8a4b0e1e2ddd2e8cb6bc7a1fd76070e848640353c675d10ee3b081fbbe2ec12b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe
Size

60KB
MD5

9790bee0d8456a39bbbda3dd029fdf70
SHA1

421ad2761987313887cd441f59539228900c6215
SHA256

8a4b0e1e2ddd2e8cb6bc7a1fd76070e848640353c675d10ee3b081fbbe2ec12b
SHA512

679ae6c79e3c04ba0469f2dbb0f36784d19328417a253f1cfd01fe2fc2412e7e97de79dd8a90629084d798352d2bffc78688b6eaeed52376c1b4f7ee92ec3323
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwfY04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroR4/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}	{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}	{99A1C462-9366-4ecd-964D-902D5CABF576}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}\stubpath = "C:\\Windows\\{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe"	{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}\stubpath = "C:\\Windows\\{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}.exe"	{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A38368E8-1EEC-4495-965A-AF3FF451A2C9}\stubpath = "C:\\Windows\\{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe"	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}\stubpath = "C:\\Windows\\{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe"	{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B87277B-409E-4e88-BE11-3B1B068C73C4}	{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A0F2C00-99CA-4184-BC1B-AFDB619DAE83}\stubpath = "C:\\Windows\\{1A0F2C00-99CA-4184-BC1B-AFDB619DAE83}.exe"	{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}	{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}\stubpath = "C:\\Windows\\{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe"	{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A0F2C00-99CA-4184-BC1B-AFDB619DAE83}	{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A38368E8-1EEC-4495-965A-AF3FF451A2C9}	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}	{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}\stubpath = "C:\\Windows\\{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe"	{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFEC7343-3B31-46a3-ADDF-280E2003BD53}	{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99A1C462-9366-4ecd-964D-902D5CABF576}	{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}	{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFEC7343-3B31-46a3-ADDF-280E2003BD53}\stubpath = "C:\\Windows\\{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe"	{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99A1C462-9366-4ecd-964D-902D5CABF576}\stubpath = "C:\\Windows\\{99A1C462-9366-4ecd-964D-902D5CABF576}.exe"	{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}\stubpath = "C:\\Windows\\{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe"	{99A1C462-9366-4ecd-964D-902D5CABF576}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B87277B-409E-4e88-BE11-3B1B068C73C4}\stubpath = "C:\\Windows\\{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe"	{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}	{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe

Executes dropped EXE 11 IoCs

pid	Process
928	{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe
2572	{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe
560	{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe
1380	{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe
4632	{99A1C462-9366-4ecd-964D-902D5CABF576}.exe
380	{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe
2968	{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe
2360	{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe
5112	{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe
3996	{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}.exe
3212	{1A0F2C00-99CA-4184-BC1B-AFDB619DAE83}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1A0F2C00-99CA-4184-BC1B-AFDB619DAE83}.exe	{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}.exe
File created	C:\Windows\{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe
File created	C:\Windows\{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe	{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe
File created	C:\Windows\{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe	{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe
File created	C:\Windows\{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe	{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe
File created	C:\Windows\{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe	{99A1C462-9366-4ecd-964D-902D5CABF576}.exe
File created	C:\Windows\{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe	{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe
File created	C:\Windows\{99A1C462-9366-4ecd-964D-902D5CABF576}.exe	{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe
File created	C:\Windows\{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe	{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe
File created	C:\Windows\{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe	{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe
File created	C:\Windows\{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}.exe	{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3776	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe
Token: SeIncBasePriorityPrivilege	928	{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe
Token: SeIncBasePriorityPrivilege	2572	{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe
Token: SeIncBasePriorityPrivilege	560	{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe
Token: SeIncBasePriorityPrivilege	1380	{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe
Token: SeIncBasePriorityPrivilege	4632	{99A1C462-9366-4ecd-964D-902D5CABF576}.exe
Token: SeIncBasePriorityPrivilege	380	{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe
Token: SeIncBasePriorityPrivilege	2968	{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe
Token: SeIncBasePriorityPrivilege	2360	{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe
Token: SeIncBasePriorityPrivilege	5112	{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe
Token: SeIncBasePriorityPrivilege	3996	{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 928	3776	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe	91
PID 3776 wrote to memory of 928	3776	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe	91
PID 3776 wrote to memory of 928	3776	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe	91
PID 3776 wrote to memory of 3212	3776	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe	92
PID 3776 wrote to memory of 3212	3776	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe	92
PID 3776 wrote to memory of 3212	3776	NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe	92
PID 928 wrote to memory of 2572	928	{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe	98
PID 928 wrote to memory of 2572	928	{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe	98
PID 928 wrote to memory of 2572	928	{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe	98
PID 928 wrote to memory of 4132	928	{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe	99
PID 928 wrote to memory of 4132	928	{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe	99
PID 928 wrote to memory of 4132	928	{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe	99
PID 2572 wrote to memory of 560	2572	{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe	104
PID 2572 wrote to memory of 560	2572	{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe	104
PID 2572 wrote to memory of 560	2572	{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe	104
PID 2572 wrote to memory of 844	2572	{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe	103
PID 2572 wrote to memory of 844	2572	{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe	103
PID 2572 wrote to memory of 844	2572	{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe	103
PID 560 wrote to memory of 1380	560	{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe	113
PID 560 wrote to memory of 1380	560	{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe	113
PID 560 wrote to memory of 1380	560	{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe	113
PID 560 wrote to memory of 1620	560	{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe	114
PID 560 wrote to memory of 1620	560	{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe	114
PID 560 wrote to memory of 1620	560	{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe	114
PID 1380 wrote to memory of 4632	1380	{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe	115
PID 1380 wrote to memory of 4632	1380	{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe	115
PID 1380 wrote to memory of 4632	1380	{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe	115
PID 1380 wrote to memory of 1760	1380	{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe	116
PID 1380 wrote to memory of 1760	1380	{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe	116
PID 1380 wrote to memory of 1760	1380	{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe	116
PID 4632 wrote to memory of 380	4632	{99A1C462-9366-4ecd-964D-902D5CABF576}.exe	117
PID 4632 wrote to memory of 380	4632	{99A1C462-9366-4ecd-964D-902D5CABF576}.exe	117
PID 4632 wrote to memory of 380	4632	{99A1C462-9366-4ecd-964D-902D5CABF576}.exe	117
PID 4632 wrote to memory of 1964	4632	{99A1C462-9366-4ecd-964D-902D5CABF576}.exe	118
PID 4632 wrote to memory of 1964	4632	{99A1C462-9366-4ecd-964D-902D5CABF576}.exe	118
PID 4632 wrote to memory of 1964	4632	{99A1C462-9366-4ecd-964D-902D5CABF576}.exe	118
PID 380 wrote to memory of 2968	380	{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe	120
PID 380 wrote to memory of 2968	380	{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe	120
PID 380 wrote to memory of 2968	380	{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe	120
PID 380 wrote to memory of 1116	380	{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe	121
PID 380 wrote to memory of 1116	380	{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe	121
PID 380 wrote to memory of 1116	380	{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe	121
PID 2968 wrote to memory of 2360	2968	{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe	122
PID 2968 wrote to memory of 2360	2968	{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe	122
PID 2968 wrote to memory of 2360	2968	{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe	122
PID 2968 wrote to memory of 4604	2968	{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe	123
PID 2968 wrote to memory of 4604	2968	{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe	123
PID 2968 wrote to memory of 4604	2968	{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe	123
PID 2360 wrote to memory of 5112	2360	{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe	124
PID 2360 wrote to memory of 5112	2360	{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe	124
PID 2360 wrote to memory of 5112	2360	{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe	124
PID 2360 wrote to memory of 1800	2360	{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe	125
PID 2360 wrote to memory of 1800	2360	{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe	125
PID 2360 wrote to memory of 1800	2360	{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe	125
PID 5112 wrote to memory of 3996	5112	{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe	126
PID 5112 wrote to memory of 3996	5112	{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe	126
PID 5112 wrote to memory of 3996	5112	{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe	126
PID 5112 wrote to memory of 2548	5112	{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe	127
PID 5112 wrote to memory of 2548	5112	{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe	127
PID 5112 wrote to memory of 2548	5112	{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe	127
PID 3996 wrote to memory of 3212	3996	{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}.exe	128
PID 3996 wrote to memory of 3212	3996	{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}.exe	128
PID 3996 wrote to memory of 3212	3996	{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}.exe	128
PID 3996 wrote to memory of 3452	3996	{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}.exe	129

C:\Users\Admin\AppData\Local\Temp\NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9790bee0d8456a39bbbda3dd029fdf70.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Windows\{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe
  C:\Windows\{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe
    C:\Windows\{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E0F85~1.EXE > nul
      4⤵
      PID:844
  - - C:\Windows\{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe
      C:\Windows\{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:560
    - - C:\Windows\{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe
        
        C:\Windows\{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
      - C:\Windows\{99A1C462-9366-4ecd-964D-902D5CABF576}.exe
        
        C:\Windows\{99A1C462-9366-4ecd-964D-902D5CABF576}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe
        
        C:\Windows\{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe
        
        C:\Windows\{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe
        
        C:\Windows\{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe
        
        C:\Windows\{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}.exe
        
        C:\Windows\{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\{1A0F2C00-99CA-4184-BC1B-AFDB619DAE83}.exe
        
        C:\Windows\{1A0F2C00-99CA-4184-BC1B-AFDB619DAE83}.exe
        12⤵
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5709C~1.EXE > nul
        12⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B21F6~1.EXE > nul
        11⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE0AE~1.EXE > nul
        10⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B872~1.EXE > nul
        9⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E284~1.EXE > nul
        8⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99A1C~1.EXE > nul
        7⤵
        
        PID:1964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF088~1.EXE > nul
        6⤵
        
        PID:1760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFEC7~1.EXE > nul
        5⤵
        
        PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A3836~1.EXE > nul
    3⤵
    PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS97~1.EXE > nul
  2⤵
  PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A0F2C00-99CA-4184-BC1B-AFDB619DAE83}.exe

Filesize
60KB

MD5
532277c963d1659cc9d74ff31935e0e5

SHA1
666edb6a4b8f3ce7eaaf9a6ee3404d4a3dd92fd3

SHA256
3e3ed2faa367c57c977a46c6dcadfd3ea8b70c75fbfe2b96a9d201bd1db98922

SHA512
35389c51d912263dbf9ca7e6e90e02b66653fd59de7b081c1c5df3c843b4e60f421e333387431f75c5f6156ecc0d4f16013e0522621f4432d9105db27e9f3cb2

Download Submit
C:\Windows\{1A0F2C00-99CA-4184-BC1B-AFDB619DAE83}.exe

Filesize
60KB

MD5
532277c963d1659cc9d74ff31935e0e5

SHA1
666edb6a4b8f3ce7eaaf9a6ee3404d4a3dd92fd3

SHA256
3e3ed2faa367c57c977a46c6dcadfd3ea8b70c75fbfe2b96a9d201bd1db98922

SHA512
35389c51d912263dbf9ca7e6e90e02b66653fd59de7b081c1c5df3c843b4e60f421e333387431f75c5f6156ecc0d4f16013e0522621f4432d9105db27e9f3cb2

Download Submit
C:\Windows\{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe

Filesize
60KB

MD5
d8139fe8cc0d3c305bdef90e408f52fd

SHA1
f18fcd1cfd895689cfbffea535c96902d9eac598

SHA256
49a60e3e01191bc9b592ccb84932ca0c2838d7a18a31847dc8d3633479ea9990

SHA512
6a3285868f8ed55e706bff6cade81eaf16fe058f9668a8750f5fbbe04040f5eeaf836848909652fe50752c22b57d5cd15b4d468211828b9212a28250a7a1fadd

Download Submit
C:\Windows\{3E28472B-1CCB-47d8-AE11-33AACB2D81A3}.exe

Filesize
60KB

MD5
d8139fe8cc0d3c305bdef90e408f52fd

SHA1
f18fcd1cfd895689cfbffea535c96902d9eac598

SHA256
49a60e3e01191bc9b592ccb84932ca0c2838d7a18a31847dc8d3633479ea9990

SHA512
6a3285868f8ed55e706bff6cade81eaf16fe058f9668a8750f5fbbe04040f5eeaf836848909652fe50752c22b57d5cd15b4d468211828b9212a28250a7a1fadd

Download Submit
C:\Windows\{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}.exe

Filesize
60KB

MD5
09c74eb652f26603146431baf9ea67d2

SHA1
45b9b4913231e8d303522f111e765c2afbe97065

SHA256
02fdfe9e5c9270a9dd8ab498f19b7514d5dc8b3091ef207f24509e186fc6859a

SHA512
21959f1ef7e58a202e7b6c9fbf8be7513cd2cf7c1865f66f00f684a91884ce8389275751640da696b5f6088d5dcee75ae6a6ac106acece94e0d8f4f39459e855

Download Submit
C:\Windows\{5709C67E-6B07-40e5-BAD2-2051CCCB90D8}.exe

Filesize
60KB

MD5
09c74eb652f26603146431baf9ea67d2

SHA1
45b9b4913231e8d303522f111e765c2afbe97065

SHA256
02fdfe9e5c9270a9dd8ab498f19b7514d5dc8b3091ef207f24509e186fc6859a

SHA512
21959f1ef7e58a202e7b6c9fbf8be7513cd2cf7c1865f66f00f684a91884ce8389275751640da696b5f6088d5dcee75ae6a6ac106acece94e0d8f4f39459e855

Download Submit
C:\Windows\{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe

Filesize
60KB

MD5
9dd43fceec1ad5e5c590aad2e3298648

SHA1
72246d728bd1551b0c467d8c65431341818d29cb

SHA256
c2d7d714e1c7bfd8b7fd0354ec1ac9b64184ee4e7473364e9062597a1043917a

SHA512
62f8d483dcaab6531f5a71c31ec30c5ed0e5f8f8646e42970bdfe6d4fae6cd20d70e12f220db5e3bcce74ec01a6fbd8c41a25df3c4b557fa9cacddab709d1fe3

Download Submit
C:\Windows\{5B87277B-409E-4e88-BE11-3B1B068C73C4}.exe

Filesize
60KB

MD5
9dd43fceec1ad5e5c590aad2e3298648

SHA1
72246d728bd1551b0c467d8c65431341818d29cb

SHA256
c2d7d714e1c7bfd8b7fd0354ec1ac9b64184ee4e7473364e9062597a1043917a

SHA512
62f8d483dcaab6531f5a71c31ec30c5ed0e5f8f8646e42970bdfe6d4fae6cd20d70e12f220db5e3bcce74ec01a6fbd8c41a25df3c4b557fa9cacddab709d1fe3

Download Submit
C:\Windows\{99A1C462-9366-4ecd-964D-902D5CABF576}.exe

Filesize
60KB

MD5
b985b0b202eb50e413a53adb3f95d9ea

SHA1
ee920247b3712d6a667162e2045fe966efa9923a

SHA256
33b9111561891d261db7bcaa5ce57846e549ee5d33129946f685ebd590287d8a

SHA512
1cc29d3b11931e080d3c7144585e2e4397f77305a3c05360e196f6009dcf20e260f82cd4ab5617a87c1b81ddcc46f462562fab1f39f14b3d6922607d07ac4d3c

Download Submit
C:\Windows\{99A1C462-9366-4ecd-964D-902D5CABF576}.exe

Filesize
60KB

MD5
b985b0b202eb50e413a53adb3f95d9ea

SHA1
ee920247b3712d6a667162e2045fe966efa9923a

SHA256
33b9111561891d261db7bcaa5ce57846e549ee5d33129946f685ebd590287d8a

SHA512
1cc29d3b11931e080d3c7144585e2e4397f77305a3c05360e196f6009dcf20e260f82cd4ab5617a87c1b81ddcc46f462562fab1f39f14b3d6922607d07ac4d3c

Download Submit
C:\Windows\{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe

Filesize
60KB

MD5
117d05d9dea725f215afe3777a778ea6

SHA1
b38ef76d4c0df4243ab00033ca28b7847a6844d9

SHA256
73876c806c64e5a3d14bb3c6c38dd9e2e8c53a46fe13988c01020d8e1f46b6a4

SHA512
bc958187487b76e216519fc86815903f00d6cfae7533bc7812b2d9ae381dfca3bbc228fe55f8f9f4032fa591a26fe7a5e4b924bdac5692f753a9b3c96a07f131

Download Submit
C:\Windows\{A38368E8-1EEC-4495-965A-AF3FF451A2C9}.exe

Filesize
60KB

MD5
117d05d9dea725f215afe3777a778ea6

SHA1
b38ef76d4c0df4243ab00033ca28b7847a6844d9

SHA256
73876c806c64e5a3d14bb3c6c38dd9e2e8c53a46fe13988c01020d8e1f46b6a4

SHA512
bc958187487b76e216519fc86815903f00d6cfae7533bc7812b2d9ae381dfca3bbc228fe55f8f9f4032fa591a26fe7a5e4b924bdac5692f753a9b3c96a07f131

Download Submit
C:\Windows\{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe

Filesize
60KB

MD5
1c98a4691328cc78a7941a5d2733f526

SHA1
3f86e685082a4d4f89335d8ace1f21869dee1127

SHA256
c2a3b38e6926243c2f02fa6fe39d3ede8e5f47c45d43ec337ab9adb34295595b

SHA512
25504725d6549ef5f165e98f76545a126c66673b4f19b0060846524478d35a7ba38336ec892b34e504010ad2592a38d030ec2cfc6241be316a9a9aebbdb04dcb

Download Submit
C:\Windows\{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe

Filesize
60KB

MD5
1c98a4691328cc78a7941a5d2733f526

SHA1
3f86e685082a4d4f89335d8ace1f21869dee1127

SHA256
c2a3b38e6926243c2f02fa6fe39d3ede8e5f47c45d43ec337ab9adb34295595b

SHA512
25504725d6549ef5f165e98f76545a126c66673b4f19b0060846524478d35a7ba38336ec892b34e504010ad2592a38d030ec2cfc6241be316a9a9aebbdb04dcb

Download Submit
C:\Windows\{AFEC7343-3B31-46a3-ADDF-280E2003BD53}.exe

Filesize
60KB

MD5
1c98a4691328cc78a7941a5d2733f526

SHA1
3f86e685082a4d4f89335d8ace1f21869dee1127

SHA256
c2a3b38e6926243c2f02fa6fe39d3ede8e5f47c45d43ec337ab9adb34295595b

SHA512
25504725d6549ef5f165e98f76545a126c66673b4f19b0060846524478d35a7ba38336ec892b34e504010ad2592a38d030ec2cfc6241be316a9a9aebbdb04dcb

Download Submit
C:\Windows\{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe

Filesize
60KB

MD5
5dd6f4185b80b3f888e8780f61736a4f

SHA1
856786125f5e7a4b26e336a715f2958c2baa4c9d

SHA256
5f57aecf94a854dabf622f81dee373d73f0ff691d989f71f452b36ba84649130

SHA512
12217dc0e0b5f4bfa3974a4366ce7491b70fb9fc51cee709b2d7522787a7ab1cc5f6556c34b878cc0f8dfdb1f7d0c789131501f79e8d6440caa8b39cfe29aeae

Download Submit
C:\Windows\{B21F6BB1-37C4-4f0a-98C2-0E25160E3308}.exe

Filesize
60KB

MD5
5dd6f4185b80b3f888e8780f61736a4f

SHA1
856786125f5e7a4b26e336a715f2958c2baa4c9d

SHA256
5f57aecf94a854dabf622f81dee373d73f0ff691d989f71f452b36ba84649130

SHA512
12217dc0e0b5f4bfa3974a4366ce7491b70fb9fc51cee709b2d7522787a7ab1cc5f6556c34b878cc0f8dfdb1f7d0c789131501f79e8d6440caa8b39cfe29aeae

Download Submit
C:\Windows\{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe

Filesize
60KB

MD5
44b893c980c6a36fab06f7e9e2bfc9bb

SHA1
e0dae3b6bdc50827c54137e9d8a98b56c1efb1c6

SHA256
0d981fce5c6d50045589a18f3248ba5f807209f0d50adda59ca9a961e6940d83

SHA512
3d4d2b3f799c9bdf1d9b031fbd826174eead5ce53b6360f079b543076426eee5fac14d4a0607fce4d16a3d64b60a9e5fbbb6f969b304e4ba445e4088879c5b0b

Download Submit
C:\Windows\{DF08852C-400C-4f5e-A9C9-A33AD4AB3F70}.exe

Filesize
60KB

MD5
44b893c980c6a36fab06f7e9e2bfc9bb

SHA1
e0dae3b6bdc50827c54137e9d8a98b56c1efb1c6

SHA256
0d981fce5c6d50045589a18f3248ba5f807209f0d50adda59ca9a961e6940d83

SHA512
3d4d2b3f799c9bdf1d9b031fbd826174eead5ce53b6360f079b543076426eee5fac14d4a0607fce4d16a3d64b60a9e5fbbb6f969b304e4ba445e4088879c5b0b

Download Submit
C:\Windows\{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe

Filesize
60KB

MD5
e7f17716ef8bec8554898797b2a85e0c

SHA1
60e467aeed7e0379550dea030bdae0db3864ddca

SHA256
52e93fe41720a0758ef4c20c2da6b588a85941b17caa03eb3fe6b861c7259bf3

SHA512
e361d095a1cc5d671dd7379a3adc3483bb5b3a532dd79423ffd009e480ba2aa38c975b4f3fe668a8d1226ef92c943a3d5a96f5758bcd7f8983eefffd04fe95e8

Download Submit
C:\Windows\{E0F857DB-CAE6-4498-AD09-17B5B1FAD677}.exe

Filesize
60KB

MD5
e7f17716ef8bec8554898797b2a85e0c

SHA1
60e467aeed7e0379550dea030bdae0db3864ddca

SHA256
52e93fe41720a0758ef4c20c2da6b588a85941b17caa03eb3fe6b861c7259bf3

SHA512
e361d095a1cc5d671dd7379a3adc3483bb5b3a532dd79423ffd009e480ba2aa38c975b4f3fe668a8d1226ef92c943a3d5a96f5758bcd7f8983eefffd04fe95e8

Download Submit
C:\Windows\{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe

Filesize
60KB

MD5
a223a51071e39955f9d20ad16ccdeeeb

SHA1
8d337989775487096e87cb753ac88dfc507e13c1

SHA256
f9dfff248f9400e3c43beb918683527423685582ff6b2144525b9a139883c4b2

SHA512
37e9d8471a9a62215d261c759ddef24d2800ade36d74cf817bbfd0e17e6e6a26129c7b2505cce7b48c0b4bf08d21be7e4430cd6908224a54e18a97121ef16247

Download Submit
C:\Windows\{FE0AE673-AE8C-4e07-BDAF-592981BFA74D}.exe

Filesize
60KB

MD5
a223a51071e39955f9d20ad16ccdeeeb

SHA1
8d337989775487096e87cb753ac88dfc507e13c1

SHA256
f9dfff248f9400e3c43beb918683527423685582ff6b2144525b9a139883c4b2

SHA512
37e9d8471a9a62215d261c759ddef24d2800ade36d74cf817bbfd0e17e6e6a26129c7b2505cce7b48c0b4bf08d21be7e4430cd6908224a54e18a97121ef16247

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads