83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe
Size

180KB
MD5

ba32f17aa01947fc4febe5d95840623e
SHA1

f41880169c7a20d3a1f416a80dd71cd3853ecd4f
SHA256

83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426
SHA512

915ad31baef8bfbc57fbd708757c5a78b010816fca7058daf30ecd1e32da582e8b3bce1de3d9234b10227c3d70edaaf3709c93c442484607f58420a2e87c2ae5
SSDEEP

3072:jEGh0oYlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG+l5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{956B6BA5-49E3-43b7-970A-2421C930026C}	{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3363CC45-7510-41f0-8DC2-2289170CCE30}\stubpath = "C:\\Windows\\{3363CC45-7510-41f0-8DC2-2289170CCE30}.exe"	{436C0720-59B1-48f6-88AB-89DE70B1E1F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D92F72A1-41B6-4c83-8EBF-040D469851F5}	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97406356-14E2-4e8e-8FD2-E821C69FA8E0}\stubpath = "C:\\Windows\\{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe"	{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}	{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D87DAA74-B172-43a5-A87C-032ECC83159C}\stubpath = "C:\\Windows\\{D87DAA74-B172-43a5-A87C-032ECC83159C}.exe"	{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3363CC45-7510-41f0-8DC2-2289170CCE30}	{436C0720-59B1-48f6-88AB-89DE70B1E1F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97406356-14E2-4e8e-8FD2-E821C69FA8E0}	{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}\stubpath = "C:\\Windows\\{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe"	{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{956B6BA5-49E3-43b7-970A-2421C930026C}\stubpath = "C:\\Windows\\{956B6BA5-49E3-43b7-970A-2421C930026C}.exe"	{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97D9942B-65E1-4006-9B99-8A6498069AC0}\stubpath = "C:\\Windows\\{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe"	{956B6BA5-49E3-43b7-970A-2421C930026C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0753B23-249A-42ed-8CD8-4F6F5674C13E}\stubpath = "C:\\Windows\\{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe"	{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}\stubpath = "C:\\Windows\\{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe"	{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}	{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}\stubpath = "C:\\Windows\\{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe"	{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D92F72A1-41B6-4c83-8EBF-040D469851F5}\stubpath = "C:\\Windows\\{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe"	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{436C0720-59B1-48f6-88AB-89DE70B1E1F7}\stubpath = "C:\\Windows\\{436C0720-59B1-48f6-88AB-89DE70B1E1F7}.exe"	{D87DAA74-B172-43a5-A87C-032ECC83159C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D87DAA74-B172-43a5-A87C-032ECC83159C}	{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97D9942B-65E1-4006-9B99-8A6498069AC0}	{956B6BA5-49E3-43b7-970A-2421C930026C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0753B23-249A-42ed-8CD8-4F6F5674C13E}	{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE407F5E-1455-4dd8-8809-4F062621BAE0}	{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE407F5E-1455-4dd8-8809-4F062621BAE0}\stubpath = "C:\\Windows\\{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe"	{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{436C0720-59B1-48f6-88AB-89DE70B1E1F7}	{D87DAA74-B172-43a5-A87C-032ECC83159C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}	{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe

Executes dropped EXE 12 IoCs

pid	Process
4208	{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe
3364	{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe
404	{956B6BA5-49E3-43b7-970A-2421C930026C}.exe
4928	{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe
4076	{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe
3748	{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe
2528	{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe
1124	{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe
4908	{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe
4636	{D87DAA74-B172-43a5-A87C-032ECC83159C}.exe
4620	{436C0720-59B1-48f6-88AB-89DE70B1E1F7}.exe
4688	{3363CC45-7510-41f0-8DC2-2289170CCE30}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe	{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe
File created	C:\Windows\{D87DAA74-B172-43a5-A87C-032ECC83159C}.exe	{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe
File created	C:\Windows\{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe
File created	C:\Windows\{956B6BA5-49E3-43b7-970A-2421C930026C}.exe	{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe
File created	C:\Windows\{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe	{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe
File created	C:\Windows\{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe	{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe
File created	C:\Windows\{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe	{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe
File created	C:\Windows\{436C0720-59B1-48f6-88AB-89DE70B1E1F7}.exe	{D87DAA74-B172-43a5-A87C-032ECC83159C}.exe
File created	C:\Windows\{3363CC45-7510-41f0-8DC2-2289170CCE30}.exe	{436C0720-59B1-48f6-88AB-89DE70B1E1F7}.exe
File created	C:\Windows\{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe	{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe
File created	C:\Windows\{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe	{956B6BA5-49E3-43b7-970A-2421C930026C}.exe
File created	C:\Windows\{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe	{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3596	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe
Token: SeIncBasePriorityPrivilege	4208	{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe
Token: SeIncBasePriorityPrivilege	3364	{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe
Token: SeIncBasePriorityPrivilege	404	{956B6BA5-49E3-43b7-970A-2421C930026C}.exe
Token: SeIncBasePriorityPrivilege	4928	{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe
Token: SeIncBasePriorityPrivilege	4076	{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe
Token: SeIncBasePriorityPrivilege	3748	{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe
Token: SeIncBasePriorityPrivilege	2528	{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe
Token: SeIncBasePriorityPrivilege	1124	{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe
Token: SeIncBasePriorityPrivilege	4908	{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe
Token: SeIncBasePriorityPrivilege	4636	{D87DAA74-B172-43a5-A87C-032ECC83159C}.exe
Token: SeIncBasePriorityPrivilege	4620	{436C0720-59B1-48f6-88AB-89DE70B1E1F7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 4208	3596	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe	95
PID 3596 wrote to memory of 4208	3596	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe	95
PID 3596 wrote to memory of 4208	3596	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe	95
PID 3596 wrote to memory of 1380	3596	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe	96
PID 3596 wrote to memory of 1380	3596	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe	96
PID 3596 wrote to memory of 1380	3596	NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe	96
PID 4208 wrote to memory of 3364	4208	{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe	98
PID 4208 wrote to memory of 3364	4208	{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe	98
PID 4208 wrote to memory of 3364	4208	{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe	98
PID 4208 wrote to memory of 3592	4208	{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe	99
PID 4208 wrote to memory of 3592	4208	{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe	99
PID 4208 wrote to memory of 3592	4208	{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe	99
PID 3364 wrote to memory of 404	3364	{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe	102
PID 3364 wrote to memory of 404	3364	{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe	102
PID 3364 wrote to memory of 404	3364	{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe	102
PID 3364 wrote to memory of 4576	3364	{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe	101
PID 3364 wrote to memory of 4576	3364	{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe	101
PID 3364 wrote to memory of 4576	3364	{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe	101
PID 404 wrote to memory of 4928	404	{956B6BA5-49E3-43b7-970A-2421C930026C}.exe	103
PID 404 wrote to memory of 4928	404	{956B6BA5-49E3-43b7-970A-2421C930026C}.exe	103
PID 404 wrote to memory of 4928	404	{956B6BA5-49E3-43b7-970A-2421C930026C}.exe	103
PID 404 wrote to memory of 3224	404	{956B6BA5-49E3-43b7-970A-2421C930026C}.exe	104
PID 404 wrote to memory of 3224	404	{956B6BA5-49E3-43b7-970A-2421C930026C}.exe	104
PID 404 wrote to memory of 3224	404	{956B6BA5-49E3-43b7-970A-2421C930026C}.exe	104
PID 4928 wrote to memory of 4076	4928	{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe	105
PID 4928 wrote to memory of 4076	4928	{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe	105
PID 4928 wrote to memory of 4076	4928	{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe	105
PID 4928 wrote to memory of 2500	4928	{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe	106
PID 4928 wrote to memory of 2500	4928	{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe	106
PID 4928 wrote to memory of 2500	4928	{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe	106
PID 4076 wrote to memory of 3748	4076	{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe	107
PID 4076 wrote to memory of 3748	4076	{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe	107
PID 4076 wrote to memory of 3748	4076	{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe	107
PID 4076 wrote to memory of 4624	4076	{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe	108
PID 4076 wrote to memory of 4624	4076	{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe	108
PID 4076 wrote to memory of 4624	4076	{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe	108
PID 3748 wrote to memory of 2528	3748	{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe	109
PID 3748 wrote to memory of 2528	3748	{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe	109
PID 3748 wrote to memory of 2528	3748	{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe	109
PID 3748 wrote to memory of 2840	3748	{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe	110
PID 3748 wrote to memory of 2840	3748	{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe	110
PID 3748 wrote to memory of 2840	3748	{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe	110
PID 2528 wrote to memory of 1124	2528	{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe	111
PID 2528 wrote to memory of 1124	2528	{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe	111
PID 2528 wrote to memory of 1124	2528	{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe	111
PID 2528 wrote to memory of 1888	2528	{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe	112
PID 2528 wrote to memory of 1888	2528	{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe	112
PID 2528 wrote to memory of 1888	2528	{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe	112
PID 1124 wrote to memory of 4908	1124	{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe	113
PID 1124 wrote to memory of 4908	1124	{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe	113
PID 1124 wrote to memory of 4908	1124	{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe	113
PID 1124 wrote to memory of 1104	1124	{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe	114
PID 1124 wrote to memory of 1104	1124	{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe	114
PID 1124 wrote to memory of 1104	1124	{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe	114
PID 4908 wrote to memory of 4636	4908	{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe	115
PID 4908 wrote to memory of 4636	4908	{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe	115
PID 4908 wrote to memory of 4636	4908	{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe	115
PID 4908 wrote to memory of 3676	4908	{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe	116
PID 4908 wrote to memory of 3676	4908	{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe	116
PID 4908 wrote to memory of 3676	4908	{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe	116
PID 4636 wrote to memory of 4620	4636	{D87DAA74-B172-43a5-A87C-032ECC83159C}.exe	117
PID 4636 wrote to memory of 4620	4636	{D87DAA74-B172-43a5-A87C-032ECC83159C}.exe	117
PID 4636 wrote to memory of 4620	4636	{D87DAA74-B172-43a5-A87C-032ECC83159C}.exe	117
PID 4636 wrote to memory of 1808	4636	{D87DAA74-B172-43a5-A87C-032ECC83159C}.exe	118

C:\Users\Admin\AppData\Local\Temp\NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.83478f42b403379cacd680811c6fb007985fa5fc41d9d7ff1041b83db643f426_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe
  C:\Windows\{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe
    C:\Windows\{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AE1EF~1.EXE > nul
      4⤵
      PID:4576
  - - C:\Windows\{956B6BA5-49E3-43b7-970A-2421C930026C}.exe
      C:\Windows\{956B6BA5-49E3-43b7-970A-2421C930026C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:404
    - - C:\Windows\{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe
        
        C:\Windows\{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4928
      - C:\Windows\{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe
        
        C:\Windows\{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe
        
        C:\Windows\{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe
        
        C:\Windows\{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe
        
        C:\Windows\{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe
        
        C:\Windows\{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\{D87DAA74-B172-43a5-A87C-032ECC83159C}.exe
        
        C:\Windows\{D87DAA74-B172-43a5-A87C-032ECC83159C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\{436C0720-59B1-48f6-88AB-89DE70B1E1F7}.exe
        
        C:\Windows\{436C0720-59B1-48f6-88AB-89DE70B1E1F7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
        
        C:\Windows\{3363CC45-7510-41f0-8DC2-2289170CCE30}.exe
        
        C:\Windows\{3363CC45-7510-41f0-8DC2-2289170CCE30}.exe
        13⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{436C0~1.EXE > nul
        13⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D87DA~1.EXE > nul
        12⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE658~1.EXE > nul
        11⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE407~1.EXE > nul
        10⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A3D6~1.EXE > nul
        9⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0753~1.EXE > nul
        8⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97406~1.EXE > nul
        7⤵
        
        PID:4624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97D99~1.EXE > nul
        6⤵
        
        PID:2500
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{956B6~1.EXE > nul
        5⤵
        
        PID:3224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D92F7~1.EXE > nul
    3⤵
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS83~1.EXE > nul
  2⤵
  PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3363CC45-7510-41f0-8DC2-2289170CCE30}.exe

Filesize
180KB

MD5
ad83151a59aaf78fa75fc4c3ed3e0bc8

SHA1
1bdd90baabccdd74482261f8fdb4230f5b5a00ec

SHA256
fbff8fa9787a18b76eb97ba03d38584735fe6d4563cb56e184717b8083272a86

SHA512
98b9224f280a02c64d213995f0d6e33547059bdd1b1083d5c44f555f69160060f276bc69024c8fcd742dbc2e265c578c629468b0226314e457f723df8fb24527

Download Submit
C:\Windows\{3363CC45-7510-41f0-8DC2-2289170CCE30}.exe

Filesize
180KB

MD5
ad83151a59aaf78fa75fc4c3ed3e0bc8

SHA1
1bdd90baabccdd74482261f8fdb4230f5b5a00ec

SHA256
fbff8fa9787a18b76eb97ba03d38584735fe6d4563cb56e184717b8083272a86

SHA512
98b9224f280a02c64d213995f0d6e33547059bdd1b1083d5c44f555f69160060f276bc69024c8fcd742dbc2e265c578c629468b0226314e457f723df8fb24527

Download Submit
C:\Windows\{436C0720-59B1-48f6-88AB-89DE70B1E1F7}.exe

Filesize
180KB

MD5
9c681a6ae02114f5dbc816e68d251f1c

SHA1
2ef7d47ef4fcddb15245e81725d8c725047843bc

SHA256
87eb896f1418b9d737d8138515f0b36fcb1db7ac3545f10268052d757fa7e257

SHA512
9eee63b6bf24537a5c1f6354af2447a28ca704886c18d62e10c9816619d47605c1ce96c9608ac6b496bfb109cdcf944c54142e8343c645553befdf78d37780c1

Download Submit
C:\Windows\{436C0720-59B1-48f6-88AB-89DE70B1E1F7}.exe

Filesize
180KB

MD5
9c681a6ae02114f5dbc816e68d251f1c

SHA1
2ef7d47ef4fcddb15245e81725d8c725047843bc

SHA256
87eb896f1418b9d737d8138515f0b36fcb1db7ac3545f10268052d757fa7e257

SHA512
9eee63b6bf24537a5c1f6354af2447a28ca704886c18d62e10c9816619d47605c1ce96c9608ac6b496bfb109cdcf944c54142e8343c645553befdf78d37780c1

Download Submit
C:\Windows\{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe

Filesize
180KB

MD5
e0c15cf2a3575716057aeee5f1efb6ab

SHA1
f4c7c0f9f6c19ff20e6f98d70af8036b1e0c1d5e

SHA256
1b65b21240b809f01c6044c160358687310c8f9a80ea9b8b069d565a0635c8fa

SHA512
f0b42bbb8879fac3e3597c3eadb9cd49db0cd709e39e19a2fdbddc186cf7687e643f68219d0a1c04044e3f7f848e2ff47c79d879f6b1525d773a1e60b6cbd8e8

Download Submit
C:\Windows\{5A3D68FC-03AA-4116-BD74-2F951FCAFFBF}.exe

Filesize
180KB

MD5
e0c15cf2a3575716057aeee5f1efb6ab

SHA1
f4c7c0f9f6c19ff20e6f98d70af8036b1e0c1d5e

SHA256
1b65b21240b809f01c6044c160358687310c8f9a80ea9b8b069d565a0635c8fa

SHA512
f0b42bbb8879fac3e3597c3eadb9cd49db0cd709e39e19a2fdbddc186cf7687e643f68219d0a1c04044e3f7f848e2ff47c79d879f6b1525d773a1e60b6cbd8e8

Download Submit
C:\Windows\{956B6BA5-49E3-43b7-970A-2421C930026C}.exe

Filesize
180KB

MD5
2cafcb0a1afedf6593f85eeb0d402351

SHA1
2c8ca2c4135eea236b4f7fd176326a3055d7c93d

SHA256
07857aebc6186703cfb9f96a8478c51aff6d9e403f53ed8c5f29c41f035812f2

SHA512
ed6db72c7e9c1dcf6b55a69383f6e636da88ea86813f2d9abc4e84abc9247a8a97df5fb8162f853ef5e81c94c92c07c0371dff8e98e45524fe826eeeaa620e0f

Download Submit
C:\Windows\{956B6BA5-49E3-43b7-970A-2421C930026C}.exe

Filesize
180KB

MD5
2cafcb0a1afedf6593f85eeb0d402351

SHA1
2c8ca2c4135eea236b4f7fd176326a3055d7c93d

SHA256
07857aebc6186703cfb9f96a8478c51aff6d9e403f53ed8c5f29c41f035812f2

SHA512
ed6db72c7e9c1dcf6b55a69383f6e636da88ea86813f2d9abc4e84abc9247a8a97df5fb8162f853ef5e81c94c92c07c0371dff8e98e45524fe826eeeaa620e0f

Download Submit
C:\Windows\{956B6BA5-49E3-43b7-970A-2421C930026C}.exe

Filesize
180KB

MD5
2cafcb0a1afedf6593f85eeb0d402351

SHA1
2c8ca2c4135eea236b4f7fd176326a3055d7c93d

SHA256
07857aebc6186703cfb9f96a8478c51aff6d9e403f53ed8c5f29c41f035812f2

SHA512
ed6db72c7e9c1dcf6b55a69383f6e636da88ea86813f2d9abc4e84abc9247a8a97df5fb8162f853ef5e81c94c92c07c0371dff8e98e45524fe826eeeaa620e0f

Download Submit
C:\Windows\{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe

Filesize
180KB

MD5
556fa1835cbe824b8fb32e3ff85a1d36

SHA1
09d023b33852fe06c75a6836b15fb574f4ef1dee

SHA256
356d3c37577d0d282a4c50cc0ef6a492df65ce4a6b5e5ba516345689f83ca0e7

SHA512
a0e42ac9089a4cade7d721ebb75a8944ae5c9a5dfd7badfbe719d5009f20df33ab0db44100a05bac850e7169fe123078f30dec860f7594592c49a96c2018f2f2

Download Submit
C:\Windows\{97406356-14E2-4e8e-8FD2-E821C69FA8E0}.exe

Filesize
180KB

MD5
556fa1835cbe824b8fb32e3ff85a1d36

SHA1
09d023b33852fe06c75a6836b15fb574f4ef1dee

SHA256
356d3c37577d0d282a4c50cc0ef6a492df65ce4a6b5e5ba516345689f83ca0e7

SHA512
a0e42ac9089a4cade7d721ebb75a8944ae5c9a5dfd7badfbe719d5009f20df33ab0db44100a05bac850e7169fe123078f30dec860f7594592c49a96c2018f2f2

Download Submit
C:\Windows\{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe

Filesize
180KB

MD5
f577aa1779aeadd83990268b0cdf4e4b

SHA1
aa6a9cb0d3399f9f7ce63427e5dd2fe3ce67e43a

SHA256
c99ec5c16b9024304ba6dfccb480fafe6d83563b1bf4851a67517a4771bf57f2

SHA512
f684712224f2a240a5d4b1426b96ce4cffbd21de19c25b1b71d8a2e787d4e96f2ffc7f2a3358263dd819904092ef55ab5dd2a8af070e40dd41b7b2bcb7cfb44d

Download Submit
C:\Windows\{97D9942B-65E1-4006-9B99-8A6498069AC0}.exe

Filesize
180KB

MD5
f577aa1779aeadd83990268b0cdf4e4b

SHA1
aa6a9cb0d3399f9f7ce63427e5dd2fe3ce67e43a

SHA256
c99ec5c16b9024304ba6dfccb480fafe6d83563b1bf4851a67517a4771bf57f2

SHA512
f684712224f2a240a5d4b1426b96ce4cffbd21de19c25b1b71d8a2e787d4e96f2ffc7f2a3358263dd819904092ef55ab5dd2a8af070e40dd41b7b2bcb7cfb44d

Download Submit
C:\Windows\{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe

Filesize
180KB

MD5
3399d76ccfb080532a303f9478bf9d0a

SHA1
384f5f3dba2f854b4a069ff6fc3854642050f698

SHA256
26cc3ba64ef2092e3f28261cc6cc770236cc16c9a5a9af3d4e4b85c700c878e8

SHA512
8c530a430613accdc539b3dbff04d25880db7a2d5374d4f28fd318f8aef7d23562fedf11a13c807e22a4f9b28e97911b8306cf4fe1e60ef99dbd32beefaef9fb

Download Submit
C:\Windows\{AE1EFD4F-546D-4f37-B6BF-630DD28EDB39}.exe

Filesize
180KB

MD5
3399d76ccfb080532a303f9478bf9d0a

SHA1
384f5f3dba2f854b4a069ff6fc3854642050f698

SHA256
26cc3ba64ef2092e3f28261cc6cc770236cc16c9a5a9af3d4e4b85c700c878e8

SHA512
8c530a430613accdc539b3dbff04d25880db7a2d5374d4f28fd318f8aef7d23562fedf11a13c807e22a4f9b28e97911b8306cf4fe1e60ef99dbd32beefaef9fb

Download Submit
C:\Windows\{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe

Filesize
180KB

MD5
e737f47d731831022a9e4c7f02835f05

SHA1
b4a69b881ef519dd0db4568150e2c316b8128e5f

SHA256
c8688e033983f4e6692dc74a30df3e1083d750dbe12c99d479e1ef3b0cfdbd34

SHA512
910eef8e52e3699804783ce864f5baac12d71738362c5d84f18192cb23c9e882480a9b023a363c4ab4f782c8a12e50891989b48e7b0df791aec437030b6e4949

Download Submit
C:\Windows\{AE65889A-FBBB-40b6-A53C-50EE8D39C3A7}.exe

Filesize
180KB

MD5
e737f47d731831022a9e4c7f02835f05

SHA1
b4a69b881ef519dd0db4568150e2c316b8128e5f

SHA256
c8688e033983f4e6692dc74a30df3e1083d750dbe12c99d479e1ef3b0cfdbd34

SHA512
910eef8e52e3699804783ce864f5baac12d71738362c5d84f18192cb23c9e882480a9b023a363c4ab4f782c8a12e50891989b48e7b0df791aec437030b6e4949

Download Submit
C:\Windows\{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe

Filesize
180KB

MD5
f2a20afd7893adfb0abd9544a41f86ac

SHA1
ec3dd0f64e85b640f79436a4223ef1dc401ec525

SHA256
578c24b16273eca62ca7f83576fda1351cbebb00064e343b180a0a94d24536dd

SHA512
687530eaf82bdc4dea6c2c8f58f44badd09cc73b6f5e1dfae28e49e5b53b61cc33150bf718e24f11fa0e2d8f24334d2a6fa7e543f6de8d04ebaf7d9cf3425f20

Download Submit
C:\Windows\{C0753B23-249A-42ed-8CD8-4F6F5674C13E}.exe

Filesize
180KB

MD5
f2a20afd7893adfb0abd9544a41f86ac

SHA1
ec3dd0f64e85b640f79436a4223ef1dc401ec525

SHA256
578c24b16273eca62ca7f83576fda1351cbebb00064e343b180a0a94d24536dd

SHA512
687530eaf82bdc4dea6c2c8f58f44badd09cc73b6f5e1dfae28e49e5b53b61cc33150bf718e24f11fa0e2d8f24334d2a6fa7e543f6de8d04ebaf7d9cf3425f20

Download Submit
C:\Windows\{D87DAA74-B172-43a5-A87C-032ECC83159C}.exe

Filesize
180KB

MD5
b6dbf8fb390a853b5dfa2ec54f14b356

SHA1
83d9b8890a440fbb4a46d93a94c4b1cee40078e3

SHA256
21df14d32efd6004dcb5d8ba2270156f1c9aa6bfe7ee140537b081fa9190efa8

SHA512
3fdfbeff56a126f71c40bb4ca90cc3cf0aaf7493334e4219faeded564b1f4d23fdd59493d8a57bd9210e82bac7f2e4d2320429d9cdbd61da8666a84ede42ab41

Download Submit
C:\Windows\{D87DAA74-B172-43a5-A87C-032ECC83159C}.exe

Filesize
180KB

MD5
b6dbf8fb390a853b5dfa2ec54f14b356

SHA1
83d9b8890a440fbb4a46d93a94c4b1cee40078e3

SHA256
21df14d32efd6004dcb5d8ba2270156f1c9aa6bfe7ee140537b081fa9190efa8

SHA512
3fdfbeff56a126f71c40bb4ca90cc3cf0aaf7493334e4219faeded564b1f4d23fdd59493d8a57bd9210e82bac7f2e4d2320429d9cdbd61da8666a84ede42ab41

Download Submit
C:\Windows\{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe

Filesize
180KB

MD5
4c811deced65a2ac754c5ecd48c51762

SHA1
7cdfa6a345ed9dde50f778f61f8799a9490073ff

SHA256
86d571d67ef76d88959d3db72d92d57058d4f7dbc082ff0d6af3ca1d5590ea94

SHA512
90ac66f518f1291b9a5c3bff834fd65ae4a370cc6046eadbc47655bdeaa583344fe7e49129ea8611dd8f80b25b4237519176841ecff60b305749c111ea641f02

Download Submit
C:\Windows\{D92F72A1-41B6-4c83-8EBF-040D469851F5}.exe

Filesize
180KB

MD5
4c811deced65a2ac754c5ecd48c51762

SHA1
7cdfa6a345ed9dde50f778f61f8799a9490073ff

SHA256
86d571d67ef76d88959d3db72d92d57058d4f7dbc082ff0d6af3ca1d5590ea94

SHA512
90ac66f518f1291b9a5c3bff834fd65ae4a370cc6046eadbc47655bdeaa583344fe7e49129ea8611dd8f80b25b4237519176841ecff60b305749c111ea641f02

Download Submit
C:\Windows\{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe

Filesize
180KB

MD5
5d517d34309ba12439917a789b24c405

SHA1
2eade4337ceddba22fdc3ba24e3d014a5de2d6ca

SHA256
47390855a1c4be84e244ae63fbcd5e265ac681eef6a0f20522ff3333b0a4d0d9

SHA512
47489624690b8a91ebae021f43c4f65890738e2085c9125059dc355c1b6bcdf4e68ae6ac2345407fd639b36196b39607c9978064e3ec79c78eb09825e130af63

Download Submit
C:\Windows\{EE407F5E-1455-4dd8-8809-4F062621BAE0}.exe

Filesize
180KB

MD5
5d517d34309ba12439917a789b24c405

SHA1
2eade4337ceddba22fdc3ba24e3d014a5de2d6ca

SHA256
47390855a1c4be84e244ae63fbcd5e265ac681eef6a0f20522ff3333b0a4d0d9

SHA512
47489624690b8a91ebae021f43c4f65890738e2085c9125059dc355c1b6bcdf4e68ae6ac2345407fd639b36196b39607c9978064e3ec79c78eb09825e130af63

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads