a2151d3128962dff0d3964fdf064e6ea3b3ad5dad1de0de0825f477f7e0b8710

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb4ec421f949b323260a50947879d361.exe
Size

344KB
MD5

cb4ec421f949b323260a50947879d361
SHA1

47126815a3400d5b3ce96af50cb117b91d176abe
SHA256

a2151d3128962dff0d3964fdf064e6ea3b3ad5dad1de0de0825f477f7e0b8710
SHA512

d6a8f87ccd4b97102946031ea884697eb020778114e9dd08db20adf8e38f03d73c24fb69636c452bec461b3e2a89d9227ea21ca40a6d4419a2da2bcecba9ba3e
SSDEEP

3072:mEGh0oxlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG3lqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F327F23-8B7A-428a-8A62-61E51ED32046}\stubpath = "C:\\Windows\\{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe"	{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ADB1451-DFDC-49f2-A931-7642C2319F7C}\stubpath = "C:\\Windows\\{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe"	{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{342D7097-2C10-4f96-8BDF-E6616FC95D74}\stubpath = "C:\\Windows\\{342D7097-2C10-4f96-8BDF-E6616FC95D74}.exe"	{AA459171-9DEA-4f7f-9455-451DD0413D17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{873B5B8F-BD78-4003-B1F5-BE59EA9949A8}	{342D7097-2C10-4f96-8BDF-E6616FC95D74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59D43557-8213-4e17-B060-9D3085CCFEBA}	{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F327F23-8B7A-428a-8A62-61E51ED32046}	{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ADB1451-DFDC-49f2-A931-7642C2319F7C}	{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA459171-9DEA-4f7f-9455-451DD0413D17}	{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA459171-9DEA-4f7f-9455-451DD0413D17}\stubpath = "C:\\Windows\\{AA459171-9DEA-4f7f-9455-451DD0413D17}.exe"	{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}\stubpath = "C:\\Windows\\{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe"	{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}\stubpath = "C:\\Windows\\{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe"	{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4552DD7E-EE77-409a-828D-C67668AA6CB6}	{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05CFF611-40EA-443e-AFA1-AE9C50704995}	{873B5B8F-BD78-4003-B1F5-BE59EA9949A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED30C0D0-A3A8-453e-B483-E207F45A7F0F}	{05CFF611-40EA-443e-AFA1-AE9C50704995}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68797F80-2C74-4e61-906C-9FBF5CE685FF}	cb4ec421f949b323260a50947879d361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59D43557-8213-4e17-B060-9D3085CCFEBA}\stubpath = "C:\\Windows\\{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe"	{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}	{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}	{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4552DD7E-EE77-409a-828D-C67668AA6CB6}\stubpath = "C:\\Windows\\{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe"	{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{342D7097-2C10-4f96-8BDF-E6616FC95D74}	{AA459171-9DEA-4f7f-9455-451DD0413D17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{873B5B8F-BD78-4003-B1F5-BE59EA9949A8}\stubpath = "C:\\Windows\\{873B5B8F-BD78-4003-B1F5-BE59EA9949A8}.exe"	{342D7097-2C10-4f96-8BDF-E6616FC95D74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05CFF611-40EA-443e-AFA1-AE9C50704995}\stubpath = "C:\\Windows\\{05CFF611-40EA-443e-AFA1-AE9C50704995}.exe"	{873B5B8F-BD78-4003-B1F5-BE59EA9949A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68797F80-2C74-4e61-906C-9FBF5CE685FF}\stubpath = "C:\\Windows\\{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe"	cb4ec421f949b323260a50947879d361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED30C0D0-A3A8-453e-B483-E207F45A7F0F}\stubpath = "C:\\Windows\\{ED30C0D0-A3A8-453e-B483-E207F45A7F0F}.exe"	{05CFF611-40EA-443e-AFA1-AE9C50704995}.exe

Executes dropped EXE 12 IoCs

pid	Process
1996	{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe
2688	{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe
2356	{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe
2336	{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe
1204	{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe
2812	{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe
456	{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe
2472	{AA459171-9DEA-4f7f-9455-451DD0413D17}.exe
1236	{342D7097-2C10-4f96-8BDF-E6616FC95D74}.exe
580	{873B5B8F-BD78-4003-B1F5-BE59EA9949A8}.exe
2028	{05CFF611-40EA-443e-AFA1-AE9C50704995}.exe
2284	{ED30C0D0-A3A8-453e-B483-E207F45A7F0F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe	{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe
File created	C:\Windows\{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe	{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe
File created	C:\Windows\{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe	{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe
File created	C:\Windows\{873B5B8F-BD78-4003-B1F5-BE59EA9949A8}.exe	{342D7097-2C10-4f96-8BDF-E6616FC95D74}.exe
File created	C:\Windows\{ED30C0D0-A3A8-453e-B483-E207F45A7F0F}.exe	{05CFF611-40EA-443e-AFA1-AE9C50704995}.exe
File created	C:\Windows\{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe	cb4ec421f949b323260a50947879d361.exe
File created	C:\Windows\{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe	{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe
File created	C:\Windows\{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe	{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe
File created	C:\Windows\{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe	{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe
File created	C:\Windows\{AA459171-9DEA-4f7f-9455-451DD0413D17}.exe	{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe
File created	C:\Windows\{342D7097-2C10-4f96-8BDF-E6616FC95D74}.exe	{AA459171-9DEA-4f7f-9455-451DD0413D17}.exe
File created	C:\Windows\{05CFF611-40EA-443e-AFA1-AE9C50704995}.exe	{873B5B8F-BD78-4003-B1F5-BE59EA9949A8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2332	cb4ec421f949b323260a50947879d361.exe
Token: SeIncBasePriorityPrivilege	1996	{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe
Token: SeIncBasePriorityPrivilege	2688	{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe
Token: SeIncBasePriorityPrivilege	2356	{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe
Token: SeIncBasePriorityPrivilege	2336	{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe
Token: SeIncBasePriorityPrivilege	1204	{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe
Token: SeIncBasePriorityPrivilege	2812	{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe
Token: SeIncBasePriorityPrivilege	456	{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe
Token: SeIncBasePriorityPrivilege	2472	{AA459171-9DEA-4f7f-9455-451DD0413D17}.exe
Token: SeIncBasePriorityPrivilege	1236	{342D7097-2C10-4f96-8BDF-E6616FC95D74}.exe
Token: SeIncBasePriorityPrivilege	580	{873B5B8F-BD78-4003-B1F5-BE59EA9949A8}.exe
Token: SeIncBasePriorityPrivilege	2028	{05CFF611-40EA-443e-AFA1-AE9C50704995}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1996	2332	cb4ec421f949b323260a50947879d361.exe	28
PID 2332 wrote to memory of 1996	2332	cb4ec421f949b323260a50947879d361.exe	28
PID 2332 wrote to memory of 1996	2332	cb4ec421f949b323260a50947879d361.exe	28
PID 2332 wrote to memory of 1996	2332	cb4ec421f949b323260a50947879d361.exe	28
PID 2332 wrote to memory of 2612	2332	cb4ec421f949b323260a50947879d361.exe	29
PID 2332 wrote to memory of 2612	2332	cb4ec421f949b323260a50947879d361.exe	29
PID 2332 wrote to memory of 2612	2332	cb4ec421f949b323260a50947879d361.exe	29
PID 2332 wrote to memory of 2612	2332	cb4ec421f949b323260a50947879d361.exe	29
PID 1996 wrote to memory of 2688	1996	{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe	30
PID 1996 wrote to memory of 2688	1996	{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe	30
PID 1996 wrote to memory of 2688	1996	{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe	30
PID 1996 wrote to memory of 2688	1996	{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe	30
PID 1996 wrote to memory of 2444	1996	{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe	31
PID 1996 wrote to memory of 2444	1996	{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe	31
PID 1996 wrote to memory of 2444	1996	{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe	31
PID 1996 wrote to memory of 2444	1996	{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe	31
PID 2688 wrote to memory of 2356	2688	{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe	34
PID 2688 wrote to memory of 2356	2688	{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe	34
PID 2688 wrote to memory of 2356	2688	{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe	34
PID 2688 wrote to memory of 2356	2688	{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe	34
PID 2688 wrote to memory of 2920	2688	{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe	35
PID 2688 wrote to memory of 2920	2688	{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe	35
PID 2688 wrote to memory of 2920	2688	{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe	35
PID 2688 wrote to memory of 2920	2688	{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe	35
PID 2356 wrote to memory of 2336	2356	{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe	36
PID 2356 wrote to memory of 2336	2356	{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe	36
PID 2356 wrote to memory of 2336	2356	{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe	36
PID 2356 wrote to memory of 2336	2356	{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe	36
PID 2356 wrote to memory of 268	2356	{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe	37
PID 2356 wrote to memory of 268	2356	{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe	37
PID 2356 wrote to memory of 268	2356	{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe	37
PID 2356 wrote to memory of 268	2356	{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe	37
PID 2336 wrote to memory of 1204	2336	{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe	38
PID 2336 wrote to memory of 1204	2336	{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe	38
PID 2336 wrote to memory of 1204	2336	{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe	38
PID 2336 wrote to memory of 1204	2336	{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe	38
PID 2336 wrote to memory of 592	2336	{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe	39
PID 2336 wrote to memory of 592	2336	{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe	39
PID 2336 wrote to memory of 592	2336	{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe	39
PID 2336 wrote to memory of 592	2336	{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe	39
PID 1204 wrote to memory of 2812	1204	{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe	40
PID 1204 wrote to memory of 2812	1204	{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe	40
PID 1204 wrote to memory of 2812	1204	{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe	40
PID 1204 wrote to memory of 2812	1204	{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe	40
PID 1204 wrote to memory of 1408	1204	{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe	41
PID 1204 wrote to memory of 1408	1204	{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe	41
PID 1204 wrote to memory of 1408	1204	{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe	41
PID 1204 wrote to memory of 1408	1204	{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe	41
PID 2812 wrote to memory of 456	2812	{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe	42
PID 2812 wrote to memory of 456	2812	{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe	42
PID 2812 wrote to memory of 456	2812	{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe	42
PID 2812 wrote to memory of 456	2812	{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe	42
PID 2812 wrote to memory of 2020	2812	{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe	43
PID 2812 wrote to memory of 2020	2812	{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe	43
PID 2812 wrote to memory of 2020	2812	{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe	43
PID 2812 wrote to memory of 2020	2812	{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe	43
PID 456 wrote to memory of 2472	456	{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe	44
PID 456 wrote to memory of 2472	456	{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe	44
PID 456 wrote to memory of 2472	456	{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe	44
PID 456 wrote to memory of 2472	456	{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe	44
PID 456 wrote to memory of 1348	456	{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe	45
PID 456 wrote to memory of 1348	456	{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe	45
PID 456 wrote to memory of 1348	456	{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe	45
PID 456 wrote to memory of 1348	456	{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe	45

C:\Users\Admin\AppData\Local\Temp\cb4ec421f949b323260a50947879d361.exe
"C:\Users\Admin\AppData\Local\Temp\cb4ec421f949b323260a50947879d361.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe
  C:\Windows\{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe
    C:\Windows\{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe
      C:\Windows\{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe
        
        C:\Windows\{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Windows\{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe
        
        C:\Windows\{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe
        
        C:\Windows\{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe
        
        C:\Windows\{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\{AA459171-9DEA-4f7f-9455-451DD0413D17}.exe
        
        C:\Windows\{AA459171-9DEA-4f7f-9455-451DD0413D17}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\{342D7097-2C10-4f96-8BDF-E6616FC95D74}.exe
        
        C:\Windows\{342D7097-2C10-4f96-8BDF-E6616FC95D74}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\{873B5B8F-BD78-4003-B1F5-BE59EA9949A8}.exe
        
        C:\Windows\{873B5B8F-BD78-4003-B1F5-BE59EA9949A8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\{05CFF611-40EA-443e-AFA1-AE9C50704995}.exe
        
        C:\Windows\{05CFF611-40EA-443e-AFA1-AE9C50704995}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{ED30C0D0-A3A8-453e-B483-E207F45A7F0F}.exe
        
        C:\Windows\{ED30C0D0-A3A8-453e-B483-E207F45A7F0F}.exe
        13⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05CFF~1.EXE > nul
        13⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{873B5~1.EXE > nul
        12⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{342D7~1.EXE > nul
        11⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA459~1.EXE > nul
        10⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6ADB1~1.EXE > nul
        9⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4552D~1.EXE > nul
        8⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F327~1.EXE > nul
        7⤵
        
        PID:1408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4916~1.EXE > nul
        6⤵
        
        PID:592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B364~1.EXE > nul
        5⤵
        
        PID:268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{59D43~1.EXE > nul
      4⤵
      PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{68797~1.EXE > nul
    3⤵
    PID:2444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CB4EC4~1.EXE > nul
  2⤵
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05CFF611-40EA-443e-AFA1-AE9C50704995}.exe

Filesize
344KB

MD5
154d09969ae47e32c26957cdee8a4c53

SHA1
49425294533eeadcefdbae49b43f31d12cb29d32

SHA256
460fa5b0f263ec1d2f8cc050c8669a05cb6f7a4c108edd9519f48d19d27e5a8c

SHA512
b9bb2fc3cc90c5e9616d527f527edb0d6dca749deab7c1893acfa08549c2fb74a883d143e8c52415358251daff01ee4ce51dc235fcae46570050d3590f17248c

Download Submit
C:\Windows\{2B3646BD-B8CE-4f71-AD2C-C6D5551D76AD}.exe

Filesize
344KB

MD5
ec1f2af07ec2b1964f19bd6708ffa281

SHA1
1c2ecb0cc9cacb28572ca6ef0278e35bc9abfcf8

SHA256
e577db27caf62d5ee985347c19fd668cd5b955b823e73a123260797d7665f988

SHA512
397991894e4d9e4a187b5be07e1d643689c617be045f69ce35bef5eae75ec85ff1ebc73a146c355dcbb40da47144549ea95697389f3fb2bf12753ca453c4500b

Download Submit
C:\Windows\{2F327F23-8B7A-428a-8A62-61E51ED32046}.exe

Filesize
344KB

MD5
16ad9e4f8e3eb0d1a8bd7894c9063d60

SHA1
8d024140908de3387fa16add671e18ce4f6d4273

SHA256
4724c26f577290beb1664b0baba5fd4288e0c7654564588e0316fc9945033dea

SHA512
16f1f39419db8c78d4f42b03a3bc358061cefd03fea6bcf7b0b0ea4e007627f31d3b09e7fc827023b0b763cfb4197efb7f9b1d7d0eb0aaa30dd604d77011fcb4

Download Submit
C:\Windows\{342D7097-2C10-4f96-8BDF-E6616FC95D74}.exe

Filesize
344KB

MD5
97f4b7f7b8025bb5645de761fb7b0694

SHA1
8b7ec4a3bb3856ca4b6c40a166bb9b53ac67453b

SHA256
0ca43d20f85ca34739c3212420b242d5485c1aaeedb60cb8c5feedbc064a8347

SHA512
5a19f127cdd620dce214db9f395b3890d3429591556fdb443ad0cc440e8647a27abd58dbabf7793ddf726b40e5aac7a1615006f167515b6af628ddc20ebfb8fb

Download Submit
C:\Windows\{4552DD7E-EE77-409a-828D-C67668AA6CB6}.exe

Filesize
344KB

MD5
b8f3005d0cccabcaedd0d573bad1de12

SHA1
48291613ba866f7a0649f3a8ffe3e269963effbd

SHA256
4e72b4c0395498e47b58307b060e2decf0af3ca7414a47eaa0980e067dd3fe9f

SHA512
b2d1840db4efd21fe92f8997322a2a006364fa89cd41b5aeeb2726c3bb4379890684b1b99c78afe7d7b087db621c6d471feb0af828b24151b43fe7f4e57ee764

Download Submit
C:\Windows\{59D43557-8213-4e17-B060-9D3085CCFEBA}.exe

Filesize
344KB

MD5
2c54eaebdd5fe5462abe3b6337f304e3

SHA1
5d54fad9f3b5c2cecf1c1934ccca55cd57498b16

SHA256
38ea39b56692f8e23329d0592901d88d8169a33f10965202ed72afaa46c332b4

SHA512
b950db57b3700012d55a10cf73e7a4823ec5d4c6271bc4e47a5ae4b2ea6aca9bb304aeefbaf66c49d2f9a181f192e87e75264c61f7dd51a2888335703f9ba863

Download Submit
C:\Windows\{68797F80-2C74-4e61-906C-9FBF5CE685FF}.exe

Filesize
344KB

MD5
8b3d2a8668cfaf934bf21701a6a724a3

SHA1
4bf0b3597ac1852c53ae3d7b1cbfa380a8f7b1fc

SHA256
037334290813d054acf711e7fbd5054037db15de775adbc4d3f65031b9bfd874

SHA512
eb23dcbdf8a7afc4e0b65d0b7af8bafa584acf15eebdbbf8619598f2fcddf82fae4280d18650fcb95d11890b03db220c6b0763c4c092bb962c84db569f66864c

Download Submit
C:\Windows\{6ADB1451-DFDC-49f2-A931-7642C2319F7C}.exe

Filesize
344KB

MD5
deb18eeb4cf0b6ce906cd6c8717b0656

SHA1
b6ccae3f79fe9ad1bd5f1acbd3bcb809ce0ee978

SHA256
aaec67f8968c55302082605e0266cfecf07a5cad5564d48ec8a9b755de8bac18

SHA512
ef48bd6ac4d45b62d2e52eefa132bc010771d96f8adfbf1ed578bb26b7e602608e30fcf745972aaa54425ca37bfc3b80c0f4957dd605a3190f102bda938edfbb

Download Submit
C:\Windows\{873B5B8F-BD78-4003-B1F5-BE59EA9949A8}.exe

Filesize
344KB

MD5
da66337a79aad81b479dbe86527ff12a

SHA1
3d03b53b2283e40f44468a2ca28822b1ff02ebb4

SHA256
f0e83320e00cf94c66b42a239fec75ef287e77efd7ad2710dc08953dc434cb84

SHA512
f0d2963bd4fc9579bf7728a704d31992b2dfa84812290d3b39ddabd397b410e0f8e42d8903de1e22dbedf8791782f776419c7f99b23f7a8f41671d41a527ba2c

Download Submit
C:\Windows\{A49169DF-F7E3-4819-A5F5-E2F38E896DEE}.exe

Filesize
344KB

MD5
cda6a75056e074de5b26918dbd923625

SHA1
a537456bd88623c51f16b395cefbb252965e4ca4

SHA256
2dc023a9025769b8f4708507b89a2c32efefaf91a510cfdf71f129a8a91be0e3

SHA512
8f79372fa7212983c145e4f758f557fb974168856f30ecbb68e28947e04b85e899bc221cdf0cddf7d4020258f82d5fed745d168bc4ca1973ab11d2ab42122b1e

Download Submit
C:\Windows\{AA459171-9DEA-4f7f-9455-451DD0413D17}.exe

Filesize
344KB

MD5
0cd9b63274aab288b66c72c0fb7743e9

SHA1
92fac83441f0738dec46a38f3f9e80222296d099

SHA256
77cb89db2d15ca7dc9d018a2714cc85e538e94172864cc7baa922c6687549dec

SHA512
39b4399c8b94f867d27668140fa0a6c19ef95bf27ef51e4e7a32795350e2d2ad982dcd18d2fc5ca759091e1ef0bab4a7babca4907e3734d886bc2a19cd3f28c1

Download Submit
C:\Windows\{ED30C0D0-A3A8-453e-B483-E207F45A7F0F}.exe

Filesize
344KB

MD5
8b1eb49d1d012175a7c853d2a8a745ab

SHA1
9b381cf3ff77a8d835442e44b867442a94b6ffd7

SHA256
975b5911f6ad68fb55f77663d19925d91fcf7b234356819b4f450ed10d9fade3

SHA512
5b9dc85c409da0b1c4a685931f4c37cc6c56fe58d0ac9833369dcf7fc257474b1943fb369fd21545db29a0e8c1da852b1ea743022e3f3b3dbf35e5d6f7291185

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads