cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 03:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be.exe
Size

64KB
MD5

36f5995892b0bf8a1c7cbc38a678d074
SHA1

43bbf757b37bdee1c81b5928e0d46403386da1ea
SHA256

cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be
SHA512

2973482224a653426b704725483af037b129c9d1c35edf3ebb6ab842d1f17b428b90f4c8fddf3a0cbf1bd821364d8f4d55ad63f51ab8f0d41018ccfa7165ce3d
SSDEEP

768:Ovw9816mhKQLroCr4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdB:6EG00oCrlwWMZQcpmgDagIyS1loL7WrB

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 34 IoCs

resource	yara_rule
behavioral1/memory/2748-0-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2748-3-0x0000000000270000-0x0000000000280000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000b0000000133b9-6.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2092-9-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2748-10-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2092-17-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2668-19-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000a00000001342b-18.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000c0000000133b9-26.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2668-27-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2508-28-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000a000000013928-36.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2508-35-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1820-37-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0006000000005a59-47.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1820-46-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1820-44-0x0000000000200000-0x0000000000210000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1900-48-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2808-57-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000d0000000133b9-56.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1900-55-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2808-65-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0007000000005a59-64.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1664-73-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000e0000000133b9-72.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1440-74-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0008000000005a59-82.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1440-81-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2256-83-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000f0000000133b9-91.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2256-90-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1512-98-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/844-100-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0009000000005a59-99.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10E99974-E91D-4b14-A9AD-0130C24B1A83}	cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D501EDCA-7E3E-4032-AA41-BA236E969FBA}\stubpath = "C:\\Windows\\{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe"	{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}	{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10E99974-E91D-4b14-A9AD-0130C24B1A83}\stubpath = "C:\\Windows\\{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe"	cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{394024DC-4D20-4893-9EAA-ABD96CAD1612}	{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44D609E2-EB23-467e-BD28-3275AF64E133}	{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44D609E2-EB23-467e-BD28-3275AF64E133}\stubpath = "C:\\Windows\\{44D609E2-EB23-467e-BD28-3275AF64E133}.exe"	{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{824ED742-E5D0-466a-8FCB-616D40084E43}	{44D609E2-EB23-467e-BD28-3275AF64E133}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}\stubpath = "C:\\Windows\\{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe"	{824ED742-E5D0-466a-8FCB-616D40084E43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{782931E2-614A-4630-86F9-D9FB2D45243F}	{2B64C07A-8725-44cc-9D7E-ACAA63A05C15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{824ED742-E5D0-466a-8FCB-616D40084E43}\stubpath = "C:\\Windows\\{824ED742-E5D0-466a-8FCB-616D40084E43}.exe"	{44D609E2-EB23-467e-BD28-3275AF64E133}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2E0623A-C59E-40cf-A515-E3667CE7A698}	{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2BBC2B6-17FF-4371-A281-A98A984F08D1}\stubpath = "C:\\Windows\\{F2BBC2B6-17FF-4371-A281-A98A984F08D1}.exe"	{F2E0623A-C59E-40cf-A515-E3667CE7A698}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B64C07A-8725-44cc-9D7E-ACAA63A05C15}\stubpath = "C:\\Windows\\{2B64C07A-8725-44cc-9D7E-ACAA63A05C15}.exe"	{F2BBC2B6-17FF-4371-A281-A98A984F08D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{394024DC-4D20-4893-9EAA-ABD96CAD1612}\stubpath = "C:\\Windows\\{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe"	{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}	{824ED742-E5D0-466a-8FCB-616D40084E43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D501EDCA-7E3E-4032-AA41-BA236E969FBA}	{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}\stubpath = "C:\\Windows\\{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe"	{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2E0623A-C59E-40cf-A515-E3667CE7A698}\stubpath = "C:\\Windows\\{F2E0623A-C59E-40cf-A515-E3667CE7A698}.exe"	{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2BBC2B6-17FF-4371-A281-A98A984F08D1}	{F2E0623A-C59E-40cf-A515-E3667CE7A698}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B64C07A-8725-44cc-9D7E-ACAA63A05C15}	{F2BBC2B6-17FF-4371-A281-A98A984F08D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{782931E2-614A-4630-86F9-D9FB2D45243F}\stubpath = "C:\\Windows\\{782931E2-614A-4630-86F9-D9FB2D45243F}.exe"	{2B64C07A-8725-44cc-9D7E-ACAA63A05C15}.exe

Deletes itself 1 IoCs

pid	Process
2100	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2092	{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe
2668	{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe
2508	{44D609E2-EB23-467e-BD28-3275AF64E133}.exe
1820	{824ED742-E5D0-466a-8FCB-616D40084E43}.exe
1900	{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe
2808	{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe
1664	{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe
1440	{F2E0623A-C59E-40cf-A515-E3667CE7A698}.exe
2256	{F2BBC2B6-17FF-4371-A281-A98A984F08D1}.exe
1512	{2B64C07A-8725-44cc-9D7E-ACAA63A05C15}.exe
844	{782931E2-614A-4630-86F9-D9FB2D45243F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{44D609E2-EB23-467e-BD28-3275AF64E133}.exe	{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe
File created	C:\Windows\{824ED742-E5D0-466a-8FCB-616D40084E43}.exe	{44D609E2-EB23-467e-BD28-3275AF64E133}.exe
File created	C:\Windows\{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe	{824ED742-E5D0-466a-8FCB-616D40084E43}.exe
File created	C:\Windows\{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe	{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe
File created	C:\Windows\{F2E0623A-C59E-40cf-A515-E3667CE7A698}.exe	{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe
File created	C:\Windows\{F2BBC2B6-17FF-4371-A281-A98A984F08D1}.exe	{F2E0623A-C59E-40cf-A515-E3667CE7A698}.exe
File created	C:\Windows\{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe	cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be.exe
File created	C:\Windows\{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe	{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe
File created	C:\Windows\{2B64C07A-8725-44cc-9D7E-ACAA63A05C15}.exe	{F2BBC2B6-17FF-4371-A281-A98A984F08D1}.exe
File created	C:\Windows\{782931E2-614A-4630-86F9-D9FB2D45243F}.exe	{2B64C07A-8725-44cc-9D7E-ACAA63A05C15}.exe
File created	C:\Windows\{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe	{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2748	cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be.exe
Token: SeIncBasePriorityPrivilege	2092	{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe
Token: SeIncBasePriorityPrivilege	2668	{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe
Token: SeIncBasePriorityPrivilege	2508	{44D609E2-EB23-467e-BD28-3275AF64E133}.exe
Token: SeIncBasePriorityPrivilege	1820	{824ED742-E5D0-466a-8FCB-616D40084E43}.exe
Token: SeIncBasePriorityPrivilege	1900	{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe
Token: SeIncBasePriorityPrivilege	2808	{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe
Token: SeIncBasePriorityPrivilege	1664	{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe
Token: SeIncBasePriorityPrivilege	1440	{F2E0623A-C59E-40cf-A515-E3667CE7A698}.exe
Token: SeIncBasePriorityPrivilege	2256	{F2BBC2B6-17FF-4371-A281-A98A984F08D1}.exe
Token: SeIncBasePriorityPrivilege	1512	{2B64C07A-8725-44cc-9D7E-ACAA63A05C15}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2092	2748	cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be.exe	28
PID 2748 wrote to memory of 2092	2748	cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be.exe	28
PID 2748 wrote to memory of 2092	2748	cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be.exe	28
PID 2748 wrote to memory of 2092	2748	cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be.exe	28
PID 2748 wrote to memory of 2100	2748	cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be.exe	29
PID 2748 wrote to memory of 2100	2748	cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be.exe	29
PID 2748 wrote to memory of 2100	2748	cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be.exe	29
PID 2748 wrote to memory of 2100	2748	cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be.exe	29
PID 2092 wrote to memory of 2668	2092	{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe	30
PID 2092 wrote to memory of 2668	2092	{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe	30
PID 2092 wrote to memory of 2668	2092	{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe	30
PID 2092 wrote to memory of 2668	2092	{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe	30
PID 2092 wrote to memory of 2476	2092	{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe	31
PID 2092 wrote to memory of 2476	2092	{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe	31
PID 2092 wrote to memory of 2476	2092	{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe	31
PID 2092 wrote to memory of 2476	2092	{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe	31
PID 2668 wrote to memory of 2508	2668	{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe	32
PID 2668 wrote to memory of 2508	2668	{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe	32
PID 2668 wrote to memory of 2508	2668	{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe	32
PID 2668 wrote to memory of 2508	2668	{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe	32
PID 2668 wrote to memory of 2704	2668	{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe	33
PID 2668 wrote to memory of 2704	2668	{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe	33
PID 2668 wrote to memory of 2704	2668	{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe	33
PID 2668 wrote to memory of 2704	2668	{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe	33
PID 2508 wrote to memory of 1820	2508	{44D609E2-EB23-467e-BD28-3275AF64E133}.exe	36
PID 2508 wrote to memory of 1820	2508	{44D609E2-EB23-467e-BD28-3275AF64E133}.exe	36
PID 2508 wrote to memory of 1820	2508	{44D609E2-EB23-467e-BD28-3275AF64E133}.exe	36
PID 2508 wrote to memory of 1820	2508	{44D609E2-EB23-467e-BD28-3275AF64E133}.exe	36
PID 2508 wrote to memory of 2780	2508	{44D609E2-EB23-467e-BD28-3275AF64E133}.exe	37
PID 2508 wrote to memory of 2780	2508	{44D609E2-EB23-467e-BD28-3275AF64E133}.exe	37
PID 2508 wrote to memory of 2780	2508	{44D609E2-EB23-467e-BD28-3275AF64E133}.exe	37
PID 2508 wrote to memory of 2780	2508	{44D609E2-EB23-467e-BD28-3275AF64E133}.exe	37
PID 1820 wrote to memory of 1900	1820	{824ED742-E5D0-466a-8FCB-616D40084E43}.exe	38
PID 1820 wrote to memory of 1900	1820	{824ED742-E5D0-466a-8FCB-616D40084E43}.exe	38
PID 1820 wrote to memory of 1900	1820	{824ED742-E5D0-466a-8FCB-616D40084E43}.exe	38
PID 1820 wrote to memory of 1900	1820	{824ED742-E5D0-466a-8FCB-616D40084E43}.exe	38
PID 1820 wrote to memory of 2844	1820	{824ED742-E5D0-466a-8FCB-616D40084E43}.exe	39
PID 1820 wrote to memory of 2844	1820	{824ED742-E5D0-466a-8FCB-616D40084E43}.exe	39
PID 1820 wrote to memory of 2844	1820	{824ED742-E5D0-466a-8FCB-616D40084E43}.exe	39
PID 1820 wrote to memory of 2844	1820	{824ED742-E5D0-466a-8FCB-616D40084E43}.exe	39
PID 1900 wrote to memory of 2808	1900	{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe	40
PID 1900 wrote to memory of 2808	1900	{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe	40
PID 1900 wrote to memory of 2808	1900	{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe	40
PID 1900 wrote to memory of 2808	1900	{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe	40
PID 1900 wrote to memory of 2108	1900	{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe	41
PID 1900 wrote to memory of 2108	1900	{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe	41
PID 1900 wrote to memory of 2108	1900	{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe	41
PID 1900 wrote to memory of 2108	1900	{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe	41
PID 2808 wrote to memory of 1664	2808	{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe	42
PID 2808 wrote to memory of 1664	2808	{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe	42
PID 2808 wrote to memory of 1664	2808	{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe	42
PID 2808 wrote to memory of 1664	2808	{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe	42
PID 2808 wrote to memory of 1628	2808	{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe	43
PID 2808 wrote to memory of 1628	2808	{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe	43
PID 2808 wrote to memory of 1628	2808	{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe	43
PID 2808 wrote to memory of 1628	2808	{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe	43
PID 1664 wrote to memory of 1440	1664	{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe	44
PID 1664 wrote to memory of 1440	1664	{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe	44
PID 1664 wrote to memory of 1440	1664	{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe	44
PID 1664 wrote to memory of 1440	1664	{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe	44
PID 1664 wrote to memory of 1684	1664	{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe	45
PID 1664 wrote to memory of 1684	1664	{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe	45
PID 1664 wrote to memory of 1684	1664	{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe	45
PID 1664 wrote to memory of 1684	1664	{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe	45

C:\Users\Admin\AppData\Local\Temp\cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be.exe
"C:\Users\Admin\AppData\Local\Temp\cd98d21815f944595f9aa2fbb80d02a330d7abf07025481d1d631251ced255be.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe
  C:\Windows\{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe
    C:\Windows\{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\{44D609E2-EB23-467e-BD28-3275AF64E133}.exe
      C:\Windows\{44D609E2-EB23-467e-BD28-3275AF64E133}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Windows\{824ED742-E5D0-466a-8FCB-616D40084E43}.exe
        
        C:\Windows\{824ED742-E5D0-466a-8FCB-616D40084E43}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
      - C:\Windows\{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe
        
        C:\Windows\{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe
        
        C:\Windows\{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe
        
        C:\Windows\{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{F2E0623A-C59E-40cf-A515-E3667CE7A698}.exe
        
        C:\Windows\{F2E0623A-C59E-40cf-A515-E3667CE7A698}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\{F2BBC2B6-17FF-4371-A281-A98A984F08D1}.exe
        
        C:\Windows\{F2BBC2B6-17FF-4371-A281-A98A984F08D1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\{2B64C07A-8725-44cc-9D7E-ACAA63A05C15}.exe
        
        C:\Windows\{2B64C07A-8725-44cc-9D7E-ACAA63A05C15}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\{782931E2-614A-4630-86F9-D9FB2D45243F}.exe
        
        C:\Windows\{782931E2-614A-4630-86F9-D9FB2D45243F}.exe
        12⤵
        Executes dropped EXE
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B64C~1.EXE > nul
        12⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2BBC~1.EXE > nul
        11⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2E06~1.EXE > nul
        10⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DE92~1.EXE > nul
        9⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D501E~1.EXE > nul
        8⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D6AD~1.EXE > nul
        7⤵
        
        PID:2108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{824ED~1.EXE > nul
        6⤵
        
        PID:2844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44D60~1.EXE > nul
        5⤵
        
        PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{39402~1.EXE > nul
      4⤵
      PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{10E99~1.EXE > nul
    3⤵
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CD98D2~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10E99974-E91D-4b14-A9AD-0130C24B1A83}.exe

Filesize
64KB

MD5
f2c56e8a491a05fc455582adc2742430

SHA1
daa8281e401bb1321a3e081b7f16b7df6c960147

SHA256
bce6b2d488d4a82460b0e214b067ad22193735b23977028bbc1f9243763689fc

SHA512
fcb77313db2585b086e700957aa52ad12754c1f73035219a5d6251e2f0924a943066bdb5b0c759851b9d7c6d1f16e525d76285f1e4a3d3be1aa1913e404d1246

Download Submit
C:\Windows\{2B64C07A-8725-44cc-9D7E-ACAA63A05C15}.exe

Filesize
64KB

MD5
3c2a5a138496fd3f9ea20e6af6fcb928

SHA1
b90da673b708083c0e49b033e50f79befa1fa7e4

SHA256
345d61b06ed6a945267d57d361cd5f5ed31bd96a5bbb18af776550a5962aabe0

SHA512
08be980a4b9bbff60cc3baa1d9451c80b53604814db53ad5a39a2695e257c2b9798bc10613a2dd43e6e24e1f61b9a68e0ea736f11b351683c59c34f722d79bc4

Download Submit
C:\Windows\{2DE92317-C3B2-47aa-8BDF-986A6D1D7F21}.exe

Filesize
64KB

MD5
b3c2e1b481e0f754960d0e556ac401c1

SHA1
260471519a4cca3191af2bfca12f561c77372f79

SHA256
57d1de996b1df2b2b696b5acba6e21105554f41776fb9740c7a9454e9fa45548

SHA512
5b3ad3055189e2895f6c2bffaf2e86fbcc4136361dd54621f3fc6ae9197015b4c1ada37d0d8978f65c327b04114f3a577f924476971cca94037272ef449b884e

Download Submit
C:\Windows\{394024DC-4D20-4893-9EAA-ABD96CAD1612}.exe

Filesize
64KB

MD5
9afe9be8cbc7e529a2abb51e1b4c1b4f

SHA1
92459fb3de022004bb71e12bd3f0cc1fb139405c

SHA256
943976e4a93b8f26916bcf7b2b9426a6b7c103f65cbca0dfe22904d3047c5801

SHA512
b90327b3d1d3343fd996afa76ef06c3d4ed44479b54855c168814a9d851e441febe4106caf416322577dda3dd755a3ae6c1dfbc972ceb38dd90070af96133d8d

Download Submit
C:\Windows\{44D609E2-EB23-467e-BD28-3275AF64E133}.exe

Filesize
64KB

MD5
56ff42eb38f51ad11397180e49d3d4c1

SHA1
9614f374a4b93347bd6035bf146fb56f66dc50ce

SHA256
cbcd77de22949fbb0af4b3e773ec1a76f8c7387168983f34dbc3103aab937e89

SHA512
acddb35b53f6be983c74d4ff838a8e3862f02ae1d359bd4c7342935ae1d1525afc464faf72b61aa75921af89fcf36a7008eb97a12a7abf8fc17775e9af9ee399

Download Submit
C:\Windows\{782931E2-614A-4630-86F9-D9FB2D45243F}.exe

Filesize
64KB

MD5
71ed13e7cd86ef9daec2df8280e25815

SHA1
4e1bc1493079fb5accf5a202f9f786c280377440

SHA256
c46b1bcb69cce59c1abbe8ab40716767f68227122bac4d1890274163334576f7

SHA512
26b3d35d6bb23fd5e9491c9f456d4587d50688961078ede48a32a4fd465b2566f55e970553a6f2e1d015dcff77d1fc67db6726bc0d529f5bcd6f840d3a69b0ec

Download Submit
C:\Windows\{824ED742-E5D0-466a-8FCB-616D40084E43}.exe

Filesize
64KB

MD5
2e93f4a9035e71076a6fcf3d7ef3d632

SHA1
37815ccb79735cc9dc8c80bdd66262558026d9a0

SHA256
b62341c5f83953667fbce9e1bb202df66bc5b42ead2a35a9cf2f36b0d34730c6

SHA512
5ea6dcaac920a3ac3b5c4202fb215ac33a19f851629be8e6b4f0d766a6cfc112aa735ea12997bc08060cab0a3849f05b2a9d5fb51ab90bac727a6e153d35d86b

Download Submit
C:\Windows\{9D6ADF27-91A0-49af-87EF-1A1BF4043F07}.exe

Filesize
64KB

MD5
c34cc49e0bacbd231d26ce684b9de056

SHA1
e8790fa72b2ebcdc4d4414a9a89a2c22bd6b0dfb

SHA256
4391c43baf1134d3bb76ec80710b9c3e7d69e55cb704e48fb71ebf878a26a7df

SHA512
dd72bde09ae69dfdc9f1eed49954d2d2736e82d4d6067854b53198e39d85ec1cf5065989570f64f823a534c03dc750bf7fa09e009663b00020a4f07947af1ac4

Download Submit
C:\Windows\{D501EDCA-7E3E-4032-AA41-BA236E969FBA}.exe

Filesize
64KB

MD5
1bb1dd7f76a445d7081fb3890ae21b2d

SHA1
cb34556e1a3b4ee29ede8041a662fa14718f2665

SHA256
1dc48207b7121a2e10667a604543a150e91a0cf5647c474926694f9b945baa9e

SHA512
603017646af87f26a6669304b74a90dc6e8d6e14d360b84aaf073833b4037a0d519894029f896bf230a4b2c1a747a998fbc525743d77065bec972b9d3f6fa727

Download Submit
C:\Windows\{F2BBC2B6-17FF-4371-A281-A98A984F08D1}.exe

Filesize
64KB

MD5
b7f15650fc16fd7a1aec3e70311ae368

SHA1
20be6c009c0eb68a68f4eb2d90e15d7b53a22175

SHA256
858abd64120bd52da8bf56cb264d90a9410e8adf0cd6a3a2bb2d6d0fce749ce7

SHA512
5281b782040a8e1b588f870f4940afa4f90d9eff0c1a0c7f3718edb826707c4db85ef37d1a3982c44bee73eac101cba20998880abe49a5c76b33dbb330ba3349

Download Submit
C:\Windows\{F2E0623A-C59E-40cf-A515-E3667CE7A698}.exe

Filesize
64KB

MD5
57e01c7b45b85ddd447f5aaab7509e3d

SHA1
3d26ac2e21a218a8674e0d19e924e98e6b52eb72

SHA256
6e38145f024a3ee8571cfad47c352cb42d56c0076a833f45e4f17102287a8839

SHA512
524934a0900d52d87c8f8a53b7e8e94e3bfa5a4d19cbec87eda2adc59ea5169fe06921b390e9a314a9077ef83d886d13720c95b1f1ec158a0947125c7d453c16

Download Submit
memory/844-100-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1440-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1440-81-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1512-98-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1664-73-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1820-45-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/1820-44-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/1820-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1820-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1900-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1900-48-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2092-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2092-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2256-90-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2256-83-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2508-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2508-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2668-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2668-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2748-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2748-8-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2748-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2748-3-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2808-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2808-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads