f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128da

Analysis

max time kernel
118s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 01:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe
Size

89KB
MD5

cedcef677784b59e571f645f4350dea0
SHA1

b5a536b738e59bc5aa19b2860d955e9ae8200a91
SHA256

f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128da
SHA512

725f8e64a544008a00efe27c7c32157adaeb18dea4e0b8cbe7854bebd8ae1984443e1b438238c7d1d96980f0600c5a6b1be49ddceb1910f7062e9cbfd6385d29
SSDEEP

768:Qvw9816vhKQLrop4/wQRNrfrunMxVFA3b7glL:YEGh0opl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}\stubpath = "C:\\Windows\\{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe"	f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}	{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}\stubpath = "C:\\Windows\\{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe"	{531A7956-81DC-4511-A87C-3EC901E35030}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}	{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16B711F3-FE8C-4225-AB60-0635737AE8A3}\stubpath = "C:\\Windows\\{16B711F3-FE8C-4225-AB60-0635737AE8A3}.exe"	{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}\stubpath = "C:\\Windows\\{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe"	{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}	{531A7956-81DC-4511-A87C-3EC901E35030}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B101574-4A00-41ca-80E7-F97F5AAB1832}	{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AB430EA-BBA3-41f9-8725-F2A530C86284}	{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16B711F3-FE8C-4225-AB60-0635737AE8A3}	{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{531A7956-81DC-4511-A87C-3EC901E35030}	{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{531A7956-81DC-4511-A87C-3EC901E35030}\stubpath = "C:\\Windows\\{531A7956-81DC-4511-A87C-3EC901E35030}.exe"	{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B101574-4A00-41ca-80E7-F97F5AAB1832}\stubpath = "C:\\Windows\\{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe"	{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}\stubpath = "C:\\Windows\\{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe"	{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}	f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AB430EA-BBA3-41f9-8725-F2A530C86284}\stubpath = "C:\\Windows\\{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe"	{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}	{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}\stubpath = "C:\\Windows\\{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe"	{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe

Executes dropped EXE 9 IoCs

pid	Process
4920	{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe
4324	{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe
4704	{531A7956-81DC-4511-A87C-3EC901E35030}.exe
4488	{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe
2544	{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe
2684	{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe
5092	{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe
512	{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe
1992	{16B711F3-FE8C-4225-AB60-0635737AE8A3}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe	{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe
File created	C:\Windows\{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe	{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe
File created	C:\Windows\{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe	f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe
File created	C:\Windows\{531A7956-81DC-4511-A87C-3EC901E35030}.exe	{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe
File created	C:\Windows\{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe	{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe
File created	C:\Windows\{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe	{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe
File created	C:\Windows\{16B711F3-FE8C-4225-AB60-0635737AE8A3}.exe	{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe
File created	C:\Windows\{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe	{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe
File created	C:\Windows\{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe	{531A7956-81DC-4511-A87C-3EC901E35030}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{531A7956-81DC-4511-A87C-3EC901E35030}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{16B711F3-FE8C-4225-AB60-0635737AE8A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	880	f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe
Token: SeIncBasePriorityPrivilege	4920	{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe
Token: SeIncBasePriorityPrivilege	4324	{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe
Token: SeIncBasePriorityPrivilege	4704	{531A7956-81DC-4511-A87C-3EC901E35030}.exe
Token: SeIncBasePriorityPrivilege	4488	{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe
Token: SeIncBasePriorityPrivilege	2544	{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe
Token: SeIncBasePriorityPrivilege	2684	{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe
Token: SeIncBasePriorityPrivilege	5092	{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe
Token: SeIncBasePriorityPrivilege	512	{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 4920	880	f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe	97
PID 880 wrote to memory of 4920	880	f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe	97
PID 880 wrote to memory of 4920	880	f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe	97
PID 880 wrote to memory of 4772	880	f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe	98
PID 880 wrote to memory of 4772	880	f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe	98
PID 880 wrote to memory of 4772	880	f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe	98
PID 4920 wrote to memory of 4324	4920	{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe	99
PID 4920 wrote to memory of 4324	4920	{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe	99
PID 4920 wrote to memory of 4324	4920	{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe	99
PID 4920 wrote to memory of 3516	4920	{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe	100
PID 4920 wrote to memory of 3516	4920	{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe	100
PID 4920 wrote to memory of 3516	4920	{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe	100
PID 4324 wrote to memory of 4704	4324	{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe	106
PID 4324 wrote to memory of 4704	4324	{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe	106
PID 4324 wrote to memory of 4704	4324	{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe	106
PID 4324 wrote to memory of 1120	4324	{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe	107
PID 4324 wrote to memory of 1120	4324	{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe	107
PID 4324 wrote to memory of 1120	4324	{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe	107
PID 4704 wrote to memory of 4488	4704	{531A7956-81DC-4511-A87C-3EC901E35030}.exe	108
PID 4704 wrote to memory of 4488	4704	{531A7956-81DC-4511-A87C-3EC901E35030}.exe	108
PID 4704 wrote to memory of 4488	4704	{531A7956-81DC-4511-A87C-3EC901E35030}.exe	108
PID 4704 wrote to memory of 428	4704	{531A7956-81DC-4511-A87C-3EC901E35030}.exe	109
PID 4704 wrote to memory of 428	4704	{531A7956-81DC-4511-A87C-3EC901E35030}.exe	109
PID 4704 wrote to memory of 428	4704	{531A7956-81DC-4511-A87C-3EC901E35030}.exe	109
PID 4488 wrote to memory of 2544	4488	{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe	110
PID 4488 wrote to memory of 2544	4488	{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe	110
PID 4488 wrote to memory of 2544	4488	{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe	110
PID 4488 wrote to memory of 1320	4488	{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe	111
PID 4488 wrote to memory of 1320	4488	{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe	111
PID 4488 wrote to memory of 1320	4488	{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe	111
PID 2544 wrote to memory of 2684	2544	{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe	113
PID 2544 wrote to memory of 2684	2544	{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe	113
PID 2544 wrote to memory of 2684	2544	{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe	113
PID 2544 wrote to memory of 3772	2544	{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe	114
PID 2544 wrote to memory of 3772	2544	{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe	114
PID 2544 wrote to memory of 3772	2544	{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe	114
PID 2684 wrote to memory of 5092	2684	{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe	115
PID 2684 wrote to memory of 5092	2684	{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe	115
PID 2684 wrote to memory of 5092	2684	{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe	115
PID 2684 wrote to memory of 1796	2684	{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe	116
PID 2684 wrote to memory of 1796	2684	{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe	116
PID 2684 wrote to memory of 1796	2684	{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe	116
PID 5092 wrote to memory of 512	5092	{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe	119
PID 5092 wrote to memory of 512	5092	{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe	119
PID 5092 wrote to memory of 512	5092	{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe	119
PID 5092 wrote to memory of 3020	5092	{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe	120
PID 5092 wrote to memory of 3020	5092	{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe	120
PID 5092 wrote to memory of 3020	5092	{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe	120
PID 512 wrote to memory of 1992	512	{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe	124
PID 512 wrote to memory of 1992	512	{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe	124
PID 512 wrote to memory of 1992	512	{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe	124
PID 512 wrote to memory of 1004	512	{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe	125
PID 512 wrote to memory of 1004	512	{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe	125
PID 512 wrote to memory of 1004	512	{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe	125

C:\Users\Admin\AppData\Local\Temp\f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe
"C:\Users\Admin\AppData\Local\Temp\f619dda5594241f4daf8e978aa04189685ef6eb2d3da02d98bc45f1c513128daN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe
  C:\Windows\{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe
    C:\Windows\{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\{531A7956-81DC-4511-A87C-3EC901E35030}.exe
      C:\Windows\{531A7956-81DC-4511-A87C-3EC901E35030}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4704
    - - C:\Windows\{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe
        
        C:\Windows\{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4488
      - C:\Windows\{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe
        
        C:\Windows\{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe
        
        C:\Windows\{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe
        
        C:\Windows\{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe
        
        C:\Windows\{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\{16B711F3-FE8C-4225-AB60-0635737AE8A3}.exe
        
        C:\Windows\{16B711F3-FE8C-4225-AB60-0635737AE8A3}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5713F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AB43~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F5F3~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B101~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86EDF~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{531A7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8D4FC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D4723~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F619DD~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16B711F3-FE8C-4225-AB60-0635737AE8A3}.exe

Filesize
89KB

MD5
7c34a0efe8fc24977e6a50182adc4c82

SHA1
4e50ebc14f1b167ee9c2ce6daed14e57233b6155

SHA256
4d520ea35d732c9c3b8a7e18b23a7bbc94f774e69ca54ab163ca9cd62024eb9e

SHA512
89906d47705fd90c808b4e0f4f92e5bb41d4933c47d15304e9ab55c2d893ab3431f7a3ee890e4885890c7a03f6dc7d4d4f18aa9f1d631b70ab3c81e9353e469e

Download Submit
C:\Windows\{531A7956-81DC-4511-A87C-3EC901E35030}.exe

Filesize
89KB

MD5
d5a9c28583db455786424e6035e01ded

SHA1
d62eb9ff56afdc7499cb4836bd62160f32d7fced

SHA256
7e7b9fc6a7c799fcde720eb089e9b510759a72dfba303bfdc3c2b23de879529f

SHA512
a331103efa1dcb63969374cc317fc6ea9d3571bf96affe6707b8ae5165045ba4998a3c8d38fe756d539f52339e66c3ec8df36a09f0ad658d8aed44fcf275e0c5

Download Submit
C:\Windows\{5713F8B5-DA8A-48fb-8EF4-4144AE3079CD}.exe

Filesize
89KB

MD5
56ff32588f22794cd4f6fd2cb7da5013

SHA1
60d702d37990102b3bd9da21bb5a6378f63d8c8f

SHA256
2bcfb9abeac70af06a74b294dfa33200e08fb973532c90956998b6cfa439077d

SHA512
94bb304776f6c359abb3fa399b471671c30daaa1c26ae10b39f544f893eb8ab60ad8a95edeb3061656268a2723916bddfb3c0a0b42f0a2b834ce9e26b2960e88

Download Submit
C:\Windows\{5B101574-4A00-41ca-80E7-F97F5AAB1832}.exe

Filesize
89KB

MD5
a48c8609a311b464a297e92ad456da34

SHA1
c02f638f390b75f2f10cf0a34b4e3e0e35a7be33

SHA256
48a789b4020bda117116582fe42e3e7a51f1634af1f1e6fa395ada86405586ae

SHA512
08323ef76077b25bc8526656a2ade2439c622fd85a5298249dbf04ab9d4ac8a3a46e4186bdbd19281393298bfb1c52ada2f2a121027dd05d703a0ac2dbaf46a3

Download Submit
C:\Windows\{86EDF1D2-EC30-4cc5-AAD0-FF05799E3B30}.exe

Filesize
89KB

MD5
e0d626f8fdabeb064b320f9244a4706c

SHA1
e032f5a11844d450fe9549909b6898a0ef300629

SHA256
95b3ada42f67e6f6cd713802edf6cdc600f37b6057faa3182b697468d09f31de

SHA512
9b155cf616869dd6cf83852cd38ac25c6c00fac25f01f6ab0fb63800eae01d81ff3f9d2aae0311f0002d98543c0303040c42fae97a0ed65a0cefa7439692e55c

Download Submit
C:\Windows\{8D4FCDCB-79DB-4ff5-975B-429B743A22BE}.exe

Filesize
89KB

MD5
1544bf645191c69e41c643718f694364

SHA1
2809c99c2eaf280272d592deba5a20158273a4ba

SHA256
c50ef2a69404260fb218fb39bcdc48df8b04e080e77b0b7572e62834c624e1f7

SHA512
d5595aba1fea61dcd9e9d2e7a52cd2c37903a25e72fccce4da6850cffff6a3eebb1b0b3e35cb25f62b32ab99bd0ae1073a743d36e83d90dfe196f8eb1a30a165

Download Submit
C:\Windows\{9AB430EA-BBA3-41f9-8725-F2A530C86284}.exe

Filesize
89KB

MD5
dcd0893cc86b580ea501c99f935dffbd

SHA1
1239f2c8fd7306f75746952b2250be1227c813f3

SHA256
71501157963a787b367342aca37330fc68dc0013e17155056986f4093574a4d3

SHA512
cf1713e1267d653c2fed77862853c6bc4943645b9267154eb778086219933850a28deab69f960d8743f3141e7b3447204df0d48b2fad09879d6accdba405179e

Download Submit
C:\Windows\{9F5F3C64-E9CC-4ae4-A3D0-AFDE57948C8F}.exe

Filesize
89KB

MD5
80a4139b9feef936bbd2c2e4cd2c7336

SHA1
b1ddb1eeda684554c052a2fe127cbad4dd3d9318

SHA256
2d82218b39638f9e924b48f0bcacab7518d2ee6e43e24caadbf80385a4317b2b

SHA512
55c6c963869c1d548d89ae633c3792d74e8ab2da76c2cadefff3c7d1cd65171bcdff6cd4d42607f0e2dd2fa75f552776433b7f90e00d62de7a39daf3f603990f

Download Submit
C:\Windows\{D4723CB3-DB1C-4809-A89C-53168AC1ABF5}.exe

Filesize
89KB

MD5
ab7805c86ac033097720469656ab12ea

SHA1
4f03165d4a48943eb1a17143148fec304083baf2

SHA256
d8d9425838cc32b8faf8e45302c4b82c5c4623cceb4c156ef67ce2df1c49b1ff

SHA512
b946e5942d80410124b1edecaeb4ce6b9013cefdd4bea24c1183bf8a93ade0275786a5319a64b51a397a7c87fadd7e510d17670b8d192926810bd23775cd26cd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads