578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 08:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986N.exe
Size

89KB
MD5

4f81e376aec512610e521e70936a02f0
SHA1

82ef116689e44979bf090721f34909d93fbfe31f
SHA256

578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986
SHA512

e40d939f789e0dfe54f2c8637f961fc28b1a3f55561c59c77a233e93ecfe7e10f3a19b4992838103ee8ffbe8d18b94e50992386a5f864a0d66be2aac3e4d6551
SSDEEP

768:Qvw9816vhKQLro44/wQRNrfrunMxVFA3b7glL:YEGh0o4l2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}	{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A69FA41-EFEA-4041-A3EA-BAF73A6FD953}	{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDD07880-75AF-4722-B397-8F1B210B0FCE}\stubpath = "C:\\Windows\\{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe"	578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}	{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8E7C340-DD37-4758-9537-B7C44A6BBC53}\stubpath = "C:\\Windows\\{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe"	{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD16E638-0456-4cf7-84EC-0AA5EF57C965}	{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}\stubpath = "C:\\Windows\\{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe"	{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85422CF1-2E76-4a26-BCE2-3BE03BB5645B}\stubpath = "C:\\Windows\\{85422CF1-2E76-4a26-BCE2-3BE03BB5645B}.exe"	{3A69FA41-EFEA-4041-A3EA-BAF73A6FD953}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDD07880-75AF-4722-B397-8F1B210B0FCE}	578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}\stubpath = "C:\\Windows\\{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe"	{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20F02DD4-210A-4b23-885A-A58F00F827E7}\stubpath = "C:\\Windows\\{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe"	{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8E7C340-DD37-4758-9537-B7C44A6BBC53}	{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}	{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}\stubpath = "C:\\Windows\\{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe"	{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD16E638-0456-4cf7-84EC-0AA5EF57C965}\stubpath = "C:\\Windows\\{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe"	{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20F02DD4-210A-4b23-885A-A58F00F827E7}	{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A69FA41-EFEA-4041-A3EA-BAF73A6FD953}\stubpath = "C:\\Windows\\{3A69FA41-EFEA-4041-A3EA-BAF73A6FD953}.exe"	{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85422CF1-2E76-4a26-BCE2-3BE03BB5645B}	{3A69FA41-EFEA-4041-A3EA-BAF73A6FD953}.exe

Deletes itself 1 IoCs

pid	Process
2056	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2364	{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe
2792	{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe
2332	{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe
2624	{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe
2628	{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe
2928	{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe
1756	{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe
2476	{3A69FA41-EFEA-4041-A3EA-BAF73A6FD953}.exe
2260	{85422CF1-2E76-4a26-BCE2-3BE03BB5645B}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe	{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe
File created	C:\Windows\{85422CF1-2E76-4a26-BCE2-3BE03BB5645B}.exe	{3A69FA41-EFEA-4041-A3EA-BAF73A6FD953}.exe
File created	C:\Windows\{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe	578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986N.exe
File created	C:\Windows\{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe	{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe
File created	C:\Windows\{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe	{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe
File created	C:\Windows\{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe	{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe
File created	C:\Windows\{3A69FA41-EFEA-4041-A3EA-BAF73A6FD953}.exe	{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe
File created	C:\Windows\{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe	{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe
File created	C:\Windows\{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe	{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{85422CF1-2E76-4a26-BCE2-3BE03BB5645B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3A69FA41-EFEA-4041-A3EA-BAF73A6FD953}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2116	578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986N.exe
Token: SeIncBasePriorityPrivilege	2364	{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe
Token: SeIncBasePriorityPrivilege	2792	{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe
Token: SeIncBasePriorityPrivilege	2332	{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe
Token: SeIncBasePriorityPrivilege	2624	{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe
Token: SeIncBasePriorityPrivilege	2628	{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe
Token: SeIncBasePriorityPrivilege	2928	{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe
Token: SeIncBasePriorityPrivilege	1756	{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe
Token: SeIncBasePriorityPrivilege	2476	{3A69FA41-EFEA-4041-A3EA-BAF73A6FD953}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2364	2116	578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986N.exe	31
PID 2116 wrote to memory of 2364	2116	578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986N.exe	31
PID 2116 wrote to memory of 2364	2116	578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986N.exe	31
PID 2116 wrote to memory of 2364	2116	578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986N.exe	31
PID 2116 wrote to memory of 2056	2116	578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986N.exe	32
PID 2116 wrote to memory of 2056	2116	578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986N.exe	32
PID 2116 wrote to memory of 2056	2116	578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986N.exe	32
PID 2116 wrote to memory of 2056	2116	578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986N.exe	32
PID 2364 wrote to memory of 2792	2364	{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe	33
PID 2364 wrote to memory of 2792	2364	{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe	33
PID 2364 wrote to memory of 2792	2364	{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe	33
PID 2364 wrote to memory of 2792	2364	{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe	33
PID 2364 wrote to memory of 2836	2364	{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe	34
PID 2364 wrote to memory of 2836	2364	{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe	34
PID 2364 wrote to memory of 2836	2364	{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe	34
PID 2364 wrote to memory of 2836	2364	{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe	34
PID 2792 wrote to memory of 2332	2792	{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe	35
PID 2792 wrote to memory of 2332	2792	{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe	35
PID 2792 wrote to memory of 2332	2792	{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe	35
PID 2792 wrote to memory of 2332	2792	{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe	35
PID 2792 wrote to memory of 2828	2792	{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe	36
PID 2792 wrote to memory of 2828	2792	{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe	36
PID 2792 wrote to memory of 2828	2792	{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe	36
PID 2792 wrote to memory of 2828	2792	{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe	36
PID 2332 wrote to memory of 2624	2332	{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe	37
PID 2332 wrote to memory of 2624	2332	{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe	37
PID 2332 wrote to memory of 2624	2332	{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe	37
PID 2332 wrote to memory of 2624	2332	{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe	37
PID 2332 wrote to memory of 2760	2332	{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe	38
PID 2332 wrote to memory of 2760	2332	{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe	38
PID 2332 wrote to memory of 2760	2332	{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe	38
PID 2332 wrote to memory of 2760	2332	{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe	38
PID 2624 wrote to memory of 2628	2624	{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe	39
PID 2624 wrote to memory of 2628	2624	{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe	39
PID 2624 wrote to memory of 2628	2624	{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe	39
PID 2624 wrote to memory of 2628	2624	{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe	39
PID 2624 wrote to memory of 2000	2624	{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe	40
PID 2624 wrote to memory of 2000	2624	{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe	40
PID 2624 wrote to memory of 2000	2624	{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe	40
PID 2624 wrote to memory of 2000	2624	{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe	40
PID 2628 wrote to memory of 2928	2628	{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe	41
PID 2628 wrote to memory of 2928	2628	{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe	41
PID 2628 wrote to memory of 2928	2628	{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe	41
PID 2628 wrote to memory of 2928	2628	{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe	41
PID 2628 wrote to memory of 2888	2628	{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe	42
PID 2628 wrote to memory of 2888	2628	{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe	42
PID 2628 wrote to memory of 2888	2628	{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe	42
PID 2628 wrote to memory of 2888	2628	{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe	42
PID 2928 wrote to memory of 1756	2928	{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe	43
PID 2928 wrote to memory of 1756	2928	{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe	43
PID 2928 wrote to memory of 1756	2928	{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe	43
PID 2928 wrote to memory of 1756	2928	{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe	43
PID 2928 wrote to memory of 2776	2928	{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe	44
PID 2928 wrote to memory of 2776	2928	{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe	44
PID 2928 wrote to memory of 2776	2928	{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe	44
PID 2928 wrote to memory of 2776	2928	{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe	44
PID 1756 wrote to memory of 2476	1756	{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe	45
PID 1756 wrote to memory of 2476	1756	{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe	45
PID 1756 wrote to memory of 2476	1756	{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe	45
PID 1756 wrote to memory of 2476	1756	{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe	45
PID 1756 wrote to memory of 1288	1756	{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe	46
PID 1756 wrote to memory of 1288	1756	{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe	46
PID 1756 wrote to memory of 1288	1756	{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe	46
PID 1756 wrote to memory of 1288	1756	{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe	46

C:\Users\Admin\AppData\Local\Temp\578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986N.exe
"C:\Users\Admin\AppData\Local\Temp\578ed8acceaf3134b0ecdf58b4fa53d3539025df617cc0f2795483f74393f986N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe
  C:\Windows\{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe
    C:\Windows\{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe
      C:\Windows\{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe
        
        C:\Windows\{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe
        
        C:\Windows\{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe
        
        C:\Windows\{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe
        
        C:\Windows\{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\{3A69FA41-EFEA-4041-A3EA-BAF73A6FD953}.exe
        
        C:\Windows\{3A69FA41-EFEA-4041-A3EA-BAF73A6FD953}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\{85422CF1-2E76-4a26-BCE2-3BE03BB5645B}.exe
        
        C:\Windows\{85422CF1-2E76-4a26-BCE2-3BE03BB5645B}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A69F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8820A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD16E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19A11~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8E7C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20F02~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DD1CE~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FDD07~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\578ED8~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19A11DFB-FBB0-46bb-B586-EE15A6E2EE65}.exe

Filesize
89KB

MD5
f7299544b1fe776f97983efc4f5abcbf

SHA1
b3aa5b7f3aab022adb99d2b5829be72ac0d0f2ee

SHA256
1139ac7570404e54eb0113f54443b8808db9e3708b23bef21da561b0f1d90ecf

SHA512
bade2555bb9beaefd78486e0c67c4ea381e961a0fa30551f0da40c6dac81bf12319d099f44118e3f1b0c3a7940fb898682526f2e496cbbb574ec4c90759ae248

Download Submit
C:\Windows\{20F02DD4-210A-4b23-885A-A58F00F827E7}.exe

Filesize
89KB

MD5
58a32f64613b17592d20fe20cabe9365

SHA1
a6072d71a625f3edd30dfeec30b289386e68895c

SHA256
9d7880434a80d282d40dc00a1c91220a546537273f752f774b0215ec735bc44a

SHA512
932d6339dc285c2cb4453de07373a5f60f0fee7af526f0bea0cd06dba6508d027401cd4102a45a7fda3a48d51fabebb9f419f1bc0dded827765f37b47bb3ad91

Download Submit
C:\Windows\{3A69FA41-EFEA-4041-A3EA-BAF73A6FD953}.exe

Filesize
89KB

MD5
f12e6e3af364b413bd583ff4454d484d

SHA1
622fabdd7bd9b6fb8f52f0d8efd80134c32b2f69

SHA256
932c610349b70f838a03eb139a9dc0dc01303d7dba6a8d290c23075510f26aab

SHA512
47b21a2db0239ee1cf71f2efe8b50b9de0965a9ea7e297f94faf5548c358c02eb5126d3cf32bc941d983b2b248278959550b487b3f8d7cbf5ad50f9f272c9f32

Download Submit
C:\Windows\{85422CF1-2E76-4a26-BCE2-3BE03BB5645B}.exe

Filesize
89KB

MD5
81250d24734b70cb19d7d4b5d91b2b01

SHA1
73ff7567450163b0b6f4070cd28445d14fa8428c

SHA256
008428eeacfe79caf87d8a6b08be1a7813289548dea51ff7cb0416ba95c270ec

SHA512
7ab35deebf8d9b53bcf0ab20e8ecd4ef0e8887fa9280f8aa9f2828bf9b900e5642b7fedb19b8349dcda3bd3c0bc76f31598c92b906e4cce0c50256c9d4fe3604

Download Submit
C:\Windows\{8820A21D-2F5A-47ad-8E30-A2EC2728F3FC}.exe

Filesize
89KB

MD5
035df9f126d925d54454d690d34b9760

SHA1
23582946b4dd787b5c09a91cd1efabb3166e3934

SHA256
b7791a44080968aa1e0c4d4ac9e7b37776b10860b24e097f560111c9f3d82c33

SHA512
001c351ea029400ccda5265c5488b29ba3853f7b8cbb8b285801dd20ff04728c91cb92397e69abf78762ce44a6e26acbf304d1d9e6630a6c95763bf5894d9896

Download Submit
C:\Windows\{BD16E638-0456-4cf7-84EC-0AA5EF57C965}.exe

Filesize
89KB

MD5
1f7f736c87841c46ac691fe68257465e

SHA1
b6ed80a9ad7418b500ebb503a4a120ef711211c5

SHA256
a372c917674cde5ae83d1b7c48663f6b03c93473c4ca3e9b6bb0a31fa3990668

SHA512
537515b722d2b33a7ebba2b10ccb3cca8aa173641f0172c1e500fcfe572e1d10c7e1680341422c11f5b4ebad8cdeaff60b00908968e0c2578411fc628dc877dd

Download Submit
C:\Windows\{DD1CE9A2-7D46-4b4d-9EBF-C85816A9F64E}.exe

Filesize
89KB

MD5
357bf49ca3d4b48c5a33aa1db58af7c4

SHA1
81ccbfdafeeab0586dfd8293813729bb82ee1b12

SHA256
5e0fe405fd28be6a360099b0fc0f39ea415c6ffeff91453481451613228efec2

SHA512
67ed7215e3cf28794e546a31ef6867f1e0654991da6d3a430013827f02ff6487211bbbac8a41add58bcccc69f7df3166be82836d594893d3ed130ac8e672c5d7

Download Submit
C:\Windows\{E8E7C340-DD37-4758-9537-B7C44A6BBC53}.exe

Filesize
89KB

MD5
f8a15afd526aaa04a36acbcbb2fa955d

SHA1
94aa15d4e94ca3af1d786a06ad081855100fa328

SHA256
781012584b4add5b8779409b90527e6a4aed48370e8a1f3bedad586aa40603fc

SHA512
7d686f76e958f0e7d4c5c1638f5a7b2bbc86044d6f5fb8eeed5e5fae0f42408f085bcdaf024f6d1f1fbecaaf0ef65d558f44b4eff6124dc625bd03b956e0944e

Download Submit
C:\Windows\{FDD07880-75AF-4722-B397-8F1B210B0FCE}.exe

Filesize
89KB

MD5
0afe80a4082d881e850269457e221616

SHA1
71570fb871f4068a1a508df305d204167b7f7998

SHA256
ff2c6a54fc8268d19b0a4324af928708ef6d324585618ad738d76d8ec647cd2b

SHA512
553ba65266077f3f81db366f94aa48abec49d51e59b02b51f39cbd609a708bb6fb342031060f8781eb8b7d9560f4aabfa9774da52b0b87f87e5ae4710f384032

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads