f84d0c40ce0296d4da5b27fbda3d252b579b3bc178808da65442a6098ba622d7

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f84d0c40ce0296d4da5b27fbda3d252b579b3bc178808da65442a6098ba622d7N.exe
Size

89KB
MD5

cb8c25f622669ed66ac1d073ec37ec70
SHA1

69f963f3ae60198787e2dd4ce47f3b288d00ba47
SHA256

f84d0c40ce0296d4da5b27fbda3d252b579b3bc178808da65442a6098ba622d7
SHA512

82cf7d1389e5ddbe2761a293885e93f8b80965ba1eadba6a6f44f923476ce6bdee2617ddb28c3c90297289740b580648f03c7f436b41cda292b38c83d084b873
SSDEEP

768:Qvw9816vhKQLroG4/wQRNrfrunMxVFA3b7glL:YEGh0oGl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75CC823B-A8DD-4319-A013-61E4360056C8}	{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75CC823B-A8DD-4319-A013-61E4360056C8}\stubpath = "C:\\Windows\\{75CC823B-A8DD-4319-A013-61E4360056C8}.exe"	{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8151A937-098F-4fb5-8CA1-83070A15EBD6}	{75CC823B-A8DD-4319-A013-61E4360056C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BDCA2BD-840E-435d-928C-291D3577E746}\stubpath = "C:\\Windows\\{5BDCA2BD-840E-435d-928C-291D3577E746}.exe"	{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC562057-A72F-4dbe-80B4-76FB0CC95FA7}	{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}\stubpath = "C:\\Windows\\{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe"	f84d0c40ce0296d4da5b27fbda3d252b579b3bc178808da65442a6098ba622d7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7B50AE8-3B18-44da-B204-F15FEA83791F}\stubpath = "C:\\Windows\\{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe"	{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}\stubpath = "C:\\Windows\\{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe"	{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BDCA2BD-840E-435d-928C-291D3577E746}	{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}	{5BDCA2BD-840E-435d-928C-291D3577E746}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC562057-A72F-4dbe-80B4-76FB0CC95FA7}\stubpath = "C:\\Windows\\{BC562057-A72F-4dbe-80B4-76FB0CC95FA7}.exe"	{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7B50AE8-3B18-44da-B204-F15FEA83791F}	{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8151A937-098F-4fb5-8CA1-83070A15EBD6}\stubpath = "C:\\Windows\\{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe"	{75CC823B-A8DD-4319-A013-61E4360056C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C00C104-2BBA-438d-8C39-BE35BCA935BF}	{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}	f84d0c40ce0296d4da5b27fbda3d252b579b3bc178808da65442a6098ba622d7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}	{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}\stubpath = "C:\\Windows\\{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe"	{5BDCA2BD-840E-435d-928C-291D3577E746}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C00C104-2BBA-438d-8C39-BE35BCA935BF}\stubpath = "C:\\Windows\\{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe"	{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe

Executes dropped EXE 9 IoCs

pid	Process
4584	{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe
32	{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe
4136	{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe
3028	{75CC823B-A8DD-4319-A013-61E4360056C8}.exe
4348	{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe
2348	{5BDCA2BD-840E-435d-928C-291D3577E746}.exe
4592	{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe
2752	{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe
1340	{BC562057-A72F-4dbe-80B4-76FB0CC95FA7}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{75CC823B-A8DD-4319-A013-61E4360056C8}.exe	{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe
File created	C:\Windows\{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe	{5BDCA2BD-840E-435d-928C-291D3577E746}.exe
File created	C:\Windows\{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe	{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe
File created	C:\Windows\{BC562057-A72F-4dbe-80B4-76FB0CC95FA7}.exe	{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe
File created	C:\Windows\{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe	f84d0c40ce0296d4da5b27fbda3d252b579b3bc178808da65442a6098ba622d7N.exe
File created	C:\Windows\{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe	{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe
File created	C:\Windows\{5BDCA2BD-840E-435d-928C-291D3577E746}.exe	{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe
File created	C:\Windows\{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe	{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe
File created	C:\Windows\{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe	{75CC823B-A8DD-4319-A013-61E4360056C8}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BC562057-A72F-4dbe-80B4-76FB0CC95FA7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f84d0c40ce0296d4da5b27fbda3d252b579b3bc178808da65442a6098ba622d7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75CC823B-A8DD-4319-A013-61E4360056C8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5BDCA2BD-840E-435d-928C-291D3577E746}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4128	f84d0c40ce0296d4da5b27fbda3d252b579b3bc178808da65442a6098ba622d7N.exe
Token: SeIncBasePriorityPrivilege	4584	{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe
Token: SeIncBasePriorityPrivilege	32	{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe
Token: SeIncBasePriorityPrivilege	4136	{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe
Token: SeIncBasePriorityPrivilege	3028	{75CC823B-A8DD-4319-A013-61E4360056C8}.exe
Token: SeIncBasePriorityPrivilege	4348	{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe
Token: SeIncBasePriorityPrivilege	2348	{5BDCA2BD-840E-435d-928C-291D3577E746}.exe
Token: SeIncBasePriorityPrivilege	4592	{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe
Token: SeIncBasePriorityPrivilege	2752	{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 4584	4128	f84d0c40ce0296d4da5b27fbda3d252b579b3bc178808da65442a6098ba622d7N.exe	86
PID 4128 wrote to memory of 4584	4128	f84d0c40ce0296d4da5b27fbda3d252b579b3bc178808da65442a6098ba622d7N.exe	86
PID 4128 wrote to memory of 4584	4128	f84d0c40ce0296d4da5b27fbda3d252b579b3bc178808da65442a6098ba622d7N.exe	86
PID 4128 wrote to memory of 3276	4128	f84d0c40ce0296d4da5b27fbda3d252b579b3bc178808da65442a6098ba622d7N.exe	87
PID 4128 wrote to memory of 3276	4128	f84d0c40ce0296d4da5b27fbda3d252b579b3bc178808da65442a6098ba622d7N.exe	87
PID 4128 wrote to memory of 3276	4128	f84d0c40ce0296d4da5b27fbda3d252b579b3bc178808da65442a6098ba622d7N.exe	87
PID 4584 wrote to memory of 32	4584	{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe	88
PID 4584 wrote to memory of 32	4584	{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe	88
PID 4584 wrote to memory of 32	4584	{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe	88
PID 4584 wrote to memory of 4152	4584	{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe	89
PID 4584 wrote to memory of 4152	4584	{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe	89
PID 4584 wrote to memory of 4152	4584	{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe	89
PID 32 wrote to memory of 4136	32	{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe	95
PID 32 wrote to memory of 4136	32	{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe	95
PID 32 wrote to memory of 4136	32	{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe	95
PID 32 wrote to memory of 4216	32	{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe	96
PID 32 wrote to memory of 4216	32	{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe	96
PID 32 wrote to memory of 4216	32	{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe	96
PID 4136 wrote to memory of 3028	4136	{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe	97
PID 4136 wrote to memory of 3028	4136	{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe	97
PID 4136 wrote to memory of 3028	4136	{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe	97
PID 4136 wrote to memory of 5100	4136	{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe	98
PID 4136 wrote to memory of 5100	4136	{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe	98
PID 4136 wrote to memory of 5100	4136	{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe	98
PID 3028 wrote to memory of 4348	3028	{75CC823B-A8DD-4319-A013-61E4360056C8}.exe	99
PID 3028 wrote to memory of 4348	3028	{75CC823B-A8DD-4319-A013-61E4360056C8}.exe	99
PID 3028 wrote to memory of 4348	3028	{75CC823B-A8DD-4319-A013-61E4360056C8}.exe	99
PID 3028 wrote to memory of 2988	3028	{75CC823B-A8DD-4319-A013-61E4360056C8}.exe	100
PID 3028 wrote to memory of 2988	3028	{75CC823B-A8DD-4319-A013-61E4360056C8}.exe	100
PID 3028 wrote to memory of 2988	3028	{75CC823B-A8DD-4319-A013-61E4360056C8}.exe	100
PID 4348 wrote to memory of 2348	4348	{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe	101
PID 4348 wrote to memory of 2348	4348	{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe	101
PID 4348 wrote to memory of 2348	4348	{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe	101
PID 4348 wrote to memory of 2940	4348	{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe	102
PID 4348 wrote to memory of 2940	4348	{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe	102
PID 4348 wrote to memory of 2940	4348	{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe	102
PID 2348 wrote to memory of 4592	2348	{5BDCA2BD-840E-435d-928C-291D3577E746}.exe	103
PID 2348 wrote to memory of 4592	2348	{5BDCA2BD-840E-435d-928C-291D3577E746}.exe	103
PID 2348 wrote to memory of 4592	2348	{5BDCA2BD-840E-435d-928C-291D3577E746}.exe	103
PID 2348 wrote to memory of 2044	2348	{5BDCA2BD-840E-435d-928C-291D3577E746}.exe	104
PID 2348 wrote to memory of 2044	2348	{5BDCA2BD-840E-435d-928C-291D3577E746}.exe	104
PID 2348 wrote to memory of 2044	2348	{5BDCA2BD-840E-435d-928C-291D3577E746}.exe	104
PID 4592 wrote to memory of 2752	4592	{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe	105
PID 4592 wrote to memory of 2752	4592	{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe	105
PID 4592 wrote to memory of 2752	4592	{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe	105
PID 4592 wrote to memory of 3596	4592	{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe	106
PID 4592 wrote to memory of 3596	4592	{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe	106
PID 4592 wrote to memory of 3596	4592	{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe	106
PID 2752 wrote to memory of 1340	2752	{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe	107
PID 2752 wrote to memory of 1340	2752	{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe	107
PID 2752 wrote to memory of 1340	2752	{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe	107
PID 2752 wrote to memory of 2756	2752	{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe	108
PID 2752 wrote to memory of 2756	2752	{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe	108
PID 2752 wrote to memory of 2756	2752	{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe	108

C:\Users\Admin\AppData\Local\Temp\f84d0c40ce0296d4da5b27fbda3d252b579b3bc178808da65442a6098ba622d7N.exe
"C:\Users\Admin\AppData\Local\Temp\f84d0c40ce0296d4da5b27fbda3d252b579b3bc178808da65442a6098ba622d7N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe
  C:\Windows\{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe
    C:\Windows\{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:32
  - - C:\Windows\{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe
      C:\Windows\{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4136
    - - C:\Windows\{75CC823B-A8DD-4319-A013-61E4360056C8}.exe
        
        C:\Windows\{75CC823B-A8DD-4319-A013-61E4360056C8}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
      - C:\Windows\{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe
        
        C:\Windows\{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\{5BDCA2BD-840E-435d-928C-291D3577E746}.exe
        
        C:\Windows\{5BDCA2BD-840E-435d-928C-291D3577E746}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe
        
        C:\Windows\{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe
        
        C:\Windows\{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{BC562057-A72F-4dbe-80B4-76FB0CC95FA7}.exe
        
        C:\Windows\{BC562057-A72F-4dbe-80B4-76FB0CC95FA7}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C00C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6375~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BDCA~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8151A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75CC8~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7006~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E7B50~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{47DF7~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F84D0C~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{47DF7F56-3CD1-4c49-8EC6-3DF7C2BB9C47}.exe

Filesize
89KB

MD5
bb32f2b0cb7be6c1f2cb200db33a70a8

SHA1
3104467b94ed344c91da62276b87f16e66c9aef6

SHA256
f335cfa8e9bda1304897a21adba93ebf8900688f8054c224c3c0668fd5c724cd

SHA512
59bcee0f2cabe66304b1b42c3d242a4512b07db763337ddd07ea8877f78523c17ddffc7a69c8d7b01911b43c3534f0ecd5e5f11cb5473acee2caeed943ace55b

Download Submit
C:\Windows\{5BDCA2BD-840E-435d-928C-291D3577E746}.exe

Filesize
89KB

MD5
33601583a642ad30d10fae986ce2e146

SHA1
afa7a65692156127e494b8ea5bcb225b57e46cc8

SHA256
dfea6cc64b34f77490060e28d955bbd5a119693748012c3012cd195283206592

SHA512
111272c4e46f75a2e2801810c2ce5d84c4158563ef2a9b4b72c637432ad5dc4b03bbd93b083e44aed1fa8b8e9a906aa0f802a47d1042767773c258e8f794e929

Download Submit
C:\Windows\{6C00C104-2BBA-438d-8C39-BE35BCA935BF}.exe

Filesize
89KB

MD5
a5ce54b46295aaf6f81b217d44eb7ba5

SHA1
da3928b26ee2d06ffe651232ebc46ee4e59c9d7e

SHA256
49c3dc64673acd790e3cb9222310e09bb6c4ea8c2aed70080655cbff60ca75c6

SHA512
a167e293865cc191bde80f9e3c99fa8a68d2e20e477dd8e90f42e4423ea548bbf1d1bcd15d50b458b4eed222cef84e5082a006d3d26774476f5b66ed87fe443f

Download Submit
C:\Windows\{75CC823B-A8DD-4319-A013-61E4360056C8}.exe

Filesize
89KB

MD5
fd023d9411859a9c57f7218019e52bd9

SHA1
19eb54f12e6b4c6ed8eab18a0a30ab8eedb8a9bf

SHA256
6e251d004b6b6e20af89813b64126d705c999003b40e0a71c3bac3c1a5d775a5

SHA512
f25ffb976e1c012acb6c67aafff42ae65ca8f661042329db385daa214cf9340c78f41471fe1b2a9d94d913d90917f434ff3359f3bc1f6deed5644ed5b7e4bc07

Download Submit
C:\Windows\{8151A937-098F-4fb5-8CA1-83070A15EBD6}.exe

Filesize
89KB

MD5
5438fec3d40278aa5c3b487b0aa76972

SHA1
64554839050c21a7428c4d8504a005ccc56c8d92

SHA256
fca3aa33cecdac83be8f1f6d66fb509a765dacd6f3f5d18c9f0c7b004631061b

SHA512
c9153d9caa84898140e6a06fb9d011692c92352ce7a131ede1676ad23eb08ddeb3729f0d461bd2c4e64161f0e7882da42031a91628ef3aa411dd79fa21dd8b34

Download Submit
C:\Windows\{BC562057-A72F-4dbe-80B4-76FB0CC95FA7}.exe

Filesize
89KB

MD5
1d5e7d190ac17067a74f53221a594bf0

SHA1
0b20fd1ea3491452699db71ed63dea31f2ddd316

SHA256
c09173386ae268a7cd6072b9d15cb7abbc1b102845f27cb6dff22c475dd7a7de

SHA512
5a717fc39b85df97080bff9121693a606efb02b232b3aa290b15a6b8fc4c71ccc23e36a1bf63e45ca3d1ff67fa475b031cde74cc09d1f10f880c923f1b4c5060

Download Submit
C:\Windows\{E7006C9C-9DC3-4039-8553-D2CBD56FAD24}.exe

Filesize
89KB

MD5
38dd2195947787cea932e561d0652eb4

SHA1
3a15ad1cc8383a030c2f4aebdafed869bb544db2

SHA256
8602f443ba55a97f020680b42451739a2ca4276cace357e44a89abcb9a8c9fa1

SHA512
aeaec2da4513b4f89cbbfd9bc8df7b05a5c5404ac950a1e7daac36eee042ae529e8c029927b7d12d8889f31a4f3ffa832230e97033dfad8dd0a9d6239a3b08d1

Download Submit
C:\Windows\{E7B50AE8-3B18-44da-B204-F15FEA83791F}.exe

Filesize
89KB

MD5
ff482d76d6b7c5400409b3e82453b22d

SHA1
de589ba18d5930d7cc89d2d28960b1e836d3be9f

SHA256
73d97935633363b913521d57e305d4150281d034270ec03700c719757cbf20a8

SHA512
729cd97179bfe065db1f833c60933caedcfca66c1d1af4d82a4c6fec2b6687eb7cb13ba855b098fed77c037cebf609e27f19111d2a034983200e0d5071c01f6c

Download Submit
C:\Windows\{F6375BC8-459B-4a86-A5AA-F0D45B85F6CB}.exe

Filesize
89KB

MD5
771e811e8e265659189e3c5532f7e144

SHA1
390c080beb196e58c79eeab795c88e8fca94d3fa

SHA256
e2edd53457a51ca1d6c5eaca4c368958cf62b4027fe2528a0096a81490d377c4

SHA512
b9ffcf6316027cb1cd348a2c4e5bc442fa1431b45e89352ef4820af4931167bdc7ec0362e58c81b00d93d0f35a0301def0b2e9b333a5cb919cdba5f38164e545

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads