11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe
Size

90KB
MD5

a33799b4413ca558fefbd2815dd58d70
SHA1

4254fbb8eae91c7be70323de60a0bd32023d54b4
SHA256

11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53
SHA512

2a82fee977e72c4040ae93c0dd75c71fc6e5caa32d853179b270b45ed3c168fd180b6dfdeacba999046735fac2beb105b8b7daf4346a06cb9cfadb52e26aca9d
SSDEEP

768:Qvw9816vhKQLroY4/wQRNrfrunMxVFA3b7glw:YEGh0oYl2unMxVS3Hg

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72E53CA1-C442-4b43-AC2D-A457F4B962EB}\stubpath = "C:\\Windows\\{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe"	{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}	{F30FE819-C287-4217-8489-BE0796D735E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}\stubpath = "C:\\Windows\\{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe"	{F30FE819-C287-4217-8489-BE0796D735E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0119B5D6-53D4-4bcb-928B-2B8BE8BB98E9}	{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}	11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}\stubpath = "C:\\Windows\\{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe"	11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}	{417BB369-D487-4c1d-B850-3594AF455133}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}\stubpath = "C:\\Windows\\{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe"	{417BB369-D487-4c1d-B850-3594AF455133}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{547F538F-BB90-44a7-B3FD-0FFF9B91547C}\stubpath = "C:\\Windows\\{547F538F-BB90-44a7-B3FD-0FFF9B91547C}.exe"	{0119B5D6-53D4-4bcb-928B-2B8BE8BB98E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{547F538F-BB90-44a7-B3FD-0FFF9B91547C}	{0119B5D6-53D4-4bcb-928B-2B8BE8BB98E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{417BB369-D487-4c1d-B850-3594AF455133}	{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{417BB369-D487-4c1d-B850-3594AF455133}\stubpath = "C:\\Windows\\{417BB369-D487-4c1d-B850-3594AF455133}.exe"	{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}\stubpath = "C:\\Windows\\{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe"	{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F30FE819-C287-4217-8489-BE0796D735E8}	{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0119B5D6-53D4-4bcb-928B-2B8BE8BB98E9}\stubpath = "C:\\Windows\\{0119B5D6-53D4-4bcb-928B-2B8BE8BB98E9}.exe"	{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72E53CA1-C442-4b43-AC2D-A457F4B962EB}	{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}	{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F30FE819-C287-4217-8489-BE0796D735E8}\stubpath = "C:\\Windows\\{F30FE819-C287-4217-8489-BE0796D735E8}.exe"	{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe

Deletes itself 1 IoCs

pid	Process
2872	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2288	{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe
2792	{417BB369-D487-4c1d-B850-3594AF455133}.exe
2796	{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe
2212	{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe
2460	{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe
1508	{F30FE819-C287-4217-8489-BE0796D735E8}.exe
2452	{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe
2720	{0119B5D6-53D4-4bcb-928B-2B8BE8BB98E9}.exe
2184	{547F538F-BB90-44a7-B3FD-0FFF9B91547C}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe	{417BB369-D487-4c1d-B850-3594AF455133}.exe
File created	C:\Windows\{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe	{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe
File created	C:\Windows\{547F538F-BB90-44a7-B3FD-0FFF9B91547C}.exe	{0119B5D6-53D4-4bcb-928B-2B8BE8BB98E9}.exe
File created	C:\Windows\{F30FE819-C287-4217-8489-BE0796D735E8}.exe	{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe
File created	C:\Windows\{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe	{F30FE819-C287-4217-8489-BE0796D735E8}.exe
File created	C:\Windows\{0119B5D6-53D4-4bcb-928B-2B8BE8BB98E9}.exe	{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe
File created	C:\Windows\{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe	11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe
File created	C:\Windows\{417BB369-D487-4c1d-B850-3594AF455133}.exe	{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe
File created	C:\Windows\{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe	{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{417BB369-D487-4c1d-B850-3594AF455133}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F30FE819-C287-4217-8489-BE0796D735E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0119B5D6-53D4-4bcb-928B-2B8BE8BB98E9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{547F538F-BB90-44a7-B3FD-0FFF9B91547C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2108	11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe
Token: SeIncBasePriorityPrivilege	2288	{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe
Token: SeIncBasePriorityPrivilege	2792	{417BB369-D487-4c1d-B850-3594AF455133}.exe
Token: SeIncBasePriorityPrivilege	2796	{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe
Token: SeIncBasePriorityPrivilege	2212	{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe
Token: SeIncBasePriorityPrivilege	2460	{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe
Token: SeIncBasePriorityPrivilege	1508	{F30FE819-C287-4217-8489-BE0796D735E8}.exe
Token: SeIncBasePriorityPrivilege	2452	{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe
Token: SeIncBasePriorityPrivilege	2720	{0119B5D6-53D4-4bcb-928B-2B8BE8BB98E9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2288	2108	11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe	29
PID 2108 wrote to memory of 2288	2108	11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe	29
PID 2108 wrote to memory of 2288	2108	11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe	29
PID 2108 wrote to memory of 2288	2108	11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe	29
PID 2108 wrote to memory of 2872	2108	11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe	30
PID 2108 wrote to memory of 2872	2108	11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe	30
PID 2108 wrote to memory of 2872	2108	11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe	30
PID 2108 wrote to memory of 2872	2108	11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe	30
PID 2288 wrote to memory of 2792	2288	{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe	31
PID 2288 wrote to memory of 2792	2288	{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe	31
PID 2288 wrote to memory of 2792	2288	{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe	31
PID 2288 wrote to memory of 2792	2288	{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe	31
PID 2288 wrote to memory of 2972	2288	{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe	32
PID 2288 wrote to memory of 2972	2288	{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe	32
PID 2288 wrote to memory of 2972	2288	{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe	32
PID 2288 wrote to memory of 2972	2288	{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe	32
PID 2792 wrote to memory of 2796	2792	{417BB369-D487-4c1d-B850-3594AF455133}.exe	33
PID 2792 wrote to memory of 2796	2792	{417BB369-D487-4c1d-B850-3594AF455133}.exe	33
PID 2792 wrote to memory of 2796	2792	{417BB369-D487-4c1d-B850-3594AF455133}.exe	33
PID 2792 wrote to memory of 2796	2792	{417BB369-D487-4c1d-B850-3594AF455133}.exe	33
PID 2792 wrote to memory of 2772	2792	{417BB369-D487-4c1d-B850-3594AF455133}.exe	34
PID 2792 wrote to memory of 2772	2792	{417BB369-D487-4c1d-B850-3594AF455133}.exe	34
PID 2792 wrote to memory of 2772	2792	{417BB369-D487-4c1d-B850-3594AF455133}.exe	34
PID 2792 wrote to memory of 2772	2792	{417BB369-D487-4c1d-B850-3594AF455133}.exe	34
PID 2796 wrote to memory of 2212	2796	{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe	35
PID 2796 wrote to memory of 2212	2796	{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe	35
PID 2796 wrote to memory of 2212	2796	{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe	35
PID 2796 wrote to memory of 2212	2796	{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe	35
PID 2796 wrote to memory of 3060	2796	{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe	36
PID 2796 wrote to memory of 3060	2796	{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe	36
PID 2796 wrote to memory of 3060	2796	{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe	36
PID 2796 wrote to memory of 3060	2796	{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe	36
PID 2212 wrote to memory of 2460	2212	{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe	37
PID 2212 wrote to memory of 2460	2212	{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe	37
PID 2212 wrote to memory of 2460	2212	{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe	37
PID 2212 wrote to memory of 2460	2212	{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe	37
PID 2212 wrote to memory of 2080	2212	{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe	38
PID 2212 wrote to memory of 2080	2212	{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe	38
PID 2212 wrote to memory of 2080	2212	{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe	38
PID 2212 wrote to memory of 2080	2212	{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe	38
PID 2460 wrote to memory of 1508	2460	{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe	39
PID 2460 wrote to memory of 1508	2460	{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe	39
PID 2460 wrote to memory of 1508	2460	{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe	39
PID 2460 wrote to memory of 1508	2460	{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe	39
PID 2460 wrote to memory of 1992	2460	{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe	40
PID 2460 wrote to memory of 1992	2460	{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe	40
PID 2460 wrote to memory of 1992	2460	{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe	40
PID 2460 wrote to memory of 1992	2460	{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe	40
PID 1508 wrote to memory of 2452	1508	{F30FE819-C287-4217-8489-BE0796D735E8}.exe	41
PID 1508 wrote to memory of 2452	1508	{F30FE819-C287-4217-8489-BE0796D735E8}.exe	41
PID 1508 wrote to memory of 2452	1508	{F30FE819-C287-4217-8489-BE0796D735E8}.exe	41
PID 1508 wrote to memory of 2452	1508	{F30FE819-C287-4217-8489-BE0796D735E8}.exe	41
PID 1508 wrote to memory of 2148	1508	{F30FE819-C287-4217-8489-BE0796D735E8}.exe	42
PID 1508 wrote to memory of 2148	1508	{F30FE819-C287-4217-8489-BE0796D735E8}.exe	42
PID 1508 wrote to memory of 2148	1508	{F30FE819-C287-4217-8489-BE0796D735E8}.exe	42
PID 1508 wrote to memory of 2148	1508	{F30FE819-C287-4217-8489-BE0796D735E8}.exe	42
PID 2452 wrote to memory of 2720	2452	{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe	43
PID 2452 wrote to memory of 2720	2452	{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe	43
PID 2452 wrote to memory of 2720	2452	{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe	43
PID 2452 wrote to memory of 2720	2452	{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe	43
PID 2452 wrote to memory of 1308	2452	{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe	44
PID 2452 wrote to memory of 1308	2452	{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe	44
PID 2452 wrote to memory of 1308	2452	{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe	44
PID 2452 wrote to memory of 1308	2452	{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe	44

C:\Users\Admin\AppData\Local\Temp\11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe
"C:\Users\Admin\AppData\Local\Temp\11cc40e757387625da40e4ae6c1e7e53fdd36ca32613096d5bf7b17a02022c53N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe
  C:\Windows\{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\{417BB369-D487-4c1d-B850-3594AF455133}.exe
    C:\Windows\{417BB369-D487-4c1d-B850-3594AF455133}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe
      C:\Windows\{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe
        
        C:\Windows\{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe
        
        C:\Windows\{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{F30FE819-C287-4217-8489-BE0796D735E8}.exe
        
        C:\Windows\{F30FE819-C287-4217-8489-BE0796D735E8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe
        
        C:\Windows\{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\{0119B5D6-53D4-4bcb-928B-2B8BE8BB98E9}.exe
        
        C:\Windows\{0119B5D6-53D4-4bcb-928B-2B8BE8BB98E9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\{547F538F-BB90-44a7-B3FD-0FFF9B91547C}.exe
        
        C:\Windows\{547F538F-BB90-44a7-B3FD-0FFF9B91547C}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0119B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEB25~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F30FE~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{177AC~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72E53~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA6A1~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{417BB~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C4A1D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\11CC40~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0119B5D6-53D4-4bcb-928B-2B8BE8BB98E9}.exe

Filesize
90KB

MD5
7d626cf2ce8ae026397bc0a80e2bbb5c

SHA1
a1ddfb520b6b29cbf2465be5f9514f4518fa62e4

SHA256
b715e43aeb664a32529c18e3e94b335898d723489ff7de295964e24690bb4e9a

SHA512
80ff66ecb5c0a130f53e962044e67f977202c7b78556565fe3080471a964f68ba0057321cbe8d8897342580d3285ccf355cb84254fa0a22f95b28786b9edd548

Download Submit
C:\Windows\{177ACFFF-A8E4-4a95-8817-C3EB6DE7AB5B}.exe

Filesize
90KB

MD5
dffff7ab20811d338c78c102d88a376e

SHA1
d93aeca9335c72050dadded833a872ecc74cbf42

SHA256
bc6aed0b624c72c0340b4c553bc558c8c878e14ad3239d9421ab595f8282bec3

SHA512
74d5c284987967119a61cda2cc7f0fdb94379ffa53836c05ee767c3e86d63e08e3a5b38aaaf98d74ff050084f58326a4b63022a20a5b7e00d736f19a2d379a06

Download Submit
C:\Windows\{417BB369-D487-4c1d-B850-3594AF455133}.exe

Filesize
90KB

MD5
06729bf2808be92511de144806c6b944

SHA1
be9ab5f28030bca90576f18093246ac1aede9732

SHA256
7bfe443e9086464ddbf08b6575f9081fb393313c99d50f839462520fb831a026

SHA512
dbaec5336cad5b874f33ef1fd21378d027f1e1af3b2b3b531e722183cf847c1320291709aa4e7d9c947d84983040ea5bfeb0b0f179edc6b408d5ae1ccd1d45ee

Download Submit
C:\Windows\{547F538F-BB90-44a7-B3FD-0FFF9B91547C}.exe

Filesize
90KB

MD5
c4c9849678c41b78cfe71f97ceb2f2f3

SHA1
708d670f0ed1d94c3175d907528a8905d2e95b0a

SHA256
e66b114667eae13799da43cd40d98bac1edebc6a39c6eaf8c94006bd752ee823

SHA512
526f9b9d6dc4d04da8f5bcd6b8ae0e521d4eb592a21426e7575739f08c6b3335dcdf44e2fcbab92701810840bf75657301e05dd427c93df8265268f04a51c28d

Download Submit
C:\Windows\{72E53CA1-C442-4b43-AC2D-A457F4B962EB}.exe

Filesize
90KB

MD5
15ab301e0b8d56f95139a14de7667a7a

SHA1
e775e6f84cc5dc90dc17fde6ce638569e2dd7209

SHA256
9f7962dafce56f61bfcdd943d717acb7d92f0c4b6d07cf1b1aec842a489e9fbb

SHA512
32121cf0f78426157a098677b97976388dd5bc771f256edfc21ac75ed6f3f4177a5d44609a562b6d07321fa7ec31e9e1093ef6764552636c13b2bae2487d2a74

Download Submit
C:\Windows\{C4A1D2FB-05D2-4115-B83D-DEE5B2CDC939}.exe

Filesize
90KB

MD5
7411e3269e22feda04e83b8bd299dc49

SHA1
fc80e8c6fc3d817e71be1a850157ad8b3418ccc1

SHA256
8aa5bac0e90a493d6f562955417fd6929217da27898c0c4661125515632491ff

SHA512
788e5324da12f032c219b7bccf41c787bb357b8941310f11efad6b6eb89cbd4ca68526c5f80a0292366ae85fb14a7e7e2492503ba1f07ab22b5e5dd1f1cf524b

Download Submit
C:\Windows\{EEB25244-89F4-4c9c-A0A9-CBBFEE3604A7}.exe

Filesize
90KB

MD5
64d251d498ff2a4c50ab737c2a7d7fde

SHA1
d3f258d60eb5fa62975f15de4217265c13054c9d

SHA256
78453f3f65272fbffe5c6b7e052f5976d10f24363e07cb6b9f413d2d15e819e9

SHA512
950a1a53e69bb0a6067b7306f096684c33c8658b1970682c5dc572e11c75885ccdb5733bf0fee0e668463c89a9e4298073a875518cff2c55f29a78956ac79773

Download Submit
C:\Windows\{F30FE819-C287-4217-8489-BE0796D735E8}.exe

Filesize
90KB

MD5
8d74b99bc1c92a641bd9f82c388a240e

SHA1
016c5699274a99f3ba656862c8ec2b951eda69f5

SHA256
d3e169f860e4aae3252df3a97bd2d185bdcb3e67f00a297f9272765519c0b42e

SHA512
c8891e7546b5ba95fc8dabb3aa95dac6fa0b831127e9756733d43442d6f2c3eb7d69acde19f04bca44220cd502cdec48962c685af0a014e0c87e923023c3da8a

Download Submit
C:\Windows\{FA6A17A9-CBF3-4027-AA92-5A49D9CEA46F}.exe

Filesize
90KB

MD5
5796e0029fe9d3ec099061f450429e8a

SHA1
e4910384fb24650ca4a90ff5fa09da50a8b2351a

SHA256
c2fdd15b45d7e178ed7965f1293210e4408e05d29a9593a0473921e7fdb5c9a7

SHA512
aa03e98866e2ce95570cb31a5b310c257e76a114641c2349b48f3425b2845ddf9355925287b06c3e34f025974011df9004d7cba3cf352b0488a9ef4b005e29f0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads