3f984210fc39997ec5397511b6969cd88551671440ac7a8d366760ae96777607

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.70f15420504504465f5d852870d6bf40.exe
Size

408KB
MD5

70f15420504504465f5d852870d6bf40
SHA1

8a9f395c1ef41a260d8f7dee973a3daf2061833d
SHA256

3f984210fc39997ec5397511b6969cd88551671440ac7a8d366760ae96777607
SHA512

c970c5c7662005f0f9972ade8bcdfafcf94464a2c520ad1a21753389d482a74ff3f58afe311b298e2f64cd5b5c134db8127a23cad7badb872d7635ea9c3e6738
SSDEEP

3072:CEGh0o+l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGsldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6AEC987-111E-4979-A228-2963EE700F83}\stubpath = "C:\\Windows\\{A6AEC987-111E-4979-A228-2963EE700F83}.exe"	{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08184CE9-032F-4669-A032-612382A81B1F}\stubpath = "C:\\Windows\\{08184CE9-032F-4669-A032-612382A81B1F}.exe"	{4C785171-53A9-4235-B0BD-23172374A1B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}\stubpath = "C:\\Windows\\{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe"	{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}	{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}\stubpath = "C:\\Windows\\{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe"	{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEA1061E-BA52-4332-8F68-58BA263E74C9}	{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C785171-53A9-4235-B0BD-23172374A1B6}	{A6AEC987-111E-4979-A228-2963EE700F83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C785171-53A9-4235-B0BD-23172374A1B6}\stubpath = "C:\\Windows\\{4C785171-53A9-4235-B0BD-23172374A1B6}.exe"	{A6AEC987-111E-4979-A228-2963EE700F83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08184CE9-032F-4669-A032-612382A81B1F}	{4C785171-53A9-4235-B0BD-23172374A1B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B1D55EE-4F08-48d1-B1CF-165630CCA674}\stubpath = "C:\\Windows\\{4B1D55EE-4F08-48d1-B1CF-165630CCA674}.exe"	{08184CE9-032F-4669-A032-612382A81B1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}\stubpath = "C:\\Windows\\{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe"	NEAS.70f15420504504465f5d852870d6bf40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B80ABA2-F491-4003-8966-377C0EAABCD4}	{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B80ABA2-F491-4003-8966-377C0EAABCD4}\stubpath = "C:\\Windows\\{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe"	{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6AEC987-111E-4979-A228-2963EE700F83}	{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AB07F6B-98B8-4708-B843-925FB34D8A67}	{4B1D55EE-4F08-48d1-B1CF-165630CCA674}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AB07F6B-98B8-4708-B843-925FB34D8A67}\stubpath = "C:\\Windows\\{5AB07F6B-98B8-4708-B843-925FB34D8A67}.exe"	{4B1D55EE-4F08-48d1-B1CF-165630CCA674}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}	{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}\stubpath = "C:\\Windows\\{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe"	{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{302BD31C-874E-4c51-BD2E-92E9ADEAE427}\stubpath = "C:\\Windows\\{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe"	{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEA1061E-BA52-4332-8F68-58BA263E74C9}\stubpath = "C:\\Windows\\{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe"	{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}	NEAS.70f15420504504465f5d852870d6bf40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}	{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{302BD31C-874E-4c51-BD2E-92E9ADEAE427}	{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B1D55EE-4F08-48d1-B1CF-165630CCA674}	{08184CE9-032F-4669-A032-612382A81B1F}.exe

Deletes itself 1 IoCs

pid	Process
2016	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2676	{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe
2340	{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe
3008	{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe
2480	{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe
2556	{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe
2960	{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe
620	{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe
1420	{A6AEC987-111E-4979-A228-2963EE700F83}.exe
2940	{4C785171-53A9-4235-B0BD-23172374A1B6}.exe
2916	{08184CE9-032F-4669-A032-612382A81B1F}.exe
2328	{4B1D55EE-4F08-48d1-B1CF-165630CCA674}.exe
2400	{5AB07F6B-98B8-4708-B843-925FB34D8A67}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A6AEC987-111E-4979-A228-2963EE700F83}.exe	{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe
File created	C:\Windows\{4C785171-53A9-4235-B0BD-23172374A1B6}.exe	{A6AEC987-111E-4979-A228-2963EE700F83}.exe
File created	C:\Windows\{4B1D55EE-4F08-48d1-B1CF-165630CCA674}.exe	{08184CE9-032F-4669-A032-612382A81B1F}.exe
File created	C:\Windows\{5AB07F6B-98B8-4708-B843-925FB34D8A67}.exe	{4B1D55EE-4F08-48d1-B1CF-165630CCA674}.exe
File created	C:\Windows\{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe	NEAS.70f15420504504465f5d852870d6bf40.exe
File created	C:\Windows\{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe	{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe
File created	C:\Windows\{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe	{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe
File created	C:\Windows\{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe	{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe
File created	C:\Windows\{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe	{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe
File created	C:\Windows\{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe	{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe
File created	C:\Windows\{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe	{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe
File created	C:\Windows\{08184CE9-032F-4669-A032-612382A81B1F}.exe	{4C785171-53A9-4235-B0BD-23172374A1B6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2240	NEAS.70f15420504504465f5d852870d6bf40.exe
Token: SeIncBasePriorityPrivilege	2676	{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe
Token: SeIncBasePriorityPrivilege	2340	{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe
Token: SeIncBasePriorityPrivilege	3008	{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe
Token: SeIncBasePriorityPrivilege	2480	{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe
Token: SeIncBasePriorityPrivilege	2556	{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe
Token: SeIncBasePriorityPrivilege	2960	{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe
Token: SeIncBasePriorityPrivilege	620	{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe
Token: SeIncBasePriorityPrivilege	1420	{A6AEC987-111E-4979-A228-2963EE700F83}.exe
Token: SeIncBasePriorityPrivilege	2940	{4C785171-53A9-4235-B0BD-23172374A1B6}.exe
Token: SeIncBasePriorityPrivilege	2916	{08184CE9-032F-4669-A032-612382A81B1F}.exe
Token: SeIncBasePriorityPrivilege	2328	{4B1D55EE-4F08-48d1-B1CF-165630CCA674}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2676	2240	NEAS.70f15420504504465f5d852870d6bf40.exe	28
PID 2240 wrote to memory of 2676	2240	NEAS.70f15420504504465f5d852870d6bf40.exe	28
PID 2240 wrote to memory of 2676	2240	NEAS.70f15420504504465f5d852870d6bf40.exe	28
PID 2240 wrote to memory of 2676	2240	NEAS.70f15420504504465f5d852870d6bf40.exe	28
PID 2240 wrote to memory of 2016	2240	NEAS.70f15420504504465f5d852870d6bf40.exe	29
PID 2240 wrote to memory of 2016	2240	NEAS.70f15420504504465f5d852870d6bf40.exe	29
PID 2240 wrote to memory of 2016	2240	NEAS.70f15420504504465f5d852870d6bf40.exe	29
PID 2240 wrote to memory of 2016	2240	NEAS.70f15420504504465f5d852870d6bf40.exe	29
PID 2676 wrote to memory of 2340	2676	{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe	32
PID 2676 wrote to memory of 2340	2676	{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe	32
PID 2676 wrote to memory of 2340	2676	{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe	32
PID 2676 wrote to memory of 2340	2676	{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe	32
PID 2676 wrote to memory of 2772	2676	{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe	33
PID 2676 wrote to memory of 2772	2676	{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe	33
PID 2676 wrote to memory of 2772	2676	{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe	33
PID 2676 wrote to memory of 2772	2676	{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe	33
PID 2340 wrote to memory of 3008	2340	{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe	34
PID 2340 wrote to memory of 3008	2340	{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe	34
PID 2340 wrote to memory of 3008	2340	{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe	34
PID 2340 wrote to memory of 3008	2340	{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe	34
PID 2340 wrote to memory of 2648	2340	{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe	35
PID 2340 wrote to memory of 2648	2340	{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe	35
PID 2340 wrote to memory of 2648	2340	{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe	35
PID 2340 wrote to memory of 2648	2340	{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe	35
PID 3008 wrote to memory of 2480	3008	{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe	36
PID 3008 wrote to memory of 2480	3008	{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe	36
PID 3008 wrote to memory of 2480	3008	{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe	36
PID 3008 wrote to memory of 2480	3008	{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe	36
PID 3008 wrote to memory of 2524	3008	{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe	37
PID 3008 wrote to memory of 2524	3008	{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe	37
PID 3008 wrote to memory of 2524	3008	{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe	37
PID 3008 wrote to memory of 2524	3008	{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe	37
PID 2480 wrote to memory of 2556	2480	{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe	38
PID 2480 wrote to memory of 2556	2480	{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe	38
PID 2480 wrote to memory of 2556	2480	{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe	38
PID 2480 wrote to memory of 2556	2480	{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe	38
PID 2480 wrote to memory of 2948	2480	{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe	39
PID 2480 wrote to memory of 2948	2480	{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe	39
PID 2480 wrote to memory of 2948	2480	{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe	39
PID 2480 wrote to memory of 2948	2480	{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe	39
PID 2556 wrote to memory of 2960	2556	{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe	41
PID 2556 wrote to memory of 2960	2556	{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe	41
PID 2556 wrote to memory of 2960	2556	{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe	41
PID 2556 wrote to memory of 2960	2556	{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe	41
PID 2556 wrote to memory of 468	2556	{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe	40
PID 2556 wrote to memory of 468	2556	{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe	40
PID 2556 wrote to memory of 468	2556	{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe	40
PID 2556 wrote to memory of 468	2556	{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe	40
PID 2960 wrote to memory of 620	2960	{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe	42
PID 2960 wrote to memory of 620	2960	{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe	42
PID 2960 wrote to memory of 620	2960	{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe	42
PID 2960 wrote to memory of 620	2960	{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe	42
PID 2960 wrote to memory of 1416	2960	{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe	43
PID 2960 wrote to memory of 1416	2960	{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe	43
PID 2960 wrote to memory of 1416	2960	{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe	43
PID 2960 wrote to memory of 1416	2960	{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe	43
PID 620 wrote to memory of 1420	620	{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe	44
PID 620 wrote to memory of 1420	620	{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe	44
PID 620 wrote to memory of 1420	620	{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe	44
PID 620 wrote to memory of 1420	620	{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe	44
PID 620 wrote to memory of 2768	620	{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe	45
PID 620 wrote to memory of 2768	620	{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe	45
PID 620 wrote to memory of 2768	620	{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe	45
PID 620 wrote to memory of 2768	620	{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.70f15420504504465f5d852870d6bf40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.70f15420504504465f5d852870d6bf40.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe
  C:\Windows\{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe
    C:\Windows\{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe
      C:\Windows\{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe
        
        C:\Windows\{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe
        
        C:\Windows\{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{302BD~1.EXE > nul
        7⤵
        
        PID:468
        
        C:\Windows\{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe
        
        C:\Windows\{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe
        
        C:\Windows\{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\{A6AEC987-111E-4979-A228-2963EE700F83}.exe
        
        C:\Windows\{A6AEC987-111E-4979-A228-2963EE700F83}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\{4C785171-53A9-4235-B0BD-23172374A1B6}.exe
        
        C:\Windows\{4C785171-53A9-4235-B0BD-23172374A1B6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\{08184CE9-032F-4669-A032-612382A81B1F}.exe
        
        C:\Windows\{08184CE9-032F-4669-A032-612382A81B1F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\{4B1D55EE-4F08-48d1-B1CF-165630CCA674}.exe
        
        C:\Windows\{4B1D55EE-4F08-48d1-B1CF-165630CCA674}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B1D5~1.EXE > nul
        13⤵
        
        PID:2248
        
        C:\Windows\{5AB07F6B-98B8-4708-B843-925FB34D8A67}.exe
        
        C:\Windows\{5AB07F6B-98B8-4708-B843-925FB34D8A67}.exe
        13⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08184~1.EXE > nul
        12⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C785~1.EXE > nul
        11⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6AEC~1.EXE > nul
        10⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEA10~1.EXE > nul
        9⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B5A0~1.EXE > nul
        8⤵
        
        PID:1416
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B80A~1.EXE > nul
        6⤵
        
        PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9B0F~1.EXE > nul
        5⤵
        
        PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5F895~1.EXE > nul
      4⤵
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{725B9~1.EXE > nul
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS70~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08184CE9-032F-4669-A032-612382A81B1F}.exe

Filesize
408KB

MD5
87ba29e66307fdeed03a3bb94e21f3e4

SHA1
63ebdf8d2e116db34c5a8dc16b3a09e7431b030d

SHA256
30c98ed606c72e024da86bcbb0e45e120fa45e3db34f12b9eecd434f55969329

SHA512
772135e95d428e458a49e9172bbe97d3481643483742340edbd6e4edaa2644dc9372cfff2b0beee9cd063941a3e57b9b148a6c4da3ac1fd91a7d6a3ffea51b90

Download Submit
C:\Windows\{08184CE9-032F-4669-A032-612382A81B1F}.exe

Filesize
408KB

MD5
87ba29e66307fdeed03a3bb94e21f3e4

SHA1
63ebdf8d2e116db34c5a8dc16b3a09e7431b030d

SHA256
30c98ed606c72e024da86bcbb0e45e120fa45e3db34f12b9eecd434f55969329

SHA512
772135e95d428e458a49e9172bbe97d3481643483742340edbd6e4edaa2644dc9372cfff2b0beee9cd063941a3e57b9b148a6c4da3ac1fd91a7d6a3ffea51b90

Download Submit
C:\Windows\{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe

Filesize
408KB

MD5
5b2a3ab32c9dc7840d3269f84c8edcdc

SHA1
a0999d0dc307c01d5e00e335c0a84361c60ad266

SHA256
ae89bc510afc5893473f9c82e647b462fb5342ffa8001654a584dc307e94eea1

SHA512
21320f779cf44427f9bad181a6d05401da1ed1d4baf61de08327b8b45ca1b7e5c2309051a48b8ba288d2d88235de76f8ece839a5ef221382cd2c890f6d307b0f

Download Submit
C:\Windows\{302BD31C-874E-4c51-BD2E-92E9ADEAE427}.exe

Filesize
408KB

MD5
5b2a3ab32c9dc7840d3269f84c8edcdc

SHA1
a0999d0dc307c01d5e00e335c0a84361c60ad266

SHA256
ae89bc510afc5893473f9c82e647b462fb5342ffa8001654a584dc307e94eea1

SHA512
21320f779cf44427f9bad181a6d05401da1ed1d4baf61de08327b8b45ca1b7e5c2309051a48b8ba288d2d88235de76f8ece839a5ef221382cd2c890f6d307b0f

Download Submit
C:\Windows\{4B1D55EE-4F08-48d1-B1CF-165630CCA674}.exe

Filesize
408KB

MD5
645dc6d0f5bc7c73bd6df10756ae16b7

SHA1
20d0c782fe7cd52d90e561e293ecce7791f0afdf

SHA256
ef8b179c6cae476d4b148b9c2b9f271e4e990b4f2496e77458249df940711454

SHA512
1f00477a654b7dbb66cb48b9dbddbf43e8053526b9c8076b9addb11e5219d39f3a8b73802ac2969a4ab74446514b690cbe3f398b4cbbddea38c26d1849b76447

Download Submit
C:\Windows\{4B1D55EE-4F08-48d1-B1CF-165630CCA674}.exe

Filesize
408KB

MD5
645dc6d0f5bc7c73bd6df10756ae16b7

SHA1
20d0c782fe7cd52d90e561e293ecce7791f0afdf

SHA256
ef8b179c6cae476d4b148b9c2b9f271e4e990b4f2496e77458249df940711454

SHA512
1f00477a654b7dbb66cb48b9dbddbf43e8053526b9c8076b9addb11e5219d39f3a8b73802ac2969a4ab74446514b690cbe3f398b4cbbddea38c26d1849b76447

Download Submit
C:\Windows\{4C785171-53A9-4235-B0BD-23172374A1B6}.exe

Filesize
408KB

MD5
867412b516afbe73c85590d30f9256a9

SHA1
bd9c262b1fbac768e37954101f05e44cbb3a6934

SHA256
2e280dbb184fe4c32f3ceb553972f68a63d2afe756e75311ed37956a3cd7e52e

SHA512
28ce1fac04bcda8fe90e4e865da16828afb404883fa09d26ce0f52ce22a16cce5c19bf734ec360864d73570468e331ced39f41bde8ac6b77b4a2a1e8a3182438

Download Submit
C:\Windows\{4C785171-53A9-4235-B0BD-23172374A1B6}.exe

Filesize
408KB

MD5
867412b516afbe73c85590d30f9256a9

SHA1
bd9c262b1fbac768e37954101f05e44cbb3a6934

SHA256
2e280dbb184fe4c32f3ceb553972f68a63d2afe756e75311ed37956a3cd7e52e

SHA512
28ce1fac04bcda8fe90e4e865da16828afb404883fa09d26ce0f52ce22a16cce5c19bf734ec360864d73570468e331ced39f41bde8ac6b77b4a2a1e8a3182438

Download Submit
C:\Windows\{5AB07F6B-98B8-4708-B843-925FB34D8A67}.exe

Filesize
408KB

MD5
6dc59ae80bd0237d6ce9d709f9d3e501

SHA1
7a7487362758ed6288bef7a70eb782b0830e1362

SHA256
e0f3a6d4e41b656c94e66c9c688ef43a86203e78df52a5bf358d91c0deced18c

SHA512
9d697d80396af486985f8a2e67940a548a909e3a7bb96819b69b7d9229286d09c8435a6f69fed9dfaffa2528044bb0116e0d901c06a69fd5530f37d16f25699e

Download Submit
C:\Windows\{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe

Filesize
408KB

MD5
8b5b4223ef9a16cb87b55302f27b681a

SHA1
99f04ac1d1173ac9624aa63b09de6cec5841696c

SHA256
b5e48b4a0955c8d5ba0e01840143039bf4df5ef975df22eb5d8fd8a4fa419e5a

SHA512
e714797dc3a366b9b1ff4afc3b927917c60a50a38a3c637b7711dde9a42fa52474e35468cf796441b318645577d324d10ad530911e5080edf3de9cff04bfd0b7

Download Submit
C:\Windows\{5B80ABA2-F491-4003-8966-377C0EAABCD4}.exe

Filesize
408KB

MD5
8b5b4223ef9a16cb87b55302f27b681a

SHA1
99f04ac1d1173ac9624aa63b09de6cec5841696c

SHA256
b5e48b4a0955c8d5ba0e01840143039bf4df5ef975df22eb5d8fd8a4fa419e5a

SHA512
e714797dc3a366b9b1ff4afc3b927917c60a50a38a3c637b7711dde9a42fa52474e35468cf796441b318645577d324d10ad530911e5080edf3de9cff04bfd0b7

Download Submit
C:\Windows\{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe

Filesize
408KB

MD5
76d39cbfa0d1d6f809951e495f5ec779

SHA1
b32c141c39107ce84368b026eb7bb2022d995d37

SHA256
4fefe0551104ab2577b694f6cfe5de37168d40aeb545dc05253e359558afba8f

SHA512
a58741222002da949b337e767af5635d96a637986c205a5b8139e663c17cfafe01a345573ebcb6267ccd3bef2db766fc8f4a37c44dd00f4b54ccbd104ee7707b

Download Submit
C:\Windows\{5F895BE6-B0D8-4f78-AEE5-2134F9635D5E}.exe

Filesize
408KB

MD5
76d39cbfa0d1d6f809951e495f5ec779

SHA1
b32c141c39107ce84368b026eb7bb2022d995d37

SHA256
4fefe0551104ab2577b694f6cfe5de37168d40aeb545dc05253e359558afba8f

SHA512
a58741222002da949b337e767af5635d96a637986c205a5b8139e663c17cfafe01a345573ebcb6267ccd3bef2db766fc8f4a37c44dd00f4b54ccbd104ee7707b

Download Submit
C:\Windows\{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe

Filesize
408KB

MD5
0122ab6a58aff503a80497e831e3ed08

SHA1
a91cf92be5c0c6ac7806378712582d82d0f4d218

SHA256
e166e54373371bbf3d0fbe3f53add3efc75c627c678b9d30f47341ae76aa0756

SHA512
d915bdff0df21b59b6b28345a1231e0a9f22abfa5babbe17699783af1452a9ec7c6c6d553997bee77288f7f841a0524026fd8a4308887c3ee8fdbdc82d70a341

Download Submit
C:\Windows\{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe

Filesize
408KB

MD5
0122ab6a58aff503a80497e831e3ed08

SHA1
a91cf92be5c0c6ac7806378712582d82d0f4d218

SHA256
e166e54373371bbf3d0fbe3f53add3efc75c627c678b9d30f47341ae76aa0756

SHA512
d915bdff0df21b59b6b28345a1231e0a9f22abfa5babbe17699783af1452a9ec7c6c6d553997bee77288f7f841a0524026fd8a4308887c3ee8fdbdc82d70a341

Download Submit
C:\Windows\{725B97EC-6CC3-4b57-A4AC-A766CE8749F4}.exe

Filesize
408KB

MD5
0122ab6a58aff503a80497e831e3ed08

SHA1
a91cf92be5c0c6ac7806378712582d82d0f4d218

SHA256
e166e54373371bbf3d0fbe3f53add3efc75c627c678b9d30f47341ae76aa0756

SHA512
d915bdff0df21b59b6b28345a1231e0a9f22abfa5babbe17699783af1452a9ec7c6c6d553997bee77288f7f841a0524026fd8a4308887c3ee8fdbdc82d70a341

Download Submit
C:\Windows\{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe

Filesize
408KB

MD5
666d21253d1e7574859c53c3fa6f6cb3

SHA1
7cb274cd3a99c315b08d30c15c6a149b8072da0c

SHA256
2c2233f50fc45e0727d66382baf987e7f3be3aebe0b0415ca883f938a30cac3a

SHA512
ee1238fa86a4758c8e1620129bce6b4b210e4c6dc71120b4dba294731fc9bf43af41ca4a8c2e5011210a10c74265e7d669574133231ba2484f28c196119ee3bc

Download Submit
C:\Windows\{7B5A0864-617B-4c4d-AD0E-53C920EFF4AA}.exe

Filesize
408KB

MD5
666d21253d1e7574859c53c3fa6f6cb3

SHA1
7cb274cd3a99c315b08d30c15c6a149b8072da0c

SHA256
2c2233f50fc45e0727d66382baf987e7f3be3aebe0b0415ca883f938a30cac3a

SHA512
ee1238fa86a4758c8e1620129bce6b4b210e4c6dc71120b4dba294731fc9bf43af41ca4a8c2e5011210a10c74265e7d669574133231ba2484f28c196119ee3bc

Download Submit
C:\Windows\{A6AEC987-111E-4979-A228-2963EE700F83}.exe

Filesize
408KB

MD5
7ba92c3ba81dff0005ad736a79d7fd2b

SHA1
eb4db2b9d5079971a37d1d5dc0f2b32a132d9cfb

SHA256
fc7f2de0cdc7b31f58feed5b796b78fa8125a5feebce53e9aa3a68960d583f89

SHA512
d554d13d3121d558adbd404a07d70bedc450e883aa333eb6bd2c30c14ceec00982d897e499ba53bb0dd52c7227d8d6da42b0d759b7220c57ce2bc0979f399e51

Download Submit
C:\Windows\{A6AEC987-111E-4979-A228-2963EE700F83}.exe

Filesize
408KB

MD5
7ba92c3ba81dff0005ad736a79d7fd2b

SHA1
eb4db2b9d5079971a37d1d5dc0f2b32a132d9cfb

SHA256
fc7f2de0cdc7b31f58feed5b796b78fa8125a5feebce53e9aa3a68960d583f89

SHA512
d554d13d3121d558adbd404a07d70bedc450e883aa333eb6bd2c30c14ceec00982d897e499ba53bb0dd52c7227d8d6da42b0d759b7220c57ce2bc0979f399e51

Download Submit
C:\Windows\{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe

Filesize
408KB

MD5
ec4215107876fe16a7dc34c4e7791c30

SHA1
1d104fc939bbcb2ce83146ee7f9613377e53455b

SHA256
1970440fd6c33e95163c8dc11870d25897501c954c9b8203e7fa4b6697271233

SHA512
0a3fdff685f6a787157e86abf995691a66716360a05ec380321983c2af92a133bc25f832edbe923a5974d18bcb9c1e7b73f9a513e52dc935c981e72279bb1767

Download Submit
C:\Windows\{E9B0FB4E-49A6-4796-A8BF-D1289C5FAC44}.exe

Filesize
408KB

MD5
ec4215107876fe16a7dc34c4e7791c30

SHA1
1d104fc939bbcb2ce83146ee7f9613377e53455b

SHA256
1970440fd6c33e95163c8dc11870d25897501c954c9b8203e7fa4b6697271233

SHA512
0a3fdff685f6a787157e86abf995691a66716360a05ec380321983c2af92a133bc25f832edbe923a5974d18bcb9c1e7b73f9a513e52dc935c981e72279bb1767

Download Submit
C:\Windows\{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe

Filesize
408KB

MD5
f5cb6b78dcb62832e9732bac43c3d556

SHA1
88e8ad3a2046a8bbb47c983d2a11fa8df67eeeaf

SHA256
4804c5d89c2f452e2aa153a1891ffdc2c2ad067ca7aa272f37f27ef10c72f57b

SHA512
18b201941ff7eb899626d2a75a95dbdcd0ccaf21a26c57006aa308020e34cfecc26afabe72da591fcf971a71de910b274f8432e9c8d582e72e2b6c3a14958edb

Download Submit
C:\Windows\{EEA1061E-BA52-4332-8F68-58BA263E74C9}.exe

Filesize
408KB

MD5
f5cb6b78dcb62832e9732bac43c3d556

SHA1
88e8ad3a2046a8bbb47c983d2a11fa8df67eeeaf

SHA256
4804c5d89c2f452e2aa153a1891ffdc2c2ad067ca7aa272f37f27ef10c72f57b

SHA512
18b201941ff7eb899626d2a75a95dbdcd0ccaf21a26c57006aa308020e34cfecc26afabe72da591fcf971a71de910b274f8432e9c8d582e72e2b6c3a14958edb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads