8075bc7969c5ff467a85a622b99d3de003f0eb53a0f908212334b43a5ae14f5d

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b547df592dd1ac75036533c1a67630a7.exe
Size

180KB
MD5

b547df592dd1ac75036533c1a67630a7
SHA1

44c0ad9b10087cdec8a667c583a8e319a39607d0
SHA256

8075bc7969c5ff467a85a622b99d3de003f0eb53a0f908212334b43a5ae14f5d
SHA512

b9db3bb97ceadd254e69688e7fef2a4449d56db2e6d95b010c2b6bd8452bb771b6a394a2e7623e9218562d4b3eed27644aed37887908e67822877a49802228a9
SSDEEP

3072:jEGh0oolfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG+l5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}	{58AB7C56-0C40-421a-A24F-136B12812523}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}\stubpath = "C:\\Windows\\{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe"	{58AB7C56-0C40-421a-A24F-136B12812523}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3F07CF0-C7BC-45da-A720-9AF00F11BC29}\stubpath = "C:\\Windows\\{E3F07CF0-C7BC-45da-A720-9AF00F11BC29}.exe"	{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4734FEF6-A5F4-4f67-B93C-80D74CF46199}	{E3F07CF0-C7BC-45da-A720-9AF00F11BC29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4734FEF6-A5F4-4f67-B93C-80D74CF46199}\stubpath = "C:\\Windows\\{4734FEF6-A5F4-4f67-B93C-80D74CF46199}.exe"	{E3F07CF0-C7BC-45da-A720-9AF00F11BC29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E4E6199-8C65-448d-AD92-1FFAD76893DC}\stubpath = "C:\\Windows\\{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe"	{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EB8474D-EC47-4f94-B366-45822ECBD46B}	{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58AB7C56-0C40-421a-A24F-136B12812523}\stubpath = "C:\\Windows\\{58AB7C56-0C40-421a-A24F-136B12812523}.exe"	{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A81672FB-C7B8-427e-B40C-F0EF475A86DA}	{551D44B8-561E-4796-AFEE-CA616E919E34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A81672FB-C7B8-427e-B40C-F0EF475A86DA}\stubpath = "C:\\Windows\\{A81672FB-C7B8-427e-B40C-F0EF475A86DA}.exe"	{551D44B8-561E-4796-AFEE-CA616E919E34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E4E6199-8C65-448d-AD92-1FFAD76893DC}	{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}	{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{551D44B8-561E-4796-AFEE-CA616E919E34}\stubpath = "C:\\Windows\\{551D44B8-561E-4796-AFEE-CA616E919E34}.exe"	{4734FEF6-A5F4-4f67-B93C-80D74CF46199}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}\stubpath = "C:\\Windows\\{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe"	{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3F07CF0-C7BC-45da-A720-9AF00F11BC29}	{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{551D44B8-561E-4796-AFEE-CA616E919E34}	{4734FEF6-A5F4-4f67-B93C-80D74CF46199}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3526F09-84FE-49e9-9ED0-D642517E3B9A}\stubpath = "C:\\Windows\\{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe"	b547df592dd1ac75036533c1a67630a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{697AE3B7-AD85-403a-9A09-C80452DB8598}	{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{697AE3B7-AD85-403a-9A09-C80452DB8598}\stubpath = "C:\\Windows\\{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe"	{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E2FD07B-9187-45a4-A2E8-D391CFFDDF71}	{A81672FB-C7B8-427e-B40C-F0EF475A86DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E2FD07B-9187-45a4-A2E8-D391CFFDDF71}\stubpath = "C:\\Windows\\{4E2FD07B-9187-45a4-A2E8-D391CFFDDF71}.exe"	{A81672FB-C7B8-427e-B40C-F0EF475A86DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3526F09-84FE-49e9-9ED0-D642517E3B9A}	b547df592dd1ac75036533c1a67630a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EB8474D-EC47-4f94-B366-45822ECBD46B}\stubpath = "C:\\Windows\\{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe"	{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58AB7C56-0C40-421a-A24F-136B12812523}	{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe

Deletes itself 1 IoCs

pid	Process
2100	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
3064	{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe
2956	{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe
2508	{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe
3036	{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe
2904	{58AB7C56-0C40-421a-A24F-136B12812523}.exe
1588	{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe
2128	{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe
900	{E3F07CF0-C7BC-45da-A720-9AF00F11BC29}.exe
1256	{4734FEF6-A5F4-4f67-B93C-80D74CF46199}.exe
2236	{551D44B8-561E-4796-AFEE-CA616E919E34}.exe
2460	{A81672FB-C7B8-427e-B40C-F0EF475A86DA}.exe
624	{4E2FD07B-9187-45a4-A2E8-D391CFFDDF71}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{551D44B8-561E-4796-AFEE-CA616E919E34}.exe	{4734FEF6-A5F4-4f67-B93C-80D74CF46199}.exe
File created	C:\Windows\{A81672FB-C7B8-427e-B40C-F0EF475A86DA}.exe	{551D44B8-561E-4796-AFEE-CA616E919E34}.exe
File created	C:\Windows\{4E2FD07B-9187-45a4-A2E8-D391CFFDDF71}.exe	{A81672FB-C7B8-427e-B40C-F0EF475A86DA}.exe
File created	C:\Windows\{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe	b547df592dd1ac75036533c1a67630a7.exe
File created	C:\Windows\{58AB7C56-0C40-421a-A24F-136B12812523}.exe	{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe
File created	C:\Windows\{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe	{58AB7C56-0C40-421a-A24F-136B12812523}.exe
File created	C:\Windows\{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe	{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe
File created	C:\Windows\{4734FEF6-A5F4-4f67-B93C-80D74CF46199}.exe	{E3F07CF0-C7BC-45da-A720-9AF00F11BC29}.exe
File created	C:\Windows\{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe	{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe
File created	C:\Windows\{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe	{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe
File created	C:\Windows\{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe	{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe
File created	C:\Windows\{E3F07CF0-C7BC-45da-A720-9AF00F11BC29}.exe	{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2040	b547df592dd1ac75036533c1a67630a7.exe
Token: SeIncBasePriorityPrivilege	3064	{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe
Token: SeIncBasePriorityPrivilege	2956	{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe
Token: SeIncBasePriorityPrivilege	2508	{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe
Token: SeIncBasePriorityPrivilege	3036	{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe
Token: SeIncBasePriorityPrivilege	2904	{58AB7C56-0C40-421a-A24F-136B12812523}.exe
Token: SeIncBasePriorityPrivilege	1588	{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe
Token: SeIncBasePriorityPrivilege	2128	{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe
Token: SeIncBasePriorityPrivilege	900	{E3F07CF0-C7BC-45da-A720-9AF00F11BC29}.exe
Token: SeIncBasePriorityPrivilege	1256	{4734FEF6-A5F4-4f67-B93C-80D74CF46199}.exe
Token: SeIncBasePriorityPrivilege	2236	{551D44B8-561E-4796-AFEE-CA616E919E34}.exe
Token: SeIncBasePriorityPrivilege	2460	{A81672FB-C7B8-427e-B40C-F0EF475A86DA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 3064	2040	b547df592dd1ac75036533c1a67630a7.exe	28
PID 2040 wrote to memory of 3064	2040	b547df592dd1ac75036533c1a67630a7.exe	28
PID 2040 wrote to memory of 3064	2040	b547df592dd1ac75036533c1a67630a7.exe	28
PID 2040 wrote to memory of 3064	2040	b547df592dd1ac75036533c1a67630a7.exe	28
PID 2040 wrote to memory of 2100	2040	b547df592dd1ac75036533c1a67630a7.exe	29
PID 2040 wrote to memory of 2100	2040	b547df592dd1ac75036533c1a67630a7.exe	29
PID 2040 wrote to memory of 2100	2040	b547df592dd1ac75036533c1a67630a7.exe	29
PID 2040 wrote to memory of 2100	2040	b547df592dd1ac75036533c1a67630a7.exe	29
PID 3064 wrote to memory of 2956	3064	{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe	30
PID 3064 wrote to memory of 2956	3064	{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe	30
PID 3064 wrote to memory of 2956	3064	{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe	30
PID 3064 wrote to memory of 2956	3064	{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe	30
PID 3064 wrote to memory of 2948	3064	{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe	31
PID 3064 wrote to memory of 2948	3064	{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe	31
PID 3064 wrote to memory of 2948	3064	{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe	31
PID 3064 wrote to memory of 2948	3064	{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe	31
PID 2956 wrote to memory of 2508	2956	{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe	34
PID 2956 wrote to memory of 2508	2956	{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe	34
PID 2956 wrote to memory of 2508	2956	{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe	34
PID 2956 wrote to memory of 2508	2956	{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe	34
PID 2956 wrote to memory of 2576	2956	{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe	35
PID 2956 wrote to memory of 2576	2956	{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe	35
PID 2956 wrote to memory of 2576	2956	{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe	35
PID 2956 wrote to memory of 2576	2956	{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe	35
PID 2508 wrote to memory of 3036	2508	{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe	36
PID 2508 wrote to memory of 3036	2508	{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe	36
PID 2508 wrote to memory of 3036	2508	{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe	36
PID 2508 wrote to memory of 3036	2508	{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe	36
PID 2508 wrote to memory of 1644	2508	{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe	37
PID 2508 wrote to memory of 1644	2508	{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe	37
PID 2508 wrote to memory of 1644	2508	{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe	37
PID 2508 wrote to memory of 1644	2508	{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe	37
PID 3036 wrote to memory of 2904	3036	{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe	38
PID 3036 wrote to memory of 2904	3036	{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe	38
PID 3036 wrote to memory of 2904	3036	{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe	38
PID 3036 wrote to memory of 2904	3036	{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe	38
PID 3036 wrote to memory of 2912	3036	{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe	39
PID 3036 wrote to memory of 2912	3036	{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe	39
PID 3036 wrote to memory of 2912	3036	{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe	39
PID 3036 wrote to memory of 2912	3036	{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe	39
PID 2904 wrote to memory of 1588	2904	{58AB7C56-0C40-421a-A24F-136B12812523}.exe	40
PID 2904 wrote to memory of 1588	2904	{58AB7C56-0C40-421a-A24F-136B12812523}.exe	40
PID 2904 wrote to memory of 1588	2904	{58AB7C56-0C40-421a-A24F-136B12812523}.exe	40
PID 2904 wrote to memory of 1588	2904	{58AB7C56-0C40-421a-A24F-136B12812523}.exe	40
PID 2904 wrote to memory of 1196	2904	{58AB7C56-0C40-421a-A24F-136B12812523}.exe	41
PID 2904 wrote to memory of 1196	2904	{58AB7C56-0C40-421a-A24F-136B12812523}.exe	41
PID 2904 wrote to memory of 1196	2904	{58AB7C56-0C40-421a-A24F-136B12812523}.exe	41
PID 2904 wrote to memory of 1196	2904	{58AB7C56-0C40-421a-A24F-136B12812523}.exe	41
PID 1588 wrote to memory of 2128	1588	{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe	42
PID 1588 wrote to memory of 2128	1588	{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe	42
PID 1588 wrote to memory of 2128	1588	{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe	42
PID 1588 wrote to memory of 2128	1588	{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe	42
PID 1588 wrote to memory of 2572	1588	{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe	43
PID 1588 wrote to memory of 2572	1588	{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe	43
PID 1588 wrote to memory of 2572	1588	{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe	43
PID 1588 wrote to memory of 2572	1588	{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe	43
PID 2128 wrote to memory of 900	2128	{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe	44
PID 2128 wrote to memory of 900	2128	{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe	44
PID 2128 wrote to memory of 900	2128	{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe	44
PID 2128 wrote to memory of 900	2128	{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe	44
PID 2128 wrote to memory of 1496	2128	{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe	45
PID 2128 wrote to memory of 1496	2128	{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe	45
PID 2128 wrote to memory of 1496	2128	{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe	45
PID 2128 wrote to memory of 1496	2128	{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe	45

C:\Users\Admin\AppData\Local\Temp\b547df592dd1ac75036533c1a67630a7.exe
"C:\Users\Admin\AppData\Local\Temp\b547df592dd1ac75036533c1a67630a7.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe
  C:\Windows\{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe
    C:\Windows\{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe
      C:\Windows\{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Windows\{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe
        
        C:\Windows\{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\{58AB7C56-0C40-421a-A24F-136B12812523}.exe
        
        C:\Windows\{58AB7C56-0C40-421a-A24F-136B12812523}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe
        
        C:\Windows\{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe
        
        C:\Windows\{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\{E3F07CF0-C7BC-45da-A720-9AF00F11BC29}.exe
        
        C:\Windows\{E3F07CF0-C7BC-45da-A720-9AF00F11BC29}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\{4734FEF6-A5F4-4f67-B93C-80D74CF46199}.exe
        
        C:\Windows\{4734FEF6-A5F4-4f67-B93C-80D74CF46199}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\{551D44B8-561E-4796-AFEE-CA616E919E34}.exe
        
        C:\Windows\{551D44B8-561E-4796-AFEE-CA616E919E34}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\{A81672FB-C7B8-427e-B40C-F0EF475A86DA}.exe
        
        C:\Windows\{A81672FB-C7B8-427e-B40C-F0EF475A86DA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\{4E2FD07B-9187-45a4-A2E8-D391CFFDDF71}.exe
        
        C:\Windows\{4E2FD07B-9187-45a4-A2E8-D391CFFDDF71}.exe
        13⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8167~1.EXE > nul
        13⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{551D4~1.EXE > nul
        12⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4734F~1.EXE > nul
        11⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3F07~1.EXE > nul
        10⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D7D3~1.EXE > nul
        9⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0CF0~1.EXE > nul
        8⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58AB7~1.EXE > nul
        7⤵
        
        PID:1196
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EB84~1.EXE > nul
        6⤵
        
        PID:2912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{697AE~1.EXE > nul
        5⤵
        
        PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6E4E6~1.EXE > nul
      4⤵
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F3526~1.EXE > nul
    3⤵
    PID:2948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B547DF~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3EB8474D-EC47-4f94-B366-45822ECBD46B}.exe

Filesize
180KB

MD5
d0ac83531d1a969c15871e662d7aa043

SHA1
596a5d111112d38423ea0665cf7c4052c3a805a9

SHA256
1f134f7e2f6603477846765dcf73eb15ddbd035ac1935c7c9fca441b0d48369e

SHA512
5932fd620f671601a9be4edc12756233e2940c3c98c71991e10bde2e38cc958302103b7c67f6d67a4721e6ea3696273863a954554ed6cfaf206147473673c53c

Download Submit
C:\Windows\{4734FEF6-A5F4-4f67-B93C-80D74CF46199}.exe

Filesize
180KB

MD5
527d42c49ae08c8171a1078c41de2b5e

SHA1
e573517f338d0092dc34bcf0b64dfdd8236e72bd

SHA256
4b9d779ed895d38da67075fdda842f7fd59e7cf9249eb67c6ef46b8a242a3377

SHA512
d9651b0805835b5f4c6bc7e9fc5f1843de6bf3384136d60d4a584d46530dc3205d56a48600d0cc210c6e8eda7e50226db5f73eb11e867008bab794ce9e3c4082

Download Submit
C:\Windows\{4E2FD07B-9187-45a4-A2E8-D391CFFDDF71}.exe

Filesize
180KB

MD5
52e2f8fd1de2069bbad10c247b3d48b0

SHA1
3bcd5badf47b62e4116b0a4dd0ccc28d944a3ec3

SHA256
bb27ef7319750e223b25e0fadd498c4051e54d119ca472560572f4b1233105f2

SHA512
40edcafb2e542e6ebf85c23871efe60042bac1e00e02d7137098729893572c23d5cac78268c2c923601a7535e423b5fa8b09b18dfd39e9772e74c29c0a60d774

Download Submit
C:\Windows\{551D44B8-561E-4796-AFEE-CA616E919E34}.exe

Filesize
180KB

MD5
7de1ced1010f669369717fee2e8f381c

SHA1
534f9a7d000a95b4244cb044f4ad827fe6fc0c93

SHA256
97345478711bc9bb3296212cc07db67ed16e7584ef538f095a87fce6e6265ded

SHA512
cb0319a27ff55a0b525cd4181a08f93796f634edc4a8db8d88336fae0ac42c5b5390c4eb174054a7ed256c02dc576325f705f4239d77214605d1dcc41941a65d

Download Submit
C:\Windows\{58AB7C56-0C40-421a-A24F-136B12812523}.exe

Filesize
180KB

MD5
4e569e32272960c247da393b1ab29878

SHA1
53ef076a5c4bf82405a0c9e9cb35ade006230ceb

SHA256
c1dfd42557fb3bbecd57912bba1ca2a33910ddff1a9feee9be5c6d344a7520b2

SHA512
c5fc3a439c804376606383faeff407db7b773d06fc59fc09a00a4185cb6bf0aa46179d7f51e5a2329089b75ec70c6c401049b9971fc88c04afb753eb3834956d

Download Submit
C:\Windows\{5D7D3BA3-6B0C-4178-93EA-80C4D64E9557}.exe

Filesize
180KB

MD5
5ac689f1f965f80bb3d765a8d2f16e15

SHA1
5bd1757a3a05146a17dc385c9744ed463413c79b

SHA256
0cf50b3a77a05baea8bf7f36923516c79e241920a756c2ff4052f332666063a9

SHA512
eebcbbf24c558ce5bb8c226387bd5e348d2593fa5987403c473c712cb569a7b86875b4d87fc20b0053c53e8be7edb5640474f9d42fb91e593bc63d7d668d78c0

Download Submit
C:\Windows\{697AE3B7-AD85-403a-9A09-C80452DB8598}.exe

Filesize
180KB

MD5
aab484d897ea4966792239fd2c2bb488

SHA1
6bca389799aaeb2ce4ddc61fb784932f0b472908

SHA256
1b5b2950daca542a0b6ccff5653bbefe8930ba53f452820bf812d5cd452c3d63

SHA512
0914e21d5b6049920b8851d71d49461375602926b2f6c406993fdcf0bd74c0976f1357cac9fe6433032aa5048cf82f9deca987adf4dcf7e7b580c44a586668bc

Download Submit
C:\Windows\{6E4E6199-8C65-448d-AD92-1FFAD76893DC}.exe

Filesize
180KB

MD5
de1c84419b0a930aec3699d5a4bab942

SHA1
f0ab0521aa4c5d45ace1f06234186a3a987d57af

SHA256
3d7e072a1c2d3c44103967c1d03b5603bcb2beb5b1eb460e3d0db16e7f1babae

SHA512
39d7d8053daf776ab032d6fdac99b10f0f862327d29e47019200e7eaee07b1f60d5627cd52cb70dce2fbcfaab2c484d644a314f734236a0707cac93c77ec8b7f

Download Submit
C:\Windows\{A81672FB-C7B8-427e-B40C-F0EF475A86DA}.exe

Filesize
180KB

MD5
b03434bb3472906994bf022b37ecd803

SHA1
322380babe8fb647a50407ca4c788dc19aa667f3

SHA256
bd3906fc80f21206d27ffed572ac397988a1ecbf7e1f8acdf07fec8fb4eedc3d

SHA512
4c5b0a99eb1a9c0e8f756ea993ac94c7d620385968f5414d09163f3557b583886071a0869a6af89fe869ef8c24c0406e72b39bd4c6da3014627ff7eca59f30a3

Download Submit
C:\Windows\{D0CF0041-EC7C-4a24-9FD9-08FF5C89A14A}.exe

Filesize
180KB

MD5
7a56a50b148ab40f51010000bde07c3a

SHA1
7d400c37a9d7404a33403cad3f19e8b0fe94bbd1

SHA256
3ab4ae188514efd975997a0dfca299b0c2955057c966dd885ab1c7145f0fe951

SHA512
fa1f790529c547fc057dc874c6f98950eafe0acd4867d7f1cad8eabe74314785cf121657973bf85ee6a2c1c5209a23b317cb913ebf3ef3076d19f9ba5163c5a5

Download Submit
C:\Windows\{E3F07CF0-C7BC-45da-A720-9AF00F11BC29}.exe

Filesize
180KB

MD5
26731150672e4658316d8af885bb310c

SHA1
6e4d91c7c26129f17eafcd08000511e6466cb20a

SHA256
d32e68d6b37a08e7e776013c39c9c1a4045ec20fee428255c05220e30c87e782

SHA512
4b2102f9ccfb4779cd489ad9e35d9170ac2c34fae7bc355a6badc78fa9cf032148cb07c158a9d0d585e6d1221caec103d6f2b96ef9600f61420b425a84a79336

Download Submit
C:\Windows\{F3526F09-84FE-49e9-9ED0-D642517E3B9A}.exe

Filesize
180KB

MD5
70adafbeb4ea18ddf013452325b09f54

SHA1
5be9e2b289ce9d9714adce30282942f8dcdb9447

SHA256
b13ef718c324661df9ae14921a9e9e5dd3cd63a35ae5b0e6f5bfd96dbc085d14

SHA512
915b4f288f824890bf95c6780bdb1ccdce492494307ec580e11db5a92278c07bda2b5b4d2056bcdb0b912b08df4bb9a8e21af8df894d9be0aaf5f1e31b400f87

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads