404dc2e74bd58fa3bf98162778edceb8e2a3064f8d4a3a77f245e553d08eff63

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68b97e4931a92fexeexeexeex.exe
Size

192KB
MD5

68b97e4931a92fb45959eecca0c86247
SHA1

0f8328042c6a9f85a622d251bd35c4857e4ab6a4
SHA256

404dc2e74bd58fa3bf98162778edceb8e2a3064f8d4a3a77f245e553d08eff63
SHA512

2a969ab0003821fe00ef0ec02b9e03676389cdd8432895be00af142ec9cc997b1332ca79f3218eb54175ec555fbcad24af23f107da44b3c5e57a073e9f56bde6
SSDEEP

1536:1EGh0oKl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oKl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2D9904A-7364-4b39-B480-52A2DEF873CF}\stubpath = "C:\\Windows\\{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe"	{24B062C8-3393-405f-957C-05F0027E8967}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11ED9600-AD0A-4387-A53B-070905EA927B}	{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98B530A8-A85C-4b4c-B44C-1DB824EE052D}\stubpath = "C:\\Windows\\{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe"	{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9938BC1-5272-4318-9940-9AD20480AE0F}\stubpath = "C:\\Windows\\{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe"	{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}\stubpath = "C:\\Windows\\{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe"	{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49E49D7B-8446-4a8b-828E-6EDE515AB749}\stubpath = "C:\\Windows\\{49E49D7B-8446-4a8b-828E-6EDE515AB749}.exe"	{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB4EEB8C-FAFD-4161-B2BB-F143B2B3DB7F}\stubpath = "C:\\Windows\\{DB4EEB8C-FAFD-4161-B2BB-F143B2B3DB7F}.exe"	{49E49D7B-8446-4a8b-828E-6EDE515AB749}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24B062C8-3393-405f-957C-05F0027E8967}\stubpath = "C:\\Windows\\{24B062C8-3393-405f-957C-05F0027E8967}.exe"	68b97e4931a92fexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11ED9600-AD0A-4387-A53B-070905EA927B}\stubpath = "C:\\Windows\\{11ED9600-AD0A-4387-A53B-070905EA927B}.exe"	{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A8E304-D4FC-40d1-B406-F301878BEBA4}	{11ED9600-AD0A-4387-A53B-070905EA927B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A8E304-D4FC-40d1-B406-F301878BEBA4}\stubpath = "C:\\Windows\\{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe"	{11ED9600-AD0A-4387-A53B-070905EA927B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}\stubpath = "C:\\Windows\\{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe"	{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49E49D7B-8446-4a8b-828E-6EDE515AB749}	{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24B062C8-3393-405f-957C-05F0027E8967}	68b97e4931a92fexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98B530A8-A85C-4b4c-B44C-1DB824EE052D}	{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9938BC1-5272-4318-9940-9AD20480AE0F}	{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28A7C420-98DD-4323-A1E0-35CEB2906D89}	{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{878D5C95-9413-4f73-AEEE-4B5FD774FF95}	{DB4EEB8C-FAFD-4161-B2BB-F143B2B3DB7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2D9904A-7364-4b39-B480-52A2DEF873CF}	{24B062C8-3393-405f-957C-05F0027E8967}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28A7C420-98DD-4323-A1E0-35CEB2906D89}\stubpath = "C:\\Windows\\{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe"	{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}	{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB4EEB8C-FAFD-4161-B2BB-F143B2B3DB7F}	{49E49D7B-8446-4a8b-828E-6EDE515AB749}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{878D5C95-9413-4f73-AEEE-4B5FD774FF95}\stubpath = "C:\\Windows\\{878D5C95-9413-4f73-AEEE-4B5FD774FF95}.exe"	{DB4EEB8C-FAFD-4161-B2BB-F143B2B3DB7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}	{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe

Executes dropped EXE 12 IoCs

pid	Process
1848	{24B062C8-3393-405f-957C-05F0027E8967}.exe
4348	{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe
5068	{11ED9600-AD0A-4387-A53B-070905EA927B}.exe
2564	{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe
3156	{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe
1292	{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe
4740	{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe
444	{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe
1768	{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe
3644	{49E49D7B-8446-4a8b-828E-6EDE515AB749}.exe
1996	{DB4EEB8C-FAFD-4161-B2BB-F143B2B3DB7F}.exe
3492	{878D5C95-9413-4f73-AEEE-4B5FD774FF95}.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{528F6AF4-B80F-4970-A476-0FBABC3688EA}.catalogItem	svchost.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe	{24B062C8-3393-405f-957C-05F0027E8967}.exe
File created	C:\Windows\{11ED9600-AD0A-4387-A53B-070905EA927B}.exe	{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe
File created	C:\Windows\{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe	{11ED9600-AD0A-4387-A53B-070905EA927B}.exe
File created	C:\Windows\{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe	{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe
File created	C:\Windows\{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe	{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe
File created	C:\Windows\{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe	{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe
File created	C:\Windows\{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe	{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe
File created	C:\Windows\{49E49D7B-8446-4a8b-828E-6EDE515AB749}.exe	{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe
File created	C:\Windows\{24B062C8-3393-405f-957C-05F0027E8967}.exe	68b97e4931a92fexeexeexeex.exe
File created	C:\Windows\{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe	{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe
File created	C:\Windows\{DB4EEB8C-FAFD-4161-B2BB-F143B2B3DB7F}.exe	{49E49D7B-8446-4a8b-828E-6EDE515AB749}.exe
File created	C:\Windows\{878D5C95-9413-4f73-AEEE-4B5FD774FF95}.exe	{DB4EEB8C-FAFD-4161-B2BB-F143B2B3DB7F}.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1760	68b97e4931a92fexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1848	{24B062C8-3393-405f-957C-05F0027E8967}.exe
Token: SeIncBasePriorityPrivilege	4348	{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe
Token: SeIncBasePriorityPrivilege	5068	{11ED9600-AD0A-4387-A53B-070905EA927B}.exe
Token: SeIncBasePriorityPrivilege	2564	{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe
Token: SeIncBasePriorityPrivilege	3156	{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe
Token: SeIncBasePriorityPrivilege	1292	{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe
Token: SeIncBasePriorityPrivilege	4740	{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe
Token: SeIncBasePriorityPrivilege	444	{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe
Token: SeIncBasePriorityPrivilege	1768	{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe
Token: SeIncBasePriorityPrivilege	3644	{49E49D7B-8446-4a8b-828E-6EDE515AB749}.exe
Token: SeIncBasePriorityPrivilege	1996	{DB4EEB8C-FAFD-4161-B2BB-F143B2B3DB7F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1848	1760	68b97e4931a92fexeexeexeex.exe	80
PID 1760 wrote to memory of 1848	1760	68b97e4931a92fexeexeexeex.exe	80
PID 1760 wrote to memory of 1848	1760	68b97e4931a92fexeexeexeex.exe	80
PID 1760 wrote to memory of 3524	1760	68b97e4931a92fexeexeexeex.exe	81
PID 1760 wrote to memory of 3524	1760	68b97e4931a92fexeexeexeex.exe	81
PID 1760 wrote to memory of 3524	1760	68b97e4931a92fexeexeexeex.exe	81
PID 1848 wrote to memory of 4348	1848	{24B062C8-3393-405f-957C-05F0027E8967}.exe	82
PID 1848 wrote to memory of 4348	1848	{24B062C8-3393-405f-957C-05F0027E8967}.exe	82
PID 1848 wrote to memory of 4348	1848	{24B062C8-3393-405f-957C-05F0027E8967}.exe	82
PID 1848 wrote to memory of 4756	1848	{24B062C8-3393-405f-957C-05F0027E8967}.exe	83
PID 1848 wrote to memory of 4756	1848	{24B062C8-3393-405f-957C-05F0027E8967}.exe	83
PID 1848 wrote to memory of 4756	1848	{24B062C8-3393-405f-957C-05F0027E8967}.exe	83
PID 4348 wrote to memory of 5068	4348	{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe	84
PID 4348 wrote to memory of 5068	4348	{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe	84
PID 4348 wrote to memory of 5068	4348	{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe	84
PID 4348 wrote to memory of 3112	4348	{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe	85
PID 4348 wrote to memory of 3112	4348	{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe	85
PID 4348 wrote to memory of 3112	4348	{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe	85
PID 5068 wrote to memory of 2564	5068	{11ED9600-AD0A-4387-A53B-070905EA927B}.exe	86
PID 5068 wrote to memory of 2564	5068	{11ED9600-AD0A-4387-A53B-070905EA927B}.exe	86
PID 5068 wrote to memory of 2564	5068	{11ED9600-AD0A-4387-A53B-070905EA927B}.exe	86
PID 5068 wrote to memory of 208	5068	{11ED9600-AD0A-4387-A53B-070905EA927B}.exe	87
PID 5068 wrote to memory of 208	5068	{11ED9600-AD0A-4387-A53B-070905EA927B}.exe	87
PID 5068 wrote to memory of 208	5068	{11ED9600-AD0A-4387-A53B-070905EA927B}.exe	87
PID 2564 wrote to memory of 3156	2564	{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe	88
PID 2564 wrote to memory of 3156	2564	{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe	88
PID 2564 wrote to memory of 3156	2564	{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe	88
PID 2564 wrote to memory of 4992	2564	{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe	89
PID 2564 wrote to memory of 4992	2564	{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe	89
PID 2564 wrote to memory of 4992	2564	{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe	89
PID 3156 wrote to memory of 1292	3156	{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe	90
PID 3156 wrote to memory of 1292	3156	{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe	90
PID 3156 wrote to memory of 1292	3156	{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe	90
PID 3156 wrote to memory of 4200	3156	{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe	91
PID 3156 wrote to memory of 4200	3156	{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe	91
PID 3156 wrote to memory of 4200	3156	{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe	91
PID 1292 wrote to memory of 4740	1292	{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe	92
PID 1292 wrote to memory of 4740	1292	{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe	92
PID 1292 wrote to memory of 4740	1292	{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe	92
PID 1292 wrote to memory of 2228	1292	{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe	93
PID 1292 wrote to memory of 2228	1292	{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe	93
PID 1292 wrote to memory of 2228	1292	{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe	93
PID 4740 wrote to memory of 444	4740	{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe	94
PID 4740 wrote to memory of 444	4740	{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe	94
PID 4740 wrote to memory of 444	4740	{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe	94
PID 4740 wrote to memory of 4128	4740	{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe	95
PID 4740 wrote to memory of 4128	4740	{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe	95
PID 4740 wrote to memory of 4128	4740	{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe	95
PID 444 wrote to memory of 1768	444	{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe	96
PID 444 wrote to memory of 1768	444	{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe	96
PID 444 wrote to memory of 1768	444	{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe	96
PID 444 wrote to memory of 5056	444	{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe	97
PID 444 wrote to memory of 5056	444	{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe	97
PID 444 wrote to memory of 5056	444	{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe	97
PID 1768 wrote to memory of 3644	1768	{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe	98
PID 1768 wrote to memory of 3644	1768	{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe	98
PID 1768 wrote to memory of 3644	1768	{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe	98
PID 1768 wrote to memory of 3876	1768	{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe	99
PID 1768 wrote to memory of 3876	1768	{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe	99
PID 1768 wrote to memory of 3876	1768	{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe	99
PID 3644 wrote to memory of 1996	3644	{49E49D7B-8446-4a8b-828E-6EDE515AB749}.exe	101
PID 3644 wrote to memory of 1996	3644	{49E49D7B-8446-4a8b-828E-6EDE515AB749}.exe	101
PID 3644 wrote to memory of 1996	3644	{49E49D7B-8446-4a8b-828E-6EDE515AB749}.exe	101
PID 3644 wrote to memory of 2364	3644	{49E49D7B-8446-4a8b-828E-6EDE515AB749}.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\68b97e4931a92fexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\68b97e4931a92fexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\{24B062C8-3393-405f-957C-05F0027E8967}.exe
  C:\Windows\{24B062C8-3393-405f-957C-05F0027E8967}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe
    C:\Windows\{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\{11ED9600-AD0A-4387-A53B-070905EA927B}.exe
      C:\Windows\{11ED9600-AD0A-4387-A53B-070905EA927B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Windows\{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe
        
        C:\Windows\{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Windows\{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe
        
        C:\Windows\{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe
        
        C:\Windows\{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe
        
        C:\Windows\{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe
        
        C:\Windows\{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe
        
        C:\Windows\{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{49E49D7B-8446-4a8b-828E-6EDE515AB749}.exe
        
        C:\Windows\{49E49D7B-8446-4a8b-828E-6EDE515AB749}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49E49~1.EXE > nul
        12⤵
        
        PID:2364
        
        C:\Windows\{DB4EEB8C-FAFD-4161-B2BB-F143B2B3DB7F}.exe
        
        C:\Windows\{DB4EEB8C-FAFD-4161-B2BB-F143B2B3DB7F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB4EE~1.EXE > nul
        13⤵
        
        PID:4928
        
        C:\Windows\{878D5C95-9413-4f73-AEEE-4B5FD774FF95}.exe
        
        C:\Windows\{878D5C95-9413-4f73-AEEE-4B5FD774FF95}.exe
        13⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DE00~1.EXE > nul
        11⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28A7C~1.EXE > nul
        10⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFDE8~1.EXE > nul
        9⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9938~1.EXE > nul
        8⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98B53~1.EXE > nul
        7⤵
        
        PID:4200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34A8E~1.EXE > nul
        6⤵
        
        PID:4992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11ED9~1.EXE > nul
        5⤵
        
        PID:208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A2D99~1.EXE > nul
      4⤵
      PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{24B06~1.EXE > nul
    3⤵
    PID:4756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\68B97E~1.EXE > nul
  2⤵
  PID:3524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:3784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11ED9600-AD0A-4387-A53B-070905EA927B}.exe

Filesize
192KB

MD5
1c934b72ae3b7d231a8fde97ce7cf66a

SHA1
26a38df1086ab5d3fb80652ec5dd29df31da93c9

SHA256
e38dc9b7f1357935803a9c16b3a3c905b18ce7dee1334a43dbd2b7d582e6d318

SHA512
acb9673f47ba5f93ace6862ebd2280af784a1df1e01015c2eb78603b233c1d630b19acc4ca430691aae14c6e8bb9da09a0864736a674483620a616d3676c90ca

Download Submit
C:\Windows\{11ED9600-AD0A-4387-A53B-070905EA927B}.exe

Filesize
192KB

MD5
1c934b72ae3b7d231a8fde97ce7cf66a

SHA1
26a38df1086ab5d3fb80652ec5dd29df31da93c9

SHA256
e38dc9b7f1357935803a9c16b3a3c905b18ce7dee1334a43dbd2b7d582e6d318

SHA512
acb9673f47ba5f93ace6862ebd2280af784a1df1e01015c2eb78603b233c1d630b19acc4ca430691aae14c6e8bb9da09a0864736a674483620a616d3676c90ca

Download Submit
C:\Windows\{11ED9600-AD0A-4387-A53B-070905EA927B}.exe

Filesize
192KB

MD5
1c934b72ae3b7d231a8fde97ce7cf66a

SHA1
26a38df1086ab5d3fb80652ec5dd29df31da93c9

SHA256
e38dc9b7f1357935803a9c16b3a3c905b18ce7dee1334a43dbd2b7d582e6d318

SHA512
acb9673f47ba5f93ace6862ebd2280af784a1df1e01015c2eb78603b233c1d630b19acc4ca430691aae14c6e8bb9da09a0864736a674483620a616d3676c90ca

Download Submit
C:\Windows\{24B062C8-3393-405f-957C-05F0027E8967}.exe

Filesize
192KB

MD5
b0fe6d80f14e67b115bf2d1f39c04ca7

SHA1
c42a1c02cca43bd986822a9a0170421545e39eee

SHA256
494e6fcc1a83ed7eeaf6fbad549de4dac16e6d5c3123081d37bfdd66683375c4

SHA512
a01cad0b88013d4606af4bbd1aa8abee9327cfdb9632a7ef49064e94fda0fa2fcbadf1e3a5bb269795483fa0107e195e20c3b8061ea987ea09ea241d419f9af0

Download Submit
C:\Windows\{24B062C8-3393-405f-957C-05F0027E8967}.exe

Filesize
192KB

MD5
b0fe6d80f14e67b115bf2d1f39c04ca7

SHA1
c42a1c02cca43bd986822a9a0170421545e39eee

SHA256
494e6fcc1a83ed7eeaf6fbad549de4dac16e6d5c3123081d37bfdd66683375c4

SHA512
a01cad0b88013d4606af4bbd1aa8abee9327cfdb9632a7ef49064e94fda0fa2fcbadf1e3a5bb269795483fa0107e195e20c3b8061ea987ea09ea241d419f9af0

Download Submit
C:\Windows\{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe

Filesize
192KB

MD5
d51d0eb7404fba73d7b149abf0e5028d

SHA1
05f08139e195018f4a3de229d8178e9057c4f50f

SHA256
13c716bff73bedc73072432ebfb48abf3652abf067eeefaa72e4b3899372d3e8

SHA512
97d6e9a3e7422f7b52f7d2b954e89f98d1cc1552ad19a8b72c8ff3e444c760c7f3f06db65c5ebae31d0cf099f30800e7f6ee72b5456f8cbc984f965fc1c8f558

Download Submit
C:\Windows\{28A7C420-98DD-4323-A1E0-35CEB2906D89}.exe

Filesize
192KB

MD5
d51d0eb7404fba73d7b149abf0e5028d

SHA1
05f08139e195018f4a3de229d8178e9057c4f50f

SHA256
13c716bff73bedc73072432ebfb48abf3652abf067eeefaa72e4b3899372d3e8

SHA512
97d6e9a3e7422f7b52f7d2b954e89f98d1cc1552ad19a8b72c8ff3e444c760c7f3f06db65c5ebae31d0cf099f30800e7f6ee72b5456f8cbc984f965fc1c8f558

Download Submit
C:\Windows\{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe

Filesize
192KB

MD5
ab39335bb520b67d3e9c8da94080dc51

SHA1
6096b85cd33e777ae2c80757538bd2c02eed7c4c

SHA256
e4a5600e7eb3d5a734314306ad068b82fbbb703b9007832606585ea593e2efdc

SHA512
57c5c2f5757b27a9b71cb0fbde166e488ff616316b5022e4f3a8af86bb0f3ad232b1ac11ab580c4517af04c3cb9d5adeb481724351fd1148eb885456d3d94c42

Download Submit
C:\Windows\{2DE007D3-2AC0-4eea-89D9-B4D50D86D3B7}.exe

Filesize
192KB

MD5
ab39335bb520b67d3e9c8da94080dc51

SHA1
6096b85cd33e777ae2c80757538bd2c02eed7c4c

SHA256
e4a5600e7eb3d5a734314306ad068b82fbbb703b9007832606585ea593e2efdc

SHA512
57c5c2f5757b27a9b71cb0fbde166e488ff616316b5022e4f3a8af86bb0f3ad232b1ac11ab580c4517af04c3cb9d5adeb481724351fd1148eb885456d3d94c42

Download Submit
C:\Windows\{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe

Filesize
192KB

MD5
47eb47c6946b7e1027782cf276c6c893

SHA1
c4118563b1e58c99cab6bf767e14a20f163e5dce

SHA256
7f7642a1d5c771857b595acaf98fbf6dd79916651a5f6f437638e70f03cb6b2f

SHA512
346925ada8ddb2595263311caddf28ade8496cc6d36ef40f8f77552597adf0d0d69a4d7c358659d745c158d6cc829a208e5973d326f713eb885ae8761b1dadb7

Download Submit
C:\Windows\{34A8E304-D4FC-40d1-B406-F301878BEBA4}.exe

Filesize
192KB

MD5
47eb47c6946b7e1027782cf276c6c893

SHA1
c4118563b1e58c99cab6bf767e14a20f163e5dce

SHA256
7f7642a1d5c771857b595acaf98fbf6dd79916651a5f6f437638e70f03cb6b2f

SHA512
346925ada8ddb2595263311caddf28ade8496cc6d36ef40f8f77552597adf0d0d69a4d7c358659d745c158d6cc829a208e5973d326f713eb885ae8761b1dadb7

Download Submit
C:\Windows\{49E49D7B-8446-4a8b-828E-6EDE515AB749}.exe

Filesize
192KB

MD5
bf14c3b1f738a8c043307fb232297458

SHA1
0cd7b78cf1245bed5978ec8f7ecb2ce7d9d4c88d

SHA256
d4f349c2bdf0057fb3cf9b8187caa0593ceea45966ba42bff5159673932697f9

SHA512
e9bca7a139df0809d9182c0a9e489b9c37fea4e527e133f91ad8ecc34704322ddf232387d750460a96f0f0a7aa41c80afbc6707d446860a3d6d0ec255b05ef27

Download Submit
C:\Windows\{49E49D7B-8446-4a8b-828E-6EDE515AB749}.exe

Filesize
192KB

MD5
bf14c3b1f738a8c043307fb232297458

SHA1
0cd7b78cf1245bed5978ec8f7ecb2ce7d9d4c88d

SHA256
d4f349c2bdf0057fb3cf9b8187caa0593ceea45966ba42bff5159673932697f9

SHA512
e9bca7a139df0809d9182c0a9e489b9c37fea4e527e133f91ad8ecc34704322ddf232387d750460a96f0f0a7aa41c80afbc6707d446860a3d6d0ec255b05ef27

Download Submit
C:\Windows\{878D5C95-9413-4f73-AEEE-4B5FD774FF95}.exe

Filesize
192KB

MD5
978892f856d55884388adbd9f589a3c0

SHA1
ea2e35f7bf568c1006314e709609838614f085f4

SHA256
a4eca96cdd9c5ace05194d5ce9cfd0476d557bd9b999fffaaaac85e3838c232e

SHA512
73ff8438f7c254b7d5b02bd826f7a3df31054c0a3ce52919ab049c53c426db3f3b174dbed6750b7195f3ba07466425bd9fbe0636986250b1a9bb1bc5995bcd37

Download Submit
C:\Windows\{878D5C95-9413-4f73-AEEE-4B5FD774FF95}.exe

Filesize
192KB

MD5
978892f856d55884388adbd9f589a3c0

SHA1
ea2e35f7bf568c1006314e709609838614f085f4

SHA256
a4eca96cdd9c5ace05194d5ce9cfd0476d557bd9b999fffaaaac85e3838c232e

SHA512
73ff8438f7c254b7d5b02bd826f7a3df31054c0a3ce52919ab049c53c426db3f3b174dbed6750b7195f3ba07466425bd9fbe0636986250b1a9bb1bc5995bcd37

Download Submit
C:\Windows\{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe

Filesize
192KB

MD5
05698dff8def1d99ef27d20ad2ab6a99

SHA1
cc19d0e81c1187037f25d7f5f0e55ce2658af006

SHA256
86dc3fd66564d4bf530ec03435b0e8957c8b9da8c4109b3390df57faa34bebff

SHA512
e027d676ec6e0cacfd1132b6d0afbfef54deb1b6e5ae36a38d990ce9265be3298efd84d5e948acb37f822309389bda2697d91e6fe4d34cad5181ed8b0dbb6af6

Download Submit
C:\Windows\{98B530A8-A85C-4b4c-B44C-1DB824EE052D}.exe

Filesize
192KB

MD5
05698dff8def1d99ef27d20ad2ab6a99

SHA1
cc19d0e81c1187037f25d7f5f0e55ce2658af006

SHA256
86dc3fd66564d4bf530ec03435b0e8957c8b9da8c4109b3390df57faa34bebff

SHA512
e027d676ec6e0cacfd1132b6d0afbfef54deb1b6e5ae36a38d990ce9265be3298efd84d5e948acb37f822309389bda2697d91e6fe4d34cad5181ed8b0dbb6af6

Download Submit
C:\Windows\{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe

Filesize
192KB

MD5
fa7019ed6b7b8be2075788e9c13d1277

SHA1
11b43aefa55cdebf42e97b12d59060e85c2ccb83

SHA256
f32dc96d4e8448ff27fd29bb91cd3da056c70b0418303d83f572d9ba2a4e6b72

SHA512
e36a55be2eed83ce8d4c45542d17df4217760e3bcca2dc14943463eebea16528740335b34897cf17f6a79bb2e0913ee9bb21072e0c3455623bbad856385245cc

Download Submit
C:\Windows\{A2D9904A-7364-4b39-B480-52A2DEF873CF}.exe

Filesize
192KB

MD5
fa7019ed6b7b8be2075788e9c13d1277

SHA1
11b43aefa55cdebf42e97b12d59060e85c2ccb83

SHA256
f32dc96d4e8448ff27fd29bb91cd3da056c70b0418303d83f572d9ba2a4e6b72

SHA512
e36a55be2eed83ce8d4c45542d17df4217760e3bcca2dc14943463eebea16528740335b34897cf17f6a79bb2e0913ee9bb21072e0c3455623bbad856385245cc

Download Submit
C:\Windows\{DB4EEB8C-FAFD-4161-B2BB-F143B2B3DB7F}.exe

Filesize
192KB

MD5
c5930b0fe9c5d10c68c932c8073fe128

SHA1
51228a20cda620b75214ef32b04f61b05eaed078

SHA256
8f2a37a2fece9d0d0820c524023d9509d42c9778d56e33a319928ba4a427a36c

SHA512
05243ad75d94f36afffbbdb9bb2e12c463a7b14b8039e48dfb90a8f9492b2cb32e0d5999d0a6589b4b8f1cd66877d0fd74fb8f816b54f4563ec643d457cc23a2

Download Submit
C:\Windows\{DB4EEB8C-FAFD-4161-B2BB-F143B2B3DB7F}.exe

Filesize
192KB

MD5
c5930b0fe9c5d10c68c932c8073fe128

SHA1
51228a20cda620b75214ef32b04f61b05eaed078

SHA256
8f2a37a2fece9d0d0820c524023d9509d42c9778d56e33a319928ba4a427a36c

SHA512
05243ad75d94f36afffbbdb9bb2e12c463a7b14b8039e48dfb90a8f9492b2cb32e0d5999d0a6589b4b8f1cd66877d0fd74fb8f816b54f4563ec643d457cc23a2

Download Submit
C:\Windows\{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe

Filesize
192KB

MD5
ac25c321ea4d3260c9956e522785999e

SHA1
9501a8a3904c12eba028f5f325f53cdb01590afa

SHA256
cbf75429e110754b059963d37bf0a8d3d82e00b427db871b97699b05a80b1db8

SHA512
c005a36c1ff8143691047d69efd01d0535616de0ee3f3cbb10e13c4e18e373bdfa89a2d87f68dedcc03233ae7c693cf34b7f8c8e3d63e7d1ccb2b0b39cebf692

Download Submit
C:\Windows\{DFDE8A0E-5CC4-4c51-B80E-D69C83E20FAF}.exe

Filesize
192KB

MD5
ac25c321ea4d3260c9956e522785999e

SHA1
9501a8a3904c12eba028f5f325f53cdb01590afa

SHA256
cbf75429e110754b059963d37bf0a8d3d82e00b427db871b97699b05a80b1db8

SHA512
c005a36c1ff8143691047d69efd01d0535616de0ee3f3cbb10e13c4e18e373bdfa89a2d87f68dedcc03233ae7c693cf34b7f8c8e3d63e7d1ccb2b0b39cebf692

Download Submit
C:\Windows\{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe

Filesize
192KB

MD5
a5b96d409dfa639641a8b75ba2a8f102

SHA1
9bcb1229ab3646b2f148644d824523800e533203

SHA256
dba908afbd621094a91c19524b7e637e674d0a7bfaf8e38d06f3811c9e9796ea

SHA512
ecc4f12d202f4ad0876257413baae1eb8281bb5a3a02b130c0f908ef4253d669b75095c0f2348196c826b42f4b741f8e9ee81a60f5e22331a96c398ad5687ca9

Download Submit
C:\Windows\{F9938BC1-5272-4318-9940-9AD20480AE0F}.exe

Filesize
192KB

MD5
a5b96d409dfa639641a8b75ba2a8f102

SHA1
9bcb1229ab3646b2f148644d824523800e533203

SHA256
dba908afbd621094a91c19524b7e637e674d0a7bfaf8e38d06f3811c9e9796ea

SHA512
ecc4f12d202f4ad0876257413baae1eb8281bb5a3a02b130c0f908ef4253d669b75095c0f2348196c826b42f4b741f8e9ee81a60f5e22331a96c398ad5687ca9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads