2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187b

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/10/2024, 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187bN.exe
Size

89KB
MD5

c05a8446dcc91b9c87c86e34f050f460
SHA1

c3757d2958e9dd0efc9fed12f6b17b7d25d12e99
SHA256

2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187b
SHA512

fd05f3ce90b723e4c9663fc2bc84a15a4d842b25de9f6ab528342e6bf083a9ebba2a4e8a311761f85da2399f08b60803bae2b672ac12026f08bbf1d77dbc2823
SSDEEP

768:5vw9816thKQLrot4/wQkNrfrunMxVFA3k:lEG/0otlbunMxVS3k

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3982315-FC8E-4bd9-8877-992D0B8C3A35}\stubpath = "C:\\Windows\\{D3982315-FC8E-4bd9-8877-992D0B8C3A35}.exe"	{E363BF2D-78E4-451d-AA1F-42F52A878F9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE9494EC-1F28-48a8-BC11-23A5C0603F30}	{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0720615D-F398-4482-815A-3CD22CCAA0DA}\stubpath = "C:\\Windows\\{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe"	{B966B625-904F-401b-863E-9624CB84304F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}	{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E363BF2D-78E4-451d-AA1F-42F52A878F9F}\stubpath = "C:\\Windows\\{E363BF2D-78E4-451d-AA1F-42F52A878F9F}.exe"	{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3982315-FC8E-4bd9-8877-992D0B8C3A35}	{E363BF2D-78E4-451d-AA1F-42F52A878F9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86021BB6-7B81-4d46-B8FC-A654B4513475}	{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}	2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B966B625-904F-401b-863E-9624CB84304F}	{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0720615D-F398-4482-815A-3CD22CCAA0DA}	{B966B625-904F-401b-863E-9624CB84304F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}\stubpath = "C:\\Windows\\{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe"	{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}\stubpath = "C:\\Windows\\{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe"	{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE9494EC-1F28-48a8-BC11-23A5C0603F30}\stubpath = "C:\\Windows\\{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe"	{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B966B625-904F-401b-863E-9624CB84304F}\stubpath = "C:\\Windows\\{B966B625-904F-401b-863E-9624CB84304F}.exe"	{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}	{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}\stubpath = "C:\\Windows\\{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe"	2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86021BB6-7B81-4d46-B8FC-A654B4513475}\stubpath = "C:\\Windows\\{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe"	{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E363BF2D-78E4-451d-AA1F-42F52A878F9F}	{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe

Deletes itself 1 IoCs

pid	Process
2252	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2028	{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe
2828	{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe
2804	{B966B625-904F-401b-863E-9624CB84304F}.exe
2612	{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe
1516	{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe
1252	{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe
2712	{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe
2648	{E363BF2D-78E4-451d-AA1F-42F52A878F9F}.exe
344	{D3982315-FC8E-4bd9-8877-992D0B8C3A35}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe	{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe
File created	C:\Windows\{E363BF2D-78E4-451d-AA1F-42F52A878F9F}.exe	{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe
File created	C:\Windows\{D3982315-FC8E-4bd9-8877-992D0B8C3A35}.exe	{E363BF2D-78E4-451d-AA1F-42F52A878F9F}.exe
File created	C:\Windows\{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe	{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe
File created	C:\Windows\{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe	{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe
File created	C:\Windows\{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe	{B966B625-904F-401b-863E-9624CB84304F}.exe
File created	C:\Windows\{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe	{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe
File created	C:\Windows\{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe	2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187bN.exe
File created	C:\Windows\{B966B625-904F-401b-863E-9624CB84304F}.exe	{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B966B625-904F-401b-863E-9624CB84304F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E363BF2D-78E4-451d-AA1F-42F52A878F9F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3982315-FC8E-4bd9-8877-992D0B8C3A35}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2536	2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187bN.exe
Token: SeIncBasePriorityPrivilege	2028	{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe
Token: SeIncBasePriorityPrivilege	2828	{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe
Token: SeIncBasePriorityPrivilege	2804	{B966B625-904F-401b-863E-9624CB84304F}.exe
Token: SeIncBasePriorityPrivilege	2612	{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe
Token: SeIncBasePriorityPrivilege	1516	{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe
Token: SeIncBasePriorityPrivilege	1252	{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe
Token: SeIncBasePriorityPrivilege	2712	{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe
Token: SeIncBasePriorityPrivilege	2648	{E363BF2D-78E4-451d-AA1F-42F52A878F9F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2028	2536	2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187bN.exe	31
PID 2536 wrote to memory of 2028	2536	2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187bN.exe	31
PID 2536 wrote to memory of 2028	2536	2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187bN.exe	31
PID 2536 wrote to memory of 2028	2536	2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187bN.exe	31
PID 2536 wrote to memory of 2252	2536	2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187bN.exe	32
PID 2536 wrote to memory of 2252	2536	2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187bN.exe	32
PID 2536 wrote to memory of 2252	2536	2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187bN.exe	32
PID 2536 wrote to memory of 2252	2536	2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187bN.exe	32
PID 2028 wrote to memory of 2828	2028	{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe	33
PID 2028 wrote to memory of 2828	2028	{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe	33
PID 2028 wrote to memory of 2828	2028	{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe	33
PID 2028 wrote to memory of 2828	2028	{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe	33
PID 2028 wrote to memory of 2812	2028	{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe	34
PID 2028 wrote to memory of 2812	2028	{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe	34
PID 2028 wrote to memory of 2812	2028	{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe	34
PID 2028 wrote to memory of 2812	2028	{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe	34
PID 2828 wrote to memory of 2804	2828	{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe	35
PID 2828 wrote to memory of 2804	2828	{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe	35
PID 2828 wrote to memory of 2804	2828	{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe	35
PID 2828 wrote to memory of 2804	2828	{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe	35
PID 2828 wrote to memory of 2936	2828	{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe	36
PID 2828 wrote to memory of 2936	2828	{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe	36
PID 2828 wrote to memory of 2936	2828	{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe	36
PID 2828 wrote to memory of 2936	2828	{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe	36
PID 2804 wrote to memory of 2612	2804	{B966B625-904F-401b-863E-9624CB84304F}.exe	37
PID 2804 wrote to memory of 2612	2804	{B966B625-904F-401b-863E-9624CB84304F}.exe	37
PID 2804 wrote to memory of 2612	2804	{B966B625-904F-401b-863E-9624CB84304F}.exe	37
PID 2804 wrote to memory of 2612	2804	{B966B625-904F-401b-863E-9624CB84304F}.exe	37
PID 2804 wrote to memory of 2672	2804	{B966B625-904F-401b-863E-9624CB84304F}.exe	38
PID 2804 wrote to memory of 2672	2804	{B966B625-904F-401b-863E-9624CB84304F}.exe	38
PID 2804 wrote to memory of 2672	2804	{B966B625-904F-401b-863E-9624CB84304F}.exe	38
PID 2804 wrote to memory of 2672	2804	{B966B625-904F-401b-863E-9624CB84304F}.exe	38
PID 2612 wrote to memory of 1516	2612	{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe	39
PID 2612 wrote to memory of 1516	2612	{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe	39
PID 2612 wrote to memory of 1516	2612	{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe	39
PID 2612 wrote to memory of 1516	2612	{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe	39
PID 2612 wrote to memory of 1536	2612	{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe	40
PID 2612 wrote to memory of 1536	2612	{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe	40
PID 2612 wrote to memory of 1536	2612	{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe	40
PID 2612 wrote to memory of 1536	2612	{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe	40
PID 1516 wrote to memory of 1252	1516	{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe	41
PID 1516 wrote to memory of 1252	1516	{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe	41
PID 1516 wrote to memory of 1252	1516	{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe	41
PID 1516 wrote to memory of 1252	1516	{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe	41
PID 1516 wrote to memory of 1136	1516	{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe	42
PID 1516 wrote to memory of 1136	1516	{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe	42
PID 1516 wrote to memory of 1136	1516	{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe	42
PID 1516 wrote to memory of 1136	1516	{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe	42
PID 1252 wrote to memory of 2712	1252	{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe	43
PID 1252 wrote to memory of 2712	1252	{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe	43
PID 1252 wrote to memory of 2712	1252	{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe	43
PID 1252 wrote to memory of 2712	1252	{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe	43
PID 1252 wrote to memory of 1916	1252	{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe	44
PID 1252 wrote to memory of 1916	1252	{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe	44
PID 1252 wrote to memory of 1916	1252	{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe	44
PID 1252 wrote to memory of 1916	1252	{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe	44
PID 2712 wrote to memory of 2648	2712	{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe	45
PID 2712 wrote to memory of 2648	2712	{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe	45
PID 2712 wrote to memory of 2648	2712	{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe	45
PID 2712 wrote to memory of 2648	2712	{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe	45
PID 2712 wrote to memory of 3068	2712	{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe	46
PID 2712 wrote to memory of 3068	2712	{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe	46
PID 2712 wrote to memory of 3068	2712	{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe	46
PID 2712 wrote to memory of 3068	2712	{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe	46

C:\Users\Admin\AppData\Local\Temp\2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187bN.exe
"C:\Users\Admin\AppData\Local\Temp\2e6907f82f3b4aa336a98d9d1e959db38c9f9997f02f6720a7b4bf62697f187bN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe
  C:\Windows\{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe
    C:\Windows\{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\{B966B625-904F-401b-863E-9624CB84304F}.exe
      C:\Windows\{B966B625-904F-401b-863E-9624CB84304F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe
        
        C:\Windows\{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe
        
        C:\Windows\{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe
        
        C:\Windows\{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe
        
        C:\Windows\{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\{E363BF2D-78E4-451d-AA1F-42F52A878F9F}.exe
        
        C:\Windows\{E363BF2D-78E4-451d-AA1F-42F52A878F9F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\{D3982315-FC8E-4bd9-8877-992D0B8C3A35}.exe
        
        C:\Windows\{D3982315-FC8E-4bd9-8877-992D0B8C3A35}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E363B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86021~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D590~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE527~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07206~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B966B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AE949~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8DB06~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2E6907~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0720615D-F398-4482-815A-3CD22CCAA0DA}.exe

Filesize
89KB

MD5
5eb1d4f44990fcf579aa621fe0556069

SHA1
1c555b61b48b01cce653381b191cc0a5e55de489

SHA256
6294dde047a8f7a50c3df98658320e2fcb5166e2ef03dab82853e8afa9991aa6

SHA512
888ef1aeedf24ef13420d0ec11f6b48e8f3f74eb913b6bec883b6bb14fc5d865e7a5d69c0c72935354a3024011a8a5c749c6bb44867d0e3a74d6554a3d706189

Download Submit
C:\Windows\{4D590C9C-6DB7-4d41-90EF-3FD69D5BCE13}.exe

Filesize
89KB

MD5
752db4640b58572c56dd4f0bf38c5dd9

SHA1
9cde479b212382a0f9e9d4b954e16f083e1a3e76

SHA256
e740f4568c9d526a7c818c3ee54c9e42461d29744c44bca4477d446ec4d87ca3

SHA512
2bf3049bf15414a7736b1dea9f7acaca66db7d7da15bc27aad9e335e8515ea46de903fe4e84fc4b23ac4cd3002904614c0a5a757363932ff9a65b0ce6ff8c28f

Download Submit
C:\Windows\{86021BB6-7B81-4d46-B8FC-A654B4513475}.exe

Filesize
89KB

MD5
c66ecf2d22b6df977e71edb232accfd4

SHA1
9cad428d558d0cfc11a4aae0b6f6f563d73cae99

SHA256
b0d2d51e254e423ebdbe1ab899cb9c6d430cb4ddc047cfdefcadee580e5fbfb8

SHA512
b3f664051d8c9b99cc770050633d88a5c39ff352cf9f35627dc101902f583a45e2408d0366919cb726a3194c1e7d16512b91f979965441512c5406f98167739d

Download Submit
C:\Windows\{8DB067FC-912D-41c9-B1EA-6562F3F7C5BE}.exe

Filesize
89KB

MD5
a19b579105a909cfaa1312382152b8c7

SHA1
c6eae98376f225f1dd834527e8541ddeccb5b90c

SHA256
e781ee3c3232990df2c121e52062763a0565402f2fd92296410e219a658b6eda

SHA512
9e3cb6fc57011b0c772741c43133ea9458f8a6d2060f60f3450e5ebf8723fff9846a9ffa8fcf8a9ae612d564fa56fe7ddf06187caa9d84da0528d940b84a986e

Download Submit
C:\Windows\{AE9494EC-1F28-48a8-BC11-23A5C0603F30}.exe

Filesize
89KB

MD5
e7ad005f7aa1c4dabd62767f098f8f6a

SHA1
4454fe9b0819c65f46b910e3be976bb45627c825

SHA256
9973bdb3e972b7b0987235fad1284184fd1a56fe70fc22f2eebaac9d995c0fe7

SHA512
671b35ec06c6e20da5119148d8e35f20883d2936331baadfecf344372a32f5c393cbab05f322a914774649ae0602300973c1bd9f965a196df7a449e3c73f40b4

Download Submit
C:\Windows\{B966B625-904F-401b-863E-9624CB84304F}.exe

Filesize
89KB

MD5
47a7adce87ac09e780759b7f485aeebf

SHA1
8a041a928842e633ab5e01c06ff002675d580ed7

SHA256
c4b3ea8303fc1ad481e5eb2a95d23d46176831aa5cd260a5f436b1a72cb38760

SHA512
b5ca3479494aff5f2a9e1beb0570aedbe129140dc0c6c6ee37af617448d0edee3835fdc2a3095c56565698119bd5f727159144c688a8410c9dbee6398851d8b5

Download Submit
C:\Windows\{D3982315-FC8E-4bd9-8877-992D0B8C3A35}.exe

Filesize
89KB

MD5
4a9068d44f808d052f9e1d01bd1bcbfc

SHA1
05eb3f569a90d12e031eece68dc467db16203b7d

SHA256
3b15f0ee6e94045d87a9e2f294207723fec43fc17193be27d8d02fdc5633d546

SHA512
36ae9b882139a7f8d534cff5e9d08b1c007ed6783769eddc49e7da0bcd586f75b115f6872543186a83975cfadfefe9ece0e2058c1a570a01a9cc04f1762b97b7

Download Submit
C:\Windows\{E363BF2D-78E4-451d-AA1F-42F52A878F9F}.exe

Filesize
89KB

MD5
5cda6d702b76e2d4ebe9498d8dec5b56

SHA1
bca3cad8e36899c5e3af43e6d7e6972bfa17e462

SHA256
dd18aac03a0689c4bdfe93e6836c04b501b35bd75b268806630fb68724b3522e

SHA512
3c4e183852948bd5c36e88a5ebaf41dbd56ebfd89f5a3c95cfbf0856bb0718232785abd2b7c943e96c1082cefd22c366ef1bd2d18b5205993540285c8938e7b1

Download Submit
C:\Windows\{FE5276F5-8EBC-4d72-ACDA-CF3E758022A8}.exe

Filesize
89KB

MD5
51fa810437a5f2b2baa261816696d89d

SHA1
65ea2197318e2c6d3037380dbd85b08dd7f68915

SHA256
e8f3125b0973e5bbc8613779a448b9b1fc7a2cfc1aac62a2da509ce06d08c842

SHA512
3124f2016b9a7c09a3a4ce6610723e5e79353d2f8a371b07850a0509a2ddd1438d10442e0d28be6ecac9f0f6fe977646941b668000958773964feadd4f427a25

Download Submit
memory/1252-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1252-59-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/1516-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1516-49-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2028-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-12-0x0000000001BE0000-0x0000000001BF1000-memory.dmp

Filesize
68KB

Download
memory/2536-4-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/2536-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2536-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2536-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2612-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2612-40-0x0000000001C70000-0x0000000001C81000-memory.dmp

Filesize
68KB

Download
memory/2648-82-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2648-76-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download
memory/2712-73-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2712-67-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2804-31-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2804-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2828-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2828-22-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2828-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads