eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc.exe
Size

64KB
MD5

7e48b671d74238e30da854b1ad36613e
SHA1

f4ad751a85a4cdf9bc454b86f22446aaa293f39d
SHA256

eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc
SHA512

47737d4b05ada48eec4c4644874d40b55d3286e7e8780405ceacdf166d26b06136691eeeb690fd5f99117ea65d04e295f54da9fba67b75232ed0446599cc51ee
SSDEEP

768:Ovw9816ihKQLroC74/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdu:6EGU0oC7lwWMZQcpmgDagIyS1loL7Wru

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 30 IoCs

resource	yara_rule
behavioral1/memory/2176-0-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000b0000000143e5-5.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2944-9-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2176-10-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x00090000000146f4-18.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2944-17-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2600-19-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2600-27-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000c0000000143e5-26.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x00090000000146fc-35.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2648-34-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3024-43-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0004000000004ed7-42.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000d0000000143e5-51.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1508-50-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2180-52-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0005000000004ed7-60.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2180-59-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2152-61-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000e0000000143e5-69.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2152-68-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2064-78-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0006000000004ed7-77.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2488-76-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/560-87-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2064-86-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000f0000000143e5-85.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/560-94-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/908-96-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0007000000004ed7-95.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77280034-E9CE-44a5-ACB3-E68AE7EFD864}	{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A56B842-141C-4ba4-9DA6-178CF4ACC110}	{5DA06DC6-E3BE-4a4d-88CB-DB0155D56223}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{809C3102-AB0B-4a68-93C1-CF53A7D69FAA}\stubpath = "C:\\Windows\\{809C3102-AB0B-4a68-93C1-CF53A7D69FAA}.exe"	{8A56B842-141C-4ba4-9DA6-178CF4ACC110}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}	{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}	{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0C19C14-243F-42e2-8B15-72D91AB144A1}	{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}\stubpath = "C:\\Windows\\{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe"	{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F90E444-46AF-4621-9AD7-11092F417357}	{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF48D8E9-A940-4c2e-A222-6A900F516BF4}	{3F90E444-46AF-4621-9AD7-11092F417357}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FF13A05-E1D7-4173-B98B-935A883B12BA}	eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FF13A05-E1D7-4173-B98B-935A883B12BA}\stubpath = "C:\\Windows\\{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe"	eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}	{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A56B842-141C-4ba4-9DA6-178CF4ACC110}\stubpath = "C:\\Windows\\{8A56B842-141C-4ba4-9DA6-178CF4ACC110}.exe"	{5DA06DC6-E3BE-4a4d-88CB-DB0155D56223}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}\stubpath = "C:\\Windows\\{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe"	{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0C19C14-243F-42e2-8B15-72D91AB144A1}\stubpath = "C:\\Windows\\{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe"	{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DA06DC6-E3BE-4a4d-88CB-DB0155D56223}\stubpath = "C:\\Windows\\{5DA06DC6-E3BE-4a4d-88CB-DB0155D56223}.exe"	{77280034-E9CE-44a5-ACB3-E68AE7EFD864}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77280034-E9CE-44a5-ACB3-E68AE7EFD864}\stubpath = "C:\\Windows\\{77280034-E9CE-44a5-ACB3-E68AE7EFD864}.exe"	{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DA06DC6-E3BE-4a4d-88CB-DB0155D56223}	{77280034-E9CE-44a5-ACB3-E68AE7EFD864}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{809C3102-AB0B-4a68-93C1-CF53A7D69FAA}	{8A56B842-141C-4ba4-9DA6-178CF4ACC110}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}\stubpath = "C:\\Windows\\{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe"	{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F90E444-46AF-4621-9AD7-11092F417357}\stubpath = "C:\\Windows\\{3F90E444-46AF-4621-9AD7-11092F417357}.exe"	{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF48D8E9-A940-4c2e-A222-6A900F516BF4}\stubpath = "C:\\Windows\\{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe"	{3F90E444-46AF-4621-9AD7-11092F417357}.exe

Deletes itself 1 IoCs

pid	Process
2984	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2944	{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe
2600	{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe
2648	{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe
3024	{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe
1508	{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe
2180	{3F90E444-46AF-4621-9AD7-11092F417357}.exe
2152	{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe
2488	{77280034-E9CE-44a5-ACB3-E68AE7EFD864}.exe
2064	{5DA06DC6-E3BE-4a4d-88CB-DB0155D56223}.exe
560	{8A56B842-141C-4ba4-9DA6-178CF4ACC110}.exe
908	{809C3102-AB0B-4a68-93C1-CF53A7D69FAA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe	{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe
File created	C:\Windows\{5DA06DC6-E3BE-4a4d-88CB-DB0155D56223}.exe	{77280034-E9CE-44a5-ACB3-E68AE7EFD864}.exe
File created	C:\Windows\{809C3102-AB0B-4a68-93C1-CF53A7D69FAA}.exe	{8A56B842-141C-4ba4-9DA6-178CF4ACC110}.exe
File created	C:\Windows\{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe	eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc.exe
File created	C:\Windows\{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe	{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe
File created	C:\Windows\{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe	{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe
File created	C:\Windows\{3F90E444-46AF-4621-9AD7-11092F417357}.exe	{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe
File created	C:\Windows\{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe	{3F90E444-46AF-4621-9AD7-11092F417357}.exe
File created	C:\Windows\{77280034-E9CE-44a5-ACB3-E68AE7EFD864}.exe	{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe
File created	C:\Windows\{8A56B842-141C-4ba4-9DA6-178CF4ACC110}.exe	{5DA06DC6-E3BE-4a4d-88CB-DB0155D56223}.exe
File created	C:\Windows\{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe	{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2176	eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc.exe
Token: SeIncBasePriorityPrivilege	2944	{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe
Token: SeIncBasePriorityPrivilege	2600	{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe
Token: SeIncBasePriorityPrivilege	2648	{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe
Token: SeIncBasePriorityPrivilege	3024	{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe
Token: SeIncBasePriorityPrivilege	1508	{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe
Token: SeIncBasePriorityPrivilege	2180	{3F90E444-46AF-4621-9AD7-11092F417357}.exe
Token: SeIncBasePriorityPrivilege	2152	{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe
Token: SeIncBasePriorityPrivilege	2488	{77280034-E9CE-44a5-ACB3-E68AE7EFD864}.exe
Token: SeIncBasePriorityPrivilege	2064	{5DA06DC6-E3BE-4a4d-88CB-DB0155D56223}.exe
Token: SeIncBasePriorityPrivilege	560	{8A56B842-141C-4ba4-9DA6-178CF4ACC110}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2944	2176	eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc.exe	28
PID 2176 wrote to memory of 2944	2176	eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc.exe	28
PID 2176 wrote to memory of 2944	2176	eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc.exe	28
PID 2176 wrote to memory of 2944	2176	eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc.exe	28
PID 2176 wrote to memory of 2984	2176	eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc.exe	29
PID 2176 wrote to memory of 2984	2176	eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc.exe	29
PID 2176 wrote to memory of 2984	2176	eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc.exe	29
PID 2176 wrote to memory of 2984	2176	eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc.exe	29
PID 2944 wrote to memory of 2600	2944	{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe	30
PID 2944 wrote to memory of 2600	2944	{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe	30
PID 2944 wrote to memory of 2600	2944	{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe	30
PID 2944 wrote to memory of 2600	2944	{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe	30
PID 2944 wrote to memory of 2640	2944	{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe	31
PID 2944 wrote to memory of 2640	2944	{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe	31
PID 2944 wrote to memory of 2640	2944	{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe	31
PID 2944 wrote to memory of 2640	2944	{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe	31
PID 2600 wrote to memory of 2648	2600	{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe	32
PID 2600 wrote to memory of 2648	2600	{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe	32
PID 2600 wrote to memory of 2648	2600	{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe	32
PID 2600 wrote to memory of 2648	2600	{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe	32
PID 2600 wrote to memory of 2680	2600	{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe	33
PID 2600 wrote to memory of 2680	2600	{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe	33
PID 2600 wrote to memory of 2680	2600	{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe	33
PID 2600 wrote to memory of 2680	2600	{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe	33
PID 2648 wrote to memory of 3024	2648	{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe	36
PID 2648 wrote to memory of 3024	2648	{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe	36
PID 2648 wrote to memory of 3024	2648	{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe	36
PID 2648 wrote to memory of 3024	2648	{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe	36
PID 2648 wrote to memory of 2884	2648	{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe	37
PID 2648 wrote to memory of 2884	2648	{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe	37
PID 2648 wrote to memory of 2884	2648	{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe	37
PID 2648 wrote to memory of 2884	2648	{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe	37
PID 3024 wrote to memory of 1508	3024	{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe	38
PID 3024 wrote to memory of 1508	3024	{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe	38
PID 3024 wrote to memory of 1508	3024	{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe	38
PID 3024 wrote to memory of 1508	3024	{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe	38
PID 3024 wrote to memory of 1916	3024	{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe	39
PID 3024 wrote to memory of 1916	3024	{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe	39
PID 3024 wrote to memory of 1916	3024	{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe	39
PID 3024 wrote to memory of 1916	3024	{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe	39
PID 1508 wrote to memory of 2180	1508	{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe	40
PID 1508 wrote to memory of 2180	1508	{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe	40
PID 1508 wrote to memory of 2180	1508	{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe	40
PID 1508 wrote to memory of 2180	1508	{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe	40
PID 1508 wrote to memory of 2284	1508	{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe	41
PID 1508 wrote to memory of 2284	1508	{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe	41
PID 1508 wrote to memory of 2284	1508	{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe	41
PID 1508 wrote to memory of 2284	1508	{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe	41
PID 2180 wrote to memory of 2152	2180	{3F90E444-46AF-4621-9AD7-11092F417357}.exe	42
PID 2180 wrote to memory of 2152	2180	{3F90E444-46AF-4621-9AD7-11092F417357}.exe	42
PID 2180 wrote to memory of 2152	2180	{3F90E444-46AF-4621-9AD7-11092F417357}.exe	42
PID 2180 wrote to memory of 2152	2180	{3F90E444-46AF-4621-9AD7-11092F417357}.exe	42
PID 2180 wrote to memory of 1552	2180	{3F90E444-46AF-4621-9AD7-11092F417357}.exe	43
PID 2180 wrote to memory of 1552	2180	{3F90E444-46AF-4621-9AD7-11092F417357}.exe	43
PID 2180 wrote to memory of 1552	2180	{3F90E444-46AF-4621-9AD7-11092F417357}.exe	43
PID 2180 wrote to memory of 1552	2180	{3F90E444-46AF-4621-9AD7-11092F417357}.exe	43
PID 2152 wrote to memory of 2488	2152	{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe	44
PID 2152 wrote to memory of 2488	2152	{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe	44
PID 2152 wrote to memory of 2488	2152	{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe	44
PID 2152 wrote to memory of 2488	2152	{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe	44
PID 2152 wrote to memory of 1232	2152	{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe	45
PID 2152 wrote to memory of 1232	2152	{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe	45
PID 2152 wrote to memory of 1232	2152	{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe	45
PID 2152 wrote to memory of 1232	2152	{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe	45

C:\Users\Admin\AppData\Local\Temp\eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc.exe
"C:\Users\Admin\AppData\Local\Temp\eeff308a86161a8fa013ec18b526946e7df5316f59688cd9fffed559ebd532dc.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe
  C:\Windows\{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe
    C:\Windows\{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe
      C:\Windows\{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe
        
        C:\Windows\{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe
        
        C:\Windows\{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\{3F90E444-46AF-4621-9AD7-11092F417357}.exe
        
        C:\Windows\{3F90E444-46AF-4621-9AD7-11092F417357}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe
        
        C:\Windows\{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{77280034-E9CE-44a5-ACB3-E68AE7EFD864}.exe
        
        C:\Windows\{77280034-E9CE-44a5-ACB3-E68AE7EFD864}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\{5DA06DC6-E3BE-4a4d-88CB-DB0155D56223}.exe
        
        C:\Windows\{5DA06DC6-E3BE-4a4d-88CB-DB0155D56223}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\{8A56B842-141C-4ba4-9DA6-178CF4ACC110}.exe
        
        C:\Windows\{8A56B842-141C-4ba4-9DA6-178CF4ACC110}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\{809C3102-AB0B-4a68-93C1-CF53A7D69FAA}.exe
        
        C:\Windows\{809C3102-AB0B-4a68-93C1-CF53A7D69FAA}.exe
        12⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A56B~1.EXE > nul
        12⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DA06~1.EXE > nul
        11⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77280~1.EXE > nul
        10⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF48D~1.EXE > nul
        9⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F90E~1.EXE > nul
        8⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A1C2~1.EXE > nul
        7⤵
        
        PID:2284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0C19~1.EXE > nul
        6⤵
        
        PID:1916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83EDC~1.EXE > nul
        5⤵
        
        PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8D81B~1.EXE > nul
      4⤵
      PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5FF13~1.EXE > nul
    3⤵
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EEFF30~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3F90E444-46AF-4621-9AD7-11092F417357}.exe

Filesize
64KB

MD5
4e73ab9ea75772b3ad21d6ed135218a5

SHA1
b23c3ada28e1368b7f1bca4c47a1a27102d42c77

SHA256
6c1a9d2864e331be8b70859660e59232ad6ceec3652804c19e1ff9d268cd539f

SHA512
38d6c0b8fc531f22efd8b3fc74670e1febafef42a0eddd972a6e2bd1acbb29c139f02c6777ac35adb1d34e38d738f164105b5d1f4bfee807c45e007d5e53f51a

Download Submit
C:\Windows\{4A1C2718-DC85-458d-A4FE-37107ECBDAB7}.exe

Filesize
64KB

MD5
100e0f5b779c0e0371951fb78f7abdd4

SHA1
4a2ca658acdeee2d529bb9080213fd5a2725718d

SHA256
d81bdf4f7774a97ac020604ce85584be6ef142995399ca86bdb1f4d931b6e7e5

SHA512
02cb74e5cfa93da0f8c35e441afb6bc8265fead707a2ee88d2d56b158ccfa54ef04f6fbf5ed510db12aa416d7573c46d1616cdd394267fdd626b7172e4469d7c

Download Submit
C:\Windows\{5DA06DC6-E3BE-4a4d-88CB-DB0155D56223}.exe

Filesize
64KB

MD5
22bdfed03ff7e6157a9e19c5b94220e8

SHA1
e08bd73130314f343bff53b26f0c8afb7c96bed6

SHA256
da73d4eb6ea5f4f510b58ac38542b13b576c28005c336591aed08ad4f17ac4d1

SHA512
e473a5ac97f13a752990677f0a7dd4975a8b9c0aa225c753d4eeda2db67480be40945147ea5193d7d24bd03b91f15150bcb3cc97169a3ae95f34ff24cc670e9b

Download Submit
C:\Windows\{5FF13A05-E1D7-4173-B98B-935A883B12BA}.exe

Filesize
64KB

MD5
3aeca2c8834d5d14ae35ffc7589c2746

SHA1
69293cee892841afe2882b95f5033a657d3d0959

SHA256
7beb3521c6b8874398e7fd8bc55efb63aecd5cd2ff92c7f58f90a9d971266b49

SHA512
62b82df5db149be8222f5ff80451d65a87a9fa1344951372105b232c823c506ceba66a7ce8ad80b3c2646ecfd604fd98c1c314e611d9190ea16d45fe286dacce

Download Submit
C:\Windows\{77280034-E9CE-44a5-ACB3-E68AE7EFD864}.exe

Filesize
64KB

MD5
0b713b044b0c7de182c8d07cd4bffcce

SHA1
f517c327d0e394744378545b7fc9739fd190cb5e

SHA256
5a442f8150aa014d1b2524970fe72bbdb17253b2e634782729462486bf563b17

SHA512
08df4af5beeac5fa0c50e17f67e4bd55101762091ac97c3b7b30e377ef7f35b25119a198f726079830d005abf31d419f30757b7d5ca87a8b0aa181667bd0b794

Download Submit
C:\Windows\{809C3102-AB0B-4a68-93C1-CF53A7D69FAA}.exe

Filesize
64KB

MD5
bfdb7c452f04f2f5cb26b45243aacfc2

SHA1
03f771bdf6e122209cde7fd39cde2aadb9718523

SHA256
d8f8c0297d4a69d483336f27ff1541abcd48c3521d7f348d7d599ba1e6396567

SHA512
1e3495cb5012a8546b728b6b9e45502d6eb4da514802df2ea80d73b0bf0555c4aa520c41a18a583bd44fb92c099547391f05577007c6e1dcf2e447203a62a521

Download Submit
C:\Windows\{83EDC8F4-93C7-4958-8B1D-AB8AA35D9A70}.exe

Filesize
64KB

MD5
b3c0fdb5ab48131807bc375204472409

SHA1
832f525c8c4999187d1abeeda1355f7867701696

SHA256
43be077e6b2665f1942debc9c529e372be97b228a60227ac81bd3ce667f1ce30

SHA512
68be9963b92c12556b3f82c3f0455408327545b19985e042a8b6e218fe5f34a5f86d32b9b62ec578d0c39a1fa042dac833b25d7126a678b851417b4829af6e52

Download Submit
C:\Windows\{8A56B842-141C-4ba4-9DA6-178CF4ACC110}.exe

Filesize
64KB

MD5
00ca39033a66c9332383c82116e7d2a7

SHA1
7cfc9fd0a64b0ae908151e9dce776fd6463796d6

SHA256
7d4781b1f443e47f688193a64e3e70f0f1d6c8437bd67fa19bb3682b92f91a52

SHA512
5b2c98b4508397058ef91698bbe7bd464b08f76b85fe633a591968aa6999e0bcc1a80d6365ef1b5670b9018568737811df34558258147d1efa59c0a3fd0ee16c

Download Submit
C:\Windows\{8D81BD62-2CAE-4969-95CE-9DCD49A3DA2B}.exe

Filesize
64KB

MD5
16f60cbce9afe15bd7f893a3011551b1

SHA1
4207565c016e38a6644f130975af4703af17e0fe

SHA256
0685ac364c7cfab2823ba222154454d24a7a885b2f46dfb0e2e858c1f35b6ba2

SHA512
11b21cb69018da59dc4e6626b5db0fc56fb5060cb7fd05721c1aeb2c3f1eec3053f10488f6cfc819954564e27ac3047329a5181d31f44c4e4fd2938037089a74

Download Submit
C:\Windows\{CF48D8E9-A940-4c2e-A222-6A900F516BF4}.exe

Filesize
64KB

MD5
344be9d71a0f51ed63a62bef083fefae

SHA1
f223bb2dc1b47de07e4abc22065651a688a12c50

SHA256
7a2b39e66ddd6bf0674cd4b71abc66dad01228f0131515fd4e874629f6ff96ec

SHA512
802c59acbc2ddb50772983440c42bacf8300dd58206128d2358253c7fbe64b95e38fedc960789c8ae1298f0a61addea044f755400800d22280bb9e1376955f8b

Download Submit
C:\Windows\{E0C19C14-243F-42e2-8B15-72D91AB144A1}.exe

Filesize
64KB

MD5
dfcde109155c725cea01534543508ed7

SHA1
03bcb0ab4868d052fa065c5bd1bb1137708ee238

SHA256
fab06fb4fcc1e588ba4eab22c0fa7da1fda7ea5d7dc51cf55ba47fae59c6cdb2

SHA512
e2178b3712428ba4b923ecf58719a17b1e6670249493805af7744f4f69ec4b1f20cfc63f889829016b3c1d3dd37ee9d17d5e32873ce9a4e30782bde04dabaf6e

Download Submit
memory/560-87-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/560-94-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/908-96-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1508-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2064-86-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2064-78-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2152-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2152-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2176-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2176-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2176-8-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2176-7-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2180-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2180-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2488-76-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2600-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2600-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2648-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2944-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2944-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3024-43-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads