070d374dc612ae39142b0ffbec71cb77eb9af31558a45d5a92dcaf239549e1d6

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f2e33de9b27977207a43d3c17121a88.exe
Size

216KB
MD5

5f2e33de9b27977207a43d3c17121a88
SHA1

39c25de78a88b212bad0cd26ed22f9b391dfb2ba
SHA256

070d374dc612ae39142b0ffbec71cb77eb9af31558a45d5a92dcaf239549e1d6
SHA512

4abf444aa098a46f49bbb4020735b11766c49154f4df47015014298f64f21604f3598a38686b1384bfa328c400aa7a862c66ffa13e72b0dca1c2d3e50c7516fd
SSDEEP

3072:jEGh0orl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG1lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75E081F8-2592-44cd-AC7C-C7269B1BE148}\stubpath = "C:\\Windows\\{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe"	5f2e33de9b27977207a43d3c17121a88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}\stubpath = "C:\\Windows\\{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe"	{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F475510-30DE-4504-9C97-A0B9ECD9E281}\stubpath = "C:\\Windows\\{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe"	{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7915258E-1ECB-495b-BE7F-8FA408BD67E5}\stubpath = "C:\\Windows\\{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe"	{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24A6F7C9-103E-44d9-BAB5-416DB858D466}	{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7216B696-DEAE-4e25-A164-603D5842F74F}\stubpath = "C:\\Windows\\{7216B696-DEAE-4e25-A164-603D5842F74F}.exe"	{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B875E5AA-6445-419b-9B6C-37609C5D134D}	{9470754A-5B80-47c4-87C9-FF4B84CDE7A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}	{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F475510-30DE-4504-9C97-A0B9ECD9E281}	{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}	{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}\stubpath = "C:\\Windows\\{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe"	{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24A6F7C9-103E-44d9-BAB5-416DB858D466}\stubpath = "C:\\Windows\\{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe"	{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC13BBE7-8958-4fc8-B553-1157101E10CA}\stubpath = "C:\\Windows\\{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe"	{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9470754A-5B80-47c4-87C9-FF4B84CDE7A2}\stubpath = "C:\\Windows\\{9470754A-5B80-47c4-87C9-FF4B84CDE7A2}.exe"	{7216B696-DEAE-4e25-A164-603D5842F74F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75E081F8-2592-44cd-AC7C-C7269B1BE148}	5f2e33de9b27977207a43d3c17121a88.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7915258E-1ECB-495b-BE7F-8FA408BD67E5}	{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC13BBE7-8958-4fc8-B553-1157101E10CA}	{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7216B696-DEAE-4e25-A164-603D5842F74F}	{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D334D09-0FBE-4a2f-908C-7B3500BBA1ED}\stubpath = "C:\\Windows\\{7D334D09-0FBE-4a2f-908C-7B3500BBA1ED}.exe"	{B875E5AA-6445-419b-9B6C-37609C5D134D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9470754A-5B80-47c4-87C9-FF4B84CDE7A2}	{7216B696-DEAE-4e25-A164-603D5842F74F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B875E5AA-6445-419b-9B6C-37609C5D134D}\stubpath = "C:\\Windows\\{B875E5AA-6445-419b-9B6C-37609C5D134D}.exe"	{9470754A-5B80-47c4-87C9-FF4B84CDE7A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D334D09-0FBE-4a2f-908C-7B3500BBA1ED}	{B875E5AA-6445-419b-9B6C-37609C5D134D}.exe

Deletes itself 1 IoCs

pid	Process
2976	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2136	{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe
3008	{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe
2492	{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe
2924	{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe
2812	{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe
2072	{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe
380	{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe
1980	{7216B696-DEAE-4e25-A164-603D5842F74F}.exe
2068	{9470754A-5B80-47c4-87C9-FF4B84CDE7A2}.exe
2844	{B875E5AA-6445-419b-9B6C-37609C5D134D}.exe
1172	{7D334D09-0FBE-4a2f-908C-7B3500BBA1ED}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe	{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe
File created	C:\Windows\{7D334D09-0FBE-4a2f-908C-7B3500BBA1ED}.exe	{B875E5AA-6445-419b-9B6C-37609C5D134D}.exe
File created	C:\Windows\{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe	5f2e33de9b27977207a43d3c17121a88.exe
File created	C:\Windows\{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe	{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe
File created	C:\Windows\{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe	{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe
File created	C:\Windows\{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe	{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe
File created	C:\Windows\{7216B696-DEAE-4e25-A164-603D5842F74F}.exe	{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe
File created	C:\Windows\{9470754A-5B80-47c4-87C9-FF4B84CDE7A2}.exe	{7216B696-DEAE-4e25-A164-603D5842F74F}.exe
File created	C:\Windows\{B875E5AA-6445-419b-9B6C-37609C5D134D}.exe	{9470754A-5B80-47c4-87C9-FF4B84CDE7A2}.exe
File created	C:\Windows\{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe	{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe
File created	C:\Windows\{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe	{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3000	5f2e33de9b27977207a43d3c17121a88.exe
Token: SeIncBasePriorityPrivilege	2136	{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe
Token: SeIncBasePriorityPrivilege	3008	{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe
Token: SeIncBasePriorityPrivilege	2492	{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe
Token: SeIncBasePriorityPrivilege	2924	{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe
Token: SeIncBasePriorityPrivilege	2812	{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe
Token: SeIncBasePriorityPrivilege	2072	{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe
Token: SeIncBasePriorityPrivilege	380	{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe
Token: SeIncBasePriorityPrivilege	1980	{7216B696-DEAE-4e25-A164-603D5842F74F}.exe
Token: SeIncBasePriorityPrivilege	2068	{9470754A-5B80-47c4-87C9-FF4B84CDE7A2}.exe
Token: SeIncBasePriorityPrivilege	2844	{B875E5AA-6445-419b-9B6C-37609C5D134D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2136	3000	5f2e33de9b27977207a43d3c17121a88.exe	28
PID 3000 wrote to memory of 2136	3000	5f2e33de9b27977207a43d3c17121a88.exe	28
PID 3000 wrote to memory of 2136	3000	5f2e33de9b27977207a43d3c17121a88.exe	28
PID 3000 wrote to memory of 2136	3000	5f2e33de9b27977207a43d3c17121a88.exe	28
PID 3000 wrote to memory of 2976	3000	5f2e33de9b27977207a43d3c17121a88.exe	29
PID 3000 wrote to memory of 2976	3000	5f2e33de9b27977207a43d3c17121a88.exe	29
PID 3000 wrote to memory of 2976	3000	5f2e33de9b27977207a43d3c17121a88.exe	29
PID 3000 wrote to memory of 2976	3000	5f2e33de9b27977207a43d3c17121a88.exe	29
PID 2136 wrote to memory of 3008	2136	{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe	30
PID 2136 wrote to memory of 3008	2136	{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe	30
PID 2136 wrote to memory of 3008	2136	{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe	30
PID 2136 wrote to memory of 3008	2136	{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe	30
PID 2136 wrote to memory of 2080	2136	{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe	31
PID 2136 wrote to memory of 2080	2136	{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe	31
PID 2136 wrote to memory of 2080	2136	{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe	31
PID 2136 wrote to memory of 2080	2136	{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe	31
PID 3008 wrote to memory of 2492	3008	{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe	32
PID 3008 wrote to memory of 2492	3008	{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe	32
PID 3008 wrote to memory of 2492	3008	{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe	32
PID 3008 wrote to memory of 2492	3008	{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe	32
PID 3008 wrote to memory of 2688	3008	{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe	33
PID 3008 wrote to memory of 2688	3008	{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe	33
PID 3008 wrote to memory of 2688	3008	{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe	33
PID 3008 wrote to memory of 2688	3008	{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe	33
PID 2492 wrote to memory of 2924	2492	{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe	36
PID 2492 wrote to memory of 2924	2492	{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe	36
PID 2492 wrote to memory of 2924	2492	{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe	36
PID 2492 wrote to memory of 2924	2492	{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe	36
PID 2492 wrote to memory of 1892	2492	{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe	37
PID 2492 wrote to memory of 1892	2492	{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe	37
PID 2492 wrote to memory of 1892	2492	{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe	37
PID 2492 wrote to memory of 1892	2492	{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe	37
PID 2924 wrote to memory of 2812	2924	{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe	38
PID 2924 wrote to memory of 2812	2924	{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe	38
PID 2924 wrote to memory of 2812	2924	{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe	38
PID 2924 wrote to memory of 2812	2924	{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe	38
PID 2924 wrote to memory of 2964	2924	{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe	39
PID 2924 wrote to memory of 2964	2924	{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe	39
PID 2924 wrote to memory of 2964	2924	{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe	39
PID 2924 wrote to memory of 2964	2924	{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe	39
PID 2812 wrote to memory of 2072	2812	{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe	40
PID 2812 wrote to memory of 2072	2812	{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe	40
PID 2812 wrote to memory of 2072	2812	{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe	40
PID 2812 wrote to memory of 2072	2812	{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe	40
PID 2812 wrote to memory of 1828	2812	{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe	41
PID 2812 wrote to memory of 1828	2812	{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe	41
PID 2812 wrote to memory of 1828	2812	{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe	41
PID 2812 wrote to memory of 1828	2812	{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe	41
PID 2072 wrote to memory of 380	2072	{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe	42
PID 2072 wrote to memory of 380	2072	{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe	42
PID 2072 wrote to memory of 380	2072	{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe	42
PID 2072 wrote to memory of 380	2072	{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe	42
PID 2072 wrote to memory of 1704	2072	{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe	43
PID 2072 wrote to memory of 1704	2072	{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe	43
PID 2072 wrote to memory of 1704	2072	{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe	43
PID 2072 wrote to memory of 1704	2072	{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe	43
PID 380 wrote to memory of 1980	380	{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe	44
PID 380 wrote to memory of 1980	380	{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe	44
PID 380 wrote to memory of 1980	380	{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe	44
PID 380 wrote to memory of 1980	380	{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe	44
PID 380 wrote to memory of 1652	380	{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe	45
PID 380 wrote to memory of 1652	380	{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe	45
PID 380 wrote to memory of 1652	380	{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe	45
PID 380 wrote to memory of 1652	380	{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe	45

C:\Users\Admin\AppData\Local\Temp\5f2e33de9b27977207a43d3c17121a88.exe
"C:\Users\Admin\AppData\Local\Temp\5f2e33de9b27977207a43d3c17121a88.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe
  C:\Windows\{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe
    C:\Windows\{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe
      C:\Windows\{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe
        
        C:\Windows\{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe
        
        C:\Windows\{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe
        
        C:\Windows\{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe
        
        C:\Windows\{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\{7216B696-DEAE-4e25-A164-603D5842F74F}.exe
        
        C:\Windows\{7216B696-DEAE-4e25-A164-603D5842F74F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\{9470754A-5B80-47c4-87C9-FF4B84CDE7A2}.exe
        
        C:\Windows\{9470754A-5B80-47c4-87C9-FF4B84CDE7A2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\{B875E5AA-6445-419b-9B6C-37609C5D134D}.exe
        
        C:\Windows\{B875E5AA-6445-419b-9B6C-37609C5D134D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\{7D334D09-0FBE-4a2f-908C-7B3500BBA1ED}.exe
        
        C:\Windows\{7D334D09-0FBE-4a2f-908C-7B3500BBA1ED}.exe
        12⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B875E~1.EXE > nul
        12⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94707~1.EXE > nul
        11⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7216B~1.EXE > nul
        10⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC13B~1.EXE > nul
        9⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24A6F~1.EXE > nul
        8⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79152~1.EXE > nul
        7⤵
        
        PID:1828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A79DF~1.EXE > nul
        6⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F475~1.EXE > nul
        5⤵
        
        PID:1892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{74D93~1.EXE > nul
      4⤵
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{75E08~1.EXE > nul
    3⤵
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5F2E33~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24A6F7C9-103E-44d9-BAB5-416DB858D466}.exe

Filesize
216KB

MD5
ca5348e603b908a5ec55e00585e6ae79

SHA1
52002c535a1a63ace2cc7c83766e34cd8dd52a15

SHA256
2ee0d280faf5e4b75f02cb5cdbca0e6d3a4aab0348e0e08bafaccb25ac637dc1

SHA512
66efd449dd0a956f07e44cd604a7e594352b9404bc0685d7d28e368196a6764097ce532d1c09a6808f202fe491f65616fb922e34d836d258113428d238f23ebc

Download Submit
C:\Windows\{3F475510-30DE-4504-9C97-A0B9ECD9E281}.exe

Filesize
216KB

MD5
3c30943b3e5ea103e16e226202203c60

SHA1
e7d485cd410cc6c7a4e27e6b01dcd61e22941001

SHA256
098e78375eecc281c66cacfdea2701c67c6cc58281d0fb69eed18eae5059fbe7

SHA512
77b2080272028eba916d7c2f555d39ce563237f8a8aa343fb811e8e92bfb91caabab0c5f44ea4e12c9257968541b9617bce184432574b12300e01ca95627834c

Download Submit
C:\Windows\{7216B696-DEAE-4e25-A164-603D5842F74F}.exe

Filesize
216KB

MD5
9652e181c5f0fd284d421a276c7a67c0

SHA1
4d7fcab196b9fe5e87c75747c5efaf06d29bbfc2

SHA256
6a202255c3ee321d7709323a873ee467eba413a568a8c3ca860f28c8c00e6c01

SHA512
36207d0ee8eb2f116ef6c70d199f9d5c79e24d87405a771d68d7e9ef19407a9a3a63847c0e9562becf2328befdb6013fda9282ab8d49ebb91b1e397e26488d10

Download Submit
C:\Windows\{74D93B1E-F292-4821-A79F-8F9F73EB2E4A}.exe

Filesize
216KB

MD5
2f596a228fa6ec390b33a1cfb52d7b1b

SHA1
780d79258112a23cb6d5032f7fee067d1fbe6261

SHA256
081941d523156db72d84a5cbfb72afc6ef006ae0cc8e8e35faea4dbd7db1a0f4

SHA512
e2681c2e8be87facc1542b743c925e1cb3c1db14958b6bb6ec43c440c693349b0ad64ee6ac86092783800f278cc865c955f0787e84a713d5f44f387e170d0ee4

Download Submit
C:\Windows\{75E081F8-2592-44cd-AC7C-C7269B1BE148}.exe

Filesize
216KB

MD5
71f42e92d2e54057491e0899ee531b77

SHA1
55164acfbea49705f0b80dbb9db8062160f1158d

SHA256
c137cefdb053cf546e2c671f8af01d5bd3260c71fc72c5b6bf4c6a11f94a4fb1

SHA512
bb02f52bd64708639b1173df9277d3bdfcd700e3c892c2abd93f669b3b321cf14d434d7db26bf875149401db8e64fd961fe57437e404c4ca154b0428169fea99

Download Submit
C:\Windows\{7915258E-1ECB-495b-BE7F-8FA408BD67E5}.exe

Filesize
216KB

MD5
e4ea67fd844d89c2a8837cff43913558

SHA1
0441595def262ec14b0bb47758cdaaee4ad3e754

SHA256
84dbbc884fad72c4970e348bbf54b7e40ef59bd024e8c8fead51538b6cd216c0

SHA512
95576001cfb21fc0d535fd1338b99a24a781975fab607748f8514eb658aee856229ecc7bb4d7bb08503ac24e804c34008784a2e2821acd8b928b28c19ff85522

Download Submit
C:\Windows\{7D334D09-0FBE-4a2f-908C-7B3500BBA1ED}.exe

Filesize
216KB

MD5
e37d6026641d5173cedf8bdd20b86240

SHA1
a968e62f91707e21c579e591e2c88332564e2050

SHA256
9a2bce3a3c810625ccdfe21f2bfba93238f0e859abebfae6c0389664e3c1c4b1

SHA512
c1c2fe455ebf367322222eb0680ec89e90167645d4d5474633fb03c677ef444e3c0b46f2e9930170d8114b82e40ca8e87d0940e3ff6f3b3a5bb24a9d03329600

Download Submit
C:\Windows\{9470754A-5B80-47c4-87C9-FF4B84CDE7A2}.exe

Filesize
216KB

MD5
02c2e08f2982f4329e8f745766103822

SHA1
650ab622af682d71a3c2361255ac3ac64d7f43af

SHA256
69587a521a69a8bb0df2d64976911e193d779702804c5e177c4ef1981ce7939a

SHA512
b6f2b984e11b452beff168afd8ecf2c03d3fc3faf3baefb1ed5503feac285ace7a8cc75586d1aa2f6dc007d2ae61b52ed77a3f5d72d1a0f254133a7ffff62f1b

Download Submit
C:\Windows\{A79DF63D-EF6D-4e12-8091-B2F223A1ABAD}.exe

Filesize
216KB

MD5
5f732321d11039c45efd65618e1206a0

SHA1
e9458734f50a045d2e4a719a1ac7c06227c5d68e

SHA256
f967e99d97f3bc6bee8a32aee6172fa2353d291c613749087d3ac36b374179c3

SHA512
5492848829708a4fc0cd8098adf3ebbf6ab86834ec65deb003791f75ccccdd38db954809b53303f1fcd3976378385cea8ee89508389677f609819401b15bcd27

Download Submit
C:\Windows\{B875E5AA-6445-419b-9B6C-37609C5D134D}.exe

Filesize
216KB

MD5
59ec0ef32f031a4c73e55f4f82f9f487

SHA1
c8004697fd7d3d3bbd9281e632995bb5d63419ee

SHA256
af09b79165119c346038f4625efebb95647b5baa7d246ddef89aa15b1b0b6b9c

SHA512
7e5b825e6c83efc770a878a48e0a18f45b35942b262fce8995599ee94ce02bf6560bb47c2b320b30b66b8d95ae02a8300ec46372b152695a0078f7dafd364221

Download Submit
C:\Windows\{DC13BBE7-8958-4fc8-B553-1157101E10CA}.exe

Filesize
216KB

MD5
1326bc791a5fe8978b0302f6cb248669

SHA1
f8b6414e2540bdf321a2f2fcd88abbf27c235bd1

SHA256
699a24af143bad26fa6ebf4558c64027a40ff2d78024e28c6f8f2395a108eb6e

SHA512
370dfe702a3981182601283ce662b9253276f2301b5472a703a5cce81a888ba88bc8985bfea6976a796616b21230e2a725462ee623e961cbcb4058e00076785f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads