023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe
Size

90KB
MD5

3a4e059f01d3dda718db24b46e5b7ad5
SHA1

155295a065a7d770540162bf7aad0ed92111dd45
SHA256

023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497
SHA512

e2285c05086327aaf9f4e275337ba0642db2d6080b7b08ed51af96fb1458a32029b677caadc4f66d4dc6f4a766376bba5ee7b9db7ec7f52d515011b3b0fe2d2a
SSDEEP

768:5vw9816thKQLrob4/wQkNrfrunMxVFA3bA:lEG/0oblbunMxVS3c

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7753DA63-5C33-49ff-A40C-FA228ADC319D}	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}\stubpath = "C:\\Windows\\{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe"	{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7EC061C-611C-45f5-B9BA-57CE4132228D}	{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3188E221-D485-4db4-862B-B130235A3D56}	{599EA5CD-9853-4036-868C-0B6CC78088F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9361F989-34AC-4d39-9EA1-589AF1BF40F8}\stubpath = "C:\\Windows\\{9361F989-34AC-4d39-9EA1-589AF1BF40F8}.exe"	{3188E221-D485-4db4-862B-B130235A3D56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66FE4937-1357-4259-8840-BA4026C4C2CE}\stubpath = "C:\\Windows\\{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe"	{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{378C03DD-533B-47d6-BF32-EB4061ADD3B5}	{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{599EA5CD-9853-4036-868C-0B6CC78088F6}	{378C03DD-533B-47d6-BF32-EB4061ADD3B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C5C90E8-621C-4b79-BFF1-A8F23455C677}\stubpath = "C:\\Windows\\{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe"	{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3188E221-D485-4db4-862B-B130235A3D56}\stubpath = "C:\\Windows\\{3188E221-D485-4db4-862B-B130235A3D56}.exe"	{599EA5CD-9853-4036-868C-0B6CC78088F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}	{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}\stubpath = "C:\\Windows\\{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe"	{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C5C90E8-621C-4b79-BFF1-A8F23455C677}	{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7EC061C-611C-45f5-B9BA-57CE4132228D}\stubpath = "C:\\Windows\\{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe"	{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B2641D4-C270-482d-9270-6200B99A3B3F}	{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B2641D4-C270-482d-9270-6200B99A3B3F}\stubpath = "C:\\Windows\\{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe"	{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{378C03DD-533B-47d6-BF32-EB4061ADD3B5}\stubpath = "C:\\Windows\\{378C03DD-533B-47d6-BF32-EB4061ADD3B5}.exe"	{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{599EA5CD-9853-4036-868C-0B6CC78088F6}\stubpath = "C:\\Windows\\{599EA5CD-9853-4036-868C-0B6CC78088F6}.exe"	{378C03DD-533B-47d6-BF32-EB4061ADD3B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7753DA63-5C33-49ff-A40C-FA228ADC319D}\stubpath = "C:\\Windows\\{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe"	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66FE4937-1357-4259-8840-BA4026C4C2CE}	{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}	{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9361F989-34AC-4d39-9EA1-589AF1BF40F8}	{3188E221-D485-4db4-862B-B130235A3D56}.exe

Deletes itself 1 IoCs

pid	Process
2276	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
268	{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe
2132	{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe
2836	{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe
2812	{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe
2420	{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe
1788	{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe
1640	{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe
2908	{378C03DD-533B-47d6-BF32-EB4061ADD3B5}.exe
3044	{599EA5CD-9853-4036-868C-0B6CC78088F6}.exe
1908	{3188E221-D485-4db4-862B-B130235A3D56}.exe
1704	{9361F989-34AC-4d39-9EA1-589AF1BF40F8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe	{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe
File created	C:\Windows\{378C03DD-533B-47d6-BF32-EB4061ADD3B5}.exe	{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe
File created	C:\Windows\{3188E221-D485-4db4-862B-B130235A3D56}.exe	{599EA5CD-9853-4036-868C-0B6CC78088F6}.exe
File created	C:\Windows\{9361F989-34AC-4d39-9EA1-589AF1BF40F8}.exe	{3188E221-D485-4db4-862B-B130235A3D56}.exe
File created	C:\Windows\{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe
File created	C:\Windows\{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe	{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe
File created	C:\Windows\{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe	{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe
File created	C:\Windows\{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe	{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe
File created	C:\Windows\{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe	{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe
File created	C:\Windows\{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe	{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe
File created	C:\Windows\{599EA5CD-9853-4036-868C-0B6CC78088F6}.exe	{378C03DD-533B-47d6-BF32-EB4061ADD3B5}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9361F989-34AC-4d39-9EA1-589AF1BF40F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{599EA5CD-9853-4036-868C-0B6CC78088F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3188E221-D485-4db4-862B-B130235A3D56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{378C03DD-533B-47d6-BF32-EB4061ADD3B5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2528	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe
Token: SeIncBasePriorityPrivilege	268	{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe
Token: SeIncBasePriorityPrivilege	2132	{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe
Token: SeIncBasePriorityPrivilege	2836	{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe
Token: SeIncBasePriorityPrivilege	2812	{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe
Token: SeIncBasePriorityPrivilege	2420	{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe
Token: SeIncBasePriorityPrivilege	1788	{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe
Token: SeIncBasePriorityPrivilege	1640	{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe
Token: SeIncBasePriorityPrivilege	2908	{378C03DD-533B-47d6-BF32-EB4061ADD3B5}.exe
Token: SeIncBasePriorityPrivilege	3044	{599EA5CD-9853-4036-868C-0B6CC78088F6}.exe
Token: SeIncBasePriorityPrivilege	1908	{3188E221-D485-4db4-862B-B130235A3D56}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 268	2528	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe	31
PID 2528 wrote to memory of 268	2528	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe	31
PID 2528 wrote to memory of 268	2528	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe	31
PID 2528 wrote to memory of 268	2528	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe	31
PID 2528 wrote to memory of 2276	2528	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe	32
PID 2528 wrote to memory of 2276	2528	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe	32
PID 2528 wrote to memory of 2276	2528	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe	32
PID 2528 wrote to memory of 2276	2528	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe	32
PID 268 wrote to memory of 2132	268	{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe	33
PID 268 wrote to memory of 2132	268	{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe	33
PID 268 wrote to memory of 2132	268	{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe	33
PID 268 wrote to memory of 2132	268	{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe	33
PID 268 wrote to memory of 2776	268	{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe	34
PID 268 wrote to memory of 2776	268	{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe	34
PID 268 wrote to memory of 2776	268	{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe	34
PID 268 wrote to memory of 2776	268	{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe	34
PID 2132 wrote to memory of 2836	2132	{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe	35
PID 2132 wrote to memory of 2836	2132	{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe	35
PID 2132 wrote to memory of 2836	2132	{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe	35
PID 2132 wrote to memory of 2836	2132	{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe	35
PID 2132 wrote to memory of 2848	2132	{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe	36
PID 2132 wrote to memory of 2848	2132	{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe	36
PID 2132 wrote to memory of 2848	2132	{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe	36
PID 2132 wrote to memory of 2848	2132	{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe	36
PID 2836 wrote to memory of 2812	2836	{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe	37
PID 2836 wrote to memory of 2812	2836	{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe	37
PID 2836 wrote to memory of 2812	2836	{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe	37
PID 2836 wrote to memory of 2812	2836	{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe	37
PID 2836 wrote to memory of 2556	2836	{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe	38
PID 2836 wrote to memory of 2556	2836	{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe	38
PID 2836 wrote to memory of 2556	2836	{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe	38
PID 2836 wrote to memory of 2556	2836	{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe	38
PID 2812 wrote to memory of 2420	2812	{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe	39
PID 2812 wrote to memory of 2420	2812	{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe	39
PID 2812 wrote to memory of 2420	2812	{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe	39
PID 2812 wrote to memory of 2420	2812	{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe	39
PID 2812 wrote to memory of 1952	2812	{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe	40
PID 2812 wrote to memory of 1952	2812	{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe	40
PID 2812 wrote to memory of 1952	2812	{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe	40
PID 2812 wrote to memory of 1952	2812	{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe	40
PID 2420 wrote to memory of 1788	2420	{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe	41
PID 2420 wrote to memory of 1788	2420	{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe	41
PID 2420 wrote to memory of 1788	2420	{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe	41
PID 2420 wrote to memory of 1788	2420	{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe	41
PID 2420 wrote to memory of 1320	2420	{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe	42
PID 2420 wrote to memory of 1320	2420	{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe	42
PID 2420 wrote to memory of 1320	2420	{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe	42
PID 2420 wrote to memory of 1320	2420	{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe	42
PID 1788 wrote to memory of 1640	1788	{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe	44
PID 1788 wrote to memory of 1640	1788	{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe	44
PID 1788 wrote to memory of 1640	1788	{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe	44
PID 1788 wrote to memory of 1640	1788	{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe	44
PID 1788 wrote to memory of 1272	1788	{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe	45
PID 1788 wrote to memory of 1272	1788	{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe	45
PID 1788 wrote to memory of 1272	1788	{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe	45
PID 1788 wrote to memory of 1272	1788	{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe	45
PID 1640 wrote to memory of 2908	1640	{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe	46
PID 1640 wrote to memory of 2908	1640	{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe	46
PID 1640 wrote to memory of 2908	1640	{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe	46
PID 1640 wrote to memory of 2908	1640	{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe	46
PID 1640 wrote to memory of 2268	1640	{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe	47
PID 1640 wrote to memory of 2268	1640	{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe	47
PID 1640 wrote to memory of 2268	1640	{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe	47
PID 1640 wrote to memory of 2268	1640	{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe	47

C:\Users\Admin\AppData\Local\Temp\023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe
"C:\Users\Admin\AppData\Local\Temp\023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe
  C:\Windows\{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe
    C:\Windows\{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe
      C:\Windows\{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe
        
        C:\Windows\{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Windows\{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe
        
        C:\Windows\{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe
        
        C:\Windows\{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe
        
        C:\Windows\{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\{378C03DD-533B-47d6-BF32-EB4061ADD3B5}.exe
        
        C:\Windows\{378C03DD-533B-47d6-BF32-EB4061ADD3B5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\{599EA5CD-9853-4036-868C-0B6CC78088F6}.exe
        
        C:\Windows\{599EA5CD-9853-4036-868C-0B6CC78088F6}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\{3188E221-D485-4db4-862B-B130235A3D56}.exe
        
        C:\Windows\{3188E221-D485-4db4-862B-B130235A3D56}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\{9361F989-34AC-4d39-9EA1-589AF1BF40F8}.exe
        
        C:\Windows\{9361F989-34AC-4d39-9EA1-589AF1BF40F8}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3188E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{599EA~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{378C0~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B264~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7EC0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D6E0~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C5C9~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66FE4~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{58736~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7753D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\023C67~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3188E221-D485-4db4-862B-B130235A3D56}.exe

Filesize
90KB

MD5
0afa40622ce24a5209a1a88d5a4ba812

SHA1
2f6040126e93018a9b512df6439cd66131338f28

SHA256
7a1959cbbba86f2d9e67e1785a760c2e71b5b7262a3be9e240b3e3119e535817

SHA512
017935e6b5cc837eb912d41a784c40b01d179fa26b04959a08969978a71fc1472fe9358f255ce2cd7b2e22bb0acf89dffb60c155c9fd4bb75dbd49d3e71e0e6c

Download Submit
C:\Windows\{378C03DD-533B-47d6-BF32-EB4061ADD3B5}.exe

Filesize
90KB

MD5
992280ed81f20183da015ef4e07cd698

SHA1
64829e75def07d30d4c0e924489ac0e37a5952c3

SHA256
c99da95d87922b9f92bad3ced0c0a5b99252137d480e2ad3f3a48027c9b658df

SHA512
59598e67ea666944fa2fc42818e4b5503463d34eb5d6c270cc7f258a373110c0f44a87ef960dc9c7d6d3979a7c56e259da8ca9c7bd113318fd728a6d196d9fd4

Download Submit
C:\Windows\{3C5C90E8-621C-4b79-BFF1-A8F23455C677}.exe

Filesize
90KB

MD5
40b809218b3082f43197fe5366f28b8d

SHA1
f0738343e7967b49658abe6837184398ea333e8b

SHA256
764b6b2519165de0be5315521b49f6e071e036a9f6ce1b9fdb4c92cbc2ec59fa

SHA512
e9873ed44b22cd7cf72c8f04eb2d91a1d33c7845fcbb72c989a818d514a36ea0884b7a5058707f53fe2b2618abee5f22ee39203c9639ea0a08a12c1977ca4108

Download Submit
C:\Windows\{3D6E0251-0A52-4f55-9B7D-CCD1B7DCA5BE}.exe

Filesize
90KB

MD5
b9465326a2c6268f0c56fac493ab6ef6

SHA1
93ef5b04feced079799e40c36f4640cfded4fbda

SHA256
2b4c011a40285a5cbd3d55ecf9ec2867467517cdd4d0ce7b8facaa03358d5cdd

SHA512
5fdbd3a1c7756aa3f5da626310d69184b40c3ed06cb26e2b554ea1f4bda1bb897ce0376e302d7713ae3baf9f0da1cb8fedd2b911bb12c6ebc518b0d7f3087884

Download Submit
C:\Windows\{58736210-9DBC-4523-9DDD-8EA77ACBB7EC}.exe

Filesize
90KB

MD5
b364060e997dbf92412b0bc637b254c1

SHA1
485fd2688935606c6e8172ad74b99e9f1d25c472

SHA256
c1bc9b875f1a233e33e94f824d499e6967a2987cd55e5f88b447913dd40b2dfa

SHA512
43a6615282a5e77c9a7a527b483c31addd68cddd80cecb19341d95355bfe3747108ff74c05ff7ea5503f6f619640116ac1f12493fcf7fda6f79adf031779cd58

Download Submit
C:\Windows\{599EA5CD-9853-4036-868C-0B6CC78088F6}.exe

Filesize
90KB

MD5
fd40f817961c6794fae50b958660df82

SHA1
8852e4b92b92eebbe11aaab893f1e04dc3cee670

SHA256
b318841c5d29fd123ef44aec09c4b057f5969bee5fa8e0f188bae74e500c4d68

SHA512
d9982de2c12431a13ba9fb231ab713a968e77b24d4f246a841a91d2dc711b2ad822925ac72522aa644beff02f08583ebce96722291bbd99cb5dc7328939515de

Download Submit
C:\Windows\{66FE4937-1357-4259-8840-BA4026C4C2CE}.exe

Filesize
90KB

MD5
e82146adee369335f04a749417daad23

SHA1
a23d6193657d026f3dc80513d5d00740148e3655

SHA256
e8e456d1b3b95237b484bf05636555852d20b624f35febbaed500de9cf9fae89

SHA512
205a51cc4f3f6359e17db87bb838fb7283fce31533537198c15dbf4626af36ca45ba61b265026787d8e3eef64fd2b311a3f908b2a6fedd94e4a0d4420d44592d

Download Submit
C:\Windows\{7753DA63-5C33-49ff-A40C-FA228ADC319D}.exe

Filesize
90KB

MD5
f1d279fb23b003df3014955d82bd57d6

SHA1
05f50b0f4ca9297a78105c80196598981b8b7f28

SHA256
2240aac5ea8e44c4a4215b70ed9dd289413bc7a788d70bbee56706ec75320841

SHA512
d2e5d4850c0c98a35ce30ca7d6d62a340971763fd9024e939674e4926e87d5c3e64d9c1f8fb33191fabadcd7ade3440b44d7cd534e0bf8f4788e833f1c222eb2

Download Submit
C:\Windows\{8B2641D4-C270-482d-9270-6200B99A3B3F}.exe

Filesize
90KB

MD5
262324d58d5660b37843717b5035b0f3

SHA1
ae41bf9f8cd5d9f25d8fcd1934fc6bcba953f905

SHA256
e6509520ab69cfbcfe8e6b32ba2b6b916292ef87b79695852d598a3e36b79fca

SHA512
6ed6729ace58530793b076cd287436c81e7a0fc04d56c133036aa01c6436efb38772c23d2fec554357d57730b54ea56161855562ae70d35219d2fd53a8b049b4

Download Submit
C:\Windows\{9361F989-34AC-4d39-9EA1-589AF1BF40F8}.exe

Filesize
90KB

MD5
85a075c19db122fdba657bcdf1f0d7d9

SHA1
e7db593b4128bdb2a3873f6c9131a05ffdc520bd

SHA256
fd60b388683a51c8663ad0bad10b1ec667544cc511621d62c2ca98e57fc1f193

SHA512
573d3049c9f9127abef006b6d852855a6dd226bebd4134a0a8fdd02b9d6d40e919346712af35fbccc78014fd04be9ef446068b17049dedb63fedb2247cdf5f50

Download Submit
C:\Windows\{F7EC061C-611C-45f5-B9BA-57CE4132228D}.exe

Filesize
90KB

MD5
daaedb86ad42933ef5031a65e885a440

SHA1
5c1ec447cdbbd474b043bfa15cf9f5daa9b80c75

SHA256
4ae870ae96003f947986e9bda42f9e33820f834b002b65473058b2517819e9e3

SHA512
32132c46dc13ca2b056344d48333de006ac467febd0db6009146e76d58f7729718afa411c6d01ea7bc6115b94679cfd964f16d0efe64f59d0750160de5f765b7

Download Submit
memory/268-12-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/268-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1640-74-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/1640-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1640-70-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/1788-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1788-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1908-98-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/1908-104-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2132-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2132-22-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2132-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2420-51-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2420-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2528-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2528-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2528-3-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2528-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2812-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2812-48-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2812-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2836-39-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2836-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2836-36-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2908-86-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2908-81-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/2908-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3044-95-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3044-89-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads