fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe
Size

89KB
MD5

920c8c15dca0f031cab21892b2548f56
SHA1

250bb8ef0161e8ebe0b8cd367ff1c281d9a85d9b
SHA256

fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1
SHA512

94f50b5732d1f63d2528df7bf7396e664c9c8b82474466dc949e8e43a6c46ef18d6afd13d40875c492fcbcb42da18226d1cf096f82a56708480ff151d2c553b2
SSDEEP

768:Qvw9816vhKQLroA4/wQRNrfrunMxVFA3b7gl5:YEGh0oAl2unMxVS3HgX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}\stubpath = "C:\\Windows\\{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}.exe"	{F279C048-DF1E-41e5-A5B3-E4C488F90236}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76314618-48A5-4214-B7E9-FEEC345AE894}\stubpath = "C:\\Windows\\{76314618-48A5-4214-B7E9-FEEC345AE894}.exe"	{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7934E28F-F797-4182-8D51-F8C7A0C7D440}\stubpath = "C:\\Windows\\{7934E28F-F797-4182-8D51-F8C7A0C7D440}.exe"	{76314618-48A5-4214-B7E9-FEEC345AE894}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}	{0A5CE842-7274-49de-BC84-72D0588E7E5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F279C048-DF1E-41e5-A5B3-E4C488F90236}	{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F279C048-DF1E-41e5-A5B3-E4C488F90236}\stubpath = "C:\\Windows\\{F279C048-DF1E-41e5-A5B3-E4C488F90236}.exe"	{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}	{F279C048-DF1E-41e5-A5B3-E4C488F90236}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}\stubpath = "C:\\Windows\\{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}.exe"	{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76314618-48A5-4214-B7E9-FEEC345AE894}	{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3BCD6AE-3478-4f91-9586-3A8691E99C0F}	{7934E28F-F797-4182-8D51-F8C7A0C7D440}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7835F8D1-4FB1-4876-8E57-65AC0784F448}	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}\stubpath = "C:\\Windows\\{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}.exe"	{0A5CE842-7274-49de-BC84-72D0588E7E5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0287895-417B-414c-A461-D9ACE9F3885B}\stubpath = "C:\\Windows\\{F0287895-417B-414c-A461-D9ACE9F3885B}.exe"	{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}	{F0287895-417B-414c-A461-D9ACE9F3885B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}	{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7934E28F-F797-4182-8D51-F8C7A0C7D440}	{76314618-48A5-4214-B7E9-FEEC345AE894}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3BCD6AE-3478-4f91-9586-3A8691E99C0F}\stubpath = "C:\\Windows\\{C3BCD6AE-3478-4f91-9586-3A8691E99C0F}.exe"	{7934E28F-F797-4182-8D51-F8C7A0C7D440}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7835F8D1-4FB1-4876-8E57-65AC0784F448}\stubpath = "C:\\Windows\\{7835F8D1-4FB1-4876-8E57-65AC0784F448}.exe"	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98031F89-49C6-4c26-A113-CC2E5FE3EE96}\stubpath = "C:\\Windows\\{98031F89-49C6-4c26-A113-CC2E5FE3EE96}.exe"	{7835F8D1-4FB1-4876-8E57-65AC0784F448}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A5CE842-7274-49de-BC84-72D0588E7E5D}\stubpath = "C:\\Windows\\{0A5CE842-7274-49de-BC84-72D0588E7E5D}.exe"	{98031F89-49C6-4c26-A113-CC2E5FE3EE96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}\stubpath = "C:\\Windows\\{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}.exe"	{F0287895-417B-414c-A461-D9ACE9F3885B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98031F89-49C6-4c26-A113-CC2E5FE3EE96}	{7835F8D1-4FB1-4876-8E57-65AC0784F448}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A5CE842-7274-49de-BC84-72D0588E7E5D}	{98031F89-49C6-4c26-A113-CC2E5FE3EE96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0287895-417B-414c-A461-D9ACE9F3885B}	{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}.exe

Executes dropped EXE 12 IoCs

pid	Process
2028	{7835F8D1-4FB1-4876-8E57-65AC0784F448}.exe
4580	{98031F89-49C6-4c26-A113-CC2E5FE3EE96}.exe
2400	{0A5CE842-7274-49de-BC84-72D0588E7E5D}.exe
2560	{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}.exe
372	{F279C048-DF1E-41e5-A5B3-E4C488F90236}.exe
1880	{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}.exe
3112	{F0287895-417B-414c-A461-D9ACE9F3885B}.exe
4452	{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}.exe
3100	{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}.exe
2648	{76314618-48A5-4214-B7E9-FEEC345AE894}.exe
992	{7934E28F-F797-4182-8D51-F8C7A0C7D440}.exe
1580	{C3BCD6AE-3478-4f91-9586-3A8691E99C0F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7934E28F-F797-4182-8D51-F8C7A0C7D440}.exe	{76314618-48A5-4214-B7E9-FEEC345AE894}.exe
File created	C:\Windows\{7835F8D1-4FB1-4876-8E57-65AC0784F448}.exe	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe
File created	C:\Windows\{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}.exe	{0A5CE842-7274-49de-BC84-72D0588E7E5D}.exe
File created	C:\Windows\{F0287895-417B-414c-A461-D9ACE9F3885B}.exe	{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}.exe
File created	C:\Windows\{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}.exe	{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}.exe
File created	C:\Windows\{76314618-48A5-4214-B7E9-FEEC345AE894}.exe	{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}.exe
File created	C:\Windows\{C3BCD6AE-3478-4f91-9586-3A8691E99C0F}.exe	{7934E28F-F797-4182-8D51-F8C7A0C7D440}.exe
File created	C:\Windows\{98031F89-49C6-4c26-A113-CC2E5FE3EE96}.exe	{7835F8D1-4FB1-4876-8E57-65AC0784F448}.exe
File created	C:\Windows\{0A5CE842-7274-49de-BC84-72D0588E7E5D}.exe	{98031F89-49C6-4c26-A113-CC2E5FE3EE96}.exe
File created	C:\Windows\{F279C048-DF1E-41e5-A5B3-E4C488F90236}.exe	{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}.exe
File created	C:\Windows\{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}.exe	{F279C048-DF1E-41e5-A5B3-E4C488F90236}.exe
File created	C:\Windows\{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}.exe	{F0287895-417B-414c-A461-D9ACE9F3885B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5008	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe
Token: SeIncBasePriorityPrivilege	2028	{7835F8D1-4FB1-4876-8E57-65AC0784F448}.exe
Token: SeIncBasePriorityPrivilege	4580	{98031F89-49C6-4c26-A113-CC2E5FE3EE96}.exe
Token: SeIncBasePriorityPrivilege	2400	{0A5CE842-7274-49de-BC84-72D0588E7E5D}.exe
Token: SeIncBasePriorityPrivilege	2560	{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}.exe
Token: SeIncBasePriorityPrivilege	372	{F279C048-DF1E-41e5-A5B3-E4C488F90236}.exe
Token: SeIncBasePriorityPrivilege	1880	{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}.exe
Token: SeIncBasePriorityPrivilege	3112	{F0287895-417B-414c-A461-D9ACE9F3885B}.exe
Token: SeIncBasePriorityPrivilege	4452	{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}.exe
Token: SeIncBasePriorityPrivilege	3100	{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}.exe
Token: SeIncBasePriorityPrivilege	2648	{76314618-48A5-4214-B7E9-FEEC345AE894}.exe
Token: SeIncBasePriorityPrivilege	992	{7934E28F-F797-4182-8D51-F8C7A0C7D440}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 2028	5008	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe	97
PID 5008 wrote to memory of 2028	5008	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe	97
PID 5008 wrote to memory of 2028	5008	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe	97
PID 5008 wrote to memory of 4452	5008	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe	98
PID 5008 wrote to memory of 4452	5008	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe	98
PID 5008 wrote to memory of 4452	5008	fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe	98
PID 2028 wrote to memory of 4580	2028	{7835F8D1-4FB1-4876-8E57-65AC0784F448}.exe	99
PID 2028 wrote to memory of 4580	2028	{7835F8D1-4FB1-4876-8E57-65AC0784F448}.exe	99
PID 2028 wrote to memory of 4580	2028	{7835F8D1-4FB1-4876-8E57-65AC0784F448}.exe	99
PID 2028 wrote to memory of 2436	2028	{7835F8D1-4FB1-4876-8E57-65AC0784F448}.exe	100
PID 2028 wrote to memory of 2436	2028	{7835F8D1-4FB1-4876-8E57-65AC0784F448}.exe	100
PID 2028 wrote to memory of 2436	2028	{7835F8D1-4FB1-4876-8E57-65AC0784F448}.exe	100
PID 4580 wrote to memory of 2400	4580	{98031F89-49C6-4c26-A113-CC2E5FE3EE96}.exe	103
PID 4580 wrote to memory of 2400	4580	{98031F89-49C6-4c26-A113-CC2E5FE3EE96}.exe	103
PID 4580 wrote to memory of 2400	4580	{98031F89-49C6-4c26-A113-CC2E5FE3EE96}.exe	103
PID 4580 wrote to memory of 1560	4580	{98031F89-49C6-4c26-A113-CC2E5FE3EE96}.exe	104
PID 4580 wrote to memory of 1560	4580	{98031F89-49C6-4c26-A113-CC2E5FE3EE96}.exe	104
PID 4580 wrote to memory of 1560	4580	{98031F89-49C6-4c26-A113-CC2E5FE3EE96}.exe	104
PID 2400 wrote to memory of 2560	2400	{0A5CE842-7274-49de-BC84-72D0588E7E5D}.exe	105
PID 2400 wrote to memory of 2560	2400	{0A5CE842-7274-49de-BC84-72D0588E7E5D}.exe	105
PID 2400 wrote to memory of 2560	2400	{0A5CE842-7274-49de-BC84-72D0588E7E5D}.exe	105
PID 2400 wrote to memory of 220	2400	{0A5CE842-7274-49de-BC84-72D0588E7E5D}.exe	106
PID 2400 wrote to memory of 220	2400	{0A5CE842-7274-49de-BC84-72D0588E7E5D}.exe	106
PID 2400 wrote to memory of 220	2400	{0A5CE842-7274-49de-BC84-72D0588E7E5D}.exe	106
PID 2560 wrote to memory of 372	2560	{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}.exe	107
PID 2560 wrote to memory of 372	2560	{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}.exe	107
PID 2560 wrote to memory of 372	2560	{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}.exe	107
PID 2560 wrote to memory of 2128	2560	{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}.exe	108
PID 2560 wrote to memory of 2128	2560	{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}.exe	108
PID 2560 wrote to memory of 2128	2560	{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}.exe	108
PID 372 wrote to memory of 1880	372	{F279C048-DF1E-41e5-A5B3-E4C488F90236}.exe	110
PID 372 wrote to memory of 1880	372	{F279C048-DF1E-41e5-A5B3-E4C488F90236}.exe	110
PID 372 wrote to memory of 1880	372	{F279C048-DF1E-41e5-A5B3-E4C488F90236}.exe	110
PID 372 wrote to memory of 5056	372	{F279C048-DF1E-41e5-A5B3-E4C488F90236}.exe	111
PID 372 wrote to memory of 5056	372	{F279C048-DF1E-41e5-A5B3-E4C488F90236}.exe	111
PID 372 wrote to memory of 5056	372	{F279C048-DF1E-41e5-A5B3-E4C488F90236}.exe	111
PID 1880 wrote to memory of 3112	1880	{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}.exe	112
PID 1880 wrote to memory of 3112	1880	{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}.exe	112
PID 1880 wrote to memory of 3112	1880	{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}.exe	112
PID 1880 wrote to memory of 2724	1880	{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}.exe	113
PID 1880 wrote to memory of 2724	1880	{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}.exe	113
PID 1880 wrote to memory of 2724	1880	{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}.exe	113
PID 3112 wrote to memory of 4452	3112	{F0287895-417B-414c-A461-D9ACE9F3885B}.exe	115
PID 3112 wrote to memory of 4452	3112	{F0287895-417B-414c-A461-D9ACE9F3885B}.exe	115
PID 3112 wrote to memory of 4452	3112	{F0287895-417B-414c-A461-D9ACE9F3885B}.exe	115
PID 3112 wrote to memory of 2728	3112	{F0287895-417B-414c-A461-D9ACE9F3885B}.exe	116
PID 3112 wrote to memory of 2728	3112	{F0287895-417B-414c-A461-D9ACE9F3885B}.exe	116
PID 3112 wrote to memory of 2728	3112	{F0287895-417B-414c-A461-D9ACE9F3885B}.exe	116
PID 4452 wrote to memory of 3100	4452	{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}.exe	123
PID 4452 wrote to memory of 3100	4452	{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}.exe	123
PID 4452 wrote to memory of 3100	4452	{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}.exe	123
PID 4452 wrote to memory of 1388	4452	{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}.exe	124
PID 4452 wrote to memory of 1388	4452	{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}.exe	124
PID 4452 wrote to memory of 1388	4452	{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}.exe	124
PID 3100 wrote to memory of 2648	3100	{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}.exe	125
PID 3100 wrote to memory of 2648	3100	{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}.exe	125
PID 3100 wrote to memory of 2648	3100	{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}.exe	125
PID 3100 wrote to memory of 3748	3100	{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}.exe	126
PID 3100 wrote to memory of 3748	3100	{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}.exe	126
PID 3100 wrote to memory of 3748	3100	{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}.exe	126
PID 2648 wrote to memory of 992	2648	{76314618-48A5-4214-B7E9-FEEC345AE894}.exe	129
PID 2648 wrote to memory of 992	2648	{76314618-48A5-4214-B7E9-FEEC345AE894}.exe	129
PID 2648 wrote to memory of 992	2648	{76314618-48A5-4214-B7E9-FEEC345AE894}.exe	129
PID 2648 wrote to memory of 4252	2648	{76314618-48A5-4214-B7E9-FEEC345AE894}.exe	130

C:\Users\Admin\AppData\Local\Temp\fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe
"C:\Users\Admin\AppData\Local\Temp\fbaca39fc021b99ef635e02e186d0f3ca76cf4eb9d9a84da8d4f45c7a5bb24e1.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\{7835F8D1-4FB1-4876-8E57-65AC0784F448}.exe
  C:\Windows\{7835F8D1-4FB1-4876-8E57-65AC0784F448}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\{98031F89-49C6-4c26-A113-CC2E5FE3EE96}.exe
    C:\Windows\{98031F89-49C6-4c26-A113-CC2E5FE3EE96}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\{0A5CE842-7274-49de-BC84-72D0588E7E5D}.exe
      C:\Windows\{0A5CE842-7274-49de-BC84-72D0588E7E5D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}.exe
        
        C:\Windows\{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\{F279C048-DF1E-41e5-A5B3-E4C488F90236}.exe
        
        C:\Windows\{F279C048-DF1E-41e5-A5B3-E4C488F90236}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}.exe
        
        C:\Windows\{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\{F0287895-417B-414c-A461-D9ACE9F3885B}.exe
        
        C:\Windows\{F0287895-417B-414c-A461-D9ACE9F3885B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}.exe
        
        C:\Windows\{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}.exe
        
        C:\Windows\{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\{76314618-48A5-4214-B7E9-FEEC345AE894}.exe
        
        C:\Windows\{76314618-48A5-4214-B7E9-FEEC345AE894}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\{7934E28F-F797-4182-8D51-F8C7A0C7D440}.exe
        
        C:\Windows\{7934E28F-F797-4182-8D51-F8C7A0C7D440}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\{C3BCD6AE-3478-4f91-9586-3A8691E99C0F}.exe
        
        C:\Windows\{C3BCD6AE-3478-4f91-9586-3A8691E99C0F}.exe
        13⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7934E~1.EXE > nul
        13⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76314~1.EXE > nul
        12⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22D20~1.EXE > nul
        11⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA8DA~1.EXE > nul
        10⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0287~1.EXE > nul
        9⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2CC7~1.EXE > nul
        8⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F279C~1.EXE > nul
        7⤵
        
        PID:5056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D26F~1.EXE > nul
        6⤵
        
        PID:2128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A5CE~1.EXE > nul
        5⤵
        
        PID:220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{98031~1.EXE > nul
      4⤵
      PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7835F~1.EXE > nul
    3⤵
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FBACA3~1.EXE > nul
  2⤵
  PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A5CE842-7274-49de-BC84-72D0588E7E5D}.exe

Filesize
89KB

MD5
38717adc79aecdb740ac205327241d85

SHA1
9619dc11efc3af4774bb6578f100e0a01c7d0450

SHA256
c985147b557c0251fcf198bb043d7561aa6fe1f7af7e3a0047509a508e14e859

SHA512
29bd2926d9022708ae7e3182b884c62b77618d96de2fa6d51a813f5cde288d1f8aa80a64ec1714d2f9d1ae709f65776983e97ba2da67388061f38a63c6a3c310

Download Submit
C:\Windows\{22D20CDD-D656-44e6-BA45-4BC6A97AAD3E}.exe

Filesize
89KB

MD5
172d4da2288398cb2956833b07be9246

SHA1
fcd996dbc57a27e76ce38e11f28ca530d3b63929

SHA256
3184829cd587abb4c1466ad4c4002630e98572ef2c4a08c684e95dc46aae3211

SHA512
7d61b02e2fa9343f7cf1af053dbbb964dd4aacbbf5a37e10f5c9cf0fd138ae6eea5900ce86defcdf21d6f8f7fdcaa916fed4dff3ab20d50d90a2890b39d6b448

Download Submit
C:\Windows\{76314618-48A5-4214-B7E9-FEEC345AE894}.exe

Filesize
89KB

MD5
d701a1e6ce0f9ca78afe8e83b3c22872

SHA1
63ba4372793f6dce6026ed87e452ddbfd97af812

SHA256
705f4139715bf89d0a8af39cfac97377bcbf4d3500e97d8ff14ea17f946df056

SHA512
24f785e021c27b5fbb68708959db246b63baa57312961ece76b4608ceb31bc09c6ac3bfc2f7757f2de27fe0743b5bf88ca9c65c3b74cfed4ad35e8973a6a2633

Download Submit
C:\Windows\{7835F8D1-4FB1-4876-8E57-65AC0784F448}.exe

Filesize
89KB

MD5
6b9fc125251d065185545aec8fd7b775

SHA1
cad86971598d9cdc7daeb4c3181cb8b82915be7b

SHA256
06b6aba3c1c9cf28d0fda5922f17f22240afbd21df4124ed5f7d16179b2ef7ad

SHA512
b4f4e3cbe8d0a8b4f9bc69a8dd38413dd413cb994da86f935a889cdcba6c1e646ad426d3478c762071e5ca60c0eb4b74312462d76cafe383faddb0e28ff5b2d8

Download Submit
C:\Windows\{7934E28F-F797-4182-8D51-F8C7A0C7D440}.exe

Filesize
89KB

MD5
c9648a0fe4b1fa4e282e4aaee0a8679f

SHA1
23701091e3278ab8cd37c14aa28f4010c1c922e5

SHA256
c67f23abb5f8ff35d7fc18678d48fcb6413cecffec784ab486c2f77d3dc15d0c

SHA512
67eabd3fcb56f4b91dfdcbcb3a56502b49e2445e93f53b0d246ecb34ea4b708a507205b4223f65fde965ee0b007e0718a940ca8ddb7accfe18afff88d7f1b414

Download Submit
C:\Windows\{8D26FAD2-9438-45c6-A9A4-0AFE08F2FD14}.exe

Filesize
89KB

MD5
e150f81c333d3219a9f15b5e8d429136

SHA1
4323e1e5745b63481bd5f370a91a86ac7fb90914

SHA256
11bf6d26e3dd02edce55d7bcb8ae3ef990df84caabb14382849ae9aff08758e2

SHA512
25075f708566deae86abc1cc0078234a6b12e7fd51d72b49417a422de67564fd388af8d9810011cfb5cb566e0c16b5b403a025e8a2026d6f9f2e7c8e3b7df86f

Download Submit
C:\Windows\{98031F89-49C6-4c26-A113-CC2E5FE3EE96}.exe

Filesize
89KB

MD5
c6672477793859fb921252ce800718f6

SHA1
de28ca71fb9af42916ce7f387ec06552b95f79c6

SHA256
df1b66347276601e586d2c09ec9ad3e389f37b92e9839d9374e52a66026c9afe

SHA512
7ff215867a9a8cb61122b3e38026e5b2276bf68d3380279c8c458796e0e7cba05c3733c76e730afef2a9ae2d85d0d2831bab2fc7dbd9cb468782f0fe0db08d9a

Download Submit
C:\Windows\{C3BCD6AE-3478-4f91-9586-3A8691E99C0F}.exe

Filesize
89KB

MD5
3a204b1681ec5507ff8d2618e3d458b7

SHA1
e9781844bdff3c1fa5e87f682f370ffb7ca54262

SHA256
df8fd5691083fa855dd2cb39535461e6e8079b03b5a2da92dfe78e64870d8690

SHA512
7370388152a973fbf749a02dc48b4e5091a3cdfa1d2b7a1bbc04f6ae4faed98c81637a9183b935fcc21ceb12446f92c2423506fcb20a934b0403adcf44c7cd15

Download Submit
C:\Windows\{DA8DA85D-2BF4-4e28-9FB4-AD7D96B6DA3D}.exe

Filesize
89KB

MD5
328e7ae9b5805a9813b8bf57d6d7feb1

SHA1
87be985b2af58145169298a1e9eaf945544e8dab

SHA256
6116eeccf80f656adf108d059e839b540841035e3cb5320809480cf6a1c9ea7a

SHA512
3093b3464246dd4cb74b44ee0a099fe984b5126e455ecfc57b667eaa53e79d63f781af345330aede13ad67f9e91e38b2e7bb76db521b61816eaa0a06d67be718

Download Submit
C:\Windows\{F0287895-417B-414c-A461-D9ACE9F3885B}.exe

Filesize
89KB

MD5
b1046426273ff8b49ad43feeb7a8d49a

SHA1
31eac90694d1b50b45e88c6d1da8a5bb7916f545

SHA256
8c2368f7837e630f2fb877b4904052c7ddd2dd857049913011c41bc5bffcd38c

SHA512
f314ce409880ceed6df2353c797bfd0eec4dec9ce244578fe0529c26973b28dd91417da8ff17a7001ad5a4eccc0df49de31b3723d5551457dba16e72e98bef8d

Download Submit
C:\Windows\{F279C048-DF1E-41e5-A5B3-E4C488F90236}.exe

Filesize
89KB

MD5
4ad531019f3160f21dfb020f2265a484

SHA1
b4e11b6c47b1cd9d5242c3873b426b2f187ec14b

SHA256
5044745f946a3c5dd26222cbe7e5368f62c18f15b7e42038817c570243337dc5

SHA512
faae7375bf741496041106b962ae92ac22fbf76ee90b7f396438740975c7d01cf06d5caa06b8afcd4fd027debce70b18b68ffc4463ac28afe0639a11156c52a7

Download Submit
C:\Windows\{F2CC73A2-A06C-4ceb-9AF4-2112BC2B9354}.exe

Filesize
89KB

MD5
cb973d36ce32a5e17c03e7eb3535baa7

SHA1
f3e9c7df07bbf1848d15f31e82f927c251de070d

SHA256
d907a3022747c89375025818114a30e817d124d9241fdd6bee51bb0a8471e9d2

SHA512
b5dec3df7110bdc9f019f622d22995c0cc5f363289faa6c75f223431a9e911cd65d720361403f14b986fc1d3aa4d686a6a7b768dff3f0dd57e2ed18da82fa7e2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads