be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe
Size

90KB
MD5

1a11173afa8106ee2f9c3835d5182100
SHA1

0eba04ad8484d9aaf4185ea1765cb761ac4008d4
SHA256

be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1
SHA512

87b9505d3651af47fe91fe76cf2ce4c51bfce49eee202d7a97c6740287e84584f6bf071471e87027aa3958e9791847e148887e8a7f29c23a9b4aab10e7d62dae
SSDEEP

768:50w981IshKQLroW4/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzv:CEGI0oWlVunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{534E1254-B8B0-4830-A421-96DEE4AB292D}	{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{534E1254-B8B0-4830-A421-96DEE4AB292D}\stubpath = "C:\\Windows\\{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe"	{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09D786C0-2ABD-4789-B322-DFA2ABE5437C}	{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}	{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}	{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}\stubpath = "C:\\Windows\\{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe"	{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{593F7F39-E567-45fb-AD58-33F7BBEB0D11}\stubpath = "C:\\Windows\\{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe"	{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09D786C0-2ABD-4789-B322-DFA2ABE5437C}\stubpath = "C:\\Windows\\{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe"	{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D62DBFEF-5772-4963-AA25-7D8634F3368D}\stubpath = "C:\\Windows\\{D62DBFEF-5772-4963-AA25-7D8634F3368D}.exe"	{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14AE50A4-3F1A-459c-9335-D92388371D72}\stubpath = "C:\\Windows\\{14AE50A4-3F1A-459c-9335-D92388371D72}.exe"	{F99D6F5D-D1FF-4bf9-A01F-1C55FF10E401}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80A437E0-76C9-4708-B279-01BEA383285C}	{14AE50A4-3F1A-459c-9335-D92388371D72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22C71299-1058-45e3-97C8-8DF78BC8243B}	{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22C71299-1058-45e3-97C8-8DF78BC8243B}\stubpath = "C:\\Windows\\{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe"	{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}\stubpath = "C:\\Windows\\{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe"	{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F99D6F5D-D1FF-4bf9-A01F-1C55FF10E401}\stubpath = "C:\\Windows\\{F99D6F5D-D1FF-4bf9-A01F-1C55FF10E401}.exe"	{D62DBFEF-5772-4963-AA25-7D8634F3368D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}\stubpath = "C:\\Windows\\{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe"	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{593F7F39-E567-45fb-AD58-33F7BBEB0D11}	{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D62DBFEF-5772-4963-AA25-7D8634F3368D}	{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F99D6F5D-D1FF-4bf9-A01F-1C55FF10E401}	{D62DBFEF-5772-4963-AA25-7D8634F3368D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14AE50A4-3F1A-459c-9335-D92388371D72}	{F99D6F5D-D1FF-4bf9-A01F-1C55FF10E401}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80A437E0-76C9-4708-B279-01BEA383285C}\stubpath = "C:\\Windows\\{80A437E0-76C9-4708-B279-01BEA383285C}.exe"	{14AE50A4-3F1A-459c-9335-D92388371D72}.exe

Deletes itself 1 IoCs

pid	Process
2944	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2228	{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe
2740	{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe
2860	{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe
2300	{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe
820	{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe
1708	{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe
2700	{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe
2824	{D62DBFEF-5772-4963-AA25-7D8634F3368D}.exe
1176	{F99D6F5D-D1FF-4bf9-A01F-1C55FF10E401}.exe
584	{14AE50A4-3F1A-459c-9335-D92388371D72}.exe
2972	{80A437E0-76C9-4708-B279-01BEA383285C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe	{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe
File created	C:\Windows\{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe	{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe
File created	C:\Windows\{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe	{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe
File created	C:\Windows\{14AE50A4-3F1A-459c-9335-D92388371D72}.exe	{F99D6F5D-D1FF-4bf9-A01F-1C55FF10E401}.exe
File created	C:\Windows\{80A437E0-76C9-4708-B279-01BEA383285C}.exe	{14AE50A4-3F1A-459c-9335-D92388371D72}.exe
File created	C:\Windows\{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe
File created	C:\Windows\{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe	{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe
File created	C:\Windows\{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe	{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe
File created	C:\Windows\{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe	{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe
File created	C:\Windows\{D62DBFEF-5772-4963-AA25-7D8634F3368D}.exe	{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe
File created	C:\Windows\{F99D6F5D-D1FF-4bf9-A01F-1C55FF10E401}.exe	{D62DBFEF-5772-4963-AA25-7D8634F3368D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1964	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe
Token: SeIncBasePriorityPrivilege	2228	{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe
Token: SeIncBasePriorityPrivilege	2740	{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe
Token: SeIncBasePriorityPrivilege	2860	{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe
Token: SeIncBasePriorityPrivilege	2300	{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe
Token: SeIncBasePriorityPrivilege	820	{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe
Token: SeIncBasePriorityPrivilege	1708	{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe
Token: SeIncBasePriorityPrivilege	2700	{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe
Token: SeIncBasePriorityPrivilege	2824	{D62DBFEF-5772-4963-AA25-7D8634F3368D}.exe
Token: SeIncBasePriorityPrivilege	1176	{F99D6F5D-D1FF-4bf9-A01F-1C55FF10E401}.exe
Token: SeIncBasePriorityPrivilege	584	{14AE50A4-3F1A-459c-9335-D92388371D72}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2228	1964	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe	28
PID 1964 wrote to memory of 2228	1964	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe	28
PID 1964 wrote to memory of 2228	1964	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe	28
PID 1964 wrote to memory of 2228	1964	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe	28
PID 1964 wrote to memory of 2944	1964	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe	29
PID 1964 wrote to memory of 2944	1964	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe	29
PID 1964 wrote to memory of 2944	1964	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe	29
PID 1964 wrote to memory of 2944	1964	be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe	29
PID 2228 wrote to memory of 2740	2228	{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe	30
PID 2228 wrote to memory of 2740	2228	{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe	30
PID 2228 wrote to memory of 2740	2228	{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe	30
PID 2228 wrote to memory of 2740	2228	{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe	30
PID 2228 wrote to memory of 2908	2228	{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe	31
PID 2228 wrote to memory of 2908	2228	{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe	31
PID 2228 wrote to memory of 2908	2228	{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe	31
PID 2228 wrote to memory of 2908	2228	{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe	31
PID 2740 wrote to memory of 2860	2740	{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe	32
PID 2740 wrote to memory of 2860	2740	{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe	32
PID 2740 wrote to memory of 2860	2740	{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe	32
PID 2740 wrote to memory of 2860	2740	{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe	32
PID 2740 wrote to memory of 2524	2740	{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe	33
PID 2740 wrote to memory of 2524	2740	{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe	33
PID 2740 wrote to memory of 2524	2740	{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe	33
PID 2740 wrote to memory of 2524	2740	{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe	33
PID 2860 wrote to memory of 2300	2860	{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe	36
PID 2860 wrote to memory of 2300	2860	{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe	36
PID 2860 wrote to memory of 2300	2860	{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe	36
PID 2860 wrote to memory of 2300	2860	{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe	36
PID 2860 wrote to memory of 1524	2860	{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe	37
PID 2860 wrote to memory of 1524	2860	{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe	37
PID 2860 wrote to memory of 1524	2860	{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe	37
PID 2860 wrote to memory of 1524	2860	{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe	37
PID 2300 wrote to memory of 820	2300	{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe	38
PID 2300 wrote to memory of 820	2300	{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe	38
PID 2300 wrote to memory of 820	2300	{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe	38
PID 2300 wrote to memory of 820	2300	{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe	38
PID 2300 wrote to memory of 108	2300	{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe	39
PID 2300 wrote to memory of 108	2300	{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe	39
PID 2300 wrote to memory of 108	2300	{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe	39
PID 2300 wrote to memory of 108	2300	{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe	39
PID 820 wrote to memory of 1708	820	{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe	40
PID 820 wrote to memory of 1708	820	{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe	40
PID 820 wrote to memory of 1708	820	{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe	40
PID 820 wrote to memory of 1708	820	{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe	40
PID 820 wrote to memory of 2304	820	{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe	41
PID 820 wrote to memory of 2304	820	{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe	41
PID 820 wrote to memory of 2304	820	{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe	41
PID 820 wrote to memory of 2304	820	{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe	41
PID 1708 wrote to memory of 2700	1708	{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe	42
PID 1708 wrote to memory of 2700	1708	{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe	42
PID 1708 wrote to memory of 2700	1708	{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe	42
PID 1708 wrote to memory of 2700	1708	{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe	42
PID 1708 wrote to memory of 1276	1708	{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe	43
PID 1708 wrote to memory of 1276	1708	{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe	43
PID 1708 wrote to memory of 1276	1708	{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe	43
PID 1708 wrote to memory of 1276	1708	{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe	43
PID 2700 wrote to memory of 2824	2700	{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe	44
PID 2700 wrote to memory of 2824	2700	{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe	44
PID 2700 wrote to memory of 2824	2700	{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe	44
PID 2700 wrote to memory of 2824	2700	{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe	44
PID 2700 wrote to memory of 2120	2700	{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe	45
PID 2700 wrote to memory of 2120	2700	{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe	45
PID 2700 wrote to memory of 2120	2700	{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe	45
PID 2700 wrote to memory of 2120	2700	{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe	45

C:\Users\Admin\AppData\Local\Temp\be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe
"C:\Users\Admin\AppData\Local\Temp\be9aeeba5a11b13acc4f788bf4de7c36b8cb899b8238eb241fc4c0c820ffa6e1.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe
  C:\Windows\{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe
    C:\Windows\{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe
      C:\Windows\{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe
        
        C:\Windows\{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
      - C:\Windows\{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe
        
        C:\Windows\{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe
        
        C:\Windows\{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe
        
        C:\Windows\{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{D62DBFEF-5772-4963-AA25-7D8634F3368D}.exe
        
        C:\Windows\{D62DBFEF-5772-4963-AA25-7D8634F3368D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\{F99D6F5D-D1FF-4bf9-A01F-1C55FF10E401}.exe
        
        C:\Windows\{F99D6F5D-D1FF-4bf9-A01F-1C55FF10E401}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
        
        C:\Windows\{14AE50A4-3F1A-459c-9335-D92388371D72}.exe
        
        C:\Windows\{14AE50A4-3F1A-459c-9335-D92388371D72}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\{80A437E0-76C9-4708-B279-01BEA383285C}.exe
        
        C:\Windows\{80A437E0-76C9-4708-B279-01BEA383285C}.exe
        12⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14AE5~1.EXE > nul
        12⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F99D6~1.EXE > nul
        11⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D62DB~1.EXE > nul
        10⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05E67~1.EXE > nul
        9⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09D78~1.EXE > nul
        8⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22C71~1.EXE > nul
        7⤵
        
        PID:2304
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{593F7~1.EXE > nul
        6⤵
        
        PID:108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB5B8~1.EXE > nul
        5⤵
        
        PID:1524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{534E1~1.EXE > nul
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{78972~1.EXE > nul
    3⤵
    PID:2908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BE9AEE~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05E679CF-FE6F-497d-A29A-39DAD5BC56FC}.exe

Filesize
90KB

MD5
f7fa545eaa33f8f9a791613aca0ef85c

SHA1
fc2a95654baa815c41be6a9f76d4b1190536130d

SHA256
e13394fce69fc432732cab917565e2d7e8a789ce2dc217f64dcfca35c631e30f

SHA512
6850911a0bd7e19bbeb69bbecb6b1acbe69bdec89ab4499ce843382dcec340445f91199098bda02782ea40941679a86e22dc6733ea1dc028411004ae178ff61a

Download Submit
C:\Windows\{09D786C0-2ABD-4789-B322-DFA2ABE5437C}.exe

Filesize
90KB

MD5
947a297fc985c1a4df9a469fbabe524a

SHA1
c515b65860226023e14f6b5140a35d5e3bea68e3

SHA256
8564eac2e2faec333ee7a680dad24f7294fd887ea96fe38a84931f8282a58fc8

SHA512
54ddec91e5559e96a2f7a483a337d82cf008eec59a536e0449ba3ab44d13ce19d918208ca3df8c5c88ffe8f27618ef3f706c34153a52ee2408204912ff085baa

Download Submit
C:\Windows\{14AE50A4-3F1A-459c-9335-D92388371D72}.exe

Filesize
90KB

MD5
c00c5e0fa934304c3e4024043fed5d3e

SHA1
2da7e5e4394119693b923c43019b8f102f88b856

SHA256
94c9135f44096bf53ba50115d21db88c728c92da886d62706fa7bf39d6992349

SHA512
7d4f1f6fe7994e6877828750436b5801c6c637495aae5a398640d35c1fc59e8112907a6f908f3a2eec142a8b09e93cbec2efe943a58629fa735e6e621f3a949a

Download Submit
C:\Windows\{22C71299-1058-45e3-97C8-8DF78BC8243B}.exe

Filesize
90KB

MD5
f68cc3ac9f013295dd6a95562be8e666

SHA1
f4092eab9b33ccb37c374dfb3b8011f5a5a24b5e

SHA256
4d111a0925c6eaa5d1be01f248e1395e420cdf89a9234ccc48518a1221c1feb5

SHA512
a7f3fac8c74488bd16064c16dee5964a8abdc0b98b4b4fb883fa743fde4eeaa1b497745badaca1d96c3060bebd51ca34d16eba1e3a8a043381f4d9918e63ff09

Download Submit
C:\Windows\{534E1254-B8B0-4830-A421-96DEE4AB292D}.exe

Filesize
90KB

MD5
5167e0ca2644e3e55c66451c63950f93

SHA1
4871bbaaedd05ded32d105d81d60bb1c9daa11cd

SHA256
2eda50a14c65ba74c21658d4c247ed8a80520092a81da3210c0b61eca81ee0da

SHA512
bdf82af432af2df008beec1e95954fd420f05d23382222e4ec87d2026b38076fd59b1a050a5de94802b3f5c11dcfd1e7749c1995f798ac6444ce159327615909

Download Submit
C:\Windows\{593F7F39-E567-45fb-AD58-33F7BBEB0D11}.exe

Filesize
90KB

MD5
66f9c394bf5ac2298964dd6c313dc53b

SHA1
11a1a9f4b698c1e5ef2d5179f82b3eab5118d4fb

SHA256
5b8e8261627509e1d51984c6b98c78d09a2a7c830f3af683b32ef8e67e301571

SHA512
9c9f386c0f6582448445aa423719f171257b9f050cfd47c024e4b1dad3542dbdbd8c19ef72ebdd8413e9194a61d5c79ec1fca662c5f7ccea844419dc4c7f9df4

Download Submit
C:\Windows\{78972B9E-A587-45e5-97B5-E3E0A7D25DE7}.exe

Filesize
90KB

MD5
08952a52ed3c360c157969ff0af800d2

SHA1
9a277190a9bd524ddbbd972096cb06f3467ad2d8

SHA256
9877f7b58a8e5cadf1e71f51df48b4db79ea60d83abd3117facd82117788ff07

SHA512
59be5fa8f9d968371fa88e9d930016d70d12238c3a036a559d0027b1148a590ee24b83309d2c1854d7f4ec78aced88e89303fde97cd42d479d31dcc3a9604651

Download Submit
C:\Windows\{80A437E0-76C9-4708-B279-01BEA383285C}.exe

Filesize
90KB

MD5
0e0bee8f8e49d78e2aba1f9c64d6ba40

SHA1
b282dad448a99a792abd1f89cfe499fdaea50217

SHA256
bab19e16d7dbdbeb5a5c772a3895965354c1401ccc644c3b5ba29f88c20f8a25

SHA512
2b2229f5d0293bce6ccfdab8e9530b339ff1d1b78da5c9fbe223ac5b226ead1d1cb88fa8b9d87d60d076600f8ab4ee4c399a07f6f9c3038973e4b51971d06c6e

Download Submit
C:\Windows\{AB5B823E-1B76-4fcd-84F5-D093CE2ED7AF}.exe

Filesize
90KB

MD5
cfc5ebba7739c7193171c461c433182d

SHA1
0ebb0fc7c5d91ff6bb1e7cb7d630e93e661b0a70

SHA256
87120c61c27b7acb0233c81ecc142d9f2f04f4963888e90e05720794eedaf189

SHA512
6e115f4f97ff917ea13e17ae225df410871edac63b81ba367c32902c65364242ac2497a616515903e02f383a84706362a954cedb39641b0e2764dc2d4dcba449

Download Submit
C:\Windows\{D62DBFEF-5772-4963-AA25-7D8634F3368D}.exe

Filesize
90KB

MD5
81f84e8db1935c83bef506784382b89b

SHA1
f5ae91d32bf4b27cdc75a89ee1565eb3f72b4549

SHA256
0b5606c9ce5e93e5bdc9c7e62b4a4631feb0a4a4396d3d3e8d5dc7e815107480

SHA512
2639a3ef55a04419708c519a663286117033c7f93db22529ce1d2e7ef5567acce0b5a00e5bafb3a7207eca48b86327420cdd2c0843c590513db9e14657d7dfd6

Download Submit
C:\Windows\{F99D6F5D-D1FF-4bf9-A01F-1C55FF10E401}.exe

Filesize
90KB

MD5
b759af781fe6114754032d6063b1abe3

SHA1
6e3b020cde104bb77fad3b91bce318262aa7ab1f

SHA256
1abf9ef035b5f226cec380de584866c5f7260ebe2aa772693231b89db0c72232

SHA512
243fc4446c56b3819f4ad5467357af67405484cd69c3d52a5312b1be3ce138324119dbadf536df6856479a005509ef506905f39d7bd19cc9683953f631595a1d

Download Submit
memory/584-96-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/584-97-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/584-99-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/584-89-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/820-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1176-88-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1708-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1964-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1964-7-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/1964-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1964-3-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2228-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2228-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2300-42-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/2300-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2300-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2700-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2700-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2740-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2740-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2824-80-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2860-35-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/2860-36-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/2860-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2972-100-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads