ba2ba336b34a765262ec01870eeb8f3a343d876931443aea9b6e121e1a582faf

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 14:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.85e256e7a3295db9142e855d77a4fe20.exe
Size

60KB
MD5

85e256e7a3295db9142e855d77a4fe20
SHA1

fc00169003df379deccefbea24da218d17dcef4e
SHA256

ba2ba336b34a765262ec01870eeb8f3a343d876931443aea9b6e121e1a582faf
SHA512

ce1910ff01dd7656dc443d2a6b37f91509d4f399e00fbfdf3357f07f929897f095edc49fccd847c651dbd2b5ff1f0498f5520cea04e3080c8cecfddd1d9186dc
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqw6Y04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLrow4/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74CB7411-8ACC-4f90-9130-349C00C21C59}	{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B458A86-DC85-42cd-AB49-19F164DE4BA9}	{DDE230A2-906E-4010-8798-AE298867B86C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{897D4598-0185-4900-ACD6-58C1A798A3FF}	{5B458A86-DC85-42cd-AB49-19F164DE4BA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AE65F78-E09D-462e-8F94-9AA44FD956DD}	{897D4598-0185-4900-ACD6-58C1A798A3FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF33B03F-D9D1-4d92-B24F-796AB048E670}	{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}\stubpath = "C:\\Windows\\{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe"	{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09819D97-2819-41cb-8A46-3F90A641AC64}	{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09819D97-2819-41cb-8A46-3F90A641AC64}\stubpath = "C:\\Windows\\{09819D97-2819-41cb-8A46-3F90A641AC64}.exe"	{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDE230A2-906E-4010-8798-AE298867B86C}	{09819D97-2819-41cb-8A46-3F90A641AC64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AE65F78-E09D-462e-8F94-9AA44FD956DD}\stubpath = "C:\\Windows\\{4AE65F78-E09D-462e-8F94-9AA44FD956DD}.exe"	{897D4598-0185-4900-ACD6-58C1A798A3FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FB55A14-990A-4aec-9903-AC6A987632A3}\stubpath = "C:\\Windows\\{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe"	{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}\stubpath = "C:\\Windows\\{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe"	NEAS.85e256e7a3295db9142e855d77a4fe20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82A0A100-3305-4f95-BAEC-371087D1E9FA}\stubpath = "C:\\Windows\\{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe"	{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FB55A14-990A-4aec-9903-AC6A987632A3}	{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDE230A2-906E-4010-8798-AE298867B86C}\stubpath = "C:\\Windows\\{DDE230A2-906E-4010-8798-AE298867B86C}.exe"	{09819D97-2819-41cb-8A46-3F90A641AC64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B458A86-DC85-42cd-AB49-19F164DE4BA9}\stubpath = "C:\\Windows\\{5B458A86-DC85-42cd-AB49-19F164DE4BA9}.exe"	{DDE230A2-906E-4010-8798-AE298867B86C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{897D4598-0185-4900-ACD6-58C1A798A3FF}\stubpath = "C:\\Windows\\{897D4598-0185-4900-ACD6-58C1A798A3FF}.exe"	{5B458A86-DC85-42cd-AB49-19F164DE4BA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}	NEAS.85e256e7a3295db9142e855d77a4fe20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB791E62-C4FA-45da-8724-9D49FCA21381}	{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB791E62-C4FA-45da-8724-9D49FCA21381}\stubpath = "C:\\Windows\\{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe"	{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF33B03F-D9D1-4d92-B24F-796AB048E670}\stubpath = "C:\\Windows\\{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe"	{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74CB7411-8ACC-4f90-9130-349C00C21C59}\stubpath = "C:\\Windows\\{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe"	{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}	{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82A0A100-3305-4f95-BAEC-371087D1E9FA}	{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe

Deletes itself 1 IoCs

pid	Process
1908	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2972	{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe
2632	{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe
2304	{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe
2792	{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe
2592	{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe
2532	{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe
556	{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe
872	{09819D97-2819-41cb-8A46-3F90A641AC64}.exe
1384	{DDE230A2-906E-4010-8798-AE298867B86C}.exe
1708	{5B458A86-DC85-42cd-AB49-19F164DE4BA9}.exe
1704	{897D4598-0185-4900-ACD6-58C1A798A3FF}.exe
2088	{4AE65F78-E09D-462e-8F94-9AA44FD956DD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5B458A86-DC85-42cd-AB49-19F164DE4BA9}.exe	{DDE230A2-906E-4010-8798-AE298867B86C}.exe
File created	C:\Windows\{897D4598-0185-4900-ACD6-58C1A798A3FF}.exe	{5B458A86-DC85-42cd-AB49-19F164DE4BA9}.exe
File created	C:\Windows\{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe	NEAS.85e256e7a3295db9142e855d77a4fe20.exe
File created	C:\Windows\{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe	{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe
File created	C:\Windows\{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe	{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe
File created	C:\Windows\{09819D97-2819-41cb-8A46-3F90A641AC64}.exe	{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe
File created	C:\Windows\{DDE230A2-906E-4010-8798-AE298867B86C}.exe	{09819D97-2819-41cb-8A46-3F90A641AC64}.exe
File created	C:\Windows\{4AE65F78-E09D-462e-8F94-9AA44FD956DD}.exe	{897D4598-0185-4900-ACD6-58C1A798A3FF}.exe
File created	C:\Windows\{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe	{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe
File created	C:\Windows\{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe	{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe
File created	C:\Windows\{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe	{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe
File created	C:\Windows\{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe	{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2040	NEAS.85e256e7a3295db9142e855d77a4fe20.exe
Token: SeIncBasePriorityPrivilege	2972	{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe
Token: SeIncBasePriorityPrivilege	2632	{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe
Token: SeIncBasePriorityPrivilege	2304	{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe
Token: SeIncBasePriorityPrivilege	2792	{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe
Token: SeIncBasePriorityPrivilege	2592	{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe
Token: SeIncBasePriorityPrivilege	2532	{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe
Token: SeIncBasePriorityPrivilege	556	{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe
Token: SeIncBasePriorityPrivilege	872	{09819D97-2819-41cb-8A46-3F90A641AC64}.exe
Token: SeIncBasePriorityPrivilege	1384	{DDE230A2-906E-4010-8798-AE298867B86C}.exe
Token: SeIncBasePriorityPrivilege	1708	{5B458A86-DC85-42cd-AB49-19F164DE4BA9}.exe
Token: SeIncBasePriorityPrivilege	1704	{897D4598-0185-4900-ACD6-58C1A798A3FF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2972	2040	NEAS.85e256e7a3295db9142e855d77a4fe20.exe	28
PID 2040 wrote to memory of 2972	2040	NEAS.85e256e7a3295db9142e855d77a4fe20.exe	28
PID 2040 wrote to memory of 2972	2040	NEAS.85e256e7a3295db9142e855d77a4fe20.exe	28
PID 2040 wrote to memory of 2972	2040	NEAS.85e256e7a3295db9142e855d77a4fe20.exe	28
PID 2040 wrote to memory of 1908	2040	NEAS.85e256e7a3295db9142e855d77a4fe20.exe	29
PID 2040 wrote to memory of 1908	2040	NEAS.85e256e7a3295db9142e855d77a4fe20.exe	29
PID 2040 wrote to memory of 1908	2040	NEAS.85e256e7a3295db9142e855d77a4fe20.exe	29
PID 2040 wrote to memory of 1908	2040	NEAS.85e256e7a3295db9142e855d77a4fe20.exe	29
PID 2972 wrote to memory of 2632	2972	{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe	32
PID 2972 wrote to memory of 2632	2972	{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe	32
PID 2972 wrote to memory of 2632	2972	{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe	32
PID 2972 wrote to memory of 2632	2972	{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe	32
PID 2972 wrote to memory of 2812	2972	{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe	33
PID 2972 wrote to memory of 2812	2972	{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe	33
PID 2972 wrote to memory of 2812	2972	{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe	33
PID 2972 wrote to memory of 2812	2972	{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe	33
PID 2632 wrote to memory of 2304	2632	{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe	34
PID 2632 wrote to memory of 2304	2632	{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe	34
PID 2632 wrote to memory of 2304	2632	{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe	34
PID 2632 wrote to memory of 2304	2632	{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe	34
PID 2632 wrote to memory of 2596	2632	{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe	35
PID 2632 wrote to memory of 2596	2632	{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe	35
PID 2632 wrote to memory of 2596	2632	{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe	35
PID 2632 wrote to memory of 2596	2632	{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe	35
PID 2304 wrote to memory of 2792	2304	{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe	36
PID 2304 wrote to memory of 2792	2304	{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe	36
PID 2304 wrote to memory of 2792	2304	{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe	36
PID 2304 wrote to memory of 2792	2304	{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe	36
PID 2304 wrote to memory of 2192	2304	{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe	37
PID 2304 wrote to memory of 2192	2304	{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe	37
PID 2304 wrote to memory of 2192	2304	{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe	37
PID 2304 wrote to memory of 2192	2304	{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe	37
PID 2792 wrote to memory of 2592	2792	{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe	38
PID 2792 wrote to memory of 2592	2792	{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe	38
PID 2792 wrote to memory of 2592	2792	{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe	38
PID 2792 wrote to memory of 2592	2792	{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe	38
PID 2792 wrote to memory of 2496	2792	{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe	39
PID 2792 wrote to memory of 2496	2792	{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe	39
PID 2792 wrote to memory of 2496	2792	{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe	39
PID 2792 wrote to memory of 2496	2792	{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe	39
PID 2592 wrote to memory of 2532	2592	{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe	40
PID 2592 wrote to memory of 2532	2592	{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe	40
PID 2592 wrote to memory of 2532	2592	{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe	40
PID 2592 wrote to memory of 2532	2592	{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe	40
PID 2592 wrote to memory of 2928	2592	{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe	41
PID 2592 wrote to memory of 2928	2592	{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe	41
PID 2592 wrote to memory of 2928	2592	{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe	41
PID 2592 wrote to memory of 2928	2592	{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe	41
PID 2532 wrote to memory of 556	2532	{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe	42
PID 2532 wrote to memory of 556	2532	{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe	42
PID 2532 wrote to memory of 556	2532	{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe	42
PID 2532 wrote to memory of 556	2532	{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe	42
PID 2532 wrote to memory of 1468	2532	{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe	43
PID 2532 wrote to memory of 1468	2532	{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe	43
PID 2532 wrote to memory of 1468	2532	{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe	43
PID 2532 wrote to memory of 1468	2532	{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe	43
PID 556 wrote to memory of 872	556	{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe	44
PID 556 wrote to memory of 872	556	{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe	44
PID 556 wrote to memory of 872	556	{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe	44
PID 556 wrote to memory of 872	556	{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe	44
PID 556 wrote to memory of 2424	556	{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe	45
PID 556 wrote to memory of 2424	556	{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe	45
PID 556 wrote to memory of 2424	556	{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe	45
PID 556 wrote to memory of 2424	556	{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.85e256e7a3295db9142e855d77a4fe20.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.85e256e7a3295db9142e855d77a4fe20.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe
  C:\Windows\{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe
    C:\Windows\{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe
      C:\Windows\{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe
        
        C:\Windows\{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe
        
        C:\Windows\{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe
        
        C:\Windows\{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe
        
        C:\Windows\{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\{09819D97-2819-41cb-8A46-3F90A641AC64}.exe
        
        C:\Windows\{09819D97-2819-41cb-8A46-3F90A641AC64}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\{DDE230A2-906E-4010-8798-AE298867B86C}.exe
        
        C:\Windows\{DDE230A2-906E-4010-8798-AE298867B86C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\{5B458A86-DC85-42cd-AB49-19F164DE4BA9}.exe
        
        C:\Windows\{5B458A86-DC85-42cd-AB49-19F164DE4BA9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\{897D4598-0185-4900-ACD6-58C1A798A3FF}.exe
        
        C:\Windows\{897D4598-0185-4900-ACD6-58C1A798A3FF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\{4AE65F78-E09D-462e-8F94-9AA44FD956DD}.exe
        
        C:\Windows\{4AE65F78-E09D-462e-8F94-9AA44FD956DD}.exe
        13⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{897D4~1.EXE > nul
        13⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B458~1.EXE > nul
        12⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDE23~1.EXE > nul
        11⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09819~1.EXE > nul
        10⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C6E0~1.EXE > nul
        9⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74CB7~1.EXE > nul
        8⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF33B~1.EXE > nul
        7⤵
        
        PID:2928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB791~1.EXE > nul
        6⤵
        
        PID:2496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FB55~1.EXE > nul
        5⤵
        
        PID:2192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{82A0A~1.EXE > nul
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0E2E1~1.EXE > nul
    3⤵
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS85~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09819D97-2819-41cb-8A46-3F90A641AC64}.exe

Filesize
60KB

MD5
1a3be00c576fb1f4910dbbbcafd3c485

SHA1
cc3882e1948fedcd483aee8a73831866fab41198

SHA256
fa49318a4b2d609a5b837b87bf851ddf1ebf7ed96c4804bd9fef3e420f732509

SHA512
de3b1589646320ca3a7b26075a61a0c7cee0e2118e0a9246899414eaf7795f01019464298e4418b93705c4be20ba68c77920df66692988f15a933bebd78842d6

Download Submit
C:\Windows\{09819D97-2819-41cb-8A46-3F90A641AC64}.exe

Filesize
60KB

MD5
1a3be00c576fb1f4910dbbbcafd3c485

SHA1
cc3882e1948fedcd483aee8a73831866fab41198

SHA256
fa49318a4b2d609a5b837b87bf851ddf1ebf7ed96c4804bd9fef3e420f732509

SHA512
de3b1589646320ca3a7b26075a61a0c7cee0e2118e0a9246899414eaf7795f01019464298e4418b93705c4be20ba68c77920df66692988f15a933bebd78842d6

Download Submit
C:\Windows\{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe

Filesize
60KB

MD5
e4658ab90ad9dd4db347f6579fa3b69d

SHA1
bb967e8b9531dc94841c2139871e792cfba6e6f8

SHA256
24f4623f093b826f88811db565a70bd6e3013442d2a98f4b963797212163803d

SHA512
4f2c6e39cf38dac47c95e37836dbe99dce3458637b9b38c30916d0039c7e0b09ca61d7fc42d02b108cae5d87d7e3a1b30cb7b94413e273731ee0f2b64a904395

Download Submit
C:\Windows\{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe

Filesize
60KB

MD5
e4658ab90ad9dd4db347f6579fa3b69d

SHA1
bb967e8b9531dc94841c2139871e792cfba6e6f8

SHA256
24f4623f093b826f88811db565a70bd6e3013442d2a98f4b963797212163803d

SHA512
4f2c6e39cf38dac47c95e37836dbe99dce3458637b9b38c30916d0039c7e0b09ca61d7fc42d02b108cae5d87d7e3a1b30cb7b94413e273731ee0f2b64a904395

Download Submit
C:\Windows\{0E2E1BB6-B324-4dfa-9A60-9E381A64C1AF}.exe

Filesize
60KB

MD5
e4658ab90ad9dd4db347f6579fa3b69d

SHA1
bb967e8b9531dc94841c2139871e792cfba6e6f8

SHA256
24f4623f093b826f88811db565a70bd6e3013442d2a98f4b963797212163803d

SHA512
4f2c6e39cf38dac47c95e37836dbe99dce3458637b9b38c30916d0039c7e0b09ca61d7fc42d02b108cae5d87d7e3a1b30cb7b94413e273731ee0f2b64a904395

Download Submit
C:\Windows\{4AE65F78-E09D-462e-8F94-9AA44FD956DD}.exe

Filesize
60KB

MD5
638a78e49b1af9263092d43f8efaa3fa

SHA1
e7f11f10749577aacbec54be08c1498b7a638dd1

SHA256
992ee24e2ca04c5711fbb77a8cb5ffc287be522134e59f0f1974a02d5482d25e

SHA512
273d5e2aa0181392727e468e9d7f8f90b0204fac2dd2f7718075212ca089660350f243a214d4a401e375b6489280b10e76f886bf1cd01d16037bb7071d8a9856

Download Submit
C:\Windows\{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe

Filesize
60KB

MD5
44f85969309595cc0bda909784514050

SHA1
757fc12c176c64e5b905e63786a05e12e40c2e4f

SHA256
94be8f10cad40d92be84073f5853e8ff890572c7e502b8218a0eb9c766205e53

SHA512
761da48ee1e4a79c1a5701db4f58533625bcfa467ec554b1eb4cf6ff81a4db7a71063e225f93e6f4ec75911a56f08acd2e32291fb915a8d320c22f443aaf23b2

Download Submit
C:\Windows\{4C6E018F-6D8F-4af9-9E5C-E2C5D3F7AA46}.exe

Filesize
60KB

MD5
44f85969309595cc0bda909784514050

SHA1
757fc12c176c64e5b905e63786a05e12e40c2e4f

SHA256
94be8f10cad40d92be84073f5853e8ff890572c7e502b8218a0eb9c766205e53

SHA512
761da48ee1e4a79c1a5701db4f58533625bcfa467ec554b1eb4cf6ff81a4db7a71063e225f93e6f4ec75911a56f08acd2e32291fb915a8d320c22f443aaf23b2

Download Submit
C:\Windows\{5B458A86-DC85-42cd-AB49-19F164DE4BA9}.exe

Filesize
60KB

MD5
4fd6cf299ba4595e51478ecd8b8136b0

SHA1
c91dc0ee088b4464b8b2e9c758850103cb4dbf81

SHA256
2587801624111f4aa13d547280770bc9759e986a2724a0038c7d17410cedc665

SHA512
d74cb3da0637429d8b47e479e73436ed8bf320af3f3c9d756b8ee7fc89a3f54ed88075db37e6c3622132f88caa481eeda91fd6e8f31332824864bf42ddcced87

Download Submit
C:\Windows\{5B458A86-DC85-42cd-AB49-19F164DE4BA9}.exe

Filesize
60KB

MD5
4fd6cf299ba4595e51478ecd8b8136b0

SHA1
c91dc0ee088b4464b8b2e9c758850103cb4dbf81

SHA256
2587801624111f4aa13d547280770bc9759e986a2724a0038c7d17410cedc665

SHA512
d74cb3da0637429d8b47e479e73436ed8bf320af3f3c9d756b8ee7fc89a3f54ed88075db37e6c3622132f88caa481eeda91fd6e8f31332824864bf42ddcced87

Download Submit
C:\Windows\{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe

Filesize
60KB

MD5
1c9d683f25462318b1fc0f007fc010b5

SHA1
af6fbaf9d79186fc3db666b4a1c030bfbcf01fdc

SHA256
8b2321b750c763ab30a186102a67b1bbb077c14a0fa21c19b572407358266a9e

SHA512
ff2c2abfc79c0fb99fd0776c397d5c68ecbf492c1124b8e7257750ee803f7de04886e3d43c97fd4ce4aa028d93c1b03e240a2ed7fbd20355f2c45ae966b7d53c

Download Submit
C:\Windows\{5FB55A14-990A-4aec-9903-AC6A987632A3}.exe

Filesize
60KB

MD5
1c9d683f25462318b1fc0f007fc010b5

SHA1
af6fbaf9d79186fc3db666b4a1c030bfbcf01fdc

SHA256
8b2321b750c763ab30a186102a67b1bbb077c14a0fa21c19b572407358266a9e

SHA512
ff2c2abfc79c0fb99fd0776c397d5c68ecbf492c1124b8e7257750ee803f7de04886e3d43c97fd4ce4aa028d93c1b03e240a2ed7fbd20355f2c45ae966b7d53c

Download Submit
C:\Windows\{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe

Filesize
60KB

MD5
d1fd405a995b7aaa904fbde3a43e6a11

SHA1
fae29f7b6b5442e10109605efea23fb3a654e82b

SHA256
bfc7b621f2b36553d82ca88e23c4242005072c316f7fdc5b35957097ac1f33ae

SHA512
2f884a589ed76309d58cdd2efe28fefcb98f1c423b6653451e2a97531ed5163c4212733cd351c46ba821ef5a484bff63156b13abb2628b22b957aef44214bdae

Download Submit
C:\Windows\{74CB7411-8ACC-4f90-9130-349C00C21C59}.exe

Filesize
60KB

MD5
d1fd405a995b7aaa904fbde3a43e6a11

SHA1
fae29f7b6b5442e10109605efea23fb3a654e82b

SHA256
bfc7b621f2b36553d82ca88e23c4242005072c316f7fdc5b35957097ac1f33ae

SHA512
2f884a589ed76309d58cdd2efe28fefcb98f1c423b6653451e2a97531ed5163c4212733cd351c46ba821ef5a484bff63156b13abb2628b22b957aef44214bdae

Download Submit
C:\Windows\{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe

Filesize
60KB

MD5
b1932d8983c61e01825a990555567fc7

SHA1
90394db85beba3ebab4b979edcf30b3672e461c6

SHA256
ea9c3492f0759bc12103133dae2534ac60f87d9d99221c959e9dbf8be90a05de

SHA512
0bb61e1f6315b0427034d690f82d00621cccab3538b0d63bac410a2883da790a89a688f683e040f3ec9b76f885b9afea7167adad714595f457acc07aea19f652

Download Submit
C:\Windows\{82A0A100-3305-4f95-BAEC-371087D1E9FA}.exe

Filesize
60KB

MD5
b1932d8983c61e01825a990555567fc7

SHA1
90394db85beba3ebab4b979edcf30b3672e461c6

SHA256
ea9c3492f0759bc12103133dae2534ac60f87d9d99221c959e9dbf8be90a05de

SHA512
0bb61e1f6315b0427034d690f82d00621cccab3538b0d63bac410a2883da790a89a688f683e040f3ec9b76f885b9afea7167adad714595f457acc07aea19f652

Download Submit
C:\Windows\{897D4598-0185-4900-ACD6-58C1A798A3FF}.exe

Filesize
60KB

MD5
d09227c083ad1403bc32010df1485ff9

SHA1
f468319235eeb570ed7a42a1fa8840b7c05e988a

SHA256
ac702cefa4abba1eed4a053b1b7756d07159628f71aade1ea046f4e6e02796e2

SHA512
7dc3ce20f2b50cbc535003eecc6f949f2b5e9c716c21006f9f1180fd03971925c36e3849991597e75323cceb734252967df405c1a58879fa2b9898717eefd79b

Download Submit
C:\Windows\{897D4598-0185-4900-ACD6-58C1A798A3FF}.exe

Filesize
60KB

MD5
d09227c083ad1403bc32010df1485ff9

SHA1
f468319235eeb570ed7a42a1fa8840b7c05e988a

SHA256
ac702cefa4abba1eed4a053b1b7756d07159628f71aade1ea046f4e6e02796e2

SHA512
7dc3ce20f2b50cbc535003eecc6f949f2b5e9c716c21006f9f1180fd03971925c36e3849991597e75323cceb734252967df405c1a58879fa2b9898717eefd79b

Download Submit
C:\Windows\{DDE230A2-906E-4010-8798-AE298867B86C}.exe

Filesize
60KB

MD5
3c862a3f1da4f30437a680c003d5917a

SHA1
3e43d9f5c08ea98d5bc44f9751db5032a2c96139

SHA256
6959e9a75baf481bd953541d6a38226fcfaed424d0f0dcea55186ff19d70e2a5

SHA512
8fc5df4dbd412458d7508569d4251d393f504f1788051dede550719869e9e9fe453c5b766b2171c1cabcaae9440673ba1f119fe119eca5daae2539e282add80e

Download Submit
C:\Windows\{DDE230A2-906E-4010-8798-AE298867B86C}.exe

Filesize
60KB

MD5
3c862a3f1da4f30437a680c003d5917a

SHA1
3e43d9f5c08ea98d5bc44f9751db5032a2c96139

SHA256
6959e9a75baf481bd953541d6a38226fcfaed424d0f0dcea55186ff19d70e2a5

SHA512
8fc5df4dbd412458d7508569d4251d393f504f1788051dede550719869e9e9fe453c5b766b2171c1cabcaae9440673ba1f119fe119eca5daae2539e282add80e

Download Submit
C:\Windows\{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe

Filesize
60KB

MD5
d06d57ef65b3acffea3d67bea40e5765

SHA1
494924408d536a67e36e132f4782293ebc010c28

SHA256
e9625d7b0edc0aa2a03268c5002e3c50961a101a3dfa97dd336847b5f221870d

SHA512
81406b4221de9338d6f162de1a334b9d8c77b7d4eda8898f694828f1c724a679b7ab10ca663312c643c5e82275d0d3be7f63e76a83f2b076c052bd5b827a0308

Download Submit
C:\Windows\{FB791E62-C4FA-45da-8724-9D49FCA21381}.exe

Filesize
60KB

MD5
d06d57ef65b3acffea3d67bea40e5765

SHA1
494924408d536a67e36e132f4782293ebc010c28

SHA256
e9625d7b0edc0aa2a03268c5002e3c50961a101a3dfa97dd336847b5f221870d

SHA512
81406b4221de9338d6f162de1a334b9d8c77b7d4eda8898f694828f1c724a679b7ab10ca663312c643c5e82275d0d3be7f63e76a83f2b076c052bd5b827a0308

Download Submit
C:\Windows\{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe

Filesize
60KB

MD5
bf77c38308bb283835abb3e2fd045dc7

SHA1
6fd74e79ef0a1fb495c384490ed7215812376970

SHA256
78b574ca181055f3f5261ddd3afcd0fa2a58925ff946295f1c611fa3d2ae2492

SHA512
b8b4ca4e0970a077816b5da97bfc6ca4f6d1aa8e716d31f2f3836d72f0ff6b1b5d62ad2675b0e4a5622245ab0ff2c98a114b839738310053b811f8ebc7729716

Download Submit
C:\Windows\{FF33B03F-D9D1-4d92-B24F-796AB048E670}.exe

Filesize
60KB

MD5
bf77c38308bb283835abb3e2fd045dc7

SHA1
6fd74e79ef0a1fb495c384490ed7215812376970

SHA256
78b574ca181055f3f5261ddd3afcd0fa2a58925ff946295f1c611fa3d2ae2492

SHA512
b8b4ca4e0970a077816b5da97bfc6ca4f6d1aa8e716d31f2f3836d72f0ff6b1b5d62ad2675b0e4a5622245ab0ff2c98a114b839738310053b811f8ebc7729716

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads