90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe
Size

88KB
MD5

1012b63cceb9f0a40384afb4752c81f5
SHA1

4d1bdaca23b6d3a8af9d61cc9fcd894b62538100
SHA256

90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae
SHA512

21682c33d4feab8b2328b8775c116e2837ef4195b0d2cdb09f1d69767e6fef4fbb892eee126a43e11e0139f5f4cceff75e8cfd4976c164faee1fa34c1b322e59
SSDEEP

768:Qvw9816vhKQLroO4/wQRN/frunMxVFA3b70:YEGh0oOlKunMxVS3H0

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}	{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}	{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}	{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CEC71F7-84A0-4963-A509-056F58C05667}	{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCDE83B0-1919-4b3c-B479-8DF3AF7C63DB}	{8CEC71F7-84A0-4963-A509-056F58C05667}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCDE83B0-1919-4b3c-B479-8DF3AF7C63DB}\stubpath = "C:\\Windows\\{BCDE83B0-1919-4b3c-B479-8DF3AF7C63DB}.exe"	{8CEC71F7-84A0-4963-A509-056F58C05667}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72DC5B11-6CCA-4ec4-966E-B9E094884D00}	{BCDE83B0-1919-4b3c-B479-8DF3AF7C63DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}	{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}\stubpath = "C:\\Windows\\{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe"	{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CEC71F7-84A0-4963-A509-056F58C05667}\stubpath = "C:\\Windows\\{8CEC71F7-84A0-4963-A509-056F58C05667}.exe"	{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}\stubpath = "C:\\Windows\\{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe"	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}\stubpath = "C:\\Windows\\{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe"	{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}\stubpath = "C:\\Windows\\{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe"	{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72DC5B11-6CCA-4ec4-966E-B9E094884D00}\stubpath = "C:\\Windows\\{72DC5B11-6CCA-4ec4-966E-B9E094884D00}.exe"	{BCDE83B0-1919-4b3c-B479-8DF3AF7C63DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}\stubpath = "C:\\Windows\\{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe"	{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}	{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}\stubpath = "C:\\Windows\\{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe"	{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe

Deletes itself 1 IoCs

pid	Process
2104	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2916	{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe
2180	{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe
2640	{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe
2508	{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe
2500	{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe
1268	{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe
1264	{8CEC71F7-84A0-4963-A509-056F58C05667}.exe
1964	{BCDE83B0-1919-4b3c-B479-8DF3AF7C63DB}.exe
1896	{72DC5B11-6CCA-4ec4-966E-B9E094884D00}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{8CEC71F7-84A0-4963-A509-056F58C05667}.exe	{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe
File created	C:\Windows\{72DC5B11-6CCA-4ec4-966E-B9E094884D00}.exe	{BCDE83B0-1919-4b3c-B479-8DF3AF7C63DB}.exe
File created	C:\Windows\{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe
File created	C:\Windows\{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe	{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe
File created	C:\Windows\{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe	{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe
File created	C:\Windows\{BCDE83B0-1919-4b3c-B479-8DF3AF7C63DB}.exe	{8CEC71F7-84A0-4963-A509-056F58C05667}.exe
File created	C:\Windows\{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe	{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe
File created	C:\Windows\{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe	{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe
File created	C:\Windows\{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe	{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BCDE83B0-1919-4b3c-B479-8DF3AF7C63DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72DC5B11-6CCA-4ec4-966E-B9E094884D00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8CEC71F7-84A0-4963-A509-056F58C05667}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1552	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe
Token: SeIncBasePriorityPrivilege	2916	{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe
Token: SeIncBasePriorityPrivilege	2180	{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe
Token: SeIncBasePriorityPrivilege	2640	{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe
Token: SeIncBasePriorityPrivilege	2508	{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe
Token: SeIncBasePriorityPrivilege	2500	{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe
Token: SeIncBasePriorityPrivilege	1268	{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe
Token: SeIncBasePriorityPrivilege	1264	{8CEC71F7-84A0-4963-A509-056F58C05667}.exe
Token: SeIncBasePriorityPrivilege	1964	{BCDE83B0-1919-4b3c-B479-8DF3AF7C63DB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2916	1552	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe	31
PID 1552 wrote to memory of 2916	1552	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe	31
PID 1552 wrote to memory of 2916	1552	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe	31
PID 1552 wrote to memory of 2916	1552	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe	31
PID 1552 wrote to memory of 2104	1552	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe	32
PID 1552 wrote to memory of 2104	1552	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe	32
PID 1552 wrote to memory of 2104	1552	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe	32
PID 1552 wrote to memory of 2104	1552	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe	32
PID 2916 wrote to memory of 2180	2916	{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe	33
PID 2916 wrote to memory of 2180	2916	{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe	33
PID 2916 wrote to memory of 2180	2916	{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe	33
PID 2916 wrote to memory of 2180	2916	{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe	33
PID 2916 wrote to memory of 2428	2916	{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe	34
PID 2916 wrote to memory of 2428	2916	{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe	34
PID 2916 wrote to memory of 2428	2916	{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe	34
PID 2916 wrote to memory of 2428	2916	{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe	34
PID 2180 wrote to memory of 2640	2180	{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe	35
PID 2180 wrote to memory of 2640	2180	{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe	35
PID 2180 wrote to memory of 2640	2180	{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe	35
PID 2180 wrote to memory of 2640	2180	{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe	35
PID 2180 wrote to memory of 2620	2180	{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe	36
PID 2180 wrote to memory of 2620	2180	{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe	36
PID 2180 wrote to memory of 2620	2180	{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe	36
PID 2180 wrote to memory of 2620	2180	{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe	36
PID 2640 wrote to memory of 2508	2640	{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe	37
PID 2640 wrote to memory of 2508	2640	{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe	37
PID 2640 wrote to memory of 2508	2640	{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe	37
PID 2640 wrote to memory of 2508	2640	{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe	37
PID 2640 wrote to memory of 2624	2640	{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe	38
PID 2640 wrote to memory of 2624	2640	{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe	38
PID 2640 wrote to memory of 2624	2640	{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe	38
PID 2640 wrote to memory of 2624	2640	{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe	38
PID 2508 wrote to memory of 2500	2508	{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe	39
PID 2508 wrote to memory of 2500	2508	{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe	39
PID 2508 wrote to memory of 2500	2508	{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe	39
PID 2508 wrote to memory of 2500	2508	{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe	39
PID 2508 wrote to memory of 2560	2508	{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe	40
PID 2508 wrote to memory of 2560	2508	{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe	40
PID 2508 wrote to memory of 2560	2508	{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe	40
PID 2508 wrote to memory of 2560	2508	{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe	40
PID 2500 wrote to memory of 1268	2500	{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe	41
PID 2500 wrote to memory of 1268	2500	{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe	41
PID 2500 wrote to memory of 1268	2500	{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe	41
PID 2500 wrote to memory of 1268	2500	{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe	41
PID 2500 wrote to memory of 1400	2500	{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe	42
PID 2500 wrote to memory of 1400	2500	{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe	42
PID 2500 wrote to memory of 1400	2500	{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe	42
PID 2500 wrote to memory of 1400	2500	{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe	42
PID 1268 wrote to memory of 1264	1268	{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe	43
PID 1268 wrote to memory of 1264	1268	{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe	43
PID 1268 wrote to memory of 1264	1268	{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe	43
PID 1268 wrote to memory of 1264	1268	{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe	43
PID 1268 wrote to memory of 812	1268	{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe	44
PID 1268 wrote to memory of 812	1268	{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe	44
PID 1268 wrote to memory of 812	1268	{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe	44
PID 1268 wrote to memory of 812	1268	{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe	44
PID 1264 wrote to memory of 1964	1264	{8CEC71F7-84A0-4963-A509-056F58C05667}.exe	45
PID 1264 wrote to memory of 1964	1264	{8CEC71F7-84A0-4963-A509-056F58C05667}.exe	45
PID 1264 wrote to memory of 1964	1264	{8CEC71F7-84A0-4963-A509-056F58C05667}.exe	45
PID 1264 wrote to memory of 1964	1264	{8CEC71F7-84A0-4963-A509-056F58C05667}.exe	45
PID 1264 wrote to memory of 2388	1264	{8CEC71F7-84A0-4963-A509-056F58C05667}.exe	46
PID 1264 wrote to memory of 2388	1264	{8CEC71F7-84A0-4963-A509-056F58C05667}.exe	46
PID 1264 wrote to memory of 2388	1264	{8CEC71F7-84A0-4963-A509-056F58C05667}.exe	46
PID 1264 wrote to memory of 2388	1264	{8CEC71F7-84A0-4963-A509-056F58C05667}.exe	46

C:\Users\Admin\AppData\Local\Temp\90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe
"C:\Users\Admin\AppData\Local\Temp\90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe
  C:\Windows\{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe
    C:\Windows\{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe
      C:\Windows\{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe
        
        C:\Windows\{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe
        
        C:\Windows\{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe
        
        C:\Windows\{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\{8CEC71F7-84A0-4963-A509-056F58C05667}.exe
        
        C:\Windows\{8CEC71F7-84A0-4963-A509-056F58C05667}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\{BCDE83B0-1919-4b3c-B479-8DF3AF7C63DB}.exe
        
        C:\Windows\{BCDE83B0-1919-4b3c-B479-8DF3AF7C63DB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\{72DC5B11-6CCA-4ec4-966E-B9E094884D00}.exe
        
        C:\Windows\{72DC5B11-6CCA-4ec4-966E-B9E094884D00}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCDE8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CEC7~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15981~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{028EF~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B2D8~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE791~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3822~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FBAE5~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\90F08E~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{028EF6A2-48C8-447a-8FEE-5BFA3A00ACA1}.exe

Filesize
88KB

MD5
cac308a87d4754496dee1943e7f3a854

SHA1
9553fbd05780e0cecef51d4fb1a01b3b98086d0c

SHA256
d0b4a79fa28e25451749c70b1ec05724b15325481ea1e426035d64bedf538cb0

SHA512
70eada9cff197e5b5d06d24fe776d856ef82d5f4e82780d4db62ccf615b54fc9c1e3d8dfbc2d66d78fbc08d69a67f9aa794316cc429823164990962387d431cd

Download Submit
C:\Windows\{1598142A-7C37-4d0b-ADF8-44DAE5E59DDD}.exe

Filesize
88KB

MD5
d494dc7cdea3c7444067212b950ed06f

SHA1
0b5d0ee4632e18ca52adc5e300116ee413079b01

SHA256
f29ecd01a071efcf8ba601d898f949d8b7025bac8e47a3ac483df9aa78e872e8

SHA512
8ccaacb79690f3effb945c6d58fa5fef7545fe09785a23b2bac0f872c47e19288013e2e287adb5c9db072c303a5e307c282339c684cb66e5b3cab69a3bfe593d

Download Submit
C:\Windows\{3B2D854A-FCB1-4958-9FC2-90BFA85BDF87}.exe

Filesize
88KB

MD5
3e271a1e0210d6372d3f24712f29280c

SHA1
f1e7989f17fdafef70cfdc5548bc5e80714e2575

SHA256
24cf6ae235f66f25ae4dc2db92e0778cb5cdd1fb19828ae712304ec502d493ce

SHA512
1b8bc1700da99877b06e4a7c739604cf8e7950405b7c9baa896270c6bf0ae136311a7e043dfb8b8623dd171996ce6176c1dabaf506f59d1367b570a574b5a44e

Download Submit
C:\Windows\{72DC5B11-6CCA-4ec4-966E-B9E094884D00}.exe

Filesize
88KB

MD5
147895988564534c3d0888f74862d849

SHA1
037253b0b9136e6239284ff6d8bb69327e458c7b

SHA256
637dcecf2f0d654cbd01880441f2c82b74af9abc76910eb6b1c32c02c64d7b3a

SHA512
c4e1bbe2d8e24bec321656a3550e0437adf44d3552d7662ee7fd1196f3a372db6af875bb81ab252853b9f4475af7ad5ef4f5f9a50186f1c64df9485a571eb14d

Download Submit
C:\Windows\{8CEC71F7-84A0-4963-A509-056F58C05667}.exe

Filesize
88KB

MD5
5ef546931ff4356a30ae30919a9a3859

SHA1
4227cc00f51c9892233330bebd9d1778e4ad02f7

SHA256
bcbce813734d3483b024cce72227a77a8083046c7f9a6a196b438375371409ec

SHA512
dca6012ca048cdf7b314d4b33cb5862aff320088842d0f03e5919ca34d7973687e4b25328ea6ac5d5aadc99a34bb6ebdd899cb1aff775db99849815bfa1a8941

Download Submit
C:\Windows\{B38222E8-D5F9-4b23-8C5E-E7190AEB6CC6}.exe

Filesize
88KB

MD5
adecf5c1016cb6e03667c361706ec922

SHA1
35bc4e1b58d7712c1f6789f34d19adbe27b10bec

SHA256
75eaf529c920d228d1ac20bfe8105cb521de6740d4c85977037a7d301822068f

SHA512
032975c4449cb9da0a63d3cfeabe2d7001c1ebd8153bc88e1959046a58b7a447a0766800e90c4edb1a13ff7f7de87f9267eb43ec62fa3d6cd768ce85a26b53fb

Download Submit
C:\Windows\{BCDE83B0-1919-4b3c-B479-8DF3AF7C63DB}.exe

Filesize
88KB

MD5
e40bed4dec967d2f63b416e3dd0efdb9

SHA1
f5c1ef8bd7d7997a71d8c3b13fe2b20dd73b64f8

SHA256
d91354936c8d143f2a36a6230216e32b17bab7abe3d5816e1908f79cfa362d1c

SHA512
2a4a9f1ce65f686e94f4250cee39b383f87c23dd9f1dd8a296b06d2b9c18e53f8c528c42804dbe1ff4d4ff72916bbbe56a3e5adeec59cf0da22536184fdf8a2b

Download Submit
C:\Windows\{EE791610-94E6-4bbf-AD6D-03196CD1A6C8}.exe

Filesize
88KB

MD5
f95266210c27209992e007864099843c

SHA1
d65656476116f5ac6519d46051f0361418c886a2

SHA256
e2f720a78527274dc86bd292fde7410a6e8c7ef980b357c35e6e47f21f8d51d1

SHA512
6368338995535b356d07e1d794f864df8ad0c72c04ae66bbe3e90f5e5196a10b876fa717dece0bb2b5a1a8f47a884a85239c871de1fcc43f4599954f72469d55

Download Submit
C:\Windows\{FBAE5EA3-9610-4f73-BA88-26DA4290F02A}.exe

Filesize
88KB

MD5
257b23093760a823f27edf5d78c0a477

SHA1
67ccfe5275a7d3a6a02941dd2085d7f5e0f3f79e

SHA256
74d152bc1bf920a46f43bc7a74ff1afa51aa2f932a3f9c1412d1e9432eff3c42

SHA512
b6820c0b37d25b8b7b5af3c9b910ea9cf0a57a4155eb201b189896239cec333d550adbce4a009ff766bae555984eb6c6d356cb8dc41251de0f7c98a3cbba70d2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads