5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 22:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08.exe
Size

64KB
MD5

9adef5d2c876990e78d9abe92e0a78d7
SHA1

5cd8c3f51714281041df719a467180ac186142f0
SHA256

5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08
SHA512

b83845c743b4ded7a2e9cb0df812df68afd29a07ce49d0e647591a8e8a8aaae1feb6269cafe63f05e975aa65bd946b8dc33713fa99192541794fe48dc1dbe516
SSDEEP

768:Vw9816vhKQLroCu4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdY:VEGh0oCulwWMZQcpmgDagIyS1loL7WrY

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 29 IoCs

resource	yara_rule
behavioral1/memory/1684-0-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000d000000013309-6.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2336-9-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1684-10-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x003a0000000139f1-18.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2828-19-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2336-17-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2828-27-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000e000000013309-26.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1400-35-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x003a000000013a3f-34.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0004000000004ed7-43.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1324-42-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2904-50-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1972-52-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000f000000013309-51.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0005000000004ed7-60.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1972-59-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0010000000013309-68.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1436-67-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1696-77-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0006000000004ed7-76.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1248-75-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0011000000013309-85.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2192-86-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1696-84-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2192-94-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3040-95-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0007000000004ed7-93.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74BB9C38-1444-4d7a-8897-A93853F1D92E}	{A5FADB4B-A7B7-41eb-B4CC-C159C7E92BF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09E46722-C999-411f-89CC-A976E8A00CF3}	5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09E46722-C999-411f-89CC-A976E8A00CF3}\stubpath = "C:\\Windows\\{09E46722-C999-411f-89CC-A976E8A00CF3}.exe"	5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{190D5A60-035F-485f-8280-BCB54AB64D52}	{09E46722-C999-411f-89CC-A976E8A00CF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{190D5A60-035F-485f-8280-BCB54AB64D52}\stubpath = "C:\\Windows\\{190D5A60-035F-485f-8280-BCB54AB64D52}.exe"	{09E46722-C999-411f-89CC-A976E8A00CF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25708C07-28CE-4f79-BA61-0BA0498FE4C3}\stubpath = "C:\\Windows\\{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe"	{190D5A60-035F-485f-8280-BCB54AB64D52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65A23D12-7C7A-4f83-B8F3-636E848CDB46}\stubpath = "C:\\Windows\\{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe"	{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{037720D1-B36D-456a-8B60-796D77672A1C}\stubpath = "C:\\Windows\\{037720D1-B36D-456a-8B60-796D77672A1C}.exe"	{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}\stubpath = "C:\\Windows\\{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe"	{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65A23D12-7C7A-4f83-B8F3-636E848CDB46}	{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55F8FE5A-D144-4071-AEAC-2A418053F289}	{037720D1-B36D-456a-8B60-796D77672A1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5FADB4B-A7B7-41eb-B4CC-C159C7E92BF2}\stubpath = "C:\\Windows\\{A5FADB4B-A7B7-41eb-B4CC-C159C7E92BF2}.exe"	{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25708C07-28CE-4f79-BA61-0BA0498FE4C3}	{190D5A60-035F-485f-8280-BCB54AB64D52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55F8FE5A-D144-4071-AEAC-2A418053F289}\stubpath = "C:\\Windows\\{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe"	{037720D1-B36D-456a-8B60-796D77672A1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5FADB4B-A7B7-41eb-B4CC-C159C7E92BF2}	{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AC86FAA-4AA9-42e8-99B7-160B13D6398B}\stubpath = "C:\\Windows\\{9AC86FAA-4AA9-42e8-99B7-160B13D6398B}.exe"	{74BB9C38-1444-4d7a-8897-A93853F1D92E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70F77148-B174-40ce-8715-4AFEED489F2A}\stubpath = "C:\\Windows\\{70F77148-B174-40ce-8715-4AFEED489F2A}.exe"	{9AC86FAA-4AA9-42e8-99B7-160B13D6398B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}	{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{037720D1-B36D-456a-8B60-796D77672A1C}	{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74BB9C38-1444-4d7a-8897-A93853F1D92E}\stubpath = "C:\\Windows\\{74BB9C38-1444-4d7a-8897-A93853F1D92E}.exe"	{A5FADB4B-A7B7-41eb-B4CC-C159C7E92BF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AC86FAA-4AA9-42e8-99B7-160B13D6398B}	{74BB9C38-1444-4d7a-8897-A93853F1D92E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70F77148-B174-40ce-8715-4AFEED489F2A}	{9AC86FAA-4AA9-42e8-99B7-160B13D6398B}.exe

Deletes itself 1 IoCs

pid	Process
1316	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2336	{09E46722-C999-411f-89CC-A976E8A00CF3}.exe
2828	{190D5A60-035F-485f-8280-BCB54AB64D52}.exe
1400	{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe
1324	{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe
2904	{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe
1972	{037720D1-B36D-456a-8B60-796D77672A1C}.exe
1436	{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe
1248	{A5FADB4B-A7B7-41eb-B4CC-C159C7E92BF2}.exe
1696	{74BB9C38-1444-4d7a-8897-A93853F1D92E}.exe
2192	{9AC86FAA-4AA9-42e8-99B7-160B13D6398B}.exe
3040	{70F77148-B174-40ce-8715-4AFEED489F2A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{09E46722-C999-411f-89CC-A976E8A00CF3}.exe	5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08.exe
File created	C:\Windows\{190D5A60-035F-485f-8280-BCB54AB64D52}.exe	{09E46722-C999-411f-89CC-A976E8A00CF3}.exe
File created	C:\Windows\{037720D1-B36D-456a-8B60-796D77672A1C}.exe	{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe
File created	C:\Windows\{9AC86FAA-4AA9-42e8-99B7-160B13D6398B}.exe	{74BB9C38-1444-4d7a-8897-A93853F1D92E}.exe
File created	C:\Windows\{70F77148-B174-40ce-8715-4AFEED489F2A}.exe	{9AC86FAA-4AA9-42e8-99B7-160B13D6398B}.exe
File created	C:\Windows\{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe	{190D5A60-035F-485f-8280-BCB54AB64D52}.exe
File created	C:\Windows\{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe	{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe
File created	C:\Windows\{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe	{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe
File created	C:\Windows\{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe	{037720D1-B36D-456a-8B60-796D77672A1C}.exe
File created	C:\Windows\{A5FADB4B-A7B7-41eb-B4CC-C159C7E92BF2}.exe	{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe
File created	C:\Windows\{74BB9C38-1444-4d7a-8897-A93853F1D92E}.exe	{A5FADB4B-A7B7-41eb-B4CC-C159C7E92BF2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1684	5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08.exe
Token: SeIncBasePriorityPrivilege	2336	{09E46722-C999-411f-89CC-A976E8A00CF3}.exe
Token: SeIncBasePriorityPrivilege	2828	{190D5A60-035F-485f-8280-BCB54AB64D52}.exe
Token: SeIncBasePriorityPrivilege	1400	{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe
Token: SeIncBasePriorityPrivilege	1324	{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe
Token: SeIncBasePriorityPrivilege	2904	{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe
Token: SeIncBasePriorityPrivilege	1972	{037720D1-B36D-456a-8B60-796D77672A1C}.exe
Token: SeIncBasePriorityPrivilege	1436	{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe
Token: SeIncBasePriorityPrivilege	1248	{A5FADB4B-A7B7-41eb-B4CC-C159C7E92BF2}.exe
Token: SeIncBasePriorityPrivilege	1696	{74BB9C38-1444-4d7a-8897-A93853F1D92E}.exe
Token: SeIncBasePriorityPrivilege	2192	{9AC86FAA-4AA9-42e8-99B7-160B13D6398B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2336	1684	5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08.exe	28
PID 1684 wrote to memory of 2336	1684	5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08.exe	28
PID 1684 wrote to memory of 2336	1684	5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08.exe	28
PID 1684 wrote to memory of 2336	1684	5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08.exe	28
PID 1684 wrote to memory of 1316	1684	5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08.exe	29
PID 1684 wrote to memory of 1316	1684	5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08.exe	29
PID 1684 wrote to memory of 1316	1684	5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08.exe	29
PID 1684 wrote to memory of 1316	1684	5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08.exe	29
PID 2336 wrote to memory of 2828	2336	{09E46722-C999-411f-89CC-A976E8A00CF3}.exe	30
PID 2336 wrote to memory of 2828	2336	{09E46722-C999-411f-89CC-A976E8A00CF3}.exe	30
PID 2336 wrote to memory of 2828	2336	{09E46722-C999-411f-89CC-A976E8A00CF3}.exe	30
PID 2336 wrote to memory of 2828	2336	{09E46722-C999-411f-89CC-A976E8A00CF3}.exe	30
PID 2336 wrote to memory of 2548	2336	{09E46722-C999-411f-89CC-A976E8A00CF3}.exe	31
PID 2336 wrote to memory of 2548	2336	{09E46722-C999-411f-89CC-A976E8A00CF3}.exe	31
PID 2336 wrote to memory of 2548	2336	{09E46722-C999-411f-89CC-A976E8A00CF3}.exe	31
PID 2336 wrote to memory of 2548	2336	{09E46722-C999-411f-89CC-A976E8A00CF3}.exe	31
PID 2828 wrote to memory of 1400	2828	{190D5A60-035F-485f-8280-BCB54AB64D52}.exe	32
PID 2828 wrote to memory of 1400	2828	{190D5A60-035F-485f-8280-BCB54AB64D52}.exe	32
PID 2828 wrote to memory of 1400	2828	{190D5A60-035F-485f-8280-BCB54AB64D52}.exe	32
PID 2828 wrote to memory of 1400	2828	{190D5A60-035F-485f-8280-BCB54AB64D52}.exe	32
PID 2828 wrote to memory of 2692	2828	{190D5A60-035F-485f-8280-BCB54AB64D52}.exe	33
PID 2828 wrote to memory of 2692	2828	{190D5A60-035F-485f-8280-BCB54AB64D52}.exe	33
PID 2828 wrote to memory of 2692	2828	{190D5A60-035F-485f-8280-BCB54AB64D52}.exe	33
PID 2828 wrote to memory of 2692	2828	{190D5A60-035F-485f-8280-BCB54AB64D52}.exe	33
PID 1400 wrote to memory of 1324	1400	{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe	36
PID 1400 wrote to memory of 1324	1400	{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe	36
PID 1400 wrote to memory of 1324	1400	{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe	36
PID 1400 wrote to memory of 1324	1400	{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe	36
PID 1400 wrote to memory of 2292	1400	{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe	37
PID 1400 wrote to memory of 2292	1400	{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe	37
PID 1400 wrote to memory of 2292	1400	{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe	37
PID 1400 wrote to memory of 2292	1400	{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe	37
PID 1324 wrote to memory of 2904	1324	{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe	38
PID 1324 wrote to memory of 2904	1324	{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe	38
PID 1324 wrote to memory of 2904	1324	{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe	38
PID 1324 wrote to memory of 2904	1324	{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe	38
PID 1324 wrote to memory of 2952	1324	{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe	39
PID 1324 wrote to memory of 2952	1324	{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe	39
PID 1324 wrote to memory of 2952	1324	{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe	39
PID 1324 wrote to memory of 2952	1324	{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe	39
PID 2904 wrote to memory of 1972	2904	{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe	40
PID 2904 wrote to memory of 1972	2904	{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe	40
PID 2904 wrote to memory of 1972	2904	{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe	40
PID 2904 wrote to memory of 1972	2904	{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe	40
PID 2904 wrote to memory of 2004	2904	{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe	41
PID 2904 wrote to memory of 2004	2904	{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe	41
PID 2904 wrote to memory of 2004	2904	{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe	41
PID 2904 wrote to memory of 2004	2904	{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe	41
PID 1972 wrote to memory of 1436	1972	{037720D1-B36D-456a-8B60-796D77672A1C}.exe	42
PID 1972 wrote to memory of 1436	1972	{037720D1-B36D-456a-8B60-796D77672A1C}.exe	42
PID 1972 wrote to memory of 1436	1972	{037720D1-B36D-456a-8B60-796D77672A1C}.exe	42
PID 1972 wrote to memory of 1436	1972	{037720D1-B36D-456a-8B60-796D77672A1C}.exe	42
PID 1972 wrote to memory of 2620	1972	{037720D1-B36D-456a-8B60-796D77672A1C}.exe	43
PID 1972 wrote to memory of 2620	1972	{037720D1-B36D-456a-8B60-796D77672A1C}.exe	43
PID 1972 wrote to memory of 2620	1972	{037720D1-B36D-456a-8B60-796D77672A1C}.exe	43
PID 1972 wrote to memory of 2620	1972	{037720D1-B36D-456a-8B60-796D77672A1C}.exe	43
PID 1436 wrote to memory of 1248	1436	{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe	44
PID 1436 wrote to memory of 1248	1436	{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe	44
PID 1436 wrote to memory of 1248	1436	{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe	44
PID 1436 wrote to memory of 1248	1436	{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe	44
PID 1436 wrote to memory of 1800	1436	{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe	45
PID 1436 wrote to memory of 1800	1436	{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe	45
PID 1436 wrote to memory of 1800	1436	{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe	45
PID 1436 wrote to memory of 1800	1436	{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe	45

C:\Users\Admin\AppData\Local\Temp\5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08.exe
"C:\Users\Admin\AppData\Local\Temp\5a9f23904e996c2f6e0b3f40e346a9cb44e25dd6e1c85bf7d68e43fcdf0f4b08.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\{09E46722-C999-411f-89CC-A976E8A00CF3}.exe
  C:\Windows\{09E46722-C999-411f-89CC-A976E8A00CF3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\{190D5A60-035F-485f-8280-BCB54AB64D52}.exe
    C:\Windows\{190D5A60-035F-485f-8280-BCB54AB64D52}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe
      C:\Windows\{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Windows\{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe
        
        C:\Windows\{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Windows\{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe
        
        C:\Windows\{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{037720D1-B36D-456a-8B60-796D77672A1C}.exe
        
        C:\Windows\{037720D1-B36D-456a-8B60-796D77672A1C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe
        
        C:\Windows\{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\{A5FADB4B-A7B7-41eb-B4CC-C159C7E92BF2}.exe
        
        C:\Windows\{A5FADB4B-A7B7-41eb-B4CC-C159C7E92BF2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\{74BB9C38-1444-4d7a-8897-A93853F1D92E}.exe
        
        C:\Windows\{74BB9C38-1444-4d7a-8897-A93853F1D92E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\{9AC86FAA-4AA9-42e8-99B7-160B13D6398B}.exe
        
        C:\Windows\{9AC86FAA-4AA9-42e8-99B7-160B13D6398B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\{70F77148-B174-40ce-8715-4AFEED489F2A}.exe
        
        C:\Windows\{70F77148-B174-40ce-8715-4AFEED489F2A}.exe
        12⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AC86~1.EXE > nul
        12⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74BB9~1.EXE > nul
        11⤵
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5FAD~1.EXE > nul
        10⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55F8F~1.EXE > nul
        9⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03772~1.EXE > nul
        8⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65A23~1.EXE > nul
        7⤵
        
        PID:2004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D5C7~1.EXE > nul
        6⤵
        
        PID:2952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25708~1.EXE > nul
        5⤵
        
        PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{190D5~1.EXE > nul
      4⤵
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{09E46~1.EXE > nul
    3⤵
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5A9F23~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{037720D1-B36D-456a-8B60-796D77672A1C}.exe

Filesize
64KB

MD5
840e8f5635507f07aacc08407c0dd1e5

SHA1
dda8c9905aa66189e421c3582c5b7b70c6943a1f

SHA256
5e0f100e62762c0d42d3078756dd040255efd114b63b3399cc8e35aabcb1076d

SHA512
51dff9fdfeb266e2f24e078c27299ec20b2baf28ec0c3ddaafc1f35099003365ebe49bc48910b92e6fbf4cfe4277252a02df0e417c44cc1024c659c54ff144be

Download Submit
C:\Windows\{09E46722-C999-411f-89CC-A976E8A00CF3}.exe

Filesize
64KB

MD5
25c404a3dd40bb13afa42fbbd88836af

SHA1
b7f6a92ec97fcbd1d78e5bed3713411e76c86cbc

SHA256
c453fb07f7faebb0bccb04f870f800b992d1c0609af83399ba82e43849c81fd5

SHA512
810371fb82c654b78f7a8cd6154b9c7f031dd2437ef676550948796476d08d3bc390bfe0dfaa4331203045bed1516795d4ea9d23f25d5440b100fe632c77285b

Download Submit
C:\Windows\{190D5A60-035F-485f-8280-BCB54AB64D52}.exe

Filesize
64KB

MD5
ae7e06d2d412669cd5da3f1f1f5fb3d5

SHA1
5b21787732d653a9ee63c3cb57a7d9a84d062e9a

SHA256
510b3ff6a4503bd24cc29fbf906ac0ec2a4754148840db250e73afce245de512

SHA512
f3564116d5a93b448a2798ff412ea68458e05eab0866ae3369e81e55cdac6336d42680951384ce9e2dbb96634d33c496bf6fbef07216986bcb97ec841a54f476

Download Submit
C:\Windows\{25708C07-28CE-4f79-BA61-0BA0498FE4C3}.exe

Filesize
64KB

MD5
8c4f7f7940a6fe3679ce41d4770c3a4e

SHA1
419f14e47a90af59059d20d85eebcf32ea03c066

SHA256
0d92b7f6ec1f488e628e710f23fd241afe6e765f9fb7807f8ca03a7ff0ad9898

SHA512
50f265c50b51375b18ee6fc44b6eed26638f8d59b4ff979e5c9dedb047c1d0d5cb23e220b126d50b3d26656946855ff35d457a4df16c3dbafd29005d24b4203f

Download Submit
C:\Windows\{55F8FE5A-D144-4071-AEAC-2A418053F289}.exe

Filesize
64KB

MD5
43a8f6bccc78c003be0e4efc280ba6f9

SHA1
af608573ce4c383ac371a755ecb75cb0fc74a784

SHA256
27e577b77f545b51365dbfe0ddc532e44e48a75ee1096219cf281fee194a774b

SHA512
0f0ec0abc303364b82825a25ccd3296db569096d82b253a2dbd683a335fe169af1f731c251e05179ecad238ab1be194134250f119aead6c2717aa1e14368e55e

Download Submit
C:\Windows\{65A23D12-7C7A-4f83-B8F3-636E848CDB46}.exe

Filesize
64KB

MD5
3d84f79be19c6db2b00e6373357dabbc

SHA1
67f4c9a732e245aa82a60cc8e067552f8851dad7

SHA256
94683f963982c7cc2c2e7a773a32136e4de9ead35d9ababb69c37ee78358016c

SHA512
cbfc6b99790b446c43914853dab64f02b40f485cf6ced14066f8c82e672baf96eb5e9bbffb67435c887dcf6fd3221596b49a0298ad9763a98b2c3a24f16d2d06

Download Submit
C:\Windows\{70F77148-B174-40ce-8715-4AFEED489F2A}.exe

Filesize
64KB

MD5
7e98b2c5cd1f5dea0c4774cec6813115

SHA1
64fd80381b09c8a10c75d6d4419184ff025e6aad

SHA256
df3bca95ffb4e58574b569a502950949b3582d60f8164b1343caa171552c4654

SHA512
6427b1cd7cd623ab4dad43f9c31da8bcb57009d5978ce85c54b9cb5839a92bef092276fa318f4d30efa98e3750818428cfc51102919903195ed3195827ed2f08

Download Submit
C:\Windows\{74BB9C38-1444-4d7a-8897-A93853F1D92E}.exe

Filesize
64KB

MD5
f9af4c4c7dd98018d909111a740ecd66

SHA1
419080e76e91bad4e3b957f00fc1e629ae79f92f

SHA256
8aa066a6b2e56bceab9342706e65d61ea98e229cab03ee1ec9c6a1c849b6845a

SHA512
a09e94f5f46da15e7ae0181b522f4f9d0a43e97c61a781b762f7802cc38209f5de8b7e90bae4129cecfa549f2fc3e82b1a3cb2d7bac7136058eeba7acd4a5bed

Download Submit
C:\Windows\{7D5C7C0E-E8BB-4e82-9910-2D112FE2C7E4}.exe

Filesize
64KB

MD5
013a6da9832a929b07bd8ee26c584134

SHA1
1edb32d1908c809b7127f12aa77746e9e7f00e0c

SHA256
37480bfc6467fee3db1023d4d6ef442aa1c72b794926bacc0927fef9f81a10ef

SHA512
4740ca0e3609275fb33b402c5672b064af51604c114e249770cae4d89ad5e464beeb7fa33af152500a18f2477848afb92460e8e280cbb5259faa3880143da46d

Download Submit
C:\Windows\{9AC86FAA-4AA9-42e8-99B7-160B13D6398B}.exe

Filesize
64KB

MD5
27700bda0ee3b30b6da9d207d5b47b0d

SHA1
490f5bcfd260dffea0fca99881e9a9efb1cdd1a9

SHA256
48e4751f214b191f186d22d4f533d983eb73f39dcf1ed0457e5f7ad3a77c3dcb

SHA512
430e677c3c1b843d8fb145816713aca6db040ad95034a903151333cb4fa413dce7a2ee92f24e5a83bee1db0cc3cb64c7bd44b269e03c8d4d9ae68a8e7ad30d02

Download Submit
C:\Windows\{A5FADB4B-A7B7-41eb-B4CC-C159C7E92BF2}.exe

Filesize
64KB

MD5
aac5801ab01c293e8c0dcc98d505e11d

SHA1
4c4ca1c51864be805d2bbeeb84f726f371d781ec

SHA256
256aec7e3debf634f13d9ae059018c24c9cdd66629f1dc313bddd81ccd0fb494

SHA512
1a04f760bb7a8e0c09e102b09fe3527e18a7111abc1edad6b2a55bcbbd32d8b415c8136bf010c1e532a1ae74f9af26565a13adeb8c6ed33d712b9a247824729c

Download Submit
memory/1248-75-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1324-42-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1400-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1436-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1684-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1684-8-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/1684-7-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/1684-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1696-84-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1696-77-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1972-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1972-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2192-86-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2192-94-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2336-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2336-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2828-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2828-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2904-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3040-95-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads