8590912434e967afada07145f94319edb84ddf8f48cb4f6886d9df009f92af23

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4955ad722700c34de17403ee5788f3b4.exe
Size

180KB
MD5

4955ad722700c34de17403ee5788f3b4
SHA1

705179516692b5f88835a8a55bde01c2eeb9dfc7
SHA256

8590912434e967afada07145f94319edb84ddf8f48cb4f6886d9df009f92af23
SHA512

7209c8dba2074693ef59735bead08bcaa13319cf6989b435c3525e0910e9ae91a30841c561611184d11c3aac441726e0a303b6a7a2c62dca954b51c4296630b5
SSDEEP

3072:jEGh0oWlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGcl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}\stubpath = "C:\\Windows\\{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe"	{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71425390-823F-4867-A871-778A9D5EDFA5}	{DC2CA125-0365-4d28-A8F9-CCC3A977AD59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B10DA2F-D40E-461b-B1DB-A44AFED3776B}\stubpath = "C:\\Windows\\{5B10DA2F-D40E-461b-B1DB-A44AFED3776B}.exe"	{71425390-823F-4867-A871-778A9D5EDFA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}	{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}\stubpath = "C:\\Windows\\{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe"	{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D617EA04-5D97-40ec-A522-A22AF0A6A74B}	{CC81CB22-6199-4c2f-860E-96659907A212}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC2CA125-0365-4d28-A8F9-CCC3A977AD59}	{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC2CA125-0365-4d28-A8F9-CCC3A977AD59}\stubpath = "C:\\Windows\\{DC2CA125-0365-4d28-A8F9-CCC3A977AD59}.exe"	{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FCB5B39-F738-4d81-B981-5B0D878A8C55}	{5B10DA2F-D40E-461b-B1DB-A44AFED3776B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FCB5B39-F738-4d81-B981-5B0D878A8C55}\stubpath = "C:\\Windows\\{7FCB5B39-F738-4d81-B981-5B0D878A8C55}.exe"	{5B10DA2F-D40E-461b-B1DB-A44AFED3776B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8F71EE3-9C52-42e2-83C2-239D228E15DB}	4955ad722700c34de17403ee5788f3b4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC81CB22-6199-4c2f-860E-96659907A212}	{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC81CB22-6199-4c2f-860E-96659907A212}\stubpath = "C:\\Windows\\{CC81CB22-6199-4c2f-860E-96659907A212}.exe"	{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27DE254B-2E4F-4bd6-A066-08FB310D6388}	{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}	{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B10DA2F-D40E-461b-B1DB-A44AFED3776B}	{71425390-823F-4867-A871-778A9D5EDFA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8F71EE3-9C52-42e2-83C2-239D228E15DB}\stubpath = "C:\\Windows\\{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe"	4955ad722700c34de17403ee5788f3b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D617EA04-5D97-40ec-A522-A22AF0A6A74B}\stubpath = "C:\\Windows\\{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe"	{CC81CB22-6199-4c2f-860E-96659907A212}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27DE254B-2E4F-4bd6-A066-08FB310D6388}\stubpath = "C:\\Windows\\{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe"	{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8870651C-DE36-435c-86FC-EC36B64DF9B9}	{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8870651C-DE36-435c-86FC-EC36B64DF9B9}\stubpath = "C:\\Windows\\{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe"	{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71425390-823F-4867-A871-778A9D5EDFA5}\stubpath = "C:\\Windows\\{71425390-823F-4867-A871-778A9D5EDFA5}.exe"	{DC2CA125-0365-4d28-A8F9-CCC3A977AD59}.exe

Deletes itself 1 IoCs

pid	Process
2520	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2684	{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe
2544	{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe
2392	{CC81CB22-6199-4c2f-860E-96659907A212}.exe
2188	{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe
1052	{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe
1840	{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe
2304	{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe
944	{DC2CA125-0365-4d28-A8F9-CCC3A977AD59}.exe
952	{71425390-823F-4867-A871-778A9D5EDFA5}.exe
2428	{5B10DA2F-D40E-461b-B1DB-A44AFED3776B}.exe
2120	{7FCB5B39-F738-4d81-B981-5B0D878A8C55}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DC2CA125-0365-4d28-A8F9-CCC3A977AD59}.exe	{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe
File created	C:\Windows\{71425390-823F-4867-A871-778A9D5EDFA5}.exe	{DC2CA125-0365-4d28-A8F9-CCC3A977AD59}.exe
File created	C:\Windows\{7FCB5B39-F738-4d81-B981-5B0D878A8C55}.exe	{5B10DA2F-D40E-461b-B1DB-A44AFED3776B}.exe
File created	C:\Windows\{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe	4955ad722700c34de17403ee5788f3b4.exe
File created	C:\Windows\{CC81CB22-6199-4c2f-860E-96659907A212}.exe	{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe
File created	C:\Windows\{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe	{CC81CB22-6199-4c2f-860E-96659907A212}.exe
File created	C:\Windows\{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe	{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe
File created	C:\Windows\{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe	{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe
File created	C:\Windows\{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe	{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe
File created	C:\Windows\{5B10DA2F-D40E-461b-B1DB-A44AFED3776B}.exe	{71425390-823F-4867-A871-778A9D5EDFA5}.exe
File created	C:\Windows\{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe	{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2036	4955ad722700c34de17403ee5788f3b4.exe
Token: SeIncBasePriorityPrivilege	2684	{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe
Token: SeIncBasePriorityPrivilege	2544	{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe
Token: SeIncBasePriorityPrivilege	2392	{CC81CB22-6199-4c2f-860E-96659907A212}.exe
Token: SeIncBasePriorityPrivilege	2188	{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe
Token: SeIncBasePriorityPrivilege	1052	{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe
Token: SeIncBasePriorityPrivilege	1840	{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe
Token: SeIncBasePriorityPrivilege	2304	{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe
Token: SeIncBasePriorityPrivilege	944	{DC2CA125-0365-4d28-A8F9-CCC3A977AD59}.exe
Token: SeIncBasePriorityPrivilege	952	{71425390-823F-4867-A871-778A9D5EDFA5}.exe
Token: SeIncBasePriorityPrivilege	2428	{5B10DA2F-D40E-461b-B1DB-A44AFED3776B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2684	2036	4955ad722700c34de17403ee5788f3b4.exe	28
PID 2036 wrote to memory of 2684	2036	4955ad722700c34de17403ee5788f3b4.exe	28
PID 2036 wrote to memory of 2684	2036	4955ad722700c34de17403ee5788f3b4.exe	28
PID 2036 wrote to memory of 2684	2036	4955ad722700c34de17403ee5788f3b4.exe	28
PID 2036 wrote to memory of 2520	2036	4955ad722700c34de17403ee5788f3b4.exe	29
PID 2036 wrote to memory of 2520	2036	4955ad722700c34de17403ee5788f3b4.exe	29
PID 2036 wrote to memory of 2520	2036	4955ad722700c34de17403ee5788f3b4.exe	29
PID 2036 wrote to memory of 2520	2036	4955ad722700c34de17403ee5788f3b4.exe	29
PID 2684 wrote to memory of 2544	2684	{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe	30
PID 2684 wrote to memory of 2544	2684	{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe	30
PID 2684 wrote to memory of 2544	2684	{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe	30
PID 2684 wrote to memory of 2544	2684	{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe	30
PID 2684 wrote to memory of 2528	2684	{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe	31
PID 2684 wrote to memory of 2528	2684	{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe	31
PID 2684 wrote to memory of 2528	2684	{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe	31
PID 2684 wrote to memory of 2528	2684	{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe	31
PID 2544 wrote to memory of 2392	2544	{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe	34
PID 2544 wrote to memory of 2392	2544	{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe	34
PID 2544 wrote to memory of 2392	2544	{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe	34
PID 2544 wrote to memory of 2392	2544	{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe	34
PID 2544 wrote to memory of 2348	2544	{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe	35
PID 2544 wrote to memory of 2348	2544	{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe	35
PID 2544 wrote to memory of 2348	2544	{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe	35
PID 2544 wrote to memory of 2348	2544	{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe	35
PID 2392 wrote to memory of 2188	2392	{CC81CB22-6199-4c2f-860E-96659907A212}.exe	36
PID 2392 wrote to memory of 2188	2392	{CC81CB22-6199-4c2f-860E-96659907A212}.exe	36
PID 2392 wrote to memory of 2188	2392	{CC81CB22-6199-4c2f-860E-96659907A212}.exe	36
PID 2392 wrote to memory of 2188	2392	{CC81CB22-6199-4c2f-860E-96659907A212}.exe	36
PID 2392 wrote to memory of 2784	2392	{CC81CB22-6199-4c2f-860E-96659907A212}.exe	37
PID 2392 wrote to memory of 2784	2392	{CC81CB22-6199-4c2f-860E-96659907A212}.exe	37
PID 2392 wrote to memory of 2784	2392	{CC81CB22-6199-4c2f-860E-96659907A212}.exe	37
PID 2392 wrote to memory of 2784	2392	{CC81CB22-6199-4c2f-860E-96659907A212}.exe	37
PID 2188 wrote to memory of 1052	2188	{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe	38
PID 2188 wrote to memory of 1052	2188	{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe	38
PID 2188 wrote to memory of 1052	2188	{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe	38
PID 2188 wrote to memory of 1052	2188	{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe	38
PID 2188 wrote to memory of 1320	2188	{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe	39
PID 2188 wrote to memory of 1320	2188	{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe	39
PID 2188 wrote to memory of 1320	2188	{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe	39
PID 2188 wrote to memory of 1320	2188	{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe	39
PID 1052 wrote to memory of 1840	1052	{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe	40
PID 1052 wrote to memory of 1840	1052	{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe	40
PID 1052 wrote to memory of 1840	1052	{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe	40
PID 1052 wrote to memory of 1840	1052	{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe	40
PID 1052 wrote to memory of 1912	1052	{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe	41
PID 1052 wrote to memory of 1912	1052	{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe	41
PID 1052 wrote to memory of 1912	1052	{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe	41
PID 1052 wrote to memory of 1912	1052	{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe	41
PID 1840 wrote to memory of 2304	1840	{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe	42
PID 1840 wrote to memory of 2304	1840	{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe	42
PID 1840 wrote to memory of 2304	1840	{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe	42
PID 1840 wrote to memory of 2304	1840	{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe	42
PID 1840 wrote to memory of 1832	1840	{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe	43
PID 1840 wrote to memory of 1832	1840	{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe	43
PID 1840 wrote to memory of 1832	1840	{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe	43
PID 1840 wrote to memory of 1832	1840	{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe	43
PID 2304 wrote to memory of 944	2304	{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe	44
PID 2304 wrote to memory of 944	2304	{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe	44
PID 2304 wrote to memory of 944	2304	{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe	44
PID 2304 wrote to memory of 944	2304	{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe	44
PID 2304 wrote to memory of 1188	2304	{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe	45
PID 2304 wrote to memory of 1188	2304	{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe	45
PID 2304 wrote to memory of 1188	2304	{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe	45
PID 2304 wrote to memory of 1188	2304	{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe	45

C:\Users\Admin\AppData\Local\Temp\4955ad722700c34de17403ee5788f3b4.exe
"C:\Users\Admin\AppData\Local\Temp\4955ad722700c34de17403ee5788f3b4.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe
  C:\Windows\{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe
    C:\Windows\{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\{CC81CB22-6199-4c2f-860E-96659907A212}.exe
      C:\Windows\{CC81CB22-6199-4c2f-860E-96659907A212}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe
        
        C:\Windows\{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe
        
        C:\Windows\{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe
        
        C:\Windows\{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe
        
        C:\Windows\{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\{DC2CA125-0365-4d28-A8F9-CCC3A977AD59}.exe
        
        C:\Windows\{DC2CA125-0365-4d28-A8F9-CCC3A977AD59}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\{71425390-823F-4867-A871-778A9D5EDFA5}.exe
        
        C:\Windows\{71425390-823F-4867-A871-778A9D5EDFA5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\{5B10DA2F-D40E-461b-B1DB-A44AFED3776B}.exe
        
        C:\Windows\{5B10DA2F-D40E-461b-B1DB-A44AFED3776B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\{7FCB5B39-F738-4d81-B981-5B0D878A8C55}.exe
        
        C:\Windows\{7FCB5B39-F738-4d81-B981-5B0D878A8C55}.exe
        12⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B10D~1.EXE > nul
        12⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71425~1.EXE > nul
        11⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC2CA~1.EXE > nul
        10⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AFF4~1.EXE > nul
        9⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88706~1.EXE > nul
        8⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27DE2~1.EXE > nul
        7⤵
        
        PID:1912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D617E~1.EXE > nul
        6⤵
        
        PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC81C~1.EXE > nul
        5⤵
        
        PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3EA4C~1.EXE > nul
      4⤵
      PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C8F71~1.EXE > nul
    3⤵
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4955AD~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{27DE254B-2E4F-4bd6-A066-08FB310D6388}.exe

Filesize
180KB

MD5
e8b5a767f99aaf3a8e87c336ce5f0aa0

SHA1
0e4748809d482b1daaafa5cb51152d9f32115d71

SHA256
17aa54616a90b0432f5fa33841c4dc6b1c39cafc29c4a1e04090a59b80a27f49

SHA512
fbcad2879518295c713cf7d77f06fb4006384201ef95d8aea8420e2f442f93b8abd4f4404c002c84c620bd6dd8077a9c4ea36918a1af3b4c9f1c45dec6e036cb

Download Submit
C:\Windows\{2AFF4D4D-5E6C-4075-B2A7-0707A94953C6}.exe

Filesize
180KB

MD5
afcbdc82aec5534ca2006af1c55e2a15

SHA1
2ecc7bf2eb5210261c010f4412e067af424bc51f

SHA256
48d7a465bd9f5f7c8891cc05e177002f7706ba30b444d14d23b18f1e266af35c

SHA512
9a2cf4f80f20e6e599e5d6af23b642a2ead33d8dc154bf4455208946979173141c6ec37713549357bd1a0c09e645e334d591710784fb8bc40c9f7ee45085d392

Download Submit
C:\Windows\{3EA4C02E-4E9F-415e-A3C9-EA610E4E1A5A}.exe

Filesize
180KB

MD5
a4f69aaa54f338ad8d14826534110b16

SHA1
e0e90b52bcfca96d010e00c48999528f8c17a8d6

SHA256
57a6369cc0d3aea6d530efd29f29894d9e3d2989f71db22aed1c0d262049c9be

SHA512
808c40ea282f1d9670405e0fbfe8dffd362aa92329067d7652c5738beba4246732ff1ebd61a35c9b8ff4817d4c16bb2cec4d19fd53771ffe4483790a40051f3a

Download Submit
C:\Windows\{5B10DA2F-D40E-461b-B1DB-A44AFED3776B}.exe

Filesize
180KB

MD5
03e3c6ee8ca53a47ca9275bc58f638b6

SHA1
c359c9602746d8b8a611d7f462737901bdf816f3

SHA256
5126152a1f4f661c825b1094b1d9a0643061c557cc5a5cbe92fb4e38f48d0971

SHA512
11bb018754c401f31a408d0ca13bcf6c85d02acdc757943122212954fc7c82b7dd3b216a01e23bdee0eb78ef906cad466574d21aa49f7cb54fd28e82841a6209

Download Submit
C:\Windows\{71425390-823F-4867-A871-778A9D5EDFA5}.exe

Filesize
180KB

MD5
c62e777288a38f083ff979809f8b286f

SHA1
4a41b846e553ce0b2249322fb40aa214c5586ae7

SHA256
daf05b42aa7816ae07021045ba258ae850e70733d1fd538e11b13cfe78468f8f

SHA512
3ca14169fe72c737d48b2cafea397ff35e7c85b6ae48bdf2eda3f4e9d1209997f02f8050b808f274d36abce6d5371a07c4e83c2422cec77d86d92e841d221845

Download Submit
C:\Windows\{7FCB5B39-F738-4d81-B981-5B0D878A8C55}.exe

Filesize
180KB

MD5
19fd75c1ffef9fcf3a0f609bdc9dba81

SHA1
c792200b6f180455140a9919a2ae9e40858f8ee6

SHA256
22f5f2f67f99d20105bf71208fe6ace42d836278b3e00f59fb48d7a43f3ccf87

SHA512
09b406c82a4d6a832ae80858aa595d97aee7f3292889eb81a5c8ca8ffa39d0d999de661a1e6f9452060b445a83ec50062dbaf11e4bf75dcc372469cbfbff246d

Download Submit
C:\Windows\{8870651C-DE36-435c-86FC-EC36B64DF9B9}.exe

Filesize
180KB

MD5
3e230f78d9a1679608038336a53c710d

SHA1
8142a65fd94245aa49790926ced1bd9017502a31

SHA256
506d44538d997d0d99419573771a89d00cdb773de6b04e962ef3472b2f1bbc33

SHA512
31e66599d6b5d18040d8867d6f668568f741984bd14121ae40172084bd27c5d1578865ac8a5f737de34848ad91997923076304ee73ea14c38657a655d7c2221c

Download Submit
C:\Windows\{C8F71EE3-9C52-42e2-83C2-239D228E15DB}.exe

Filesize
180KB

MD5
0c2928799ee391c4fa35d6f0b6108349

SHA1
b38812ab320b56dd43df26fbdc1f014b99c29055

SHA256
c511f52cd365acf13a0bc6456b92efacd69b464c511d80a638f7faa5bddf6ddb

SHA512
0f52a7f048efd190569f87c6a931ae4cedc56bcd7c039bd87b3bb7b0268f6cc71343a354e1851d3cccdb1411bcd0dae02f136589e99ffb3187d891cafdb6b03d

Download Submit
C:\Windows\{CC81CB22-6199-4c2f-860E-96659907A212}.exe

Filesize
180KB

MD5
176c84db1428fdf47867fc3a72c6acab

SHA1
113853c62b93fcfd8710412dd94978071eaf56ff

SHA256
7962550932e093f95c1cfdae48bae72cf5e58aca000752dea45b60bd646e5416

SHA512
73f8db468027fd3cc8a671fc608e466e2ec7584e28ed7843cdacf2720ca5214356409fe82ec62df0be4a2f6081a41ec47674b6f75043733f05fd3261ae248ddf

Download Submit
C:\Windows\{D617EA04-5D97-40ec-A522-A22AF0A6A74B}.exe

Filesize
180KB

MD5
6ae61c1794d4307ceab6b1da8ee9876b

SHA1
eb8b3a9e36c196ff313bf0de8f128e12d380a818

SHA256
354c4a7e228dbf3806033c30b17751ad7991573725355decb3fe02f95b8e9851

SHA512
e3df3f97081e5654e6ea625cca2787cc49db18ef7587fe1cb15da8d15ce27add7e80d1e18d0f2be06180b782b19d056d6f938474b0d30280deea77167a48db78

Download Submit
C:\Windows\{DC2CA125-0365-4d28-A8F9-CCC3A977AD59}.exe

Filesize
180KB

MD5
acbf7a148a4bb27531cc690fea7acaa8

SHA1
e148f17a54c677b26b5a6cf05630a75e0320d486

SHA256
5ad6e692cee985fffcef12c94fac3678c6a3c8ae430c6da3cc4122eeb6580354

SHA512
f877ad64eefde2a7928a317747acaf9582f938cd072f121f5cf4278866f78dc4b30685a3dc1686b7c2d0771caf94870f44f98b12795545f12bc97f226c420525

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads