5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5be

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe
Size

87KB
MD5

5c7b983e7118d8b304acb37b199281c0
SHA1

f6217fca224dcf85dd5f1e5c18dfe3f637493320
SHA256

5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5be
SHA512

86e76bb5b1ccc5b78b14ac33bec55aa474b3ebe3363d6699ca7327675aed35eef88cd0422e9ba37a7d8d433ec9bd98407a63758c7e2a4e0a3aeeced40c95ff70
SSDEEP

384:5bLwOs8AHsc4sM6whKiro04/CFsrdk5I1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUOP:5vw9816uhKiro04/wQNNrfrunMxVF7

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}	{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1F237E8-1AF4-442d-8B51-9333B96F3B55}\stubpath = "C:\\Windows\\{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe"	{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}\stubpath = "C:\\Windows\\{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe"	{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA076225-FFF3-4f0f-9B01-8946A63F6F72}\stubpath = "C:\\Windows\\{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe"	{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1F237E8-1AF4-442d-8B51-9333B96F3B55}	{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AFE1D9E-E67F-4278-A125-CCE13CDEA1AD}	{CD27E319-E25B-4b98-86DA-8806842098C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}	{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}\stubpath = "C:\\Windows\\{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe"	{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55A36F87-230A-4c6b-B505-19D4FA3C5A22}\stubpath = "C:\\Windows\\{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe"	{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{846B8FE6-0F56-403d-9A6E-175D3A4965EC}	{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA076225-FFF3-4f0f-9B01-8946A63F6F72}	{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}\stubpath = "C:\\Windows\\{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe"	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55A36F87-230A-4c6b-B505-19D4FA3C5A22}	{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{846B8FE6-0F56-403d-9A6E-175D3A4965EC}\stubpath = "C:\\Windows\\{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe"	{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD27E319-E25B-4b98-86DA-8806842098C3}	{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD27E319-E25B-4b98-86DA-8806842098C3}\stubpath = "C:\\Windows\\{CD27E319-E25B-4b98-86DA-8806842098C3}.exe"	{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AFE1D9E-E67F-4278-A125-CCE13CDEA1AD}\stubpath = "C:\\Windows\\{1AFE1D9E-E67F-4278-A125-CCE13CDEA1AD}.exe"	{CD27E319-E25B-4b98-86DA-8806842098C3}.exe

Deletes itself 1 IoCs

pid	Process
2936	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2288	{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe
2912	{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe
2968	{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe
2648	{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe
1252	{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe
1476	{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe
2128	{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe
2112	{CD27E319-E25B-4b98-86DA-8806842098C3}.exe
2148	{1AFE1D9E-E67F-4278-A125-CCE13CDEA1AD}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{CD27E319-E25B-4b98-86DA-8806842098C3}.exe	{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe
File created	C:\Windows\{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe
File created	C:\Windows\{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe	{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe
File created	C:\Windows\{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe	{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe
File created	C:\Windows\{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe	{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe
File created	C:\Windows\{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe	{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe
File created	C:\Windows\{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe	{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe
File created	C:\Windows\{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe	{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe
File created	C:\Windows\{1AFE1D9E-E67F-4278-A125-CCE13CDEA1AD}.exe	{CD27E319-E25B-4b98-86DA-8806842098C3}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1AFE1D9E-E67F-4278-A125-CCE13CDEA1AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD27E319-E25B-4b98-86DA-8806842098C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1732	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe
Token: SeIncBasePriorityPrivilege	2288	{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe
Token: SeIncBasePriorityPrivilege	2912	{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe
Token: SeIncBasePriorityPrivilege	2968	{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe
Token: SeIncBasePriorityPrivilege	2648	{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe
Token: SeIncBasePriorityPrivilege	1252	{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe
Token: SeIncBasePriorityPrivilege	1476	{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe
Token: SeIncBasePriorityPrivilege	2128	{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe
Token: SeIncBasePriorityPrivilege	2112	{CD27E319-E25B-4b98-86DA-8806842098C3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2288	1732	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe	31
PID 1732 wrote to memory of 2288	1732	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe	31
PID 1732 wrote to memory of 2288	1732	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe	31
PID 1732 wrote to memory of 2288	1732	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe	31
PID 1732 wrote to memory of 2936	1732	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe	32
PID 1732 wrote to memory of 2936	1732	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe	32
PID 1732 wrote to memory of 2936	1732	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe	32
PID 1732 wrote to memory of 2936	1732	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe	32
PID 2288 wrote to memory of 2912	2288	{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe	33
PID 2288 wrote to memory of 2912	2288	{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe	33
PID 2288 wrote to memory of 2912	2288	{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe	33
PID 2288 wrote to memory of 2912	2288	{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe	33
PID 2288 wrote to memory of 2712	2288	{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe	34
PID 2288 wrote to memory of 2712	2288	{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe	34
PID 2288 wrote to memory of 2712	2288	{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe	34
PID 2288 wrote to memory of 2712	2288	{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe	34
PID 2912 wrote to memory of 2968	2912	{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe	35
PID 2912 wrote to memory of 2968	2912	{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe	35
PID 2912 wrote to memory of 2968	2912	{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe	35
PID 2912 wrote to memory of 2968	2912	{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe	35
PID 2912 wrote to memory of 2780	2912	{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe	36
PID 2912 wrote to memory of 2780	2912	{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe	36
PID 2912 wrote to memory of 2780	2912	{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe	36
PID 2912 wrote to memory of 2780	2912	{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe	36
PID 2968 wrote to memory of 2648	2968	{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe	37
PID 2968 wrote to memory of 2648	2968	{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe	37
PID 2968 wrote to memory of 2648	2968	{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe	37
PID 2968 wrote to memory of 2648	2968	{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe	37
PID 2968 wrote to memory of 3060	2968	{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe	38
PID 2968 wrote to memory of 3060	2968	{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe	38
PID 2968 wrote to memory of 3060	2968	{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe	38
PID 2968 wrote to memory of 3060	2968	{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe	38
PID 2648 wrote to memory of 1252	2648	{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe	39
PID 2648 wrote to memory of 1252	2648	{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe	39
PID 2648 wrote to memory of 1252	2648	{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe	39
PID 2648 wrote to memory of 1252	2648	{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe	39
PID 2648 wrote to memory of 1664	2648	{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe	40
PID 2648 wrote to memory of 1664	2648	{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe	40
PID 2648 wrote to memory of 1664	2648	{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe	40
PID 2648 wrote to memory of 1664	2648	{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe	40
PID 1252 wrote to memory of 1476	1252	{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe	41
PID 1252 wrote to memory of 1476	1252	{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe	41
PID 1252 wrote to memory of 1476	1252	{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe	41
PID 1252 wrote to memory of 1476	1252	{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe	41
PID 1252 wrote to memory of 1800	1252	{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe	42
PID 1252 wrote to memory of 1800	1252	{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe	42
PID 1252 wrote to memory of 1800	1252	{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe	42
PID 1252 wrote to memory of 1800	1252	{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe	42
PID 1476 wrote to memory of 2128	1476	{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe	43
PID 1476 wrote to memory of 2128	1476	{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe	43
PID 1476 wrote to memory of 2128	1476	{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe	43
PID 1476 wrote to memory of 2128	1476	{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe	43
PID 1476 wrote to memory of 1196	1476	{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe	44
PID 1476 wrote to memory of 1196	1476	{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe	44
PID 1476 wrote to memory of 1196	1476	{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe	44
PID 1476 wrote to memory of 1196	1476	{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe	44
PID 2128 wrote to memory of 2112	2128	{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe	45
PID 2128 wrote to memory of 2112	2128	{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe	45
PID 2128 wrote to memory of 2112	2128	{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe	45
PID 2128 wrote to memory of 2112	2128	{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe	45
PID 2128 wrote to memory of 2200	2128	{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe	46
PID 2128 wrote to memory of 2200	2128	{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe	46
PID 2128 wrote to memory of 2200	2128	{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe	46
PID 2128 wrote to memory of 2200	2128	{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe	46

C:\Users\Admin\AppData\Local\Temp\5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe
"C:\Users\Admin\AppData\Local\Temp\5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe
  C:\Windows\{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe
    C:\Windows\{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe
      C:\Windows\{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe
        
        C:\Windows\{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe
        
        C:\Windows\{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe
        
        C:\Windows\{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe
        
        C:\Windows\{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\{CD27E319-E25B-4b98-86DA-8806842098C3}.exe
        
        C:\Windows\{CD27E319-E25B-4b98-86DA-8806842098C3}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\{1AFE1D9E-E67F-4278-A125-CCE13CDEA1AD}.exe
        
        C:\Windows\{1AFE1D9E-E67F-4278-A125-CCE13CDEA1AD}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD27E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1F23~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA076~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{846B8~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55A36~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCE2B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BDCE5~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8073E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5F5667~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1AFE1D9E-E67F-4278-A125-CCE13CDEA1AD}.exe

Filesize
87KB

MD5
fdd7b8ba656290c0b1f385ee17a14d50

SHA1
ccfd9173a33cfb3cfc02712d6027e6e99685daea

SHA256
8b8baf769d6947cb751db9615e9c2de168afa3d71ae37062f6fd52ad06c18785

SHA512
0bcaf7a02dfaeeaf99a9a64a665b8e813388f2403661f252e5f91b627a29dfe246e162736e36af39c2875ce97f366c2d0d7ca38639bf91290425b4dce7e23666

Download Submit
C:\Windows\{55A36F87-230A-4c6b-B505-19D4FA3C5A22}.exe

Filesize
87KB

MD5
d51e06b5fc1b0e2f9d06f44c4e17efa2

SHA1
a7639eaecb8cafd20fd080aeb2aba72d75285e70

SHA256
1fa7ec0bb3425bf334a38d6bea52e089686f6bb2a36322c426eda92029be78ed

SHA512
04d77d93863d68b327e03aa6d1e623acd0e9a9f0ae294ff50f9d703526f852aa22fac732a5c282d85b9d48ff4afe3d47a92a304eca8462f0bf1827dce176a437

Download Submit
C:\Windows\{8073E3AC-7541-46e0-BBFA-34D2EFD5C45C}.exe

Filesize
87KB

MD5
9c7ad09b37eb455647af20ec0243e0d9

SHA1
91d9dcdb21ed058bdb61dc406ea91caead756ef3

SHA256
209dcf03e6871b4289eacc4de11094c93da2987d68792c3fe431243c9c8fd563

SHA512
a2f21e7339e8b6d29ecb6d93c2acb8f2d6e7321cd461cb5de8778e299cf81fe504bd254155eeb55760e43dd14c7885036b393659a62a3a1d868e534207894b7c

Download Submit
C:\Windows\{846B8FE6-0F56-403d-9A6E-175D3A4965EC}.exe

Filesize
87KB

MD5
c29270920057c6442c93ddd216e05dde

SHA1
bcb4730aca78a898767d880d54b81cb93a0673cb

SHA256
cd890c3a9256396d5ef93f7a6c22e1ca8845ccc2b123b7fdccb8c025a8cda6da

SHA512
c16e9d10ce483f1ed572e53561f657600c1901a4659b5227fde25e1cff8d28a0a27e35282af17ef633c1a7b8b173175cd27d6f61e76a3e711fce60a77939e009

Download Submit
C:\Windows\{B1F237E8-1AF4-442d-8B51-9333B96F3B55}.exe

Filesize
87KB

MD5
ab1aa61f8bad9ccb05a8484c38fcb139

SHA1
6da07d214bd64cff5fe7daa98c141db282f95759

SHA256
d38b80c27ca70abfaea25dda945574d9f74705fc2994a17ca7025f6c3ddc6075

SHA512
536f5ec7f73e2dd8f8753c4448285c0d3a1463194437528d27b36260aef738cb2524d23ab178551a61292db7da902e83f22049762abbfb0a34e6a4b2de330b46

Download Submit
C:\Windows\{BDCE54D1-7108-4e68-A4FD-0E144E9C098A}.exe

Filesize
87KB

MD5
a3db9093f181a9b7155156606fb93061

SHA1
66aa7663403c64c2d57eb5825b98697c6f26bf32

SHA256
7a4fb06beabbd10d69c5ed6c0b7930785dfa95a86924e2d7f37c9c774ae14801

SHA512
8059d598a959de964eed1bc64b7049987e16c6499adfc17027eca4d7bbaecc3aad33680bee7d68e072bf99300049a1cd6af90deaaddc0f6685b61f46f3c269cb

Download Submit
C:\Windows\{CD27E319-E25B-4b98-86DA-8806842098C3}.exe

Filesize
87KB

MD5
6a1a0b8fde5f17809dd619f54fa65837

SHA1
63e70c715a0cd12584d4193409206ce9583e9193

SHA256
a89934e2e5073eb8fc1e4c58008865f2410288ccb5be7a8ab43169863ea15ceb

SHA512
6b75be98617a50e8bc7bfe2dae6eb23b760baaa85ba767fcceefe26ed8215dc899ed68fabd58274f82dd909db51a8bc5841bbef4682c38015dad910b86d0c015

Download Submit
C:\Windows\{FA076225-FFF3-4f0f-9B01-8946A63F6F72}.exe

Filesize
87KB

MD5
8f793b0fadc252f08456f4fa52bcc01c

SHA1
a49e0939b1115862cd398e6f5de5654c06435440

SHA256
67a7ab70aad2639d29098f9d892c75aa5be080aea84c94059484b48122e63776

SHA512
94dfa84808b75a5122de8b1471ae03834be23d7fed24df9ed45d99e02fb50c9d009f1048bcc529a747c67b9c6b997ffaf5d77502a32ec5d3b3bf4ba1d08455c0

Download Submit
C:\Windows\{FCE2B0FE-1A93-45ef-9182-03F6D468B7A2}.exe

Filesize
87KB

MD5
145d226ef1bc44fa5e08b8da92736c5e

SHA1
da515758b51e14ef06e63f2f6a8563e08e661aad

SHA256
247fe445f9a1856452273e84c3162038e8409e5e999728c0ea56e4de25020802

SHA512
93b3416e0789e4ca413538731ae69ca9cbf58098e4ea87d6bf1ce6e6c0950364b186231ad1b3c5e4a493103310fbc3ec2a9056e82dfa20fcabc541e828b584bb

Download Submit
memory/1252-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1476-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1476-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1476-65-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/1476-66-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/1732-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1732-4-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/1732-9-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/1732-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1732-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2112-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2112-80-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2128-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2128-72-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2288-20-0x0000000000540000-0x0000000000551000-memory.dmp

Filesize
68KB

Download
memory/2288-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2288-15-0x0000000000540000-0x0000000000551000-memory.dmp

Filesize
68KB

Download
memory/2288-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2648-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2912-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2912-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2912-26-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2968-39-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/2968-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2968-38-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads