8a4b0e1e2ddd2e8cb6bc7a1fd76070e848640353c675d10ee3b081fbbe2ec12b

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe
Size

60KB
MD5

9790bee0d8456a39bbbda3dd029fdf70
SHA1

421ad2761987313887cd441f59539228900c6215
SHA256

8a4b0e1e2ddd2e8cb6bc7a1fd76070e848640353c675d10ee3b081fbbe2ec12b
SHA512

679ae6c79e3c04ba0469f2dbb0f36784d19328417a253f1cfd01fe2fc2412e7e97de79dd8a90629084d798352d2bffc78688b6eaeed52376c1b4f7ee92ec3323
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwfY04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroR4/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51DA160F-46A7-4d84-8DD2-E4B943C7D159}	{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51DA160F-46A7-4d84-8DD2-E4B943C7D159}\stubpath = "C:\\Windows\\{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe"	{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{171F3B99-1C54-4366-A42A-DADA04FC5CAD}\stubpath = "C:\\Windows\\{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe"	{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}\stubpath = "C:\\Windows\\{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe"	{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE98284F-5AD5-46f9-9649-EC3033C3A615}	{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E95DF4C-6718-4be6-A081-1ED63DF75732}\stubpath = "C:\\Windows\\{9E95DF4C-6718-4be6-A081-1ED63DF75732}.exe"	{F6743E9B-208F-4352-B498-4F143ACAECEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}\stubpath = "C:\\Windows\\{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe"	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{345B051F-B5E2-40fe-ADE2-696E237DE74A}	{D8768B3D-C816-4db7-AE32-999108195C66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}\stubpath = "C:\\Windows\\{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe"	{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}	{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE98284F-5AD5-46f9-9649-EC3033C3A615}\stubpath = "C:\\Windows\\{FE98284F-5AD5-46f9-9649-EC3033C3A615}.exe"	{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6743E9B-208F-4352-B498-4F143ACAECEA}	{FE98284F-5AD5-46f9-9649-EC3033C3A615}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F529B2B-A6F9-46d4-95C5-5E86E4B2C105}	{9E95DF4C-6718-4be6-A081-1ED63DF75732}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8768B3D-C816-4db7-AE32-999108195C66}	{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8768B3D-C816-4db7-AE32-999108195C66}\stubpath = "C:\\Windows\\{D8768B3D-C816-4db7-AE32-999108195C66}.exe"	{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6743E9B-208F-4352-B498-4F143ACAECEA}\stubpath = "C:\\Windows\\{F6743E9B-208F-4352-B498-4F143ACAECEA}.exe"	{FE98284F-5AD5-46f9-9649-EC3033C3A615}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E95DF4C-6718-4be6-A081-1ED63DF75732}	{F6743E9B-208F-4352-B498-4F143ACAECEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{171F3B99-1C54-4366-A42A-DADA04FC5CAD}	{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}	{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{345B051F-B5E2-40fe-ADE2-696E237DE74A}\stubpath = "C:\\Windows\\{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe"	{D8768B3D-C816-4db7-AE32-999108195C66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F529B2B-A6F9-46d4-95C5-5E86E4B2C105}\stubpath = "C:\\Windows\\{1F529B2B-A6F9-46d4-95C5-5E86E4B2C105}.exe"	{9E95DF4C-6718-4be6-A081-1ED63DF75732}.exe

Deletes itself 1 IoCs

pid	Process
3068	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1736	{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe
2636	{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe
2604	{D8768B3D-C816-4db7-AE32-999108195C66}.exe
2652	{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe
2500	{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe
3008	{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe
2000	{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe
548	{FE98284F-5AD5-46f9-9649-EC3033C3A615}.exe
2832	{F6743E9B-208F-4352-B498-4F143ACAECEA}.exe
2848	{9E95DF4C-6718-4be6-A081-1ED63DF75732}.exe
2996	{1F529B2B-A6F9-46d4-95C5-5E86E4B2C105}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1F529B2B-A6F9-46d4-95C5-5E86E4B2C105}.exe	{9E95DF4C-6718-4be6-A081-1ED63DF75732}.exe
File created	C:\Windows\{D8768B3D-C816-4db7-AE32-999108195C66}.exe	{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe
File created	C:\Windows\{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe	{D8768B3D-C816-4db7-AE32-999108195C66}.exe
File created	C:\Windows\{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe	{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe
File created	C:\Windows\{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe	{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe
File created	C:\Windows\{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe	{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe
File created	C:\Windows\{9E95DF4C-6718-4be6-A081-1ED63DF75732}.exe	{F6743E9B-208F-4352-B498-4F143ACAECEA}.exe
File created	C:\Windows\{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe
File created	C:\Windows\{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe	{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe
File created	C:\Windows\{FE98284F-5AD5-46f9-9649-EC3033C3A615}.exe	{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe
File created	C:\Windows\{F6743E9B-208F-4352-B498-4F143ACAECEA}.exe	{FE98284F-5AD5-46f9-9649-EC3033C3A615}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1932	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe
Token: SeIncBasePriorityPrivilege	1736	{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe
Token: SeIncBasePriorityPrivilege	2636	{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe
Token: SeIncBasePriorityPrivilege	2604	{D8768B3D-C816-4db7-AE32-999108195C66}.exe
Token: SeIncBasePriorityPrivilege	2652	{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe
Token: SeIncBasePriorityPrivilege	2500	{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe
Token: SeIncBasePriorityPrivilege	3008	{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe
Token: SeIncBasePriorityPrivilege	2000	{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe
Token: SeIncBasePriorityPrivilege	548	{FE98284F-5AD5-46f9-9649-EC3033C3A615}.exe
Token: SeIncBasePriorityPrivilege	2832	{F6743E9B-208F-4352-B498-4F143ACAECEA}.exe
Token: SeIncBasePriorityPrivilege	2848	{9E95DF4C-6718-4be6-A081-1ED63DF75732}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1736	1932	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe	28
PID 1932 wrote to memory of 1736	1932	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe	28
PID 1932 wrote to memory of 1736	1932	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe	28
PID 1932 wrote to memory of 1736	1932	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe	28
PID 1932 wrote to memory of 3068	1932	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe	29
PID 1932 wrote to memory of 3068	1932	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe	29
PID 1932 wrote to memory of 3068	1932	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe	29
PID 1932 wrote to memory of 3068	1932	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe	29
PID 1736 wrote to memory of 2636	1736	{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe	30
PID 1736 wrote to memory of 2636	1736	{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe	30
PID 1736 wrote to memory of 2636	1736	{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe	30
PID 1736 wrote to memory of 2636	1736	{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe	30
PID 1736 wrote to memory of 2776	1736	{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe	31
PID 1736 wrote to memory of 2776	1736	{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe	31
PID 1736 wrote to memory of 2776	1736	{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe	31
PID 1736 wrote to memory of 2776	1736	{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe	31
PID 2636 wrote to memory of 2604	2636	{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe	34
PID 2636 wrote to memory of 2604	2636	{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe	34
PID 2636 wrote to memory of 2604	2636	{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe	34
PID 2636 wrote to memory of 2604	2636	{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe	34
PID 2636 wrote to memory of 2844	2636	{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe	35
PID 2636 wrote to memory of 2844	2636	{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe	35
PID 2636 wrote to memory of 2844	2636	{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe	35
PID 2636 wrote to memory of 2844	2636	{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe	35
PID 2604 wrote to memory of 2652	2604	{D8768B3D-C816-4db7-AE32-999108195C66}.exe	36
PID 2604 wrote to memory of 2652	2604	{D8768B3D-C816-4db7-AE32-999108195C66}.exe	36
PID 2604 wrote to memory of 2652	2604	{D8768B3D-C816-4db7-AE32-999108195C66}.exe	36
PID 2604 wrote to memory of 2652	2604	{D8768B3D-C816-4db7-AE32-999108195C66}.exe	36
PID 2604 wrote to memory of 2544	2604	{D8768B3D-C816-4db7-AE32-999108195C66}.exe	37
PID 2604 wrote to memory of 2544	2604	{D8768B3D-C816-4db7-AE32-999108195C66}.exe	37
PID 2604 wrote to memory of 2544	2604	{D8768B3D-C816-4db7-AE32-999108195C66}.exe	37
PID 2604 wrote to memory of 2544	2604	{D8768B3D-C816-4db7-AE32-999108195C66}.exe	37
PID 2652 wrote to memory of 2500	2652	{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe	38
PID 2652 wrote to memory of 2500	2652	{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe	38
PID 2652 wrote to memory of 2500	2652	{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe	38
PID 2652 wrote to memory of 2500	2652	{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe	38
PID 2652 wrote to memory of 2540	2652	{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe	39
PID 2652 wrote to memory of 2540	2652	{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe	39
PID 2652 wrote to memory of 2540	2652	{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe	39
PID 2652 wrote to memory of 2540	2652	{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe	39
PID 2500 wrote to memory of 3008	2500	{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe	40
PID 2500 wrote to memory of 3008	2500	{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe	40
PID 2500 wrote to memory of 3008	2500	{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe	40
PID 2500 wrote to memory of 3008	2500	{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe	40
PID 2500 wrote to memory of 1520	2500	{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe	41
PID 2500 wrote to memory of 1520	2500	{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe	41
PID 2500 wrote to memory of 1520	2500	{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe	41
PID 2500 wrote to memory of 1520	2500	{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe	41
PID 3008 wrote to memory of 2000	3008	{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe	42
PID 3008 wrote to memory of 2000	3008	{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe	42
PID 3008 wrote to memory of 2000	3008	{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe	42
PID 3008 wrote to memory of 2000	3008	{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe	42
PID 3008 wrote to memory of 588	3008	{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe	43
PID 3008 wrote to memory of 588	3008	{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe	43
PID 3008 wrote to memory of 588	3008	{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe	43
PID 3008 wrote to memory of 588	3008	{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe	43
PID 2000 wrote to memory of 548	2000	{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe	44
PID 2000 wrote to memory of 548	2000	{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe	44
PID 2000 wrote to memory of 548	2000	{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe	44
PID 2000 wrote to memory of 548	2000	{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe	44
PID 2000 wrote to memory of 1088	2000	{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe	45
PID 2000 wrote to memory of 1088	2000	{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe	45
PID 2000 wrote to memory of 1088	2000	{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe	45
PID 2000 wrote to memory of 1088	2000	{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe
  C:\Windows\{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe
    C:\Windows\{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\{D8768B3D-C816-4db7-AE32-999108195C66}.exe
      C:\Windows\{D8768B3D-C816-4db7-AE32-999108195C66}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe
        
        C:\Windows\{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe
        
        C:\Windows\{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe
        
        C:\Windows\{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe
        
        C:\Windows\{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{FE98284F-5AD5-46f9-9649-EC3033C3A615}.exe
        
        C:\Windows\{FE98284F-5AD5-46f9-9649-EC3033C3A615}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\{F6743E9B-208F-4352-B498-4F143ACAECEA}.exe
        
        C:\Windows\{F6743E9B-208F-4352-B498-4F143ACAECEA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\{9E95DF4C-6718-4be6-A081-1ED63DF75732}.exe
        
        C:\Windows\{9E95DF4C-6718-4be6-A081-1ED63DF75732}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\{1F529B2B-A6F9-46d4-95C5-5E86E4B2C105}.exe
        
        C:\Windows\{1F529B2B-A6F9-46d4-95C5-5E86E4B2C105}.exe
        12⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E95D~1.EXE > nul
        12⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6743~1.EXE > nul
        11⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE982~1.EXE > nul
        10⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B72FE~1.EXE > nul
        9⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D179B~1.EXE > nul
        8⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{171F3~1.EXE > nul
        7⤵
        
        PID:1520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{345B0~1.EXE > nul
        6⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8768~1.EXE > nul
        5⤵
        
        PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{51DA1~1.EXE > nul
      4⤵
      PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FD0C6~1.EXE > nul
    3⤵
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS97~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe

Filesize
60KB

MD5
3b69650e566ae9d5f2a203613db30f53

SHA1
e9f6080b2c236c6de813f72ab90f646dd5f9e5c6

SHA256
20969319cce2defd8f1a8ccac41f24ecd9a157925c023a742238a626cac906f6

SHA512
7171d8c99ebaa4741dfac5d8342f115a77dca0ceea044038f7df3ecc2fe3b04a6c24c93508ebbee779e8722d57714ee96d0009c97228224bf19ae4b2c36515ce

Download Submit
C:\Windows\{171F3B99-1C54-4366-A42A-DADA04FC5CAD}.exe

Filesize
60KB

MD5
3b69650e566ae9d5f2a203613db30f53

SHA1
e9f6080b2c236c6de813f72ab90f646dd5f9e5c6

SHA256
20969319cce2defd8f1a8ccac41f24ecd9a157925c023a742238a626cac906f6

SHA512
7171d8c99ebaa4741dfac5d8342f115a77dca0ceea044038f7df3ecc2fe3b04a6c24c93508ebbee779e8722d57714ee96d0009c97228224bf19ae4b2c36515ce

Download Submit
C:\Windows\{1F529B2B-A6F9-46d4-95C5-5E86E4B2C105}.exe

Filesize
60KB

MD5
e7ec281eb84bdec33a8f58ea373b732c

SHA1
dcd7e2f2ba04b8f39dd9be6cd31a14c587d5bd0b

SHA256
954785e5d701d0a06c3c93a11fd92e993a98e7afc6cd96179b35024a413be8ba

SHA512
c5295e9cf9e30521a7ba5c70c3d02f803609844c7268a44e295f0434c003c49acb872146846a814896122d59c577f461b3bf14ae9fe7dea234b63cc2406445b2

Download Submit
C:\Windows\{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe

Filesize
60KB

MD5
52c5ebdd1a47272b335fc2077442f5f9

SHA1
1b20aa78e504cca02890e7e244cadd9c264f237d

SHA256
4910e3e788ea2b4a108704e75e88350f327bccb4bd3ceea42eb0c4d7ef2f8078

SHA512
1fe2963ba193969c23b7150ccbd1a648077e4089f3892f0f61878e43a7ab8f10766638bf46a85f0dd57628be9ae22a4ef6a4dc0100ef061c2cea72dc26c80baf

Download Submit
C:\Windows\{345B051F-B5E2-40fe-ADE2-696E237DE74A}.exe

Filesize
60KB

MD5
52c5ebdd1a47272b335fc2077442f5f9

SHA1
1b20aa78e504cca02890e7e244cadd9c264f237d

SHA256
4910e3e788ea2b4a108704e75e88350f327bccb4bd3ceea42eb0c4d7ef2f8078

SHA512
1fe2963ba193969c23b7150ccbd1a648077e4089f3892f0f61878e43a7ab8f10766638bf46a85f0dd57628be9ae22a4ef6a4dc0100ef061c2cea72dc26c80baf

Download Submit
C:\Windows\{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe

Filesize
60KB

MD5
53b8c16d1bf999b001b2dd084939e408

SHA1
3a10bcb5637f9796d6fdf9303ecaa64090c187e2

SHA256
ac02078c4fd64342c364239927cde41385a768f8679af228c3668054dcec2303

SHA512
74ac83386703ac5cceeeca2fe59353c9e452c1ca8d1b2e8215cfea83bf48c1101b1681be25c6632f796e864b4fb59ed6832da146d64eca49387378b5f6d7d2c8

Download Submit
C:\Windows\{51DA160F-46A7-4d84-8DD2-E4B943C7D159}.exe

Filesize
60KB

MD5
53b8c16d1bf999b001b2dd084939e408

SHA1
3a10bcb5637f9796d6fdf9303ecaa64090c187e2

SHA256
ac02078c4fd64342c364239927cde41385a768f8679af228c3668054dcec2303

SHA512
74ac83386703ac5cceeeca2fe59353c9e452c1ca8d1b2e8215cfea83bf48c1101b1681be25c6632f796e864b4fb59ed6832da146d64eca49387378b5f6d7d2c8

Download Submit
C:\Windows\{9E95DF4C-6718-4be6-A081-1ED63DF75732}.exe

Filesize
60KB

MD5
18bfc8a224f5b127f68438ce8e01263a

SHA1
90bb3cbe80c4c1f51631a66312aa03bda55007b3

SHA256
cee79801dc41ca53434b61f871ae365142f2af7e8cffe972f6f3a7cc51aeece7

SHA512
7c9b8a7bb05bf7be8702719d5c24246bb2bb118e5749ef5bf92c62b5893adaf708abf3bfebc36c95d053a3e56be5046ad5b663df4540c15234f33c01d9d36825

Download Submit
C:\Windows\{9E95DF4C-6718-4be6-A081-1ED63DF75732}.exe

Filesize
60KB

MD5
18bfc8a224f5b127f68438ce8e01263a

SHA1
90bb3cbe80c4c1f51631a66312aa03bda55007b3

SHA256
cee79801dc41ca53434b61f871ae365142f2af7e8cffe972f6f3a7cc51aeece7

SHA512
7c9b8a7bb05bf7be8702719d5c24246bb2bb118e5749ef5bf92c62b5893adaf708abf3bfebc36c95d053a3e56be5046ad5b663df4540c15234f33c01d9d36825

Download Submit
C:\Windows\{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe

Filesize
60KB

MD5
d437f948cba104ea6e04ff104f8fd392

SHA1
a02d9e93eb223aecb006f9fa3e902076c672c527

SHA256
fc03ae2c8c9e7830d5bd95347528679aceeda082a81d1eeb512414453bf2c758

SHA512
1ba50e0860336c60a16779528eae53f00a3a34216e13e47da2a6a5638ff16826f73a888c3172d8b5f7868b3c84a19aa808632b55323022d346104f0e126eadd4

Download Submit
C:\Windows\{B72FEB0F-4E6F-4ec8-8ED8-783403884C74}.exe

Filesize
60KB

MD5
d437f948cba104ea6e04ff104f8fd392

SHA1
a02d9e93eb223aecb006f9fa3e902076c672c527

SHA256
fc03ae2c8c9e7830d5bd95347528679aceeda082a81d1eeb512414453bf2c758

SHA512
1ba50e0860336c60a16779528eae53f00a3a34216e13e47da2a6a5638ff16826f73a888c3172d8b5f7868b3c84a19aa808632b55323022d346104f0e126eadd4

Download Submit
C:\Windows\{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe

Filesize
60KB

MD5
60ba1b1bb391a36b453a31b4a9cf06aa

SHA1
3e1951aa10c2be2a24a156fc10f0d816dbece8f5

SHA256
8f38ab27e2497360f5b8cedc51d130457991291a04c0f12ede28d08fceedc0bf

SHA512
bf45c606483035013bf7f9488ffd78693346c44daa81e6efab4e393895e63f43eac948bfd7fbe250e321aca7d861664dfcc90c1207e1eb30fd885ad11e64addc

Download Submit
C:\Windows\{D179B4A5-EAD2-4f45-A2A4-7266863A9E2F}.exe

Filesize
60KB

MD5
60ba1b1bb391a36b453a31b4a9cf06aa

SHA1
3e1951aa10c2be2a24a156fc10f0d816dbece8f5

SHA256
8f38ab27e2497360f5b8cedc51d130457991291a04c0f12ede28d08fceedc0bf

SHA512
bf45c606483035013bf7f9488ffd78693346c44daa81e6efab4e393895e63f43eac948bfd7fbe250e321aca7d861664dfcc90c1207e1eb30fd885ad11e64addc

Download Submit
C:\Windows\{D8768B3D-C816-4db7-AE32-999108195C66}.exe

Filesize
60KB

MD5
8ce3a3af6da044bbafa9e30ce260d959

SHA1
0c23a7835e1ba7e20e55e526e3bb45c8919e3c2b

SHA256
48f1be3a3b396b442d28049756631ad8265d8a88bd491b7f6dc4f2346cb458c1

SHA512
a32e1c63c00de2178e66c93bbd1d2284fa9fbd0f1a5ef37836d9b789ad8ba12ed4ea16719f091c149cf2548d3bc54ccd688a26eec2962f0e696f17ca428b42ac

Download Submit
C:\Windows\{D8768B3D-C816-4db7-AE32-999108195C66}.exe

Filesize
60KB

MD5
8ce3a3af6da044bbafa9e30ce260d959

SHA1
0c23a7835e1ba7e20e55e526e3bb45c8919e3c2b

SHA256
48f1be3a3b396b442d28049756631ad8265d8a88bd491b7f6dc4f2346cb458c1

SHA512
a32e1c63c00de2178e66c93bbd1d2284fa9fbd0f1a5ef37836d9b789ad8ba12ed4ea16719f091c149cf2548d3bc54ccd688a26eec2962f0e696f17ca428b42ac

Download Submit
C:\Windows\{F6743E9B-208F-4352-B498-4F143ACAECEA}.exe

Filesize
60KB

MD5
fff4ac99a5e44a8698ad5d64f6b3285b

SHA1
daa19dfd354aae0ed71886ecd007ec5b587270c0

SHA256
a20935fcbb966d7c7a6515e4255fc3bdd05880bb767e51c345d858de5e4d8905

SHA512
42f13ba7aaa53f59a03eb3ef9067b7b8df00692ecd297bbcfb24af1fefab2d7a9cc645df29e58320aa3de7e1433e1b061f42632b90e457f97e53da7dde9777c6

Download Submit
C:\Windows\{F6743E9B-208F-4352-B498-4F143ACAECEA}.exe

Filesize
60KB

MD5
fff4ac99a5e44a8698ad5d64f6b3285b

SHA1
daa19dfd354aae0ed71886ecd007ec5b587270c0

SHA256
a20935fcbb966d7c7a6515e4255fc3bdd05880bb767e51c345d858de5e4d8905

SHA512
42f13ba7aaa53f59a03eb3ef9067b7b8df00692ecd297bbcfb24af1fefab2d7a9cc645df29e58320aa3de7e1433e1b061f42632b90e457f97e53da7dde9777c6

Download Submit
C:\Windows\{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe

Filesize
60KB

MD5
a55dbdff9c9b6fac6b38bd9b8640233c

SHA1
2986806d47e571c3e677b2691272acb2e9a30b0f

SHA256
dc0c8bb96236d3e74c995f5ac333ba10bff859ce5752f641512214330fcb2807

SHA512
7cc3957e5dd36ee9ceff0702639558db568d40f57e676640ea09ef1d6897a815c3bdb8c09140718a701af7e5534801d2e0a69bd919face17e1803b281c4ceb3c

Download Submit
C:\Windows\{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe

Filesize
60KB

MD5
a55dbdff9c9b6fac6b38bd9b8640233c

SHA1
2986806d47e571c3e677b2691272acb2e9a30b0f

SHA256
dc0c8bb96236d3e74c995f5ac333ba10bff859ce5752f641512214330fcb2807

SHA512
7cc3957e5dd36ee9ceff0702639558db568d40f57e676640ea09ef1d6897a815c3bdb8c09140718a701af7e5534801d2e0a69bd919face17e1803b281c4ceb3c

Download Submit
C:\Windows\{FD0C6F84-7D6D-4c23-BFD1-655953CB1E55}.exe

Filesize
60KB

MD5
a55dbdff9c9b6fac6b38bd9b8640233c

SHA1
2986806d47e571c3e677b2691272acb2e9a30b0f

SHA256
dc0c8bb96236d3e74c995f5ac333ba10bff859ce5752f641512214330fcb2807

SHA512
7cc3957e5dd36ee9ceff0702639558db568d40f57e676640ea09ef1d6897a815c3bdb8c09140718a701af7e5534801d2e0a69bd919face17e1803b281c4ceb3c

Download Submit
C:\Windows\{FE98284F-5AD5-46f9-9649-EC3033C3A615}.exe

Filesize
60KB

MD5
f6de50044281f96456b2b9ac96046397

SHA1
561796128e09c375b1537456707fa8bfb52d42e6

SHA256
1406be3249d62f385d38c608f55cd94255675a315f59fe239f03c119da85cb7a

SHA512
b9aa0d41578dc97e91537f16efd3b227131906f10b8a0f7e8768ac7c0a91cd4ad440b53cb68a16cc29668d3c1f570ee94a8c741dd602b29888457ad9c469547c

Download Submit
C:\Windows\{FE98284F-5AD5-46f9-9649-EC3033C3A615}.exe

Filesize
60KB

MD5
f6de50044281f96456b2b9ac96046397

SHA1
561796128e09c375b1537456707fa8bfb52d42e6

SHA256
1406be3249d62f385d38c608f55cd94255675a315f59fe239f03c119da85cb7a

SHA512
b9aa0d41578dc97e91537f16efd3b227131906f10b8a0f7e8768ac7c0a91cd4ad440b53cb68a16cc29668d3c1f570ee94a8c741dd602b29888457ad9c469547c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads