ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b.exe
Size

64KB
MD5

8d558a56bccc3dfda4843aee4d6cb66d
SHA1

804dac5822215b841ae6d1ef28a71075c4ca3f0a
SHA256

ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b
SHA512

f4f551f7cd716a27b50bd126766680e5c59fadcd4d35dd48b84bc67d8afa8226672b67abd194d605089e7e358ba9a0cffbc508c4a68e01b34d0e72fe3a9217fd
SSDEEP

384:ObLwOs8AHsc4zMfwhKQLroO4/CFsrdHWMZc:Ovw981JvhKQLroO4/wQpWMZc

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 30 IoCs

resource	yara_rule
behavioral1/memory/2512-0-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000b000000014284-5.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2716-8-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2512-9-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x00350000000144e1-17.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2556-18-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2716-16-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2736-27-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2556-26-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000c000000014284-25.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2736-35-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x00350000000144e9-34.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1644-36-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0004000000004ed7-44.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1644-43-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2772-45-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2772-53-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000d000000014284-52.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0005000000004ed7-61.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1068-60-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2324-62-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2324-70-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000e000000014284-69.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2416-79-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0006000000004ed7-78.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1520-77-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2416-87-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000f000000014284-86.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/684-95-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0007000000004ed7-94.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{693D07E8-3EE5-4846-B597-5A0EEEF00544}	ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE216130-B04B-46cd-A525-A7D32659C628}\stubpath = "C:\\Windows\\{DE216130-B04B-46cd-A525-A7D32659C628}.exe"	{BB825046-3BDC-4cde-9742-F7296444A836}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{303DCA89-F681-491f-85BA-0464C49ECBA7}\stubpath = "C:\\Windows\\{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe"	{DE216130-B04B-46cd-A525-A7D32659C628}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}	{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF9CC778-D081-44f4-80C1-AB9CEE6531D9}\stubpath = "C:\\Windows\\{DF9CC778-D081-44f4-80C1-AB9CEE6531D9}.exe"	{B35D1C54-3518-4434-A3BD-8E63EB0324FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B35D1C54-3518-4434-A3BD-8E63EB0324FE}	{7C7E3560-9A0C-499c-BFFA-15E4A56092FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B35D1C54-3518-4434-A3BD-8E63EB0324FE}\stubpath = "C:\\Windows\\{B35D1C54-3518-4434-A3BD-8E63EB0324FE}.exe"	{7C7E3560-9A0C-499c-BFFA-15E4A56092FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49392820-7C9F-4a78-B275-9D31DBBF30C9}	{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42C0842A-F019-45e7-88C3-0086B2F90AEE}	{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB825046-3BDC-4cde-9742-F7296444A836}	{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{303DCA89-F681-491f-85BA-0464C49ECBA7}	{DE216130-B04B-46cd-A525-A7D32659C628}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}\stubpath = "C:\\Windows\\{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe"	{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C7E3560-9A0C-499c-BFFA-15E4A56092FB}	{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF9CC778-D081-44f4-80C1-AB9CEE6531D9}	{B35D1C54-3518-4434-A3BD-8E63EB0324FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B348B6C-C7AD-45d3-957F-B5281AF67684}	{DF9CC778-D081-44f4-80C1-AB9CEE6531D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{693D07E8-3EE5-4846-B597-5A0EEEF00544}\stubpath = "C:\\Windows\\{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe"	ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49392820-7C9F-4a78-B275-9D31DBBF30C9}\stubpath = "C:\\Windows\\{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe"	{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB825046-3BDC-4cde-9742-F7296444A836}\stubpath = "C:\\Windows\\{BB825046-3BDC-4cde-9742-F7296444A836}.exe"	{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE216130-B04B-46cd-A525-A7D32659C628}	{BB825046-3BDC-4cde-9742-F7296444A836}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B348B6C-C7AD-45d3-957F-B5281AF67684}\stubpath = "C:\\Windows\\{8B348B6C-C7AD-45d3-957F-B5281AF67684}.exe"	{DF9CC778-D081-44f4-80C1-AB9CEE6531D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42C0842A-F019-45e7-88C3-0086B2F90AEE}\stubpath = "C:\\Windows\\{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe"	{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C7E3560-9A0C-499c-BFFA-15E4A56092FB}\stubpath = "C:\\Windows\\{7C7E3560-9A0C-499c-BFFA-15E4A56092FB}.exe"	{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe

Deletes itself 1 IoCs

pid	Process
2120	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2716	{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe
2556	{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe
2736	{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe
1644	{BB825046-3BDC-4cde-9742-F7296444A836}.exe
2772	{DE216130-B04B-46cd-A525-A7D32659C628}.exe
1068	{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe
2324	{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe
1520	{7C7E3560-9A0C-499c-BFFA-15E4A56092FB}.exe
2416	{B35D1C54-3518-4434-A3BD-8E63EB0324FE}.exe
684	{DF9CC778-D081-44f4-80C1-AB9CEE6531D9}.exe
1012	{8B348B6C-C7AD-45d3-957F-B5281AF67684}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe	{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe
File created	C:\Windows\{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe	{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe
File created	C:\Windows\{BB825046-3BDC-4cde-9742-F7296444A836}.exe	{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe
File created	C:\Windows\{DE216130-B04B-46cd-A525-A7D32659C628}.exe	{BB825046-3BDC-4cde-9742-F7296444A836}.exe
File created	C:\Windows\{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe	{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe
File created	C:\Windows\{7C7E3560-9A0C-499c-BFFA-15E4A56092FB}.exe	{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe
File created	C:\Windows\{DF9CC778-D081-44f4-80C1-AB9CEE6531D9}.exe	{B35D1C54-3518-4434-A3BD-8E63EB0324FE}.exe
File created	C:\Windows\{8B348B6C-C7AD-45d3-957F-B5281AF67684}.exe	{DF9CC778-D081-44f4-80C1-AB9CEE6531D9}.exe
File created	C:\Windows\{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe	ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b.exe
File created	C:\Windows\{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe	{DE216130-B04B-46cd-A525-A7D32659C628}.exe
File created	C:\Windows\{B35D1C54-3518-4434-A3BD-8E63EB0324FE}.exe	{7C7E3560-9A0C-499c-BFFA-15E4A56092FB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2512	ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b.exe
Token: SeIncBasePriorityPrivilege	2716	{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe
Token: SeIncBasePriorityPrivilege	2556	{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe
Token: SeIncBasePriorityPrivilege	2736	{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe
Token: SeIncBasePriorityPrivilege	1644	{BB825046-3BDC-4cde-9742-F7296444A836}.exe
Token: SeIncBasePriorityPrivilege	2772	{DE216130-B04B-46cd-A525-A7D32659C628}.exe
Token: SeIncBasePriorityPrivilege	1068	{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe
Token: SeIncBasePriorityPrivilege	2324	{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe
Token: SeIncBasePriorityPrivilege	1520	{7C7E3560-9A0C-499c-BFFA-15E4A56092FB}.exe
Token: SeIncBasePriorityPrivilege	2416	{B35D1C54-3518-4434-A3BD-8E63EB0324FE}.exe
Token: SeIncBasePriorityPrivilege	684	{DF9CC778-D081-44f4-80C1-AB9CEE6531D9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2716	2512	ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b.exe	28
PID 2512 wrote to memory of 2716	2512	ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b.exe	28
PID 2512 wrote to memory of 2716	2512	ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b.exe	28
PID 2512 wrote to memory of 2716	2512	ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b.exe	28
PID 2512 wrote to memory of 2120	2512	ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b.exe	29
PID 2512 wrote to memory of 2120	2512	ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b.exe	29
PID 2512 wrote to memory of 2120	2512	ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b.exe	29
PID 2512 wrote to memory of 2120	2512	ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b.exe	29
PID 2716 wrote to memory of 2556	2716	{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe	30
PID 2716 wrote to memory of 2556	2716	{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe	30
PID 2716 wrote to memory of 2556	2716	{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe	30
PID 2716 wrote to memory of 2556	2716	{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe	30
PID 2716 wrote to memory of 2704	2716	{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe	31
PID 2716 wrote to memory of 2704	2716	{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe	31
PID 2716 wrote to memory of 2704	2716	{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe	31
PID 2716 wrote to memory of 2704	2716	{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe	31
PID 2556 wrote to memory of 2736	2556	{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe	32
PID 2556 wrote to memory of 2736	2556	{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe	32
PID 2556 wrote to memory of 2736	2556	{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe	32
PID 2556 wrote to memory of 2736	2556	{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe	32
PID 2556 wrote to memory of 2496	2556	{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe	33
PID 2556 wrote to memory of 2496	2556	{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe	33
PID 2556 wrote to memory of 2496	2556	{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe	33
PID 2556 wrote to memory of 2496	2556	{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe	33
PID 2736 wrote to memory of 1644	2736	{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe	36
PID 2736 wrote to memory of 1644	2736	{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe	36
PID 2736 wrote to memory of 1644	2736	{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe	36
PID 2736 wrote to memory of 1644	2736	{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe	36
PID 2736 wrote to memory of 2500	2736	{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe	37
PID 2736 wrote to memory of 2500	2736	{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe	37
PID 2736 wrote to memory of 2500	2736	{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe	37
PID 2736 wrote to memory of 2500	2736	{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe	37
PID 1644 wrote to memory of 2772	1644	{BB825046-3BDC-4cde-9742-F7296444A836}.exe	38
PID 1644 wrote to memory of 2772	1644	{BB825046-3BDC-4cde-9742-F7296444A836}.exe	38
PID 1644 wrote to memory of 2772	1644	{BB825046-3BDC-4cde-9742-F7296444A836}.exe	38
PID 1644 wrote to memory of 2772	1644	{BB825046-3BDC-4cde-9742-F7296444A836}.exe	38
PID 1644 wrote to memory of 904	1644	{BB825046-3BDC-4cde-9742-F7296444A836}.exe	39
PID 1644 wrote to memory of 904	1644	{BB825046-3BDC-4cde-9742-F7296444A836}.exe	39
PID 1644 wrote to memory of 904	1644	{BB825046-3BDC-4cde-9742-F7296444A836}.exe	39
PID 1644 wrote to memory of 904	1644	{BB825046-3BDC-4cde-9742-F7296444A836}.exe	39
PID 2772 wrote to memory of 1068	2772	{DE216130-B04B-46cd-A525-A7D32659C628}.exe	40
PID 2772 wrote to memory of 1068	2772	{DE216130-B04B-46cd-A525-A7D32659C628}.exe	40
PID 2772 wrote to memory of 1068	2772	{DE216130-B04B-46cd-A525-A7D32659C628}.exe	40
PID 2772 wrote to memory of 1068	2772	{DE216130-B04B-46cd-A525-A7D32659C628}.exe	40
PID 2772 wrote to memory of 2200	2772	{DE216130-B04B-46cd-A525-A7D32659C628}.exe	41
PID 2772 wrote to memory of 2200	2772	{DE216130-B04B-46cd-A525-A7D32659C628}.exe	41
PID 2772 wrote to memory of 2200	2772	{DE216130-B04B-46cd-A525-A7D32659C628}.exe	41
PID 2772 wrote to memory of 2200	2772	{DE216130-B04B-46cd-A525-A7D32659C628}.exe	41
PID 1068 wrote to memory of 2324	1068	{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe	42
PID 1068 wrote to memory of 2324	1068	{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe	42
PID 1068 wrote to memory of 2324	1068	{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe	42
PID 1068 wrote to memory of 2324	1068	{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe	42
PID 1068 wrote to memory of 1672	1068	{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe	43
PID 1068 wrote to memory of 1672	1068	{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe	43
PID 1068 wrote to memory of 1672	1068	{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe	43
PID 1068 wrote to memory of 1672	1068	{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe	43
PID 2324 wrote to memory of 1520	2324	{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe	44
PID 2324 wrote to memory of 1520	2324	{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe	44
PID 2324 wrote to memory of 1520	2324	{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe	44
PID 2324 wrote to memory of 1520	2324	{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe	44
PID 2324 wrote to memory of 2104	2324	{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe	45
PID 2324 wrote to memory of 2104	2324	{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe	45
PID 2324 wrote to memory of 2104	2324	{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe	45
PID 2324 wrote to memory of 2104	2324	{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe	45

C:\Users\Admin\AppData\Local\Temp\ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b.exe
"C:\Users\Admin\AppData\Local\Temp\ee39372e322afac4d4414097ce2d1721582da921c31ecc631dd81f20d2ac652b.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe
  C:\Windows\{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe
    C:\Windows\{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe
      C:\Windows\{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\{BB825046-3BDC-4cde-9742-F7296444A836}.exe
        
        C:\Windows\{BB825046-3BDC-4cde-9742-F7296444A836}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
      - C:\Windows\{DE216130-B04B-46cd-A525-A7D32659C628}.exe
        
        C:\Windows\{DE216130-B04B-46cd-A525-A7D32659C628}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe
        
        C:\Windows\{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe
        
        C:\Windows\{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\{7C7E3560-9A0C-499c-BFFA-15E4A56092FB}.exe
        
        C:\Windows\{7C7E3560-9A0C-499c-BFFA-15E4A56092FB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\{B35D1C54-3518-4434-A3BD-8E63EB0324FE}.exe
        
        C:\Windows\{B35D1C54-3518-4434-A3BD-8E63EB0324FE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\{DF9CC778-D081-44f4-80C1-AB9CEE6531D9}.exe
        
        C:\Windows\{DF9CC778-D081-44f4-80C1-AB9CEE6531D9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Windows\{8B348B6C-C7AD-45d3-957F-B5281AF67684}.exe
        
        C:\Windows\{8B348B6C-C7AD-45d3-957F-B5281AF67684}.exe
        12⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF9CC~1.EXE > nul
        12⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B35D1~1.EXE > nul
        11⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C7E3~1.EXE > nul
        10⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41D98~1.EXE > nul
        9⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{303DC~1.EXE > nul
        8⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE216~1.EXE > nul
        7⤵
        
        PID:2200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB825~1.EXE > nul
        6⤵
        
        PID:904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42C08~1.EXE > nul
        5⤵
        
        PID:2500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{49392~1.EXE > nul
      4⤵
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{693D0~1.EXE > nul
    3⤵
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EE3937~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{303DCA89-F681-491f-85BA-0464C49ECBA7}.exe

Filesize
64KB

MD5
10fa31e51aa2646fec5c363ac37b8f16

SHA1
605b17ee20ca5a1d134c5abe781e9925d989cb61

SHA256
99a99767d9a58a755b0c1c64899bf465be153d2274dab5465b80f5cfc98c2a17

SHA512
7b3ba55eff6d6378b711e8ccf2cc1d3dc07544721a75e8a192f91c0523ded5bb64343c13f71b7bc5a7a9c615cca20ee10c1bbe83e675df2b0fd90748a582dfce

Download Submit
C:\Windows\{41D9821D-B04E-41f8-B3DD-74BD09CDFC35}.exe

Filesize
64KB

MD5
d7171bd90a11b9ec27f8b66d4ecb8394

SHA1
6cb622be46c5eb24ce92d2ec26b5868120403b67

SHA256
7b765b02646c05c0be1542b7f467741c192d711a1ad5baf70009e93507fda815

SHA512
071a24052ab703f845c385230cc1d30c6d4e68c60a9099a18c5650208c1aca87c6e684d625e1abbd69f59fc876b0109f2df31201e9b05d0c850afb7314e80b07

Download Submit
C:\Windows\{42C0842A-F019-45e7-88C3-0086B2F90AEE}.exe

Filesize
64KB

MD5
6798609acc945e870f4cf30476639f9a

SHA1
d2bf1eccc763197cc591ae4e40315a6f581db74b

SHA256
eb16ec92659ade34ac026754a712f23178c197706d426de343bef9422f74fed1

SHA512
4b4c5374d9f5d49697dd1303e29c448eb93962f58678c50fe785e24a70b71e492d0fb7598076ccb62f5f9f7fa0db780fd627b0c678f385107b9d0b2df8eddc5b

Download Submit
C:\Windows\{49392820-7C9F-4a78-B275-9D31DBBF30C9}.exe

Filesize
64KB

MD5
19114ad88d95a46e22cfd6a9b32cbbf0

SHA1
35571a5fac36a0434ad6a1ad8938b7f8b4a774f4

SHA256
c30f475ba71f7a71e2c2067a5f0a3d1f0acef0845270881a32db9f385c5ba12c

SHA512
c88e3ea77cf3c8ec17665a6e80f13195808069af833fe8f57e4ea5d3d801684c695aafd1ca3df135e7bd4db7e1316888e41a8c84641fade11392c2d92d540ea3

Download Submit
C:\Windows\{693D07E8-3EE5-4846-B597-5A0EEEF00544}.exe

Filesize
64KB

MD5
a1c33010aa658005a84672eb234b98a5

SHA1
9d7de9786076da448adebb59e5f34d4b9594c020

SHA256
f479e80e7d36d59bd136fc7ca20c4db314fd370838176640189fb760209bfd0d

SHA512
33ff8ac7ffe894516eeaa51b6369acb918f6078f580c5eee14721660e35e54606e5eb351dbd8aeb1d2c4b0c4a1a12951715030301dbbbff2e5baf3601f190209

Download Submit
C:\Windows\{7C7E3560-9A0C-499c-BFFA-15E4A56092FB}.exe

Filesize
64KB

MD5
92f3599f87fafe32d482f22e0b431a94

SHA1
ad7fa19e0fadf09d58fcace6962ac6a99d2b91e0

SHA256
62387bbe3533784ad1f050ebae84193e4365f2819f21b2bc13d3d49a071d13a9

SHA512
c8484a5cb33e000ef32c053c70a99ceeed2786b192e8bdea7fc817f7bf68d41f612f89cfd5c4f9466de4d3bc48c6c73f993478fbcbf9e8430b15f3862f7b05ed

Download Submit
C:\Windows\{8B348B6C-C7AD-45d3-957F-B5281AF67684}.exe

Filesize
64KB

MD5
a451e05ad6c11d402bc291243f17c04d

SHA1
6da038c32e912ecb1b26c9692e94e7eace3b27f1

SHA256
cd9df403d9ab41f7121af05c06e1406eca94ae291f289b810d147d48b3573646

SHA512
3b15314a24b4ac5dad4048a0a6e687ec8fc3931d3957cf5cbbdecf59450e60678f6b0e7f9d44413cdd3014f832dade2138d6cb6f17df5385b008009fbd412e9e

Download Submit
C:\Windows\{B35D1C54-3518-4434-A3BD-8E63EB0324FE}.exe

Filesize
64KB

MD5
f7daceaa8673499f440312a9c9224190

SHA1
72adde8dd878b542be158b874192507e20976bf3

SHA256
685b321df035fdcf40c8914233046d34c965d86a3adcaeb83b385ff1c497ad2d

SHA512
80626a195a3b1e3b52968cb1a94a040ab67e5214748ccdee7b6ed2852ed0a07d7723fb62427353d412e8f402661f4ef1c878970cb57153a5c99234be8c4ae6b2

Download Submit
C:\Windows\{BB825046-3BDC-4cde-9742-F7296444A836}.exe

Filesize
64KB

MD5
54c9a54f7aa478ee4b06c1a2397579c1

SHA1
b59b0a3fb7099161c8a1627c76c70e454e2e65c5

SHA256
ce1862f65e068d1415cd21df70c2d56914c42234deed5676a4bf440f85937b66

SHA512
803a7752616b470fcc6d8ee052ba388eb82420e32393f3d515951245d952e801309ec77fb1a2996c4a9bdf0126ebf5bd792cb31fe9d37e586123d8e82919d557

Download Submit
C:\Windows\{DE216130-B04B-46cd-A525-A7D32659C628}.exe

Filesize
64KB

MD5
1a6f79273cf8d02f575818c7680c7fdd

SHA1
5f7e715f5f84e2bd68ebbdb1312dc9aa7ec58ae3

SHA256
c41a689815b24d87bc4139231f5ad9cdfdcd735bb7941d08b3496f906d252a0a

SHA512
74954381d10dd37ff34064959eb6bb03d2b5406656bbe5ee59a58076ff21159c65c8a95706467d8a2d203cf3dfe6a07e5efa475b3eb26dacd7ce48eac12ff2f6

Download Submit
C:\Windows\{DF9CC778-D081-44f4-80C1-AB9CEE6531D9}.exe

Filesize
64KB

MD5
4b0555853df46c09b9f341be6bd7ea58

SHA1
fdbcea6235f6fc5f60a8be97b920ad506fe40363

SHA256
a9a35f00d6f2fa10fa398ed8480a547bb75a6279c6916f40432895bc3ef9279d

SHA512
6243bc0cac2f0714555ce9e8c3ad0de9902062b60881309261b205d36836bc8bafba2415b5281bcc404c75edebe7cf82e9e23e663501d1832489e5aab71f6bbe

Download Submit
memory/684-95-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1068-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1520-77-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1644-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1644-43-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2324-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2324-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2416-79-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2416-87-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2512-7-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2512-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2512-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2556-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2556-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2716-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2716-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2736-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2736-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2772-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2772-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads