2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9N.exe
Size

79KB
MD5

8426c4e5639e86c2085bcdc675576240
SHA1

728cd29a62f84e24470f0e649e998dab09acf662
SHA256

2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9
SHA512

034ca5b4b4a46d9d1e748b75e61b4a7146c66d6c322e000ca477e25efdb25b51fe9790f223a0664352cd450708331f829bf95cfeab8643f8c93a328c08a1fd84
SSDEEP

768:4vw9816vhKQLroD4/wQpWMZ3XOQ69zbjlAAX5e9zz:wEGh0oDloWMZ3izbR9Xwzz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D6F78B1-B46E-47a5-B275-36F064971E5F}	{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72295FF0-E1FC-4055-9626-FEBBED419EBE}	{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72295FF0-E1FC-4055-9626-FEBBED419EBE}\stubpath = "C:\\Windows\\{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe"	{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEAD15BE-096D-4bb2-8B28-9ED5889C1507}\stubpath = "C:\\Windows\\{CEAD15BE-096D-4bb2-8B28-9ED5889C1507}.exe"	{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1667DD5D-E139-491d-8D05-A4D8F94D2E2C}\stubpath = "C:\\Windows\\{1667DD5D-E139-491d-8D05-A4D8F94D2E2C}.exe"	{CEAD15BE-096D-4bb2-8B28-9ED5889C1507}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EECB03EA-9FD8-4acb-B556-D521F4086C99}\stubpath = "C:\\Windows\\{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe"	2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E6C4470-822A-447f-B943-F55067FC9DD1}	{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E6C4470-822A-447f-B943-F55067FC9DD1}\stubpath = "C:\\Windows\\{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe"	{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}\stubpath = "C:\\Windows\\{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe"	{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEAD15BE-096D-4bb2-8B28-9ED5889C1507}	{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1667DD5D-E139-491d-8D05-A4D8F94D2E2C}	{CEAD15BE-096D-4bb2-8B28-9ED5889C1507}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}\stubpath = "C:\\Windows\\{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe"	{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}\stubpath = "C:\\Windows\\{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe"	{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D6F78B1-B46E-47a5-B275-36F064971E5F}\stubpath = "C:\\Windows\\{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe"	{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}	{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EECB03EA-9FD8-4acb-B556-D521F4086C99}	2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}	{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}	{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2124	{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe
2764	{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe
2956	{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe
2808	{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe
3036	{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe
1136	{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe
2428	{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe
2396	{CEAD15BE-096D-4bb2-8B28-9ED5889C1507}.exe
848	{1667DD5D-E139-491d-8D05-A4D8F94D2E2C}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe	{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe
File created	C:\Windows\{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe	{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe
File created	C:\Windows\{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe	2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9N.exe
File created	C:\Windows\{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe	{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe
File created	C:\Windows\{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe	{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe
File created	C:\Windows\{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe	{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe
File created	C:\Windows\{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe	{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe
File created	C:\Windows\{CEAD15BE-096D-4bb2-8B28-9ED5889C1507}.exe	{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe
File created	C:\Windows\{1667DD5D-E139-491d-8D05-A4D8F94D2E2C}.exe	{CEAD15BE-096D-4bb2-8B28-9ED5889C1507}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CEAD15BE-096D-4bb2-8B28-9ED5889C1507}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1667DD5D-E139-491d-8D05-A4D8F94D2E2C}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2216	2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9N.exe
Token: SeIncBasePriorityPrivilege	2124	{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe
Token: SeIncBasePriorityPrivilege	2764	{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe
Token: SeIncBasePriorityPrivilege	2956	{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe
Token: SeIncBasePriorityPrivilege	2808	{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe
Token: SeIncBasePriorityPrivilege	3036	{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe
Token: SeIncBasePriorityPrivilege	1136	{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe
Token: SeIncBasePriorityPrivilege	2428	{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe
Token: SeIncBasePriorityPrivilege	2396	{CEAD15BE-096D-4bb2-8B28-9ED5889C1507}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2124	2216	2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9N.exe	31
PID 2216 wrote to memory of 2124	2216	2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9N.exe	31
PID 2216 wrote to memory of 2124	2216	2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9N.exe	31
PID 2216 wrote to memory of 2124	2216	2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9N.exe	31
PID 2216 wrote to memory of 2532	2216	2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9N.exe	32
PID 2216 wrote to memory of 2532	2216	2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9N.exe	32
PID 2216 wrote to memory of 2532	2216	2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9N.exe	32
PID 2216 wrote to memory of 2532	2216	2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9N.exe	32
PID 2124 wrote to memory of 2764	2124	{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe	33
PID 2124 wrote to memory of 2764	2124	{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe	33
PID 2124 wrote to memory of 2764	2124	{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe	33
PID 2124 wrote to memory of 2764	2124	{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe	33
PID 2124 wrote to memory of 2864	2124	{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe	34
PID 2124 wrote to memory of 2864	2124	{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe	34
PID 2124 wrote to memory of 2864	2124	{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe	34
PID 2124 wrote to memory of 2864	2124	{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe	34
PID 2764 wrote to memory of 2956	2764	{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe	35
PID 2764 wrote to memory of 2956	2764	{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe	35
PID 2764 wrote to memory of 2956	2764	{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe	35
PID 2764 wrote to memory of 2956	2764	{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe	35
PID 2764 wrote to memory of 2888	2764	{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe	36
PID 2764 wrote to memory of 2888	2764	{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe	36
PID 2764 wrote to memory of 2888	2764	{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe	36
PID 2764 wrote to memory of 2888	2764	{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe	36
PID 2956 wrote to memory of 2808	2956	{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe	37
PID 2956 wrote to memory of 2808	2956	{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe	37
PID 2956 wrote to memory of 2808	2956	{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe	37
PID 2956 wrote to memory of 2808	2956	{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe	37
PID 2956 wrote to memory of 2860	2956	{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe	38
PID 2956 wrote to memory of 2860	2956	{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe	38
PID 2956 wrote to memory of 2860	2956	{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe	38
PID 2956 wrote to memory of 2860	2956	{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe	38
PID 2808 wrote to memory of 3036	2808	{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe	39
PID 2808 wrote to memory of 3036	2808	{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe	39
PID 2808 wrote to memory of 3036	2808	{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe	39
PID 2808 wrote to memory of 3036	2808	{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe	39
PID 2808 wrote to memory of 584	2808	{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe	40
PID 2808 wrote to memory of 584	2808	{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe	40
PID 2808 wrote to memory of 584	2808	{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe	40
PID 2808 wrote to memory of 584	2808	{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe	40
PID 3036 wrote to memory of 1136	3036	{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe	41
PID 3036 wrote to memory of 1136	3036	{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe	41
PID 3036 wrote to memory of 1136	3036	{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe	41
PID 3036 wrote to memory of 1136	3036	{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe	41
PID 3036 wrote to memory of 1020	3036	{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe	42
PID 3036 wrote to memory of 1020	3036	{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe	42
PID 3036 wrote to memory of 1020	3036	{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe	42
PID 3036 wrote to memory of 1020	3036	{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe	42
PID 1136 wrote to memory of 2428	1136	{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe	43
PID 1136 wrote to memory of 2428	1136	{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe	43
PID 1136 wrote to memory of 2428	1136	{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe	43
PID 1136 wrote to memory of 2428	1136	{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe	43
PID 1136 wrote to memory of 1156	1136	{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe	44
PID 1136 wrote to memory of 1156	1136	{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe	44
PID 1136 wrote to memory of 1156	1136	{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe	44
PID 1136 wrote to memory of 1156	1136	{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe	44
PID 2428 wrote to memory of 2396	2428	{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe	45
PID 2428 wrote to memory of 2396	2428	{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe	45
PID 2428 wrote to memory of 2396	2428	{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe	45
PID 2428 wrote to memory of 2396	2428	{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe	45
PID 2428 wrote to memory of 1608	2428	{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe	46
PID 2428 wrote to memory of 1608	2428	{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe	46
PID 2428 wrote to memory of 1608	2428	{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe	46
PID 2428 wrote to memory of 1608	2428	{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe	46

C:\Users\Admin\AppData\Local\Temp\2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9N.exe
"C:\Users\Admin\AppData\Local\Temp\2f4d7f59e4d5e8228ad8171bc0dbacf85ee3bd2b6af0f65c918fb218a9ecb9f9N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe
  C:\Windows\{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe
    C:\Windows\{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe
      C:\Windows\{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe
        
        C:\Windows\{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Windows\{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe
        
        C:\Windows\{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe
        
        C:\Windows\{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe
        
        C:\Windows\{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\{CEAD15BE-096D-4bb2-8B28-9ED5889C1507}.exe
        
        C:\Windows\{CEAD15BE-096D-4bb2-8B28-9ED5889C1507}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\{1667DD5D-E139-491d-8D05-A4D8F94D2E2C}.exe
        
        C:\Windows\{1667DD5D-E139-491d-8D05-A4D8F94D2E2C}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEAD1~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72295~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D6F7~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E6C4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07D5F~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68857~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5A698~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EECB0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2F4D7F~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07D5F68F-D43B-4299-8AA5-3508C39AE5D0}.exe

Filesize
79KB

MD5
cae005768b2d61b8409c7145ba9e5a2f

SHA1
cb4a3e55e08546855d1f4a2b9b66784fed7ed7be

SHA256
74437db4b3e025917d6175fce95bdbf196412e7b4adb5390aae87ec1a2ea7772

SHA512
118f64ab9766cd4b7d39dd32152e94a51e9c13c5213ebe30d6de43c0eb30f492f6b21a3d6cdab174cd9917fd10f9a6f7399ccb95c898fb75fb2d63bea779ebbf

Download Submit
C:\Windows\{1667DD5D-E139-491d-8D05-A4D8F94D2E2C}.exe

Filesize
79KB

MD5
bc3c11f2b7f7c4c98873ea8d6f2e34b5

SHA1
67c4e3095fb90349ffdb4cea2533ea93e7d65b83

SHA256
d4b3e67b16743283b4487ea96172d66ebbc07d0c136cd0661748d7f9cd3be267

SHA512
5d6b77bac7e1f9ad3dffa5c8f055c68b8deafc0d79fe466f3bfb5eb21748193097ab3b0f0e2e9085f230252dbc756a64e9c46289e9264ce2a27c4c6b72b7a0b4

Download Submit
C:\Windows\{4D6F78B1-B46E-47a5-B275-36F064971E5F}.exe

Filesize
79KB

MD5
5693087ef9cd1706b5fdb9316260f330

SHA1
f15088ecf6fd85fbf7fff7223668fb2a08f201e2

SHA256
360dd0bceb1ba12622d871c846323d5fc277256655fc6dea420c1688a575bedb

SHA512
5fc3bd2ce787dc8019dd4d9d62cf194665aca34b108fbb6b9ab6cac3f2282d925e5d5885fea249c435062faaeee85ee20fe57d9957e5e58a8445c0f15b5f8d7d

Download Submit
C:\Windows\{5A698A9E-8978-4bdc-AFF4-2DF3C86CADED}.exe

Filesize
79KB

MD5
13ea18b0b7261d0413054ef2f2a1e7f7

SHA1
49dc6b15f7d1f85a2feb0558ec6c4a8ffb1c6a04

SHA256
ebc1b9a4a4d3d6e4d8285c66bee795fa1035a01b277d67e393b37d6ef1b07595

SHA512
9f398e54d923d631eaad1d4f697a6f9515f519bef40a70d8ac2c9621d08b7c389fa803b780edd5cb33eb2a76b237681a4b9e4f23d222a7947994f0ed8eb60ea9

Download Submit
C:\Windows\{688571D4-1999-4d60-9BA9-9F23AEDBCFAD}.exe

Filesize
79KB

MD5
40556e6e1f1d24fc249e5a50c7f51afc

SHA1
d1790b12ad0374317d2e33c5362872c11277416b

SHA256
24e61bc6b6c2fab7f6d7bc9a84e6380bd1daa6a5056c4787919be0b43ea27505

SHA512
5417f7bb1bd206753c6e5c50dffef2d702e3e2dddb7122e2451c2b16583e3a2231475c074d560124c9bb480f6dfa5bb564eb7ce9eac4ca0ba9ecb17e05fae664

Download Submit
C:\Windows\{72295FF0-E1FC-4055-9626-FEBBED419EBE}.exe

Filesize
79KB

MD5
733472cbf301834855e63df08e897c33

SHA1
54f62b7569c30e761494fb6fe0b31923291201d6

SHA256
88905b0fbcf8680af54231e7b934e02f888067776f1ae9783102e2eb1395dbda

SHA512
e852828ecc8cc496a79adee423ee4386565021502e10acb515f3876b2e15a1e86f4338715f3422142dfd44217923b6cb1c7713ae46f4ce850df880b33f081be2

Download Submit
C:\Windows\{9E6C4470-822A-447f-B943-F55067FC9DD1}.exe

Filesize
79KB

MD5
b571006c39e00d7ba7c716538b6feb57

SHA1
35a5ebbaf01b6b450e1e872ab94fc208a525a8ae

SHA256
e04fe9976403353c2f6068072745e6ebce90917fecbb9f9962a0ef56d9c58548

SHA512
b750685761cf4b8eda711912de3e957b5f648a20e7d61774530deaa1fb255779efc6ef2bcc0d217b6e1ba159f0386decd3ef2db193a51ea3e39eecbe0bdbe7ad

Download Submit
C:\Windows\{CEAD15BE-096D-4bb2-8B28-9ED5889C1507}.exe

Filesize
79KB

MD5
552ead5a2fc383c42026f2525a9e72a4

SHA1
8f519db328e1db5f644615adb00428002283254c

SHA256
3c4a868d9bcdeb7299235920c4730edc4ff838e4374952cc8358225b1ef2fa89

SHA512
0b695759da0201fe3fc706f81b871ac38419d332a50fed7d09032c565a0ffba88df523a7723ada4eda72d7beb0e37135a6631681b3bafbf18bf2e60dfad90608

Download Submit
C:\Windows\{EECB03EA-9FD8-4acb-B556-D521F4086C99}.exe

Filesize
79KB

MD5
d34947c47f0391a2df2af5d6b0107410

SHA1
b5a1c5552da6b2711a37fbcdfb29ad0c17c5f96e

SHA256
3207583d701f643352aab34af294e391965e22ce9493bb23f500e8e126628481

SHA512
4bef65aa984efc2becc008d0187c8110b34d336a4caa6c505b257a837713b5ebe652f9ab723f3d9e255b777e17d35152b2e32c3d06bffd2a7cbecf5fa4f2d9d6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads