08c0453d2b3b72fb7829e49c0bda6cbaf1162ee660726f9fa025b9e1890472a1

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab9ec91c7f0c99c88faee658b48335b0.exe
Size

168KB
MD5

ab9ec91c7f0c99c88faee658b48335b0
SHA1

851e8247bac5cade929a850bd311e0a91e057638
SHA256

08c0453d2b3b72fb7829e49c0bda6cbaf1162ee660726f9fa025b9e1890472a1
SHA512

1ee87a62158349b6a8eb0550e6912503b56652c0135b2b7a874b683020ffcbc0908cb001bc5bc4298442feb86b5ab08585244b0cc4f98104a7e7020deb9c5194
SSDEEP

1536:1EGh0ozlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ozlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{937DBB89-259A-4711-A7FC-388B9093ACA3}\stubpath = "C:\\Windows\\{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe"	{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29E793D7-5B84-4b0a-A5A9-E90076A502A8}	{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DFB5282-F44D-40f7-B981-A4CFF03F8935}	{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}\stubpath = "C:\\Windows\\{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe"	ab9ec91c7f0c99c88faee658b48335b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}	{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}	{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}\stubpath = "C:\\Windows\\{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe"	{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DFB5282-F44D-40f7-B981-A4CFF03F8935}\stubpath = "C:\\Windows\\{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe"	{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F3B0906-5E06-4a09-98EF-AF6712837228}	{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A689C800-2797-405e-8A32-DBD2061A3913}	{2F3B0906-5E06-4a09-98EF-AF6712837228}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A689C800-2797-405e-8A32-DBD2061A3913}\stubpath = "C:\\Windows\\{A689C800-2797-405e-8A32-DBD2061A3913}.exe"	{2F3B0906-5E06-4a09-98EF-AF6712837228}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}	ab9ec91c7f0c99c88faee658b48335b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}\stubpath = "C:\\Windows\\{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe"	{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEB2C506-9E9C-48f6-8F14-4995592DF9F3}\stubpath = "C:\\Windows\\{DEB2C506-9E9C-48f6-8F14-4995592DF9F3}.exe"	{A689C800-2797-405e-8A32-DBD2061A3913}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{436B4C42-C12E-4164-9CB6-C748C5DAE591}\stubpath = "C:\\Windows\\{436B4C42-C12E-4164-9CB6-C748C5DAE591}.exe"	{DEB2C506-9E9C-48f6-8F14-4995592DF9F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9930AAD8-B801-4476-B48D-D5C86B0E1505}\stubpath = "C:\\Windows\\{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe"	{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29E793D7-5B84-4b0a-A5A9-E90076A502A8}\stubpath = "C:\\Windows\\{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe"	{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F3B0906-5E06-4a09-98EF-AF6712837228}\stubpath = "C:\\Windows\\{2F3B0906-5E06-4a09-98EF-AF6712837228}.exe"	{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEB2C506-9E9C-48f6-8F14-4995592DF9F3}	{A689C800-2797-405e-8A32-DBD2061A3913}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{937DBB89-259A-4711-A7FC-388B9093ACA3}	{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9930AAD8-B801-4476-B48D-D5C86B0E1505}	{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{436B4C42-C12E-4164-9CB6-C748C5DAE591}	{DEB2C506-9E9C-48f6-8F14-4995592DF9F3}.exe

Deletes itself 1 IoCs

pid	Process
772	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3016	{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe
2584	{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe
2052	{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe
2532	{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe
1696	{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe
2696	{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe
2760	{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe
2828	{2F3B0906-5E06-4a09-98EF-AF6712837228}.exe
2296	{A689C800-2797-405e-8A32-DBD2061A3913}.exe
2424	{DEB2C506-9E9C-48f6-8F14-4995592DF9F3}.exe
548	{436B4C42-C12E-4164-9CB6-C748C5DAE591}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A689C800-2797-405e-8A32-DBD2061A3913}.exe	{2F3B0906-5E06-4a09-98EF-AF6712837228}.exe
File created	C:\Windows\{436B4C42-C12E-4164-9CB6-C748C5DAE591}.exe	{DEB2C506-9E9C-48f6-8F14-4995592DF9F3}.exe
File created	C:\Windows\{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe	ab9ec91c7f0c99c88faee658b48335b0.exe
File created	C:\Windows\{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe	{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe
File created	C:\Windows\{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe	{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe
File created	C:\Windows\{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe	{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe
File created	C:\Windows\{DEB2C506-9E9C-48f6-8F14-4995592DF9F3}.exe	{A689C800-2797-405e-8A32-DBD2061A3913}.exe
File created	C:\Windows\{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe	{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe
File created	C:\Windows\{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe	{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe
File created	C:\Windows\{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe	{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe
File created	C:\Windows\{2F3B0906-5E06-4a09-98EF-AF6712837228}.exe	{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2360	ab9ec91c7f0c99c88faee658b48335b0.exe
Token: SeIncBasePriorityPrivilege	3016	{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe
Token: SeIncBasePriorityPrivilege	2584	{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe
Token: SeIncBasePriorityPrivilege	2052	{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe
Token: SeIncBasePriorityPrivilege	2532	{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe
Token: SeIncBasePriorityPrivilege	1696	{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe
Token: SeIncBasePriorityPrivilege	2696	{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe
Token: SeIncBasePriorityPrivilege	2760	{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe
Token: SeIncBasePriorityPrivilege	2828	{2F3B0906-5E06-4a09-98EF-AF6712837228}.exe
Token: SeIncBasePriorityPrivilege	2296	{A689C800-2797-405e-8A32-DBD2061A3913}.exe
Token: SeIncBasePriorityPrivilege	2424	{DEB2C506-9E9C-48f6-8F14-4995592DF9F3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3016	2360	ab9ec91c7f0c99c88faee658b48335b0.exe	28
PID 2360 wrote to memory of 3016	2360	ab9ec91c7f0c99c88faee658b48335b0.exe	28
PID 2360 wrote to memory of 3016	2360	ab9ec91c7f0c99c88faee658b48335b0.exe	28
PID 2360 wrote to memory of 3016	2360	ab9ec91c7f0c99c88faee658b48335b0.exe	28
PID 2360 wrote to memory of 772	2360	ab9ec91c7f0c99c88faee658b48335b0.exe	29
PID 2360 wrote to memory of 772	2360	ab9ec91c7f0c99c88faee658b48335b0.exe	29
PID 2360 wrote to memory of 772	2360	ab9ec91c7f0c99c88faee658b48335b0.exe	29
PID 2360 wrote to memory of 772	2360	ab9ec91c7f0c99c88faee658b48335b0.exe	29
PID 3016 wrote to memory of 2584	3016	{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe	30
PID 3016 wrote to memory of 2584	3016	{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe	30
PID 3016 wrote to memory of 2584	3016	{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe	30
PID 3016 wrote to memory of 2584	3016	{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe	30
PID 3016 wrote to memory of 2660	3016	{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe	31
PID 3016 wrote to memory of 2660	3016	{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe	31
PID 3016 wrote to memory of 2660	3016	{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe	31
PID 3016 wrote to memory of 2660	3016	{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe	31
PID 2584 wrote to memory of 2052	2584	{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe	32
PID 2584 wrote to memory of 2052	2584	{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe	32
PID 2584 wrote to memory of 2052	2584	{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe	32
PID 2584 wrote to memory of 2052	2584	{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe	32
PID 2584 wrote to memory of 2940	2584	{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe	33
PID 2584 wrote to memory of 2940	2584	{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe	33
PID 2584 wrote to memory of 2940	2584	{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe	33
PID 2584 wrote to memory of 2940	2584	{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe	33
PID 2052 wrote to memory of 2532	2052	{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe	36
PID 2052 wrote to memory of 2532	2052	{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe	36
PID 2052 wrote to memory of 2532	2052	{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe	36
PID 2052 wrote to memory of 2532	2052	{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe	36
PID 2052 wrote to memory of 2900	2052	{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe	37
PID 2052 wrote to memory of 2900	2052	{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe	37
PID 2052 wrote to memory of 2900	2052	{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe	37
PID 2052 wrote to memory of 2900	2052	{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe	37
PID 2532 wrote to memory of 1696	2532	{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe	38
PID 2532 wrote to memory of 1696	2532	{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe	38
PID 2532 wrote to memory of 1696	2532	{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe	38
PID 2532 wrote to memory of 1696	2532	{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe	38
PID 2532 wrote to memory of 2632	2532	{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe	39
PID 2532 wrote to memory of 2632	2532	{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe	39
PID 2532 wrote to memory of 2632	2532	{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe	39
PID 2532 wrote to memory of 2632	2532	{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe	39
PID 1696 wrote to memory of 2696	1696	{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe	40
PID 1696 wrote to memory of 2696	1696	{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe	40
PID 1696 wrote to memory of 2696	1696	{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe	40
PID 1696 wrote to memory of 2696	1696	{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe	40
PID 1696 wrote to memory of 2824	1696	{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe	41
PID 1696 wrote to memory of 2824	1696	{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe	41
PID 1696 wrote to memory of 2824	1696	{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe	41
PID 1696 wrote to memory of 2824	1696	{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe	41
PID 2696 wrote to memory of 2760	2696	{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe	42
PID 2696 wrote to memory of 2760	2696	{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe	42
PID 2696 wrote to memory of 2760	2696	{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe	42
PID 2696 wrote to memory of 2760	2696	{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe	42
PID 2696 wrote to memory of 2864	2696	{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe	43
PID 2696 wrote to memory of 2864	2696	{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe	43
PID 2696 wrote to memory of 2864	2696	{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe	43
PID 2696 wrote to memory of 2864	2696	{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe	43
PID 2760 wrote to memory of 2828	2760	{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe	44
PID 2760 wrote to memory of 2828	2760	{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe	44
PID 2760 wrote to memory of 2828	2760	{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe	44
PID 2760 wrote to memory of 2828	2760	{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe	44
PID 2760 wrote to memory of 2820	2760	{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe	45
PID 2760 wrote to memory of 2820	2760	{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe	45
PID 2760 wrote to memory of 2820	2760	{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe	45
PID 2760 wrote to memory of 2820	2760	{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe	45

C:\Users\Admin\AppData\Local\Temp\ab9ec91c7f0c99c88faee658b48335b0.exe
"C:\Users\Admin\AppData\Local\Temp\ab9ec91c7f0c99c88faee658b48335b0.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe
  C:\Windows\{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe
    C:\Windows\{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe
      C:\Windows\{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe
        
        C:\Windows\{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe
        
        C:\Windows\{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe
        
        C:\Windows\{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe
        
        C:\Windows\{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{2F3B0906-5E06-4a09-98EF-AF6712837228}.exe
        
        C:\Windows\{2F3B0906-5E06-4a09-98EF-AF6712837228}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\{A689C800-2797-405e-8A32-DBD2061A3913}.exe
        
        C:\Windows\{A689C800-2797-405e-8A32-DBD2061A3913}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\{DEB2C506-9E9C-48f6-8F14-4995592DF9F3}.exe
        
        C:\Windows\{DEB2C506-9E9C-48f6-8F14-4995592DF9F3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\{436B4C42-C12E-4164-9CB6-C748C5DAE591}.exe
        
        C:\Windows\{436B4C42-C12E-4164-9CB6-C748C5DAE591}.exe
        12⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEB2C~1.EXE > nul
        12⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A689C~1.EXE > nul
        11⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F3B0~1.EXE > nul
        10⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DFB5~1.EXE > nul
        9⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29E79~1.EXE > nul
        8⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9930A~1.EXE > nul
        7⤵
        
        PID:2824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C8DA~1.EXE > nul
        6⤵
        
        PID:2632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{937DB~1.EXE > nul
        5⤵
        
        PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3CE1~1.EXE > nul
      4⤵
      PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C5DCD~1.EXE > nul
    3⤵
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AB9EC9~1.EXE > nul
  2⤵
  - Deletes itself
  PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{29E793D7-5B84-4b0a-A5A9-E90076A502A8}.exe

Filesize
168KB

MD5
85c936ce656acc98b9a7b332a6c604ac

SHA1
8594698f61b1f7341a0f8e6909ff68f3fd8fe208

SHA256
edba737fc68096475cd915be3c291e350c3e665cd94902ffdf64b7915689f91e

SHA512
5f037d3ca5663ad9907553613f18982f82e312e8a03bff6f6bba6ed2fcb065188bde4f4c4e65af62810b094cb33a3dd8c9ca17069df171ce07cda9427203e1a1

Download Submit
C:\Windows\{2F3B0906-5E06-4a09-98EF-AF6712837228}.exe

Filesize
168KB

MD5
6c12cfa443cb03f9ff02cf21cb2672ec

SHA1
d5dc5e4719c7f711b5de4d2b6e618e14ca632425

SHA256
cbf732edfcf1c24a432a2ad597280715498652b2b601d11e64d3dc7c76a27531

SHA512
3ebd35ebd426d4c864796affc66119a99d79cdc27b44fa4d83cc3cdaf60bda2fce95f994924c6104153eaa07ceea5d113ea8d9239792fb69b656102dea8ed8aa

Download Submit
C:\Windows\{436B4C42-C12E-4164-9CB6-C748C5DAE591}.exe

Filesize
168KB

MD5
c961c90a6b2f4648453a1d13062f91c4

SHA1
29c5a46332f250be0a1bbbb459fc6ec8e7a02946

SHA256
c4d9545a059be5cfeca5497776527603e0ae1e15c6ad2e9a1f2cb05162f3354c

SHA512
183653ec82935553c3500c82acdde29cd1a19ec4c4ba6727004b08ce58a2d185cf8a00f1dd0ee33aa2d0543ebcaf828ed7a3bd383a230c2ff01a8aea4a3079be

Download Submit
C:\Windows\{4DFB5282-F44D-40f7-B981-A4CFF03F8935}.exe

Filesize
168KB

MD5
725bb995300d7d370bb258412d5149d1

SHA1
f97482487e1461a789de1ee70d1466b976647017

SHA256
82e54329be3b276e6b2dea6674dc0d91f9c9443b46a0c8d036d7d65d056111aa

SHA512
96f333fa268f665750ad64ce348ba583efa96d3f946fa9ee69469f4fc62468614436f1365972844341b4b7c145a9edecf0b255d8cdc1e8590cfdc577abaf9be4

Download Submit
C:\Windows\{6C8DA804-0DA3-4bdb-BE90-3BAFF46580C6}.exe

Filesize
168KB

MD5
0740901b31aa077f86296162c2d20e92

SHA1
8035cadec97a18410f87d5c8082c32a66e5644a9

SHA256
ac5475d860becb4d2fb02b6f7dd07d70dc09d405ab395c2a11a5bbb37246a304

SHA512
39f18790b7d4c6a1a6c4e6c58743786c4fb5416d9c4fd16afbb804357184ae5457c43a688ee717ac1ff24c6808eef23e41bf69ddebad2bbe7bd7e662c8c05f21

Download Submit
C:\Windows\{937DBB89-259A-4711-A7FC-388B9093ACA3}.exe

Filesize
168KB

MD5
f26afc3715562f398810343dfef8c251

SHA1
59f405a2148f7df066db8d7d4e16c32553ce0605

SHA256
66f98b50383b7802ca83624ff68bff9166da881b0d31441458ba1df92ab0d513

SHA512
3fb108a8e2776a45ea1157d089ad7da1f0cfc6f23ab6c13d2b9a8f17bbc08ab39e23de9292d9c2b13946968a9320d5ae72dc008bdddac2f533286c9f7d790548

Download Submit
C:\Windows\{9930AAD8-B801-4476-B48D-D5C86B0E1505}.exe

Filesize
168KB

MD5
10f9f0cd131c9c0b88435a247ede8b45

SHA1
c64d099d626596e21998650bd03a29d40c341faf

SHA256
4b7d9b048dff8805fe9984788c96e81891f28695d0c85bcce0891776d7e26b45

SHA512
9e5084389fcd96f698662944d8daf94717f4d7c5c48e73637e17ed6e78ef796c690db0097c84a14eb71e79108a70c0a5b527cda27bc4dc1a2c831bb0fef65f07

Download Submit
C:\Windows\{A689C800-2797-405e-8A32-DBD2061A3913}.exe

Filesize
168KB

MD5
2d42380e1faac6e810027a78f2859b77

SHA1
3589a34e88d02ddaa3e13b8c7be446f48cc4b3d6

SHA256
d379f86c78120d23921f8e98aaae11ebce321834288f1eb86440a2d4abdec75e

SHA512
818fec35c55c8ce9bfd2f0d558ee791af736e336b0f67f271afcc987f6bf31736b3ab9302ba7d784528e884ff829870c2317a3051caf2115971a7d976fe7216f

Download Submit
C:\Windows\{B3CE15DC-670D-4612-8FA9-DD2EFCC2F5C2}.exe

Filesize
168KB

MD5
07b29b711d536fda96da5a20451dc28f

SHA1
0cca3753b460e85b1c550ff2f34b4837ef9a84c9

SHA256
d0b942c25220944a87e50d0ac5a4c47d436e10edb59b79dad2ba0ef5c6ca06ee

SHA512
4493d493a5aad1fab367d358b1c12059d7cf434a3dce5946fadcb883c4efa2259eab80729085a11393f12fce88c3401a03dec631e69a02d69e91350ad2bdaca4

Download Submit
C:\Windows\{C5DCDC40-53F0-4d70-B72D-CECD209EF4B0}.exe

Filesize
168KB

MD5
c2a31eea31e64ac762117a62d83273c6

SHA1
ed5e23a840fcb99a1b6ea9a6f32f7a9e9bbeaaf6

SHA256
0ed14593cf53456bd101e46c2058c10263006d4f9b3e03364fbbd3d1d62cce4d

SHA512
198205bd013f3c353841cea33ef0ef77bcfd41cf73a90f0c2984f71d42a161a4f305a1d6bab0f3a969ae1463540dee511e9fb5bde56ee024fd4d18e35c50bf71

Download Submit
C:\Windows\{DEB2C506-9E9C-48f6-8F14-4995592DF9F3}.exe

Filesize
168KB

MD5
9dd09ba8b825567563df132d7a253129

SHA1
d17b690ef922a8174c8a1754387594979767ff99

SHA256
b8bee52e54ad1f6ebbb0ea144048fb9f64f810e22578abcff97cc3e586d5b231

SHA512
122e2e5c3a3f961bd40c6186c7ee5e5a1022032d0ba41f441927e471f0a485b882d3fc940b8b2314fd45db95b0688de74776f2eb4f78a869398118e99de16b33

Download Submit
C:\Windows\{DEB2C506-9E9C-48f6-8F14-4995592DF9F3}.exe

Filesize
116KB

MD5
861091aee1e107e0e17af60cfd9994b9

SHA1
00f65bc1ebed4eba3d4a47ce74b5830ec5fb3d4c

SHA256
825b96912486002eb67c10ec2290d75eeb28f69d8c2f39679c39a804ca5fd765

SHA512
551a7a79a36cf490976490530346287da58233ea26b6ec559a1486abfcddf025bce7dd690704ebbf995163dbf002e23d8136da02954c838eadad38f8d0b96cbe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads