97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07/10/2023, 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe
Size

408KB
MD5

f8c137fe47235171dba91a3b43a6c703
SHA1

4a867ff97f12a69de0a910a804b09eaf0f399b7e
SHA256

97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a
SHA512

1798c1693ff97f234121bb2277943f1bfe7a7038215e7962798db30709923f66fd1bd68eb8b72a14a50f93aa01f6304047135919501c826f201ff2757c7c0696
SSDEEP

3072:CEGh0o2l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGcldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}\stubpath = "C:\\Windows\\{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe"	{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}\stubpath = "C:\\Windows\\{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe"	{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F58441D-A29A-46e8-9E42-309D080020C1}	{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F58441D-A29A-46e8-9E42-309D080020C1}\stubpath = "C:\\Windows\\{9F58441D-A29A-46e8-9E42-309D080020C1}.exe"	{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}\stubpath = "C:\\Windows\\{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe"	{9F58441D-A29A-46e8-9E42-309D080020C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}	{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}	{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35CC5227-F121-4cbd-9F4A-BF41811A74C9}	{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{125D6D25-8A01-43cf-B095-722EE284DB39}\stubpath = "C:\\Windows\\{125D6D25-8A01-43cf-B095-722EE284DB39}.exe"	{4623E9BC-4A1B-4dde-98CA-6EE3F3F0BC24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{892CF624-FBCC-4243-BBA5-8C82B5A84B51}	{125D6D25-8A01-43cf-B095-722EE284DB39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}	{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}	{9F58441D-A29A-46e8-9E42-309D080020C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}\stubpath = "C:\\Windows\\{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe"	{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35CC5227-F121-4cbd-9F4A-BF41811A74C9}\stubpath = "C:\\Windows\\{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe"	{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4623E9BC-4A1B-4dde-98CA-6EE3F3F0BC24}\stubpath = "C:\\Windows\\{4623E9BC-4A1B-4dde-98CA-6EE3F3F0BC24}.exe"	{F067DCE7-0618-4e44-A972-F892BAF7E9CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{125D6D25-8A01-43cf-B095-722EE284DB39}	{4623E9BC-4A1B-4dde-98CA-6EE3F3F0BC24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{892CF624-FBCC-4243-BBA5-8C82B5A84B51}\stubpath = "C:\\Windows\\{892CF624-FBCC-4243-BBA5-8C82B5A84B51}.exe"	{125D6D25-8A01-43cf-B095-722EE284DB39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCF614E9-24D0-4508-AA6B-705C71A689B0}	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F067DCE7-0618-4e44-A972-F892BAF7E9CC}	{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F067DCE7-0618-4e44-A972-F892BAF7E9CC}\stubpath = "C:\\Windows\\{F067DCE7-0618-4e44-A972-F892BAF7E9CC}.exe"	{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4623E9BC-4A1B-4dde-98CA-6EE3F3F0BC24}	{F067DCE7-0618-4e44-A972-F892BAF7E9CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCF614E9-24D0-4508-AA6B-705C71A689B0}\stubpath = "C:\\Windows\\{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe"	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe

Deletes itself 1 IoCs

pid	Process
2448	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1744	{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe
2676	{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe
1988	{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe
2288	{9F58441D-A29A-46e8-9E42-309D080020C1}.exe
3020	{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe
2540	{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe
2568	{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe
2072	{F067DCE7-0618-4e44-A972-F892BAF7E9CC}.exe
2776	{4623E9BC-4A1B-4dde-98CA-6EE3F3F0BC24}.exe
1492	{125D6D25-8A01-43cf-B095-722EE284DB39}.exe
1672	{892CF624-FBCC-4243-BBA5-8C82B5A84B51}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe	{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe
File created	C:\Windows\{9F58441D-A29A-46e8-9E42-309D080020C1}.exe	{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe
File created	C:\Windows\{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe	{9F58441D-A29A-46e8-9E42-309D080020C1}.exe
File created	C:\Windows\{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe	{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe
File created	C:\Windows\{4623E9BC-4A1B-4dde-98CA-6EE3F3F0BC24}.exe	{F067DCE7-0618-4e44-A972-F892BAF7E9CC}.exe
File created	C:\Windows\{125D6D25-8A01-43cf-B095-722EE284DB39}.exe	{4623E9BC-4A1B-4dde-98CA-6EE3F3F0BC24}.exe
File created	C:\Windows\{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe
File created	C:\Windows\{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe	{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe
File created	C:\Windows\{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe	{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe
File created	C:\Windows\{F067DCE7-0618-4e44-A972-F892BAF7E9CC}.exe	{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe
File created	C:\Windows\{892CF624-FBCC-4243-BBA5-8C82B5A84B51}.exe	{125D6D25-8A01-43cf-B095-722EE284DB39}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2992	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe
Token: SeIncBasePriorityPrivilege	1744	{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe
Token: SeIncBasePriorityPrivilege	2676	{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe
Token: SeIncBasePriorityPrivilege	1988	{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe
Token: SeIncBasePriorityPrivilege	2288	{9F58441D-A29A-46e8-9E42-309D080020C1}.exe
Token: SeIncBasePriorityPrivilege	3020	{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe
Token: SeIncBasePriorityPrivilege	2540	{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe
Token: SeIncBasePriorityPrivilege	2568	{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe
Token: SeIncBasePriorityPrivilege	2072	{F067DCE7-0618-4e44-A972-F892BAF7E9CC}.exe
Token: SeIncBasePriorityPrivilege	2776	{4623E9BC-4A1B-4dde-98CA-6EE3F3F0BC24}.exe
Token: SeIncBasePriorityPrivilege	1492	{125D6D25-8A01-43cf-B095-722EE284DB39}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 1744	2992	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe	28
PID 2992 wrote to memory of 1744	2992	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe	28
PID 2992 wrote to memory of 1744	2992	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe	28
PID 2992 wrote to memory of 1744	2992	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe	28
PID 2992 wrote to memory of 2448	2992	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe	29
PID 2992 wrote to memory of 2448	2992	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe	29
PID 2992 wrote to memory of 2448	2992	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe	29
PID 2992 wrote to memory of 2448	2992	NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe	29
PID 1744 wrote to memory of 2676	1744	{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe	30
PID 1744 wrote to memory of 2676	1744	{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe	30
PID 1744 wrote to memory of 2676	1744	{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe	30
PID 1744 wrote to memory of 2676	1744	{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe	30
PID 1744 wrote to memory of 2864	1744	{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe	31
PID 1744 wrote to memory of 2864	1744	{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe	31
PID 1744 wrote to memory of 2864	1744	{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe	31
PID 1744 wrote to memory of 2864	1744	{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe	31
PID 2676 wrote to memory of 1988	2676	{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe	32
PID 2676 wrote to memory of 1988	2676	{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe	32
PID 2676 wrote to memory of 1988	2676	{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe	32
PID 2676 wrote to memory of 1988	2676	{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe	32
PID 2676 wrote to memory of 2636	2676	{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe	33
PID 2676 wrote to memory of 2636	2676	{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe	33
PID 2676 wrote to memory of 2636	2676	{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe	33
PID 2676 wrote to memory of 2636	2676	{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe	33
PID 1988 wrote to memory of 2288	1988	{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe	36
PID 1988 wrote to memory of 2288	1988	{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe	36
PID 1988 wrote to memory of 2288	1988	{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe	36
PID 1988 wrote to memory of 2288	1988	{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe	36
PID 1988 wrote to memory of 2744	1988	{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe	37
PID 1988 wrote to memory of 2744	1988	{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe	37
PID 1988 wrote to memory of 2744	1988	{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe	37
PID 1988 wrote to memory of 2744	1988	{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe	37
PID 2288 wrote to memory of 3020	2288	{9F58441D-A29A-46e8-9E42-309D080020C1}.exe	39
PID 2288 wrote to memory of 3020	2288	{9F58441D-A29A-46e8-9E42-309D080020C1}.exe	39
PID 2288 wrote to memory of 3020	2288	{9F58441D-A29A-46e8-9E42-309D080020C1}.exe	39
PID 2288 wrote to memory of 3020	2288	{9F58441D-A29A-46e8-9E42-309D080020C1}.exe	39
PID 2288 wrote to memory of 2724	2288	{9F58441D-A29A-46e8-9E42-309D080020C1}.exe	38
PID 2288 wrote to memory of 2724	2288	{9F58441D-A29A-46e8-9E42-309D080020C1}.exe	38
PID 2288 wrote to memory of 2724	2288	{9F58441D-A29A-46e8-9E42-309D080020C1}.exe	38
PID 2288 wrote to memory of 2724	2288	{9F58441D-A29A-46e8-9E42-309D080020C1}.exe	38
PID 3020 wrote to memory of 2540	3020	{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe	41
PID 3020 wrote to memory of 2540	3020	{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe	41
PID 3020 wrote to memory of 2540	3020	{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe	41
PID 3020 wrote to memory of 2540	3020	{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe	41
PID 3020 wrote to memory of 2488	3020	{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe	40
PID 3020 wrote to memory of 2488	3020	{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe	40
PID 3020 wrote to memory of 2488	3020	{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe	40
PID 3020 wrote to memory of 2488	3020	{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe	40
PID 2540 wrote to memory of 2568	2540	{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe	43
PID 2540 wrote to memory of 2568	2540	{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe	43
PID 2540 wrote to memory of 2568	2540	{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe	43
PID 2540 wrote to memory of 2568	2540	{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe	43
PID 2540 wrote to memory of 3012	2540	{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe	42
PID 2540 wrote to memory of 3012	2540	{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe	42
PID 2540 wrote to memory of 3012	2540	{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe	42
PID 2540 wrote to memory of 3012	2540	{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe	42
PID 2568 wrote to memory of 2072	2568	{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe	45
PID 2568 wrote to memory of 2072	2568	{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe	45
PID 2568 wrote to memory of 2072	2568	{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe	45
PID 2568 wrote to memory of 2072	2568	{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe	45
PID 2568 wrote to memory of 2976	2568	{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe	44
PID 2568 wrote to memory of 2976	2568	{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe	44
PID 2568 wrote to memory of 2976	2568	{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe	44
PID 2568 wrote to memory of 2976	2568	{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe	44

C:\Users\Admin\AppData\Local\Temp\NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.97085ad8394678854e4f62bf4072867dc22225ffb7492522ec53f2cc59a0218a_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe
  C:\Windows\{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe
    C:\Windows\{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe
      C:\Windows\{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\{9F58441D-A29A-46e8-9E42-309D080020C1}.exe
        
        C:\Windows\{9F58441D-A29A-46e8-9E42-309D080020C1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F584~1.EXE > nul
        6⤵
        
        PID:2724
      - C:\Windows\{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe
        
        C:\Windows\{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB21C~1.EXE > nul
        7⤵
        
        PID:2488
        
        C:\Windows\{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe
        
        C:\Windows\{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15829~1.EXE > nul
        8⤵
        
        PID:3012
        
        C:\Windows\{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe
        
        C:\Windows\{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35CC5~1.EXE > nul
        9⤵
        
        PID:2976
        
        C:\Windows\{F067DCE7-0618-4e44-A972-F892BAF7E9CC}.exe
        
        C:\Windows\{F067DCE7-0618-4e44-A972-F892BAF7E9CC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\{4623E9BC-4A1B-4dde-98CA-6EE3F3F0BC24}.exe
        
        C:\Windows\{4623E9BC-4A1B-4dde-98CA-6EE3F3F0BC24}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\{125D6D25-8A01-43cf-B095-722EE284DB39}.exe
        
        C:\Windows\{125D6D25-8A01-43cf-B095-722EE284DB39}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\{892CF624-FBCC-4243-BBA5-8C82B5A84B51}.exe
        
        C:\Windows\{892CF624-FBCC-4243-BBA5-8C82B5A84B51}.exe
        12⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{125D6~1.EXE > nul
        12⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4623E~1.EXE > nul
        11⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F067D~1.EXE > nul
        10⤵
        
        PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7758C~1.EXE > nul
        5⤵
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7800F~1.EXE > nul
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DCF61~1.EXE > nul
    3⤵
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS97~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{125D6D25-8A01-43cf-B095-722EE284DB39}.exe

Filesize
408KB

MD5
370b0aa5210bb99866450b1065f5415a

SHA1
8744203fc9335ab67d2c7570344bcc2c6732ea76

SHA256
e761a82610b1c99409dc7ba77969d42591b4fc6f873aedbf15e2cccc1d3580fe

SHA512
78cb50772385382c8d9280d7f9ad569ed9c7ea9eb8ad2980d152fdcd02726bdfb4c780a4b13377f39434c8a06c4a24fdd93e3e1d04a83987cbb01ef85dd8ac74

Download Submit
C:\Windows\{125D6D25-8A01-43cf-B095-722EE284DB39}.exe

Filesize
408KB

MD5
370b0aa5210bb99866450b1065f5415a

SHA1
8744203fc9335ab67d2c7570344bcc2c6732ea76

SHA256
e761a82610b1c99409dc7ba77969d42591b4fc6f873aedbf15e2cccc1d3580fe

SHA512
78cb50772385382c8d9280d7f9ad569ed9c7ea9eb8ad2980d152fdcd02726bdfb4c780a4b13377f39434c8a06c4a24fdd93e3e1d04a83987cbb01ef85dd8ac74

Download Submit
C:\Windows\{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe

Filesize
408KB

MD5
4f2b7526f0fdcfbc25b07989cda28d6f

SHA1
2a36b9e71114d1c8f50ea8e715adabc1bf58104d

SHA256
3e73c7e2edc723234520151756206fa0b3fc0375f2fdd395babc53f574cc6bd4

SHA512
91994cbfaed7a293a9a0b2559593bd03ce511c4e5ee85a784e2041d7076b95ce095e1ec0883c59e47b3ee07dbdf3cb2fb96dc315645f0ac97ad59378f7bdd303

Download Submit
C:\Windows\{15829618-F2B5-4d3c-AB9E-AB7B231BD38C}.exe

Filesize
408KB

MD5
4f2b7526f0fdcfbc25b07989cda28d6f

SHA1
2a36b9e71114d1c8f50ea8e715adabc1bf58104d

SHA256
3e73c7e2edc723234520151756206fa0b3fc0375f2fdd395babc53f574cc6bd4

SHA512
91994cbfaed7a293a9a0b2559593bd03ce511c4e5ee85a784e2041d7076b95ce095e1ec0883c59e47b3ee07dbdf3cb2fb96dc315645f0ac97ad59378f7bdd303

Download Submit
C:\Windows\{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe

Filesize
408KB

MD5
d8c264291c9e0c3866cc57b596d7bc0f

SHA1
b3688d855aa6beb9cd3bc46c129215095d0f14b5

SHA256
e9c38c04145d5192006805b13a8f741b714f1d7452cef0eb559717eacab9e1a7

SHA512
73b91b6039d0c89b44c7291009faec18e10fc5c0fc2d1dc4bf9dcc6211cd915ba48c45d1294c33aa835592ab7384fbcd02a1e0f518190170443fcb616e0eb889

Download Submit
C:\Windows\{35CC5227-F121-4cbd-9F4A-BF41811A74C9}.exe

Filesize
408KB

MD5
d8c264291c9e0c3866cc57b596d7bc0f

SHA1
b3688d855aa6beb9cd3bc46c129215095d0f14b5

SHA256
e9c38c04145d5192006805b13a8f741b714f1d7452cef0eb559717eacab9e1a7

SHA512
73b91b6039d0c89b44c7291009faec18e10fc5c0fc2d1dc4bf9dcc6211cd915ba48c45d1294c33aa835592ab7384fbcd02a1e0f518190170443fcb616e0eb889

Download Submit
C:\Windows\{4623E9BC-4A1B-4dde-98CA-6EE3F3F0BC24}.exe

Filesize
408KB

MD5
e8944532a13f39c28637205c894e1f23

SHA1
ee2e11b7b16a30491209510e90065963be83f131

SHA256
56fbd476e5f17fbd14efdf6f0e0dd8b40d707baa485ba7397c7bbf2cc437a3a6

SHA512
682646e214b543872084af1978765f8ba4ea6df8e133af343b8f9a802f41aa4f227a114e720c49807abd0ebfb294c1a7c9e61600725432f22d53c924a40f6bfa

Download Submit
C:\Windows\{4623E9BC-4A1B-4dde-98CA-6EE3F3F0BC24}.exe

Filesize
408KB

MD5
e8944532a13f39c28637205c894e1f23

SHA1
ee2e11b7b16a30491209510e90065963be83f131

SHA256
56fbd476e5f17fbd14efdf6f0e0dd8b40d707baa485ba7397c7bbf2cc437a3a6

SHA512
682646e214b543872084af1978765f8ba4ea6df8e133af343b8f9a802f41aa4f227a114e720c49807abd0ebfb294c1a7c9e61600725432f22d53c924a40f6bfa

Download Submit
C:\Windows\{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe

Filesize
408KB

MD5
fbe2629a4ccd56b4da21f395419e9c74

SHA1
c6c4e04521571f5249a1bf9f0a924cdd89c06857

SHA256
18862cf35f2898bdd401ea5d9174fc03193f951e9c6f4f66b2eedbcb3dcd8d02

SHA512
eeeb7cf97e4bbf8f38f7f596336674c46f624398401e327d038e46dada5b7a185e6d4c0e9e7b5b9f4d004ea147019b60267f1924ad3a9c904cc8eedcdf61790f

Download Submit
C:\Windows\{7758CCFC-4C08-4e41-B536-23E36DEDB9B1}.exe

Filesize
408KB

MD5
fbe2629a4ccd56b4da21f395419e9c74

SHA1
c6c4e04521571f5249a1bf9f0a924cdd89c06857

SHA256
18862cf35f2898bdd401ea5d9174fc03193f951e9c6f4f66b2eedbcb3dcd8d02

SHA512
eeeb7cf97e4bbf8f38f7f596336674c46f624398401e327d038e46dada5b7a185e6d4c0e9e7b5b9f4d004ea147019b60267f1924ad3a9c904cc8eedcdf61790f

Download Submit
C:\Windows\{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe

Filesize
408KB

MD5
b9cdd810dfecf3e799fdab27a7c6bc93

SHA1
8041f077450496ed3e69b4ab87414fbb2a99d8b9

SHA256
4ce7e91cb3435bf954187396179d7b9b794316c0fd78e4283708b9e2b599e839

SHA512
e24c1fd7a7cf5baa51d5f9795e64829dd4254ed71b66ba76e26aacfb68f25ee6dad3bfeae7aa903d62fa65ea1e9e3aab385891f93824cea794b541f970ec9ce0

Download Submit
C:\Windows\{7800FFA1-1B45-41b4-AD71-32D5C1DA73AB}.exe

Filesize
408KB

MD5
b9cdd810dfecf3e799fdab27a7c6bc93

SHA1
8041f077450496ed3e69b4ab87414fbb2a99d8b9

SHA256
4ce7e91cb3435bf954187396179d7b9b794316c0fd78e4283708b9e2b599e839

SHA512
e24c1fd7a7cf5baa51d5f9795e64829dd4254ed71b66ba76e26aacfb68f25ee6dad3bfeae7aa903d62fa65ea1e9e3aab385891f93824cea794b541f970ec9ce0

Download Submit
C:\Windows\{892CF624-FBCC-4243-BBA5-8C82B5A84B51}.exe

Filesize
408KB

MD5
da65b64f6f3ef84c778072935a28bec0

SHA1
0570023252b23c8e799d49e49d302ae6daaa3443

SHA256
9ea76ef0ae8384e71be903334ae9dfce68d6f65c0081face42ee20c1f94184d1

SHA512
f43829ed468a004b5b4bee83c5a7e2e3970f400d223cbe93c23255a03b722c7e54086d676dbb2b3dcd6075210accb3afdb0a978579c99a946e52007c38477b60

Download Submit
C:\Windows\{9F58441D-A29A-46e8-9E42-309D080020C1}.exe

Filesize
408KB

MD5
295b2f648705e2cac637df8631608150

SHA1
0460b00113e5e6d4cffddfdd7d2a055c7db642d7

SHA256
9ad60d070c161924c6d9bc0968c5dd83c1f0884a3c7c5ff442843705959d0c0f

SHA512
bd7ba1530db56dcaa91ae788696a0e8161b4319a6fb6bf83b6a32bbdf30dd4a1bc9a5ae5de7eeda02cb3d0ea07811ea58638a6c37ee36cb3490be85097d77792

Download Submit
C:\Windows\{9F58441D-A29A-46e8-9E42-309D080020C1}.exe

Filesize
408KB

MD5
295b2f648705e2cac637df8631608150

SHA1
0460b00113e5e6d4cffddfdd7d2a055c7db642d7

SHA256
9ad60d070c161924c6d9bc0968c5dd83c1f0884a3c7c5ff442843705959d0c0f

SHA512
bd7ba1530db56dcaa91ae788696a0e8161b4319a6fb6bf83b6a32bbdf30dd4a1bc9a5ae5de7eeda02cb3d0ea07811ea58638a6c37ee36cb3490be85097d77792

Download Submit
C:\Windows\{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe

Filesize
408KB

MD5
ee7c711f38629d4d2108425fee2ce74c

SHA1
21e8dd1c88fcede10b454fdaced33e1936accd50

SHA256
4162732dbc2c1539ee0a97f09133a869b1eb5853e5bf797a6c6225569a768d59

SHA512
bd2f5965ad20cbdc8f365a60be95bcba0cbb16f7e7a7ca3f0a7fe26ee5ef4f69635a9779f57519f591f8715678b63c0e3984cc5a3622d7dcc51bdb4350be79f8

Download Submit
C:\Windows\{DB21CC4F-E2D0-465c-9FB3-ECD52F95E3C6}.exe

Filesize
408KB

MD5
ee7c711f38629d4d2108425fee2ce74c

SHA1
21e8dd1c88fcede10b454fdaced33e1936accd50

SHA256
4162732dbc2c1539ee0a97f09133a869b1eb5853e5bf797a6c6225569a768d59

SHA512
bd2f5965ad20cbdc8f365a60be95bcba0cbb16f7e7a7ca3f0a7fe26ee5ef4f69635a9779f57519f591f8715678b63c0e3984cc5a3622d7dcc51bdb4350be79f8

Download Submit
C:\Windows\{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe

Filesize
408KB

MD5
292f649a7d9fc98fccf8f999ca3d9988

SHA1
f1eb495f51266ef8e6190d85578c3c6dc8045340

SHA256
d0e072f3462891b33fb6580f1b6ba85030101de97da44d34beb4b5c909a39a1e

SHA512
4353ab57594e7ddbef09a7746a214c25a38cbc6e43b1e365ed147982de2693b66dbe82deac58a2c220df80989d87a83b6f7a94cb1324058010c04f660d79be9e

Download Submit
C:\Windows\{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe

Filesize
408KB

MD5
292f649a7d9fc98fccf8f999ca3d9988

SHA1
f1eb495f51266ef8e6190d85578c3c6dc8045340

SHA256
d0e072f3462891b33fb6580f1b6ba85030101de97da44d34beb4b5c909a39a1e

SHA512
4353ab57594e7ddbef09a7746a214c25a38cbc6e43b1e365ed147982de2693b66dbe82deac58a2c220df80989d87a83b6f7a94cb1324058010c04f660d79be9e

Download Submit
C:\Windows\{DCF614E9-24D0-4508-AA6B-705C71A689B0}.exe

Filesize
408KB

MD5
292f649a7d9fc98fccf8f999ca3d9988

SHA1
f1eb495f51266ef8e6190d85578c3c6dc8045340

SHA256
d0e072f3462891b33fb6580f1b6ba85030101de97da44d34beb4b5c909a39a1e

SHA512
4353ab57594e7ddbef09a7746a214c25a38cbc6e43b1e365ed147982de2693b66dbe82deac58a2c220df80989d87a83b6f7a94cb1324058010c04f660d79be9e

Download Submit
C:\Windows\{F067DCE7-0618-4e44-A972-F892BAF7E9CC}.exe

Filesize
408KB

MD5
38377dab5abe7ac8c2d74d93f1c8d92e

SHA1
87b774f5daf577a1ae5c8d0f84dd6d8f7cd14b66

SHA256
ddf406880a4a376a531eae8c795e503ec96a3e55fa1fbe48561e1c234f0d6142

SHA512
371c2633d76e511de39df031623eae1a60ddccbacbdd8d8eec88aa620e4e15318c6cfef3b7bb4814c4ff198091328c66ae851de2594fb11f599870321465c9cd

Download Submit
C:\Windows\{F067DCE7-0618-4e44-A972-F892BAF7E9CC}.exe

Filesize
408KB

MD5
38377dab5abe7ac8c2d74d93f1c8d92e

SHA1
87b774f5daf577a1ae5c8d0f84dd6d8f7cd14b66

SHA256
ddf406880a4a376a531eae8c795e503ec96a3e55fa1fbe48561e1c234f0d6142

SHA512
371c2633d76e511de39df031623eae1a60ddccbacbdd8d8eec88aa620e4e15318c6cfef3b7bb4814c4ff198091328c66ae851de2594fb11f599870321465c9cd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads