8358c4a24f0b425a072ce11bf35fc889883c16b473c15b7be71e6c845c565fb4

Analysis

max time kernel
163s
max time network
143s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.43d5685492a8c509696202b97ac36ad0.exe
Size

344KB
MD5

43d5685492a8c509696202b97ac36ad0
SHA1

36e0cd82c7ed05b0361bc9e2188272a6f0a98cdb
SHA256

8358c4a24f0b425a072ce11bf35fc889883c16b473c15b7be71e6c845c565fb4
SHA512

f57601cb06e0d76c59240f2f8625ee15d25b25b68e341116074361b8b60e1b8ac5fbfaa356d6989feee294cea510341add42e7193530757c1517d422db80fb34
SSDEEP

3072:mEGh0oklEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGGlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6894F365-4DAF-4cf0-8E41-B2681DC6F823}	{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}\stubpath = "C:\\Windows\\{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe"	{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}	{27E0E652-230B-4815-9621-71CF0447BC3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}\stubpath = "C:\\Windows\\{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe"	{27E0E652-230B-4815-9621-71CF0447BC3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}	{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}	{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FE5215C-00E6-496d-B6A6-B344D4AE91E8}\stubpath = "C:\\Windows\\{4FE5215C-00E6-496d-B6A6-B344D4AE91E8}.exe"	{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A950F64-DDD7-4137-AA0F-FCFADC6E5BDD}\stubpath = "C:\\Windows\\{9A950F64-DDD7-4137-AA0F-FCFADC6E5BDD}.exe"	{4FE5215C-00E6-496d-B6A6-B344D4AE91E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8238851-EB19-4270-8221-9F7EE3C3C06E}\stubpath = "C:\\Windows\\{A8238851-EB19-4270-8221-9F7EE3C3C06E}.exe"	{9A950F64-DDD7-4137-AA0F-FCFADC6E5BDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}	{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6894F365-4DAF-4cf0-8E41-B2681DC6F823}\stubpath = "C:\\Windows\\{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe"	{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27E0E652-230B-4815-9621-71CF0447BC3B}\stubpath = "C:\\Windows\\{27E0E652-230B-4815-9621-71CF0447BC3B}.exe"	{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}\stubpath = "C:\\Windows\\{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe"	{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}\stubpath = "C:\\Windows\\{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe"	{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A950F64-DDD7-4137-AA0F-FCFADC6E5BDD}	{4FE5215C-00E6-496d-B6A6-B344D4AE91E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5899C592-8E65-4615-AE72-3C306C34BCBF}	NEAS.43d5685492a8c509696202b97ac36ad0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5899C592-8E65-4615-AE72-3C306C34BCBF}\stubpath = "C:\\Windows\\{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe"	NEAS.43d5685492a8c509696202b97ac36ad0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8238851-EB19-4270-8221-9F7EE3C3C06E}	{9A950F64-DDD7-4137-AA0F-FCFADC6E5BDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27E0E652-230B-4815-9621-71CF0447BC3B}	{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FE5215C-00E6-496d-B6A6-B344D4AE91E8}	{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe

Deletes itself 1 IoCs

pid	Process
1980	cmd.exe

Executes dropped EXE 10 IoCs

pid	Process
2584	{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe
2560	{27E0E652-230B-4815-9621-71CF0447BC3B}.exe
2464	{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe
2472	{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe
2484	{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe
756	{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe
832	{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe
624	{4FE5215C-00E6-496d-B6A6-B344D4AE91E8}.exe
2740	{9A950F64-DDD7-4137-AA0F-FCFADC6E5BDD}.exe
3028	{A8238851-EB19-4270-8221-9F7EE3C3C06E}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe	{27E0E652-230B-4815-9621-71CF0447BC3B}.exe
File created	C:\Windows\{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe	{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe
File created	C:\Windows\{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe	{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe
File created	C:\Windows\{4FE5215C-00E6-496d-B6A6-B344D4AE91E8}.exe	{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe
File created	C:\Windows\{A8238851-EB19-4270-8221-9F7EE3C3C06E}.exe	{9A950F64-DDD7-4137-AA0F-FCFADC6E5BDD}.exe
File created	C:\Windows\{27E0E652-230B-4815-9621-71CF0447BC3B}.exe	{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe
File created	C:\Windows\{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe	{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe
File created	C:\Windows\{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe	{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe
File created	C:\Windows\{9A950F64-DDD7-4137-AA0F-FCFADC6E5BDD}.exe	{4FE5215C-00E6-496d-B6A6-B344D4AE91E8}.exe
File created	C:\Windows\{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe	NEAS.43d5685492a8c509696202b97ac36ad0.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1740	NEAS.43d5685492a8c509696202b97ac36ad0.exe
Token: SeIncBasePriorityPrivilege	2584	{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe
Token: SeIncBasePriorityPrivilege	2560	{27E0E652-230B-4815-9621-71CF0447BC3B}.exe
Token: SeIncBasePriorityPrivilege	2464	{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe
Token: SeIncBasePriorityPrivilege	2472	{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe
Token: SeIncBasePriorityPrivilege	2484	{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe
Token: SeIncBasePriorityPrivilege	756	{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe
Token: SeIncBasePriorityPrivilege	832	{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe
Token: SeIncBasePriorityPrivilege	624	{4FE5215C-00E6-496d-B6A6-B344D4AE91E8}.exe
Token: SeIncBasePriorityPrivilege	2740	{9A950F64-DDD7-4137-AA0F-FCFADC6E5BDD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2584	1740	NEAS.43d5685492a8c509696202b97ac36ad0.exe	29
PID 1740 wrote to memory of 2584	1740	NEAS.43d5685492a8c509696202b97ac36ad0.exe	29
PID 1740 wrote to memory of 2584	1740	NEAS.43d5685492a8c509696202b97ac36ad0.exe	29
PID 1740 wrote to memory of 2584	1740	NEAS.43d5685492a8c509696202b97ac36ad0.exe	29
PID 1740 wrote to memory of 1980	1740	NEAS.43d5685492a8c509696202b97ac36ad0.exe	30
PID 1740 wrote to memory of 1980	1740	NEAS.43d5685492a8c509696202b97ac36ad0.exe	30
PID 1740 wrote to memory of 1980	1740	NEAS.43d5685492a8c509696202b97ac36ad0.exe	30
PID 1740 wrote to memory of 1980	1740	NEAS.43d5685492a8c509696202b97ac36ad0.exe	30
PID 2584 wrote to memory of 2560	2584	{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe	31
PID 2584 wrote to memory of 2560	2584	{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe	31
PID 2584 wrote to memory of 2560	2584	{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe	31
PID 2584 wrote to memory of 2560	2584	{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe	31
PID 2584 wrote to memory of 2468	2584	{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe	32
PID 2584 wrote to memory of 2468	2584	{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe	32
PID 2584 wrote to memory of 2468	2584	{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe	32
PID 2584 wrote to memory of 2468	2584	{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe	32
PID 2560 wrote to memory of 2464	2560	{27E0E652-230B-4815-9621-71CF0447BC3B}.exe	34
PID 2560 wrote to memory of 2464	2560	{27E0E652-230B-4815-9621-71CF0447BC3B}.exe	34
PID 2560 wrote to memory of 2464	2560	{27E0E652-230B-4815-9621-71CF0447BC3B}.exe	34
PID 2560 wrote to memory of 2464	2560	{27E0E652-230B-4815-9621-71CF0447BC3B}.exe	34
PID 2560 wrote to memory of 2556	2560	{27E0E652-230B-4815-9621-71CF0447BC3B}.exe	33
PID 2560 wrote to memory of 2556	2560	{27E0E652-230B-4815-9621-71CF0447BC3B}.exe	33
PID 2560 wrote to memory of 2556	2560	{27E0E652-230B-4815-9621-71CF0447BC3B}.exe	33
PID 2560 wrote to memory of 2556	2560	{27E0E652-230B-4815-9621-71CF0447BC3B}.exe	33
PID 2464 wrote to memory of 2472	2464	{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe	36
PID 2464 wrote to memory of 2472	2464	{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe	36
PID 2464 wrote to memory of 2472	2464	{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe	36
PID 2464 wrote to memory of 2472	2464	{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe	36
PID 2464 wrote to memory of 2564	2464	{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe	35
PID 2464 wrote to memory of 2564	2464	{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe	35
PID 2464 wrote to memory of 2564	2464	{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe	35
PID 2464 wrote to memory of 2564	2464	{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe	35
PID 2472 wrote to memory of 2484	2472	{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe	38
PID 2472 wrote to memory of 2484	2472	{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe	38
PID 2472 wrote to memory of 2484	2472	{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe	38
PID 2472 wrote to memory of 2484	2472	{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe	38
PID 2472 wrote to memory of 1156	2472	{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe	37
PID 2472 wrote to memory of 1156	2472	{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe	37
PID 2472 wrote to memory of 1156	2472	{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe	37
PID 2472 wrote to memory of 1156	2472	{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe	37
PID 2484 wrote to memory of 756	2484	{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe	39
PID 2484 wrote to memory of 756	2484	{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe	39
PID 2484 wrote to memory of 756	2484	{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe	39
PID 2484 wrote to memory of 756	2484	{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe	39
PID 2484 wrote to memory of 1924	2484	{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe	40
PID 2484 wrote to memory of 1924	2484	{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe	40
PID 2484 wrote to memory of 1924	2484	{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe	40
PID 2484 wrote to memory of 1924	2484	{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe	40
PID 756 wrote to memory of 832	756	{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe	42
PID 756 wrote to memory of 832	756	{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe	42
PID 756 wrote to memory of 832	756	{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe	42
PID 756 wrote to memory of 832	756	{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe	42
PID 756 wrote to memory of 1536	756	{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe	41
PID 756 wrote to memory of 1536	756	{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe	41
PID 756 wrote to memory of 1536	756	{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe	41
PID 756 wrote to memory of 1536	756	{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe	41
PID 832 wrote to memory of 624	832	{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe	44
PID 832 wrote to memory of 624	832	{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe	44
PID 832 wrote to memory of 624	832	{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe	44
PID 832 wrote to memory of 624	832	{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe	44
PID 832 wrote to memory of 1308	832	{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe	43
PID 832 wrote to memory of 1308	832	{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe	43
PID 832 wrote to memory of 1308	832	{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe	43
PID 832 wrote to memory of 1308	832	{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe	43

C:\Users\Admin\AppData\Local\Temp\NEAS.43d5685492a8c509696202b97ac36ad0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.43d5685492a8c509696202b97ac36ad0.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe
  C:\Windows\{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\{27E0E652-230B-4815-9621-71CF0447BC3B}.exe
    C:\Windows\{27E0E652-230B-4815-9621-71CF0447BC3B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{27E0E~1.EXE > nul
      4⤵
      PID:2556
  - - C:\Windows\{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe
      C:\Windows\{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BE77~1.EXE > nul
        5⤵
        
        PID:2564
    - - C:\Windows\{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe
        
        C:\Windows\{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA6E0~1.EXE > nul
        6⤵
        
        PID:1156
      - C:\Windows\{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe
        
        C:\Windows\{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe
        
        C:\Windows\{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFB7B~1.EXE > nul
        8⤵
        
        PID:1536
        
        C:\Windows\{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe
        
        C:\Windows\{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D22E1~1.EXE > nul
        9⤵
        
        PID:1308
        
        C:\Windows\{4FE5215C-00E6-496d-B6A6-B344D4AE91E8}.exe
        
        C:\Windows\{4FE5215C-00E6-496d-B6A6-B344D4AE91E8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FE52~1.EXE > nul
        10⤵
        
        PID:2772
        
        C:\Windows\{9A950F64-DDD7-4137-AA0F-FCFADC6E5BDD}.exe
        
        C:\Windows\{9A950F64-DDD7-4137-AA0F-FCFADC6E5BDD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A950~1.EXE > nul
        11⤵
        
        PID:1856
        
        C:\Windows\{A8238851-EB19-4270-8221-9F7EE3C3C06E}.exe
        
        C:\Windows\{A8238851-EB19-4270-8221-9F7EE3C3C06E}.exe
        11⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6894F~1.EXE > nul
        7⤵
        
        PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5899C~1.EXE > nul
    3⤵
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS43~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{27E0E652-230B-4815-9621-71CF0447BC3B}.exe

Filesize
344KB

MD5
e7fda18fe9e5b7d960b06cfc3aed1e2d

SHA1
65db762a04b0708b21ad4fdb339ca7fe5cb7d9a0

SHA256
e9d2e09dc45da34fa28cca660ab2d349d6cef4bf790b64e078db8bb1ffee78d4

SHA512
2580fa9edaeba2591fd06c4abf0ba5ade00d6c77175c04141f2be376b13a0dbbf7a115b3a78a5c48ed99472763f67b132b360e37abff280724b568e59ff5e6e7

Download Submit
C:\Windows\{27E0E652-230B-4815-9621-71CF0447BC3B}.exe

Filesize
344KB

MD5
e7fda18fe9e5b7d960b06cfc3aed1e2d

SHA1
65db762a04b0708b21ad4fdb339ca7fe5cb7d9a0

SHA256
e9d2e09dc45da34fa28cca660ab2d349d6cef4bf790b64e078db8bb1ffee78d4

SHA512
2580fa9edaeba2591fd06c4abf0ba5ade00d6c77175c04141f2be376b13a0dbbf7a115b3a78a5c48ed99472763f67b132b360e37abff280724b568e59ff5e6e7

Download Submit
C:\Windows\{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe

Filesize
344KB

MD5
5686e365851e87019e0a04c3a267af42

SHA1
c6232334b43f17d105ede576e905509d6ce0b6e6

SHA256
e0e3b58bd70d34937f2570bc6e7ef14da9765e8691b903c184c01cc0278a895d

SHA512
4c8021ca1a2a5b5e39de4ee8e8987c525bc506b7ba00c2b18f5f55eed937f6e261920039035af9a4df0cddc03ed23c9b0c8b3914218daddde01ff8a76f1aa544

Download Submit
C:\Windows\{2BE77AEA-BF10-4e4c-A100-88FD5E315E8C}.exe

Filesize
344KB

MD5
5686e365851e87019e0a04c3a267af42

SHA1
c6232334b43f17d105ede576e905509d6ce0b6e6

SHA256
e0e3b58bd70d34937f2570bc6e7ef14da9765e8691b903c184c01cc0278a895d

SHA512
4c8021ca1a2a5b5e39de4ee8e8987c525bc506b7ba00c2b18f5f55eed937f6e261920039035af9a4df0cddc03ed23c9b0c8b3914218daddde01ff8a76f1aa544

Download Submit
C:\Windows\{4FE5215C-00E6-496d-B6A6-B344D4AE91E8}.exe

Filesize
344KB

MD5
ba658050fe3e6b202d9315687897e238

SHA1
290e9a222b1e9582902a16fda6e71ef6ac3cc3cc

SHA256
5bf7a8c43f5be85a1705b06eaf662777e98c85655369cf6a5738001dc643b0ef

SHA512
60b1e8947d24bf28aee9585b461c28efdacd15b580b53c71ea352a5425235e9292240708865b1d9c4879653fb52582c29b56dca2b4bec79c3d164bce7a4c68cd

Download Submit
C:\Windows\{4FE5215C-00E6-496d-B6A6-B344D4AE91E8}.exe

Filesize
344KB

MD5
ba658050fe3e6b202d9315687897e238

SHA1
290e9a222b1e9582902a16fda6e71ef6ac3cc3cc

SHA256
5bf7a8c43f5be85a1705b06eaf662777e98c85655369cf6a5738001dc643b0ef

SHA512
60b1e8947d24bf28aee9585b461c28efdacd15b580b53c71ea352a5425235e9292240708865b1d9c4879653fb52582c29b56dca2b4bec79c3d164bce7a4c68cd

Download Submit
C:\Windows\{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe

Filesize
344KB

MD5
a9ba2ac0f831277f68eace3e5826c9a0

SHA1
50a0a99010fbabd52491b91519bd478accf659e4

SHA256
9e7a2b17911c47bddba1e0e5a3ad3d01638476b0568558b7c201a747b9d58fb0

SHA512
e9eeae2cf4f657d46f7f7baedb3363e8bf40337ecbda321cdae78f872face49fb15fd7dc4bb7ec4a0ab24677583ff355e7303545018cb38865fcc825c058beed

Download Submit
C:\Windows\{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe

Filesize
344KB

MD5
a9ba2ac0f831277f68eace3e5826c9a0

SHA1
50a0a99010fbabd52491b91519bd478accf659e4

SHA256
9e7a2b17911c47bddba1e0e5a3ad3d01638476b0568558b7c201a747b9d58fb0

SHA512
e9eeae2cf4f657d46f7f7baedb3363e8bf40337ecbda321cdae78f872face49fb15fd7dc4bb7ec4a0ab24677583ff355e7303545018cb38865fcc825c058beed

Download Submit
C:\Windows\{5899C592-8E65-4615-AE72-3C306C34BCBF}.exe

Filesize
344KB

MD5
a9ba2ac0f831277f68eace3e5826c9a0

SHA1
50a0a99010fbabd52491b91519bd478accf659e4

SHA256
9e7a2b17911c47bddba1e0e5a3ad3d01638476b0568558b7c201a747b9d58fb0

SHA512
e9eeae2cf4f657d46f7f7baedb3363e8bf40337ecbda321cdae78f872face49fb15fd7dc4bb7ec4a0ab24677583ff355e7303545018cb38865fcc825c058beed

Download Submit
C:\Windows\{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe

Filesize
344KB

MD5
00a5886077459e2cc22f91a663b952f0

SHA1
bf3be8a27439507ee49e2126d19da9ef6322d05e

SHA256
8d1210b661293e51bda42a4a07a9e813910fffd8617dd8dc01596ab9623ad545

SHA512
eb70a5ce3ffc1b0329f81d49840ff429d97619ce22f4c413a0348bdc8b5329207aba023f92391752218e96157e5d8ec565341922724271bbbe613dc0b0cc0de0

Download Submit
C:\Windows\{6894F365-4DAF-4cf0-8E41-B2681DC6F823}.exe

Filesize
344KB

MD5
00a5886077459e2cc22f91a663b952f0

SHA1
bf3be8a27439507ee49e2126d19da9ef6322d05e

SHA256
8d1210b661293e51bda42a4a07a9e813910fffd8617dd8dc01596ab9623ad545

SHA512
eb70a5ce3ffc1b0329f81d49840ff429d97619ce22f4c413a0348bdc8b5329207aba023f92391752218e96157e5d8ec565341922724271bbbe613dc0b0cc0de0

Download Submit
C:\Windows\{9A950F64-DDD7-4137-AA0F-FCFADC6E5BDD}.exe

Filesize
344KB

MD5
6344c6ad3886da439ba4114e941039bf

SHA1
76a71131f984d261eb0bb6881d3c4df2d0926f5d

SHA256
554a048223f349befafeb365654a96c68ccade417503b4702bb6e7f57da4154f

SHA512
03fdd7f0de8435a4c91effc5334ae18d0b7f2f1486d484ed078e86e6726751862f7b55d1c45eb96eb966462b7a26c0b15fe003d61b43b1db4c987e3454e22b4a

Download Submit
C:\Windows\{9A950F64-DDD7-4137-AA0F-FCFADC6E5BDD}.exe

Filesize
344KB

MD5
6344c6ad3886da439ba4114e941039bf

SHA1
76a71131f984d261eb0bb6881d3c4df2d0926f5d

SHA256
554a048223f349befafeb365654a96c68ccade417503b4702bb6e7f57da4154f

SHA512
03fdd7f0de8435a4c91effc5334ae18d0b7f2f1486d484ed078e86e6726751862f7b55d1c45eb96eb966462b7a26c0b15fe003d61b43b1db4c987e3454e22b4a

Download Submit
C:\Windows\{A8238851-EB19-4270-8221-9F7EE3C3C06E}.exe

Filesize
344KB

MD5
732dae4457eed23af281547d682843bc

SHA1
2be55d733d0aac569155042df9b4970ff88875fe

SHA256
bbdf78717db78b6b03dc21ec08a1aeee3b4f1a701a2ed516588e98a653b7b20e

SHA512
5c0b5cfe3d6e0bf53017b17b87caaa17216da91e1baa8c6f377756a748ab2a38b034916787715c58ed248274e50f408b4cc8b564beebdf78f4991536d864674f

Download Submit
C:\Windows\{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe

Filesize
344KB

MD5
b7748156be4a211659f5f488e515d71a

SHA1
a3a35ab496c2be50315fa78803bd2a818ecbfba1

SHA256
ab5446993a5c955169bfd3143502a27e74727277673a449df992a3763f8ce5e8

SHA512
65ebdf7cfe7ddf00ea56968e08d27b47639ddc65e43d0cf645f4c07e4a66084365748a6eb6c9d02451752cab1408c244865a6e5f4a4efdc12e8747a6cd6d3cb2

Download Submit
C:\Windows\{D22E14FF-39AF-4774-BF43-F4EC9B8C7A75}.exe

Filesize
344KB

MD5
b7748156be4a211659f5f488e515d71a

SHA1
a3a35ab496c2be50315fa78803bd2a818ecbfba1

SHA256
ab5446993a5c955169bfd3143502a27e74727277673a449df992a3763f8ce5e8

SHA512
65ebdf7cfe7ddf00ea56968e08d27b47639ddc65e43d0cf645f4c07e4a66084365748a6eb6c9d02451752cab1408c244865a6e5f4a4efdc12e8747a6cd6d3cb2

Download Submit
C:\Windows\{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe

Filesize
344KB

MD5
c3f2aa3c1e3a3de5b9a8d42968ed192f

SHA1
91dfcc2f305091f5a39ea9a4775f5fd19e9e700f

SHA256
2752dd950c4c059d4e4ff543838a768aa7d0fe030947155fd14d15cb084b434a

SHA512
e6b8285ef3b4f24b40081522796e7d026e64a9328e14f480eac5c328ba344986d970a65d1653d5bd3352184a64e0c456e689a78dd6e8f5823ab6ac9cf9902601

Download Submit
C:\Windows\{EFB7B2B9-D2CA-457f-804B-D38FF17358D6}.exe

Filesize
344KB

MD5
c3f2aa3c1e3a3de5b9a8d42968ed192f

SHA1
91dfcc2f305091f5a39ea9a4775f5fd19e9e700f

SHA256
2752dd950c4c059d4e4ff543838a768aa7d0fe030947155fd14d15cb084b434a

SHA512
e6b8285ef3b4f24b40081522796e7d026e64a9328e14f480eac5c328ba344986d970a65d1653d5bd3352184a64e0c456e689a78dd6e8f5823ab6ac9cf9902601

Download Submit
C:\Windows\{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe

Filesize
344KB

MD5
b89167a4c5a1e72793ea808455e89bc1

SHA1
9f8ed53891c2337245c807951d10a72345c1d7e3

SHA256
8488955360bd6fc4c3994bb35e9efe027a4c04c4e33cee41e56443ecf0c1adfd

SHA512
fc98345a0530870093dc04512fc5565de17b3ff71f0ebf11619a9950664f61df200f384ad1168caeab28644643e65697bf0d5f6ba3c7e9e0b602c40f4251b778

Download Submit
C:\Windows\{FA6E0C4B-9107-4898-9AB1-28153FACDEDA}.exe

Filesize
344KB

MD5
b89167a4c5a1e72793ea808455e89bc1

SHA1
9f8ed53891c2337245c807951d10a72345c1d7e3

SHA256
8488955360bd6fc4c3994bb35e9efe027a4c04c4e33cee41e56443ecf0c1adfd

SHA512
fc98345a0530870093dc04512fc5565de17b3ff71f0ebf11619a9950664f61df200f384ad1168caeab28644643e65697bf0d5f6ba3c7e9e0b602c40f4251b778

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads