83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07-10-2023 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe
Size

180KB
MD5

ba32f17aa01947fc4febe5d95840623e
SHA1

f41880169c7a20d3a1f416a80dd71cd3853ecd4f
SHA256

83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426
SHA512

915ad31baef8bfbc57fbd708757c5a78b010816fca7058daf30ecd1e32da582e8b3bce1de3d9234b10227c3d70edaaf3709c93c442484607f58420a2e87c2ae5
SSDEEP

3072:jEGh0oYlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG+l5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40080882-642A-4600-8803-C6D0895A0BBE}\stubpath = "C:\\Windows\\{40080882-642A-4600-8803-C6D0895A0BBE}.exe"	{69AB80E0-3E51-40b3-8544-7A5605B54339}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D32317D9-0B86-463b-8BBA-032B200120B3}	{40080882-642A-4600-8803-C6D0895A0BBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}\stubpath = "C:\\Windows\\{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe"	{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}	{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}\stubpath = "C:\\Windows\\{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe"	{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC7159BB-B8AD-41b6-9540-B00610C08C9D}\stubpath = "C:\\Windows\\{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe"	{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}	{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69AB80E0-3E51-40b3-8544-7A5605B54339}\stubpath = "C:\\Windows\\{69AB80E0-3E51-40b3-8544-7A5605B54339}.exe"	{3821B420-ABB7-4369-A756-80ECADA0813B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D32317D9-0B86-463b-8BBA-032B200120B3}\stubpath = "C:\\Windows\\{D32317D9-0B86-463b-8BBA-032B200120B3}.exe"	{40080882-642A-4600-8803-C6D0895A0BBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}\stubpath = "C:\\Windows\\{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe"	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{003DD915-B0A2-48d7-A0DB-14FFB517F172}	{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{424D0073-E2CF-43f4-8594-1AB1114FFFCE}	{D32317D9-0B86-463b-8BBA-032B200120B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}\stubpath = "C:\\Windows\\{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe"	{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69AB80E0-3E51-40b3-8544-7A5605B54339}	{3821B420-ABB7-4369-A756-80ECADA0813B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{003DD915-B0A2-48d7-A0DB-14FFB517F172}\stubpath = "C:\\Windows\\{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe"	{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC7159BB-B8AD-41b6-9540-B00610C08C9D}	{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3821B420-ABB7-4369-A756-80ECADA0813B}	{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3821B420-ABB7-4369-A756-80ECADA0813B}\stubpath = "C:\\Windows\\{3821B420-ABB7-4369-A756-80ECADA0813B}.exe"	{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40080882-642A-4600-8803-C6D0895A0BBE}	{69AB80E0-3E51-40b3-8544-7A5605B54339}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{424D0073-E2CF-43f4-8594-1AB1114FFFCE}\stubpath = "C:\\Windows\\{424D0073-E2CF-43f4-8594-1AB1114FFFCE}.exe"	{D32317D9-0B86-463b-8BBA-032B200120B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}	{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe

Deletes itself 1 IoCs

pid	Process
2912	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2420	{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe
2060	{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe
2796	{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe
2520	{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe
1040	{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe
2568	{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe
1812	{3821B420-ABB7-4369-A756-80ECADA0813B}.exe
2720	{69AB80E0-3E51-40b3-8544-7A5605B54339}.exe
2892	{40080882-642A-4600-8803-C6D0895A0BBE}.exe
2732	{D32317D9-0B86-463b-8BBA-032B200120B3}.exe
1864	{424D0073-E2CF-43f4-8594-1AB1114FFFCE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D32317D9-0B86-463b-8BBA-032B200120B3}.exe	{40080882-642A-4600-8803-C6D0895A0BBE}.exe
File created	C:\Windows\{424D0073-E2CF-43f4-8594-1AB1114FFFCE}.exe	{D32317D9-0B86-463b-8BBA-032B200120B3}.exe
File created	C:\Windows\{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe	{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe
File created	C:\Windows\{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe	{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe
File created	C:\Windows\{3821B420-ABB7-4369-A756-80ECADA0813B}.exe	{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe
File created	C:\Windows\{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe	{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe
File created	C:\Windows\{69AB80E0-3E51-40b3-8544-7A5605B54339}.exe	{3821B420-ABB7-4369-A756-80ECADA0813B}.exe
File created	C:\Windows\{40080882-642A-4600-8803-C6D0895A0BBE}.exe	{69AB80E0-3E51-40b3-8544-7A5605B54339}.exe
File created	C:\Windows\{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe
File created	C:\Windows\{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe	{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe
File created	C:\Windows\{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe	{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2112	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe
Token: SeIncBasePriorityPrivilege	2420	{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe
Token: SeIncBasePriorityPrivilege	2060	{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe
Token: SeIncBasePriorityPrivilege	2796	{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe
Token: SeIncBasePriorityPrivilege	2520	{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe
Token: SeIncBasePriorityPrivilege	1040	{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe
Token: SeIncBasePriorityPrivilege	2568	{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe
Token: SeIncBasePriorityPrivilege	1812	{3821B420-ABB7-4369-A756-80ECADA0813B}.exe
Token: SeIncBasePriorityPrivilege	2720	{69AB80E0-3E51-40b3-8544-7A5605B54339}.exe
Token: SeIncBasePriorityPrivilege	2892	{40080882-642A-4600-8803-C6D0895A0BBE}.exe
Token: SeIncBasePriorityPrivilege	2732	{D32317D9-0B86-463b-8BBA-032B200120B3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2420	2112	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe	28
PID 2112 wrote to memory of 2420	2112	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe	28
PID 2112 wrote to memory of 2420	2112	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe	28
PID 2112 wrote to memory of 2420	2112	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe	28
PID 2112 wrote to memory of 2912	2112	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe	29
PID 2112 wrote to memory of 2912	2112	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe	29
PID 2112 wrote to memory of 2912	2112	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe	29
PID 2112 wrote to memory of 2912	2112	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe	29
PID 2420 wrote to memory of 2060	2420	{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe	30
PID 2420 wrote to memory of 2060	2420	{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe	30
PID 2420 wrote to memory of 2060	2420	{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe	30
PID 2420 wrote to memory of 2060	2420	{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe	30
PID 2420 wrote to memory of 2756	2420	{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe	31
PID 2420 wrote to memory of 2756	2420	{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe	31
PID 2420 wrote to memory of 2756	2420	{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe	31
PID 2420 wrote to memory of 2756	2420	{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe	31
PID 2060 wrote to memory of 2796	2060	{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe	32
PID 2060 wrote to memory of 2796	2060	{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe	32
PID 2060 wrote to memory of 2796	2060	{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe	32
PID 2060 wrote to memory of 2796	2060	{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe	32
PID 2060 wrote to memory of 2648	2060	{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe	33
PID 2060 wrote to memory of 2648	2060	{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe	33
PID 2060 wrote to memory of 2648	2060	{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe	33
PID 2060 wrote to memory of 2648	2060	{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe	33
PID 2796 wrote to memory of 2520	2796	{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe	36
PID 2796 wrote to memory of 2520	2796	{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe	36
PID 2796 wrote to memory of 2520	2796	{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe	36
PID 2796 wrote to memory of 2520	2796	{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe	36
PID 2796 wrote to memory of 2628	2796	{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe	37
PID 2796 wrote to memory of 2628	2796	{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe	37
PID 2796 wrote to memory of 2628	2796	{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe	37
PID 2796 wrote to memory of 2628	2796	{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe	37
PID 2520 wrote to memory of 1040	2520	{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe	38
PID 2520 wrote to memory of 1040	2520	{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe	38
PID 2520 wrote to memory of 1040	2520	{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe	38
PID 2520 wrote to memory of 1040	2520	{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe	38
PID 2520 wrote to memory of 2508	2520	{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe	39
PID 2520 wrote to memory of 2508	2520	{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe	39
PID 2520 wrote to memory of 2508	2520	{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe	39
PID 2520 wrote to memory of 2508	2520	{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe	39
PID 1040 wrote to memory of 2568	1040	{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe	40
PID 1040 wrote to memory of 2568	1040	{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe	40
PID 1040 wrote to memory of 2568	1040	{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe	40
PID 1040 wrote to memory of 2568	1040	{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe	40
PID 1040 wrote to memory of 2988	1040	{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe	41
PID 1040 wrote to memory of 2988	1040	{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe	41
PID 1040 wrote to memory of 2988	1040	{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe	41
PID 1040 wrote to memory of 2988	1040	{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe	41
PID 2568 wrote to memory of 1812	2568	{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe	42
PID 2568 wrote to memory of 1812	2568	{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe	42
PID 2568 wrote to memory of 1812	2568	{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe	42
PID 2568 wrote to memory of 1812	2568	{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe	42
PID 2568 wrote to memory of 1272	2568	{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe	43
PID 2568 wrote to memory of 1272	2568	{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe	43
PID 2568 wrote to memory of 1272	2568	{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe	43
PID 2568 wrote to memory of 1272	2568	{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe	43
PID 1812 wrote to memory of 2720	1812	{3821B420-ABB7-4369-A756-80ECADA0813B}.exe	44
PID 1812 wrote to memory of 2720	1812	{3821B420-ABB7-4369-A756-80ECADA0813B}.exe	44
PID 1812 wrote to memory of 2720	1812	{3821B420-ABB7-4369-A756-80ECADA0813B}.exe	44
PID 1812 wrote to memory of 2720	1812	{3821B420-ABB7-4369-A756-80ECADA0813B}.exe	44
PID 1812 wrote to memory of 2844	1812	{3821B420-ABB7-4369-A756-80ECADA0813B}.exe	45
PID 1812 wrote to memory of 2844	1812	{3821B420-ABB7-4369-A756-80ECADA0813B}.exe	45
PID 1812 wrote to memory of 2844	1812	{3821B420-ABB7-4369-A756-80ECADA0813B}.exe	45
PID 1812 wrote to memory of 2844	1812	{3821B420-ABB7-4369-A756-80ECADA0813B}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe
  C:\Windows\{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe
    C:\Windows\{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe
      C:\Windows\{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe
        
        C:\Windows\{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe
        
        C:\Windows\{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe
        
        C:\Windows\{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\{3821B420-ABB7-4369-A756-80ECADA0813B}.exe
        
        C:\Windows\{3821B420-ABB7-4369-A756-80ECADA0813B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{69AB80E0-3E51-40b3-8544-7A5605B54339}.exe
        
        C:\Windows\{69AB80E0-3E51-40b3-8544-7A5605B54339}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\{40080882-642A-4600-8803-C6D0895A0BBE}.exe
        
        C:\Windows\{40080882-642A-4600-8803-C6D0895A0BBE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\{D32317D9-0B86-463b-8BBA-032B200120B3}.exe
        
        C:\Windows\{D32317D9-0B86-463b-8BBA-032B200120B3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\{424D0073-E2CF-43f4-8594-1AB1114FFFCE}.exe
        
        C:\Windows\{424D0073-E2CF-43f4-8594-1AB1114FFFCE}.exe
        12⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3231~1.EXE > nul
        12⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40080~1.EXE > nul
        11⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69AB8~1.EXE > nul
        10⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3821B~1.EXE > nul
        9⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D37B~1.EXE > nul
        8⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC715~1.EXE > nul
        7⤵
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6DF6~1.EXE > nul
        6⤵
        
        PID:2508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{003DD~1.EXE > nul
        5⤵
        
        PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0B66C~1.EXE > nul
      4⤵
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{039C9~1.EXE > nul
    3⤵
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS83~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe

Filesize
180KB

MD5
66593b35d1f0056b1006053c7f45223f

SHA1
42a8d2f1e8cd89e4c7c171948db11d168e0f64d4

SHA256
56167665595dfc740f7e3a6dfc3e3188b09e2bbaec422489f7c0bc28f2f9f9df

SHA512
89a0f7aa3424a5cc16b97aa8ee02e8a8fd7df376eab7d43d986804064e22e162f5da9373550180bbbcbea8046bfeb09dd60123033d7ff53d269f71de954b58dc

Download Submit
C:\Windows\{003DD915-B0A2-48d7-A0DB-14FFB517F172}.exe

Filesize
180KB

MD5
66593b35d1f0056b1006053c7f45223f

SHA1
42a8d2f1e8cd89e4c7c171948db11d168e0f64d4

SHA256
56167665595dfc740f7e3a6dfc3e3188b09e2bbaec422489f7c0bc28f2f9f9df

SHA512
89a0f7aa3424a5cc16b97aa8ee02e8a8fd7df376eab7d43d986804064e22e162f5da9373550180bbbcbea8046bfeb09dd60123033d7ff53d269f71de954b58dc

Download Submit
C:\Windows\{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe

Filesize
180KB

MD5
edcb27a29f5177ced75936526d93be48

SHA1
b18a8543dffe86ef8c98e6aa3bcfd79fb9fb35f2

SHA256
3a16c75b2b9fa0ab8bfcba62d7a284976671c5e15ab292b57ae9459152a9c422

SHA512
08c2af5d484b43632524fc33bca91fbe33b8d8c826c4735d7437b9ebee50a14d7579cb9ad3631505161fe1b455352e392329d22833cc90426e21ed751fd436ff

Download Submit
C:\Windows\{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe

Filesize
180KB

MD5
edcb27a29f5177ced75936526d93be48

SHA1
b18a8543dffe86ef8c98e6aa3bcfd79fb9fb35f2

SHA256
3a16c75b2b9fa0ab8bfcba62d7a284976671c5e15ab292b57ae9459152a9c422

SHA512
08c2af5d484b43632524fc33bca91fbe33b8d8c826c4735d7437b9ebee50a14d7579cb9ad3631505161fe1b455352e392329d22833cc90426e21ed751fd436ff

Download Submit
C:\Windows\{039C9B1D-5CD7-47f1-AB28-6DDE1A7CA5D5}.exe

Filesize
180KB

MD5
edcb27a29f5177ced75936526d93be48

SHA1
b18a8543dffe86ef8c98e6aa3bcfd79fb9fb35f2

SHA256
3a16c75b2b9fa0ab8bfcba62d7a284976671c5e15ab292b57ae9459152a9c422

SHA512
08c2af5d484b43632524fc33bca91fbe33b8d8c826c4735d7437b9ebee50a14d7579cb9ad3631505161fe1b455352e392329d22833cc90426e21ed751fd436ff

Download Submit
C:\Windows\{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe

Filesize
180KB

MD5
1a3311e38c98590af7c3bd4a081d9c74

SHA1
4b43e7b4d766c26398799299ae5963dde9ac8894

SHA256
b7160dc79bfc44393d1e048c2ee908fdc54859d90deb67650031adc6b04e6ab9

SHA512
c8f89e5e1cf9713f9cefd7232c30cee3796397fe455de65be7329e68534453d03217ce3010069755b63b8cc2d2f31941bc2759bd25b1e165aec3fdd4225518d1

Download Submit
C:\Windows\{0B66CE27-C84F-4bb2-8312-3BF0E6CD4577}.exe

Filesize
180KB

MD5
1a3311e38c98590af7c3bd4a081d9c74

SHA1
4b43e7b4d766c26398799299ae5963dde9ac8894

SHA256
b7160dc79bfc44393d1e048c2ee908fdc54859d90deb67650031adc6b04e6ab9

SHA512
c8f89e5e1cf9713f9cefd7232c30cee3796397fe455de65be7329e68534453d03217ce3010069755b63b8cc2d2f31941bc2759bd25b1e165aec3fdd4225518d1

Download Submit
C:\Windows\{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe

Filesize
180KB

MD5
c2b919def3ef1940036e93f004f9a500

SHA1
7e8a11301f75b0d5347197d3cad8a098abb36366

SHA256
0fbd0855c22f7ab82807849e68d97772fa5f476abc07c268a8f4b3a71bc88d9f

SHA512
bb6d9108b671c3920e00f1df331e874db030449b9d1a915f1a46e13d6e342054471570189e2f040449a46a6ad8c0c5fcb14eec85dabd800351b38ab9f24503ed

Download Submit
C:\Windows\{2D37BF9A-EEDB-48f9-8733-8EA9610B3AE8}.exe

Filesize
180KB

MD5
c2b919def3ef1940036e93f004f9a500

SHA1
7e8a11301f75b0d5347197d3cad8a098abb36366

SHA256
0fbd0855c22f7ab82807849e68d97772fa5f476abc07c268a8f4b3a71bc88d9f

SHA512
bb6d9108b671c3920e00f1df331e874db030449b9d1a915f1a46e13d6e342054471570189e2f040449a46a6ad8c0c5fcb14eec85dabd800351b38ab9f24503ed

Download Submit
C:\Windows\{3821B420-ABB7-4369-A756-80ECADA0813B}.exe

Filesize
180KB

MD5
055784ee0412962ef5e572d59bc605c1

SHA1
5766fa582ff7eac2fcd35230a76153b2cd0ba6cf

SHA256
d8d803d691ce26250162bc91fa5bb16bb2afd4256b9d4bb02a98c6a8a2a873bb

SHA512
347a368d64922ce1b922ed5adf96978633ec5dea960e119f48754405114b0cd2082a18596198cac06e2990a1cc7f5e087fecd0a769e353d862d4b7250ff20920

Download Submit
C:\Windows\{3821B420-ABB7-4369-A756-80ECADA0813B}.exe

Filesize
180KB

MD5
055784ee0412962ef5e572d59bc605c1

SHA1
5766fa582ff7eac2fcd35230a76153b2cd0ba6cf

SHA256
d8d803d691ce26250162bc91fa5bb16bb2afd4256b9d4bb02a98c6a8a2a873bb

SHA512
347a368d64922ce1b922ed5adf96978633ec5dea960e119f48754405114b0cd2082a18596198cac06e2990a1cc7f5e087fecd0a769e353d862d4b7250ff20920

Download Submit
C:\Windows\{40080882-642A-4600-8803-C6D0895A0BBE}.exe

Filesize
180KB

MD5
131145b5973c82c097b79d9d94d59f95

SHA1
6484d756ca8c32f6601264c936708013637dd556

SHA256
22cd0e87c051293e41ae43f41e935572c7cd474cddbbc9b42aef2cf387ed788a

SHA512
1853a477ae91eb1c448eb0eff55147d48d529bc8f2a5b99efd1f65a44d10bc414e7664d780187b2159308e7a70cf2672c2a49653f7716e7dbd0970e1b96dccfb

Download Submit
C:\Windows\{40080882-642A-4600-8803-C6D0895A0BBE}.exe

Filesize
180KB

MD5
131145b5973c82c097b79d9d94d59f95

SHA1
6484d756ca8c32f6601264c936708013637dd556

SHA256
22cd0e87c051293e41ae43f41e935572c7cd474cddbbc9b42aef2cf387ed788a

SHA512
1853a477ae91eb1c448eb0eff55147d48d529bc8f2a5b99efd1f65a44d10bc414e7664d780187b2159308e7a70cf2672c2a49653f7716e7dbd0970e1b96dccfb

Download Submit
C:\Windows\{424D0073-E2CF-43f4-8594-1AB1114FFFCE}.exe

Filesize
180KB

MD5
00dae7b383e22b02a5a23d07f0b8b4c1

SHA1
1242905ac6dcef380d99eb41d977bd49f5105e61

SHA256
d2bb9e277f99506ab5aeb60e96fe4cc9f4dae1a85b4f0e8d52c41a257fcd11fa

SHA512
cf488e50016105f4d6bfe04c12901f0f7dcd95e2105d4050744edaac0b7ab66add473db74ea56f14b2d44435fdc07af8f2785fe73222847d47044da85e30f1b8

Download Submit
C:\Windows\{69AB80E0-3E51-40b3-8544-7A5605B54339}.exe

Filesize
180KB

MD5
e223bcd59c80899c414a7fbaa5561bbd

SHA1
ea2aacac2dcc633d286d26539232aeccf39c4d27

SHA256
3959efb739dc7a425508933824dca3f63861f168972bf96c4ea4196f639b5804

SHA512
35425f8d293c92521d09fc14df8d7eec524694d9ee20a5046a6c50a13bb1f34f4c1173f4e5f97e717f917d791ccaeba0d9db882acef59d42f779e3a215948743

Download Submit
C:\Windows\{69AB80E0-3E51-40b3-8544-7A5605B54339}.exe

Filesize
180KB

MD5
e223bcd59c80899c414a7fbaa5561bbd

SHA1
ea2aacac2dcc633d286d26539232aeccf39c4d27

SHA256
3959efb739dc7a425508933824dca3f63861f168972bf96c4ea4196f639b5804

SHA512
35425f8d293c92521d09fc14df8d7eec524694d9ee20a5046a6c50a13bb1f34f4c1173f4e5f97e717f917d791ccaeba0d9db882acef59d42f779e3a215948743

Download Submit
C:\Windows\{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe

Filesize
180KB

MD5
621d91f34a8729bb01301c318e1b8743

SHA1
0214107edddf8eb353ac9ef1a972a4488b13beea

SHA256
d384204e846d4de53049285872afc79e4ab93f410f30552129f1bea3d87f85ce

SHA512
d3421ddf4472b30d6df198db819f5517abc57dea148db36e35ed6161c378fe54b99b8e02cf87b74c58de1e93eda28a1af88bb6e7fcc7c9aa66206ca9caeca6be

Download Submit
C:\Windows\{B6DF6828-2ECC-444d-A5F0-45365CC8FEF7}.exe

Filesize
180KB

MD5
621d91f34a8729bb01301c318e1b8743

SHA1
0214107edddf8eb353ac9ef1a972a4488b13beea

SHA256
d384204e846d4de53049285872afc79e4ab93f410f30552129f1bea3d87f85ce

SHA512
d3421ddf4472b30d6df198db819f5517abc57dea148db36e35ed6161c378fe54b99b8e02cf87b74c58de1e93eda28a1af88bb6e7fcc7c9aa66206ca9caeca6be

Download Submit
C:\Windows\{D32317D9-0B86-463b-8BBA-032B200120B3}.exe

Filesize
180KB

MD5
6fc5d1ae9772e7a7e7b625a629e88040

SHA1
798c1fc43c0ebb65300478c9313524cd783d87bd

SHA256
ce941e16dc1955b538a97569c8a688c1c6ae9143c42bee898353d70d6a7108d6

SHA512
5b2d43d7f75df81f5b15ab4c2affcd2d47fce5847413aab535dab639fc9d73d6a34bee11c6a676dd8dc3b30086a0c2cea94f9dcf4685c073d840a07482dc31d7

Download Submit
C:\Windows\{D32317D9-0B86-463b-8BBA-032B200120B3}.exe

Filesize
180KB

MD5
6fc5d1ae9772e7a7e7b625a629e88040

SHA1
798c1fc43c0ebb65300478c9313524cd783d87bd

SHA256
ce941e16dc1955b538a97569c8a688c1c6ae9143c42bee898353d70d6a7108d6

SHA512
5b2d43d7f75df81f5b15ab4c2affcd2d47fce5847413aab535dab639fc9d73d6a34bee11c6a676dd8dc3b30086a0c2cea94f9dcf4685c073d840a07482dc31d7

Download Submit
C:\Windows\{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe

Filesize
180KB

MD5
5eb2497d76d8acc755c2ec364a63e45b

SHA1
ba38cf43e8b8a29ad6458bd74c89fc0b5a7c0bab

SHA256
2c4dc5cfdebea17f44c5a8fd035991ec17b5fd6a45aac1455e6a07c2a8ee0a1f

SHA512
07ebd20f04d0c154d6e782f1cbeebe665b8f6b84c54b2c2774fc04449438d79e16788ce5bec408df7f071125b179ca2e407c5050e76c27ac42a8ecbb78d9f32e

Download Submit
C:\Windows\{EC7159BB-B8AD-41b6-9540-B00610C08C9D}.exe

Filesize
180KB

MD5
5eb2497d76d8acc755c2ec364a63e45b

SHA1
ba38cf43e8b8a29ad6458bd74c89fc0b5a7c0bab

SHA256
2c4dc5cfdebea17f44c5a8fd035991ec17b5fd6a45aac1455e6a07c2a8ee0a1f

SHA512
07ebd20f04d0c154d6e782f1cbeebe665b8f6b84c54b2c2774fc04449438d79e16788ce5bec408df7f071125b179ca2e407c5050e76c27ac42a8ecbb78d9f32e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads