b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 15:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280N.exe
Size

89KB
MD5

cb20fd36854fb3b55236f491a93fad80
SHA1

c0e5baacef3293e5f2b7ff441e4400d67d4cd7bf
SHA256

b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280
SHA512

7a4ed292b95a7f2c1fe505a34e1b18be7567dcb8cdc135ac0343993ba581dc6fe3d6eef8528e8d09b4b2c314b8e6eeed4f9da532cb680e370ecbf75758e7d2ed
SSDEEP

768:Qvw9816vhKQLroi4/wQRNrfrunMxVFA3b7gl5:YEGh0oil2unMxVS3HgX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06F07C89-4108-4ce0-9B07-5A24D644F766}	b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06F07C89-4108-4ce0-9B07-5A24D644F766}\stubpath = "C:\\Windows\\{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe"	b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D84DB2E-61EE-4315-8B23-969BD68610FD}	{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D84DB2E-61EE-4315-8B23-969BD68610FD}\stubpath = "C:\\Windows\\{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe"	{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{968B4732-4C83-408b-B73F-E12226997151}\stubpath = "C:\\Windows\\{968B4732-4C83-408b-B73F-E12226997151}.exe"	{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68B0C347-656A-43cb-B6B1-B63A68324769}	{968B4732-4C83-408b-B73F-E12226997151}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{905898DF-F4C0-4b04-8503-392D172806A0}	{68B0C347-656A-43cb-B6B1-B63A68324769}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{968B4732-4C83-408b-B73F-E12226997151}	{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{905898DF-F4C0-4b04-8503-392D172806A0}\stubpath = "C:\\Windows\\{905898DF-F4C0-4b04-8503-392D172806A0}.exe"	{68B0C347-656A-43cb-B6B1-B63A68324769}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2F47826-1F02-4032-8B90-4871F3561734}	{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E630043-8330-46c1-80B1-748E66E55D51}	{B2F47826-1F02-4032-8B90-4871F3561734}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E630043-8330-46c1-80B1-748E66E55D51}\stubpath = "C:\\Windows\\{4E630043-8330-46c1-80B1-748E66E55D51}.exe"	{B2F47826-1F02-4032-8B90-4871F3561734}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68B0C347-656A-43cb-B6B1-B63A68324769}\stubpath = "C:\\Windows\\{68B0C347-656A-43cb-B6B1-B63A68324769}.exe"	{968B4732-4C83-408b-B73F-E12226997151}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA3E417D-7862-4ef2-88E7-7A90A958DC58}	{905898DF-F4C0-4b04-8503-392D172806A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2F47826-1F02-4032-8B90-4871F3561734}\stubpath = "C:\\Windows\\{B2F47826-1F02-4032-8B90-4871F3561734}.exe"	{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}	{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}\stubpath = "C:\\Windows\\{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe"	{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA3E417D-7862-4ef2-88E7-7A90A958DC58}\stubpath = "C:\\Windows\\{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe"	{905898DF-F4C0-4b04-8503-392D172806A0}.exe

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2784	{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe
2592	{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe
2576	{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe
1928	{968B4732-4C83-408b-B73F-E12226997151}.exe
1040	{68B0C347-656A-43cb-B6B1-B63A68324769}.exe
1952	{905898DF-F4C0-4b04-8503-392D172806A0}.exe
2828	{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe
2348	{B2F47826-1F02-4032-8B90-4871F3561734}.exe
588	{4E630043-8330-46c1-80B1-748E66E55D51}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{68B0C347-656A-43cb-B6B1-B63A68324769}.exe	{968B4732-4C83-408b-B73F-E12226997151}.exe
File created	C:\Windows\{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe	{905898DF-F4C0-4b04-8503-392D172806A0}.exe
File created	C:\Windows\{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe	{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe
File created	C:\Windows\{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe	{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe
File created	C:\Windows\{968B4732-4C83-408b-B73F-E12226997151}.exe	{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe
File created	C:\Windows\{4E630043-8330-46c1-80B1-748E66E55D51}.exe	{B2F47826-1F02-4032-8B90-4871F3561734}.exe
File created	C:\Windows\{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe	b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280N.exe
File created	C:\Windows\{905898DF-F4C0-4b04-8503-392D172806A0}.exe	{68B0C347-656A-43cb-B6B1-B63A68324769}.exe
File created	C:\Windows\{B2F47826-1F02-4032-8B90-4871F3561734}.exe	{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{905898DF-F4C0-4b04-8503-392D172806A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E630043-8330-46c1-80B1-748E66E55D51}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{968B4732-4C83-408b-B73F-E12226997151}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{68B0C347-656A-43cb-B6B1-B63A68324769}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B2F47826-1F02-4032-8B90-4871F3561734}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3024	b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280N.exe
Token: SeIncBasePriorityPrivilege	2784	{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe
Token: SeIncBasePriorityPrivilege	2592	{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe
Token: SeIncBasePriorityPrivilege	2576	{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe
Token: SeIncBasePriorityPrivilege	1928	{968B4732-4C83-408b-B73F-E12226997151}.exe
Token: SeIncBasePriorityPrivilege	1040	{68B0C347-656A-43cb-B6B1-B63A68324769}.exe
Token: SeIncBasePriorityPrivilege	1952	{905898DF-F4C0-4b04-8503-392D172806A0}.exe
Token: SeIncBasePriorityPrivilege	2828	{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe
Token: SeIncBasePriorityPrivilege	2348	{B2F47826-1F02-4032-8B90-4871F3561734}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2784	3024	b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280N.exe	30
PID 3024 wrote to memory of 2784	3024	b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280N.exe	30
PID 3024 wrote to memory of 2784	3024	b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280N.exe	30
PID 3024 wrote to memory of 2784	3024	b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280N.exe	30
PID 3024 wrote to memory of 2660	3024	b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280N.exe	31
PID 3024 wrote to memory of 2660	3024	b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280N.exe	31
PID 3024 wrote to memory of 2660	3024	b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280N.exe	31
PID 3024 wrote to memory of 2660	3024	b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280N.exe	31
PID 2784 wrote to memory of 2592	2784	{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe	32
PID 2784 wrote to memory of 2592	2784	{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe	32
PID 2784 wrote to memory of 2592	2784	{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe	32
PID 2784 wrote to memory of 2592	2784	{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe	32
PID 2784 wrote to memory of 2768	2784	{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe	33
PID 2784 wrote to memory of 2768	2784	{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe	33
PID 2784 wrote to memory of 2768	2784	{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe	33
PID 2784 wrote to memory of 2768	2784	{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe	33
PID 2592 wrote to memory of 2576	2592	{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe	34
PID 2592 wrote to memory of 2576	2592	{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe	34
PID 2592 wrote to memory of 2576	2592	{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe	34
PID 2592 wrote to memory of 2576	2592	{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe	34
PID 2592 wrote to memory of 2632	2592	{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe	35
PID 2592 wrote to memory of 2632	2592	{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe	35
PID 2592 wrote to memory of 2632	2592	{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe	35
PID 2592 wrote to memory of 2632	2592	{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe	35
PID 2576 wrote to memory of 1928	2576	{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe	36
PID 2576 wrote to memory of 1928	2576	{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe	36
PID 2576 wrote to memory of 1928	2576	{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe	36
PID 2576 wrote to memory of 1928	2576	{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe	36
PID 2576 wrote to memory of 2872	2576	{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe	37
PID 2576 wrote to memory of 2872	2576	{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe	37
PID 2576 wrote to memory of 2872	2576	{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe	37
PID 2576 wrote to memory of 2872	2576	{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe	37
PID 1928 wrote to memory of 1040	1928	{968B4732-4C83-408b-B73F-E12226997151}.exe	38
PID 1928 wrote to memory of 1040	1928	{968B4732-4C83-408b-B73F-E12226997151}.exe	38
PID 1928 wrote to memory of 1040	1928	{968B4732-4C83-408b-B73F-E12226997151}.exe	38
PID 1928 wrote to memory of 1040	1928	{968B4732-4C83-408b-B73F-E12226997151}.exe	38
PID 1928 wrote to memory of 2084	1928	{968B4732-4C83-408b-B73F-E12226997151}.exe	39
PID 1928 wrote to memory of 2084	1928	{968B4732-4C83-408b-B73F-E12226997151}.exe	39
PID 1928 wrote to memory of 2084	1928	{968B4732-4C83-408b-B73F-E12226997151}.exe	39
PID 1928 wrote to memory of 2084	1928	{968B4732-4C83-408b-B73F-E12226997151}.exe	39
PID 1040 wrote to memory of 1952	1040	{68B0C347-656A-43cb-B6B1-B63A68324769}.exe	40
PID 1040 wrote to memory of 1952	1040	{68B0C347-656A-43cb-B6B1-B63A68324769}.exe	40
PID 1040 wrote to memory of 1952	1040	{68B0C347-656A-43cb-B6B1-B63A68324769}.exe	40
PID 1040 wrote to memory of 1952	1040	{68B0C347-656A-43cb-B6B1-B63A68324769}.exe	40
PID 1040 wrote to memory of 1432	1040	{68B0C347-656A-43cb-B6B1-B63A68324769}.exe	41
PID 1040 wrote to memory of 1432	1040	{68B0C347-656A-43cb-B6B1-B63A68324769}.exe	41
PID 1040 wrote to memory of 1432	1040	{68B0C347-656A-43cb-B6B1-B63A68324769}.exe	41
PID 1040 wrote to memory of 1432	1040	{68B0C347-656A-43cb-B6B1-B63A68324769}.exe	41
PID 1952 wrote to memory of 2828	1952	{905898DF-F4C0-4b04-8503-392D172806A0}.exe	42
PID 1952 wrote to memory of 2828	1952	{905898DF-F4C0-4b04-8503-392D172806A0}.exe	42
PID 1952 wrote to memory of 2828	1952	{905898DF-F4C0-4b04-8503-392D172806A0}.exe	42
PID 1952 wrote to memory of 2828	1952	{905898DF-F4C0-4b04-8503-392D172806A0}.exe	42
PID 1952 wrote to memory of 2196	1952	{905898DF-F4C0-4b04-8503-392D172806A0}.exe	43
PID 1952 wrote to memory of 2196	1952	{905898DF-F4C0-4b04-8503-392D172806A0}.exe	43
PID 1952 wrote to memory of 2196	1952	{905898DF-F4C0-4b04-8503-392D172806A0}.exe	43
PID 1952 wrote to memory of 2196	1952	{905898DF-F4C0-4b04-8503-392D172806A0}.exe	43
PID 2828 wrote to memory of 2348	2828	{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe	44
PID 2828 wrote to memory of 2348	2828	{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe	44
PID 2828 wrote to memory of 2348	2828	{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe	44
PID 2828 wrote to memory of 2348	2828	{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe	44
PID 2828 wrote to memory of 2344	2828	{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe	45
PID 2828 wrote to memory of 2344	2828	{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe	45
PID 2828 wrote to memory of 2344	2828	{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe	45
PID 2828 wrote to memory of 2344	2828	{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe	45

C:\Users\Admin\AppData\Local\Temp\b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280N.exe
"C:\Users\Admin\AppData\Local\Temp\b58128d7d7f039dc573c1eac487383c02fd29738cdde29523c96b1b7d7496280N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe
  C:\Windows\{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe
    C:\Windows\{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe
      C:\Windows\{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\{968B4732-4C83-408b-B73F-E12226997151}.exe
        
        C:\Windows\{968B4732-4C83-408b-B73F-E12226997151}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\{68B0C347-656A-43cb-B6B1-B63A68324769}.exe
        
        C:\Windows\{68B0C347-656A-43cb-B6B1-B63A68324769}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\{905898DF-F4C0-4b04-8503-392D172806A0}.exe
        
        C:\Windows\{905898DF-F4C0-4b04-8503-392D172806A0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe
        
        C:\Windows\{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{B2F47826-1F02-4032-8B90-4871F3561734}.exe
        
        C:\Windows\{B2F47826-1F02-4032-8B90-4871F3561734}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\{4E630043-8330-46c1-80B1-748E66E55D51}.exe
        
        C:\Windows\{4E630043-8330-46c1-80B1-748E66E55D51}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2F47~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA3E4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90589~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68B0C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1432
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{968B4~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D84D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F7D59~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{06F07~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B58128~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06F07C89-4108-4ce0-9B07-5A24D644F766}.exe

Filesize
89KB

MD5
74dda867065e3706c2153d90ead15a09

SHA1
45efd8a9a307bb5a23973b74b01eebf6f1e4829d

SHA256
b9b52b71aafecaa592d2ac9cfe9bcce4283bd972489f6135197133bcec2863ab

SHA512
e9f046e9309d527dde84c69b0ec1cebbbd0184e9eafb03b3cffc8a810c0fc5f330fecc532cbd947806549b743914922f893c29c2899f890fb465e74a1a94922a

Download Submit
C:\Windows\{3D84DB2E-61EE-4315-8B23-969BD68610FD}.exe

Filesize
89KB

MD5
89bd7b4571f29f43c43c3ce6e42161a3

SHA1
1de270539acf8c9e3caa52fc13524a68697ab4fe

SHA256
0c7d8d43e9d94c558a960aa97b188db2b1715428bb4d8b351322e1bd35009b0e

SHA512
02658b8421d0626a2c2a77f0f916e728c0adcb7a33544f7775eb174328cb8810160059b7563be5fd0a942a649a59804f99982d50084b3c70a34fa7d573f4cfc8

Download Submit
C:\Windows\{4E630043-8330-46c1-80B1-748E66E55D51}.exe

Filesize
89KB

MD5
08a37cff7ec0e209ccc563e5badbea36

SHA1
4328bc60e80d737ecf054196ec06ddc3aa8e208f

SHA256
db7fed11188d4f58d79256badd594f25a3e8ce46c394686123fcbf4fad0dac44

SHA512
5a93bf686c2278717e456cfedbc7ce9a3c4a977e29ef423027bef50867828b6eb525639bb21c7bb3c01534750453082151510e460538ef4c6226bdb2cbe30724

Download Submit
C:\Windows\{68B0C347-656A-43cb-B6B1-B63A68324769}.exe

Filesize
89KB

MD5
f6378f2377a8577559900a02d8042135

SHA1
468b6194eeb2aee0d7c70638efa252c98b1941bd

SHA256
7c0056a1116435bd66244f0efdd4facea64ab2430a8c79d7b3226a386208d52c

SHA512
727f52bb4606ed7ae67b65c7334f8cf921f6f443376f465880414c0ff484f2b09e6f1694f46787edcc7df035d61c9f4329d3301dd3f77cd994e8611959b88f6c

Download Submit
C:\Windows\{905898DF-F4C0-4b04-8503-392D172806A0}.exe

Filesize
89KB

MD5
564b9a602af855139eeb7a2da96c7802

SHA1
39993fc314b49ea03864e8e6cf54e12852a59ae6

SHA256
c44060988abf07cff31d27ac57dd8b7dd19ef078df7255b27fdb0cdfbe8ffc1b

SHA512
3809ddc4fc2427fff205394583c6c1785feec225ab5e345d2b058ee46a2bc5614db4d74a70002743f3504bd577c2f15104d8424ad4ac4aac8a341ac93c08b6fd

Download Submit
C:\Windows\{968B4732-4C83-408b-B73F-E12226997151}.exe

Filesize
89KB

MD5
949823bd836b04e6c288104c3bfe4140

SHA1
1767c1e062b714d39e43101c47981f6a1727e585

SHA256
185181fc6e7469623c8c8a1765e285aaf3fde3987ead7a95d5ef0010c1771986

SHA512
952e5ab0b5553469a620e89f04f56a975b5e7e925db0cdf614888343d1733a5a77c27bc03fc368fd37f411454f491d12a991ad22d7ba89d157bcf99796c9bb41

Download Submit
C:\Windows\{B2F47826-1F02-4032-8B90-4871F3561734}.exe

Filesize
89KB

MD5
fd7d51984010ff3624a2c19864032eca

SHA1
4007bfa6d267f486d5b57d85bdde488b430f5dab

SHA256
25c52f1e004f0c645a6941b12f86b60d99f8c0b2baff7487301df7a0df656eba

SHA512
b87bacac5a8b404096e7b22186e0c1b87d408921ab4c37813c939ccb2102c77f6067282c7652c8e6f9bf13cea7bfda01b84c700c1e7b9b20f3a29e4bf8ea6555

Download Submit
C:\Windows\{BA3E417D-7862-4ef2-88E7-7A90A958DC58}.exe

Filesize
89KB

MD5
8433f78688a82956e3636c877a910df0

SHA1
6386288345dec2b56e8c068f5f4d72299ca0863a

SHA256
c234cfbdde1de6cdb3ffc6f26e0e9e63c9d38629b74ed66549dbb571a14d33df

SHA512
cffac16fca457a388b907519dec5af95dc411ff5a55c341d52e9316bfc30571218c6efd9090bcf587e30d2e489df42383de3831f3a3b71001033ce01933efcce

Download Submit
C:\Windows\{F7D59C8E-EE97-4ea5-80FC-CDEE04FEF5F5}.exe

Filesize
89KB

MD5
829a94c65fa67e4a1be304254f71e04b

SHA1
6eadf0fc35ad5f022c1fd77b0fd76c35d237ff83

SHA256
91224db98b050de02374cd17140e4040b804163a1154274347e27133ff843f40

SHA512
04207157a680c5339f7c8d21609b22404e5efe1aad0aa71c86357d349094b92570b309f8f45066a38e6c325ad92099a5a5289e546facd25b53a617dda52b6c75

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads