2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974

Analysis

max time kernel
118s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe
Size

89KB
MD5

0f194255765a4bd1b96ce639a48aef20
SHA1

9e98c98677c17aea1b2d96e51ec43fd3b858d15f
SHA256

2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974
SHA512

bdb6c81d0baaab8af5f4354701f373b4672741af24b555b5c90d58e33f7abbeaec5664c5a33521bcac35a0dde56ced477437525265d5d997952e4a3220e4725f
SSDEEP

768:Qvw9816vhKQLro94/wQRNrfrunMxVFA3b7glL:YEGh0o9l2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}\stubpath = "C:\\Windows\\{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe"	{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}	{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08E39AB7-A9BF-4e36-9AA7-8187139BF136}	{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0619E05-AE71-4a20-8832-D2E5924BF28B}	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0619E05-AE71-4a20-8832-D2E5924BF28B}\stubpath = "C:\\Windows\\{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe"	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39854A1A-9A84-4973-9317-508A19BD03AB}	{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39854A1A-9A84-4973-9317-508A19BD03AB}\stubpath = "C:\\Windows\\{39854A1A-9A84-4973-9317-508A19BD03AB}.exe"	{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}	{39854A1A-9A84-4973-9317-508A19BD03AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0348EC93-93CE-4fa0-A3B1-4DEA547954C4}	{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0348EC93-93CE-4fa0-A3B1-4DEA547954C4}\stubpath = "C:\\Windows\\{0348EC93-93CE-4fa0-A3B1-4DEA547954C4}.exe"	{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}\stubpath = "C:\\Windows\\{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe"	{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E49CD52-4A10-4048-ADA4-E089F845A8F4}\stubpath = "C:\\Windows\\{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe"	{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}\stubpath = "C:\\Windows\\{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe"	{39854A1A-9A84-4973-9317-508A19BD03AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}\stubpath = "C:\\Windows\\{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe"	{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}	{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}	{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E49CD52-4A10-4048-ADA4-E089F845A8F4}	{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08E39AB7-A9BF-4e36-9AA7-8187139BF136}\stubpath = "C:\\Windows\\{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe"	{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe

Executes dropped EXE 9 IoCs

pid	Process
1472	{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe
3700	{39854A1A-9A84-4973-9317-508A19BD03AB}.exe
5092	{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe
1168	{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe
3532	{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe
2612	{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe
3556	{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe
2860	{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe
4964	{0348EC93-93CE-4fa0-A3B1-4DEA547954C4}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe	{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe
File created	C:\Windows\{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe	{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe
File created	C:\Windows\{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe	{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe
File created	C:\Windows\{0348EC93-93CE-4fa0-A3B1-4DEA547954C4}.exe	{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe
File created	C:\Windows\{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe
File created	C:\Windows\{39854A1A-9A84-4973-9317-508A19BD03AB}.exe	{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe
File created	C:\Windows\{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe	{39854A1A-9A84-4973-9317-508A19BD03AB}.exe
File created	C:\Windows\{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe	{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe
File created	C:\Windows\{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe	{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0348EC93-93CE-4fa0-A3B1-4DEA547954C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{39854A1A-9A84-4973-9317-508A19BD03AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3292	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe
Token: SeIncBasePriorityPrivilege	1472	{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe
Token: SeIncBasePriorityPrivilege	3700	{39854A1A-9A84-4973-9317-508A19BD03AB}.exe
Token: SeIncBasePriorityPrivilege	5092	{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe
Token: SeIncBasePriorityPrivilege	1168	{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe
Token: SeIncBasePriorityPrivilege	3532	{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe
Token: SeIncBasePriorityPrivilege	2612	{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe
Token: SeIncBasePriorityPrivilege	3556	{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe
Token: SeIncBasePriorityPrivilege	2860	{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 1472	3292	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe	82
PID 3292 wrote to memory of 1472	3292	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe	82
PID 3292 wrote to memory of 1472	3292	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe	82
PID 3292 wrote to memory of 2400	3292	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe	83
PID 3292 wrote to memory of 2400	3292	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe	83
PID 3292 wrote to memory of 2400	3292	2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe	83
PID 1472 wrote to memory of 3700	1472	{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe	84
PID 1472 wrote to memory of 3700	1472	{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe	84
PID 1472 wrote to memory of 3700	1472	{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe	84
PID 1472 wrote to memory of 4920	1472	{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe	85
PID 1472 wrote to memory of 4920	1472	{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe	85
PID 1472 wrote to memory of 4920	1472	{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe	85
PID 3700 wrote to memory of 5092	3700	{39854A1A-9A84-4973-9317-508A19BD03AB}.exe	91
PID 3700 wrote to memory of 5092	3700	{39854A1A-9A84-4973-9317-508A19BD03AB}.exe	91
PID 3700 wrote to memory of 5092	3700	{39854A1A-9A84-4973-9317-508A19BD03AB}.exe	91
PID 3700 wrote to memory of 4528	3700	{39854A1A-9A84-4973-9317-508A19BD03AB}.exe	92
PID 3700 wrote to memory of 4528	3700	{39854A1A-9A84-4973-9317-508A19BD03AB}.exe	92
PID 3700 wrote to memory of 4528	3700	{39854A1A-9A84-4973-9317-508A19BD03AB}.exe	92
PID 5092 wrote to memory of 1168	5092	{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe	96
PID 5092 wrote to memory of 1168	5092	{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe	96
PID 5092 wrote to memory of 1168	5092	{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe	96
PID 5092 wrote to memory of 4324	5092	{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe	97
PID 5092 wrote to memory of 4324	5092	{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe	97
PID 5092 wrote to memory of 4324	5092	{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe	97
PID 1168 wrote to memory of 3532	1168	{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe	98
PID 1168 wrote to memory of 3532	1168	{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe	98
PID 1168 wrote to memory of 3532	1168	{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe	98
PID 1168 wrote to memory of 3560	1168	{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe	99
PID 1168 wrote to memory of 3560	1168	{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe	99
PID 1168 wrote to memory of 3560	1168	{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe	99
PID 3532 wrote to memory of 2612	3532	{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe	100
PID 3532 wrote to memory of 2612	3532	{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe	100
PID 3532 wrote to memory of 2612	3532	{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe	100
PID 3532 wrote to memory of 4684	3532	{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe	101
PID 3532 wrote to memory of 4684	3532	{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe	101
PID 3532 wrote to memory of 4684	3532	{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe	101
PID 2612 wrote to memory of 3556	2612	{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe	102
PID 2612 wrote to memory of 3556	2612	{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe	102
PID 2612 wrote to memory of 3556	2612	{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe	102
PID 2612 wrote to memory of 4484	2612	{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe	103
PID 2612 wrote to memory of 4484	2612	{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe	103
PID 2612 wrote to memory of 4484	2612	{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe	103
PID 3556 wrote to memory of 2860	3556	{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe	104
PID 3556 wrote to memory of 2860	3556	{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe	104
PID 3556 wrote to memory of 2860	3556	{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe	104
PID 3556 wrote to memory of 2932	3556	{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe	105
PID 3556 wrote to memory of 2932	3556	{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe	105
PID 3556 wrote to memory of 2932	3556	{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe	105
PID 2860 wrote to memory of 4964	2860	{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe	106
PID 2860 wrote to memory of 4964	2860	{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe	106
PID 2860 wrote to memory of 4964	2860	{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe	106
PID 2860 wrote to memory of 2608	2860	{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe	107
PID 2860 wrote to memory of 2608	2860	{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe	107
PID 2860 wrote to memory of 2608	2860	{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe	107

C:\Users\Admin\AppData\Local\Temp\2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe
"C:\Users\Admin\AppData\Local\Temp\2cc1b9019dcca3b7cc47209a3d3fbc024354e9c955318c753d97c5a1a5685974N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe
  C:\Windows\{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\{39854A1A-9A84-4973-9317-508A19BD03AB}.exe
    C:\Windows\{39854A1A-9A84-4973-9317-508A19BD03AB}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe
      C:\Windows\{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe
        
        C:\Windows\{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Windows\{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe
        
        C:\Windows\{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe
        
        C:\Windows\{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe
        
        C:\Windows\{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe
        
        C:\Windows\{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{0348EC93-93CE-4fa0-A3B1-4DEA547954C4}.exe
        
        C:\Windows\{0348EC93-93CE-4fa0-A3B1-4DEA547954C4}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08E39~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E49C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86FA5~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD9CC~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73B5C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{380AC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{39854~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F0619~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2CC1B9~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0348EC93-93CE-4fa0-A3B1-4DEA547954C4}.exe

Filesize
89KB

MD5
d55c28f3f254ca377d685a7693aa1c22

SHA1
8d7582960c6b91faafb0ef2db7a8e4c97d845a52

SHA256
048a575613b6164c55ef2f1dce445c5150bcdd0b9fc9e54643f756e6b854e4df

SHA512
704061aa36c2dc3439caa0fa59427c23a7f0ab08677df600a8c5e9161c5819483232607a33015b9401a04d2b01b5f881722779b0ce6f041ca80427a0600c0992

Download Submit
C:\Windows\{08E39AB7-A9BF-4e36-9AA7-8187139BF136}.exe

Filesize
89KB

MD5
d815eae7097bdb40186c3f2e96a64176

SHA1
9ffc29dd7d86f22cf7fc3ede7895ebbf0f164667

SHA256
f22b1abd98f172205f0eed5368c935b212b34ace113f833bea6a9b9eaf174331

SHA512
4563f7d76fadde98b0af2eded139b124e668dd17b865fdf1e0afcd3fbbfadbddfdb0ffdd02ded471727527c25ae101970256bf3602884d77adeb18b6da973276

Download Submit
C:\Windows\{380AC47F-E57A-4bcb-AF54-B1450A5DCFC3}.exe

Filesize
89KB

MD5
f3c4c8597cb3ee99fcd3b2d4d5063d08

SHA1
608fc444bfa3bacdb0ef02cb2ce75d53852cf63d

SHA256
14c4b3930027bbc0abd1355b674f6731013c15bc713bd86c504679b66f4925c9

SHA512
368aa0c506e51f75a7077ba625fc34ad2b7fb98e9fcc1797d9955238215d0c8e17c149b0faced576184777a2263a4b726485297a36a78e8b34ee02ffe75fa597

Download Submit
C:\Windows\{39854A1A-9A84-4973-9317-508A19BD03AB}.exe

Filesize
89KB

MD5
e1345c891701f286292630fd87f0b24b

SHA1
3a14116a38292cb35ceeb6c978e73559a1894045

SHA256
d8bce722775914d015f1fcfee29c38a3b7d9715977d7a89f6830b3e62f340593

SHA512
40193cfcd9cb570789fdd49b42fd138c122c62504c5ee0e0634ffa2fd705d61e7a7a10ad6e29a4d7bf3f28de8018b7bfcc42d88acb07bd0fa0113a7439bb3a77

Download Submit
C:\Windows\{73B5C5E7-D37B-46b3-B7AD-CDA17F4CD987}.exe

Filesize
89KB

MD5
23b5c2f7d396ae6a58af7133f1635411

SHA1
02dd35a209890d55fb19116471143d7b7fb2257c

SHA256
65694ff6f2befcf3f08047898667b050a94bd91293de198135923595a5b36b54

SHA512
2e02cfaaefb2543d9f6f1e24bf8d5dd8187c50fc540b885e564b6ae9e30d4f7b3ce07ee6ef94aecc40b62c2ada852ced49b50b2fef02dbbc4126be190d007a18

Download Submit
C:\Windows\{7E49CD52-4A10-4048-ADA4-E089F845A8F4}.exe

Filesize
89KB

MD5
aadf99b24f314b9102cdc974cdcc2c39

SHA1
3341bb26d0a42f269deb0e3d4806e8c972e6ec7a

SHA256
ea995ddbb46a3941943f56fd5466aa35ad44726af8574864f65cad395de7a2f8

SHA512
2cd6a13084fc72b7f4e6f3efc07296e5d50dbe5f69275696ef0a7889e1c24740c85a0f44820da0160de38237187eb472bcda550712a7f70983362f182ab11f23

Download Submit
C:\Windows\{86FA5B09-54F6-40e6-82E7-6FC66F46DBFE}.exe

Filesize
89KB

MD5
0ad1b79c1f175cb71d5bde4ce8fffb3e

SHA1
53e70aed2636e6acf33b5a72b863c2ce167c6653

SHA256
2b9f801053c4293e4d1e3542c08a01fc3f00538690eb1abbb945523f11fc1a7e

SHA512
60afa08658b6d47227ce553562fe2d4b2ba6a3743256eb766698a9b40fdd3be5fe5028865e1dabb2bf01052b981c9ec7710d02d0ecb9d5327ed2379a3be6b8a1

Download Submit
C:\Windows\{CD9CC3EF-21DB-4c65-A9F9-3FE6B4DA5013}.exe

Filesize
89KB

MD5
ee2c7f7bd0190f5e0e8d624f3db219bd

SHA1
0ecbb683ffa9def613768c85d3f80fd827ae7a8a

SHA256
04f8c6adc4817a6ad150cffcef54d91774f854fdee9ff16d1869cd13798ec210

SHA512
6fcc370b492c16f392c29273fc20378e8d05677e2d031382bcf4fae4cae18df68fdc301dc84309ecfa3c87757e3cbed6115e337e13cc17f961a197fe1d178633

Download Submit
C:\Windows\{F0619E05-AE71-4a20-8832-D2E5924BF28B}.exe

Filesize
89KB

MD5
04a4c534551113c9921881006f8e61fb

SHA1
f96a4934d772f135430df5845415c01220796406

SHA256
d289a26980012f1851f941159fe67bdeb6983e99ff749a61fa7b84e642a1549b

SHA512
4c378a63dd59406729a8f51027f2bd9a0afacd038c101d28950264809ba486b2a6d44c1f57aa423a1ccf21826148cff1e7cb8d067cbc3b8cb67111cd605cdfc9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads