fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddc

Analysis

max time kernel
118s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe
Size

90KB
MD5

59c3a2ba46fbef9e82930522b8dbbc00
SHA1

ffbc4a498e2cf5669714c3e9aebbdce954914a19
SHA256

fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddc
SHA512

b056776e5ac9b763a9046d118f54b7759b0a34a71dd585659727848ae57d7ba181935c2023e598e6b7293e3d19ab1db9cb6ea6644ed5e1d86e1516cc9768511d
SSDEEP

768:Qvw9816vhKQLrolk4/wQRNrfrunMxVFA3b7glws:YEGh0oGl2unMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA2E8C80-21CC-4154-ACF3-D8D4BDC8AAB7}\stubpath = "C:\\Windows\\{AA2E8C80-21CC-4154-ACF3-D8D4BDC8AAB7}.exe"	{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}\stubpath = "C:\\Windows\\{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe"	{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7308CD9-76BD-43b9-B645-F322DB95C6CE}\stubpath = "C:\\Windows\\{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe"	{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}	{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B5137FE-F750-4ba5-8E1D-484430644F8C}	{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}	{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}	{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC2D9F7D-F87A-4cf8-842B-1F243A191988}\stubpath = "C:\\Windows\\{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe"	{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7308CD9-76BD-43b9-B645-F322DB95C6CE}	{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}\stubpath = "C:\\Windows\\{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe"	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24DE75D4-E27A-4012-8A95-1CE7C5338FED}	{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B5137FE-F750-4ba5-8E1D-484430644F8C}\stubpath = "C:\\Windows\\{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe"	{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}\stubpath = "C:\\Windows\\{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe"	{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC2D9F7D-F87A-4cf8-842B-1F243A191988}	{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA2E8C80-21CC-4154-ACF3-D8D4BDC8AAB7}	{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}\stubpath = "C:\\Windows\\{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe"	{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24DE75D4-E27A-4012-8A95-1CE7C5338FED}\stubpath = "C:\\Windows\\{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe"	{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe

Executes dropped EXE 9 IoCs

pid	Process
4848	{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe
3712	{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe
2720	{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe
872	{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe
1384	{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe
2820	{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe
372	{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe
2752	{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe
4176	{AA2E8C80-21CC-4154-ACF3-D8D4BDC8AAB7}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe	{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe
File created	C:\Windows\{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe	{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe
File created	C:\Windows\{AA2E8C80-21CC-4154-ACF3-D8D4BDC8AAB7}.exe	{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe
File created	C:\Windows\{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe
File created	C:\Windows\{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe	{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe
File created	C:\Windows\{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe	{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe
File created	C:\Windows\{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe	{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe
File created	C:\Windows\{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe	{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe
File created	C:\Windows\{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe	{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA2E8C80-21CC-4154-ACF3-D8D4BDC8AAB7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	532	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe
Token: SeIncBasePriorityPrivilege	4848	{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe
Token: SeIncBasePriorityPrivilege	3712	{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe
Token: SeIncBasePriorityPrivilege	2720	{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe
Token: SeIncBasePriorityPrivilege	872	{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe
Token: SeIncBasePriorityPrivilege	1384	{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe
Token: SeIncBasePriorityPrivilege	2820	{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe
Token: SeIncBasePriorityPrivilege	372	{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe
Token: SeIncBasePriorityPrivilege	2752	{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 4848	532	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe	86
PID 532 wrote to memory of 4848	532	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe	86
PID 532 wrote to memory of 4848	532	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe	86
PID 532 wrote to memory of 3952	532	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe	87
PID 532 wrote to memory of 3952	532	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe	87
PID 532 wrote to memory of 3952	532	fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe	87
PID 4848 wrote to memory of 3712	4848	{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe	88
PID 4848 wrote to memory of 3712	4848	{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe	88
PID 4848 wrote to memory of 3712	4848	{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe	88
PID 4848 wrote to memory of 2424	4848	{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe	89
PID 4848 wrote to memory of 2424	4848	{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe	89
PID 4848 wrote to memory of 2424	4848	{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe	89
PID 3712 wrote to memory of 2720	3712	{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe	96
PID 3712 wrote to memory of 2720	3712	{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe	96
PID 3712 wrote to memory of 2720	3712	{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe	96
PID 3712 wrote to memory of 4512	3712	{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe	97
PID 3712 wrote to memory of 4512	3712	{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe	97
PID 3712 wrote to memory of 4512	3712	{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe	97
PID 2720 wrote to memory of 872	2720	{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe	98
PID 2720 wrote to memory of 872	2720	{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe	98
PID 2720 wrote to memory of 872	2720	{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe	98
PID 2720 wrote to memory of 928	2720	{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe	99
PID 2720 wrote to memory of 928	2720	{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe	99
PID 2720 wrote to memory of 928	2720	{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe	99
PID 872 wrote to memory of 1384	872	{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe	100
PID 872 wrote to memory of 1384	872	{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe	100
PID 872 wrote to memory of 1384	872	{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe	100
PID 872 wrote to memory of 1996	872	{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe	101
PID 872 wrote to memory of 1996	872	{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe	101
PID 872 wrote to memory of 1996	872	{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe	101
PID 1384 wrote to memory of 2820	1384	{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe	103
PID 1384 wrote to memory of 2820	1384	{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe	103
PID 1384 wrote to memory of 2820	1384	{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe	103
PID 1384 wrote to memory of 4188	1384	{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe	104
PID 1384 wrote to memory of 4188	1384	{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe	104
PID 1384 wrote to memory of 4188	1384	{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe	104
PID 2820 wrote to memory of 372	2820	{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe	105
PID 2820 wrote to memory of 372	2820	{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe	105
PID 2820 wrote to memory of 372	2820	{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe	105
PID 2820 wrote to memory of 2164	2820	{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe	106
PID 2820 wrote to memory of 2164	2820	{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe	106
PID 2820 wrote to memory of 2164	2820	{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe	106
PID 372 wrote to memory of 2752	372	{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe	113
PID 372 wrote to memory of 2752	372	{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe	113
PID 372 wrote to memory of 2752	372	{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe	113
PID 372 wrote to memory of 2292	372	{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe	114
PID 372 wrote to memory of 2292	372	{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe	114
PID 372 wrote to memory of 2292	372	{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe	114
PID 2752 wrote to memory of 4176	2752	{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe	116
PID 2752 wrote to memory of 4176	2752	{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe	116
PID 2752 wrote to memory of 4176	2752	{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe	116
PID 2752 wrote to memory of 4180	2752	{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe	117
PID 2752 wrote to memory of 4180	2752	{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe	117
PID 2752 wrote to memory of 4180	2752	{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe	117

C:\Users\Admin\AppData\Local\Temp\fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe
"C:\Users\Admin\AppData\Local\Temp\fcf90875dc813123658e39b06171a128465bf91dad3beff7eaa6574628397ddcN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe
  C:\Windows\{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe
    C:\Windows\{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Windows\{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe
      C:\Windows\{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe
        
        C:\Windows\{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
      - C:\Windows\{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe
        
        C:\Windows\{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe
        
        C:\Windows\{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe
        
        C:\Windows\{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe
        
        C:\Windows\{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{AA2E8C80-21CC-4154-ACF3-D8D4BDC8AAB7}.exe
        
        C:\Windows\{AA2E8C80-21CC-4154-ACF3-D8D4BDC8AAB7}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC2D9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38F1C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ACDC~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B513~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24DE7~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF7F4~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A7308~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9B4FC~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FCF908~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24DE75D4-E27A-4012-8A95-1CE7C5338FED}.exe

Filesize
90KB

MD5
41c43aed49d10470fde63e9df1b7c843

SHA1
cbaffaa8d69e0a96b2cb432854ec706d9112d585

SHA256
09962737e872debf22269a413004448f8fa45ae5068ddb7e13eb5069e56ac5d8

SHA512
6afb963d79d9e8e971ee2f75598f75fe2af0a00e2417d2d4ad652e9788d182d29d41f06f76953202f41fdb93eef4c2cc451aa4db0bb76ca3cfe551ed8d14c4fe

Download Submit
C:\Windows\{38F1CA60-F6F3-4aa8-B210-CC132F7FFE6C}.exe

Filesize
90KB

MD5
f482f4221067dfa130942ff78c4b0d6e

SHA1
59e5476c92156e80969f49407bb8aa8fc04808de

SHA256
cf2a50a6e3eb62a41a1d69055ddcebdd6f7a181560a4f0f5eaecfff755ba7d2c

SHA512
59c594f94bf26230b95066bc75aeef0f2365e057505b9bf25b09ae742e2a8056ebd9e08b6cf2e4daaa247e54376f651a261fb12da8e1c835a98fd421d19971f9

Download Submit
C:\Windows\{3ACDC998-3841-4ba6-920F-FB0C2CF983A8}.exe

Filesize
90KB

MD5
c747d71f213caf54261db40c5bb95a3b

SHA1
21a1ff64a495985ed07b7d85483b26bcaf94e854

SHA256
e7b0cb1fb803cc71898cc437aa69fbb54ec92be45b15cc73c9c54e94f6c1ff96

SHA512
1bdeb8952029b750ca3ec551b09d7f135e92b933c1e6844dd98edb7759457d71f684199ebae25add23025e7c7557839922e4b55e26efd19c83b0f57122b58206

Download Submit
C:\Windows\{7B5137FE-F750-4ba5-8E1D-484430644F8C}.exe

Filesize
90KB

MD5
76a27b8b51954baac9a2a8fc497c0b43

SHA1
882337d2025a8983b64a503604445781df5a0115

SHA256
923b0b50b1b90009bd598135e04e5fefb0585dffbcea282008e4530daff380e8

SHA512
9c1c58d23750e706960b272d121c58a012c5cec97c1ea1e0a0ed1db83be5112180f9029f62cf865fd55969b28c027cf1950076b4f954abf5d1b5cea0e86a564d

Download Submit
C:\Windows\{9B4FCE4D-5B1A-45c8-9D82-8FEC211A091B}.exe

Filesize
90KB

MD5
81c58f14a9650e4dbda4a04ebb82d377

SHA1
f349efa529a313830e3d9a1c64a022a3cb34afa3

SHA256
fb4c62d1c65f722ea3932af42eeea045ebf64a51fa4e9bee60abbebafb6e967f

SHA512
3620674a54b1bce77c9c16460a33ce54a0673808ba03a13931df0e7fd685585404e05ca48635f290b0675b83f40499195357019d12cba737c0c54442c5f041ea

Download Submit
C:\Windows\{A7308CD9-76BD-43b9-B645-F322DB95C6CE}.exe

Filesize
90KB

MD5
044cf481c522724883d022b3aae88b5d

SHA1
99337d4df7abd74fa1db9437d3b93844d936d214

SHA256
97d8c3370cc5c0de6dcbd3e77094cb069a20b886ac1e8cbc6602a30d7cac1643

SHA512
74438e69ae539ca2487f3a85f080f8706e436e72a92f42ed797b6d9403f2e8ee4637f8299c44c0497c056718195d45fc18206bf4d9e03137742865b1fe27c085

Download Submit
C:\Windows\{AA2E8C80-21CC-4154-ACF3-D8D4BDC8AAB7}.exe

Filesize
90KB

MD5
073af081569084858b31e94438f36ba3

SHA1
8821306ae4d86478ecc5765bad50b26d7c72fc32

SHA256
116aea8553d8de5efad40f5f41c144e39c82d8010927ebcc7004f2b1521f478a

SHA512
83f777b666a2fe07ecacb8c0e448c8bad82d0b9263f77c93a15fc5207363c25c8399b5f244facfb4bb3a344072816015b0a5fc4493b50d61d586f83cd0c0a738

Download Submit
C:\Windows\{AF7F4EF0-F747-4687-ACC0-685CDEC2675B}.exe

Filesize
90KB

MD5
3138303a62e002cede5dcab6296a5abf

SHA1
182c4cbc2a1c0eefb46f117170b42f4ad93d751d

SHA256
c66b4f9ad662bbeac113627003b27597e20db6679273fb41d3d22558cfdd10fe

SHA512
5d9ce1255bd5414a14f92077742471175d395f1cfedffa208c18355175102a088146a0a30ecaead343b9c9bca31df8af7340a1c9dc0346573f83486e17b39fe3

Download Submit
C:\Windows\{DC2D9F7D-F87A-4cf8-842B-1F243A191988}.exe

Filesize
90KB

MD5
df7b9895f81281e5a83c724b7f641223

SHA1
97434ffb2a5619579db4fdc153f225109a204b3c

SHA256
122ed32a88a6a98fdae587a075c57fd78ccf46121ab332f2a6adaee7179e6220

SHA512
091013adeec6075ddb7df4a24f8e417730f8ed5b6e227782dac8a760a93cd848ba68487561a53d7937b699357b564bdd20975e2c19e463a120867f8ba49d3a50

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads