b9de377523e8cfbc8010be41b02c17794ec55ac219e676780ae28e9ebac5ae97

Analysis

max time kernel
118s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 09:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b9de377523e8cfbc8010be41b02c17794ec55ac219e676780ae28e9ebac5ae97N.exe
Size

89KB
MD5

4b5e30781359333f2713fca8e87fb690
SHA1

409ac1ba0e4471d0fbf6847a7f8a09212c3c2f23
SHA256

b9de377523e8cfbc8010be41b02c17794ec55ac219e676780ae28e9ebac5ae97
SHA512

69bfa7b7bb01a49d9bdf41c1229bbb02d1565623ee46607d4109910fbd5ab86b608f9b22b2293c0759ad43530085020dfa70f6cf49d6b9b7c8af9c26274577cb
SSDEEP

768:Qvw9816vhKQLros4/wQRNrfrunMxVFA3b7glL:YEGh0osl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2C71EA6-B57C-4391-A59D-5A2AAF770985}\stubpath = "C:\\Windows\\{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe"	{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6A475D5-A92C-4131-A936-28184E36A954}	{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70F5B9A8-79AE-4d89-A294-F11DF41BED51}	{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B47AD306-404F-418a-8C5D-1D4EAD942AB3}	{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B47AD306-404F-418a-8C5D-1D4EAD942AB3}\stubpath = "C:\\Windows\\{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe"	{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC1BF74D-4124-4c85-ACEE-27A0915124DD}	{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2C71EA6-B57C-4391-A59D-5A2AAF770985}	{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}	{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}\stubpath = "C:\\Windows\\{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe"	{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46529E54-B2F6-4446-BF5B-C441F35D2337}\stubpath = "C:\\Windows\\{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe"	{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6A475D5-A92C-4131-A936-28184E36A954}\stubpath = "C:\\Windows\\{C6A475D5-A92C-4131-A936-28184E36A954}.exe"	{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70F5B9A8-79AE-4d89-A294-F11DF41BED51}\stubpath = "C:\\Windows\\{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe"	{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}\stubpath = "C:\\Windows\\{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe"	b9de377523e8cfbc8010be41b02c17794ec55ac219e676780ae28e9ebac5ae97N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46529E54-B2F6-4446-BF5B-C441F35D2337}	{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FF29127-3F45-4d22-9CA7-53B5047D1180}	{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FF29127-3F45-4d22-9CA7-53B5047D1180}\stubpath = "C:\\Windows\\{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe"	{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC1BF74D-4124-4c85-ACEE-27A0915124DD}\stubpath = "C:\\Windows\\{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe"	{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}	b9de377523e8cfbc8010be41b02c17794ec55ac219e676780ae28e9ebac5ae97N.exe

Executes dropped EXE 9 IoCs

pid	Process
3640	{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe
3452	{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe
3128	{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe
2340	{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe
1632	{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe
4480	{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe
2212	{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe
4960	{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe
4888	{C6A475D5-A92C-4131-A936-28184E36A954}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe	{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe
File created	C:\Windows\{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe	{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe
File created	C:\Windows\{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe	{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe
File created	C:\Windows\{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe	{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe
File created	C:\Windows\{C6A475D5-A92C-4131-A936-28184E36A954}.exe	{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe
File created	C:\Windows\{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe	b9de377523e8cfbc8010be41b02c17794ec55ac219e676780ae28e9ebac5ae97N.exe
File created	C:\Windows\{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe	{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe
File created	C:\Windows\{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe	{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe
File created	C:\Windows\{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe	{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C6A475D5-A92C-4131-A936-28184E36A954}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9de377523e8cfbc8010be41b02c17794ec55ac219e676780ae28e9ebac5ae97N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2100	b9de377523e8cfbc8010be41b02c17794ec55ac219e676780ae28e9ebac5ae97N.exe
Token: SeIncBasePriorityPrivilege	3640	{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe
Token: SeIncBasePriorityPrivilege	3452	{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe
Token: SeIncBasePriorityPrivilege	3128	{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe
Token: SeIncBasePriorityPrivilege	2340	{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe
Token: SeIncBasePriorityPrivilege	1632	{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe
Token: SeIncBasePriorityPrivilege	4480	{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe
Token: SeIncBasePriorityPrivilege	2212	{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe
Token: SeIncBasePriorityPrivilege	4960	{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 3640	2100	b9de377523e8cfbc8010be41b02c17794ec55ac219e676780ae28e9ebac5ae97N.exe	84
PID 2100 wrote to memory of 3640	2100	b9de377523e8cfbc8010be41b02c17794ec55ac219e676780ae28e9ebac5ae97N.exe	84
PID 2100 wrote to memory of 3640	2100	b9de377523e8cfbc8010be41b02c17794ec55ac219e676780ae28e9ebac5ae97N.exe	84
PID 2100 wrote to memory of 1348	2100	b9de377523e8cfbc8010be41b02c17794ec55ac219e676780ae28e9ebac5ae97N.exe	85
PID 2100 wrote to memory of 1348	2100	b9de377523e8cfbc8010be41b02c17794ec55ac219e676780ae28e9ebac5ae97N.exe	85
PID 2100 wrote to memory of 1348	2100	b9de377523e8cfbc8010be41b02c17794ec55ac219e676780ae28e9ebac5ae97N.exe	85
PID 3640 wrote to memory of 3452	3640	{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe	91
PID 3640 wrote to memory of 3452	3640	{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe	91
PID 3640 wrote to memory of 3452	3640	{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe	91
PID 3640 wrote to memory of 3544	3640	{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe	92
PID 3640 wrote to memory of 3544	3640	{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe	92
PID 3640 wrote to memory of 3544	3640	{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe	92
PID 3452 wrote to memory of 3128	3452	{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe	94
PID 3452 wrote to memory of 3128	3452	{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe	94
PID 3452 wrote to memory of 3128	3452	{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe	94
PID 3452 wrote to memory of 4928	3452	{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe	95
PID 3452 wrote to memory of 4928	3452	{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe	95
PID 3452 wrote to memory of 4928	3452	{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe	95
PID 3128 wrote to memory of 2340	3128	{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe	97
PID 3128 wrote to memory of 2340	3128	{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe	97
PID 3128 wrote to memory of 2340	3128	{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe	97
PID 3128 wrote to memory of 408	3128	{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe	98
PID 3128 wrote to memory of 408	3128	{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe	98
PID 3128 wrote to memory of 408	3128	{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe	98
PID 2340 wrote to memory of 1632	2340	{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe	99
PID 2340 wrote to memory of 1632	2340	{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe	99
PID 2340 wrote to memory of 1632	2340	{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe	99
PID 2340 wrote to memory of 2720	2340	{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe	100
PID 2340 wrote to memory of 2720	2340	{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe	100
PID 2340 wrote to memory of 2720	2340	{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe	100
PID 1632 wrote to memory of 4480	1632	{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe	101
PID 1632 wrote to memory of 4480	1632	{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe	101
PID 1632 wrote to memory of 4480	1632	{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe	101
PID 1632 wrote to memory of 3648	1632	{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe	102
PID 1632 wrote to memory of 3648	1632	{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe	102
PID 1632 wrote to memory of 3648	1632	{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe	102
PID 4480 wrote to memory of 2212	4480	{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe	103
PID 4480 wrote to memory of 2212	4480	{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe	103
PID 4480 wrote to memory of 2212	4480	{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe	103
PID 4480 wrote to memory of 3724	4480	{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe	104
PID 4480 wrote to memory of 3724	4480	{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe	104
PID 4480 wrote to memory of 3724	4480	{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe	104
PID 2212 wrote to memory of 4960	2212	{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe	105
PID 2212 wrote to memory of 4960	2212	{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe	105
PID 2212 wrote to memory of 4960	2212	{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe	105
PID 2212 wrote to memory of 1884	2212	{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe	106
PID 2212 wrote to memory of 1884	2212	{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe	106
PID 2212 wrote to memory of 1884	2212	{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe	106
PID 4960 wrote to memory of 4888	4960	{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe	107
PID 4960 wrote to memory of 4888	4960	{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe	107
PID 4960 wrote to memory of 4888	4960	{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe	107
PID 4960 wrote to memory of 4896	4960	{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe	108
PID 4960 wrote to memory of 4896	4960	{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe	108
PID 4960 wrote to memory of 4896	4960	{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe	108

C:\Users\Admin\AppData\Local\Temp\b9de377523e8cfbc8010be41b02c17794ec55ac219e676780ae28e9ebac5ae97N.exe
"C:\Users\Admin\AppData\Local\Temp\b9de377523e8cfbc8010be41b02c17794ec55ac219e676780ae28e9ebac5ae97N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe
  C:\Windows\{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe
    C:\Windows\{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Windows\{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe
      C:\Windows\{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3128
    - - C:\Windows\{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe
        
        C:\Windows\{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Windows\{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe
        
        C:\Windows\{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe
        
        C:\Windows\{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe
        
        C:\Windows\{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe
        
        C:\Windows\{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\{C6A475D5-A92C-4131-A936-28184E36A954}.exe
        
        C:\Windows\{C6A475D5-A92C-4131-A936-28184E36A954}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D256E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2C71~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC1BF~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70F5B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FF29~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B47AD~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{46529~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{91DFE~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B9DE37~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{46529E54-B2F6-4446-BF5B-C441F35D2337}.exe

Filesize
89KB

MD5
60dbd2536838e60b11d201f23e3c53a5

SHA1
7309a7e7a1c5560a0b4064960424aa7e16c71edd

SHA256
90c7b9487769d0d9355258c95cf28bdaafa8a6a7f96de8feb5b831cd6620d408

SHA512
0c4cb61299a0e4983daf1ff41498e2e60570b4a7c0eaf03662dbbfeb10e3f788c3a90b29d9f3033136b76b648686208c5e3121ca1045524332a1c78a0295a414

Download Submit
C:\Windows\{5FF29127-3F45-4d22-9CA7-53B5047D1180}.exe

Filesize
89KB

MD5
e4b13204e1ee958da4155e7304b7ffd3

SHA1
199f4b7d54fd51ce2dc5a3e11f0353df8d63efdb

SHA256
2a5641ed3c67b6cd8b1f69ef3b575dbd557e02f1cfa7453ec2aacfdf49d0e111

SHA512
95728cf10869966c3eebc25222adb999328d10f2fb0f645cc423b06af5209c44ba5cec3a596bb56ef6d895cfef7be53392fc3de7d53e387d361c690919002845

Download Submit
C:\Windows\{70F5B9A8-79AE-4d89-A294-F11DF41BED51}.exe

Filesize
89KB

MD5
7664356008b34727fea4f4affbc5fdae

SHA1
f7dd101c1f35aa214e17902bd5981c1d5514f1f0

SHA256
b96df92962d686a3bade1e0221ab05ba5cbc629b749e8ab5cfafc678e1bb3b23

SHA512
a195e0ac23dc2c68bfd47163d6f841d5625e8e5a9595c404532f7f58ba4021c61fa333e4d5629c07c0ebc8ed059c302dce316ec4434ba6bb5c47f023fb8b6aaf

Download Submit
C:\Windows\{91DFE8FC-8D83-4f94-BA9A-42064FFA514A}.exe

Filesize
89KB

MD5
062afdc4b6bdd6a43541cce64430420e

SHA1
1fa1c1859dc11a149224c30b0c68193811b2e342

SHA256
3fe40aa10f281382489049b87f815d7906f5fd2786229050c175072555b1dd41

SHA512
86ab7bb94097eb48983591436b6b484bc82337d20cf8a596b79107001d1b8f023904965a46019aa7ac7f92a1e68f8e6eb7f654dae4427e5729b231c64135c441

Download Submit
C:\Windows\{B47AD306-404F-418a-8C5D-1D4EAD942AB3}.exe

Filesize
89KB

MD5
19a24be5f2615149da9fa799787b904f

SHA1
d50675be29fc3fe2a430916a19f4b3fe0af651fb

SHA256
49ffd2b39970f2332429464d689d7b8bf7646fc4e5fb5377ce95c46e4d761399

SHA512
09c5425148c1d9dbd1be229c39238b03a6c1ffd7da5fbce14f0019613b1d9e984908f3124fbeb7f558b564741914fda4bc3423e62340e34c2512aa1ea7f1105c

Download Submit
C:\Windows\{C6A475D5-A92C-4131-A936-28184E36A954}.exe

Filesize
89KB

MD5
a0fcd4e190db3e2ef8acf48d0224e29c

SHA1
fceb0114c4341ffacc1076a6a0aebe1f281e47c6

SHA256
10ecf44f6ee34b13d1be3d19c6600e8b48032c4d0827130a2d9bd29bdab799ce

SHA512
e9fb7fe17f7de2ce7aba5ce0359d085bbc221714c40fdd1f2cb611a36b605eefcabbbb979b0b4e63cf6e4cc5ac8a696c693acb3b5fa5a992ebd995152db92af0

Download Submit
C:\Windows\{D256E8CE-A64A-4e8b-8D3D-AA477AED9F87}.exe

Filesize
89KB

MD5
ee23ab1c8fa66538ccdef9a632bcbb8c

SHA1
805b2ad36fd26a12619ef6ac82d0eb51bfeb6ac6

SHA256
9dfe794f060e231d7c70be93f0d43b8738b4b7e453a89218829a545112bc334e

SHA512
afb1b3e845bcd768f0fcd603d9e63d174b805c386550e4c0a6887def272fb26cb0de29df0161ed05fb2ea66124b1bd4234e9f34f2d9168b9b3a7ca0eb3c3d697

Download Submit
C:\Windows\{D2C71EA6-B57C-4391-A59D-5A2AAF770985}.exe

Filesize
89KB

MD5
2a10d80f9c329890931bdb80f689fb07

SHA1
61293b46f374b5d3d8d9eb01a196c1eda395864e

SHA256
9e5b331f2b51a4b5699d0b836cd28b9c7787ab15c8303dc223127421a064dabe

SHA512
3c2d5aca5ed7c2e7f2ca36cd368cb091cb5738dab5cfec91350c3fa6744983ec48f2a0447bd4de76e1c1133ddcd6f0bc6c5f50d6ae92ce8f8c46fb32484f3643

Download Submit
C:\Windows\{FC1BF74D-4124-4c85-ACEE-27A0915124DD}.exe

Filesize
89KB

MD5
30c7ef1295b6b6e64afb3323482ce86f

SHA1
22104bebc4cccf38b6b5d1e4cd282020f0835f83

SHA256
40b2ef62adaa5e526c0e5cd38bb1fab0d07ae7e2a716225bc054a83d17fa9045

SHA512
50d9457649ecffc6f82c82cae3dc8424c24686176145ae7d95b5084892a91fe27194bdc3c8051fcb02baa2d6db00c31738b2270ea79db278c65e8c83f714d441

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads