4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806.exe
Size

89KB
MD5

50563eefb2f1fe8d01ba40e689b9a074
SHA1

24110031ae6132d566326044d09141b73b031c99
SHA256

4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806
SHA512

b9a16c77b5e0de60ab2cec6281d793faef86fa75144aecf0d830ec468ff21d0bec5a1ab38c775baf852ff8f594f8743a108b4a04fa98abf5b34e5f2d7f88942e
SSDEEP

768:Qvw9816vhKQLroQ84/wQRNrfrunMxVFA3b7glL:YEGh0oQ8l2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4683E72-DF30-4cfa-8401-68125AA9117C}	{4FB4B130-BA36-40c1-8174-E0775C16451F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7701F0C-075F-44f7-987F-D1A66FD038DC}	{B4683E72-DF30-4cfa-8401-68125AA9117C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48596C60-B26E-45da-8FA3-6C3BB7E115BA}	{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48596C60-B26E-45da-8FA3-6C3BB7E115BA}\stubpath = "C:\\Windows\\{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe"	{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8A1814C-5043-4262-90C0-FD70B3668EC9}\stubpath = "C:\\Windows\\{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe"	{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0500892B-79A1-4eb6-9116-93A309845E98}	{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC9F4496-5211-4d57-9167-9037AA6A6744}\stubpath = "C:\\Windows\\{BC9F4496-5211-4d57-9167-9037AA6A6744}.exe"	{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FB4B130-BA36-40c1-8174-E0775C16451F}\stubpath = "C:\\Windows\\{4FB4B130-BA36-40c1-8174-E0775C16451F}.exe"	{BC9F4496-5211-4d57-9167-9037AA6A6744}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4683E72-DF30-4cfa-8401-68125AA9117C}\stubpath = "C:\\Windows\\{B4683E72-DF30-4cfa-8401-68125AA9117C}.exe"	{4FB4B130-BA36-40c1-8174-E0775C16451F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C910578-E1CF-48f3-A87C-65DEE5147F87}	{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C910578-E1CF-48f3-A87C-65DEE5147F87}\stubpath = "C:\\Windows\\{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe"	{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}\stubpath = "C:\\Windows\\{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe"	{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FB4B130-BA36-40c1-8174-E0775C16451F}	{BC9F4496-5211-4d57-9167-9037AA6A6744}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0500892B-79A1-4eb6-9116-93A309845E98}\stubpath = "C:\\Windows\\{0500892B-79A1-4eb6-9116-93A309845E98}.exe"	{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF524C15-15EC-4030-8D99-E37983D2CF5A}\stubpath = "C:\\Windows\\{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe"	{0500892B-79A1-4eb6-9116-93A309845E98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC9F4496-5211-4d57-9167-9037AA6A6744}	{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8A1814C-5043-4262-90C0-FD70B3668EC9}	{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF524C15-15EC-4030-8D99-E37983D2CF5A}	{0500892B-79A1-4eb6-9116-93A309845E98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7701F0C-075F-44f7-987F-D1A66FD038DC}\stubpath = "C:\\Windows\\{C7701F0C-075F-44f7-987F-D1A66FD038DC}.exe"	{B4683E72-DF30-4cfa-8401-68125AA9117C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}	4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}\stubpath = "C:\\Windows\\{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe"	4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}	{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe

Deletes itself 1 IoCs

pid	Process
2528	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2516	{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe
2292	{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe
2608	{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe
2624	{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe
2672	{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe
1968	{0500892B-79A1-4eb6-9116-93A309845E98}.exe
2776	{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe
1476	{BC9F4496-5211-4d57-9167-9037AA6A6744}.exe
1672	{4FB4B130-BA36-40c1-8174-E0775C16451F}.exe
1996	{B4683E72-DF30-4cfa-8401-68125AA9117C}.exe
2224	{C7701F0C-075F-44f7-987F-D1A66FD038DC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe	{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe
File created	C:\Windows\{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe	{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe
File created	C:\Windows\{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe	{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe
File created	C:\Windows\{0500892B-79A1-4eb6-9116-93A309845E98}.exe	{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe
File created	C:\Windows\{BC9F4496-5211-4d57-9167-9037AA6A6744}.exe	{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe
File created	C:\Windows\{4FB4B130-BA36-40c1-8174-E0775C16451F}.exe	{BC9F4496-5211-4d57-9167-9037AA6A6744}.exe
File created	C:\Windows\{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe	4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806.exe
File created	C:\Windows\{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe	{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe
File created	C:\Windows\{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe	{0500892B-79A1-4eb6-9116-93A309845E98}.exe
File created	C:\Windows\{B4683E72-DF30-4cfa-8401-68125AA9117C}.exe	{4FB4B130-BA36-40c1-8174-E0775C16451F}.exe
File created	C:\Windows\{C7701F0C-075F-44f7-987F-D1A66FD038DC}.exe	{B4683E72-DF30-4cfa-8401-68125AA9117C}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BC9F4496-5211-4d57-9167-9037AA6A6744}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7701F0C-075F-44f7-987F-D1A66FD038DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0500892B-79A1-4eb6-9116-93A309845E98}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4FB4B130-BA36-40c1-8174-E0775C16451F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B4683E72-DF30-4cfa-8401-68125AA9117C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1700	4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806.exe
Token: SeIncBasePriorityPrivilege	2516	{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe
Token: SeIncBasePriorityPrivilege	2292	{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe
Token: SeIncBasePriorityPrivilege	2608	{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe
Token: SeIncBasePriorityPrivilege	2624	{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe
Token: SeIncBasePriorityPrivilege	2672	{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe
Token: SeIncBasePriorityPrivilege	1968	{0500892B-79A1-4eb6-9116-93A309845E98}.exe
Token: SeIncBasePriorityPrivilege	2776	{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe
Token: SeIncBasePriorityPrivilege	1476	{BC9F4496-5211-4d57-9167-9037AA6A6744}.exe
Token: SeIncBasePriorityPrivilege	1672	{4FB4B130-BA36-40c1-8174-E0775C16451F}.exe
Token: SeIncBasePriorityPrivilege	1996	{B4683E72-DF30-4cfa-8401-68125AA9117C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2516	1700	4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806.exe	31
PID 1700 wrote to memory of 2516	1700	4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806.exe	31
PID 1700 wrote to memory of 2516	1700	4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806.exe	31
PID 1700 wrote to memory of 2516	1700	4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806.exe	31
PID 1700 wrote to memory of 2528	1700	4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806.exe	32
PID 1700 wrote to memory of 2528	1700	4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806.exe	32
PID 1700 wrote to memory of 2528	1700	4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806.exe	32
PID 1700 wrote to memory of 2528	1700	4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806.exe	32
PID 2516 wrote to memory of 2292	2516	{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe	33
PID 2516 wrote to memory of 2292	2516	{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe	33
PID 2516 wrote to memory of 2292	2516	{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe	33
PID 2516 wrote to memory of 2292	2516	{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe	33
PID 2516 wrote to memory of 2704	2516	{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe	34
PID 2516 wrote to memory of 2704	2516	{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe	34
PID 2516 wrote to memory of 2704	2516	{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe	34
PID 2516 wrote to memory of 2704	2516	{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe	34
PID 2292 wrote to memory of 2608	2292	{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe	35
PID 2292 wrote to memory of 2608	2292	{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe	35
PID 2292 wrote to memory of 2608	2292	{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe	35
PID 2292 wrote to memory of 2608	2292	{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe	35
PID 2292 wrote to memory of 2876	2292	{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe	36
PID 2292 wrote to memory of 2876	2292	{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe	36
PID 2292 wrote to memory of 2876	2292	{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe	36
PID 2292 wrote to memory of 2876	2292	{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe	36
PID 2608 wrote to memory of 2624	2608	{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe	37
PID 2608 wrote to memory of 2624	2608	{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe	37
PID 2608 wrote to memory of 2624	2608	{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe	37
PID 2608 wrote to memory of 2624	2608	{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe	37
PID 2608 wrote to memory of 2764	2608	{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe	38
PID 2608 wrote to memory of 2764	2608	{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe	38
PID 2608 wrote to memory of 2764	2608	{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe	38
PID 2608 wrote to memory of 2764	2608	{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe	38
PID 2624 wrote to memory of 2672	2624	{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe	39
PID 2624 wrote to memory of 2672	2624	{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe	39
PID 2624 wrote to memory of 2672	2624	{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe	39
PID 2624 wrote to memory of 2672	2624	{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe	39
PID 2624 wrote to memory of 1224	2624	{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe	40
PID 2624 wrote to memory of 1224	2624	{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe	40
PID 2624 wrote to memory of 1224	2624	{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe	40
PID 2624 wrote to memory of 1224	2624	{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe	40
PID 2672 wrote to memory of 1968	2672	{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe	41
PID 2672 wrote to memory of 1968	2672	{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe	41
PID 2672 wrote to memory of 1968	2672	{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe	41
PID 2672 wrote to memory of 1968	2672	{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe	41
PID 2672 wrote to memory of 2988	2672	{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe	42
PID 2672 wrote to memory of 2988	2672	{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe	42
PID 2672 wrote to memory of 2988	2672	{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe	42
PID 2672 wrote to memory of 2988	2672	{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe	42
PID 1968 wrote to memory of 2776	1968	{0500892B-79A1-4eb6-9116-93A309845E98}.exe	43
PID 1968 wrote to memory of 2776	1968	{0500892B-79A1-4eb6-9116-93A309845E98}.exe	43
PID 1968 wrote to memory of 2776	1968	{0500892B-79A1-4eb6-9116-93A309845E98}.exe	43
PID 1968 wrote to memory of 2776	1968	{0500892B-79A1-4eb6-9116-93A309845E98}.exe	43
PID 1968 wrote to memory of 2992	1968	{0500892B-79A1-4eb6-9116-93A309845E98}.exe	44
PID 1968 wrote to memory of 2992	1968	{0500892B-79A1-4eb6-9116-93A309845E98}.exe	44
PID 1968 wrote to memory of 2992	1968	{0500892B-79A1-4eb6-9116-93A309845E98}.exe	44
PID 1968 wrote to memory of 2992	1968	{0500892B-79A1-4eb6-9116-93A309845E98}.exe	44
PID 2776 wrote to memory of 1476	2776	{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe	45
PID 2776 wrote to memory of 1476	2776	{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe	45
PID 2776 wrote to memory of 1476	2776	{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe	45
PID 2776 wrote to memory of 1476	2776	{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe	45
PID 2776 wrote to memory of 1868	2776	{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe	46
PID 2776 wrote to memory of 1868	2776	{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe	46
PID 2776 wrote to memory of 1868	2776	{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe	46
PID 2776 wrote to memory of 1868	2776	{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe	46

C:\Users\Admin\AppData\Local\Temp\4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806.exe
"C:\Users\Admin\AppData\Local\Temp\4b8716ab1540b97e0f5b4e10ad04419c48a4c2e97f67e9780d62cf5408b2c806.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe
  C:\Windows\{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe
    C:\Windows\{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe
      C:\Windows\{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe
        
        C:\Windows\{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe
        
        C:\Windows\{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\{0500892B-79A1-4eb6-9116-93A309845E98}.exe
        
        C:\Windows\{0500892B-79A1-4eb6-9116-93A309845E98}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe
        
        C:\Windows\{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{BC9F4496-5211-4d57-9167-9037AA6A6744}.exe
        
        C:\Windows\{BC9F4496-5211-4d57-9167-9037AA6A6744}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\{4FB4B130-BA36-40c1-8174-E0775C16451F}.exe
        
        C:\Windows\{4FB4B130-BA36-40c1-8174-E0775C16451F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\{B4683E72-DF30-4cfa-8401-68125AA9117C}.exe
        
        C:\Windows\{B4683E72-DF30-4cfa-8401-68125AA9117C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\{C7701F0C-075F-44f7-987F-D1A66FD038DC}.exe
        
        C:\Windows\{C7701F0C-075F-44f7-987F-D1A66FD038DC}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4683~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FB4B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC9F4~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF524~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05008~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8A18~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14349~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48596~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6C910~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{078B3~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4B8716~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0500892B-79A1-4eb6-9116-93A309845E98}.exe

Filesize
89KB

MD5
93365ea656dcb74f92d4ffd85c84c9aa

SHA1
d0e115c0fbdd4e6e28988dbcb7b2ac019044edad

SHA256
757e3a97b9811aab16967f585119b79146fb34b41d96e7cdcd5181b53ced87ca

SHA512
82241f20e4ce61657ca3e84338f3e83ea5f2854bcdfcb8ba294cd630596d06373cb1999dbd8b8e2648366144e3e197a2a9ef99a78d1f63618dc676c5833c5325

Download Submit
C:\Windows\{078B3B33-6120-4cf7-A954-CBBC1B5D59D1}.exe

Filesize
89KB

MD5
129fcfd683bd30646346cb2e79a2b237

SHA1
5b2cff76e2d35e99a3f4f4ed207f857b0f016f3b

SHA256
242fa61e7909fdfbbd8cdae1af09a6b8204f1f0d231d5e38948ca930d11cb2fe

SHA512
ec39b6757661235e832bd2ac045edfbe00d9baa73df52a6777c4267d978deab4b9abb8e30925bdbe8145523f333e35d91d2b1fe16eed6462cb74a811eed61911

Download Submit
C:\Windows\{14349A33-18FB-4ed6-B4A1-C7A5FF64FE8F}.exe

Filesize
89KB

MD5
a06a50744499db6b4e05c1af2e8ae298

SHA1
a41676de4368521704a2ec232357853466167109

SHA256
99911ec3376bd2f80de9b1135b7420711084d2cf86f5520dd4bbf056f57e864f

SHA512
cd708ef4d7ff0bfbffe82e02a2ebd2054d56d45398c808cec12f8349f1b8fa1caa60143d312ff6dfb9e7ca4ee55b7a5a9ec6a898fce0fa875b1e3ae035fd22f5

Download Submit
C:\Windows\{48596C60-B26E-45da-8FA3-6C3BB7E115BA}.exe

Filesize
89KB

MD5
2449131cf8e513664bfdd3486cd3d011

SHA1
cb91f84c1c0a02afe5a88083c416e513b4d9e409

SHA256
8a03b582c311289a654d1465b413c85c65a14e2f09ee1d80fa5dae7c42d2cd49

SHA512
d9735eaefe87975d9e4b4b31e1afd44ea9677957577511fbd79eb0b90de1aade5ad8bc068be60615732c2791d7b332856594bc35dd30b8eb7f28d6e0afa6cf4b

Download Submit
C:\Windows\{4FB4B130-BA36-40c1-8174-E0775C16451F}.exe

Filesize
89KB

MD5
8fa4d4d5d480dcfb131f85e34fa0581b

SHA1
8c52019bf7b6db10d249d281ff05d45781a0e73e

SHA256
ced2090da6940f0241e691a41862fa089b2745a230add399bc8387694d5133b5

SHA512
7283ed6c1e5934dbe14773f4dd92197b4bd93093a0640d311aecb25860fd45f5c77bd4179037b31b7213904dcc28e894a8e609ca527cf9e39f9516dfbc7a1567

Download Submit
C:\Windows\{6C910578-E1CF-48f3-A87C-65DEE5147F87}.exe

Filesize
89KB

MD5
46ca6ed8570a96c8f638e3839e5ad514

SHA1
f9aca68b2c31e9a37fd78a6a22f8bb6a5bc32804

SHA256
8a66055a2ef27c209962ca87acf168f4e962291466c5e5b1d0ed027e9ca5dda7

SHA512
9758d954a105de265578f746e20d22d9305ada0569a7bc63fdf1141b3af680c44a367adb2f5d009142e0cd6a37ea379069028805d0f1996bef593800adac4c30

Download Submit
C:\Windows\{B4683E72-DF30-4cfa-8401-68125AA9117C}.exe

Filesize
89KB

MD5
6b8bdbf43314422c9983dde79c92ba10

SHA1
d9eca969f1fc697da25b86e11a7e2b79fb410386

SHA256
5cf8faaa8c193b0cf5f6cf7815068562362ad560dc0e84584fe493514f0bdea2

SHA512
119e284d0bdceec95cfb0d26cf7e3c30af4e8beadfc098a4b79f5f80e6201a6e7b00a91e83db2db3444eca12e49c7f64619ce8c4583024bff44823f4afd6a5bb

Download Submit
C:\Windows\{BC9F4496-5211-4d57-9167-9037AA6A6744}.exe

Filesize
89KB

MD5
39d980af7ccd41c325696259c0374e15

SHA1
63c18c48e8d8a0a094dac93cd8594ae9e5015a6b

SHA256
7c1b545ff7c621420b39c858663e7e41efe5f9354715722a94cc25a8d1d9db96

SHA512
dba4114ae69a0811d5274bec7fd6e2dd6a2d528d1bca7cf4d1ab02d6199a605a83ec3de5bf92a1d72e0c135587f1885f49aa3253de44e7514fcb3edd33e40ee2

Download Submit
C:\Windows\{C7701F0C-075F-44f7-987F-D1A66FD038DC}.exe

Filesize
89KB

MD5
8ff04e3ece50a634f8d8a51a4fe83f34

SHA1
3950be13b198cb830de871a51ebf1158b69c18ba

SHA256
ef1813de3636d088480859652fe2b78b54265b193ef342d4fa43454336102f2e

SHA512
48bd24ffae46903ac4cda5337a3fb9f504c12adbf9bd2c4284d02b5dbbf291ed8d75d8899cb30ebf28d53edbf5be4f9360eecd2d62bd26f1b7a278b6284c5492

Download Submit
C:\Windows\{DF524C15-15EC-4030-8D99-E37983D2CF5A}.exe

Filesize
89KB

MD5
ad59e28d2dc89ac8c6eb00cd6f81ecc8

SHA1
56a7606a97ab4a89e8be5cf1a8cc34808939dc18

SHA256
d746a0991e57d323455e460184c48ca7968c2cde393873131f1d1cc0d20193af

SHA512
e2fdc8874e091e34f2759a51a46656923b409b7bf398ca6f0a98d52a4a89b6366916a24f57c0e811f5f11dbba9d97c0bb2c4ba4ac74d9ce3b83e14dc1a7e4d40

Download Submit
C:\Windows\{F8A1814C-5043-4262-90C0-FD70B3668EC9}.exe

Filesize
89KB

MD5
173f5d75a16a796df6318d5d72d7dabb

SHA1
ea43b4cf224ef96458ad4a53acb8b6a0b7e4860b

SHA256
215aaadf746a457675a61a5cb12af542b5eebf57726ad5a6d20129faa8a21749

SHA512
cbc896c2f975ba5f8b323e17c1f3ae92afce9c3561675c7dcb7da35ac0baf8f1be8391bf58c5e2d694c088ad64268e4dd89fe68e7f9058c95aa67e0a93b4fd7d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads