703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe
Size

90KB
MD5

4455b19d5ca69b9c3c4cd6818ae3a729
SHA1

a257e1b59a13cfdb04acae667c681bb4d6df30da
SHA256

703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb
SHA512

17c50ff4925f860b33cfee34dc4b3aa3425e1bfcab663e8245bde1a79f47e03fd7b112e182afdeb4e4b777f19ae6af6fbcb929dcd05b5997b79affa7bc859849
SSDEEP

768:Qvw9816vhKQLrou4/wQRNrfrunMxVFA3b7glwr:YEGh0oul2unMxVS3Hg8

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}\stubpath = "C:\\Windows\\{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe"	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F1BFF76-352E-4622-8324-0CEB6D1787DD}	{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}	{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}\stubpath = "C:\\Windows\\{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe"	{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D286220-6981-4643-84C8-15A0B1717C3B}\stubpath = "C:\\Windows\\{8D286220-6981-4643-84C8-15A0B1717C3B}.exe"	{C76A9E1D-1765-49ac-8239-5666351057E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74CA23C4-A78C-478b-A894-C5983101DCC9}	{8D286220-6981-4643-84C8-15A0B1717C3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D286220-6981-4643-84C8-15A0B1717C3B}	{C76A9E1D-1765-49ac-8239-5666351057E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5840661B-1A70-4c04-8FD1-C2FAD14F9B15}	{74CA23C4-A78C-478b-A894-C5983101DCC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}\stubpath = "C:\\Windows\\{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe"	{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5840661B-1A70-4c04-8FD1-C2FAD14F9B15}\stubpath = "C:\\Windows\\{5840661B-1A70-4c04-8FD1-C2FAD14F9B15}.exe"	{74CA23C4-A78C-478b-A894-C5983101DCC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F1BFF76-352E-4622-8324-0CEB6D1787DD}\stubpath = "C:\\Windows\\{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe"	{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}	{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{896E87C3-5663-4ace-9F7C-083050D0EC15}	{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{896E87C3-5663-4ace-9F7C-083050D0EC15}\stubpath = "C:\\Windows\\{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe"	{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C76A9E1D-1765-49ac-8239-5666351057E6}	{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C76A9E1D-1765-49ac-8239-5666351057E6}\stubpath = "C:\\Windows\\{C76A9E1D-1765-49ac-8239-5666351057E6}.exe"	{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74CA23C4-A78C-478b-A894-C5983101DCC9}\stubpath = "C:\\Windows\\{74CA23C4-A78C-478b-A894-C5983101DCC9}.exe"	{8D286220-6981-4643-84C8-15A0B1717C3B}.exe

Executes dropped EXE 9 IoCs

pid	Process
1188	{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe
2876	{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe
2644	{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe
2900	{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe
840	{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe
2812	{C76A9E1D-1765-49ac-8239-5666351057E6}.exe
2788	{8D286220-6981-4643-84C8-15A0B1717C3B}.exe
1760	{74CA23C4-A78C-478b-A894-C5983101DCC9}.exe
2100	{5840661B-1A70-4c04-8FD1-C2FAD14F9B15}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe
File created	C:\Windows\{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe	{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe
File created	C:\Windows\{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe	{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe
File created	C:\Windows\{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe	{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe
File created	C:\Windows\{74CA23C4-A78C-478b-A894-C5983101DCC9}.exe	{8D286220-6981-4643-84C8-15A0B1717C3B}.exe
File created	C:\Windows\{5840661B-1A70-4c04-8FD1-C2FAD14F9B15}.exe	{74CA23C4-A78C-478b-A894-C5983101DCC9}.exe
File created	C:\Windows\{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe	{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe
File created	C:\Windows\{C76A9E1D-1765-49ac-8239-5666351057E6}.exe	{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe
File created	C:\Windows\{8D286220-6981-4643-84C8-15A0B1717C3B}.exe	{C76A9E1D-1765-49ac-8239-5666351057E6}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5840661B-1A70-4c04-8FD1-C2FAD14F9B15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74CA23C4-A78C-478b-A894-C5983101DCC9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C76A9E1D-1765-49ac-8239-5666351057E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D286220-6981-4643-84C8-15A0B1717C3B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1416	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe
Token: SeIncBasePriorityPrivilege	1188	{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe
Token: SeIncBasePriorityPrivilege	2876	{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe
Token: SeIncBasePriorityPrivilege	2644	{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe
Token: SeIncBasePriorityPrivilege	2900	{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe
Token: SeIncBasePriorityPrivilege	840	{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe
Token: SeIncBasePriorityPrivilege	2812	{C76A9E1D-1765-49ac-8239-5666351057E6}.exe
Token: SeIncBasePriorityPrivilege	2788	{8D286220-6981-4643-84C8-15A0B1717C3B}.exe
Token: SeIncBasePriorityPrivilege	1760	{74CA23C4-A78C-478b-A894-C5983101DCC9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1188	1416	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe	31
PID 1416 wrote to memory of 1188	1416	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe	31
PID 1416 wrote to memory of 1188	1416	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe	31
PID 1416 wrote to memory of 1188	1416	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe	31
PID 1416 wrote to memory of 2428	1416	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe	32
PID 1416 wrote to memory of 2428	1416	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe	32
PID 1416 wrote to memory of 2428	1416	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe	32
PID 1416 wrote to memory of 2428	1416	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe	32
PID 1188 wrote to memory of 2876	1188	{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe	33
PID 1188 wrote to memory of 2876	1188	{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe	33
PID 1188 wrote to memory of 2876	1188	{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe	33
PID 1188 wrote to memory of 2876	1188	{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe	33
PID 1188 wrote to memory of 2888	1188	{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe	34
PID 1188 wrote to memory of 2888	1188	{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe	34
PID 1188 wrote to memory of 2888	1188	{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe	34
PID 1188 wrote to memory of 2888	1188	{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe	34
PID 2876 wrote to memory of 2644	2876	{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe	35
PID 2876 wrote to memory of 2644	2876	{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe	35
PID 2876 wrote to memory of 2644	2876	{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe	35
PID 2876 wrote to memory of 2644	2876	{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe	35
PID 2876 wrote to memory of 2320	2876	{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe	36
PID 2876 wrote to memory of 2320	2876	{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe	36
PID 2876 wrote to memory of 2320	2876	{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe	36
PID 2876 wrote to memory of 2320	2876	{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe	36
PID 2644 wrote to memory of 2900	2644	{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe	37
PID 2644 wrote to memory of 2900	2644	{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe	37
PID 2644 wrote to memory of 2900	2644	{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe	37
PID 2644 wrote to memory of 2900	2644	{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe	37
PID 2644 wrote to memory of 2624	2644	{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe	38
PID 2644 wrote to memory of 2624	2644	{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe	38
PID 2644 wrote to memory of 2624	2644	{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe	38
PID 2644 wrote to memory of 2624	2644	{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe	38
PID 2900 wrote to memory of 840	2900	{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe	39
PID 2900 wrote to memory of 840	2900	{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe	39
PID 2900 wrote to memory of 840	2900	{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe	39
PID 2900 wrote to memory of 840	2900	{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe	39
PID 2900 wrote to memory of 1888	2900	{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe	40
PID 2900 wrote to memory of 1888	2900	{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe	40
PID 2900 wrote to memory of 1888	2900	{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe	40
PID 2900 wrote to memory of 1888	2900	{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe	40
PID 840 wrote to memory of 2812	840	{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe	41
PID 840 wrote to memory of 2812	840	{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe	41
PID 840 wrote to memory of 2812	840	{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe	41
PID 840 wrote to memory of 2812	840	{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe	41
PID 840 wrote to memory of 2980	840	{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe	42
PID 840 wrote to memory of 2980	840	{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe	42
PID 840 wrote to memory of 2980	840	{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe	42
PID 840 wrote to memory of 2980	840	{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe	42
PID 2812 wrote to memory of 2788	2812	{C76A9E1D-1765-49ac-8239-5666351057E6}.exe	44
PID 2812 wrote to memory of 2788	2812	{C76A9E1D-1765-49ac-8239-5666351057E6}.exe	44
PID 2812 wrote to memory of 2788	2812	{C76A9E1D-1765-49ac-8239-5666351057E6}.exe	44
PID 2812 wrote to memory of 2788	2812	{C76A9E1D-1765-49ac-8239-5666351057E6}.exe	44
PID 2812 wrote to memory of 1196	2812	{C76A9E1D-1765-49ac-8239-5666351057E6}.exe	45
PID 2812 wrote to memory of 1196	2812	{C76A9E1D-1765-49ac-8239-5666351057E6}.exe	45
PID 2812 wrote to memory of 1196	2812	{C76A9E1D-1765-49ac-8239-5666351057E6}.exe	45
PID 2812 wrote to memory of 1196	2812	{C76A9E1D-1765-49ac-8239-5666351057E6}.exe	45
PID 2788 wrote to memory of 1760	2788	{8D286220-6981-4643-84C8-15A0B1717C3B}.exe	46
PID 2788 wrote to memory of 1760	2788	{8D286220-6981-4643-84C8-15A0B1717C3B}.exe	46
PID 2788 wrote to memory of 1760	2788	{8D286220-6981-4643-84C8-15A0B1717C3B}.exe	46
PID 2788 wrote to memory of 1760	2788	{8D286220-6981-4643-84C8-15A0B1717C3B}.exe	46
PID 2788 wrote to memory of 768	2788	{8D286220-6981-4643-84C8-15A0B1717C3B}.exe	47
PID 2788 wrote to memory of 768	2788	{8D286220-6981-4643-84C8-15A0B1717C3B}.exe	47
PID 2788 wrote to memory of 768	2788	{8D286220-6981-4643-84C8-15A0B1717C3B}.exe	47
PID 2788 wrote to memory of 768	2788	{8D286220-6981-4643-84C8-15A0B1717C3B}.exe	47

C:\Users\Admin\AppData\Local\Temp\703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe
"C:\Users\Admin\AppData\Local\Temp\703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe
  C:\Windows\{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe
    C:\Windows\{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe
      C:\Windows\{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe
        
        C:\Windows\{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe
        
        C:\Windows\{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\{C76A9E1D-1765-49ac-8239-5666351057E6}.exe
        
        C:\Windows\{C76A9E1D-1765-49ac-8239-5666351057E6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\{8D286220-6981-4643-84C8-15A0B1717C3B}.exe
        
        C:\Windows\{8D286220-6981-4643-84C8-15A0B1717C3B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\{74CA23C4-A78C-478b-A894-C5983101DCC9}.exe
        
        C:\Windows\{74CA23C4-A78C-478b-A894-C5983101DCC9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\{5840661B-1A70-4c04-8FD1-C2FAD14F9B15}.exe
        
        C:\Windows\{5840661B-1A70-4c04-8FD1-C2FAD14F9B15}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74CA2~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D286~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C76A9~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB05D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{896E8~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FDC9~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2F1BF~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3A103~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\703B8D~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2F1BFF76-352E-4622-8324-0CEB6D1787DD}.exe

Filesize
90KB

MD5
f8c4c097ba79962e2a5b57ea746d7d04

SHA1
be60d6fea22688a8f6ba5cd2e121916408d7b50d

SHA256
2de6cc19fc4b1bc0b7c125a92069a77a86b6a483bc10cae5488c8a473b9db892

SHA512
8be464ef1dd2196d55166ef5ddd87ebcb9b286c41923d8317afbb6372b3ce1b2c008e4269ad625e7698b1b30246630f74913d993dfaa42d12ff2b207a9f79cb6

Download Submit
C:\Windows\{2FDC9F78-FF4E-4c39-81DE-F2AFB7842EAB}.exe

Filesize
90KB

MD5
9b7d6e60c8aa11dad7e0bd1f835e5176

SHA1
d8f2ff83405e1f7cb03da4da1daccba2f1865554

SHA256
2d2b2d59cbe7ef350d54bd67dbbca4a963167791a031913f29ca1ad88976c2b8

SHA512
ac24d0f39c91a1729e5d07cd8f729b36cb5ea69d1aeeee302f92e892c7444f492c74c32c42ab5172bc7c083810258d0f32af6c4f7612fc4fc570af17d6edfe8e

Download Submit
C:\Windows\{3A103BD4-6EC8-4088-995A-8D948D0E2A5C}.exe

Filesize
90KB

MD5
a5e92dd804155e2996ff626609ab8f13

SHA1
d55a2691a0e0bf76125d46913e23950813cf4196

SHA256
3a0792bf90c989edfc1a3c2379b03037332625eb21b21e92de93cb6ee4776b26

SHA512
c5afd77680fa4cf1570dca4d5c066deea9cd4f42631dbeedb5550d4e6c4e87d6f4cdeeca4cef1250a0f79878e14cf0a3373bb7c5bd319394f2dace859a5d311a

Download Submit
C:\Windows\{5840661B-1A70-4c04-8FD1-C2FAD14F9B15}.exe

Filesize
90KB

MD5
7f47d63f24845e50d9ade26ddfeb4b0b

SHA1
aef3d0b3f0efac996d64a346c6f4d8c9ed87a726

SHA256
536b244a89d93831bf31547d0266f5f3f31d5f992a3cfdb34227ae72c15006ea

SHA512
3dba83e38133b041b80927519a833d32551efb3538a28d51c43c92c9f7d931172bb964cbe80d912250965dafb22ee41dac1f4558b2c5a1a09787f2348d8d0dc0

Download Submit
C:\Windows\{74CA23C4-A78C-478b-A894-C5983101DCC9}.exe

Filesize
90KB

MD5
4d888dfde33f5dbf81a6c4cabe4ccc28

SHA1
71ddae22d6dc51b571b4909eb89877cfa6d95ce9

SHA256
b8ebc06888904e2184e6a68ef0043efe11f5d595a4b2b0505bbc3b894551f57f

SHA512
09d9fca1b2f6e322c937ce027894d78ed8d9843bf1ca9937ba285876e8b6d10128942c7fd7f6a102a58e0e7df828d3513ed0d3f2531c4b67f9936757f09dc8b6

Download Submit
C:\Windows\{896E87C3-5663-4ace-9F7C-083050D0EC15}.exe

Filesize
90KB

MD5
87c3d53faafd9d77ffca9ff4f9094c02

SHA1
54c941904036fc2306203c51fd8c2550062776f4

SHA256
09bfced938e60751a132749a20f483f7bf05d8611eeafb1c492b769f25577ebf

SHA512
2c2cb8c6cce6d92fe4c016cc40e0cf54aadf0e4969bb5ed8a482c493e18fde2946fccec0c9f24dc31a9a218b11963ae1d6a810d12a7e19c093b8054e873edda7

Download Submit
C:\Windows\{8D286220-6981-4643-84C8-15A0B1717C3B}.exe

Filesize
90KB

MD5
109db11a4073186a83e9aeeb39f482ee

SHA1
46f299787771bd5a7e071be40277394edb7ba0cb

SHA256
e25d0239495de1ed89a44c7ef43e7299e5b98f6c974dbaac9e49752c98a7bf80

SHA512
ad1ef1449f7542ba65809f875a4144a291d2702048ed6a21871192291bfb1759b0b208880731ca193a94b18a5e7884c5328732d800bf821f1df26b8c91e5d474

Download Submit
C:\Windows\{C76A9E1D-1765-49ac-8239-5666351057E6}.exe

Filesize
90KB

MD5
a05ba7159a138d19aeb250388527cdda

SHA1
513e27cb3bca61de26fc2501b8de65acee01e319

SHA256
66326e3bf145be5ca3e65632b7af9097649bc79c5c8d9de32688f967251899d8

SHA512
57ed0464a21dbd828b875ae01a1e8597abe1281e8b00c87d03d2258a50aad1a5052c49231a65427dadaf417db87e6943afa702987db3ab1e28a4b4032099803e

Download Submit
C:\Windows\{FB05DAFF-9F49-4030-BF23-7FAB9E803B0E}.exe

Filesize
90KB

MD5
3712a9f862fa66edad01393a0f1e4549

SHA1
4991dd863f8d56760a00eef289c9e2f1e1d17948

SHA256
c9c0e6c65254a2685c56a6de206c5f2362fdd2f0d8f326b323e07d0e99d5fcdf

SHA512
2be2e177901f95128bb05b154657437ab3ba4726424a0fefa10f55ca6c4ad4232b4822ae893c7b6c050c49d7ba5472a0f35131eee2977098c6fef091f9373eba

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads