8358c4a24f0b425a072ce11bf35fc889883c16b473c15b7be71e6c845c565fb4

Analysis

max time kernel
155s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.43d5685492a8c509696202b97ac36ad0.exe
Size

344KB
MD5

43d5685492a8c509696202b97ac36ad0
SHA1

36e0cd82c7ed05b0361bc9e2188272a6f0a98cdb
SHA256

8358c4a24f0b425a072ce11bf35fc889883c16b473c15b7be71e6c845c565fb4
SHA512

f57601cb06e0d76c59240f2f8625ee15d25b25b68e341116074361b8b60e1b8ac5fbfaa356d6989feee294cea510341add42e7193530757c1517d422db80fb34
SSDEEP

3072:mEGh0oklEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGGlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}\stubpath = "C:\\Windows\\{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe"	{8146C200-A667-4510-8516-C895869D6973}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{554B39AA-CC3E-45b4-AD56-099A79008EC1}	{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}\stubpath = "C:\\Windows\\{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe"	{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8146C200-A667-4510-8516-C895869D6973}	{74700201-58C3-438f-AA75-44F67767C8B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}	{8146C200-A667-4510-8516-C895869D6973}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74700201-58C3-438f-AA75-44F67767C8B3}	{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74700201-58C3-438f-AA75-44F67767C8B3}\stubpath = "C:\\Windows\\{74700201-58C3-438f-AA75-44F67767C8B3}.exe"	{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5E37A04-ED9F-479f-AD9A-B04BDD969DFF}	{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}	NEAS.43d5685492a8c509696202b97ac36ad0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}	{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}\stubpath = "C:\\Windows\\{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe"	{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}	{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}	{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5E37A04-ED9F-479f-AD9A-B04BDD969DFF}\stubpath = "C:\\Windows\\{C5E37A04-ED9F-479f-AD9A-B04BDD969DFF}.exe"	{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}\stubpath = "C:\\Windows\\{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe"	{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8146C200-A667-4510-8516-C895869D6973}\stubpath = "C:\\Windows\\{8146C200-A667-4510-8516-C895869D6973}.exe"	{74700201-58C3-438f-AA75-44F67767C8B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}\stubpath = "C:\\Windows\\{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe"	NEAS.43d5685492a8c509696202b97ac36ad0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{554B39AA-CC3E-45b4-AD56-099A79008EC1}\stubpath = "C:\\Windows\\{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe"	{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}	{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}\stubpath = "C:\\Windows\\{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe"	{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe

Executes dropped EXE 10 IoCs

pid	Process
3332	{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe
952	{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe
3936	{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe
4940	{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe
3464	{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe
2320	{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe
4848	{74700201-58C3-438f-AA75-44F67767C8B3}.exe
2160	{8146C200-A667-4510-8516-C895869D6973}.exe
2576	{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe
4888	{C5E37A04-ED9F-479f-AD9A-B04BDD969DFF}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe	{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe
File created	C:\Windows\{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe	{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe
File created	C:\Windows\{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe	{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe
File created	C:\Windows\{8146C200-A667-4510-8516-C895869D6973}.exe	{74700201-58C3-438f-AA75-44F67767C8B3}.exe
File created	C:\Windows\{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe	{8146C200-A667-4510-8516-C895869D6973}.exe
File created	C:\Windows\{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe	NEAS.43d5685492a8c509696202b97ac36ad0.exe
File created	C:\Windows\{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe	{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe
File created	C:\Windows\{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe	{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe
File created	C:\Windows\{74700201-58C3-438f-AA75-44F67767C8B3}.exe	{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe
File created	C:\Windows\{C5E37A04-ED9F-479f-AD9A-B04BDD969DFF}.exe	{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4624	NEAS.43d5685492a8c509696202b97ac36ad0.exe
Token: SeIncBasePriorityPrivilege	3332	{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe
Token: SeIncBasePriorityPrivilege	952	{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe
Token: SeIncBasePriorityPrivilege	3936	{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe
Token: SeIncBasePriorityPrivilege	4940	{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe
Token: SeIncBasePriorityPrivilege	3464	{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe
Token: SeIncBasePriorityPrivilege	2320	{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe
Token: SeIncBasePriorityPrivilege	4848	{74700201-58C3-438f-AA75-44F67767C8B3}.exe
Token: SeIncBasePriorityPrivilege	2160	{8146C200-A667-4510-8516-C895869D6973}.exe
Token: SeIncBasePriorityPrivilege	2576	{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 3332	4624	NEAS.43d5685492a8c509696202b97ac36ad0.exe	95
PID 4624 wrote to memory of 3332	4624	NEAS.43d5685492a8c509696202b97ac36ad0.exe	95
PID 4624 wrote to memory of 3332	4624	NEAS.43d5685492a8c509696202b97ac36ad0.exe	95
PID 4624 wrote to memory of 5108	4624	NEAS.43d5685492a8c509696202b97ac36ad0.exe	96
PID 4624 wrote to memory of 5108	4624	NEAS.43d5685492a8c509696202b97ac36ad0.exe	96
PID 4624 wrote to memory of 5108	4624	NEAS.43d5685492a8c509696202b97ac36ad0.exe	96
PID 3332 wrote to memory of 952	3332	{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe	100
PID 3332 wrote to memory of 952	3332	{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe	100
PID 3332 wrote to memory of 952	3332	{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe	100
PID 3332 wrote to memory of 2528	3332	{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe	101
PID 3332 wrote to memory of 2528	3332	{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe	101
PID 3332 wrote to memory of 2528	3332	{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe	101
PID 952 wrote to memory of 3936	952	{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe	104
PID 952 wrote to memory of 3936	952	{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe	104
PID 952 wrote to memory of 3936	952	{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe	104
PID 952 wrote to memory of 5012	952	{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe	103
PID 952 wrote to memory of 5012	952	{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe	103
PID 952 wrote to memory of 5012	952	{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe	103
PID 3936 wrote to memory of 4940	3936	{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe	106
PID 3936 wrote to memory of 4940	3936	{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe	106
PID 3936 wrote to memory of 4940	3936	{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe	106
PID 3936 wrote to memory of 2876	3936	{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe	107
PID 3936 wrote to memory of 2876	3936	{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe	107
PID 3936 wrote to memory of 2876	3936	{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe	107
PID 4940 wrote to memory of 3464	4940	{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe	108
PID 4940 wrote to memory of 3464	4940	{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe	108
PID 4940 wrote to memory of 3464	4940	{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe	108
PID 4940 wrote to memory of 5104	4940	{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe	109
PID 4940 wrote to memory of 5104	4940	{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe	109
PID 4940 wrote to memory of 5104	4940	{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe	109
PID 3464 wrote to memory of 2320	3464	{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe	110
PID 3464 wrote to memory of 2320	3464	{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe	110
PID 3464 wrote to memory of 2320	3464	{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe	110
PID 3464 wrote to memory of 1372	3464	{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe	111
PID 3464 wrote to memory of 1372	3464	{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe	111
PID 3464 wrote to memory of 1372	3464	{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe	111
PID 2320 wrote to memory of 4848	2320	{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe	112
PID 2320 wrote to memory of 4848	2320	{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe	112
PID 2320 wrote to memory of 4848	2320	{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe	112
PID 2320 wrote to memory of 1428	2320	{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe	113
PID 2320 wrote to memory of 1428	2320	{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe	113
PID 2320 wrote to memory of 1428	2320	{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe	113
PID 4848 wrote to memory of 2160	4848	{74700201-58C3-438f-AA75-44F67767C8B3}.exe	114
PID 4848 wrote to memory of 2160	4848	{74700201-58C3-438f-AA75-44F67767C8B3}.exe	114
PID 4848 wrote to memory of 2160	4848	{74700201-58C3-438f-AA75-44F67767C8B3}.exe	114
PID 4848 wrote to memory of 4168	4848	{74700201-58C3-438f-AA75-44F67767C8B3}.exe	115
PID 4848 wrote to memory of 4168	4848	{74700201-58C3-438f-AA75-44F67767C8B3}.exe	115
PID 4848 wrote to memory of 4168	4848	{74700201-58C3-438f-AA75-44F67767C8B3}.exe	115
PID 2160 wrote to memory of 2576	2160	{8146C200-A667-4510-8516-C895869D6973}.exe	116
PID 2160 wrote to memory of 2576	2160	{8146C200-A667-4510-8516-C895869D6973}.exe	116
PID 2160 wrote to memory of 2576	2160	{8146C200-A667-4510-8516-C895869D6973}.exe	116
PID 2160 wrote to memory of 4236	2160	{8146C200-A667-4510-8516-C895869D6973}.exe	117
PID 2160 wrote to memory of 4236	2160	{8146C200-A667-4510-8516-C895869D6973}.exe	117
PID 2160 wrote to memory of 4236	2160	{8146C200-A667-4510-8516-C895869D6973}.exe	117
PID 2576 wrote to memory of 4888	2576	{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe	120
PID 2576 wrote to memory of 4888	2576	{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe	120
PID 2576 wrote to memory of 4888	2576	{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe	120
PID 2576 wrote to memory of 5012	2576	{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe	121
PID 2576 wrote to memory of 5012	2576	{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe	121
PID 2576 wrote to memory of 5012	2576	{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe	121

C:\Users\Admin\AppData\Local\Temp\NEAS.43d5685492a8c509696202b97ac36ad0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.43d5685492a8c509696202b97ac36ad0.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Windows\{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe
  C:\Windows\{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe
    C:\Windows\{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{554B3~1.EXE > nul
      4⤵
      PID:5012
  - - C:\Windows\{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe
      C:\Windows\{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Windows\{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe
        
        C:\Windows\{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4940
      - C:\Windows\{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe
        
        C:\Windows\{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe
        
        C:\Windows\{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{74700201-58C3-438f-AA75-44F67767C8B3}.exe
        
        C:\Windows\{74700201-58C3-438f-AA75-44F67767C8B3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\{8146C200-A667-4510-8516-C895869D6973}.exe
        
        C:\Windows\{8146C200-A667-4510-8516-C895869D6973}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe
        
        C:\Windows\{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\{C5E37A04-ED9F-479f-AD9A-B04BDD969DFF}.exe
        
        C:\Windows\{C5E37A04-ED9F-479f-AD9A-B04BDD969DFF}.exe
        11⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B1D1~1.EXE > nul
        11⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8146C~1.EXE > nul
        10⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74700~1.EXE > nul
        9⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C193B~1.EXE > nul
        8⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04DE7~1.EXE > nul
        7⤵
        
        PID:1372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA9DD~1.EXE > nul
        6⤵
        
        PID:5104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A0E0~1.EXE > nul
        5⤵
        
        PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A3E1B~1.EXE > nul
    3⤵
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS43~1.EXE > nul
  2⤵
  PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe

Filesize
344KB

MD5
7bc7e386c228686e0a40c94615e3015f

SHA1
9bc7a8fb1ff7c267ab4a9702ea6887a4cd75bcc0

SHA256
4abd475f4d03885435435f3985a1be9d65c7b1dc69373a31c4228026aa8ad1f1

SHA512
d25551c3b9e60a6889c8a1ccb2b16771d3dadd59505806913eec08c9bb6fe959245a919970cf92fb672d1bae84079913a9709eea55ec66ad4dc34fab8ee47c13

Download Submit
C:\Windows\{04DE76CD-4B7B-4e4d-B6A2-FFB599445CA2}.exe

Filesize
344KB

MD5
7bc7e386c228686e0a40c94615e3015f

SHA1
9bc7a8fb1ff7c267ab4a9702ea6887a4cd75bcc0

SHA256
4abd475f4d03885435435f3985a1be9d65c7b1dc69373a31c4228026aa8ad1f1

SHA512
d25551c3b9e60a6889c8a1ccb2b16771d3dadd59505806913eec08c9bb6fe959245a919970cf92fb672d1bae84079913a9709eea55ec66ad4dc34fab8ee47c13

Download Submit
C:\Windows\{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe

Filesize
344KB

MD5
15836755d0b6e3cea63952fcffcd3bd3

SHA1
e350cc556fdf56df208a51c2a38e6b03e1f629fe

SHA256
da0067eb7398f2306200aba6211da288e78099491e700dacfee79a72aebed4be

SHA512
a6b9c01f6f46e782e0eabf68b1af65ec918239b97074d7a7d3774d21f7d1859cb8accb93bebdb647230d17ad6f6badeaa37cb33192073635b4b108ed6de60613

Download Submit
C:\Windows\{4B1D1E6F-11CE-4bfb-996E-735CA4F140EC}.exe

Filesize
344KB

MD5
15836755d0b6e3cea63952fcffcd3bd3

SHA1
e350cc556fdf56df208a51c2a38e6b03e1f629fe

SHA256
da0067eb7398f2306200aba6211da288e78099491e700dacfee79a72aebed4be

SHA512
a6b9c01f6f46e782e0eabf68b1af65ec918239b97074d7a7d3774d21f7d1859cb8accb93bebdb647230d17ad6f6badeaa37cb33192073635b4b108ed6de60613

Download Submit
C:\Windows\{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe

Filesize
344KB

MD5
9692e2b3172b442050df761e83f9e8ac

SHA1
d3be93984e6b36c3aa0fc147c4b0cd97c96acd44

SHA256
818cb7cb29fbceca8193a4cba83fe80d8f8166605d64979ec9bfe2e68ec8d526

SHA512
e05d108654df61b2970287c6d2fc81ded07b46837aba031ef2f998937b95585d8d601624b310974e3d7807a1b325afb1c6f08c2f362af8b620e5af1ffee4428e

Download Submit
C:\Windows\{554B39AA-CC3E-45b4-AD56-099A79008EC1}.exe

Filesize
344KB

MD5
9692e2b3172b442050df761e83f9e8ac

SHA1
d3be93984e6b36c3aa0fc147c4b0cd97c96acd44

SHA256
818cb7cb29fbceca8193a4cba83fe80d8f8166605d64979ec9bfe2e68ec8d526

SHA512
e05d108654df61b2970287c6d2fc81ded07b46837aba031ef2f998937b95585d8d601624b310974e3d7807a1b325afb1c6f08c2f362af8b620e5af1ffee4428e

Download Submit
C:\Windows\{74700201-58C3-438f-AA75-44F67767C8B3}.exe

Filesize
344KB

MD5
08359494b55bfd0ccac0b690dda152d3

SHA1
0438913ddfa1a449ed2e7e70658b9ab0de543093

SHA256
94a09511bb8de9adac6d0bd0178a6b5aedd7b806d6d870741f713c3eb8f3d279

SHA512
a8872877d1c6029b57d1a3a971ad877234690cb36e23b29bc4f92477b068e955e1562096fb92101bd7e9a1a342fefc789ab93d3eb9f04bcfed6e7bfed9e56662

Download Submit
C:\Windows\{74700201-58C3-438f-AA75-44F67767C8B3}.exe

Filesize
344KB

MD5
08359494b55bfd0ccac0b690dda152d3

SHA1
0438913ddfa1a449ed2e7e70658b9ab0de543093

SHA256
94a09511bb8de9adac6d0bd0178a6b5aedd7b806d6d870741f713c3eb8f3d279

SHA512
a8872877d1c6029b57d1a3a971ad877234690cb36e23b29bc4f92477b068e955e1562096fb92101bd7e9a1a342fefc789ab93d3eb9f04bcfed6e7bfed9e56662

Download Submit
C:\Windows\{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe

Filesize
344KB

MD5
8a4ee8e10a5f38d3a2c227809b4e56ad

SHA1
235da107762685db1957a9ad46defc7fe189065d

SHA256
e9dc9ab104e6c9b992efcb1e20d07ec667b6d082b7d423fbf9f4680bbbbb2fb2

SHA512
350a893257012c407f5c5c285dcdc353478f18d8997231d091517c2168d02111a3f09d9a60297252efb0b41a0910e362efa05f37d1bce01380f9f33fe7cf5107

Download Submit
C:\Windows\{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe

Filesize
344KB

MD5
8a4ee8e10a5f38d3a2c227809b4e56ad

SHA1
235da107762685db1957a9ad46defc7fe189065d

SHA256
e9dc9ab104e6c9b992efcb1e20d07ec667b6d082b7d423fbf9f4680bbbbb2fb2

SHA512
350a893257012c407f5c5c285dcdc353478f18d8997231d091517c2168d02111a3f09d9a60297252efb0b41a0910e362efa05f37d1bce01380f9f33fe7cf5107

Download Submit
C:\Windows\{7A0E0BEA-506E-41f6-9E62-A0AAE70D9AE0}.exe

Filesize
344KB

MD5
8a4ee8e10a5f38d3a2c227809b4e56ad

SHA1
235da107762685db1957a9ad46defc7fe189065d

SHA256
e9dc9ab104e6c9b992efcb1e20d07ec667b6d082b7d423fbf9f4680bbbbb2fb2

SHA512
350a893257012c407f5c5c285dcdc353478f18d8997231d091517c2168d02111a3f09d9a60297252efb0b41a0910e362efa05f37d1bce01380f9f33fe7cf5107

Download Submit
C:\Windows\{8146C200-A667-4510-8516-C895869D6973}.exe

Filesize
344KB

MD5
1c94597c1ae01ca6e837cd8aa2776cbf

SHA1
9b73b8cd3b284f7408c9372c4bdc54556b5976a2

SHA256
e816f7fb35f713cbcd3afabf1efe2308b92a9190975d73161e0bed47069f0b44

SHA512
26561e1d6c88b77dca2dee413d383230eddbffb6aeed75063f1daf185c2605d0cef487bc47da236b98a283baeed67d0f039654f67fe2503eeb459301729f962e

Download Submit
C:\Windows\{8146C200-A667-4510-8516-C895869D6973}.exe

Filesize
344KB

MD5
1c94597c1ae01ca6e837cd8aa2776cbf

SHA1
9b73b8cd3b284f7408c9372c4bdc54556b5976a2

SHA256
e816f7fb35f713cbcd3afabf1efe2308b92a9190975d73161e0bed47069f0b44

SHA512
26561e1d6c88b77dca2dee413d383230eddbffb6aeed75063f1daf185c2605d0cef487bc47da236b98a283baeed67d0f039654f67fe2503eeb459301729f962e

Download Submit
C:\Windows\{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe

Filesize
344KB

MD5
6994f29e8ff8fa9d83c209c86c2b8262

SHA1
1dca5bb022e31f065ce01af6a7a3917c8463d897

SHA256
a41dccae1a73b040f07cdb6535a4e2742a8ea319d8c3b235197d1090a627b672

SHA512
12800494c661846ec29b94750a587a3f7a24f462974b2c33d82d6277e520e7c3333e7680b5c2b52d64e6f006cbad6eb94b13435ce6fb482bcaa02fd0ddd7099d

Download Submit
C:\Windows\{A3E1B918-6A46-4d7f-9AD0-21C1A5AB49D1}.exe

Filesize
344KB

MD5
6994f29e8ff8fa9d83c209c86c2b8262

SHA1
1dca5bb022e31f065ce01af6a7a3917c8463d897

SHA256
a41dccae1a73b040f07cdb6535a4e2742a8ea319d8c3b235197d1090a627b672

SHA512
12800494c661846ec29b94750a587a3f7a24f462974b2c33d82d6277e520e7c3333e7680b5c2b52d64e6f006cbad6eb94b13435ce6fb482bcaa02fd0ddd7099d

Download Submit
C:\Windows\{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe

Filesize
344KB

MD5
1283b62e1e254fdc45e9625d13de11fb

SHA1
508bb43800ce4ecbf08c2761f53c71a012e810ea

SHA256
6b4686ababf479a3eb963874e917f79cf49a0d7ea2a5402e8c4f173bbfad0f14

SHA512
cfa11060a32f31db687b303b91ce8be90ffc688aab3d98cb83a9faa3c8c9b034ee740a85fb1a06b024d1b5f6999fce6b7097daa157c09455ccfb78875ca97c88

Download Submit
C:\Windows\{BA9DDD67-3892-4bd9-9451-0A5C8CF0D6A6}.exe

Filesize
344KB

MD5
1283b62e1e254fdc45e9625d13de11fb

SHA1
508bb43800ce4ecbf08c2761f53c71a012e810ea

SHA256
6b4686ababf479a3eb963874e917f79cf49a0d7ea2a5402e8c4f173bbfad0f14

SHA512
cfa11060a32f31db687b303b91ce8be90ffc688aab3d98cb83a9faa3c8c9b034ee740a85fb1a06b024d1b5f6999fce6b7097daa157c09455ccfb78875ca97c88

Download Submit
C:\Windows\{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe

Filesize
344KB

MD5
ce523a4f713efd874191cc18648b8a1d

SHA1
ba65e80a7578d925f1dfa7e74e5f1a2dc485ec8a

SHA256
f0214090f42afaceff3ab3ac7ba1cfc71b3350a90df7c0907fcf4ee4b0bd9b3a

SHA512
5ccfa860417998fed0e181f3ac568926cdca838468bdfee53274926d069348f12a7c9a757ba2aa1eb4e1516164c3342f35ffd7d5ca96ed91b591dc8cb5580c24

Download Submit
C:\Windows\{C193BB87-2EB2-4e8b-99DD-4BD4EF15E65E}.exe

Filesize
344KB

MD5
ce523a4f713efd874191cc18648b8a1d

SHA1
ba65e80a7578d925f1dfa7e74e5f1a2dc485ec8a

SHA256
f0214090f42afaceff3ab3ac7ba1cfc71b3350a90df7c0907fcf4ee4b0bd9b3a

SHA512
5ccfa860417998fed0e181f3ac568926cdca838468bdfee53274926d069348f12a7c9a757ba2aa1eb4e1516164c3342f35ffd7d5ca96ed91b591dc8cb5580c24

Download Submit
C:\Windows\{C5E37A04-ED9F-479f-AD9A-B04BDD969DFF}.exe

Filesize
344KB

MD5
0a3dad3a4359a50256f1ff456236dbe0

SHA1
df1083fa0bfc989cc4241c9d81bbeccf8fb1a48c

SHA256
16e25dcdf9732cc2dc68fe07cf61691d5c3ac59055032df2add7f44b17f6fb75

SHA512
ef5f5b76e4505f8ea06b3101abe2abe76d0960871c56d7e5f48014ae93f8f4d93fc024a0148936638765fb8cdd7a1257a3a391bbd5e16f1740f4bbc11b6d1847

Download Submit
C:\Windows\{C5E37A04-ED9F-479f-AD9A-B04BDD969DFF}.exe

Filesize
344KB

MD5
0a3dad3a4359a50256f1ff456236dbe0

SHA1
df1083fa0bfc989cc4241c9d81bbeccf8fb1a48c

SHA256
16e25dcdf9732cc2dc68fe07cf61691d5c3ac59055032df2add7f44b17f6fb75

SHA512
ef5f5b76e4505f8ea06b3101abe2abe76d0960871c56d7e5f48014ae93f8f4d93fc024a0148936638765fb8cdd7a1257a3a391bbd5e16f1740f4bbc11b6d1847

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads