Malware Analysis Report

2025-03-14 22:27

Sample ID 240407-29cm8shd9w
Target 8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe
SHA256 8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe

Threat Level: Known bad

The file 8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe was found to be: Known bad.

What the Windows 7 detonation (behavioral1) shows: the sample is an unsigned 32-bit PE (it writes the Wow6432Node view of the registry and spawns C:\Windows\SysWOW64\cmd.exe). It writes a new executable with a GUID-style name directly into C:\Windows, registers that file for logon-time execution by creating HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID} with a stubpath value pointing at it, launches it, and then removes its own file with cmd.exe /c del. Every dropped stage repeats the same three steps, so the 144 s window produced the original plus 11 dropped stages, each with a different GUID name and a different hash. No network activity was observed in either run. The Windows 10 detonation (behavioral2) recorded no activity at all and should be treated as inconclusive rather than as a clean result.

Malicious Activity Summary

persistence

Auto-generated rule

Auto-generated rule

Modifies Installed Components in the registry

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

The sandbox's own technique table is not reproduced on this page. Mapping the observed signatures to the matrix (editor's mapping, derived from the behavioral1 evidence below):

T1547.014 Boot or Logon Autostart Execution: Active Setup. Subkeys with a stubpath value are created under HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components.

T1070.004 Indicator Removal: File Deletion. Every stage deletes its own executable via cmd.exe /c del.

T1059.003 Command and Scripting Interpreter: Windows Command Shell. cmd.exe is the interpreter used for the deletion.

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:16

Signatures

Auto-generated rule

Matched; the report records no description, indicator, process or target for it.

Unsigned PE

The sample carries no Authenticode signature. No further details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:16

Reported

2024-04-07 23:19

Platform

win7-20240221-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe"

Signatures

Auto-generated rule

Eleven matches recorded, none with a description, indicator, process or target.

Modifies Installed Components in the registry

persistence

All 22 writes go to \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components, the 32-bit view of HKLM. Each generation performs one "Key created" and one "Set value (str)" for a single {GUID} subkey, and the stubpath value is the path of the executable that generation has just dropped (shown here with the sandbox's backslash escaping removed). The value name is written in lower case; registry value names are case-insensitive, so Active Setup treats it as StubPath. Active Setup runs StubPath at logon for any user whose HKCU copy of the key is absent, so the entries persist across reboots and new users. Because every stage deletes its own file, most of these StubPath targets no longer exist by the end of the trace; if every del succeeded only C:\Windows\{066E9405-A88F-475b-B516-A11BC7FF20DE}.exe remains, so all 11 subkeys must be removed, not just the one whose target is still on disk. Ordered by generation:

Gen Writing process Key created stubpath value
1 C:\Users\Admin\AppData\Local\Temp\8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe {68F22C96-E553-449c-86B8-D666997174A9} C:\Windows\{68F22C96-E553-449c-86B8-D666997174A9}.exe
2 C:\Windows\{68F22C96-E553-449c-86B8-D666997174A9}.exe {0FACE99A-378C-4315-9FE4-FBE55743F25C} C:\Windows\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe
3 C:\Windows\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe {F6F002B2-4FCB-487e-82F6-F0CB13EE528E} C:\Windows\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe
4 C:\Windows\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe {B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A} C:\Windows\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe
5 C:\Windows\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe {2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3} C:\Windows\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe
6 C:\Windows\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe {C6028977-AD9E-4ec6-847A-FB4A88FE1CF4} C:\Windows\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe
7 C:\Windows\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe {303224E0-AA94-47d8-957E-2698585A1C1A} C:\Windows\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe
8 C:\Windows\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe {00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F} C:\Windows\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe
9 C:\Windows\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe {6EF9215B-CF6D-459d-8751-BBA8876AC8C3} C:\Windows\{6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe
10 C:\Windows\{6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe {AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021} C:\Windows\{AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe
11 C:\Windows\{AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe {066E9405-A88F-475b-B516-A11BC7FF20DE} C:\Windows\{066E9405-A88F-475b-B516-A11BC7FF20DE}.exe

Deletes itself

The signature fired on cmd.exe: every stage runs cmd.exe /c del against its own file, addressed by its 8.3 short name, right after launching the next stage, so each generation's executable is on disk only for the lifetime of one generation. The individual command lines are listed under Processes.

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Each generation writes exactly one new executable directly into C:\Windows (not a subdirectory), named after the GUID it then registers under Active Setup. Ordered by generation:

Description Indicator Process Target
File created C:\Windows\{68F22C96-E553-449c-86B8-D666997174A9}.exe C:\Users\Admin\AppData\Local\Temp\8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe N/A
File created C:\Windows\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe C:\Windows\{68F22C96-E553-449c-86B8-D666997174A9}.exe N/A
File created C:\Windows\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe C:\Windows\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe N/A
File created C:\Windows\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe C:\Windows\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe N/A
File created C:\Windows\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe C:\Windows\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe N/A
File created C:\Windows\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe C:\Windows\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe N/A
File created C:\Windows\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe C:\Windows\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe N/A
File created C:\Windows\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe C:\Windows\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe N/A
File created C:\Windows\{6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe C:\Windows\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe N/A
File created C:\Windows\{AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe C:\Windows\{6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe N/A
File created C:\Windows\{066E9405-A88F-475b-B516-A11BC7FF20DE}.exe C:\Windows\{AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe N/A
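The following PowerShell hunt script is an added example written for this page; it is not part of the sandbox report and not code recovered from the sample. It enumerates every Active Setup Installed Components entry on a host, in both the native and the Wow6432Node view of HKLM, and flags the traits the tables above show: a StubPath target sitting directly in %SystemRoot%, a GUID-style executable name, a target that no longer exists (the dangling entries left behind by self-deleting stages), or a target without a valid Authenticode signature. Get-StubPathExecutable is a helper defined here, and the flagging rules are the editor's heuristics derived from this report, not a vendor signature; the per-user HKCU lookup checks both the native and the Wow6432Node path on the assumption that either may hold the marker for a 32-bit entry.

```powershell
# Added hunt script (editor's example). Run in an elevated PowerShell on the suspect host.
# Heuristic output for review: it does not delete anything.

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
)
$guidExe = '^\{[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}\.exe$'
$winDir  = $env:SystemRoot.TrimEnd('\')

function Get-StubPathExecutable {
    # StubPath is a command line: it may be quoted, carry arguments, or use %variables%.
    # Returns the image path the entry would launch.
    param([string]$StubPath)
    $cmd = [Environment]::ExpandEnvironmentVariables($StubPath.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { $cmd = $cmd.Substring(1, $end - 1) }
    } else {
        $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
        if ($m.Success) { $cmd = $m.Groups[1].Value } else { $cmd = ($cmd -split '\s+')[0] }
    }
    # Bare image names (e.g. regsvr32.exe) are resolved against System32 / SysWOW64.
    if (-not (Split-Path -Path $cmd -Parent)) {
        foreach ($dir in "$winDir\System32", "$winDir\SysWOW64") {
            $candidate = Join-Path $dir $cmd
            if (Test-Path -LiteralPath $candidate) { return $candidate }
        }
    }
    return $cmd
}

$findings = foreach ($root in $roots) {
    if (-not (Test-Path -Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $stub  = $props.StubPath   # value-name lookup is case-insensitive, so a lower-case "stubpath" matches too
        if ([string]::IsNullOrWhiteSpace($stub)) { continue }
        if ($props.IsInstalled -eq 0) { continue }   # IsInstalled=0 disables the entry

        $exe = Get-StubPathExecutable -StubPath $stub
        $reasons = @()
        if ((Split-Path -Path $exe -Parent).TrimEnd('\') -ieq $winDir) { $reasons += 'target directly in %SystemRoot%' }
        if ((Split-Path -Path $exe -Leaf) -match $guidExe)             { $reasons += 'GUID-style executable name' }
        if (-not (Test-Path -LiteralPath $exe)) {
            $reasons += 'target missing (dangling StubPath, consistent with self-deleting stages)'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        }
        if ($reasons.Count -eq 0) { continue }

        # Active Setup runs StubPath for a user only while the per-user copy of the key is absent,
        # so an existing HKCU key means the entry has already fired for the current user.
        # Assumption: the marker may sit in either the native or the Wow6432Node HKCU path.
        $guid = $key.PSChildName
        $ranForUser = (Test-Path -Path "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\$guid") -or
                      (Test-Path -Path "HKCU:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\$guid")

        [pscustomobject]@{
            View       = $(if ($root -like '*Wow6432Node*') { 'Wow6432Node' } else { 'native' })
            Key        = $guid
            StubPath   = $stub
            Target     = $exe
            RanForUser = $ranForUser
            Reasons    = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object View, Key | Format-Table -AutoSize -Wrap
```

On a host infected by this chain the output should list every {GUID} key from the run, most of them with "target missing" because the stage that created them has already deleted itself and only the newest stage's file survives. Remediation has to remove all flagged HKLM subkeys together with whichever target files still exist; removing only the key whose file is present leaves the rest to fire at the next logon of any user that has no HKCU marker. Legitimate entries whose targets are signed system binaries produce no reasons and are not listed.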

Suspicious use of AdjustPrivilegeToken

SeIncBasePriorityPrivilege is the privilege needed to raise a process's or thread's scheduling priority; enabling it is not privilege escalation and is a weak indicator on its own. It is worth noting here only because the sample and each dropped stage enable it in turn, one more behaviour that repeats identically across generations.

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{68F22C96-E553-449c-86B8-D666997174A9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe N/A

Suspicious use of WriteProcessMemory

The sandbox logged four writes for every parent/child pair, and the pairs are exactly the process-creation edges of the tree under Processes: each generation writes into the next stage it launches and into the cmd.exe that deletes its own file. No other injection-related signature fired, so these entries are consistent with the writes a parent makes into a child it has just created rather than with code injection; treat them as low-signal unless a memory dump shows otherwise. The four identical rows per pair are collapsed here with a count.

Description Indicator Process Target
PID 2156 wrote to memory of 2480 (x4) N/A C:\Users\Admin\AppData\Local\Temp\8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe C:\Windows\{68F22C96-E553-449c-86B8-D666997174A9}.exe
PID 2156 wrote to memory of 2496 (x4) N/A C:\Users\Admin\AppData\Local\Temp\8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2516 (x4) N/A C:\Windows\{68F22C96-E553-449c-86B8-D666997174A9}.exe C:\Windows\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe
PID 2480 wrote to memory of 2508 (x4) N/A C:\Windows\{68F22C96-E553-449c-86B8-D666997174A9}.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2420 (x4) N/A C:\Windows\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe C:\Windows\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe
PID 2516 wrote to memory of 1472 (x4) N/A C:\Windows\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 984 (x4) N/A C:\Windows\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe C:\Windows\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe
PID 2420 wrote to memory of 528 (x4) N/A C:\Windows\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 1064 (x4) N/A C:\Windows\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe C:\Windows\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe
PID 984 wrote to memory of 2376 (x4) N/A C:\Windows\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2728 (x4) N/A C:\Windows\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe C:\Windows\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe
PID 1064 wrote to memory of 1840 (x4) N/A C:\Windows\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 1948 (x4) N/A C:\Windows\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe C:\Windows\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe
PID 2728 wrote to memory of 1476 (x4) N/A C:\Windows\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2180 (x4) N/A C:\Windows\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe C:\Windows\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe
PID 1948 wrote to memory of 1700 (x4) N/A C:\Windows\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe C:\Windows\SysWOW64\cmd.exe

Processes

The process list is shown here as generations of the chain. PIDs are taken from the WriteProcessMemory rows above; generations 9 to 11 started after the last recorded write, so the page gives no PIDs for them. Every generation launches two children: the next generation's executable and a cmd.exe that deletes the launching generation's own file. The deletion command lines name C:\Windows\system32\cmd.exe, but the image that runs is C:\Windows\SysWOW64\cmd.exe: the 32-bit parent is subject to WOW64 file-system redirection. The del target is the 8.3 short name (8E1359~1.EXE, {68F22~1.EXE, ...), so command-line detections that match on the full GUID file name will not see the deletion.

gen 0  PID 2156 (parent: sandbox launcher)
       C:\Users\Admin\AppData\Local\Temp\8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe
       "C:\Users\Admin\AppData\Local\Temp\8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe"
       deleter PID 2496  C:\Windows\SysWOW64\cmd.exe
       C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8E1359~1.EXE > nul

gen 1  PID 2480 (parent: 2156)
       C:\Windows\{68F22C96-E553-449c-86B8-D666997174A9}.exe
       C:\Windows\{68F22C96-E553-449c-86B8-D666997174A9}.exe
       deleter PID 2508  C:\Windows\SysWOW64\cmd.exe
       C:\Windows\system32\cmd.exe /c del C:\Windows\{68F22~1.EXE > nul

gen 2  PID 2516 (parent: 2480)
       C:\Windows\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe
       C:\Windows\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe
       deleter PID 1472  C:\Windows\SysWOW64\cmd.exe
       C:\Windows\system32\cmd.exe /c del C:\Windows\{0FACE~1.EXE > nul

gen 3  PID 2420 (parent: 2516)
       C:\Windows\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe
       C:\Windows\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe
       deleter PID 528  C:\Windows\SysWOW64\cmd.exe
       C:\Windows\system32\cmd.exe /c del C:\Windows\{F6F00~1.EXE > nul

gen 4  PID 984 (parent: 2420)
       C:\Windows\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe
       C:\Windows\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe
       deleter PID 2376  C:\Windows\SysWOW64\cmd.exe
       C:\Windows\system32\cmd.exe /c del C:\Windows\{B9BDB~1.EXE > nul

gen 5  PID 1064 (parent: 984)
       C:\Windows\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe
       C:\Windows\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe
       deleter PID 1840  C:\Windows\SysWOW64\cmd.exe
       C:\Windows\system32\cmd.exe /c del C:\Windows\{2A462~1.EXE > nul

gen 6  PID 2728 (parent: 1064)
       C:\Windows\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe
       C:\Windows\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe
       deleter PID 1476  C:\Windows\SysWOW64\cmd.exe
       C:\Windows\system32\cmd.exe /c del C:\Windows\{C6028~1.EXE > nul

gen 7  PID 1948 (parent: 2728)
       C:\Windows\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe
       C:\Windows\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe
       deleter PID 1700  C:\Windows\SysWOW64\cmd.exe
       C:\Windows\system32\cmd.exe /c del C:\Windows\{30322~1.EXE > nul

gen 8  PID 2180 (parent: 1948)
       C:\Windows\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe
       C:\Windows\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe
       deleter PID not recorded  C:\Windows\SysWOW64\cmd.exe
       C:\Windows\system32\cmd.exe /c del C:\Windows\{00EA5~1.EXE > nul

gen 9  PID not recorded (parent: 2180)
       C:\Windows\{6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe
       C:\Windows\{6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe
       deleter PID not recorded  C:\Windows\SysWOW64\cmd.exe
       C:\Windows\system32\cmd.exe /c del C:\Windows\{6EF92~1.EXE > nul

gen 10 PID not recorded (parent: gen 9)
       C:\Windows\{AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe
       C:\Windows\{AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe
       deleter PID not recorded  C:\Windows\SysWOW64\cmd.exe
       C:\Windows\system32\cmd.exe /c del C:\Windows\{AEFB0~1.EXE > nul

gen 11 PID not recorded (parent: gen 10)
       C:\Windows\{066E9405-A88F-475b-B516-A11BC7FF20DE}.exe
       C:\Windows\{066E9405-A88F-475b-B516-A11BC7FF20DE}.exe
       no children recorded before the monitoring window ended

Network

N/A

Files

All 11 dropped stages have different MD5, SHA1, SHA256 and SHA512 values, so every generation is a distinct file rather than a byte-for-byte copy of its parent. File-hash indicators taken from one detonation will therefore not match another host or another generation; hunt on the behaviour instead (GUID-named executables directly in C:\Windows, Active Setup stubpath values pointing at them, cmd.exe /c del of a short-name path).

C:\Windows\{68F22C96-E553-449c-86B8-D666997174A9}.exe

MD5 9f6af2fb1d6bdfad030cf037b58f526c
SHA1 719038e916328846a8d183ed5699779df2a38703
SHA256 633f799f66dcfed1b298eb0c634e0e9bebcd9364ea13cf887028257022321145
SHA512 48901a80bf1b20e0914584fb046f77f11dd1b7f4d9925f91046ebf573ea5f654c83330ae5b05b803d91cebff7c86718ec47c4ccfee4076f8ff70a8f8c7d4b3c4

C:\Windows\{0FACE99A-378C-4315-9FE4-FBE55743F25C}.exe

MD5 94f2a84bc53615bf08316f280f5c6c57
SHA1 ecd1f265fa288f0ccc4a5ba0f6cf88b687005867
SHA256 542a23cc31a8659742cbcad7920a2a8917a3315fc72b173921d13b8d42141671
SHA512 b07faa27e978efa291707f962c5d842e0efffb12a980c4c23a87b66f5bceac7337beb90dba4f0a571a41fb99d3a2da4bf4f1b640b588ba323d147519d3eff8ab

C:\Windows\{F6F002B2-4FCB-487e-82F6-F0CB13EE528E}.exe

MD5 137ebfe52a54c96d59bf193492e8e49e
SHA1 576d57b325c59b1c0927b16af8ee78392a413f23
SHA256 b283bcd47383a5a97d7ef1b515419e1b752025ad190befccbcc9b0ef4ad83f91
SHA512 aab549d86c0008baaf626cb6c6f14e82968d6f23ec67f2882883c94445442efbc671b5302b997fd44f30be7560f69eaba898262adc2d266e060f7e740a5e74f7

C:\Windows\{B9BDBFF5-A8C5-4a18-9BC8-36D7F2BA3E1A}.exe

MD5 8d6aa06fb642f30330b4e79a226eaa13
SHA1 0c34adaf6d5a785fbae62a8414b141bddcde1c38
SHA256 905d83f96d25a9a2cb8692bc37e1bcb8ad5e0ca6e4d052c0e8ff00070425e75e
SHA512 18fdae530af2bef6728c0e13c16b18bf03707642db468e9af216a0db5294d10371bc301b1f4866959bbc157830937e552bb127dc8f76ad22cbd4577972fd573d

C:\Windows\{2A462DB3-E887-4bb0-9C9C-BD5BABDA93F3}.exe

MD5 9a503735f186c5f1c7a547005e5627b7
SHA1 619e166763683bfb463a3358e3c67aacee6fcd85
SHA256 4feb3beedd9bd9fc33720e3a12a961e331f2c22fe3da740d1978466694d220ac
SHA512 afedec6a3466b063d5355543a85f9eaec0cb0ec33b47f3ce2ec71fff98b8e968047e7a55f1eeaa471d7df4216a51f2a8c4741497e7ca65236fd7d376f213966f

C:\Windows\{C6028977-AD9E-4ec6-847A-FB4A88FE1CF4}.exe

MD5 0731f0f975ddfb10e480fc924b0e7dcb
SHA1 a8fd2d42489450b2c641784657c2d085a03881c8
SHA256 090532feae0e8530aebbce4abf2c31d7221f153523df869d8ca29ae8d8bd8539
SHA512 124c273e82e104012265598d623f8d75eb05121aacbb43cd546110a7e9509709b1ecbd0bda4dec0518f15e4a3c8dac310cd6480b88fa118e760953099ccb9534

C:\Windows\{303224E0-AA94-47d8-957E-2698585A1C1A}.exe

MD5 05e589f625b0564ee3ba8589566abbbe
SHA1 3f93475a6ee68e484edc62d2b3f643d2bac9a0b3
SHA256 ea14ce9eca5bf6f7386a64a42d301feaaae39c1fd22c78e118e6c41fb6dc0a43
SHA512 3aec7139e083aabc7093351c320b153a01d407b8418d3ade6911576f047f0970edb4e3a3f2b3764c44e8cbba8b35f80465c2ff194c3863e9f90ad1ec3c82ef88

C:\Windows\{00EA561E-1CDB-411c-92DE-F5E8AFEA1A8F}.exe

MD5 f21dd0c54ffdd702af0ec41b37573c33
SHA1 4f0ceef4fdce62eaf327f36797546d5afe9a8fc4
SHA256 362c69ca0640db50dc4227c67221c69becf7ef66f0adcff0672b7c06499fb8fc
SHA512 fd80fcdb70e8afae3d0e5fd35bfe8576b4df7591185c470109bd56885c63f4515d6d7a5b642b474e96c5abec46c37c280a4c657aa6145ca50bfc8ed0a9f3d7b7

C:\Windows\{6EF9215B-CF6D-459d-8751-BBA8876AC8C3}.exe

MD5 72a3aa1705cdc4a4af341ec60211718a
SHA1 a5ce790f066a99e024bf5a9486d08e49ee8b2098
SHA256 0d049330559c85e516ed78dcae2671793eb21d3f449eb288d0b058df2ca87d29
SHA512 7103b8f67378a324df8955d4e8f57c9a5dd502aae58da76f62a3630ed59cfc16638755b457cee0710a7e88ecace9c2e1c86c66571c330fb7e078a000197d0fd2

C:\Windows\{AEFB00FE-6DFA-47ed-8ADB-2B8750C4D021}.exe

MD5 77037ec05af61aea53de36d4e550a4fd
SHA1 453e6a2533a0aa993149e52426b52e0eb4eda2ba
SHA256 5276464f860d4cd8126aabd5df38209986650f2664e4fcfdaeca9d01c2ff665c
SHA512 352d1cd375a0684cf1a6cc689458b0888ecae691984baa8c4e881b14dedca06e5283d53f1d54dfe80aea00675568665ecfaf62293c9d04ea46bb4b22dd0ec32a

C:\Windows\{066E9405-A88F-475b-B516-A11BC7FF20DE}.exe

MD5 b21530b4588e71e37aac540ecf945240
SHA1 5015cfd40393818a5ec3bfb4aab18a0ce2b665f3
SHA256 e4cd0cac4659f54250063d3a70639d069689bcbcfd0eefb32fb4c0dcac8c45cd
SHA512 eb7a90288ea01425ab25951b30c9a6c580fce12946ba42760b8da3016562980e61034712cbff9bc0e2c7e6e7461bb18663623959520d7182a3be792881db9e27

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:16

Reported

2024-04-07 23:17

Platform

win10v2004-20240319-en

Max time kernel

0s

Max time network

6s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe"

Signatures

N/A. This run recorded 0 s of kernel monitoring time and no process other than the initial one, so it says nothing about how the sample behaves on Windows 10; do not read the absence of signatures as a benign result. The Windows 7 run above is the one to rely on.

Processes

C:\Users\Admin\AppData\Local\Temp\8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe

"C:\Users\Admin\AppData\Local\Temp\8e135989b7a2632e22eb4af7b6793557efb615001457393bf06ffe26dc5ad5fe.exe"

Network

N/A

Files

N/A