10796a1653fcd84c99a9db48dd7a67942e579670cc7fdabcfa892c75861a9a14

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
28/10/2023, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe
Size

192KB
MD5

9ea7d61a2c70ca3c5340135f25891c10
SHA1

54341a53119552ea28fb525dcf7ea2fc7f6cf9fa
SHA256

10796a1653fcd84c99a9db48dd7a67942e579670cc7fdabcfa892c75861a9a14
SHA512

ee28d1439341e158667d9614cde219f3b9da0bdca9dbd74d92819bfdc1e6d7aaf6b715e39eccd7dffcc083f51301e391f49f81667562c67e8efa903305d6af8e
SSDEEP

1536:1EGh0oOl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oOl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6274A602-6328-4f44-982A-169C3725B93A}	{421766C5-F33D-45ae-8442-040B3DB3621B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6FF848D-EE44-404e-BEB2-4F63315D22CA}	{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6FF848D-EE44-404e-BEB2-4F63315D22CA}\stubpath = "C:\\Windows\\{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe"	{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}	{B8B6D729-5947-46fa-A341-A25D36723054}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E3879F4-B834-4fce-87AF-4E806F646630}\stubpath = "C:\\Windows\\{3E3879F4-B834-4fce-87AF-4E806F646630}.exe"	{7FF4C6D6-9069-44a9-9DE5-39B3C2CBA80F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FD5D72A-4957-4271-BD83-3B1865CDAB67}\stubpath = "C:\\Windows\\{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe"	{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F493268-7211-4fa2-8202-419E7572E927}	{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F493268-7211-4fa2-8202-419E7572E927}\stubpath = "C:\\Windows\\{5F493268-7211-4fa2-8202-419E7572E927}.exe"	{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8B6D729-5947-46fa-A341-A25D36723054}	{5F493268-7211-4fa2-8202-419E7572E927}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A7A683D-952F-406c-B02A-01F2008271C4}	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A7A683D-952F-406c-B02A-01F2008271C4}\stubpath = "C:\\Windows\\{8A7A683D-952F-406c-B02A-01F2008271C4}.exe"	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}	{8A7A683D-952F-406c-B02A-01F2008271C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FD5D72A-4957-4271-BD83-3B1865CDAB67}	{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E3879F4-B834-4fce-87AF-4E806F646630}	{7FF4C6D6-9069-44a9-9DE5-39B3C2CBA80F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}\stubpath = "C:\\Windows\\{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe"	{8A7A683D-952F-406c-B02A-01F2008271C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{421766C5-F33D-45ae-8442-040B3DB3621B}\stubpath = "C:\\Windows\\{421766C5-F33D-45ae-8442-040B3DB3621B}.exe"	{3E3879F4-B834-4fce-87AF-4E806F646630}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22460AD5-22F4-42b8-95CE-17A07686AF2A}\stubpath = "C:\\Windows\\{22460AD5-22F4-42b8-95CE-17A07686AF2A}.exe"	{6274A602-6328-4f44-982A-169C3725B93A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{421766C5-F33D-45ae-8442-040B3DB3621B}	{3E3879F4-B834-4fce-87AF-4E806F646630}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6274A602-6328-4f44-982A-169C3725B93A}\stubpath = "C:\\Windows\\{6274A602-6328-4f44-982A-169C3725B93A}.exe"	{421766C5-F33D-45ae-8442-040B3DB3621B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22460AD5-22F4-42b8-95CE-17A07686AF2A}	{6274A602-6328-4f44-982A-169C3725B93A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8B6D729-5947-46fa-A341-A25D36723054}\stubpath = "C:\\Windows\\{B8B6D729-5947-46fa-A341-A25D36723054}.exe"	{5F493268-7211-4fa2-8202-419E7572E927}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}\stubpath = "C:\\Windows\\{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe"	{B8B6D729-5947-46fa-A341-A25D36723054}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FF4C6D6-9069-44a9-9DE5-39B3C2CBA80F}	{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FF4C6D6-9069-44a9-9DE5-39B3C2CBA80F}\stubpath = "C:\\Windows\\{7FF4C6D6-9069-44a9-9DE5-39B3C2CBA80F}.exe"	{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe

Deletes itself 1 IoCs

pid	Process
540	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2944	{8A7A683D-952F-406c-B02A-01F2008271C4}.exe
2780	{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe
312	{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe
2568	{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe
2556	{5F493268-7211-4fa2-8202-419E7572E927}.exe
2388	{B8B6D729-5947-46fa-A341-A25D36723054}.exe
2872	{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe
2852	{7FF4C6D6-9069-44a9-9DE5-39B3C2CBA80F}.exe
1988	{3E3879F4-B834-4fce-87AF-4E806F646630}.exe
1560	{421766C5-F33D-45ae-8442-040B3DB3621B}.exe
2016	{6274A602-6328-4f44-982A-169C3725B93A}.exe
1956	{22460AD5-22F4-42b8-95CE-17A07686AF2A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe	{8A7A683D-952F-406c-B02A-01F2008271C4}.exe
File created	C:\Windows\{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe	{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe
File created	C:\Windows\{5F493268-7211-4fa2-8202-419E7572E927}.exe	{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe
File created	C:\Windows\{3E3879F4-B834-4fce-87AF-4E806F646630}.exe	{7FF4C6D6-9069-44a9-9DE5-39B3C2CBA80F}.exe
File created	C:\Windows\{421766C5-F33D-45ae-8442-040B3DB3621B}.exe	{3E3879F4-B834-4fce-87AF-4E806F646630}.exe
File created	C:\Windows\{22460AD5-22F4-42b8-95CE-17A07686AF2A}.exe	{6274A602-6328-4f44-982A-169C3725B93A}.exe
File created	C:\Windows\{8A7A683D-952F-406c-B02A-01F2008271C4}.exe	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe
File created	C:\Windows\{B8B6D729-5947-46fa-A341-A25D36723054}.exe	{5F493268-7211-4fa2-8202-419E7572E927}.exe
File created	C:\Windows\{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe	{B8B6D729-5947-46fa-A341-A25D36723054}.exe
File created	C:\Windows\{7FF4C6D6-9069-44a9-9DE5-39B3C2CBA80F}.exe	{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe
File created	C:\Windows\{6274A602-6328-4f44-982A-169C3725B93A}.exe	{421766C5-F33D-45ae-8442-040B3DB3621B}.exe
File created	C:\Windows\{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe	{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2600	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe
Token: SeIncBasePriorityPrivilege	2944	{8A7A683D-952F-406c-B02A-01F2008271C4}.exe
Token: SeIncBasePriorityPrivilege	2780	{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe
Token: SeIncBasePriorityPrivilege	312	{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe
Token: SeIncBasePriorityPrivilege	2568	{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe
Token: SeIncBasePriorityPrivilege	2556	{5F493268-7211-4fa2-8202-419E7572E927}.exe
Token: SeIncBasePriorityPrivilege	2388	{B8B6D729-5947-46fa-A341-A25D36723054}.exe
Token: SeIncBasePriorityPrivilege	2872	{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe
Token: SeIncBasePriorityPrivilege	2852	{7FF4C6D6-9069-44a9-9DE5-39B3C2CBA80F}.exe
Token: SeIncBasePriorityPrivilege	1988	{3E3879F4-B834-4fce-87AF-4E806F646630}.exe
Token: SeIncBasePriorityPrivilege	1560	{421766C5-F33D-45ae-8442-040B3DB3621B}.exe
Token: SeIncBasePriorityPrivilege	2016	{6274A602-6328-4f44-982A-169C3725B93A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2944	2600	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe	28
PID 2600 wrote to memory of 2944	2600	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe	28
PID 2600 wrote to memory of 2944	2600	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe	28
PID 2600 wrote to memory of 2944	2600	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe	28
PID 2600 wrote to memory of 540	2600	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe	29
PID 2600 wrote to memory of 540	2600	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe	29
PID 2600 wrote to memory of 540	2600	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe	29
PID 2600 wrote to memory of 540	2600	NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe	29
PID 2944 wrote to memory of 2780	2944	{8A7A683D-952F-406c-B02A-01F2008271C4}.exe	30
PID 2944 wrote to memory of 2780	2944	{8A7A683D-952F-406c-B02A-01F2008271C4}.exe	30
PID 2944 wrote to memory of 2780	2944	{8A7A683D-952F-406c-B02A-01F2008271C4}.exe	30
PID 2944 wrote to memory of 2780	2944	{8A7A683D-952F-406c-B02A-01F2008271C4}.exe	30
PID 2944 wrote to memory of 2772	2944	{8A7A683D-952F-406c-B02A-01F2008271C4}.exe	31
PID 2944 wrote to memory of 2772	2944	{8A7A683D-952F-406c-B02A-01F2008271C4}.exe	31
PID 2944 wrote to memory of 2772	2944	{8A7A683D-952F-406c-B02A-01F2008271C4}.exe	31
PID 2944 wrote to memory of 2772	2944	{8A7A683D-952F-406c-B02A-01F2008271C4}.exe	31
PID 2780 wrote to memory of 312	2780	{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe	33
PID 2780 wrote to memory of 312	2780	{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe	33
PID 2780 wrote to memory of 312	2780	{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe	33
PID 2780 wrote to memory of 312	2780	{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe	33
PID 2780 wrote to memory of 2816	2780	{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe	32
PID 2780 wrote to memory of 2816	2780	{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe	32
PID 2780 wrote to memory of 2816	2780	{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe	32
PID 2780 wrote to memory of 2816	2780	{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe	32
PID 312 wrote to memory of 2568	312	{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe	36
PID 312 wrote to memory of 2568	312	{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe	36
PID 312 wrote to memory of 2568	312	{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe	36
PID 312 wrote to memory of 2568	312	{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe	36
PID 312 wrote to memory of 2508	312	{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe	37
PID 312 wrote to memory of 2508	312	{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe	37
PID 312 wrote to memory of 2508	312	{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe	37
PID 312 wrote to memory of 2508	312	{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe	37
PID 2568 wrote to memory of 2556	2568	{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe	38
PID 2568 wrote to memory of 2556	2568	{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe	38
PID 2568 wrote to memory of 2556	2568	{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe	38
PID 2568 wrote to memory of 2556	2568	{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe	38
PID 2568 wrote to memory of 2636	2568	{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe	39
PID 2568 wrote to memory of 2636	2568	{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe	39
PID 2568 wrote to memory of 2636	2568	{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe	39
PID 2568 wrote to memory of 2636	2568	{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe	39
PID 2556 wrote to memory of 2388	2556	{5F493268-7211-4fa2-8202-419E7572E927}.exe	41
PID 2556 wrote to memory of 2388	2556	{5F493268-7211-4fa2-8202-419E7572E927}.exe	41
PID 2556 wrote to memory of 2388	2556	{5F493268-7211-4fa2-8202-419E7572E927}.exe	41
PID 2556 wrote to memory of 2388	2556	{5F493268-7211-4fa2-8202-419E7572E927}.exe	41
PID 2556 wrote to memory of 2496	2556	{5F493268-7211-4fa2-8202-419E7572E927}.exe	40
PID 2556 wrote to memory of 2496	2556	{5F493268-7211-4fa2-8202-419E7572E927}.exe	40
PID 2556 wrote to memory of 2496	2556	{5F493268-7211-4fa2-8202-419E7572E927}.exe	40
PID 2556 wrote to memory of 2496	2556	{5F493268-7211-4fa2-8202-419E7572E927}.exe	40
PID 2388 wrote to memory of 2872	2388	{B8B6D729-5947-46fa-A341-A25D36723054}.exe	42
PID 2388 wrote to memory of 2872	2388	{B8B6D729-5947-46fa-A341-A25D36723054}.exe	42
PID 2388 wrote to memory of 2872	2388	{B8B6D729-5947-46fa-A341-A25D36723054}.exe	42
PID 2388 wrote to memory of 2872	2388	{B8B6D729-5947-46fa-A341-A25D36723054}.exe	42
PID 2388 wrote to memory of 2932	2388	{B8B6D729-5947-46fa-A341-A25D36723054}.exe	43
PID 2388 wrote to memory of 2932	2388	{B8B6D729-5947-46fa-A341-A25D36723054}.exe	43
PID 2388 wrote to memory of 2932	2388	{B8B6D729-5947-46fa-A341-A25D36723054}.exe	43
PID 2388 wrote to memory of 2932	2388	{B8B6D729-5947-46fa-A341-A25D36723054}.exe	43
PID 2872 wrote to memory of 2852	2872	{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe	44
PID 2872 wrote to memory of 2852	2872	{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe	44
PID 2872 wrote to memory of 2852	2872	{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe	44
PID 2872 wrote to memory of 2852	2872	{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe	44
PID 2872 wrote to memory of 3048	2872	{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe	45
PID 2872 wrote to memory of 3048	2872	{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe	45
PID 2872 wrote to memory of 3048	2872	{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe	45
PID 2872 wrote to memory of 3048	2872	{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9ea7d61a2c70ca3c5340135f25891c10.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\{8A7A683D-952F-406c-B02A-01F2008271C4}.exe
  C:\Windows\{8A7A683D-952F-406c-B02A-01F2008271C4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe
    C:\Windows\{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F05FC~1.EXE > nul
      4⤵
      PID:2816
  - - C:\Windows\{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe
      C:\Windows\{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:312
    - - C:\Windows\{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe
        
        C:\Windows\{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\{5F493268-7211-4fa2-8202-419E7572E927}.exe
        
        C:\Windows\{5F493268-7211-4fa2-8202-419E7572E927}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F493~1.EXE > nul
        7⤵
        
        PID:2496
        
        C:\Windows\{B8B6D729-5947-46fa-A341-A25D36723054}.exe
        
        C:\Windows\{B8B6D729-5947-46fa-A341-A25D36723054}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe
        
        C:\Windows\{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{7FF4C6D6-9069-44a9-9DE5-39B3C2CBA80F}.exe
        
        C:\Windows\{7FF4C6D6-9069-44a9-9DE5-39B3C2CBA80F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\{3E3879F4-B834-4fce-87AF-4E806F646630}.exe
        
        C:\Windows\{3E3879F4-B834-4fce-87AF-4E806F646630}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\{421766C5-F33D-45ae-8442-040B3DB3621B}.exe
        
        C:\Windows\{421766C5-F33D-45ae-8442-040B3DB3621B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42176~1.EXE > nul
        12⤵
        
        PID:2716
        
        C:\Windows\{6274A602-6328-4f44-982A-169C3725B93A}.exe
        
        C:\Windows\{6274A602-6328-4f44-982A-169C3725B93A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\{22460AD5-22F4-42b8-95CE-17A07686AF2A}.exe
        
        C:\Windows\{22460AD5-22F4-42b8-95CE-17A07686AF2A}.exe
        13⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6274A~1.EXE > nul
        13⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E387~1.EXE > nul
        11⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FF4C~1.EXE > nul
        10⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A84C1~1.EXE > nul
        9⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8B6D~1.EXE > nul
        8⤵
        
        PID:2932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FD5D~1.EXE > nul
        6⤵
        
        PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6FF8~1.EXE > nul
        5⤵
        
        PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8A7A6~1.EXE > nul
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS9E~1.EXE > nul
  2⤵
  - Deletes itself
  PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe

Filesize
192KB

MD5
2e7713a0f06bf2f5316740d696127bf6

SHA1
dc4c6dc9480affe45c9cca7482e10fddb09c0219

SHA256
1cfd054920ba25604893609bf73510955fc49f780a7ef70ad5171aeb201b2754

SHA512
3f95aad926c578211fd4d0ae7c637ae0a4cda503eab3a1d2379c2ed9f64c241a7634620897f6e8e3acf2f479bd77a53cff1d6bfb307d3c7cc7f063f6fa40154c

Download Submit
C:\Windows\{0FD5D72A-4957-4271-BD83-3B1865CDAB67}.exe

Filesize
192KB

MD5
2e7713a0f06bf2f5316740d696127bf6

SHA1
dc4c6dc9480affe45c9cca7482e10fddb09c0219

SHA256
1cfd054920ba25604893609bf73510955fc49f780a7ef70ad5171aeb201b2754

SHA512
3f95aad926c578211fd4d0ae7c637ae0a4cda503eab3a1d2379c2ed9f64c241a7634620897f6e8e3acf2f479bd77a53cff1d6bfb307d3c7cc7f063f6fa40154c

Download Submit
C:\Windows\{22460AD5-22F4-42b8-95CE-17A07686AF2A}.exe

Filesize
192KB

MD5
f3187981669f78cec0bc9abb60894cb0

SHA1
c3824827975fc8f4a4575edf6e774b286e387a57

SHA256
fa61ec9f1e531907717b2422cee987d7bfacd6235b1de49c23964a24ecf62c27

SHA512
754d5b41a2947398f2ddf7e91a23bf13a164a2e225aec4e4e9660888fdd61cb13a4630da5f6564d54d103d9a82628a130325730682f9a0b5648384c7f28116c3

Download Submit
C:\Windows\{3E3879F4-B834-4fce-87AF-4E806F646630}.exe

Filesize
192KB

MD5
abef1c4222800d7782a7a8f58a8f340c

SHA1
65c784b3dada48c63628d5c10f3a92cb6bc821d3

SHA256
47363b669736fe120bdbebcdc0a6c0dbc0a328cdb5c5a26b8b0a6cc31eb66fd2

SHA512
a4704d6ff932fd083958ecdcd580cdfa15f17fd65cb07d5e8de0763475828bf34b58dd805c2024f80663972aeb180da594dc417f864bb6ba29dd9943db98d631

Download Submit
C:\Windows\{3E3879F4-B834-4fce-87AF-4E806F646630}.exe

Filesize
192KB

MD5
abef1c4222800d7782a7a8f58a8f340c

SHA1
65c784b3dada48c63628d5c10f3a92cb6bc821d3

SHA256
47363b669736fe120bdbebcdc0a6c0dbc0a328cdb5c5a26b8b0a6cc31eb66fd2

SHA512
a4704d6ff932fd083958ecdcd580cdfa15f17fd65cb07d5e8de0763475828bf34b58dd805c2024f80663972aeb180da594dc417f864bb6ba29dd9943db98d631

Download Submit
C:\Windows\{421766C5-F33D-45ae-8442-040B3DB3621B}.exe

Filesize
192KB

MD5
539a2ffb02b6caee6eae7f165eddf944

SHA1
e08cc7034b99cd5034611530ceb574196fc177db

SHA256
c79f91f8e331c2636415292d8940645b1ebc728d47708c9c82919203dd28e01c

SHA512
04f5d02f5be4c73f2229a531f809779b5af3653ce6537fe6c6a3ca5e3e5443f65ce30ea632409c34dda78c7a93e3008f14b990c18889f4f48d4bb0e55837b8fc

Download Submit
C:\Windows\{421766C5-F33D-45ae-8442-040B3DB3621B}.exe

Filesize
192KB

MD5
539a2ffb02b6caee6eae7f165eddf944

SHA1
e08cc7034b99cd5034611530ceb574196fc177db

SHA256
c79f91f8e331c2636415292d8940645b1ebc728d47708c9c82919203dd28e01c

SHA512
04f5d02f5be4c73f2229a531f809779b5af3653ce6537fe6c6a3ca5e3e5443f65ce30ea632409c34dda78c7a93e3008f14b990c18889f4f48d4bb0e55837b8fc

Download Submit
C:\Windows\{5F493268-7211-4fa2-8202-419E7572E927}.exe

Filesize
192KB

MD5
45960305377e177d5918a37cc6abe73a

SHA1
e99bf357ce34b8b4ff3e053b5b42f150c2e7f140

SHA256
5e718dfebd750f9a1ce332682156f36be06254c25988f8736b06063323929c83

SHA512
d56c04832780093af14b8c197eb590d67caa98640c4d0fec9f19b33e48c51d037dc45c74446fca7b97159366ef1be26b5b846534dccde45d3aa1b6f891a5ddbe

Download Submit
C:\Windows\{5F493268-7211-4fa2-8202-419E7572E927}.exe

Filesize
192KB

MD5
45960305377e177d5918a37cc6abe73a

SHA1
e99bf357ce34b8b4ff3e053b5b42f150c2e7f140

SHA256
5e718dfebd750f9a1ce332682156f36be06254c25988f8736b06063323929c83

SHA512
d56c04832780093af14b8c197eb590d67caa98640c4d0fec9f19b33e48c51d037dc45c74446fca7b97159366ef1be26b5b846534dccde45d3aa1b6f891a5ddbe

Download Submit
C:\Windows\{6274A602-6328-4f44-982A-169C3725B93A}.exe

Filesize
192KB

MD5
fbbcffae6bb5313414deabeb6c8befd3

SHA1
f0fa632912bc76270d12a7ee5bcf6804ad6caa9d

SHA256
6756d49437da1554fc781d22ec455ae840459b06fb277baa685968b19c91ce9e

SHA512
6ea2eaed2299680c15c4c4e543d8eb562577283b341401edd89c6d7b883e0052a9adcc563d7702dd27deb3ad227189867437feeb92ddda0c045c43f1350af2bb

Download Submit
C:\Windows\{6274A602-6328-4f44-982A-169C3725B93A}.exe

Filesize
192KB

MD5
fbbcffae6bb5313414deabeb6c8befd3

SHA1
f0fa632912bc76270d12a7ee5bcf6804ad6caa9d

SHA256
6756d49437da1554fc781d22ec455ae840459b06fb277baa685968b19c91ce9e

SHA512
6ea2eaed2299680c15c4c4e543d8eb562577283b341401edd89c6d7b883e0052a9adcc563d7702dd27deb3ad227189867437feeb92ddda0c045c43f1350af2bb

Download Submit
C:\Windows\{7FF4C6D6-9069-44a9-9DE5-39B3C2CBA80F}.exe

Filesize
192KB

MD5
b6df2df5930f59fa520d35b1a1fcb169

SHA1
17e300fb2e6ec69f0ed33d28f4f7437ab417eef0

SHA256
405d6e9fd00eae800f2aedf573d4c4ea2b09bf27e8f22f9e4ef22c408bdb74fc

SHA512
d319c06a1ad77a1e3444ff5fb1bebc86822bcc79242a155a325d812754eb53e31faa84591c86e42a8b83804445ac9bd03f0ed610658e46b90b403f411e69cef7

Download Submit
C:\Windows\{7FF4C6D6-9069-44a9-9DE5-39B3C2CBA80F}.exe

Filesize
192KB

MD5
b6df2df5930f59fa520d35b1a1fcb169

SHA1
17e300fb2e6ec69f0ed33d28f4f7437ab417eef0

SHA256
405d6e9fd00eae800f2aedf573d4c4ea2b09bf27e8f22f9e4ef22c408bdb74fc

SHA512
d319c06a1ad77a1e3444ff5fb1bebc86822bcc79242a155a325d812754eb53e31faa84591c86e42a8b83804445ac9bd03f0ed610658e46b90b403f411e69cef7

Download Submit
C:\Windows\{8A7A683D-952F-406c-B02A-01F2008271C4}.exe

Filesize
192KB

MD5
efe3ebb9dafe3ecc551602517e11be05

SHA1
ec87866d1720b4accc63a4a1e1cd83b32e6f61da

SHA256
8c009995cce901e3c7e3e8087a305a572c2de3ce4db3260b31e5a27f3a696c79

SHA512
ae3efa0e0e62d279d21043ec90efd18438de2bc6da735f782d0e1a76d6c334604ee39105875d6299665d8ad8ba0a39c347f012d334db3d0abe37e030cda45dc5

Download Submit
C:\Windows\{8A7A683D-952F-406c-B02A-01F2008271C4}.exe

Filesize
192KB

MD5
efe3ebb9dafe3ecc551602517e11be05

SHA1
ec87866d1720b4accc63a4a1e1cd83b32e6f61da

SHA256
8c009995cce901e3c7e3e8087a305a572c2de3ce4db3260b31e5a27f3a696c79

SHA512
ae3efa0e0e62d279d21043ec90efd18438de2bc6da735f782d0e1a76d6c334604ee39105875d6299665d8ad8ba0a39c347f012d334db3d0abe37e030cda45dc5

Download Submit
C:\Windows\{8A7A683D-952F-406c-B02A-01F2008271C4}.exe

Filesize
192KB

MD5
efe3ebb9dafe3ecc551602517e11be05

SHA1
ec87866d1720b4accc63a4a1e1cd83b32e6f61da

SHA256
8c009995cce901e3c7e3e8087a305a572c2de3ce4db3260b31e5a27f3a696c79

SHA512
ae3efa0e0e62d279d21043ec90efd18438de2bc6da735f782d0e1a76d6c334604ee39105875d6299665d8ad8ba0a39c347f012d334db3d0abe37e030cda45dc5

Download Submit
C:\Windows\{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe

Filesize
192KB

MD5
8062dece59ecf6b010407e2fc307ad60

SHA1
3d3158f409ecf9d1e10b46e256a40feb9ffb427c

SHA256
41a79ab4506c83ecc578df01312ba9193fad77b412b5d78e7a65c1e74a8008dc

SHA512
fcde420d3f2bf238d7de5f7f751e024ca0934d698eb6f21da0600341b47a7fc34075f48eab900109c86e869c0ac9263b9d8317730c586d3e08a9afdbc409fbe8

Download Submit
C:\Windows\{A84C12DF-3BD1-42df-8042-8CAF2FE09AD6}.exe

Filesize
192KB

MD5
8062dece59ecf6b010407e2fc307ad60

SHA1
3d3158f409ecf9d1e10b46e256a40feb9ffb427c

SHA256
41a79ab4506c83ecc578df01312ba9193fad77b412b5d78e7a65c1e74a8008dc

SHA512
fcde420d3f2bf238d7de5f7f751e024ca0934d698eb6f21da0600341b47a7fc34075f48eab900109c86e869c0ac9263b9d8317730c586d3e08a9afdbc409fbe8

Download Submit
C:\Windows\{B8B6D729-5947-46fa-A341-A25D36723054}.exe

Filesize
192KB

MD5
0d61755a3cf18b641e1875d62286e842

SHA1
c39fb55f71afeccaa5aca6f5ac215156a1e5f653

SHA256
f85491968eed45223ef214675e1dc153fbaec09b1e96a3498e60107d2cc96e3f

SHA512
0744b1b907e8d0dce77584bb138652a16b3a502d68af8a79019059ee83fae6b3495bca9fae3a916eb9bded94e19cae480e7714d0e43c6ba35b705117af044bab

Download Submit
C:\Windows\{B8B6D729-5947-46fa-A341-A25D36723054}.exe

Filesize
192KB

MD5
0d61755a3cf18b641e1875d62286e842

SHA1
c39fb55f71afeccaa5aca6f5ac215156a1e5f653

SHA256
f85491968eed45223ef214675e1dc153fbaec09b1e96a3498e60107d2cc96e3f

SHA512
0744b1b907e8d0dce77584bb138652a16b3a502d68af8a79019059ee83fae6b3495bca9fae3a916eb9bded94e19cae480e7714d0e43c6ba35b705117af044bab

Download Submit
C:\Windows\{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe

Filesize
192KB

MD5
a6a4ba1f42faaf6a349f6f5bcf594161

SHA1
e652faddfd4100f69f96c512ce53d5169efca154

SHA256
8f81dd5ed4b1937492a90e8321c710943add30f5208f1f224286b1e4f8523043

SHA512
a1232c4e32961ec0a176a0f2da1ab5caebc839cfce977ea847fa25b955084744ce8bd675c5f2f67af3c96b330b2199c9e6952f8bca45b8a2b71b832cbe89847a

Download Submit
C:\Windows\{C6FF848D-EE44-404e-BEB2-4F63315D22CA}.exe

Filesize
192KB

MD5
a6a4ba1f42faaf6a349f6f5bcf594161

SHA1
e652faddfd4100f69f96c512ce53d5169efca154

SHA256
8f81dd5ed4b1937492a90e8321c710943add30f5208f1f224286b1e4f8523043

SHA512
a1232c4e32961ec0a176a0f2da1ab5caebc839cfce977ea847fa25b955084744ce8bd675c5f2f67af3c96b330b2199c9e6952f8bca45b8a2b71b832cbe89847a

Download Submit
C:\Windows\{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe

Filesize
192KB

MD5
5babeed45e6045262a009c6b938bb8d5

SHA1
cb7eb51a3de864e48c444d01f5ee47723971f537

SHA256
0d5d2d19102a9d9130d444fd03d79b530b619d84998c0ce970ceaf5688a08e05

SHA512
8b012c1cd610233c6d0b11a150af27932108225ab03685eae2932cc5059d091ce38b9cf3e5000455d5f6546ae98b46e3c53895a77c6e6317c8af8069cfadc39c

Download Submit
C:\Windows\{F05FC951-ACF2-409f-B9A2-A0F8F6D1FEE3}.exe

Filesize
192KB

MD5
5babeed45e6045262a009c6b938bb8d5

SHA1
cb7eb51a3de864e48c444d01f5ee47723971f537

SHA256
0d5d2d19102a9d9130d444fd03d79b530b619d84998c0ce970ceaf5688a08e05

SHA512
8b012c1cd610233c6d0b11a150af27932108225ab03685eae2932cc5059d091ce38b9cf3e5000455d5f6546ae98b46e3c53895a77c6e6317c8af8069cfadc39c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads