e6a8f30e305b064551ac9f61361b1aef622aa9c19d1a523db5a731274eeaf9c1

Analysis

max time kernel
149s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4ca333e09dde2ed79ac4e61365258760.exe
Size

80KB
MD5

4ca333e09dde2ed79ac4e61365258760
SHA1

c6a55ffcac98ea660c4098a093d4fe34c94689e1
SHA256

e6a8f30e305b064551ac9f61361b1aef622aa9c19d1a523db5a731274eeaf9c1
SHA512

a3e922d9121d4f4a68dce2ec43f9046c3b0d8a5f66830050e9a26290f953d32bccb778e3c45c6b4b99f8e5eefe4ae6f3ccb26ebd940388d37ffdd8f4c5b05331
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLrov4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUOV:vvw9816vhKQLrov4/wQRNrfrunMxVFAi

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{838FF16A-1C82-439f-995D-4B90AD9961D3}\stubpath = "C:\\Windows\\{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe"	{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E96FEDCA-27F1-40cb-A4E7-549E52520160}	{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E96FEDCA-27F1-40cb-A4E7-549E52520160}\stubpath = "C:\\Windows\\{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe"	{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{864F5FEF-0980-4a27-9175-F44D3CA0E547}	{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{864F5FEF-0980-4a27-9175-F44D3CA0E547}\stubpath = "C:\\Windows\\{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe"	{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B598E726-B7F9-4655-BC90-B57E153BDA41}	{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B598E726-B7F9-4655-BC90-B57E153BDA41}\stubpath = "C:\\Windows\\{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe"	{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83F6E5CB-0829-4b35-9EDD-1A81FEC87EC3}	{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98AB81EA-1323-4994-BCB6-36450F9910DF}\stubpath = "C:\\Windows\\{98AB81EA-1323-4994-BCB6-36450F9910DF}.exe"	{83F6E5CB-0829-4b35-9EDD-1A81FEC87EC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EDE8CBB-6E90-4f83-95D1-C1DBEE08DB30}\stubpath = "C:\\Windows\\{7EDE8CBB-6E90-4f83-95D1-C1DBEE08DB30}.exe"	{98AB81EA-1323-4994-BCB6-36450F9910DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{523F2FEA-4636-4fbe-93CF-900795A480E9}	{7EDE8CBB-6E90-4f83-95D1-C1DBEE08DB30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{523F2FEA-4636-4fbe-93CF-900795A480E9}\stubpath = "C:\\Windows\\{523F2FEA-4636-4fbe-93CF-900795A480E9}.exe"	{7EDE8CBB-6E90-4f83-95D1-C1DBEE08DB30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44D25716-3AF8-41de-BBE9-BFBD179B59CD}\stubpath = "C:\\Windows\\{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe"	NEAS.4ca333e09dde2ed79ac4e61365258760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}\stubpath = "C:\\Windows\\{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe"	{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83F6E5CB-0829-4b35-9EDD-1A81FEC87EC3}\stubpath = "C:\\Windows\\{83F6E5CB-0829-4b35-9EDD-1A81FEC87EC3}.exe"	{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98AB81EA-1323-4994-BCB6-36450F9910DF}	{83F6E5CB-0829-4b35-9EDD-1A81FEC87EC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44D25716-3AF8-41de-BBE9-BFBD179B59CD}	NEAS.4ca333e09dde2ed79ac4e61365258760.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{838FF16A-1C82-439f-995D-4B90AD9961D3}	{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}	{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}\stubpath = "C:\\Windows\\{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe"	{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EDE8CBB-6E90-4f83-95D1-C1DBEE08DB30}	{98AB81EA-1323-4994-BCB6-36450F9910DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD711E76-C5D1-476a-94CB-9A4EA38C4485}	{523F2FEA-4636-4fbe-93CF-900795A480E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD711E76-C5D1-476a-94CB-9A4EA38C4485}\stubpath = "C:\\Windows\\{BD711E76-C5D1-476a-94CB-9A4EA38C4485}.exe"	{523F2FEA-4636-4fbe-93CF-900795A480E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}	{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe

Deletes itself 1 IoCs

pid	Process
2304	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2196	{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe
2664	{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe
2144	{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe
2500	{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe
2132	{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe
768	{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe
992	{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe
2760	{83F6E5CB-0829-4b35-9EDD-1A81FEC87EC3}.exe
2788	{98AB81EA-1323-4994-BCB6-36450F9910DF}.exe
2936	{7EDE8CBB-6E90-4f83-95D1-C1DBEE08DB30}.exe
2532	{523F2FEA-4636-4fbe-93CF-900795A480E9}.exe
1916	{BD711E76-C5D1-476a-94CB-9A4EA38C4485}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe	NEAS.4ca333e09dde2ed79ac4e61365258760.exe
File created	C:\Windows\{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe	{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe
File created	C:\Windows\{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe	{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe
File created	C:\Windows\{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe	{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe
File created	C:\Windows\{83F6E5CB-0829-4b35-9EDD-1A81FEC87EC3}.exe	{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe
File created	C:\Windows\{98AB81EA-1323-4994-BCB6-36450F9910DF}.exe	{83F6E5CB-0829-4b35-9EDD-1A81FEC87EC3}.exe
File created	C:\Windows\{523F2FEA-4636-4fbe-93CF-900795A480E9}.exe	{7EDE8CBB-6E90-4f83-95D1-C1DBEE08DB30}.exe
File created	C:\Windows\{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe	{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe
File created	C:\Windows\{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe	{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe
File created	C:\Windows\{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe	{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe
File created	C:\Windows\{7EDE8CBB-6E90-4f83-95D1-C1DBEE08DB30}.exe	{98AB81EA-1323-4994-BCB6-36450F9910DF}.exe
File created	C:\Windows\{BD711E76-C5D1-476a-94CB-9A4EA38C4485}.exe	{523F2FEA-4636-4fbe-93CF-900795A480E9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2020	NEAS.4ca333e09dde2ed79ac4e61365258760.exe
Token: SeIncBasePriorityPrivilege	2196	{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe
Token: SeIncBasePriorityPrivilege	2664	{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe
Token: SeIncBasePriorityPrivilege	2144	{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe
Token: SeIncBasePriorityPrivilege	2500	{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe
Token: SeIncBasePriorityPrivilege	2132	{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe
Token: SeIncBasePriorityPrivilege	768	{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe
Token: SeIncBasePriorityPrivilege	992	{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe
Token: SeIncBasePriorityPrivilege	2760	{83F6E5CB-0829-4b35-9EDD-1A81FEC87EC3}.exe
Token: SeIncBasePriorityPrivilege	2788	{98AB81EA-1323-4994-BCB6-36450F9910DF}.exe
Token: SeIncBasePriorityPrivilege	2936	{7EDE8CBB-6E90-4f83-95D1-C1DBEE08DB30}.exe
Token: SeIncBasePriorityPrivilege	2532	{523F2FEA-4636-4fbe-93CF-900795A480E9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2196	2020	NEAS.4ca333e09dde2ed79ac4e61365258760.exe	28
PID 2020 wrote to memory of 2196	2020	NEAS.4ca333e09dde2ed79ac4e61365258760.exe	28
PID 2020 wrote to memory of 2196	2020	NEAS.4ca333e09dde2ed79ac4e61365258760.exe	28
PID 2020 wrote to memory of 2196	2020	NEAS.4ca333e09dde2ed79ac4e61365258760.exe	28
PID 2020 wrote to memory of 2304	2020	NEAS.4ca333e09dde2ed79ac4e61365258760.exe	29
PID 2020 wrote to memory of 2304	2020	NEAS.4ca333e09dde2ed79ac4e61365258760.exe	29
PID 2020 wrote to memory of 2304	2020	NEAS.4ca333e09dde2ed79ac4e61365258760.exe	29
PID 2020 wrote to memory of 2304	2020	NEAS.4ca333e09dde2ed79ac4e61365258760.exe	29
PID 2196 wrote to memory of 2664	2196	{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe	31
PID 2196 wrote to memory of 2664	2196	{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe	31
PID 2196 wrote to memory of 2664	2196	{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe	31
PID 2196 wrote to memory of 2664	2196	{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe	31
PID 2196 wrote to memory of 2860	2196	{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe	30
PID 2196 wrote to memory of 2860	2196	{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe	30
PID 2196 wrote to memory of 2860	2196	{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe	30
PID 2196 wrote to memory of 2860	2196	{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe	30
PID 2664 wrote to memory of 2144	2664	{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe	34
PID 2664 wrote to memory of 2144	2664	{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe	34
PID 2664 wrote to memory of 2144	2664	{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe	34
PID 2664 wrote to memory of 2144	2664	{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe	34
PID 2664 wrote to memory of 2548	2664	{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe	35
PID 2664 wrote to memory of 2548	2664	{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe	35
PID 2664 wrote to memory of 2548	2664	{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe	35
PID 2664 wrote to memory of 2548	2664	{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe	35
PID 2144 wrote to memory of 2500	2144	{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe	36
PID 2144 wrote to memory of 2500	2144	{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe	36
PID 2144 wrote to memory of 2500	2144	{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe	36
PID 2144 wrote to memory of 2500	2144	{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe	36
PID 2144 wrote to memory of 2932	2144	{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe	37
PID 2144 wrote to memory of 2932	2144	{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe	37
PID 2144 wrote to memory of 2932	2144	{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe	37
PID 2144 wrote to memory of 2932	2144	{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe	37
PID 2500 wrote to memory of 2132	2500	{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe	39
PID 2500 wrote to memory of 2132	2500	{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe	39
PID 2500 wrote to memory of 2132	2500	{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe	39
PID 2500 wrote to memory of 2132	2500	{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe	39
PID 2500 wrote to memory of 516	2500	{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe	38
PID 2500 wrote to memory of 516	2500	{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe	38
PID 2500 wrote to memory of 516	2500	{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe	38
PID 2500 wrote to memory of 516	2500	{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe	38
PID 2132 wrote to memory of 768	2132	{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe	40
PID 2132 wrote to memory of 768	2132	{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe	40
PID 2132 wrote to memory of 768	2132	{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe	40
PID 2132 wrote to memory of 768	2132	{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe	40
PID 2132 wrote to memory of 1984	2132	{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe	41
PID 2132 wrote to memory of 1984	2132	{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe	41
PID 2132 wrote to memory of 1984	2132	{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe	41
PID 2132 wrote to memory of 1984	2132	{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe	41
PID 768 wrote to memory of 992	768	{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe	42
PID 768 wrote to memory of 992	768	{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe	42
PID 768 wrote to memory of 992	768	{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe	42
PID 768 wrote to memory of 992	768	{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe	42
PID 768 wrote to memory of 1460	768	{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe	43
PID 768 wrote to memory of 1460	768	{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe	43
PID 768 wrote to memory of 1460	768	{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe	43
PID 768 wrote to memory of 1460	768	{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe	43
PID 992 wrote to memory of 2760	992	{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe	44
PID 992 wrote to memory of 2760	992	{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe	44
PID 992 wrote to memory of 2760	992	{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe	44
PID 992 wrote to memory of 2760	992	{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe	44
PID 992 wrote to memory of 2724	992	{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe	45
PID 992 wrote to memory of 2724	992	{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe	45
PID 992 wrote to memory of 2724	992	{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe	45
PID 992 wrote to memory of 2724	992	{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.4ca333e09dde2ed79ac4e61365258760.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4ca333e09dde2ed79ac4e61365258760.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe
  C:\Windows\{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{44D25~1.EXE > nul
    3⤵
    PID:2860
- - C:\Windows\{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe
    C:\Windows\{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe
      C:\Windows\{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe
        
        C:\Windows\{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FD84~1.EXE > nul
        6⤵
        
        PID:516
      - C:\Windows\{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe
        
        C:\Windows\{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe
        
        C:\Windows\{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe
        
        C:\Windows\{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\{83F6E5CB-0829-4b35-9EDD-1A81FEC87EC3}.exe
        
        C:\Windows\{83F6E5CB-0829-4b35-9EDD-1A81FEC87EC3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\{98AB81EA-1323-4994-BCB6-36450F9910DF}.exe
        
        C:\Windows\{98AB81EA-1323-4994-BCB6-36450F9910DF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\{7EDE8CBB-6E90-4f83-95D1-C1DBEE08DB30}.exe
        
        C:\Windows\{7EDE8CBB-6E90-4f83-95D1-C1DBEE08DB30}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\{523F2FEA-4636-4fbe-93CF-900795A480E9}.exe
        
        C:\Windows\{523F2FEA-4636-4fbe-93CF-900795A480E9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\{BD711E76-C5D1-476a-94CB-9A4EA38C4485}.exe
        
        C:\Windows\{BD711E76-C5D1-476a-94CB-9A4EA38C4485}.exe
        13⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{523F2~1.EXE > nul
        13⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EDE8~1.EXE > nul
        12⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98AB8~1.EXE > nul
        11⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83F6E~1.EXE > nul
        10⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B598E~1.EXE > nul
        9⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BC27~1.EXE > nul
        8⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{864F5~1.EXE > nul
        7⤵
        
        PID:1984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E96FE~1.EXE > nul
        5⤵
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{838FF~1.EXE > nul
      4⤵
      PID:2548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS4C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe

Filesize
80KB

MD5
215b856fd1a25fde4011503f7a063ab5

SHA1
7dfbd05a9b3421e864ed129f10636c126b91b3ff

SHA256
f7505e6aed2695fc0aab61cbadbb9c79fc1e38e87505540039b7219d2559674d

SHA512
c582f4f0a3362fc297864fd99307017c5340bce5288823d6d03db91c80f26dc4326111f7120e265c0f6fb356d93a3c69fe84908803abbc517cb56d6f449cd0a5

Download Submit
C:\Windows\{1BC27F0A-0175-46d0-AAB4-BE8FFA0F308A}.exe

Filesize
80KB

MD5
215b856fd1a25fde4011503f7a063ab5

SHA1
7dfbd05a9b3421e864ed129f10636c126b91b3ff

SHA256
f7505e6aed2695fc0aab61cbadbb9c79fc1e38e87505540039b7219d2559674d

SHA512
c582f4f0a3362fc297864fd99307017c5340bce5288823d6d03db91c80f26dc4326111f7120e265c0f6fb356d93a3c69fe84908803abbc517cb56d6f449cd0a5

Download Submit
C:\Windows\{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe

Filesize
80KB

MD5
9770f2d6b614d263df3250183e0ae542

SHA1
2a78458f7ef5772b0cb6b877a7a8264e257d0184

SHA256
536fdc87ac81d6c0d24867b475c8c95e735c5b4c0df88809e0b2a0acdaffeae4

SHA512
1d03fa363f60aa5647ad94aeb469616f9c2d1ce18c06e47d57fbb07a3a51c180cbf28217b3df88aec39043c7a93976554149856c48d9138ddf762afac31f838f

Download Submit
C:\Windows\{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe

Filesize
80KB

MD5
9770f2d6b614d263df3250183e0ae542

SHA1
2a78458f7ef5772b0cb6b877a7a8264e257d0184

SHA256
536fdc87ac81d6c0d24867b475c8c95e735c5b4c0df88809e0b2a0acdaffeae4

SHA512
1d03fa363f60aa5647ad94aeb469616f9c2d1ce18c06e47d57fbb07a3a51c180cbf28217b3df88aec39043c7a93976554149856c48d9138ddf762afac31f838f

Download Submit
C:\Windows\{44D25716-3AF8-41de-BBE9-BFBD179B59CD}.exe

Filesize
80KB

MD5
9770f2d6b614d263df3250183e0ae542

SHA1
2a78458f7ef5772b0cb6b877a7a8264e257d0184

SHA256
536fdc87ac81d6c0d24867b475c8c95e735c5b4c0df88809e0b2a0acdaffeae4

SHA512
1d03fa363f60aa5647ad94aeb469616f9c2d1ce18c06e47d57fbb07a3a51c180cbf28217b3df88aec39043c7a93976554149856c48d9138ddf762afac31f838f

Download Submit
C:\Windows\{523F2FEA-4636-4fbe-93CF-900795A480E9}.exe

Filesize
80KB

MD5
f5118e8e734b5829e78a93b445288a98

SHA1
27b38ed239dedc01944ae480810162abd6ca3b80

SHA256
628160ded1f389a94b0e00268023aecdf9f0131917471f9c01f1477ed9c64596

SHA512
0b749e50caf842123bad3a2b43cf3b6543c5c3c81904575dd2d2347f6738762d559b28c805ac4e0e12593593ef7ef6941e18c37926839e392e98bb1128ac23c9

Download Submit
C:\Windows\{523F2FEA-4636-4fbe-93CF-900795A480E9}.exe

Filesize
80KB

MD5
f5118e8e734b5829e78a93b445288a98

SHA1
27b38ed239dedc01944ae480810162abd6ca3b80

SHA256
628160ded1f389a94b0e00268023aecdf9f0131917471f9c01f1477ed9c64596

SHA512
0b749e50caf842123bad3a2b43cf3b6543c5c3c81904575dd2d2347f6738762d559b28c805ac4e0e12593593ef7ef6941e18c37926839e392e98bb1128ac23c9

Download Submit
C:\Windows\{7EDE8CBB-6E90-4f83-95D1-C1DBEE08DB30}.exe

Filesize
80KB

MD5
4d090034a7fcfc7ee360b4612c98761e

SHA1
e8d8430ca7e1fc3033e02c712fa031825ec7d9be

SHA256
e76893b8e3b0173a9a1ace424127e792829d6336a40cd4be1e6b0ba0881f6b09

SHA512
104640b408e9727c84f83a81e3bb14e735e3033c6d9aca37192bc72ce5463f7c2bf349edf72ac6997e4b520a30ff8caac139432e92aba9f06f4757a0ce3bc0a2

Download Submit
C:\Windows\{7EDE8CBB-6E90-4f83-95D1-C1DBEE08DB30}.exe

Filesize
80KB

MD5
4d090034a7fcfc7ee360b4612c98761e

SHA1
e8d8430ca7e1fc3033e02c712fa031825ec7d9be

SHA256
e76893b8e3b0173a9a1ace424127e792829d6336a40cd4be1e6b0ba0881f6b09

SHA512
104640b408e9727c84f83a81e3bb14e735e3033c6d9aca37192bc72ce5463f7c2bf349edf72ac6997e4b520a30ff8caac139432e92aba9f06f4757a0ce3bc0a2

Download Submit
C:\Windows\{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe

Filesize
80KB

MD5
59de8ca281987410696908d99315b818

SHA1
976df9bcd67f2ad9e84f7363ff36e646eb486f15

SHA256
1b700f5c5d44aff04e60e3f28946fcf7f6a87b986ded8cec8918877a9be1a357

SHA512
6efd8e75900236c70764209f55e15be543d61fe84c2effefbcd9bc3552a6d5ef87f226274d3b7208257f8661545112fb39612f685a828c88280ab7cf4294ac84

Download Submit
C:\Windows\{838FF16A-1C82-439f-995D-4B90AD9961D3}.exe

Filesize
80KB

MD5
59de8ca281987410696908d99315b818

SHA1
976df9bcd67f2ad9e84f7363ff36e646eb486f15

SHA256
1b700f5c5d44aff04e60e3f28946fcf7f6a87b986ded8cec8918877a9be1a357

SHA512
6efd8e75900236c70764209f55e15be543d61fe84c2effefbcd9bc3552a6d5ef87f226274d3b7208257f8661545112fb39612f685a828c88280ab7cf4294ac84

Download Submit
C:\Windows\{83F6E5CB-0829-4b35-9EDD-1A81FEC87EC3}.exe

Filesize
80KB

MD5
ba0f310da33061200e31688598cb6c19

SHA1
01086fe480566ece2e6ac304b81322c9ce4b124d

SHA256
78ec57019ae57d166b35c119bcf0a44d9db668f9f03a4037b51360c6536db4eb

SHA512
8b205c5ecf1b964b706640e401809398e0b48f95f8ebe3e43b93a15d9f86062cb3df3d67b90bfee99da4e9e2244ab09e4449382bea2aa1e3e705c0f99a5a35bd

Download Submit
C:\Windows\{83F6E5CB-0829-4b35-9EDD-1A81FEC87EC3}.exe

Filesize
80KB

MD5
ba0f310da33061200e31688598cb6c19

SHA1
01086fe480566ece2e6ac304b81322c9ce4b124d

SHA256
78ec57019ae57d166b35c119bcf0a44d9db668f9f03a4037b51360c6536db4eb

SHA512
8b205c5ecf1b964b706640e401809398e0b48f95f8ebe3e43b93a15d9f86062cb3df3d67b90bfee99da4e9e2244ab09e4449382bea2aa1e3e705c0f99a5a35bd

Download Submit
C:\Windows\{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe

Filesize
80KB

MD5
1646dbce4368c92b3f5a7c7a756601fc

SHA1
8baf0551fbea266e27f85f6c37f4989d13f57fa1

SHA256
9a49efba64b5c1e815210f33d2a6800a7e5221a9a4eceec0b8d8539992ad5c25

SHA512
54dc2f2fff07f9ce8f2db48ec7917491a5711d56c1fb8e152bc2953342437a565a0ccee05ec0a5cbf1664939147cbae00919e81dd052869d3d8dc2adbcd385fb

Download Submit
C:\Windows\{864F5FEF-0980-4a27-9175-F44D3CA0E547}.exe

Filesize
80KB

MD5
1646dbce4368c92b3f5a7c7a756601fc

SHA1
8baf0551fbea266e27f85f6c37f4989d13f57fa1

SHA256
9a49efba64b5c1e815210f33d2a6800a7e5221a9a4eceec0b8d8539992ad5c25

SHA512
54dc2f2fff07f9ce8f2db48ec7917491a5711d56c1fb8e152bc2953342437a565a0ccee05ec0a5cbf1664939147cbae00919e81dd052869d3d8dc2adbcd385fb

Download Submit
C:\Windows\{98AB81EA-1323-4994-BCB6-36450F9910DF}.exe

Filesize
80KB

MD5
bac687c77ffb3d1ff76cf1636ee80677

SHA1
7a6f30f19e71f4a066ed163be7a669a874c7ec8a

SHA256
82719038cde613e64d2e6455a3c46af1ff56d188ead25bd97fd9b04dd3111504

SHA512
9da53cc16a51223e03215743f2c3ea8a3d29511f494b8ba6790aa1846715abef0206793d8ec22f91519cf772dd20afcaba889d39d69569c73e2c60ccc4494cb0

Download Submit
C:\Windows\{98AB81EA-1323-4994-BCB6-36450F9910DF}.exe

Filesize
80KB

MD5
bac687c77ffb3d1ff76cf1636ee80677

SHA1
7a6f30f19e71f4a066ed163be7a669a874c7ec8a

SHA256
82719038cde613e64d2e6455a3c46af1ff56d188ead25bd97fd9b04dd3111504

SHA512
9da53cc16a51223e03215743f2c3ea8a3d29511f494b8ba6790aa1846715abef0206793d8ec22f91519cf772dd20afcaba889d39d69569c73e2c60ccc4494cb0

Download Submit
C:\Windows\{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe

Filesize
80KB

MD5
d3821740d9e3b9307c5157a77822a7fd

SHA1
aab6f3e9e096a53ccdbff2c449928e241aed16b9

SHA256
19c4e69611cf7b828e9025411ec3f41cf0cdda5aadd1dbdd5443a2c2b66d7571

SHA512
c10c88a647b85ce55d19541013e9ae2710db6e9bf955b1b06a02610735fe0ba0475a3c1dea799327919c7a48f5e48e92097d13bdefa5b94aeddd012531f1645e

Download Submit
C:\Windows\{9FD84A20-16A8-4d52-82E6-5E92BBD25B09}.exe

Filesize
80KB

MD5
d3821740d9e3b9307c5157a77822a7fd

SHA1
aab6f3e9e096a53ccdbff2c449928e241aed16b9

SHA256
19c4e69611cf7b828e9025411ec3f41cf0cdda5aadd1dbdd5443a2c2b66d7571

SHA512
c10c88a647b85ce55d19541013e9ae2710db6e9bf955b1b06a02610735fe0ba0475a3c1dea799327919c7a48f5e48e92097d13bdefa5b94aeddd012531f1645e

Download Submit
C:\Windows\{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe

Filesize
80KB

MD5
f4d573eb9ba417465273752630d672c6

SHA1
6c21f8c7191a71946651b10ee91e484dfd2151d4

SHA256
aad898b80bbaeee2eff3a673f32efc3e1924e8bec8aa0d8d891ef2777a182985

SHA512
c8c0c2ef1c6befadd83b792d15bda3c8385fda7877a2a32e5fd4fec69ec082f92ae230894548a0b24287f590369112b9e29cb48c4e23ee53040c0992ce23f29b

Download Submit
C:\Windows\{B598E726-B7F9-4655-BC90-B57E153BDA41}.exe

Filesize
80KB

MD5
f4d573eb9ba417465273752630d672c6

SHA1
6c21f8c7191a71946651b10ee91e484dfd2151d4

SHA256
aad898b80bbaeee2eff3a673f32efc3e1924e8bec8aa0d8d891ef2777a182985

SHA512
c8c0c2ef1c6befadd83b792d15bda3c8385fda7877a2a32e5fd4fec69ec082f92ae230894548a0b24287f590369112b9e29cb48c4e23ee53040c0992ce23f29b

Download Submit
C:\Windows\{BD711E76-C5D1-476a-94CB-9A4EA38C4485}.exe

Filesize
80KB

MD5
8ae33a761ff24983ad743aa64b138f08

SHA1
d706db57ddb3b5bb95f81ee3bfa272227f031ffd

SHA256
b40eb74279c0e043d6e9a16fe7f58d3066c82bf2d0c76488322798bdc65c5432

SHA512
07344e5a1e4481f18e08846bd1fe774024b013f96fccaa32695d05974a445f2470b77b6e9c191cbf84da93441a8a40c4bdb34fb244ee194126b2f6094aa5fdaf

Download Submit
C:\Windows\{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe

Filesize
80KB

MD5
931fb6504cc4e3b57278d5ade00cdd56

SHA1
7ad9b49b41928300ede062b22607bf14eaa89366

SHA256
18cd068db442c616dfbc8c685f09b4c85673264962ffc883166a8ec412de7a09

SHA512
0c318d718e6391125412fc813ecf0ae432d109c8ac6ed1d72b42b3b1965601b0d61f7bce411b3928722bb0add70cc4df9eb02ea27d6c257f9f6a8f6b895c1d6e

Download Submit
C:\Windows\{E96FEDCA-27F1-40cb-A4E7-549E52520160}.exe

Filesize
80KB

MD5
931fb6504cc4e3b57278d5ade00cdd56

SHA1
7ad9b49b41928300ede062b22607bf14eaa89366

SHA256
18cd068db442c616dfbc8c685f09b4c85673264962ffc883166a8ec412de7a09

SHA512
0c318d718e6391125412fc813ecf0ae432d109c8ac6ed1d72b42b3b1965601b0d61f7bce411b3928722bb0add70cc4df9eb02ea27d6c257f9f6a8f6b895c1d6e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads