fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911

Analysis

max time kernel
118s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe
Size

90KB
MD5

b9c41252b67d5c85b082242630a38f33
SHA1

51f1abcbe2c613908129442e984b6e63a445b4be
SHA256

fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911
SHA512

5ae618c668dd55f207fd399d1f721ff585de039038be127b20b9920853738f2fc633808ae57f28a2022e8dd3ff307118f57edab9d4cd84aeeb3cf5b053be85a4
SSDEEP

768:Qvw9816vhKQLroi4/wQRNrfrunMxVFA3b7glw5:YEGh0oil2unMxVS3Hgk

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}\stubpath = "C:\\Windows\\{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe"	{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{012D5773-5B29-4f32-A357-409F6B5F0BE4}	{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{012D5773-5B29-4f32-A357-409F6B5F0BE4}\stubpath = "C:\\Windows\\{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe"	{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28E0CC03-45FD-4fc5-BCE1-E19A1BFDB685}	{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84B7335C-1009-4208-962D-B58B9E5EC50F}\stubpath = "C:\\Windows\\{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe"	{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF98F3BF-5292-4e96-8F04-190F1172E8F1}\stubpath = "C:\\Windows\\{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe"	{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}\stubpath = "C:\\Windows\\{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe"	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}	{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}	{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}\stubpath = "C:\\Windows\\{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe"	{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}	{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}\stubpath = "C:\\Windows\\{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe"	{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0610F85C-8DFB-407d-92DD-F4A546B187EA}	{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0610F85C-8DFB-407d-92DD-F4A546B187EA}\stubpath = "C:\\Windows\\{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe"	{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84B7335C-1009-4208-962D-B58B9E5EC50F}	{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF98F3BF-5292-4e96-8F04-190F1172E8F1}	{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28E0CC03-45FD-4fc5-BCE1-E19A1BFDB685}\stubpath = "C:\\Windows\\{28E0CC03-45FD-4fc5-BCE1-E19A1BFDB685}.exe"	{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe

Executes dropped EXE 9 IoCs

pid	Process
2196	{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe
2740	{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe
4048	{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe
1912	{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe
2860	{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe
4324	{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe
3508	{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe
3652	{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe
3968	{28E0CC03-45FD-4fc5-BCE1-E19A1BFDB685}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe	{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe
File created	C:\Windows\{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe	{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe
File created	C:\Windows\{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe
File created	C:\Windows\{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe	{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe
File created	C:\Windows\{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe	{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe
File created	C:\Windows\{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe	{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe
File created	C:\Windows\{28E0CC03-45FD-4fc5-BCE1-E19A1BFDB685}.exe	{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe
File created	C:\Windows\{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe	{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe
File created	C:\Windows\{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe	{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{28E0CC03-45FD-4fc5-BCE1-E19A1BFDB685}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	820	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe
Token: SeIncBasePriorityPrivilege	2196	{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe
Token: SeIncBasePriorityPrivilege	2740	{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe
Token: SeIncBasePriorityPrivilege	4048	{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe
Token: SeIncBasePriorityPrivilege	1912	{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe
Token: SeIncBasePriorityPrivilege	2860	{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe
Token: SeIncBasePriorityPrivilege	4324	{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe
Token: SeIncBasePriorityPrivilege	3508	{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe
Token: SeIncBasePriorityPrivilege	3652	{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 2196	820	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe	94
PID 820 wrote to memory of 2196	820	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe	94
PID 820 wrote to memory of 2196	820	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe	94
PID 820 wrote to memory of 472	820	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe	95
PID 820 wrote to memory of 472	820	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe	95
PID 820 wrote to memory of 472	820	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe	95
PID 2196 wrote to memory of 2740	2196	{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe	96
PID 2196 wrote to memory of 2740	2196	{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe	96
PID 2196 wrote to memory of 2740	2196	{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe	96
PID 2196 wrote to memory of 460	2196	{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe	97
PID 2196 wrote to memory of 460	2196	{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe	97
PID 2196 wrote to memory of 460	2196	{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe	97
PID 2740 wrote to memory of 4048	2740	{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe	100
PID 2740 wrote to memory of 4048	2740	{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe	100
PID 2740 wrote to memory of 4048	2740	{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe	100
PID 2740 wrote to memory of 1460	2740	{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe	101
PID 2740 wrote to memory of 1460	2740	{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe	101
PID 2740 wrote to memory of 1460	2740	{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe	101
PID 4048 wrote to memory of 1912	4048	{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe	102
PID 4048 wrote to memory of 1912	4048	{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe	102
PID 4048 wrote to memory of 1912	4048	{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe	102
PID 4048 wrote to memory of 1876	4048	{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe	103
PID 4048 wrote to memory of 1876	4048	{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe	103
PID 4048 wrote to memory of 1876	4048	{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe	103
PID 1912 wrote to memory of 2860	1912	{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe	104
PID 1912 wrote to memory of 2860	1912	{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe	104
PID 1912 wrote to memory of 2860	1912	{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe	104
PID 1912 wrote to memory of 4496	1912	{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe	105
PID 1912 wrote to memory of 4496	1912	{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe	105
PID 1912 wrote to memory of 4496	1912	{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe	105
PID 2860 wrote to memory of 4324	2860	{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe	106
PID 2860 wrote to memory of 4324	2860	{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe	106
PID 2860 wrote to memory of 4324	2860	{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe	106
PID 2860 wrote to memory of 1960	2860	{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe	107
PID 2860 wrote to memory of 1960	2860	{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe	107
PID 2860 wrote to memory of 1960	2860	{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe	107
PID 4324 wrote to memory of 3508	4324	{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe	108
PID 4324 wrote to memory of 3508	4324	{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe	108
PID 4324 wrote to memory of 3508	4324	{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe	108
PID 4324 wrote to memory of 3988	4324	{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe	109
PID 4324 wrote to memory of 3988	4324	{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe	109
PID 4324 wrote to memory of 3988	4324	{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe	109
PID 3508 wrote to memory of 3652	3508	{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe	110
PID 3508 wrote to memory of 3652	3508	{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe	110
PID 3508 wrote to memory of 3652	3508	{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe	110
PID 3508 wrote to memory of 3156	3508	{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe	111
PID 3508 wrote to memory of 3156	3508	{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe	111
PID 3508 wrote to memory of 3156	3508	{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe	111
PID 3652 wrote to memory of 3968	3652	{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe	112
PID 3652 wrote to memory of 3968	3652	{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe	112
PID 3652 wrote to memory of 3968	3652	{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe	112
PID 3652 wrote to memory of 4840	3652	{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe	113
PID 3652 wrote to memory of 4840	3652	{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe	113
PID 3652 wrote to memory of 4840	3652	{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe	113

C:\Users\Admin\AppData\Local\Temp\fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe
"C:\Users\Admin\AppData\Local\Temp\fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820
- C:\Windows\{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe
  C:\Windows\{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe
    C:\Windows\{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe
      C:\Windows\{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4048
    - - C:\Windows\{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe
        
        C:\Windows\{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Windows\{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe
        
        C:\Windows\{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe
        
        C:\Windows\{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe
        
        C:\Windows\{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe
        
        C:\Windows\{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\{28E0CC03-45FD-4fc5-BCE1-E19A1BFDB685}.exe
        
        C:\Windows\{28E0CC03-45FD-4fc5-BCE1-E19A1BFDB685}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF98F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE6FE~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{012D5~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B317D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84B73~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AE4D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0610F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E5A0B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FA9F67~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{012D5773-5B29-4f32-A357-409F6B5F0BE4}.exe

Filesize
90KB

MD5
ed6a0f12bc3eef1df6ac0b6fd09329fe

SHA1
28bd773d1e3c860e6a146f6a3c8250a8efb2e911

SHA256
3b6217f923b0e590ecf3a59cd4fa9295556183a29c79d985429cb4d3416b213b

SHA512
556f8f02caab21bf8893ddb5d2a4eb073883441282dc0748c77bfa4563ce19ddc732ee4af60f0d2a923f182b8e21b469d236bae670b0df897c06f0eca3cd1453

Download Submit
C:\Windows\{0610F85C-8DFB-407d-92DD-F4A546B187EA}.exe

Filesize
90KB

MD5
6ef4e2329bbeda2eb5618a54f77abfa6

SHA1
d9382748249cf933e7cf1e3022f766ecc6ab88a2

SHA256
ce6839234eb61c295ef605597a46f34dd58cb0e76a97e8c73059625348f524b7

SHA512
03b3a8fb5956a85a89cc334d36724dcd9876620250f3a36fa1044d5eda25fd2ed58aaa9e5157704245931ce72fa1e4036b4417b9da35f05da2014ec9cc644b23

Download Submit
C:\Windows\{28E0CC03-45FD-4fc5-BCE1-E19A1BFDB685}.exe

Filesize
90KB

MD5
268ac8a6243ec86874c88fb08ea941a0

SHA1
1a056856c639dea0e0854f5a2c056224f285b694

SHA256
d40d38f067bb5d9898d0ead73dd48503baebcc8f38f66136142f7ec4464e4935

SHA512
20e2c35e7c1665a0b49241b99d38c8fcb47608ba63929cc95b783c4b35ce036b71b090625dc723eea76f34df39e54f0897b6b1d163ffa6a32e6704c40f6bebff

Download Submit
C:\Windows\{5AE4D723-FA3D-465d-BAC8-4BE17C7953E1}.exe

Filesize
90KB

MD5
e1733296141d6d953e3a9d027bd65f98

SHA1
c1f91ed8d46fcb326371f044ff55d2c66880bac1

SHA256
4418481a7dcba50de64a83d294df3c8001661b38430416e82acd2a5f5e917b3c

SHA512
f12917b2eeaa3baed14ee258ed52e242f3dc83395b7e6e7318fea8475f43cef1eb523e1b616b66de01c94e38e97bc08619b3e44177ea053166aea406dd48c0cc

Download Submit
C:\Windows\{84B7335C-1009-4208-962D-B58B9E5EC50F}.exe

Filesize
90KB

MD5
75ebfc59b94e57387cd7345aed86516c

SHA1
fbc2d2e011f712701ad3985e52d5fd49457d6ea6

SHA256
93a9637b6ab9dfe890dde97e6aa3845f8593a6ce819393a210fe23efad68f4ed

SHA512
670fecc563ba1104b8506c4f9bfd7f27549d8ba338255c35ea6c8f2e13775af37558cf549354bdcd519524d50de1d51b4d3be15f2da2cb2fd63b97bc8e340cb7

Download Submit
C:\Windows\{B317D8C5-CEA0-42a7-A816-2C9A2EAA8836}.exe

Filesize
90KB

MD5
03d30601a2d692de95f9112e4ca62592

SHA1
37de66859302ad54cebc4b7e5735aeb907a9c4a5

SHA256
b7dc12197dd7b70660740206fc636c2b6e926e9e8113b2528477725f284e92ea

SHA512
df1c84c73ad41651dc4254be98b84887070ab8825d740d2e68377effb97ec41e187d19c5e34827086cd3bddb22af4d57571060522f39c22d7e79c8544e36c4ae

Download Submit
C:\Windows\{BE6FE22F-86BA-4b1c-9D8C-C62D6681ACCA}.exe

Filesize
90KB

MD5
ebc3cf2810b9a80c721de340d32013f7

SHA1
46ed83c0782218f64ebd3ae1faff53d458116cb2

SHA256
e22060b15a710b3860eb980c940a91f2ff1b796534b5389ded2b944519bdf5bf

SHA512
037c789315e64f4dec57a0f5c05375c503d2adf7d93d0b744aeeebfa97d14da2ca13447b42775586055270114214d104fb0a35709a61aed1b549308628c35c58

Download Submit
C:\Windows\{DF98F3BF-5292-4e96-8F04-190F1172E8F1}.exe

Filesize
90KB

MD5
82be889c07028318e006892317e5aa38

SHA1
2b339c14d03823a66d7e908cf35d03da966daa52

SHA256
9649a41a524549645c85abb12c7e9034c11d35d1e341b4c37a85367ea9a2600e

SHA512
ddaace84237d581c58d6491a46f3b2b050be3645b99a544cbf5cdcb68e066487240a2dbb21188391d884264fe7aa1944a3f8b2f08ee1539e79b260363bedca87

Download Submit
C:\Windows\{E5A0B5B6-B91A-43a0-9334-623CEAD553EE}.exe

Filesize
90KB

MD5
c10fc0eed963b4ddaaeab1d78dd65d62

SHA1
8d739251ae1f5842d4129c7a27eaa67886c4987b

SHA256
c97278d3065676d5897ee695f38baf10d7f1aa6a9f744d4c3419e199bcebc343

SHA512
665c66771c715d68bc353127cb79779a31c0d291338eb16edbe769758da281381a5dfec6409d6fdd76d7b6d19885f37c02216a8d630826933dbfe61e97cee8d3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads