b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 23:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe
Size

90KB
MD5

d73e565f8a2fc8ed530d3f9c1c2effd0
SHA1

89152dac91d3d5aea080d7303e5f924a7f87d893
SHA256

b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a
SHA512

3cb4a8109dad68cb1f0a99383dabf77e1c49eb473d5347aee830586e57d3a169c2b8002d4625d3421b29edf03bba17c6f0551106c9679f8210d815c36c246132
SSDEEP

768:Qvw9816vhKQLroyU4/wQRNrfrunMxVFA3b7glws:YEGh0oyUl2unMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E1A0E0B-9478-412d-B275-64794CEC4100}\stubpath = "C:\\Windows\\{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe"	{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5188235-1085-4c34-BE83-DB3B8F34B279}	{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}	{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{617ADD4B-07C7-46b7-9694-D2D9B1B53A63}	{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52C60394-A311-432f-B02C-9C5EBB08E127}\stubpath = "C:\\Windows\\{52C60394-A311-432f-B02C-9C5EBB08E127}.exe"	{097596CA-3B5D-478c-84BE-5CECDC34DC98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}\stubpath = "C:\\Windows\\{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe"	{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{617ADD4B-07C7-46b7-9694-D2D9B1B53A63}\stubpath = "C:\\Windows\\{617ADD4B-07C7-46b7-9694-D2D9B1B53A63}.exe"	{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC4B9A90-382A-40e9-9026-944A5D903048}	{617ADD4B-07C7-46b7-9694-D2D9B1B53A63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{097596CA-3B5D-478c-84BE-5CECDC34DC98}	{FC4B9A90-382A-40e9-9026-944A5D903048}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52C60394-A311-432f-B02C-9C5EBB08E127}	{097596CA-3B5D-478c-84BE-5CECDC34DC98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}	b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}\stubpath = "C:\\Windows\\{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe"	b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CB88B25-44EF-408e-BB20-C388582F0E91}	{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CB88B25-44EF-408e-BB20-C388582F0E91}\stubpath = "C:\\Windows\\{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe"	{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}\stubpath = "C:\\Windows\\{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe"	{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}	{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}\stubpath = "C:\\Windows\\{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe"	{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{097596CA-3B5D-478c-84BE-5CECDC34DC98}\stubpath = "C:\\Windows\\{097596CA-3B5D-478c-84BE-5CECDC34DC98}.exe"	{FC4B9A90-382A-40e9-9026-944A5D903048}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E1A0E0B-9478-412d-B275-64794CEC4100}	{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5188235-1085-4c34-BE83-DB3B8F34B279}\stubpath = "C:\\Windows\\{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe"	{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}	{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC4B9A90-382A-40e9-9026-944A5D903048}\stubpath = "C:\\Windows\\{FC4B9A90-382A-40e9-9026-944A5D903048}.exe"	{617ADD4B-07C7-46b7-9694-D2D9B1B53A63}.exe

Deletes itself 1 IoCs

pid	Process
2476	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1956	{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe
2600	{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe
2720	{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe
2468	{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe
2640	{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe
2928	{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe
112	{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe
1496	{617ADD4B-07C7-46b7-9694-D2D9B1B53A63}.exe
1200	{FC4B9A90-382A-40e9-9026-944A5D903048}.exe
2220	{097596CA-3B5D-478c-84BE-5CECDC34DC98}.exe
1988	{52C60394-A311-432f-B02C-9C5EBB08E127}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe	{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe
File created	C:\Windows\{617ADD4B-07C7-46b7-9694-D2D9B1B53A63}.exe	{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe
File created	C:\Windows\{FC4B9A90-382A-40e9-9026-944A5D903048}.exe	{617ADD4B-07C7-46b7-9694-D2D9B1B53A63}.exe
File created	C:\Windows\{52C60394-A311-432f-B02C-9C5EBB08E127}.exe	{097596CA-3B5D-478c-84BE-5CECDC34DC98}.exe
File created	C:\Windows\{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe	b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe
File created	C:\Windows\{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe	{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe
File created	C:\Windows\{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe	{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe
File created	C:\Windows\{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe	{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe
File created	C:\Windows\{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe	{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe
File created	C:\Windows\{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe	{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe
File created	C:\Windows\{097596CA-3B5D-478c-84BE-5CECDC34DC98}.exe	{FC4B9A90-382A-40e9-9026-944A5D903048}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2304	b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe
Token: SeIncBasePriorityPrivilege	1956	{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe
Token: SeIncBasePriorityPrivilege	2600	{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe
Token: SeIncBasePriorityPrivilege	2720	{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe
Token: SeIncBasePriorityPrivilege	2468	{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe
Token: SeIncBasePriorityPrivilege	2640	{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe
Token: SeIncBasePriorityPrivilege	2928	{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe
Token: SeIncBasePriorityPrivilege	112	{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe
Token: SeIncBasePriorityPrivilege	1496	{617ADD4B-07C7-46b7-9694-D2D9B1B53A63}.exe
Token: SeIncBasePriorityPrivilege	1200	{FC4B9A90-382A-40e9-9026-944A5D903048}.exe
Token: SeIncBasePriorityPrivilege	2220	{097596CA-3B5D-478c-84BE-5CECDC34DC98}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 1956	2304	b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe	28
PID 2304 wrote to memory of 1956	2304	b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe	28
PID 2304 wrote to memory of 1956	2304	b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe	28
PID 2304 wrote to memory of 1956	2304	b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe	28
PID 2304 wrote to memory of 2476	2304	b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe	29
PID 2304 wrote to memory of 2476	2304	b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe	29
PID 2304 wrote to memory of 2476	2304	b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe	29
PID 2304 wrote to memory of 2476	2304	b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe	29
PID 1956 wrote to memory of 2600	1956	{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe	30
PID 1956 wrote to memory of 2600	1956	{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe	30
PID 1956 wrote to memory of 2600	1956	{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe	30
PID 1956 wrote to memory of 2600	1956	{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe	30
PID 1956 wrote to memory of 2696	1956	{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe	31
PID 1956 wrote to memory of 2696	1956	{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe	31
PID 1956 wrote to memory of 2696	1956	{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe	31
PID 1956 wrote to memory of 2696	1956	{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe	31
PID 2600 wrote to memory of 2720	2600	{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe	32
PID 2600 wrote to memory of 2720	2600	{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe	32
PID 2600 wrote to memory of 2720	2600	{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe	32
PID 2600 wrote to memory of 2720	2600	{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe	32
PID 2600 wrote to memory of 2704	2600	{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe	33
PID 2600 wrote to memory of 2704	2600	{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe	33
PID 2600 wrote to memory of 2704	2600	{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe	33
PID 2600 wrote to memory of 2704	2600	{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe	33
PID 2720 wrote to memory of 2468	2720	{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe	36
PID 2720 wrote to memory of 2468	2720	{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe	36
PID 2720 wrote to memory of 2468	2720	{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe	36
PID 2720 wrote to memory of 2468	2720	{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe	36
PID 2720 wrote to memory of 2964	2720	{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe	37
PID 2720 wrote to memory of 2964	2720	{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe	37
PID 2720 wrote to memory of 2964	2720	{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe	37
PID 2720 wrote to memory of 2964	2720	{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe	37
PID 2468 wrote to memory of 2640	2468	{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe	38
PID 2468 wrote to memory of 2640	2468	{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe	38
PID 2468 wrote to memory of 2640	2468	{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe	38
PID 2468 wrote to memory of 2640	2468	{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe	38
PID 2468 wrote to memory of 2756	2468	{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe	39
PID 2468 wrote to memory of 2756	2468	{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe	39
PID 2468 wrote to memory of 2756	2468	{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe	39
PID 2468 wrote to memory of 2756	2468	{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe	39
PID 2640 wrote to memory of 2928	2640	{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe	40
PID 2640 wrote to memory of 2928	2640	{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe	40
PID 2640 wrote to memory of 2928	2640	{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe	40
PID 2640 wrote to memory of 2928	2640	{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe	40
PID 2640 wrote to memory of 2892	2640	{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe	41
PID 2640 wrote to memory of 2892	2640	{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe	41
PID 2640 wrote to memory of 2892	2640	{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe	41
PID 2640 wrote to memory of 2892	2640	{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe	41
PID 2928 wrote to memory of 112	2928	{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe	42
PID 2928 wrote to memory of 112	2928	{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe	42
PID 2928 wrote to memory of 112	2928	{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe	42
PID 2928 wrote to memory of 112	2928	{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe	42
PID 2928 wrote to memory of 2212	2928	{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe	43
PID 2928 wrote to memory of 2212	2928	{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe	43
PID 2928 wrote to memory of 2212	2928	{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe	43
PID 2928 wrote to memory of 2212	2928	{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe	43
PID 112 wrote to memory of 1496	112	{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe	44
PID 112 wrote to memory of 1496	112	{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe	44
PID 112 wrote to memory of 1496	112	{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe	44
PID 112 wrote to memory of 1496	112	{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe	44
PID 112 wrote to memory of 2616	112	{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe	45
PID 112 wrote to memory of 2616	112	{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe	45
PID 112 wrote to memory of 2616	112	{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe	45
PID 112 wrote to memory of 2616	112	{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe	45

C:\Users\Admin\AppData\Local\Temp\b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe
"C:\Users\Admin\AppData\Local\Temp\b349b2dc38456ec7e9139e8e9ecccb56891d51c10cd871b4675dc3428107cb7a.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe
  C:\Windows\{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe
    C:\Windows\{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe
      C:\Windows\{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe
        
        C:\Windows\{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
      - C:\Windows\{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe
        
        C:\Windows\{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe
        
        C:\Windows\{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe
        
        C:\Windows\{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\{617ADD4B-07C7-46b7-9694-D2D9B1B53A63}.exe
        
        C:\Windows\{617ADD4B-07C7-46b7-9694-D2D9B1B53A63}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\{FC4B9A90-382A-40e9-9026-944A5D903048}.exe
        
        C:\Windows\{FC4B9A90-382A-40e9-9026-944A5D903048}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\{097596CA-3B5D-478c-84BE-5CECDC34DC98}.exe
        
        C:\Windows\{097596CA-3B5D-478c-84BE-5CECDC34DC98}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\{52C60394-A311-432f-B02C-9C5EBB08E127}.exe
        
        C:\Windows\{52C60394-A311-432f-B02C-9C5EBB08E127}.exe
        12⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09759~1.EXE > nul
        12⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC4B9~1.EXE > nul
        11⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{617AD~1.EXE > nul
        10⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD3B2~1.EXE > nul
        9⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A10F2~1.EXE > nul
        8⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5DDF~1.EXE > nul
        7⤵
        
        PID:2892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5188~1.EXE > nul
        6⤵
        
        PID:2756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E1A0~1.EXE > nul
        5⤵
        
        PID:2964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6CB88~1.EXE > nul
      4⤵
      PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0C8B3~1.EXE > nul
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B349B2~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{097596CA-3B5D-478c-84BE-5CECDC34DC98}.exe

Filesize
90KB

MD5
eab40f286ba9632cf2bc88d6470b915e

SHA1
f1d15ff796fd9a6019768936babb10a85a3f307a

SHA256
382f9b25b3ee8a3c1c3756f156f5c0d973528e7a569581a74e64dcca157ffa00

SHA512
60bdd1c7c29cad917e153208da289ea4c7ad452fc04b3e4a52b67ef3c1724bcaa4474b369a04b2b23c15ccd77818ecc5bb00806778afa8247fda5c466fb3a7f7

Download Submit
C:\Windows\{0C8B3A4A-749E-4b20-8E8D-5D09C7E6F4FA}.exe

Filesize
90KB

MD5
6be5592f41664f090fbcc216df3c8768

SHA1
08df31eadcba77485ff01999986543c51ebcdeae

SHA256
1fa3d60e89f82743703a10cde768f35b5ed814263c159197d465e275cfa6e8d9

SHA512
d16962c8113fd8413ee19334f0e09d515a48fec656d7567d01167f24f06428468597d7a4a4003671b31b0cb0feddbce6084eff753bfc58a4551b2f55a606b2b8

Download Submit
C:\Windows\{52C60394-A311-432f-B02C-9C5EBB08E127}.exe

Filesize
90KB

MD5
30851dcf741eeb5816f85aeaed3cdeee

SHA1
9aa70bb7d28436aedb755564aa0518e8a6133c73

SHA256
30e8375940654535db9733429e4972b294d266f16794e86b366901f250aac600

SHA512
acf8f9ec1024052fa0f64b54b5e43cc42be032db3199f629190c1377a46d71f3913a869bbd83cd3c46f8bb9afe959f5efe6dc2915b5c2d9cca5bfa4dff927f6a

Download Submit
C:\Windows\{5E1A0E0B-9478-412d-B275-64794CEC4100}.exe

Filesize
90KB

MD5
a9299aa54f93dc9e9bb3cfddbe471bec

SHA1
da6a0665fe6ec615d6468b0efbcab1ee8d74c4c7

SHA256
7017fac079c85d1057b9371fd002cf58de4aff90fa2f76e6dca61013782cdace

SHA512
204c0a84fb5742aa18f82aba75f64f968a8dd6172969910331c1da352c2cf8b8b96a08bed73af5ec28c931fdbb0332ede743709afb24d350b7f2d3664d5de2d6

Download Submit
C:\Windows\{617ADD4B-07C7-46b7-9694-D2D9B1B53A63}.exe

Filesize
90KB

MD5
98c584f06f1a155ccd0eb9f3301ec2fb

SHA1
6799cd639b7eeb38585faabb8bba814ee88336fe

SHA256
a4534a02692e0de329c7d3f3cf94aa36fd77e93cec4c92a99ada469b1566a2d6

SHA512
769a94e99f20adc1e42a1c153d2ce99741b8c00903bbf02bde6764d5183d8792df82eefe439872ce58405ce87b02b21c565f72ce32a508006bf82cca733243c0

Download Submit
C:\Windows\{6CB88B25-44EF-408e-BB20-C388582F0E91}.exe

Filesize
90KB

MD5
b5ae1450d4eebc7dd90bd1bc5fddce2e

SHA1
877f4ed6a76ed15ceac87f88c23d564ef97f761d

SHA256
f71eb9bf0eaeac726665fcd17f69d0441bd623df711dfce7cb088b2d575e6164

SHA512
4a8b07bd9fc693ad237aa9c4eb0e780fd8e7665b52f9282487b25cddd6f4e5e160a376acba3321d1511f5a589fe47361f9fdd1681e0cc22d4ca5c6820e285e77

Download Submit
C:\Windows\{A10F29E9-47FF-43e8-8D70-E35A7DD89DAC}.exe

Filesize
90KB

MD5
2606421d96e550c7a3d7917b58004aa9

SHA1
7af4381eaac9d6a96dfcf2368e05ac5d99446369

SHA256
a5d5788be2c22ba66cd2f85784d4d5e3d825527f5e411153e5cec5ca73760a6e

SHA512
efabd24c3e7e5d52ac4d37c89fefcc80d17de70f3379cc1b50d702578594d8754ca452bdf3bfd9f49e15e49a76f5d01f22c672112f3431747b46a37c6972e41d

Download Submit
C:\Windows\{B5188235-1085-4c34-BE83-DB3B8F34B279}.exe

Filesize
90KB

MD5
52b362fe15e38caf65d1465da81ff893

SHA1
5e8958e727a3ffd1180166f4a9c29905f7396dc9

SHA256
4f2bded01f836918284b3db006c8e4609d8ffaa6658ee9998d5fa0539e85c447

SHA512
a3630cc24657f57bbbbc4f05821362a0266e8c708fbdce0f98bd607a9cc074bfaae6d895b33ed5e774012936d0f8c7c466bc66be94f82ead7b9c423659df9678

Download Submit
C:\Windows\{CD3B2A32-E4A7-4fd6-91FC-BEECF5360598}.exe

Filesize
90KB

MD5
3027460fa8a56b86cbcc49d2d2952696

SHA1
5075912ea58afdb9f25dc060a86ab6a1e13d6ce7

SHA256
a20b5557de8ce4c0985c2e3737968d1e65b1a2ee880d36984f52c02c829befd5

SHA512
a6989109493bcc0887e7d451a8d4c80661329eb9af15887fe1c76b9ea04d32c683954e508b9a5c9bdef48ef185115703dac808ca4aa8e40e766363feb2187611

Download Submit
C:\Windows\{D5DDFA45-EF88-4f0d-9E26-D892E6AFD307}.exe

Filesize
90KB

MD5
e73bc9aab796ae5f25b5b402b09f086a

SHA1
207b9ae8f694d7f9119c835bf4b8b5517e08e8e2

SHA256
caf21fae6415be1b091cd6ecd9694c9250ec3a02fb61431aecca08f1dbe0beb5

SHA512
ad72a2d4c5a0523a753442e625b54b099b931e6da0393290c9d1ee990a67fb3d63402b8652e9a66939140985b954609d90ae5f3bae7450ca1a12709b9669f154

Download Submit
C:\Windows\{FC4B9A90-382A-40e9-9026-944A5D903048}.exe

Filesize
90KB

MD5
dd436b2490bb941d68137252bbfcd63c

SHA1
82c4fede7d64dab7acf64c65fea83e9435f1a852

SHA256
115c45d1b8bdee2d6f10af5e4b07b58a68c24af85c8dd065f21f0ed9323ed48e

SHA512
8eb8a0934b0ff5547816160e251536e94ed64d110eda6a0da6c89c6e2238c9fc05fb1156be10cdda87b20d75b3ba218780e31a7613dbac1be7ef49e1dd61364a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads