a20aab8166d583c919b74748c38a61c82ad75f60de0b6e3e30593819722550ab

Analysis

max time kernel
188s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe
Size

118KB
MD5

db07deb0b8521b511b8ac99a449b4dc0
SHA1

f64b4f8311d067cd54b523741718192cee2920e4
SHA256

a20aab8166d583c919b74748c38a61c82ad75f60de0b6e3e30593819722550ab
SHA512

2e4bba01da61670a70b388c30859624dbcba4dac6d670034421437efddbd6d76e3d392e46521bb3973f3f97bda4c7f26ff52033a6220a86bf259b2efde6797ca
SSDEEP

1536:nEGh0ozl2unMxVS3HgdoKjhLJh731xvsr:nEGh0ozlvMUyNjhLJh731xvsr

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8DC96E0-0E18-4333-8BF5-3E6E1C0C5B36}	{4F3E3762-2A70-4f53-B091-B9CE9ADA6798}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49183D9F-3588-4022-AB56-A241B69BB37B}\stubpath = "C:\\Windows\\{49183D9F-3588-4022-AB56-A241B69BB37B}.exe"	{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}\stubpath = "C:\\Windows\\{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe"	{06724576-AB03-457a-886E-C515ACC8031C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}\stubpath = "C:\\Windows\\{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe"	{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B223B397-0CC1-4d05-8E3B-27374CCB95B2}\stubpath = "C:\\Windows\\{B223B397-0CC1-4d05-8E3B-27374CCB95B2}.exe"	{DD27A60F-F031-4279-95B9-A8C3AA62919F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8DC96E0-0E18-4333-8BF5-3E6E1C0C5B36}\stubpath = "C:\\Windows\\{D8DC96E0-0E18-4333-8BF5-3E6E1C0C5B36}.exe"	{4F3E3762-2A70-4f53-B091-B9CE9ADA6798}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}	{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E97D652F-2F08-4613-9108-C98ECCF972D2}	{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD27A60F-F031-4279-95B9-A8C3AA62919F}\stubpath = "C:\\Windows\\{DD27A60F-F031-4279-95B9-A8C3AA62919F}.exe"	{E97D652F-2F08-4613-9108-C98ECCF972D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F3E3762-2A70-4f53-B091-B9CE9ADA6798}\stubpath = "C:\\Windows\\{4F3E3762-2A70-4f53-B091-B9CE9ADA6798}.exe"	{B223B397-0CC1-4d05-8E3B-27374CCB95B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}	{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E97D652F-2F08-4613-9108-C98ECCF972D2}\stubpath = "C:\\Windows\\{E97D652F-2F08-4613-9108-C98ECCF972D2}.exe"	{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD27A60F-F031-4279-95B9-A8C3AA62919F}	{E97D652F-2F08-4613-9108-C98ECCF972D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F3E3762-2A70-4f53-B091-B9CE9ADA6798}	{B223B397-0CC1-4d05-8E3B-27374CCB95B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CE1EDC1-C4B6-4372-8374-B240C744979A}	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49183D9F-3588-4022-AB56-A241B69BB37B}	{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06724576-AB03-457a-886E-C515ACC8031C}	{49183D9F-3588-4022-AB56-A241B69BB37B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}\stubpath = "C:\\Windows\\{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe"	{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}\stubpath = "C:\\Windows\\{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe"	{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B223B397-0CC1-4d05-8E3B-27374CCB95B2}	{DD27A60F-F031-4279-95B9-A8C3AA62919F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CE1EDC1-C4B6-4372-8374-B240C744979A}\stubpath = "C:\\Windows\\{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe"	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06724576-AB03-457a-886E-C515ACC8031C}\stubpath = "C:\\Windows\\{06724576-AB03-457a-886E-C515ACC8031C}.exe"	{49183D9F-3588-4022-AB56-A241B69BB37B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}	{06724576-AB03-457a-886E-C515ACC8031C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}	{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe

Deletes itself 1 IoCs

pid	Process
1908	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2724	{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe
2708	{49183D9F-3588-4022-AB56-A241B69BB37B}.exe
2744	{06724576-AB03-457a-886E-C515ACC8031C}.exe
2524	{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe
1820	{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe
1716	{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe
2968	{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe
3036	{E97D652F-2F08-4613-9108-C98ECCF972D2}.exe
2820	{DD27A60F-F031-4279-95B9-A8C3AA62919F}.exe
2516	{B223B397-0CC1-4d05-8E3B-27374CCB95B2}.exe
1980	{4F3E3762-2A70-4f53-B091-B9CE9ADA6798}.exe
1968	{D8DC96E0-0E18-4333-8BF5-3E6E1C0C5B36}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B223B397-0CC1-4d05-8E3B-27374CCB95B2}.exe	{DD27A60F-F031-4279-95B9-A8C3AA62919F}.exe
File created	C:\Windows\{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe	{06724576-AB03-457a-886E-C515ACC8031C}.exe
File created	C:\Windows\{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe	{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe
File created	C:\Windows\{06724576-AB03-457a-886E-C515ACC8031C}.exe	{49183D9F-3588-4022-AB56-A241B69BB37B}.exe
File created	C:\Windows\{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe	{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe
File created	C:\Windows\{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe	{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe
File created	C:\Windows\{E97D652F-2F08-4613-9108-C98ECCF972D2}.exe	{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe
File created	C:\Windows\{DD27A60F-F031-4279-95B9-A8C3AA62919F}.exe	{E97D652F-2F08-4613-9108-C98ECCF972D2}.exe
File created	C:\Windows\{4F3E3762-2A70-4f53-B091-B9CE9ADA6798}.exe	{B223B397-0CC1-4d05-8E3B-27374CCB95B2}.exe
File created	C:\Windows\{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe
File created	C:\Windows\{49183D9F-3588-4022-AB56-A241B69BB37B}.exe	{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe
File created	C:\Windows\{D8DC96E0-0E18-4333-8BF5-3E6E1C0C5B36}.exe	{4F3E3762-2A70-4f53-B091-B9CE9ADA6798}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2208	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe
Token: SeIncBasePriorityPrivilege	2724	{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe
Token: SeIncBasePriorityPrivilege	2708	{49183D9F-3588-4022-AB56-A241B69BB37B}.exe
Token: SeIncBasePriorityPrivilege	2744	{06724576-AB03-457a-886E-C515ACC8031C}.exe
Token: SeIncBasePriorityPrivilege	2524	{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe
Token: SeIncBasePriorityPrivilege	1820	{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe
Token: SeIncBasePriorityPrivilege	1716	{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe
Token: SeIncBasePriorityPrivilege	2968	{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe
Token: SeIncBasePriorityPrivilege	3036	{E97D652F-2F08-4613-9108-C98ECCF972D2}.exe
Token: SeIncBasePriorityPrivilege	2820	{DD27A60F-F031-4279-95B9-A8C3AA62919F}.exe
Token: SeIncBasePriorityPrivilege	2516	{B223B397-0CC1-4d05-8E3B-27374CCB95B2}.exe
Token: SeIncBasePriorityPrivilege	1980	{4F3E3762-2A70-4f53-B091-B9CE9ADA6798}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2724	2208	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe	29
PID 2208 wrote to memory of 2724	2208	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe	29
PID 2208 wrote to memory of 2724	2208	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe	29
PID 2208 wrote to memory of 2724	2208	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe	29
PID 2208 wrote to memory of 1908	2208	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe	30
PID 2208 wrote to memory of 1908	2208	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe	30
PID 2208 wrote to memory of 1908	2208	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe	30
PID 2208 wrote to memory of 1908	2208	NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe	30
PID 2724 wrote to memory of 2708	2724	{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe	31
PID 2724 wrote to memory of 2708	2724	{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe	31
PID 2724 wrote to memory of 2708	2724	{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe	31
PID 2724 wrote to memory of 2708	2724	{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe	31
PID 2724 wrote to memory of 2176	2724	{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe	32
PID 2724 wrote to memory of 2176	2724	{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe	32
PID 2724 wrote to memory of 2176	2724	{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe	32
PID 2724 wrote to memory of 2176	2724	{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe	32
PID 2708 wrote to memory of 2744	2708	{49183D9F-3588-4022-AB56-A241B69BB37B}.exe	33
PID 2708 wrote to memory of 2744	2708	{49183D9F-3588-4022-AB56-A241B69BB37B}.exe	33
PID 2708 wrote to memory of 2744	2708	{49183D9F-3588-4022-AB56-A241B69BB37B}.exe	33
PID 2708 wrote to memory of 2744	2708	{49183D9F-3588-4022-AB56-A241B69BB37B}.exe	33
PID 2708 wrote to memory of 276	2708	{49183D9F-3588-4022-AB56-A241B69BB37B}.exe	34
PID 2708 wrote to memory of 276	2708	{49183D9F-3588-4022-AB56-A241B69BB37B}.exe	34
PID 2708 wrote to memory of 276	2708	{49183D9F-3588-4022-AB56-A241B69BB37B}.exe	34
PID 2708 wrote to memory of 276	2708	{49183D9F-3588-4022-AB56-A241B69BB37B}.exe	34
PID 2744 wrote to memory of 2524	2744	{06724576-AB03-457a-886E-C515ACC8031C}.exe	35
PID 2744 wrote to memory of 2524	2744	{06724576-AB03-457a-886E-C515ACC8031C}.exe	35
PID 2744 wrote to memory of 2524	2744	{06724576-AB03-457a-886E-C515ACC8031C}.exe	35
PID 2744 wrote to memory of 2524	2744	{06724576-AB03-457a-886E-C515ACC8031C}.exe	35
PID 2744 wrote to memory of 2576	2744	{06724576-AB03-457a-886E-C515ACC8031C}.exe	36
PID 2744 wrote to memory of 2576	2744	{06724576-AB03-457a-886E-C515ACC8031C}.exe	36
PID 2744 wrote to memory of 2576	2744	{06724576-AB03-457a-886E-C515ACC8031C}.exe	36
PID 2744 wrote to memory of 2576	2744	{06724576-AB03-457a-886E-C515ACC8031C}.exe	36
PID 2524 wrote to memory of 1820	2524	{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe	37
PID 2524 wrote to memory of 1820	2524	{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe	37
PID 2524 wrote to memory of 1820	2524	{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe	37
PID 2524 wrote to memory of 1820	2524	{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe	37
PID 2524 wrote to memory of 2384	2524	{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe	38
PID 2524 wrote to memory of 2384	2524	{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe	38
PID 2524 wrote to memory of 2384	2524	{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe	38
PID 2524 wrote to memory of 2384	2524	{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe	38
PID 1820 wrote to memory of 1716	1820	{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe	39
PID 1820 wrote to memory of 1716	1820	{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe	39
PID 1820 wrote to memory of 1716	1820	{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe	39
PID 1820 wrote to memory of 1716	1820	{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe	39
PID 1820 wrote to memory of 2940	1820	{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe	40
PID 1820 wrote to memory of 2940	1820	{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe	40
PID 1820 wrote to memory of 2940	1820	{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe	40
PID 1820 wrote to memory of 2940	1820	{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe	40
PID 1716 wrote to memory of 2968	1716	{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe	41
PID 1716 wrote to memory of 2968	1716	{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe	41
PID 1716 wrote to memory of 2968	1716	{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe	41
PID 1716 wrote to memory of 2968	1716	{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe	41
PID 1716 wrote to memory of 2024	1716	{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe	42
PID 1716 wrote to memory of 2024	1716	{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe	42
PID 1716 wrote to memory of 2024	1716	{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe	42
PID 1716 wrote to memory of 2024	1716	{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe	42
PID 2968 wrote to memory of 3036	2968	{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe	43
PID 2968 wrote to memory of 3036	2968	{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe	43
PID 2968 wrote to memory of 3036	2968	{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe	43
PID 2968 wrote to memory of 3036	2968	{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe	43
PID 2968 wrote to memory of 2884	2968	{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe	44
PID 2968 wrote to memory of 2884	2968	{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe	44
PID 2968 wrote to memory of 2884	2968	{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe	44
PID 2968 wrote to memory of 2884	2968	{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe	44

C:\Users\Admin\AppData\Local\Temp\NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.db07deb0b8521b511b8ac99a449b4dc0.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe
  C:\Windows\{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\{49183D9F-3588-4022-AB56-A241B69BB37B}.exe
    C:\Windows\{49183D9F-3588-4022-AB56-A241B69BB37B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\{06724576-AB03-457a-886E-C515ACC8031C}.exe
      C:\Windows\{06724576-AB03-457a-886E-C515ACC8031C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe
        
        C:\Windows\{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe
        
        C:\Windows\{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe
        
        C:\Windows\{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe
        
        C:\Windows\{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\{E97D652F-2F08-4613-9108-C98ECCF972D2}.exe
        
        C:\Windows\{E97D652F-2F08-4613-9108-C98ECCF972D2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\{DD27A60F-F031-4279-95B9-A8C3AA62919F}.exe
        
        C:\Windows\{DD27A60F-F031-4279-95B9-A8C3AA62919F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\{B223B397-0CC1-4d05-8E3B-27374CCB95B2}.exe
        
        C:\Windows\{B223B397-0CC1-4d05-8E3B-27374CCB95B2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\{4F3E3762-2A70-4f53-B091-B9CE9ADA6798}.exe
        
        C:\Windows\{4F3E3762-2A70-4f53-B091-B9CE9ADA6798}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\{D8DC96E0-0E18-4333-8BF5-3E6E1C0C5B36}.exe
        
        C:\Windows\{D8DC96E0-0E18-4333-8BF5-3E6E1C0C5B36}.exe
        13⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F3E3~1.EXE > nul
        13⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B223B~1.EXE > nul
        12⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD27A~1.EXE > nul
        11⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E97D6~1.EXE > nul
        10⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64AA8~1.EXE > nul
        9⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{911EB~1.EXE > nul
        8⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E51E~1.EXE > nul
        7⤵
        
        PID:2940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD2AB~1.EXE > nul
        6⤵
        
        PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06724~1.EXE > nul
        5⤵
        
        PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{49183~1.EXE > nul
      4⤵
      PID:276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3CE1E~1.EXE > nul
    3⤵
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEASDB~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06724576-AB03-457a-886E-C515ACC8031C}.exe

Filesize
118KB

MD5
6d0a98a2308e11e0d9ef204d12309d41

SHA1
ab94bc5a889f1f119c2312e7216195133cbaf33a

SHA256
f1d14a2f90d22eafeeb8e5872f33cdd2bfdade38a60067876aca91cb069efb14

SHA512
fbc5999a7c5c1acbf29a486e60db36df3a50ef092ce10b27692769988ac3eadd361b0dc557fbe7e352f912a466f14d0dd761a432867e1bf802918bfd5cd83edd

Download Submit
C:\Windows\{06724576-AB03-457a-886E-C515ACC8031C}.exe

Filesize
118KB

MD5
6d0a98a2308e11e0d9ef204d12309d41

SHA1
ab94bc5a889f1f119c2312e7216195133cbaf33a

SHA256
f1d14a2f90d22eafeeb8e5872f33cdd2bfdade38a60067876aca91cb069efb14

SHA512
fbc5999a7c5c1acbf29a486e60db36df3a50ef092ce10b27692769988ac3eadd361b0dc557fbe7e352f912a466f14d0dd761a432867e1bf802918bfd5cd83edd

Download Submit
C:\Windows\{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe

Filesize
118KB

MD5
a316933a73228babc0dea6eccd6aa7ae

SHA1
1d76ea08f797f63b800d9501c72f8309889a2a5f

SHA256
b0197f376db2653e07bc53e8d57a137c337eefa232951b737dca941424ac6864

SHA512
3f470abd48f553d64f0981756be7f2349c3c0c49dcb68ee81e3c0efb9c35cf765cef50eb5eb02aa5ca22664bc5310222102887cb166decbad17c3147a8f9cbb5

Download Submit
C:\Windows\{1E51E0EA-56C0-4d46-AC07-DF563EB4CCE5}.exe

Filesize
118KB

MD5
a316933a73228babc0dea6eccd6aa7ae

SHA1
1d76ea08f797f63b800d9501c72f8309889a2a5f

SHA256
b0197f376db2653e07bc53e8d57a137c337eefa232951b737dca941424ac6864

SHA512
3f470abd48f553d64f0981756be7f2349c3c0c49dcb68ee81e3c0efb9c35cf765cef50eb5eb02aa5ca22664bc5310222102887cb166decbad17c3147a8f9cbb5

Download Submit
C:\Windows\{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe

Filesize
118KB

MD5
05089c393170d89e344417a71c48fa32

SHA1
8f1eaf7042cf6172e9ec1b23f948148186f344e4

SHA256
cd81222398a224f9a51e5277c54b2e8f30118011abf75ddc981b54847424ba4a

SHA512
ee6a6ec73a5e81a234b8bb10a288d96438a2f54669d8ce7838ba29d8b41051c39593624f36e0f8bfcbda8b9d1b9249c1b0cf192478798a9c408ae5f1f44b1a3a

Download Submit
C:\Windows\{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe

Filesize
118KB

MD5
05089c393170d89e344417a71c48fa32

SHA1
8f1eaf7042cf6172e9ec1b23f948148186f344e4

SHA256
cd81222398a224f9a51e5277c54b2e8f30118011abf75ddc981b54847424ba4a

SHA512
ee6a6ec73a5e81a234b8bb10a288d96438a2f54669d8ce7838ba29d8b41051c39593624f36e0f8bfcbda8b9d1b9249c1b0cf192478798a9c408ae5f1f44b1a3a

Download Submit
C:\Windows\{3CE1EDC1-C4B6-4372-8374-B240C744979A}.exe

Filesize
118KB

MD5
05089c393170d89e344417a71c48fa32

SHA1
8f1eaf7042cf6172e9ec1b23f948148186f344e4

SHA256
cd81222398a224f9a51e5277c54b2e8f30118011abf75ddc981b54847424ba4a

SHA512
ee6a6ec73a5e81a234b8bb10a288d96438a2f54669d8ce7838ba29d8b41051c39593624f36e0f8bfcbda8b9d1b9249c1b0cf192478798a9c408ae5f1f44b1a3a

Download Submit
C:\Windows\{49183D9F-3588-4022-AB56-A241B69BB37B}.exe

Filesize
118KB

MD5
57fb43034a0019b2b082d7abd7a7f7e7

SHA1
2b7480e7ad1e710fdd2369ef35b0aaf1aab224cb

SHA256
b8fb4e6cb12b75ceea45552da4e00997228f26b81cf62109f830885d5b08bce6

SHA512
ecc40f3f7952528adfcd8c6b88f1fde771fe484e2ca89977737352651f916a22bb2bffaba7683b84241c27aff194faaa320820b0ec7d1edcf525f0fd31fc95b2

Download Submit
C:\Windows\{49183D9F-3588-4022-AB56-A241B69BB37B}.exe

Filesize
118KB

MD5
57fb43034a0019b2b082d7abd7a7f7e7

SHA1
2b7480e7ad1e710fdd2369ef35b0aaf1aab224cb

SHA256
b8fb4e6cb12b75ceea45552da4e00997228f26b81cf62109f830885d5b08bce6

SHA512
ecc40f3f7952528adfcd8c6b88f1fde771fe484e2ca89977737352651f916a22bb2bffaba7683b84241c27aff194faaa320820b0ec7d1edcf525f0fd31fc95b2

Download Submit
C:\Windows\{4F3E3762-2A70-4f53-B091-B9CE9ADA6798}.exe

Filesize
118KB

MD5
8291fef938c6b4a13d5c9c29dcb5df11

SHA1
86237da2a4c536ba77dcfb1c1d0c55e66174ed3e

SHA256
52d44aa3a74e0d74fda6253a6df236000103403b8e4d43ebe781ac797e02b0d7

SHA512
286d7d60adad96c3e1ff189f90e7641136418adfed1e0d5f39beb9794ee66b4ed926761c39157f02bccbe8f80bc7b91acc496f8543e0e13f189dfa5c9278fb31

Download Submit
C:\Windows\{4F3E3762-2A70-4f53-B091-B9CE9ADA6798}.exe

Filesize
118KB

MD5
8291fef938c6b4a13d5c9c29dcb5df11

SHA1
86237da2a4c536ba77dcfb1c1d0c55e66174ed3e

SHA256
52d44aa3a74e0d74fda6253a6df236000103403b8e4d43ebe781ac797e02b0d7

SHA512
286d7d60adad96c3e1ff189f90e7641136418adfed1e0d5f39beb9794ee66b4ed926761c39157f02bccbe8f80bc7b91acc496f8543e0e13f189dfa5c9278fb31

Download Submit
C:\Windows\{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe

Filesize
118KB

MD5
022a5a2c7636d8cad5f7283e7827787d

SHA1
e33f67a5ad454da2ecbb36791c4b834c5e23b837

SHA256
ead4100a5869e9ffc26e96a094691f0912db74389d9c619bae313e83fa8aa45d

SHA512
8ed8908bd57dc1e9a8b987895b32b2fbf023947bd580a60023a9897a2dca399d9a0a050d8c0e8a2e554ee273966729d2e9ae7a4e0aa086ecabe172dffdb42d81

Download Submit
C:\Windows\{64AA87E8-F8A5-46f5-9449-BF07A8DD54E0}.exe

Filesize
118KB

MD5
022a5a2c7636d8cad5f7283e7827787d

SHA1
e33f67a5ad454da2ecbb36791c4b834c5e23b837

SHA256
ead4100a5869e9ffc26e96a094691f0912db74389d9c619bae313e83fa8aa45d

SHA512
8ed8908bd57dc1e9a8b987895b32b2fbf023947bd580a60023a9897a2dca399d9a0a050d8c0e8a2e554ee273966729d2e9ae7a4e0aa086ecabe172dffdb42d81

Download Submit
C:\Windows\{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe

Filesize
118KB

MD5
7940d59d1def35befec7d38cb82b7539

SHA1
c1119410e2ad8dd4849e7ce7b8164a8aa217f0ea

SHA256
824078756590852d6683d336b8fcd9d99874ba1d69f972f877defa8cc33409c8

SHA512
ef92abe0e3f6472438bea4336098042487b28279ed18e448e6a732c86606b1d506b3defcf1da521edc8515cae0bdbe96d379932169029ec37d7aa9a921a26674

Download Submit
C:\Windows\{911EBB3C-4C15-4d93-B6B5-2699616C6EA5}.exe

Filesize
118KB

MD5
7940d59d1def35befec7d38cb82b7539

SHA1
c1119410e2ad8dd4849e7ce7b8164a8aa217f0ea

SHA256
824078756590852d6683d336b8fcd9d99874ba1d69f972f877defa8cc33409c8

SHA512
ef92abe0e3f6472438bea4336098042487b28279ed18e448e6a732c86606b1d506b3defcf1da521edc8515cae0bdbe96d379932169029ec37d7aa9a921a26674

Download Submit
C:\Windows\{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe

Filesize
118KB

MD5
24b3bcf9da64954cd839958df16069b2

SHA1
20ef687716f49f30e58483126812512c5ea20dfa

SHA256
a2c090b59757b9c508ee0aecbbe4fd6f19c0e49d05e99dd01adf9040c1367569

SHA512
4d86830acd5faba342fa5ac8c241bdd9946e69855cca9147f272ec20563cc2030020763538284949d5bbddae3eab2db5c4675e4acd43ed2da37e2a934d697fbb

Download Submit
C:\Windows\{AD2AB73F-BCEB-406c-B5CB-7903CA03B586}.exe

Filesize
118KB

MD5
24b3bcf9da64954cd839958df16069b2

SHA1
20ef687716f49f30e58483126812512c5ea20dfa

SHA256
a2c090b59757b9c508ee0aecbbe4fd6f19c0e49d05e99dd01adf9040c1367569

SHA512
4d86830acd5faba342fa5ac8c241bdd9946e69855cca9147f272ec20563cc2030020763538284949d5bbddae3eab2db5c4675e4acd43ed2da37e2a934d697fbb

Download Submit
C:\Windows\{B223B397-0CC1-4d05-8E3B-27374CCB95B2}.exe

Filesize
118KB

MD5
3530a2ecb79ba1bd15a69d44109a72dc

SHA1
f3e86258c6b55dab2e0f17fcb80910d5ea33407f

SHA256
38c06d15eaaa44f4a348e587d4cc899b657bcf2e4d62fc5cf7e9279edb72de6b

SHA512
ba49df6e6864a3e277b5f3c288de5de812f0b6125e306e4583a085a0eef0d5590dcd2cb406ad18abc611e13b63c849773fdf14c3418ae3a8e06f5f1e7e612dfa

Download Submit
C:\Windows\{B223B397-0CC1-4d05-8E3B-27374CCB95B2}.exe

Filesize
118KB

MD5
3530a2ecb79ba1bd15a69d44109a72dc

SHA1
f3e86258c6b55dab2e0f17fcb80910d5ea33407f

SHA256
38c06d15eaaa44f4a348e587d4cc899b657bcf2e4d62fc5cf7e9279edb72de6b

SHA512
ba49df6e6864a3e277b5f3c288de5de812f0b6125e306e4583a085a0eef0d5590dcd2cb406ad18abc611e13b63c849773fdf14c3418ae3a8e06f5f1e7e612dfa

Download Submit
C:\Windows\{D8DC96E0-0E18-4333-8BF5-3E6E1C0C5B36}.exe

Filesize
118KB

MD5
86a82df4d70bc82ac4790b1d03fc0f99

SHA1
3746886400a15ade394e5988f4d33a7cea12f0bb

SHA256
0d8c62e64cc09fe2a6591ff71bbcf3e75c457215102f4ec1c2dda4a9f8c48a06

SHA512
a1081f06c3a8bfa53cc3ad9c851cd1395928d8d32de99099e52225813898f7857c303c1d7071851a73a5ad366d327c80292b1ba060989666419ee828138b6b83

Download Submit
C:\Windows\{DD27A60F-F031-4279-95B9-A8C3AA62919F}.exe

Filesize
118KB

MD5
572acd1b57cd544ef06915345bd6be7c

SHA1
863513fe320947558b43d534e774234e953564bb

SHA256
8003bd61ba43f522285a5b10e4a35d5aeece6246374cf4c57ecd974abe856c5e

SHA512
f4440dfb0c34b152aa76dd1e5ec97e99786b1f7c687bd123158e9ab2f3e9aeebc2cf721637809f6055cc0002cba4ecd0dbcdf1e5c2c56177ad9237a1b9c821dd

Download Submit
C:\Windows\{DD27A60F-F031-4279-95B9-A8C3AA62919F}.exe

Filesize
118KB

MD5
572acd1b57cd544ef06915345bd6be7c

SHA1
863513fe320947558b43d534e774234e953564bb

SHA256
8003bd61ba43f522285a5b10e4a35d5aeece6246374cf4c57ecd974abe856c5e

SHA512
f4440dfb0c34b152aa76dd1e5ec97e99786b1f7c687bd123158e9ab2f3e9aeebc2cf721637809f6055cc0002cba4ecd0dbcdf1e5c2c56177ad9237a1b9c821dd

Download Submit
C:\Windows\{E97D652F-2F08-4613-9108-C98ECCF972D2}.exe

Filesize
118KB

MD5
e610b8b4fafbbdcf8263f539eff7f554

SHA1
50db678be1f1a8462d363a048ed889e5653ef742

SHA256
7bff8edf6f63ecca350a1fd15b8e6f7e0d66a9426a9ede96bd9788d201413de8

SHA512
fd5af56d965d6cee6c092885987e34b7e46c641251cd1c500cbc4d629717181b7b9409d4c1a9c498c59c5633b1d4ba7adf2bbdc29f8a3353aab0e278a7d55f41

Download Submit
C:\Windows\{E97D652F-2F08-4613-9108-C98ECCF972D2}.exe

Filesize
118KB

MD5
e610b8b4fafbbdcf8263f539eff7f554

SHA1
50db678be1f1a8462d363a048ed889e5653ef742

SHA256
7bff8edf6f63ecca350a1fd15b8e6f7e0d66a9426a9ede96bd9788d201413de8

SHA512
fd5af56d965d6cee6c092885987e34b7e46c641251cd1c500cbc4d629717181b7b9409d4c1a9c498c59c5633b1d4ba7adf2bbdc29f8a3353aab0e278a7d55f41

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads