650323470704670f5feea95b4e59082213ae112be12b79796c71be03393ff8ba

Analysis

max time kernel
125s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 19:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0d28802ec0303f0ddc63126a3624c58c.exe
Size

216KB
MD5

0d28802ec0303f0ddc63126a3624c58c
SHA1

e61e224dda47b55697b12b91936e61061ad36bf4
SHA256

650323470704670f5feea95b4e59082213ae112be12b79796c71be03393ff8ba
SHA512

40eb91ebb8b551ae5af67e5704c3517ce91d65ea6cef6f9df5f70f1f5a05275fe51a5a51807570761c0149a163c27b5e963816388ea9d4b49c647fd22e8d77d6
SSDEEP

3072:jEGh0oIl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGWlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}\stubpath = "C:\\Windows\\{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe"	{34F119FB-2746-41dc-8C7E-578BD869291C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD824E22-09D3-4576-B8A0-0D3EEA0E634D}\stubpath = "C:\\Windows\\{FD824E22-09D3-4576-B8A0-0D3EEA0E634D}.exe"	{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20C1E2E7-6A74-4f8b-A591-767EA8130F53}\stubpath = "C:\\Windows\\{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe"	{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}	{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD824E22-09D3-4576-B8A0-0D3EEA0E634D}	{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1430559-7262-42e9-834F-9D07D7C84D13}\stubpath = "C:\\Windows\\{B1430559-7262-42e9-834F-9D07D7C84D13}.exe"	{FD824E22-09D3-4576-B8A0-0D3EEA0E634D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03ABA2F2-A0E8-4a76-A0BF-AD44A3C5D906}\stubpath = "C:\\Windows\\{03ABA2F2-A0E8-4a76-A0BF-AD44A3C5D906}.exe"	{B1430559-7262-42e9-834F-9D07D7C84D13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}\stubpath = "C:\\Windows\\{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe"	0d28802ec0303f0ddc63126a3624c58c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F119FB-2746-41dc-8C7E-578BD869291C}\stubpath = "C:\\Windows\\{34F119FB-2746-41dc-8C7E-578BD869291C}.exe"	{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}\stubpath = "C:\\Windows\\{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe"	{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03ABA2F2-A0E8-4a76-A0BF-AD44A3C5D906}	{B1430559-7262-42e9-834F-9D07D7C84D13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ADB63C7-EB25-4041-A5D3-C64570B44E05}\stubpath = "C:\\Windows\\{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe"	{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}\stubpath = "C:\\Windows\\{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe"	{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1430559-7262-42e9-834F-9D07D7C84D13}	{FD824E22-09D3-4576-B8A0-0D3EEA0E634D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}	{34F119FB-2746-41dc-8C7E-578BD869291C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}	{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20C1E2E7-6A74-4f8b-A591-767EA8130F53}	{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}	0d28802ec0303f0ddc63126a3624c58c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ADB63C7-EB25-4041-A5D3-C64570B44E05}	{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F119FB-2746-41dc-8C7E-578BD869291C}	{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe

Deletes itself 1 IoCs

pid	Process
1316	cmd.exe

Executes dropped EXE 10 IoCs

pid	Process
2336	{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe
2680	{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe
2704	{34F119FB-2746-41dc-8C7E-578BD869291C}.exe
2924	{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe
2796	{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe
2576	{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe
280	{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe
2764	{FD824E22-09D3-4576-B8A0-0D3EEA0E634D}.exe
1212	{B1430559-7262-42e9-834F-9D07D7C84D13}.exe
2840	{03ABA2F2-A0E8-4a76-A0BF-AD44A3C5D906}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{FD824E22-09D3-4576-B8A0-0D3EEA0E634D}.exe	{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe
File created	C:\Windows\{03ABA2F2-A0E8-4a76-A0BF-AD44A3C5D906}.exe	{B1430559-7262-42e9-834F-9D07D7C84D13}.exe
File created	C:\Windows\{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe	0d28802ec0303f0ddc63126a3624c58c.exe
File created	C:\Windows\{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe	{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe
File created	C:\Windows\{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe	{34F119FB-2746-41dc-8C7E-578BD869291C}.exe
File created	C:\Windows\{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe	{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe
File created	C:\Windows\{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe	{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe
File created	C:\Windows\{34F119FB-2746-41dc-8C7E-578BD869291C}.exe	{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe
File created	C:\Windows\{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe	{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe
File created	C:\Windows\{B1430559-7262-42e9-834F-9D07D7C84D13}.exe	{FD824E22-09D3-4576-B8A0-0D3EEA0E634D}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1724	0d28802ec0303f0ddc63126a3624c58c.exe
Token: SeIncBasePriorityPrivilege	2336	{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe
Token: SeIncBasePriorityPrivilege	2680	{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe
Token: SeIncBasePriorityPrivilege	2704	{34F119FB-2746-41dc-8C7E-578BD869291C}.exe
Token: SeIncBasePriorityPrivilege	2924	{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe
Token: SeIncBasePriorityPrivilege	2796	{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe
Token: SeIncBasePriorityPrivilege	2576	{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe
Token: SeIncBasePriorityPrivilege	280	{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe
Token: SeIncBasePriorityPrivilege	2764	{FD824E22-09D3-4576-B8A0-0D3EEA0E634D}.exe
Token: SeIncBasePriorityPrivilege	1212	{B1430559-7262-42e9-834F-9D07D7C84D13}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2336	1724	0d28802ec0303f0ddc63126a3624c58c.exe	28
PID 1724 wrote to memory of 2336	1724	0d28802ec0303f0ddc63126a3624c58c.exe	28
PID 1724 wrote to memory of 2336	1724	0d28802ec0303f0ddc63126a3624c58c.exe	28
PID 1724 wrote to memory of 2336	1724	0d28802ec0303f0ddc63126a3624c58c.exe	28
PID 1724 wrote to memory of 1316	1724	0d28802ec0303f0ddc63126a3624c58c.exe	29
PID 1724 wrote to memory of 1316	1724	0d28802ec0303f0ddc63126a3624c58c.exe	29
PID 1724 wrote to memory of 1316	1724	0d28802ec0303f0ddc63126a3624c58c.exe	29
PID 1724 wrote to memory of 1316	1724	0d28802ec0303f0ddc63126a3624c58c.exe	29
PID 2336 wrote to memory of 2680	2336	{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe	30
PID 2336 wrote to memory of 2680	2336	{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe	30
PID 2336 wrote to memory of 2680	2336	{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe	30
PID 2336 wrote to memory of 2680	2336	{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe	30
PID 2336 wrote to memory of 2552	2336	{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe	31
PID 2336 wrote to memory of 2552	2336	{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe	31
PID 2336 wrote to memory of 2552	2336	{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe	31
PID 2336 wrote to memory of 2552	2336	{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe	31
PID 2680 wrote to memory of 2704	2680	{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe	32
PID 2680 wrote to memory of 2704	2680	{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe	32
PID 2680 wrote to memory of 2704	2680	{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe	32
PID 2680 wrote to memory of 2704	2680	{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe	32
PID 2680 wrote to memory of 1400	2680	{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe	33
PID 2680 wrote to memory of 1400	2680	{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe	33
PID 2680 wrote to memory of 1400	2680	{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe	33
PID 2680 wrote to memory of 1400	2680	{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe	33
PID 2704 wrote to memory of 2924	2704	{34F119FB-2746-41dc-8C7E-578BD869291C}.exe	36
PID 2704 wrote to memory of 2924	2704	{34F119FB-2746-41dc-8C7E-578BD869291C}.exe	36
PID 2704 wrote to memory of 2924	2704	{34F119FB-2746-41dc-8C7E-578BD869291C}.exe	36
PID 2704 wrote to memory of 2924	2704	{34F119FB-2746-41dc-8C7E-578BD869291C}.exe	36
PID 2704 wrote to memory of 2968	2704	{34F119FB-2746-41dc-8C7E-578BD869291C}.exe	37
PID 2704 wrote to memory of 2968	2704	{34F119FB-2746-41dc-8C7E-578BD869291C}.exe	37
PID 2704 wrote to memory of 2968	2704	{34F119FB-2746-41dc-8C7E-578BD869291C}.exe	37
PID 2704 wrote to memory of 2968	2704	{34F119FB-2746-41dc-8C7E-578BD869291C}.exe	37
PID 2924 wrote to memory of 2796	2924	{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe	38
PID 2924 wrote to memory of 2796	2924	{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe	38
PID 2924 wrote to memory of 2796	2924	{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe	38
PID 2924 wrote to memory of 2796	2924	{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe	38
PID 2924 wrote to memory of 2928	2924	{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe	39
PID 2924 wrote to memory of 2928	2924	{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe	39
PID 2924 wrote to memory of 2928	2924	{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe	39
PID 2924 wrote to memory of 2928	2924	{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe	39
PID 2796 wrote to memory of 2576	2796	{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe	40
PID 2796 wrote to memory of 2576	2796	{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe	40
PID 2796 wrote to memory of 2576	2796	{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe	40
PID 2796 wrote to memory of 2576	2796	{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe	40
PID 2796 wrote to memory of 2008	2796	{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe	41
PID 2796 wrote to memory of 2008	2796	{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe	41
PID 2796 wrote to memory of 2008	2796	{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe	41
PID 2796 wrote to memory of 2008	2796	{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe	41
PID 2576 wrote to memory of 280	2576	{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe	42
PID 2576 wrote to memory of 280	2576	{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe	42
PID 2576 wrote to memory of 280	2576	{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe	42
PID 2576 wrote to memory of 280	2576	{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe	42
PID 2576 wrote to memory of 2468	2576	{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe	43
PID 2576 wrote to memory of 2468	2576	{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe	43
PID 2576 wrote to memory of 2468	2576	{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe	43
PID 2576 wrote to memory of 2468	2576	{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe	43
PID 280 wrote to memory of 2764	280	{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe	44
PID 280 wrote to memory of 2764	280	{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe	44
PID 280 wrote to memory of 2764	280	{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe	44
PID 280 wrote to memory of 2764	280	{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe	44
PID 280 wrote to memory of 1968	280	{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe	45
PID 280 wrote to memory of 1968	280	{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe	45
PID 280 wrote to memory of 1968	280	{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe	45
PID 280 wrote to memory of 1968	280	{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe	45

C:\Users\Admin\AppData\Local\Temp\0d28802ec0303f0ddc63126a3624c58c.exe
"C:\Users\Admin\AppData\Local\Temp\0d28802ec0303f0ddc63126a3624c58c.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe
  C:\Windows\{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe
    C:\Windows\{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\{34F119FB-2746-41dc-8C7E-578BD869291C}.exe
      C:\Windows\{34F119FB-2746-41dc-8C7E-578BD869291C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe
        
        C:\Windows\{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe
        
        C:\Windows\{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe
        
        C:\Windows\{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe
        
        C:\Windows\{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\{FD824E22-09D3-4576-B8A0-0D3EEA0E634D}.exe
        
        C:\Windows\{FD824E22-09D3-4576-B8A0-0D3EEA0E634D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{B1430559-7262-42e9-834F-9D07D7C84D13}.exe
        
        C:\Windows\{B1430559-7262-42e9-834F-9D07D7C84D13}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Windows\{03ABA2F2-A0E8-4a76-A0BF-AD44A3C5D906}.exe
        
        C:\Windows\{03ABA2F2-A0E8-4a76-A0BF-AD44A3C5D906}.exe
        11⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\{C6ABB4A3-E63C-4a4f-9F95-DF8F8823E9F2}.exe
        
        C:\Windows\{C6ABB4A3-E63C-4a4f-9F95-DF8F8823E9F2}.exe
        12⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03ABA~1.EXE > nul
        12⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1430~1.EXE > nul
        11⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD824~1.EXE > nul
        10⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{526D5~1.EXE > nul
        9⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20C1E~1.EXE > nul
        8⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BC1E~1.EXE > nul
        7⤵
        
        PID:2008
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD3A4~1.EXE > nul
        6⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34F11~1.EXE > nul
        5⤵
        
        PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0ADB6~1.EXE > nul
      4⤵
      PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F3C1D~1.EXE > nul
    3⤵
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0D2880~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03ABA2F2-A0E8-4a76-A0BF-AD44A3C5D906}.exe

Filesize
216KB

MD5
f36d55fa707c0dc00e7e4ab94e4bc234

SHA1
bf23df9cb5a0564305573dcc214d48c03929911c

SHA256
7e31b664efeaecfcb249447c26f2c867b83f045391eb201c12caa11a54159e83

SHA512
140346d15221d9b1d139ff62e753a7389c059bb4ad550709f50132b13f64d7b55e75a69e26aad63a59685f1ae99288b15ad8d84010b53d621e005150d3927627

Download Submit
C:\Windows\{0ADB63C7-EB25-4041-A5D3-C64570B44E05}.exe

Filesize
216KB

MD5
1e6bed11c21c3b6c92f1a431cbe3878a

SHA1
7e936ca074d20fe6313999279c34c873499f409d

SHA256
20f11436eadf7a31a31be59aebac2a913c63dcb643e5986ea40c0a90e3b05db8

SHA512
cf309ec566a727aef41f0fe75595b1bc62e3cc8e79ca33c7d188a05d44142a3af4429ab7f6beb6163470c85658fb72967a1d0442a69a3396ecc71d8f247514f7

Download Submit
C:\Windows\{20C1E2E7-6A74-4f8b-A591-767EA8130F53}.exe

Filesize
216KB

MD5
16547efbca525391a3909bf84fe5bac0

SHA1
83206d0a4f5d152436bd01b29ca4f8033ec93708

SHA256
354c756adc25d20b6b6bdd53b0011c8686fb3d71964e5b4714501363d4791787

SHA512
d39ebd5f1207f84305e3560459c64277186345c9e620ba10c7b4c7e83d3e5d9ab79b23cd999ada3e7b8ad64a772321397a567a2a3417d7d3f99aaf840dccdd61

Download Submit
C:\Windows\{34F119FB-2746-41dc-8C7E-578BD869291C}.exe

Filesize
216KB

MD5
4a25fa0f0be2d35d032cc6d79fabd690

SHA1
662b5c1b3f647ab86dd3cbf6ae8437e3992f377a

SHA256
6fb0423fd1e57fbb99525c5216cb0b3d68a60a318151948bbf441b00289774aa

SHA512
d26bd394f4afc7395f3439f8f0dbaa0ee811cec40dc2f5a4db147eb16ee5e541dbf9c17f6b30123421bd09fc4d35ce2936fb67119d3c5921557f3d018e2b852a

Download Submit
C:\Windows\{526D5BB0-B9D8-48cd-92B1-56DEFB811B51}.exe

Filesize
216KB

MD5
1c3c1aa1b79f360f5a046a63bb14ab5f

SHA1
a804518d4bb9fadb14ff54f0ae95a88480da5d0c

SHA256
1eb5c3e5a721949f07a8531cbfd13bc51544b5cb3ede3cab47dd2898b6761f6d

SHA512
ea42aba052ceee3b0c586f65131a3458b242dfd4bb81fc56545cc580a5ad3065e17fd0b1739ea67790eb6896a56061ec6daed93b2c65b100f8913a4e6aafb819

Download Submit
C:\Windows\{7BC1E77F-1F95-4cd4-8A76-6928FA8B51F0}.exe

Filesize
216KB

MD5
9aa5cde16479fcdeb976b65a41554b81

SHA1
d63b63eda806e495ec3fa57402ea03ee56a5ecf7

SHA256
bfada0cd46f0bcf784931827ec031e5eaedbd8e51319b6666eb38456995e6b87

SHA512
e039e499e4848b1465d8460fa812359fb7703dec7cb1020a846f75052ddc91abc6e22ea9c8c9a672f04dcb5e7c35d3899cf77f6cebbb7361a93817cc7fab85ca

Download Submit
C:\Windows\{B1430559-7262-42e9-834F-9D07D7C84D13}.exe

Filesize
216KB

MD5
239ee8de729155b84f40b810cb3620a5

SHA1
df5e03c558c4b8332f83828ee2724a3925ac32b1

SHA256
0781cd452512ac8b7b17b81a04f6096fc7e0c20995d1c52adfea0758150fd018

SHA512
d3d9d4f3aca939c2ee2331d94b3f1e59c80367af0587ab31178927629aefc36f96eb86d8e63d3f523130fc1d5b4224b4e46f97ac714768776001fc49698d154a

Download Submit
C:\Windows\{C6ABB4A3-E63C-4a4f-9F95-DF8F8823E9F2}.exe

Filesize
216KB

MD5
47ae1828439437a8abc42f8f02aea478

SHA1
3b33d286f96b8ca37555f8782dcd702af8dbee29

SHA256
211486906c037c3ccbfe43b6bdc2082a25910a53f885667f14bb500b0ca620fa

SHA512
dd22e6d8d823c5856df8171464a77e5d41503bc76654be786a4768f09422443298010657b91704f9c3956580fce885a9fc4d9c4d08628ceca581fa6e5c818ab7

Download Submit
C:\Windows\{CD3A482D-7D0A-41a8-90A6-4507BDFBDE45}.exe

Filesize
216KB

MD5
f37f6a592bf6f086b8a4117e2aba99ea

SHA1
a39bda43de2cdd30c8063db11361fc7a0b6b27dc

SHA256
9094599d2bea97d22bf1e2bfff1675d3dc03d48741823edade044faf5f997796

SHA512
9ae4759e4365416db45667fe482426b11729a44de8577ea64a09530dc5caeb51a5f9eb55f63d003c52daaf541a7d4426789cb53846efe60a38f8512d8a216360

Download Submit
C:\Windows\{F3C1D21D-0051-43a1-9E04-624F0EB6E1C7}.exe

Filesize
216KB

MD5
a32afcb82416b2a0fcbd5d4687b009f5

SHA1
a42cf1ce02b2eea4500fe74dde467ae2f5e791e0

SHA256
042e8ce0915ad0387a72942d5641b4146fb5bfca51878dc5faf58fab7dc32dbe

SHA512
514ba4a1c0aeed82a151eb961cd39836a0fc099ec1db86d0208a288b02726fc83fe010c0bd2719d08559e683dac94a74bf53930811ae7fa9ab91a3f076ef1906

Download Submit
C:\Windows\{FD824E22-09D3-4576-B8A0-0D3EEA0E634D}.exe

Filesize
216KB

MD5
b571b856c82beb6a6a3fe509999cd882

SHA1
b635505a121866909ba633dd684495d2b2f86d77

SHA256
a02f18d8f62aa54d9edd0136f7ab20ff552e0198f97b708413d545e3446309cf

SHA512
44777cac403088e62f3d71ff079d856ee3e9378b0c823ad07e3bfe4885a3d0a97400b369de9bd9c1a91d5eadde60f59e76384b28145f2788ae9a3f1609c40f79

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads