8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07/10/2023, 18:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3_JC.exe
Size

204KB
MD5

4f56ad82542884d6089c9e67f8cb1f0e
SHA1

8b0f974a45d83ae391841910b0256d95a568e470
SHA256

8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3
SHA512

7f7e48f8f39321e9850d8eff54f2b9c17aaee79c2749c08a68b477f5ad28e685f13ff1f4d1bdc84e83044b8332a4d277f4c88a0c005ac18664a8cdc9f8c3abd7
SSDEEP

1536:1EGh0oGLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oal1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39033880-EDE0-4e7c-937C-309322D04F6A}\stubpath = "C:\\Windows\\{39033880-EDE0-4e7c-937C-309322D04F6A}.exe"	{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1BB82FC-DE4C-4f66-9191-337A7CD68557}	{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1BB82FC-DE4C-4f66-9191-337A7CD68557}\stubpath = "C:\\Windows\\{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe"	{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}\stubpath = "C:\\Windows\\{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe"	{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F50B917D-0884-45a4-A12A-77530232C358}	{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22527F38-3F4E-4933-9CED-BF6B3AC31691}\stubpath = "C:\\Windows\\{22527F38-3F4E-4933-9CED-BF6B3AC31691}.exe"	{0DC91ADC-49FF-4686-8DEA-56FDCA208BDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}	NEAS.8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}	{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39033880-EDE0-4e7c-937C-309322D04F6A}	{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F50B917D-0884-45a4-A12A-77530232C358}\stubpath = "C:\\Windows\\{F50B917D-0884-45a4-A12A-77530232C358}.exe"	{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DC91ADC-49FF-4686-8DEA-56FDCA208BDD}	{F50B917D-0884-45a4-A12A-77530232C358}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}\stubpath = "C:\\Windows\\{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe"	NEAS.8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}	{39033880-EDE0-4e7c-937C-309322D04F6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}\stubpath = "C:\\Windows\\{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe"	{39033880-EDE0-4e7c-937C-309322D04F6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}	{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DC91ADC-49FF-4686-8DEA-56FDCA208BDD}\stubpath = "C:\\Windows\\{0DC91ADC-49FF-4686-8DEA-56FDCA208BDD}.exe"	{F50B917D-0884-45a4-A12A-77530232C358}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22527F38-3F4E-4933-9CED-BF6B3AC31691}	{0DC91ADC-49FF-4686-8DEA-56FDCA208BDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}\stubpath = "C:\\Windows\\{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe"	{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}	{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDFA4801-9DEA-4143-B9E5-34C8DFE6C65E}	{22527F38-3F4E-4933-9CED-BF6B3AC31691}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDFA4801-9DEA-4143-B9E5-34C8DFE6C65E}\stubpath = "C:\\Windows\\{EDFA4801-9DEA-4143-B9E5-34C8DFE6C65E}.exe"	{22527F38-3F4E-4933-9CED-BF6B3AC31691}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}\stubpath = "C:\\Windows\\{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe"	{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2596	{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe
2744	{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe
2244	{39033880-EDE0-4e7c-937C-309322D04F6A}.exe
2500	{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe
1316	{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe
2312	{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe
580	{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe
1636	{F50B917D-0884-45a4-A12A-77530232C358}.exe
1212	{0DC91ADC-49FF-4686-8DEA-56FDCA208BDD}.exe
2832	{22527F38-3F4E-4933-9CED-BF6B3AC31691}.exe
3056	{EDFA4801-9DEA-4143-B9E5-34C8DFE6C65E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe	NEAS.8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3_JC.exe
File created	C:\Windows\{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe	{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe
File created	C:\Windows\{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe	{39033880-EDE0-4e7c-937C-309322D04F6A}.exe
File created	C:\Windows\{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe	{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe
File created	C:\Windows\{22527F38-3F4E-4933-9CED-BF6B3AC31691}.exe	{0DC91ADC-49FF-4686-8DEA-56FDCA208BDD}.exe
File created	C:\Windows\{39033880-EDE0-4e7c-937C-309322D04F6A}.exe	{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe
File created	C:\Windows\{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe	{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe
File created	C:\Windows\{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe	{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe
File created	C:\Windows\{F50B917D-0884-45a4-A12A-77530232C358}.exe	{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe
File created	C:\Windows\{0DC91ADC-49FF-4686-8DEA-56FDCA208BDD}.exe	{F50B917D-0884-45a4-A12A-77530232C358}.exe
File created	C:\Windows\{EDFA4801-9DEA-4143-B9E5-34C8DFE6C65E}.exe	{22527F38-3F4E-4933-9CED-BF6B3AC31691}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2112	NEAS.8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3_JC.exe
Token: SeIncBasePriorityPrivilege	2596	{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe
Token: SeIncBasePriorityPrivilege	2744	{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe
Token: SeIncBasePriorityPrivilege	2244	{39033880-EDE0-4e7c-937C-309322D04F6A}.exe
Token: SeIncBasePriorityPrivilege	2500	{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe
Token: SeIncBasePriorityPrivilege	1316	{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe
Token: SeIncBasePriorityPrivilege	2312	{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe
Token: SeIncBasePriorityPrivilege	580	{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe
Token: SeIncBasePriorityPrivilege	1636	{F50B917D-0884-45a4-A12A-77530232C358}.exe
Token: SeIncBasePriorityPrivilege	1212	{0DC91ADC-49FF-4686-8DEA-56FDCA208BDD}.exe
Token: SeIncBasePriorityPrivilege	2832	{22527F38-3F4E-4933-9CED-BF6B3AC31691}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2596	2112	NEAS.8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3_JC.exe	28
PID 2112 wrote to memory of 2596	2112	NEAS.8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3_JC.exe	28
PID 2112 wrote to memory of 2596	2112	NEAS.8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3_JC.exe	28
PID 2112 wrote to memory of 2596	2112	NEAS.8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3_JC.exe	28
PID 2112 wrote to memory of 2612	2112	NEAS.8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3_JC.exe	29
PID 2112 wrote to memory of 2612	2112	NEAS.8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3_JC.exe	29
PID 2112 wrote to memory of 2612	2112	NEAS.8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3_JC.exe	29
PID 2112 wrote to memory of 2612	2112	NEAS.8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3_JC.exe	29
PID 2596 wrote to memory of 2744	2596	{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe	30
PID 2596 wrote to memory of 2744	2596	{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe	30
PID 2596 wrote to memory of 2744	2596	{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe	30
PID 2596 wrote to memory of 2744	2596	{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe	30
PID 2596 wrote to memory of 2656	2596	{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe	31
PID 2596 wrote to memory of 2656	2596	{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe	31
PID 2596 wrote to memory of 2656	2596	{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe	31
PID 2596 wrote to memory of 2656	2596	{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe	31
PID 2744 wrote to memory of 2244	2744	{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe	34
PID 2744 wrote to memory of 2244	2744	{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe	34
PID 2744 wrote to memory of 2244	2744	{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe	34
PID 2744 wrote to memory of 2244	2744	{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe	34
PID 2744 wrote to memory of 2672	2744	{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe	35
PID 2744 wrote to memory of 2672	2744	{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe	35
PID 2744 wrote to memory of 2672	2744	{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe	35
PID 2744 wrote to memory of 2672	2744	{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe	35
PID 2244 wrote to memory of 2500	2244	{39033880-EDE0-4e7c-937C-309322D04F6A}.exe	36
PID 2244 wrote to memory of 2500	2244	{39033880-EDE0-4e7c-937C-309322D04F6A}.exe	36
PID 2244 wrote to memory of 2500	2244	{39033880-EDE0-4e7c-937C-309322D04F6A}.exe	36
PID 2244 wrote to memory of 2500	2244	{39033880-EDE0-4e7c-937C-309322D04F6A}.exe	36
PID 2244 wrote to memory of 2544	2244	{39033880-EDE0-4e7c-937C-309322D04F6A}.exe	37
PID 2244 wrote to memory of 2544	2244	{39033880-EDE0-4e7c-937C-309322D04F6A}.exe	37
PID 2244 wrote to memory of 2544	2244	{39033880-EDE0-4e7c-937C-309322D04F6A}.exe	37
PID 2244 wrote to memory of 2544	2244	{39033880-EDE0-4e7c-937C-309322D04F6A}.exe	37
PID 2500 wrote to memory of 1316	2500	{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe	39
PID 2500 wrote to memory of 1316	2500	{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe	39
PID 2500 wrote to memory of 1316	2500	{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe	39
PID 2500 wrote to memory of 1316	2500	{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe	39
PID 2500 wrote to memory of 2560	2500	{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe	38
PID 2500 wrote to memory of 2560	2500	{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe	38
PID 2500 wrote to memory of 2560	2500	{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe	38
PID 2500 wrote to memory of 2560	2500	{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe	38
PID 1316 wrote to memory of 2312	1316	{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe	41
PID 1316 wrote to memory of 2312	1316	{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe	41
PID 1316 wrote to memory of 2312	1316	{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe	41
PID 1316 wrote to memory of 2312	1316	{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe	41
PID 1316 wrote to memory of 1120	1316	{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe	40
PID 1316 wrote to memory of 1120	1316	{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe	40
PID 1316 wrote to memory of 1120	1316	{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe	40
PID 1316 wrote to memory of 1120	1316	{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe	40
PID 2312 wrote to memory of 580	2312	{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe	42
PID 2312 wrote to memory of 580	2312	{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe	42
PID 2312 wrote to memory of 580	2312	{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe	42
PID 2312 wrote to memory of 580	2312	{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe	42
PID 2312 wrote to memory of 528	2312	{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe	43
PID 2312 wrote to memory of 528	2312	{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe	43
PID 2312 wrote to memory of 528	2312	{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe	43
PID 2312 wrote to memory of 528	2312	{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe	43
PID 580 wrote to memory of 1636	580	{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe	44
PID 580 wrote to memory of 1636	580	{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe	44
PID 580 wrote to memory of 1636	580	{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe	44
PID 580 wrote to memory of 1636	580	{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe	44
PID 580 wrote to memory of 564	580	{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe	45
PID 580 wrote to memory of 564	580	{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe	45
PID 580 wrote to memory of 564	580	{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe	45
PID 580 wrote to memory of 564	580	{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8def3d3f03900164754d81223956d27e827aa1a6643ca3b22954eec77e25cdb3_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe
  C:\Windows\{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe
    C:\Windows\{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\{39033880-EDE0-4e7c-937C-309322D04F6A}.exe
      C:\Windows\{39033880-EDE0-4e7c-937C-309322D04F6A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe
        
        C:\Windows\{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCE5B~1.EXE > nul
        6⤵
        
        PID:2560
      - C:\Windows\{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe
        
        C:\Windows\{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79CDB~1.EXE > nul
        7⤵
        
        PID:1120
        
        C:\Windows\{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe
        
        C:\Windows\{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe
        
        C:\Windows\{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\{F50B917D-0884-45a4-A12A-77530232C358}.exe
        
        C:\Windows\{F50B917D-0884-45a4-A12A-77530232C358}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\{0DC91ADC-49FF-4686-8DEA-56FDCA208BDD}.exe
        
        C:\Windows\{0DC91ADC-49FF-4686-8DEA-56FDCA208BDD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Windows\{22527F38-3F4E-4933-9CED-BF6B3AC31691}.exe
        
        C:\Windows\{22527F38-3F4E-4933-9CED-BF6B3AC31691}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\{EDFA4801-9DEA-4143-B9E5-34C8DFE6C65E}.exe
        
        C:\Windows\{EDFA4801-9DEA-4143-B9E5-34C8DFE6C65E}.exe
        12⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22527~1.EXE > nul
        12⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DC91~1.EXE > nul
        11⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F50B9~1.EXE > nul
        10⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09A4A~1.EXE > nul
        9⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1BB8~1.EXE > nul
        8⤵
        
        PID:528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39033~1.EXE > nul
        5⤵
        
        PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C6838~1.EXE > nul
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8D4F7~1.EXE > nul
    3⤵
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS8D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe

Filesize
204KB

MD5
bdc9463bc98ca4053ddad37c49383d02

SHA1
ce1f03359013b48d252f684bd5e889e9852fa8b1

SHA256
6c4fd5375836822e58334dccd9d817dccbd7324223f11cad2bee90324f1ae3c4

SHA512
26ad8f209381aab6a123b37865d7ff4e3cbfa261999a960e1539fc32644c7d8be9433c6f741eb791c21d75d32ae68ade0a485cb7931b6c35a77e1d29e05ca144

Download Submit
C:\Windows\{09A4A07A-CFC3-4e4b-B576-BC1D63FA80C2}.exe

Filesize
204KB

MD5
bdc9463bc98ca4053ddad37c49383d02

SHA1
ce1f03359013b48d252f684bd5e889e9852fa8b1

SHA256
6c4fd5375836822e58334dccd9d817dccbd7324223f11cad2bee90324f1ae3c4

SHA512
26ad8f209381aab6a123b37865d7ff4e3cbfa261999a960e1539fc32644c7d8be9433c6f741eb791c21d75d32ae68ade0a485cb7931b6c35a77e1d29e05ca144

Download Submit
C:\Windows\{0DC91ADC-49FF-4686-8DEA-56FDCA208BDD}.exe

Filesize
204KB

MD5
d6ab7ee19f23737afea84ab66d84e60e

SHA1
628722379aa7c868c226e22806d7afda57ddbf06

SHA256
25c0108ab950f27bcadd0e0788341eb9df19f3411ae7893a68b88dce0f2be7eb

SHA512
ffd6f175a009ca1848545496d3ef41b2586d07947060744dc64bb883c4ee061f97d5fa7177190d89349d7e760abf7dd28bea957650566e690bf2dd8a750ea082

Download Submit
C:\Windows\{0DC91ADC-49FF-4686-8DEA-56FDCA208BDD}.exe

Filesize
204KB

MD5
d6ab7ee19f23737afea84ab66d84e60e

SHA1
628722379aa7c868c226e22806d7afda57ddbf06

SHA256
25c0108ab950f27bcadd0e0788341eb9df19f3411ae7893a68b88dce0f2be7eb

SHA512
ffd6f175a009ca1848545496d3ef41b2586d07947060744dc64bb883c4ee061f97d5fa7177190d89349d7e760abf7dd28bea957650566e690bf2dd8a750ea082

Download Submit
C:\Windows\{22527F38-3F4E-4933-9CED-BF6B3AC31691}.exe

Filesize
204KB

MD5
0f6675b07c7de51681d997bad880020e

SHA1
5fb034419471f5eec6cc30321a2503ff678a9de5

SHA256
daec67608df6336a4961a2fb6c62a7813696266f0fce34a656921423fa87acb3

SHA512
a5ca2699d4a6ddc26acc3bac4402b3d5faca5064fde0f19561d550b26124c5ceb1b8f1a6dd01a3d34d040ef418a275c0d15b30b92f0ea999d2512d89bc6c6835

Download Submit
C:\Windows\{22527F38-3F4E-4933-9CED-BF6B3AC31691}.exe

Filesize
204KB

MD5
0f6675b07c7de51681d997bad880020e

SHA1
5fb034419471f5eec6cc30321a2503ff678a9de5

SHA256
daec67608df6336a4961a2fb6c62a7813696266f0fce34a656921423fa87acb3

SHA512
a5ca2699d4a6ddc26acc3bac4402b3d5faca5064fde0f19561d550b26124c5ceb1b8f1a6dd01a3d34d040ef418a275c0d15b30b92f0ea999d2512d89bc6c6835

Download Submit
C:\Windows\{39033880-EDE0-4e7c-937C-309322D04F6A}.exe

Filesize
204KB

MD5
635a4b8c6e24223be03c72b1afba0052

SHA1
a6dc4e8c55204cc26a803a2130e341d2c714902a

SHA256
412ffc1edfc68d36cead7e86cbe8966a8e817a19706429f3449d166a278d5060

SHA512
3e92342748c183e32eb507d3914487b169ca41215d5bda59b706281ab6b8bc5078c9c6aa14cf1a04312b19b425a9cdb7a76502851168198bddb80beff975c919

Download Submit
C:\Windows\{39033880-EDE0-4e7c-937C-309322D04F6A}.exe

Filesize
204KB

MD5
635a4b8c6e24223be03c72b1afba0052

SHA1
a6dc4e8c55204cc26a803a2130e341d2c714902a

SHA256
412ffc1edfc68d36cead7e86cbe8966a8e817a19706429f3449d166a278d5060

SHA512
3e92342748c183e32eb507d3914487b169ca41215d5bda59b706281ab6b8bc5078c9c6aa14cf1a04312b19b425a9cdb7a76502851168198bddb80beff975c919

Download Submit
C:\Windows\{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe

Filesize
204KB

MD5
863dd44f38639cad2cf42d23eeceb2b6

SHA1
9a9224ed5d0a717e5c60ae91a983781c0029f353

SHA256
4f05798fe539eacb51f6fa555d11c7ab5e6a2cb962a41395da7a67eb9d5b0f11

SHA512
76005152619af723d62effc5ce8d57a5a72622f1165df445ac48146d65e7f2750120b041589cf5aac55c260f3a1d00e38512749e58edb414234d7ad56b36fa41

Download Submit
C:\Windows\{79CDB657-3728-4886-8BF5-B4EACDB0DCB6}.exe

Filesize
204KB

MD5
863dd44f38639cad2cf42d23eeceb2b6

SHA1
9a9224ed5d0a717e5c60ae91a983781c0029f353

SHA256
4f05798fe539eacb51f6fa555d11c7ab5e6a2cb962a41395da7a67eb9d5b0f11

SHA512
76005152619af723d62effc5ce8d57a5a72622f1165df445ac48146d65e7f2750120b041589cf5aac55c260f3a1d00e38512749e58edb414234d7ad56b36fa41

Download Submit
C:\Windows\{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe

Filesize
204KB

MD5
f0d233f9ae84f085b3924a8868840849

SHA1
a2a1e1635c128479b4ecad2485e4a9112f1d1379

SHA256
a459b5ef5a31e3beb995d9d210bdac4bab491e59294edf030a0bb15dccaf57e4

SHA512
8a7959a197923afc26508dcef5e63bf256ae898498c74a7b4ce83dfc911203188f98b0c9bb8329c556c6087ffb650027f904767a04f9130ced4e86c91dd95e61

Download Submit
C:\Windows\{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe

Filesize
204KB

MD5
f0d233f9ae84f085b3924a8868840849

SHA1
a2a1e1635c128479b4ecad2485e4a9112f1d1379

SHA256
a459b5ef5a31e3beb995d9d210bdac4bab491e59294edf030a0bb15dccaf57e4

SHA512
8a7959a197923afc26508dcef5e63bf256ae898498c74a7b4ce83dfc911203188f98b0c9bb8329c556c6087ffb650027f904767a04f9130ced4e86c91dd95e61

Download Submit
C:\Windows\{8D4F75EF-A1C2-4ab1-9B77-C4460D94B543}.exe

Filesize
204KB

MD5
f0d233f9ae84f085b3924a8868840849

SHA1
a2a1e1635c128479b4ecad2485e4a9112f1d1379

SHA256
a459b5ef5a31e3beb995d9d210bdac4bab491e59294edf030a0bb15dccaf57e4

SHA512
8a7959a197923afc26508dcef5e63bf256ae898498c74a7b4ce83dfc911203188f98b0c9bb8329c556c6087ffb650027f904767a04f9130ced4e86c91dd95e61

Download Submit
C:\Windows\{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe

Filesize
204KB

MD5
215c488ee062050f7e873e78995bda37

SHA1
5b96dd3d12f8d24be1ffeeb382a4a7cacb29fde3

SHA256
ceb40f929290859f22199783475135a9505be57554db66c63e1144cf45575b67

SHA512
8b6045b3f990905a2e76caa5cf558fe1124f752b6571be04bf17aa9a76f4e491537e5e8104b2c2210aed9f95708ff5aeaa007d6b03b845547c7390a211a529e5

Download Submit
C:\Windows\{A1BB82FC-DE4C-4f66-9191-337A7CD68557}.exe

Filesize
204KB

MD5
215c488ee062050f7e873e78995bda37

SHA1
5b96dd3d12f8d24be1ffeeb382a4a7cacb29fde3

SHA256
ceb40f929290859f22199783475135a9505be57554db66c63e1144cf45575b67

SHA512
8b6045b3f990905a2e76caa5cf558fe1124f752b6571be04bf17aa9a76f4e491537e5e8104b2c2210aed9f95708ff5aeaa007d6b03b845547c7390a211a529e5

Download Submit
C:\Windows\{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe

Filesize
204KB

MD5
2991787157913d78d5d4b594bd137762

SHA1
8ca96ac95e428d3420237ecd6116eab47d5a35c1

SHA256
8c926a160d3f4f6f86ee9c58dfcb7f1e4400c1f6bd9aa5ad6841e2f78229acd0

SHA512
0d184e959c8d5acb9388240d51b087153d2e4ee31fab8b45d54df0c1b6dd3e7beaf57b9d5a7969b4d978949c685e31447b0fee00e14bc10734f386204f1f196b

Download Submit
C:\Windows\{BCE5B7CF-A6AB-4610-AF3B-06718F223CBA}.exe

Filesize
204KB

MD5
2991787157913d78d5d4b594bd137762

SHA1
8ca96ac95e428d3420237ecd6116eab47d5a35c1

SHA256
8c926a160d3f4f6f86ee9c58dfcb7f1e4400c1f6bd9aa5ad6841e2f78229acd0

SHA512
0d184e959c8d5acb9388240d51b087153d2e4ee31fab8b45d54df0c1b6dd3e7beaf57b9d5a7969b4d978949c685e31447b0fee00e14bc10734f386204f1f196b

Download Submit
C:\Windows\{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe

Filesize
204KB

MD5
4e24cb528adb7ac46c7b9fbc173cefc9

SHA1
e1006d81eb2847b0dde1cafdc6b841b9b7c9c764

SHA256
79a3c71fd8d90f571dbb3486f4b4d9fcc75892941b2a8d8cc498aaaddb6a58d9

SHA512
5c077ca30c3e825571d80e3217ea06931222bd02bf74e5c418012a7b6ef5bba496f5505f6d4048d2e06f5c225d8e74bdf3eb833f1f59a4693e9e91f9f364432f

Download Submit
C:\Windows\{C6838BEA-2C4E-486f-AAF9-CE7D1150D3A5}.exe

Filesize
204KB

MD5
4e24cb528adb7ac46c7b9fbc173cefc9

SHA1
e1006d81eb2847b0dde1cafdc6b841b9b7c9c764

SHA256
79a3c71fd8d90f571dbb3486f4b4d9fcc75892941b2a8d8cc498aaaddb6a58d9

SHA512
5c077ca30c3e825571d80e3217ea06931222bd02bf74e5c418012a7b6ef5bba496f5505f6d4048d2e06f5c225d8e74bdf3eb833f1f59a4693e9e91f9f364432f

Download Submit
C:\Windows\{EDFA4801-9DEA-4143-B9E5-34C8DFE6C65E}.exe

Filesize
204KB

MD5
28e158be39881568ecfe5eb42f554e17

SHA1
ee29768acceef48c730e1a85b42a813e67f40369

SHA256
b8f4c9af81884c84698382af02613b55fe1b0d23fb36954f65a36fac42d69af5

SHA512
a52445dec668e9fbfa7a42fa17443af1f348ae681b15d41e5f50daa7b5abba583038c6cc5fd4f87097e72af1664e1173b808923c203e4e388054412534ca9e5f

Download Submit
C:\Windows\{F50B917D-0884-45a4-A12A-77530232C358}.exe

Filesize
204KB

MD5
7c63ae4c81507bbe93b7052af6145993

SHA1
328564e5254be81c71c573380b3c9e90f6978864

SHA256
ced49950f173d2d0cf448dd1dc11c074e9b7a0b2842af25c89033d6babe89fe6

SHA512
a968cb335c7a3ac2c737688def5032d22ad5c51074259de4fdd02274df2b9da4baa0ad31dec99431b05e8528b0d5d4cac84d31fcc62bdb08f7cb61f26923b34f

Download Submit
C:\Windows\{F50B917D-0884-45a4-A12A-77530232C358}.exe

Filesize
204KB

MD5
7c63ae4c81507bbe93b7052af6145993

SHA1
328564e5254be81c71c573380b3c9e90f6978864

SHA256
ced49950f173d2d0cf448dd1dc11c074e9b7a0b2842af25c89033d6babe89fe6

SHA512
a968cb335c7a3ac2c737688def5032d22ad5c51074259de4fdd02274df2b9da4baa0ad31dec99431b05e8528b0d5d4cac84d31fcc62bdb08f7cb61f26923b34f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads