1f11eab96d20b5c4b444144976962060f4a7be852b5212b5eea0cfceb25dba4d

Analysis

max time kernel
156s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2023 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe
Size

90KB
MD5

2fb3f1456b60c75e642013d2f7b5b6d0
SHA1

de616a8256b8293eaf0eb56eeaa490440e7d0b11
SHA256

1f11eab96d20b5c4b444144976962060f4a7be852b5212b5eea0cfceb25dba4d
SHA512

3428e2c6599a003c940af6e75193eaf15128eb5529eb79aaf272acec44ff2aa8306c6e9d2581ce04f3f8bd80ccc7719d5c443dc5b75b1513293c322ae7c12349
SSDEEP

768:Qvw9816vhKQLroN4/wQRNrfrunMxVFA3b7glw6:YEGh0oNl2unMxVS3Hgl

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}\stubpath = "C:\\Windows\\{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe"	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}	{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4D350C6-EC38-4975-8609-E69C9B970B0C}\stubpath = "C:\\Windows\\{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe"	{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0295EFBA-10AB-4858-8578-BE8F0FF26855}\stubpath = "C:\\Windows\\{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe"	{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DA763C2-7A9A-454e-87ED-643BD4131504}	{9947C788-D0E8-423e-8A02-411503C3E74C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}	{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}\stubpath = "C:\\Windows\\{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe"	{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9947C788-D0E8-423e-8A02-411503C3E74C}	{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9947C788-D0E8-423e-8A02-411503C3E74C}\stubpath = "C:\\Windows\\{9947C788-D0E8-423e-8A02-411503C3E74C}.exe"	{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3F64A21-C85C-4f03-B19A-066DFA722254}	{6AD68814-3786-413e-8AEC-91BEA3A9A506}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}\stubpath = "C:\\Windows\\{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe"	{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4D350C6-EC38-4975-8609-E69C9B970B0C}	{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0295EFBA-10AB-4858-8578-BE8F0FF26855}	{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}	{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}\stubpath = "C:\\Windows\\{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe"	{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AD68814-3786-413e-8AEC-91BEA3A9A506}\stubpath = "C:\\Windows\\{6AD68814-3786-413e-8AEC-91BEA3A9A506}.exe"	{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA80A511-4362-40d2-B255-1E837B7FB14C}	{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA80A511-4362-40d2-B255-1E837B7FB14C}\stubpath = "C:\\Windows\\{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe"	{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DA763C2-7A9A-454e-87ED-643BD4131504}\stubpath = "C:\\Windows\\{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe"	{9947C788-D0E8-423e-8A02-411503C3E74C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AD68814-3786-413e-8AEC-91BEA3A9A506}	{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3F64A21-C85C-4f03-B19A-066DFA722254}\stubpath = "C:\\Windows\\{C3F64A21-C85C-4f03-B19A-066DFA722254}.exe"	{6AD68814-3786-413e-8AEC-91BEA3A9A506}.exe

Executes dropped EXE 11 IoCs

pid	Process
1160	{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe
4556	{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe
3708	{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe
980	{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe
4364	{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe
3828	{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe
2232	{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe
2452	{9947C788-D0E8-423e-8A02-411503C3E74C}.exe
4576	{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe
3416	{6AD68814-3786-413e-8AEC-91BEA3A9A506}.exe
4888	{C3F64A21-C85C-4f03-B19A-066DFA722254}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe	{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe
File created	C:\Windows\{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe	{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe
File created	C:\Windows\{9947C788-D0E8-423e-8A02-411503C3E74C}.exe	{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe
File created	C:\Windows\{6AD68814-3786-413e-8AEC-91BEA3A9A506}.exe	{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe
File created	C:\Windows\{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe
File created	C:\Windows\{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe	{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe
File created	C:\Windows\{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe	{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe
File created	C:\Windows\{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe	{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe
File created	C:\Windows\{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe	{9947C788-D0E8-423e-8A02-411503C3E74C}.exe
File created	C:\Windows\{C3F64A21-C85C-4f03-B19A-066DFA722254}.exe	{6AD68814-3786-413e-8AEC-91BEA3A9A506}.exe
File created	C:\Windows\{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe	{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2416	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe
Token: SeIncBasePriorityPrivilege	1160	{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe
Token: SeIncBasePriorityPrivilege	4556	{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe
Token: SeIncBasePriorityPrivilege	3708	{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe
Token: SeIncBasePriorityPrivilege	980	{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe
Token: SeIncBasePriorityPrivilege	4364	{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe
Token: SeIncBasePriorityPrivilege	3828	{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe
Token: SeIncBasePriorityPrivilege	2232	{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe
Token: SeIncBasePriorityPrivilege	2452	{9947C788-D0E8-423e-8A02-411503C3E74C}.exe
Token: SeIncBasePriorityPrivilege	4576	{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe
Token: SeIncBasePriorityPrivilege	3416	{6AD68814-3786-413e-8AEC-91BEA3A9A506}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1160	2416	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe	91
PID 2416 wrote to memory of 1160	2416	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe	91
PID 2416 wrote to memory of 1160	2416	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe	91
PID 2416 wrote to memory of 4268	2416	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe	92
PID 2416 wrote to memory of 4268	2416	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe	92
PID 2416 wrote to memory of 4268	2416	NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe	92
PID 1160 wrote to memory of 4556	1160	{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe	97
PID 1160 wrote to memory of 4556	1160	{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe	97
PID 1160 wrote to memory of 4556	1160	{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe	97
PID 1160 wrote to memory of 3560	1160	{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe	96
PID 1160 wrote to memory of 3560	1160	{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe	96
PID 1160 wrote to memory of 3560	1160	{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe	96
PID 4556 wrote to memory of 3708	4556	{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe	104
PID 4556 wrote to memory of 3708	4556	{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe	104
PID 4556 wrote to memory of 3708	4556	{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe	104
PID 4556 wrote to memory of 1352	4556	{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe	103
PID 4556 wrote to memory of 1352	4556	{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe	103
PID 4556 wrote to memory of 1352	4556	{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe	103
PID 3708 wrote to memory of 980	3708	{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe	113
PID 3708 wrote to memory of 980	3708	{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe	113
PID 3708 wrote to memory of 980	3708	{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe	113
PID 3708 wrote to memory of 3864	3708	{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe	114
PID 3708 wrote to memory of 3864	3708	{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe	114
PID 3708 wrote to memory of 3864	3708	{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe	114
PID 980 wrote to memory of 4364	980	{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe	115
PID 980 wrote to memory of 4364	980	{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe	115
PID 980 wrote to memory of 4364	980	{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe	115
PID 980 wrote to memory of 4372	980	{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe	116
PID 980 wrote to memory of 4372	980	{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe	116
PID 980 wrote to memory of 4372	980	{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe	116
PID 4364 wrote to memory of 3828	4364	{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe	118
PID 4364 wrote to memory of 3828	4364	{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe	118
PID 4364 wrote to memory of 3828	4364	{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe	118
PID 4364 wrote to memory of 1224	4364	{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe	119
PID 4364 wrote to memory of 1224	4364	{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe	119
PID 4364 wrote to memory of 1224	4364	{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe	119
PID 3828 wrote to memory of 2232	3828	{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe	120
PID 3828 wrote to memory of 2232	3828	{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe	120
PID 3828 wrote to memory of 2232	3828	{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe	120
PID 3828 wrote to memory of 4500	3828	{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe	121
PID 3828 wrote to memory of 4500	3828	{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe	121
PID 3828 wrote to memory of 4500	3828	{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe	121
PID 2232 wrote to memory of 2452	2232	{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe	122
PID 2232 wrote to memory of 2452	2232	{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe	122
PID 2232 wrote to memory of 2452	2232	{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe	122
PID 2232 wrote to memory of 4700	2232	{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe	123
PID 2232 wrote to memory of 4700	2232	{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe	123
PID 2232 wrote to memory of 4700	2232	{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe	123
PID 2452 wrote to memory of 4576	2452	{9947C788-D0E8-423e-8A02-411503C3E74C}.exe	124
PID 2452 wrote to memory of 4576	2452	{9947C788-D0E8-423e-8A02-411503C3E74C}.exe	124
PID 2452 wrote to memory of 4576	2452	{9947C788-D0E8-423e-8A02-411503C3E74C}.exe	124
PID 2452 wrote to memory of 1840	2452	{9947C788-D0E8-423e-8A02-411503C3E74C}.exe	125
PID 2452 wrote to memory of 1840	2452	{9947C788-D0E8-423e-8A02-411503C3E74C}.exe	125
PID 2452 wrote to memory of 1840	2452	{9947C788-D0E8-423e-8A02-411503C3E74C}.exe	125
PID 4576 wrote to memory of 3416	4576	{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe	126
PID 4576 wrote to memory of 3416	4576	{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe	126
PID 4576 wrote to memory of 3416	4576	{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe	126
PID 4576 wrote to memory of 4660	4576	{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe	127
PID 4576 wrote to memory of 4660	4576	{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe	127
PID 4576 wrote to memory of 4660	4576	{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe	127
PID 3416 wrote to memory of 4888	3416	{6AD68814-3786-413e-8AEC-91BEA3A9A506}.exe	128
PID 3416 wrote to memory of 4888	3416	{6AD68814-3786-413e-8AEC-91BEA3A9A506}.exe	128
PID 3416 wrote to memory of 4888	3416	{6AD68814-3786-413e-8AEC-91BEA3A9A506}.exe	128
PID 3416 wrote to memory of 3348	3416	{6AD68814-3786-413e-8AEC-91BEA3A9A506}.exe	129

C:\Users\Admin\AppData\Local\Temp\NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2fb3f1456b60c75e642013d2f7b5b6d0.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe
  C:\Windows\{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D55ED~1.EXE > nul
    3⤵
    PID:3560
- - C:\Windows\{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe
    C:\Windows\{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BA80A~1.EXE > nul
      4⤵
      PID:1352
  - - C:\Windows\{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe
      C:\Windows\{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3708
    - - C:\Windows\{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe
        
        C:\Windows\{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:980
      - C:\Windows\{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe
        
        C:\Windows\{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe
        
        C:\Windows\{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe
        
        C:\Windows\{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\{9947C788-D0E8-423e-8A02-411503C3E74C}.exe
        
        C:\Windows\{9947C788-D0E8-423e-8A02-411503C3E74C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe
        
        C:\Windows\{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\{6AD68814-3786-413e-8AEC-91BEA3A9A506}.exe
        
        C:\Windows\{6AD68814-3786-413e-8AEC-91BEA3A9A506}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\{C3F64A21-C85C-4f03-B19A-066DFA722254}.exe
        
        C:\Windows\{C3F64A21-C85C-4f03-B19A-066DFA722254}.exe
        12⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AD68~1.EXE > nul
        12⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DA76~1.EXE > nul
        11⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9947C~1.EXE > nul
        10⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{403BE~1.EXE > nul
        9⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0295E~1.EXE > nul
        8⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4D35~1.EXE > nul
        7⤵
        
        PID:1224
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D280A~1.EXE > nul
        6⤵
        
        PID:4372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{658FA~1.EXE > nul
        5⤵
        
        PID:3864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS2F~1.EXE > nul
  2⤵
  PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe

Filesize
90KB

MD5
50204ed6c41b21904a3bad4d45658332

SHA1
639680339fad2d7db87c369a7fe5aad826ab6b4c

SHA256
5c6a37c82ac9a81de830636c9357427b9f7e14b8b79620e70ac7de8ccb2ae7a9

SHA512
eced5da6ae66e3ef75cffe1051fba5ce3d20d847bf88c860956a79a9f4783fbafe47671d33a4ffdfba9a38430b0303ac322fb6f670ea0de362a95fa1074692d1

Download Submit
C:\Windows\{0295EFBA-10AB-4858-8578-BE8F0FF26855}.exe

Filesize
90KB

MD5
50204ed6c41b21904a3bad4d45658332

SHA1
639680339fad2d7db87c369a7fe5aad826ab6b4c

SHA256
5c6a37c82ac9a81de830636c9357427b9f7e14b8b79620e70ac7de8ccb2ae7a9

SHA512
eced5da6ae66e3ef75cffe1051fba5ce3d20d847bf88c860956a79a9f4783fbafe47671d33a4ffdfba9a38430b0303ac322fb6f670ea0de362a95fa1074692d1

Download Submit
C:\Windows\{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe

Filesize
90KB

MD5
e23c36361f2d09094115b5e0c66f9b6c

SHA1
f656cd66677fbf63c85c47da2d220d3c60c52c43

SHA256
21048856e9f45808887f8aa4bbef7f6c2a13af6f7b87641d5919db8ff7b25a62

SHA512
07b238f05e4e8f00c6947bb8478082d8d6858505f192102cc24dce11186970a83a1f8894672a0d444a3045040a30f2eef26a6691ad76d910299cd535162b417d

Download Submit
C:\Windows\{0DA763C2-7A9A-454e-87ED-643BD4131504}.exe

Filesize
90KB

MD5
e23c36361f2d09094115b5e0c66f9b6c

SHA1
f656cd66677fbf63c85c47da2d220d3c60c52c43

SHA256
21048856e9f45808887f8aa4bbef7f6c2a13af6f7b87641d5919db8ff7b25a62

SHA512
07b238f05e4e8f00c6947bb8478082d8d6858505f192102cc24dce11186970a83a1f8894672a0d444a3045040a30f2eef26a6691ad76d910299cd535162b417d

Download Submit
C:\Windows\{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe

Filesize
90KB

MD5
43023354b00ec5a6223e6591b3da51dc

SHA1
befdeb2a89f203bf9c1b4718af715d2290d5419a

SHA256
67e9e4362b1f95340406fc1135d5c7cc42261535983e4546ff482b6faf4ffb36

SHA512
ad9a8e0640792a73e5b880c05e24ccb7916f01619b15302e68781e55edcf9648e35c52a0dd424f360f71a1fc9241fc629dc5e9dfde336e9d3fccbcfaef3db8f2

Download Submit
C:\Windows\{403BEC24-9374-4b28-AA7D-ECACFA97CDF6}.exe

Filesize
90KB

MD5
43023354b00ec5a6223e6591b3da51dc

SHA1
befdeb2a89f203bf9c1b4718af715d2290d5419a

SHA256
67e9e4362b1f95340406fc1135d5c7cc42261535983e4546ff482b6faf4ffb36

SHA512
ad9a8e0640792a73e5b880c05e24ccb7916f01619b15302e68781e55edcf9648e35c52a0dd424f360f71a1fc9241fc629dc5e9dfde336e9d3fccbcfaef3db8f2

Download Submit
C:\Windows\{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe

Filesize
90KB

MD5
3cab9f0cff6df01ccd7feebbc65f86a5

SHA1
a0ba16e5c7f6167f7e9aea7770eb0eb841219235

SHA256
070dd3dadd717b1c321de51d36f843a5fbc0b6095c37a0e5ffd12d014feabc2c

SHA512
ec3b4a13f516d5aac2830e2c7ef1282cc3fe241884886c47ef44f5f5fcd5f7307baa36c43ddae093317a6f2877bc7685ccd52bf44330983566ebfbb547348a80

Download Submit
C:\Windows\{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe

Filesize
90KB

MD5
3cab9f0cff6df01ccd7feebbc65f86a5

SHA1
a0ba16e5c7f6167f7e9aea7770eb0eb841219235

SHA256
070dd3dadd717b1c321de51d36f843a5fbc0b6095c37a0e5ffd12d014feabc2c

SHA512
ec3b4a13f516d5aac2830e2c7ef1282cc3fe241884886c47ef44f5f5fcd5f7307baa36c43ddae093317a6f2877bc7685ccd52bf44330983566ebfbb547348a80

Download Submit
C:\Windows\{658FA0DB-19CC-4715-AF0F-4A0973F29E5A}.exe

Filesize
90KB

MD5
3cab9f0cff6df01ccd7feebbc65f86a5

SHA1
a0ba16e5c7f6167f7e9aea7770eb0eb841219235

SHA256
070dd3dadd717b1c321de51d36f843a5fbc0b6095c37a0e5ffd12d014feabc2c

SHA512
ec3b4a13f516d5aac2830e2c7ef1282cc3fe241884886c47ef44f5f5fcd5f7307baa36c43ddae093317a6f2877bc7685ccd52bf44330983566ebfbb547348a80

Download Submit
C:\Windows\{6AD68814-3786-413e-8AEC-91BEA3A9A506}.exe

Filesize
90KB

MD5
5c776373f6cb044aac4f1a09e2b71720

SHA1
5e7e8ca80711d72d6f92d17f9496952ed2973e92

SHA256
fa367ba09c7fcb692a0d06e86a033ab6472e53e4b2a947a12f262dd3fbb2e635

SHA512
bf6648b72887bf2ff1d3951818555b79b557ac4a700f2130833619c24f33f4828431809cca5b0101d472f59ef40210c0439f48526bce5497c67846e865516dd0

Download Submit
C:\Windows\{6AD68814-3786-413e-8AEC-91BEA3A9A506}.exe

Filesize
90KB

MD5
5c776373f6cb044aac4f1a09e2b71720

SHA1
5e7e8ca80711d72d6f92d17f9496952ed2973e92

SHA256
fa367ba09c7fcb692a0d06e86a033ab6472e53e4b2a947a12f262dd3fbb2e635

SHA512
bf6648b72887bf2ff1d3951818555b79b557ac4a700f2130833619c24f33f4828431809cca5b0101d472f59ef40210c0439f48526bce5497c67846e865516dd0

Download Submit
C:\Windows\{9947C788-D0E8-423e-8A02-411503C3E74C}.exe

Filesize
90KB

MD5
ab0dc5a2902030703b12a15010861e6d

SHA1
1be51a4e796df7f43f1a1acfe23fd39394c75437

SHA256
cd7944d718c739e3c89e063d1fb9f899f2f9ffda5005abe51bea6f2a22823083

SHA512
e564aa22feede738955d76fc84777194fe6916c1cef920a837dfdc52b38c2d927559e0c957f77c1268914047728326e8791a14e1c4ca8f65a0027d8fc19daa0c

Download Submit
C:\Windows\{9947C788-D0E8-423e-8A02-411503C3E74C}.exe

Filesize
90KB

MD5
ab0dc5a2902030703b12a15010861e6d

SHA1
1be51a4e796df7f43f1a1acfe23fd39394c75437

SHA256
cd7944d718c739e3c89e063d1fb9f899f2f9ffda5005abe51bea6f2a22823083

SHA512
e564aa22feede738955d76fc84777194fe6916c1cef920a837dfdc52b38c2d927559e0c957f77c1268914047728326e8791a14e1c4ca8f65a0027d8fc19daa0c

Download Submit
C:\Windows\{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe

Filesize
90KB

MD5
ad2cc1c16895a8d232e6c8eda6967ac3

SHA1
b6611f3929efe55380cbd0cd46ebdc80294e21b3

SHA256
e68a9b6063e2cabc678bb95c41ec3e573dded9841daba74ca9dfeaab12aa9351

SHA512
0f246c8db21d4a5090607835db2c256a4df23a8e395327fcb4b5b3c66ed91882697c023b0b0e124bc740b7bfb5e118972f5f01f7a6ec835d521d82f9afed77f8

Download Submit
C:\Windows\{BA80A511-4362-40d2-B255-1E837B7FB14C}.exe

Filesize
90KB

MD5
ad2cc1c16895a8d232e6c8eda6967ac3

SHA1
b6611f3929efe55380cbd0cd46ebdc80294e21b3

SHA256
e68a9b6063e2cabc678bb95c41ec3e573dded9841daba74ca9dfeaab12aa9351

SHA512
0f246c8db21d4a5090607835db2c256a4df23a8e395327fcb4b5b3c66ed91882697c023b0b0e124bc740b7bfb5e118972f5f01f7a6ec835d521d82f9afed77f8

Download Submit
C:\Windows\{C3F64A21-C85C-4f03-B19A-066DFA722254}.exe

Filesize
90KB

MD5
748b285fe862a26dc0729536fa1034e8

SHA1
300d414e3c329bd2df17c3f997767e369629627a

SHA256
e9bc0b08c6ba697639e2cba7d0c04d26959413e9cde5cb6e8c5ea7921a52fc40

SHA512
093806534d7845ee70c2a1cd17c28008197a7974823f568e93b985e8ca1dbe0ef9494d33ec7d72dee53fddc23a1c2e8012ac0667efc20d49dba910bf3ae659a3

Download Submit
C:\Windows\{C3F64A21-C85C-4f03-B19A-066DFA722254}.exe

Filesize
90KB

MD5
748b285fe862a26dc0729536fa1034e8

SHA1
300d414e3c329bd2df17c3f997767e369629627a

SHA256
e9bc0b08c6ba697639e2cba7d0c04d26959413e9cde5cb6e8c5ea7921a52fc40

SHA512
093806534d7845ee70c2a1cd17c28008197a7974823f568e93b985e8ca1dbe0ef9494d33ec7d72dee53fddc23a1c2e8012ac0667efc20d49dba910bf3ae659a3

Download Submit
C:\Windows\{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe

Filesize
90KB

MD5
98d178b8aa1f9a4cca576998111d3105

SHA1
080964bfc494cb8df88f6c0fe29810df4756980f

SHA256
9676c0d25754ef45b1d225d5feb1cd8c90e05d21ec6ae17b8097da26593cdbc9

SHA512
5e6182ffcbb2144e9bb591787fb517883343b9e127f8a6e7d9c62f22c14e1bc965956ba75bb5f373cc00eafd0d4336df6fb1af2f8af27c14c909d29eaa0009f7

Download Submit
C:\Windows\{D280A9EE-50F0-41ca-A6B4-38A729D31C0C}.exe

Filesize
90KB

MD5
98d178b8aa1f9a4cca576998111d3105

SHA1
080964bfc494cb8df88f6c0fe29810df4756980f

SHA256
9676c0d25754ef45b1d225d5feb1cd8c90e05d21ec6ae17b8097da26593cdbc9

SHA512
5e6182ffcbb2144e9bb591787fb517883343b9e127f8a6e7d9c62f22c14e1bc965956ba75bb5f373cc00eafd0d4336df6fb1af2f8af27c14c909d29eaa0009f7

Download Submit
C:\Windows\{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe

Filesize
90KB

MD5
4ac94d4bd981b3e525c23d4d6e098dd9

SHA1
4cd5f6e042effbbbc2adc7a11fc85158587f25df

SHA256
7426da4b23d4b97a2981abeb77302678ca9de3e90a645ff4c538ebe8f783d625

SHA512
c4f430f32afb6e772c4e4fef2dab0d908b7a436465dd0fd7978fc3a4e0264b0a666b70f14c0dad9541e4cc41f6397058c4f7172c58202cac78f3ab0b0a0a1142

Download Submit
C:\Windows\{D4D350C6-EC38-4975-8609-E69C9B970B0C}.exe

Filesize
90KB

MD5
4ac94d4bd981b3e525c23d4d6e098dd9

SHA1
4cd5f6e042effbbbc2adc7a11fc85158587f25df

SHA256
7426da4b23d4b97a2981abeb77302678ca9de3e90a645ff4c538ebe8f783d625

SHA512
c4f430f32afb6e772c4e4fef2dab0d908b7a436465dd0fd7978fc3a4e0264b0a666b70f14c0dad9541e4cc41f6397058c4f7172c58202cac78f3ab0b0a0a1142

Download Submit
C:\Windows\{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe

Filesize
90KB

MD5
512c96bd3cf0c497714e5255b60e1746

SHA1
17c9c32fbade56fa2d9124c35b727f47d1b20421

SHA256
b89fe2fe1c18de068342441f6fcb5620abaf5f9fc4f85d3446caadaa0276da2c

SHA512
6bc8beb2b5032633b139916175ed5d7780d0e5682dc56977f0bdea656990399c11696d16fb4044dcf414477f0e2bf400470badf445b4dfc9c656b8320ffa928c

Download Submit
C:\Windows\{D55EDBD5-0E92-45f4-AAF8-8584139FDB1B}.exe

Filesize
90KB

MD5
512c96bd3cf0c497714e5255b60e1746

SHA1
17c9c32fbade56fa2d9124c35b727f47d1b20421

SHA256
b89fe2fe1c18de068342441f6fcb5620abaf5f9fc4f85d3446caadaa0276da2c

SHA512
6bc8beb2b5032633b139916175ed5d7780d0e5682dc56977f0bdea656990399c11696d16fb4044dcf414477f0e2bf400470badf445b4dfc9c656b8320ffa928c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads