60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d

Analysis

max time kernel
118s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe
Size

91KB
MD5

7269ab455c7b9a4a1057231f3d52de29
SHA1

99d3e9df99c784b1586b47d7cf9a25f3e29406ce
SHA256

60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d
SHA512

3304807af44bd1583e16fb4169620edd068ef0f054a90a902b2c6f37fddc53ba17dfbe56c46f153a2be8530127980bcc9f669998fdc89bc5387a0c70a2762282
SSDEEP

768:5vw9816uhKiroU4/wQNNrfrunMxVFA3b7H:lEGkmoUlCunMxVS3HH

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE9223DE-98DE-450d-9D0A-EEFEF7105430}	{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D7C12CD-5382-478a-B976-944E0F35E57F}	{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D7C12CD-5382-478a-B976-944E0F35E57F}\stubpath = "C:\\Windows\\{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe"	{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}\stubpath = "C:\\Windows\\{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe"	{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}\stubpath = "C:\\Windows\\{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe"	{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}\stubpath = "C:\\Windows\\{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe"	60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76F6700A-4DF1-45cc-A7E0-24A596245E27}	{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}	{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE9223DE-98DE-450d-9D0A-EEFEF7105430}\stubpath = "C:\\Windows\\{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe"	{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}	{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}\stubpath = "C:\\Windows\\{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe"	{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B865C53-2D88-4f04-8677-53D4BF4E33C7}\stubpath = "C:\\Windows\\{1B865C53-2D88-4f04-8677-53D4BF4E33C7}.exe"	{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}	60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76F6700A-4DF1-45cc-A7E0-24A596245E27}\stubpath = "C:\\Windows\\{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe"	{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}	{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}\stubpath = "C:\\Windows\\{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe"	{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}	{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B865C53-2D88-4f04-8677-53D4BF4E33C7}	{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe

Executes dropped EXE 9 IoCs

pid	Process
4356	{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe
4668	{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe
620	{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe
888	{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe
4176	{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe
4380	{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe
1816	{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe
4748	{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe
636	{1B865C53-2D88-4f04-8677-53D4BF4E33C7}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe	60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe
File created	C:\Windows\{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe	{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe
File created	C:\Windows\{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe	{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe
File created	C:\Windows\{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe	{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe
File created	C:\Windows\{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe	{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe
File created	C:\Windows\{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe	{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe
File created	C:\Windows\{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe	{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe
File created	C:\Windows\{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe	{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe
File created	C:\Windows\{1B865C53-2D88-4f04-8677-53D4BF4E33C7}.exe	{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1B865C53-2D88-4f04-8677-53D4BF4E33C7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3268	60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe
Token: SeIncBasePriorityPrivilege	4356	{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe
Token: SeIncBasePriorityPrivilege	4668	{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe
Token: SeIncBasePriorityPrivilege	620	{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe
Token: SeIncBasePriorityPrivilege	888	{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe
Token: SeIncBasePriorityPrivilege	4176	{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe
Token: SeIncBasePriorityPrivilege	4380	{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe
Token: SeIncBasePriorityPrivilege	1816	{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe
Token: SeIncBasePriorityPrivilege	4748	{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 4356	3268	60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe	94
PID 3268 wrote to memory of 4356	3268	60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe	94
PID 3268 wrote to memory of 4356	3268	60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe	94
PID 3268 wrote to memory of 1836	3268	60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe	95
PID 3268 wrote to memory of 1836	3268	60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe	95
PID 3268 wrote to memory of 1836	3268	60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe	95
PID 4356 wrote to memory of 4668	4356	{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe	96
PID 4356 wrote to memory of 4668	4356	{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe	96
PID 4356 wrote to memory of 4668	4356	{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe	96
PID 4356 wrote to memory of 232	4356	{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe	97
PID 4356 wrote to memory of 232	4356	{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe	97
PID 4356 wrote to memory of 232	4356	{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe	97
PID 4668 wrote to memory of 620	4668	{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe	100
PID 4668 wrote to memory of 620	4668	{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe	100
PID 4668 wrote to memory of 620	4668	{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe	100
PID 4668 wrote to memory of 368	4668	{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe	101
PID 4668 wrote to memory of 368	4668	{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe	101
PID 4668 wrote to memory of 368	4668	{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe	101
PID 620 wrote to memory of 888	620	{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe	102
PID 620 wrote to memory of 888	620	{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe	102
PID 620 wrote to memory of 888	620	{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe	102
PID 620 wrote to memory of 4244	620	{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe	103
PID 620 wrote to memory of 4244	620	{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe	103
PID 620 wrote to memory of 4244	620	{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe	103
PID 888 wrote to memory of 4176	888	{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe	104
PID 888 wrote to memory of 4176	888	{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe	104
PID 888 wrote to memory of 4176	888	{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe	104
PID 888 wrote to memory of 4340	888	{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe	105
PID 888 wrote to memory of 4340	888	{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe	105
PID 888 wrote to memory of 4340	888	{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe	105
PID 4176 wrote to memory of 4380	4176	{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe	106
PID 4176 wrote to memory of 4380	4176	{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe	106
PID 4176 wrote to memory of 4380	4176	{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe	106
PID 4176 wrote to memory of 1244	4176	{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe	107
PID 4176 wrote to memory of 1244	4176	{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe	107
PID 4176 wrote to memory of 1244	4176	{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe	107
PID 4380 wrote to memory of 1816	4380	{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe	108
PID 4380 wrote to memory of 1816	4380	{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe	108
PID 4380 wrote to memory of 1816	4380	{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe	108
PID 4380 wrote to memory of 4240	4380	{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe	109
PID 4380 wrote to memory of 4240	4380	{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe	109
PID 4380 wrote to memory of 4240	4380	{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe	109
PID 1816 wrote to memory of 4748	1816	{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe	110
PID 1816 wrote to memory of 4748	1816	{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe	110
PID 1816 wrote to memory of 4748	1816	{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe	110
PID 1816 wrote to memory of 3228	1816	{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe	111
PID 1816 wrote to memory of 3228	1816	{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe	111
PID 1816 wrote to memory of 3228	1816	{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe	111
PID 4748 wrote to memory of 636	4748	{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe	112
PID 4748 wrote to memory of 636	4748	{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe	112
PID 4748 wrote to memory of 636	4748	{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe	112
PID 4748 wrote to memory of 4496	4748	{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe	113
PID 4748 wrote to memory of 4496	4748	{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe	113
PID 4748 wrote to memory of 4496	4748	{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe	113

C:\Users\Admin\AppData\Local\Temp\60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe
"C:\Users\Admin\AppData\Local\Temp\60c2ddfb5e767336c30c27e9ecbfa747c13616ca5df5b92861ea6f088eea7e8d.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe
  C:\Windows\{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe
    C:\Windows\{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Windows\{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe
      C:\Windows\{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:620
    - - C:\Windows\{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe
        
        C:\Windows\{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:888
      - C:\Windows\{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe
        
        C:\Windows\{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe
        
        C:\Windows\{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe
        
        C:\Windows\{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe
        
        C:\Windows\{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\{1B865C53-2D88-4f04-8677-53D4BF4E33C7}.exe
        
        C:\Windows\{1B865C53-2D88-4f04-8677-53D4BF4E33C7}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D3EB~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A798E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D59C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16B15~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D7C1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE922~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{76F67~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EE466~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\60C2DD~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16B15BCE-BDD1-4657-A46E-8D0F765F31FE}.exe

Filesize
91KB

MD5
42bc2586fb8b9e5f75b5be4cf2a9b119

SHA1
42a7d3bb5abff59e9785dc57d9abe895bc712741

SHA256
497415a2d7d48350b4a948525264e9241b8c11752b217b34388f5f9bbf02d579

SHA512
d26ce32615e6988decdf785dc05ee5017f438d4da143367abb392dd0bbb90218da3755bc8b70696c094520d20d3559d2840a3e7b35ad9af17b5686cb005a7ab1

Download Submit
C:\Windows\{1B865C53-2D88-4f04-8677-53D4BF4E33C7}.exe

Filesize
91KB

MD5
659781b834392bacecbc91b78c07d63e

SHA1
e5112042a7556f65d39166d4cc1c8cbd3d5f1088

SHA256
2822ef78605fb59530d9ec24e993e08f127a70ccbbdcfc74e91280601fb80aff

SHA512
d1540a52621dada4dab529c5eb13c11c062aa9007d3f14fc2b32822e1c3b4be4e5b4dad42c788c4a1e1752a608b29ca31981f280af5194df6fa6e80a0c07e309

Download Submit
C:\Windows\{3D59C049-BCA6-4c3b-BB97-04B8B85506A2}.exe

Filesize
91KB

MD5
cd4f84c351713b9ea8b32d0ec62dfc82

SHA1
8ee7f25287dcb5d0390ca86169d2913a61c752de

SHA256
a7b82fcdec73b4b80d884288e5c37230ff2519fa2f74cb81f5961e2da1dc4f48

SHA512
429fd9f0e8ef4e369fedd9e3e51aec7b3fff50f7b8585823ca7bb29626fd90e0436a4a8c4145fa2ba0f368f4b79b5c7d0bcb0fce9443a00319e7dc331ff3c87c

Download Submit
C:\Windows\{76F6700A-4DF1-45cc-A7E0-24A596245E27}.exe

Filesize
91KB

MD5
7ae50dfac0fc1d64349a051c6cd67577

SHA1
ab786b2cd7cbf9e54f35f15f434554a62b5fc8cb

SHA256
0df1d8a346ad5093574d78ae8095e21a5a5ba9592b6260ded8788448db47d1c8

SHA512
3d4610ef99ecf72f8e229d63fb8aec28f5c4df0a2333ff4377109e28dc7ffecdd2c8903df868ee1c17026cba7bbe76004da62e7469dac9ab6f74e7927d7c97e4

Download Submit
C:\Windows\{8D3EBF13-5E9B-4799-8896-B9AA1A1A1C53}.exe

Filesize
91KB

MD5
51f663c4c65e0085e2a50766027e9f13

SHA1
73cde32f9f9a9b4fe0677ba6994d4825f7d00a48

SHA256
e352e2d844074e1491564a67455ee576e3ea688b7a9ffaed9303db811089b457

SHA512
bd849e32ad809c9b6c0e019986d665e5cc9e700bab16706db20ebe95e1273b34998f5baebb9f2281452b1f94a7e3c84f4266f50f5f1af3261ae9b41664e25da0

Download Submit
C:\Windows\{8D7C12CD-5382-478a-B976-944E0F35E57F}.exe

Filesize
91KB

MD5
3b8b02d496c48b43d6f0a556371bf033

SHA1
d794f73b2b1efaee98d9f9ab3681d4542d6cd93c

SHA256
2239a4bbd79fb1ab226a3e0b495eb45876d058ebd6f855c2eb0479ec7e6497ea

SHA512
b9ba2900448568a0f38ca81392900a55fc8ef729a83381565e1ee9f629a6624cc8eb6873fde62f903c6ce837b1b11c47b96a0c65a3a267c5dbab0aaea6dd9dbb

Download Submit
C:\Windows\{A798E06B-A98A-4bd5-B419-A0A050FB6B3C}.exe

Filesize
91KB

MD5
103c18eb832d8ebb82aaabb36c2cbdbc

SHA1
7b75af01d8e63194ac30bf33f5773c8426b759ad

SHA256
960e43c4d539a9a72bf20ea04f5b60871d3b4209b83ffb64bd698f7fbbf93886

SHA512
ae7ed7aafc4b9309df180e9972ff9e4ac48359ff9c2912e8aa47fd2ead7b2190a1d1251f8c6a2f6bd5bf9f71c872039ec61ff1137bf26a587805ef5cdb138ec7

Download Submit
C:\Windows\{DE9223DE-98DE-450d-9D0A-EEFEF7105430}.exe

Filesize
91KB

MD5
117f2fb9f63d21af865f44b4410f1033

SHA1
c553c6eb9efa1ba99a72e6ac9af56e2ac2f1dcd6

SHA256
6ffd54e9795a29f4fc81b5bd896a69ae990257e87e28cbc46949fae5d9070727

SHA512
1bd4eb04aafbd9dbb94506306717a4f25dbe67ae4a04f384ac3502f79f527436d1181771bd91b174067d3cb1f11af6fda727bed1c595e523154e7a3f0fb8ce07

Download Submit
C:\Windows\{EE4669CB-C0B1-4fca-BD5B-97E81506BBF8}.exe

Filesize
91KB

MD5
67538a414561f564203d7281d08ddbaf

SHA1
89698f770d17cffa4c6fa02bf5dd7517d5a51aee

SHA256
7dcfbbee0f2961176d5323fd67a58767576050478fe1154af3721a233aa944cf

SHA512
57ec1f295500a9855c36dbb64482b3b8cf3b837ab3a47abca52a0c2fa3674b856b5fd7b0f146143af687293b6919dc4b6ae2095334baa725b4734f8782b846f1

Download Submit
memory/620-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/620-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/636-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/888-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/888-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1816-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1816-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3268-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3268-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3268-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4176-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4176-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4356-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4356-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4356-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4380-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4380-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4668-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4668-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4748-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4748-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads