a6e58f8fa14634fb98239b9f148443f1ae36ca8a51f38413c5ef770ece281c05

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6e58f8fa14634fb98239b9f148443f1ae36ca8a51f38413c5ef770ece281c05.exe
Size

89KB
MD5

3c7b9fbdcf8376e9d3097a4adf895567
SHA1

877e810fa9757528bad34b1a24362cf6fb84a56c
SHA256

a6e58f8fa14634fb98239b9f148443f1ae36ca8a51f38413c5ef770ece281c05
SHA512

3aeabed99d759ac7982af9240fa4998c58b4d26913a507551cb6f931e4bf10b29e1822ec052c823dc38953d6aba501c37574876f856f76fcb0f709a8650ea029
SSDEEP

768:Qvw9816vhKQLroS4/wQRN/frunMxVFA3b7glF:YEGh0oSlKunMxVS3Hgj

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5746E80-BE5F-49c2-B8DF-1C96D111E747}\stubpath = "C:\\Windows\\{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe"	{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}\stubpath = "C:\\Windows\\{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe"	{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F57A73D6-9D39-4d31-BEAF-4164580E687B}\stubpath = "C:\\Windows\\{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe"	{62088E55-EB68-4dec-A55E-947B87915508}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{186CFA76-691F-447d-B27C-F67F8F7FDF05}\stubpath = "C:\\Windows\\{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe"	{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F57A73D6-9D39-4d31-BEAF-4164580E687B}	{62088E55-EB68-4dec-A55E-947B87915508}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}\stubpath = "C:\\Windows\\{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe"	{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDB87CB9-0D22-48c3-9B72-C47D3FBA41FF}\stubpath = "C:\\Windows\\{DDB87CB9-0D22-48c3-9B72-C47D3FBA41FF}.exe"	{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62088E55-EB68-4dec-A55E-947B87915508}\stubpath = "C:\\Windows\\{62088E55-EB68-4dec-A55E-947B87915508}.exe"	{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}	{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDB87CB9-0D22-48c3-9B72-C47D3FBA41FF}	{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}	a6e58f8fa14634fb98239b9f148443f1ae36ca8a51f38413c5ef770ece281c05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}\stubpath = "C:\\Windows\\{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe"	a6e58f8fa14634fb98239b9f148443f1ae36ca8a51f38413c5ef770ece281c05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5746E80-BE5F-49c2-B8DF-1C96D111E747}	{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}	{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{186CFA76-691F-447d-B27C-F67F8F7FDF05}	{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62088E55-EB68-4dec-A55E-947B87915508}	{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}	{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}\stubpath = "C:\\Windows\\{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe"	{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe

Executes dropped EXE 9 IoCs

pid	Process
2724	{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe
1788	{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe
1480	{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe
2336	{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe
3288	{62088E55-EB68-4dec-A55E-947B87915508}.exe
1216	{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe
428	{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe
3400	{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe
3640	{DDB87CB9-0D22-48c3-9B72-C47D3FBA41FF}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe	{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe
File created	C:\Windows\{62088E55-EB68-4dec-A55E-947B87915508}.exe	{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe
File created	C:\Windows\{DDB87CB9-0D22-48c3-9B72-C47D3FBA41FF}.exe	{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe
File created	C:\Windows\{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe	a6e58f8fa14634fb98239b9f148443f1ae36ca8a51f38413c5ef770ece281c05.exe
File created	C:\Windows\{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe	{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe
File created	C:\Windows\{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe	{62088E55-EB68-4dec-A55E-947B87915508}.exe
File created	C:\Windows\{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe	{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe
File created	C:\Windows\{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe	{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe
File created	C:\Windows\{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe	{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{62088E55-EB68-4dec-A55E-947B87915508}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DDB87CB9-0D22-48c3-9B72-C47D3FBA41FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6e58f8fa14634fb98239b9f148443f1ae36ca8a51f38413c5ef770ece281c05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	312	a6e58f8fa14634fb98239b9f148443f1ae36ca8a51f38413c5ef770ece281c05.exe
Token: SeIncBasePriorityPrivilege	2724	{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe
Token: SeIncBasePriorityPrivilege	1788	{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe
Token: SeIncBasePriorityPrivilege	1480	{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe
Token: SeIncBasePriorityPrivilege	2336	{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe
Token: SeIncBasePriorityPrivilege	3288	{62088E55-EB68-4dec-A55E-947B87915508}.exe
Token: SeIncBasePriorityPrivilege	1216	{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe
Token: SeIncBasePriorityPrivilege	428	{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe
Token: SeIncBasePriorityPrivilege	3400	{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 312 wrote to memory of 2724	312	a6e58f8fa14634fb98239b9f148443f1ae36ca8a51f38413c5ef770ece281c05.exe	96
PID 312 wrote to memory of 2724	312	a6e58f8fa14634fb98239b9f148443f1ae36ca8a51f38413c5ef770ece281c05.exe	96
PID 312 wrote to memory of 2724	312	a6e58f8fa14634fb98239b9f148443f1ae36ca8a51f38413c5ef770ece281c05.exe	96
PID 312 wrote to memory of 944	312	a6e58f8fa14634fb98239b9f148443f1ae36ca8a51f38413c5ef770ece281c05.exe	97
PID 312 wrote to memory of 944	312	a6e58f8fa14634fb98239b9f148443f1ae36ca8a51f38413c5ef770ece281c05.exe	97
PID 312 wrote to memory of 944	312	a6e58f8fa14634fb98239b9f148443f1ae36ca8a51f38413c5ef770ece281c05.exe	97
PID 2724 wrote to memory of 1788	2724	{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe	98
PID 2724 wrote to memory of 1788	2724	{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe	98
PID 2724 wrote to memory of 1788	2724	{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe	98
PID 2724 wrote to memory of 2580	2724	{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe	99
PID 2724 wrote to memory of 2580	2724	{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe	99
PID 2724 wrote to memory of 2580	2724	{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe	99
PID 1788 wrote to memory of 1480	1788	{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe	102
PID 1788 wrote to memory of 1480	1788	{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe	102
PID 1788 wrote to memory of 1480	1788	{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe	102
PID 1788 wrote to memory of 2764	1788	{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe	103
PID 1788 wrote to memory of 2764	1788	{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe	103
PID 1788 wrote to memory of 2764	1788	{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe	103
PID 1480 wrote to memory of 2336	1480	{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe	104
PID 1480 wrote to memory of 2336	1480	{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe	104
PID 1480 wrote to memory of 2336	1480	{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe	104
PID 1480 wrote to memory of 3324	1480	{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe	105
PID 1480 wrote to memory of 3324	1480	{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe	105
PID 1480 wrote to memory of 3324	1480	{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe	105
PID 2336 wrote to memory of 3288	2336	{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe	106
PID 2336 wrote to memory of 3288	2336	{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe	106
PID 2336 wrote to memory of 3288	2336	{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe	106
PID 2336 wrote to memory of 4044	2336	{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe	107
PID 2336 wrote to memory of 4044	2336	{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe	107
PID 2336 wrote to memory of 4044	2336	{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe	107
PID 3288 wrote to memory of 1216	3288	{62088E55-EB68-4dec-A55E-947B87915508}.exe	108
PID 3288 wrote to memory of 1216	3288	{62088E55-EB68-4dec-A55E-947B87915508}.exe	108
PID 3288 wrote to memory of 1216	3288	{62088E55-EB68-4dec-A55E-947B87915508}.exe	108
PID 3288 wrote to memory of 3540	3288	{62088E55-EB68-4dec-A55E-947B87915508}.exe	109
PID 3288 wrote to memory of 3540	3288	{62088E55-EB68-4dec-A55E-947B87915508}.exe	109
PID 3288 wrote to memory of 3540	3288	{62088E55-EB68-4dec-A55E-947B87915508}.exe	109
PID 1216 wrote to memory of 428	1216	{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe	110
PID 1216 wrote to memory of 428	1216	{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe	110
PID 1216 wrote to memory of 428	1216	{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe	110
PID 1216 wrote to memory of 4524	1216	{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe	111
PID 1216 wrote to memory of 4524	1216	{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe	111
PID 1216 wrote to memory of 4524	1216	{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe	111
PID 428 wrote to memory of 3400	428	{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe	112
PID 428 wrote to memory of 3400	428	{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe	112
PID 428 wrote to memory of 3400	428	{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe	112
PID 428 wrote to memory of 5024	428	{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe	113
PID 428 wrote to memory of 5024	428	{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe	113
PID 428 wrote to memory of 5024	428	{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe	113
PID 3400 wrote to memory of 3640	3400	{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe	114
PID 3400 wrote to memory of 3640	3400	{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe	114
PID 3400 wrote to memory of 3640	3400	{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe	114
PID 3400 wrote to memory of 4420	3400	{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe	115
PID 3400 wrote to memory of 4420	3400	{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe	115
PID 3400 wrote to memory of 4420	3400	{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe	115

C:\Users\Admin\AppData\Local\Temp\a6e58f8fa14634fb98239b9f148443f1ae36ca8a51f38413c5ef770ece281c05.exe
"C:\Users\Admin\AppData\Local\Temp\a6e58f8fa14634fb98239b9f148443f1ae36ca8a51f38413c5ef770ece281c05.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:312
- C:\Windows\{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe
  C:\Windows\{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe
    C:\Windows\{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe
      C:\Windows\{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Windows\{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe
        
        C:\Windows\{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Windows\{62088E55-EB68-4dec-A55E-947B87915508}.exe
        
        C:\Windows\{62088E55-EB68-4dec-A55E-947B87915508}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe
        
        C:\Windows\{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe
        
        C:\Windows\{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe
        
        C:\Windows\{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\{DDB87CB9-0D22-48c3-9B72-C47D3FBA41FF}.exe
        
        C:\Windows\{DDB87CB9-0D22-48c3-9B72-C47D3FBA41FF}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABD3C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BD54~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F57A7~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62088~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7BAF~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{186CF~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E5746~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8308D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A6E58F~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{186CFA76-691F-447d-B27C-F67F8F7FDF05}.exe

Filesize
89KB

MD5
14a79b89e997f9c2ef272b94fd8abe1d

SHA1
3dea46f1b00c3dc87a988944977b67503ce658c2

SHA256
be8b4c4da24e1937596e87c3f99af6ad07ee58fb8b3033ddcbedc92a422f9fcb

SHA512
a30b2217a10653e905316647a12799bcaa9147932d2066e06bc1db4654b62436ba26db9fc8cd01ddace00b6feed710baf34bb2edde54416312537bef269bf530

Download Submit
C:\Windows\{62088E55-EB68-4dec-A55E-947B87915508}.exe

Filesize
89KB

MD5
9873f32de51daf8ac4c6cfdf6b88b8c7

SHA1
dbb6d7b26af6f7702b43f15424576ae295dba4f1

SHA256
bce1de5cde4203d08808c58bd9b1a71479b8a05a7770a9ff5b99d7ac28a39f98

SHA512
92307e6533d1a552c2bab5c42e7fdaf5019b7aef81f727d280db70e8799e19616f542994c789759e0e2aced49eb0c5419612b4e4df4d04efd293045ef9c8e784

Download Submit
C:\Windows\{8308DAC1-7AC7-4cb2-8121-4DEBCEDEA61F}.exe

Filesize
89KB

MD5
8aa8b46521a9a8c7c7d548d1d891d9d5

SHA1
5fe29eb2f52146222dee7daa15f516ab0a777ca7

SHA256
5c2d4fae99ef432923af86a5c4ca4942f7afb32fe5f687d97a68cbcc9ca637e1

SHA512
6ed15ffaa2e540e45e56389465bb2d5b0f19ca508bdde2b5341fbdfc35d052cad9b5abd45468e2c4e398ea2eba30008dee458c718c6d21eb503ee103fa59b180

Download Submit
C:\Windows\{9BD54839-DBEA-403f-86DC-F5BEDE9825DE}.exe

Filesize
89KB

MD5
e836daa37835df9bade636066cc21484

SHA1
63319c77f0af5f56286d9a464f9e62f70d3227d4

SHA256
8d57f8ce6aafe376faf7b6febe1f7f17a811d1a7366049451d61a44829f4c754

SHA512
6e521e032ab3e7ca03fee0800449021dfae396b2ace115d4656986d4f8786313ed1ea671dc9a0e1d300fe916c95f479e1e772c7123fbde6acaa9ae47a486ef32

Download Submit
C:\Windows\{ABD3CB3D-40F6-463a-86BB-00B6BF656AA8}.exe

Filesize
89KB

MD5
a79596090f8a6c9723e9ba0170b30bb7

SHA1
d5fbfeef585eaf3c3694b7938fb6e912af58c26b

SHA256
670dd9948e56c259b20c42133d09416f63a34adb61a0d21b2214922e7856e5b2

SHA512
8af24802b3f612b6f08fb1b4cc527b84f92472ac3ab7ba086b9c93d6183d49fabbe7656ca15de00b3f27004910e7f916d904f4bc3f1e47760f5984e3ff8fb2ac

Download Submit
C:\Windows\{C7BAFF09-BF1B-470e-9000-7852FF77E3D5}.exe

Filesize
89KB

MD5
65917fe7ce4b9c50828d2e8413dbef36

SHA1
4c6d8b3de7fa76174f9976783daf1bb6531ff51c

SHA256
fc91a24f5fdfe8bd30e3352b3c87ab7ad81c506b68f40f5666037b6b3d7834a1

SHA512
4f4ede26857a19e0e156386ef0147931ee636e175744337255894928dafa16b5c84d567b58b600fd9e1b999191540fe37da93b36ff00ee23e9d8545fc831ce06

Download Submit
C:\Windows\{DDB87CB9-0D22-48c3-9B72-C47D3FBA41FF}.exe

Filesize
89KB

MD5
3bc2eeb63eb2623d463bddf707121691

SHA1
8befc5fb6eeba6ec7f72f440b980c7b6897d4967

SHA256
2817ac8a2fbb27dd3754f99d4b4de7f8bfc0dded6f3a05a96bc56841d1119305

SHA512
ca7ff6c80c8761833573ce4a1fb33b71f8e689f6a6680c077fbf7c7fb929b9bb7fae94a620addb9ea8c0456363e1f0520612c4a110b062aa5d69b3de28d63178

Download Submit
C:\Windows\{E5746E80-BE5F-49c2-B8DF-1C96D111E747}.exe

Filesize
89KB

MD5
63b892e14d26806fccf4eb90e3e2b1a6

SHA1
d8db78c06272956216cc4e5d58cc3f87703507e3

SHA256
107d213857a11e8e41c93877d83243a29dd4368b8fb5572631e735a3f04b6ae6

SHA512
3e77e5e3a42cec470b0c1a7331dceb0ed8845ee8aa420a40cfd95f23d2ecbdb1edc83bd340b1aa913bc8da09fe1a06ad15f7b4c32884568d42332f0398ff57d2

Download Submit
C:\Windows\{F57A73D6-9D39-4d31-BEAF-4164580E687B}.exe

Filesize
89KB

MD5
9054fe50038c5181224dc4a21d555eff

SHA1
aa6dffc2d96f7613579a7345b1bfee69b8483f35

SHA256
c12ab2eb842dd70bcb3e4c4a354cffc8917eed94ad7deca58cff8236ee264468

SHA512
5854706a2e581004a3cbe469180e0f91cee87394cd0884ca021595a21ba34927c24b2993457ae000faad8f4e4ba41560b06ebf0d232f3b83a76e6ff0f819205f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads