4db3ea89fb5802355b3f98ba8a46ccdf16e8479949f273dc20e84b20cf2d9ee7

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.079cacbaa68d0a795e25edcea3a55f80.exe
Size

76KB
MD5

079cacbaa68d0a795e25edcea3a55f80
SHA1

07244ba840907e03a54c6b65a6658cc2b39937b4
SHA256

4db3ea89fb5802355b3f98ba8a46ccdf16e8479949f273dc20e84b20cf2d9ee7
SHA512

6eb3d98b4d2d3db5daea4d9b4178c3b52df2b9345274c1907a5919e04cf94901a8d86f51f778bd9724265d4b1077a8f91d6ea21ece01285abf95f162d93056b8
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroP4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwU1:vvw9816vhKQLroP4/wQRNrfrunMxVD

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5C2A552-2E56-41f0-BD8C-91E461C08290}	{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}	{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}\stubpath = "C:\\Windows\\{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe"	{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{220941D2-4093-4f4b-9B69-5A7E2553AC2A}	{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}\stubpath = "C:\\Windows\\{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe"	{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}	{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{350D3CE5-9452-4117-B869-CF4CE74629A2}	{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{350D3CE5-9452-4117-B869-CF4CE74629A2}\stubpath = "C:\\Windows\\{350D3CE5-9452-4117-B869-CF4CE74629A2}.exe"	{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27D4B0EB-A237-4e66-A5C4-1F1DDC6DF355}	{350D3CE5-9452-4117-B869-CF4CE74629A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27D4B0EB-A237-4e66-A5C4-1F1DDC6DF355}\stubpath = "C:\\Windows\\{27D4B0EB-A237-4e66-A5C4-1F1DDC6DF355}.exe"	{350D3CE5-9452-4117-B869-CF4CE74629A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5C2A552-2E56-41f0-BD8C-91E461C08290}\stubpath = "C:\\Windows\\{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe"	{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{220941D2-4093-4f4b-9B69-5A7E2553AC2A}\stubpath = "C:\\Windows\\{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe"	{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}\stubpath = "C:\\Windows\\{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe"	{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}	{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8090546-82C8-4310-AF8E-41690108605C}	{27D4B0EB-A237-4e66-A5C4-1F1DDC6DF355}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8090546-82C8-4310-AF8E-41690108605C}\stubpath = "C:\\Windows\\{E8090546-82C8-4310-AF8E-41690108605C}.exe"	{27D4B0EB-A237-4e66-A5C4-1F1DDC6DF355}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{471DFB93-A373-43b6-83F4-C2FF57F073F3}\stubpath = "C:\\Windows\\{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe"	NEAS.079cacbaa68d0a795e25edcea3a55f80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{540F06B1-1F64-4bed-95E0-261DB37D23A2}	{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{540F06B1-1F64-4bed-95E0-261DB37D23A2}\stubpath = "C:\\Windows\\{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe"	{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}	{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}\stubpath = "C:\\Windows\\{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe"	{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}	{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}\stubpath = "C:\\Windows\\{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe"	{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{471DFB93-A373-43b6-83F4-C2FF57F073F3}	NEAS.079cacbaa68d0a795e25edcea3a55f80.exe

Executes dropped EXE 11 IoCs

pid	Process
5008	{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe
1936	{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe
1772	{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe
1252	{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe
2552	{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe
4720	{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe
2044	{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe
1612	{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe
1552	{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe
4036	{350D3CE5-9452-4117-B869-CF4CE74629A2}.exe
3180	{27D4B0EB-A237-4e66-A5C4-1F1DDC6DF355}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe	{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe
File created	C:\Windows\{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe	{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe
File created	C:\Windows\{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe	{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe
File created	C:\Windows\{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe	{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe
File created	C:\Windows\{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe	{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe
File created	C:\Windows\{E8090546-82C8-4310-AF8E-41690108605C}.exe	{27D4B0EB-A237-4e66-A5C4-1F1DDC6DF355}.exe
File created	C:\Windows\{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe	NEAS.079cacbaa68d0a795e25edcea3a55f80.exe
File created	C:\Windows\{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe	{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe
File created	C:\Windows\{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe	{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe
File created	C:\Windows\{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe	{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe
File created	C:\Windows\{350D3CE5-9452-4117-B869-CF4CE74629A2}.exe	{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe
File created	C:\Windows\{27D4B0EB-A237-4e66-A5C4-1F1DDC6DF355}.exe	{350D3CE5-9452-4117-B869-CF4CE74629A2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2152	NEAS.079cacbaa68d0a795e25edcea3a55f80.exe
Token: SeIncBasePriorityPrivilege	5008	{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe
Token: SeIncBasePriorityPrivilege	1936	{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe
Token: SeIncBasePriorityPrivilege	1772	{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe
Token: SeIncBasePriorityPrivilege	1252	{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe
Token: SeIncBasePriorityPrivilege	2552	{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe
Token: SeIncBasePriorityPrivilege	4720	{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe
Token: SeIncBasePriorityPrivilege	2044	{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe
Token: SeIncBasePriorityPrivilege	1612	{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe
Token: SeIncBasePriorityPrivilege	1552	{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe
Token: SeIncBasePriorityPrivilege	4036	{350D3CE5-9452-4117-B869-CF4CE74629A2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 5008	2152	NEAS.079cacbaa68d0a795e25edcea3a55f80.exe	85
PID 2152 wrote to memory of 5008	2152	NEAS.079cacbaa68d0a795e25edcea3a55f80.exe	85
PID 2152 wrote to memory of 5008	2152	NEAS.079cacbaa68d0a795e25edcea3a55f80.exe	85
PID 2152 wrote to memory of 4128	2152	NEAS.079cacbaa68d0a795e25edcea3a55f80.exe	86
PID 2152 wrote to memory of 4128	2152	NEAS.079cacbaa68d0a795e25edcea3a55f80.exe	86
PID 2152 wrote to memory of 4128	2152	NEAS.079cacbaa68d0a795e25edcea3a55f80.exe	86
PID 5008 wrote to memory of 1936	5008	{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe	87
PID 5008 wrote to memory of 1936	5008	{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe	87
PID 5008 wrote to memory of 1936	5008	{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe	87
PID 5008 wrote to memory of 2992	5008	{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe	88
PID 5008 wrote to memory of 2992	5008	{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe	88
PID 5008 wrote to memory of 2992	5008	{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe	88
PID 1936 wrote to memory of 1772	1936	{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe	91
PID 1936 wrote to memory of 1772	1936	{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe	91
PID 1936 wrote to memory of 1772	1936	{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe	91
PID 1936 wrote to memory of 2760	1936	{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe	92
PID 1936 wrote to memory of 2760	1936	{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe	92
PID 1936 wrote to memory of 2760	1936	{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe	92
PID 1772 wrote to memory of 1252	1772	{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe	95
PID 1772 wrote to memory of 1252	1772	{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe	95
PID 1772 wrote to memory of 1252	1772	{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe	95
PID 1772 wrote to memory of 2304	1772	{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe	96
PID 1772 wrote to memory of 2304	1772	{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe	96
PID 1772 wrote to memory of 2304	1772	{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe	96
PID 1252 wrote to memory of 2552	1252	{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe	97
PID 1252 wrote to memory of 2552	1252	{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe	97
PID 1252 wrote to memory of 2552	1252	{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe	97
PID 1252 wrote to memory of 3788	1252	{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe	98
PID 1252 wrote to memory of 3788	1252	{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe	98
PID 1252 wrote to memory of 3788	1252	{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe	98
PID 2552 wrote to memory of 4720	2552	{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe	99
PID 2552 wrote to memory of 4720	2552	{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe	99
PID 2552 wrote to memory of 4720	2552	{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe	99
PID 2552 wrote to memory of 4056	2552	{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe	100
PID 2552 wrote to memory of 4056	2552	{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe	100
PID 2552 wrote to memory of 4056	2552	{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe	100
PID 4720 wrote to memory of 2044	4720	{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe	101
PID 4720 wrote to memory of 2044	4720	{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe	101
PID 4720 wrote to memory of 2044	4720	{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe	101
PID 4720 wrote to memory of 1100	4720	{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe	102
PID 4720 wrote to memory of 1100	4720	{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe	102
PID 4720 wrote to memory of 1100	4720	{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe	102
PID 2044 wrote to memory of 1612	2044	{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe	103
PID 2044 wrote to memory of 1612	2044	{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe	103
PID 2044 wrote to memory of 1612	2044	{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe	103
PID 2044 wrote to memory of 2184	2044	{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe	104
PID 2044 wrote to memory of 2184	2044	{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe	104
PID 2044 wrote to memory of 2184	2044	{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe	104
PID 1612 wrote to memory of 1552	1612	{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe	105
PID 1612 wrote to memory of 1552	1612	{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe	105
PID 1612 wrote to memory of 1552	1612	{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe	105
PID 1612 wrote to memory of 3448	1612	{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe	106
PID 1612 wrote to memory of 3448	1612	{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe	106
PID 1612 wrote to memory of 3448	1612	{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe	106
PID 1552 wrote to memory of 4036	1552	{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe	107
PID 1552 wrote to memory of 4036	1552	{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe	107
PID 1552 wrote to memory of 4036	1552	{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe	107
PID 1552 wrote to memory of 4696	1552	{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe	108
PID 1552 wrote to memory of 4696	1552	{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe	108
PID 1552 wrote to memory of 4696	1552	{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe	108
PID 4036 wrote to memory of 3180	4036	{350D3CE5-9452-4117-B869-CF4CE74629A2}.exe	110
PID 4036 wrote to memory of 3180	4036	{350D3CE5-9452-4117-B869-CF4CE74629A2}.exe	110
PID 4036 wrote to memory of 3180	4036	{350D3CE5-9452-4117-B869-CF4CE74629A2}.exe	110
PID 4036 wrote to memory of 4472	4036	{350D3CE5-9452-4117-B869-CF4CE74629A2}.exe	109

C:\Users\Admin\AppData\Local\Temp\NEAS.079cacbaa68d0a795e25edcea3a55f80.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.079cacbaa68d0a795e25edcea3a55f80.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe
  C:\Windows\{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe
    C:\Windows\{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe
      C:\Windows\{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Windows\{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe
        
        C:\Windows\{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1252
      - C:\Windows\{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe
        
        C:\Windows\{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe
        
        C:\Windows\{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe
        
        C:\Windows\{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe
        
        C:\Windows\{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe
        
        C:\Windows\{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{350D3CE5-9452-4117-B869-CF4CE74629A2}.exe
        
        C:\Windows\{350D3CE5-9452-4117-B869-CF4CE74629A2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{350D3~1.EXE > nul
        12⤵
        
        PID:4472
        
        C:\Windows\{27D4B0EB-A237-4e66-A5C4-1F1DDC6DF355}.exe
        
        C:\Windows\{27D4B0EB-A237-4e66-A5C4-1F1DDC6DF355}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3180
        
        C:\Windows\{E8090546-82C8-4310-AF8E-41690108605C}.exe
        
        C:\Windows\{E8090546-82C8-4310-AF8E-41690108605C}.exe
        13⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39F4F~1.EXE > nul
        11⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD79A~1.EXE > nul
        10⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCD49~1.EXE > nul
        9⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3260E~1.EXE > nul
        8⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FDA9~1.EXE > nul
        7⤵
        
        PID:4056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5C2A~1.EXE > nul
        6⤵
        
        PID:3788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{540F0~1.EXE > nul
        5⤵
        
        PID:2304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{22094~1.EXE > nul
      4⤵
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{471DF~1.EXE > nul
    3⤵
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS07~1.EXE > nul
  2⤵
  PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe

Filesize
76KB

MD5
8e75542fd53bf3e09e1f870f673887ea

SHA1
bdf75be4b76352cbe6acffa250bd4a34f1a5554b

SHA256
39ed0323f19c757d74e107cfb2d58cdddba15ccab74815caef74b24db4bb66be

SHA512
c534b205a80a6c726f0d8fcc1bb5d0a6b6f58a22e5373057b91b94f5b1ff7e0b4733a3f31cde02e0f0dc973d8b4373faa82f253d5c43db21db12620355208143

Download Submit
C:\Windows\{220941D2-4093-4f4b-9B69-5A7E2553AC2A}.exe

Filesize
76KB

MD5
8e75542fd53bf3e09e1f870f673887ea

SHA1
bdf75be4b76352cbe6acffa250bd4a34f1a5554b

SHA256
39ed0323f19c757d74e107cfb2d58cdddba15ccab74815caef74b24db4bb66be

SHA512
c534b205a80a6c726f0d8fcc1bb5d0a6b6f58a22e5373057b91b94f5b1ff7e0b4733a3f31cde02e0f0dc973d8b4373faa82f253d5c43db21db12620355208143

Download Submit
C:\Windows\{27D4B0EB-A237-4e66-A5C4-1F1DDC6DF355}.exe

Filesize
76KB

MD5
fbc14e841193290d9ccfbecf1894379e

SHA1
5b289ec8cfce40fb233b64115b5044bec5b3cb27

SHA256
bdc0315c46273be03ccfa8837aa19fd738b4ad8e731eb1c65c90435845944981

SHA512
fd1f3d011c7cd7f46ed9d60340b1520a7cea12f2ffbce225bcf6513c767f7ad93f35ffd1f523eb0f63cdf362ea0928716c976cb71d9199edcb8865707e19a2fc

Download Submit
C:\Windows\{27D4B0EB-A237-4e66-A5C4-1F1DDC6DF355}.exe

Filesize
76KB

MD5
fbc14e841193290d9ccfbecf1894379e

SHA1
5b289ec8cfce40fb233b64115b5044bec5b3cb27

SHA256
bdc0315c46273be03ccfa8837aa19fd738b4ad8e731eb1c65c90435845944981

SHA512
fd1f3d011c7cd7f46ed9d60340b1520a7cea12f2ffbce225bcf6513c767f7ad93f35ffd1f523eb0f63cdf362ea0928716c976cb71d9199edcb8865707e19a2fc

Download Submit
C:\Windows\{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe

Filesize
76KB

MD5
a9b3cc4e8185d659366c66805f800edf

SHA1
94a1ee5d48ae0805ff045c235ba1185433205730

SHA256
375b48ac3120a38911842bdaffb5cf19b195134ea329d6f6256bf1359d4b38a9

SHA512
68054497a96f71b3b40178c52360452409ae4b63f914ce3249c1e7b1c5161055ac2b4a0e3e40c972748094eb188a266c569beefda1ec47971665b4c8435bc0c8

Download Submit
C:\Windows\{3260E10D-77F9-4f6b-97CE-EF88485B6ED9}.exe

Filesize
76KB

MD5
a9b3cc4e8185d659366c66805f800edf

SHA1
94a1ee5d48ae0805ff045c235ba1185433205730

SHA256
375b48ac3120a38911842bdaffb5cf19b195134ea329d6f6256bf1359d4b38a9

SHA512
68054497a96f71b3b40178c52360452409ae4b63f914ce3249c1e7b1c5161055ac2b4a0e3e40c972748094eb188a266c569beefda1ec47971665b4c8435bc0c8

Download Submit
C:\Windows\{350D3CE5-9452-4117-B869-CF4CE74629A2}.exe

Filesize
76KB

MD5
9f9432a890c8f82daed41715b41cf0f3

SHA1
2b01a6b4c488020105647d67efcd040bb90e9cc5

SHA256
d75e89ec2a404f2bbbbda6167fba4b5ad13555cdae42b06f5e65e18349e42d99

SHA512
2a23be352bc1bd0faff7319d01c9c468487c43236b73a170ed4d2b141330d5839f34f05be2911b22c3a6a90c64a85ff70a3052df0dc990aeaedfe0b97a16eb83

Download Submit
C:\Windows\{350D3CE5-9452-4117-B869-CF4CE74629A2}.exe

Filesize
76KB

MD5
9f9432a890c8f82daed41715b41cf0f3

SHA1
2b01a6b4c488020105647d67efcd040bb90e9cc5

SHA256
d75e89ec2a404f2bbbbda6167fba4b5ad13555cdae42b06f5e65e18349e42d99

SHA512
2a23be352bc1bd0faff7319d01c9c468487c43236b73a170ed4d2b141330d5839f34f05be2911b22c3a6a90c64a85ff70a3052df0dc990aeaedfe0b97a16eb83

Download Submit
C:\Windows\{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe

Filesize
76KB

MD5
5a4d8418da7673f4df5359bb62af578c

SHA1
facb9d92f16827141e46616646c951afc771d9da

SHA256
56b5cd97cda97be4a6e26e4387ba670bb07f73524c4346f35170e690711962aa

SHA512
7d10405058406be1aba02dc87aeed63d6039b2127ecf8e328f23e8a371437dae4b24a430985aa5f2cd0f139b35e5cdf5dd69ba703e0934deeb85008ed05ad451

Download Submit
C:\Windows\{39F4F81C-BA68-4120-A76C-B1FEABA2DAD2}.exe

Filesize
76KB

MD5
5a4d8418da7673f4df5359bb62af578c

SHA1
facb9d92f16827141e46616646c951afc771d9da

SHA256
56b5cd97cda97be4a6e26e4387ba670bb07f73524c4346f35170e690711962aa

SHA512
7d10405058406be1aba02dc87aeed63d6039b2127ecf8e328f23e8a371437dae4b24a430985aa5f2cd0f139b35e5cdf5dd69ba703e0934deeb85008ed05ad451

Download Submit
C:\Windows\{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe

Filesize
76KB

MD5
5f1a2699e4b78e7dbb87566b5bb6d2c4

SHA1
05a94c04fcc17c1131f6fd5035cda95bcc51ec45

SHA256
bcc9c7d2d96f80dceadd598f2905118984c743aa5c18845656e9e1c9f20572eb

SHA512
565d7db74c55cc9f0bf820d882a0edf4b81f39ac48d33680e2c609500ccb945a939587d22d41c976ab581fdd504263e8144b409883d4480d2e1fdd13bb1cf9c1

Download Submit
C:\Windows\{471DFB93-A373-43b6-83F4-C2FF57F073F3}.exe

Filesize
76KB

MD5
5f1a2699e4b78e7dbb87566b5bb6d2c4

SHA1
05a94c04fcc17c1131f6fd5035cda95bcc51ec45

SHA256
bcc9c7d2d96f80dceadd598f2905118984c743aa5c18845656e9e1c9f20572eb

SHA512
565d7db74c55cc9f0bf820d882a0edf4b81f39ac48d33680e2c609500ccb945a939587d22d41c976ab581fdd504263e8144b409883d4480d2e1fdd13bb1cf9c1

Download Submit
C:\Windows\{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe

Filesize
76KB

MD5
d81d2018ffa6b55577f90b19c88c90c1

SHA1
589052f04b4d8e80829b76eff37c757557b9f844

SHA256
629eb6b30f5e01ead787b425b72d291cc7891d4e199f27ecdf83dd8c759b2adb

SHA512
23dea79b05e516ae221b8bff49e9b056231b8e591eda5e4bca653f4a262704079b947583c1e34368ac99ada0a1c0b131eeb3553b1de113e90cc33d3e746b5e4f

Download Submit
C:\Windows\{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe

Filesize
76KB

MD5
d81d2018ffa6b55577f90b19c88c90c1

SHA1
589052f04b4d8e80829b76eff37c757557b9f844

SHA256
629eb6b30f5e01ead787b425b72d291cc7891d4e199f27ecdf83dd8c759b2adb

SHA512
23dea79b05e516ae221b8bff49e9b056231b8e591eda5e4bca653f4a262704079b947583c1e34368ac99ada0a1c0b131eeb3553b1de113e90cc33d3e746b5e4f

Download Submit
C:\Windows\{540F06B1-1F64-4bed-95E0-261DB37D23A2}.exe

Filesize
76KB

MD5
d81d2018ffa6b55577f90b19c88c90c1

SHA1
589052f04b4d8e80829b76eff37c757557b9f844

SHA256
629eb6b30f5e01ead787b425b72d291cc7891d4e199f27ecdf83dd8c759b2adb

SHA512
23dea79b05e516ae221b8bff49e9b056231b8e591eda5e4bca653f4a262704079b947583c1e34368ac99ada0a1c0b131eeb3553b1de113e90cc33d3e746b5e4f

Download Submit
C:\Windows\{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe

Filesize
76KB

MD5
adff6e3c5c0906102f69c8fab5729cd4

SHA1
4105408e38e9811e93c7dbc73dd0a48430f1e452

SHA256
4050a9ac01243188450ccb275b73f2476b95216300e2066b69e100c5d1a42d78

SHA512
30a3c4251db9828882d06dd707c17aa1c4973f0fe13669c125ba3fbdf7638a8abec2722072a3890b74a21a5e8af86d2fbfa4452e71c544f57eba92b1106e8dcd

Download Submit
C:\Windows\{8FDA9B1E-C6BE-4a3d-B756-7CE66C694CD3}.exe

Filesize
76KB

MD5
adff6e3c5c0906102f69c8fab5729cd4

SHA1
4105408e38e9811e93c7dbc73dd0a48430f1e452

SHA256
4050a9ac01243188450ccb275b73f2476b95216300e2066b69e100c5d1a42d78

SHA512
30a3c4251db9828882d06dd707c17aa1c4973f0fe13669c125ba3fbdf7638a8abec2722072a3890b74a21a5e8af86d2fbfa4452e71c544f57eba92b1106e8dcd

Download Submit
C:\Windows\{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe

Filesize
76KB

MD5
6f13adebf8689ec9158bd89656aaeda0

SHA1
6586d6058d9db3f6debe6f43f0b7afdf083273c8

SHA256
7744b092a5a69ead2e5c40deaf0fce975b2100214105c9c91afc36cf2c68f983

SHA512
173b04377119594a01e28efbcd233a61006a0263385e04e19b555aa77a24c106a97860dce7143943b19ac4baf18ebeedf3adf47a56dcdd2f9f7f4b7a75dc2c1b

Download Submit
C:\Windows\{C5C2A552-2E56-41f0-BD8C-91E461C08290}.exe

Filesize
76KB

MD5
6f13adebf8689ec9158bd89656aaeda0

SHA1
6586d6058d9db3f6debe6f43f0b7afdf083273c8

SHA256
7744b092a5a69ead2e5c40deaf0fce975b2100214105c9c91afc36cf2c68f983

SHA512
173b04377119594a01e28efbcd233a61006a0263385e04e19b555aa77a24c106a97860dce7143943b19ac4baf18ebeedf3adf47a56dcdd2f9f7f4b7a75dc2c1b

Download Submit
C:\Windows\{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe

Filesize
76KB

MD5
17c2306484daf980c09f934e5c538ef9

SHA1
997445c2b383b3e7e3696ba87b9db3fdec97782c

SHA256
c1429c0f4bdbfa4e86d90847192af0d100036250dba0f537e9e84c6b7c6087f1

SHA512
473508eaaf12f36810118aaf3ae8f8a74ff0b5192d30e242c85fee7c18010e81a9e494b0b43ca9ddacf19de41d6d955b30cdba334c7119792aeaecdb470df9f4

Download Submit
C:\Windows\{FCD49407-32C9-43f6-BFE8-6A31421E0FE1}.exe

Filesize
76KB

MD5
17c2306484daf980c09f934e5c538ef9

SHA1
997445c2b383b3e7e3696ba87b9db3fdec97782c

SHA256
c1429c0f4bdbfa4e86d90847192af0d100036250dba0f537e9e84c6b7c6087f1

SHA512
473508eaaf12f36810118aaf3ae8f8a74ff0b5192d30e242c85fee7c18010e81a9e494b0b43ca9ddacf19de41d6d955b30cdba334c7119792aeaecdb470df9f4

Download Submit
C:\Windows\{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe

Filesize
76KB

MD5
3ca7b89c73d96292e1f33290aaaeb13a

SHA1
8d9fd070de90b396a8c1418a03779a09b5342636

SHA256
b09b711cbe8a2e0331ce00a67986cfb21f3236f2d0d7a526a03c31d1cd787563

SHA512
65d4f1eeadf238ed583fa24fe01a615ab08c68367cfc80da4d27634cbce81d477055f643459d8f74da9cbfc682fd3be839bdefa49be10bd6bf4f89c5dc285252

Download Submit
C:\Windows\{FD79AFB8-C17F-43a7-A8AD-91FC9FA1F99B}.exe

Filesize
76KB

MD5
3ca7b89c73d96292e1f33290aaaeb13a

SHA1
8d9fd070de90b396a8c1418a03779a09b5342636

SHA256
b09b711cbe8a2e0331ce00a67986cfb21f3236f2d0d7a526a03c31d1cd787563

SHA512
65d4f1eeadf238ed583fa24fe01a615ab08c68367cfc80da4d27634cbce81d477055f643459d8f74da9cbfc682fd3be839bdefa49be10bd6bf4f89c5dc285252

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads