089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71ceb

Analysis

max time kernel
119s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe
Size

90KB
MD5

036af28a3626935da0c91c6fb5330de0
SHA1

0592ebfd56003f59065eea1b10087021188c5447
SHA256

089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71ceb
SHA512

05feaec791bb54c847dd41d8501db632ff8d859dfb25e7655208f95336d5083aae75a0b28004ca385e5226aac12b2b7c82abba732d8c6e5c6172adfe88cfe7bc
SSDEEP

768:Qvw9816vhKQLroL4/wQRNrfrunMxVFA3b7glws:YEGh0oLl2unMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}	089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD227DCB-E248-43c8-A27D-863738F7835D}	{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD227DCB-E248-43c8-A27D-863738F7835D}\stubpath = "C:\\Windows\\{DD227DCB-E248-43c8-A27D-863738F7835D}.exe"	{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}\stubpath = "C:\\Windows\\{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe"	{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6F87DB7-384F-404d-BE8F-9C7021694202}	{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCC2E486-D1B8-4454-B2FA-02FD4966DC59}	{CADBD600-7966-4478-B794-B8B1AF985B89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}	{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1546F39A-5A3E-4318-A210-FC11C57C8162}\stubpath = "C:\\Windows\\{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe"	{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CADBD600-7966-4478-B794-B8B1AF985B89}	{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}\stubpath = "C:\\Windows\\{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe"	089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}\stubpath = "C:\\Windows\\{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe"	{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CADBD600-7966-4478-B794-B8B1AF985B89}\stubpath = "C:\\Windows\\{CADBD600-7966-4478-B794-B8B1AF985B89}.exe"	{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCC2E486-D1B8-4454-B2FA-02FD4966DC59}\stubpath = "C:\\Windows\\{DCC2E486-D1B8-4454-B2FA-02FD4966DC59}.exe"	{CADBD600-7966-4478-B794-B8B1AF985B89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95057A03-D77B-4fa3-8C73-50E2B60040F6}	{DD227DCB-E248-43c8-A27D-863738F7835D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95057A03-D77B-4fa3-8C73-50E2B60040F6}\stubpath = "C:\\Windows\\{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe"	{DD227DCB-E248-43c8-A27D-863738F7835D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}	{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6F87DB7-384F-404d-BE8F-9C7021694202}\stubpath = "C:\\Windows\\{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe"	{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1546F39A-5A3E-4318-A210-FC11C57C8162}	{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe

Deletes itself 1 IoCs

pid	Process
1684	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2500	{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe
2856	{DD227DCB-E248-43c8-A27D-863738F7835D}.exe
2960	{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe
2604	{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe
2268	{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe
2012	{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe
2928	{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe
1428	{CADBD600-7966-4478-B794-B8B1AF985B89}.exe
480	{DCC2E486-D1B8-4454-B2FA-02FD4966DC59}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{DD227DCB-E248-43c8-A27D-863738F7835D}.exe	{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe
File created	C:\Windows\{CADBD600-7966-4478-B794-B8B1AF985B89}.exe	{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe
File created	C:\Windows\{DCC2E486-D1B8-4454-B2FA-02FD4966DC59}.exe	{CADBD600-7966-4478-B794-B8B1AF985B89}.exe
File created	C:\Windows\{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe	089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe
File created	C:\Windows\{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe	{DD227DCB-E248-43c8-A27D-863738F7835D}.exe
File created	C:\Windows\{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe	{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe
File created	C:\Windows\{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe	{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe
File created	C:\Windows\{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe	{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe
File created	C:\Windows\{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe	{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CADBD600-7966-4478-B794-B8B1AF985B89}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DCC2E486-D1B8-4454-B2FA-02FD4966DC59}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD227DCB-E248-43c8-A27D-863738F7835D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	812	089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe
Token: SeIncBasePriorityPrivilege	2500	{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe
Token: SeIncBasePriorityPrivilege	2856	{DD227DCB-E248-43c8-A27D-863738F7835D}.exe
Token: SeIncBasePriorityPrivilege	2960	{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe
Token: SeIncBasePriorityPrivilege	2604	{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe
Token: SeIncBasePriorityPrivilege	2268	{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe
Token: SeIncBasePriorityPrivilege	2012	{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe
Token: SeIncBasePriorityPrivilege	2928	{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe
Token: SeIncBasePriorityPrivilege	1428	{CADBD600-7966-4478-B794-B8B1AF985B89}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 2500	812	089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe	30
PID 812 wrote to memory of 2500	812	089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe	30
PID 812 wrote to memory of 2500	812	089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe	30
PID 812 wrote to memory of 2500	812	089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe	30
PID 812 wrote to memory of 1684	812	089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe	31
PID 812 wrote to memory of 1684	812	089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe	31
PID 812 wrote to memory of 1684	812	089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe	31
PID 812 wrote to memory of 1684	812	089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe	31
PID 2500 wrote to memory of 2856	2500	{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe	33
PID 2500 wrote to memory of 2856	2500	{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe	33
PID 2500 wrote to memory of 2856	2500	{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe	33
PID 2500 wrote to memory of 2856	2500	{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe	33
PID 2500 wrote to memory of 2600	2500	{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe	34
PID 2500 wrote to memory of 2600	2500	{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe	34
PID 2500 wrote to memory of 2600	2500	{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe	34
PID 2500 wrote to memory of 2600	2500	{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe	34
PID 2856 wrote to memory of 2960	2856	{DD227DCB-E248-43c8-A27D-863738F7835D}.exe	35
PID 2856 wrote to memory of 2960	2856	{DD227DCB-E248-43c8-A27D-863738F7835D}.exe	35
PID 2856 wrote to memory of 2960	2856	{DD227DCB-E248-43c8-A27D-863738F7835D}.exe	35
PID 2856 wrote to memory of 2960	2856	{DD227DCB-E248-43c8-A27D-863738F7835D}.exe	35
PID 2856 wrote to memory of 2800	2856	{DD227DCB-E248-43c8-A27D-863738F7835D}.exe	36
PID 2856 wrote to memory of 2800	2856	{DD227DCB-E248-43c8-A27D-863738F7835D}.exe	36
PID 2856 wrote to memory of 2800	2856	{DD227DCB-E248-43c8-A27D-863738F7835D}.exe	36
PID 2856 wrote to memory of 2800	2856	{DD227DCB-E248-43c8-A27D-863738F7835D}.exe	36
PID 2960 wrote to memory of 2604	2960	{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe	37
PID 2960 wrote to memory of 2604	2960	{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe	37
PID 2960 wrote to memory of 2604	2960	{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe	37
PID 2960 wrote to memory of 2604	2960	{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe	37
PID 2960 wrote to memory of 2656	2960	{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe	38
PID 2960 wrote to memory of 2656	2960	{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe	38
PID 2960 wrote to memory of 2656	2960	{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe	38
PID 2960 wrote to memory of 2656	2960	{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe	38
PID 2604 wrote to memory of 2268	2604	{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe	39
PID 2604 wrote to memory of 2268	2604	{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe	39
PID 2604 wrote to memory of 2268	2604	{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe	39
PID 2604 wrote to memory of 2268	2604	{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe	39
PID 2604 wrote to memory of 632	2604	{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe	40
PID 2604 wrote to memory of 632	2604	{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe	40
PID 2604 wrote to memory of 632	2604	{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe	40
PID 2604 wrote to memory of 632	2604	{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe	40
PID 2268 wrote to memory of 2012	2268	{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe	41
PID 2268 wrote to memory of 2012	2268	{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe	41
PID 2268 wrote to memory of 2012	2268	{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe	41
PID 2268 wrote to memory of 2012	2268	{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe	41
PID 2268 wrote to memory of 2196	2268	{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe	42
PID 2268 wrote to memory of 2196	2268	{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe	42
PID 2268 wrote to memory of 2196	2268	{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe	42
PID 2268 wrote to memory of 2196	2268	{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe	42
PID 2012 wrote to memory of 2928	2012	{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe	43
PID 2012 wrote to memory of 2928	2012	{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe	43
PID 2012 wrote to memory of 2928	2012	{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe	43
PID 2012 wrote to memory of 2928	2012	{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe	43
PID 2012 wrote to memory of 2356	2012	{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe	44
PID 2012 wrote to memory of 2356	2012	{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe	44
PID 2012 wrote to memory of 2356	2012	{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe	44
PID 2012 wrote to memory of 2356	2012	{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe	44
PID 2928 wrote to memory of 1428	2928	{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe	45
PID 2928 wrote to memory of 1428	2928	{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe	45
PID 2928 wrote to memory of 1428	2928	{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe	45
PID 2928 wrote to memory of 1428	2928	{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe	45
PID 2928 wrote to memory of 2152	2928	{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe	46
PID 2928 wrote to memory of 2152	2928	{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe	46
PID 2928 wrote to memory of 2152	2928	{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe	46
PID 2928 wrote to memory of 2152	2928	{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe	46

C:\Users\Admin\AppData\Local\Temp\089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe
"C:\Users\Admin\AppData\Local\Temp\089deaa7ae5b1feba6eae956d3e545b59e612bb15091ce02010fec5b62f71cebN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe
  C:\Windows\{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\{DD227DCB-E248-43c8-A27D-863738F7835D}.exe
    C:\Windows\{DD227DCB-E248-43c8-A27D-863738F7835D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe
      C:\Windows\{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe
        
        C:\Windows\{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe
        
        C:\Windows\{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe
        
        C:\Windows\{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe
        
        C:\Windows\{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{CADBD600-7966-4478-B794-B8B1AF985B89}.exe
        
        C:\Windows\{CADBD600-7966-4478-B794-B8B1AF985B89}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
        
        C:\Windows\{DCC2E486-D1B8-4454-B2FA-02FD4966DC59}.exe
        
        C:\Windows\{DCC2E486-D1B8-4454-B2FA-02FD4966DC59}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CADBD~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1546F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3714C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6F87~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C24EE~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95057~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DD227~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{47E4A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\089DEA~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1546F39A-5A3E-4318-A210-FC11C57C8162}.exe

Filesize
90KB

MD5
95ae1092503a1a3af1446652ba61ef4c

SHA1
91605d32eace7be360bc1871c23c7d71e5e4ee34

SHA256
573a1a0c09bb59c609df5a1c32b9d9c8cf159a0c36ce835ae5bc1c177e869eae

SHA512
f40c215034da596a4585b33d4f7fbb6e35e863991cf3686f1eb52dcb8df84c0cfbef14d061da4f32da787726f9a52e438dda473cd3adcb6df0cad4e4c06c35f4

Download Submit
C:\Windows\{3714C6D5-9B4A-44d6-BC67-AE6CBCB40A75}.exe

Filesize
90KB

MD5
162dff49e69cce835b9b9732c03b5303

SHA1
27be131dcbe3afb6f85fce02cd8d8fc2eeb4678e

SHA256
950e8abc252ac5a20dfb1ec5588eeb91d6c776cbff56bd13f410f06791646009

SHA512
f3421906c3d43e0c5de4906f58672af7ba781aa522e8b0fa1a3c72fecd9f7fd852256c9a6ade6783e8732a228fcece4c21cb1247fe0086e7dc893a85716af0b1

Download Submit
C:\Windows\{47E4A31A-07DF-435c-B9DB-7AA71DA784A9}.exe

Filesize
90KB

MD5
4f14d5261473c577b99231f1ae567252

SHA1
bf3ba43e918da1501b33c6fa3ddedc0d90184b2e

SHA256
f91ec6bddd6ac214fee0eb7a94d528ca892cce74e7e3082f41853c33616580af

SHA512
bef63f6376d170ceccaca4d957e74a17880db3cadfc57a96ba916b1fd0dc82b73fcf97fbfd85346e9cf882a2f434f2c5f288e11d1517d2d2c3739362a1a30b3a

Download Submit
C:\Windows\{95057A03-D77B-4fa3-8C73-50E2B60040F6}.exe

Filesize
90KB

MD5
e7dca4d121f81694a0089c88744d972c

SHA1
702b48e00aa7095040cc5de11617b9c0508c1d30

SHA256
5ba35c0072180eeecfe5e164f1f1ad9f3b701208a8b512d7e2dd8c077b0772bd

SHA512
51b4a8117c40f4898478a95055fbf147a1554d9e6bdce4bc4d4c3b25ea739e97b4a67207ffa91626398ebb562b2bd370b00c8ed570c8b6682cebe364b24001bd

Download Submit
C:\Windows\{C24EE23A-1F9F-4089-A3DC-89AE61BAA478}.exe

Filesize
90KB

MD5
03d7cfe7f37ac5b2b5ab24961df56209

SHA1
4cde407bc6afc64c797a3e0387165c885fb3c207

SHA256
9a060cd55311a505dd31645a91e90366f00d7442a41a74c7a14e5408534ec4bd

SHA512
617093ca9bff518b410926c9cefb27618605c0104bc8d0245cd54629c65ff3ea545fb2f6d40ca078f007e55445ee002927594aa83bbeccb0e8eb89b6e372fe24

Download Submit
C:\Windows\{C6F87DB7-384F-404d-BE8F-9C7021694202}.exe

Filesize
90KB

MD5
e1eed4ab20564de6eae72d6e3a21e909

SHA1
887baffa77d56a9ef03f803777d9fc9c473a9b11

SHA256
018706579adfefc1315598874be8618320a7b22344f9a4b8b0cc4f5ac8ba0b5e

SHA512
54401d0573ba981827a77df76820ea3854af70becdbc33c2c32eca56c00ca5f2bd53bf2e5a62ccb84c373664b849fc2424d71f11036ab0db0ef4e1f699c21b0b

Download Submit
C:\Windows\{CADBD600-7966-4478-B794-B8B1AF985B89}.exe

Filesize
90KB

MD5
43153ee060818ca5dcea9a08499c8730

SHA1
d62abf2505cf1d88f4e64ed35fe302facd60104a

SHA256
0eba6aa23e61526ffaafd8718f24012811ee22e72529d75deaf97c78ca3d37e0

SHA512
598dce636c0a73487583661df7616d5164a70ebcf53ce29c29a762597a749e607adf782eb88ab101a04721f44c55d69949a6c6f80dbb7d714459a6a3b694e41d

Download Submit
C:\Windows\{DCC2E486-D1B8-4454-B2FA-02FD4966DC59}.exe

Filesize
90KB

MD5
c17b1f1c3b359a9d02be90a3113e67ab

SHA1
efc41b605b12ad73d37e949be14e0e579388572a

SHA256
fa32cc3240f1029187814a2eed8d8d61724fef35ed60a77c836cdd3a5209a894

SHA512
19a176cec8a283d3df5c3249527f366cec4b395b72b6db409a95d7928b8e9ad4c3ad432a5a1ee70075fb08f6409743094d22e90f7e187283e2e62b68eead4276

Download Submit
C:\Windows\{DD227DCB-E248-43c8-A27D-863738F7835D}.exe

Filesize
90KB

MD5
3219c7b42299827288c4f7966beea5fb

SHA1
efedcb152b26760f1632b89522a2f4e936ad62f7

SHA256
53547ae7e517dcc14d5a777840b2a3ee0ca30750e0a83953bd7ada5f2635859b

SHA512
e5c7b3cde2391a3529ae9b6fb6ea373e763dc003c65a4926d7a874b29bb1d192e20ba1166da9864a3f27e5e687a1301eebd59ce2a9f8dd8d52ff25ab5f0331cb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads