e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 16:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1N.exe
Size

64KB
MD5

6cc2ca6116beedab442dc0d985ffb3b0
SHA1

5f3af230f289d1e63d46672878051f161e42dc1c
SHA256

e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1
SHA512

afa556614768b5ce917694112da20810909f885f6bcdb740373b1628f0df2e101313c689c753bb03ba5adb6a805a7905ae15344bcbf0e221b9f7dfe6cdbdf134
SSDEEP

384:ObIwOs8AHsc4sMDwhKQLrox4/CFsrdHWMZp:OEw9816vhKQLrox4/wQpWMZp

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}\stubpath = "C:\\Windows\\{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe"	{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}	{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A76477E-2E04-4dd4-948F-AF5005DD765E}	{A51F9B2E-8DEA-4dfb-8586-40EBEB69363D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A76477E-2E04-4dd4-948F-AF5005DD765E}\stubpath = "C:\\Windows\\{1A76477E-2E04-4dd4-948F-AF5005DD765E}.exe"	{A51F9B2E-8DEA-4dfb-8586-40EBEB69363D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55AC7588-8F76-49a4-86A3-4DAAED720DCA}\stubpath = "C:\\Windows\\{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe"	{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}	{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}\stubpath = "C:\\Windows\\{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe"	{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}	{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A51F9B2E-8DEA-4dfb-8586-40EBEB69363D}\stubpath = "C:\\Windows\\{A51F9B2E-8DEA-4dfb-8586-40EBEB69363D}.exe"	{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}\stubpath = "C:\\Windows\\{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe"	e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}	{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}\stubpath = "C:\\Windows\\{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe"	{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}\stubpath = "C:\\Windows\\{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe"	{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}	{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}\stubpath = "C:\\Windows\\{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe"	{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A51F9B2E-8DEA-4dfb-8586-40EBEB69363D}	{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}	e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55AC7588-8F76-49a4-86A3-4DAAED720DCA}	{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe

Deletes itself 1 IoCs

pid	Process
2340	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
484	{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe
2768	{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe
2744	{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe
1304	{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe
3068	{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe
1852	{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe
1516	{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe
2392	{A51F9B2E-8DEA-4dfb-8586-40EBEB69363D}.exe
940	{1A76477E-2E04-4dd4-948F-AF5005DD765E}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe	{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe
File created	C:\Windows\{A51F9B2E-8DEA-4dfb-8586-40EBEB69363D}.exe	{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe
File created	C:\Windows\{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe	{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe
File created	C:\Windows\{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe	{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe
File created	C:\Windows\{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe	{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe
File created	C:\Windows\{1A76477E-2E04-4dd4-948F-AF5005DD765E}.exe	{A51F9B2E-8DEA-4dfb-8586-40EBEB69363D}.exe
File created	C:\Windows\{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe	e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1N.exe
File created	C:\Windows\{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe	{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe
File created	C:\Windows\{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe	{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A51F9B2E-8DEA-4dfb-8586-40EBEB69363D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A76477E-2E04-4dd4-948F-AF5005DD765E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1236	e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1N.exe
Token: SeIncBasePriorityPrivilege	484	{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe
Token: SeIncBasePriorityPrivilege	2768	{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe
Token: SeIncBasePriorityPrivilege	2744	{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe
Token: SeIncBasePriorityPrivilege	1304	{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe
Token: SeIncBasePriorityPrivilege	3068	{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe
Token: SeIncBasePriorityPrivilege	1852	{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe
Token: SeIncBasePriorityPrivilege	1516	{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe
Token: SeIncBasePriorityPrivilege	2392	{A51F9B2E-8DEA-4dfb-8586-40EBEB69363D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 484	1236	e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1N.exe	31
PID 1236 wrote to memory of 484	1236	e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1N.exe	31
PID 1236 wrote to memory of 484	1236	e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1N.exe	31
PID 1236 wrote to memory of 484	1236	e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1N.exe	31
PID 1236 wrote to memory of 2340	1236	e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1N.exe	32
PID 1236 wrote to memory of 2340	1236	e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1N.exe	32
PID 1236 wrote to memory of 2340	1236	e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1N.exe	32
PID 1236 wrote to memory of 2340	1236	e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1N.exe	32
PID 484 wrote to memory of 2768	484	{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe	33
PID 484 wrote to memory of 2768	484	{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe	33
PID 484 wrote to memory of 2768	484	{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe	33
PID 484 wrote to memory of 2768	484	{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe	33
PID 484 wrote to memory of 2836	484	{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe	34
PID 484 wrote to memory of 2836	484	{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe	34
PID 484 wrote to memory of 2836	484	{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe	34
PID 484 wrote to memory of 2836	484	{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe	34
PID 2768 wrote to memory of 2744	2768	{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe	35
PID 2768 wrote to memory of 2744	2768	{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe	35
PID 2768 wrote to memory of 2744	2768	{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe	35
PID 2768 wrote to memory of 2744	2768	{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe	35
PID 2768 wrote to memory of 2584	2768	{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe	36
PID 2768 wrote to memory of 2584	2768	{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe	36
PID 2768 wrote to memory of 2584	2768	{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe	36
PID 2768 wrote to memory of 2584	2768	{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe	36
PID 2744 wrote to memory of 1304	2744	{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe	37
PID 2744 wrote to memory of 1304	2744	{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe	37
PID 2744 wrote to memory of 1304	2744	{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe	37
PID 2744 wrote to memory of 1304	2744	{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe	37
PID 2744 wrote to memory of 2568	2744	{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe	38
PID 2744 wrote to memory of 2568	2744	{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe	38
PID 2744 wrote to memory of 2568	2744	{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe	38
PID 2744 wrote to memory of 2568	2744	{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe	38
PID 1304 wrote to memory of 3068	1304	{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe	39
PID 1304 wrote to memory of 3068	1304	{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe	39
PID 1304 wrote to memory of 3068	1304	{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe	39
PID 1304 wrote to memory of 3068	1304	{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe	39
PID 1304 wrote to memory of 2080	1304	{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe	40
PID 1304 wrote to memory of 2080	1304	{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe	40
PID 1304 wrote to memory of 2080	1304	{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe	40
PID 1304 wrote to memory of 2080	1304	{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe	40
PID 3068 wrote to memory of 1852	3068	{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe	41
PID 3068 wrote to memory of 1852	3068	{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe	41
PID 3068 wrote to memory of 1852	3068	{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe	41
PID 3068 wrote to memory of 1852	3068	{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe	41
PID 3068 wrote to memory of 2772	3068	{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe	42
PID 3068 wrote to memory of 2772	3068	{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe	42
PID 3068 wrote to memory of 2772	3068	{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe	42
PID 3068 wrote to memory of 2772	3068	{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe	42
PID 1852 wrote to memory of 1516	1852	{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe	44
PID 1852 wrote to memory of 1516	1852	{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe	44
PID 1852 wrote to memory of 1516	1852	{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe	44
PID 1852 wrote to memory of 1516	1852	{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe	44
PID 1852 wrote to memory of 2652	1852	{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe	45
PID 1852 wrote to memory of 2652	1852	{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe	45
PID 1852 wrote to memory of 2652	1852	{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe	45
PID 1852 wrote to memory of 2652	1852	{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe	45
PID 1516 wrote to memory of 2392	1516	{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe	46
PID 1516 wrote to memory of 2392	1516	{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe	46
PID 1516 wrote to memory of 2392	1516	{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe	46
PID 1516 wrote to memory of 2392	1516	{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe	46
PID 1516 wrote to memory of 892	1516	{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe	47
PID 1516 wrote to memory of 892	1516	{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe	47
PID 1516 wrote to memory of 892	1516	{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe	47
PID 1516 wrote to memory of 892	1516	{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe	47

C:\Users\Admin\AppData\Local\Temp\e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1N.exe
"C:\Users\Admin\AppData\Local\Temp\e12f9d3fa7478ac884c0deb708748dd7be86b84cfbb1c0a9bf2a23bfc9e05aa1N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe
  C:\Windows\{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe
    C:\Windows\{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe
      C:\Windows\{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe
        
        C:\Windows\{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
      - C:\Windows\{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe
        
        C:\Windows\{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe
        
        C:\Windows\{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe
        
        C:\Windows\{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\{A51F9B2E-8DEA-4dfb-8586-40EBEB69363D}.exe
        
        C:\Windows\{A51F9B2E-8DEA-4dfb-8586-40EBEB69363D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\{1A76477E-2E04-4dd4-948F-AF5005DD765E}.exe
        
        C:\Windows\{1A76477E-2E04-4dd4-948F-AF5005DD765E}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A51F9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F6BF~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF803~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0EB0~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22578~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55AC7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CC5BB~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4BDA9~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E12F9D~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A76477E-2E04-4dd4-948F-AF5005DD765E}.exe

Filesize
64KB

MD5
cad1c7670f2608568472edc15debb568

SHA1
7d5fcd17b09c13f5c92211c82df685a0d7dfae91

SHA256
c66b6a107524d4eb090cddfa5e3a338786c8d65f452814c3cda775e47bf18dc5

SHA512
0332caf807b4be18af5996fb4c710aa5eaa08152fcc1caab59fd02f00cfcef104048c6361a04b6d14de3a91991384deed5e328110d70f429e8188108792621f1

Download Submit
C:\Windows\{2257864A-B6D2-4ed1-A1D5-CCC8CFF3F2A0}.exe

Filesize
64KB

MD5
41ce09e7c08ad62a0eea1c384e07e04a

SHA1
745a5b162a1b75f0dc9e5764754066b17e56e7e9

SHA256
e32ec28b15fb54171ae9c3c10f1734e638fb588a92c20734a4612d80656ab959

SHA512
2f0802200a3b1c12bce605bd8d0237e708ed3171d481661853b240e30cea52449ad5861e792bfe9e73e8d925bfcc429c84ce248d084e72250fc4a4e88a053294

Download Submit
C:\Windows\{3F6BFEAF-6C4F-4ed5-8D95-6235C8CEC50E}.exe

Filesize
64KB

MD5
fd3a6495ec9c3e20269d0b1e0569618d

SHA1
e29e3d0ae470283fa057b7721b4d77c185780354

SHA256
b1bdf8e772c6df81c7e88077e3d84926111b6ea39e5e5735a2d50f25eb8dba1a

SHA512
4e638bb0ff711f6763ab33bfaa0fd98677509a85ad62b4d23962c4a2f5ff57df9c08108b458ebb8441a3913c127b0da25991dc4e2f2bc62440bbebea8f1cf9d3

Download Submit
C:\Windows\{4BDA9F62-E44B-4211-AD5A-8E48102D0FF0}.exe

Filesize
64KB

MD5
dd229d1143b69c9d920220936f4e5031

SHA1
c0e77db8d911d197a10545d60acc501f68d1b435

SHA256
81b14bcc65d34c033e7dc59c2072d6f834a73ebdfe95a6727211c168e672cfa6

SHA512
1813b6684a719c4db639a5ca5a8c642c3859d43c7a90d7c30371e99ba4fea1d8c4d238766bd271ce8be70445eaa85314a3163931ce36b8acd54bf6885eb6b17f

Download Submit
C:\Windows\{55AC7588-8F76-49a4-86A3-4DAAED720DCA}.exe

Filesize
64KB

MD5
65593284d4ba1109f862deb98eec2a63

SHA1
66031d9b67cd8c5ce5c2b399fed1b7a71b96dc21

SHA256
84b6a7543ffd8e8225a2e68dafa5b0d81693fe8f41ed954e3c71b2326b3b42b5

SHA512
5d6931fba4391e5e849b8abdbc74c7d02d47601fb3f5a51518863b5ea038bf887409063341538fccee924e6b5ee06902289bb51b387e3b97c0bdfef7f9252e8d

Download Submit
C:\Windows\{A51F9B2E-8DEA-4dfb-8586-40EBEB69363D}.exe

Filesize
64KB

MD5
be179890919ddf8227b44b88e9938537

SHA1
5d5c7c25383929be2bc4202fda3d458ca93fd5dc

SHA256
2d20cce21d68b08df5312c909b68d13a1598656b6ba18fab03ce84678c1a78c3

SHA512
0a95c7a15676780d8f9fed1d567c4295a000f50a28815973616e197eb3631e936fa07eccb4cc879339e1fc09549f153b14cef64708356685b862a709454c9c8c

Download Submit
C:\Windows\{CC5BBD52-8E7B-4fbb-87D8-C7AE39F2C794}.exe

Filesize
64KB

MD5
4d65fbbf49d944f5ea5076475d4c733c

SHA1
7e9d18fc69db15e00e97953916e6fe5329af2a4c

SHA256
3e07c025e644cd3148108547f3414883c624b02891493d5317f151068a041613

SHA512
e79ec52d59bfa301ab7279ddbfe34b5889fb23029ccf563b5bc2c3e5845331f39773bd9cc99a12c3ee0866228f1aa0ce7336fcbfb64fad309dff1f5920da5372

Download Submit
C:\Windows\{E0EB0F25-479A-4dcc-BF26-8FB643209D2D}.exe

Filesize
64KB

MD5
c53ba542314b7b6d87ca5ca633e074ab

SHA1
33d325e94c38db96b11325167249a9782c0d2356

SHA256
ca193864abff87b5023768a0375526b2a3ecc35fa42ba8ef6c412a28efd85bde

SHA512
cf2102a51a87ea3cc374c92faf3fe0607ee33c42bbb05af34968bf7391150ebc724b423ddd09bae0901867f5b1d6ee02f8e1a237be01f69d499cd08b77f4f1c0

Download Submit
C:\Windows\{FF80340A-A4A5-4d8a-8B26-B33D1C186AE8}.exe

Filesize
64KB

MD5
aa05c80fad41594e43f72f1ebea1cbdd

SHA1
9d8b876450afc9fe8e98533ac01d030786a34e87

SHA256
7113f88db3667e25c019a66064fbfc149f65995068fd7eb52a5c7dc7620f2790

SHA512
b042d66e909513580a3fbd1d2cfb0a3d8e7a2b2e31c167b3e08f8da45a16ac49a6f818b64f1abbda982043e785b0bd8fd60592cb2ce318fd1145f2e4786b8b50

Download Submit
memory/484-12-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/484-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1236-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1236-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1236-3-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/1236-1-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1304-46-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/1304-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1516-67-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1516-73-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1852-59-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1852-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2392-76-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2392-82-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2768-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2768-23-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2768-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3068-50-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/3068-54-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads