Analysis

- max time kernel: 119s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09/11/2024, 19:48

Static task: static1

Behavioral task: behavioral1
- Sample: 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe
- Resource: win10v2004-20241007-en
General

- Target: 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe
- Size: 87KB
- MD5: b0bf294b4fd731b84360e1bbcf4d8be0
- SHA1: 5e39a181470843c1714399e78af18103394629d2
- SHA256: 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557
- SHA512: 07a99fece68a18e0f48dac4397638bf786352e40a02e154c6ed3ae6d35a01e57eb45980b55e7a44d0c7aa3f0641630e70302a218fb6a392a7a7509ae5e51d36e
- SSDEEP: 384:5bLwOs8AHsc4sM6whKiroZ4/CFsrdk5I1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUO3:5vw9816uhKiroZ4/wQNNrfrunMxVFj
Malware Config

Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

description / ioc / process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8} (process: {0F5D4B54-B674-419b-8C92-00C483DA6507}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2631B3D5-7C2B-421b-AD53-08BCF872A900} (process: {5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B} (process: {8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}\stubpath = "C:\\Windows\\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe" (process: {8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D} (process: {72F243EA-A689-41f9-9043-D5668AD7920B}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}\stubpath = "C:\\Windows\\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe" (process: {72F243EA-A689-41f9-9043-D5668AD7920B}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1D68454-6413-48d6-B624-1374D4EAF212}\stubpath = "C:\\Windows\\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe" (process: {AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F5D4B54-B674-419b-8C92-00C483DA6507}\stubpath = "C:\\Windows\\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe" (process: {E1D68454-6413-48d6-B624-1374D4EAF212}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}\stubpath = "C:\\Windows\\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe" (process: 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D9F6CB5-27E2-4f40-A932-D266004C6F43} (process: {2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F243EA-A689-41f9-9043-D5668AD7920B}\stubpath = "C:\\Windows\\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe" (process: {49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F5D4B54-B674-419b-8C92-00C483DA6507} (process: {E1D68454-6413-48d6-B624-1374D4EAF212}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA} (process: 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2631B3D5-7C2B-421b-AD53-08BCF872A900}\stubpath = "C:\\Windows\\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe" (process: {5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}\stubpath = "C:\\Windows\\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe" (process: {2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72F243EA-A689-41f9-9043-D5668AD7920B} (process: {49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1D68454-6413-48d6-B624-1374D4EAF212} (process: {AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}\stubpath = "C:\\Windows\\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe" (process: {0F5D4B54-B674-419b-8C92-00C483DA6507}.exe)
Deletes itself (1 IoCs)

pid / process:
- 1108 cmd.exe
Executes dropped EXE (9 IoCs)

pid / process:
- 2400 {5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe
- 2600 {2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe
- 2756 {8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe
- 3068 {49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe
- 836 {72F243EA-A689-41f9-9043-D5668AD7920B}.exe
- 2920 {AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe
- 1996 {E1D68454-6413-48d6-B624-1374D4EAF212}.exe
- 2164 {0F5D4B54-B674-419b-8C92-00C483DA6507}.exe
- 752 {D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe
Drops file in Windows directory (9 IoCs)

description / ioc / process:
- File created: C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe (process: {AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe)
- File created: C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe (process: {8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe)
- File created: C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe (process: {49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe)
- File created: C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe (process: {2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe)
- File created: C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe (process: {72F243EA-A689-41f9-9043-D5668AD7920B}.exe)
- File created: C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe (process: {E1D68454-6413-48d6-B624-1374D4EAF212}.exe)
- File created: C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe (process: {0F5D4B54-B674-419b-8C92-00C483DA6507}.exe)
- File created: C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe (process: 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe)
- File created: C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe (process: {5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe)
System Location Discovery: System Language Discovery (1 TTPs, 19 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description / ioc / process: all 19 events are "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the following processes in order:
- cmd.exe
- cmd.exe
- {D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe
- {5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe
- cmd.exe
- cmd.exe
- 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe
- cmd.exe
- {49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe
- cmd.exe
- {E1D68454-6413-48d6-B624-1374D4EAF212}.exe
- cmd.exe
- {0F5D4B54-B674-419b-8C92-00C483DA6507}.exe
- cmd.exe
- {2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe
- {72F243EA-A689-41f9-9043-D5668AD7920B}.exe
- {8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe
- {AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe
- cmd.exe
Suspicious use of AdjustPrivilegeToken (9 IoCs)

description / pid / process: every event is Token: SeIncBasePriorityPrivilege
- 1848 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe
- 2400 {5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe
- 2600 {2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe
- 2756 {8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe
- 3068 {49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe
- 836 {72F243EA-A689-41f9-9043-D5668AD7920B}.exe
- 2920 {AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe
- 1996 {E1D68454-6413-48d6-B624-1374D4EAF212}.exe
- 2164 {0F5D4B54-B674-419b-8C92-00C483DA6507}.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe (depth 1, PID 1848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe"
  Signatures: Boot or Logon Autostart Execution: Active Setup; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe (depth 2, PID 2400)
    Command line: C:\Windows\{5785E8D8-DBF7-4df5-BF9E-599C73EBFEBA}.exe
    Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe (depth 3, PID 2600)
      Command line: C:\Windows\{2631B3D5-7C2B-421b-AD53-08BCF872A900}.exe
      Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe (depth 4, PID 2756)
        Command line: C:\Windows\{8D9F6CB5-27E2-4f40-A932-D266004C6F43}.exe
        Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe (depth 5, PID 3068)
          Command line: C:\Windows\{49B72AAB-EC0E-42c9-972E-6C6649E1BF0B}.exe
          Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe (depth 6, PID 836)
            Command line: C:\Windows\{72F243EA-A689-41f9-9043-D5668AD7920B}.exe
            Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe (depth 7, PID 2920)
              Command line: C:\Windows\{AF03F8D8-3DB1-41a1-8B95-A603CD76B85D}.exe
              Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe (depth 8, PID 1996)
                Command line: C:\Windows\{E1D68454-6413-48d6-B624-1374D4EAF212}.exe
                Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe (depth 9, PID 2164)
                  Command line: C:\Windows\{0F5D4B54-B674-419b-8C92-00C483DA6507}.exe
                  Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
                  - C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe (depth 10, PID 752)
                    Command line: C:\Windows\{D8D0A893-5EDB-41a7-837D-4ED0B51A3FF8}.exe
                    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
                  - C:\Windows\SysWOW64\cmd.exe (depth 10, PID 3000)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0F5D4~1.EXE > nul
                    Signatures: System Location Discovery: System Language Discovery
                - C:\Windows\SysWOW64\cmd.exe (depth 9, PID 1040)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E1D68~1.EXE > nul
                  Signatures: System Location Discovery: System Language Discovery
              - C:\Windows\SysWOW64\cmd.exe (depth 8, PID 1204)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{AF03F~1.EXE > nul
                Signatures: System Location Discovery: System Language Discovery
            - C:\Windows\SysWOW64\cmd.exe (depth 7, PID 2936)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{72F24~1.EXE > nul
              Signatures: System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\cmd.exe (depth 6, PID 2828)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{49B72~1.EXE > nul
            Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\cmd.exe (depth 5, PID 3064)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8D9F6~1.EXE > nul
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2864)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2631B~1.EXE > nul
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2708)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{5785E~1.EXE > nul
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1108)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\713EE2~1.EXE > nul
    Signatures: Deletes itself; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads