2b663218f749b84a0a558518cbde1f7b38ca39f250bf4141b2f5f02b85e4d160

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b663218f749b84a0a558518cbde1f7b38ca39f250bf4141b2f5f02b85e4d160.exe
Size

87KB
MD5

0a8623d8641e2736a98eb0103891e46b
SHA1

2dd6b590078f60c94c4d121c42f84acc775063d8
SHA256

2b663218f749b84a0a558518cbde1f7b38ca39f250bf4141b2f5f02b85e4d160
SHA512

b35a9f825be4103f6ec2593dd1536d82931003a7fb8b540202e408890f3a748c2b844aa6780de9f05e6d5ab37f7815baaa0023b772d628a7438b0f15eed3f9d5
SSDEEP

384:5bLwOs8AHsc4sM6whKiroQ4/CFsrdk5I1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUOa:5vw9816uhKiroQ4/wQNNrfrunMxVFm

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}\stubpath = "C:\\Windows\\{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe"	{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D267684-83CB-422a-B73D-26F78B549E57}\stubpath = "C:\\Windows\\{1D267684-83CB-422a-B73D-26F78B549E57}.exe"	{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB00C808-9AFE-493f-9100-57C75FEC2A0B}	{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EA274DC-0015-4f55-8007-679660CEBAE0}\stubpath = "C:\\Windows\\{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe"	{98555321-18A0-42a5-8409-C93DFF99B774}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98555321-18A0-42a5-8409-C93DFF99B774}	{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98555321-18A0-42a5-8409-C93DFF99B774}\stubpath = "C:\\Windows\\{98555321-18A0-42a5-8409-C93DFF99B774}.exe"	{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}\stubpath = "C:\\Windows\\{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe"	{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D267684-83CB-422a-B73D-26F78B549E57}	{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}	{1D267684-83CB-422a-B73D-26F78B549E57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDD5091A-8D8B-4b6e-8840-2D0466B67388}	{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB00C808-9AFE-493f-9100-57C75FEC2A0B}\stubpath = "C:\\Windows\\{FB00C808-9AFE-493f-9100-57C75FEC2A0B}.exe"	{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC8CC891-56E6-4380-ADD1-18269B7C03C3}\stubpath = "C:\\Windows\\{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe"	2b663218f749b84a0a558518cbde1f7b38ca39f250bf4141b2f5f02b85e4d160.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EA274DC-0015-4f55-8007-679660CEBAE0}	{98555321-18A0-42a5-8409-C93DFF99B774}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}	{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}\stubpath = "C:\\Windows\\{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe"	{1D267684-83CB-422a-B73D-26F78B549E57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDD5091A-8D8B-4b6e-8840-2D0466B67388}\stubpath = "C:\\Windows\\{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe"	{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}	{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC8CC891-56E6-4380-ADD1-18269B7C03C3}	2b663218f749b84a0a558518cbde1f7b38ca39f250bf4141b2f5f02b85e4d160.exe

Executes dropped EXE 9 IoCs

pid	Process
1340	{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe
4172	{98555321-18A0-42a5-8409-C93DFF99B774}.exe
2584	{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe
1524	{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe
3820	{1D267684-83CB-422a-B73D-26F78B549E57}.exe
4508	{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe
3680	{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe
3296	{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe
2800	{FB00C808-9AFE-493f-9100-57C75FEC2A0B}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{FB00C808-9AFE-493f-9100-57C75FEC2A0B}.exe	{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe
File created	C:\Windows\{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe	2b663218f749b84a0a558518cbde1f7b38ca39f250bf4141b2f5f02b85e4d160.exe
File created	C:\Windows\{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe	{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe
File created	C:\Windows\{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe	{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe
File created	C:\Windows\{1D267684-83CB-422a-B73D-26F78B549E57}.exe	{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe
File created	C:\Windows\{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe	{1D267684-83CB-422a-B73D-26F78B549E57}.exe
File created	C:\Windows\{98555321-18A0-42a5-8409-C93DFF99B774}.exe	{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe
File created	C:\Windows\{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe	{98555321-18A0-42a5-8409-C93DFF99B774}.exe
File created	C:\Windows\{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe	{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB00C808-9AFE-493f-9100-57C75FEC2A0B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1D267684-83CB-422a-B73D-26F78B549E57}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b663218f749b84a0a558518cbde1f7b38ca39f250bf4141b2f5f02b85e4d160.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{98555321-18A0-42a5-8409-C93DFF99B774}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3224	2b663218f749b84a0a558518cbde1f7b38ca39f250bf4141b2f5f02b85e4d160.exe
Token: SeIncBasePriorityPrivilege	1340	{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe
Token: SeIncBasePriorityPrivilege	4172	{98555321-18A0-42a5-8409-C93DFF99B774}.exe
Token: SeIncBasePriorityPrivilege	2584	{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe
Token: SeIncBasePriorityPrivilege	1524	{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe
Token: SeIncBasePriorityPrivilege	3820	{1D267684-83CB-422a-B73D-26F78B549E57}.exe
Token: SeIncBasePriorityPrivilege	4508	{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe
Token: SeIncBasePriorityPrivilege	3680	{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe
Token: SeIncBasePriorityPrivilege	3296	{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 1340	3224	2b663218f749b84a0a558518cbde1f7b38ca39f250bf4141b2f5f02b85e4d160.exe	99
PID 3224 wrote to memory of 1340	3224	2b663218f749b84a0a558518cbde1f7b38ca39f250bf4141b2f5f02b85e4d160.exe	99
PID 3224 wrote to memory of 1340	3224	2b663218f749b84a0a558518cbde1f7b38ca39f250bf4141b2f5f02b85e4d160.exe	99
PID 3224 wrote to memory of 4788	3224	2b663218f749b84a0a558518cbde1f7b38ca39f250bf4141b2f5f02b85e4d160.exe	100
PID 3224 wrote to memory of 4788	3224	2b663218f749b84a0a558518cbde1f7b38ca39f250bf4141b2f5f02b85e4d160.exe	100
PID 3224 wrote to memory of 4788	3224	2b663218f749b84a0a558518cbde1f7b38ca39f250bf4141b2f5f02b85e4d160.exe	100
PID 1340 wrote to memory of 4172	1340	{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe	101
PID 1340 wrote to memory of 4172	1340	{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe	101
PID 1340 wrote to memory of 4172	1340	{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe	101
PID 1340 wrote to memory of 4072	1340	{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe	102
PID 1340 wrote to memory of 4072	1340	{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe	102
PID 1340 wrote to memory of 4072	1340	{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe	102
PID 4172 wrote to memory of 2584	4172	{98555321-18A0-42a5-8409-C93DFF99B774}.exe	106
PID 4172 wrote to memory of 2584	4172	{98555321-18A0-42a5-8409-C93DFF99B774}.exe	106
PID 4172 wrote to memory of 2584	4172	{98555321-18A0-42a5-8409-C93DFF99B774}.exe	106
PID 4172 wrote to memory of 4060	4172	{98555321-18A0-42a5-8409-C93DFF99B774}.exe	107
PID 4172 wrote to memory of 4060	4172	{98555321-18A0-42a5-8409-C93DFF99B774}.exe	107
PID 4172 wrote to memory of 4060	4172	{98555321-18A0-42a5-8409-C93DFF99B774}.exe	107
PID 2584 wrote to memory of 1524	2584	{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe	108
PID 2584 wrote to memory of 1524	2584	{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe	108
PID 2584 wrote to memory of 1524	2584	{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe	108
PID 2584 wrote to memory of 432	2584	{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe	109
PID 2584 wrote to memory of 432	2584	{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe	109
PID 2584 wrote to memory of 432	2584	{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe	109
PID 1524 wrote to memory of 3820	1524	{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe	110
PID 1524 wrote to memory of 3820	1524	{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe	110
PID 1524 wrote to memory of 3820	1524	{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe	110
PID 1524 wrote to memory of 4856	1524	{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe	111
PID 1524 wrote to memory of 4856	1524	{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe	111
PID 1524 wrote to memory of 4856	1524	{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe	111
PID 3820 wrote to memory of 4508	3820	{1D267684-83CB-422a-B73D-26F78B549E57}.exe	112
PID 3820 wrote to memory of 4508	3820	{1D267684-83CB-422a-B73D-26F78B549E57}.exe	112
PID 3820 wrote to memory of 4508	3820	{1D267684-83CB-422a-B73D-26F78B549E57}.exe	112
PID 3820 wrote to memory of 4400	3820	{1D267684-83CB-422a-B73D-26F78B549E57}.exe	113
PID 3820 wrote to memory of 4400	3820	{1D267684-83CB-422a-B73D-26F78B549E57}.exe	113
PID 3820 wrote to memory of 4400	3820	{1D267684-83CB-422a-B73D-26F78B549E57}.exe	113
PID 4508 wrote to memory of 3680	4508	{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe	114
PID 4508 wrote to memory of 3680	4508	{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe	114
PID 4508 wrote to memory of 3680	4508	{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe	114
PID 4508 wrote to memory of 3688	4508	{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe	115
PID 4508 wrote to memory of 3688	4508	{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe	115
PID 4508 wrote to memory of 3688	4508	{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe	115
PID 3680 wrote to memory of 3296	3680	{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe	116
PID 3680 wrote to memory of 3296	3680	{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe	116
PID 3680 wrote to memory of 3296	3680	{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe	116
PID 3680 wrote to memory of 3008	3680	{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe	117
PID 3680 wrote to memory of 3008	3680	{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe	117
PID 3680 wrote to memory of 3008	3680	{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe	117
PID 3296 wrote to memory of 2800	3296	{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe	118
PID 3296 wrote to memory of 2800	3296	{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe	118
PID 3296 wrote to memory of 2800	3296	{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe	118
PID 3296 wrote to memory of 756	3296	{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe	119
PID 3296 wrote to memory of 756	3296	{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe	119
PID 3296 wrote to memory of 756	3296	{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe	119

C:\Users\Admin\AppData\Local\Temp\2b663218f749b84a0a558518cbde1f7b38ca39f250bf4141b2f5f02b85e4d160.exe
"C:\Users\Admin\AppData\Local\Temp\2b663218f749b84a0a558518cbde1f7b38ca39f250bf4141b2f5f02b85e4d160.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe
  C:\Windows\{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\{98555321-18A0-42a5-8409-C93DFF99B774}.exe
    C:\Windows\{98555321-18A0-42a5-8409-C93DFF99B774}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe
      C:\Windows\{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe
        
        C:\Windows\{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Windows\{1D267684-83CB-422a-B73D-26F78B549E57}.exe
        
        C:\Windows\{1D267684-83CB-422a-B73D-26F78B549E57}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe
        
        C:\Windows\{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe
        
        C:\Windows\{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe
        
        C:\Windows\{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\{FB00C808-9AFE-493f-9100-57C75FEC2A0B}.exe
        
        C:\Windows\{FB00C808-9AFE-493f-9100-57C75FEC2A0B}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDC47~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDD50~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30024~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D267~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2183~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EA27~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{98555~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EC8CC~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2B6632~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D267684-83CB-422a-B73D-26F78B549E57}.exe

Filesize
87KB

MD5
35cd437e44bec6b199821ff3171c9c4c

SHA1
8ccd8d23e63c0edf7f60ee25068f1f1b59722481

SHA256
71fdab5d6ac6725acfee80219b909222c463c9c134c5675e27dd6c628d9ee915

SHA512
a627e903c6d3b14b8869c65a33e5d65300d06274ae854b483c4293a947b95e3f07acf550b12ba31c9c31b72748991d56bdedc8be968fcfecc10282c020c10257

Download Submit
C:\Windows\{300243A7-4D9A-4cf1-B5DE-BF69618E0DE6}.exe

Filesize
87KB

MD5
0e7a72f0c10436bbcd338e5fdfd58c4b

SHA1
34d06fa7a5f19b26ca9e8abb03261d93c1efa008

SHA256
1ae197487209b5433ea38c7818e7db8ecee713f5d5527678d0643ce28d43bb0b

SHA512
e88d9f1d6a6149089f1f1c5f7b6ab21cd71e4a5c195f8ab066c16853c6e5264ff844423053e39d21232aeb8428d4cddb0a6919371213bf323248ed82db3ccadd

Download Submit
C:\Windows\{98555321-18A0-42a5-8409-C93DFF99B774}.exe

Filesize
87KB

MD5
6811967da6a992f58280bf8a69ede622

SHA1
5205d98e39f6f6b41ff9ee5b39838bbf4c0e6a67

SHA256
9fc0c9790c4c8a13a57bd735a80764970626480d14ab3f7e691951d0dc2a3cde

SHA512
74745342097d43c0b0f3d305058c4fb0b4428073568fea737889572c4813808919568bdd34f36ac3f5ddb4827790ff93c9ea50ef115f1d518ccc24d134a192f3

Download Submit
C:\Windows\{9EA274DC-0015-4f55-8007-679660CEBAE0}.exe

Filesize
87KB

MD5
53e7a5344a6d4fa7523663fcc2e493d2

SHA1
e93bfdb63ce0fff38896bd4581a24205dde0196f

SHA256
5f6f13d2cd2d099ddcd27b602ecba234d42aae3166d5676365b9103f374d1704

SHA512
b060bdbe7b9957be9a784dffa75193dbce4d57431a9e78c984ca10883eee2006bc13ecd942a50202916e587def7a620be86a817696bf64ae7658dae2c8e169d1

Download Submit
C:\Windows\{EC8CC891-56E6-4380-ADD1-18269B7C03C3}.exe

Filesize
87KB

MD5
a5aca9a76546f27a40c074dd19fd5404

SHA1
081c0a52a25c62807b777893d5ead47aaa27f075

SHA256
b7d39c6c7f91750983899dcdc50299a4c3d5e5899f4f83059c63005f4e44f706

SHA512
88d2fe31f66d97ab5ab2279a067e9a1cc45a0a6fa16e0fa2e75d5ef85b5b781bb07a2665cd8d38ccd20644cdd7dc8e7330d933de6123171a0ed9e92197642ffd

Download Submit
C:\Windows\{EDC47BA6-901D-4e78-AF3D-86D9B3A60742}.exe

Filesize
87KB

MD5
e034a6ec86370912513d7678eeba8aee

SHA1
d87cf25d0b3a1115ac500ef50b1b883da8d45ac9

SHA256
e7c2d31075693505f07e0b189626c82853037ab665d731d6c54b8337ddf83182

SHA512
4a280ab2aa92709e48732277e16568aeb08537287179bff48b7040673b81c403b711b17c4949a3652a96bdfe02bd6c54b0b249d5efb0244fcc69763165cbcf3c

Download Submit
C:\Windows\{F2183D6F-9764-4000-9FE1-FF5FEA4ECDC5}.exe

Filesize
87KB

MD5
b31f13574886d150f00f09716441e0e5

SHA1
1c0bb23056a6ade2e1f07f5b358bc7c9c2a44ac3

SHA256
a56338c8def2c0ab3bbb56d1ef955799944d61f2c08ae34e5b70176026cbf4cc

SHA512
e030052333afedac3bfec4ca764890ae623fa22c908c4577ed3d46a670e45d520cb68144e9aabfde585634686b0175ce4b2ca1d59a63fc7f523cf5a9573e81c2

Download Submit
C:\Windows\{FB00C808-9AFE-493f-9100-57C75FEC2A0B}.exe

Filesize
87KB

MD5
b0e4e1d2d7332bc0743796191e85354c

SHA1
0f87740a3b9a67bf0b8d6c8a8ea74116bad4879b

SHA256
86a7f11a88d57579062563758db614c3d5cd82d8e02105323b8b1b2cb10a4fd3

SHA512
0ab5f7aa19e8a5a33f028103130802eb4135a6265967bf17ddcc4814ed32d08d42ff8575696bdffa4726203841c2ef211cfdd19ccd7cdf8cd067c047bc59e9da

Download Submit
C:\Windows\{FDD5091A-8D8B-4b6e-8840-2D0466B67388}.exe

Filesize
87KB

MD5
80ca34d8b034fa542188921821452ca3

SHA1
850982e585e3e3c2710315111a04e72afe18b8e7

SHA256
c5baa8b3e89751aa33ca3f9f0507c6364a8b3236656c07e5a099a859a5b55e38

SHA512
fd67e8fe39a8113d5629e8ba63e069a2028ab652a014020b353b1934f83a46eab4826e81c4dca61c109d065d864e9b471bccca93cc26524af8938aecf0587fc2

Download Submit
memory/1340-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1340-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1524-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1524-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2584-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2584-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2800-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3224-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3224-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3224-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3296-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3296-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3680-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3680-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3820-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3820-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4172-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4172-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4172-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4508-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4508-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads