7aad157cd653a1574568fbc24b1886c68af6b4ec1306098178ca47163f1e88dc

Analysis

max time kernel
232s
max time network
31s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.88a54f932538284d3e02e92cc6e38390.exe
Size

372KB
MD5

88a54f932538284d3e02e92cc6e38390
SHA1

042cdfd4e1bf569898c9d39da42b09411a57905a
SHA256

7aad157cd653a1574568fbc24b1886c68af6b4ec1306098178ca47163f1e88dc
SHA512

3b70913034e43ee930d21c3c02787ece6ae4abbbb1d0a382763c795bad82eb6961c44e2b945b25e1858f3aa6d2d434a25eaba08a3509701f57485ef58cb6e23a
SSDEEP

3072:CEGh0o8mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGHl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A4868FE-0316-47ee-9847-E6964D42E5F9}	{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}	{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}\stubpath = "C:\\Windows\\{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe"	NEAS.88a54f932538284d3e02e92cc6e38390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F232A622-8360-4b45-9C55-413009562274}\stubpath = "C:\\Windows\\{F232A622-8360-4b45-9C55-413009562274}.exe"	{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B2023CE-3B51-4487-B922-11BDA33D67BE}\stubpath = "C:\\Windows\\{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe"	{F232A622-8360-4b45-9C55-413009562274}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09947C27-16EF-410b-806B-A1842FCF8786}	{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09947C27-16EF-410b-806B-A1842FCF8786}\stubpath = "C:\\Windows\\{09947C27-16EF-410b-806B-A1842FCF8786}.exe"	{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{648F06AD-307D-44f8-9FB3-D353EDF6E119}\stubpath = "C:\\Windows\\{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe"	{09947C27-16EF-410b-806B-A1842FCF8786}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3220AFB4-831D-4360-90CF-89DDBC6201CB}	{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{859D9E6D-8D0E-42c4-8C36-631E495D65DC}\stubpath = "C:\\Windows\\{859D9E6D-8D0E-42c4-8C36-631E495D65DC}.exe"	{3220AFB4-831D-4360-90CF-89DDBC6201CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F952EC1A-6229-4d2d-B352-9B105BF722E0}	{859D9E6D-8D0E-42c4-8C36-631E495D65DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}	NEAS.88a54f932538284d3e02e92cc6e38390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A4868FE-0316-47ee-9847-E6964D42E5F9}\stubpath = "C:\\Windows\\{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe"	{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}\stubpath = "C:\\Windows\\{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe"	{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3220AFB4-831D-4360-90CF-89DDBC6201CB}\stubpath = "C:\\Windows\\{3220AFB4-831D-4360-90CF-89DDBC6201CB}.exe"	{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F952EC1A-6229-4d2d-B352-9B105BF722E0}\stubpath = "C:\\Windows\\{F952EC1A-6229-4d2d-B352-9B105BF722E0}.exe"	{859D9E6D-8D0E-42c4-8C36-631E495D65DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F232A622-8360-4b45-9C55-413009562274}	{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B2023CE-3B51-4487-B922-11BDA33D67BE}	{F232A622-8360-4b45-9C55-413009562274}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{648F06AD-307D-44f8-9FB3-D353EDF6E119}	{09947C27-16EF-410b-806B-A1842FCF8786}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{859D9E6D-8D0E-42c4-8C36-631E495D65DC}	{3220AFB4-831D-4360-90CF-89DDBC6201CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76489FB2-CCED-48fc-9B10-D2EA18448212}\stubpath = "C:\\Windows\\{76489FB2-CCED-48fc-9B10-D2EA18448212}.exe"	{F952EC1A-6229-4d2d-B352-9B105BF722E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76489FB2-CCED-48fc-9B10-D2EA18448212}	{F952EC1A-6229-4d2d-B352-9B105BF722E0}.exe

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2760	{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe
2300	{F232A622-8360-4b45-9C55-413009562274}.exe
2592	{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe
2620	{09947C27-16EF-410b-806B-A1842FCF8786}.exe
2612	{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe
2616	{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe
2160	{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe
1808	{3220AFB4-831D-4360-90CF-89DDBC6201CB}.exe
1616	{859D9E6D-8D0E-42c4-8C36-631E495D65DC}.exe
1936	{F952EC1A-6229-4d2d-B352-9B105BF722E0}.exe
584	{76489FB2-CCED-48fc-9B10-D2EA18448212}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F952EC1A-6229-4d2d-B352-9B105BF722E0}.exe	{859D9E6D-8D0E-42c4-8C36-631E495D65DC}.exe
File created	C:\Windows\{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe	NEAS.88a54f932538284d3e02e92cc6e38390.exe
File created	C:\Windows\{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe	{F232A622-8360-4b45-9C55-413009562274}.exe
File created	C:\Windows\{3220AFB4-831D-4360-90CF-89DDBC6201CB}.exe	{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe
File created	C:\Windows\{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe	{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe
File created	C:\Windows\{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe	{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe
File created	C:\Windows\{859D9E6D-8D0E-42c4-8C36-631E495D65DC}.exe	{3220AFB4-831D-4360-90CF-89DDBC6201CB}.exe
File created	C:\Windows\{76489FB2-CCED-48fc-9B10-D2EA18448212}.exe	{F952EC1A-6229-4d2d-B352-9B105BF722E0}.exe
File created	C:\Windows\{F232A622-8360-4b45-9C55-413009562274}.exe	{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe
File created	C:\Windows\{09947C27-16EF-410b-806B-A1842FCF8786}.exe	{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe
File created	C:\Windows\{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe	{09947C27-16EF-410b-806B-A1842FCF8786}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2964	NEAS.88a54f932538284d3e02e92cc6e38390.exe
Token: SeIncBasePriorityPrivilege	2760	{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe
Token: SeIncBasePriorityPrivilege	2300	{F232A622-8360-4b45-9C55-413009562274}.exe
Token: SeIncBasePriorityPrivilege	2592	{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe
Token: SeIncBasePriorityPrivilege	2620	{09947C27-16EF-410b-806B-A1842FCF8786}.exe
Token: SeIncBasePriorityPrivilege	2612	{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe
Token: SeIncBasePriorityPrivilege	2616	{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe
Token: SeIncBasePriorityPrivilege	2160	{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe
Token: SeIncBasePriorityPrivilege	1808	{3220AFB4-831D-4360-90CF-89DDBC6201CB}.exe
Token: SeIncBasePriorityPrivilege	1616	{859D9E6D-8D0E-42c4-8C36-631E495D65DC}.exe
Token: SeIncBasePriorityPrivilege	1936	{F952EC1A-6229-4d2d-B352-9B105BF722E0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2760	2964	NEAS.88a54f932538284d3e02e92cc6e38390.exe	27
PID 2964 wrote to memory of 2760	2964	NEAS.88a54f932538284d3e02e92cc6e38390.exe	27
PID 2964 wrote to memory of 2760	2964	NEAS.88a54f932538284d3e02e92cc6e38390.exe	27
PID 2964 wrote to memory of 2760	2964	NEAS.88a54f932538284d3e02e92cc6e38390.exe	27
PID 2964 wrote to memory of 2684	2964	NEAS.88a54f932538284d3e02e92cc6e38390.exe	28
PID 2964 wrote to memory of 2684	2964	NEAS.88a54f932538284d3e02e92cc6e38390.exe	28
PID 2964 wrote to memory of 2684	2964	NEAS.88a54f932538284d3e02e92cc6e38390.exe	28
PID 2964 wrote to memory of 2684	2964	NEAS.88a54f932538284d3e02e92cc6e38390.exe	28
PID 2760 wrote to memory of 2300	2760	{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe	29
PID 2760 wrote to memory of 2300	2760	{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe	29
PID 2760 wrote to memory of 2300	2760	{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe	29
PID 2760 wrote to memory of 2300	2760	{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe	29
PID 2760 wrote to memory of 2096	2760	{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe	30
PID 2760 wrote to memory of 2096	2760	{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe	30
PID 2760 wrote to memory of 2096	2760	{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe	30
PID 2760 wrote to memory of 2096	2760	{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe	30
PID 2300 wrote to memory of 2592	2300	{F232A622-8360-4b45-9C55-413009562274}.exe	31
PID 2300 wrote to memory of 2592	2300	{F232A622-8360-4b45-9C55-413009562274}.exe	31
PID 2300 wrote to memory of 2592	2300	{F232A622-8360-4b45-9C55-413009562274}.exe	31
PID 2300 wrote to memory of 2592	2300	{F232A622-8360-4b45-9C55-413009562274}.exe	31
PID 2300 wrote to memory of 1704	2300	{F232A622-8360-4b45-9C55-413009562274}.exe	32
PID 2300 wrote to memory of 1704	2300	{F232A622-8360-4b45-9C55-413009562274}.exe	32
PID 2300 wrote to memory of 1704	2300	{F232A622-8360-4b45-9C55-413009562274}.exe	32
PID 2300 wrote to memory of 1704	2300	{F232A622-8360-4b45-9C55-413009562274}.exe	32
PID 2592 wrote to memory of 2620	2592	{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe	33
PID 2592 wrote to memory of 2620	2592	{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe	33
PID 2592 wrote to memory of 2620	2592	{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe	33
PID 2592 wrote to memory of 2620	2592	{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe	33
PID 2592 wrote to memory of 2560	2592	{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe	34
PID 2592 wrote to memory of 2560	2592	{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe	34
PID 2592 wrote to memory of 2560	2592	{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe	34
PID 2592 wrote to memory of 2560	2592	{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe	34
PID 2620 wrote to memory of 2612	2620	{09947C27-16EF-410b-806B-A1842FCF8786}.exe	35
PID 2620 wrote to memory of 2612	2620	{09947C27-16EF-410b-806B-A1842FCF8786}.exe	35
PID 2620 wrote to memory of 2612	2620	{09947C27-16EF-410b-806B-A1842FCF8786}.exe	35
PID 2620 wrote to memory of 2612	2620	{09947C27-16EF-410b-806B-A1842FCF8786}.exe	35
PID 2620 wrote to memory of 1688	2620	{09947C27-16EF-410b-806B-A1842FCF8786}.exe	36
PID 2620 wrote to memory of 1688	2620	{09947C27-16EF-410b-806B-A1842FCF8786}.exe	36
PID 2620 wrote to memory of 1688	2620	{09947C27-16EF-410b-806B-A1842FCF8786}.exe	36
PID 2620 wrote to memory of 1688	2620	{09947C27-16EF-410b-806B-A1842FCF8786}.exe	36
PID 2612 wrote to memory of 2616	2612	{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe	38
PID 2612 wrote to memory of 2616	2612	{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe	38
PID 2612 wrote to memory of 2616	2612	{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe	38
PID 2612 wrote to memory of 2616	2612	{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe	38
PID 2612 wrote to memory of 3060	2612	{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe	37
PID 2612 wrote to memory of 3060	2612	{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe	37
PID 2612 wrote to memory of 3060	2612	{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe	37
PID 2612 wrote to memory of 3060	2612	{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe	37
PID 2616 wrote to memory of 2160	2616	{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe	39
PID 2616 wrote to memory of 2160	2616	{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe	39
PID 2616 wrote to memory of 2160	2616	{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe	39
PID 2616 wrote to memory of 2160	2616	{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe	39
PID 2616 wrote to memory of 1664	2616	{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe	40
PID 2616 wrote to memory of 1664	2616	{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe	40
PID 2616 wrote to memory of 1664	2616	{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe	40
PID 2616 wrote to memory of 1664	2616	{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe	40
PID 2160 wrote to memory of 1808	2160	{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe	42
PID 2160 wrote to memory of 1808	2160	{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe	42
PID 2160 wrote to memory of 1808	2160	{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe	42
PID 2160 wrote to memory of 1808	2160	{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe	42
PID 2160 wrote to memory of 2124	2160	{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe	41
PID 2160 wrote to memory of 2124	2160	{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe	41
PID 2160 wrote to memory of 2124	2160	{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe	41
PID 2160 wrote to memory of 2124	2160	{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe	41

C:\Users\Admin\AppData\Local\Temp\NEAS.88a54f932538284d3e02e92cc6e38390.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.88a54f932538284d3e02e92cc6e38390.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe
  C:\Windows\{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\{F232A622-8360-4b45-9C55-413009562274}.exe
    C:\Windows\{F232A622-8360-4b45-9C55-413009562274}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe
      C:\Windows\{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\{09947C27-16EF-410b-806B-A1842FCF8786}.exe
        
        C:\Windows\{09947C27-16EF-410b-806B-A1842FCF8786}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe
        
        C:\Windows\{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{648F0~1.EXE > nul
        7⤵
        
        PID:3060
        
        C:\Windows\{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe
        
        C:\Windows\{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe
        
        C:\Windows\{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FE7D~1.EXE > nul
        9⤵
        
        PID:2124
        
        C:\Windows\{3220AFB4-831D-4360-90CF-89DDBC6201CB}.exe
        
        C:\Windows\{3220AFB4-831D-4360-90CF-89DDBC6201CB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\{859D9E6D-8D0E-42c4-8C36-631E495D65DC}.exe
        
        C:\Windows\{859D9E6D-8D0E-42c4-8C36-631E495D65DC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{859D9~1.EXE > nul
        11⤵
        
        PID:2484
        
        C:\Windows\{F952EC1A-6229-4d2d-B352-9B105BF722E0}.exe
        
        C:\Windows\{F952EC1A-6229-4d2d-B352-9B105BF722E0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\{76489FB2-CCED-48fc-9B10-D2EA18448212}.exe
        
        C:\Windows\{76489FB2-CCED-48fc-9B10-D2EA18448212}.exe
        12⤵
        Executes dropped EXE
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F952E~1.EXE > nul
        12⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3220A~1.EXE > nul
        10⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A486~1.EXE > nul
        8⤵
        
        PID:1664
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09947~1.EXE > nul
        6⤵
        
        PID:1688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B202~1.EXE > nul
        5⤵
        
        PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F232A~1.EXE > nul
      4⤵
      PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{383CA~1.EXE > nul
    3⤵
    PID:2096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS88~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09947C27-16EF-410b-806B-A1842FCF8786}.exe

Filesize
372KB

MD5
e4c897aaba5407b77087091c2eb78df9

SHA1
4758d18f144fc973ba38fb3dc9a3b06d6ab5a94e

SHA256
bb1b1b5f7618d68efbc79a3f134324c0d48fc3911bd9542b7520e731deac78e5

SHA512
8fc8d73b456db026ecee757f81f3c9de9a8b157446c12dec8e4a794dc724ba84c9c9743d97946ae8046c89b9a4fec5979145cfeaea13020e7bb41458f74fa659

Download Submit
C:\Windows\{09947C27-16EF-410b-806B-A1842FCF8786}.exe

Filesize
372KB

MD5
e4c897aaba5407b77087091c2eb78df9

SHA1
4758d18f144fc973ba38fb3dc9a3b06d6ab5a94e

SHA256
bb1b1b5f7618d68efbc79a3f134324c0d48fc3911bd9542b7520e731deac78e5

SHA512
8fc8d73b456db026ecee757f81f3c9de9a8b157446c12dec8e4a794dc724ba84c9c9743d97946ae8046c89b9a4fec5979145cfeaea13020e7bb41458f74fa659

Download Submit
C:\Windows\{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe

Filesize
372KB

MD5
d7d9f8b25cd67708ff95898d6a05d622

SHA1
2f1b04922dd1d43281ea88787692bd89e3c13322

SHA256
67162433d74950d19c1bedf3a5c3923afe8c0cde13a80533099ba085b943eecd

SHA512
f11e894c5e57f4d3c91c2a91ae7c264ef8863f59ce156b6d156c72d0979c12eeeed4a48b13fb0e133acad673fc5446316ca0b890d07fc0fa56adf51861f1e0eb

Download Submit
C:\Windows\{1FE7D072-DFA4-4285-A8C1-46DECFEC05E0}.exe

Filesize
372KB

MD5
d7d9f8b25cd67708ff95898d6a05d622

SHA1
2f1b04922dd1d43281ea88787692bd89e3c13322

SHA256
67162433d74950d19c1bedf3a5c3923afe8c0cde13a80533099ba085b943eecd

SHA512
f11e894c5e57f4d3c91c2a91ae7c264ef8863f59ce156b6d156c72d0979c12eeeed4a48b13fb0e133acad673fc5446316ca0b890d07fc0fa56adf51861f1e0eb

Download Submit
C:\Windows\{3220AFB4-831D-4360-90CF-89DDBC6201CB}.exe

Filesize
372KB

MD5
337c1d6a056d70cc6f804b7cf97aded6

SHA1
c217a18afa665b8ae46713a361ff15e2ddf8d5bc

SHA256
8b0a2591e8cb532da78beea906ba1c3610bd4362c633779ba92e33707e0f3a42

SHA512
3c8284d8d213329bccb79fa227c5878649b83994ca936b4a8344a0d91c5b68baab9988418ea57f07969f4d65e15c46b09d59a4058a66227c4fc5b46f62a72584

Download Submit
C:\Windows\{3220AFB4-831D-4360-90CF-89DDBC6201CB}.exe

Filesize
372KB

MD5
337c1d6a056d70cc6f804b7cf97aded6

SHA1
c217a18afa665b8ae46713a361ff15e2ddf8d5bc

SHA256
8b0a2591e8cb532da78beea906ba1c3610bd4362c633779ba92e33707e0f3a42

SHA512
3c8284d8d213329bccb79fa227c5878649b83994ca936b4a8344a0d91c5b68baab9988418ea57f07969f4d65e15c46b09d59a4058a66227c4fc5b46f62a72584

Download Submit
C:\Windows\{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe

Filesize
372KB

MD5
6a8a459cdffa5b5feda307baabbc5989

SHA1
7c6fbd5eacad56d7de20cf1819c6debf4506674e

SHA256
15a69f1bba5a855731711e6d9ea720934e0adcde3dd33fbcb9e365e81c8535b7

SHA512
a391e1112e3291755f3aef3f7db2807a5945db5654a762f44327eea49a2860edae2da585ad8f460bbfe280e0b37d36976f4870240526059749d9233214c7341f

Download Submit
C:\Windows\{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe

Filesize
372KB

MD5
6a8a459cdffa5b5feda307baabbc5989

SHA1
7c6fbd5eacad56d7de20cf1819c6debf4506674e

SHA256
15a69f1bba5a855731711e6d9ea720934e0adcde3dd33fbcb9e365e81c8535b7

SHA512
a391e1112e3291755f3aef3f7db2807a5945db5654a762f44327eea49a2860edae2da585ad8f460bbfe280e0b37d36976f4870240526059749d9233214c7341f

Download Submit
C:\Windows\{383CA154-7E8D-47e0-85E7-AFC7428DC4F2}.exe

Filesize
372KB

MD5
6a8a459cdffa5b5feda307baabbc5989

SHA1
7c6fbd5eacad56d7de20cf1819c6debf4506674e

SHA256
15a69f1bba5a855731711e6d9ea720934e0adcde3dd33fbcb9e365e81c8535b7

SHA512
a391e1112e3291755f3aef3f7db2807a5945db5654a762f44327eea49a2860edae2da585ad8f460bbfe280e0b37d36976f4870240526059749d9233214c7341f

Download Submit
C:\Windows\{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe

Filesize
372KB

MD5
b419485b03bcccd4d86a70f14703106a

SHA1
aa9ef6184754d0f20f6e00d98beaee86333f8674

SHA256
6928d41752c66ce0d7880074b0690500896b8e6de43defdeae8a26edf4d3a33a

SHA512
aa295702cb844555b6c6bdb6207ae12881153b82ad4a533e7128c92f975fd54d1a2f9f25e32d5a519bf40488ca1439cf67060b4be7cd4cf3c3ec6eb81b2ff0fb

Download Submit
C:\Windows\{648F06AD-307D-44f8-9FB3-D353EDF6E119}.exe

Filesize
372KB

MD5
b419485b03bcccd4d86a70f14703106a

SHA1
aa9ef6184754d0f20f6e00d98beaee86333f8674

SHA256
6928d41752c66ce0d7880074b0690500896b8e6de43defdeae8a26edf4d3a33a

SHA512
aa295702cb844555b6c6bdb6207ae12881153b82ad4a533e7128c92f975fd54d1a2f9f25e32d5a519bf40488ca1439cf67060b4be7cd4cf3c3ec6eb81b2ff0fb

Download Submit
C:\Windows\{76489FB2-CCED-48fc-9B10-D2EA18448212}.exe

Filesize
372KB

MD5
f910a34d711eaaed2941f124a9b6a42c

SHA1
5163c750c4ad030aeaff30c4643118b7d138eaac

SHA256
4ce6c75effc8812e71abc0d9527f56a74f1fbb7e09fefaa0b78a6291a77c6a5c

SHA512
919c84fcd766a376c11fda71fb2d390875bcab8b6f0932a2ff0074767003cec6b3f30e7ac6537b7d7d484b8ab1783cb009edc3fdebec7fd090b81de40b21f031

Download Submit
C:\Windows\{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe

Filesize
372KB

MD5
abba405c24ca3d8cbb28f231cf26b555

SHA1
76cb794625481550d1e9c22029623cff5dada821

SHA256
adce94fab1fc7077fd1c40b6687902c66cd153639dce91dd50ccd041e49e7c52

SHA512
b1578f60d473952e799dfb6e32e65b24f86f28055645126170527a29ec8b6e5d97db8c024ecc834798d40387dcb4a26a8be76a3bbb838071d9e6020989f5542b

Download Submit
C:\Windows\{7B2023CE-3B51-4487-B922-11BDA33D67BE}.exe

Filesize
372KB

MD5
abba405c24ca3d8cbb28f231cf26b555

SHA1
76cb794625481550d1e9c22029623cff5dada821

SHA256
adce94fab1fc7077fd1c40b6687902c66cd153639dce91dd50ccd041e49e7c52

SHA512
b1578f60d473952e799dfb6e32e65b24f86f28055645126170527a29ec8b6e5d97db8c024ecc834798d40387dcb4a26a8be76a3bbb838071d9e6020989f5542b

Download Submit
C:\Windows\{859D9E6D-8D0E-42c4-8C36-631E495D65DC}.exe

Filesize
372KB

MD5
8523938fd395353f054a622e0ff206f3

SHA1
f0256a4f3606083217b709ef9f51c0ba7d4c28cd

SHA256
743b9f478615f4ba47812978b2f35d10058df18774ffce4207d5db716acbf20c

SHA512
91ad013172f20290b1b66baf91dad44a56076d0a43e07ff9f2f6bc6779f308875d93e90d2291dc23dfcef4b10a64363dee93069f40869c5cec023ea374ebeda9

Download Submit
C:\Windows\{859D9E6D-8D0E-42c4-8C36-631E495D65DC}.exe

Filesize
372KB

MD5
8523938fd395353f054a622e0ff206f3

SHA1
f0256a4f3606083217b709ef9f51c0ba7d4c28cd

SHA256
743b9f478615f4ba47812978b2f35d10058df18774ffce4207d5db716acbf20c

SHA512
91ad013172f20290b1b66baf91dad44a56076d0a43e07ff9f2f6bc6779f308875d93e90d2291dc23dfcef4b10a64363dee93069f40869c5cec023ea374ebeda9

Download Submit
C:\Windows\{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe

Filesize
372KB

MD5
8c7414d624239e1deea0f872b23510f0

SHA1
a7a9a8584bd5d6d76d7e37abdd5bc545c4d9f3db

SHA256
29b018672986e636792b4772b83eb8a334b3c504a9820aefb4656e4894ec81a5

SHA512
44dd5a3a3df30082e9b340053dfb7fe664b685ef5684eacc350c2cfe0564ad2459d4bb30dc8578d1ca4b87d69d6f8c825b7801afd132482a148b19222912c2cd

Download Submit
C:\Windows\{9A4868FE-0316-47ee-9847-E6964D42E5F9}.exe

Filesize
372KB

MD5
8c7414d624239e1deea0f872b23510f0

SHA1
a7a9a8584bd5d6d76d7e37abdd5bc545c4d9f3db

SHA256
29b018672986e636792b4772b83eb8a334b3c504a9820aefb4656e4894ec81a5

SHA512
44dd5a3a3df30082e9b340053dfb7fe664b685ef5684eacc350c2cfe0564ad2459d4bb30dc8578d1ca4b87d69d6f8c825b7801afd132482a148b19222912c2cd

Download Submit
C:\Windows\{F232A622-8360-4b45-9C55-413009562274}.exe

Filesize
372KB

MD5
c9510717da1daf990ae59d2ff57ffc84

SHA1
bb6b704d2e9a849499f89dbd175af8b20110f61e

SHA256
7abccb5e7d7dfc5964161e18929a60f78f0cfec7724b7c73bb7029b750ba4d8b

SHA512
11e05c0bde5a22bc14eabbaff8e678672eb4895a4d23618bf566f3af5a9f5a760f3b81e2db6b943245a6695f312c502bd3ab2bfd4147bde30a1892d2c79cd917

Download Submit
C:\Windows\{F232A622-8360-4b45-9C55-413009562274}.exe

Filesize
372KB

MD5
c9510717da1daf990ae59d2ff57ffc84

SHA1
bb6b704d2e9a849499f89dbd175af8b20110f61e

SHA256
7abccb5e7d7dfc5964161e18929a60f78f0cfec7724b7c73bb7029b750ba4d8b

SHA512
11e05c0bde5a22bc14eabbaff8e678672eb4895a4d23618bf566f3af5a9f5a760f3b81e2db6b943245a6695f312c502bd3ab2bfd4147bde30a1892d2c79cd917

Download Submit
C:\Windows\{F952EC1A-6229-4d2d-B352-9B105BF722E0}.exe

Filesize
372KB

MD5
66389211ec05ae239d9c33f4eb2cee3d

SHA1
36ce8bce24b2b74b6baf20d906111b03bd3056b8

SHA256
3d9d51ded33bb9bc1f734654d377ace1eed1fd803e83ba9a40c7dcd8006a9207

SHA512
5eae1f9f3630bc7d7cc15cb1bc91604789d1b83b8a726211310fc1f91cf0718ab8155491260d25c97a15f59ce7e94f95a421f931ddbbb46726d8e7dd7a9b024b

Download Submit
C:\Windows\{F952EC1A-6229-4d2d-B352-9B105BF722E0}.exe

Filesize
372KB

MD5
66389211ec05ae239d9c33f4eb2cee3d

SHA1
36ce8bce24b2b74b6baf20d906111b03bd3056b8

SHA256
3d9d51ded33bb9bc1f734654d377ace1eed1fd803e83ba9a40c7dcd8006a9207

SHA512
5eae1f9f3630bc7d7cc15cb1bc91604789d1b83b8a726211310fc1f91cf0718ab8155491260d25c97a15f59ce7e94f95a421f931ddbbb46726d8e7dd7a9b024b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads