93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599a

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 10:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599aN.exe
Size

88KB
MD5

1318bcc012c65c14b373ff87421b1480
SHA1

af941d08e671b8e5101eef4f8d7f953eb3fcb433
SHA256

93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599a
SHA512

bd07d9cb96cf2cd73a103e40326c1a98432cf0ceb50f2bca8a671d19bff4d5923429918ea4248833100b45df6bd68c1db5f3a40ee1546058153b2831355c7f97
SSDEEP

768:5vw9816thKQLrom4/wQkNrfrunMxVFA3V:lEG/0omlbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27D21798-EE48-424b-A524-B19AFE92556E}\stubpath = "C:\\Windows\\{27D21798-EE48-424b-A524-B19AFE92556E}.exe"	{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29C1B074-406F-4349-B6A7-AF9CC714F137}	{27D21798-EE48-424b-A524-B19AFE92556E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}	{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}	{3AFB48A5-E826-4228-872C-61677380D14F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9CCBB2F-48FB-478b-8E2C-9364DF8BC34D}	{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1241294-5D32-4070-B7AC-B4EAEE61DDDF}\stubpath = "C:\\Windows\\{E1241294-5D32-4070-B7AC-B4EAEE61DDDF}.exe"	{A9CCBB2F-48FB-478b-8E2C-9364DF8BC34D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}\stubpath = "C:\\Windows\\{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe"	93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29C1B074-406F-4349-B6A7-AF9CC714F137}\stubpath = "C:\\Windows\\{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe"	{27D21798-EE48-424b-A524-B19AFE92556E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}\stubpath = "C:\\Windows\\{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe"	{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27D21798-EE48-424b-A524-B19AFE92556E}	{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}\stubpath = "C:\\Windows\\{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe"	{3AFB48A5-E826-4228-872C-61677380D14F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1241294-5D32-4070-B7AC-B4EAEE61DDDF}	{A9CCBB2F-48FB-478b-8E2C-9364DF8BC34D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}	93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}	{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}\stubpath = "C:\\Windows\\{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe"	{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AFB48A5-E826-4228-872C-61677380D14F}	{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AFB48A5-E826-4228-872C-61677380D14F}\stubpath = "C:\\Windows\\{3AFB48A5-E826-4228-872C-61677380D14F}.exe"	{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9CCBB2F-48FB-478b-8E2C-9364DF8BC34D}\stubpath = "C:\\Windows\\{A9CCBB2F-48FB-478b-8E2C-9364DF8BC34D}.exe"	{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe

Deletes itself 1 IoCs

pid	Process
2788	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1764	{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe
2728	{27D21798-EE48-424b-A524-B19AFE92556E}.exe
2772	{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe
2176	{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe
1012	{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe
2332	{3AFB48A5-E826-4228-872C-61677380D14F}.exe
1564	{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe
340	{A9CCBB2F-48FB-478b-8E2C-9364DF8BC34D}.exe
2696	{E1241294-5D32-4070-B7AC-B4EAEE61DDDF}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe	93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599aN.exe
File created	C:\Windows\{27D21798-EE48-424b-A524-B19AFE92556E}.exe	{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe
File created	C:\Windows\{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe	{27D21798-EE48-424b-A524-B19AFE92556E}.exe
File created	C:\Windows\{3AFB48A5-E826-4228-872C-61677380D14F}.exe	{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe
File created	C:\Windows\{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe	{3AFB48A5-E826-4228-872C-61677380D14F}.exe
File created	C:\Windows\{A9CCBB2F-48FB-478b-8E2C-9364DF8BC34D}.exe	{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe
File created	C:\Windows\{E1241294-5D32-4070-B7AC-B4EAEE61DDDF}.exe	{A9CCBB2F-48FB-478b-8E2C-9364DF8BC34D}.exe
File created	C:\Windows\{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe	{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe
File created	C:\Windows\{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe	{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9CCBB2F-48FB-478b-8E2C-9364DF8BC34D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27D21798-EE48-424b-A524-B19AFE92556E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3AFB48A5-E826-4228-872C-61677380D14F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E1241294-5D32-4070-B7AC-B4EAEE61DDDF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1352	93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599aN.exe
Token: SeIncBasePriorityPrivilege	1764	{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe
Token: SeIncBasePriorityPrivilege	2728	{27D21798-EE48-424b-A524-B19AFE92556E}.exe
Token: SeIncBasePriorityPrivilege	2772	{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe
Token: SeIncBasePriorityPrivilege	2176	{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe
Token: SeIncBasePriorityPrivilege	1012	{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe
Token: SeIncBasePriorityPrivilege	2332	{3AFB48A5-E826-4228-872C-61677380D14F}.exe
Token: SeIncBasePriorityPrivilege	1564	{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe
Token: SeIncBasePriorityPrivilege	340	{A9CCBB2F-48FB-478b-8E2C-9364DF8BC34D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1764	1352	93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599aN.exe	30
PID 1352 wrote to memory of 1764	1352	93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599aN.exe	30
PID 1352 wrote to memory of 1764	1352	93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599aN.exe	30
PID 1352 wrote to memory of 1764	1352	93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599aN.exe	30
PID 1352 wrote to memory of 2788	1352	93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599aN.exe	31
PID 1352 wrote to memory of 2788	1352	93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599aN.exe	31
PID 1352 wrote to memory of 2788	1352	93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599aN.exe	31
PID 1352 wrote to memory of 2788	1352	93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599aN.exe	31
PID 1764 wrote to memory of 2728	1764	{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe	33
PID 1764 wrote to memory of 2728	1764	{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe	33
PID 1764 wrote to memory of 2728	1764	{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe	33
PID 1764 wrote to memory of 2728	1764	{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe	33
PID 1764 wrote to memory of 1340	1764	{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe	34
PID 1764 wrote to memory of 1340	1764	{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe	34
PID 1764 wrote to memory of 1340	1764	{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe	34
PID 1764 wrote to memory of 1340	1764	{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe	34
PID 2728 wrote to memory of 2772	2728	{27D21798-EE48-424b-A524-B19AFE92556E}.exe	35
PID 2728 wrote to memory of 2772	2728	{27D21798-EE48-424b-A524-B19AFE92556E}.exe	35
PID 2728 wrote to memory of 2772	2728	{27D21798-EE48-424b-A524-B19AFE92556E}.exe	35
PID 2728 wrote to memory of 2772	2728	{27D21798-EE48-424b-A524-B19AFE92556E}.exe	35
PID 2728 wrote to memory of 2796	2728	{27D21798-EE48-424b-A524-B19AFE92556E}.exe	36
PID 2728 wrote to memory of 2796	2728	{27D21798-EE48-424b-A524-B19AFE92556E}.exe	36
PID 2728 wrote to memory of 2796	2728	{27D21798-EE48-424b-A524-B19AFE92556E}.exe	36
PID 2728 wrote to memory of 2796	2728	{27D21798-EE48-424b-A524-B19AFE92556E}.exe	36
PID 2772 wrote to memory of 2176	2772	{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe	37
PID 2772 wrote to memory of 2176	2772	{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe	37
PID 2772 wrote to memory of 2176	2772	{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe	37
PID 2772 wrote to memory of 2176	2772	{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe	37
PID 2772 wrote to memory of 2388	2772	{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe	38
PID 2772 wrote to memory of 2388	2772	{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe	38
PID 2772 wrote to memory of 2388	2772	{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe	38
PID 2772 wrote to memory of 2388	2772	{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe	38
PID 2176 wrote to memory of 1012	2176	{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe	39
PID 2176 wrote to memory of 1012	2176	{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe	39
PID 2176 wrote to memory of 1012	2176	{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe	39
PID 2176 wrote to memory of 1012	2176	{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe	39
PID 2176 wrote to memory of 1728	2176	{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe	40
PID 2176 wrote to memory of 1728	2176	{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe	40
PID 2176 wrote to memory of 1728	2176	{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe	40
PID 2176 wrote to memory of 1728	2176	{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe	40
PID 1012 wrote to memory of 2332	1012	{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe	41
PID 1012 wrote to memory of 2332	1012	{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe	41
PID 1012 wrote to memory of 2332	1012	{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe	41
PID 1012 wrote to memory of 2332	1012	{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe	41
PID 1012 wrote to memory of 2940	1012	{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe	42
PID 1012 wrote to memory of 2940	1012	{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe	42
PID 1012 wrote to memory of 2940	1012	{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe	42
PID 1012 wrote to memory of 2940	1012	{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe	42
PID 2332 wrote to memory of 1564	2332	{3AFB48A5-E826-4228-872C-61677380D14F}.exe	43
PID 2332 wrote to memory of 1564	2332	{3AFB48A5-E826-4228-872C-61677380D14F}.exe	43
PID 2332 wrote to memory of 1564	2332	{3AFB48A5-E826-4228-872C-61677380D14F}.exe	43
PID 2332 wrote to memory of 1564	2332	{3AFB48A5-E826-4228-872C-61677380D14F}.exe	43
PID 2332 wrote to memory of 1712	2332	{3AFB48A5-E826-4228-872C-61677380D14F}.exe	44
PID 2332 wrote to memory of 1712	2332	{3AFB48A5-E826-4228-872C-61677380D14F}.exe	44
PID 2332 wrote to memory of 1712	2332	{3AFB48A5-E826-4228-872C-61677380D14F}.exe	44
PID 2332 wrote to memory of 1712	2332	{3AFB48A5-E826-4228-872C-61677380D14F}.exe	44
PID 1564 wrote to memory of 340	1564	{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe	45
PID 1564 wrote to memory of 340	1564	{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe	45
PID 1564 wrote to memory of 340	1564	{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe	45
PID 1564 wrote to memory of 340	1564	{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe	45
PID 1564 wrote to memory of 2968	1564	{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe	46
PID 1564 wrote to memory of 2968	1564	{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe	46
PID 1564 wrote to memory of 2968	1564	{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe	46
PID 1564 wrote to memory of 2968	1564	{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe	46

C:\Users\Admin\AppData\Local\Temp\93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599aN.exe
"C:\Users\Admin\AppData\Local\Temp\93d0101a4786df8393b1aca83a1b22ad0895a3cdd8d9b7b69efd747acdb7599aN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe
  C:\Windows\{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\{27D21798-EE48-424b-A524-B19AFE92556E}.exe
    C:\Windows\{27D21798-EE48-424b-A524-B19AFE92556E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe
      C:\Windows\{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe
        
        C:\Windows\{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Windows\{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe
        
        C:\Windows\{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\{3AFB48A5-E826-4228-872C-61677380D14F}.exe
        
        C:\Windows\{3AFB48A5-E826-4228-872C-61677380D14F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe
        
        C:\Windows\{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\{A9CCBB2F-48FB-478b-8E2C-9364DF8BC34D}.exe
        
        C:\Windows\{A9CCBB2F-48FB-478b-8E2C-9364DF8BC34D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\{E1241294-5D32-4070-B7AC-B4EAEE61DDDF}.exe
        
        C:\Windows\{E1241294-5D32-4070-B7AC-B4EAEE61DDDF}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9CCB~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C70B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AFB4~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85A06~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C6A9~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29C1B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{27D21~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0955C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\93D010~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0955CD85-23B4-46a4-BBCD-1D56F4A43B6D}.exe

Filesize
88KB

MD5
204ed712dcb7c7b6c1f5de637cf3aaa0

SHA1
bf328a7e002c0f5983b2020fc8de056b833c2668

SHA256
f42001679876425e2e86061ee8abac13563f5036f008e2a4e9bb4d4651ad5c03

SHA512
0b8147681b9299a5a62d6d8ed05708b9cbf68583d5dd1791061b72d6b5e018b60a42e7f6f5efedd3ddbd8d5d5322d78e2aab926a5094acff18d3658fbf0cf2ae

Download Submit
C:\Windows\{27D21798-EE48-424b-A524-B19AFE92556E}.exe

Filesize
88KB

MD5
539f69430e3edc831ae32a71b2a2d6b9

SHA1
a6470c438e40ed42b2d6f6d1652e32d10ef833c1

SHA256
26e3de540eeb93f4a5396a0bfd0f0ce9618d3171548971b4ba18a5f6116236d7

SHA512
38ee57498bc60c71ae224cad1dd30e6b34c069e0abc5ec26f6711c79841417a4511512c279f7c1c381ab94b6d32e39be92af9f00b785b299972dcb52bf0e8bab

Download Submit
C:\Windows\{29C1B074-406F-4349-B6A7-AF9CC714F137}.exe

Filesize
88KB

MD5
756482f92dc066c6a51d741944d657bc

SHA1
34eeb1ed4756bb89d1786993776ebd2d4f5688c8

SHA256
5053e6e6a6120b1d2072fa970adde37f2da97a298854f6b6db538db3a180c767

SHA512
5f214647860149f03865e26f1918bfe826dd9ec75a588f66d7927ab50f3a01825d316d60ad658d304cc3a480df5cfeee3e15a49bb515a1df640009efd1229729

Download Submit
C:\Windows\{3AFB48A5-E826-4228-872C-61677380D14F}.exe

Filesize
88KB

MD5
76406b162ec90476930400dfb9d7dc89

SHA1
77006faf14c28ad6e8870a8015f1d28ec6a08ace

SHA256
34929a16d040309e953fa18e54686aeccd865aaf18caa21d56e1e21ad0270144

SHA512
eb9e7353eab12ca332efb6824d8085bb72826cfa05f307ff79a8c5a24d58b54ff94a3b6159f511bffea9a9faac2581a39360439d064c23a7d683557e1b624f38

Download Submit
C:\Windows\{3C70B283-85F9-43ba-A2AB-BEEAD2E98797}.exe

Filesize
88KB

MD5
f530bfc50009366eb4646d2fbc3e7cd6

SHA1
c62e2fbe44ecb1a9fa63310bafb7a6f69d76cb64

SHA256
0fea8523e3b85ec68ee7c1158d724aacdbb72ae57b48cf17c54df57a9bcc06ba

SHA512
0bf064e6481758f8004bae58a515262e5065f301cbb40365366d5795a15a23cbfd24543082f34ad576137f83d5735eff568b16c0439da28beccb5ed4b198e822

Download Submit
C:\Windows\{7C6A99A2-7B4C-49ae-8B05-3F8685FDFC12}.exe

Filesize
88KB

MD5
9892a1082e045130782d22c306b9a5ac

SHA1
d6dab29e3d94e91f41e81756ec6af57f1e2d9663

SHA256
955d3c4df9f3be4ee526be3e23f63179f3417ab22423629ff46f0df4a2546524

SHA512
fc902772705758587b72da6b4ecf05cb58f89dd613c2b47206d7a93ffe1abb75ac52ca6c72d8d3c2fa2b35d9fe839109f7ed47d3105b49d7af950ad94b34b279

Download Submit
C:\Windows\{85A06ACC-E5CA-4df9-8AF0-E7088A6A9EE8}.exe

Filesize
88KB

MD5
89d43662eaa5ce2603ea74d2849df522

SHA1
512bb30e58dcd9f165ba2d37847081d02795bda1

SHA256
5310da1d52be6f415b7f6c3cdd22f17e6c0fe69da9402708803759645bb20035

SHA512
f0b9e4e348393ce2f5bff8922e3fd1b51224adbcd6a86f206374180393586c9fe0e2e878f17afc17cb2c345f9be71f0444d0425f0025cfc21ffb7b15847fd7dc

Download Submit
C:\Windows\{A9CCBB2F-48FB-478b-8E2C-9364DF8BC34D}.exe

Filesize
88KB

MD5
e8d57a33a9b6ffcbcf4227154ad1ba46

SHA1
5c5cc7883b7aa5623f87c8df997af255aacc5db9

SHA256
83235a00d381e9951c82f0603ef25fa90cff4bc6384a5376c03a8b50ced0b5a8

SHA512
9a980cc806ca5409a16b5cea44b7ea094210477521a7f97f44f2c18ae6949e1ac79885274c91a52d4ef98b70294a009b85b4ad2de6255e69ec572e016b549c80

Download Submit
C:\Windows\{E1241294-5D32-4070-B7AC-B4EAEE61DDDF}.exe

Filesize
88KB

MD5
09681ccb7798e6631bb71983ec0b1fc3

SHA1
9b24849bd52485b09fae5eaa8be60c942106ec63

SHA256
ece79b19d6b06a20c8009f8742f7f6e156b386bcce0ebc8360d75196c4f2bcd3

SHA512
25b3baa8bfd81a1f7c76d77561ea9e72c0d0974d71b627989d12bec8cdb44b10504f509d6358d4ee084b59976ece73b01c77e79afc072ba4a70c4a08c04550ae

Download Submit
memory/340-89-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/340-88-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/340-84-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/1012-53-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/1012-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1012-57-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/1352-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1352-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1352-8-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/1352-4-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/1352-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1564-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1564-75-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/1564-79-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1764-14-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/1764-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2176-43-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2176-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2332-71-0x00000000005E0000-0x00000000005F1000-memory.dmp

Filesize
68KB

Download
memory/2332-69-0x00000000005E0000-0x00000000005F1000-memory.dmp

Filesize
68KB

Download
memory/2332-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2332-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2728-27-0x00000000005B0000-0x00000000005C1000-memory.dmp

Filesize
68KB

Download
memory/2728-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2728-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2772-35-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2772-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2772-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2772-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads