9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6b

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe
Size

91KB
MD5

1e2b3437eac561d5e0abd77a07f97090
SHA1

0a43d1c8a50480314f907e7a2736e092ea52a8bf
SHA256

9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6b
SHA512

7b1851077fede5b0e3a8a464dc8989918b928d7921745258920bd89d384603d2292bc53f7c114bcd53d5bfaf12242b67c8e57a3217a58c89b31262355bf459da
SSDEEP

768:5vw9816uhKiroz4/wQNNrfrunMxVFA3bQ:lEGkmozlCunMxVS3E

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D1736B1-AB18-4f81-BD31-B070E9C29E18}	{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1E807DE-40B2-474a-A5C5-EF2A0FAE43D2}	{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}\stubpath = "C:\\Windows\\{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe"	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24FE5DB3-B61D-41fe-B19B-520971C6B492}	{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCF9D343-767B-48fc-B03F-67943CC26746}\stubpath = "C:\\Windows\\{CCF9D343-767B-48fc-B03F-67943CC26746}.exe"	{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61B84417-19DE-4385-A259-2C1EF9E30E36}\stubpath = "C:\\Windows\\{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe"	{CCF9D343-767B-48fc-B03F-67943CC26746}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E6D617D-9F53-4717-A591-FBEA46F026B0}\stubpath = "C:\\Windows\\{2E6D617D-9F53-4717-A591-FBEA46F026B0}.exe"	{A1E807DE-40B2-474a-A5C5-EF2A0FAE43D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ACF621E-2D99-498a-9423-8140E44AE39A}	{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCF9D343-767B-48fc-B03F-67943CC26746}	{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D1736B1-AB18-4f81-BD31-B070E9C29E18}\stubpath = "C:\\Windows\\{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe"	{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61B84417-19DE-4385-A259-2C1EF9E30E36}	{CCF9D343-767B-48fc-B03F-67943CC26746}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1E807DE-40B2-474a-A5C5-EF2A0FAE43D2}\stubpath = "C:\\Windows\\{A1E807DE-40B2-474a-A5C5-EF2A0FAE43D2}.exe"	{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ACF621E-2D99-498a-9423-8140E44AE39A}\stubpath = "C:\\Windows\\{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe"	{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F88EEB4-59D7-4a91-A41D-F799452AEB69}	{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F88EEB4-59D7-4a91-A41D-F799452AEB69}\stubpath = "C:\\Windows\\{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe"	{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E6D617D-9F53-4717-A591-FBEA46F026B0}	{A1E807DE-40B2-474a-A5C5-EF2A0FAE43D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24FE5DB3-B61D-41fe-B19B-520971C6B492}\stubpath = "C:\\Windows\\{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe"	{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2968	{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe
2088	{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe
3056	{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe
1932	{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe
2000	{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe
2028	{CCF9D343-767B-48fc-B03F-67943CC26746}.exe
1092	{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe
2404	{A1E807DE-40B2-474a-A5C5-EF2A0FAE43D2}.exe
1232	{2E6D617D-9F53-4717-A591-FBEA46F026B0}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe
File created	C:\Windows\{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe	{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe
File created	C:\Windows\{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe	{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe
File created	C:\Windows\{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe	{CCF9D343-767B-48fc-B03F-67943CC26746}.exe
File created	C:\Windows\{A1E807DE-40B2-474a-A5C5-EF2A0FAE43D2}.exe	{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe
File created	C:\Windows\{2E6D617D-9F53-4717-A591-FBEA46F026B0}.exe	{A1E807DE-40B2-474a-A5C5-EF2A0FAE43D2}.exe
File created	C:\Windows\{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe	{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe
File created	C:\Windows\{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe	{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe
File created	C:\Windows\{CCF9D343-767B-48fc-B03F-67943CC26746}.exe	{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CCF9D343-767B-48fc-B03F-67943CC26746}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A1E807DE-40B2-474a-A5C5-EF2A0FAE43D2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2E6D617D-9F53-4717-A591-FBEA46F026B0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2316	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe
Token: SeIncBasePriorityPrivilege	2968	{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe
Token: SeIncBasePriorityPrivilege	2088	{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe
Token: SeIncBasePriorityPrivilege	3056	{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe
Token: SeIncBasePriorityPrivilege	1932	{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe
Token: SeIncBasePriorityPrivilege	2000	{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe
Token: SeIncBasePriorityPrivilege	2028	{CCF9D343-767B-48fc-B03F-67943CC26746}.exe
Token: SeIncBasePriorityPrivilege	1092	{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe
Token: SeIncBasePriorityPrivilege	2404	{A1E807DE-40B2-474a-A5C5-EF2A0FAE43D2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2968	2316	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe	30
PID 2316 wrote to memory of 2968	2316	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe	30
PID 2316 wrote to memory of 2968	2316	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe	30
PID 2316 wrote to memory of 2968	2316	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe	30
PID 2316 wrote to memory of 2720	2316	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe	31
PID 2316 wrote to memory of 2720	2316	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe	31
PID 2316 wrote to memory of 2720	2316	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe	31
PID 2316 wrote to memory of 2720	2316	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe	31
PID 2968 wrote to memory of 2088	2968	{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe	32
PID 2968 wrote to memory of 2088	2968	{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe	32
PID 2968 wrote to memory of 2088	2968	{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe	32
PID 2968 wrote to memory of 2088	2968	{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe	32
PID 2968 wrote to memory of 2756	2968	{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe	33
PID 2968 wrote to memory of 2756	2968	{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe	33
PID 2968 wrote to memory of 2756	2968	{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe	33
PID 2968 wrote to memory of 2756	2968	{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe	33
PID 2088 wrote to memory of 3056	2088	{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe	35
PID 2088 wrote to memory of 3056	2088	{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe	35
PID 2088 wrote to memory of 3056	2088	{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe	35
PID 2088 wrote to memory of 3056	2088	{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe	35
PID 2088 wrote to memory of 2920	2088	{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe	36
PID 2088 wrote to memory of 2920	2088	{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe	36
PID 2088 wrote to memory of 2920	2088	{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe	36
PID 2088 wrote to memory of 2920	2088	{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe	36
PID 3056 wrote to memory of 1932	3056	{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe	37
PID 3056 wrote to memory of 1932	3056	{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe	37
PID 3056 wrote to memory of 1932	3056	{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe	37
PID 3056 wrote to memory of 1932	3056	{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe	37
PID 3056 wrote to memory of 576	3056	{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe	38
PID 3056 wrote to memory of 576	3056	{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe	38
PID 3056 wrote to memory of 576	3056	{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe	38
PID 3056 wrote to memory of 576	3056	{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe	38
PID 1932 wrote to memory of 2000	1932	{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe	39
PID 1932 wrote to memory of 2000	1932	{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe	39
PID 1932 wrote to memory of 2000	1932	{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe	39
PID 1932 wrote to memory of 2000	1932	{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe	39
PID 1932 wrote to memory of 112	1932	{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe	40
PID 1932 wrote to memory of 112	1932	{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe	40
PID 1932 wrote to memory of 112	1932	{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe	40
PID 1932 wrote to memory of 112	1932	{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe	40
PID 2000 wrote to memory of 2028	2000	{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe	41
PID 2000 wrote to memory of 2028	2000	{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe	41
PID 2000 wrote to memory of 2028	2000	{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe	41
PID 2000 wrote to memory of 2028	2000	{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe	41
PID 2000 wrote to memory of 1604	2000	{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe	42
PID 2000 wrote to memory of 1604	2000	{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe	42
PID 2000 wrote to memory of 1604	2000	{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe	42
PID 2000 wrote to memory of 1604	2000	{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe	42
PID 2028 wrote to memory of 1092	2028	{CCF9D343-767B-48fc-B03F-67943CC26746}.exe	43
PID 2028 wrote to memory of 1092	2028	{CCF9D343-767B-48fc-B03F-67943CC26746}.exe	43
PID 2028 wrote to memory of 1092	2028	{CCF9D343-767B-48fc-B03F-67943CC26746}.exe	43
PID 2028 wrote to memory of 1092	2028	{CCF9D343-767B-48fc-B03F-67943CC26746}.exe	43
PID 2028 wrote to memory of 820	2028	{CCF9D343-767B-48fc-B03F-67943CC26746}.exe	44
PID 2028 wrote to memory of 820	2028	{CCF9D343-767B-48fc-B03F-67943CC26746}.exe	44
PID 2028 wrote to memory of 820	2028	{CCF9D343-767B-48fc-B03F-67943CC26746}.exe	44
PID 2028 wrote to memory of 820	2028	{CCF9D343-767B-48fc-B03F-67943CC26746}.exe	44
PID 1092 wrote to memory of 2404	1092	{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe	45
PID 1092 wrote to memory of 2404	1092	{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe	45
PID 1092 wrote to memory of 2404	1092	{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe	45
PID 1092 wrote to memory of 2404	1092	{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe	45
PID 1092 wrote to memory of 2248	1092	{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe	46
PID 1092 wrote to memory of 2248	1092	{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe	46
PID 1092 wrote to memory of 2248	1092	{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe	46
PID 1092 wrote to memory of 2248	1092	{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe	46

C:\Users\Admin\AppData\Local\Temp\9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe
"C:\Users\Admin\AppData\Local\Temp\9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe
  C:\Windows\{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe
    C:\Windows\{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe
      C:\Windows\{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe
        
        C:\Windows\{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Windows\{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe
        
        C:\Windows\{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{CCF9D343-767B-48fc-B03F-67943CC26746}.exe
        
        C:\Windows\{CCF9D343-767B-48fc-B03F-67943CC26746}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe
        
        C:\Windows\{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\{A1E807DE-40B2-474a-A5C5-EF2A0FAE43D2}.exe
        
        C:\Windows\{A1E807DE-40B2-474a-A5C5-EF2A0FAE43D2}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\{2E6D617D-9F53-4717-A591-FBEA46F026B0}.exe
        
        C:\Windows\{2E6D617D-9F53-4717-A591-FBEA46F026B0}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1E80~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61B84~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCF9D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D173~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F88E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24FE5~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3ACF6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{09547~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9E993E~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{095478FC-C45E-4f57-AB34-9E3EAE0EBADF}.exe

Filesize
91KB

MD5
f0cb2767d086e91368f6ad9552288c4d

SHA1
2b6feb1534e0cd2d1766f7ace798f4d547b69301

SHA256
6042c5a054bdf02613cb6b8f593f1bf8631c19984c2c45a528ee0fe9ccca26c5

SHA512
7261a3db388f45d6fc8e36885b9b7e99c7fc3ebca43490882bee1fa21b0b0c2f2e5f9f985f6b086b57f7bfbea87267ca1d045eb21a23e78130c7accab698e2d6

Download Submit
C:\Windows\{24FE5DB3-B61D-41fe-B19B-520971C6B492}.exe

Filesize
91KB

MD5
40968caf41a62da2d9c5291932dfd858

SHA1
db387eb519aec779d71669c24cafa46b83552f73

SHA256
69289f880fa7b0af0ae88b35066869dc449fbf3ed2797b352da18c49b3493e12

SHA512
a819f28f07604e3a84d2c7a91d3c1a2717ad5b3fa305b3c72cb0283e342c563550ca596f43fb2185916619da66de48657bddc7e612b9430a6f1b6a88c3b00ebb

Download Submit
C:\Windows\{2E6D617D-9F53-4717-A591-FBEA46F026B0}.exe

Filesize
91KB

MD5
8ff57d81cb58301a5f3c4516173a14c9

SHA1
3d6d00fc71e47c32ce4875ed8e121b30d6c2de24

SHA256
d5b9d187a9e53bae3e35a5d8f9d9f938c9255431d79a3adfe8517c1d13ba73b5

SHA512
60f63d511c8a692ce47d51c0c277212b9a706ae6ba85b7109d5dac8e78b807a883800c67c94ef5150f70af9e7183be2647a910327e0a91d49babdacd93a3503f

Download Submit
C:\Windows\{2F88EEB4-59D7-4a91-A41D-F799452AEB69}.exe

Filesize
91KB

MD5
67af597df1db1d6214158dde3e0d1fc1

SHA1
f611473a971aec204883ee90f2280095c66199dc

SHA256
9ba5c467d3505dd436597c018cc8f853cdaaa380e2e4d4a222fb7fd751581573

SHA512
52f408c0c8ec9f8acc8bf53dabd469d0f6f0aa6d1a83053c73889976dd6ca90a221c0a09fc9e7ed5ac1f00c741966503a39ec89e76582e4de7469e2917e267fd

Download Submit
C:\Windows\{3ACF621E-2D99-498a-9423-8140E44AE39A}.exe

Filesize
91KB

MD5
fdd4df1068037b4eec9d38e6e8ad84e4

SHA1
634d76cf898129ebdc9aedcb66cbb7a94b2c7b4e

SHA256
d71677f902fa8f3753e9203d62d8912b2a9cc4ea7d1c7f2917669161342d7740

SHA512
84a44ba510cb7586b653a234b7eb90873856d8a49d473e5662d0f5ef96afef083a6004bbb202d5b298160349b5e2b2ae176f303dea3b2378e20408e564cd363b

Download Submit
C:\Windows\{61B84417-19DE-4385-A259-2C1EF9E30E36}.exe

Filesize
91KB

MD5
a56128adc385f25dceecfce4ef255d40

SHA1
67bea69dcb31fbe8822ef20855d195aca6c92d0c

SHA256
432c93079f91f13d14204c1528a24dc278e72c5b32f43e54edbaa3d12d3a9bba

SHA512
eb41bc2aadfcc3da3bba778d233a14c76c2412faa5ef8af00c6fdb88a6f18767f096554093e2850d83af61ad00387db67aa677daf965b8d1dad8729f0dd37200

Download Submit
C:\Windows\{7D1736B1-AB18-4f81-BD31-B070E9C29E18}.exe

Filesize
91KB

MD5
502a431a5f418327ad4cc86c46fac878

SHA1
2521a3027525d0c8f2179a482d98125e863b3da9

SHA256
dbc265afd8d9f508a4a9eacd7bf47b0de81aa5454ad27d4b403de3f935c539a7

SHA512
ff2b57dca838bc9c0e9876f01e3e38e6bead3d7924b488f7e804045d1014fe67012aba67cfe0924de31cd66bfbeaa79094041c0fb69206d68d9ca0d41b7ab340

Download Submit
C:\Windows\{A1E807DE-40B2-474a-A5C5-EF2A0FAE43D2}.exe

Filesize
91KB

MD5
a8892b67ad0bf7352dc83479092f3888

SHA1
d2912e1f8b4d46f3f294caa35431918abacfa537

SHA256
bfef56a364e77ac2d70e4a66dc2f2d1e2f4da6a600a6bfb0c6eae167c0189f34

SHA512
cf672896b8059a6e0129219564ef75f2de0bbb8baa6963c4ef4c0af6a8e053e98a2b4aaa49e39ff6ee833b0a7881952aae861e04c4a56147d91fc78706e1d352

Download Submit
C:\Windows\{CCF9D343-767B-48fc-B03F-67943CC26746}.exe

Filesize
91KB

MD5
1be315cba30c0a16e9aa56db50532a9a

SHA1
ca9500d65bb31c303cbd42152f6c590f6697b5e3

SHA256
727edbf8d58b4dc6efd9ff89902c4100be4f27e1ba216c773576d4ba57b18593

SHA512
6df30cf8462576ddff3ad9e064f615bac21e77f5944525ed338b2c0ca367f5a76e8cbd3d0979a0616ba3300452d20b2f658adf152547c7a379bd429c7d61d95c

Download Submit
memory/1092-68-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/1092-74-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1932-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1932-41-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2000-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2000-50-0x00000000004A0000-0x00000000004B1000-memory.dmp

Filesize
68KB

Download
memory/2028-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-59-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/2088-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2088-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2316-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2316-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2316-3-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2316-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2404-77-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/2404-83-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2968-13-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2968-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3056-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3056-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3056-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3056-32-0x0000000002790000-0x00000000027A1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads