ea356661afb783886dbbafaebc946de408bba1e37fade1377620395ff8c58bae

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce7c8807d103d8658927e1c64be9d41f.exe
Size

180KB
MD5

ce7c8807d103d8658927e1c64be9d41f
SHA1

9be0433277bc2d7ca510ce31f3b94f47eb91e162
SHA256

ea356661afb783886dbbafaebc946de408bba1e37fade1377620395ff8c58bae
SHA512

94ae165fc095f47946f64b57b4aecfd725f1d03d9cddea93893d62fef5b625807d93636022e5dd273e0e12240308692a208c4621fe99f43c1b7fc92f2cfec058
SSDEEP

3072:jEGh0o8lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGCl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}	{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CA77799-E606-43be-8DF4-DA583DAB59C3}	{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D35A5865-5DF3-459b-8288-B76FE8290918}\stubpath = "C:\\Windows\\{D35A5865-5DF3-459b-8288-B76FE8290918}.exe"	{499E582A-B4F8-4722-B46F-D4EA9F3C9762}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE749B11-883E-4abc-9317-85AB8E276571}\stubpath = "C:\\Windows\\{DE749B11-883E-4abc-9317-85AB8E276571}.exe"	ce7c8807d103d8658927e1c64be9d41f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1561F98E-A680-4a46-9807-2D3A9F772C61}	{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}\stubpath = "C:\\Windows\\{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe"	{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}	{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}	{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}\stubpath = "C:\\Windows\\{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe"	{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{499E582A-B4F8-4722-B46F-D4EA9F3C9762}	{0CA77799-E606-43be-8DF4-DA583DAB59C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{499E582A-B4F8-4722-B46F-D4EA9F3C9762}\stubpath = "C:\\Windows\\{499E582A-B4F8-4722-B46F-D4EA9F3C9762}.exe"	{0CA77799-E606-43be-8DF4-DA583DAB59C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3D5087A-758D-4a26-9315-8F038AF77DAD}\stubpath = "C:\\Windows\\{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe"	{DE749B11-883E-4abc-9317-85AB8E276571}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADA17179-06E9-49b4-98AB-C1447D356FAE}	{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1561F98E-A680-4a46-9807-2D3A9F772C61}\stubpath = "C:\\Windows\\{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe"	{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADA17179-06E9-49b4-98AB-C1447D356FAE}\stubpath = "C:\\Windows\\{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe"	{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}\stubpath = "C:\\Windows\\{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe"	{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CA77799-E606-43be-8DF4-DA583DAB59C3}\stubpath = "C:\\Windows\\{0CA77799-E606-43be-8DF4-DA583DAB59C3}.exe"	{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D35A5865-5DF3-459b-8288-B76FE8290918}	{499E582A-B4F8-4722-B46F-D4EA9F3C9762}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4094955D-7B4F-45a9-83C6-8D0252043E9D}	{D35A5865-5DF3-459b-8288-B76FE8290918}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE749B11-883E-4abc-9317-85AB8E276571}	ce7c8807d103d8658927e1c64be9d41f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3D5087A-758D-4a26-9315-8F038AF77DAD}	{DE749B11-883E-4abc-9317-85AB8E276571}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4094955D-7B4F-45a9-83C6-8D0252043E9D}\stubpath = "C:\\Windows\\{4094955D-7B4F-45a9-83C6-8D0252043E9D}.exe"	{D35A5865-5DF3-459b-8288-B76FE8290918}.exe

Deletes itself 1 IoCs

pid	Process
1156	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2000	{DE749B11-883E-4abc-9317-85AB8E276571}.exe
2624	{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe
2660	{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe
2180	{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe
940	{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe
2532	{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe
2716	{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe
1784	{0CA77799-E606-43be-8DF4-DA583DAB59C3}.exe
2052	{499E582A-B4F8-4722-B46F-D4EA9F3C9762}.exe
268	{D35A5865-5DF3-459b-8288-B76FE8290918}.exe
844	{4094955D-7B4F-45a9-83C6-8D0252043E9D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe	{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe
File created	C:\Windows\{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe	{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe
File created	C:\Windows\{0CA77799-E606-43be-8DF4-DA583DAB59C3}.exe	{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe
File created	C:\Windows\{4094955D-7B4F-45a9-83C6-8D0252043E9D}.exe	{D35A5865-5DF3-459b-8288-B76FE8290918}.exe
File created	C:\Windows\{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe	{DE749B11-883E-4abc-9317-85AB8E276571}.exe
File created	C:\Windows\{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe	{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe
File created	C:\Windows\{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe	{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe
File created	C:\Windows\{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe	{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe
File created	C:\Windows\{499E582A-B4F8-4722-B46F-D4EA9F3C9762}.exe	{0CA77799-E606-43be-8DF4-DA583DAB59C3}.exe
File created	C:\Windows\{D35A5865-5DF3-459b-8288-B76FE8290918}.exe	{499E582A-B4F8-4722-B46F-D4EA9F3C9762}.exe
File created	C:\Windows\{DE749B11-883E-4abc-9317-85AB8E276571}.exe	ce7c8807d103d8658927e1c64be9d41f.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2220	ce7c8807d103d8658927e1c64be9d41f.exe
Token: SeIncBasePriorityPrivilege	2000	{DE749B11-883E-4abc-9317-85AB8E276571}.exe
Token: SeIncBasePriorityPrivilege	2624	{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe
Token: SeIncBasePriorityPrivilege	2660	{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe
Token: SeIncBasePriorityPrivilege	2180	{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe
Token: SeIncBasePriorityPrivilege	940	{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe
Token: SeIncBasePriorityPrivilege	2532	{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe
Token: SeIncBasePriorityPrivilege	2716	{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe
Token: SeIncBasePriorityPrivilege	1784	{0CA77799-E606-43be-8DF4-DA583DAB59C3}.exe
Token: SeIncBasePriorityPrivilege	2052	{499E582A-B4F8-4722-B46F-D4EA9F3C9762}.exe
Token: SeIncBasePriorityPrivilege	268	{D35A5865-5DF3-459b-8288-B76FE8290918}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2000	2220	ce7c8807d103d8658927e1c64be9d41f.exe	28
PID 2220 wrote to memory of 2000	2220	ce7c8807d103d8658927e1c64be9d41f.exe	28
PID 2220 wrote to memory of 2000	2220	ce7c8807d103d8658927e1c64be9d41f.exe	28
PID 2220 wrote to memory of 2000	2220	ce7c8807d103d8658927e1c64be9d41f.exe	28
PID 2220 wrote to memory of 1156	2220	ce7c8807d103d8658927e1c64be9d41f.exe	29
PID 2220 wrote to memory of 1156	2220	ce7c8807d103d8658927e1c64be9d41f.exe	29
PID 2220 wrote to memory of 1156	2220	ce7c8807d103d8658927e1c64be9d41f.exe	29
PID 2220 wrote to memory of 1156	2220	ce7c8807d103d8658927e1c64be9d41f.exe	29
PID 2000 wrote to memory of 2624	2000	{DE749B11-883E-4abc-9317-85AB8E276571}.exe	30
PID 2000 wrote to memory of 2624	2000	{DE749B11-883E-4abc-9317-85AB8E276571}.exe	30
PID 2000 wrote to memory of 2624	2000	{DE749B11-883E-4abc-9317-85AB8E276571}.exe	30
PID 2000 wrote to memory of 2624	2000	{DE749B11-883E-4abc-9317-85AB8E276571}.exe	30
PID 2000 wrote to memory of 2480	2000	{DE749B11-883E-4abc-9317-85AB8E276571}.exe	31
PID 2000 wrote to memory of 2480	2000	{DE749B11-883E-4abc-9317-85AB8E276571}.exe	31
PID 2000 wrote to memory of 2480	2000	{DE749B11-883E-4abc-9317-85AB8E276571}.exe	31
PID 2000 wrote to memory of 2480	2000	{DE749B11-883E-4abc-9317-85AB8E276571}.exe	31
PID 2624 wrote to memory of 2660	2624	{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe	32
PID 2624 wrote to memory of 2660	2624	{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe	32
PID 2624 wrote to memory of 2660	2624	{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe	32
PID 2624 wrote to memory of 2660	2624	{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe	32
PID 2624 wrote to memory of 2404	2624	{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe	33
PID 2624 wrote to memory of 2404	2624	{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe	33
PID 2624 wrote to memory of 2404	2624	{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe	33
PID 2624 wrote to memory of 2404	2624	{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe	33
PID 2660 wrote to memory of 2180	2660	{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe	37
PID 2660 wrote to memory of 2180	2660	{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe	37
PID 2660 wrote to memory of 2180	2660	{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe	37
PID 2660 wrote to memory of 2180	2660	{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe	37
PID 2660 wrote to memory of 2364	2660	{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe	36
PID 2660 wrote to memory of 2364	2660	{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe	36
PID 2660 wrote to memory of 2364	2660	{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe	36
PID 2660 wrote to memory of 2364	2660	{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe	36
PID 2180 wrote to memory of 940	2180	{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe	39
PID 2180 wrote to memory of 940	2180	{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe	39
PID 2180 wrote to memory of 940	2180	{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe	39
PID 2180 wrote to memory of 940	2180	{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe	39
PID 2180 wrote to memory of 1124	2180	{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe	38
PID 2180 wrote to memory of 1124	2180	{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe	38
PID 2180 wrote to memory of 1124	2180	{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe	38
PID 2180 wrote to memory of 1124	2180	{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe	38
PID 940 wrote to memory of 2532	940	{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe	41
PID 940 wrote to memory of 2532	940	{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe	41
PID 940 wrote to memory of 2532	940	{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe	41
PID 940 wrote to memory of 2532	940	{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe	41
PID 940 wrote to memory of 1668	940	{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe	40
PID 940 wrote to memory of 1668	940	{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe	40
PID 940 wrote to memory of 1668	940	{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe	40
PID 940 wrote to memory of 1668	940	{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe	40
PID 2532 wrote to memory of 2716	2532	{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe	42
PID 2532 wrote to memory of 2716	2532	{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe	42
PID 2532 wrote to memory of 2716	2532	{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe	42
PID 2532 wrote to memory of 2716	2532	{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe	42
PID 2532 wrote to memory of 2820	2532	{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe	43
PID 2532 wrote to memory of 2820	2532	{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe	43
PID 2532 wrote to memory of 2820	2532	{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe	43
PID 2532 wrote to memory of 2820	2532	{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe	43
PID 2716 wrote to memory of 1784	2716	{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe	44
PID 2716 wrote to memory of 1784	2716	{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe	44
PID 2716 wrote to memory of 1784	2716	{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe	44
PID 2716 wrote to memory of 1784	2716	{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe	44
PID 2716 wrote to memory of 2796	2716	{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe	45
PID 2716 wrote to memory of 2796	2716	{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe	45
PID 2716 wrote to memory of 2796	2716	{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe	45
PID 2716 wrote to memory of 2796	2716	{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe	45

C:\Users\Admin\AppData\Local\Temp\ce7c8807d103d8658927e1c64be9d41f.exe
"C:\Users\Admin\AppData\Local\Temp\ce7c8807d103d8658927e1c64be9d41f.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\{DE749B11-883E-4abc-9317-85AB8E276571}.exe
  C:\Windows\{DE749B11-883E-4abc-9317-85AB8E276571}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe
    C:\Windows\{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe
      C:\Windows\{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1561F~1.EXE > nul
        5⤵
        
        PID:2364
    - - C:\Windows\{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe
        
        C:\Windows\{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADA17~1.EXE > nul
        6⤵
        
        PID:1124
      - C:\Windows\{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe
        
        C:\Windows\{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8175~1.EXE > nul
        7⤵
        
        PID:1668
        
        C:\Windows\{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe
        
        C:\Windows\{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe
        
        C:\Windows\{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{0CA77799-E606-43be-8DF4-DA583DAB59C3}.exe
        
        C:\Windows\{0CA77799-E606-43be-8DF4-DA583DAB59C3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\{499E582A-B4F8-4722-B46F-D4EA9F3C9762}.exe
        
        C:\Windows\{499E582A-B4F8-4722-B46F-D4EA9F3C9762}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{499E5~1.EXE > nul
        11⤵
        
        PID:1248
        
        C:\Windows\{D35A5865-5DF3-459b-8288-B76FE8290918}.exe
        
        C:\Windows\{D35A5865-5DF3-459b-8288-B76FE8290918}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\{4094955D-7B4F-45a9-83C6-8D0252043E9D}.exe
        
        C:\Windows\{4094955D-7B4F-45a9-83C6-8D0252043E9D}.exe
        12⤵
        Executes dropped EXE
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D35A5~1.EXE > nul
        12⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CA77~1.EXE > nul
        10⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B44CC~1.EXE > nul
        9⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0BBC~1.EXE > nul
        8⤵
        
        PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3D50~1.EXE > nul
      4⤵
      PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DE749~1.EXE > nul
    3⤵
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CE7C88~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CA77799-E606-43be-8DF4-DA583DAB59C3}.exe

Filesize
180KB

MD5
5db6881bfb7a616394d1cbc1c3876f7b

SHA1
2d43226f496c54f34ddc1c80975ae8b4c8de19ae

SHA256
7829ff95a3ca9166ef8c34ea1a99b0d521b27a16f6096a481fcc584b9b66c82b

SHA512
e6548b95dc2fe5d3266ba07f250dfc0756ce07499c7cb6b2d623daae6b0064d5a4a486f40a93d5cdda70315383717da632fb2b0f0e9bcdf835cc527452677d33

Download Submit
C:\Windows\{1561F98E-A680-4a46-9807-2D3A9F772C61}.exe

Filesize
180KB

MD5
87dd7075a61afc5de3f7745c053b661d

SHA1
d2ec85a6d3869fbb03fa04f6aa686934b20139d3

SHA256
a13c1d0df5aa8a6f60df6b2e77051f5331ba771f26bc2ea2219b949a8ab8b38b

SHA512
d0cc60856bf076f33a363ed625ea6915454e3f76700e203b2166a91d51d13800193e8bce7860ab7d64f26b7038dd954eeac6fdbf4c8a2b4b529f1d6eb42f1a2d

Download Submit
C:\Windows\{4094955D-7B4F-45a9-83C6-8D0252043E9D}.exe

Filesize
180KB

MD5
b6adc997d2668141fe0d19f0e114b7d3

SHA1
13f18ae6e517d92b0393604017d72229fa2ab1cc

SHA256
2dcd4d3c40ecf4245ec9fcf3caa62bdc00c8dc29fe5f483bd5a65cb1338b3ba3

SHA512
22a4c702f761f9e55ccc50e0145d5d58cdc1c8d3dff5cbd0be76d69ae38b2a109bcf29097f2c099c33709e00da06883387232576f14c80025db0623ef0a566a3

Download Submit
C:\Windows\{499E582A-B4F8-4722-B46F-D4EA9F3C9762}.exe

Filesize
180KB

MD5
527f190f881be54bd01cc5f67aef1e12

SHA1
96a6f1f8a23d32c3abe67479dad17d2e9df8eaff

SHA256
e9c3caf9f9bf5c7597d7c09fedef2dedd2eaf7b0fd9b1c89fd0bc61bfeb0fc24

SHA512
e83294c1838824effe6d903a2b2ae6985de7e6ea1e8a7d6194397e99e741ec2df81cf7524e6828bb3c2248d048512188e309af596bfb2ea6ded878694d8c89cc

Download Submit
C:\Windows\{ADA17179-06E9-49b4-98AB-C1447D356FAE}.exe

Filesize
180KB

MD5
1acff731fe7619d98982713c25bcdefe

SHA1
d442bc31a7ce1b4226c715e8f7d240ac21e8d3f2

SHA256
1c74ccf21ffe82a3ac39dcd052e8dcb9084a01c66ef0d46824eaf13244acb812

SHA512
86295a9484fefed64375c72e5af6986586a34a624dddc0059280301913ad45e7fb88d54688ef07de91c095d5266e083133cc71b2b1fd2a58de213494a53d31f8

Download Submit
C:\Windows\{B0BBCE1F-225A-41c3-B3A3-130DD8259E3E}.exe

Filesize
180KB

MD5
41e971e739982f8a9c62eb6aec162ffc

SHA1
34b19edc6dbbc591aa49a74e92abf6eb795a0a36

SHA256
79707bd0b4402239d1a1c03474a6c03cbe30a8046f3783c60553cad039572623

SHA512
bd3c8268c6eb7252343b23554e7a4848ea9df605e688088bb054a7a10a1e28f5479d51dcc6c7097ef6d6d91d3cf4a65c07ae77535abeae5eee46903afafd2176

Download Submit
C:\Windows\{B3D5087A-758D-4a26-9315-8F038AF77DAD}.exe

Filesize
180KB

MD5
b2f7c24532835a856e685e73207ffdfe

SHA1
1873c68c975efa859634ec5f62b3a225a3011ca2

SHA256
a636c78f4db961368d4963fbafa80a5549c61b93788ac8435ec558dbf78ff54c

SHA512
12b6fc14e46d3ab5fce74bf81e2700c09c8b9dff595beb700211db24b76ef232cb7989a07b46f61849a07930c52bd99f3d8fee2d5136225903bb544cdd5bc99c

Download Submit
C:\Windows\{B44CCB92-BDF3-482e-B19B-ACC5A6F22A4B}.exe

Filesize
180KB

MD5
b4c6635bd576053cfd280c98280073a2

SHA1
dacf9c93234ab4e41fd00774fe0259b11e624836

SHA256
695caf2af1ed55022708839225e32f27918e0f56fc1b48332c68ded323bbcc35

SHA512
7b2f9e0b1a6eebe224df9f96d9669de87fcc0a3b70bbb2c02f0bdca789f2313645f18a6bcd950393f320b7eb57b098f3f0d7f9cf77670fe4c675ae16a42d41a4

Download Submit
C:\Windows\{D35A5865-5DF3-459b-8288-B76FE8290918}.exe

Filesize
180KB

MD5
8cd7e0a9ae77267cdb2d87942365d74f

SHA1
261fdca43a8a0f262fd97fddfc9be23427f90dd6

SHA256
64c8faba6980088a500d7251552ea0e14ea869e05bbf041b0413df175ce59b32

SHA512
ea9d24eb377298a6237763bd0fae543c5f6176eb609b3b4f3aa48e3c3d25458da4b69b2c87d05815b46638d0c0004db4a9c9699716419236fea10b642e8a0bcd

Download Submit
C:\Windows\{DE749B11-883E-4abc-9317-85AB8E276571}.exe

Filesize
180KB

MD5
db2a5806b1c369050d0ca88abad15355

SHA1
d8a49939d73207755fd892cae3ebcf67676067b8

SHA256
727f64aade1bdf80e74ffd483672bbba8f2b2f67ff3cfd51d0201a3ad595e65e

SHA512
199b95eb47b16cbdf67c666a4dc778542e3ae9fc0f7c62f4e8a3273c6e94bfef9e90a59effdc85b07e2febd431bbee6575a1b2ca26c20e67ff62180504708530

Download Submit
C:\Windows\{E81759E0-8EAE-4861-AB5C-F0AFE3C7FCE6}.exe

Filesize
180KB

MD5
c725ebbf9627858e52744867950da4b2

SHA1
e04945dd2bb107613aa2594691767cd382f58b52

SHA256
ed245b2f0a36f95d37f2987dbfcc010e20abb7a2d6717d71db8647822615605b

SHA512
f3d33563800a2f98f26fbe85c4719aebd45e4068aee7e2ab7cdc3933e1e08dbca815f948184fd76fa27eac3be293e02185eaaaa98fe9ae1860c904b1f7c6efdc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads