1cd34677ab9add040fcfd917d98319ee4011c2a06ba2c01e0572bb49977bc71f

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c8aca3271c791762c193096937c7f3c0_JC.exe
Size

60KB
MD5

c8aca3271c791762c193096937c7f3c0
SHA1

67586b914db27e608324d56363b594a95bbd6380
SHA256

1cd34677ab9add040fcfd917d98319ee4011c2a06ba2c01e0572bb49977bc71f
SHA512

b2349f0f11a168e75985cc706c3ce375664bfd8740f09d869260620464de33b5ba0acadf99ee72fe25ca8f0f8aeac383001bc890e9721847ad5ec6684ab4cb41
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLrod4/CFsrdHWMZ:vvw9816vhKQLrod4/wQpWMZ

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}\stubpath = "C:\\Windows\\{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe"	{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4872838-CD15-4758-9BE8-E26914A8C4D4}\stubpath = "C:\\Windows\\{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe"	NEAS.c8aca3271c791762c193096937c7f3c0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{654059C0-BB32-464f-8E59-E37A5DABCB03}\stubpath = "C:\\Windows\\{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe"	{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}	{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}\stubpath = "C:\\Windows\\{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe"	{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}	{408615AD-7034-44b8-8489-FB0A07097134}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4417C618-04BD-4aea-A249-72035FAD0FDF}	{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{683A3C11-3403-44c4-AD8F-B3B62A29452F}	{4417C618-04BD-4aea-A249-72035FAD0FDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{683A3C11-3403-44c4-AD8F-B3B62A29452F}\stubpath = "C:\\Windows\\{683A3C11-3403-44c4-AD8F-B3B62A29452F}.exe"	{4417C618-04BD-4aea-A249-72035FAD0FDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE43551F-2C1D-4430-B306-F0E33F4D1335}	{683A3C11-3403-44c4-AD8F-B3B62A29452F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DEEF44A-BCAB-48cd-944C-FEE83475DB48}\stubpath = "C:\\Windows\\{4DEEF44A-BCAB-48cd-944C-FEE83475DB48}.exe"	{B70BB45F-98D6-404d-98B7-08573A31BD92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4872838-CD15-4758-9BE8-E26914A8C4D4}	NEAS.c8aca3271c791762c193096937c7f3c0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{654059C0-BB32-464f-8E59-E37A5DABCB03}	{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}	{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{516EF549-30AF-43f8-B362-9F3F5DCFF830}\stubpath = "C:\\Windows\\{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe"	{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{408615AD-7034-44b8-8489-FB0A07097134}	{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{408615AD-7034-44b8-8489-FB0A07097134}\stubpath = "C:\\Windows\\{408615AD-7034-44b8-8489-FB0A07097134}.exe"	{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4417C618-04BD-4aea-A249-72035FAD0FDF}\stubpath = "C:\\Windows\\{4417C618-04BD-4aea-A249-72035FAD0FDF}.exe"	{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE43551F-2C1D-4430-B306-F0E33F4D1335}\stubpath = "C:\\Windows\\{DE43551F-2C1D-4430-B306-F0E33F4D1335}.exe"	{683A3C11-3403-44c4-AD8F-B3B62A29452F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B70BB45F-98D6-404d-98B7-08573A31BD92}	{DE43551F-2C1D-4430-B306-F0E33F4D1335}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DEEF44A-BCAB-48cd-944C-FEE83475DB48}	{B70BB45F-98D6-404d-98B7-08573A31BD92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{516EF549-30AF-43f8-B362-9F3F5DCFF830}	{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}\stubpath = "C:\\Windows\\{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe"	{408615AD-7034-44b8-8489-FB0A07097134}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B70BB45F-98D6-404d-98B7-08573A31BD92}\stubpath = "C:\\Windows\\{B70BB45F-98D6-404d-98B7-08573A31BD92}.exe"	{DE43551F-2C1D-4430-B306-F0E33F4D1335}.exe

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2936	{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe
2684	{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe
2816	{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe
2696	{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe
2544	{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe
2228	{408615AD-7034-44b8-8489-FB0A07097134}.exe
2132	{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe
2904	{4417C618-04BD-4aea-A249-72035FAD0FDF}.exe
324	{683A3C11-3403-44c4-AD8F-B3B62A29452F}.exe
108	{DE43551F-2C1D-4430-B306-F0E33F4D1335}.exe
1960	{B70BB45F-98D6-404d-98B7-08573A31BD92}.exe
2136	{4DEEF44A-BCAB-48cd-944C-FEE83475DB48}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe	NEAS.c8aca3271c791762c193096937c7f3c0_JC.exe
File created	C:\Windows\{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe	{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe
File created	C:\Windows\{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe	{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe
File created	C:\Windows\{683A3C11-3403-44c4-AD8F-B3B62A29452F}.exe	{4417C618-04BD-4aea-A249-72035FAD0FDF}.exe
File created	C:\Windows\{B70BB45F-98D6-404d-98B7-08573A31BD92}.exe	{DE43551F-2C1D-4430-B306-F0E33F4D1335}.exe
File created	C:\Windows\{4DEEF44A-BCAB-48cd-944C-FEE83475DB48}.exe	{B70BB45F-98D6-404d-98B7-08573A31BD92}.exe
File created	C:\Windows\{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe	{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe
File created	C:\Windows\{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe	{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe
File created	C:\Windows\{408615AD-7034-44b8-8489-FB0A07097134}.exe	{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe
File created	C:\Windows\{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe	{408615AD-7034-44b8-8489-FB0A07097134}.exe
File created	C:\Windows\{4417C618-04BD-4aea-A249-72035FAD0FDF}.exe	{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe
File created	C:\Windows\{DE43551F-2C1D-4430-B306-F0E33F4D1335}.exe	{683A3C11-3403-44c4-AD8F-B3B62A29452F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2344	NEAS.c8aca3271c791762c193096937c7f3c0_JC.exe
Token: SeIncBasePriorityPrivilege	2936	{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe
Token: SeIncBasePriorityPrivilege	2684	{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe
Token: SeIncBasePriorityPrivilege	2816	{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe
Token: SeIncBasePriorityPrivilege	2696	{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe
Token: SeIncBasePriorityPrivilege	2544	{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe
Token: SeIncBasePriorityPrivilege	2228	{408615AD-7034-44b8-8489-FB0A07097134}.exe
Token: SeIncBasePriorityPrivilege	2132	{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe
Token: SeIncBasePriorityPrivilege	2904	{4417C618-04BD-4aea-A249-72035FAD0FDF}.exe
Token: SeIncBasePriorityPrivilege	324	{683A3C11-3403-44c4-AD8F-B3B62A29452F}.exe
Token: SeIncBasePriorityPrivilege	108	{DE43551F-2C1D-4430-B306-F0E33F4D1335}.exe
Token: SeIncBasePriorityPrivilege	1960	{B70BB45F-98D6-404d-98B7-08573A31BD92}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2936	2344	NEAS.c8aca3271c791762c193096937c7f3c0_JC.exe	28
PID 2344 wrote to memory of 2936	2344	NEAS.c8aca3271c791762c193096937c7f3c0_JC.exe	28
PID 2344 wrote to memory of 2936	2344	NEAS.c8aca3271c791762c193096937c7f3c0_JC.exe	28
PID 2344 wrote to memory of 2936	2344	NEAS.c8aca3271c791762c193096937c7f3c0_JC.exe	28
PID 2344 wrote to memory of 2712	2344	NEAS.c8aca3271c791762c193096937c7f3c0_JC.exe	29
PID 2344 wrote to memory of 2712	2344	NEAS.c8aca3271c791762c193096937c7f3c0_JC.exe	29
PID 2344 wrote to memory of 2712	2344	NEAS.c8aca3271c791762c193096937c7f3c0_JC.exe	29
PID 2344 wrote to memory of 2712	2344	NEAS.c8aca3271c791762c193096937c7f3c0_JC.exe	29
PID 2936 wrote to memory of 2684	2936	{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe	30
PID 2936 wrote to memory of 2684	2936	{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe	30
PID 2936 wrote to memory of 2684	2936	{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe	30
PID 2936 wrote to memory of 2684	2936	{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe	30
PID 2936 wrote to memory of 2772	2936	{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe	31
PID 2936 wrote to memory of 2772	2936	{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe	31
PID 2936 wrote to memory of 2772	2936	{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe	31
PID 2936 wrote to memory of 2772	2936	{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe	31
PID 2684 wrote to memory of 2816	2684	{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe	33
PID 2684 wrote to memory of 2816	2684	{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe	33
PID 2684 wrote to memory of 2816	2684	{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe	33
PID 2684 wrote to memory of 2816	2684	{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe	33
PID 2684 wrote to memory of 2892	2684	{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe	35
PID 2684 wrote to memory of 2892	2684	{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe	35
PID 2684 wrote to memory of 2892	2684	{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe	35
PID 2684 wrote to memory of 2892	2684	{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe	35
PID 2816 wrote to memory of 2696	2816	{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe	36
PID 2816 wrote to memory of 2696	2816	{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe	36
PID 2816 wrote to memory of 2696	2816	{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe	36
PID 2816 wrote to memory of 2696	2816	{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe	36
PID 2816 wrote to memory of 1860	2816	{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe	37
PID 2816 wrote to memory of 1860	2816	{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe	37
PID 2816 wrote to memory of 1860	2816	{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe	37
PID 2816 wrote to memory of 1860	2816	{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe	37
PID 2696 wrote to memory of 2544	2696	{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe	39
PID 2696 wrote to memory of 2544	2696	{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe	39
PID 2696 wrote to memory of 2544	2696	{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe	39
PID 2696 wrote to memory of 2544	2696	{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe	39
PID 2696 wrote to memory of 2600	2696	{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe	38
PID 2696 wrote to memory of 2600	2696	{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe	38
PID 2696 wrote to memory of 2600	2696	{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe	38
PID 2696 wrote to memory of 2600	2696	{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe	38
PID 2544 wrote to memory of 2228	2544	{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe	40
PID 2544 wrote to memory of 2228	2544	{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe	40
PID 2544 wrote to memory of 2228	2544	{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe	40
PID 2544 wrote to memory of 2228	2544	{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe	40
PID 2544 wrote to memory of 2064	2544	{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe	41
PID 2544 wrote to memory of 2064	2544	{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe	41
PID 2544 wrote to memory of 2064	2544	{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe	41
PID 2544 wrote to memory of 2064	2544	{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe	41
PID 2228 wrote to memory of 2132	2228	{408615AD-7034-44b8-8489-FB0A07097134}.exe	42
PID 2228 wrote to memory of 2132	2228	{408615AD-7034-44b8-8489-FB0A07097134}.exe	42
PID 2228 wrote to memory of 2132	2228	{408615AD-7034-44b8-8489-FB0A07097134}.exe	42
PID 2228 wrote to memory of 2132	2228	{408615AD-7034-44b8-8489-FB0A07097134}.exe	42
PID 2228 wrote to memory of 2880	2228	{408615AD-7034-44b8-8489-FB0A07097134}.exe	43
PID 2228 wrote to memory of 2880	2228	{408615AD-7034-44b8-8489-FB0A07097134}.exe	43
PID 2228 wrote to memory of 2880	2228	{408615AD-7034-44b8-8489-FB0A07097134}.exe	43
PID 2228 wrote to memory of 2880	2228	{408615AD-7034-44b8-8489-FB0A07097134}.exe	43
PID 2132 wrote to memory of 2904	2132	{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe	44
PID 2132 wrote to memory of 2904	2132	{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe	44
PID 2132 wrote to memory of 2904	2132	{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe	44
PID 2132 wrote to memory of 2904	2132	{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe	44
PID 2132 wrote to memory of 1756	2132	{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe	45
PID 2132 wrote to memory of 1756	2132	{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe	45
PID 2132 wrote to memory of 1756	2132	{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe	45
PID 2132 wrote to memory of 1756	2132	{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.c8aca3271c791762c193096937c7f3c0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c8aca3271c791762c193096937c7f3c0_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe
  C:\Windows\{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe
    C:\Windows\{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe
      C:\Windows\{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe
        
        C:\Windows\{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C9E3~1.EXE > nul
        6⤵
        
        PID:2600
      - C:\Windows\{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe
        
        C:\Windows\{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\{408615AD-7034-44b8-8489-FB0A07097134}.exe
        
        C:\Windows\{408615AD-7034-44b8-8489-FB0A07097134}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe
        
        C:\Windows\{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\{4417C618-04BD-4aea-A249-72035FAD0FDF}.exe
        
        C:\Windows\{4417C618-04BD-4aea-A249-72035FAD0FDF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\{683A3C11-3403-44c4-AD8F-B3B62A29452F}.exe
        
        C:\Windows\{683A3C11-3403-44c4-AD8F-B3B62A29452F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\{DE43551F-2C1D-4430-B306-F0E33F4D1335}.exe
        
        C:\Windows\{DE43551F-2C1D-4430-B306-F0E33F4D1335}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
        
        C:\Windows\{B70BB45F-98D6-404d-98B7-08573A31BD92}.exe
        
        C:\Windows\{B70BB45F-98D6-404d-98B7-08573A31BD92}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\{4DEEF44A-BCAB-48cd-944C-FEE83475DB48}.exe
        
        C:\Windows\{4DEEF44A-BCAB-48cd-944C-FEE83475DB48}.exe
        13⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B70BB~1.EXE > nul
        13⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE435~1.EXE > nul
        12⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{683A3~1.EXE > nul
        11⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4417C~1.EXE > nul
        10⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54A99~1.EXE > nul
        9⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40861~1.EXE > nul
        8⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{516EF~1.EXE > nul
        7⤵
        
        PID:2064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B1BF~1.EXE > nul
        5⤵
        
        PID:1860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{65405~1.EXE > nul
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C4872~1.EXE > nul
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEASC8~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe

Filesize
60KB

MD5
846389a5a93a6e354516f656fabd188f

SHA1
d04b0cd2ee97ada1c8606f7912c09f11a5084c33

SHA256
86a31615b7550b6ccfa9aa507137b4becc53f1360bf10f663342e493167fe864

SHA512
2f388c49ac053fbe5de44c958a8c9437c8625eb31b09c8285b30f22de580d364948ac797dfef1cdc62f855099fba9441353a7e9a24dd4288c1ba57d14ea2ee2f

Download Submit
C:\Windows\{2B1BF1A1-E00D-420a-A46F-ED2F84AD8006}.exe

Filesize
60KB

MD5
846389a5a93a6e354516f656fabd188f

SHA1
d04b0cd2ee97ada1c8606f7912c09f11a5084c33

SHA256
86a31615b7550b6ccfa9aa507137b4becc53f1360bf10f663342e493167fe864

SHA512
2f388c49ac053fbe5de44c958a8c9437c8625eb31b09c8285b30f22de580d364948ac797dfef1cdc62f855099fba9441353a7e9a24dd4288c1ba57d14ea2ee2f

Download Submit
C:\Windows\{408615AD-7034-44b8-8489-FB0A07097134}.exe

Filesize
60KB

MD5
2ec982eb44bf3db0ed545bb0e4ec18c8

SHA1
3c4b288297f793a8d1c82cd774f363fcb44ab59c

SHA256
b8dee658f4a6ca6de0e4c6d889878e4fec8b957f8c57e34d8bd46674394ad5ed

SHA512
7355bef1f6edcbe66850a9b7e9e568d7cfd6989c14084c4d1255b144770d26169cb50782a2773bc261ef550e1f8802c16fa08bfd55348b3fecd508c3cede23cd

Download Submit
C:\Windows\{408615AD-7034-44b8-8489-FB0A07097134}.exe

Filesize
60KB

MD5
2ec982eb44bf3db0ed545bb0e4ec18c8

SHA1
3c4b288297f793a8d1c82cd774f363fcb44ab59c

SHA256
b8dee658f4a6ca6de0e4c6d889878e4fec8b957f8c57e34d8bd46674394ad5ed

SHA512
7355bef1f6edcbe66850a9b7e9e568d7cfd6989c14084c4d1255b144770d26169cb50782a2773bc261ef550e1f8802c16fa08bfd55348b3fecd508c3cede23cd

Download Submit
C:\Windows\{4417C618-04BD-4aea-A249-72035FAD0FDF}.exe

Filesize
60KB

MD5
9fdeb8a72e3d8f1417c56895c5e2e41c

SHA1
db4a15991ac0e129e14ae73b646f1e6227992a1c

SHA256
097c2197d13ca50ef91bd2edc3a7fe9abf24a7280482d4b47291d08c65df5b81

SHA512
dd1da645a0f92424a3f88d2f70f0f36fd4c1980fbce5bfe42543b07813e230c7d5d85bf1fc15357110df56ef354418e6f920803253908f393ff74531274307ce

Download Submit
C:\Windows\{4417C618-04BD-4aea-A249-72035FAD0FDF}.exe

Filesize
60KB

MD5
9fdeb8a72e3d8f1417c56895c5e2e41c

SHA1
db4a15991ac0e129e14ae73b646f1e6227992a1c

SHA256
097c2197d13ca50ef91bd2edc3a7fe9abf24a7280482d4b47291d08c65df5b81

SHA512
dd1da645a0f92424a3f88d2f70f0f36fd4c1980fbce5bfe42543b07813e230c7d5d85bf1fc15357110df56ef354418e6f920803253908f393ff74531274307ce

Download Submit
C:\Windows\{4DEEF44A-BCAB-48cd-944C-FEE83475DB48}.exe

Filesize
60KB

MD5
ccf395c8f62783612088ec532a1b5174

SHA1
3548d0bc3c7ab575e70eaf88cdda30f88080c3f4

SHA256
98d9803a0008c6dd1ac8649855071ab30306a1391099e2e6997595738f8cdd51

SHA512
f0774f9cdcad8e25e44fa204c6801ec208938bb185d253ed4454b3a14d860cc0812e57c3865278356534b3de3c4fad1b0e02dbd26ece95b2340006900ab00228

Download Submit
C:\Windows\{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe

Filesize
60KB

MD5
789a66b1fab10d9098e940e0af96cc2f

SHA1
121a113490e5b5fcea7cf31607f2c866cd327955

SHA256
e1278ddfddde41d454c42ed9df00104e6414df1fc6dbcb84d5894f95530b5876

SHA512
f1324434bc7c8f78f7d034eaeff4d0b0cb45599fe13ec999c3dab2b9f33f163df73e3749aaae9322805b1401f368a910d7536f17e7a74e463a9a11fb9aca849f

Download Submit
C:\Windows\{516EF549-30AF-43f8-B362-9F3F5DCFF830}.exe

Filesize
60KB

MD5
789a66b1fab10d9098e940e0af96cc2f

SHA1
121a113490e5b5fcea7cf31607f2c866cd327955

SHA256
e1278ddfddde41d454c42ed9df00104e6414df1fc6dbcb84d5894f95530b5876

SHA512
f1324434bc7c8f78f7d034eaeff4d0b0cb45599fe13ec999c3dab2b9f33f163df73e3749aaae9322805b1401f368a910d7536f17e7a74e463a9a11fb9aca849f

Download Submit
C:\Windows\{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe

Filesize
60KB

MD5
d05d185b0fbb8cab8f374dba6e06b6a4

SHA1
a33b255873420ed101732724855a5a39abe7ff0b

SHA256
871e20886f0204200a5da93b5275800428ed98472b20591a4da0c6f19d6e7512

SHA512
316aa4b09c7f5701739c7afaee5ae9ae4493d78cde2b02ea80a52a0f317bf69f89d1bf52783399bf74e9315fc94d956d0b540a83853c8e7200bbb4cba4124fbf

Download Submit
C:\Windows\{54A99D36-2BA8-43f2-8E00-CBB7B9436B2A}.exe

Filesize
60KB

MD5
d05d185b0fbb8cab8f374dba6e06b6a4

SHA1
a33b255873420ed101732724855a5a39abe7ff0b

SHA256
871e20886f0204200a5da93b5275800428ed98472b20591a4da0c6f19d6e7512

SHA512
316aa4b09c7f5701739c7afaee5ae9ae4493d78cde2b02ea80a52a0f317bf69f89d1bf52783399bf74e9315fc94d956d0b540a83853c8e7200bbb4cba4124fbf

Download Submit
C:\Windows\{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe

Filesize
60KB

MD5
8aef28c47b56ef4a0fb8e6b7e3b624f5

SHA1
b546c6f6937d269acc02de139ce2ba4940818f50

SHA256
d29773921e79b37cf3f8d3ad03379d9715efaea8531ec40eeb13ad7552276db2

SHA512
feefd6a7ac65473e6ad237f9ac7792cc2963db93cf28073feb3fd17f6d20124ade2850f5d8f036eeafe1ad6301d5fbacecbc7c8c48679542087e4214e71804b6

Download Submit
C:\Windows\{5C9E35DB-F4C8-4646-B651-9D52AAC8CCCF}.exe

Filesize
60KB

MD5
8aef28c47b56ef4a0fb8e6b7e3b624f5

SHA1
b546c6f6937d269acc02de139ce2ba4940818f50

SHA256
d29773921e79b37cf3f8d3ad03379d9715efaea8531ec40eeb13ad7552276db2

SHA512
feefd6a7ac65473e6ad237f9ac7792cc2963db93cf28073feb3fd17f6d20124ade2850f5d8f036eeafe1ad6301d5fbacecbc7c8c48679542087e4214e71804b6

Download Submit
C:\Windows\{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe

Filesize
60KB

MD5
32d0cb9ffdfd179b0a80e3e1ace2c23c

SHA1
4e8dd044204d46466d5e7ebb1d55a5162558dd8b

SHA256
00717734762f0423c76279d697d40b11e1f189daaa8536a8817d3a7d04ba7ec6

SHA512
afcad913559b095a4986d959dc6357c66abb8d5b257adb29342cb2f6168665b21b02c69d82c2ff938c910ac01dc5d55c86b93dbc7338484a0094336e5c6f4ce0

Download Submit
C:\Windows\{654059C0-BB32-464f-8E59-E37A5DABCB03}.exe

Filesize
60KB

MD5
32d0cb9ffdfd179b0a80e3e1ace2c23c

SHA1
4e8dd044204d46466d5e7ebb1d55a5162558dd8b

SHA256
00717734762f0423c76279d697d40b11e1f189daaa8536a8817d3a7d04ba7ec6

SHA512
afcad913559b095a4986d959dc6357c66abb8d5b257adb29342cb2f6168665b21b02c69d82c2ff938c910ac01dc5d55c86b93dbc7338484a0094336e5c6f4ce0

Download Submit
C:\Windows\{683A3C11-3403-44c4-AD8F-B3B62A29452F}.exe

Filesize
60KB

MD5
2f8d2db758c8505cd4a2f8efb515c6ba

SHA1
468bdea714e39f7d3ef638f5f81ce1bd8b3fdab4

SHA256
2006937a7e2fe84024409096a8fdd87188c7d38ee11c6ea90f3d29c372c415e2

SHA512
43887ce647cfc001b36ccdb94327579555f86821e1be5e6b5cfeae78c2ba4a36cb7027ef160bf771ae8e40c569b0a121a07cf703f1a7147472ba67962dadffcf

Download Submit
C:\Windows\{683A3C11-3403-44c4-AD8F-B3B62A29452F}.exe

Filesize
60KB

MD5
2f8d2db758c8505cd4a2f8efb515c6ba

SHA1
468bdea714e39f7d3ef638f5f81ce1bd8b3fdab4

SHA256
2006937a7e2fe84024409096a8fdd87188c7d38ee11c6ea90f3d29c372c415e2

SHA512
43887ce647cfc001b36ccdb94327579555f86821e1be5e6b5cfeae78c2ba4a36cb7027ef160bf771ae8e40c569b0a121a07cf703f1a7147472ba67962dadffcf

Download Submit
C:\Windows\{B70BB45F-98D6-404d-98B7-08573A31BD92}.exe

Filesize
60KB

MD5
f2285ab35782117483b8554313a36ad1

SHA1
297be7aa311022e05482d3339ccc8f96dd70aeb3

SHA256
2def9e2c147bc70cb039e062da7de790f66eaabd5f6435c355177e04d48abc3f

SHA512
5c5d8968d9813e8aa211d6d80383260339f406cf847c74b8a7413f082a53b6c0a870050ce796f6e5b1c832257b112a8ca2361a7fbccee9d33088d523ab16dbb5

Download Submit
C:\Windows\{B70BB45F-98D6-404d-98B7-08573A31BD92}.exe

Filesize
60KB

MD5
f2285ab35782117483b8554313a36ad1

SHA1
297be7aa311022e05482d3339ccc8f96dd70aeb3

SHA256
2def9e2c147bc70cb039e062da7de790f66eaabd5f6435c355177e04d48abc3f

SHA512
5c5d8968d9813e8aa211d6d80383260339f406cf847c74b8a7413f082a53b6c0a870050ce796f6e5b1c832257b112a8ca2361a7fbccee9d33088d523ab16dbb5

Download Submit
C:\Windows\{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe

Filesize
60KB

MD5
b0007fea3d200b9d6b350ec071572bc0

SHA1
19adb48eb4cbc7ecc67a51566465e2015ef07e3d

SHA256
eb92e60f021ebfccc9d53074b6dbfc7614c43a68b8a620fd2200ed81eada036f

SHA512
a63aff6b6b4dbe2cb61762a658e4e6b131006eb23655b7c53ea16800807106fa5d730a6f7ee865fb0718d680148dea8bfdefe3e4acea1f8512a58a99ac1e8006

Download Submit
C:\Windows\{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe

Filesize
60KB

MD5
b0007fea3d200b9d6b350ec071572bc0

SHA1
19adb48eb4cbc7ecc67a51566465e2015ef07e3d

SHA256
eb92e60f021ebfccc9d53074b6dbfc7614c43a68b8a620fd2200ed81eada036f

SHA512
a63aff6b6b4dbe2cb61762a658e4e6b131006eb23655b7c53ea16800807106fa5d730a6f7ee865fb0718d680148dea8bfdefe3e4acea1f8512a58a99ac1e8006

Download Submit
C:\Windows\{C4872838-CD15-4758-9BE8-E26914A8C4D4}.exe

Filesize
60KB

MD5
b0007fea3d200b9d6b350ec071572bc0

SHA1
19adb48eb4cbc7ecc67a51566465e2015ef07e3d

SHA256
eb92e60f021ebfccc9d53074b6dbfc7614c43a68b8a620fd2200ed81eada036f

SHA512
a63aff6b6b4dbe2cb61762a658e4e6b131006eb23655b7c53ea16800807106fa5d730a6f7ee865fb0718d680148dea8bfdefe3e4acea1f8512a58a99ac1e8006

Download Submit
C:\Windows\{DE43551F-2C1D-4430-B306-F0E33F4D1335}.exe

Filesize
60KB

MD5
32ec8a3bfac8fb48288dceb450475ee6

SHA1
9ffaef6ea693b728950476b8108f7425f4408ddc

SHA256
230d4b905bce5c2b4411277c7dda61d655a502724af340de5314c30010454af0

SHA512
f124b717f252b7eb62cd01dacf07be5cce2b66243d7339d4d2904d35758bec37a7ea6f698c3a8d1b6733c71eb4710c018ac755009e70ca7d3b0c0bd8ffe5cc07

Download Submit
C:\Windows\{DE43551F-2C1D-4430-B306-F0E33F4D1335}.exe

Filesize
60KB

MD5
32ec8a3bfac8fb48288dceb450475ee6

SHA1
9ffaef6ea693b728950476b8108f7425f4408ddc

SHA256
230d4b905bce5c2b4411277c7dda61d655a502724af340de5314c30010454af0

SHA512
f124b717f252b7eb62cd01dacf07be5cce2b66243d7339d4d2904d35758bec37a7ea6f698c3a8d1b6733c71eb4710c018ac755009e70ca7d3b0c0bd8ffe5cc07

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads