ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe
Size

79KB
MD5

73ae5a63a08725057c33ff0b8f461051
SHA1

fe08e7d1ba9e540b43609dc160eed8f74e9c8d1f
SHA256

ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0
SHA512

28aea43b167cb2e5c598daf6ff27872ea08bca7a8c72aced92fdf2e66797d0067280030b0b9a8ed1a508477cb575baa131637cbbda240fdcd9288d077b055637
SSDEEP

768:4vw9816vhKQLroUN4/wQzXOQ69zbjlAAX5e9zp:wEGh0oYlGizbR9Xwzp

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A04AB671-9BB9-470f-B99A-BA9370FA7628}	{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A04AB671-9BB9-470f-B99A-BA9370FA7628}\stubpath = "C:\\Windows\\{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe"	{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C643405E-5DF1-4b46-A4EB-6CE5B436B619}	{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}	{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}\stubpath = "C:\\Windows\\{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe"	{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}\stubpath = "C:\\Windows\\{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe"	{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6831DC2-0ECD-4a45-99F7-90850D830CF2}	{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6831DC2-0ECD-4a45-99F7-90850D830CF2}\stubpath = "C:\\Windows\\{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe"	{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07C8662C-3996-4ff7-A57A-5D4E660E5F03}\stubpath = "C:\\Windows\\{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe"	{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62E8032B-109C-401e-8D94-68184E677F5D}\stubpath = "C:\\Windows\\{62E8032B-109C-401e-8D94-68184E677F5D}.exe"	{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8AF286E-7B47-480a-AC91-3C819A7CEB1F}\stubpath = "C:\\Windows\\{E8AF286E-7B47-480a-AC91-3C819A7CEB1F}.exe"	{62E8032B-109C-401e-8D94-68184E677F5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDB8FA93-E636-424f-A688-AB9AF5A501F3}	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}	{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07C8662C-3996-4ff7-A57A-5D4E660E5F03}	{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDB8FA93-E636-424f-A688-AB9AF5A501F3}\stubpath = "C:\\Windows\\{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe"	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C643405E-5DF1-4b46-A4EB-6CE5B436B619}\stubpath = "C:\\Windows\\{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe"	{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8AF286E-7B47-480a-AC91-3C819A7CEB1F}	{62E8032B-109C-401e-8D94-68184E677F5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62E8032B-109C-401e-8D94-68184E677F5D}	{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe

Deletes itself 1 IoCs

pid	Process
2180	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2076	{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe
2864	{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe
2684	{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe
2728	{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe
1572	{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe
436	{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe
2764	{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe
1176	{62E8032B-109C-401e-8D94-68184E677F5D}.exe
2164	{E8AF286E-7B47-480a-AC91-3C819A7CEB1F}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe	{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe
File created	C:\Windows\{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe	{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe
File created	C:\Windows\{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe	{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe
File created	C:\Windows\{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe	{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe
File created	C:\Windows\{62E8032B-109C-401e-8D94-68184E677F5D}.exe	{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe
File created	C:\Windows\{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe
File created	C:\Windows\{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe	{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe
File created	C:\Windows\{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe	{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe
File created	C:\Windows\{E8AF286E-7B47-480a-AC91-3C819A7CEB1F}.exe	{62E8032B-109C-401e-8D94-68184E677F5D}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{62E8032B-109C-401e-8D94-68184E677F5D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E8AF286E-7B47-480a-AC91-3C819A7CEB1F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2296	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe
Token: SeIncBasePriorityPrivilege	2076	{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe
Token: SeIncBasePriorityPrivilege	2864	{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe
Token: SeIncBasePriorityPrivilege	2684	{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe
Token: SeIncBasePriorityPrivilege	2728	{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe
Token: SeIncBasePriorityPrivilege	1572	{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe
Token: SeIncBasePriorityPrivilege	436	{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe
Token: SeIncBasePriorityPrivilege	2764	{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe
Token: SeIncBasePriorityPrivilege	1176	{62E8032B-109C-401e-8D94-68184E677F5D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2076	2296	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe	30
PID 2296 wrote to memory of 2076	2296	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe	30
PID 2296 wrote to memory of 2076	2296	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe	30
PID 2296 wrote to memory of 2076	2296	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe	30
PID 2296 wrote to memory of 2180	2296	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe	31
PID 2296 wrote to memory of 2180	2296	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe	31
PID 2296 wrote to memory of 2180	2296	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe	31
PID 2296 wrote to memory of 2180	2296	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe	31
PID 2076 wrote to memory of 2864	2076	{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe	32
PID 2076 wrote to memory of 2864	2076	{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe	32
PID 2076 wrote to memory of 2864	2076	{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe	32
PID 2076 wrote to memory of 2864	2076	{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe	32
PID 2076 wrote to memory of 1448	2076	{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe	33
PID 2076 wrote to memory of 1448	2076	{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe	33
PID 2076 wrote to memory of 1448	2076	{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe	33
PID 2076 wrote to memory of 1448	2076	{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe	33
PID 2864 wrote to memory of 2684	2864	{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe	34
PID 2864 wrote to memory of 2684	2864	{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe	34
PID 2864 wrote to memory of 2684	2864	{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe	34
PID 2864 wrote to memory of 2684	2864	{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe	34
PID 2864 wrote to memory of 2832	2864	{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe	35
PID 2864 wrote to memory of 2832	2864	{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe	35
PID 2864 wrote to memory of 2832	2864	{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe	35
PID 2864 wrote to memory of 2832	2864	{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe	35
PID 2684 wrote to memory of 2728	2684	{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe	36
PID 2684 wrote to memory of 2728	2684	{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe	36
PID 2684 wrote to memory of 2728	2684	{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe	36
PID 2684 wrote to memory of 2728	2684	{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe	36
PID 2684 wrote to memory of 1680	2684	{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe	37
PID 2684 wrote to memory of 1680	2684	{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe	37
PID 2684 wrote to memory of 1680	2684	{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe	37
PID 2684 wrote to memory of 1680	2684	{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe	37
PID 2728 wrote to memory of 1572	2728	{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe	38
PID 2728 wrote to memory of 1572	2728	{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe	38
PID 2728 wrote to memory of 1572	2728	{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe	38
PID 2728 wrote to memory of 1572	2728	{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe	38
PID 2728 wrote to memory of 2264	2728	{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe	39
PID 2728 wrote to memory of 2264	2728	{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe	39
PID 2728 wrote to memory of 2264	2728	{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe	39
PID 2728 wrote to memory of 2264	2728	{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe	39
PID 1572 wrote to memory of 436	1572	{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe	40
PID 1572 wrote to memory of 436	1572	{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe	40
PID 1572 wrote to memory of 436	1572	{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe	40
PID 1572 wrote to memory of 436	1572	{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe	40
PID 1572 wrote to memory of 2248	1572	{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe	41
PID 1572 wrote to memory of 2248	1572	{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe	41
PID 1572 wrote to memory of 2248	1572	{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe	41
PID 1572 wrote to memory of 2248	1572	{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe	41
PID 436 wrote to memory of 2764	436	{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe	42
PID 436 wrote to memory of 2764	436	{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe	42
PID 436 wrote to memory of 2764	436	{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe	42
PID 436 wrote to memory of 2764	436	{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe	42
PID 436 wrote to memory of 2700	436	{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe	43
PID 436 wrote to memory of 2700	436	{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe	43
PID 436 wrote to memory of 2700	436	{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe	43
PID 436 wrote to memory of 2700	436	{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe	43
PID 2764 wrote to memory of 1176	2764	{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe	45
PID 2764 wrote to memory of 1176	2764	{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe	45
PID 2764 wrote to memory of 1176	2764	{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe	45
PID 2764 wrote to memory of 1176	2764	{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe	45
PID 2764 wrote to memory of 616	2764	{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe	46
PID 2764 wrote to memory of 616	2764	{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe	46
PID 2764 wrote to memory of 616	2764	{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe	46
PID 2764 wrote to memory of 616	2764	{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe	46

C:\Users\Admin\AppData\Local\Temp\ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe
"C:\Users\Admin\AppData\Local\Temp\ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe
  C:\Windows\{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe
    C:\Windows\{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe
      C:\Windows\{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe
        
        C:\Windows\{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Windows\{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe
        
        C:\Windows\{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe
        
        C:\Windows\{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe
        
        C:\Windows\{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{62E8032B-109C-401e-8D94-68184E677F5D}.exe
        
        C:\Windows\{62E8032B-109C-401e-8D94-68184E677F5D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
        
        C:\Windows\{E8AF286E-7B47-480a-AC91-3C819A7CEB1F}.exe
        
        C:\Windows\{E8AF286E-7B47-480a-AC91-3C819A7CEB1F}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62E80~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07C86~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81C70~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6434~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A04AB~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6831~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3A6C8~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BDB8F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EC3A0F~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07C8662C-3996-4ff7-A57A-5D4E660E5F03}.exe

Filesize
79KB

MD5
3f0165ed7ae21856754fab0a8efd23c8

SHA1
1dec92891afc63c823004282641a8b04dfac6b59

SHA256
43d6a4dc5fb4b081900fe4ee5225f103dbde3c32a7c8d8b836773b55b8d3143d

SHA512
2ae406a64a26be68b540288704de3ad97e6e63133620e2f4e7b8944adb763a059e8012d0ebae60f19f1b88c7ab794d11d269d6f96727dcb06a010f7a4152aa3e

Download Submit
C:\Windows\{3A6C8C6D-B853-4ad6-8D07-597ADE137DDA}.exe

Filesize
79KB

MD5
caf6dd219e30a1581d9359620f7f1e91

SHA1
c96fa5db7078664cef3f8f1a6e31424e89786a12

SHA256
cc0e79230624382755ef18a8ebed00f52435e4a814ced467061b1ceb2e772002

SHA512
cf5d770f58abc7872bd3f6427151e3c5927103f61a889ba7a4fda2abd71801a4e3c5aa73325dcdda02a163de8d6ad8ab7f4311cb8b2305059c6d7b30234d7700

Download Submit
C:\Windows\{62E8032B-109C-401e-8D94-68184E677F5D}.exe

Filesize
79KB

MD5
1154e3028f33d02443c131b842a25881

SHA1
8ff449e993b91da5cc9311914e8ce5c6a26e46c5

SHA256
06a6f61f0e79c4474e6631df362fe582bdfff681845c80d9251b78e87e07487b

SHA512
e8bcfd173d8d63c1593a3a7b236f331dc5cd85b7c0cb3485813b3c5822cf63e8d1ccaf92fd1d80257306e2a3c257846305b9e2381934acf6ee173a8bf4562f0a

Download Submit
C:\Windows\{81C70CFE-B5A3-4ed8-89FF-B29D971846D8}.exe

Filesize
79KB

MD5
9c910c41483334322fc6d978a490569c

SHA1
d4f3b06b61b40414f4d782b5b6b14878b8936b97

SHA256
874e3178675c08e34084df32aaff52ac8249290339de2406b9aac0fe942c8046

SHA512
4c330fc267f9ea91a03e8288ddaa20b7b51c9233cdba85ab69c284597b715fce3eb747671bf2d8e8579ddc0fdc67d4800b85a57ea13280312d8f6dc7cc873e5c

Download Submit
C:\Windows\{A04AB671-9BB9-470f-B99A-BA9370FA7628}.exe

Filesize
79KB

MD5
10d51a471bbe46a4c0ed04612c2de247

SHA1
bdadab86677da5a1c107369ebe435d821151c7c4

SHA256
c1765b39116b74adf13f2addf90ebb79f4f9c60dcd12f7e6a0cc6d75420fa57d

SHA512
e0b8d214609a28f3439ac43c9f434d1bd02ce7346d8908af2df6321b3bd3aa664d6752024ef25e1d73adbc371b0f8d29faa0679bc4fe53f0a3a7d81ad5333e6b

Download Submit
C:\Windows\{B6831DC2-0ECD-4a45-99F7-90850D830CF2}.exe

Filesize
79KB

MD5
921739065e7c81b1edabb3d3b4e076fa

SHA1
b255ec15c1ef652e5caef0e93eeae7b7f0ff5ed7

SHA256
26a10df43a28a417df0afbfa27e7c7ff0b9ca939839e0f69236e7eb3ba22ddbf

SHA512
72d91075c1ec55ff667afb6d1a324288a0a9e3d3d9081ac0c57af172ce1c9636f7d3a4473873f5ce14a526fa12749b4c448aabab7d5f0352570001073ee2d502

Download Submit
C:\Windows\{BDB8FA93-E636-424f-A688-AB9AF5A501F3}.exe

Filesize
79KB

MD5
17a90f5bab0df1bc70201ec532e15e7a

SHA1
ade4c083bd607ae7dba7d9c525cd84468c993b5e

SHA256
bb0e1245247087f8af935750abbd8ebaeee08d1061198512a8ee32d469913984

SHA512
4398a39cbc759f6319ff706e5b1536b78c3abaca20b97cad0d2c2b6604753583e39fb61c242d417b38ff6bee89dcb3314229d67c397a4d0e1f8c17f46c39b6a4

Download Submit
C:\Windows\{C643405E-5DF1-4b46-A4EB-6CE5B436B619}.exe

Filesize
79KB

MD5
55071f0236b7dac8910014bd83dd8f30

SHA1
a25e2fede44432a645b28044e65c39349beff3b8

SHA256
e4b2d23b38234fd3f2451f9cbc1c07b7a6b941f7c1facf67858c75c7d1ecc242

SHA512
f8baef15a8905b63732518dbd6469e1013b94def0c0b41a3f29c929edfa8ce2e67691a5ff13fa4219a022261aaad77b981d7c74174f4dcd6d1a7d1a22d7b2716

Download Submit
C:\Windows\{E8AF286E-7B47-480a-AC91-3C819A7CEB1F}.exe

Filesize
79KB

MD5
14cb784c78ca9391f1c2f8924bf9161d

SHA1
29caacf3d9ef9fa147c2e3778d86cbad38da0bd4

SHA256
a57d21fc401e369cfa9f6ecbad5bf6b2f60f88414c8711b609f778c9b8268250

SHA512
e54d5e9df3e88e083014bc22c706966ff66b17f28b0bbe0c1fb23716975b302b87f2c86a38f092ce7ee6216ff370bd6f4e21880e4b2324014fe4749ee786f27b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads