	106
PID 1420 wrote to memory of 2116	1420	{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe	107
PID 1420 wrote to memory of 2116	1420	{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe	107
PID 1420 wrote to memory of 2116	1420	{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe	107
PID 1420 wrote to memory of 1676	1420	{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe	108
PID 1420 wrote to memory of 1676	1420	{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe	108
PID 1420 wrote to memory of 1676	1420	{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe	108
PID 2116 wrote to memory of 2892	2116	{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe	109
PID 2116 wrote to memory of 2892	2116	{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe	109
PID 2116 wrote to memory of 2892	2116	{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe	109
PID 2116 wrote to memory of 2848	2116	{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe	110
PID 2116 wrote to memory of 2848	2116	{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe	110
PID 2116 wrote to memory of 2848	2116	{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe	110
PID 2892 wrote to memory of 3736	2892	{3BC58C0E-5798-46da-964E-196704638C6E}.exe	111
PID 2892 wrote to memory of 3736	2892	{3BC58C0E-5798-46da-964E-196704638C6E}.exe	111
PID 2892 wrote to memory of 3736	2892	{3BC58C0E-5798-46da-964E-196704638C6E}.exe	111
PID 2892 wrote to memory of 3960	2892	{3BC58C0E-5798-46da-964E-196704638C6E}.exe	112
PID 2892 wrote to memory of 3960	2892	{3BC58C0E-5798-46da-964E-196704638C6E}.exe	112
PID 2892 wrote to memory of 3960	2892	{3BC58C0E-5798-46da-964E-196704638C6E}.exe	112
PID 3736 wrote to memory of 4132	3736	{43A028CA-A412-422c-B4A3-1F14374D9282}.exe	113
PID 3736 wrote to memory of 4132	3736	{43A028CA-A412-422c-B4A3-1F14374D9282}.exe	113
PID 3736 wrote to memory of 4132	3736	{43A028CA-A412-422c-B4A3-1F14374D9282}.exe	113
PID 3736 wrote to memory of 4112	3736	{43A028CA-A412-422c-B4A3-1F14374D9282}.exe	114

C:\Users\Admin\AppData\Local\Temp\f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe
"C:\Users\Admin\AppData\Local\Temp\f179c34dbcfc9720381a4618cbd39092d46d89ccdee10230e36ac027ec1170e9.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe
  C:\Windows\{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe
    C:\Windows\{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe
      C:\Windows\{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4252
    - - C:\Windows\{AA8A4372-181A-422b-9A66-4B408448E78C}.exe
        
        C:\Windows\{AA8A4372-181A-422b-9A66-4B408448E78C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3392
      - C:\Windows\{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe
        
        C:\Windows\{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe
        
        C:\Windows\{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe
        
        C:\Windows\{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe
        
        C:\Windows\{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\{3BC58C0E-5798-46da-964E-196704638C6E}.exe
        
        C:\Windows\{3BC58C0E-5798-46da-964E-196704638C6E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\{43A028CA-A412-422c-B4A3-1F14374D9282}.exe
        
        C:\Windows\{43A028CA-A412-422c-B4A3-1F14374D9282}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\{568D11C8-F9C7-48c3-BA2C-3D780A017E4E}.exe
        
        C:\Windows\{568D11C8-F9C7-48c3-BA2C-3D780A017E4E}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
        
        C:\Windows\{93C1AB73-96CB-4728-8963-E78D79384765}.exe
        
        C:\Windows\{93C1AB73-96CB-4728-8963-E78D79384765}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{568D1~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43A02~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BC58~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D3C8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CF5E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52656~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ECED~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA8A4~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E494B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AB705~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:5112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1DDF1~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F179C3~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1DDF18FA-CE18-439e-8EE8-848F9722F2AC}.exe

Filesize
89KB

MD5
482e97268a1eb2ca8d3057441df2d46d

SHA1
7999b1aedcc901b63fdcdfc1ca29e807ff5e929e

SHA256
28d094dc1f8a1044d9aa6ecba1612657ae593fdb9906d59fd3a4c4a259ec98ec

SHA512
766e527acc50bfc57e7bccf7b596cac10c0e3c3fb75c4c309ef6bae23790516a26faec8da214e7932e8778fe17fa9ea9612693a08f50f40aa863286bdac99394

Download Submit
C:\Windows\{3BC58C0E-5798-46da-964E-196704638C6E}.exe

Filesize
89KB

MD5
384ef135892c05731964c8961207d669

SHA1
e165345cd084d6acdcc0e1d6e4018a1949ce584b

SHA256
9c3c153fda855f0cba7b2bfa2aabaacf47b47bf64fcc452fc16452e22edc7703

SHA512
a447d597ba12f33ca5955998c1a4fe9480d5f22f3714b2df87c205dd1383f0f7f9b8775bbf6509ba62c93ad048f6c5f4fce847f734ba7ef86efe10db2fe42cf0

Download Submit
C:\Windows\{43A028CA-A412-422c-B4A3-1F14374D9282}.exe

Filesize
89KB

MD5
dc353f627276841f2a7caa95e7d5276e

SHA1
a7eab7ad69e7695489b315f5930aa47dfc69ba6b

SHA256
c56a8eacae9d4716e502f830da1d2b851a2cefe7aa18e5746a38dcfad9901f2c

SHA512
3b47e51c89e099deb4534ece1ceac64c4185d34f04e4b380eed6738c3bdef5e2b90a3d4d3e4a3ddbc628f01fdc00048f0c81a8eb7ff753adcb263e9503ac7b92

Download Submit
C:\Windows\{52656B3E-3758-44cd-B5D6-997A78A4402A}.exe

Filesize
89KB

MD5
24598940157455502b82ec357ad91297

SHA1
b9e7bb2118608538c7c8ff68f6d5109e29b2a7f8

SHA256
3685445643ee0c7351c2e421f7e1253fad5c4b4af19fc6f035764862eecd5856

SHA512
67a2e63e1f2cef87ba196a71196908379aeb15d386fd302efaffe996f07e48b6adb3b6ca478d75febe709eda2dad17189b72b3ff523e51bd652aa27d0702ce26

Download Submit
C:\Windows\{568D11C8-F9C7-48c3-BA2C-3D780A017E4E}.exe

Filesize
89KB

MD5
af6d8ac1f4811380544f09f21953c6f8

SHA1
124eb92caf50d6964fe93bcd1c6c377336d4fc0f

SHA256
0d6f9685808bdc2a1b809605e3eb87f335acf26c7ffd50c57556ef59eee09c3d

SHA512
66a133b32f5daba7793f525aa5547215c70a14ff2f2405ae9e4419f90b974d7afe1c85511ad55d511e742d3d8eb6beabee6013141fc635353c37bfddbdf6ee75

Download Submit
C:\Windows\{6D3C8D56-B952-4d3e-A1D2-134ACCB86D3C}.exe

Filesize
89KB

MD5
b8bd16342b097e4416286991cdda3c59

SHA1
6632f0e4ada2ad5340f98a9dcb15c1c5ca865ca2

SHA256
68c8b35f956c5855ece841414cd46b3159c725b100e55d4682fdb7079c8b87e6

SHA512
0c5b8cee20ddf8dd07f4a5c82399fb3281336d194ceb6e4003281caf73bdb2a60d1690ceaa535848bdb7ca1037a2aa87fec378f8dfbe71b0e6dd266f0f109d86

Download Submit
C:\Windows\{7ECED98A-CD2F-412d-9712-63863B540D1F}.exe

Filesize
89KB

MD5
dcdc4c469d32a7a0a56b2ec57c31214a

SHA1
33c3a83e57c8ce892137e6ed99afa9eda3415376

SHA256
37445f60c9f753c622c90c320c970dcafb91ceda0bcb2b7dfea1329303267418

SHA512
11f4e546bcbc7d4f3778614426c79e2b973f66ebd87c81a7b197a98a04b3584f8b1e9358092555e158b8b05c55b8ba09b3d072cb9542269de0b153ac6ac138bc

Download Submit
C:\Windows\{93C1AB73-96CB-4728-8963-E78D79384765}.exe

Filesize
89KB

MD5
da39b4fe751b83197828c8ed4aa61d42

SHA1
98e40e472a8ba8f681223b543e870eabd8c9c8d4

SHA256
2c79f0f9ddf37de4415c4cf770e02fa14b63bc92cbd7adb9c2865d666be79d0b

SHA512
32caa48a1868ab4d43de78c74f917ad927fd4ceb0b6324aa5a1106d9d18988b5edeeddb4c934ef15347067a1ced347078f33d5112c19b9df748b06edba1b2bbf

Download Submit
C:\Windows\{9CF5ED88-9109-4c94-8055-976A63F7CF7D}.exe

Filesize
89KB

MD5
c576f82d50dc71e516f1f5da1819224a

SHA1
c6d6aa08623b70e481f58bbdc2866e6126e1968e

SHA256
fadf0aa86db534a595f696ec80bbb265f9fb78889e7003798404f07fb7019e38

SHA512
ce4463a0dbf37868603664f32546335275f017459a133b645f67b5b7cf737226d36fb4c64b4c6e0aee40b0b9fe2fc349feabdb08f57fa87d4c4a8ae0aa85238a

Download Submit
C:\Windows\{AA8A4372-181A-422b-9A66-4B408448E78C}.exe

Filesize
89KB

MD5
e040b6b5fb7d6809ef780f201cb60250

SHA1
dc6474de8ee18bddb195dc523f743a8d2c632bca

SHA256
9db7cbcad9a98581aa2a977fa9ca2f8d38115f17e27245c2c342128fbf9bb3fe

SHA512
f254415a48e94c08bffbdb1fb71c90e26519ab8508a4cb0d27f9eaa526a99d70252bb13dd7e301d144ee4b84bd46d574063ca3522861d5c9fec498419b73ee00

Download Submit
C:\Windows\{AB705AF3-3B7E-48d7-8677-C520ADCB07F6}.exe

Filesize
89KB

MD5
8a6116206b42a9cecdb530999c50fe61

SHA1
fa3e3987c1d025c8a05200403496c6b360ec9eb4

SHA256
bae2cf80bd79c0b0b7336ee3cdecfa2bf870f561f4a34b7b88b627c4be5c3089

SHA512
acaaf5747e7decaf5ef3b50aaec76d5ed52d65db155de73a1c352faa4db0e523bf3aa48ee97cc5cc3822c3764f64fccc12f3caefac2a1d6c28725ef83b7847df

Download Submit
C:\Windows\{E494BCCF-6042-4c46-8132-7F89E1E7A736}.exe

Filesize
89KB

MD5
3829226d2d8dfb5d91a7f83804dc3ced

SHA1
919e965c3fe8fdac549033530d1ba2b7abeb6bea

SHA256
e41fba70b2ff6b006042255075ee0d2e003ff69fe0f35ccb4e41892d4aeea7f0

SHA512
01fdf2881e06fe04e722455f924d813bd64de54727d87685c206e1e3261367e3d573bd661c264edee13379000205f2985883519d8de48b47719073dd6168be21

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads