fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe
Size

89KB
MD5

920c8c15dca0f031cab21892b2548f56
SHA1

250bb8ef0161e8ebe0b8cd367ff1c281d9a85d9b
SHA256

fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1
SHA512

94f50b5732d1f63d2528df7bf7396e664c9c8b82474466dc949e8e43a6c46ef18d6afd13d40875c492fcbcb42da18226d1cf096f82a56708480ff151d2c553b2
SSDEEP

768:Qvw9816vhKQLroA4/wQRNrfrunMxVFA3b7gl5:YEGh0oAl2unMxVS3HgX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7FBEC2A-9875-4d5a-B027-57159C2EDEEA}	{8E7AA3F9-9EC4-44fc-9914-8FDDF4BF60FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7FBEC2A-9875-4d5a-B027-57159C2EDEEA}\stubpath = "C:\\Windows\\{C7FBEC2A-9875-4d5a-B027-57159C2EDEEA}.exe"	{8E7AA3F9-9EC4-44fc-9914-8FDDF4BF60FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}	{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}\stubpath = "C:\\Windows\\{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe"	{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A84CA589-576B-47ed-8860-A09C7CB67CB9}	{0C3E808C-594E-46cd-846E-5DB43F81BBCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{310383D7-BBD9-4937-919E-0D95A6B9F7BD}	{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E7AA3F9-9EC4-44fc-9914-8FDDF4BF60FB}\stubpath = "C:\\Windows\\{8E7AA3F9-9EC4-44fc-9914-8FDDF4BF60FB}.exe"	{A84CA589-576B-47ed-8860-A09C7CB67CB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C425B019-AE73-4af3-B608-9D5DC26D4002}	{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C425B019-AE73-4af3-B608-9D5DC26D4002}\stubpath = "C:\\Windows\\{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe"	{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEB82210-75D7-4b79-9CB7-AF74E476AA97}\stubpath = "C:\\Windows\\{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe"	{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}\stubpath = "C:\\Windows\\{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe"	{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{310383D7-BBD9-4937-919E-0D95A6B9F7BD}\stubpath = "C:\\Windows\\{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe"	{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C3E808C-594E-46cd-846E-5DB43F81BBCB}\stubpath = "C:\\Windows\\{0C3E808C-594E-46cd-846E-5DB43F81BBCB}.exe"	{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A84CA589-576B-47ed-8860-A09C7CB67CB9}\stubpath = "C:\\Windows\\{A84CA589-576B-47ed-8860-A09C7CB67CB9}.exe"	{0C3E808C-594E-46cd-846E-5DB43F81BBCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}\stubpath = "C:\\Windows\\{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe"	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEB82210-75D7-4b79-9CB7-AF74E476AA97}	{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B50607F-2BB7-4529-95EA-D961C9C49FDF}\stubpath = "C:\\Windows\\{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe"	{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}	{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B50607F-2BB7-4529-95EA-D961C9C49FDF}	{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C3E808C-594E-46cd-846E-5DB43F81BBCB}	{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E7AA3F9-9EC4-44fc-9914-8FDDF4BF60FB}	{A84CA589-576B-47ed-8860-A09C7CB67CB9}.exe

Deletes itself 1 IoCs

pid	Process
3028	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2468	{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe
2800	{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe
2928	{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe
1688	{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe
2684	{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe
1776	{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe
1600	{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe
872	{0C3E808C-594E-46cd-846E-5DB43F81BBCB}.exe
2892	{A84CA589-576B-47ed-8860-A09C7CB67CB9}.exe
1640	{8E7AA3F9-9EC4-44fc-9914-8FDDF4BF60FB}.exe
2056	{C7FBEC2A-9875-4d5a-B027-57159C2EDEEA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe	{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe
File created	C:\Windows\{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe	{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe
File created	C:\Windows\{8E7AA3F9-9EC4-44fc-9914-8FDDF4BF60FB}.exe	{A84CA589-576B-47ed-8860-A09C7CB67CB9}.exe
File created	C:\Windows\{C7FBEC2A-9875-4d5a-B027-57159C2EDEEA}.exe	{8E7AA3F9-9EC4-44fc-9914-8FDDF4BF60FB}.exe
File created	C:\Windows\{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe
File created	C:\Windows\{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe	{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe
File created	C:\Windows\{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe	{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe
File created	C:\Windows\{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe	{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe
File created	C:\Windows\{0C3E808C-594E-46cd-846E-5DB43F81BBCB}.exe	{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe
File created	C:\Windows\{A84CA589-576B-47ed-8860-A09C7CB67CB9}.exe	{0C3E808C-594E-46cd-846E-5DB43F81BBCB}.exe
File created	C:\Windows\{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe	{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1692	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe
Token: SeIncBasePriorityPrivilege	2468	{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe
Token: SeIncBasePriorityPrivilege	2800	{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe
Token: SeIncBasePriorityPrivilege	2928	{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe
Token: SeIncBasePriorityPrivilege	1688	{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe
Token: SeIncBasePriorityPrivilege	2684	{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe
Token: SeIncBasePriorityPrivilege	1776	{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe
Token: SeIncBasePriorityPrivilege	1600	{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe
Token: SeIncBasePriorityPrivilege	872	{0C3E808C-594E-46cd-846E-5DB43F81BBCB}.exe
Token: SeIncBasePriorityPrivilege	2892	{A84CA589-576B-47ed-8860-A09C7CB67CB9}.exe
Token: SeIncBasePriorityPrivilege	1640	{8E7AA3F9-9EC4-44fc-9914-8FDDF4BF60FB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2468	1692	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe	28
PID 1692 wrote to memory of 2468	1692	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe	28
PID 1692 wrote to memory of 2468	1692	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe	28
PID 1692 wrote to memory of 2468	1692	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe	28
PID 1692 wrote to memory of 3028	1692	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe	29
PID 1692 wrote to memory of 3028	1692	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe	29
PID 1692 wrote to memory of 3028	1692	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe	29
PID 1692 wrote to memory of 3028	1692	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe	29
PID 2468 wrote to memory of 2800	2468	{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe	30
PID 2468 wrote to memory of 2800	2468	{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe	30
PID 2468 wrote to memory of 2800	2468	{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe	30
PID 2468 wrote to memory of 2800	2468	{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe	30
PID 2468 wrote to memory of 2796	2468	{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe	31
PID 2468 wrote to memory of 2796	2468	{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe	31
PID 2468 wrote to memory of 2796	2468	{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe	31
PID 2468 wrote to memory of 2796	2468	{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe	31
PID 2800 wrote to memory of 2928	2800	{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe	32
PID 2800 wrote to memory of 2928	2800	{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe	32
PID 2800 wrote to memory of 2928	2800	{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe	32
PID 2800 wrote to memory of 2928	2800	{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe	32
PID 2800 wrote to memory of 2428	2800	{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe	33
PID 2800 wrote to memory of 2428	2800	{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe	33
PID 2800 wrote to memory of 2428	2800	{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe	33
PID 2800 wrote to memory of 2428	2800	{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe	33
PID 2928 wrote to memory of 1688	2928	{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe	36
PID 2928 wrote to memory of 1688	2928	{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe	36
PID 2928 wrote to memory of 1688	2928	{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe	36
PID 2928 wrote to memory of 1688	2928	{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe	36
PID 2928 wrote to memory of 1348	2928	{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe	37
PID 2928 wrote to memory of 1348	2928	{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe	37
PID 2928 wrote to memory of 1348	2928	{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe	37
PID 2928 wrote to memory of 1348	2928	{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe	37
PID 1688 wrote to memory of 2684	1688	{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe	38
PID 1688 wrote to memory of 2684	1688	{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe	38
PID 1688 wrote to memory of 2684	1688	{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe	38
PID 1688 wrote to memory of 2684	1688	{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe	38
PID 1688 wrote to memory of 1188	1688	{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe	39
PID 1688 wrote to memory of 1188	1688	{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe	39
PID 1688 wrote to memory of 1188	1688	{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe	39
PID 1688 wrote to memory of 1188	1688	{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe	39
PID 2684 wrote to memory of 1776	2684	{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe	40
PID 2684 wrote to memory of 1776	2684	{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe	40
PID 2684 wrote to memory of 1776	2684	{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe	40
PID 2684 wrote to memory of 1776	2684	{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe	40
PID 2684 wrote to memory of 1896	2684	{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe	41
PID 2684 wrote to memory of 1896	2684	{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe	41
PID 2684 wrote to memory of 1896	2684	{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe	41
PID 2684 wrote to memory of 1896	2684	{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe	41
PID 1776 wrote to memory of 1600	1776	{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe	42
PID 1776 wrote to memory of 1600	1776	{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe	42
PID 1776 wrote to memory of 1600	1776	{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe	42
PID 1776 wrote to memory of 1600	1776	{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe	42
PID 1776 wrote to memory of 1424	1776	{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe	43
PID 1776 wrote to memory of 1424	1776	{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe	43
PID 1776 wrote to memory of 1424	1776	{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe	43
PID 1776 wrote to memory of 1424	1776	{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe	43
PID 1600 wrote to memory of 872	1600	{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe	44
PID 1600 wrote to memory of 872	1600	{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe	44
PID 1600 wrote to memory of 872	1600	{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe	44
PID 1600 wrote to memory of 872	1600	{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe	44
PID 1600 wrote to memory of 1248	1600	{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe	45
PID 1600 wrote to memory of 1248	1600	{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe	45
PID 1600 wrote to memory of 1248	1600	{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe	45
PID 1600 wrote to memory of 1248	1600	{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe	45

C:\Users\Admin\AppData\Local\Temp\fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe
"C:\Users\Admin\AppData\Local\Temp\fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe
  C:\Windows\{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe
    C:\Windows\{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe
      C:\Windows\{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe
        
        C:\Windows\{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Windows\{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe
        
        C:\Windows\{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe
        
        C:\Windows\{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe
        
        C:\Windows\{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{0C3E808C-594E-46cd-846E-5DB43F81BBCB}.exe
        
        C:\Windows\{0C3E808C-594E-46cd-846E-5DB43F81BBCB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\{A84CA589-576B-47ed-8860-A09C7CB67CB9}.exe
        
        C:\Windows\{A84CA589-576B-47ed-8860-A09C7CB67CB9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\{8E7AA3F9-9EC4-44fc-9914-8FDDF4BF60FB}.exe
        
        C:\Windows\{8E7AA3F9-9EC4-44fc-9914-8FDDF4BF60FB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\{C7FBEC2A-9875-4d5a-B027-57159C2EDEEA}.exe
        
        C:\Windows\{C7FBEC2A-9875-4d5a-B027-57159C2EDEEA}.exe
        12⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E7AA~1.EXE > nul
        12⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A84CA~1.EXE > nul
        11⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C3E8~1.EXE > nul
        10⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31038~1.EXE > nul
        9⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DB01~1.EXE > nul
        8⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C852E~1.EXE > nul
        7⤵
        
        PID:1896
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B506~1.EXE > nul
        6⤵
        
        PID:1188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEB82~1.EXE > nul
        5⤵
        
        PID:1348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C425B~1.EXE > nul
      4⤵
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4FAAC~1.EXE > nul
    3⤵
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FBACA3~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C3E808C-594E-46cd-846E-5DB43F81BBCB}.exe

Filesize
89KB

MD5
57b6bbe82f4858ebbb00e5e9b47edb4d

SHA1
8d5b9dc770ed6f70445588179ed28260bb0f7d9e

SHA256
e94a37623689b291a6818beb466414339d40f7f7aeca5f9f513b3d7d09a6b5b2

SHA512
be1062c528854d2f4c2120160e9759404929e26f19f8d189d1e79a21acb2d80a4a3ac90b9af88490ffecb705e2e15a5065af22fae2c87a70bff550a4e201f926

Download Submit
C:\Windows\{310383D7-BBD9-4937-919E-0D95A6B9F7BD}.exe

Filesize
89KB

MD5
1c79093ec7a3fd43775194c2cfb15e08

SHA1
23ec5eca398b32b9d9b982e872f53de2a3e4e20e

SHA256
c88a5015915cbc395fe425c9684a468b8ef5e2128a83e80c09df43f2208d11ba

SHA512
c59eeccf3bc16eca4f233bfa9fcd15e79020cd8ac38c6f02f687f4780d175bfee400f3300b82fe925cae521c21cbb7a02bc6b4a1bd45ecc6465e4a870c9bb80d

Download Submit
C:\Windows\{3B50607F-2BB7-4529-95EA-D961C9C49FDF}.exe

Filesize
89KB

MD5
fff939a625400940fb484e5a99cc89ae

SHA1
1531fa6d8e53df7db5086006a7b9793b0df30ea6

SHA256
015482ce796c029cbad9389c22f7c1e33e2583f3266d00d74e47f15750af8874

SHA512
e1cfeb2b9b2c5f00d0bfaa984639bb80a1752a79b686c38240c44a061b5f1646ca13978adaf08d159e15d79d6b8f930d0b8f2343c49493fb7cf55a3b9f7921fc

Download Submit
C:\Windows\{4FAAC875-498B-45a9-9EFC-5EDC391AA51C}.exe

Filesize
89KB

MD5
779a643486a234a7882df77af46f4654

SHA1
5020a26ca5d28cb1b76b94f97361f51dbaba8d96

SHA256
a675a0dfea0504cb361938be3c6c7467397138b7969111ae8ffc30f051f99b09

SHA512
8af277eef592f299c2c1f24f45aa5f6a019b3daacf8b4c48e6d7381d818952403036b4ea509155752f6f5803ca4da2e717e0bef83ab115993a94a4917e1a45c1

Download Submit
C:\Windows\{5DB01C4F-C674-4bb1-89B7-477CB5F37F04}.exe

Filesize
89KB

MD5
c71fc5e23c1cf62cc60f240f8cf82b49

SHA1
5ef050e9b7ed28c086a70d3385e8ca50d55fbd15

SHA256
41dfd57d1654cb6e0b2b44ab196d4d0aca8fd460ccb0e8517fdd5251edc3e4a3

SHA512
29c2b3aae2fa8e60a621295b27d8fe0315468a48443a69673a9e189b6119d131f3a5664790aeca9b630ce804185c8bbbb1db11d85ebba28bf10ff5a010cdd418

Download Submit
C:\Windows\{8E7AA3F9-9EC4-44fc-9914-8FDDF4BF60FB}.exe

Filesize
89KB

MD5
f237f667aa3ed1f9c6303dd518bf9699

SHA1
95eb01b5b7fbd1387e1d1cfa8f0680d2ffee4fe9

SHA256
c6eff41668e5b7c3a7ad24f266fc5baefd5fa57696e560ebafcbd10e753bfe35

SHA512
d550f364d4996a0d7d62a8db09cc12b137f8a51a4fb7ebec971968bf552ebcc690a311d29eef0846a7f1646ce9a61c15ccedc4204e4c4e84306040eef2f34e71

Download Submit
C:\Windows\{A84CA589-576B-47ed-8860-A09C7CB67CB9}.exe

Filesize
89KB

MD5
bbcd4a442adfecc626712231457ccec0

SHA1
3e091d1e2f888acef259423b032a957f854a1a03

SHA256
d96589f7c9f3cb93bb150292f7ee67ca85345f598f2e6d6f58908524fb926524

SHA512
309fd757ccc04e4cd17a91fdb2a1649cc3079f920c3aac3bdb40685b77c4e6a2d76bf7f92292ad141c96993441f0ee80260c9dc803a55b230359724548d52c6f

Download Submit
C:\Windows\{BEB82210-75D7-4b79-9CB7-AF74E476AA97}.exe

Filesize
89KB

MD5
c55f8711166b2a9259267ea0fb343d80

SHA1
12d7d4d9e3e50cf76db02e5759e27da37397d1f2

SHA256
8b082711143ac6f59349987bb978b0525ba9b33c7bd7bb5b6074ebe83e5bc024

SHA512
0cfe740a1e18253abab723baf2dc6c764657404e40f27b27b5908ef0d9729bd088995aaadca5441ed4674f6d99a88a11fa82a0db367147eb361dd5b72b42218b

Download Submit
C:\Windows\{C425B019-AE73-4af3-B608-9D5DC26D4002}.exe

Filesize
89KB

MD5
4de2cff52edcd1780186dbeec097fa72

SHA1
6d911b83b72dec6a1a9cff27b14eeef3e5f28765

SHA256
e730e724437dadceb5761a051b1f49ef4e0f734de65daa281c4e02c260e78c46

SHA512
f69e9130f9ab34b47ddaa8971bb4fe27ffba06545569a5ef0694e9638f785614c490f76d00110a16dd54043b07ce7dde6b42f953c3470d151b5779fc9eaa5fe3

Download Submit
C:\Windows\{C7FBEC2A-9875-4d5a-B027-57159C2EDEEA}.exe

Filesize
89KB

MD5
001a21543bd5ed0fdfb1eee4b232a723

SHA1
ab1364903f9c388a3440b4aa418637b46344a9d5

SHA256
5d4b5edf1c634385d29a866c758e50e7241381795bd73ade7569e42151fa5250

SHA512
0a1e9218acad361210d074fcd83f1e0f8382bed806450439c6410e866e1a954b52b5b4cd744fc713b39040732f805a7c9f487c00b0f4f85cf007fc89b49d430e

Download Submit
C:\Windows\{C852EB4B-9CB7-4513-8FC4-BA6FA9AB003D}.exe

Filesize
89KB

MD5
31ec3efce527ef25f59f3e659e01a048

SHA1
abba3ed56d58a435811b3e658d7a59adfb43e192

SHA256
a18809cbe7a6778231bd2833690034742b778f378755f246488352ced4ab0dd4

SHA512
e3ef2cee68c15c3cc2607c431a3814afddf5c6b0e4f2cca22ec0855d72d3707591ff34adc13b7dd76336d7a5840fe5363cc57492894e38ffd1ff0760db67e87e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads