9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44b

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe
Size

380KB
MD5

04d89e338027b99222b32f45263f8ed0
SHA1

0b1923290ed255b70fa1f88ed4e7582948956638
SHA256

9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44b
SHA512

189869143e51e9ce19b9f731c416b1e874a689c3cd26bfa7c2f4bd577016cb4c3c35bd6474b59d33adabd5d18261007b22b28922f5197a2597bd67c03ae433e6
SSDEEP

3072:mEGh0ohlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG7l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1815F828-AC8F-41c9-9676-28AF20E6BCEC}	{A133C864-DA52-4bc1-AB52-7754852A870B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE1467AB-6095-44d6-8E41-A45C629286F4}\stubpath = "C:\\Windows\\{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe"	{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A133C864-DA52-4bc1-AB52-7754852A870B}	{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A133C864-DA52-4bc1-AB52-7754852A870B}\stubpath = "C:\\Windows\\{A133C864-DA52-4bc1-AB52-7754852A870B}.exe"	{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}	{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A6BA85C-CB01-49b1-AE20-5D3C8A8C0A5A}\stubpath = "C:\\Windows\\{3A6BA85C-CB01-49b1-AE20-5D3C8A8C0A5A}.exe"	{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}\stubpath = "C:\\Windows\\{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe"	{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1815F828-AC8F-41c9-9676-28AF20E6BCEC}\stubpath = "C:\\Windows\\{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe"	{A133C864-DA52-4bc1-AB52-7754852A870B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A6BA85C-CB01-49b1-AE20-5D3C8A8C0A5A}	{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0905D2A6-611E-4999-8B77-EF3A8B9D081D}	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0905D2A6-611E-4999-8B77-EF3A8B9D081D}\stubpath = "C:\\Windows\\{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe"	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6051C65-158E-41da-B6BB-6F44164F5E47}\stubpath = "C:\\Windows\\{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe"	{F56A62CA-9438-494d-B6C1-83DD96207122}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE1467AB-6095-44d6-8E41-A45C629286F4}	{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0D610AA-DC49-4fee-8CDA-9C2CCB6C989D}	{3A6BA85C-CB01-49b1-AE20-5D3C8A8C0A5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0D610AA-DC49-4fee-8CDA-9C2CCB6C989D}\stubpath = "C:\\Windows\\{C0D610AA-DC49-4fee-8CDA-9C2CCB6C989D}.exe"	{3A6BA85C-CB01-49b1-AE20-5D3C8A8C0A5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F56A62CA-9438-494d-B6C1-83DD96207122}	{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F56A62CA-9438-494d-B6C1-83DD96207122}\stubpath = "C:\\Windows\\{F56A62CA-9438-494d-B6C1-83DD96207122}.exe"	{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6051C65-158E-41da-B6BB-6F44164F5E47}	{F56A62CA-9438-494d-B6C1-83DD96207122}.exe

Deletes itself 1 IoCs

pid	Process
2932	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2804	{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe
2844	{F56A62CA-9438-494d-B6C1-83DD96207122}.exe
2780	{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe
2536	{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe
2376	{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe
3048	{A133C864-DA52-4bc1-AB52-7754852A870B}.exe
2560	{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe
2064	{3A6BA85C-CB01-49b1-AE20-5D3C8A8C0A5A}.exe
2264	{C0D610AA-DC49-4fee-8CDA-9C2CCB6C989D}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe
File created	C:\Windows\{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe	{F56A62CA-9438-494d-B6C1-83DD96207122}.exe
File created	C:\Windows\{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe	{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe
File created	C:\Windows\{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe	{A133C864-DA52-4bc1-AB52-7754852A870B}.exe
File created	C:\Windows\{3A6BA85C-CB01-49b1-AE20-5D3C8A8C0A5A}.exe	{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe
File created	C:\Windows\{C0D610AA-DC49-4fee-8CDA-9C2CCB6C989D}.exe	{3A6BA85C-CB01-49b1-AE20-5D3C8A8C0A5A}.exe
File created	C:\Windows\{F56A62CA-9438-494d-B6C1-83DD96207122}.exe	{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe
File created	C:\Windows\{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe	{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe
File created	C:\Windows\{A133C864-DA52-4bc1-AB52-7754852A870B}.exe	{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F56A62CA-9438-494d-B6C1-83DD96207122}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A133C864-DA52-4bc1-AB52-7754852A870B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3A6BA85C-CB01-49b1-AE20-5D3C8A8C0A5A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C0D610AA-DC49-4fee-8CDA-9C2CCB6C989D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2836	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe
Token: SeIncBasePriorityPrivilege	2804	{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe
Token: SeIncBasePriorityPrivilege	2844	{F56A62CA-9438-494d-B6C1-83DD96207122}.exe
Token: SeIncBasePriorityPrivilege	2780	{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe
Token: SeIncBasePriorityPrivilege	2536	{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe
Token: SeIncBasePriorityPrivilege	2376	{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe
Token: SeIncBasePriorityPrivilege	3048	{A133C864-DA52-4bc1-AB52-7754852A870B}.exe
Token: SeIncBasePriorityPrivilege	2560	{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe
Token: SeIncBasePriorityPrivilege	2064	{3A6BA85C-CB01-49b1-AE20-5D3C8A8C0A5A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2804	2836	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe	30
PID 2836 wrote to memory of 2804	2836	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe	30
PID 2836 wrote to memory of 2804	2836	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe	30
PID 2836 wrote to memory of 2804	2836	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe	30
PID 2836 wrote to memory of 2932	2836	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe	31
PID 2836 wrote to memory of 2932	2836	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe	31
PID 2836 wrote to memory of 2932	2836	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe	31
PID 2836 wrote to memory of 2932	2836	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe	31
PID 2804 wrote to memory of 2844	2804	{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe	32
PID 2804 wrote to memory of 2844	2804	{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe	32
PID 2804 wrote to memory of 2844	2804	{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe	32
PID 2804 wrote to memory of 2844	2804	{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe	32
PID 2804 wrote to memory of 2732	2804	{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe	33
PID 2804 wrote to memory of 2732	2804	{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe	33
PID 2804 wrote to memory of 2732	2804	{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe	33
PID 2804 wrote to memory of 2732	2804	{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe	33
PID 2844 wrote to memory of 2780	2844	{F56A62CA-9438-494d-B6C1-83DD96207122}.exe	35
PID 2844 wrote to memory of 2780	2844	{F56A62CA-9438-494d-B6C1-83DD96207122}.exe	35
PID 2844 wrote to memory of 2780	2844	{F56A62CA-9438-494d-B6C1-83DD96207122}.exe	35
PID 2844 wrote to memory of 2780	2844	{F56A62CA-9438-494d-B6C1-83DD96207122}.exe	35
PID 2844 wrote to memory of 684	2844	{F56A62CA-9438-494d-B6C1-83DD96207122}.exe	36
PID 2844 wrote to memory of 684	2844	{F56A62CA-9438-494d-B6C1-83DD96207122}.exe	36
PID 2844 wrote to memory of 684	2844	{F56A62CA-9438-494d-B6C1-83DD96207122}.exe	36
PID 2844 wrote to memory of 684	2844	{F56A62CA-9438-494d-B6C1-83DD96207122}.exe	36
PID 2780 wrote to memory of 2536	2780	{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe	37
PID 2780 wrote to memory of 2536	2780	{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe	37
PID 2780 wrote to memory of 2536	2780	{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe	37
PID 2780 wrote to memory of 2536	2780	{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe	37
PID 2780 wrote to memory of 2180	2780	{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe	38
PID 2780 wrote to memory of 2180	2780	{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe	38
PID 2780 wrote to memory of 2180	2780	{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe	38
PID 2780 wrote to memory of 2180	2780	{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe	38
PID 2536 wrote to memory of 2376	2536	{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe	39
PID 2536 wrote to memory of 2376	2536	{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe	39
PID 2536 wrote to memory of 2376	2536	{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe	39
PID 2536 wrote to memory of 2376	2536	{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe	39
PID 2536 wrote to memory of 2008	2536	{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe	40
PID 2536 wrote to memory of 2008	2536	{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe	40
PID 2536 wrote to memory of 2008	2536	{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe	40
PID 2536 wrote to memory of 2008	2536	{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe	40
PID 2376 wrote to memory of 3048	2376	{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe	41
PID 2376 wrote to memory of 3048	2376	{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe	41
PID 2376 wrote to memory of 3048	2376	{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe	41
PID 2376 wrote to memory of 3048	2376	{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe	41
PID 2376 wrote to memory of 2984	2376	{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe	42
PID 2376 wrote to memory of 2984	2376	{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe	42
PID 2376 wrote to memory of 2984	2376	{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe	42
PID 2376 wrote to memory of 2984	2376	{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe	42
PID 3048 wrote to memory of 2560	3048	{A133C864-DA52-4bc1-AB52-7754852A870B}.exe	43
PID 3048 wrote to memory of 2560	3048	{A133C864-DA52-4bc1-AB52-7754852A870B}.exe	43
PID 3048 wrote to memory of 2560	3048	{A133C864-DA52-4bc1-AB52-7754852A870B}.exe	43
PID 3048 wrote to memory of 2560	3048	{A133C864-DA52-4bc1-AB52-7754852A870B}.exe	43
PID 3048 wrote to memory of 2592	3048	{A133C864-DA52-4bc1-AB52-7754852A870B}.exe	44
PID 3048 wrote to memory of 2592	3048	{A133C864-DA52-4bc1-AB52-7754852A870B}.exe	44
PID 3048 wrote to memory of 2592	3048	{A133C864-DA52-4bc1-AB52-7754852A870B}.exe	44
PID 3048 wrote to memory of 2592	3048	{A133C864-DA52-4bc1-AB52-7754852A870B}.exe	44
PID 2560 wrote to memory of 2064	2560	{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe	45
PID 2560 wrote to memory of 2064	2560	{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe	45
PID 2560 wrote to memory of 2064	2560	{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe	45
PID 2560 wrote to memory of 2064	2560	{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe	45
PID 2560 wrote to memory of 1192	2560	{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe	46
PID 2560 wrote to memory of 1192	2560	{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe	46
PID 2560 wrote to memory of 1192	2560	{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe	46
PID 2560 wrote to memory of 1192	2560	{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe	46

C:\Users\Admin\AppData\Local\Temp\9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe
"C:\Users\Admin\AppData\Local\Temp\9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe
  C:\Windows\{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\{F56A62CA-9438-494d-B6C1-83DD96207122}.exe
    C:\Windows\{F56A62CA-9438-494d-B6C1-83DD96207122}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe
      C:\Windows\{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe
        
        C:\Windows\{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe
        
        C:\Windows\{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{A133C864-DA52-4bc1-AB52-7754852A870B}.exe
        
        C:\Windows\{A133C864-DA52-4bc1-AB52-7754852A870B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe
        
        C:\Windows\{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\{3A6BA85C-CB01-49b1-AE20-5D3C8A8C0A5A}.exe
        
        C:\Windows\{3A6BA85C-CB01-49b1-AE20-5D3C8A8C0A5A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\{C0D610AA-DC49-4fee-8CDA-9C2CCB6C989D}.exe
        
        C:\Windows\{C0D610AA-DC49-4fee-8CDA-9C2CCB6C989D}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A6BA~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1815F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A133C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0FD9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE146~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6051~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F56A6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0905D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9217D1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0905D2A6-611E-4999-8B77-EF3A8B9D081D}.exe

Filesize
380KB

MD5
c6ef9b8b43e372ea9f80ab5adb0b897e

SHA1
b0a915613c9f9766a10dd90aedeacde3d40361d6

SHA256
3ba27bcd935d3b7ccf03facd143bb0529013cdca8d5f11e64d72b9397af2cb3d

SHA512
9ad906978d6511332b4aa67e91cb3cc11a12c7217f974272d42326577c20f41c8c011a16b69417c8a68b124ec06736979c74bcd007e96d71ba8fa38c0fd9247f

Download Submit
C:\Windows\{1815F828-AC8F-41c9-9676-28AF20E6BCEC}.exe

Filesize
380KB

MD5
08cecabb35f6f95f257f386f3826b040

SHA1
44e9ccd40a212455ddf74b7e3821f2c576989d9b

SHA256
8bd5248f73df7a98077f71bf4fbf762b09f9b3700b3bd4d0ce2aa6536cdf6612

SHA512
825ee1a834ef4831f0347fa614630d8f4b640b1f26e2aedfdb2089c4464b4a0579f297c520957382015aef0351142684db500b888a30eb4246c232f242add9a8

Download Submit
C:\Windows\{3A6BA85C-CB01-49b1-AE20-5D3C8A8C0A5A}.exe

Filesize
380KB

MD5
c751dee9561d1bedfc6b66b3356d93e4

SHA1
0afceebb0a5270073228c02e13fe233a586bdaee

SHA256
62eebc8c80c30cc4dab2fb31f01c9a4a5687691068d2908fbd0cb6ac843fe8d2

SHA512
ea7ca71ebfb9608a55749af16f5f6afab6438fd4f3cc5b2e46fb0d93d015fa7f1658a26213794ef4fdf5ea8a5e8a012290cf6754eb7242952e2e8ae6911e2ac2

Download Submit
C:\Windows\{A133C864-DA52-4bc1-AB52-7754852A870B}.exe

Filesize
380KB

MD5
ba538b94454e2d915c18674fed60cf0a

SHA1
dc33128197de5ddcffbe73bfc902a6f0be86d160

SHA256
2dbd441c3d0d8e81e4f2aa74081415d11f498b465fb070621c13770fc1044dac

SHA512
83fb7449b990cc4439d4cded51f7134a9758575864b7c4a0014d885ca6d9512bc8eecbce9c9b04095a98e6b1df25415e23ff97e8f26225dcf694395618e9e584

Download Submit
C:\Windows\{C0D610AA-DC49-4fee-8CDA-9C2CCB6C989D}.exe

Filesize
380KB

MD5
de3a08c18fb300b2dedc42a6a590b35c

SHA1
19888cabf6d351d7c47c90fdaad8770788f0c2df

SHA256
b2407d54e36c4c3722885f9c28ea42ace0dac379f62415581432b21ece42f22f

SHA512
5d1a735a2244d17d28e2ab15b291951b3aceaaf797594b9296d0d88c380332393f35798477442947edf58c06257fd44ca4d8c5c49b524e021fc34f85aecf5419

Download Submit
C:\Windows\{CE1467AB-6095-44d6-8E41-A45C629286F4}.exe

Filesize
380KB

MD5
bc03e1dfee95fe0cc28eee8399e24148

SHA1
e4041dec8007efbf15925cbb61443773d62d8627

SHA256
50bda6a7cdef99fd30d99a98d19ae2bbe34bbf5c32b3accb1ad45a9d91f672c6

SHA512
a0962d71900e4e059453fcc51173f5dc6062eaa612c793b212a589f64560f5160d3ac1ea5221d80eb78734d5ebe0ea066d47eaab05b2fa2e4dee68b7e8e35f94

Download Submit
C:\Windows\{E6051C65-158E-41da-B6BB-6F44164F5E47}.exe

Filesize
380KB

MD5
2b98c407c4b20db9263d71fc379c413c

SHA1
5726ee7881303c7ce901f687949eecf020caf254

SHA256
5d8ee2204830c92692df622b0388a3bcaef98ff5a0eb07e8fbca717dfcf8328d

SHA512
579ce5dfd023634b1c5340ee7d3809a9b1e575e0e75955a58e0242847653f0b5c842891752ccfd2a61ec48f7d18ea134242e4735c4ee408474ba9e6627a370ed

Download Submit
C:\Windows\{F0FD900B-3CB0-4603-8F99-75FE0E75BBAC}.exe

Filesize
380KB

MD5
32c042f75b1c19c37d60f23c14427169

SHA1
7a1d051fde0779345b45f19e54e142bc323fb2f3

SHA256
700c5d4e4b225f8f1d0b2cc87801030f475b246088fa08132bddf9ead29c78e5

SHA512
f8bfb3d4c08acadf52007686b694e2366e6f41d010b4e418cad29c668326f00b49803fb4414fd1eeb8aff4bbd65a211b9d5ce0bae249be6dc35bd114fcf9b4e6

Download Submit
C:\Windows\{F56A62CA-9438-494d-B6C1-83DD96207122}.exe

Filesize
380KB

MD5
ac0906597488832581a8dd4d7ea76626

SHA1
a80dcba3b3b56e3bb54481156fd622e37facdb55

SHA256
847c639dc9d20a0a0eded264a9f2c859c19eefacd5b703e5baf1b5ffa57ccdc9

SHA512
535677685b17ff0f96c46b6c3c3776ecaa1864f93da554b49c05818e23c52cb5e1ae16f5622b0b64b6b35b498a0d921b1f96e420dc59773dc1fa9c628a21c719

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads