fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddc

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe
Size

90KB
MD5

59c3a2ba46fbef9e82930522b8dbbc00
SHA1

ffbc4a498e2cf5669714c3e9aebbdce954914a19
SHA256

fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddc
SHA512

b056776e5ac9b763a9046d118f54b7759b0a34a71dd585659727848ae57d7ba181935c2023e598e6b7293e3d19ab1db9cb6ea6644ed5e1d86e1516cc9768511d
SSDEEP

768:Qvw9816vhKQLrolk4/wQRNrfrunMxVFA3b7glws:YEGh0oGl2unMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F152754-8205-43f2-A835-3FAC001AF2BA}\stubpath = "C:\\Windows\\{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe"	{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B27DECB-AAF9-42cc-B85A-581E9EBA7C0E}	{912DF15B-C46F-4fec-870E-0D9C79820527}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}\stubpath = "C:\\Windows\\{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe"	{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F152754-8205-43f2-A835-3FAC001AF2BA}	{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}	{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E35426F6-B616-4587-910A-F3A18BD61E73}\stubpath = "C:\\Windows\\{E35426F6-B616-4587-910A-F3A18BD61E73}.exe"	{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B595F630-283D-4bb4-AE57-1162839E3AE4}	{E35426F6-B616-4587-910A-F3A18BD61E73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{912DF15B-C46F-4fec-870E-0D9C79820527}\stubpath = "C:\\Windows\\{912DF15B-C46F-4fec-870E-0D9C79820527}.exe"	{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30636273-560C-435c-BDEF-9AFAFF7BD9BB}	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30636273-560C-435c-BDEF-9AFAFF7BD9BB}\stubpath = "C:\\Windows\\{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe"	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B595F630-283D-4bb4-AE57-1162839E3AE4}\stubpath = "C:\\Windows\\{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe"	{E35426F6-B616-4587-910A-F3A18BD61E73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}	{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}\stubpath = "C:\\Windows\\{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe"	{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{912DF15B-C46F-4fec-870E-0D9C79820527}	{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B27DECB-AAF9-42cc-B85A-581E9EBA7C0E}\stubpath = "C:\\Windows\\{6B27DECB-AAF9-42cc-B85A-581E9EBA7C0E}.exe"	{912DF15B-C46F-4fec-870E-0D9C79820527}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}\stubpath = "C:\\Windows\\{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe"	{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E35426F6-B616-4587-910A-F3A18BD61E73}	{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}	{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe

Deletes itself 1 IoCs

pid	Process
2064	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2964	{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe
2056	{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe
2672	{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe
2524	{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe
1524	{E35426F6-B616-4587-910A-F3A18BD61E73}.exe
940	{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe
1976	{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe
2000	{912DF15B-C46F-4fec-870E-0D9C79820527}.exe
1544	{6B27DECB-AAF9-42cc-B85A-581E9EBA7C0E}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe	{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe
File created	C:\Windows\{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe	{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe
File created	C:\Windows\{6B27DECB-AAF9-42cc-B85A-581E9EBA7C0E}.exe	{912DF15B-C46F-4fec-870E-0D9C79820527}.exe
File created	C:\Windows\{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe
File created	C:\Windows\{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe	{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe
File created	C:\Windows\{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe	{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe
File created	C:\Windows\{E35426F6-B616-4587-910A-F3A18BD61E73}.exe	{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe
File created	C:\Windows\{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe	{E35426F6-B616-4587-910A-F3A18BD61E73}.exe
File created	C:\Windows\{912DF15B-C46F-4fec-870E-0D9C79820527}.exe	{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{912DF15B-C46F-4fec-870E-0D9C79820527}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6B27DECB-AAF9-42cc-B85A-581E9EBA7C0E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E35426F6-B616-4587-910A-F3A18BD61E73}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1684	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe
Token: SeIncBasePriorityPrivilege	2964	{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe
Token: SeIncBasePriorityPrivilege	2056	{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe
Token: SeIncBasePriorityPrivilege	2672	{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe
Token: SeIncBasePriorityPrivilege	2524	{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe
Token: SeIncBasePriorityPrivilege	1524	{E35426F6-B616-4587-910A-F3A18BD61E73}.exe
Token: SeIncBasePriorityPrivilege	940	{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe
Token: SeIncBasePriorityPrivilege	1976	{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe
Token: SeIncBasePriorityPrivilege	2000	{912DF15B-C46F-4fec-870E-0D9C79820527}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2964	1684	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe	28
PID 1684 wrote to memory of 2964	1684	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe	28
PID 1684 wrote to memory of 2964	1684	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe	28
PID 1684 wrote to memory of 2964	1684	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe	28
PID 1684 wrote to memory of 2064	1684	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe	29
PID 1684 wrote to memory of 2064	1684	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe	29
PID 1684 wrote to memory of 2064	1684	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe	29
PID 1684 wrote to memory of 2064	1684	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe	29
PID 2964 wrote to memory of 2056	2964	{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe	30
PID 2964 wrote to memory of 2056	2964	{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe	30
PID 2964 wrote to memory of 2056	2964	{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe	30
PID 2964 wrote to memory of 2056	2964	{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe	30
PID 2964 wrote to memory of 2596	2964	{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe	31
PID 2964 wrote to memory of 2596	2964	{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe	31
PID 2964 wrote to memory of 2596	2964	{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe	31
PID 2964 wrote to memory of 2596	2964	{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe	31
PID 2056 wrote to memory of 2672	2056	{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe	34
PID 2056 wrote to memory of 2672	2056	{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe	34
PID 2056 wrote to memory of 2672	2056	{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe	34
PID 2056 wrote to memory of 2672	2056	{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe	34
PID 2056 wrote to memory of 2628	2056	{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe	35
PID 2056 wrote to memory of 2628	2056	{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe	35
PID 2056 wrote to memory of 2628	2056	{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe	35
PID 2056 wrote to memory of 2628	2056	{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe	35
PID 2672 wrote to memory of 2524	2672	{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe	36
PID 2672 wrote to memory of 2524	2672	{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe	36
PID 2672 wrote to memory of 2524	2672	{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe	36
PID 2672 wrote to memory of 2524	2672	{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe	36
PID 2672 wrote to memory of 1652	2672	{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe	37
PID 2672 wrote to memory of 1652	2672	{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe	37
PID 2672 wrote to memory of 1652	2672	{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe	37
PID 2672 wrote to memory of 1652	2672	{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe	37
PID 2524 wrote to memory of 1524	2524	{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe	38
PID 2524 wrote to memory of 1524	2524	{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe	38
PID 2524 wrote to memory of 1524	2524	{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe	38
PID 2524 wrote to memory of 1524	2524	{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe	38
PID 2524 wrote to memory of 568	2524	{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe	39
PID 2524 wrote to memory of 568	2524	{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe	39
PID 2524 wrote to memory of 568	2524	{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe	39
PID 2524 wrote to memory of 568	2524	{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe	39
PID 1524 wrote to memory of 940	1524	{E35426F6-B616-4587-910A-F3A18BD61E73}.exe	40
PID 1524 wrote to memory of 940	1524	{E35426F6-B616-4587-910A-F3A18BD61E73}.exe	40
PID 1524 wrote to memory of 940	1524	{E35426F6-B616-4587-910A-F3A18BD61E73}.exe	40
PID 1524 wrote to memory of 940	1524	{E35426F6-B616-4587-910A-F3A18BD61E73}.exe	40
PID 1524 wrote to memory of 1844	1524	{E35426F6-B616-4587-910A-F3A18BD61E73}.exe	41
PID 1524 wrote to memory of 1844	1524	{E35426F6-B616-4587-910A-F3A18BD61E73}.exe	41
PID 1524 wrote to memory of 1844	1524	{E35426F6-B616-4587-910A-F3A18BD61E73}.exe	41
PID 1524 wrote to memory of 1844	1524	{E35426F6-B616-4587-910A-F3A18BD61E73}.exe	41
PID 940 wrote to memory of 1976	940	{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe	42
PID 940 wrote to memory of 1976	940	{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe	42
PID 940 wrote to memory of 1976	940	{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe	42
PID 940 wrote to memory of 1976	940	{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe	42
PID 940 wrote to memory of 2552	940	{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe	43
PID 940 wrote to memory of 2552	940	{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe	43
PID 940 wrote to memory of 2552	940	{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe	43
PID 940 wrote to memory of 2552	940	{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe	43
PID 1976 wrote to memory of 2000	1976	{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe	44
PID 1976 wrote to memory of 2000	1976	{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe	44
PID 1976 wrote to memory of 2000	1976	{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe	44
PID 1976 wrote to memory of 2000	1976	{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe	44
PID 1976 wrote to memory of 2296	1976	{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe	45
PID 1976 wrote to memory of 2296	1976	{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe	45
PID 1976 wrote to memory of 2296	1976	{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe	45
PID 1976 wrote to memory of 2296	1976	{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe	45

C:\Users\Admin\AppData\Local\Temp\fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe
"C:\Users\Admin\AppData\Local\Temp\fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe
  C:\Windows\{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe
    C:\Windows\{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe
      C:\Windows\{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe
        
        C:\Windows\{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\{E35426F6-B616-4587-910A-F3A18BD61E73}.exe
        
        C:\Windows\{E35426F6-B616-4587-910A-F3A18BD61E73}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe
        
        C:\Windows\{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe
        
        C:\Windows\{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{912DF15B-C46F-4fec-870E-0D9C79820527}.exe
        
        C:\Windows\{912DF15B-C46F-4fec-870E-0D9C79820527}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\{6B27DECB-AAF9-42cc-B85A-581E9EBA7C0E}.exe
        
        C:\Windows\{6B27DECB-AAF9-42cc-B85A-581E9EBA7C0E}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{912DF~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D18D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B595F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3542~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F5E7~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F152~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7E86B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{30636~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FCF908~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F5E7AB3-FCAF-4726-93D0-4B9BFB4754A3}.exe

Filesize
90KB

MD5
7e3b34c80d8a843aa9267b3d8e49c69d

SHA1
f0edc8949b04b8a9bd59695859fc5659a5836775

SHA256
26f6ea97c780630b56df8b72c3273db8b457128bce9d327c37d00e8e0441ac1a

SHA512
31308300ff4ab3097a184170d42fb1aa9ebb760ddcd8f9508d274d23583328cc64c415a851e51c33ceda4dfc742e518ff13a2a793843209c61b40c3de6eaf5d5

Download Submit
C:\Windows\{30636273-560C-435c-BDEF-9AFAFF7BD9BB}.exe

Filesize
90KB

MD5
c550641bb6489533d40b8f181470b516

SHA1
afe1935812eebdb629f4808640d82d287af5995e

SHA256
36073ac0aaa01a92b620afedebe0509b55e977c400c76a34184bc888e2ba9b55

SHA512
b532d54c19e3041a25e3138ad213d570f18b7963ec3b79f10801ce080e7a0ba5728bbc6181e92c6a928ffb8cb20e3b38cc4e13e1e7faff904c2060a705a826c6

Download Submit
C:\Windows\{4D18D027-9B42-4f26-9D9D-7EFCBC01B286}.exe

Filesize
90KB

MD5
061befe7e4c71e30f905a072bf910cd0

SHA1
06a333f9bd874ad4b00ae9037f3d0bb4b3f732a8

SHA256
8889d6fd53b3bbd98ec044b85989bba6c4503d8a78a421d00b15d7b5dde26965

SHA512
d060ab15316d3b11451020d6b1aa06173cb3e324581fcd843622cc51f6e1dfbd502123f0e59c6736d8f9b12e7c8b03e6ddd52c9033227aa508ca373b0c874c76

Download Submit
C:\Windows\{6B27DECB-AAF9-42cc-B85A-581E9EBA7C0E}.exe

Filesize
90KB

MD5
953ae55eb546c17abce1544cbd4ab944

SHA1
8138d7b746d0663af91f89b85c00641e3f420f71

SHA256
dfa6606afaf6e03bca148d25399de787876502e773dcab2292be6bf56b641916

SHA512
f02af8cbedf3d5364eb8e01d57eecc82645f7fe7c4ba3dc07fd079f2c79fa165b1393829f561a0cd3b09b42b8b46ae0fb58b78cb043a689a0785711709854991

Download Submit
C:\Windows\{7E86B589-EDD1-41ff-8948-8B7E29B7BF36}.exe

Filesize
90KB

MD5
ebed215c8b4980512b63f3358d908964

SHA1
1b8388a97e0a7806ce57187555a5eaadf29b44a5

SHA256
b6347c03c57aa0ca7e3f31a7e5dbb9f6ba1d048829e5dc17be00cd16e55c1e99

SHA512
a6b61d5d166cf6e015f4e5be153562ffe4486c771d2cf8cbe13e136af63eeefebbac28ceb6256a96783307d546b3a504d15124391ac5e73e92a1a13ce8cfd301

Download Submit
C:\Windows\{8F152754-8205-43f2-A835-3FAC001AF2BA}.exe

Filesize
90KB

MD5
e88b82f56a654b41a6d907073dd57d12

SHA1
352ad518dfe47b9066f6f1ce24e8e703a3b62bb7

SHA256
73519470ab6ac235298843e4a49b03093c0048f3cb8df46fd77d02b8d210148e

SHA512
adaedc4227cd58e4e7b16f24f6dfadc72a3d24c69814aa039acd7c05144d0530529290f41b770cb8776e4f8a547b29ae473e8fb47f47626fb71a081968064cb5

Download Submit
C:\Windows\{912DF15B-C46F-4fec-870E-0D9C79820527}.exe

Filesize
90KB

MD5
3cd8fb7665f59cf2c0f0c58d3b771660

SHA1
38baee14a1a7e76448a4c3ec736b3e2d2b313156

SHA256
5d99c7f3bb73b63900e596ece237beb0e96f6163b08fc105d565715152d8ad2f

SHA512
34af2d0c3f7c51985df51476eefbe008ae3a05c64b6c89e76b352cb156f0d4c2fb16c68035feb3730b53602ba96798beb8057c9e3179f751ab49b17c8d41abeb

Download Submit
C:\Windows\{B595F630-283D-4bb4-AE57-1162839E3AE4}.exe

Filesize
90KB

MD5
b2b656d7b1e783e38a30b362541178f8

SHA1
a753562e1b2f9959b86862480d2245f7e5d3c3fb

SHA256
9adb7c7f4ef5bc813e408de8ff8e450a78ad340644b3b29c70eda1cfb64af3b2

SHA512
344a5eddb4a10879e42c179bb15cbdf0552443fcd1298a30325aca2c53e5aa571da7233467a5bf26711b93bd930480a0af31611ce0911245a3d2d029864374b3

Download Submit
C:\Windows\{E35426F6-B616-4587-910A-F3A18BD61E73}.exe

Filesize
90KB

MD5
cc5b5c0cad104723b7bbfb4de3eae568

SHA1
2e62536306ea309ce108dd326fe22db5bf25e695

SHA256
07235627ab45d097ca47e7e6421fcf54b851b51a1a2434c737e1969459ccc6cb

SHA512
380f3815539f18ebe754906c66c329464812ac56fc6a1ef83809d8c2bf99841c28491a3bb0813bde476056350d126f255a00a736c59b690b477504df478175c9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads