34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1N.exe
Size

60KB
MD5

8f266c3ec9010ccc40801e98ebba3b40
SHA1

c60795b3b87f81c30749fcb02fbf412fbfe36894
SHA256

34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1
SHA512

5eccd16df113efb32588833905b2b7649b04da311fc70769b027a86d349a9f98dd15d634ad4d837a0f75bfdf1cfd5d913c604edf9bdc95c9ffe98263905e0c63
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwdY04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroP4/CFsrd

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D87AFA7-5E31-4418-A015-F2F0AC4AA8AB}	{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D87AFA7-5E31-4418-A015-F2F0AC4AA8AB}\stubpath = "C:\\Windows\\{1D87AFA7-5E31-4418-A015-F2F0AC4AA8AB}.exe"	{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}\stubpath = "C:\\Windows\\{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe"	34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}\stubpath = "C:\\Windows\\{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe"	{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B094CAB-30EA-4a57-B059-A49BAB33579A}\stubpath = "C:\\Windows\\{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe"	{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}	{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46C60263-300B-4fe6-8ACA-4BBD3A76A345}\stubpath = "C:\\Windows\\{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe"	{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D844437-BE96-4b9a-9D85-B882AA8B768E}\stubpath = "C:\\Windows\\{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe"	{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}\stubpath = "C:\\Windows\\{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe"	{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}	{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D844437-BE96-4b9a-9D85-B882AA8B768E}	{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}\stubpath = "C:\\Windows\\{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe"	{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ED518B3-4494-418c-BE35-B515439D28BB}	{1D87AFA7-5E31-4418-A015-F2F0AC4AA8AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ED518B3-4494-418c-BE35-B515439D28BB}\stubpath = "C:\\Windows\\{6ED518B3-4494-418c-BE35-B515439D28BB}.exe"	{1D87AFA7-5E31-4418-A015-F2F0AC4AA8AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}	34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46C60263-300B-4fe6-8ACA-4BBD3A76A345}	{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}	{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B094CAB-30EA-4a57-B059-A49BAB33579A}	{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe

Deletes itself 1 IoCs

pid	Process
2152	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2708	{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe
2940	{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe
2552	{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe
2576	{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe
2340	{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe
3008	{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe
568	{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe
2996	{1D87AFA7-5E31-4418-A015-F2F0AC4AA8AB}.exe
1952	{6ED518B3-4494-418c-BE35-B515439D28BB}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe	{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe
File created	C:\Windows\{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe	{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe
File created	C:\Windows\{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe	{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe
File created	C:\Windows\{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe	{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe
File created	C:\Windows\{6ED518B3-4494-418c-BE35-B515439D28BB}.exe	{1D87AFA7-5E31-4418-A015-F2F0AC4AA8AB}.exe
File created	C:\Windows\{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe	34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1N.exe
File created	C:\Windows\{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe	{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe
File created	C:\Windows\{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe	{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe
File created	C:\Windows\{1D87AFA7-5E31-4418-A015-F2F0AC4AA8AB}.exe	{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6ED518B3-4494-418c-BE35-B515439D28BB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1D87AFA7-5E31-4418-A015-F2F0AC4AA8AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2124	34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1N.exe
Token: SeIncBasePriorityPrivilege	2708	{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe
Token: SeIncBasePriorityPrivilege	2940	{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe
Token: SeIncBasePriorityPrivilege	2552	{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe
Token: SeIncBasePriorityPrivilege	2576	{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe
Token: SeIncBasePriorityPrivilege	2340	{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe
Token: SeIncBasePriorityPrivilege	3008	{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe
Token: SeIncBasePriorityPrivilege	568	{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe
Token: SeIncBasePriorityPrivilege	2996	{1D87AFA7-5E31-4418-A015-F2F0AC4AA8AB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2708	2124	34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1N.exe	30
PID 2124 wrote to memory of 2708	2124	34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1N.exe	30
PID 2124 wrote to memory of 2708	2124	34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1N.exe	30
PID 2124 wrote to memory of 2708	2124	34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1N.exe	30
PID 2124 wrote to memory of 2152	2124	34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1N.exe	31
PID 2124 wrote to memory of 2152	2124	34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1N.exe	31
PID 2124 wrote to memory of 2152	2124	34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1N.exe	31
PID 2124 wrote to memory of 2152	2124	34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1N.exe	31
PID 2708 wrote to memory of 2940	2708	{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe	32
PID 2708 wrote to memory of 2940	2708	{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe	32
PID 2708 wrote to memory of 2940	2708	{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe	32
PID 2708 wrote to memory of 2940	2708	{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe	32
PID 2708 wrote to memory of 2776	2708	{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe	33
PID 2708 wrote to memory of 2776	2708	{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe	33
PID 2708 wrote to memory of 2776	2708	{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe	33
PID 2708 wrote to memory of 2776	2708	{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe	33
PID 2940 wrote to memory of 2552	2940	{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe	34
PID 2940 wrote to memory of 2552	2940	{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe	34
PID 2940 wrote to memory of 2552	2940	{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe	34
PID 2940 wrote to memory of 2552	2940	{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe	34
PID 2940 wrote to memory of 2688	2940	{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe	35
PID 2940 wrote to memory of 2688	2940	{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe	35
PID 2940 wrote to memory of 2688	2940	{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe	35
PID 2940 wrote to memory of 2688	2940	{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe	35
PID 2552 wrote to memory of 2576	2552	{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe	36
PID 2552 wrote to memory of 2576	2552	{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe	36
PID 2552 wrote to memory of 2576	2552	{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe	36
PID 2552 wrote to memory of 2576	2552	{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe	36
PID 2552 wrote to memory of 1628	2552	{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe	37
PID 2552 wrote to memory of 1628	2552	{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe	37
PID 2552 wrote to memory of 1628	2552	{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe	37
PID 2552 wrote to memory of 1628	2552	{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe	37
PID 2576 wrote to memory of 2340	2576	{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe	38
PID 2576 wrote to memory of 2340	2576	{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe	38
PID 2576 wrote to memory of 2340	2576	{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe	38
PID 2576 wrote to memory of 2340	2576	{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe	38
PID 2576 wrote to memory of 264	2576	{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe	39
PID 2576 wrote to memory of 264	2576	{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe	39
PID 2576 wrote to memory of 264	2576	{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe	39
PID 2576 wrote to memory of 264	2576	{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe	39
PID 2340 wrote to memory of 3008	2340	{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe	40
PID 2340 wrote to memory of 3008	2340	{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe	40
PID 2340 wrote to memory of 3008	2340	{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe	40
PID 2340 wrote to memory of 3008	2340	{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe	40
PID 2340 wrote to memory of 2612	2340	{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe	41
PID 2340 wrote to memory of 2612	2340	{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe	41
PID 2340 wrote to memory of 2612	2340	{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe	41
PID 2340 wrote to memory of 2612	2340	{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe	41
PID 3008 wrote to memory of 568	3008	{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe	42
PID 3008 wrote to memory of 568	3008	{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe	42
PID 3008 wrote to memory of 568	3008	{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe	42
PID 3008 wrote to memory of 568	3008	{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe	42
PID 3008 wrote to memory of 2752	3008	{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe	43
PID 3008 wrote to memory of 2752	3008	{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe	43
PID 3008 wrote to memory of 2752	3008	{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe	43
PID 3008 wrote to memory of 2752	3008	{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe	43
PID 568 wrote to memory of 2996	568	{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe	44
PID 568 wrote to memory of 2996	568	{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe	44
PID 568 wrote to memory of 2996	568	{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe	44
PID 568 wrote to memory of 2996	568	{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe	44
PID 568 wrote to memory of 2572	568	{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe	45
PID 568 wrote to memory of 2572	568	{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe	45
PID 568 wrote to memory of 2572	568	{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe	45
PID 568 wrote to memory of 2572	568	{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe	45

C:\Users\Admin\AppData\Local\Temp\34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1N.exe
"C:\Users\Admin\AppData\Local\Temp\34afbd73ad1c533ecdf1597a7bfa4ab583926f13fa32bb3cefa5c98b7fdde2c1N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe
  C:\Windows\{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe
    C:\Windows\{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe
      C:\Windows\{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe
        
        C:\Windows\{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe
        
        C:\Windows\{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe
        
        C:\Windows\{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe
        
        C:\Windows\{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\{1D87AFA7-5E31-4418-A015-F2F0AC4AA8AB}.exe
        
        C:\Windows\{1D87AFA7-5E31-4418-A015-F2F0AC4AA8AB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\{6ED518B3-4494-418c-BE35-B515439D28BB}.exe
        
        C:\Windows\{6ED518B3-4494-418c-BE35-B515439D28BB}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D87A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEAEF~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1EA9~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D844~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B094~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34E0E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{46C60~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0A0A8~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\34AFBD~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A0A8745-9DAF-4585-AEF5-81694E61EDFB}.exe

Filesize
60KB

MD5
ba8edca5dedf7fa86e7e1888430e84e4

SHA1
76bfdba73b64416d325348a3a842af2e59b08cdf

SHA256
29002eaaa28e78d0a6d519beff59699664427feb3ebe0dba0250ded80afe084e

SHA512
49a12c052720685e5c79c57f42640fd9226e0b4bd60ac5bd4c1c49e54f075890191a76d0f55dacf94f34b4e07c6391fe59be9bf2f2af7ab763ff65458a6ab1fc

Download Submit
C:\Windows\{1B094CAB-30EA-4a57-B059-A49BAB33579A}.exe

Filesize
60KB

MD5
dec4beb9a5437aa37d1654614ea46981

SHA1
fe0b27891c15e65f9fd9a5208b707f257b476fc5

SHA256
d8d8582578b267d61eb05fe74296c6a9a8b61f6df495a30cb3eb6e91468c243b

SHA512
55d331590c0cd44bbb0db6c5476c64ef62637094fd31693d3cfcfa72e52c660964968c2a001dec257bfeaa14e56739ed0e1ecf6c4fa77fbbcbbea0989378897d

Download Submit
C:\Windows\{1D87AFA7-5E31-4418-A015-F2F0AC4AA8AB}.exe

Filesize
60KB

MD5
49035cda93125b19da241ceaaa9f9e09

SHA1
2b934f4939f396304f6640b36e7c4d898ac7887b

SHA256
0423d3d536ee2b62f0d267550afbaec70b015ca2f98869a6f7231e36dffe0619

SHA512
eb80aa9e457eb6454027c4124264de7b2613b8a308fbe1b3e686d71def848acf0a8d8281bcf87ac7ed2a826cabd4e552d1d09ea1ff6cdd7da5f942fccded9daf

Download Submit
C:\Windows\{34E0ECB5-A1F2-41f0-9BC3-128FBDDA55F9}.exe

Filesize
60KB

MD5
56388c8ccf9ae524d82d15eb29bfdaac

SHA1
1ef6f83a0b3c6c769fbfd171eac6d9cac2b21508

SHA256
381a6e91aceba8f808a5d8445ce79e8721ced343e1cee84ba91784ba023cdcc6

SHA512
1c78169446a7314feab158d697fa29d3714b7a1ba24262effc339e5c2c0c7a72d8c4b5952470549ceadef97557f077850dff2eb55fb5a907e6cd7a39e5cd2e18

Download Submit
C:\Windows\{46C60263-300B-4fe6-8ACA-4BBD3A76A345}.exe

Filesize
60KB

MD5
2f1bf65040115507e3c336c278601f1c

SHA1
186875c60c4ea1d03eb54faa5aff556fbef55835

SHA256
1d759c6dd0372d60451a7da6eceb7637eb95ff0bddfdec3377fbcadb43e0aa19

SHA512
789a3107991ec6a78819fc6c1fd74e2c3752577290600304c51eccf278a599ad6dea6980c68dae2feab214a39d9ea96962dbd8453c112e772df0beb8a12402ee

Download Submit
C:\Windows\{6ED518B3-4494-418c-BE35-B515439D28BB}.exe

Filesize
60KB

MD5
e937d04bcd55907e6907ba541fb243d3

SHA1
e6ae0ef158ec140b12394b579f1a7bbd25b692d1

SHA256
019aa30041749248a183f0b90bc645171fe4d3795e6f8ee241890da89d76bf22

SHA512
c2941915251e298dc6e5c839b2e6ef2197a5dfc8dd6a9cfed9b02fa94c13b61231b280d7d1ce0578755feb939e1dd3b3e7bd11ee787d8aa97513b1c4464e6144

Download Submit
C:\Windows\{8D844437-BE96-4b9a-9D85-B882AA8B768E}.exe

Filesize
60KB

MD5
8dffe766065da5cee58177f35bf29400

SHA1
c77904035fd199d7f61977b3dc27fb5103d28678

SHA256
68ad716f7773d938cc065226e13330ee4d5145434617264300cdedc23e61a1d2

SHA512
937db2989f73688e6a279d43d2394a0bb563c778890422fe3d45d2c1d318d0d18a880e0bbddcfb9dcc71e0c5c744aebb579dd3879c5e032930eeea86f47cd96d

Download Submit
C:\Windows\{AEAEFCE5-2A0A-4fd1-8594-F4D10CF50C7F}.exe

Filesize
60KB

MD5
f93d783119f05b7ab486b4da95cfceb3

SHA1
40bf4c67f693175f0c58ca8328da6de2f4f0baf1

SHA256
31edd2b8305bb5484c3d548fdcf8316865fd91ba4b7f28fb012cc9e967fd0e61

SHA512
d05636358c258293f3e7544f49c4fc0512d95bd9c91362a10785d77d232c719990dea3b7ab348e1d0fa6f2176971e7878c39474bdb37a898dea3aec715e1c946

Download Submit
C:\Windows\{C1EA9C43-CE8F-484f-8850-3EDE1B92AF6C}.exe

Filesize
60KB

MD5
77074fea645fadfa661776f7bdbb10c7

SHA1
7bde0425ddc79e5909cb12cde58482d20cb65f56

SHA256
7a5dd8394f9c8f9f82442979003988c3336ae9cc6c438803ad62fb4c7ee20dd9

SHA512
1ecc17afb0642ed804ebf62f2a571b5a09be0a61e12da7f7720b2fa31010054617a5008f404becdfceb3bb2437a598cdeba8f899ac0c8505b3a9f396c9ea76fd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads