eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2a

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe
Size

90KB
MD5

ccd44d9cf191c8ce2e496c321ee07d50
SHA1

7725bdcd91468f036ead971b347b096e46e31a00
SHA256

eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2a
SHA512

b915d53e94a01e862071f90bc7d2c5605a18a134e556b054d88c82a67785610989c7761072b261a5f40ca74019272c104ebb5875af1a606c45167869b8bbe762
SSDEEP

768:5vw9816thKQLroq4/wQkNrfrunMxVFA3bA:lEG/0oqlbunMxVS3c

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4667685-8C6D-445c-A6F0-C075E373C61A}\stubpath = "C:\\Windows\\{C4667685-8C6D-445c-A6F0-C075E373C61A}.exe"	{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7F6FB28-7012-4891-91C5-6409F9413ABE}\stubpath = "C:\\Windows\\{B7F6FB28-7012-4891-91C5-6409F9413ABE}.exe"	{C4667685-8C6D-445c-A6F0-C075E373C61A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}\stubpath = "C:\\Windows\\{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe"	eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}	{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26500469-F28B-48e3-9A39-97B58DF16225}	{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}	{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}\stubpath = "C:\\Windows\\{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe"	{26500469-F28B-48e3-9A39-97B58DF16225}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}\stubpath = "C:\\Windows\\{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe"	{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}\stubpath = "C:\\Windows\\{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe"	{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}\stubpath = "C:\\Windows\\{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe"	{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7F6FB28-7012-4891-91C5-6409F9413ABE}	{C4667685-8C6D-445c-A6F0-C075E373C61A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26500469-F28B-48e3-9A39-97B58DF16225}\stubpath = "C:\\Windows\\{26500469-F28B-48e3-9A39-97B58DF16225}.exe"	{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}	{26500469-F28B-48e3-9A39-97B58DF16225}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4667685-8C6D-445c-A6F0-C075E373C61A}	{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}	eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}	{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{674098BE-4CDC-4eda-B161-D72D8F80F3FD}	{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{674098BE-4CDC-4eda-B161-D72D8F80F3FD}\stubpath = "C:\\Windows\\{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe"	{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2636	{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe
2700	{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe
2904	{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe
1784	{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe
3056	{26500469-F28B-48e3-9A39-97B58DF16225}.exe
2496	{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe
368	{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe
2196	{C4667685-8C6D-445c-A6F0-C075E373C61A}.exe
1832	{B7F6FB28-7012-4891-91C5-6409F9413ABE}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{26500469-F28B-48e3-9A39-97B58DF16225}.exe	{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe
File created	C:\Windows\{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe	{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe
File created	C:\Windows\{C4667685-8C6D-445c-A6F0-C075E373C61A}.exe	{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe
File created	C:\Windows\{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe	{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe
File created	C:\Windows\{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe	{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe
File created	C:\Windows\{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe	{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe
File created	C:\Windows\{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe	{26500469-F28B-48e3-9A39-97B58DF16225}.exe
File created	C:\Windows\{B7F6FB28-7012-4891-91C5-6409F9413ABE}.exe	{C4667685-8C6D-445c-A6F0-C075E373C61A}.exe
File created	C:\Windows\{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe	eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26500469-F28B-48e3-9A39-97B58DF16225}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B7F6FB28-7012-4891-91C5-6409F9413ABE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4667685-8C6D-445c-A6F0-C075E373C61A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2964	eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe
Token: SeIncBasePriorityPrivilege	2636	{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe
Token: SeIncBasePriorityPrivilege	2700	{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe
Token: SeIncBasePriorityPrivilege	2904	{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe
Token: SeIncBasePriorityPrivilege	1784	{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe
Token: SeIncBasePriorityPrivilege	3056	{26500469-F28B-48e3-9A39-97B58DF16225}.exe
Token: SeIncBasePriorityPrivilege	2496	{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe
Token: SeIncBasePriorityPrivilege	368	{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe
Token: SeIncBasePriorityPrivilege	2196	{C4667685-8C6D-445c-A6F0-C075E373C61A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2636	2964	eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe	30
PID 2964 wrote to memory of 2636	2964	eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe	30
PID 2964 wrote to memory of 2636	2964	eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe	30
PID 2964 wrote to memory of 2636	2964	eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe	30
PID 2964 wrote to memory of 2712	2964	eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe	31
PID 2964 wrote to memory of 2712	2964	eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe	31
PID 2964 wrote to memory of 2712	2964	eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe	31
PID 2964 wrote to memory of 2712	2964	eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe	31
PID 2636 wrote to memory of 2700	2636	{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe	32
PID 2636 wrote to memory of 2700	2636	{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe	32
PID 2636 wrote to memory of 2700	2636	{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe	32
PID 2636 wrote to memory of 2700	2636	{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe	32
PID 2636 wrote to memory of 2624	2636	{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe	33
PID 2636 wrote to memory of 2624	2636	{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe	33
PID 2636 wrote to memory of 2624	2636	{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe	33
PID 2636 wrote to memory of 2624	2636	{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe	33
PID 2700 wrote to memory of 2904	2700	{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe	34
PID 2700 wrote to memory of 2904	2700	{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe	34
PID 2700 wrote to memory of 2904	2700	{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe	34
PID 2700 wrote to memory of 2904	2700	{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe	34
PID 2700 wrote to memory of 2492	2700	{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe	35
PID 2700 wrote to memory of 2492	2700	{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe	35
PID 2700 wrote to memory of 2492	2700	{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe	35
PID 2700 wrote to memory of 2492	2700	{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe	35
PID 2904 wrote to memory of 1784	2904	{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe	36
PID 2904 wrote to memory of 1784	2904	{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe	36
PID 2904 wrote to memory of 1784	2904	{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe	36
PID 2904 wrote to memory of 1784	2904	{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe	36
PID 2904 wrote to memory of 2080	2904	{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe	37
PID 2904 wrote to memory of 2080	2904	{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe	37
PID 2904 wrote to memory of 2080	2904	{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe	37
PID 2904 wrote to memory of 2080	2904	{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe	37
PID 1784 wrote to memory of 3056	1784	{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe	38
PID 1784 wrote to memory of 3056	1784	{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe	38
PID 1784 wrote to memory of 3056	1784	{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe	38
PID 1784 wrote to memory of 3056	1784	{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe	38
PID 1784 wrote to memory of 2176	1784	{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe	39
PID 1784 wrote to memory of 2176	1784	{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe	39
PID 1784 wrote to memory of 2176	1784	{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe	39
PID 1784 wrote to memory of 2176	1784	{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe	39
PID 3056 wrote to memory of 2496	3056	{26500469-F28B-48e3-9A39-97B58DF16225}.exe	40
PID 3056 wrote to memory of 2496	3056	{26500469-F28B-48e3-9A39-97B58DF16225}.exe	40
PID 3056 wrote to memory of 2496	3056	{26500469-F28B-48e3-9A39-97B58DF16225}.exe	40
PID 3056 wrote to memory of 2496	3056	{26500469-F28B-48e3-9A39-97B58DF16225}.exe	40
PID 3056 wrote to memory of 1820	3056	{26500469-F28B-48e3-9A39-97B58DF16225}.exe	41
PID 3056 wrote to memory of 1820	3056	{26500469-F28B-48e3-9A39-97B58DF16225}.exe	41
PID 3056 wrote to memory of 1820	3056	{26500469-F28B-48e3-9A39-97B58DF16225}.exe	41
PID 3056 wrote to memory of 1820	3056	{26500469-F28B-48e3-9A39-97B58DF16225}.exe	41
PID 2496 wrote to memory of 368	2496	{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe	42
PID 2496 wrote to memory of 368	2496	{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe	42
PID 2496 wrote to memory of 368	2496	{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe	42
PID 2496 wrote to memory of 368	2496	{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe	42
PID 2496 wrote to memory of 1336	2496	{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe	43
PID 2496 wrote to memory of 1336	2496	{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe	43
PID 2496 wrote to memory of 1336	2496	{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe	43
PID 2496 wrote to memory of 1336	2496	{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe	43
PID 368 wrote to memory of 2196	368	{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe	45
PID 368 wrote to memory of 2196	368	{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe	45
PID 368 wrote to memory of 2196	368	{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe	45
PID 368 wrote to memory of 2196	368	{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe	45
PID 368 wrote to memory of 1716	368	{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe	46
PID 368 wrote to memory of 1716	368	{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe	46
PID 368 wrote to memory of 1716	368	{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe	46
PID 368 wrote to memory of 1716	368	{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe	46

C:\Users\Admin\AppData\Local\Temp\eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe
"C:\Users\Admin\AppData\Local\Temp\eb591fa865d5803ebf1e7fbcbc68d58be7038446e35608a3e6f2686be93a2a2aN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe
  C:\Windows\{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe
    C:\Windows\{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe
      C:\Windows\{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe
        
        C:\Windows\{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Windows\{26500469-F28B-48e3-9A39-97B58DF16225}.exe
        
        C:\Windows\{26500469-F28B-48e3-9A39-97B58DF16225}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe
        
        C:\Windows\{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe
        
        C:\Windows\{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\{C4667685-8C6D-445c-A6F0-C075E373C61A}.exe
        
        C:\Windows\{C4667685-8C6D-445c-A6F0-C075E373C61A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\{B7F6FB28-7012-4891-91C5-6409F9413ABE}.exe
        
        C:\Windows\{B7F6FB28-7012-4891-91C5-6409F9413ABE}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4667~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D339~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21649~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26500~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67409~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD76E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5EC9C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1EA72~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EB591F~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1EA72634-7FC4-4315-9471-E8FFCF1FE51C}.exe

Filesize
90KB

MD5
bb66ef3bc6f6e47d8e6219c5bd84e7e1

SHA1
070fbdd18762d47a7ec5b14b79dd06b6426368d3

SHA256
30aa1d4a8efde3b8009f8b889ca0531563c454a943a761e9079fd5edcc60a56e

SHA512
f269052cfdef412c0a2b4d0a115688807341c0843039b96ef9f64b9db442626014978c79d19da09a9315384eb533aa4db6839457c1889972876829f77fa09e2d

Download Submit
C:\Windows\{21649129-6A48-4bc9-AAF9-7EB5D6D7A1CA}.exe

Filesize
90KB

MD5
7691533efbdeea501ecc7d07a614f83b

SHA1
34467a5d9c9c65378521b007bcb9bbd676a291ef

SHA256
d1a771c04c8523f9ecfc75febee5280f0bd100c5539c925153442cf4ed14dfdf

SHA512
7c060c036b9d71e33538c8086bd64d63b126ecb009006bb3535a243ef237291cab58ece62b6f1bd6572b0b1c2eeb252697eb81ea360dad01ed217a7c13dd6eac

Download Submit
C:\Windows\{26500469-F28B-48e3-9A39-97B58DF16225}.exe

Filesize
90KB

MD5
a5e622a484372bdbb7ef46515c4f20e8

SHA1
0b0f0a7d93c29db2ff45037b401b4e8e516d4bf0

SHA256
4c38f7a13a5a14a3e209efcccb682935a544d1480ef58b7e820cc949a6c062f9

SHA512
f70be17b02ed426daf0359421693529bc081fc0f3ae08769e597ab8eff1bdcfde3385127be126e0acd45bd68ebac03a6f2869360e59fba18d6edd45e9ca19714

Download Submit
C:\Windows\{3D339EAD-ABF3-49e6-B3C5-581DF7AD2949}.exe

Filesize
90KB

MD5
f8b665e5a7f45c997e0d90d740272245

SHA1
b5e3b64a49ac34ce7b5a7926803223b31237ba84

SHA256
147d19d50b24e6ef11ff4519edb043da8bbd7637e372a25e8c10230e8938adad

SHA512
495dc16a59859ce5cb34fc66caa824fc7704481e6d75890b8e03f963bd27c7d5143e58fc41dae5dabe784cf21475fe5ee60976e40514e232729e87d94b72cd17

Download Submit
C:\Windows\{5EC9C421-3859-439e-BCEE-0EEAAB0B632C}.exe

Filesize
90KB

MD5
707ad1fcc3ea0b9bb84c548105f8fd38

SHA1
49ebe0109fe574ab7dcb42d7095834193bc32098

SHA256
ba1c5eded0612830b2194b4074eeecaf03e87de467075b838aa45310d1889629

SHA512
3884ebf1c7feb5bde863479fe3d6702840f5fa15f1f594ec94989c6ac2213de7e33217d3dc4ee9b8efc55068a994a147c78e5b49d7c9490b84fb2f744f845f61

Download Submit
C:\Windows\{674098BE-4CDC-4eda-B161-D72D8F80F3FD}.exe

Filesize
90KB

MD5
6367034d53c408bfe2c6226f3f52ccd3

SHA1
cfbf427462890f7bd4acf18e4dcf35de2d326be7

SHA256
119751b3c910fc50ed8485eb690d00d56384833fc659567dcdd8a468cd7b4af8

SHA512
e115b00270dbe168a6107f903551d326c64caa02be3ffb3f9264456020de045fed387a3a94296f8b8fbb160681a270978fa6ca9ae8ddede52c3e3141575b3cb4

Download Submit
C:\Windows\{B7F6FB28-7012-4891-91C5-6409F9413ABE}.exe

Filesize
90KB

MD5
f679a456a3005e3f435e60bc727fae0b

SHA1
269e5eaa7b82b8acaf88a34e007147d75a9c3068

SHA256
1ba245b4c09763e35f747b4cf758c84357d214a86b3f1ec706a7925d3fee468b

SHA512
48cdfd4bbec16efb6cb8782e5903b87dc77c3032d238e9126574a3ffd49f5693a502cd3b4f57acf02e572bde84c28bc3cbe48ca5a30879f3220b87581c91919c

Download Submit
C:\Windows\{C4667685-8C6D-445c-A6F0-C075E373C61A}.exe

Filesize
90KB

MD5
a7d85c5eec7b36da7a2b54715cdcae90

SHA1
5be011cc36fccfb54d1c74d63b8d1da031fa30cb

SHA256
9602729512f0c5e8a1753e82d7546b810a81e64fdf08a1007193784156f58bf9

SHA512
2230397007cf54f5d0c389a702304195817ced33a6436b63b3cf0deb4f5109ee863a0a803747be6157ee6e52bfabac39ded6b5d9f695759fbdabeff000c7a1ad

Download Submit
C:\Windows\{DD76EFC6-DCE5-44aa-AAA9-C353D6523E80}.exe

Filesize
90KB

MD5
9aa1401779466fb33aea84384114afc9

SHA1
7ce85c9467cf874019a7d2705aef61d9af3a2aa7

SHA256
e81f1abff041df0ee141f56e63745a00cc3a0262a6870dba6e4b8c822e250fa9

SHA512
ff8ab1c13b69804ef48adb48bfe34ee5687a0d0480952226d976774a713a4d845ddcf086ae6f9ac7f81cea23c42b6613cbffe7627cfc9b5924f0f3da5adf6a14

Download Submit
memory/368-75-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/368-70-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/1784-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1784-44-0x00000000004A0000-0x00000000004B1000-memory.dmp

Filesize
68KB

Download
memory/2196-78-0x0000000000460000-0x0000000000471000-memory.dmp

Filesize
68KB

Download
memory/2196-84-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2496-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2496-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2496-61-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/2636-13-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2636-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2700-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2700-22-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/2700-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2904-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2904-31-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/2964-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2964-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2964-4-0x00000000004A0000-0x00000000004B1000-memory.dmp

Filesize
68KB

Download
memory/2964-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3056-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3056-51-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/3056-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads