40c7d66a6eca62abd477d5d03aff5ed98f8ff5d528af8a37bf86c2e9748c2b95

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09/07/2023, 17:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ba7b6a61162d77exeexeexeex.exe
Size

204KB
MD5

ba7b6a61162d77f7072d06c94cd3d05b
SHA1

0ebd3be78cb91a6879c720089daa68a3c53d5bdc
SHA256

40c7d66a6eca62abd477d5d03aff5ed98f8ff5d528af8a37bf86c2e9748c2b95
SHA512

3204c5c14ccfa40c5760a5b574c66fc2f62cf65604f4c335cbcb2ac71df309eb2d230e306e09a50062b7ea0462d02e9ab64e70dbd5eab480e0775a79eee636e7
SSDEEP

1536:1EGh0osZl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0osZl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A82655E5-D2F7-4331-A1D2-FA760C1F048F}\stubpath = "C:\\Windows\\{A82655E5-D2F7-4331-A1D2-FA760C1F048F}.exe"	{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA097AE9-F4F7-41be-84AB-22BF253D40B5}\stubpath = "C:\\Windows\\{CA097AE9-F4F7-41be-84AB-22BF253D40B5}.exe"	{A82655E5-D2F7-4331-A1D2-FA760C1F048F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7AFDBFA-35E0-4890-B526-9C85410ABC27}	{CA097AE9-F4F7-41be-84AB-22BF253D40B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7AFDBFA-35E0-4890-B526-9C85410ABC27}\stubpath = "C:\\Windows\\{E7AFDBFA-35E0-4890-B526-9C85410ABC27}.exe"	{CA097AE9-F4F7-41be-84AB-22BF253D40B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}\stubpath = "C:\\Windows\\{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe"	ba7b6a61162d77exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89982992-8FBE-4255-9F3D-663B62744454}\stubpath = "C:\\Windows\\{89982992-8FBE-4255-9F3D-663B62744454}.exe"	{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}	{89982992-8FBE-4255-9F3D-663B62744454}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{805A8DAB-4E71-45b2-A641-DF7294EC2375}	{2CFAA14C-D7DB-4f6b-ADF3-88D0CF5F993C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E337FFEF-C67C-48dd-9E86-23F6C5CFB78A}\stubpath = "C:\\Windows\\{E337FFEF-C67C-48dd-9E86-23F6C5CFB78A}.exe"	{805A8DAB-4E71-45b2-A641-DF7294EC2375}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}	ba7b6a61162d77exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}	{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}\stubpath = "C:\\Windows\\{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe"	{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36170478-275A-4ba6-9B68-760632E4D0F7}\stubpath = "C:\\Windows\\{36170478-275A-4ba6-9B68-760632E4D0F7}.exe"	{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94B88B02-E459-4a03-9CA2-1A2A41AAC366}	{36170478-275A-4ba6-9B68-760632E4D0F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A82655E5-D2F7-4331-A1D2-FA760C1F048F}	{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{805A8DAB-4E71-45b2-A641-DF7294EC2375}\stubpath = "C:\\Windows\\{805A8DAB-4E71-45b2-A641-DF7294EC2375}.exe"	{2CFAA14C-D7DB-4f6b-ADF3-88D0CF5F993C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E337FFEF-C67C-48dd-9E86-23F6C5CFB78A}	{805A8DAB-4E71-45b2-A641-DF7294EC2375}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}	{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}\stubpath = "C:\\Windows\\{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe"	{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36170478-275A-4ba6-9B68-760632E4D0F7}	{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA097AE9-F4F7-41be-84AB-22BF253D40B5}	{A82655E5-D2F7-4331-A1D2-FA760C1F048F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CFAA14C-D7DB-4f6b-ADF3-88D0CF5F993C}	{E7AFDBFA-35E0-4890-B526-9C85410ABC27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CFAA14C-D7DB-4f6b-ADF3-88D0CF5F993C}\stubpath = "C:\\Windows\\{2CFAA14C-D7DB-4f6b-ADF3-88D0CF5F993C}.exe"	{E7AFDBFA-35E0-4890-B526-9C85410ABC27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94B88B02-E459-4a03-9CA2-1A2A41AAC366}\stubpath = "C:\\Windows\\{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe"	{36170478-275A-4ba6-9B68-760632E4D0F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89982992-8FBE-4255-9F3D-663B62744454}	{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}\stubpath = "C:\\Windows\\{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe"	{89982992-8FBE-4255-9F3D-663B62744454}.exe

Deletes itself 1 IoCs

pid	Process
1556	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2104	{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe
1696	{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe
1068	{36170478-275A-4ba6-9B68-760632E4D0F7}.exe
1396	{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe
1824	{89982992-8FBE-4255-9F3D-663B62744454}.exe
2212	{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe
2200	{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe
2272	{A82655E5-D2F7-4331-A1D2-FA760C1F048F}.exe
2672	{CA097AE9-F4F7-41be-84AB-22BF253D40B5}.exe
2576	{E7AFDBFA-35E0-4890-B526-9C85410ABC27}.exe
1972	{2CFAA14C-D7DB-4f6b-ADF3-88D0CF5F993C}.exe
2996	{805A8DAB-4E71-45b2-A641-DF7294EC2375}.exe
2476	{E337FFEF-C67C-48dd-9E86-23F6C5CFB78A}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{A82655E5-D2F7-4331-A1D2-FA760C1F048F}.exe	{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe
File created	C:\Windows\{CA097AE9-F4F7-41be-84AB-22BF253D40B5}.exe	{A82655E5-D2F7-4331-A1D2-FA760C1F048F}.exe
File created	C:\Windows\{805A8DAB-4E71-45b2-A641-DF7294EC2375}.exe	{2CFAA14C-D7DB-4f6b-ADF3-88D0CF5F993C}.exe
File created	C:\Windows\{E337FFEF-C67C-48dd-9E86-23F6C5CFB78A}.exe	{805A8DAB-4E71-45b2-A641-DF7294EC2375}.exe
File created	C:\Windows\{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe	ba7b6a61162d77exeexeexeex.exe
File created	C:\Windows\{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe	{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe
File created	C:\Windows\{89982992-8FBE-4255-9F3D-663B62744454}.exe	{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe
File created	C:\Windows\{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe	{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe
File created	C:\Windows\{2CFAA14C-D7DB-4f6b-ADF3-88D0CF5F993C}.exe	{E7AFDBFA-35E0-4890-B526-9C85410ABC27}.exe
File created	C:\Windows\{36170478-275A-4ba6-9B68-760632E4D0F7}.exe	{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe
File created	C:\Windows\{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe	{36170478-275A-4ba6-9B68-760632E4D0F7}.exe
File created	C:\Windows\{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe	{89982992-8FBE-4255-9F3D-663B62744454}.exe
File created	C:\Windows\{E7AFDBFA-35E0-4890-B526-9C85410ABC27}.exe	{CA097AE9-F4F7-41be-84AB-22BF253D40B5}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1184	ba7b6a61162d77exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2104	{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe
Token: SeIncBasePriorityPrivilege	1696	{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe
Token: SeIncBasePriorityPrivilege	1068	{36170478-275A-4ba6-9B68-760632E4D0F7}.exe
Token: SeIncBasePriorityPrivilege	1396	{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe
Token: SeIncBasePriorityPrivilege	1824	{89982992-8FBE-4255-9F3D-663B62744454}.exe
Token: SeIncBasePriorityPrivilege	2212	{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe
Token: SeIncBasePriorityPrivilege	2200	{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe
Token: SeIncBasePriorityPrivilege	2272	{A82655E5-D2F7-4331-A1D2-FA760C1F048F}.exe
Token: SeIncBasePriorityPrivilege	2672	{CA097AE9-F4F7-41be-84AB-22BF253D40B5}.exe
Token: SeIncBasePriorityPrivilege	2576	{E7AFDBFA-35E0-4890-B526-9C85410ABC27}.exe
Token: SeIncBasePriorityPrivilege	1972	{2CFAA14C-D7DB-4f6b-ADF3-88D0CF5F993C}.exe
Token: SeIncBasePriorityPrivilege	2996	{805A8DAB-4E71-45b2-A641-DF7294EC2375}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2104	1184	ba7b6a61162d77exeexeexeex.exe	28
PID 1184 wrote to memory of 2104	1184	ba7b6a61162d77exeexeexeex.exe	28
PID 1184 wrote to memory of 2104	1184	ba7b6a61162d77exeexeexeex.exe	28
PID 1184 wrote to memory of 2104	1184	ba7b6a61162d77exeexeexeex.exe	28
PID 1184 wrote to memory of 1556	1184	ba7b6a61162d77exeexeexeex.exe	29
PID 1184 wrote to memory of 1556	1184	ba7b6a61162d77exeexeexeex.exe	29
PID 1184 wrote to memory of 1556	1184	ba7b6a61162d77exeexeexeex.exe	29
PID 1184 wrote to memory of 1556	1184	ba7b6a61162d77exeexeexeex.exe	29
PID 2104 wrote to memory of 1696	2104	{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe	30
PID 2104 wrote to memory of 1696	2104	{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe	30
PID 2104 wrote to memory of 1696	2104	{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe	30
PID 2104 wrote to memory of 1696	2104	{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe	30
PID 2104 wrote to memory of 2556	2104	{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe	31
PID 2104 wrote to memory of 2556	2104	{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe	31
PID 2104 wrote to memory of 2556	2104	{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe	31
PID 2104 wrote to memory of 2556	2104	{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe	31
PID 1696 wrote to memory of 1068	1696	{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe	32
PID 1696 wrote to memory of 1068	1696	{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe	32
PID 1696 wrote to memory of 1068	1696	{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe	32
PID 1696 wrote to memory of 1068	1696	{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe	32
PID 1696 wrote to memory of 1948	1696	{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe	33
PID 1696 wrote to memory of 1948	1696	{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe	33
PID 1696 wrote to memory of 1948	1696	{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe	33
PID 1696 wrote to memory of 1948	1696	{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe	33
PID 1068 wrote to memory of 1396	1068	{36170478-275A-4ba6-9B68-760632E4D0F7}.exe	35
PID 1068 wrote to memory of 1396	1068	{36170478-275A-4ba6-9B68-760632E4D0F7}.exe	35
PID 1068 wrote to memory of 1396	1068	{36170478-275A-4ba6-9B68-760632E4D0F7}.exe	35
PID 1068 wrote to memory of 1396	1068	{36170478-275A-4ba6-9B68-760632E4D0F7}.exe	35
PID 1068 wrote to memory of 2276	1068	{36170478-275A-4ba6-9B68-760632E4D0F7}.exe	34
PID 1068 wrote to memory of 2276	1068	{36170478-275A-4ba6-9B68-760632E4D0F7}.exe	34
PID 1068 wrote to memory of 2276	1068	{36170478-275A-4ba6-9B68-760632E4D0F7}.exe	34
PID 1068 wrote to memory of 2276	1068	{36170478-275A-4ba6-9B68-760632E4D0F7}.exe	34
PID 1396 wrote to memory of 1824	1396	{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe	37
PID 1396 wrote to memory of 1824	1396	{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe	37
PID 1396 wrote to memory of 1824	1396	{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe	37
PID 1396 wrote to memory of 1824	1396	{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe	37
PID 1396 wrote to memory of 1216	1396	{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe	36
PID 1396 wrote to memory of 1216	1396	{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe	36
PID 1396 wrote to memory of 1216	1396	{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe	36
PID 1396 wrote to memory of 1216	1396	{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe	36
PID 1824 wrote to memory of 2212	1824	{89982992-8FBE-4255-9F3D-663B62744454}.exe	39
PID 1824 wrote to memory of 2212	1824	{89982992-8FBE-4255-9F3D-663B62744454}.exe	39
PID 1824 wrote to memory of 2212	1824	{89982992-8FBE-4255-9F3D-663B62744454}.exe	39
PID 1824 wrote to memory of 2212	1824	{89982992-8FBE-4255-9F3D-663B62744454}.exe	39
PID 1824 wrote to memory of 1688	1824	{89982992-8FBE-4255-9F3D-663B62744454}.exe	38
PID 1824 wrote to memory of 1688	1824	{89982992-8FBE-4255-9F3D-663B62744454}.exe	38
PID 1824 wrote to memory of 1688	1824	{89982992-8FBE-4255-9F3D-663B62744454}.exe	38
PID 1824 wrote to memory of 1688	1824	{89982992-8FBE-4255-9F3D-663B62744454}.exe	38
PID 2212 wrote to memory of 2200	2212	{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe	41
PID 2212 wrote to memory of 2200	2212	{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe	41
PID 2212 wrote to memory of 2200	2212	{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe	41
PID 2212 wrote to memory of 2200	2212	{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe	41
PID 2212 wrote to memory of 2428	2212	{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe	40
PID 2212 wrote to memory of 2428	2212	{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe	40
PID 2212 wrote to memory of 2428	2212	{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe	40
PID 2212 wrote to memory of 2428	2212	{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe	40
PID 2200 wrote to memory of 2272	2200	{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe	42
PID 2200 wrote to memory of 2272	2200	{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe	42
PID 2200 wrote to memory of 2272	2200	{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe	42
PID 2200 wrote to memory of 2272	2200	{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe	42
PID 2200 wrote to memory of 2656	2200	{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe	43
PID 2200 wrote to memory of 2656	2200	{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe	43
PID 2200 wrote to memory of 2656	2200	{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe	43
PID 2200 wrote to memory of 2656	2200	{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe	43

C:\Users\Admin\AppData\Local\Temp\ba7b6a61162d77exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\ba7b6a61162d77exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe
  C:\Windows\{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe
    C:\Windows\{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\{36170478-275A-4ba6-9B68-760632E4D0F7}.exe
      C:\Windows\{36170478-275A-4ba6-9B68-760632E4D0F7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36170~1.EXE > nul
        5⤵
        
        PID:2276
    - - C:\Windows\{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe
        
        C:\Windows\{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94B88~1.EXE > nul
        6⤵
        
        PID:1216
      - C:\Windows\{89982992-8FBE-4255-9F3D-663B62744454}.exe
        
        C:\Windows\{89982992-8FBE-4255-9F3D-663B62744454}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89982~1.EXE > nul
        7⤵
        
        PID:1688
        
        C:\Windows\{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe
        
        C:\Windows\{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DC32~1.EXE > nul
        8⤵
        
        PID:2428
        
        C:\Windows\{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe
        
        C:\Windows\{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\{A82655E5-D2F7-4331-A1D2-FA760C1F048F}.exe
        
        C:\Windows\{A82655E5-D2F7-4331-A1D2-FA760C1F048F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\{CA097AE9-F4F7-41be-84AB-22BF253D40B5}.exe
        
        C:\Windows\{CA097AE9-F4F7-41be-84AB-22BF253D40B5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\{E7AFDBFA-35E0-4890-B526-9C85410ABC27}.exe
        
        C:\Windows\{E7AFDBFA-35E0-4890-B526-9C85410ABC27}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\{2CFAA14C-D7DB-4f6b-ADF3-88D0CF5F993C}.exe
        
        C:\Windows\{2CFAA14C-D7DB-4f6b-ADF3-88D0CF5F993C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\{805A8DAB-4E71-45b2-A641-DF7294EC2375}.exe
        
        C:\Windows\{805A8DAB-4E71-45b2-A641-DF7294EC2375}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\{E337FFEF-C67C-48dd-9E86-23F6C5CFB78A}.exe
        
        C:\Windows\{E337FFEF-C67C-48dd-9E86-23F6C5CFB78A}.exe
        14⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{805A8~1.EXE > nul
        14⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CFAA~1.EXE > nul
        13⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7AFD~1.EXE > nul
        12⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA097~1.EXE > nul
        11⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8265~1.EXE > nul
        10⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC33E~1.EXE > nul
        9⤵
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D2C59~1.EXE > nul
      4⤵
      PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7B2B3~1.EXE > nul
    3⤵
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BA7B6A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2CFAA14C-D7DB-4f6b-ADF3-88D0CF5F993C}.exe

Filesize
204KB

MD5
c399ba2275e76069dc03a3a8416910b9

SHA1
31d841f7c79e2b12e57717bff06dcbe4c0a45e80

SHA256
c6ac8ef27d5b266c5c6e11f0f98b4aa5b9af5aa2f7d023576e1352043f6808d5

SHA512
47029bda89f658bbbba79d9b4c5604fd52efa212f32e399ee8c67e78cb8258a0bc441e79356cbc5d85212b174300f45508270ab3499fa386510e8e38d8467527

Download Submit
C:\Windows\{2CFAA14C-D7DB-4f6b-ADF3-88D0CF5F993C}.exe

Filesize
204KB

MD5
c399ba2275e76069dc03a3a8416910b9

SHA1
31d841f7c79e2b12e57717bff06dcbe4c0a45e80

SHA256
c6ac8ef27d5b266c5c6e11f0f98b4aa5b9af5aa2f7d023576e1352043f6808d5

SHA512
47029bda89f658bbbba79d9b4c5604fd52efa212f32e399ee8c67e78cb8258a0bc441e79356cbc5d85212b174300f45508270ab3499fa386510e8e38d8467527

Download Submit
C:\Windows\{36170478-275A-4ba6-9B68-760632E4D0F7}.exe

Filesize
204KB

MD5
0ede5a69438e38a7022b5bb3e12ded52

SHA1
b040b94596ac1da3598751e2f7e89b98c8d52ceb

SHA256
b25c5cba5ef6e316f45c9996f85cc7bb66f8667a428258e41db30160b10e79e4

SHA512
540e897f259fb7cd53b2a82a15359ef57e269ea9bcbd4034d5a5861d3dc7e77a42b4640294498e77bba1f8b4e1acdf20cf9c713a732e939d731419cdc267767b

Download Submit
C:\Windows\{36170478-275A-4ba6-9B68-760632E4D0F7}.exe

Filesize
204KB

MD5
0ede5a69438e38a7022b5bb3e12ded52

SHA1
b040b94596ac1da3598751e2f7e89b98c8d52ceb

SHA256
b25c5cba5ef6e316f45c9996f85cc7bb66f8667a428258e41db30160b10e79e4

SHA512
540e897f259fb7cd53b2a82a15359ef57e269ea9bcbd4034d5a5861d3dc7e77a42b4640294498e77bba1f8b4e1acdf20cf9c713a732e939d731419cdc267767b

Download Submit
C:\Windows\{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe

Filesize
204KB

MD5
72cff67e3e88a1b3d08a25c43a39bbc7

SHA1
3120a25f1d83ae6db710689c573bd31ed19a3936

SHA256
561367eed23e7f709fa82497fbbcbd9eb23136bec6a60203772fd46d1dc66a0d

SHA512
92f558cf7a0afde2757ac14b8f58f84c0261e415994bb2edc1aa45c49e2e7fbfa3f47fe3f0104c4c7cf8f9ea39c7391be1dca05604318617ecffb61b827d5934

Download Submit
C:\Windows\{5DC32DC7-F692-4fd3-A72B-972D6C3918F1}.exe

Filesize
204KB

MD5
72cff67e3e88a1b3d08a25c43a39bbc7

SHA1
3120a25f1d83ae6db710689c573bd31ed19a3936

SHA256
561367eed23e7f709fa82497fbbcbd9eb23136bec6a60203772fd46d1dc66a0d

SHA512
92f558cf7a0afde2757ac14b8f58f84c0261e415994bb2edc1aa45c49e2e7fbfa3f47fe3f0104c4c7cf8f9ea39c7391be1dca05604318617ecffb61b827d5934

Download Submit
C:\Windows\{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe

Filesize
204KB

MD5
a00da59a874387c60a2f831cb24a7135

SHA1
cd3740fd9f732f84ad20e9a6293c22e95a5f0e5b

SHA256
62cab5a21afcdd0c37af78d5d4b62e7a7e91c48699b93ed9631a3e8a2c59cfd3

SHA512
345a3f32b8935a0695456aca98dba569c6de612867cb2ed9d8765cb57f770c1c99e626178ed06ab580c36296a43cec9629ad1e276204adf41c5d3865d8f18834

Download Submit
C:\Windows\{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe

Filesize
204KB

MD5
a00da59a874387c60a2f831cb24a7135

SHA1
cd3740fd9f732f84ad20e9a6293c22e95a5f0e5b

SHA256
62cab5a21afcdd0c37af78d5d4b62e7a7e91c48699b93ed9631a3e8a2c59cfd3

SHA512
345a3f32b8935a0695456aca98dba569c6de612867cb2ed9d8765cb57f770c1c99e626178ed06ab580c36296a43cec9629ad1e276204adf41c5d3865d8f18834

Download Submit
C:\Windows\{7B2B3ACB-259D-4b5a-8A4C-B860839313DA}.exe

Filesize
204KB

MD5
a00da59a874387c60a2f831cb24a7135

SHA1
cd3740fd9f732f84ad20e9a6293c22e95a5f0e5b

SHA256
62cab5a21afcdd0c37af78d5d4b62e7a7e91c48699b93ed9631a3e8a2c59cfd3

SHA512
345a3f32b8935a0695456aca98dba569c6de612867cb2ed9d8765cb57f770c1c99e626178ed06ab580c36296a43cec9629ad1e276204adf41c5d3865d8f18834

Download Submit
C:\Windows\{805A8DAB-4E71-45b2-A641-DF7294EC2375}.exe

Filesize
204KB

MD5
8ee38b9ed5b0d74e9eb793dae5e01e55

SHA1
af2217f8edd2f059716c694a2d43e662e797f89b

SHA256
f609265df56efbb309e5304841dc5629dfc2b2e150a2ddd29077d71250e352e6

SHA512
e60f07e9e669f0d3c263c3b64458d1fa9c94bc5fef17621809470491eae060980b615052f797798edcb1c7e18a804a8d965326fec6f2064b677e62cd0f9c70d7

Download Submit
C:\Windows\{805A8DAB-4E71-45b2-A641-DF7294EC2375}.exe

Filesize
204KB

MD5
8ee38b9ed5b0d74e9eb793dae5e01e55

SHA1
af2217f8edd2f059716c694a2d43e662e797f89b

SHA256
f609265df56efbb309e5304841dc5629dfc2b2e150a2ddd29077d71250e352e6

SHA512
e60f07e9e669f0d3c263c3b64458d1fa9c94bc5fef17621809470491eae060980b615052f797798edcb1c7e18a804a8d965326fec6f2064b677e62cd0f9c70d7

Download Submit
C:\Windows\{89982992-8FBE-4255-9F3D-663B62744454}.exe

Filesize
204KB

MD5
b8f5606d1b7a8f88f8b6943a66017615

SHA1
b803366500ffb3d9d3a152260c2ed097477886e5

SHA256
b21eac345f6b5ad355d6a7ff08b883118eefb3e489db33f80df84d0b87ca7000

SHA512
c6d215d149890def4b7e55d635baea87e6289a2e0142e13d0cedd59ab980e33c3ff1b2dde20692fbc4f2c28ed16318c6a8174fc915f5575fd5800b7d5db82109

Download Submit
C:\Windows\{89982992-8FBE-4255-9F3D-663B62744454}.exe

Filesize
204KB

MD5
b8f5606d1b7a8f88f8b6943a66017615

SHA1
b803366500ffb3d9d3a152260c2ed097477886e5

SHA256
b21eac345f6b5ad355d6a7ff08b883118eefb3e489db33f80df84d0b87ca7000

SHA512
c6d215d149890def4b7e55d635baea87e6289a2e0142e13d0cedd59ab980e33c3ff1b2dde20692fbc4f2c28ed16318c6a8174fc915f5575fd5800b7d5db82109

Download Submit
C:\Windows\{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe

Filesize
204KB

MD5
4cf4d214d506cd7625d2d9b47544e461

SHA1
fcbde03c7c692b5492ff7e59897e6f5c66ac5130

SHA256
b7a1426300fe7b674aae0b0c324f0d67d0e4e203f8e3f6e0c7e58bf9ec70cd8d

SHA512
f4dab214dea8b2bbbb10e20fb7b4dd6984872b9db4e19110b747471be32c4f8f9410fafadb44f0d1c059b830f8bd5e049f3c0e0b2b78712ac0be6ae107ce1c01

Download Submit
C:\Windows\{94B88B02-E459-4a03-9CA2-1A2A41AAC366}.exe

Filesize
204KB

MD5
4cf4d214d506cd7625d2d9b47544e461

SHA1
fcbde03c7c692b5492ff7e59897e6f5c66ac5130

SHA256
b7a1426300fe7b674aae0b0c324f0d67d0e4e203f8e3f6e0c7e58bf9ec70cd8d

SHA512
f4dab214dea8b2bbbb10e20fb7b4dd6984872b9db4e19110b747471be32c4f8f9410fafadb44f0d1c059b830f8bd5e049f3c0e0b2b78712ac0be6ae107ce1c01

Download Submit
C:\Windows\{A82655E5-D2F7-4331-A1D2-FA760C1F048F}.exe

Filesize
204KB

MD5
1057681552e477fc9e475bd0d185a2f7

SHA1
7b8933234af0100ab941a3133466db5127b3dde1

SHA256
5aca3255ef521da2c24acd2a65747b112e125c8ce288b5867590856ea7fa1547

SHA512
9c174ece109cd493e3400fd4b7244061a6e2c0b653b87f1de82e1ae271d2d5b41c0ec39dc5b324729bf21f46447588ca173a6ca397b1d264872248315b7b7293

Download Submit
C:\Windows\{A82655E5-D2F7-4331-A1D2-FA760C1F048F}.exe

Filesize
204KB

MD5
1057681552e477fc9e475bd0d185a2f7

SHA1
7b8933234af0100ab941a3133466db5127b3dde1

SHA256
5aca3255ef521da2c24acd2a65747b112e125c8ce288b5867590856ea7fa1547

SHA512
9c174ece109cd493e3400fd4b7244061a6e2c0b653b87f1de82e1ae271d2d5b41c0ec39dc5b324729bf21f46447588ca173a6ca397b1d264872248315b7b7293

Download Submit
C:\Windows\{CA097AE9-F4F7-41be-84AB-22BF253D40B5}.exe

Filesize
204KB

MD5
3bd26e74ba35088231086b2ed4c39f29

SHA1
3c351563b4e1933bee0d62ed0038542a3dc43cc9

SHA256
44d73e335bb5ddebfa948d4a1fc79c49484d0c2cef34c6b8d8169859bc00ae15

SHA512
46727bfc3b818d05a923ea6437f1a7528b0e4943d803bd44f40a56c8e5b8e1ee3680b04ff54f481b445cd8ccc3b425aa75217ebabd893be13ca16029af84aaee

Download Submit
C:\Windows\{CA097AE9-F4F7-41be-84AB-22BF253D40B5}.exe

Filesize
204KB

MD5
3bd26e74ba35088231086b2ed4c39f29

SHA1
3c351563b4e1933bee0d62ed0038542a3dc43cc9

SHA256
44d73e335bb5ddebfa948d4a1fc79c49484d0c2cef34c6b8d8169859bc00ae15

SHA512
46727bfc3b818d05a923ea6437f1a7528b0e4943d803bd44f40a56c8e5b8e1ee3680b04ff54f481b445cd8ccc3b425aa75217ebabd893be13ca16029af84aaee

Download Submit
C:\Windows\{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe

Filesize
204KB

MD5
eef8f15cf7f3fdc6fb6e7e69ac153260

SHA1
12540129792975608d5e8587969d12a7a63121bc

SHA256
977f00052ece775b6aab168f2f3ede6688ff1771319019556cc30f41533ab122

SHA512
8d5edee201b6f21482bc1794261a814f3da757b16db466eebc57ac533537ed143b83197d08a0c1d7482dbff9cb80357023588f2dd2255ea08d4c462adaf59985

Download Submit
C:\Windows\{D2C592BE-4C4A-4790-B3DC-7212A2F3C685}.exe

Filesize
204KB

MD5
eef8f15cf7f3fdc6fb6e7e69ac153260

SHA1
12540129792975608d5e8587969d12a7a63121bc

SHA256
977f00052ece775b6aab168f2f3ede6688ff1771319019556cc30f41533ab122

SHA512
8d5edee201b6f21482bc1794261a814f3da757b16db466eebc57ac533537ed143b83197d08a0c1d7482dbff9cb80357023588f2dd2255ea08d4c462adaf59985

Download Submit
C:\Windows\{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe

Filesize
204KB

MD5
50fe61d0e1de0a7658d3474858aac56e

SHA1
068aee548f2b9093d75f0afdf54abcc267d3e044

SHA256
330743031f2e07aad1fc57155bc099204819d7b429fb0e454221d08e00db30c9

SHA512
ba23e98578465208ee649ecef22a911b6cd72ce4c2f2fa8f61458f9a38675596690ce36884d73e90136bbc272cef8fc3c027d5aad773190b388bdcdb6260c6f3

Download Submit
C:\Windows\{DC33EC59-8433-47b6-96F0-0B55BF6BB1A8}.exe

Filesize
204KB

MD5
50fe61d0e1de0a7658d3474858aac56e

SHA1
068aee548f2b9093d75f0afdf54abcc267d3e044

SHA256
330743031f2e07aad1fc57155bc099204819d7b429fb0e454221d08e00db30c9

SHA512
ba23e98578465208ee649ecef22a911b6cd72ce4c2f2fa8f61458f9a38675596690ce36884d73e90136bbc272cef8fc3c027d5aad773190b388bdcdb6260c6f3

Download Submit
C:\Windows\{E337FFEF-C67C-48dd-9E86-23F6C5CFB78A}.exe

Filesize
204KB

MD5
6ae966cf8bb0c0d3f935bc7019e7ffc1

SHA1
a2daa8dbf985f14acd4840e26b50cca28b93eb10

SHA256
4971d6d3042e36836de2a98cf7946f92edbe7e035de488b7705b6e522b50f864

SHA512
a105d43b810131c0cef78355ef180454491f069620cd2dd3732fa3164e287b783e9bf985e65539c2083f41b3f234821866826357107fdfa8715c1a7b7e70fcf0

Download Submit
C:\Windows\{E7AFDBFA-35E0-4890-B526-9C85410ABC27}.exe

Filesize
204KB

MD5
831f1e59f59ba68a687d123cf821f08f

SHA1
bf0b8ecd68ea0966d22f7a716531d5ac7c8dc3d3

SHA256
186d0e881bfb2d2042894700d4d3322d17320d1239b401e2451ecf00c7801080

SHA512
ca779563759199f97cb353180e3b05fe35d966d1711db9c46bc836a73f565f8a2f2bd55972d46291a207f1616e5db30264ab6ebfbceadae2f2b81b4a60d69ce0

Download Submit
C:\Windows\{E7AFDBFA-35E0-4890-B526-9C85410ABC27}.exe

Filesize
204KB

MD5
831f1e59f59ba68a687d123cf821f08f

SHA1
bf0b8ecd68ea0966d22f7a716531d5ac7c8dc3d3

SHA256
186d0e881bfb2d2042894700d4d3322d17320d1239b401e2451ecf00c7801080

SHA512
ca779563759199f97cb353180e3b05fe35d966d1711db9c46bc836a73f565f8a2f2bd55972d46291a207f1616e5db30264ab6ebfbceadae2f2b81b4a60d69ce0

Download Submit