317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe
Size

79KB
MD5

9c83ecead24ac45cc0bc23f31be146b7
SHA1

7459ba28d5f1d36f8e7cee27a3c884e2d7a8857a
SHA256

317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a
SHA512

f14454dafb37d97a2ae39817c413d7944e84bddc39436b779e3d701d465cf09df01addc25490514e9aa3410b046bd38b12dee337b6e2c1df5a5b06cf11c602da
SSDEEP

768:4vw9816vhKQLro64/wQpWMZ3XOQ69zbjlAAX5e9zp:wEGh0o6loWMZ3izbR9Xwzp

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}	317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{083DF34C-059C-4c57-B0BE-4A546A07C3BF}\stubpath = "C:\\Windows\\{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe"	{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63F40E0F-543F-45af-84A4-6E14056AB921}	{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E12EA555-67F5-4540-9739-76E1C837C539}	{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F53D677-12A2-4114-929C-F827F0908B9C}	{E12EA555-67F5-4540-9739-76E1C837C539}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}\stubpath = "C:\\Windows\\{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe"	{7F53D677-12A2-4114-929C-F827F0908B9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57339CE6-7361-47e6-AAC3-F2F2288B3671}	{63F40E0F-543F-45af-84A4-6E14056AB921}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}	{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63F40E0F-543F-45af-84A4-6E14056AB921}\stubpath = "C:\\Windows\\{63F40E0F-543F-45af-84A4-6E14056AB921}.exe"	{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E12EA555-67F5-4540-9739-76E1C837C539}\stubpath = "C:\\Windows\\{E12EA555-67F5-4540-9739-76E1C837C539}.exe"	{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F53D677-12A2-4114-929C-F827F0908B9C}\stubpath = "C:\\Windows\\{7F53D677-12A2-4114-929C-F827F0908B9C}.exe"	{E12EA555-67F5-4540-9739-76E1C837C539}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}	{7F53D677-12A2-4114-929C-F827F0908B9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{083DF34C-059C-4c57-B0BE-4A546A07C3BF}	{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0525E678-8E2E-4911-ABBA-1FD8617196C5}	{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0525E678-8E2E-4911-ABBA-1FD8617196C5}\stubpath = "C:\\Windows\\{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe"	{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}\stubpath = "C:\\Windows\\{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe"	317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}\stubpath = "C:\\Windows\\{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe"	{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57339CE6-7361-47e6-AAC3-F2F2288B3671}\stubpath = "C:\\Windows\\{57339CE6-7361-47e6-AAC3-F2F2288B3671}.exe"	{63F40E0F-543F-45af-84A4-6E14056AB921}.exe

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1548	{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe
2784	{E12EA555-67F5-4540-9739-76E1C837C539}.exe
3028	{7F53D677-12A2-4114-929C-F827F0908B9C}.exe
1040	{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe
2812	{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe
1728	{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe
1112	{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe
1856	{63F40E0F-543F-45af-84A4-6E14056AB921}.exe
2268	{57339CE6-7361-47e6-AAC3-F2F2288B3671}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe	{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe
File created	C:\Windows\{57339CE6-7361-47e6-AAC3-F2F2288B3671}.exe	{63F40E0F-543F-45af-84A4-6E14056AB921}.exe
File created	C:\Windows\{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe	317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe
File created	C:\Windows\{E12EA555-67F5-4540-9739-76E1C837C539}.exe	{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe
File created	C:\Windows\{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe	{7F53D677-12A2-4114-929C-F827F0908B9C}.exe
File created	C:\Windows\{63F40E0F-543F-45af-84A4-6E14056AB921}.exe	{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe
File created	C:\Windows\{7F53D677-12A2-4114-929C-F827F0908B9C}.exe	{E12EA555-67F5-4540-9739-76E1C837C539}.exe
File created	C:\Windows\{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe	{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe
File created	C:\Windows\{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe	{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{57339CE6-7361-47e6-AAC3-F2F2288B3671}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E12EA555-67F5-4540-9739-76E1C837C539}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7F53D677-12A2-4114-929C-F827F0908B9C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{63F40E0F-543F-45af-84A4-6E14056AB921}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2100	317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe
Token: SeIncBasePriorityPrivilege	1548	{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe
Token: SeIncBasePriorityPrivilege	2784	{E12EA555-67F5-4540-9739-76E1C837C539}.exe
Token: SeIncBasePriorityPrivilege	3028	{7F53D677-12A2-4114-929C-F827F0908B9C}.exe
Token: SeIncBasePriorityPrivilege	1040	{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe
Token: SeIncBasePriorityPrivilege	2812	{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe
Token: SeIncBasePriorityPrivilege	1728	{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe
Token: SeIncBasePriorityPrivilege	1112	{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe
Token: SeIncBasePriorityPrivilege	1856	{63F40E0F-543F-45af-84A4-6E14056AB921}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 1548	2100	317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe	28
PID 2100 wrote to memory of 1548	2100	317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe	28
PID 2100 wrote to memory of 1548	2100	317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe	28
PID 2100 wrote to memory of 1548	2100	317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe	28
PID 2100 wrote to memory of 2768	2100	317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe	29
PID 2100 wrote to memory of 2768	2100	317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe	29
PID 2100 wrote to memory of 2768	2100	317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe	29
PID 2100 wrote to memory of 2768	2100	317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe	29
PID 1548 wrote to memory of 2784	1548	{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe	30
PID 1548 wrote to memory of 2784	1548	{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe	30
PID 1548 wrote to memory of 2784	1548	{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe	30
PID 1548 wrote to memory of 2784	1548	{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe	30
PID 1548 wrote to memory of 2816	1548	{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe	31
PID 1548 wrote to memory of 2816	1548	{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe	31
PID 1548 wrote to memory of 2816	1548	{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe	31
PID 1548 wrote to memory of 2816	1548	{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe	31
PID 2784 wrote to memory of 3028	2784	{E12EA555-67F5-4540-9739-76E1C837C539}.exe	34
PID 2784 wrote to memory of 3028	2784	{E12EA555-67F5-4540-9739-76E1C837C539}.exe	34
PID 2784 wrote to memory of 3028	2784	{E12EA555-67F5-4540-9739-76E1C837C539}.exe	34
PID 2784 wrote to memory of 3028	2784	{E12EA555-67F5-4540-9739-76E1C837C539}.exe	34
PID 2784 wrote to memory of 2988	2784	{E12EA555-67F5-4540-9739-76E1C837C539}.exe	35
PID 2784 wrote to memory of 2988	2784	{E12EA555-67F5-4540-9739-76E1C837C539}.exe	35
PID 2784 wrote to memory of 2988	2784	{E12EA555-67F5-4540-9739-76E1C837C539}.exe	35
PID 2784 wrote to memory of 2988	2784	{E12EA555-67F5-4540-9739-76E1C837C539}.exe	35
PID 3028 wrote to memory of 1040	3028	{7F53D677-12A2-4114-929C-F827F0908B9C}.exe	36
PID 3028 wrote to memory of 1040	3028	{7F53D677-12A2-4114-929C-F827F0908B9C}.exe	36
PID 3028 wrote to memory of 1040	3028	{7F53D677-12A2-4114-929C-F827F0908B9C}.exe	36
PID 3028 wrote to memory of 1040	3028	{7F53D677-12A2-4114-929C-F827F0908B9C}.exe	36
PID 3028 wrote to memory of 604	3028	{7F53D677-12A2-4114-929C-F827F0908B9C}.exe	37
PID 3028 wrote to memory of 604	3028	{7F53D677-12A2-4114-929C-F827F0908B9C}.exe	37
PID 3028 wrote to memory of 604	3028	{7F53D677-12A2-4114-929C-F827F0908B9C}.exe	37
PID 3028 wrote to memory of 604	3028	{7F53D677-12A2-4114-929C-F827F0908B9C}.exe	37
PID 1040 wrote to memory of 2812	1040	{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe	38
PID 1040 wrote to memory of 2812	1040	{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe	38
PID 1040 wrote to memory of 2812	1040	{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe	38
PID 1040 wrote to memory of 2812	1040	{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe	38
PID 1040 wrote to memory of 2848	1040	{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe	39
PID 1040 wrote to memory of 2848	1040	{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe	39
PID 1040 wrote to memory of 2848	1040	{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe	39
PID 1040 wrote to memory of 2848	1040	{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe	39
PID 2812 wrote to memory of 1728	2812	{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe	40
PID 2812 wrote to memory of 1728	2812	{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe	40
PID 2812 wrote to memory of 1728	2812	{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe	40
PID 2812 wrote to memory of 1728	2812	{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe	40
PID 2812 wrote to memory of 2176	2812	{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe	41
PID 2812 wrote to memory of 2176	2812	{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe	41
PID 2812 wrote to memory of 2176	2812	{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe	41
PID 2812 wrote to memory of 2176	2812	{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe	41
PID 1728 wrote to memory of 1112	1728	{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe	42
PID 1728 wrote to memory of 1112	1728	{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe	42
PID 1728 wrote to memory of 1112	1728	{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe	42
PID 1728 wrote to memory of 1112	1728	{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe	42
PID 1728 wrote to memory of 2016	1728	{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe	43
PID 1728 wrote to memory of 2016	1728	{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe	43
PID 1728 wrote to memory of 2016	1728	{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe	43
PID 1728 wrote to memory of 2016	1728	{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe	43
PID 1112 wrote to memory of 1856	1112	{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe	44
PID 1112 wrote to memory of 1856	1112	{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe	44
PID 1112 wrote to memory of 1856	1112	{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe	44
PID 1112 wrote to memory of 1856	1112	{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe	44
PID 1112 wrote to memory of 1828	1112	{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe	45
PID 1112 wrote to memory of 1828	1112	{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe	45
PID 1112 wrote to memory of 1828	1112	{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe	45
PID 1112 wrote to memory of 1828	1112	{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe	45

C:\Users\Admin\AppData\Local\Temp\317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe
"C:\Users\Admin\AppData\Local\Temp\317fddd53bce84cfb47a1c1eeb54dbc23e250af42f2e26ef51b3e6a09602b94a.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe
  C:\Windows\{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\{E12EA555-67F5-4540-9739-76E1C837C539}.exe
    C:\Windows\{E12EA555-67F5-4540-9739-76E1C837C539}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\{7F53D677-12A2-4114-929C-F827F0908B9C}.exe
      C:\Windows\{7F53D677-12A2-4114-929C-F827F0908B9C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Windows\{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe
        
        C:\Windows\{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
      - C:\Windows\{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe
        
        C:\Windows\{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe
        
        C:\Windows\{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe
        
        C:\Windows\{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\{63F40E0F-543F-45af-84A4-6E14056AB921}.exe
        
        C:\Windows\{63F40E0F-543F-45af-84A4-6E14056AB921}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\{57339CE6-7361-47e6-AAC3-F2F2288B3671}.exe
        
        C:\Windows\{57339CE6-7361-47e6-AAC3-F2F2288B3671}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63F40~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1ADB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0525E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{083DF~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C0EF~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F53D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E12EA~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8BE23~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\317FDD~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0525E678-8E2E-4911-ABBA-1FD8617196C5}.exe

Filesize
79KB

MD5
a9361c58d7422a1fbff8682c111ec2e9

SHA1
6b2085aea9b6b00d0f1f01a59d9683984bd4a04b

SHA256
268f8bbdcf4144f6281afca710de945b8f9fe33ad402acbe397d034772417df6

SHA512
4da49ad22d71ab9a1555249c442ec10e72a7c2ee105abb15d3fa87b1a5412d66550f7caca6686b05e16b5a7c5ea97659d257538355025b9c1d0ec03f6e32b9a7

Download Submit
C:\Windows\{083DF34C-059C-4c57-B0BE-4A546A07C3BF}.exe

Filesize
79KB

MD5
e59269e446d6a642bfac7d4bf701e858

SHA1
11f7abf45b59ecbb4b68ab0da359b363c67f7eb5

SHA256
e09bea974419319e4b9e670425b1dc38fd737a4fced7e3cf0c3bfa382425004b

SHA512
62fb1588c8906ce055f4936f012ba90ec0ec8eac038edccd0fd2517a5484282c5b95b64d275ce97159ec83e0722fcbb06d67168906ce0a110f15f5ea7cc38a1a

Download Submit
C:\Windows\{1C0EF714-DCAD-4858-AE56-F034E60FC2EB}.exe

Filesize
79KB

MD5
e6b47d642a826f6f9706d12afc7f7af5

SHA1
68058fdc20c6b3a6acdc1530cbe0462ced1078ec

SHA256
e929d77187e34113a83adbb39ff5ca67d84bd1df1aedd4265f0ecb2a36b20a52

SHA512
237e0dd1b29671698b0cb56161d1f3ec52380b6a388420bec9b44bb756b7c2b094fe8b8908d8db9bd1a5818e4de908e1148775d13baf43fa7f8f6110f7c81bda

Download Submit
C:\Windows\{57339CE6-7361-47e6-AAC3-F2F2288B3671}.exe

Filesize
79KB

MD5
18473d59668857512218a214880f5103

SHA1
d049c06dd436dba5f4350b5c35ab31eced31a5e9

SHA256
af9f386a8e1121b33f6d823529c39dc5a73c2a080145bbf3531b068b4a152d3b

SHA512
326cfb6115d2615f08362f614aa9fc8e181524a292c278e49f651f72d7af5a25538cca6043204f194116cbc6ea371e3b55275ecc72eaad1733079b867abf613c

Download Submit
C:\Windows\{63F40E0F-543F-45af-84A4-6E14056AB921}.exe

Filesize
79KB

MD5
12c032e3134b2c0e2fb04e9ac55faa16

SHA1
45f051f78358563380daeb01ad7c2a16efca1043

SHA256
fe6caacb192ea80b71af728f54efc5486cc85b5489dd85dbb3a3c7658648b598

SHA512
f5d3ab18c746b97d62331db87f9a62457b3a888b56a8edc77413e6a1698986b519e208f113e1926703449417565f207e080b687ad702e3f74bdd34f08c1e162b

Download Submit
C:\Windows\{7F53D677-12A2-4114-929C-F827F0908B9C}.exe

Filesize
79KB

MD5
da120aac61483050f73007a18738273e

SHA1
2135f442f81d9d406b91ee1f3cd9e65db60485f6

SHA256
8a1741a444b0d894705f7717b3e385bd48c350c6cf5d23dfda520e171457116d

SHA512
6cf7b2cdc1e8d3d20c255ce7f67e32de3b717385b12c9d55646793a7d7df116a9c1792256d0e1e7e7cfb044523f3540edfc133211abf9ed7432d019de029d525

Download Submit
C:\Windows\{8BE2301D-51A7-4fdd-AD12-EBD7F0259EA4}.exe

Filesize
79KB

MD5
a18b958415d76b9a060a6552b0c034fe

SHA1
c51a02faa6055c15f19b04c30c7ea0d4339efdf0

SHA256
3b9ed41f9b3ab0395e4451c945b4e6f032aff0e6470e6c6d2c2315fd01914ba7

SHA512
c66b94dfc86738861de021df517f69ebed99d0b281ca28758c0dc9beee2f7e2635c38d3b0e45e38580542030c15669baf96a54a8bbcf24cb9ba793a3cce88b34

Download Submit
C:\Windows\{E12EA555-67F5-4540-9739-76E1C837C539}.exe

Filesize
79KB

MD5
bccf3cd964ea7673e126722de9535a24

SHA1
7e8dddbe971ced9e1b334ebecd7be1d32e6f1fc9

SHA256
9b2782da7a88ef84177d0a0b49e199d9eca1ca0d08f398641f1cf5c292f6ebcf

SHA512
58b37e1af54c682eb2b0f11350c2265dcaeacf032469d7cf67d5e2344ccf51a41d42b4aed2296a6cb279c6f70b596be41e91e9f63c0b0d4c7d31a69100bae4a8

Download Submit
C:\Windows\{F1ADB3E3-F4ED-4e03-ACA1-37869B7FF938}.exe

Filesize
79KB

MD5
a3387b59074acebb68f3551e75d1dba5

SHA1
d1a3e3add0e74ac11c0fd357b83e0e755538400b

SHA256
955b29e4acdb00917f44fbc9a0a20134d67f24a01da325910c85727bf9b54cd1

SHA512
01274f0289c6cc021943d060400b7156a562011ce9abb6046690c7179bddaf14c41e6f7869ac5d6ff15aa03f98afb78a1b4833539a6d7edea7b0d322d38f8916

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads