d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9f

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe
Size

90KB
MD5

6c76a2756679ccdd6a605cb320f6ba50
SHA1

af8b289f703229a1f661c2a1c18446b4c09f37e1
SHA256

d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9f
SHA512

1fe6aa32f32fbcde444efe7acec7de24ba6dcdc10a078ab424056731c0e4f43589d7dd34db3f2424c27e25ec14537b057461f94c16d4ecf564da9bed3e4866d6
SSDEEP

768:5vw9816uhKiroD4/wQNNrfrunMxVFA3bA:lEGkmoDlCunMxVS3c

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2EFC713-4003-45b3-A47B-6777FCAA68C1}	d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2882CD7F-D904-44b8-8803-E887D4AC3422}	{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5932FCA-EF19-4ad7-81BD-8284034ACC08}	{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2EFC713-4003-45b3-A47B-6777FCAA68C1}\stubpath = "C:\\Windows\\{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe"	d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5932FCA-EF19-4ad7-81BD-8284034ACC08}\stubpath = "C:\\Windows\\{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe"	{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{405FCF1D-CB6E-4dc2-9128-AF665ED741A1}\stubpath = "C:\\Windows\\{405FCF1D-CB6E-4dc2-9128-AF665ED741A1}.exe"	{CA4F0FF9-753E-45c6-815C-C6191BAE05E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA4F0FF9-753E-45c6-815C-C6191BAE05E1}	{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B881F7C-C653-4f9a-901F-193A71F28EED}	{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B881F7C-C653-4f9a-901F-193A71F28EED}\stubpath = "C:\\Windows\\{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe"	{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2882CD7F-D904-44b8-8803-E887D4AC3422}\stubpath = "C:\\Windows\\{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe"	{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E66009-CF7A-4cc9-B43D-59A641B73297}	{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E66009-CF7A-4cc9-B43D-59A641B73297}\stubpath = "C:\\Windows\\{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe"	{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AED723C2-7273-4778-9848-07435F37840C}\stubpath = "C:\\Windows\\{AED723C2-7273-4778-9848-07435F37840C}.exe"	{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}	{AED723C2-7273-4778-9848-07435F37840C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA4F0FF9-753E-45c6-815C-C6191BAE05E1}\stubpath = "C:\\Windows\\{CA4F0FF9-753E-45c6-815C-C6191BAE05E1}.exe"	{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{405FCF1D-CB6E-4dc2-9128-AF665ED741A1}	{CA4F0FF9-753E-45c6-815C-C6191BAE05E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AED723C2-7273-4778-9848-07435F37840C}	{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}\stubpath = "C:\\Windows\\{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe"	{AED723C2-7273-4778-9848-07435F37840C}.exe

Deletes itself 1 IoCs

pid	Process
2820	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2804	{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe
2772	{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe
2648	{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe
2104	{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe
2532	{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe
444	{AED723C2-7273-4778-9848-07435F37840C}.exe
2268	{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe
1748	{CA4F0FF9-753E-45c6-815C-C6191BAE05E1}.exe
1312	{405FCF1D-CB6E-4dc2-9128-AF665ED741A1}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe	{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe
File created	C:\Windows\{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe	d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe
File created	C:\Windows\{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe	{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe
File created	C:\Windows\{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe	{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe
File created	C:\Windows\{AED723C2-7273-4778-9848-07435F37840C}.exe	{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe
File created	C:\Windows\{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe	{AED723C2-7273-4778-9848-07435F37840C}.exe
File created	C:\Windows\{CA4F0FF9-753E-45c6-815C-C6191BAE05E1}.exe	{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe
File created	C:\Windows\{405FCF1D-CB6E-4dc2-9128-AF665ED741A1}.exe	{CA4F0FF9-753E-45c6-815C-C6191BAE05E1}.exe
File created	C:\Windows\{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe	{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{405FCF1D-CB6E-4dc2-9128-AF665ED741A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA4F0FF9-753E-45c6-815C-C6191BAE05E1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AED723C2-7273-4778-9848-07435F37840C}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2256	d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe
Token: SeIncBasePriorityPrivilege	2804	{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe
Token: SeIncBasePriorityPrivilege	2772	{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe
Token: SeIncBasePriorityPrivilege	2648	{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe
Token: SeIncBasePriorityPrivilege	2104	{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe
Token: SeIncBasePriorityPrivilege	2532	{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe
Token: SeIncBasePriorityPrivilege	444	{AED723C2-7273-4778-9848-07435F37840C}.exe
Token: SeIncBasePriorityPrivilege	2268	{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe
Token: SeIncBasePriorityPrivilege	1748	{CA4F0FF9-753E-45c6-815C-C6191BAE05E1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2804	2256	d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe	30
PID 2256 wrote to memory of 2804	2256	d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe	30
PID 2256 wrote to memory of 2804	2256	d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe	30
PID 2256 wrote to memory of 2804	2256	d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe	30
PID 2256 wrote to memory of 2820	2256	d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe	31
PID 2256 wrote to memory of 2820	2256	d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe	31
PID 2256 wrote to memory of 2820	2256	d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe	31
PID 2256 wrote to memory of 2820	2256	d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe	31
PID 2804 wrote to memory of 2772	2804	{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe	32
PID 2804 wrote to memory of 2772	2804	{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe	32
PID 2804 wrote to memory of 2772	2804	{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe	32
PID 2804 wrote to memory of 2772	2804	{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe	32
PID 2804 wrote to memory of 2748	2804	{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe	33
PID 2804 wrote to memory of 2748	2804	{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe	33
PID 2804 wrote to memory of 2748	2804	{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe	33
PID 2804 wrote to memory of 2748	2804	{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe	33
PID 2772 wrote to memory of 2648	2772	{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe	34
PID 2772 wrote to memory of 2648	2772	{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe	34
PID 2772 wrote to memory of 2648	2772	{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe	34
PID 2772 wrote to memory of 2648	2772	{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe	34
PID 2772 wrote to memory of 2260	2772	{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe	35
PID 2772 wrote to memory of 2260	2772	{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe	35
PID 2772 wrote to memory of 2260	2772	{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe	35
PID 2772 wrote to memory of 2260	2772	{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe	35
PID 2648 wrote to memory of 2104	2648	{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe	36
PID 2648 wrote to memory of 2104	2648	{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe	36
PID 2648 wrote to memory of 2104	2648	{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe	36
PID 2648 wrote to memory of 2104	2648	{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe	36
PID 2648 wrote to memory of 1416	2648	{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe	37
PID 2648 wrote to memory of 1416	2648	{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe	37
PID 2648 wrote to memory of 1416	2648	{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe	37
PID 2648 wrote to memory of 1416	2648	{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe	37
PID 2104 wrote to memory of 2532	2104	{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe	38
PID 2104 wrote to memory of 2532	2104	{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe	38
PID 2104 wrote to memory of 2532	2104	{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe	38
PID 2104 wrote to memory of 2532	2104	{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe	38
PID 2104 wrote to memory of 1792	2104	{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe	39
PID 2104 wrote to memory of 1792	2104	{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe	39
PID 2104 wrote to memory of 1792	2104	{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe	39
PID 2104 wrote to memory of 1792	2104	{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe	39
PID 2532 wrote to memory of 444	2532	{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe	41
PID 2532 wrote to memory of 444	2532	{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe	41
PID 2532 wrote to memory of 444	2532	{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe	41
PID 2532 wrote to memory of 444	2532	{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe	41
PID 2532 wrote to memory of 2084	2532	{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe	42
PID 2532 wrote to memory of 2084	2532	{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe	42
PID 2532 wrote to memory of 2084	2532	{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe	42
PID 2532 wrote to memory of 2084	2532	{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe	42
PID 444 wrote to memory of 2268	444	{AED723C2-7273-4778-9848-07435F37840C}.exe	43
PID 444 wrote to memory of 2268	444	{AED723C2-7273-4778-9848-07435F37840C}.exe	43
PID 444 wrote to memory of 2268	444	{AED723C2-7273-4778-9848-07435F37840C}.exe	43
PID 444 wrote to memory of 2268	444	{AED723C2-7273-4778-9848-07435F37840C}.exe	43
PID 444 wrote to memory of 1064	444	{AED723C2-7273-4778-9848-07435F37840C}.exe	44
PID 444 wrote to memory of 1064	444	{AED723C2-7273-4778-9848-07435F37840C}.exe	44
PID 444 wrote to memory of 1064	444	{AED723C2-7273-4778-9848-07435F37840C}.exe	44
PID 444 wrote to memory of 1064	444	{AED723C2-7273-4778-9848-07435F37840C}.exe	44
PID 2268 wrote to memory of 1748	2268	{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe	45
PID 2268 wrote to memory of 1748	2268	{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe	45
PID 2268 wrote to memory of 1748	2268	{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe	45
PID 2268 wrote to memory of 1748	2268	{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe	45
PID 2268 wrote to memory of 2368	2268	{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe	46
PID 2268 wrote to memory of 2368	2268	{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe	46
PID 2268 wrote to memory of 2368	2268	{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe	46
PID 2268 wrote to memory of 2368	2268	{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe	46

C:\Users\Admin\AppData\Local\Temp\d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe
"C:\Users\Admin\AppData\Local\Temp\d719688d3c98cf4611513b61bbd41083a2c8246a8854481236d0e6b2ae57ed9fN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe
  C:\Windows\{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe
    C:\Windows\{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe
      C:\Windows\{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe
        
        C:\Windows\{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2104
      - C:\Windows\{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe
        
        C:\Windows\{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\{AED723C2-7273-4778-9848-07435F37840C}.exe
        
        C:\Windows\{AED723C2-7273-4778-9848-07435F37840C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe
        
        C:\Windows\{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{CA4F0FF9-753E-45c6-815C-C6191BAE05E1}.exe
        
        C:\Windows\{CA4F0FF9-753E-45c6-815C-C6191BAE05E1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\{405FCF1D-CB6E-4dc2-9128-AF665ED741A1}.exe
        
        C:\Windows\{405FCF1D-CB6E-4dc2-9128-AF665ED741A1}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA4F0~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6A46~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AED72~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5932~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64E66~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2882C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3B881~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E2EFC~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D71968~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2882CD7F-D904-44b8-8803-E887D4AC3422}.exe

Filesize
90KB

MD5
65594adb53a6548120a19a2fc63918f9

SHA1
373d50e40e7f218e125f055762434a7023f15d48

SHA256
8ddaeb7d5ecd6afe5d155432ff46f8969ea7f17c3c593c3049d1956cc64a172a

SHA512
46a0d7d9dc103713253b0c9b215272a9931275d47ea6ad11e24e2c9a9239e8f223a06d99df999668a80c4b276a4704559da1a679bef7fd0e3dff9ea3162ac65f

Download Submit
C:\Windows\{3B881F7C-C653-4f9a-901F-193A71F28EED}.exe

Filesize
90KB

MD5
5e287beee4d3bc92314a4e9f42861809

SHA1
eaec4bc553b069fc1daa78a5c3e885a273b9cd21

SHA256
64798720590bb3e265946463ca7496cdaa60086913a96299822a0a20c08d198a

SHA512
28c9ae81c07e19896cd9670b08bfbf99db322404c9668316d40dfe92a980a5b2fe33dbd361a1deac4eddf06e82e1faf95f1085aaa188d093cc5ec2f772d63f99

Download Submit
C:\Windows\{405FCF1D-CB6E-4dc2-9128-AF665ED741A1}.exe

Filesize
90KB

MD5
51758a2ce2e9f5faa97e6d93bc3b5e8d

SHA1
d7ef8f8a10f76119e74db93fb1dc65a69310ff42

SHA256
5475ebe63c36f5c5c6344424ccc889065ebfd2b2636e69de361c385da16b43c8

SHA512
c30124567d0ddca60f4a4440fb4831183044e286669e64a7e80abdb678bf9704ef190cb91a50c4735d5a126698277298519bb0aab33a8642370c92f76f3ad023

Download Submit
C:\Windows\{64E66009-CF7A-4cc9-B43D-59A641B73297}.exe

Filesize
90KB

MD5
ce0bf5a9db7b17c162cc0603578b832b

SHA1
38d52f89d96c78ba8734d690cadf0d6d9e30737d

SHA256
0ce24188646551406bacba71506bb79528b2d8ff6013e05c1f6f3bf0d5aca821

SHA512
460b025010fd276f6645a3ef91cf58b6818149c45db8263e39e5c32eb2bf7dc5d703c5b1182cb70f97593c67cf16ef652ed5f27eda8000d80876ef7383c01881

Download Submit
C:\Windows\{A6A464D4-C3C8-49c5-AC79-991AFCC58E5B}.exe

Filesize
90KB

MD5
9e7b1ed77fb4cb122c710755c69ed3c7

SHA1
42b9863d3f626479f6e973b63b541c4df3dc6939

SHA256
ced5b52894a2a8405c09b73a404bdab6265419c08325f90407b8042395c76d6d

SHA512
e2b683325f720f33b7266e84a51a17867c380cb5e8dafe8f495a80bc354862c945381fd9fd0a11e4d24cfd7419d0fea76bc59b66b4a02b438442d37bd751313e

Download Submit
C:\Windows\{AED723C2-7273-4778-9848-07435F37840C}.exe

Filesize
90KB

MD5
9e6c55284534022a81bf3b43a61d615f

SHA1
1eb78bd8c84497866de538890f798e38cc0d603c

SHA256
8da5faa25d25c65662244cab39e9a61099d9724752cf445d1babfcdf281379e6

SHA512
2d329e7e7f6b6344a33c58c8485280070334e848218c04bf7f15ed9b737159a7dcf62174484085cdd92b3006a3c554f4833dac00436db853a4268676be0273f6

Download Submit
C:\Windows\{CA4F0FF9-753E-45c6-815C-C6191BAE05E1}.exe

Filesize
90KB

MD5
18bc9c3784fc4e1ad236e47365e79547

SHA1
d4d0f02d7a246edbe91d2d199536819bbf7d1941

SHA256
648deca77de6776e645d6db72c43580b89f09a26ed32290836b4a1a137b7eb89

SHA512
1cbe901b8f5adbbaed468cbdf1335a8fe9e1bcb3ca2d52ee868ab246a03c2ac8159ab2d25e3d2bf0d491f2b8c96fe07a2007e57745743600adced9292ba1e046

Download Submit
C:\Windows\{E2EFC713-4003-45b3-A47B-6777FCAA68C1}.exe

Filesize
90KB

MD5
944f3b3fb8645a13316db44d82e4cbc9

SHA1
0df16a6d7f033540b1755d78f4744e88e13ba8d0

SHA256
e52314522d904f3757a3f9562790e861e4badeff649b42866d18ef76d8ec5407

SHA512
bea4e43be5ab29255b9aa6965417df2d24a52520b960786654e24118a24f7602cc511acbc56b664df344099f310e3d3ee3ddb3d177e9ce1c25147c6c9b6c4ee4

Download Submit
C:\Windows\{E5932FCA-EF19-4ad7-81BD-8284034ACC08}.exe

Filesize
90KB

MD5
03868c37e220e8c5e057465125b3928a

SHA1
65ba70f287f903b587cf3444d492367007509e59

SHA256
4cc0e5acb75621b30a489a78715b20cd663609e3c298ff01f536d1e4231e493c

SHA512
1a08e501cac1c7643414ada98344a03c971710820dfcb9525f47aa3fef09b32c7ceb173c63365daa8f75cc29f4284a96f29bd2ff640418a555ac71537cf023bd

Download Submit
memory/444-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/444-62-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/444-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/444-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1748-80-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/1748-86-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2104-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2104-45-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2104-40-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2104-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2256-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2256-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2256-3-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2256-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2268-71-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2268-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2532-51-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2532-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2532-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2648-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2772-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2772-22-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2772-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2804-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2804-13-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads