1f11eab96d20b5c4b444144976962060f4a7be852b5212b5eea0cfceb25dba4d

Analysis

max time kernel
169s
max time network
136s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe
Size

90KB
MD5

2fb3f1456b60c75e642013d2f7b5b6d0
SHA1

de616a8256b8293eaf0eb56eeaa490440e7d0b11
SHA256

1f11eab96d20b5c4b444144976962060f4a7be852b5212b5eea0cfceb25dba4d
SHA512

3428e2c6599a003c940af6e75193eaf15128eb5529eb79aaf272acec44ff2aa8306c6e9d2581ce04f3f8bd80ccc7719d5c443dc5b75b1513293c322ae7c12349
SSDEEP

768:Qvw9816vhKQLroN4/wQRNrfrunMxVFA3b7glw6:YEGh0oNl2unMxVS3Hgl

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}\stubpath = "C:\\Windows\\{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe"	{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DD27B22-5B85-4f7a-A411-EAC8762618FF}\stubpath = "C:\\Windows\\{3DD27B22-5B85-4f7a-A411-EAC8762618FF}.exe"	{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C58B91D-D159-4a3f-95CF-4FD4FC508143}	{AAE64F15-2467-4f23-884C-E5D343B1B958}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96A1AC85-A209-4dae-9595-14B2B419319D}\stubpath = "C:\\Windows\\{96A1AC85-A209-4dae-9595-14B2B419319D}.exe"	{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}	{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96A1AC85-A209-4dae-9595-14B2B419319D}	{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}	{96A1AC85-A209-4dae-9595-14B2B419319D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}	{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}\stubpath = "C:\\Windows\\{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe"	{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}	{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAE64F15-2467-4f23-884C-E5D343B1B958}	{3DD27B22-5B85-4f7a-A411-EAC8762618FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}\stubpath = "C:\\Windows\\{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe"	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7282C15F-038A-4fe0-B55C-690E3C97B7FB}	{9C58B91D-D159-4a3f-95CF-4FD4FC508143}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAE64F15-2467-4f23-884C-E5D343B1B958}\stubpath = "C:\\Windows\\{AAE64F15-2467-4f23-884C-E5D343B1B958}.exe"	{3DD27B22-5B85-4f7a-A411-EAC8762618FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C58B91D-D159-4a3f-95CF-4FD4FC508143}\stubpath = "C:\\Windows\\{9C58B91D-D159-4a3f-95CF-4FD4FC508143}.exe"	{AAE64F15-2467-4f23-884C-E5D343B1B958}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7282C15F-038A-4fe0-B55C-690E3C97B7FB}\stubpath = "C:\\Windows\\{7282C15F-038A-4fe0-B55C-690E3C97B7FB}.exe"	{9C58B91D-D159-4a3f-95CF-4FD4FC508143}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{810D8A3C-FB25-4f3e-83A4-5F45611E178C}	{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DD27B22-5B85-4f7a-A411-EAC8762618FF}	{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}\stubpath = "C:\\Windows\\{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe"	{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}\stubpath = "C:\\Windows\\{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe"	{96A1AC85-A209-4dae-9595-14B2B419319D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{810D8A3C-FB25-4f3e-83A4-5F45611E178C}\stubpath = "C:\\Windows\\{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe"	{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe

Deletes itself 1 IoCs

pid	Process
1548	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
556	{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe
2124	{96A1AC85-A209-4dae-9595-14B2B419319D}.exe
2920	{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe
2740	{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe
2784	{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe
2892	{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe
2116	{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe
2944	{3DD27B22-5B85-4f7a-A411-EAC8762618FF}.exe
2584	{AAE64F15-2467-4f23-884C-E5D343B1B958}.exe
2120	{9C58B91D-D159-4a3f-95CF-4FD4FC508143}.exe
1932	{7282C15F-038A-4fe0-B55C-690E3C97B7FB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe
File created	C:\Windows\{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe	{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe
File created	C:\Windows\{AAE64F15-2467-4f23-884C-E5D343B1B958}.exe	{3DD27B22-5B85-4f7a-A411-EAC8762618FF}.exe
File created	C:\Windows\{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe	{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe
File created	C:\Windows\{3DD27B22-5B85-4f7a-A411-EAC8762618FF}.exe	{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe
File created	C:\Windows\{9C58B91D-D159-4a3f-95CF-4FD4FC508143}.exe	{AAE64F15-2467-4f23-884C-E5D343B1B958}.exe
File created	C:\Windows\{7282C15F-038A-4fe0-B55C-690E3C97B7FB}.exe	{9C58B91D-D159-4a3f-95CF-4FD4FC508143}.exe
File created	C:\Windows\{96A1AC85-A209-4dae-9595-14B2B419319D}.exe	{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe
File created	C:\Windows\{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe	{96A1AC85-A209-4dae-9595-14B2B419319D}.exe
File created	C:\Windows\{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe	{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe
File created	C:\Windows\{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe	{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2064	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe
Token: SeIncBasePriorityPrivilege	556	{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe
Token: SeIncBasePriorityPrivilege	2124	{96A1AC85-A209-4dae-9595-14B2B419319D}.exe
Token: SeIncBasePriorityPrivilege	2920	{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe
Token: SeIncBasePriorityPrivilege	2740	{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe
Token: SeIncBasePriorityPrivilege	2784	{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe
Token: SeIncBasePriorityPrivilege	2892	{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe
Token: SeIncBasePriorityPrivilege	2116	{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe
Token: SeIncBasePriorityPrivilege	2944	{3DD27B22-5B85-4f7a-A411-EAC8762618FF}.exe
Token: SeIncBasePriorityPrivilege	2584	{AAE64F15-2467-4f23-884C-E5D343B1B958}.exe
Token: SeIncBasePriorityPrivilege	2120	{9C58B91D-D159-4a3f-95CF-4FD4FC508143}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 556	2064	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe	29
PID 2064 wrote to memory of 556	2064	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe	29
PID 2064 wrote to memory of 556	2064	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe	29
PID 2064 wrote to memory of 556	2064	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe	29
PID 2064 wrote to memory of 1548	2064	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe	30
PID 2064 wrote to memory of 1548	2064	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe	30
PID 2064 wrote to memory of 1548	2064	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe	30
PID 2064 wrote to memory of 1548	2064	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe	30
PID 556 wrote to memory of 2124	556	{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe	31
PID 556 wrote to memory of 2124	556	{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe	31
PID 556 wrote to memory of 2124	556	{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe	31
PID 556 wrote to memory of 2124	556	{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe	31
PID 556 wrote to memory of 980	556	{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe	32
PID 556 wrote to memory of 980	556	{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe	32
PID 556 wrote to memory of 980	556	{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe	32
PID 556 wrote to memory of 980	556	{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe	32
PID 2124 wrote to memory of 2920	2124	{96A1AC85-A209-4dae-9595-14B2B419319D}.exe	33
PID 2124 wrote to memory of 2920	2124	{96A1AC85-A209-4dae-9595-14B2B419319D}.exe	33
PID 2124 wrote to memory of 2920	2124	{96A1AC85-A209-4dae-9595-14B2B419319D}.exe	33
PID 2124 wrote to memory of 2920	2124	{96A1AC85-A209-4dae-9595-14B2B419319D}.exe	33
PID 2124 wrote to memory of 2296	2124	{96A1AC85-A209-4dae-9595-14B2B419319D}.exe	34
PID 2124 wrote to memory of 2296	2124	{96A1AC85-A209-4dae-9595-14B2B419319D}.exe	34
PID 2124 wrote to memory of 2296	2124	{96A1AC85-A209-4dae-9595-14B2B419319D}.exe	34
PID 2124 wrote to memory of 2296	2124	{96A1AC85-A209-4dae-9595-14B2B419319D}.exe	34
PID 2920 wrote to memory of 2740	2920	{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe	35
PID 2920 wrote to memory of 2740	2920	{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe	35
PID 2920 wrote to memory of 2740	2920	{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe	35
PID 2920 wrote to memory of 2740	2920	{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe	35
PID 2920 wrote to memory of 2808	2920	{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe	36
PID 2920 wrote to memory of 2808	2920	{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe	36
PID 2920 wrote to memory of 2808	2920	{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe	36
PID 2920 wrote to memory of 2808	2920	{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe	36
PID 2740 wrote to memory of 2784	2740	{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe	37
PID 2740 wrote to memory of 2784	2740	{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe	37
PID 2740 wrote to memory of 2784	2740	{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe	37
PID 2740 wrote to memory of 2784	2740	{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe	37
PID 2740 wrote to memory of 2240	2740	{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe	38
PID 2740 wrote to memory of 2240	2740	{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe	38
PID 2740 wrote to memory of 2240	2740	{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe	38
PID 2740 wrote to memory of 2240	2740	{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe	38
PID 2784 wrote to memory of 2892	2784	{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe	39
PID 2784 wrote to memory of 2892	2784	{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe	39
PID 2784 wrote to memory of 2892	2784	{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe	39
PID 2784 wrote to memory of 2892	2784	{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe	39
PID 2784 wrote to memory of 2996	2784	{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe	40
PID 2784 wrote to memory of 2996	2784	{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe	40
PID 2784 wrote to memory of 2996	2784	{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe	40
PID 2784 wrote to memory of 2996	2784	{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe	40
PID 2892 wrote to memory of 2116	2892	{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe	41
PID 2892 wrote to memory of 2116	2892	{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe	41
PID 2892 wrote to memory of 2116	2892	{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe	41
PID 2892 wrote to memory of 2116	2892	{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe	41
PID 2892 wrote to memory of 3008	2892	{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe	42
PID 2892 wrote to memory of 3008	2892	{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe	42
PID 2892 wrote to memory of 3008	2892	{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe	42
PID 2892 wrote to memory of 3008	2892	{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe	42
PID 2116 wrote to memory of 2944	2116	{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe	43
PID 2116 wrote to memory of 2944	2116	{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe	43
PID 2116 wrote to memory of 2944	2116	{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe	43
PID 2116 wrote to memory of 2944	2116	{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe	43
PID 2116 wrote to memory of 2136	2116	{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe	44
PID 2116 wrote to memory of 2136	2116	{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe	44
PID 2116 wrote to memory of 2136	2116	{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe	44
PID 2116 wrote to memory of 2136	2116	{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe	44

C:\Users\Admin\AppData\Local\Temp\NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe
  C:\Windows\{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\{96A1AC85-A209-4dae-9595-14B2B419319D}.exe
    C:\Windows\{96A1AC85-A209-4dae-9595-14B2B419319D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe
      C:\Windows\{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe
        
        C:\Windows\{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe
        
        C:\Windows\{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe
        
        C:\Windows\{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe
        
        C:\Windows\{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\{3DD27B22-5B85-4f7a-A411-EAC8762618FF}.exe
        
        C:\Windows\{3DD27B22-5B85-4f7a-A411-EAC8762618FF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\{AAE64F15-2467-4f23-884C-E5D343B1B958}.exe
        
        C:\Windows\{AAE64F15-2467-4f23-884C-E5D343B1B958}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\{9C58B91D-D159-4a3f-95CF-4FD4FC508143}.exe
        
        C:\Windows\{9C58B91D-D159-4a3f-95CF-4FD4FC508143}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\{7282C15F-038A-4fe0-B55C-690E3C97B7FB}.exe
        
        C:\Windows\{7282C15F-038A-4fe0-B55C-690E3C97B7FB}.exe
        12⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C58B~1.EXE > nul
        12⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAE64~1.EXE > nul
        11⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DD27~1.EXE > nul
        10⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D90DC~1.EXE > nul
        9⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DBC2~1.EXE > nul
        8⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{810D8~1.EXE > nul
        7⤵
        
        PID:2996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{714C8~1.EXE > nul
        6⤵
        
        PID:2240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA8BE~1.EXE > nul
        5⤵
        
        PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{96A1A~1.EXE > nul
      4⤵
      PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{00CC3~1.EXE > nul
    3⤵
    PID:980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS2F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe

Filesize
90KB

MD5
51c4981a6ad4fe10a8e16479556bd433

SHA1
9aa493a313a12b89b80d5183a3797f2340cf603e

SHA256
ac128370d3ec4b6526344fd3170fc4e496691bd819a30246b0531dd22eecbef9

SHA512
9b10a07064fcb8cf67c220a6c237105534a22a8aee4f9ce38b8ad0d47f77e026507646c6d53c3189b1fea6240a545bf1289b04103b455a0db4aa2e93e146012a

Download Submit
C:\Windows\{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe

Filesize
90KB

MD5
51c4981a6ad4fe10a8e16479556bd433

SHA1
9aa493a313a12b89b80d5183a3797f2340cf603e

SHA256
ac128370d3ec4b6526344fd3170fc4e496691bd819a30246b0531dd22eecbef9

SHA512
9b10a07064fcb8cf67c220a6c237105534a22a8aee4f9ce38b8ad0d47f77e026507646c6d53c3189b1fea6240a545bf1289b04103b455a0db4aa2e93e146012a

Download Submit
C:\Windows\{00CC3956-AEAE-47e9-AE49-BDDE23C86B75}.exe

Filesize
90KB

MD5
51c4981a6ad4fe10a8e16479556bd433

SHA1
9aa493a313a12b89b80d5183a3797f2340cf603e

SHA256
ac128370d3ec4b6526344fd3170fc4e496691bd819a30246b0531dd22eecbef9

SHA512
9b10a07064fcb8cf67c220a6c237105534a22a8aee4f9ce38b8ad0d47f77e026507646c6d53c3189b1fea6240a545bf1289b04103b455a0db4aa2e93e146012a

Download Submit
C:\Windows\{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe

Filesize
90KB

MD5
587438b300059967fe4178b28ecb5028

SHA1
e2a4a9f74230d6c9831c17ce82d556d8bf5b140f

SHA256
121b5e16c6fdaf194514c3e2b6380bc7e86b69dd229380ed5133141ec660a0d9

SHA512
8746b53c6e0d0e26c29e19ecd0b39e909971a5120becbb50aeecc9143913e9bc275bf42c6fcb748eb95cad26bb1d63aad05d164851e20dc77e3f5e9edd3481a6

Download Submit
C:\Windows\{0DBC298E-6102-48c4-89E8-DD6A8BD95B76}.exe

Filesize
90KB

MD5
587438b300059967fe4178b28ecb5028

SHA1
e2a4a9f74230d6c9831c17ce82d556d8bf5b140f

SHA256
121b5e16c6fdaf194514c3e2b6380bc7e86b69dd229380ed5133141ec660a0d9

SHA512
8746b53c6e0d0e26c29e19ecd0b39e909971a5120becbb50aeecc9143913e9bc275bf42c6fcb748eb95cad26bb1d63aad05d164851e20dc77e3f5e9edd3481a6

Download Submit
C:\Windows\{3DD27B22-5B85-4f7a-A411-EAC8762618FF}.exe

Filesize
90KB

MD5
f3e15d3b782a5d3728c972f0fc9212b1

SHA1
e8be20c4ebd5c1c8156ff728972708aa0dde668f

SHA256
2134831de80605379447dc1f9a4b1a18ad93c0c716ef43a2ea1c358deb5c4aea

SHA512
8b3d3f1fcc5074c10aac5e3378d94da81a4325fd86a1d7cbf48d34f420e842cdd599f004a1ec1a6e27d30162af7593c2592b7771254bdd4c1c6cfba6341033c0

Download Submit
C:\Windows\{3DD27B22-5B85-4f7a-A411-EAC8762618FF}.exe

Filesize
90KB

MD5
f3e15d3b782a5d3728c972f0fc9212b1

SHA1
e8be20c4ebd5c1c8156ff728972708aa0dde668f

SHA256
2134831de80605379447dc1f9a4b1a18ad93c0c716ef43a2ea1c358deb5c4aea

SHA512
8b3d3f1fcc5074c10aac5e3378d94da81a4325fd86a1d7cbf48d34f420e842cdd599f004a1ec1a6e27d30162af7593c2592b7771254bdd4c1c6cfba6341033c0

Download Submit
C:\Windows\{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe

Filesize
90KB

MD5
29ed604c75cb7240055c72e4afae7c68

SHA1
e27f49534a5fc405f994b19844769b430f6f0461

SHA256
df1e780f0bed93e13c96f9b74dbc2c5f05ab76985579d5bcfa0d6414abc7ef5b

SHA512
d0c01bcca10e1aabaf546dae8c6be2a420019f797c51e832514ac97db8353a6b077d99c49c1d050f0fad6ea3b2c314763babed0c4c8095be28af0680d171763d

Download Submit
C:\Windows\{714C83D6-DDBE-4fe9-A0C4-FCC39B4C133B}.exe

Filesize
90KB

MD5
29ed604c75cb7240055c72e4afae7c68

SHA1
e27f49534a5fc405f994b19844769b430f6f0461

SHA256
df1e780f0bed93e13c96f9b74dbc2c5f05ab76985579d5bcfa0d6414abc7ef5b

SHA512
d0c01bcca10e1aabaf546dae8c6be2a420019f797c51e832514ac97db8353a6b077d99c49c1d050f0fad6ea3b2c314763babed0c4c8095be28af0680d171763d

Download Submit
C:\Windows\{7282C15F-038A-4fe0-B55C-690E3C97B7FB}.exe

Filesize
90KB

MD5
79c301e98c32b47c27cae215835d6125

SHA1
467e4913ba1ec26f40b4433e5459908060107c1d

SHA256
96a2031afe544656fa088cc5a9eb48e7d8cfd8b2879f12f8ea47b1212b31df10

SHA512
1e611cf1854a0a12c093a12432bc2ff0b57be227f3c9746ffc9af554e645e7bf05d2458f210a3e5dd6dbf5d37d25bd3f189f9c6626a9ce8fcefc15aef8191c6c

Download Submit
C:\Windows\{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe

Filesize
90KB

MD5
958639d9f123be89fc354950aab885c3

SHA1
77a80e05e921322b05acab07ac217e7555ece95a

SHA256
71dc7e2a51c05898d571b6bace14fa35c1d54f5de61198845153f4b1f01bbecd

SHA512
0c48ef04a57c70fed50cd7a3503099e4862e521388d5e32f97207cbd79f3020ae6914b9cc81a5ade952d8e8f61aaee979f736303b18b899d522ca714389a1358

Download Submit
C:\Windows\{810D8A3C-FB25-4f3e-83A4-5F45611E178C}.exe

Filesize
90KB

MD5
958639d9f123be89fc354950aab885c3

SHA1
77a80e05e921322b05acab07ac217e7555ece95a

SHA256
71dc7e2a51c05898d571b6bace14fa35c1d54f5de61198845153f4b1f01bbecd

SHA512
0c48ef04a57c70fed50cd7a3503099e4862e521388d5e32f97207cbd79f3020ae6914b9cc81a5ade952d8e8f61aaee979f736303b18b899d522ca714389a1358

Download Submit
C:\Windows\{96A1AC85-A209-4dae-9595-14B2B419319D}.exe

Filesize
90KB

MD5
339a4fa1359b25378e77918a10b1cf43

SHA1
3aea3d7ec7370d6a30dfb09336261d8ffe1a428f

SHA256
4c92434ac8929e298a659c787fbf0f0d73b9ee298471ea4e4f48fc4eb83b8d3c

SHA512
0d89b1300660b74194bfb091dcc7b471b82cf165300ed354ec07b74903d9228b3895cfe7e5904b14f490699ff26b007c1c77c31a319bcf835c7f0670e6f5822b

Download Submit
C:\Windows\{96A1AC85-A209-4dae-9595-14B2B419319D}.exe

Filesize
90KB

MD5
339a4fa1359b25378e77918a10b1cf43

SHA1
3aea3d7ec7370d6a30dfb09336261d8ffe1a428f

SHA256
4c92434ac8929e298a659c787fbf0f0d73b9ee298471ea4e4f48fc4eb83b8d3c

SHA512
0d89b1300660b74194bfb091dcc7b471b82cf165300ed354ec07b74903d9228b3895cfe7e5904b14f490699ff26b007c1c77c31a319bcf835c7f0670e6f5822b

Download Submit
C:\Windows\{9C58B91D-D159-4a3f-95CF-4FD4FC508143}.exe

Filesize
90KB

MD5
c383db557f2d7662b637471853a71315

SHA1
f8ec72cc24380c7c0b0744fcd32c2785ef265d29

SHA256
e56e8734937d1d8513ff938fa10b0c0a4772453e2f1cda9469ac41bc70842725

SHA512
ba2d42d5fa9226b9d0d4e5af6abce619e4d0eb6bb5028d1589ac6b6530bc6d964a33eaca14f776f0404aa3775ab896a81fd027ff6f58015a7e21a0b68b08bf33

Download Submit
C:\Windows\{9C58B91D-D159-4a3f-95CF-4FD4FC508143}.exe

Filesize
90KB

MD5
c383db557f2d7662b637471853a71315

SHA1
f8ec72cc24380c7c0b0744fcd32c2785ef265d29

SHA256
e56e8734937d1d8513ff938fa10b0c0a4772453e2f1cda9469ac41bc70842725

SHA512
ba2d42d5fa9226b9d0d4e5af6abce619e4d0eb6bb5028d1589ac6b6530bc6d964a33eaca14f776f0404aa3775ab896a81fd027ff6f58015a7e21a0b68b08bf33

Download Submit
C:\Windows\{AAE64F15-2467-4f23-884C-E5D343B1B958}.exe

Filesize
90KB

MD5
6b2bfd66a0f6741303a07a9304d9bb5a

SHA1
853bd11104c1c1716d8bbffb72ac01330257423d

SHA256
d085935678cbd3e5c53650e1d24cfdb88cf93a779d21de5e4fbe471feb3243fd

SHA512
0fd80319b13b69cc62837fb5d088c0aa809d8811315c374c3391e7bad6b329fab16701d4d42b7485963114d207c19ed66411365afde1d902460518eeaa04670e

Download Submit
C:\Windows\{AAE64F15-2467-4f23-884C-E5D343B1B958}.exe

Filesize
90KB

MD5
6b2bfd66a0f6741303a07a9304d9bb5a

SHA1
853bd11104c1c1716d8bbffb72ac01330257423d

SHA256
d085935678cbd3e5c53650e1d24cfdb88cf93a779d21de5e4fbe471feb3243fd

SHA512
0fd80319b13b69cc62837fb5d088c0aa809d8811315c374c3391e7bad6b329fab16701d4d42b7485963114d207c19ed66411365afde1d902460518eeaa04670e

Download Submit
C:\Windows\{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe

Filesize
90KB

MD5
c2ec57d44703943fc6dbf8a0fdd1a5fe

SHA1
a68da4daccc9a7bad4a838b65cae887c58f5a0af

SHA256
d79c53564b97c8d00a68d036b9425a5e62ea82864d551de2d682b43b7050b784

SHA512
cd365715c20392a92036a9846ca70a71f9c4279bbaac5c5cd4f57f0914f78e912ffeef0755d64170bb3d9a1aa6f890d50337fc7b49a902f775c66f30f77ba870

Download Submit
C:\Windows\{CA8BEC3F-2ECA-45fd-8F14-990D8C8EEC19}.exe

Filesize
90KB

MD5
c2ec57d44703943fc6dbf8a0fdd1a5fe

SHA1
a68da4daccc9a7bad4a838b65cae887c58f5a0af

SHA256
d79c53564b97c8d00a68d036b9425a5e62ea82864d551de2d682b43b7050b784

SHA512
cd365715c20392a92036a9846ca70a71f9c4279bbaac5c5cd4f57f0914f78e912ffeef0755d64170bb3d9a1aa6f890d50337fc7b49a902f775c66f30f77ba870

Download Submit
C:\Windows\{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe

Filesize
90KB

MD5
35da77ff4ea42d32734fda9eefa37b7b

SHA1
e15bdc43a281f813f04053b8301fc986c6cc12f7

SHA256
c59beb863060f152cf2bb0fa96112847e1fe2b5ffbdcc36d9b24f8c8983c4a64

SHA512
12a39946669b76ac4510869ca0dc0fce58b0caa91dbcdfc163d53800591470621b2fd60850553026021fff733fec5eb4b308787722defb7aeaf7bd04f17ccba5

Download Submit
C:\Windows\{D90DC273-98D7-46a2-8CF1-138AA5BC63D9}.exe

Filesize
90KB

MD5
35da77ff4ea42d32734fda9eefa37b7b

SHA1
e15bdc43a281f813f04053b8301fc986c6cc12f7

SHA256
c59beb863060f152cf2bb0fa96112847e1fe2b5ffbdcc36d9b24f8c8983c4a64

SHA512
12a39946669b76ac4510869ca0dc0fce58b0caa91dbcdfc163d53800591470621b2fd60850553026021fff733fec5eb4b308787722defb7aeaf7bd04f17ccba5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads