Analysis

- max time kernel: 119s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 11/11/2024, 12:46

Static task: static1

Behavioral task: behavioral1
- Sample: c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe
- Resource: win10v2004-20241007-en
General

- Target: c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe
- Size: 90KB
- MD5: 21673f1e9b5deec9dc6bfe84927e53a0
- SHA1: 76361257921ba001dc4d6a4c6a93fdf5b8e70ef1
- SHA256: c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919
- SHA512: 6971229362378fad2cfbea02d42f4c442de686d3c103f20d70f32bcbc4b6ddeb13c937277633b2550467bfe2b1e002be5fc0f6b25f0c54505770d63e8c81da4e
- SSDEEP: 768:Qvw9816vhKQLro04/wQRNrfrunMxVFA3b7glw:YEGh0o0l2unMxVS3Hg
Malware Config

Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

| Description | IoC | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3799FB0-1447-47c6-AED4-435AC36BD9AC} | {149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}\stubpath = "C:\\Windows\\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe" | {E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{700B662E-1091-4508-B4B3-61082259EC1A} | {23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{700B662E-1091-4508-B4B3-61082259EC1A}\stubpath = "C:\\Windows\\{700B662E-1091-4508-B4B3-61082259EC1A}.exe" | {23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBDF962B-8049-4667-A893-F02469AFC179} | {700B662E-1091-4508-B4B3-61082259EC1A}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E081B303-FB06-4603-B6CF-8459EC78466A}\stubpath = "C:\\Windows\\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe" | {1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}\stubpath = "C:\\Windows\\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe" | {149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E081B303-FB06-4603-B6CF-8459EC78466A} | {1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF781A25-309F-4286-AF85-DE6DD161BDE2}\stubpath = "C:\\Windows\\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe" | {E081B303-FB06-4603-B6CF-8459EC78466A}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B} | {BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}\stubpath = "C:\\Windows\\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe" | {BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23A1DFEC-78EE-4b25-B579-5D686B7D493F} | {E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBDF962B-8049-4667-A893-F02469AFC179}\stubpath = "C:\\Windows\\{DBDF962B-8049-4667-A893-F02469AFC179}.exe" | {700B662E-1091-4508-B4B3-61082259EC1A}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}\stubpath = "C:\\Windows\\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe" | c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF781A25-309F-4286-AF85-DE6DD161BDE2} | {E081B303-FB06-4603-B6CF-8459EC78466A}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6} | {DBDF962B-8049-4667-A893-F02469AFC179}.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}\stubpath = "C:\\Windows\\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe" | {DBDF962B-8049-4667-A893-F02469AFC179}.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B} | c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe |
Deletes itself (1 IoC)

| PID | Process |
| --- | --- |
| 2796 | cmd.exe |
Executes dropped EXE (9 IoCs)

| PID | Process |
| --- | --- |
| 2488 | {1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe |
| 2980 | {E081B303-FB06-4603-B6CF-8459EC78466A}.exe |
| 2344 | {BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe |
| 2708 | {149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe |
| 2412 | {E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe |
| 2332 | {23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe |
| 2900 | {700B662E-1091-4508-B4B3-61082259EC1A}.exe |
| 1376 | {DBDF962B-8049-4667-A893-F02469AFC179}.exe |
| 2544 | {AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe |
Drops file in Windows directory (9 IoCs)

| Description | IoC | Process |
| --- | --- | --- |
| File created | C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe |
| File created | C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | {BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe |
| File created | C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | {149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe |
| File created | C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe | {23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe |
| File created | C:\Windows\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe | {DBDF962B-8049-4667-A893-F02469AFC179}.exe |
| File created | C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe | {1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe |
| File created | C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | {E081B303-FB06-4603-B6CF-8459EC78466A}.exe |
| File created | C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | {E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe |
| File created | C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe | {700B662E-1091-4508-B4B3-61082259EC1A}.exe |
System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| Description | IoC | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {E081B303-FB06-4603-B6CF-8459EC78466A}.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {700B662E-1091-4508-B4B3-61082259EC1A}.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {DBDF962B-8049-4667-A893-F02469AFC179}.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe |
Suspicious use of AdjustPrivilegeToken (9 IoCs)

| Description | PID | Process |
| --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | 2440 | c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe |
| Token: SeIncBasePriorityPrivilege | 2488 | {1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe |
| Token: SeIncBasePriorityPrivilege | 2980 | {E081B303-FB06-4603-B6CF-8459EC78466A}.exe |
| Token: SeIncBasePriorityPrivilege | 2344 | {BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe |
| Token: SeIncBasePriorityPrivilege | 2708 | {149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe |
| Token: SeIncBasePriorityPrivilege | 2412 | {E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe |
| Token: SeIncBasePriorityPrivilege | 2332 | {23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe |
| Token: SeIncBasePriorityPrivilege | 2900 | {700B662E-1091-4508-B4B3-61082259EC1A}.exe |
| Token: SeIncBasePriorityPrivilege | 1376 | {DBDF962B-8049-4667-A893-F02469AFC179}.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| Description | PID | Process | procid_target |
| --- | --- | --- | --- |
| PID 2440 wrote to memory of 2488 | 2440 | c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | 31 |
| PID 2440 wrote to memory of 2488 | 2440 | c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | 31 |
| PID 2440 wrote to memory of 2488 | 2440 | c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | 31 |
| PID 2440 wrote to memory of 2488 | 2440 | c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | 31 |
| PID 2440 wrote to memory of 2796 | 2440 | c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | 32 |
| PID 2440 wrote to memory of 2796 | 2440 | c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | 32 |
| PID 2440 wrote to memory of 2796 | 2440 | c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | 32 |
| PID 2440 wrote to memory of 2796 | 2440 | c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | 32 |
| PID 2488 wrote to memory of 2980 | 2488 | {1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | 33 |
| PID 2488 wrote to memory of 2980 | 2488 | {1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | 33 |
| PID 2488 wrote to memory of 2980 | 2488 | {1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | 33 |
| PID 2488 wrote to memory of 2980 | 2488 | {1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | 33 |
| PID 2488 wrote to memory of 2852 | 2488 | {1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | 34 |
| PID 2488 wrote to memory of 2852 | 2488 | {1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | 34 |
| PID 2488 wrote to memory of 2852 | 2488 | {1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | 34 |
| PID 2488 wrote to memory of 2852 | 2488 | {1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | 34 |
| PID 2980 wrote to memory of 2344 | 2980 | {E081B303-FB06-4603-B6CF-8459EC78466A}.exe | 35 |
| PID 2980 wrote to memory of 2344 | 2980 | {E081B303-FB06-4603-B6CF-8459EC78466A}.exe | 35 |
| PID 2980 wrote to memory of 2344 | 2980 | {E081B303-FB06-4603-B6CF-8459EC78466A}.exe | 35 |
| PID 2980 wrote to memory of 2344 | 2980 | {E081B303-FB06-4603-B6CF-8459EC78466A}.exe | 35 |
| PID 2980 wrote to memory of 2728 | 2980 | {E081B303-FB06-4603-B6CF-8459EC78466A}.exe | 36 |
| PID 2980 wrote to memory of 2728 | 2980 | {E081B303-FB06-4603-B6CF-8459EC78466A}.exe | 36 |
| PID 2980 wrote to memory of 2728 | 2980 | {E081B303-FB06-4603-B6CF-8459EC78466A}.exe | 36 |
| PID 2980 wrote to memory of 2728 | 2980 | {E081B303-FB06-4603-B6CF-8459EC78466A}.exe | 36 |
| PID 2344 wrote to memory of 2708 | 2344 | {BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | 37 |
| PID 2344 wrote to memory of 2708 | 2344 | {BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | 37 |
| PID 2344 wrote to memory of 2708 | 2344 | {BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | 37 |
| PID 2344 wrote to memory of 2708 | 2344 | {BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | 37 |
| PID 2344 wrote to memory of 2736 | 2344 | {BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | 38 |
| PID 2344 wrote to memory of 2736 | 2344 | {BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | 38 |
| PID 2344 wrote to memory of 2736 | 2344 | {BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | 38 |
| PID 2344 wrote to memory of 2736 | 2344 | {BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | 38 |
| PID 2708 wrote to memory of 2412 | 2708 | {149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | 39 |
| PID 2708 wrote to memory of 2412 | 2708 | {149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | 39 |
| PID 2708 wrote to memory of 2412 | 2708 | {149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | 39 |
| PID 2708 wrote to memory of 2412 | 2708 | {149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | 39 |
| PID 2708 wrote to memory of 2924 | 2708 | {149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | 40 |
| PID 2708 wrote to memory of 2924 | 2708 | {149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | 40 |
| PID 2708 wrote to memory of 2924 | 2708 | {149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | 40 |
| PID 2708 wrote to memory of 2924 | 2708 | {149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | 40 |
| PID 2412 wrote to memory of 2332 | 2412 | {E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | 41 |
| PID 2412 wrote to memory of 2332 | 2412 | {E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | 41 |
| PID 2412 wrote to memory of 2332 | 2412 | {E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | 41 |
| PID 2412 wrote to memory of 2332 | 2412 | {E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | 41 |
| PID 2412 wrote to memory of 1632 | 2412 | {E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | 42 |
| PID 2412 wrote to memory of 1632 | 2412 | {E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | 42 |
| PID 2412 wrote to memory of 1632 | 2412 | {E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | 42 |
| PID 2412 wrote to memory of 1632 | 2412 | {E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | 42 |
| PID 2332 wrote to memory of 2900 | 2332 | {23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | 43 |
| PID 2332 wrote to memory of 2900 | 2332 | {23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | 43 |
| PID 2332 wrote to memory of 2900 | 2332 | {23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | 43 |
| PID 2332 wrote to memory of 2900 | 2332 | {23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | 43 |
| PID 2332 wrote to memory of 2692 | 2332 | {23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | 44 |
| PID 2332 wrote to memory of 2692 | 2332 | {23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | 44 |
| PID 2332 wrote to memory of 2692 | 2332 | {23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | 44 |
| PID 2332 wrote to memory of 2692 | 2332 | {23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | 44 |
| PID 2900 wrote to memory of 1376 | 2900 | {700B662E-1091-4508-B4B3-61082259EC1A}.exe | 45 |
| PID 2900 wrote to memory of 1376 | 2900 | {700B662E-1091-4508-B4B3-61082259EC1A}.exe | 45 |
| PID 2900 wrote to memory of 1376 | 2900 | {700B662E-1091-4508-B4B3-61082259EC1A}.exe | 45 |
| PID 2900 wrote to memory of 1376 | 2900 | {700B662E-1091-4508-B4B3-61082259EC1A}.exe | 45 |
| PID 2900 wrote to memory of 1028 | 2900 | {700B662E-1091-4508-B4B3-61082259EC1A}.exe | 46 |
| PID 2900 wrote to memory of 1028 | 2900 | {700B662E-1091-4508-B4B3-61082259EC1A}.exe | 46 |
| PID 2900 wrote to memory of 1028 | 2900 | {700B662E-1091-4508-B4B3-61082259EC1A}.exe | 46 |
| PID 2900 wrote to memory of 1028 | 2900 | {700B662E-1091-4508-B4B3-61082259EC1A}.exe | 46 |
Processes

- C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe (depth 1, PID 2440)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe"
  Signatures: Boot or Logon Autostart Execution: Active Setup; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe (depth 2, PID 2488)
    Command line: C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe
    Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe (depth 3, PID 2980)
      Command line: C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe
      Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe (depth 4, PID 2344)
        Command line: C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe
        Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe (depth 5, PID 2708)
          Command line: C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe
          Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe (depth 6, PID 2412)
            Command line: C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe
            Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe (depth 7, PID 2332)
              Command line: C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe
              Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe (depth 8, PID 2900)
                Command line: C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe
                Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe (depth 9, PID 1376)
                  Command line: C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe
                  Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
                  - C:\Windows\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe (depth 10, PID 2544)
                    Command line: C:\Windows\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe
                    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
                  - C:\Windows\SysWOW64\cmd.exe (depth 10, PID 1516)
                    Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DBDF9~1.EXE > nul
                    Signatures: System Location Discovery: System Language Discovery
                - C:\Windows\SysWOW64\cmd.exe (depth 9, PID 1028)
                  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{700B6~1.EXE > nul
                  Signatures: System Location Discovery: System Language Discovery
              - C:\Windows\SysWOW64\cmd.exe (depth 8, PID 2692)
                Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{23A1D~1.EXE > nul
                Signatures: System Location Discovery: System Language Discovery
            - C:\Windows\SysWOW64\cmd.exe (depth 7, PID 1632)
              Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E3799~1.EXE > nul
              Signatures: System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\cmd.exe (depth 6, PID 2924)
            Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{149E1~1.EXE > nul
            Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\cmd.exe (depth 5, PID 2736)
          Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{BF781~1.EXE > nul
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2728)
        Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E081B~1.EXE > nul
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2852)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1C0AA~1.EXE > nul
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2796)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C11BDD~1.EXE > nul
    Signatures: Deletes itself; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads