b7abeb948bdb84dc203c949250470a55b93e0d25a0d89c7ab2553a25cdccb4b7

Analysis

max time kernel
118s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 17:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b7abeb948bdb84dc203c949250470a55b93e0d25a0d89c7ab2553a25cdccb4b7N.exe
Size

88KB
MD5

8af474b02c427bd01fa01d10a8541f50
SHA1

91e6e29c89ae62f776880f3e8e4803902797f560
SHA256

b7abeb948bdb84dc203c949250470a55b93e0d25a0d89c7ab2553a25cdccb4b7
SHA512

0e83ed9e2a98fcb2ffecfd270e7a1848482f8050a98f663711b5a55c0f7a940f89cf878f2dc1f6d930e06fe3a3393291ff5084560bd032229fd2c973f3e67664
SSDEEP

768:5vw9816thKQLroDjc4/wQkNrfrunMxVFA3V:lEG/0o/clbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{657C52F2-5481-4d4e-88BF-91984CE3294D}	b7abeb948bdb84dc203c949250470a55b93e0d25a0d89c7ab2553a25cdccb4b7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{657C52F2-5481-4d4e-88BF-91984CE3294D}\stubpath = "C:\\Windows\\{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe"	b7abeb948bdb84dc203c949250470a55b93e0d25a0d89c7ab2553a25cdccb4b7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}\stubpath = "C:\\Windows\\{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe"	{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}\stubpath = "C:\\Windows\\{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe"	{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}\stubpath = "C:\\Windows\\{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe"	{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}	{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08393D3E-CAEE-475f-BDC2-A8C6B98EBB89}\stubpath = "C:\\Windows\\{08393D3E-CAEE-475f-BDC2-A8C6B98EBB89}.exe"	{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}	{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}\stubpath = "C:\\Windows\\{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe"	{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}\stubpath = "C:\\Windows\\{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe"	{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58A15655-3C87-4204-9AB5-026A534DA6D5}\stubpath = "C:\\Windows\\{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe"	{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}	{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}	{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}	{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58A15655-3C87-4204-9AB5-026A534DA6D5}	{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}	{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}\stubpath = "C:\\Windows\\{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe"	{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08393D3E-CAEE-475f-BDC2-A8C6B98EBB89}	{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe

Executes dropped EXE 9 IoCs

pid	Process
3700	{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe
4736	{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe
3128	{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe
1660	{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe
1156	{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe
2464	{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe
4160	{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe
1644	{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe
1092	{08393D3E-CAEE-475f-BDC2-A8C6B98EBB89}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe	{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe
File created	C:\Windows\{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe	{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe
File created	C:\Windows\{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe	{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe
File created	C:\Windows\{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe	{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe
File created	C:\Windows\{08393D3E-CAEE-475f-BDC2-A8C6B98EBB89}.exe	{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe
File created	C:\Windows\{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe	b7abeb948bdb84dc203c949250470a55b93e0d25a0d89c7ab2553a25cdccb4b7N.exe
File created	C:\Windows\{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe	{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe
File created	C:\Windows\{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe	{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe
File created	C:\Windows\{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe	{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7abeb948bdb84dc203c949250470a55b93e0d25a0d89c7ab2553a25cdccb4b7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{08393D3E-CAEE-475f-BDC2-A8C6B98EBB89}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4008	b7abeb948bdb84dc203c949250470a55b93e0d25a0d89c7ab2553a25cdccb4b7N.exe
Token: SeIncBasePriorityPrivilege	3700	{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe
Token: SeIncBasePriorityPrivilege	4736	{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe
Token: SeIncBasePriorityPrivilege	3128	{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe
Token: SeIncBasePriorityPrivilege	1660	{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe
Token: SeIncBasePriorityPrivilege	1156	{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe
Token: SeIncBasePriorityPrivilege	2464	{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe
Token: SeIncBasePriorityPrivilege	4160	{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe
Token: SeIncBasePriorityPrivilege	1644	{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 3700	4008	b7abeb948bdb84dc203c949250470a55b93e0d25a0d89c7ab2553a25cdccb4b7N.exe	82
PID 4008 wrote to memory of 3700	4008	b7abeb948bdb84dc203c949250470a55b93e0d25a0d89c7ab2553a25cdccb4b7N.exe	82
PID 4008 wrote to memory of 3700	4008	b7abeb948bdb84dc203c949250470a55b93e0d25a0d89c7ab2553a25cdccb4b7N.exe	82
PID 4008 wrote to memory of 464	4008	b7abeb948bdb84dc203c949250470a55b93e0d25a0d89c7ab2553a25cdccb4b7N.exe	83
PID 4008 wrote to memory of 464	4008	b7abeb948bdb84dc203c949250470a55b93e0d25a0d89c7ab2553a25cdccb4b7N.exe	83
PID 4008 wrote to memory of 464	4008	b7abeb948bdb84dc203c949250470a55b93e0d25a0d89c7ab2553a25cdccb4b7N.exe	83
PID 3700 wrote to memory of 4736	3700	{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe	91
PID 3700 wrote to memory of 4736	3700	{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe	91
PID 3700 wrote to memory of 4736	3700	{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe	91
PID 3700 wrote to memory of 2080	3700	{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe	92
PID 3700 wrote to memory of 2080	3700	{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe	92
PID 3700 wrote to memory of 2080	3700	{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe	92
PID 4736 wrote to memory of 3128	4736	{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe	94
PID 4736 wrote to memory of 3128	4736	{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe	94
PID 4736 wrote to memory of 3128	4736	{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe	94
PID 4736 wrote to memory of 2976	4736	{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe	95
PID 4736 wrote to memory of 2976	4736	{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe	95
PID 4736 wrote to memory of 2976	4736	{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe	95
PID 3128 wrote to memory of 1660	3128	{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe	97
PID 3128 wrote to memory of 1660	3128	{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe	97
PID 3128 wrote to memory of 1660	3128	{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe	97
PID 3128 wrote to memory of 2864	3128	{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe	98
PID 3128 wrote to memory of 2864	3128	{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe	98
PID 3128 wrote to memory of 2864	3128	{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe	98
PID 1660 wrote to memory of 1156	1660	{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe	99
PID 1660 wrote to memory of 1156	1660	{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe	99
PID 1660 wrote to memory of 1156	1660	{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe	99
PID 1660 wrote to memory of 4476	1660	{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe	100
PID 1660 wrote to memory of 4476	1660	{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe	100
PID 1660 wrote to memory of 4476	1660	{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe	100
PID 1156 wrote to memory of 2464	1156	{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe	101
PID 1156 wrote to memory of 2464	1156	{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe	101
PID 1156 wrote to memory of 2464	1156	{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe	101
PID 1156 wrote to memory of 4284	1156	{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe	102
PID 1156 wrote to memory of 4284	1156	{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe	102
PID 1156 wrote to memory of 4284	1156	{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe	102
PID 2464 wrote to memory of 4160	2464	{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe	103
PID 2464 wrote to memory of 4160	2464	{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe	103
PID 2464 wrote to memory of 4160	2464	{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe	103
PID 2464 wrote to memory of 3924	2464	{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe	104
PID 2464 wrote to memory of 3924	2464	{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe	104
PID 2464 wrote to memory of 3924	2464	{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe	104
PID 4160 wrote to memory of 1644	4160	{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe	105
PID 4160 wrote to memory of 1644	4160	{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe	105
PID 4160 wrote to memory of 1644	4160	{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe	105
PID 4160 wrote to memory of 2216	4160	{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe	106
PID 4160 wrote to memory of 2216	4160	{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe	106
PID 4160 wrote to memory of 2216	4160	{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe	106
PID 1644 wrote to memory of 1092	1644	{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe	107
PID 1644 wrote to memory of 1092	1644	{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe	107
PID 1644 wrote to memory of 1092	1644	{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe	107
PID 1644 wrote to memory of 2452	1644	{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe	108
PID 1644 wrote to memory of 2452	1644	{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe	108
PID 1644 wrote to memory of 2452	1644	{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe	108

C:\Users\Admin\AppData\Local\Temp\b7abeb948bdb84dc203c949250470a55b93e0d25a0d89c7ab2553a25cdccb4b7N.exe
"C:\Users\Admin\AppData\Local\Temp\b7abeb948bdb84dc203c949250470a55b93e0d25a0d89c7ab2553a25cdccb4b7N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe
  C:\Windows\{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe
    C:\Windows\{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe
      C:\Windows\{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3128
    - - C:\Windows\{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe
        
        C:\Windows\{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe
        
        C:\Windows\{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe
        
        C:\Windows\{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe
        
        C:\Windows\{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe
        
        C:\Windows\{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{08393D3E-CAEE-475f-BDC2-A8C6B98EBB89}.exe
        
        C:\Windows\{08393D3E-CAEE-475f-BDC2-A8C6B98EBB89}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28982~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A8EA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C7F0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58A15~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EA0B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F314~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2B492~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{657C5~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B7ABEB~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08393D3E-CAEE-475f-BDC2-A8C6B98EBB89}.exe

Filesize
88KB

MD5
6d723f38e76030cf12ede27dccefb7cd

SHA1
887035995ad561316ae802f50987aa3018ea9bf0

SHA256
7310ef0b3ef23824032b0d05a57a22e653ce39f165f3f815d82bbb86c0f38208

SHA512
31dca1763f2878daee709e0b2ed200ffbc02b8920e08579d02b4fddf27299b75fb6ae918053d02abdcfefbc6711d9d5be0faf30897fad717ebd23970c0f72644

Download Submit
C:\Windows\{0A8EA55B-C3D6-4a47-9DE4-2833E7A8D213}.exe

Filesize
88KB

MD5
8c52fa354a568a71d016b0ddad7fd282

SHA1
4811b43b0698f525167f5912c400cd05ad9f6a68

SHA256
43ae5a16f8a9036a77a3bba03b520b06b9ba28a28c65573432070315d99fbf70

SHA512
f25d16bad5231d5342b4b2ff416d7d1d036d9b7d88f85608344bd9c21467b80838a2315a7cc5bae2c57e49d1477f7074852fb38ec4077a0df8097546639443fd

Download Submit
C:\Windows\{28982E0D-2FE5-41bc-AC9F-9A6A57024B7B}.exe

Filesize
88KB

MD5
7bce2a3f2e5c619d40419dafa7333dff

SHA1
1f500122e38c6d5ddae2d998ad08263dbf4c41d1

SHA256
04fa8fdf3ed439e6818200d47c3ca755f370386e9143c5b5d811b527dd6f002d

SHA512
fcebc3f9f8310d52bfc93c4d447fcab7d6b7fa1280153d890ab7789b5aa214623de3c2d7bba97992c7dede30cad4e0662acc096324685fcce81a9cdbd3750861

Download Submit
C:\Windows\{2B492CD8-A363-46d6-815B-D3F1EE5A5EC4}.exe

Filesize
88KB

MD5
e47c822285e1727f936cbfb9b830ddb1

SHA1
fcdefd63ec66823a9116c67e5f142aa3fa1adfef

SHA256
515fad3f2b5d71fc06d84d965dbcd8e25b46aad68b26791ff9d4f85098e78194

SHA512
f7d1a064f3d8163e4c425b6aa08d3b7827c1620d2d6fe06ca2f19430c42825c2f2747f3cb81731589cd502bb5df74dd0b311d248b19ca87ee578ba05ac852442

Download Submit
C:\Windows\{2C7F0CF0-0844-4f06-9FB7-A4FAF46C239C}.exe

Filesize
88KB

MD5
e7cf446e9ff64fe7dcd28794e5901cba

SHA1
04b21407d2027d8282164b7a618aeef65b849a16

SHA256
2c6c10edbec74bbd987220585048a6e0f4821d61bbf4969362165470f6a559a4

SHA512
7000d5f64c0cc22b73601051881e71ecd913724cb4d0f1a188e747dd6379b2d4ad7e5a18b5237944914dabcf8f34df166608535c0544a03038fbdca05f1234d1

Download Submit
C:\Windows\{3EA0B7B2-B254-40e7-8074-5EBD70C935C4}.exe

Filesize
88KB

MD5
a5b5b01e8cc5f39b15aee04b8ce10651

SHA1
fb7664266063f096d7d221306e27599ca92120c1

SHA256
dee20a4567180dbc02ffa1a44e820349fe8d53b191354f66d82cd55498c7f9cb

SHA512
b02ec78649f33a0ebeed3d40e61165d4d5d65dc66bc65edf5fcb5195956ae3e3b58181c3350bb1dd75062281d63f060a67b02d2d994e41907bbb5b2ca9aca0f1

Download Submit
C:\Windows\{58A15655-3C87-4204-9AB5-026A534DA6D5}.exe

Filesize
88KB

MD5
3c5f93d4685d976a27514e81a950e2eb

SHA1
f05e2915816d30687b0b5ed152368b6403055b4b

SHA256
2c424ce306dcac4a597d16fad16542f2e230703ffa69984e6ec8f758f90911bd

SHA512
40f3681a8743d2d8082c18e71e6257ebb9c31567e6fd7a13ccea86c05f1ba9ce67894f56e4d55a17eec8f77574cd61042c5c3941a009308d652ebe3d8ea9d1e2

Download Submit
C:\Windows\{657C52F2-5481-4d4e-88BF-91984CE3294D}.exe

Filesize
88KB

MD5
c197cc70e8a4ce18436d90806e50fdd4

SHA1
e0a1d2ecff42f0251e089c2fb47fc08706cd46ef

SHA256
f784be5c4786fddb04630989298c2fcc06edfa8ffc5353e760ccc7ce24b64cb8

SHA512
4b84da9d9c99689e0652bfdc7edb8ec06691a6db061b85570cfea026d5314c57f61f0e7df05cd15c1580e912aafc26dcba70a30ef1aae62503e476dbc24ecd81

Download Submit
C:\Windows\{8F314F48-E66D-476d-BC07-E5FD1E75C2E7}.exe

Filesize
88KB

MD5
f5739be40ef7f1aec51e4310f1a4d306

SHA1
dbd23b7d0af208aec13467f8479d1b32709c094c

SHA256
b4c91c6c324bf7725ecd3d48d81d740adf57db09ed077997b93536b7e9cb09ce

SHA512
bfe7ffeb66576601fca937f2a6ecf92fdb33d5786c90038e569f026748df47055aec0331cc3f280f2fb2b5615c5a9298a3500f8586ab33ab7ffd68f2839c1178

Download Submit
memory/1092-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1156-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1156-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1644-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1644-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1660-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1660-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2464-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2464-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3128-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3128-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3700-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3700-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4008-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4008-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4008-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4160-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4160-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4736-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4736-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4736-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads