7221d8a13beb0b29087fb72aba00ba49ceb9411a711579d72088cc6c8891255c

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca6938c15b1c8a79de9fff01cd1f243b.exe
Size

408KB
MD5

ca6938c15b1c8a79de9fff01cd1f243b
SHA1

db1e467b36f7b80c3ab2e9e5451d298236c9c4b9
SHA256

7221d8a13beb0b29087fb72aba00ba49ceb9411a711579d72088cc6c8891255c
SHA512

323daddc799a99d8dbc2468d7ebaf28b38a835f70fcaeaad0504622aa8f62f718b5695a2d56bbe5b56cfd4884c1f09c5301151fb3d7dec0b5fc6d17282830d28
SSDEEP

3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGLldOe2MUVg3vTeKcAEciTBqr3jy9

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69B92E1F-4764-478f-8E3E-07431C6E3851}	{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}	{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C17FB1DE-25D7-4b56-B727-061B84994325}\stubpath = "C:\\Windows\\{C17FB1DE-25D7-4b56-B727-061B84994325}.exe"	{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B95C643-1C10-4d3b-BAAC-43CC4A674AFC}	{3E1FC069-0242-4ae8-88F6-3D68ED08594C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D00E47B-7EE5-4533-8477-A2EA4C95A3DF}	{C2B99E02-EC9A-41b2-BD58-95372BD39F42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D00E47B-7EE5-4533-8477-A2EA4C95A3DF}\stubpath = "C:\\Windows\\{5D00E47B-7EE5-4533-8477-A2EA4C95A3DF}.exe"	{C2B99E02-EC9A-41b2-BD58-95372BD39F42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}	{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C17FB1DE-25D7-4b56-B727-061B84994325}	{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}\stubpath = "C:\\Windows\\{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe"	{C17FB1DE-25D7-4b56-B727-061B84994325}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B95C643-1C10-4d3b-BAAC-43CC4A674AFC}\stubpath = "C:\\Windows\\{4B95C643-1C10-4d3b-BAAC-43CC4A674AFC}.exe"	{3E1FC069-0242-4ae8-88F6-3D68ED08594C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2B99E02-EC9A-41b2-BD58-95372BD39F42}\stubpath = "C:\\Windows\\{C2B99E02-EC9A-41b2-BD58-95372BD39F42}.exe"	{4B95C643-1C10-4d3b-BAAC-43CC4A674AFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}\stubpath = "C:\\Windows\\{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe"	{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}	{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69B92E1F-4764-478f-8E3E-07431C6E3851}\stubpath = "C:\\Windows\\{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe"	{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}	{C17FB1DE-25D7-4b56-B727-061B84994325}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E1FC069-0242-4ae8-88F6-3D68ED08594C}	{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{812D23E0-85B0-41f4-99A6-960A935EA89E}	ca6938c15b1c8a79de9fff01cd1f243b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}\stubpath = "C:\\Windows\\{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe"	{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}\stubpath = "C:\\Windows\\{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe"	{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E1FC069-0242-4ae8-88F6-3D68ED08594C}\stubpath = "C:\\Windows\\{3E1FC069-0242-4ae8-88F6-3D68ED08594C}.exe"	{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2B99E02-EC9A-41b2-BD58-95372BD39F42}	{4B95C643-1C10-4d3b-BAAC-43CC4A674AFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{812D23E0-85B0-41f4-99A6-960A935EA89E}\stubpath = "C:\\Windows\\{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe"	ca6938c15b1c8a79de9fff01cd1f243b.exe

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2080	{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe
2772	{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe
2696	{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe
2728	{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe
808	{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe
1932	{C17FB1DE-25D7-4b56-B727-061B84994325}.exe
1092	{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe
612	{3E1FC069-0242-4ae8-88F6-3D68ED08594C}.exe
1188	{4B95C643-1C10-4d3b-BAAC-43CC4A674AFC}.exe
2324	{C2B99E02-EC9A-41b2-BD58-95372BD39F42}.exe
2388	{5D00E47B-7EE5-4533-8477-A2EA4C95A3DF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe	{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe
File created	C:\Windows\{3E1FC069-0242-4ae8-88F6-3D68ED08594C}.exe	{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe
File created	C:\Windows\{C2B99E02-EC9A-41b2-BD58-95372BD39F42}.exe	{4B95C643-1C10-4d3b-BAAC-43CC4A674AFC}.exe
File created	C:\Windows\{5D00E47B-7EE5-4533-8477-A2EA4C95A3DF}.exe	{C2B99E02-EC9A-41b2-BD58-95372BD39F42}.exe
File created	C:\Windows\{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe	{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe
File created	C:\Windows\{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe	{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe
File created	C:\Windows\{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe	{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe
File created	C:\Windows\{C17FB1DE-25D7-4b56-B727-061B84994325}.exe	{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe
File created	C:\Windows\{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe	{C17FB1DE-25D7-4b56-B727-061B84994325}.exe
File created	C:\Windows\{4B95C643-1C10-4d3b-BAAC-43CC4A674AFC}.exe	{3E1FC069-0242-4ae8-88F6-3D68ED08594C}.exe
File created	C:\Windows\{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe	ca6938c15b1c8a79de9fff01cd1f243b.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2028	ca6938c15b1c8a79de9fff01cd1f243b.exe
Token: SeIncBasePriorityPrivilege	2080	{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe
Token: SeIncBasePriorityPrivilege	2772	{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe
Token: SeIncBasePriorityPrivilege	2696	{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe
Token: SeIncBasePriorityPrivilege	2728	{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe
Token: SeIncBasePriorityPrivilege	808	{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe
Token: SeIncBasePriorityPrivilege	1932	{C17FB1DE-25D7-4b56-B727-061B84994325}.exe
Token: SeIncBasePriorityPrivilege	1092	{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe
Token: SeIncBasePriorityPrivilege	612	{3E1FC069-0242-4ae8-88F6-3D68ED08594C}.exe
Token: SeIncBasePriorityPrivilege	1188	{4B95C643-1C10-4d3b-BAAC-43CC4A674AFC}.exe
Token: SeIncBasePriorityPrivilege	2324	{C2B99E02-EC9A-41b2-BD58-95372BD39F42}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2080	2028	ca6938c15b1c8a79de9fff01cd1f243b.exe	28
PID 2028 wrote to memory of 2080	2028	ca6938c15b1c8a79de9fff01cd1f243b.exe	28
PID 2028 wrote to memory of 2080	2028	ca6938c15b1c8a79de9fff01cd1f243b.exe	28
PID 2028 wrote to memory of 2080	2028	ca6938c15b1c8a79de9fff01cd1f243b.exe	28
PID 2028 wrote to memory of 2924	2028	ca6938c15b1c8a79de9fff01cd1f243b.exe	29
PID 2028 wrote to memory of 2924	2028	ca6938c15b1c8a79de9fff01cd1f243b.exe	29
PID 2028 wrote to memory of 2924	2028	ca6938c15b1c8a79de9fff01cd1f243b.exe	29
PID 2028 wrote to memory of 2924	2028	ca6938c15b1c8a79de9fff01cd1f243b.exe	29
PID 2080 wrote to memory of 2772	2080	{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe	31
PID 2080 wrote to memory of 2772	2080	{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe	31
PID 2080 wrote to memory of 2772	2080	{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe	31
PID 2080 wrote to memory of 2772	2080	{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe	31
PID 2080 wrote to memory of 2812	2080	{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe	30
PID 2080 wrote to memory of 2812	2080	{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe	30
PID 2080 wrote to memory of 2812	2080	{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe	30
PID 2080 wrote to memory of 2812	2080	{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe	30
PID 2772 wrote to memory of 2696	2772	{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe	34
PID 2772 wrote to memory of 2696	2772	{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe	34
PID 2772 wrote to memory of 2696	2772	{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe	34
PID 2772 wrote to memory of 2696	2772	{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe	34
PID 2772 wrote to memory of 2616	2772	{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe	35
PID 2772 wrote to memory of 2616	2772	{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe	35
PID 2772 wrote to memory of 2616	2772	{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe	35
PID 2772 wrote to memory of 2616	2772	{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe	35
PID 2696 wrote to memory of 2728	2696	{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe	36
PID 2696 wrote to memory of 2728	2696	{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe	36
PID 2696 wrote to memory of 2728	2696	{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe	36
PID 2696 wrote to memory of 2728	2696	{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe	36
PID 2696 wrote to memory of 2620	2696	{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe	37
PID 2696 wrote to memory of 2620	2696	{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe	37
PID 2696 wrote to memory of 2620	2696	{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe	37
PID 2696 wrote to memory of 2620	2696	{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe	37
PID 2728 wrote to memory of 808	2728	{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe	38
PID 2728 wrote to memory of 808	2728	{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe	38
PID 2728 wrote to memory of 808	2728	{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe	38
PID 2728 wrote to memory of 808	2728	{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe	38
PID 2728 wrote to memory of 584	2728	{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe	39
PID 2728 wrote to memory of 584	2728	{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe	39
PID 2728 wrote to memory of 584	2728	{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe	39
PID 2728 wrote to memory of 584	2728	{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe	39
PID 808 wrote to memory of 1932	808	{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe	41
PID 808 wrote to memory of 1932	808	{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe	41
PID 808 wrote to memory of 1932	808	{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe	41
PID 808 wrote to memory of 1932	808	{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe	41
PID 808 wrote to memory of 1908	808	{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe	40
PID 808 wrote to memory of 1908	808	{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe	40
PID 808 wrote to memory of 1908	808	{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe	40
PID 808 wrote to memory of 1908	808	{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe	40
PID 1932 wrote to memory of 1092	1932	{C17FB1DE-25D7-4b56-B727-061B84994325}.exe	43
PID 1932 wrote to memory of 1092	1932	{C17FB1DE-25D7-4b56-B727-061B84994325}.exe	43
PID 1932 wrote to memory of 1092	1932	{C17FB1DE-25D7-4b56-B727-061B84994325}.exe	43
PID 1932 wrote to memory of 1092	1932	{C17FB1DE-25D7-4b56-B727-061B84994325}.exe	43
PID 1932 wrote to memory of 2548	1932	{C17FB1DE-25D7-4b56-B727-061B84994325}.exe	42
PID 1932 wrote to memory of 2548	1932	{C17FB1DE-25D7-4b56-B727-061B84994325}.exe	42
PID 1932 wrote to memory of 2548	1932	{C17FB1DE-25D7-4b56-B727-061B84994325}.exe	42
PID 1932 wrote to memory of 2548	1932	{C17FB1DE-25D7-4b56-B727-061B84994325}.exe	42
PID 1092 wrote to memory of 612	1092	{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe	45
PID 1092 wrote to memory of 612	1092	{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe	45
PID 1092 wrote to memory of 612	1092	{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe	45
PID 1092 wrote to memory of 612	1092	{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe	45
PID 1092 wrote to memory of 1524	1092	{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe	44
PID 1092 wrote to memory of 1524	1092	{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe	44
PID 1092 wrote to memory of 1524	1092	{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe	44
PID 1092 wrote to memory of 1524	1092	{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe	44

C:\Users\Admin\AppData\Local\Temp\ca6938c15b1c8a79de9fff01cd1f243b.exe
"C:\Users\Admin\AppData\Local\Temp\ca6938c15b1c8a79de9fff01cd1f243b.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe
  C:\Windows\{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{812D2~1.EXE > nul
    3⤵
    PID:2812
- - C:\Windows\{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe
    C:\Windows\{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe
      C:\Windows\{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe
        
        C:\Windows\{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Windows\{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe
        
        C:\Windows\{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19AF2~1.EXE > nul
        7⤵
        
        PID:1908
        
        C:\Windows\{C17FB1DE-25D7-4b56-B727-061B84994325}.exe
        
        C:\Windows\{C17FB1DE-25D7-4b56-B727-061B84994325}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C17FB~1.EXE > nul
        8⤵
        
        PID:2548
        
        C:\Windows\{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe
        
        C:\Windows\{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBDF4~1.EXE > nul
        9⤵
        
        PID:1524
        
        C:\Windows\{3E1FC069-0242-4ae8-88F6-3D68ED08594C}.exe
        
        C:\Windows\{3E1FC069-0242-4ae8-88F6-3D68ED08594C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E1FC~1.EXE > nul
        10⤵
        
        PID:2992
        
        C:\Windows\{4B95C643-1C10-4d3b-BAAC-43CC4A674AFC}.exe
        
        C:\Windows\{4B95C643-1C10-4d3b-BAAC-43CC4A674AFC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\{C2B99E02-EC9A-41b2-BD58-95372BD39F42}.exe
        
        C:\Windows\{C2B99E02-EC9A-41b2-BD58-95372BD39F42}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2B99~1.EXE > nul
        12⤵
        
        PID:2852
        
        C:\Windows\{5D00E47B-7EE5-4533-8477-A2EA4C95A3DF}.exe
        
        C:\Windows\{5D00E47B-7EE5-4533-8477-A2EA4C95A3DF}.exe
        12⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B95C~1.EXE > nul
        11⤵
        
        PID:2232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69B92~1.EXE > nul
        6⤵
        
        PID:584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E349~1.EXE > nul
        5⤵
        
        PID:2620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3A8B8~1.EXE > nul
      4⤵
      PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CA6938~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19AF24DE-78AC-4941-AFF7-FDD1EEA609BA}.exe

Filesize
408KB

MD5
aea773f77a54e710b2029e95e4517c63

SHA1
b43bafb7491b34df4811a522cad0ba19d79251c6

SHA256
97a5accc0d3901f28d0cd4bcc1aed6ede0a54eee87a327b013d540324955d62a

SHA512
bc46901632d7af3478806ff8d92576c8d6b41a4751bf839c98071edc9604bdc8c06132bb5588107217b8c5b791435a35a4da1be37e696c8fc2004d5a6a1d256b

Download Submit
C:\Windows\{3A8B8ACE-2841-479b-BE48-B72BF30DDD8D}.exe

Filesize
408KB

MD5
75d66b4e4f69382a1575f3178536b063

SHA1
457213dd1dbd8b53d2646c47dd987391626ec41e

SHA256
7a0f897226dd6cea33596f599102dab0607a561143a40294ce4f09e3a7bb11d8

SHA512
4dcd140ae95412fd2ab89f1beb68f3106eadb0a741e7eb7be09d150ae3c6c0fa675b601b8083ddc7226a91141383e08116bd92f9fec304af6ac1d41e1f0dc7ba

Download Submit
C:\Windows\{3E1FC069-0242-4ae8-88F6-3D68ED08594C}.exe

Filesize
408KB

MD5
7680868e0d795d81ce5264df54d5c8bb

SHA1
26f8a3cbc489b5a19a2cd6902a9f8bcc25cf30f6

SHA256
96bb12d36346d5dc87ced7ad4f17f2e6d9b1e77c86a46363da2e89959c795e59

SHA512
4dec821f3b331241244cb7155cb1d5c12de3a7710c7ed3c092f89d6574b5a440c72138af0d7ced4863ba2e9b620097ad6436dcd0349f7da7aab2f8d705f25036

Download Submit
C:\Windows\{4B95C643-1C10-4d3b-BAAC-43CC4A674AFC}.exe

Filesize
408KB

MD5
986afb190bbcde4545398c3427dd05fd

SHA1
18c559067bb0b866a7cc8ecfa82eea8780ad2e81

SHA256
644909eae740683d3233779572d41ff3e35f22c9ee591ba4460a48cbb07223c0

SHA512
c4cc4f855428d24cf9ddfa593f90571a395603afad33998033f676a20881f146a1ff609e7af6a0570e4dfa3a0bfc8b0ce5423e5f4329973f541245102b6fa617

Download Submit
C:\Windows\{5D00E47B-7EE5-4533-8477-A2EA4C95A3DF}.exe

Filesize
408KB

MD5
25851b85cf808de1463ca28df2fec096

SHA1
f12e2f077d13992b7aed47079d4e997f1c25690c

SHA256
1ba732dac30d6f0ced39b57d3ed2e37a4d44f72bd8dd5c125e327ff9367f0ad3

SHA512
0728e3926372e93c021da756e7b8c7b2b221921494e5895deaeb97575c1dea589e0d09d31562cef6cff0389ec3f09180bfcc0ce29fe31c692a5a0542c9c3adc8

Download Submit
C:\Windows\{69B92E1F-4764-478f-8E3E-07431C6E3851}.exe

Filesize
408KB

MD5
068edb0934def9012718632a3590b8f9

SHA1
9323d8a2d67a063f4e975f40e90c47b3e42f2c42

SHA256
8c65bf616ae425fb9b1942e9a6d57d2226b72a1187813ddc91e0702a086ce049

SHA512
e4b505ebe071669f12452ebd5d90939dbde3b96e1b7bc27e6411e95f96d5e720acdeda8d1a77d733ad13fbd4d35b712e605354d7790d3282c65729d37ea2983f

Download Submit
C:\Windows\{812D23E0-85B0-41f4-99A6-960A935EA89E}.exe

Filesize
408KB

MD5
aabe0af3f6c9e915fffe279c4595fd41

SHA1
c4e5cde99846e8ec9b02def1989a690e99f5a256

SHA256
3b1bbae541b35f6fe7971c2512edac2dea9ed2c98f7fa2e2a16b50f175d9d223

SHA512
192f52a10552953ab1a20c3edd3e5af86a565f564758020a41108115ae05b69bfb47773d74e70110bb3400f12eb8f627923aa01cf38028138160555c2e2cf8eb

Download Submit
C:\Windows\{8E349FEC-BA3A-4481-8E0C-67C2F13A28E8}.exe

Filesize
408KB

MD5
22ca6a40b09969ed123b28bdd9d2fee3

SHA1
fa8df1d6a01aebe0dda5366d83858414cb186bc4

SHA256
eb0fd44d67c3fb1be57fb0fd710c5100a065fe18e2f624855c9c8178815f7f69

SHA512
988684ca95f423b2412b9e57018ac46362537f4d75e46188608150ba368b247f1b458d3f733d0a8f5f436bd51668a99dd3ed28f1b40c4b9522b61a3ee354be13

Download Submit
C:\Windows\{BBDF49B1-85B8-45af-A69C-3B6AF9E45A74}.exe

Filesize
408KB

MD5
c2fc2125ddf5d3698ac6dee349a75cca

SHA1
8a1d95ce9776221e03c8f9e1284c01ac9f0c23e1

SHA256
01ca13011fb9c514587177fa96348a7b3178ab34e3ea26e71418a018c1bf88d8

SHA512
21cdcac357eb4e96054f82829aad49a18353efdaac1c71b0c6722fd76e33bd5a1068076b310f88ee5391ff65a20ebdd8541d46e2e88df8f65368239b9e39ace4

Download Submit
C:\Windows\{C17FB1DE-25D7-4b56-B727-061B84994325}.exe

Filesize
408KB

MD5
2c5a917e9d8cbbb419f1b4cab87653b7

SHA1
9230f111ddcb9abefc8dad1a70f4bfd57789bd1b

SHA256
09db6876c40f03af1c6d12b9398700518884027d9e140bd61d307ebf95b2269d

SHA512
9d3d6c5f208ece129f2ddc8690543636f1545a430674bb1cafdd4c613dd5a0b9203cb2cc7ebd127fc8946a7a9efbd1510deca47cdb6eb37bbcdde61c170d3a8d

Download Submit
C:\Windows\{C2B99E02-EC9A-41b2-BD58-95372BD39F42}.exe

Filesize
408KB

MD5
1200904c29f1f6474db1528778a22b6c

SHA1
4e951cdffacb01b4bd9cb2418ba6604600c8ef66

SHA256
cc840a3ec1ebecdc0e71bf8ad42fcd457de4fbaf07a9b5d1d812f9cf1a17d28f

SHA512
fd7754fb2f03501521738a1c59a72c792cb8abe2b7497a3a6358fdd0b120dfe52ff0292a7040341500fce194d9fb17b90021997394f7f5a08bdba6755f4e130c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads