608c3ccefd807e6bef2bc1451ee4729cc30980f47d5db2a50c3db0e6b7fee4a6

Analysis

max time kernel
182s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21-10-2023 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe
Size

90KB
MD5

bd78c8b66d6bb4a837951b8bf24f5e70
SHA1

356c2617c0f5848ad108248b0bdcaf1cb9f1eb13
SHA256

608c3ccefd807e6bef2bc1451ee4729cc30980f47d5db2a50c3db0e6b7fee4a6
SHA512

265f3f9a68f2f31999beb10ad285258f24455b614f8882acc95d8b37c2cd151b89e9be8a05da0e3a1efd37685bbd085aaef6f334fd6bf16e5cd2a83b5d298809
SSDEEP

768:Qvw9816vhKQLroi4/wQRNrfrunMxVFA3b7glw6:YEGh0oil2unMxVS3Hgl

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2EC7D7C-732F-447a-A237-6F413DD29A77}\stubpath = "C:\\Windows\\{C2EC7D7C-732F-447a-A237-6F413DD29A77}.exe"	{86337E21-EA64-458b-8FE2-90C20545D28E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A0FBC41-CC0D-4eb8-85F5-A77615CDDC45}\stubpath = "C:\\Windows\\{6A0FBC41-CC0D-4eb8-85F5-A77615CDDC45}.exe"	{B0F0CD7F-68D8-4eb8-9298-1D17E2F46537}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DB310F7-4BF6-4123-889E-C3FC93FB779C}	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DB310F7-4BF6-4123-889E-C3FC93FB779C}\stubpath = "C:\\Windows\\{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe"	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9FE7555-8B86-4824-9910-41FDA262920D}\stubpath = "C:\\Windows\\{A9FE7555-8B86-4824-9910-41FDA262920D}.exe"	{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10415E11-B089-499f-8114-B512A2A6D1F0}	{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86337E21-EA64-458b-8FE2-90C20545D28E}\stubpath = "C:\\Windows\\{86337E21-EA64-458b-8FE2-90C20545D28E}.exe"	{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2EC7D7C-732F-447a-A237-6F413DD29A77}	{86337E21-EA64-458b-8FE2-90C20545D28E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F368D216-D381-4326-BFAB-61D9265546C2}\stubpath = "C:\\Windows\\{F368D216-D381-4326-BFAB-61D9265546C2}.exe"	{6A0FBC41-CC0D-4eb8-85F5-A77615CDDC45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}\stubpath = "C:\\Windows\\{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe"	{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9FE7555-8B86-4824-9910-41FDA262920D}	{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10415E11-B089-499f-8114-B512A2A6D1F0}\stubpath = "C:\\Windows\\{10415E11-B089-499f-8114-B512A2A6D1F0}.exe"	{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}	{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0F0CD7F-68D8-4eb8-9298-1D17E2F46537}	{C2EC7D7C-732F-447a-A237-6F413DD29A77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F368D216-D381-4326-BFAB-61D9265546C2}	{6A0FBC41-CC0D-4eb8-85F5-A77615CDDC45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}	{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEBC37B1-5089-4211-BB1F-AEA206BFA403}\stubpath = "C:\\Windows\\{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe"	{A9FE7555-8B86-4824-9910-41FDA262920D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}\stubpath = "C:\\Windows\\{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe"	{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86337E21-EA64-458b-8FE2-90C20545D28E}	{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A0FBC41-CC0D-4eb8-85F5-A77615CDDC45}	{B0F0CD7F-68D8-4eb8-9298-1D17E2F46537}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEBC37B1-5089-4211-BB1F-AEA206BFA403}	{A9FE7555-8B86-4824-9910-41FDA262920D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}	{10415E11-B089-499f-8114-B512A2A6D1F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}\stubpath = "C:\\Windows\\{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe"	{10415E11-B089-499f-8114-B512A2A6D1F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0F0CD7F-68D8-4eb8-9298-1D17E2F46537}\stubpath = "C:\\Windows\\{B0F0CD7F-68D8-4eb8-9298-1D17E2F46537}.exe"	{C2EC7D7C-732F-447a-A237-6F413DD29A77}.exe

Deletes itself 1 IoCs

pid	Process
2820	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2712	{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe
1616	{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe
2744	{A9FE7555-8B86-4824-9910-41FDA262920D}.exe
2752	{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe
2596	{10415E11-B089-499f-8114-B512A2A6D1F0}.exe
2396	{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe
372	{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe
1644	{86337E21-EA64-458b-8FE2-90C20545D28E}.exe
2768	{C2EC7D7C-732F-447a-A237-6F413DD29A77}.exe
1968	{B0F0CD7F-68D8-4eb8-9298-1D17E2F46537}.exe
1956	{6A0FBC41-CC0D-4eb8-85F5-A77615CDDC45}.exe
2528	{F368D216-D381-4326-BFAB-61D9265546C2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe	{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe
File created	C:\Windows\{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe	{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe
File created	C:\Windows\{6A0FBC41-CC0D-4eb8-85F5-A77615CDDC45}.exe	{B0F0CD7F-68D8-4eb8-9298-1D17E2F46537}.exe
File created	C:\Windows\{F368D216-D381-4326-BFAB-61D9265546C2}.exe	{6A0FBC41-CC0D-4eb8-85F5-A77615CDDC45}.exe
File created	C:\Windows\{86337E21-EA64-458b-8FE2-90C20545D28E}.exe	{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe
File created	C:\Windows\{C2EC7D7C-732F-447a-A237-6F413DD29A77}.exe	{86337E21-EA64-458b-8FE2-90C20545D28E}.exe
File created	C:\Windows\{B0F0CD7F-68D8-4eb8-9298-1D17E2F46537}.exe	{C2EC7D7C-732F-447a-A237-6F413DD29A77}.exe
File created	C:\Windows\{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe
File created	C:\Windows\{A9FE7555-8B86-4824-9910-41FDA262920D}.exe	{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe
File created	C:\Windows\{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe	{A9FE7555-8B86-4824-9910-41FDA262920D}.exe
File created	C:\Windows\{10415E11-B089-499f-8114-B512A2A6D1F0}.exe	{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe
File created	C:\Windows\{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe	{10415E11-B089-499f-8114-B512A2A6D1F0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1952	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe
Token: SeIncBasePriorityPrivilege	2712	{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe
Token: SeIncBasePriorityPrivilege	1616	{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe
Token: SeIncBasePriorityPrivilege	2744	{A9FE7555-8B86-4824-9910-41FDA262920D}.exe
Token: SeIncBasePriorityPrivilege	2752	{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe
Token: SeIncBasePriorityPrivilege	2596	{10415E11-B089-499f-8114-B512A2A6D1F0}.exe
Token: SeIncBasePriorityPrivilege	2396	{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe
Token: SeIncBasePriorityPrivilege	372	{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe
Token: SeIncBasePriorityPrivilege	1644	{86337E21-EA64-458b-8FE2-90C20545D28E}.exe
Token: SeIncBasePriorityPrivilege	2768	{C2EC7D7C-732F-447a-A237-6F413DD29A77}.exe
Token: SeIncBasePriorityPrivilege	1968	{B0F0CD7F-68D8-4eb8-9298-1D17E2F46537}.exe
Token: SeIncBasePriorityPrivilege	1956	{6A0FBC41-CC0D-4eb8-85F5-A77615CDDC45}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2712	1952	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe	29
PID 1952 wrote to memory of 2712	1952	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe	29
PID 1952 wrote to memory of 2712	1952	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe	29
PID 1952 wrote to memory of 2712	1952	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe	29
PID 1952 wrote to memory of 2820	1952	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe	30
PID 1952 wrote to memory of 2820	1952	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe	30
PID 1952 wrote to memory of 2820	1952	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe	30
PID 1952 wrote to memory of 2820	1952	NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe	30
PID 2712 wrote to memory of 1616	2712	{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe	31
PID 2712 wrote to memory of 1616	2712	{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe	31
PID 2712 wrote to memory of 1616	2712	{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe	31
PID 2712 wrote to memory of 1616	2712	{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe	31
PID 2712 wrote to memory of 2716	2712	{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe	32
PID 2712 wrote to memory of 2716	2712	{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe	32
PID 2712 wrote to memory of 2716	2712	{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe	32
PID 2712 wrote to memory of 2716	2712	{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe	32
PID 1616 wrote to memory of 2744	1616	{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe	33
PID 1616 wrote to memory of 2744	1616	{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe	33
PID 1616 wrote to memory of 2744	1616	{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe	33
PID 1616 wrote to memory of 2744	1616	{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe	33
PID 1616 wrote to memory of 2808	1616	{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe	34
PID 1616 wrote to memory of 2808	1616	{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe	34
PID 1616 wrote to memory of 2808	1616	{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe	34
PID 1616 wrote to memory of 2808	1616	{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe	34
PID 2744 wrote to memory of 2752	2744	{A9FE7555-8B86-4824-9910-41FDA262920D}.exe	35
PID 2744 wrote to memory of 2752	2744	{A9FE7555-8B86-4824-9910-41FDA262920D}.exe	35
PID 2744 wrote to memory of 2752	2744	{A9FE7555-8B86-4824-9910-41FDA262920D}.exe	35
PID 2744 wrote to memory of 2752	2744	{A9FE7555-8B86-4824-9910-41FDA262920D}.exe	35
PID 2744 wrote to memory of 2696	2744	{A9FE7555-8B86-4824-9910-41FDA262920D}.exe	36
PID 2744 wrote to memory of 2696	2744	{A9FE7555-8B86-4824-9910-41FDA262920D}.exe	36
PID 2744 wrote to memory of 2696	2744	{A9FE7555-8B86-4824-9910-41FDA262920D}.exe	36
PID 2744 wrote to memory of 2696	2744	{A9FE7555-8B86-4824-9910-41FDA262920D}.exe	36
PID 2752 wrote to memory of 2596	2752	{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe	37
PID 2752 wrote to memory of 2596	2752	{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe	37
PID 2752 wrote to memory of 2596	2752	{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe	37
PID 2752 wrote to memory of 2596	2752	{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe	37
PID 2752 wrote to memory of 2656	2752	{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe	38
PID 2752 wrote to memory of 2656	2752	{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe	38
PID 2752 wrote to memory of 2656	2752	{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe	38
PID 2752 wrote to memory of 2656	2752	{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe	38
PID 2596 wrote to memory of 2396	2596	{10415E11-B089-499f-8114-B512A2A6D1F0}.exe	39
PID 2596 wrote to memory of 2396	2596	{10415E11-B089-499f-8114-B512A2A6D1F0}.exe	39
PID 2596 wrote to memory of 2396	2596	{10415E11-B089-499f-8114-B512A2A6D1F0}.exe	39
PID 2596 wrote to memory of 2396	2596	{10415E11-B089-499f-8114-B512A2A6D1F0}.exe	39
PID 2596 wrote to memory of 1996	2596	{10415E11-B089-499f-8114-B512A2A6D1F0}.exe	40
PID 2596 wrote to memory of 1996	2596	{10415E11-B089-499f-8114-B512A2A6D1F0}.exe	40
PID 2596 wrote to memory of 1996	2596	{10415E11-B089-499f-8114-B512A2A6D1F0}.exe	40
PID 2596 wrote to memory of 1996	2596	{10415E11-B089-499f-8114-B512A2A6D1F0}.exe	40
PID 2396 wrote to memory of 372	2396	{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe	41
PID 2396 wrote to memory of 372	2396	{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe	41
PID 2396 wrote to memory of 372	2396	{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe	41
PID 2396 wrote to memory of 372	2396	{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe	41
PID 2396 wrote to memory of 684	2396	{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe	42
PID 2396 wrote to memory of 684	2396	{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe	42
PID 2396 wrote to memory of 684	2396	{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe	42
PID 2396 wrote to memory of 684	2396	{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe	42
PID 372 wrote to memory of 1644	372	{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe	43
PID 372 wrote to memory of 1644	372	{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe	43
PID 372 wrote to memory of 1644	372	{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe	43
PID 372 wrote to memory of 1644	372	{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe	43
PID 372 wrote to memory of 1176	372	{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe	44
PID 372 wrote to memory of 1176	372	{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe	44
PID 372 wrote to memory of 1176	372	{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe	44
PID 372 wrote to memory of 1176	372	{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe	44

C:\Users\Admin\AppData\Local\Temp\NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bd78c8b66d6bb4a837951b8bf24f5e70.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe
  C:\Windows\{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe
    C:\Windows\{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\{A9FE7555-8B86-4824-9910-41FDA262920D}.exe
      C:\Windows\{A9FE7555-8B86-4824-9910-41FDA262920D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe
        
        C:\Windows\{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\{10415E11-B089-499f-8114-B512A2A6D1F0}.exe
        
        C:\Windows\{10415E11-B089-499f-8114-B512A2A6D1F0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe
        
        C:\Windows\{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe
        
        C:\Windows\{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\{86337E21-EA64-458b-8FE2-90C20545D28E}.exe
        
        C:\Windows\{86337E21-EA64-458b-8FE2-90C20545D28E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\{C2EC7D7C-732F-447a-A237-6F413DD29A77}.exe
        
        C:\Windows\{C2EC7D7C-732F-447a-A237-6F413DD29A77}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\{B0F0CD7F-68D8-4eb8-9298-1D17E2F46537}.exe
        
        C:\Windows\{B0F0CD7F-68D8-4eb8-9298-1D17E2F46537}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\{6A0FBC41-CC0D-4eb8-85F5-A77615CDDC45}.exe
        
        C:\Windows\{6A0FBC41-CC0D-4eb8-85F5-A77615CDDC45}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\{F368D216-D381-4326-BFAB-61D9265546C2}.exe
        
        C:\Windows\{F368D216-D381-4326-BFAB-61D9265546C2}.exe
        13⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A0FB~1.EXE > nul
        13⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0F0C~1.EXE > nul
        12⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2EC7~1.EXE > nul
        11⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86337~1.EXE > nul
        10⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38C07~1.EXE > nul
        9⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0B07~1.EXE > nul
        8⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10415~1.EXE > nul
        7⤵
        
        PID:1996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEBC3~1.EXE > nul
        6⤵
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9FE7~1.EXE > nul
        5⤵
        
        PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4C6EE~1.EXE > nul
      4⤵
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8DB31~1.EXE > nul
    3⤵
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEASBD~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10415E11-B089-499f-8114-B512A2A6D1F0}.exe

Filesize
90KB

MD5
0b6fafd5dc97aa8143e99006570a0bd3

SHA1
92e52eee47b0c56cadedbee44504d7db241cb47f

SHA256
269a57d360b5f68e99b8ce2c9943f71f1947e65e28d496b8859487a6553ff2a8

SHA512
351a3926119c2c0df25b2c34ab5a9b6c52d3dc5f7f442881961013ed37ca25aac2c28928542d4ddaa442c9d2f3aab13a982abcdca4404ace5225914cf660b409

Download Submit
C:\Windows\{10415E11-B089-499f-8114-B512A2A6D1F0}.exe

Filesize
90KB

MD5
0b6fafd5dc97aa8143e99006570a0bd3

SHA1
92e52eee47b0c56cadedbee44504d7db241cb47f

SHA256
269a57d360b5f68e99b8ce2c9943f71f1947e65e28d496b8859487a6553ff2a8

SHA512
351a3926119c2c0df25b2c34ab5a9b6c52d3dc5f7f442881961013ed37ca25aac2c28928542d4ddaa442c9d2f3aab13a982abcdca4404ace5225914cf660b409

Download Submit
C:\Windows\{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe

Filesize
90KB

MD5
b25bd72331790a89c20999564e5348af

SHA1
16daf6b77532555981489668da876bda4c82fcc9

SHA256
0f95a3e0801d65eeb629a6967717259d135e3f2a4a9959784393df2ba1622e85

SHA512
eb1d4ed1f21e24513cb6d96781f26e0c0943217e4b2743859e51fe3f88678bcdb224ce5b9c3020c9ee05f7f591ccfc926fdfe915fbbd6736fb06abe1c031946b

Download Submit
C:\Windows\{38C075BE-E95A-48ad-8DAE-8DB4E8F7744C}.exe

Filesize
90KB

MD5
b25bd72331790a89c20999564e5348af

SHA1
16daf6b77532555981489668da876bda4c82fcc9

SHA256
0f95a3e0801d65eeb629a6967717259d135e3f2a4a9959784393df2ba1622e85

SHA512
eb1d4ed1f21e24513cb6d96781f26e0c0943217e4b2743859e51fe3f88678bcdb224ce5b9c3020c9ee05f7f591ccfc926fdfe915fbbd6736fb06abe1c031946b

Download Submit
C:\Windows\{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe

Filesize
90KB

MD5
02ba2955b005e74e68cff6abbc97b6c4

SHA1
b1962dc4f2096ab4d58582e3ff5db5a0c622cd1e

SHA256
eb95607248390f51c47d984014333038d5be0381a0c507fcb7993f03e3961076

SHA512
873fc08a498a1d468275d7097a19a8e56b99245f22eb88d5918b868fcd305fc46df2f1246fd60aec228c89c51d9d0ee2b79f3d3e91f49254bf0b16cfaaad1896

Download Submit
C:\Windows\{4C6EE4CA-2336-4a26-8204-3BE2D1F9FE6B}.exe

Filesize
90KB

MD5
02ba2955b005e74e68cff6abbc97b6c4

SHA1
b1962dc4f2096ab4d58582e3ff5db5a0c622cd1e

SHA256
eb95607248390f51c47d984014333038d5be0381a0c507fcb7993f03e3961076

SHA512
873fc08a498a1d468275d7097a19a8e56b99245f22eb88d5918b868fcd305fc46df2f1246fd60aec228c89c51d9d0ee2b79f3d3e91f49254bf0b16cfaaad1896

Download Submit
C:\Windows\{6A0FBC41-CC0D-4eb8-85F5-A77615CDDC45}.exe

Filesize
90KB

MD5
a3ed1ea540b5a6e41fd37b65c72a2f74

SHA1
d29e0b7b7f0cc033497b1e52553967995e72c05f

SHA256
72179e6017f8c465b099702069b93e7b998c666ecb0e68a8bd0afc960f8762a3

SHA512
f089cd32a2db3899703ecb45c559986ecd5bfcd2a430f1d5adba7c0d911c012f60b060ff159255df8a4d842b5d8ca4b832c6e8c2f91b75a41ef9b28cef7ec5f9

Download Submit
C:\Windows\{6A0FBC41-CC0D-4eb8-85F5-A77615CDDC45}.exe

Filesize
90KB

MD5
a3ed1ea540b5a6e41fd37b65c72a2f74

SHA1
d29e0b7b7f0cc033497b1e52553967995e72c05f

SHA256
72179e6017f8c465b099702069b93e7b998c666ecb0e68a8bd0afc960f8762a3

SHA512
f089cd32a2db3899703ecb45c559986ecd5bfcd2a430f1d5adba7c0d911c012f60b060ff159255df8a4d842b5d8ca4b832c6e8c2f91b75a41ef9b28cef7ec5f9

Download Submit
C:\Windows\{86337E21-EA64-458b-8FE2-90C20545D28E}.exe

Filesize
90KB

MD5
4e306e30d969e71179835c67440189fd

SHA1
a43a6092c4734e2cf20f62644ec787865c61a477

SHA256
aaa005f760c9230e7efc64f44412d524d373916b84ad3d97dec10adf9799a594

SHA512
0375d69c82043eb0044540f53f92dc1dd6d37fac80b1cff4206e950b0ed9ac608e0d5d6600a6840b894479326374b8bc6f954a8aa74f84dea92037e808a8c52e

Download Submit
C:\Windows\{86337E21-EA64-458b-8FE2-90C20545D28E}.exe

Filesize
90KB

MD5
4e306e30d969e71179835c67440189fd

SHA1
a43a6092c4734e2cf20f62644ec787865c61a477

SHA256
aaa005f760c9230e7efc64f44412d524d373916b84ad3d97dec10adf9799a594

SHA512
0375d69c82043eb0044540f53f92dc1dd6d37fac80b1cff4206e950b0ed9ac608e0d5d6600a6840b894479326374b8bc6f954a8aa74f84dea92037e808a8c52e

Download Submit
C:\Windows\{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe

Filesize
90KB

MD5
9f2ec2b5388aca32ac057c63c08490c7

SHA1
bf1e8011c141a638080ff48a837b6017411e9948

SHA256
a9bbb601ed34d2b6eda7794552ba1daa44ab76a4cb18a2827c9e54d27fa0995f

SHA512
758741dbd9662ff3134fec83fc3ce63ee1c48800fb8dffa2ddcf69bbb3acbd3061a3df7541ebb3503e733e6a8c1e6ccbc0ef15b0d0339cc88a68a4fab34e57b3

Download Submit
C:\Windows\{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe

Filesize
90KB

MD5
9f2ec2b5388aca32ac057c63c08490c7

SHA1
bf1e8011c141a638080ff48a837b6017411e9948

SHA256
a9bbb601ed34d2b6eda7794552ba1daa44ab76a4cb18a2827c9e54d27fa0995f

SHA512
758741dbd9662ff3134fec83fc3ce63ee1c48800fb8dffa2ddcf69bbb3acbd3061a3df7541ebb3503e733e6a8c1e6ccbc0ef15b0d0339cc88a68a4fab34e57b3

Download Submit
C:\Windows\{8DB310F7-4BF6-4123-889E-C3FC93FB779C}.exe

Filesize
90KB

MD5
9f2ec2b5388aca32ac057c63c08490c7

SHA1
bf1e8011c141a638080ff48a837b6017411e9948

SHA256
a9bbb601ed34d2b6eda7794552ba1daa44ab76a4cb18a2827c9e54d27fa0995f

SHA512
758741dbd9662ff3134fec83fc3ce63ee1c48800fb8dffa2ddcf69bbb3acbd3061a3df7541ebb3503e733e6a8c1e6ccbc0ef15b0d0339cc88a68a4fab34e57b3

Download Submit
C:\Windows\{A9FE7555-8B86-4824-9910-41FDA262920D}.exe

Filesize
90KB

MD5
567708e1a68b99fc207045a8f0f5781c

SHA1
4622db67ccb024c1705a68964b354c6f6b7b7f5e

SHA256
503298174bf6b9acfbd5adf27fb0372695f6136de2d93e86834c0a17ed025a86

SHA512
f93fcc0cf536faea1d5cba251d207f65770fbc1240b8b76150f8885290c4d911bcfac31a5feff1a10c8bc174444ed8dda3d6eab432d29790e59fb876fe58cc5f

Download Submit
C:\Windows\{A9FE7555-8B86-4824-9910-41FDA262920D}.exe

Filesize
90KB

MD5
567708e1a68b99fc207045a8f0f5781c

SHA1
4622db67ccb024c1705a68964b354c6f6b7b7f5e

SHA256
503298174bf6b9acfbd5adf27fb0372695f6136de2d93e86834c0a17ed025a86

SHA512
f93fcc0cf536faea1d5cba251d207f65770fbc1240b8b76150f8885290c4d911bcfac31a5feff1a10c8bc174444ed8dda3d6eab432d29790e59fb876fe58cc5f

Download Submit
C:\Windows\{B0F0CD7F-68D8-4eb8-9298-1D17E2F46537}.exe

Filesize
90KB

MD5
e7486dc202c978bfd76574c3a0e35855

SHA1
32d0ddb1519c247406d3c1362e5f7d73ba944139

SHA256
9955572b8c9b549364997a5ad333c9a369642f885102fed1335b1a43ddebf3f3

SHA512
e550649e55a640edfc8f479b9839af8174c3a6afe5cd13b584ec9722b01838af57f769973617a2df8e65ce484cd98cb51cdd7ce4001e2c435f808d05ad84f013

Download Submit
C:\Windows\{B0F0CD7F-68D8-4eb8-9298-1D17E2F46537}.exe

Filesize
90KB

MD5
e7486dc202c978bfd76574c3a0e35855

SHA1
32d0ddb1519c247406d3c1362e5f7d73ba944139

SHA256
9955572b8c9b549364997a5ad333c9a369642f885102fed1335b1a43ddebf3f3

SHA512
e550649e55a640edfc8f479b9839af8174c3a6afe5cd13b584ec9722b01838af57f769973617a2df8e65ce484cd98cb51cdd7ce4001e2c435f808d05ad84f013

Download Submit
C:\Windows\{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe

Filesize
90KB

MD5
102715b4a86ed8b683a2796262725d22

SHA1
29a4d5ddeb64b1b1d698d7fd587e83a741063ed7

SHA256
5eb7eb644661490d604aff1640f077fcb914927e3336eae11d9a852819813b6e

SHA512
f561ddebb05c01c50fd2977b1b826aa4ac7c3a290c02d94f556be7857e2bb1679169050d8cb44e6b9074016451094d60ad303082313fe9c491e35f459ee6ee97

Download Submit
C:\Windows\{C0B07CA4-B02B-4cd4-AD84-BB1D64409A70}.exe

Filesize
90KB

MD5
102715b4a86ed8b683a2796262725d22

SHA1
29a4d5ddeb64b1b1d698d7fd587e83a741063ed7

SHA256
5eb7eb644661490d604aff1640f077fcb914927e3336eae11d9a852819813b6e

SHA512
f561ddebb05c01c50fd2977b1b826aa4ac7c3a290c02d94f556be7857e2bb1679169050d8cb44e6b9074016451094d60ad303082313fe9c491e35f459ee6ee97

Download Submit
C:\Windows\{C2EC7D7C-732F-447a-A237-6F413DD29A77}.exe

Filesize
90KB

MD5
0224214c02e6a0a363a636a83a9f70b8

SHA1
cd2e436c0ba34be3c292eb9d9bd4e5b1e5452556

SHA256
9d9e282f00f354f4a7f75ee7727851b0e8024bcbe23de8715bc92e736d42ea6d

SHA512
340e6cd9587e2c0c5a529c07730c692219255661e5838e6f53fa63ab477e34e399b300eefefef6690f21aa04d98cb06c0bc8d2403a456f536dc7c6f9de54bacc

Download Submit
C:\Windows\{C2EC7D7C-732F-447a-A237-6F413DD29A77}.exe

Filesize
90KB

MD5
0224214c02e6a0a363a636a83a9f70b8

SHA1
cd2e436c0ba34be3c292eb9d9bd4e5b1e5452556

SHA256
9d9e282f00f354f4a7f75ee7727851b0e8024bcbe23de8715bc92e736d42ea6d

SHA512
340e6cd9587e2c0c5a529c07730c692219255661e5838e6f53fa63ab477e34e399b300eefefef6690f21aa04d98cb06c0bc8d2403a456f536dc7c6f9de54bacc

Download Submit
C:\Windows\{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe

Filesize
90KB

MD5
2331fd6748e9b78826450d6664159868

SHA1
987f34cc74b5f32c4d9fa7bad2731061fa26addd

SHA256
b1ab3f9641de6100b783ff3ed8f14885872ff18ad034b9096b8e59ef896c5739

SHA512
62089f335d5bdbf158d1bee1136a53eb9b0b071b4e4891c0ed33a5cb4a9c67b39732d633633789814bf91bc726e097635e9d910fd6605e5795aa10d5acc38135

Download Submit
C:\Windows\{EEBC37B1-5089-4211-BB1F-AEA206BFA403}.exe

Filesize
90KB

MD5
2331fd6748e9b78826450d6664159868

SHA1
987f34cc74b5f32c4d9fa7bad2731061fa26addd

SHA256
b1ab3f9641de6100b783ff3ed8f14885872ff18ad034b9096b8e59ef896c5739

SHA512
62089f335d5bdbf158d1bee1136a53eb9b0b071b4e4891c0ed33a5cb4a9c67b39732d633633789814bf91bc726e097635e9d910fd6605e5795aa10d5acc38135

Download Submit
C:\Windows\{F368D216-D381-4326-BFAB-61D9265546C2}.exe

Filesize
90KB

MD5
aaf20d5d77ff5674eed11e3064032879

SHA1
757ff556462d2f0a2b96ce6cdd8de86ddce4e564

SHA256
6fe52f82103cc5325f7955cf872c2920c62d2a6d0496ba6a44f9362f56ef0acf

SHA512
00a907ae2c81b1435dcc6185c220257a2ec574c8fa2530210cb4daf2641dd3bbaeb47909546a17514fda5bee7ebe05f5ac9ee9078125b7f2fbac5efc93acf2b8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads