9fa0af75c5fd7b52b808374a9f9720c22a50bcbc13c7e9bcebcdde5e5843a00a

Analysis

max time kernel
151s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.458bb20a23a7271dcaf806b09b31ac20.exe
Size

103KB
MD5

458bb20a23a7271dcaf806b09b31ac20
SHA1

4856b0b56430b132f2b951ef91172273db7701cb
SHA256

9fa0af75c5fd7b52b808374a9f9720c22a50bcbc13c7e9bcebcdde5e5843a00a
SHA512

9ce6235d8bad3f862d412001cfc57011b8395b3ec5421bd3a7fcb82ae287c8a47a92ebd32042b643e6217926e5e7967f2ff3b3d8255c9b0e719d144dab245100
SSDEEP

768:Qvw9816vhKQLroGlu4/wQRNrfrunMxVFA3b7glwRjMlfwGxEIU:YEGh0onl2unMxVS3Hgdor

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70859872-FDB4-4a81-8227-E80E0CEAD0A1}	{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFF91ECA-84BC-487a-97F2-22A22B66A82F}\stubpath = "C:\\Windows\\{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe"	{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37750219-9E2A-48ec-8592-43EB50FDF348}	{E86E4512-0C3E-4322-A10D-1187AD176FC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37750219-9E2A-48ec-8592-43EB50FDF348}\stubpath = "C:\\Windows\\{37750219-9E2A-48ec-8592-43EB50FDF348}.exe"	{E86E4512-0C3E-4322-A10D-1187AD176FC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70859872-FDB4-4a81-8227-E80E0CEAD0A1}\stubpath = "C:\\Windows\\{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe"	{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}	{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}\stubpath = "C:\\Windows\\{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe"	{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EC57E66-E277-4a31-9585-F8D22298B707}	{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EC57E66-E277-4a31-9585-F8D22298B707}\stubpath = "C:\\Windows\\{2EC57E66-E277-4a31-9585-F8D22298B707}.exe"	{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A69C8A8-7351-4c3f-AE22-C1FACF72E033}\stubpath = "C:\\Windows\\{6A69C8A8-7351-4c3f-AE22-C1FACF72E033}.exe"	{37750219-9E2A-48ec-8592-43EB50FDF348}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}\stubpath = "C:\\Windows\\{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe"	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFF91ECA-84BC-487a-97F2-22A22B66A82F}	{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}	{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87968E18-AE9B-4838-AF00-7C9574468377}	{2EC57E66-E277-4a31-9585-F8D22298B707}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87968E18-AE9B-4838-AF00-7C9574468377}\stubpath = "C:\\Windows\\{87968E18-AE9B-4838-AF00-7C9574468377}.exe"	{2EC57E66-E277-4a31-9585-F8D22298B707}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E86E4512-0C3E-4322-A10D-1187AD176FC9}	{87968E18-AE9B-4838-AF00-7C9574468377}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB5EEF75-1F4E-4cd8-8AC0-D7628AE971C9}\stubpath = "C:\\Windows\\{EB5EEF75-1F4E-4cd8-8AC0-D7628AE971C9}.exe"	{6A69C8A8-7351-4c3f-AE22-C1FACF72E033}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}	{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}\stubpath = "C:\\Windows\\{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe"	{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}\stubpath = "C:\\Windows\\{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe"	{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E86E4512-0C3E-4322-A10D-1187AD176FC9}\stubpath = "C:\\Windows\\{E86E4512-0C3E-4322-A10D-1187AD176FC9}.exe"	{87968E18-AE9B-4838-AF00-7C9574468377}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A69C8A8-7351-4c3f-AE22-C1FACF72E033}	{37750219-9E2A-48ec-8592-43EB50FDF348}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB5EEF75-1F4E-4cd8-8AC0-D7628AE971C9}	{6A69C8A8-7351-4c3f-AE22-C1FACF72E033}.exe

Deletes itself 1 IoCs

pid	Process
1776	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2976	{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe
2824	{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe
2680	{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe
2516	{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe
2076	{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe
2524	{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe
2180	{2EC57E66-E277-4a31-9585-F8D22298B707}.exe
1480	{87968E18-AE9B-4838-AF00-7C9574468377}.exe
540	{E86E4512-0C3E-4322-A10D-1187AD176FC9}.exe
536	{37750219-9E2A-48ec-8592-43EB50FDF348}.exe
1676	{6A69C8A8-7351-4c3f-AE22-C1FACF72E033}.exe
1740	{EB5EEF75-1F4E-4cd8-8AC0-D7628AE971C9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe	{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe
File created	C:\Windows\{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe	{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe
File created	C:\Windows\{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe	{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe
File created	C:\Windows\{E86E4512-0C3E-4322-A10D-1187AD176FC9}.exe	{87968E18-AE9B-4838-AF00-7C9574468377}.exe
File created	C:\Windows\{6A69C8A8-7351-4c3f-AE22-C1FACF72E033}.exe	{37750219-9E2A-48ec-8592-43EB50FDF348}.exe
File created	C:\Windows\{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe
File created	C:\Windows\{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe	{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe
File created	C:\Windows\{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe	{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe
File created	C:\Windows\{2EC57E66-E277-4a31-9585-F8D22298B707}.exe	{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe
File created	C:\Windows\{87968E18-AE9B-4838-AF00-7C9574468377}.exe	{2EC57E66-E277-4a31-9585-F8D22298B707}.exe
File created	C:\Windows\{37750219-9E2A-48ec-8592-43EB50FDF348}.exe	{E86E4512-0C3E-4322-A10D-1187AD176FC9}.exe
File created	C:\Windows\{EB5EEF75-1F4E-4cd8-8AC0-D7628AE971C9}.exe	{6A69C8A8-7351-4c3f-AE22-C1FACF72E033}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2756	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe
Token: SeIncBasePriorityPrivilege	2976	{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe
Token: SeIncBasePriorityPrivilege	2824	{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe
Token: SeIncBasePriorityPrivilege	2680	{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe
Token: SeIncBasePriorityPrivilege	2516	{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe
Token: SeIncBasePriorityPrivilege	2076	{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe
Token: SeIncBasePriorityPrivilege	2524	{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe
Token: SeIncBasePriorityPrivilege	2180	{2EC57E66-E277-4a31-9585-F8D22298B707}.exe
Token: SeIncBasePriorityPrivilege	1480	{87968E18-AE9B-4838-AF00-7C9574468377}.exe
Token: SeIncBasePriorityPrivilege	540	{E86E4512-0C3E-4322-A10D-1187AD176FC9}.exe
Token: SeIncBasePriorityPrivilege	536	{37750219-9E2A-48ec-8592-43EB50FDF348}.exe
Token: SeIncBasePriorityPrivilege	1676	{6A69C8A8-7351-4c3f-AE22-C1FACF72E033}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2976	2756	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe	28
PID 2756 wrote to memory of 2976	2756	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe	28
PID 2756 wrote to memory of 2976	2756	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe	28
PID 2756 wrote to memory of 2976	2756	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe	28
PID 2756 wrote to memory of 1776	2756	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe	29
PID 2756 wrote to memory of 1776	2756	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe	29
PID 2756 wrote to memory of 1776	2756	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe	29
PID 2756 wrote to memory of 1776	2756	NEAS.458bb20a23a7271dcaf806b09b31ac20.exe	29
PID 2976 wrote to memory of 2824	2976	{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe	32
PID 2976 wrote to memory of 2824	2976	{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe	32
PID 2976 wrote to memory of 2824	2976	{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe	32
PID 2976 wrote to memory of 2824	2976	{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe	32
PID 2976 wrote to memory of 2700	2976	{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe	33
PID 2976 wrote to memory of 2700	2976	{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe	33
PID 2976 wrote to memory of 2700	2976	{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe	33
PID 2976 wrote to memory of 2700	2976	{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe	33
PID 2824 wrote to memory of 2680	2824	{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe	34
PID 2824 wrote to memory of 2680	2824	{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe	34
PID 2824 wrote to memory of 2680	2824	{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe	34
PID 2824 wrote to memory of 2680	2824	{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe	34
PID 2824 wrote to memory of 2652	2824	{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe	35
PID 2824 wrote to memory of 2652	2824	{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe	35
PID 2824 wrote to memory of 2652	2824	{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe	35
PID 2824 wrote to memory of 2652	2824	{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe	35
PID 2680 wrote to memory of 2516	2680	{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe	36
PID 2680 wrote to memory of 2516	2680	{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe	36
PID 2680 wrote to memory of 2516	2680	{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe	36
PID 2680 wrote to memory of 2516	2680	{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe	36
PID 2680 wrote to memory of 2504	2680	{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe	37
PID 2680 wrote to memory of 2504	2680	{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe	37
PID 2680 wrote to memory of 2504	2680	{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe	37
PID 2680 wrote to memory of 2504	2680	{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe	37
PID 2516 wrote to memory of 2076	2516	{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe	38
PID 2516 wrote to memory of 2076	2516	{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe	38
PID 2516 wrote to memory of 2076	2516	{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe	38
PID 2516 wrote to memory of 2076	2516	{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe	38
PID 2516 wrote to memory of 2484	2516	{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe	39
PID 2516 wrote to memory of 2484	2516	{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe	39
PID 2516 wrote to memory of 2484	2516	{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe	39
PID 2516 wrote to memory of 2484	2516	{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe	39
PID 2076 wrote to memory of 2524	2076	{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe	40
PID 2076 wrote to memory of 2524	2076	{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe	40
PID 2076 wrote to memory of 2524	2076	{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe	40
PID 2076 wrote to memory of 2524	2076	{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe	40
PID 2076 wrote to memory of 2892	2076	{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe	41
PID 2076 wrote to memory of 2892	2076	{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe	41
PID 2076 wrote to memory of 2892	2076	{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe	41
PID 2076 wrote to memory of 2892	2076	{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe	41
PID 2524 wrote to memory of 2180	2524	{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe	42
PID 2524 wrote to memory of 2180	2524	{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe	42
PID 2524 wrote to memory of 2180	2524	{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe	42
PID 2524 wrote to memory of 2180	2524	{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe	42
PID 2524 wrote to memory of 1488	2524	{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe	43
PID 2524 wrote to memory of 1488	2524	{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe	43
PID 2524 wrote to memory of 1488	2524	{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe	43
PID 2524 wrote to memory of 1488	2524	{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe	43
PID 2180 wrote to memory of 1480	2180	{2EC57E66-E277-4a31-9585-F8D22298B707}.exe	44
PID 2180 wrote to memory of 1480	2180	{2EC57E66-E277-4a31-9585-F8D22298B707}.exe	44
PID 2180 wrote to memory of 1480	2180	{2EC57E66-E277-4a31-9585-F8D22298B707}.exe	44
PID 2180 wrote to memory of 1480	2180	{2EC57E66-E277-4a31-9585-F8D22298B707}.exe	44
PID 2180 wrote to memory of 2460	2180	{2EC57E66-E277-4a31-9585-F8D22298B707}.exe	45
PID 2180 wrote to memory of 2460	2180	{2EC57E66-E277-4a31-9585-F8D22298B707}.exe	45
PID 2180 wrote to memory of 2460	2180	{2EC57E66-E277-4a31-9585-F8D22298B707}.exe	45
PID 2180 wrote to memory of 2460	2180	{2EC57E66-E277-4a31-9585-F8D22298B707}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.458bb20a23a7271dcaf806b09b31ac20.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.458bb20a23a7271dcaf806b09b31ac20.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe
  C:\Windows\{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe
    C:\Windows\{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe
      C:\Windows\{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe
        
        C:\Windows\{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - C:\Windows\{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe
        
        C:\Windows\{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe
        
        C:\Windows\{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{2EC57E66-E277-4a31-9585-F8D22298B707}.exe
        
        C:\Windows\{2EC57E66-E277-4a31-9585-F8D22298B707}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\{87968E18-AE9B-4838-AF00-7C9574468377}.exe
        
        C:\Windows\{87968E18-AE9B-4838-AF00-7C9574468377}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\{E86E4512-0C3E-4322-A10D-1187AD176FC9}.exe
        
        C:\Windows\{E86E4512-0C3E-4322-A10D-1187AD176FC9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\{37750219-9E2A-48ec-8592-43EB50FDF348}.exe
        
        C:\Windows\{37750219-9E2A-48ec-8592-43EB50FDF348}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\{6A69C8A8-7351-4c3f-AE22-C1FACF72E033}.exe
        
        C:\Windows\{6A69C8A8-7351-4c3f-AE22-C1FACF72E033}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A69C~1.EXE > nul
        13⤵
        
        PID:2400
        
        C:\Windows\{EB5EEF75-1F4E-4cd8-8AC0-D7628AE971C9}.exe
        
        C:\Windows\{EB5EEF75-1F4E-4cd8-8AC0-D7628AE971C9}.exe
        13⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37750~1.EXE > nul
        12⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E86E4~1.EXE > nul
        11⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87968~1.EXE > nul
        10⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EC57~1.EXE > nul
        9⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5CBE~1.EXE > nul
        8⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFF91~1.EXE > nul
        7⤵
        
        PID:2892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24E2A~1.EXE > nul
        6⤵
        
        PID:2484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70859~1.EXE > nul
        5⤵
        
        PID:2504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C6CB8~1.EXE > nul
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BA18C~1.EXE > nul
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS45~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe

Filesize
103KB

MD5
67f0342cfaee74b518c717fd3c9448b6

SHA1
f5d284617761731384b256c095001c83c529263c

SHA256
673f441aad049e195dd84bdd088e093544695f24c998d78c060b2413816d0244

SHA512
e324895067a175ac086a9359c83d92f1d3d22a63ff25d33b8f743fdfd799a174cda6970e3a5fb1afc58e103f69b80f944f83f527f499758ae598f68dc4008d83

Download Submit
C:\Windows\{24E2A2D7-3190-45cb-8BD5-252880EFDFDC}.exe

Filesize
103KB

MD5
67f0342cfaee74b518c717fd3c9448b6

SHA1
f5d284617761731384b256c095001c83c529263c

SHA256
673f441aad049e195dd84bdd088e093544695f24c998d78c060b2413816d0244

SHA512
e324895067a175ac086a9359c83d92f1d3d22a63ff25d33b8f743fdfd799a174cda6970e3a5fb1afc58e103f69b80f944f83f527f499758ae598f68dc4008d83

Download Submit
C:\Windows\{2EC57E66-E277-4a31-9585-F8D22298B707}.exe

Filesize
103KB

MD5
3cfd4a284d96f01aacac52ab4a3813e3

SHA1
eb27091fcdebf75a6519df874f7133a197242c7e

SHA256
45b04c9b0f91ac529c72f9a284afb062a8f07fadb7bc95bd95328f255bb01e48

SHA512
f7a7602ef9629a89d83135b3e5eb1e719b8bb0a1fdf80685bb3dd76f70dd33984dd293adc739c2d5d789eb3dfe386f133503e8823fc0a466dbf10c17320a8c7e

Download Submit
C:\Windows\{2EC57E66-E277-4a31-9585-F8D22298B707}.exe

Filesize
103KB

MD5
3cfd4a284d96f01aacac52ab4a3813e3

SHA1
eb27091fcdebf75a6519df874f7133a197242c7e

SHA256
45b04c9b0f91ac529c72f9a284afb062a8f07fadb7bc95bd95328f255bb01e48

SHA512
f7a7602ef9629a89d83135b3e5eb1e719b8bb0a1fdf80685bb3dd76f70dd33984dd293adc739c2d5d789eb3dfe386f133503e8823fc0a466dbf10c17320a8c7e

Download Submit
C:\Windows\{37750219-9E2A-48ec-8592-43EB50FDF348}.exe

Filesize
103KB

MD5
0ba52c209dd540f46ef49beace8770c2

SHA1
9d20d6e88f5c0b57cab1787fe595654a749fe6c2

SHA256
09d07d8dfd2ddf1d0e17e982ab10beb21697cca03feec2f98a925b556f255962

SHA512
6d6bd086dc5a7ca9e138472207e984c07f18f16043938b340d535d958ff6b931046aa8a40d01a29b9926b09371747393fa3e76b2366ca8de0c46891b552672ff

Download Submit
C:\Windows\{37750219-9E2A-48ec-8592-43EB50FDF348}.exe

Filesize
103KB

MD5
0ba52c209dd540f46ef49beace8770c2

SHA1
9d20d6e88f5c0b57cab1787fe595654a749fe6c2

SHA256
09d07d8dfd2ddf1d0e17e982ab10beb21697cca03feec2f98a925b556f255962

SHA512
6d6bd086dc5a7ca9e138472207e984c07f18f16043938b340d535d958ff6b931046aa8a40d01a29b9926b09371747393fa3e76b2366ca8de0c46891b552672ff

Download Submit
C:\Windows\{6A69C8A8-7351-4c3f-AE22-C1FACF72E033}.exe

Filesize
103KB

MD5
2ef34556320596c1837740dae3822637

SHA1
28f67c347d3e69718ef9c8d71cff367303b3bc00

SHA256
14d6fb0255c5ff620b89b45762b7554acc99f606e00aa5b80fa6a20e9581e4d8

SHA512
1389c3017459c6b841cd04a8e9aaacb2adae36d3eef439910910ad69e57b2666480580b12c167a7f3976718c636d2f9fa25e7c9cc31dc49a20302be2d5b0e2dc

Download Submit
C:\Windows\{6A69C8A8-7351-4c3f-AE22-C1FACF72E033}.exe

Filesize
103KB

MD5
2ef34556320596c1837740dae3822637

SHA1
28f67c347d3e69718ef9c8d71cff367303b3bc00

SHA256
14d6fb0255c5ff620b89b45762b7554acc99f606e00aa5b80fa6a20e9581e4d8

SHA512
1389c3017459c6b841cd04a8e9aaacb2adae36d3eef439910910ad69e57b2666480580b12c167a7f3976718c636d2f9fa25e7c9cc31dc49a20302be2d5b0e2dc

Download Submit
C:\Windows\{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe

Filesize
103KB

MD5
0057551da5dc30e18c2b5e0223eb59a6

SHA1
562b028747639663f98deaf542466cd90786eaca

SHA256
f41c81642b73cca7fc28410b33eabd124ebdaad8d1626c1cb7884ebdb21aee33

SHA512
6a016fe0a8cf5f7fa1ad5da3b8bfcf8c000bb150f0609cfb04c8a240a9f0c69524ea99c155c7e6a52e6c3189e0ae8c7c84138be97ada4dd422de5a746cabf067

Download Submit
C:\Windows\{70859872-FDB4-4a81-8227-E80E0CEAD0A1}.exe

Filesize
103KB

MD5
0057551da5dc30e18c2b5e0223eb59a6

SHA1
562b028747639663f98deaf542466cd90786eaca

SHA256
f41c81642b73cca7fc28410b33eabd124ebdaad8d1626c1cb7884ebdb21aee33

SHA512
6a016fe0a8cf5f7fa1ad5da3b8bfcf8c000bb150f0609cfb04c8a240a9f0c69524ea99c155c7e6a52e6c3189e0ae8c7c84138be97ada4dd422de5a746cabf067

Download Submit
C:\Windows\{87968E18-AE9B-4838-AF00-7C9574468377}.exe

Filesize
103KB

MD5
489d5dd1a44a4d190a57fabe77ded132

SHA1
9e747b2577a2c5c72bd393883a2aab9ea54ac4d4

SHA256
8bcc40b4a04b98cbdb01ad8257ca88eef3ba1087e0e026f61c958c09a72698c7

SHA512
6e22b7a4e64c0e93e673108b8a466098eb8cd48732c02d3a8d8cca8c0f20066fc572447e64a7546ff788c499e0d768e5db1aae4c46047d249cdedbd2aa358281

Download Submit
C:\Windows\{87968E18-AE9B-4838-AF00-7C9574468377}.exe

Filesize
103KB

MD5
489d5dd1a44a4d190a57fabe77ded132

SHA1
9e747b2577a2c5c72bd393883a2aab9ea54ac4d4

SHA256
8bcc40b4a04b98cbdb01ad8257ca88eef3ba1087e0e026f61c958c09a72698c7

SHA512
6e22b7a4e64c0e93e673108b8a466098eb8cd48732c02d3a8d8cca8c0f20066fc572447e64a7546ff788c499e0d768e5db1aae4c46047d249cdedbd2aa358281

Download Submit
C:\Windows\{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe

Filesize
103KB

MD5
f8a1a83fdec4a85d91adf3d2e7e1c035

SHA1
ae2adc7e6cedb65597bfb315366dc2acdcaf096d

SHA256
f8fb2768dc281caf1bbc2bc388c7d014df5a98e34be3e98ad1490b93a1488b57

SHA512
ccf39556d39dff7b7a2c3afc7ef9c7a238506205b154dc05c0d36c6e6c07ad391c7d0480c423542505c29486dcd5eb7d55429012f4e5e2da45c5d080b6bbfec5

Download Submit
C:\Windows\{A5CBED0F-9A80-4a4d-ADE4-89884302AA28}.exe

Filesize
103KB

MD5
f8a1a83fdec4a85d91adf3d2e7e1c035

SHA1
ae2adc7e6cedb65597bfb315366dc2acdcaf096d

SHA256
f8fb2768dc281caf1bbc2bc388c7d014df5a98e34be3e98ad1490b93a1488b57

SHA512
ccf39556d39dff7b7a2c3afc7ef9c7a238506205b154dc05c0d36c6e6c07ad391c7d0480c423542505c29486dcd5eb7d55429012f4e5e2da45c5d080b6bbfec5

Download Submit
C:\Windows\{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe

Filesize
103KB

MD5
731567a92494a6780a0bf0fd96fcc84f

SHA1
d7da4156492e3fa08fed51fad1348d874cba6f9a

SHA256
7d8c88e8a7374c2af52c3d6374f32bcb76163891e07076ae6cbd3b5fb9f90db7

SHA512
740028ddbb562a38fcdc8dc32696fc88351b50ad5bb01f523213fdebe64376727204bfab1d8731e6cc34cc69f3cbe596eff0aa61b2337e164bdea6ee858f97a5

Download Submit
C:\Windows\{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe

Filesize
103KB

MD5
731567a92494a6780a0bf0fd96fcc84f

SHA1
d7da4156492e3fa08fed51fad1348d874cba6f9a

SHA256
7d8c88e8a7374c2af52c3d6374f32bcb76163891e07076ae6cbd3b5fb9f90db7

SHA512
740028ddbb562a38fcdc8dc32696fc88351b50ad5bb01f523213fdebe64376727204bfab1d8731e6cc34cc69f3cbe596eff0aa61b2337e164bdea6ee858f97a5

Download Submit
C:\Windows\{BA18CB7C-BE85-4d74-84AE-CECE0DF5F295}.exe

Filesize
103KB

MD5
731567a92494a6780a0bf0fd96fcc84f

SHA1
d7da4156492e3fa08fed51fad1348d874cba6f9a

SHA256
7d8c88e8a7374c2af52c3d6374f32bcb76163891e07076ae6cbd3b5fb9f90db7

SHA512
740028ddbb562a38fcdc8dc32696fc88351b50ad5bb01f523213fdebe64376727204bfab1d8731e6cc34cc69f3cbe596eff0aa61b2337e164bdea6ee858f97a5

Download Submit
C:\Windows\{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe

Filesize
103KB

MD5
62334a89213f6a5bbe7987f5457b545e

SHA1
3a5a2a7fc3dcda9f2676c7455f9f1971358dc7b0

SHA256
778fb42c621f792ad549f706b93d8e6fbc7ccf5c83e3eed07abeb70b7889ed3a

SHA512
cc6be1ec98467f1087c5a5648cbf3ab4a9585331b261d35548ca1918daacb24fa99a06fc656cb5bb41ff594347c17889ad695f6556db4a2bee62e87f656d69bc

Download Submit
C:\Windows\{C6CB82F3-6695-4e04-89A7-7F4B36F0D173}.exe

Filesize
103KB

MD5
62334a89213f6a5bbe7987f5457b545e

SHA1
3a5a2a7fc3dcda9f2676c7455f9f1971358dc7b0

SHA256
778fb42c621f792ad549f706b93d8e6fbc7ccf5c83e3eed07abeb70b7889ed3a

SHA512
cc6be1ec98467f1087c5a5648cbf3ab4a9585331b261d35548ca1918daacb24fa99a06fc656cb5bb41ff594347c17889ad695f6556db4a2bee62e87f656d69bc

Download Submit
C:\Windows\{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe

Filesize
103KB

MD5
ad98075ee3dd98fa77c3fa2ae0e35c1b

SHA1
14c91c96e812da09ac27cf2edcc901b2af31fc91

SHA256
5c065eaa118cfa43d8b5a61b170bbd81fd6c3c42ae16a0625da6c0ed93bbadf9

SHA512
c36c7cb241efb0d3cb572f0ba44d1ed94a969cdab5c393623338e1f0c611d34c20d71088822384d07f7ab96401bdafba7dbe4829d03216d25010d7a62805a7a6

Download Submit
C:\Windows\{DFF91ECA-84BC-487a-97F2-22A22B66A82F}.exe

Filesize
103KB

MD5
ad98075ee3dd98fa77c3fa2ae0e35c1b

SHA1
14c91c96e812da09ac27cf2edcc901b2af31fc91

SHA256
5c065eaa118cfa43d8b5a61b170bbd81fd6c3c42ae16a0625da6c0ed93bbadf9

SHA512
c36c7cb241efb0d3cb572f0ba44d1ed94a969cdab5c393623338e1f0c611d34c20d71088822384d07f7ab96401bdafba7dbe4829d03216d25010d7a62805a7a6

Download Submit
C:\Windows\{E86E4512-0C3E-4322-A10D-1187AD176FC9}.exe

Filesize
103KB

MD5
933ffc0ca7ec2c8f8421b7cf30d98b60

SHA1
b6cd0d0f114bc4fc672681d7daa3492c440670f7

SHA256
46552ff568b4ea83b1b5e1e9609208f77e94fd870ae2bd1c43e96a513f3231cd

SHA512
4f6e132c0f68a29a5c3cb9b0a1d3a4eb3a84ae66b7941e8c2d128427dc0e6c185a78853dbd47fc08d9406998c55475d02b0a07c31ea0932618bb0cccc018b53e

Download Submit
C:\Windows\{E86E4512-0C3E-4322-A10D-1187AD176FC9}.exe

Filesize
103KB

MD5
933ffc0ca7ec2c8f8421b7cf30d98b60

SHA1
b6cd0d0f114bc4fc672681d7daa3492c440670f7

SHA256
46552ff568b4ea83b1b5e1e9609208f77e94fd870ae2bd1c43e96a513f3231cd

SHA512
4f6e132c0f68a29a5c3cb9b0a1d3a4eb3a84ae66b7941e8c2d128427dc0e6c185a78853dbd47fc08d9406998c55475d02b0a07c31ea0932618bb0cccc018b53e

Download Submit
C:\Windows\{EB5EEF75-1F4E-4cd8-8AC0-D7628AE971C9}.exe

Filesize
103KB

MD5
e13d6e209aa62a87457a0aca760d26ba

SHA1
72f8522ec542c7e559f6fb95e1200f2d8cda25ba

SHA256
73c426a3d0a87f5d46d951dafc9d59145d2c855f38090fd897fdb8ad67246a49

SHA512
b5184a53251abd47abd7960e2fa68ba028050e6726041077b823cf76701eca7fae3d890bbf07a07aa87f6de7c9a69f83fa360a6021c1303f541771375ab09792

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads