703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb

Analysis

max time kernel
118s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe
Size

90KB
MD5

4455b19d5ca69b9c3c4cd6818ae3a729
SHA1

a257e1b59a13cfdb04acae667c681bb4d6df30da
SHA256

703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb
SHA512

17c50ff4925f860b33cfee34dc4b3aa3425e1bfcab663e8245bde1a79f47e03fd7b112e182afdeb4e4b777f19ae6af6fbcb929dcd05b5997b79affa7bc859849
SSDEEP

768:Qvw9816vhKQLrou4/wQRNrfrunMxVFA3b7glwr:YEGh0oul2unMxVS3Hg8

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{406365E6-14D8-43a1-B10D-622FB0C68FA0}	{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1EB1371-B0A4-42b7-988E-D693F6555302}\stubpath = "C:\\Windows\\{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe"	{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36A468A5-E7F1-4625-9BE7-D27DFEFD74FA}\stubpath = "C:\\Windows\\{36A468A5-E7F1-4625-9BE7-D27DFEFD74FA}.exe"	{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14A38CEE-DDB9-449b-8636-9B05B80FA911}	{6F779486-584B-463a-910F-826BECDB73C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}	{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36A468A5-E7F1-4625-9BE7-D27DFEFD74FA}	{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F779486-584B-463a-910F-826BECDB73C3}\stubpath = "C:\\Windows\\{6F779486-584B-463a-910F-826BECDB73C3}.exe"	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}\stubpath = "C:\\Windows\\{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe"	{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}\stubpath = "C:\\Windows\\{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe"	{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}	{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14A38CEE-DDB9-449b-8636-9B05B80FA911}\stubpath = "C:\\Windows\\{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe"	{6F779486-584B-463a-910F-826BECDB73C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{406365E6-14D8-43a1-B10D-622FB0C68FA0}\stubpath = "C:\\Windows\\{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe"	{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}	{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}	{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}\stubpath = "C:\\Windows\\{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe"	{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}\stubpath = "C:\\Windows\\{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe"	{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1EB1371-B0A4-42b7-988E-D693F6555302}	{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F779486-584B-463a-910F-826BECDB73C3}	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe

Executes dropped EXE 9 IoCs

pid	Process
3432	{6F779486-584B-463a-910F-826BECDB73C3}.exe
2768	{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe
4764	{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe
3200	{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe
3088	{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe
2808	{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe
1080	{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe
1084	{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe
3936	{36A468A5-E7F1-4625-9BE7-D27DFEFD74FA}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{6F779486-584B-463a-910F-826BECDB73C3}.exe	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe
File created	C:\Windows\{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe	{6F779486-584B-463a-910F-826BECDB73C3}.exe
File created	C:\Windows\{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe	{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe
File created	C:\Windows\{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe	{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe
File created	C:\Windows\{36A468A5-E7F1-4625-9BE7-D27DFEFD74FA}.exe	{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe
File created	C:\Windows\{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe	{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe
File created	C:\Windows\{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe	{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe
File created	C:\Windows\{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe	{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe
File created	C:\Windows\{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe	{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{36A468A5-E7F1-4625-9BE7-D27DFEFD74FA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F779486-584B-463a-910F-826BECDB73C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4656	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe
Token: SeIncBasePriorityPrivilege	3432	{6F779486-584B-463a-910F-826BECDB73C3}.exe
Token: SeIncBasePriorityPrivilege	2768	{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe
Token: SeIncBasePriorityPrivilege	4764	{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe
Token: SeIncBasePriorityPrivilege	3200	{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe
Token: SeIncBasePriorityPrivilege	3088	{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe
Token: SeIncBasePriorityPrivilege	2808	{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe
Token: SeIncBasePriorityPrivilege	1080	{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe
Token: SeIncBasePriorityPrivilege	1084	{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3432	4656	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe	94
PID 4656 wrote to memory of 3432	4656	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe	94
PID 4656 wrote to memory of 3432	4656	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe	94
PID 4656 wrote to memory of 2756	4656	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe	95
PID 4656 wrote to memory of 2756	4656	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe	95
PID 4656 wrote to memory of 2756	4656	703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe	95
PID 3432 wrote to memory of 2768	3432	{6F779486-584B-463a-910F-826BECDB73C3}.exe	96
PID 3432 wrote to memory of 2768	3432	{6F779486-584B-463a-910F-826BECDB73C3}.exe	96
PID 3432 wrote to memory of 2768	3432	{6F779486-584B-463a-910F-826BECDB73C3}.exe	96
PID 3432 wrote to memory of 2312	3432	{6F779486-584B-463a-910F-826BECDB73C3}.exe	97
PID 3432 wrote to memory of 2312	3432	{6F779486-584B-463a-910F-826BECDB73C3}.exe	97
PID 3432 wrote to memory of 2312	3432	{6F779486-584B-463a-910F-826BECDB73C3}.exe	97
PID 2768 wrote to memory of 4764	2768	{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe	100
PID 2768 wrote to memory of 4764	2768	{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe	100
PID 2768 wrote to memory of 4764	2768	{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe	100
PID 2768 wrote to memory of 4056	2768	{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe	101
PID 2768 wrote to memory of 4056	2768	{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe	101
PID 2768 wrote to memory of 4056	2768	{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe	101
PID 4764 wrote to memory of 3200	4764	{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe	102
PID 4764 wrote to memory of 3200	4764	{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe	102
PID 4764 wrote to memory of 3200	4764	{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe	102
PID 4764 wrote to memory of 1032	4764	{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe	103
PID 4764 wrote to memory of 1032	4764	{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe	103
PID 4764 wrote to memory of 1032	4764	{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe	103
PID 3200 wrote to memory of 3088	3200	{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe	104
PID 3200 wrote to memory of 3088	3200	{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe	104
PID 3200 wrote to memory of 3088	3200	{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe	104
PID 3200 wrote to memory of 2344	3200	{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe	105
PID 3200 wrote to memory of 2344	3200	{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe	105
PID 3200 wrote to memory of 2344	3200	{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe	105
PID 3088 wrote to memory of 2808	3088	{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe	106
PID 3088 wrote to memory of 2808	3088	{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe	106
PID 3088 wrote to memory of 2808	3088	{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe	106
PID 3088 wrote to memory of 3948	3088	{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe	107
PID 3088 wrote to memory of 3948	3088	{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe	107
PID 3088 wrote to memory of 3948	3088	{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe	107
PID 2808 wrote to memory of 1080	2808	{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe	108
PID 2808 wrote to memory of 1080	2808	{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe	108
PID 2808 wrote to memory of 1080	2808	{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe	108
PID 2808 wrote to memory of 3048	2808	{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe	109
PID 2808 wrote to memory of 3048	2808	{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe	109
PID 2808 wrote to memory of 3048	2808	{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe	109
PID 1080 wrote to memory of 1084	1080	{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe	110
PID 1080 wrote to memory of 1084	1080	{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe	110
PID 1080 wrote to memory of 1084	1080	{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe	110
PID 1080 wrote to memory of 972	1080	{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe	111
PID 1080 wrote to memory of 972	1080	{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe	111
PID 1080 wrote to memory of 972	1080	{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe	111
PID 1084 wrote to memory of 3936	1084	{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe	112
PID 1084 wrote to memory of 3936	1084	{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe	112
PID 1084 wrote to memory of 3936	1084	{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe	112
PID 1084 wrote to memory of 1912	1084	{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe	113
PID 1084 wrote to memory of 1912	1084	{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe	113
PID 1084 wrote to memory of 1912	1084	{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe	113

C:\Users\Admin\AppData\Local\Temp\703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe
"C:\Users\Admin\AppData\Local\Temp\703b8d4f394ae81025383d6f8345949b99ca1cd17053d7515b9175eb162f8ccb.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\{6F779486-584B-463a-910F-826BECDB73C3}.exe
  C:\Windows\{6F779486-584B-463a-910F-826BECDB73C3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe
    C:\Windows\{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe
      C:\Windows\{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4764
    - - C:\Windows\{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe
        
        C:\Windows\{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3200
      - C:\Windows\{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe
        
        C:\Windows\{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe
        
        C:\Windows\{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe
        
        C:\Windows\{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe
        
        C:\Windows\{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\{36A468A5-E7F1-4625-9BE7-D27DFEFD74FA}.exe
        
        C:\Windows\{36A468A5-E7F1-4625-9BE7-D27DFEFD74FA}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1EB1~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7950~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CA4A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1112~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8D0B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40636~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{14A38~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6F779~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\703B8D~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14A38CEE-DDB9-449b-8636-9B05B80FA911}.exe

Filesize
90KB

MD5
0172f922dc9028d4fd792a80bf547fdc

SHA1
44680233671b1342fa4e90295a61c8982a864c28

SHA256
d0dd81dbbfed2bd190a42b72c614c6e4c67d92845dfca07e6e57004643302631

SHA512
4755cabc2c9dff83166cdebec9328e8452862ef70eb48bfd9bc602c507401cec7b2a6ffaaa6fdc17189dcb4c37e30d0b5a62edc7c6e856450889f3f5036281af

Download Submit
C:\Windows\{36A468A5-E7F1-4625-9BE7-D27DFEFD74FA}.exe

Filesize
90KB

MD5
2adc02b0709de8b324e835b691ec5b18

SHA1
14da9cc9a5e96dc0d337defcdfc231c808709803

SHA256
33938eb0e1b7daf8143b38439e24869adad9047b8a518d16a073728b0c344a09

SHA512
849f1965c8b8124750c240c9d6f8807d9cc8637ed9e6d95645aac880e7ff1af2fa2d8d8403e36601b888d5eb74586b1aab1da474321b10e14e24b97dbf9aebc9

Download Submit
C:\Windows\{406365E6-14D8-43a1-B10D-622FB0C68FA0}.exe

Filesize
90KB

MD5
d5f2ebd235f93907652de441b52303bb

SHA1
c70b356d84ca2a2a3f2650c1c6296c24c76ef308

SHA256
6044206758561774ee77bd7468d67408b15924f156fe0fb40d26e009eeec920d

SHA512
c54c4026648d387db6a0cf91f3c8908ff7d0b1d8ab3afd78f6d60683cebb86eca5a010fcee8dabf8e342a00f442a81104176f65e4fc00941a518ab805cf08901

Download Submit
C:\Windows\{4CA4A9C3-5DC6-4c7a-B428-6AEE494F1F56}.exe

Filesize
90KB

MD5
9c5bc8225ac22c2205fcdd3fe7190820

SHA1
a981ea27f64044bf67dc5ef74cfd02e6c8527b93

SHA256
317db00aeb459a886f44a23c5a428afad016a1c72045134c9f551bef3fca57eb

SHA512
c1320520cdd0b25b8365cff05dfc54369ca55e3c7be3947840b9ae1a92baffa3fb68a77d4e0bdb61ef3cfa70793fbf1feee17e5aaa520022dadc6d614102c236

Download Submit
C:\Windows\{6F779486-584B-463a-910F-826BECDB73C3}.exe

Filesize
90KB

MD5
5f213606acc78c6c87a7766c203d3f09

SHA1
eb6b65b46aded9726592ed22926413c597ae1843

SHA256
eed5785d323632b9c176c6ef85f2925dbfb09acf05476be3e82889cbb5b81c64

SHA512
15d1f4eef5cbfde36f0ad79643ad12b02c050310e0fcea3985ee7fdeefb029fdacdbb1ba9ea845556674d3d09267cea9f2942d7ec45bf3a10803aeb5ec7d9871

Download Submit
C:\Windows\{B1112D2D-F16E-4aec-9E0C-32514EA2AA92}.exe

Filesize
90KB

MD5
1b127ce5955876b6a33c631f9dd82dc7

SHA1
3a1365771edfd031a471810207949d448b86b75c

SHA256
72f5e917a2f55868c5b289cbc1eb2f82cdada9fe7d455645f60cc0d70b435201

SHA512
e1aa1cc5f7ffc3ce631b0019f22572b7dd28a3606e2ce74873c6092f7fa0fd24f0c660cc0ae3472282ccee5c46d67e86476326bd33bf02c12400ea24ec490e73

Download Submit
C:\Windows\{C79509CB-94C0-4b4b-A9AE-ADA0EE7DBD1B}.exe

Filesize
90KB

MD5
6c1ced63c273eb377a72ce7dcdde11df

SHA1
cc3ab7e3189c52ba081c185d7265285acd9514e2

SHA256
8d317eafac17029f87f18daaab149f2571ac19749abe58cba52277d888908108

SHA512
e7676e45e6179512a8dd14cdbeb50c0a93b4f1c9646395d746ce419da09913e7e51d0310bca5753d9c6a5406c289832ce991cdc6802472450f6bf242e0ef9357

Download Submit
C:\Windows\{E8D0B761-3B32-4744-9934-B1DDEC33CDE8}.exe

Filesize
90KB

MD5
1951f4ba48bda3169e4100c4fc682f44

SHA1
a75e178552765804a6e4cf400b7c3d3a39b00ddb

SHA256
ebfaf95e75bc25227f2f1e8eb8df6972318dd6162df7392a796a2dff86ddcc36

SHA512
8866e670b48fa76be97d1e6fca6146831ff2e54514bd8bd28a75778cba9e7ef32ab25cbc7000987044701834b4fc31022eb84b9a61cbb7d850d529ee86829fab

Download Submit
C:\Windows\{F1EB1371-B0A4-42b7-988E-D693F6555302}.exe

Filesize
90KB

MD5
9d7bd8f9b2a085f02ee573c1a4ea8c50

SHA1
f4918ca6c3c5e4153398553990eddb7213616c58

SHA256
1526ec280ad576a260026044a39b964a2d35af313b17188e09b0dead97621974

SHA512
148aa1a70f169dae976a8cac3dfd5808f73cdd9b1bb7a25a8b42cf30a1eb903d4c0ada3d41c805e85f4ceff864a79343149ecf98bff905c14614bcf5be3ca59e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads