016332e80c05ed3d10840283fea5633e6a3ab5a6aa11a676f2756b5f5764ede4

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbc4b8f4f5e1bf2cd35ff794a32286c3.exe
Size

380KB
MD5

dbc4b8f4f5e1bf2cd35ff794a32286c3
SHA1

cd721adf50b65a69563d20d25943460a4bd927e9
SHA256

016332e80c05ed3d10840283fea5633e6a3ab5a6aa11a676f2756b5f5764ede4
SHA512

6788ec3e4e9425907eb1e0127c414efd054a403c5992d5de6f20076aa6e154b6cb7dad5a654b45b9bd94022d29bf9da503cbbcb82dd4d67465f10a498ebecac6
SSDEEP

3072:mEGh0o2lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGcl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67C27177-8897-4b41-B727-9F3728E37CD5}	{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B3E04F2-3DDF-4499-A6BC-6562C9B0CEE8}\stubpath = "C:\\Windows\\{7B3E04F2-3DDF-4499-A6BC-6562C9B0CEE8}.exe"	{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C50F5FB-9A6E-42b7-8AD1-52D3DAAD2074}	{7B3E04F2-3DDF-4499-A6BC-6562C9B0CEE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C50F5FB-9A6E-42b7-8AD1-52D3DAAD2074}\stubpath = "C:\\Windows\\{4C50F5FB-9A6E-42b7-8AD1-52D3DAAD2074}.exe"	{7B3E04F2-3DDF-4499-A6BC-6562C9B0CEE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{883CB9E5-E612-473c-8EB6-EA7762093325}	{4C50F5FB-9A6E-42b7-8AD1-52D3DAAD2074}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{883CB9E5-E612-473c-8EB6-EA7762093325}\stubpath = "C:\\Windows\\{883CB9E5-E612-473c-8EB6-EA7762093325}.exe"	{4C50F5FB-9A6E-42b7-8AD1-52D3DAAD2074}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0B28B51-E330-41c5-9032-1E2721A73966}	{883CB9E5-E612-473c-8EB6-EA7762093325}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0B28B51-E330-41c5-9032-1E2721A73966}\stubpath = "C:\\Windows\\{D0B28B51-E330-41c5-9032-1E2721A73966}.exe"	{883CB9E5-E612-473c-8EB6-EA7762093325}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}\stubpath = "C:\\Windows\\{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe"	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D624ED55-0242-4771-A906-BF5625AB61AE}	{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}\stubpath = "C:\\Windows\\{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe"	{D624ED55-0242-4771-A906-BF5625AB61AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}\stubpath = "C:\\Windows\\{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe"	{67C27177-8897-4b41-B727-9F3728E37CD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C344B39-E8D5-41ad-92AC-009E7A3624F0}\stubpath = "C:\\Windows\\{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe"	{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B3E04F2-3DDF-4499-A6BC-6562C9B0CEE8}	{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B29DA4D7-006D-43c6-AF99-45669BE4944C}	{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}	{D624ED55-0242-4771-A906-BF5625AB61AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67C27177-8897-4b41-B727-9F3728E37CD5}\stubpath = "C:\\Windows\\{67C27177-8897-4b41-B727-9F3728E37CD5}.exe"	{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}	{67C27177-8897-4b41-B727-9F3728E37CD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C344B39-E8D5-41ad-92AC-009E7A3624F0}	{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B29DA4D7-006D-43c6-AF99-45669BE4944C}\stubpath = "C:\\Windows\\{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe"	{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D624ED55-0242-4771-A906-BF5625AB61AE}\stubpath = "C:\\Windows\\{D624ED55-0242-4771-A906-BF5625AB61AE}.exe"	{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe

Deletes itself 1 IoCs

pid	Process
1932	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2212	{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe
2856	{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe
2556	{D624ED55-0242-4771-A906-BF5625AB61AE}.exe
616	{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe
2648	{67C27177-8897-4b41-B727-9F3728E37CD5}.exe
2824	{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe
1968	{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe
572	{7B3E04F2-3DDF-4499-A6BC-6562C9B0CEE8}.exe
1012	{4C50F5FB-9A6E-42b7-8AD1-52D3DAAD2074}.exe
1628	{883CB9E5-E612-473c-8EB6-EA7762093325}.exe
2320	{D0B28B51-E330-41c5-9032-1E2721A73966}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7B3E04F2-3DDF-4499-A6BC-6562C9B0CEE8}.exe	{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe
File created	C:\Windows\{4C50F5FB-9A6E-42b7-8AD1-52D3DAAD2074}.exe	{7B3E04F2-3DDF-4499-A6BC-6562C9B0CEE8}.exe
File created	C:\Windows\{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe
File created	C:\Windows\{D624ED55-0242-4771-A906-BF5625AB61AE}.exe	{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe
File created	C:\Windows\{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe	{D624ED55-0242-4771-A906-BF5625AB61AE}.exe
File created	C:\Windows\{67C27177-8897-4b41-B727-9F3728E37CD5}.exe	{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe
File created	C:\Windows\{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe	{67C27177-8897-4b41-B727-9F3728E37CD5}.exe
File created	C:\Windows\{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe	{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe
File created	C:\Windows\{D0B28B51-E330-41c5-9032-1E2721A73966}.exe	{883CB9E5-E612-473c-8EB6-EA7762093325}.exe
File created	C:\Windows\{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe	{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe
File created	C:\Windows\{883CB9E5-E612-473c-8EB6-EA7762093325}.exe	{4C50F5FB-9A6E-42b7-8AD1-52D3DAAD2074}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2476	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe
Token: SeIncBasePriorityPrivilege	2212	{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe
Token: SeIncBasePriorityPrivilege	2856	{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe
Token: SeIncBasePriorityPrivilege	2556	{D624ED55-0242-4771-A906-BF5625AB61AE}.exe
Token: SeIncBasePriorityPrivilege	616	{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe
Token: SeIncBasePriorityPrivilege	2648	{67C27177-8897-4b41-B727-9F3728E37CD5}.exe
Token: SeIncBasePriorityPrivilege	2824	{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe
Token: SeIncBasePriorityPrivilege	1968	{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe
Token: SeIncBasePriorityPrivilege	572	{7B3E04F2-3DDF-4499-A6BC-6562C9B0CEE8}.exe
Token: SeIncBasePriorityPrivilege	1012	{4C50F5FB-9A6E-42b7-8AD1-52D3DAAD2074}.exe
Token: SeIncBasePriorityPrivilege	1628	{883CB9E5-E612-473c-8EB6-EA7762093325}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2212	2476	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe	28
PID 2476 wrote to memory of 2212	2476	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe	28
PID 2476 wrote to memory of 2212	2476	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe	28
PID 2476 wrote to memory of 2212	2476	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe	28
PID 2476 wrote to memory of 1932	2476	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe	29
PID 2476 wrote to memory of 1932	2476	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe	29
PID 2476 wrote to memory of 1932	2476	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe	29
PID 2476 wrote to memory of 1932	2476	dbc4b8f4f5e1bf2cd35ff794a32286c3.exe	29
PID 2212 wrote to memory of 2856	2212	{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe	30
PID 2212 wrote to memory of 2856	2212	{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe	30
PID 2212 wrote to memory of 2856	2212	{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe	30
PID 2212 wrote to memory of 2856	2212	{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe	30
PID 2212 wrote to memory of 3008	2212	{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe	31
PID 2212 wrote to memory of 3008	2212	{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe	31
PID 2212 wrote to memory of 3008	2212	{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe	31
PID 2212 wrote to memory of 3008	2212	{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe	31
PID 2856 wrote to memory of 2556	2856	{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe	34
PID 2856 wrote to memory of 2556	2856	{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe	34
PID 2856 wrote to memory of 2556	2856	{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe	34
PID 2856 wrote to memory of 2556	2856	{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe	34
PID 2856 wrote to memory of 2624	2856	{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe	35
PID 2856 wrote to memory of 2624	2856	{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe	35
PID 2856 wrote to memory of 2624	2856	{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe	35
PID 2856 wrote to memory of 2624	2856	{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe	35
PID 2556 wrote to memory of 616	2556	{D624ED55-0242-4771-A906-BF5625AB61AE}.exe	36
PID 2556 wrote to memory of 616	2556	{D624ED55-0242-4771-A906-BF5625AB61AE}.exe	36
PID 2556 wrote to memory of 616	2556	{D624ED55-0242-4771-A906-BF5625AB61AE}.exe	36
PID 2556 wrote to memory of 616	2556	{D624ED55-0242-4771-A906-BF5625AB61AE}.exe	36
PID 2556 wrote to memory of 1232	2556	{D624ED55-0242-4771-A906-BF5625AB61AE}.exe	37
PID 2556 wrote to memory of 1232	2556	{D624ED55-0242-4771-A906-BF5625AB61AE}.exe	37
PID 2556 wrote to memory of 1232	2556	{D624ED55-0242-4771-A906-BF5625AB61AE}.exe	37
PID 2556 wrote to memory of 1232	2556	{D624ED55-0242-4771-A906-BF5625AB61AE}.exe	37
PID 616 wrote to memory of 2648	616	{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe	38
PID 616 wrote to memory of 2648	616	{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe	38
PID 616 wrote to memory of 2648	616	{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe	38
PID 616 wrote to memory of 2648	616	{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe	38
PID 616 wrote to memory of 268	616	{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe	39
PID 616 wrote to memory of 268	616	{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe	39
PID 616 wrote to memory of 268	616	{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe	39
PID 616 wrote to memory of 268	616	{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe	39
PID 2648 wrote to memory of 2824	2648	{67C27177-8897-4b41-B727-9F3728E37CD5}.exe	40
PID 2648 wrote to memory of 2824	2648	{67C27177-8897-4b41-B727-9F3728E37CD5}.exe	40
PID 2648 wrote to memory of 2824	2648	{67C27177-8897-4b41-B727-9F3728E37CD5}.exe	40
PID 2648 wrote to memory of 2824	2648	{67C27177-8897-4b41-B727-9F3728E37CD5}.exe	40
PID 2648 wrote to memory of 1660	2648	{67C27177-8897-4b41-B727-9F3728E37CD5}.exe	41
PID 2648 wrote to memory of 1660	2648	{67C27177-8897-4b41-B727-9F3728E37CD5}.exe	41
PID 2648 wrote to memory of 1660	2648	{67C27177-8897-4b41-B727-9F3728E37CD5}.exe	41
PID 2648 wrote to memory of 1660	2648	{67C27177-8897-4b41-B727-9F3728E37CD5}.exe	41
PID 2824 wrote to memory of 1968	2824	{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe	42
PID 2824 wrote to memory of 1968	2824	{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe	42
PID 2824 wrote to memory of 1968	2824	{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe	42
PID 2824 wrote to memory of 1968	2824	{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe	42
PID 2824 wrote to memory of 2228	2824	{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe	43
PID 2824 wrote to memory of 2228	2824	{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe	43
PID 2824 wrote to memory of 2228	2824	{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe	43
PID 2824 wrote to memory of 2228	2824	{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe	43
PID 1968 wrote to memory of 572	1968	{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe	44
PID 1968 wrote to memory of 572	1968	{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe	44
PID 1968 wrote to memory of 572	1968	{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe	44
PID 1968 wrote to memory of 572	1968	{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe	44
PID 1968 wrote to memory of 1644	1968	{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe	45
PID 1968 wrote to memory of 1644	1968	{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe	45
PID 1968 wrote to memory of 1644	1968	{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe	45
PID 1968 wrote to memory of 1644	1968	{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe	45

C:\Users\Admin\AppData\Local\Temp\dbc4b8f4f5e1bf2cd35ff794a32286c3.exe
"C:\Users\Admin\AppData\Local\Temp\dbc4b8f4f5e1bf2cd35ff794a32286c3.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe
  C:\Windows\{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe
    C:\Windows\{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\{D624ED55-0242-4771-A906-BF5625AB61AE}.exe
      C:\Windows\{D624ED55-0242-4771-A906-BF5625AB61AE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe
        
        C:\Windows\{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:616
      - C:\Windows\{67C27177-8897-4b41-B727-9F3728E37CD5}.exe
        
        C:\Windows\{67C27177-8897-4b41-B727-9F3728E37CD5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe
        
        C:\Windows\{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe
        
        C:\Windows\{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\{7B3E04F2-3DDF-4499-A6BC-6562C9B0CEE8}.exe
        
        C:\Windows\{7B3E04F2-3DDF-4499-A6BC-6562C9B0CEE8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\{4C50F5FB-9A6E-42b7-8AD1-52D3DAAD2074}.exe
        
        C:\Windows\{4C50F5FB-9A6E-42b7-8AD1-52D3DAAD2074}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C50F~1.EXE > nul
        11⤵
        
        PID:2992
        
        C:\Windows\{883CB9E5-E612-473c-8EB6-EA7762093325}.exe
        
        C:\Windows\{883CB9E5-E612-473c-8EB6-EA7762093325}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\{D0B28B51-E330-41c5-9032-1E2721A73966}.exe
        
        C:\Windows\{D0B28B51-E330-41c5-9032-1E2721A73966}.exe
        12⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{883CB~1.EXE > nul
        12⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B3E0~1.EXE > nul
        10⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C344~1.EXE > nul
        9⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FFB3~1.EXE > nul
        8⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67C27~1.EXE > nul
        7⤵
        
        PID:1660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39B25~1.EXE > nul
        6⤵
        
        PID:268
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D624E~1.EXE > nul
        5⤵
        
        PID:1232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B29DA~1.EXE > nul
      4⤵
      PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4D4DD~1.EXE > nul
    3⤵
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\DBC4B8~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FFB3759-F9D2-4771-8A88-1ACB5289ED04}.exe

Filesize
380KB

MD5
0c534ed67c409155a1fb37d2c059a81b

SHA1
79aaa30ea5faad3f41fa562a233a1d5c7239b802

SHA256
972578886e8f63d6fcbfc3e5b3a7f651c758ad6b0a29b429b05d24eb44bdc339

SHA512
fd91e82af072c0304972e59847c9b5a569899ef0aaca75e6d60c373830f515765630c37a1081e135522040e56439617e8592b41961bb2197fb14fb68788aa9b4

Download Submit
C:\Windows\{39B25465-4EDF-4eac-8BB8-016CE3CB0C96}.exe

Filesize
380KB

MD5
761497a9e3f1e32566ea677de946f74f

SHA1
93cbb8502f84d1dea9a4c622c177465b90003966

SHA256
51e3dec9115cd4b582e1e0cab02ffbdd37ba00ed67ea16121b011f42916eda37

SHA512
4cd24a76c2eac078074eafb0e9f082ade15b5034f3f0799c4528bfd77938212476f5362ea623d0b786dddcdc7e19a6129fc8dcc11833768e2c6b6fd13cf10e7d

Download Submit
C:\Windows\{4C50F5FB-9A6E-42b7-8AD1-52D3DAAD2074}.exe

Filesize
380KB

MD5
adcb3deb91f6128e93b7a3e2c7564711

SHA1
af322ce115391508e8b4612fdb9c80316e59d2fc

SHA256
69c3aa465162a56bc4aa351c003ec194eeb14ffd4ec702489e4640e30b11e00a

SHA512
441d01efa83d96ee0d90bd1052fd8d7256a3826f99ba82c071c759199a858e5e068c27e741ff14e768bf2694233429e95eebff1f37973a6c2a53b905df9fdda8

Download Submit
C:\Windows\{4D4DDAFA-90A7-4c16-9ED3-A03F514C9094}.exe

Filesize
380KB

MD5
e7aea3ba06ed8d3fe924f81e812407e8

SHA1
e294f7996a67c19d1a2954a83480160d1dc214bd

SHA256
ddaf3504444447bf97da9c62d3b9352d4cb4b74f1d7d112265c940d23681b745

SHA512
811341ea244dbb1a1b59395160feb5eb993d39c7e37ab2382dee2cf3b5cc5141916b21400e3d2425c7318944c33e3c900bb6d4e8bae19b3023b795b59fc9d15b

Download Submit
C:\Windows\{5C344B39-E8D5-41ad-92AC-009E7A3624F0}.exe

Filesize
380KB

MD5
923f85b094d59eacb281a8a39a68a63f

SHA1
3b6d1dd6f034862d0390dbf22b2f2e4e5a73d649

SHA256
b76209d3f00f61a0867e9ba4a8c7910f7f704a0233f759b800afe9d50bf750fe

SHA512
9ef5dba3fb68eba6a2d548d140426d48f723d2bab6c1bbafc27b7550c935f8429e7ae31079e7edc998562949327ba5b7e97ee31bf287658e68f780ab4af0ad6d

Download Submit
C:\Windows\{67C27177-8897-4b41-B727-9F3728E37CD5}.exe

Filesize
380KB

MD5
74ddf61ea0dcfbe056c831cfb986810f

SHA1
e2c8e86231010232d27ca3f528e6c350502b5433

SHA256
6cae5168c243c9cca47d6d59c3a8b73ca9488edf161c6d26fd6255eb1127a292

SHA512
1c6ac208abca3c3de1294eb7118df85de6f51ad878e176570affa81d785fbafba285e71fdce5aa84862a945b3e75e58caafb4690f0f4c8269835c5a3748e1f22

Download Submit
C:\Windows\{7B3E04F2-3DDF-4499-A6BC-6562C9B0CEE8}.exe

Filesize
380KB

MD5
6519838ceb7363a2f2d37932b7237dc2

SHA1
61ed51f5d0cba06661523595d4ebc91d0e732665

SHA256
667506d2cf0fbeb61e4798c2e9078dce108d6e3f46feff9fe060fbde2b551d57

SHA512
d6972b8a229b652ef497dc949ab42e893d0f3cbc16aff643643149d9fe6045a833681a8cadcec907034b93990b66a647f17a0a0d8b07a33e38bbeb72ebd8fc4a

Download Submit
C:\Windows\{883CB9E5-E612-473c-8EB6-EA7762093325}.exe

Filesize
380KB

MD5
55a15f5744b924bc8f3a6baf6da1abc2

SHA1
ecf9ab159c5f7b59d5eb804cb121110a3f14e5d1

SHA256
fe4e1b71371fca35b66a2f1b39f10764086e0b690feb4238d2c4a1d1d74e84d6

SHA512
93ddcecd4078d0137e486a8f17240538cf229cdf6d9c1aee1f78dd65971fb5249f80dacc2d7c07fc407a51d30334f1c7b1bfb8a1e843f6ca8a841c8b5cab47de

Download Submit
C:\Windows\{B29DA4D7-006D-43c6-AF99-45669BE4944C}.exe

Filesize
380KB

MD5
04a6a9a11d7d916372fe6b73a09c6f7d

SHA1
343377a8290a799b4d973a1cd8d686ad614768f1

SHA256
7bb6c0cc6142c56ca9c8b474f8968226aabcd2f1e83322cc712d8f058e9c8322

SHA512
9cebce2d3ee2466e12f1fd18eca60a95d231fdf1412ac8f5587373d563720cf2cdfa3ef0b6bb253536feedb29972e10558024bdfab711e2adfc7dc84e62e6bd1

Download Submit
C:\Windows\{D0B28B51-E330-41c5-9032-1E2721A73966}.exe

Filesize
380KB

MD5
0588d6faab63a25539cde380b6928bf8

SHA1
aacd9a43dd2358a1ceced7b22d3d4c033e53cf6d

SHA256
2b0d3a6ca068b4e5468523c0f266755ef090c4e22d634cfa54d38f9216ebd258

SHA512
eedd60f70dd0e63b2d7f81287402410658a6aa8eaabfea66efa36905cde9e6522b4101f60dbb5c1557957dd242ba930a83f7412b1d42be083e216d7688dff1d7

Download Submit
C:\Windows\{D624ED55-0242-4771-A906-BF5625AB61AE}.exe

Filesize
380KB

MD5
7b04c509f83bac40b8c54ce1bcae9064

SHA1
31d496cdabd9aba8e421969c0512786a405151ac

SHA256
93130716a9032beeaf6010a11e11e3747a2b8f27ebf9915c250e2de2260d4dfb

SHA512
f6b6ee6382e6e1f656979b9bcf7022f7262f26a64c1836dd6563715412727836d4f290b1015839363aa06659b88defce412d3daf0d8064d9b302344f3715b1c0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads