023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 18:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe
Size

90KB
MD5

3a4e059f01d3dda718db24b46e5b7ad5
SHA1

155295a065a7d770540162bf7aad0ed92111dd45
SHA256

023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497
SHA512

e2285c05086327aaf9f4e275337ba0642db2d6080b7b08ed51af96fb1458a32029b677caadc4f66d4dc6f4a766376bba5ee7b9db7ec7f52d515011b3b0fe2d2a
SSDEEP

768:5vw9816thKQLrob4/wQkNrfrunMxVFA3bA:lEG/0oblbunMxVS3c

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27925732-836D-413e-B491-A35456BF4EC2}	{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE3E04FF-1059-450f-B143-51A61E413AF1}	{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70022A52-C646-4c7c-9C8E-C19172853636}	{DE3E04FF-1059-450f-B143-51A61E413AF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70022A52-C646-4c7c-9C8E-C19172853636}\stubpath = "C:\\Windows\\{70022A52-C646-4c7c-9C8E-C19172853636}.exe"	{DE3E04FF-1059-450f-B143-51A61E413AF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}	{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E359B3E-B00E-4551-A8C5-EE9787B10107}	{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7BA0450-86F0-4621-BB2E-B044BB880229}\stubpath = "C:\\Windows\\{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe"	{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}	{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}\stubpath = "C:\\Windows\\{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe"	{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E359B3E-B00E-4551-A8C5-EE9787B10107}\stubpath = "C:\\Windows\\{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe"	{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3AE75A1-964B-4cae-98BB-65617D157E6B}\stubpath = "C:\\Windows\\{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe"	{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}	{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7BA0450-86F0-4621-BB2E-B044BB880229}	{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27925732-836D-413e-B491-A35456BF4EC2}\stubpath = "C:\\Windows\\{27925732-836D-413e-B491-A35456BF4EC2}.exe"	{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}\stubpath = "C:\\Windows\\{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}.exe"	{27925732-836D-413e-B491-A35456BF4EC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}\stubpath = "C:\\Windows\\{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe"	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}\stubpath = "C:\\Windows\\{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe"	{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}\stubpath = "C:\\Windows\\{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe"	{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}	{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE3E04FF-1059-450f-B143-51A61E413AF1}\stubpath = "C:\\Windows\\{DE3E04FF-1059-450f-B143-51A61E413AF1}.exe"	{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3AE75A1-964B-4cae-98BB-65617D157E6B}	{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}\stubpath = "C:\\Windows\\{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe"	{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}	{27925732-836D-413e-B491-A35456BF4EC2}.exe

Executes dropped EXE 12 IoCs

pid	Process
4780	{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe
2428	{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe
4340	{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe
2284	{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe
4900	{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe
5116	{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe
2156	{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe
2820	{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe
3404	{27925732-836D-413e-B491-A35456BF4EC2}.exe
4836	{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}.exe
1492	{DE3E04FF-1059-450f-B143-51A61E413AF1}.exe
4056	{70022A52-C646-4c7c-9C8E-C19172853636}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{27925732-836D-413e-B491-A35456BF4EC2}.exe	{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe
File created	C:\Windows\{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}.exe	{27925732-836D-413e-B491-A35456BF4EC2}.exe
File created	C:\Windows\{DE3E04FF-1059-450f-B143-51A61E413AF1}.exe	{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}.exe
File created	C:\Windows\{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe
File created	C:\Windows\{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe	{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe
File created	C:\Windows\{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe	{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe
File created	C:\Windows\{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe	{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe
File created	C:\Windows\{70022A52-C646-4c7c-9C8E-C19172853636}.exe	{DE3E04FF-1059-450f-B143-51A61E413AF1}.exe
File created	C:\Windows\{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe	{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe
File created	C:\Windows\{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe	{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe
File created	C:\Windows\{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe	{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe
File created	C:\Windows\{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe	{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27925732-836D-413e-B491-A35456BF4EC2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70022A52-C646-4c7c-9C8E-C19172853636}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DE3E04FF-1059-450f-B143-51A61E413AF1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2368	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe
Token: SeIncBasePriorityPrivilege	4780	{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe
Token: SeIncBasePriorityPrivilege	2428	{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe
Token: SeIncBasePriorityPrivilege	4340	{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe
Token: SeIncBasePriorityPrivilege	2284	{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe
Token: SeIncBasePriorityPrivilege	4900	{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe
Token: SeIncBasePriorityPrivilege	5116	{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe
Token: SeIncBasePriorityPrivilege	2156	{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe
Token: SeIncBasePriorityPrivilege	2820	{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe
Token: SeIncBasePriorityPrivilege	3404	{27925732-836D-413e-B491-A35456BF4EC2}.exe
Token: SeIncBasePriorityPrivilege	4836	{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}.exe
Token: SeIncBasePriorityPrivilege	1492	{DE3E04FF-1059-450f-B143-51A61E413AF1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 4780	2368	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe	94
PID 2368 wrote to memory of 4780	2368	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe	94
PID 2368 wrote to memory of 4780	2368	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe	94
PID 2368 wrote to memory of 4752	2368	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe	95
PID 2368 wrote to memory of 4752	2368	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe	95
PID 2368 wrote to memory of 4752	2368	023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe	95
PID 4780 wrote to memory of 2428	4780	{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe	96
PID 4780 wrote to memory of 2428	4780	{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe	96
PID 4780 wrote to memory of 2428	4780	{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe	96
PID 4780 wrote to memory of 1200	4780	{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe	97
PID 4780 wrote to memory of 1200	4780	{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe	97
PID 4780 wrote to memory of 1200	4780	{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe	97
PID 2428 wrote to memory of 4340	2428	{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe	102
PID 2428 wrote to memory of 4340	2428	{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe	102
PID 2428 wrote to memory of 4340	2428	{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe	102
PID 2428 wrote to memory of 1676	2428	{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe	103
PID 2428 wrote to memory of 1676	2428	{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe	103
PID 2428 wrote to memory of 1676	2428	{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe	103
PID 4340 wrote to memory of 2284	4340	{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe	104
PID 4340 wrote to memory of 2284	4340	{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe	104
PID 4340 wrote to memory of 2284	4340	{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe	104
PID 4340 wrote to memory of 732	4340	{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe	105
PID 4340 wrote to memory of 732	4340	{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe	105
PID 4340 wrote to memory of 732	4340	{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe	105
PID 2284 wrote to memory of 4900	2284	{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe	107
PID 2284 wrote to memory of 4900	2284	{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe	107
PID 2284 wrote to memory of 4900	2284	{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe	107
PID 2284 wrote to memory of 2604	2284	{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe	108
PID 2284 wrote to memory of 2604	2284	{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe	108
PID 2284 wrote to memory of 2604	2284	{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe	108
PID 4900 wrote to memory of 5116	4900	{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe	110
PID 4900 wrote to memory of 5116	4900	{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe	110
PID 4900 wrote to memory of 5116	4900	{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe	110
PID 4900 wrote to memory of 4068	4900	{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe	111
PID 4900 wrote to memory of 4068	4900	{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe	111
PID 4900 wrote to memory of 4068	4900	{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe	111
PID 5116 wrote to memory of 2156	5116	{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe	112
PID 5116 wrote to memory of 2156	5116	{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe	112
PID 5116 wrote to memory of 2156	5116	{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe	112
PID 5116 wrote to memory of 1228	5116	{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe	113
PID 5116 wrote to memory of 1228	5116	{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe	113
PID 5116 wrote to memory of 1228	5116	{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe	113
PID 2156 wrote to memory of 2820	2156	{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe	121
PID 2156 wrote to memory of 2820	2156	{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe	121
PID 2156 wrote to memory of 2820	2156	{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe	121
PID 2156 wrote to memory of 4004	2156	{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe	122
PID 2156 wrote to memory of 4004	2156	{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe	122
PID 2156 wrote to memory of 4004	2156	{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe	122
PID 2820 wrote to memory of 3404	2820	{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe	123
PID 2820 wrote to memory of 3404	2820	{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe	123
PID 2820 wrote to memory of 3404	2820	{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe	123
PID 2820 wrote to memory of 1660	2820	{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe	124
PID 2820 wrote to memory of 1660	2820	{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe	124
PID 2820 wrote to memory of 1660	2820	{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe	124
PID 3404 wrote to memory of 4836	3404	{27925732-836D-413e-B491-A35456BF4EC2}.exe	125
PID 3404 wrote to memory of 4836	3404	{27925732-836D-413e-B491-A35456BF4EC2}.exe	125
PID 3404 wrote to memory of 4836	3404	{27925732-836D-413e-B491-A35456BF4EC2}.exe	125
PID 3404 wrote to memory of 4668	3404	{27925732-836D-413e-B491-A35456BF4EC2}.exe	126
PID 3404 wrote to memory of 4668	3404	{27925732-836D-413e-B491-A35456BF4EC2}.exe	126
PID 3404 wrote to memory of 4668	3404	{27925732-836D-413e-B491-A35456BF4EC2}.exe	126
PID 4836 wrote to memory of 1492	4836	{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}.exe	130
PID 4836 wrote to memory of 1492	4836	{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}.exe	130
PID 4836 wrote to memory of 1492	4836	{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}.exe	130
PID 4836 wrote to memory of 3760	4836	{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}.exe	131

C:\Users\Admin\AppData\Local\Temp\023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe
"C:\Users\Admin\AppData\Local\Temp\023c67a1f222286fa0a24474a99564755508a893e7e1bb62aae140f22b958497.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe
  C:\Windows\{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe
    C:\Windows\{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe
      C:\Windows\{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Windows\{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe
        
        C:\Windows\{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe
        
        C:\Windows\{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe
        
        C:\Windows\{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe
        
        C:\Windows\{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe
        
        C:\Windows\{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\{27925732-836D-413e-B491-A35456BF4EC2}.exe
        
        C:\Windows\{27925732-836D-413e-B491-A35456BF4EC2}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}.exe
        
        C:\Windows\{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\{DE3E04FF-1059-450f-B143-51A61E413AF1}.exe
        
        C:\Windows\{DE3E04FF-1059-450f-B143-51A61E413AF1}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\{70022A52-C646-4c7c-9C8E-C19172853636}.exe
        
        C:\Windows\{70022A52-C646-4c7c-9C8E-C19172853636}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE3E0~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7FF4~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27925~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE3AE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7BA0~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81250~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA8F5~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3AE7~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E359~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EDC8F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BD0C5~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\023C67~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E359B3E-B00E-4551-A8C5-EE9787B10107}.exe

Filesize
90KB

MD5
5b1cc5945d5169937fbcfd330b83a257

SHA1
e75f2b4ba908dd38ad6212706ae9beebd3572139

SHA256
1942bdf7ff2962ec328ec56221614266c2ae371af0636ca04ed53e1eea54d95e

SHA512
e7af50f03a01255b72afa50283e81e6eb30dfdbc1433f7d86cf93ba9c9241091622f79e16672240366232793deb77cc05dc0b12bb4e34aaca717b5bc315df3c9

Download Submit
C:\Windows\{27925732-836D-413e-B491-A35456BF4EC2}.exe

Filesize
90KB

MD5
dec1760a018fb5e5658cd49db2a8f4d2

SHA1
8d366094e91870e7374eace6132415716097a200

SHA256
7be45a4d089c191964a229a21c9c3fdb99c39fe0b3ef89d9723ca02b1d2aba0e

SHA512
ea410d4b95d9185d3bcc7ad97092c8fb6320f35734bedd5a5f74349aa8cbae70fb9597aef2a1aab13c5353db2057259e1fb4073c2649a5a239462bba3e0c4ad0

Download Submit
C:\Windows\{70022A52-C646-4c7c-9C8E-C19172853636}.exe

Filesize
90KB

MD5
941690b735a757cfd608e683c3afd966

SHA1
bec68c9e611f11d271c37feb87ed453bb0707658

SHA256
c9b96f61afd4e0e92db91247adba6826ebc1d4b1e1e50076ea4567c9f2134886

SHA512
21841f1a33be6e4f671badff809ee62243b7a7df90b16fddc6864eb64be5c568671d4c497b232a8b30aa7f2b5551dfad30a26da2dfa5753a36a859f824d973ed

Download Submit
C:\Windows\{81250A06-3EF5-44c0-97A8-B8E7FD7B58AA}.exe

Filesize
90KB

MD5
0c4916db2db58771387c40b686476bdf

SHA1
69bfd5610ced1c67d8e23b2941630ceedb2d5715

SHA256
88145c1549b16a6f473a1dcf8ab4abd7959b5b333e123f5ae7388561a05e7c5d

SHA512
45a550a02cbe919270cb0df7e095c5fe04317ef9a65d9376bbc55c77f452fe3fd7da4269419e6034497e73e631936bd5b05d10ce8bd1604a0aad51187c306c68

Download Submit
C:\Windows\{AA8F5683-79E3-4c6e-892B-A8E2D5EE2A01}.exe

Filesize
90KB

MD5
e36fa4ea733323d6607e1963bd95544a

SHA1
67a861b4b5dd2c96f6ffc6d39ef564282cb97fac

SHA256
df34516bcf7309e0c7560ecf7c4ae8283436b6537cf4e1b2132544f3165a58ba

SHA512
f60d0cc8340b94039056b9cfcd67be4cd519a8987c61bb7105a4e92d3c8614fb9be515fe48448355669f3a5f46d9f802d3331b937dedf64d0f6bfe9eaa3964b0

Download Submit
C:\Windows\{AE3AE7CD-D434-4f7d-967C-BB71D9691B2F}.exe

Filesize
90KB

MD5
7170d88b4d6b701429a4d0580918493b

SHA1
d3193e8406a95c27242ff7b0488c6613e2e05576

SHA256
1f559a5ae0fdbab36754f45de4545e88e654878e3ae72e9d016632be84dbb2cb

SHA512
cf6f5fcf2946a24ac8374daf4e7f425d35b477297a1ede3b68b47efd39518fa22b323a06736b5cd46c54d5f202dffe8fd2950d8580aea84d72e73babf6b337e4

Download Submit
C:\Windows\{B3AE75A1-964B-4cae-98BB-65617D157E6B}.exe

Filesize
90KB

MD5
03eb87b06a842b9a51f45c4407144e56

SHA1
21cd4f1ac60cdc7b4d2b1320109232dff7947434

SHA256
5aac931f833b31722080ab3f50236b827a32d3f462dbc00b113c3146eee6da36

SHA512
d7fb7f058713afd06562bfb4fee5bd08ad312dcce6dcaad44d06793269508a7353ee6e7e4aa43037c6e8db93703512886ceeacb9c1b1090d170643358ca8f414

Download Submit
C:\Windows\{B7FF483B-8C9D-48c8-8B43-F9B480E4DE67}.exe

Filesize
90KB

MD5
da5461e4ea292c2136b45ecb46146fe3

SHA1
9aacdb1255195e08fcfd0e2e873ad421d364ea74

SHA256
a1f0909d5ed106c3924b74957b4926e2be9298f58fd8d2d6f65787c56c4f9fc7

SHA512
933b7a66408d0c4a96bc118eeaf4dfd6c003d0a01d262b0658f939ba0d2c7f0a03a341a44ac56864218b9559edb2a39eba9aef6f3c7c7b1b59fbe9556963cd58

Download Submit
C:\Windows\{BD0C5050-3D1C-4d08-ACA6-825F856FDD73}.exe

Filesize
90KB

MD5
7909385c8b0cd9b2edf8951b599e4217

SHA1
0c299046111b6533df84ad02decef20146472b90

SHA256
01f19ecfa19e4e33ab766043eaccf566351bbd1d48bc5e10f4fc41868396668e

SHA512
70be9fb71614b1f032a63d38ef7d2e5763de3151d26f21cfccd9b5b86d97211af8d6cadd508a856ad639b7e65124e217b177625ad8fc359f4cf383817a493939

Download Submit
C:\Windows\{DE3E04FF-1059-450f-B143-51A61E413AF1}.exe

Filesize
90KB

MD5
3739f197fba05e72aafcf2f102223191

SHA1
ab9c727a3182a86e03f25a8b7aac4aee1073120d

SHA256
4ab8512ffd83baf947a2dde116adb40a76c2a8c79022428d4d2f814b740bee39

SHA512
db7412a8df57a0faf04828790e9f619c84b18989c02988441a1a85373b720499ad6143eae2038ee0e8b768b62d04d627c11332b1af89d69f2e9f0a40f70638cb

Download Submit
C:\Windows\{EDC8FAA6-106E-4c2c-BD1B-1207F3C512D7}.exe

Filesize
90KB

MD5
2f65fa00082045758b511e198b678f84

SHA1
7b2f224bf6aab5afe25e7b9b32793a177910d787

SHA256
f8b90a0deb7b195f58fb5e3c14930a2a0c8b586785beb38dcd4f62d8cf4c4469

SHA512
762b277e7d8a2d77ff2665b3f986279f3dbed37cf47e340cfa47b7d57dff4b604b9444d13897a481a614cc8cbd6c56add33ce19d48d4af63acfe8b414eb0e69a

Download Submit
C:\Windows\{F7BA0450-86F0-4621-BB2E-B044BB880229}.exe

Filesize
90KB

MD5
ba0849d158c2d5a5ae1244b6f9d5a490

SHA1
c30b81650c3fefa7f8b146a628cc5a82e059e012

SHA256
8860605a73ae1615904e7ec30c058db0cb5a9046a57156ac6dbf3125c972a30f

SHA512
287af78de5df21e39f2a74f3dc0830780849f87b07554ef76899d8c5680c004b847f10eb80ad64afa19c37ad4da97a41751400dd17ee62a6d91cbf3a16025abc

Download Submit
memory/1492-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1492-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2156-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2156-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2284-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2284-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2368-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2368-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2368-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2428-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2428-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2428-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2820-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2820-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3404-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3404-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4056-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4340-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4780-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4780-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4836-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4836-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4900-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4900-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5116-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads