f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7f

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe
Size

89KB
MD5

4f8a2d0d1f7241bc9c67b92bddac5f10
SHA1

28c18cdbc5aa0946c0b84d238cdb3065aca5eb28
SHA256

f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7f
SHA512

7e83e55e97225864eef37a727259f6f24456449af51828e2605a60365b7a71c7bc311d7849c66994bb644a4e10ce21ae910c2bc3ac55bafdc9f166f976132c6f
SSDEEP

768:5vw9816thKQLroZ4/wQkNrfrunMxVFA3k:lEG/0oZlbunMxVS3k

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EB8B456-3BAC-4ff2-9795-24EA22481083}	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EB8B456-3BAC-4ff2-9795-24EA22481083}\stubpath = "C:\\Windows\\{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe"	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}\stubpath = "C:\\Windows\\{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe"	{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}\stubpath = "C:\\Windows\\{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe"	{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{861F8AC7-38CE-4253-8C05-C747671668F8}	{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{092D7519-9071-488f-90B8-C83C531B13CE}	{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{070BCA18-924E-42e3-9D10-A2E678DB4995}	{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}	{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}	{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46CB00C2-092A-4b25-BC7F-7BD87CFADF52}	{861F8AC7-38CE-4253-8C05-C747671668F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{070BCA18-924E-42e3-9D10-A2E678DB4995}\stubpath = "C:\\Windows\\{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe"	{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37B8632C-6703-479c-A3C1-51996CCDFF19}	{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37B8632C-6703-479c-A3C1-51996CCDFF19}\stubpath = "C:\\Windows\\{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe"	{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{861F8AC7-38CE-4253-8C05-C747671668F8}\stubpath = "C:\\Windows\\{861F8AC7-38CE-4253-8C05-C747671668F8}.exe"	{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{092D7519-9071-488f-90B8-C83C531B13CE}\stubpath = "C:\\Windows\\{092D7519-9071-488f-90B8-C83C531B13CE}.exe"	{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21105BE3-37FE-4c00-9F99-B24E765ACFBE}	{092D7519-9071-488f-90B8-C83C531B13CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21105BE3-37FE-4c00-9F99-B24E765ACFBE}\stubpath = "C:\\Windows\\{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe"	{092D7519-9071-488f-90B8-C83C531B13CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46CB00C2-092A-4b25-BC7F-7BD87CFADF52}\stubpath = "C:\\Windows\\{46CB00C2-092A-4b25-BC7F-7BD87CFADF52}.exe"	{861F8AC7-38CE-4253-8C05-C747671668F8}.exe

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2824	{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe
2640	{092D7519-9071-488f-90B8-C83C531B13CE}.exe
2688	{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe
2212	{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe
1700	{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe
2972	{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe
568	{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe
2336	{861F8AC7-38CE-4253-8C05-C747671668F8}.exe
2196	{46CB00C2-092A-4b25-BC7F-7BD87CFADF52}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe
File created	C:\Windows\{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe	{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe
File created	C:\Windows\{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe	{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe
File created	C:\Windows\{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe	{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe
File created	C:\Windows\{861F8AC7-38CE-4253-8C05-C747671668F8}.exe	{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe
File created	C:\Windows\{46CB00C2-092A-4b25-BC7F-7BD87CFADF52}.exe	{861F8AC7-38CE-4253-8C05-C747671668F8}.exe
File created	C:\Windows\{092D7519-9071-488f-90B8-C83C531B13CE}.exe	{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe
File created	C:\Windows\{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe	{092D7519-9071-488f-90B8-C83C531B13CE}.exe
File created	C:\Windows\{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe	{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{861F8AC7-38CE-4253-8C05-C747671668F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{46CB00C2-092A-4b25-BC7F-7BD87CFADF52}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{092D7519-9071-488f-90B8-C83C531B13CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2808	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe
Token: SeIncBasePriorityPrivilege	2824	{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe
Token: SeIncBasePriorityPrivilege	2640	{092D7519-9071-488f-90B8-C83C531B13CE}.exe
Token: SeIncBasePriorityPrivilege	2688	{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe
Token: SeIncBasePriorityPrivilege	2212	{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe
Token: SeIncBasePriorityPrivilege	1700	{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe
Token: SeIncBasePriorityPrivilege	2972	{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe
Token: SeIncBasePriorityPrivilege	568	{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe
Token: SeIncBasePriorityPrivilege	2336	{861F8AC7-38CE-4253-8C05-C747671668F8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2824	2808	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe	30
PID 2808 wrote to memory of 2824	2808	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe	30
PID 2808 wrote to memory of 2824	2808	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe	30
PID 2808 wrote to memory of 2824	2808	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe	30
PID 2808 wrote to memory of 2816	2808	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe	31
PID 2808 wrote to memory of 2816	2808	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe	31
PID 2808 wrote to memory of 2816	2808	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe	31
PID 2808 wrote to memory of 2816	2808	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe	31
PID 2824 wrote to memory of 2640	2824	{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe	32
PID 2824 wrote to memory of 2640	2824	{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe	32
PID 2824 wrote to memory of 2640	2824	{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe	32
PID 2824 wrote to memory of 2640	2824	{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe	32
PID 2824 wrote to memory of 2852	2824	{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe	33
PID 2824 wrote to memory of 2852	2824	{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe	33
PID 2824 wrote to memory of 2852	2824	{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe	33
PID 2824 wrote to memory of 2852	2824	{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe	33
PID 2640 wrote to memory of 2688	2640	{092D7519-9071-488f-90B8-C83C531B13CE}.exe	34
PID 2640 wrote to memory of 2688	2640	{092D7519-9071-488f-90B8-C83C531B13CE}.exe	34
PID 2640 wrote to memory of 2688	2640	{092D7519-9071-488f-90B8-C83C531B13CE}.exe	34
PID 2640 wrote to memory of 2688	2640	{092D7519-9071-488f-90B8-C83C531B13CE}.exe	34
PID 2640 wrote to memory of 2100	2640	{092D7519-9071-488f-90B8-C83C531B13CE}.exe	35
PID 2640 wrote to memory of 2100	2640	{092D7519-9071-488f-90B8-C83C531B13CE}.exe	35
PID 2640 wrote to memory of 2100	2640	{092D7519-9071-488f-90B8-C83C531B13CE}.exe	35
PID 2640 wrote to memory of 2100	2640	{092D7519-9071-488f-90B8-C83C531B13CE}.exe	35
PID 2688 wrote to memory of 2212	2688	{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe	36
PID 2688 wrote to memory of 2212	2688	{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe	36
PID 2688 wrote to memory of 2212	2688	{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe	36
PID 2688 wrote to memory of 2212	2688	{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe	36
PID 2688 wrote to memory of 2536	2688	{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe	37
PID 2688 wrote to memory of 2536	2688	{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe	37
PID 2688 wrote to memory of 2536	2688	{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe	37
PID 2688 wrote to memory of 2536	2688	{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe	37
PID 2212 wrote to memory of 1700	2212	{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe	38
PID 2212 wrote to memory of 1700	2212	{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe	38
PID 2212 wrote to memory of 1700	2212	{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe	38
PID 2212 wrote to memory of 1700	2212	{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe	38
PID 2212 wrote to memory of 2992	2212	{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe	39
PID 2212 wrote to memory of 2992	2212	{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe	39
PID 2212 wrote to memory of 2992	2212	{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe	39
PID 2212 wrote to memory of 2992	2212	{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe	39
PID 1700 wrote to memory of 2972	1700	{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe	40
PID 1700 wrote to memory of 2972	1700	{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe	40
PID 1700 wrote to memory of 2972	1700	{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe	40
PID 1700 wrote to memory of 2972	1700	{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe	40
PID 1700 wrote to memory of 2948	1700	{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe	41
PID 1700 wrote to memory of 2948	1700	{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe	41
PID 1700 wrote to memory of 2948	1700	{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe	41
PID 1700 wrote to memory of 2948	1700	{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe	41
PID 2972 wrote to memory of 568	2972	{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe	42
PID 2972 wrote to memory of 568	2972	{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe	42
PID 2972 wrote to memory of 568	2972	{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe	42
PID 2972 wrote to memory of 568	2972	{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe	42
PID 2972 wrote to memory of 576	2972	{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe	43
PID 2972 wrote to memory of 576	2972	{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe	43
PID 2972 wrote to memory of 576	2972	{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe	43
PID 2972 wrote to memory of 576	2972	{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe	43
PID 568 wrote to memory of 2336	568	{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe	44
PID 568 wrote to memory of 2336	568	{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe	44
PID 568 wrote to memory of 2336	568	{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe	44
PID 568 wrote to memory of 2336	568	{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe	44
PID 568 wrote to memory of 2104	568	{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe	45
PID 568 wrote to memory of 2104	568	{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe	45
PID 568 wrote to memory of 2104	568	{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe	45
PID 568 wrote to memory of 2104	568	{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe	45

C:\Users\Admin\AppData\Local\Temp\f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe
"C:\Users\Admin\AppData\Local\Temp\f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe
  C:\Windows\{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\{092D7519-9071-488f-90B8-C83C531B13CE}.exe
    C:\Windows\{092D7519-9071-488f-90B8-C83C531B13CE}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe
      C:\Windows\{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe
        
        C:\Windows\{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe
        
        C:\Windows\{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe
        
        C:\Windows\{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe
        
        C:\Windows\{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\{861F8AC7-38CE-4253-8C05-C747671668F8}.exe
        
        C:\Windows\{861F8AC7-38CE-4253-8C05-C747671668F8}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\{46CB00C2-092A-4b25-BC7F-7BD87CFADF52}.exe
        
        C:\Windows\{46CB00C2-092A-4b25-BC7F-7BD87CFADF52}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{861F8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37B86~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E2B7~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1584~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{070BC~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21105~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{092D7~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4EB8B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F0BBF5~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{070BCA18-924E-42e3-9D10-A2E678DB4995}.exe

Filesize
89KB

MD5
ba3ef2ca3b1db60b28f8fe0370f7869e

SHA1
9b44df5830c02d15f99facb8920a302d91a46e22

SHA256
767df6015255a4b2b6e629718618a050a2ab0388688bdc59db509eca1373593a

SHA512
6716e612c636d36e26d2702a8539920587fb3d9f1be071a52bd5c91122d3e12527e988fbe5dc45da31fa31955e04a8171830ce29786ce6d96fe75ec0f180f9fc

Download Submit
C:\Windows\{092D7519-9071-488f-90B8-C83C531B13CE}.exe

Filesize
89KB

MD5
486a771a818bb22e251139a0dc67783f

SHA1
dee8e6aea87cec6f1c4a3721e097446c6549d2e3

SHA256
5a5e719b9c2fab74ab97cfaad202177e1e698b57efaf9e9a90a1bf01eeebd27c

SHA512
0ca88320367fba0bd8fb8e14cfc9725b4cdb034ba5ad073b1655c42d93095c023b897ad27dd4ebdd718826dddb9967417d55f83f22cfcbc5f153c9fbdc511b0b

Download Submit
C:\Windows\{21105BE3-37FE-4c00-9F99-B24E765ACFBE}.exe

Filesize
89KB

MD5
12f356c270cf8a6ac9841c673b95464b

SHA1
c641f7ce0de8e7d49c3a1b8c021331f75d270245

SHA256
02d9c0d4f7a408d475c30ba37e60af2f3e04ed66797d278bf8359e80757a947d

SHA512
5b3988f81b94f793c5eaa2d945b946e094c2983e5024324871b8d006724ecd427590a7566d0903d67fb75d68a69253f8058cc5faa3710f920ab0183dd6565d5c

Download Submit
C:\Windows\{37B8632C-6703-479c-A3C1-51996CCDFF19}.exe

Filesize
89KB

MD5
ce76d271abfbac846ff0c3afe5bd8e79

SHA1
e18589125136a6c259252dfb98fadcbe0ba8a16a

SHA256
ed06ed5fd4e6f12f68137682ad9cb6a9c0aa06e14db22e4a02a59d467aac9858

SHA512
2431478d8ae3233d3f2371d4fa59be95bf464c58ca4716be0e55209934591423abf6ccdfa17d2c31ac7d7279c2a954819c16e26555bfdb0961e938544cec0104

Download Submit
C:\Windows\{46CB00C2-092A-4b25-BC7F-7BD87CFADF52}.exe

Filesize
89KB

MD5
9c28a358d880096447fbf65ed8f8667d

SHA1
49e96865332863cfb737b2bcedc1eed6287c4fd7

SHA256
65fd27d6c8520e97e87eae8aee106a0bf0478184293cbadad72344bf2f4e9eb0

SHA512
183bca2789d83e4775cfa257a35a68bdf5a5ae7cc835ff0afe05540379829adc6203f5428460370403e666ae302c0492d10b1d01fe9a0f353008242e51538077

Download Submit
C:\Windows\{4EB8B456-3BAC-4ff2-9795-24EA22481083}.exe

Filesize
89KB

MD5
9616a7508c73eae3949ffaf4e8a09ae0

SHA1
d5e803a3061fa5a0fe252132944d70b05f9e7279

SHA256
d22384bf0d89d943a7939d0e689a0a42d9b0e71f052b51a3f2216aa5f11791e6

SHA512
2fd0b0634ac3e3d371e3245be4d9fc51c9cda0a13e4ec6f46be93687c270695eb40d951197f2b537881a0bb17abbb43dfbabcfc464ab464f1e3c9abdeb060c13

Download Submit
C:\Windows\{861F8AC7-38CE-4253-8C05-C747671668F8}.exe

Filesize
89KB

MD5
b737401eedf9b3d03a6ad3bd4f1284e3

SHA1
6c84dd6f086a8f7c5e7fd267641501ad02825497

SHA256
354fc332d670de93fb42dfe90f2b52c35c38ab599c14d896aeb0abae9ac94283

SHA512
f610c01b48432995f31be4ab6389097fbebd492da81e335c2ab2250a3726be15623bbb4ab02eaa284d5187e86961ee742adaec754f5d58d708da21323f32e745

Download Submit
C:\Windows\{9E2B79E9-4432-42c6-88AF-28ADF1A06B87}.exe

Filesize
89KB

MD5
7ed5cae0b2e37f28323d397c30e9c3b4

SHA1
0edf7bd2d4da697ef3e157a68ad1370b94e87602

SHA256
95e77cfda9e97dc583a4449f576b32367fbfb35b186e1e6e0980692eece07feb

SHA512
bea7954d829116a89535d15fb54467cbe56f3510cfac9f5d6bb76ebc7ca98f97c8bee756cae6563c3c2e44ba5c33d1e756fc14272c524c82ff207263824a2871

Download Submit
C:\Windows\{E15843D6-AA11-4fd6-9D21-2C946ACB81C9}.exe

Filesize
89KB

MD5
7c8b9a8dea7ab1e6d58a21a109232594

SHA1
6796d4c196a30d23989a80be74433cc031663b2a

SHA256
b54d5d7e7a7e769b635bddf2da11435d983a96dac478ca39587ef3a01ac8bcb8

SHA512
c625d867fd6bc1e9e9c9aa86deb5cbd4ec882e1a2e6d9efdfffa65f761a6db7b97ef5da1680bdf815a017ed9e5dbe306308d63a21e5fad5d62f8784c08916a4c

Download Submit
memory/568-74-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/568-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1700-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1700-50-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2212-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2212-42-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2336-75-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2336-83-0x0000000001BD0000-0x0000000001BE1000-memory.dmp

Filesize
68KB

Download
memory/2336-82-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2640-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2640-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2640-23-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2688-36-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2688-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2688-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2808-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2808-4-0x00000000004E0000-0x00000000004F1000-memory.dmp

Filesize
68KB

Download
memory/2808-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2808-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2824-13-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2824-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2972-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2972-60-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads