2bfba6a619d5ca1c6bca282228a5882d08d00cac0db353c5a5a82ea20aa74e15

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6433beaf713419a651ae44f642943c2b.exe
Size

118KB
MD5

6433beaf713419a651ae44f642943c2b
SHA1

11c7b14fb2f40713d7e41adbdc363a8399182bf0
SHA256

2bfba6a619d5ca1c6bca282228a5882d08d00cac0db353c5a5a82ea20aa74e15
SHA512

6057e3149844073dbdffca43ec1e7417b239c73958ae7bfd7cfc1c65f179083b7cc721635ea9d36156fa56a8dd89d4dd03b98d9ea408ea0fca2534f17d991411
SSDEEP

1536:nEGh0oal2unMxVS3HgdoKjhLJh731xvsr:nEGh0oalvMUyNjhLJh731xvsr

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA3CE462-A96C-4c87-A4E6-9079A3960D86}	{252A0D1F-B296-4e44-BFDE-9B6EA3826075}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}	6433beaf713419a651ae44f642943c2b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA2E723D-251E-434d-982A-3BCC4F33BA15}	{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}	{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7A86E6C-C62D-4758-8C4C-FE1D8A11EE56}\stubpath = "C:\\Windows\\{F7A86E6C-C62D-4758-8C4C-FE1D8A11EE56}.exe"	{EA3CE462-A96C-4c87-A4E6-9079A3960D86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}\stubpath = "C:\\Windows\\{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe"	6433beaf713419a651ae44f642943c2b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C02FB0B-81DA-4db6-AC6C-E2464F288626}	{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C02FB0B-81DA-4db6-AC6C-E2464F288626}\stubpath = "C:\\Windows\\{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe"	{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}\stubpath = "C:\\Windows\\{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe"	{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}\stubpath = "C:\\Windows\\{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe"	{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CB5C6A5-B326-4da0-ACDC-76E6C7ADBD02}	{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CB5C6A5-B326-4da0-ACDC-76E6C7ADBD02}\stubpath = "C:\\Windows\\{9CB5C6A5-B326-4da0-ACDC-76E6C7ADBD02}.exe"	{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{252A0D1F-B296-4e44-BFDE-9B6EA3826075}	{9CB5C6A5-B326-4da0-ACDC-76E6C7ADBD02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{252A0D1F-B296-4e44-BFDE-9B6EA3826075}\stubpath = "C:\\Windows\\{252A0D1F-B296-4e44-BFDE-9B6EA3826075}.exe"	{9CB5C6A5-B326-4da0-ACDC-76E6C7ADBD02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7A86E6C-C62D-4758-8C4C-FE1D8A11EE56}	{EA3CE462-A96C-4c87-A4E6-9079A3960D86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA2E723D-251E-434d-982A-3BCC4F33BA15}\stubpath = "C:\\Windows\\{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe"	{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}	{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E273EBCD-B6D5-46fa-97E7-1957864AA188}	{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E273EBCD-B6D5-46fa-97E7-1957864AA188}\stubpath = "C:\\Windows\\{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe"	{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}	{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}\stubpath = "C:\\Windows\\{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe"	{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA3CE462-A96C-4c87-A4E6-9079A3960D86}\stubpath = "C:\\Windows\\{EA3CE462-A96C-4c87-A4E6-9079A3960D86}.exe"	{252A0D1F-B296-4e44-BFDE-9B6EA3826075}.exe

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2664	{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe
2704	{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe
3032	{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe
2508	{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe
548	{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe
2780	{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe
800	{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe
1524	{9CB5C6A5-B326-4da0-ACDC-76E6C7ADBD02}.exe
1672	{252A0D1F-B296-4e44-BFDE-9B6EA3826075}.exe
1364	{EA3CE462-A96C-4c87-A4E6-9079A3960D86}.exe
2436	{F7A86E6C-C62D-4758-8C4C-FE1D8A11EE56}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe	{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe
File created	C:\Windows\{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe	{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe
File created	C:\Windows\{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe	6433beaf713419a651ae44f642943c2b.exe
File created	C:\Windows\{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe	{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe
File created	C:\Windows\{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe	{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe
File created	C:\Windows\{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe	{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe
File created	C:\Windows\{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe	{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe
File created	C:\Windows\{9CB5C6A5-B326-4da0-ACDC-76E6C7ADBD02}.exe	{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe
File created	C:\Windows\{252A0D1F-B296-4e44-BFDE-9B6EA3826075}.exe	{9CB5C6A5-B326-4da0-ACDC-76E6C7ADBD02}.exe
File created	C:\Windows\{EA3CE462-A96C-4c87-A4E6-9079A3960D86}.exe	{252A0D1F-B296-4e44-BFDE-9B6EA3826075}.exe
File created	C:\Windows\{F7A86E6C-C62D-4758-8C4C-FE1D8A11EE56}.exe	{EA3CE462-A96C-4c87-A4E6-9079A3960D86}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2028	6433beaf713419a651ae44f642943c2b.exe
Token: SeIncBasePriorityPrivilege	2664	{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe
Token: SeIncBasePriorityPrivilege	2704	{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe
Token: SeIncBasePriorityPrivilege	3032	{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe
Token: SeIncBasePriorityPrivilege	2508	{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe
Token: SeIncBasePriorityPrivilege	548	{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe
Token: SeIncBasePriorityPrivilege	2780	{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe
Token: SeIncBasePriorityPrivilege	800	{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe
Token: SeIncBasePriorityPrivilege	1524	{9CB5C6A5-B326-4da0-ACDC-76E6C7ADBD02}.exe
Token: SeIncBasePriorityPrivilege	1672	{252A0D1F-B296-4e44-BFDE-9B6EA3826075}.exe
Token: SeIncBasePriorityPrivilege	1364	{EA3CE462-A96C-4c87-A4E6-9079A3960D86}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2664	2028	6433beaf713419a651ae44f642943c2b.exe	28
PID 2028 wrote to memory of 2664	2028	6433beaf713419a651ae44f642943c2b.exe	28
PID 2028 wrote to memory of 2664	2028	6433beaf713419a651ae44f642943c2b.exe	28
PID 2028 wrote to memory of 2664	2028	6433beaf713419a651ae44f642943c2b.exe	28
PID 2028 wrote to memory of 2768	2028	6433beaf713419a651ae44f642943c2b.exe	29
PID 2028 wrote to memory of 2768	2028	6433beaf713419a651ae44f642943c2b.exe	29
PID 2028 wrote to memory of 2768	2028	6433beaf713419a651ae44f642943c2b.exe	29
PID 2028 wrote to memory of 2768	2028	6433beaf713419a651ae44f642943c2b.exe	29
PID 2664 wrote to memory of 2704	2664	{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe	30
PID 2664 wrote to memory of 2704	2664	{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe	30
PID 2664 wrote to memory of 2704	2664	{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe	30
PID 2664 wrote to memory of 2704	2664	{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe	30
PID 2664 wrote to memory of 2740	2664	{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe	31
PID 2664 wrote to memory of 2740	2664	{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe	31
PID 2664 wrote to memory of 2740	2664	{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe	31
PID 2664 wrote to memory of 2740	2664	{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe	31
PID 2704 wrote to memory of 3032	2704	{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe	34
PID 2704 wrote to memory of 3032	2704	{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe	34
PID 2704 wrote to memory of 3032	2704	{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe	34
PID 2704 wrote to memory of 3032	2704	{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe	34
PID 2704 wrote to memory of 1532	2704	{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe	35
PID 2704 wrote to memory of 1532	2704	{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe	35
PID 2704 wrote to memory of 1532	2704	{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe	35
PID 2704 wrote to memory of 1532	2704	{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe	35
PID 3032 wrote to memory of 2508	3032	{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe	36
PID 3032 wrote to memory of 2508	3032	{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe	36
PID 3032 wrote to memory of 2508	3032	{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe	36
PID 3032 wrote to memory of 2508	3032	{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe	36
PID 3032 wrote to memory of 1920	3032	{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe	37
PID 3032 wrote to memory of 1920	3032	{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe	37
PID 3032 wrote to memory of 1920	3032	{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe	37
PID 3032 wrote to memory of 1920	3032	{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe	37
PID 2508 wrote to memory of 548	2508	{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe	38
PID 2508 wrote to memory of 548	2508	{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe	38
PID 2508 wrote to memory of 548	2508	{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe	38
PID 2508 wrote to memory of 548	2508	{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe	38
PID 2508 wrote to memory of 2860	2508	{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe	39
PID 2508 wrote to memory of 2860	2508	{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe	39
PID 2508 wrote to memory of 2860	2508	{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe	39
PID 2508 wrote to memory of 2860	2508	{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe	39
PID 548 wrote to memory of 2780	548	{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe	40
PID 548 wrote to memory of 2780	548	{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe	40
PID 548 wrote to memory of 2780	548	{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe	40
PID 548 wrote to memory of 2780	548	{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe	40
PID 548 wrote to memory of 2984	548	{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe	41
PID 548 wrote to memory of 2984	548	{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe	41
PID 548 wrote to memory of 2984	548	{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe	41
PID 548 wrote to memory of 2984	548	{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe	41
PID 2780 wrote to memory of 800	2780	{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe	42
PID 2780 wrote to memory of 800	2780	{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe	42
PID 2780 wrote to memory of 800	2780	{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe	42
PID 2780 wrote to memory of 800	2780	{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe	42
PID 2780 wrote to memory of 1936	2780	{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe	43
PID 2780 wrote to memory of 1936	2780	{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe	43
PID 2780 wrote to memory of 1936	2780	{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe	43
PID 2780 wrote to memory of 1936	2780	{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe	43
PID 800 wrote to memory of 1524	800	{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe	44
PID 800 wrote to memory of 1524	800	{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe	44
PID 800 wrote to memory of 1524	800	{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe	44
PID 800 wrote to memory of 1524	800	{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe	44
PID 800 wrote to memory of 1656	800	{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe	45
PID 800 wrote to memory of 1656	800	{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe	45
PID 800 wrote to memory of 1656	800	{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe	45
PID 800 wrote to memory of 1656	800	{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe	45

C:\Users\Admin\AppData\Local\Temp\6433beaf713419a651ae44f642943c2b.exe
"C:\Users\Admin\AppData\Local\Temp\6433beaf713419a651ae44f642943c2b.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe
  C:\Windows\{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe
    C:\Windows\{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe
      C:\Windows\{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe
        
        C:\Windows\{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe
        
        C:\Windows\{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe
        
        C:\Windows\{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe
        
        C:\Windows\{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\{9CB5C6A5-B326-4da0-ACDC-76E6C7ADBD02}.exe
        
        C:\Windows\{9CB5C6A5-B326-4da0-ACDC-76E6C7ADBD02}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\{252A0D1F-B296-4e44-BFDE-9B6EA3826075}.exe
        
        C:\Windows\{252A0D1F-B296-4e44-BFDE-9B6EA3826075}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\{EA3CE462-A96C-4c87-A4E6-9079A3960D86}.exe
        
        C:\Windows\{EA3CE462-A96C-4c87-A4E6-9079A3960D86}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\{F7A86E6C-C62D-4758-8C4C-FE1D8A11EE56}.exe
        
        C:\Windows\{F7A86E6C-C62D-4758-8C4C-FE1D8A11EE56}.exe
        12⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA3CE~1.EXE > nul
        12⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{252A0~1.EXE > nul
        11⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CB5C~1.EXE > nul
        10⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46CC7~1.EXE > nul
        9⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41F68~1.EXE > nul
        8⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E273E~1.EXE > nul
        7⤵
        
        PID:2984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC487~1.EXE > nul
        6⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C02F~1.EXE > nul
        5⤵
        
        PID:1920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AA2E7~1.EXE > nul
      4⤵
      PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4CF76~1.EXE > nul
    3⤵
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6433BE~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{252A0D1F-B296-4e44-BFDE-9B6EA3826075}.exe

Filesize
118KB

MD5
9c3aae4cdea34e437dd0c880d6ace034

SHA1
2d85c2798d3df86b9c251530bc25c3c212cee0d7

SHA256
03220fe95c0a4df36fa8f48774d4887cf457978e43b930122df73b33e6d3003d

SHA512
ac394738ecbd815977d3f95a576078d5a5ceb6e38862a314561f74677ae7ae7b9e19e5f1de9e9cae7f826f5aca070f133f8d7ed77c5843b57b26d8403c2b90f6

Download Submit
C:\Windows\{41F6820D-D84F-4089-A4A8-ECDA46FCCD44}.exe

Filesize
118KB

MD5
0d20cd2e5a0ea00e3a0bf57e39cde439

SHA1
e792c783db2964f06e8e6b53167e76fff855efd2

SHA256
66c4e7344a4ff2c97b60167ad4ad78394858eef21569cae6fb8b73c8f305b39b

SHA512
66b23b278071fe36294cbb9a3bc9c12ebc00031b8669e9ef330644dceaeb83885505833f099023468740d96fc64835ff7678dd3396ac679d620232065e58bcb7

Download Submit
C:\Windows\{46CC7B01-CC8D-4198-AAB7-DEBAC3731FBB}.exe

Filesize
118KB

MD5
3f6d2b7e3dcb11d6c72075bd134a3e19

SHA1
0cd3d94a8dc723deeeb4b83f678dcac773d00ed9

SHA256
ae958a225e906087b2a86a21d8c93fe5ff74d360a830b1593b22783dc275d104

SHA512
22d8d55e2c575e61540ee58c8b410f8b41ab98b5860edd38a719c9559c7875734ec2937fe270f72f81acc75fe6738967df5b73c8c5798c97adc6fe3da75628df

Download Submit
C:\Windows\{4C02FB0B-81DA-4db6-AC6C-E2464F288626}.exe

Filesize
118KB

MD5
7bf5d89d91a970e598a20a0696af1ba2

SHA1
5bc7e90e25a2be29053725b20c413eea25a056ff

SHA256
ea18d0e1ba18a814c7f4fcbf8bdfae0a916f1e35b9a5e1cbcd88b16bd2f55841

SHA512
5f134c2795bc159e86c3e0bea70b022a4a40850831c4636a2a54cfae0f6bf8945a91cc58548f38c850ec34188453270785745655ac8f6a69847b125aa71d6f8d

Download Submit
C:\Windows\{4CF765C7-98AC-42e4-BD1C-BCFB56E8F8D0}.exe

Filesize
118KB

MD5
acf87911e852ac67cdc912e907d9117e

SHA1
c7c41421238d6dc1eb0331628d03c1e636ea9d6b

SHA256
a329a54892ef4b9902ba28a2a765c74683149e9d57c98b89b6a87eaf52fb4652

SHA512
add872cb0eb85560b0a4f1cc385a272168a538f78f82f4418584eeca6c2d24c7a3ec41cc337a5231a9dfccb73c9f830fc81fe81ecbe2609ef48b5f65f31f6b03

Download Submit
C:\Windows\{9CB5C6A5-B326-4da0-ACDC-76E6C7ADBD02}.exe

Filesize
118KB

MD5
f502d4dbad9f2d9124133b65026d6def

SHA1
4a1bcafb1f4709811b7fa83e8d3493eb90ab18f3

SHA256
8bbaa4b489ba9f2a7d301ae72bc8411a46d562b88be15b3535075133947f4547

SHA512
620571e5da06631abd0f2574c0a939121674dfd712ff3d36087a8647f1dd112ec62264449e90b547c24152fc1eb4ace3cc75c2f5c3fd691411107c57af532a1d

Download Submit
C:\Windows\{AA2E723D-251E-434d-982A-3BCC4F33BA15}.exe

Filesize
118KB

MD5
b369f549baf62a8385c26884e66a5d61

SHA1
0cc7de6dcbcb64a3bf70ee3a822ac9afaac7c506

SHA256
c2ff7f16f8693e534413b1889f5dad3a3df262999fd78dbd2be70fba9f89a473

SHA512
588349a6b14b28bda4f754c8a7015ce6e8c5dfd7b1b6be515c84ddc8c1773a775c884276591fbb94951507ac3d671585e7c8d83f89fe9bba68132978363faa0a

Download Submit
C:\Windows\{DC4874DB-CA0E-46b1-8FF4-3EEF47776C50}.exe

Filesize
118KB

MD5
c5a88c018820dd3be0b813758c7fc0b3

SHA1
ed9e7c1a9998a14ca3367f911ae1df7e33df74bd

SHA256
ad2cdc799f25c6b44c703967d25441c55662e21d872b253d56d70916a14044c4

SHA512
32a693f1bd8bb0ec8a5d868d0ee918283493e9781d6c015f9cab68039f278be0610837aee67f7cdd0af2ac3a86cb7e7266dc78aebdc3cc4a13f6eb80cde1b837

Download Submit
C:\Windows\{E273EBCD-B6D5-46fa-97E7-1957864AA188}.exe

Filesize
118KB

MD5
276876b42132f26d8b11314cb3a66730

SHA1
c8f2b95a665e446b92797eec26d3fec548f0cbce

SHA256
9fba10027ab992bf585b1a930e370c113a7ad5478f6cd9b96188d6e594d97191

SHA512
6dffdd6ae999ac5b06f0a578ca8423e5d7bc8fcd0b1c47562e3ff8d8225050e0c412a4506769a4154955579e64da61a65e1722def80e2ed5511ba1a585de637e

Download Submit
C:\Windows\{EA3CE462-A96C-4c87-A4E6-9079A3960D86}.exe

Filesize
118KB

MD5
648a394194884307f09a1079176b2acd

SHA1
4fcc83598306bc834856a836afa600fb99d29f54

SHA256
896b1bced6db050df8b0e2c73f5d9b5aedb1ce931502b8d6f81420b61833dc6b

SHA512
84b64aa99787dd8635f18e317562a5974040c8b9d3bad3e77eb30c5646ac8acd1806fd17042bb3efa5c849b41ae4d6a774426012f3c8ef3469f8cdabca4322f6

Download Submit
C:\Windows\{F7A86E6C-C62D-4758-8C4C-FE1D8A11EE56}.exe

Filesize
118KB

MD5
350b30162c161e763599ea99ca42a91c

SHA1
a666e376e53ffdc918256026611d7595ca59cb7d

SHA256
a955c39cf95aaf88423bea3c70b161cc114702b1ad01f1a28574b1fa08c55ff4

SHA512
e42587ce9d4ed0c32e1c0bca4ff7adb43e08cd85e53a13d5b4e6071ced0e902e87f37908474d4eb085910588661109e10f60b2f1ef38546f95dbedfcdb1ce73e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads