2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe
Size

89KB
MD5

0f194255765a4bd1b96ce639a48aef20
SHA1

9e98c98677c17aea1b2d96e51ec43fd3b858d15f
SHA256

2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974
SHA512

bdb6c81d0baaab8af5f4354701f373b4672741af24b555b5c90d58e33f7abbeaec5664c5a33521bcac35a0dde56ced477437525265d5d997952e4a3220e4725f
SSDEEP

768:Qvw9816vhKQLro94/wQRNrfrunMxVFA3b7glL:YEGh0o9l2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74843526-6ADE-4e32-957C-3626EC2C7F7A}	{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74843526-6ADE-4e32-957C-3626EC2C7F7A}\stubpath = "C:\\Windows\\{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe"	{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20F53F01-98A0-4964-9934-2AEC957F6D72}\stubpath = "C:\\Windows\\{20F53F01-98A0-4964-9934-2AEC957F6D72}.exe"	{48851373-9161-4d26-916F-0DF2ADA44915}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}\stubpath = "C:\\Windows\\{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe"	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}	{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}	{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}\stubpath = "C:\\Windows\\{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe"	{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D747788-73E7-4194-96BE-ACE88B94D55E}\stubpath = "C:\\Windows\\{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe"	{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48851373-9161-4d26-916F-0DF2ADA44915}\stubpath = "C:\\Windows\\{48851373-9161-4d26-916F-0DF2ADA44915}.exe"	{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20F53F01-98A0-4964-9934-2AEC957F6D72}	{48851373-9161-4d26-916F-0DF2ADA44915}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}	{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}\stubpath = "C:\\Windows\\{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe"	{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}\stubpath = "C:\\Windows\\{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe"	{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}\stubpath = "C:\\Windows\\{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe"	{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}	{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D747788-73E7-4194-96BE-ACE88B94D55E}	{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48851373-9161-4d26-916F-0DF2ADA44915}	{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe

Deletes itself 1 IoCs

pid	Process
2200	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2852	{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe
2732	{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe
2716	{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe
2652	{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe
1672	{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe
2896	{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe
2560	{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe
2908	{48851373-9161-4d26-916F-0DF2ADA44915}.exe
1556	{20F53F01-98A0-4964-9934-2AEC957F6D72}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe	{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe
File created	C:\Windows\{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe	{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe
File created	C:\Windows\{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe	{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe
File created	C:\Windows\{48851373-9161-4d26-916F-0DF2ADA44915}.exe	{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe
File created	C:\Windows\{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe
File created	C:\Windows\{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe	{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe
File created	C:\Windows\{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe	{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe
File created	C:\Windows\{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe	{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe
File created	C:\Windows\{20F53F01-98A0-4964-9934-2AEC957F6D72}.exe	{48851373-9161-4d26-916F-0DF2ADA44915}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{48851373-9161-4d26-916F-0DF2ADA44915}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20F53F01-98A0-4964-9934-2AEC957F6D72}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2000	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe
Token: SeIncBasePriorityPrivilege	2852	{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe
Token: SeIncBasePriorityPrivilege	2732	{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe
Token: SeIncBasePriorityPrivilege	2716	{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe
Token: SeIncBasePriorityPrivilege	2652	{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe
Token: SeIncBasePriorityPrivilege	1672	{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe
Token: SeIncBasePriorityPrivilege	2896	{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe
Token: SeIncBasePriorityPrivilege	2560	{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe
Token: SeIncBasePriorityPrivilege	2908	{48851373-9161-4d26-916F-0DF2ADA44915}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2852	2000	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe	29
PID 2000 wrote to memory of 2852	2000	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe	29
PID 2000 wrote to memory of 2852	2000	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe	29
PID 2000 wrote to memory of 2852	2000	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe	29
PID 2000 wrote to memory of 2200	2000	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe	30
PID 2000 wrote to memory of 2200	2000	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe	30
PID 2000 wrote to memory of 2200	2000	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe	30
PID 2000 wrote to memory of 2200	2000	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe	30
PID 2852 wrote to memory of 2732	2852	{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe	31
PID 2852 wrote to memory of 2732	2852	{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe	31
PID 2852 wrote to memory of 2732	2852	{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe	31
PID 2852 wrote to memory of 2732	2852	{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe	31
PID 2852 wrote to memory of 2976	2852	{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe	32
PID 2852 wrote to memory of 2976	2852	{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe	32
PID 2852 wrote to memory of 2976	2852	{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe	32
PID 2852 wrote to memory of 2976	2852	{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe	32
PID 2732 wrote to memory of 2716	2732	{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe	33
PID 2732 wrote to memory of 2716	2732	{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe	33
PID 2732 wrote to memory of 2716	2732	{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe	33
PID 2732 wrote to memory of 2716	2732	{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe	33
PID 2732 wrote to memory of 2692	2732	{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe	34
PID 2732 wrote to memory of 2692	2732	{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe	34
PID 2732 wrote to memory of 2692	2732	{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe	34
PID 2732 wrote to memory of 2692	2732	{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe	34
PID 2716 wrote to memory of 2652	2716	{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe	35
PID 2716 wrote to memory of 2652	2716	{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe	35
PID 2716 wrote to memory of 2652	2716	{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe	35
PID 2716 wrote to memory of 2652	2716	{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe	35
PID 2716 wrote to memory of 3052	2716	{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe	36
PID 2716 wrote to memory of 3052	2716	{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe	36
PID 2716 wrote to memory of 3052	2716	{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe	36
PID 2716 wrote to memory of 3052	2716	{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe	36
PID 2652 wrote to memory of 1672	2652	{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe	37
PID 2652 wrote to memory of 1672	2652	{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe	37
PID 2652 wrote to memory of 1672	2652	{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe	37
PID 2652 wrote to memory of 1672	2652	{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe	37
PID 2652 wrote to memory of 1032	2652	{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe	38
PID 2652 wrote to memory of 1032	2652	{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe	38
PID 2652 wrote to memory of 1032	2652	{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe	38
PID 2652 wrote to memory of 1032	2652	{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe	38
PID 1672 wrote to memory of 2896	1672	{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe	39
PID 1672 wrote to memory of 2896	1672	{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe	39
PID 1672 wrote to memory of 2896	1672	{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe	39
PID 1672 wrote to memory of 2896	1672	{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe	39
PID 1672 wrote to memory of 1236	1672	{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe	40
PID 1672 wrote to memory of 1236	1672	{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe	40
PID 1672 wrote to memory of 1236	1672	{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe	40
PID 1672 wrote to memory of 1236	1672	{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe	40
PID 2896 wrote to memory of 2560	2896	{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe	41
PID 2896 wrote to memory of 2560	2896	{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe	41
PID 2896 wrote to memory of 2560	2896	{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe	41
PID 2896 wrote to memory of 2560	2896	{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe	41
PID 2896 wrote to memory of 2668	2896	{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe	42
PID 2896 wrote to memory of 2668	2896	{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe	42
PID 2896 wrote to memory of 2668	2896	{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe	42
PID 2896 wrote to memory of 2668	2896	{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe	42
PID 2560 wrote to memory of 2908	2560	{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe	43
PID 2560 wrote to memory of 2908	2560	{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe	43
PID 2560 wrote to memory of 2908	2560	{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe	43
PID 2560 wrote to memory of 2908	2560	{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe	43
PID 2560 wrote to memory of 1780	2560	{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe	44
PID 2560 wrote to memory of 1780	2560	{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe	44
PID 2560 wrote to memory of 1780	2560	{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe	44
PID 2560 wrote to memory of 1780	2560	{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe	44

C:\Users\Admin\AppData\Local\Temp\2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe
"C:\Users\Admin\AppData\Local\Temp\2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe
  C:\Windows\{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe
    C:\Windows\{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe
      C:\Windows\{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe
        
        C:\Windows\{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe
        
        C:\Windows\{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe
        
        C:\Windows\{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe
        
        C:\Windows\{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\{48851373-9161-4d26-916F-0DF2ADA44915}.exe
        
        C:\Windows\{48851373-9161-4d26-916F-0DF2ADA44915}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\{20F53F01-98A0-4964-9934-2AEC957F6D72}.exe
        
        C:\Windows\{20F53F01-98A0-4964-9934-2AEC957F6D72}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48851~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D747~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74843~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{186B8~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EC5D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF2BC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4CBB1~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CAFB3~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2CC1B9~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{186B82E3-10E3-46cb-8ED4-2BEEB36C1F77}.exe

Filesize
89KB

MD5
944fc528b6dcca86741c316d4b4160a8

SHA1
396a554be4fe693fe6f8887a90ca0475edf099f1

SHA256
cd5fba5f1d56effc6f5f0ea78b1117e66b7a37d59d958e86a0d38d2256956c4f

SHA512
e715708f21bc9c1f1260d315a6c96828cc4930dcaceeebfa485a0eba4a49a41f3113a7937f0a720d8f0fd631295d5c55327627c689abe8d439c775c187e8e09e

Download Submit
C:\Windows\{20F53F01-98A0-4964-9934-2AEC957F6D72}.exe

Filesize
89KB

MD5
214e7523e4705e05a8d3c322021d7a6c

SHA1
e6a0e2300c04d8eabef207595df8c64f80131602

SHA256
51b43846a732d57afd4668c9074b8e3e75e2358806a21cc6851fb7dd313ef970

SHA512
1fb2b91dfaaba94bbe8edb2801b08bf4615988930ce95a5bb272f724a1aeed168861c7344eb4a8b06c54c54a1f2ff352b2062fec9f6fd4e1005da0a9489cf63c

Download Submit
C:\Windows\{2D747788-73E7-4194-96BE-ACE88B94D55E}.exe

Filesize
89KB

MD5
a891f3113e60998a139b795809742722

SHA1
22771a113ae199fa9d15553c2f1efa3d8103a24d

SHA256
84e61512c56c4f817bdd7c03e327bacc0ad0def8682a0e6561c03222c3fcf792

SHA512
c33bebb3f9c2e71b57939371bf393fd43b5e285713397cc0e43712fd32bef61146b226e1bf89c5289ac700db1234664b16d3ce04c13a805186a12c2ee5da18e8

Download Submit
C:\Windows\{48851373-9161-4d26-916F-0DF2ADA44915}.exe

Filesize
89KB

MD5
4d9a4323596ba8322c491840d2cdd4fd

SHA1
7979b571513a0ee5bebf5f3b6364e103350e60f9

SHA256
ee022042baf91dd93d099e3f9c0fd163e526546d569d64915e771643eb5147c2

SHA512
7e364067f3053f7be6a3df67c02231f268d1df8007c3ada6c4b60511e81a296b8fe5242ee629d7c8d52912151998d6e3a1d697b90b55b90585360c380d546e77

Download Submit
C:\Windows\{4CBB1CD2-EA27-4e8a-B1D9-C9AF01AE4828}.exe

Filesize
89KB

MD5
c8278feec2df4a01261037444d45b6c1

SHA1
8a1bfd9641086de03851f6a33c4ab0aa3eaef24d

SHA256
8541be8d376ecb77e904ae3ef2e01d2a47a23ae241451d25733df94989fc9559

SHA512
663bd7ca4a6f48a336d7f786f3af8b304ea5f4d925b3626a0acb491c900f1e421e8ac8a03c732877398a61402f3b470981eacec85963c950cc1a3262d400e826

Download Submit
C:\Windows\{74843526-6ADE-4e32-957C-3626EC2C7F7A}.exe

Filesize
89KB

MD5
5a57414152e4f82fb59a18fba11c46d9

SHA1
613d8b5c858319c471306c6d99fc14483a4216df

SHA256
d9e18d6a42d7097c889cdea7b8257b8570282998695e4cf051852866e2a59cde

SHA512
972e211a8c434a4a472f93ccd7c2b74d46ef030327fcde29d44db5ff665630709a1def1dd5d0bdf67307869c29ce2da46e240c10394174f3fda340b3671a97f2

Download Submit
C:\Windows\{8EC5D18A-B7F3-4378-BF20-068ECD5E2504}.exe

Filesize
89KB

MD5
e21660a910866e057404cbf0851c4579

SHA1
671aba554e28c79befd217d26d7a57606f282f10

SHA256
5e006f8dc343ae4efd3efec90f028be15624d25380696516346737a4d95461bf

SHA512
4260d3f8724bcfdf3ea8758565161dcc04b60ce177e5d0e4e355a209659b1d1af3091ec24aa12d04dbfd2acc3bdf416c18906e84d8e11b98cb2b4d8b51d7fd4a

Download Submit
C:\Windows\{CAFB3E6E-F6F1-4be6-B4E9-AF0C25B4B97F}.exe

Filesize
89KB

MD5
4785a511c5fcf115718f7e7e41f17453

SHA1
ce13d89b81147c8e32ab737db8be64b4d666aeb2

SHA256
23fb239b86ea4f538c9551b4865728cc48cd8fce11b3ef34c3a429f16639313d

SHA512
83d5ecae8227b8cfa313a64939fd1c7ac654e838fa7d78c932ab44503acdf33c3642a900c00dc9a8782963931773faeba67f26ffb64a0b0b30c24c189b0778a6

Download Submit
C:\Windows\{EF2BC2DB-35B8-4edc-A080-ACF0FA13F4A9}.exe

Filesize
89KB

MD5
c9cf3687243a34d06b4e577da2d2a595

SHA1
7ef160cc4fb9a228ea7f09523a1e95c3f3cc62c2

SHA256
33b66f4dc992915bbeb99065f5eb2e3d79c24b5b30a517518a095b9c33fa1e4e

SHA512
add2f566a04b727f685a7235a9716377b4f30442820ddb88005afc7992b45bed95f7a4b242be62bfde2f8445d907298aec0feba28f24646b5aa682a9797ebb79

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads