f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe
Size

90KB
MD5

053c7dccc4f69f1a71b788276b118d10
SHA1

2b074b5bb48804caa24ce96db33376b1cc94b999
SHA256

f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734
SHA512

9c29bcc720965ddfd4f6a1a0f67fb864ed3f0bfa628739fd1cccc94ab8c200838e97e00123a4c4cb04f18db0463f6cf9bbe533bbadbb50088b2724b6df527f22
SSDEEP

768:5vw9816thKQLro84/wQkNrfrunMxVFA3bA:lEG/0o8lbunMxVS3c

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B60780B9-BB10-43a8-83C7-8F4E92993A6B}	f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1FE0B0F-142E-4233-B18F-0C88B9894316}\stubpath = "C:\\Windows\\{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe"	{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DBA6F44-53E8-4373-81F3-E09597C692CC}	{718B9513-C939-430d-9618-EBDAF7486365}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C1F35A9-B01B-4e29-9DD0-38AEA9A6D1D2}	{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}\stubpath = "C:\\Windows\\{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe"	{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{718B9513-C939-430d-9618-EBDAF7486365}	{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}	{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76300273-8260-4bf0-B4D1-EEBDC1842E76}\stubpath = "C:\\Windows\\{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe"	{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DBA6F44-53E8-4373-81F3-E09597C692CC}\stubpath = "C:\\Windows\\{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe"	{718B9513-C939-430d-9618-EBDAF7486365}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C1F35A9-B01B-4e29-9DD0-38AEA9A6D1D2}\stubpath = "C:\\Windows\\{9C1F35A9-B01B-4e29-9DD0-38AEA9A6D1D2}.exe"	{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBA690A6-F5B9-42e2-BEA0-A3F76C7F667D}\stubpath = "C:\\Windows\\{EBA690A6-F5B9-42e2-BEA0-A3F76C7F667D}.exe"	{9C1F35A9-B01B-4e29-9DD0-38AEA9A6D1D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B60780B9-BB10-43a8-83C7-8F4E92993A6B}\stubpath = "C:\\Windows\\{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe"	f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1FE0B0F-142E-4233-B18F-0C88B9894316}	{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9340C39-6A29-4e32-AE5B-59816A6799F3}	{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9340C39-6A29-4e32-AE5B-59816A6799F3}\stubpath = "C:\\Windows\\{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe"	{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76300273-8260-4bf0-B4D1-EEBDC1842E76}	{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{718B9513-C939-430d-9618-EBDAF7486365}\stubpath = "C:\\Windows\\{718B9513-C939-430d-9618-EBDAF7486365}.exe"	{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBA690A6-F5B9-42e2-BEA0-A3F76C7F667D}	{9C1F35A9-B01B-4e29-9DD0-38AEA9A6D1D2}.exe

Deletes itself 1 IoCs

pid	Process
2528	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2772	{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe
2840	{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe
2712	{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe
2764	{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe
1036	{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe
872	{718B9513-C939-430d-9618-EBDAF7486365}.exe
3036	{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe
1612	{9C1F35A9-B01B-4e29-9DD0-38AEA9A6D1D2}.exe
2540	{EBA690A6-F5B9-42e2-BEA0-A3F76C7F667D}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe	{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe
File created	C:\Windows\{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe	{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe
File created	C:\Windows\{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe	{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe
File created	C:\Windows\{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe	{718B9513-C939-430d-9618-EBDAF7486365}.exe
File created	C:\Windows\{9C1F35A9-B01B-4e29-9DD0-38AEA9A6D1D2}.exe	{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe
File created	C:\Windows\{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe	f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe
File created	C:\Windows\{718B9513-C939-430d-9618-EBDAF7486365}.exe	{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe
File created	C:\Windows\{EBA690A6-F5B9-42e2-BEA0-A3F76C7F667D}.exe	{9C1F35A9-B01B-4e29-9DD0-38AEA9A6D1D2}.exe
File created	C:\Windows\{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe	{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{718B9513-C939-430d-9618-EBDAF7486365}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C1F35A9-B01B-4e29-9DD0-38AEA9A6D1D2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EBA690A6-F5B9-42e2-BEA0-A3F76C7F667D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2104	f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe
Token: SeIncBasePriorityPrivilege	2772	{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe
Token: SeIncBasePriorityPrivilege	2840	{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe
Token: SeIncBasePriorityPrivilege	2712	{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe
Token: SeIncBasePriorityPrivilege	2764	{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe
Token: SeIncBasePriorityPrivilege	1036	{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe
Token: SeIncBasePriorityPrivilege	872	{718B9513-C939-430d-9618-EBDAF7486365}.exe
Token: SeIncBasePriorityPrivilege	3036	{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe
Token: SeIncBasePriorityPrivilege	1612	{9C1F35A9-B01B-4e29-9DD0-38AEA9A6D1D2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2772	2104	f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe	29
PID 2104 wrote to memory of 2772	2104	f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe	29
PID 2104 wrote to memory of 2772	2104	f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe	29
PID 2104 wrote to memory of 2772	2104	f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe	29
PID 2104 wrote to memory of 2528	2104	f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe	30
PID 2104 wrote to memory of 2528	2104	f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe	30
PID 2104 wrote to memory of 2528	2104	f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe	30
PID 2104 wrote to memory of 2528	2104	f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe	30
PID 2772 wrote to memory of 2840	2772	{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe	31
PID 2772 wrote to memory of 2840	2772	{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe	31
PID 2772 wrote to memory of 2840	2772	{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe	31
PID 2772 wrote to memory of 2840	2772	{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe	31
PID 2772 wrote to memory of 2824	2772	{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe	32
PID 2772 wrote to memory of 2824	2772	{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe	32
PID 2772 wrote to memory of 2824	2772	{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe	32
PID 2772 wrote to memory of 2824	2772	{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe	32
PID 2840 wrote to memory of 2712	2840	{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe	33
PID 2840 wrote to memory of 2712	2840	{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe	33
PID 2840 wrote to memory of 2712	2840	{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe	33
PID 2840 wrote to memory of 2712	2840	{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe	33
PID 2840 wrote to memory of 2856	2840	{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe	34
PID 2840 wrote to memory of 2856	2840	{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe	34
PID 2840 wrote to memory of 2856	2840	{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe	34
PID 2840 wrote to memory of 2856	2840	{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe	34
PID 2712 wrote to memory of 2764	2712	{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe	35
PID 2712 wrote to memory of 2764	2712	{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe	35
PID 2712 wrote to memory of 2764	2712	{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe	35
PID 2712 wrote to memory of 2764	2712	{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe	35
PID 2712 wrote to memory of 2744	2712	{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe	36
PID 2712 wrote to memory of 2744	2712	{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe	36
PID 2712 wrote to memory of 2744	2712	{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe	36
PID 2712 wrote to memory of 2744	2712	{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe	36
PID 2764 wrote to memory of 1036	2764	{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe	37
PID 2764 wrote to memory of 1036	2764	{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe	37
PID 2764 wrote to memory of 1036	2764	{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe	37
PID 2764 wrote to memory of 1036	2764	{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe	37
PID 2764 wrote to memory of 3060	2764	{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe	38
PID 2764 wrote to memory of 3060	2764	{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe	38
PID 2764 wrote to memory of 3060	2764	{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe	38
PID 2764 wrote to memory of 3060	2764	{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe	38
PID 1036 wrote to memory of 872	1036	{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe	39
PID 1036 wrote to memory of 872	1036	{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe	39
PID 1036 wrote to memory of 872	1036	{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe	39
PID 1036 wrote to memory of 872	1036	{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe	39
PID 1036 wrote to memory of 948	1036	{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe	40
PID 1036 wrote to memory of 948	1036	{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe	40
PID 1036 wrote to memory of 948	1036	{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe	40
PID 1036 wrote to memory of 948	1036	{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe	40
PID 872 wrote to memory of 3036	872	{718B9513-C939-430d-9618-EBDAF7486365}.exe	41
PID 872 wrote to memory of 3036	872	{718B9513-C939-430d-9618-EBDAF7486365}.exe	41
PID 872 wrote to memory of 3036	872	{718B9513-C939-430d-9618-EBDAF7486365}.exe	41
PID 872 wrote to memory of 3036	872	{718B9513-C939-430d-9618-EBDAF7486365}.exe	41
PID 872 wrote to memory of 3040	872	{718B9513-C939-430d-9618-EBDAF7486365}.exe	42
PID 872 wrote to memory of 3040	872	{718B9513-C939-430d-9618-EBDAF7486365}.exe	42
PID 872 wrote to memory of 3040	872	{718B9513-C939-430d-9618-EBDAF7486365}.exe	42
PID 872 wrote to memory of 3040	872	{718B9513-C939-430d-9618-EBDAF7486365}.exe	42
PID 3036 wrote to memory of 1612	3036	{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe	43
PID 3036 wrote to memory of 1612	3036	{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe	43
PID 3036 wrote to memory of 1612	3036	{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe	43
PID 3036 wrote to memory of 1612	3036	{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe	43
PID 3036 wrote to memory of 1908	3036	{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe	44
PID 3036 wrote to memory of 1908	3036	{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe	44
PID 3036 wrote to memory of 1908	3036	{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe	44
PID 3036 wrote to memory of 1908	3036	{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe	44

C:\Users\Admin\AppData\Local\Temp\f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe
"C:\Users\Admin\AppData\Local\Temp\f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe
  C:\Windows\{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe
    C:\Windows\{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe
      C:\Windows\{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe
        
        C:\Windows\{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe
        
        C:\Windows\{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\{718B9513-C939-430d-9618-EBDAF7486365}.exe
        
        C:\Windows\{718B9513-C939-430d-9618-EBDAF7486365}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe
        
        C:\Windows\{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\{9C1F35A9-B01B-4e29-9DD0-38AEA9A6D1D2}.exe
        
        C:\Windows\{9C1F35A9-B01B-4e29-9DD0-38AEA9A6D1D2}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\{EBA690A6-F5B9-42e2-BEA0-A3F76C7F667D}.exe
        
        C:\Windows\{EBA690A6-F5B9-42e2-BEA0-A3F76C7F667D}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C1F3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DBA6~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{718B9~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76300~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9340~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69D6A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B1FE0~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B6078~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F90C81~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{69D6A4CB-7109-4130-8F99-A0BC3A53AE43}.exe

Filesize
90KB

MD5
d022480d3ed88f21b10cfcdc7bf80964

SHA1
42b3aa49a81035272251cac1c92f95a170337e36

SHA256
d2e285a26d8a0aef2c4274f47f2e74860b483d9e1235d5c4a39188f12f90b2ad

SHA512
d23ff2600944ea55043bed8b9445da47512ba6c2c9954e12acddfaae49c92d69ac5068b8ac3d85ad118a72ed27d2211f1cad1c33189df3d94b7b46b95c6fa70c

Download Submit
C:\Windows\{718B9513-C939-430d-9618-EBDAF7486365}.exe

Filesize
90KB

MD5
3f807c31933c5cc0761b61cc5a94d60d

SHA1
242a5b12ca8b926c007f282eb57acc8fb90d0d97

SHA256
9ddf8c187fd3db2952efeb04858401cd3711bd906c472387019e5cb7a2edd847

SHA512
47af7a0594aa5759d38a323c3a2592d0942dfc4b90522c4eb7d543d2784cd6fa43b3273326e43db834080ad03051b558a61ec5e3c569f14321ab6b5292ad1057

Download Submit
C:\Windows\{76300273-8260-4bf0-B4D1-EEBDC1842E76}.exe

Filesize
90KB

MD5
ec2f63cdf9851d88d67c6983b4ee7d85

SHA1
fd55074c1c2f53b112bc258606053467402af2ce

SHA256
76cfa6ee172730a233c6be68e8a9de7cada644ab120d5ddf392d2ee9d0789b0e

SHA512
068374b2af41460aea38f3247115e5b01e5acee6c8b41b2b9b637c2619f435d23763594fa188cfd8632937d15d4a14edd58e569486a76197f2b4e29d207b3e6d

Download Submit
C:\Windows\{9C1F35A9-B01B-4e29-9DD0-38AEA9A6D1D2}.exe

Filesize
90KB

MD5
9947065e9972481a7728db54c9c54013

SHA1
9acf3d6cf03d88d4d33474ea90aea2781238a2d7

SHA256
f8c4d3ad01a13a01f874faf957ef6efb4a1077365a30f469de78a8710496c528

SHA512
5f04b0abc2ecfc6a8175d328264e6eb02a4f8b1699304b07688c4d8ff273c19b27238fd340a7434d635455ae90a3641abd937cefbd5a75dd04e9034566f22fc3

Download Submit
C:\Windows\{9DBA6F44-53E8-4373-81F3-E09597C692CC}.exe

Filesize
90KB

MD5
c89c164dc77fb47f20ac9217d362d5a5

SHA1
4a9621fe53ca25c0160cba44f0199f8f521187bd

SHA256
9fac758c26e754f8780d0a662da9f4a78d93c1293d25bc21d9f6b8e49c06f857

SHA512
48bae19871c9530096a9557982c56cdf984bf1cdc3d2973d3f2afed6f9f74ce4f723c56716b90556eb8c63a0715935f5258d04718ec09bc5412b45eca9644d74

Download Submit
C:\Windows\{A9340C39-6A29-4e32-AE5B-59816A6799F3}.exe

Filesize
90KB

MD5
e98f6e638b691365e36ff6d72d3ba7ff

SHA1
46e318d746b04d5e0ee09011ac4e66e50d51fc20

SHA256
0780918c366e79c2f249bd462b73711526fdfe966d2dac8a7bdaa1f0cdfbc247

SHA512
73449960304ffd0f33e504026e5f56bd9532c2655ae109685486311c372567311ef08643539859a916e89e89a2f613e30eb3e0f8387e2f9ea1c015bab5f8bd14

Download Submit
C:\Windows\{B1FE0B0F-142E-4233-B18F-0C88B9894316}.exe

Filesize
90KB

MD5
f190d9b53b1b3c39fc437d6d14944029

SHA1
ee849065a3ae4f46b5838fe5aa3fef2f9fa24da7

SHA256
05d9695c5f07eff7afa3a063ddcf6ad0ee697bfa419cf6e5df6cecca60a232c7

SHA512
ff6d32bf176c6e45ca61487b989158c372462c3f486326292b987055faa4f40d5afe1af0ff9afdabb7d1548bee176bab2fa7dfa3d0897783427996e8072ac338

Download Submit
C:\Windows\{B60780B9-BB10-43a8-83C7-8F4E92993A6B}.exe

Filesize
90KB

MD5
24bf95a1700e6732c376ea958722d8de

SHA1
a7d2e218361c694cdc963e4fb32e7219e494a07c

SHA256
b8548ba13ec9c8e38a0c9f9f6aa16652f9e4d25b04eb9e7f25a94f16ff1baf3e

SHA512
5d2557a093ed2c9a33387f6a9e2184ab403f12395a1396713db5e97a9cf7c67a2a14acfa13f0ffc9df1d1c2ffe51e24232ca9957d09f29b2d4703674a7626443

Download Submit
C:\Windows\{EBA690A6-F5B9-42e2-BEA0-A3F76C7F667D}.exe

Filesize
90KB

MD5
bf9232d7ef1062230a5abf16aa602825

SHA1
207eb150d6b7387f8010bc0c3ea1f6dad8fbfcb2

SHA256
3b13b1fb504a8bac82086af3715040768c3dfa250a90896631dce8c60d68db49

SHA512
4b056e0f43ada3c0f4a071e8c98e50f8aab0b6a928436d4c2f5ccdaf4b6f9f85607a70958b62d7911178b3678c375813f360be0be3b38b9fd7e3e6328bc4c635

Download Submit
memory/872-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/872-64-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/1036-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1036-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1036-54-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/1612-88-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1612-80-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1612-83-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/2104-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2104-4-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2104-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2104-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2540-90-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2712-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2712-34-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/2712-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2712-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2764-45-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2764-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2764-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2772-12-0x0000000000380000-0x0000000000391000-memory.dmp

Filesize
68KB

Download
memory/2772-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2840-24-0x00000000003C0000-0x00000000003D1000-memory.dmp

Filesize
68KB

Download
memory/2840-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2840-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2840-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3036-74-0x0000000000250000-0x0000000000261000-memory.dmp

Filesize
68KB

Download
memory/3036-79-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3036-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads