db1a793be2c91b32600fc3453370c75cff0ff3eaed676af1f769be84de964485

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
05-11-2023 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe
Size

76KB
MD5

2c4900f6c7167ca8e4df3277fd0dfcd0
SHA1

c81c8b7b015334a85855a498ee12c1b7e9270798
SHA256

db1a793be2c91b32600fc3453370c75cff0ff3eaed676af1f769be84de964485
SHA512

946167a7a81eb069b44b1347afbf48e34f0d37e8a4f01d7ca6dd6199227d1530bccbd68678dd6756c52ca4b18b0b29c43abc000fefadfd237b0995d1b5049848
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroN4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwU1:vvw9816vhKQLroN4/wQRNrfrunMxVD

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}	{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}\stubpath = "C:\\Windows\\{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe"	{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45D91245-5042-4750-B179-7FAE406C0A3D}	{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45D91245-5042-4750-B179-7FAE406C0A3D}\stubpath = "C:\\Windows\\{45D91245-5042-4750-B179-7FAE406C0A3D}.exe"	{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25325935-72C9-41f5-90E3-72BCE7D888BA}	{45D91245-5042-4750-B179-7FAE406C0A3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93258832-76F3-4d04-8A05-D7762989CF09}	{25325935-72C9-41f5-90E3-72BCE7D888BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}	{A37470F9-3590-493b-AD28-F555D78D274B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{249ACE86-B0F2-47d0-A67C-D086B7887DB6}	{93258832-76F3-4d04-8A05-D7762989CF09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{249ACE86-B0F2-47d0-A67C-D086B7887DB6}\stubpath = "C:\\Windows\\{249ACE86-B0F2-47d0-A67C-D086B7887DB6}.exe"	{93258832-76F3-4d04-8A05-D7762989CF09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}	{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}\stubpath = "C:\\Windows\\{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe"	{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25325935-72C9-41f5-90E3-72BCE7D888BA}\stubpath = "C:\\Windows\\{25325935-72C9-41f5-90E3-72BCE7D888BA}.exe"	{45D91245-5042-4750-B179-7FAE406C0A3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC81C75F-CDC0-489f-9EEC-167C8B076615}	{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19B899C4-7B83-4d2c-BD05-9E04A907759A}\stubpath = "C:\\Windows\\{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe"	{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19B899C4-7B83-4d2c-BD05-9E04A907759A}	{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93258832-76F3-4d04-8A05-D7762989CF09}\stubpath = "C:\\Windows\\{93258832-76F3-4d04-8A05-D7762989CF09}.exe"	{25325935-72C9-41f5-90E3-72BCE7D888BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}\stubpath = "C:\\Windows\\{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe"	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A37470F9-3590-493b-AD28-F555D78D274B}	{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC81C75F-CDC0-489f-9EEC-167C8B076615}\stubpath = "C:\\Windows\\{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe"	{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A37470F9-3590-493b-AD28-F555D78D274B}\stubpath = "C:\\Windows\\{A37470F9-3590-493b-AD28-F555D78D274B}.exe"	{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}\stubpath = "C:\\Windows\\{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe"	{A37470F9-3590-493b-AD28-F555D78D274B}.exe

Deletes itself 1 IoCs

pid	Process
2284	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
764	{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe
2148	{A37470F9-3590-493b-AD28-F555D78D274B}.exe
2704	{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe
2036	{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe
2960	{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe
2580	{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe
2496	{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe
2208	{45D91245-5042-4750-B179-7FAE406C0A3D}.exe
2968	{25325935-72C9-41f5-90E3-72BCE7D888BA}.exe
1696	{93258832-76F3-4d04-8A05-D7762989CF09}.exe
1992	{249ACE86-B0F2-47d0-A67C-D086B7887DB6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe	{A37470F9-3590-493b-AD28-F555D78D274B}.exe
File created	C:\Windows\{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe	{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe
File created	C:\Windows\{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe	{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe
File created	C:\Windows\{45D91245-5042-4750-B179-7FAE406C0A3D}.exe	{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe
File created	C:\Windows\{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe
File created	C:\Windows\{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe	{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe
File created	C:\Windows\{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe	{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe
File created	C:\Windows\{25325935-72C9-41f5-90E3-72BCE7D888BA}.exe	{45D91245-5042-4750-B179-7FAE406C0A3D}.exe
File created	C:\Windows\{93258832-76F3-4d04-8A05-D7762989CF09}.exe	{25325935-72C9-41f5-90E3-72BCE7D888BA}.exe
File created	C:\Windows\{249ACE86-B0F2-47d0-A67C-D086B7887DB6}.exe	{93258832-76F3-4d04-8A05-D7762989CF09}.exe
File created	C:\Windows\{A37470F9-3590-493b-AD28-F555D78D274B}.exe	{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3060	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe
Token: SeIncBasePriorityPrivilege	764	{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe
Token: SeIncBasePriorityPrivilege	2148	{A37470F9-3590-493b-AD28-F555D78D274B}.exe
Token: SeIncBasePriorityPrivilege	2704	{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe
Token: SeIncBasePriorityPrivilege	2036	{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe
Token: SeIncBasePriorityPrivilege	2960	{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe
Token: SeIncBasePriorityPrivilege	2580	{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe
Token: SeIncBasePriorityPrivilege	2496	{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe
Token: SeIncBasePriorityPrivilege	2208	{45D91245-5042-4750-B179-7FAE406C0A3D}.exe
Token: SeIncBasePriorityPrivilege	2968	{25325935-72C9-41f5-90E3-72BCE7D888BA}.exe
Token: SeIncBasePriorityPrivilege	1696	{93258832-76F3-4d04-8A05-D7762989CF09}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 764	3060	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe	28
PID 3060 wrote to memory of 764	3060	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe	28
PID 3060 wrote to memory of 764	3060	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe	28
PID 3060 wrote to memory of 764	3060	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe	28
PID 3060 wrote to memory of 2284	3060	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe	29
PID 3060 wrote to memory of 2284	3060	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe	29
PID 3060 wrote to memory of 2284	3060	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe	29
PID 3060 wrote to memory of 2284	3060	NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe	29
PID 764 wrote to memory of 2148	764	{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe	30
PID 764 wrote to memory of 2148	764	{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe	30
PID 764 wrote to memory of 2148	764	{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe	30
PID 764 wrote to memory of 2148	764	{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe	30
PID 764 wrote to memory of 2436	764	{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe	31
PID 764 wrote to memory of 2436	764	{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe	31
PID 764 wrote to memory of 2436	764	{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe	31
PID 764 wrote to memory of 2436	764	{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe	31
PID 2148 wrote to memory of 2704	2148	{A37470F9-3590-493b-AD28-F555D78D274B}.exe	34
PID 2148 wrote to memory of 2704	2148	{A37470F9-3590-493b-AD28-F555D78D274B}.exe	34
PID 2148 wrote to memory of 2704	2148	{A37470F9-3590-493b-AD28-F555D78D274B}.exe	34
PID 2148 wrote to memory of 2704	2148	{A37470F9-3590-493b-AD28-F555D78D274B}.exe	34
PID 2148 wrote to memory of 2280	2148	{A37470F9-3590-493b-AD28-F555D78D274B}.exe	35
PID 2148 wrote to memory of 2280	2148	{A37470F9-3590-493b-AD28-F555D78D274B}.exe	35
PID 2148 wrote to memory of 2280	2148	{A37470F9-3590-493b-AD28-F555D78D274B}.exe	35
PID 2148 wrote to memory of 2280	2148	{A37470F9-3590-493b-AD28-F555D78D274B}.exe	35
PID 2704 wrote to memory of 2036	2704	{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe	36
PID 2704 wrote to memory of 2036	2704	{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe	36
PID 2704 wrote to memory of 2036	2704	{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe	36
PID 2704 wrote to memory of 2036	2704	{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe	36
PID 2704 wrote to memory of 2604	2704	{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe	37
PID 2704 wrote to memory of 2604	2704	{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe	37
PID 2704 wrote to memory of 2604	2704	{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe	37
PID 2704 wrote to memory of 2604	2704	{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe	37
PID 2036 wrote to memory of 2960	2036	{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe	38
PID 2036 wrote to memory of 2960	2036	{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe	38
PID 2036 wrote to memory of 2960	2036	{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe	38
PID 2036 wrote to memory of 2960	2036	{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe	38
PID 2036 wrote to memory of 2748	2036	{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe	39
PID 2036 wrote to memory of 2748	2036	{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe	39
PID 2036 wrote to memory of 2748	2036	{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe	39
PID 2036 wrote to memory of 2748	2036	{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe	39
PID 2960 wrote to memory of 2580	2960	{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe	40
PID 2960 wrote to memory of 2580	2960	{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe	40
PID 2960 wrote to memory of 2580	2960	{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe	40
PID 2960 wrote to memory of 2580	2960	{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe	40
PID 2960 wrote to memory of 2620	2960	{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe	41
PID 2960 wrote to memory of 2620	2960	{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe	41
PID 2960 wrote to memory of 2620	2960	{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe	41
PID 2960 wrote to memory of 2620	2960	{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe	41
PID 2580 wrote to memory of 2496	2580	{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe	42
PID 2580 wrote to memory of 2496	2580	{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe	42
PID 2580 wrote to memory of 2496	2580	{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe	42
PID 2580 wrote to memory of 2496	2580	{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe	42
PID 2580 wrote to memory of 2336	2580	{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe	43
PID 2580 wrote to memory of 2336	2580	{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe	43
PID 2580 wrote to memory of 2336	2580	{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe	43
PID 2580 wrote to memory of 2336	2580	{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe	43
PID 2496 wrote to memory of 2208	2496	{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe	44
PID 2496 wrote to memory of 2208	2496	{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe	44
PID 2496 wrote to memory of 2208	2496	{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe	44
PID 2496 wrote to memory of 2208	2496	{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe	44
PID 2496 wrote to memory of 1112	2496	{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe	45
PID 2496 wrote to memory of 1112	2496	{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe	45
PID 2496 wrote to memory of 1112	2496	{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe	45
PID 2496 wrote to memory of 1112	2496	{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2c4900f6c7167ca8e4df3277fd0dfcd0_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe
  C:\Windows\{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\{A37470F9-3590-493b-AD28-F555D78D274B}.exe
    C:\Windows\{A37470F9-3590-493b-AD28-F555D78D274B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe
      C:\Windows\{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe
        
        C:\Windows\{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe
        
        C:\Windows\{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe
        
        C:\Windows\{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe
        
        C:\Windows\{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\{45D91245-5042-4750-B179-7FAE406C0A3D}.exe
        
        C:\Windows\{45D91245-5042-4750-B179-7FAE406C0A3D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\{25325935-72C9-41f5-90E3-72BCE7D888BA}.exe
        
        C:\Windows\{25325935-72C9-41f5-90E3-72BCE7D888BA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\{93258832-76F3-4d04-8A05-D7762989CF09}.exe
        
        C:\Windows\{93258832-76F3-4d04-8A05-D7762989CF09}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\{249ACE86-B0F2-47d0-A67C-D086B7887DB6}.exe
        
        C:\Windows\{249ACE86-B0F2-47d0-A67C-D086B7887DB6}.exe
        12⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93258~1.EXE > nul
        12⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25325~1.EXE > nul
        11⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45D91~1.EXE > nul
        10⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4EDA~1.EXE > nul
        9⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF797~1.EXE > nul
        8⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19B89~1.EXE > nul
        7⤵
        
        PID:2620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC81C~1.EXE > nul
        6⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C0AF~1.EXE > nul
        5⤵
        
        PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A3747~1.EXE > nul
      4⤵
      PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E9F8E~1.EXE > nul
    3⤵
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS2C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe

Filesize
76KB

MD5
49caaae5f4725ccc21bf30b5f08aa72a

SHA1
22b0d0d7eac76e30d1edaf887bf0819a0a625933

SHA256
b24fa8a144796120429c9e92fe0e339aae0972837371ce708ae50aeece65e92b

SHA512
43d077cc950e6db720556bf18650769d491cd3db6bc8d4daa42f37efbc3edf9876f6ee5a1c41ae101c78c8e32af8d9e5de737512e178fe9673d8b094a0a964e1

Download Submit
C:\Windows\{19B899C4-7B83-4d2c-BD05-9E04A907759A}.exe

Filesize
76KB

MD5
49caaae5f4725ccc21bf30b5f08aa72a

SHA1
22b0d0d7eac76e30d1edaf887bf0819a0a625933

SHA256
b24fa8a144796120429c9e92fe0e339aae0972837371ce708ae50aeece65e92b

SHA512
43d077cc950e6db720556bf18650769d491cd3db6bc8d4daa42f37efbc3edf9876f6ee5a1c41ae101c78c8e32af8d9e5de737512e178fe9673d8b094a0a964e1

Download Submit
C:\Windows\{249ACE86-B0F2-47d0-A67C-D086B7887DB6}.exe

Filesize
76KB

MD5
2e15aa5d57923ef398815cb441fa0b94

SHA1
c0f5697d37f26ccdc8390c0e7459434e6eb8637a

SHA256
5cc0889e2bc31527be2fcf8fdbfbd10a4309ef063eec7f4d41cf9b2cc8744b18

SHA512
923dcace19a6f9658751b7bd93a8ddc1f2d2692c31c48c4146e2744738192a2789948d897c5093b46843fa942f8382cbf39c2b14779d9154ed6dac6c7a7e26db

Download Submit
C:\Windows\{25325935-72C9-41f5-90E3-72BCE7D888BA}.exe

Filesize
76KB

MD5
fb121e98e386cbf9cdad8c0f4d8abd25

SHA1
c8957ea4f74e683676a76bf14daf93f41cb1a080

SHA256
23e95aaa18e3378244844835d53c8b02cee600def6d1b969fe2d42955d18c89d

SHA512
fc75cdc207b5a784596ca6c98d06b0a701571c985f6e60dfa039bb65a3463219d2ab1e597f5ec868d49a54df53af3c0b774276c7c2de9a5c60ff8a408d26819d

Download Submit
C:\Windows\{25325935-72C9-41f5-90E3-72BCE7D888BA}.exe

Filesize
76KB

MD5
fb121e98e386cbf9cdad8c0f4d8abd25

SHA1
c8957ea4f74e683676a76bf14daf93f41cb1a080

SHA256
23e95aaa18e3378244844835d53c8b02cee600def6d1b969fe2d42955d18c89d

SHA512
fc75cdc207b5a784596ca6c98d06b0a701571c985f6e60dfa039bb65a3463219d2ab1e597f5ec868d49a54df53af3c0b774276c7c2de9a5c60ff8a408d26819d

Download Submit
C:\Windows\{45D91245-5042-4750-B179-7FAE406C0A3D}.exe

Filesize
76KB

MD5
502e3dae70a99aec045c24b3c002306f

SHA1
ba5df8658075c451b549b5a9d297f9e4da04a69a

SHA256
8a0ce16ddcce09df04ea69adeff6dfbf984df57c05469bae787fa8a24bd2e81d

SHA512
320d7b2fea87752607e8e5c9cd507cd74ac7272c28751f347c724a682925137eb46fa92c17a4bfacb389ecf410ebe650ae5cd307871c8dfc74cabc9e8b21f69d

Download Submit
C:\Windows\{45D91245-5042-4750-B179-7FAE406C0A3D}.exe

Filesize
76KB

MD5
502e3dae70a99aec045c24b3c002306f

SHA1
ba5df8658075c451b549b5a9d297f9e4da04a69a

SHA256
8a0ce16ddcce09df04ea69adeff6dfbf984df57c05469bae787fa8a24bd2e81d

SHA512
320d7b2fea87752607e8e5c9cd507cd74ac7272c28751f347c724a682925137eb46fa92c17a4bfacb389ecf410ebe650ae5cd307871c8dfc74cabc9e8b21f69d

Download Submit
C:\Windows\{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe

Filesize
76KB

MD5
a3a102608e0bc247260eaf6503237bd3

SHA1
b6a8904e735eed1bc56c56666fe820a5b089e762

SHA256
b07946cb2569d12b1c4cec94d1416ccdb7b12b106bb02c6975071aefa064a2a8

SHA512
ab5929f3ebd3acf332463293c4389cd987d09b870be0d693075c7bfacf8dcf351e534cb0d43ac9b2ce24332230717cd4f5b5815c7621bbb943061e2270f517a7

Download Submit
C:\Windows\{8C0AFF4F-0230-4ad7-B9AD-E0C17A4568CD}.exe

Filesize
76KB

MD5
a3a102608e0bc247260eaf6503237bd3

SHA1
b6a8904e735eed1bc56c56666fe820a5b089e762

SHA256
b07946cb2569d12b1c4cec94d1416ccdb7b12b106bb02c6975071aefa064a2a8

SHA512
ab5929f3ebd3acf332463293c4389cd987d09b870be0d693075c7bfacf8dcf351e534cb0d43ac9b2ce24332230717cd4f5b5815c7621bbb943061e2270f517a7

Download Submit
C:\Windows\{93258832-76F3-4d04-8A05-D7762989CF09}.exe

Filesize
76KB

MD5
6c8385f2c5476a8a1a557d0e95f6907f

SHA1
66f9e864d9aa25c6bd88b2ebbb633849083950b5

SHA256
c46e558f6b3e490a6eaddc6b95ff2c9fceaed196076412b6c6a6b3099a151561

SHA512
9f5986b71c6769bfe6edf89720bc7a5904ccae86986cd7d1ae7512560b64fbbf046555545c05665fbfeaa45466d89c46f9a126a123bec396e508d493228fdefa

Download Submit
C:\Windows\{93258832-76F3-4d04-8A05-D7762989CF09}.exe

Filesize
76KB

MD5
6c8385f2c5476a8a1a557d0e95f6907f

SHA1
66f9e864d9aa25c6bd88b2ebbb633849083950b5

SHA256
c46e558f6b3e490a6eaddc6b95ff2c9fceaed196076412b6c6a6b3099a151561

SHA512
9f5986b71c6769bfe6edf89720bc7a5904ccae86986cd7d1ae7512560b64fbbf046555545c05665fbfeaa45466d89c46f9a126a123bec396e508d493228fdefa

Download Submit
C:\Windows\{A37470F9-3590-493b-AD28-F555D78D274B}.exe

Filesize
76KB

MD5
490aaad71eea091bb79cee9d34de57a6

SHA1
c1b3d61308272e8ff325cd1da756aec9f64aea8b

SHA256
256b483706eedff25f7d6fa8e21ab72ac8ae49df8aad55b46b03ddb4ef0ff28f

SHA512
b481347a0696b15d35a1774517dcff4b27e5e87f965ae7a92fffc90c922bae3e6f2df87a51416e1215cbb8647d429a1ff274719a1a50f0d669f9e5d9ea9042e7

Download Submit
C:\Windows\{A37470F9-3590-493b-AD28-F555D78D274B}.exe

Filesize
76KB

MD5
490aaad71eea091bb79cee9d34de57a6

SHA1
c1b3d61308272e8ff325cd1da756aec9f64aea8b

SHA256
256b483706eedff25f7d6fa8e21ab72ac8ae49df8aad55b46b03ddb4ef0ff28f

SHA512
b481347a0696b15d35a1774517dcff4b27e5e87f965ae7a92fffc90c922bae3e6f2df87a51416e1215cbb8647d429a1ff274719a1a50f0d669f9e5d9ea9042e7

Download Submit
C:\Windows\{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe

Filesize
76KB

MD5
ddce3d51e4027f6cbec28d0c831eba13

SHA1
afa09bf9de97ab405c1ee2031cf978640fc12325

SHA256
3c22c1aa17c843693d7c9bb487e8d6831d2187456fb1ec6d1d33fc33d3f558f9

SHA512
765a08db39ee90a4cd240a2c6c8b84073609a7f993ffd357f7ce939a69a3cb8a3089bb7ac06e76f733b7585c08cf56ab4a1986730f42199229e7f9a2d9e97645

Download Submit
C:\Windows\{A4EDAD04-AA9B-48a3-AB52-B946AF34D81D}.exe

Filesize
76KB

MD5
ddce3d51e4027f6cbec28d0c831eba13

SHA1
afa09bf9de97ab405c1ee2031cf978640fc12325

SHA256
3c22c1aa17c843693d7c9bb487e8d6831d2187456fb1ec6d1d33fc33d3f558f9

SHA512
765a08db39ee90a4cd240a2c6c8b84073609a7f993ffd357f7ce939a69a3cb8a3089bb7ac06e76f733b7585c08cf56ab4a1986730f42199229e7f9a2d9e97645

Download Submit
C:\Windows\{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe

Filesize
76KB

MD5
da3c93af6db57f6bbe92e9107c1d2f5a

SHA1
9be875cddb8f763a9a775bd21056d71cbbc8b4f1

SHA256
b1b33eaf5da01fb74d817e500d9160bb50d1a2c8707a6b46345672cfbcb5ac71

SHA512
f1a4f3c808b0875cd5f3d0f6bc3c73fc06e240574c5e042967836e872911437dd66928b2e04df4e577e04a203fe77f2624a518ce1e53f454817776075bff7f74

Download Submit
C:\Windows\{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe

Filesize
76KB

MD5
da3c93af6db57f6bbe92e9107c1d2f5a

SHA1
9be875cddb8f763a9a775bd21056d71cbbc8b4f1

SHA256
b1b33eaf5da01fb74d817e500d9160bb50d1a2c8707a6b46345672cfbcb5ac71

SHA512
f1a4f3c808b0875cd5f3d0f6bc3c73fc06e240574c5e042967836e872911437dd66928b2e04df4e577e04a203fe77f2624a518ce1e53f454817776075bff7f74

Download Submit
C:\Windows\{E9F8E1F5-F773-45fa-9831-DC5B7CEF0C52}.exe

Filesize
76KB

MD5
da3c93af6db57f6bbe92e9107c1d2f5a

SHA1
9be875cddb8f763a9a775bd21056d71cbbc8b4f1

SHA256
b1b33eaf5da01fb74d817e500d9160bb50d1a2c8707a6b46345672cfbcb5ac71

SHA512
f1a4f3c808b0875cd5f3d0f6bc3c73fc06e240574c5e042967836e872911437dd66928b2e04df4e577e04a203fe77f2624a518ce1e53f454817776075bff7f74

Download Submit
C:\Windows\{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe

Filesize
76KB

MD5
b67f3d92417de2fc19a1d4e7df972ba1

SHA1
2f3c7a7213a1500b2bfd102c62eb63beda470a1b

SHA256
873e5d3932a624dcfd9f643e932fd3d9f64ee8e6403db6cc0216385406025653

SHA512
12dfc880ecb9959346881efb995fff920122c11c7610c1b566e2301b953db60352186b9465f2f0341e8626b5ff7269dfd52587d314de677ca454946a9e82423f

Download Submit
C:\Windows\{EC81C75F-CDC0-489f-9EEC-167C8B076615}.exe

Filesize
76KB

MD5
b67f3d92417de2fc19a1d4e7df972ba1

SHA1
2f3c7a7213a1500b2bfd102c62eb63beda470a1b

SHA256
873e5d3932a624dcfd9f643e932fd3d9f64ee8e6403db6cc0216385406025653

SHA512
12dfc880ecb9959346881efb995fff920122c11c7610c1b566e2301b953db60352186b9465f2f0341e8626b5ff7269dfd52587d314de677ca454946a9e82423f

Download Submit
C:\Windows\{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe

Filesize
76KB

MD5
ab5c67edb6c76aad7b7ef428ca58169b

SHA1
1aa93e04f498dc19220e5689c767b18be7e1858e

SHA256
628fe19f4feb13d4eccc38a8946ea467cc663b8d299ed5c11a9d1ae970055f57

SHA512
b56b07fa5cd1d5ba996a615eded53fca7969478c7796b451bbb84444cbd203148962a83196addc1250f059fa36c4aad8fc6f16fbb38c56ecf77774f79815e1d4

Download Submit
C:\Windows\{EF797F24-3EA6-4f1b-B78E-9B14B7669E1F}.exe

Filesize
76KB

MD5
ab5c67edb6c76aad7b7ef428ca58169b

SHA1
1aa93e04f498dc19220e5689c767b18be7e1858e

SHA256
628fe19f4feb13d4eccc38a8946ea467cc663b8d299ed5c11a9d1ae970055f57

SHA512
b56b07fa5cd1d5ba996a615eded53fca7969478c7796b451bbb84444cbd203148962a83196addc1250f059fa36c4aad8fc6f16fbb38c56ecf77774f79815e1d4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads