Analysis

max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06/10/2024, 04:38

Static task: static1
Behavioral task: behavioral1
  Sample: 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe
  Resource: win10v2004-20240802-en
General

Target: 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe
Size: 88KB
MD5: b381cdb0ea1410e3fafc78ee82b34ae0
SHA1: 1643547a70af842cc1e99f2fdfd003fedaa958bc
SHA256: 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8
SHA512: fcf53fc43f82c5e57177d5f3848d144c45e43beab869b0aa2961dca4099dccb75114f91bd463f44c088fe2dcdaca38b2bba573467fcab30a7394fda4dc0cfb5a
SSDEEP: 768:5vw9816thKQLro04/wQkNrfrunMxVFA3V:lEG/0o0lbunMxVS3V
Malware Config
Signatures

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{798AF0DA-8B1A-412f-BB74-58E29AF31EA0}\stubpath = "C:\\Windows\\{798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe" | {2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E5A967F-BC20-4045-A8E6-925194CC377E}\stubpath = "C:\\Windows\\{5E5A967F-BC20-4045-A8E6-925194CC377E}.exe" | {798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D} | 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}\stubpath = "C:\\Windows\\{A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe" | 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2973A795-5857-4fd4-A04B-C7AC5589982C} | {A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{798AF0DA-8B1A-412f-BB74-58E29AF31EA0} | {2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB1E329E-5AFA-4871-BD5B-3F02ECB18C2E}\stubpath = "C:\\Windows\\{FB1E329E-5AFA-4871-BD5B-3F02ECB18C2E}.exe" | {919286E1-8664-4268-90A9-D8037D365B36}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0FB6492-C86C-496f-A368-2C842D13B9B6} | {A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0FB6492-C86C-496f-A368-2C842D13B9B6}\stubpath = "C:\\Windows\\{A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe" | {A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F0EF60F-DB17-4c64-AB74-79A3CD389BDD} | {5E5A967F-BC20-4045-A8E6-925194CC377E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{919286E1-8664-4268-90A9-D8037D365B36} | {4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB1E329E-5AFA-4871-BD5B-3F02ECB18C2E} | {919286E1-8664-4268-90A9-D8037D365B36}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2973A795-5857-4fd4-A04B-C7AC5589982C}\stubpath = "C:\\Windows\\{2973A795-5857-4fd4-A04B-C7AC5589982C}.exe" | {A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2470F2D9-4965-4d8a-A030-C72A7A3F14E6} | {2973A795-5857-4fd4-A04B-C7AC5589982C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E5A967F-BC20-4045-A8E6-925194CC377E} | {798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{919286E1-8664-4268-90A9-D8037D365B36}\stubpath = "C:\\Windows\\{919286E1-8664-4268-90A9-D8037D365B36}.exe" | {4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2470F2D9-4965-4d8a-A030-C72A7A3F14E6}\stubpath = "C:\\Windows\\{2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe" | {2973A795-5857-4fd4-A04B-C7AC5589982C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}\stubpath = "C:\\Windows\\{4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe" | {5E5A967F-BC20-4045-A8E6-925194CC377E}.exe
Deletes itself (1 IoC)

pid | Process
2180 | cmd.exe
Executes dropped EXE (9 IoCs)

pid | Process
2928 | {A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe
1144 | {A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe
2996 | {2973A795-5857-4fd4-A04B-C7AC5589982C}.exe
2684 | {2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe
1140 | {798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe
2036 | {5E5A967F-BC20-4045-A8E6-925194CC377E}.exe
2120 | {4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe
2968 | {919286E1-8664-4268-90A9-D8037D365B36}.exe
2184 | {FB1E329E-5AFA-4871-BD5B-3F02ECB18C2E}.exe
Drops file in Windows directory (9 IoCs)

description | ioc | Process
File created | C:\Windows\{4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe | {5E5A967F-BC20-4045-A8E6-925194CC377E}.exe
File created | C:\Windows\{919286E1-8664-4268-90A9-D8037D365B36}.exe | {4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe
File created | C:\Windows\{FB1E329E-5AFA-4871-BD5B-3F02ECB18C2E}.exe | {919286E1-8664-4268-90A9-D8037D365B36}.exe
File created | C:\Windows\{798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe | {2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe
File created | C:\Windows\{A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe | {A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe
File created | C:\Windows\{2973A795-5857-4fd4-A04B-C7AC5589982C}.exe | {A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe
File created | C:\Windows\{2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe | {2973A795-5857-4fd4-A04B-C7AC5589982C}.exe
File created | C:\Windows\{5E5A967F-BC20-4045-A8E6-925194CC377E}.exe | {798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe
File created | C:\Windows\{A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe | 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe
System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {2973A795-5857-4fd4-A04B-C7AC5589982C}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {919286E1-8664-4268-90A9-D8037D365B36}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {5E5A967F-BC20-4045-A8E6-925194CC377E}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {FB1E329E-5AFA-4871-BD5B-3F02ECB18C2E}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious use of AdjustPrivilegeToken (9 IoCs)

description | pid | Process
Token: SeIncBasePriorityPrivilege | 2104 | 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe
Token: SeIncBasePriorityPrivilege | 2928 | {A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe
Token: SeIncBasePriorityPrivilege | 1144 | {A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe
Token: SeIncBasePriorityPrivilege | 2996 | {2973A795-5857-4fd4-A04B-C7AC5589982C}.exe
Token: SeIncBasePriorityPrivilege | 2684 | {2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe
Token: SeIncBasePriorityPrivilege | 1140 | {798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe
Token: SeIncBasePriorityPrivilege | 2036 | {5E5A967F-BC20-4045-A8E6-925194CC377E}.exe
Token: SeIncBasePriorityPrivilege | 2120 | {4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe
Token: SeIncBasePriorityPrivilege | 2968 | {919286E1-8664-4268-90A9-D8037D365B36}.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 2104 wrote to memory of 2928 | 2104 | 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe | 31
PID 2104 wrote to memory of 2928 | 2104 | 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe | 31
PID 2104 wrote to memory of 2928 | 2104 | 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe | 31
PID 2104 wrote to memory of 2928 | 2104 | 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe | 31
PID 2104 wrote to memory of 2180 | 2104 | 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe | 32
PID 2104 wrote to memory of 2180 | 2104 | 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe | 32
PID 2104 wrote to memory of 2180 | 2104 | 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe | 32
PID 2104 wrote to memory of 2180 | 2104 | 9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe | 32
PID 2928 wrote to memory of 1144 | 2928 | {A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe | 33
PID 2928 wrote to memory of 1144 | 2928 | {A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe | 33
PID 2928 wrote to memory of 1144 | 2928 | {A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe | 33
PID 2928 wrote to memory of 1144 | 2928 | {A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe | 33
PID 2928 wrote to memory of 2616 | 2928 | {A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe | 34
PID 2928 wrote to memory of 2616 | 2928 | {A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe | 34
PID 2928 wrote to memory of 2616 | 2928 | {A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe | 34
PID 2928 wrote to memory of 2616 | 2928 | {A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe | 34
PID 1144 wrote to memory of 2996 | 1144 | {A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe | 35
PID 1144 wrote to memory of 2996 | 1144 | {A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe | 35
PID 1144 wrote to memory of 2996 | 1144 | {A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe | 35
PID 1144 wrote to memory of 2996 | 1144 | {A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe | 35
PID 1144 wrote to memory of 2652 | 1144 | {A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe | 36
PID 1144 wrote to memory of 2652 | 1144 | {A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe | 36
PID 1144 wrote to memory of 2652 | 1144 | {A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe | 36
PID 1144 wrote to memory of 2652 | 1144 | {A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe | 36
PID 2996 wrote to memory of 2684 | 2996 | {2973A795-5857-4fd4-A04B-C7AC5589982C}.exe | 37
PID 2996 wrote to memory of 2684 | 2996 | {2973A795-5857-4fd4-A04B-C7AC5589982C}.exe | 37
PID 2996 wrote to memory of 2684 | 2996 | {2973A795-5857-4fd4-A04B-C7AC5589982C}.exe | 37
PID 2996 wrote to memory of 2684 | 2996 | {2973A795-5857-4fd4-A04B-C7AC5589982C}.exe | 37
PID 2996 wrote to memory of 2188 | 2996 | {2973A795-5857-4fd4-A04B-C7AC5589982C}.exe | 38
PID 2996 wrote to memory of 2188 | 2996 | {2973A795-5857-4fd4-A04B-C7AC5589982C}.exe | 38
PID 2996 wrote to memory of 2188 | 2996 | {2973A795-5857-4fd4-A04B-C7AC5589982C}.exe | 38
PID 2996 wrote to memory of 2188 | 2996 | {2973A795-5857-4fd4-A04B-C7AC5589982C}.exe | 38
PID 2684 wrote to memory of 1140 | 2684 | {2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe | 39
PID 2684 wrote to memory of 1140 | 2684 | {2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe | 39
PID 2684 wrote to memory of 1140 | 2684 | {2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe | 39
PID 2684 wrote to memory of 1140 | 2684 | {2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe | 39
PID 2684 wrote to memory of 1480 | 2684 | {2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe | 40
PID 2684 wrote to memory of 1480 | 2684 | {2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe | 40
PID 2684 wrote to memory of 1480 | 2684 | {2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe | 40
PID 2684 wrote to memory of 1480 | 2684 | {2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe | 40
PID 1140 wrote to memory of 2036 | 1140 | {798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe | 41
PID 1140 wrote to memory of 2036 | 1140 | {798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe | 41
PID 1140 wrote to memory of 2036 | 1140 | {798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe | 41
PID 1140 wrote to memory of 2036 | 1140 | {798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe | 41
PID 1140 wrote to memory of 2860 | 1140 | {798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe | 42
PID 1140 wrote to memory of 2860 | 1140 | {798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe | 42
PID 1140 wrote to memory of 2860 | 1140 | {798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe | 42
PID 1140 wrote to memory of 2860 | 1140 | {798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe | 42
PID 2036 wrote to memory of 2120 | 2036 | {5E5A967F-BC20-4045-A8E6-925194CC377E}.exe | 43
PID 2036 wrote to memory of 2120 | 2036 | {5E5A967F-BC20-4045-A8E6-925194CC377E}.exe | 43
PID 2036 wrote to memory of 2120 | 2036 | {5E5A967F-BC20-4045-A8E6-925194CC377E}.exe | 43
PID 2036 wrote to memory of 2120 | 2036 | {5E5A967F-BC20-4045-A8E6-925194CC377E}.exe | 43
PID 2036 wrote to memory of 1256 | 2036 | {5E5A967F-BC20-4045-A8E6-925194CC377E}.exe | 44
PID 2036 wrote to memory of 1256 | 2036 | {5E5A967F-BC20-4045-A8E6-925194CC377E}.exe | 44
PID 2036 wrote to memory of 1256 | 2036 | {5E5A967F-BC20-4045-A8E6-925194CC377E}.exe | 44
PID 2036 wrote to memory of 1256 | 2036 | {5E5A967F-BC20-4045-A8E6-925194CC377E}.exe | 44
PID 2120 wrote to memory of 2968 | 2120 | {4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe | 45
PID 2120 wrote to memory of 2968 | 2120 | {4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe | 45
PID 2120 wrote to memory of 2968 | 2120 | {4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe | 45
PID 2120 wrote to memory of 2968 | 2120 | {4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe | 45
PID 2120 wrote to memory of 2708 | 2120 | {4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe | 46
PID 2120 wrote to memory of 2708 | 2120 | {4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe | 46
PID 2120 wrote to memory of 2708 | 2120 | {4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe | 46
PID 2120 wrote to memory of 2708 | 2120 | {4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe | 46
Processes

[1] C:\Users\Admin\AppData\Local\Temp\9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe (PID 2104)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9ea1ebfbaad70b70a6b3d20eb19858283fb80b7f2ffcf54a1b64ee0b160f23f8N.exe"
    - Boot or Logon Autostart Execution: Active Setup
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\{A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe (PID 2928)
      Command line: C:\Windows\{A8AD91CE-59AB-4f84-AA1E-A5BF42923C9D}.exe
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\{A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe (PID 1144)
        Command line: C:\Windows\{A0FB6492-C86C-496f-A368-2C842D13B9B6}.exe
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\{2973A795-5857-4fd4-A04B-C7AC5589982C}.exe (PID 2996)
          Command line: C:\Windows\{2973A795-5857-4fd4-A04B-C7AC5589982C}.exe
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\{2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe (PID 2684)
            Command line: C:\Windows\{2470F2D9-4965-4d8a-A030-C72A7A3F14E6}.exe
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\{798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe (PID 1140)
              Command line: C:\Windows\{798AF0DA-8B1A-412f-BB74-58E29AF31EA0}.exe
              - Boot or Logon Autostart Execution: Active Setup
              - Executes dropped EXE
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\{5E5A967F-BC20-4045-A8E6-925194CC377E}.exe (PID 2036)
                Command line: C:\Windows\{5E5A967F-BC20-4045-A8E6-925194CC377E}.exe
                - Boot or Logon Autostart Execution: Active Setup
                - Executes dropped EXE
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

              [8] C:\Windows\{4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe (PID 2120)
                  Command line: C:\Windows\{4F0EF60F-DB17-4c64-AB74-79A3CD389BDD}.exe
                  - Boot or Logon Autostart Execution: Active Setup
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory

                [9] C:\Windows\{919286E1-8664-4268-90A9-D8037D365B36}.exe (PID 2968)
                    Command line: C:\Windows\{919286E1-8664-4268-90A9-D8037D365B36}.exe
                    - Boot or Logon Autostart Execution: Active Setup
                    - Executes dropped EXE
                    - Drops file in Windows directory
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of AdjustPrivilegeToken

                  [10] C:\Windows\{FB1E329E-5AFA-4871-BD5B-3F02ECB18C2E}.exe (PID 2184)
                       Command line: C:\Windows\{FB1E329E-5AFA-4871-BD5B-3F02ECB18C2E}.exe
                       - Executes dropped EXE
                       - System Location Discovery: System Language Discovery

                  [10] C:\Windows\SysWOW64\cmd.exe (PID 2992)
                       Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{91928~1.EXE > nul
                       - System Location Discovery: System Language Discovery

                [9] C:\Windows\SysWOW64\cmd.exe (PID 2708)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{4F0EF~1.EXE > nul
                    - System Location Discovery: System Language Discovery

              [8] C:\Windows\SysWOW64\cmd.exe (PID 1256)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5E5A9~1.EXE > nul
                  - System Location Discovery: System Language Discovery

            [7] C:\Windows\SysWOW64\cmd.exe (PID 2860)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{798AF~1.EXE > nul
                - System Location Discovery: System Language Discovery

          [6] C:\Windows\SysWOW64\cmd.exe (PID 1480)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2470F~1.EXE > nul
              - System Location Discovery: System Language Discovery

        [5] C:\Windows\SysWOW64\cmd.exe (PID 2188)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2973A~1.EXE > nul
            - System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\cmd.exe (PID 2652)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A0FB6~1.EXE > nul
          - System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\cmd.exe (PID 2616)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{A8AD9~1.EXE > nul
        - System Location Discovery: System Language Discovery

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2180)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9EA1EB~1.EXE > nul
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads