c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d.exe
Size

64KB
MD5

0ca7cf096cccae834c2b690c2a99a417
SHA1

e8d572b158459124e31eb4099af352f0382781b3
SHA256

c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d
SHA512

24d3802f31ff07e257fbf18eaa314a8276c0ccee080d643d0ee1d57f29059b8551bd49083b4cf7147d5ad49107f3ff0b69341c1d7ee2d66d52c85789b6769928
SSDEEP

192:ObOzawOs81elJHsc45HcRZOgtSWcWaOT2QLrCqw/Y04/CFxyNhoy5tm:ObLwOs8AHsc4pMfwIKQLrox4/CFsrdm

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}\stubpath = "C:\\Windows\\{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe"	{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}	{6D576179-9894-4833-BA8F-6BAB29828302}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E47C856-336E-44d9-886F-C93075680DBB}	{1E647B85-54C2-4787-884C-1077F1B82F23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E47C856-336E-44d9-886F-C93075680DBB}\stubpath = "C:\\Windows\\{4E47C856-336E-44d9-886F-C93075680DBB}.exe"	{1E647B85-54C2-4787-884C-1077F1B82F23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}	{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D576179-9894-4833-BA8F-6BAB29828302}	{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}\stubpath = "C:\\Windows\\{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe"	{6D576179-9894-4833-BA8F-6BAB29828302}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1B4D231-36CE-4046-9764-CA3E2E0A99EC}\stubpath = "C:\\Windows\\{F1B4D231-36CE-4046-9764-CA3E2E0A99EC}.exe"	{20BE5FA9-C75E-4118-B121-1DB704B3726F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E647B85-54C2-4787-884C-1077F1B82F23}	{84F24993-2808-482b-91FB-8809F6FA9712}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E647B85-54C2-4787-884C-1077F1B82F23}\stubpath = "C:\\Windows\\{1E647B85-54C2-4787-884C-1077F1B82F23}.exe"	{84F24993-2808-482b-91FB-8809F6FA9712}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20BE5FA9-C75E-4118-B121-1DB704B3726F}	{4E47C856-336E-44d9-886F-C93075680DBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20BE5FA9-C75E-4118-B121-1DB704B3726F}\stubpath = "C:\\Windows\\{20BE5FA9-C75E-4118-B121-1DB704B3726F}.exe"	{4E47C856-336E-44d9-886F-C93075680DBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D79D0219-7C6B-4481-B5E8-DF235211CC3C}	c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}	{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D576179-9894-4833-BA8F-6BAB29828302}\stubpath = "C:\\Windows\\{6D576179-9894-4833-BA8F-6BAB29828302}.exe"	{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84F24993-2808-482b-91FB-8809F6FA9712}\stubpath = "C:\\Windows\\{84F24993-2808-482b-91FB-8809F6FA9712}.exe"	{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1B4D231-36CE-4046-9764-CA3E2E0A99EC}	{20BE5FA9-C75E-4118-B121-1DB704B3726F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84F24993-2808-482b-91FB-8809F6FA9712}	{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D79D0219-7C6B-4481-B5E8-DF235211CC3C}\stubpath = "C:\\Windows\\{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe"	c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2406FD0-51C2-4e32-9E37-237AFD580945}	{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2406FD0-51C2-4e32-9E37-237AFD580945}\stubpath = "C:\\Windows\\{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe"	{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}\stubpath = "C:\\Windows\\{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe"	{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe

Deletes itself 1 IoCs

pid	Process
1892	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2808	{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe
1044	{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe
2612	{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe
1284	{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe
2912	{6D576179-9894-4833-BA8F-6BAB29828302}.exe
2500	{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe
2760	{84F24993-2808-482b-91FB-8809F6FA9712}.exe
1540	{1E647B85-54C2-4787-884C-1077F1B82F23}.exe
1124	{4E47C856-336E-44d9-886F-C93075680DBB}.exe
992	{20BE5FA9-C75E-4118-B121-1DB704B3726F}.exe
1236	{F1B4D231-36CE-4046-9764-CA3E2E0A99EC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe	{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe
File created	C:\Windows\{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe	{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe
File created	C:\Windows\{F1B4D231-36CE-4046-9764-CA3E2E0A99EC}.exe	{20BE5FA9-C75E-4118-B121-1DB704B3726F}.exe
File created	C:\Windows\{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe	c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d.exe
File created	C:\Windows\{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe	{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe
File created	C:\Windows\{84F24993-2808-482b-91FB-8809F6FA9712}.exe	{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe
File created	C:\Windows\{1E647B85-54C2-4787-884C-1077F1B82F23}.exe	{84F24993-2808-482b-91FB-8809F6FA9712}.exe
File created	C:\Windows\{4E47C856-336E-44d9-886F-C93075680DBB}.exe	{1E647B85-54C2-4787-884C-1077F1B82F23}.exe
File created	C:\Windows\{20BE5FA9-C75E-4118-B121-1DB704B3726F}.exe	{4E47C856-336E-44d9-886F-C93075680DBB}.exe
File created	C:\Windows\{6D576179-9894-4833-BA8F-6BAB29828302}.exe	{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe
File created	C:\Windows\{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe	{6D576179-9894-4833-BA8F-6BAB29828302}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3048	c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d.exe
Token: SeIncBasePriorityPrivilege	2808	{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe
Token: SeIncBasePriorityPrivilege	1044	{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe
Token: SeIncBasePriorityPrivilege	2612	{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe
Token: SeIncBasePriorityPrivilege	1284	{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe
Token: SeIncBasePriorityPrivilege	2912	{6D576179-9894-4833-BA8F-6BAB29828302}.exe
Token: SeIncBasePriorityPrivilege	2500	{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe
Token: SeIncBasePriorityPrivilege	2760	{84F24993-2808-482b-91FB-8809F6FA9712}.exe
Token: SeIncBasePriorityPrivilege	1540	{1E647B85-54C2-4787-884C-1077F1B82F23}.exe
Token: SeIncBasePriorityPrivilege	1124	{4E47C856-336E-44d9-886F-C93075680DBB}.exe
Token: SeIncBasePriorityPrivilege	992	{20BE5FA9-C75E-4118-B121-1DB704B3726F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2808	3048	c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d.exe	28
PID 3048 wrote to memory of 2808	3048	c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d.exe	28
PID 3048 wrote to memory of 2808	3048	c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d.exe	28
PID 3048 wrote to memory of 2808	3048	c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d.exe	28
PID 3048 wrote to memory of 1892	3048	c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d.exe	29
PID 3048 wrote to memory of 1892	3048	c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d.exe	29
PID 3048 wrote to memory of 1892	3048	c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d.exe	29
PID 3048 wrote to memory of 1892	3048	c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d.exe	29
PID 2808 wrote to memory of 1044	2808	{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe	30
PID 2808 wrote to memory of 1044	2808	{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe	30
PID 2808 wrote to memory of 1044	2808	{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe	30
PID 2808 wrote to memory of 1044	2808	{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe	30
PID 2808 wrote to memory of 2656	2808	{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe	31
PID 2808 wrote to memory of 2656	2808	{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe	31
PID 2808 wrote to memory of 2656	2808	{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe	31
PID 2808 wrote to memory of 2656	2808	{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe	31
PID 1044 wrote to memory of 2612	1044	{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe	32
PID 1044 wrote to memory of 2612	1044	{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe	32
PID 1044 wrote to memory of 2612	1044	{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe	32
PID 1044 wrote to memory of 2612	1044	{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe	32
PID 1044 wrote to memory of 2692	1044	{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe	33
PID 1044 wrote to memory of 2692	1044	{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe	33
PID 1044 wrote to memory of 2692	1044	{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe	33
PID 1044 wrote to memory of 2692	1044	{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe	33
PID 2612 wrote to memory of 1284	2612	{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe	36
PID 2612 wrote to memory of 1284	2612	{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe	36
PID 2612 wrote to memory of 1284	2612	{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe	36
PID 2612 wrote to memory of 1284	2612	{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe	36
PID 2612 wrote to memory of 2848	2612	{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe	37
PID 2612 wrote to memory of 2848	2612	{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe	37
PID 2612 wrote to memory of 2848	2612	{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe	37
PID 2612 wrote to memory of 2848	2612	{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe	37
PID 1284 wrote to memory of 2912	1284	{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe	38
PID 1284 wrote to memory of 2912	1284	{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe	38
PID 1284 wrote to memory of 2912	1284	{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe	38
PID 1284 wrote to memory of 2912	1284	{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe	38
PID 1284 wrote to memory of 1572	1284	{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe	39
PID 1284 wrote to memory of 1572	1284	{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe	39
PID 1284 wrote to memory of 1572	1284	{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe	39
PID 1284 wrote to memory of 1572	1284	{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe	39
PID 2912 wrote to memory of 2500	2912	{6D576179-9894-4833-BA8F-6BAB29828302}.exe	40
PID 2912 wrote to memory of 2500	2912	{6D576179-9894-4833-BA8F-6BAB29828302}.exe	40
PID 2912 wrote to memory of 2500	2912	{6D576179-9894-4833-BA8F-6BAB29828302}.exe	40
PID 2912 wrote to memory of 2500	2912	{6D576179-9894-4833-BA8F-6BAB29828302}.exe	40
PID 2912 wrote to memory of 2012	2912	{6D576179-9894-4833-BA8F-6BAB29828302}.exe	41
PID 2912 wrote to memory of 2012	2912	{6D576179-9894-4833-BA8F-6BAB29828302}.exe	41
PID 2912 wrote to memory of 2012	2912	{6D576179-9894-4833-BA8F-6BAB29828302}.exe	41
PID 2912 wrote to memory of 2012	2912	{6D576179-9894-4833-BA8F-6BAB29828302}.exe	41
PID 2500 wrote to memory of 2760	2500	{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe	42
PID 2500 wrote to memory of 2760	2500	{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe	42
PID 2500 wrote to memory of 2760	2500	{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe	42
PID 2500 wrote to memory of 2760	2500	{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe	42
PID 2500 wrote to memory of 2836	2500	{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe	43
PID 2500 wrote to memory of 2836	2500	{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe	43
PID 2500 wrote to memory of 2836	2500	{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe	43
PID 2500 wrote to memory of 2836	2500	{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe	43
PID 2760 wrote to memory of 1540	2760	{84F24993-2808-482b-91FB-8809F6FA9712}.exe	44
PID 2760 wrote to memory of 1540	2760	{84F24993-2808-482b-91FB-8809F6FA9712}.exe	44
PID 2760 wrote to memory of 1540	2760	{84F24993-2808-482b-91FB-8809F6FA9712}.exe	44
PID 2760 wrote to memory of 1540	2760	{84F24993-2808-482b-91FB-8809F6FA9712}.exe	44
PID 2760 wrote to memory of 1796	2760	{84F24993-2808-482b-91FB-8809F6FA9712}.exe	45
PID 2760 wrote to memory of 1796	2760	{84F24993-2808-482b-91FB-8809F6FA9712}.exe	45
PID 2760 wrote to memory of 1796	2760	{84F24993-2808-482b-91FB-8809F6FA9712}.exe	45
PID 2760 wrote to memory of 1796	2760	{84F24993-2808-482b-91FB-8809F6FA9712}.exe	45

C:\Users\Admin\AppData\Local\Temp\c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d.exe
"C:\Users\Admin\AppData\Local\Temp\c2ee51c5b1c28ba0aa647fbf5c5f1b4279584163675bee1a2e394f453f41a02d.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe
  C:\Windows\{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe
    C:\Windows\{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe
      C:\Windows\{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe
        
        C:\Windows\{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1284
      - C:\Windows\{6D576179-9894-4833-BA8F-6BAB29828302}.exe
        
        C:\Windows\{6D576179-9894-4833-BA8F-6BAB29828302}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe
        
        C:\Windows\{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{84F24993-2808-482b-91FB-8809F6FA9712}.exe
        
        C:\Windows\{84F24993-2808-482b-91FB-8809F6FA9712}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{1E647B85-54C2-4787-884C-1077F1B82F23}.exe
        
        C:\Windows\{1E647B85-54C2-4787-884C-1077F1B82F23}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\{4E47C856-336E-44d9-886F-C93075680DBB}.exe
        
        C:\Windows\{4E47C856-336E-44d9-886F-C93075680DBB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\{20BE5FA9-C75E-4118-B121-1DB704B3726F}.exe
        
        C:\Windows\{20BE5FA9-C75E-4118-B121-1DB704B3726F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\{F1B4D231-36CE-4046-9764-CA3E2E0A99EC}.exe
        
        C:\Windows\{F1B4D231-36CE-4046-9764-CA3E2E0A99EC}.exe
        12⤵
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20BE5~1.EXE > nul
        12⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E47C~1.EXE > nul
        11⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E647~1.EXE > nul
        10⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84F24~1.EXE > nul
        9⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39380~1.EXE > nul
        8⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D576~1.EXE > nul
        7⤵
        
        PID:2012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39F4E~1.EXE > nul
        6⤵
        
        PID:1572
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD604~1.EXE > nul
        5⤵
        
        PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A2406~1.EXE > nul
      4⤵
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D79D0~1.EXE > nul
    3⤵
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C2EE51~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E647B85-54C2-4787-884C-1077F1B82F23}.exe

Filesize
64KB

MD5
05b6e7e4bcda1011308340f8c6d0cbba

SHA1
352b8ea57c09fa3082e3ddb8ccfde7e51272e385

SHA256
12ed7086deadd2c543486617cea3822de7e1cb6ac036c41778c8c42553660837

SHA512
ea615ad8d33c041925ad11b873090cb2c4461b5d2c4cb6acf86773d5899702d7e081173c53a30190f93a4a88b5fdc4e42ffe03d1d891770dff3d6e15aca7c579

Download Submit
C:\Windows\{20BE5FA9-C75E-4118-B121-1DB704B3726F}.exe

Filesize
64KB

MD5
ac712140d895b6b827d4826c88c8606e

SHA1
cebecd34ea84cd4be1c439d0b685f5f90ba82048

SHA256
14fd8cdf8cd06b18d84ca14ccb76f4fa8a49a53614edaab48a8a449d41528023

SHA512
eef624990be811a409e27790668d7b41821adfa554ca7a529588e91ee1426442dbfbf2c509b4b942e7ef164f97b2fedb067f95ba1aec2f28039f8dcd84273f7b

Download Submit
C:\Windows\{39380C31-ED21-4bc4-9D31-4D8C6A6E4376}.exe

Filesize
64KB

MD5
d9e7c3e4c692e01bbf76b5e50a7f7431

SHA1
b7d0921ec83c0a5d95a9949b8da38a7f617f3e0b

SHA256
5a0c7c3a6d607aa257eb64aa50925e359c5995e87558ee47df274e1f132af991

SHA512
3e4b79276d5608bc6dc94da96571183a1cec219240702a4d3b361cf34efe7a239bcdadee5eec4da13b9d2449437adc7489648614d370733e6fa8d20c273a07ac

Download Submit
C:\Windows\{39F4E14C-A57D-4b32-AD0B-207A4384AEFA}.exe

Filesize
64KB

MD5
bca039a688a3e293663f03beecc55a53

SHA1
74422f9471720b8d7f2d49a3255609d9db2709f4

SHA256
fadca7350763f8c9756e5cb556a23f1bce4f2fa58c79f7365e5d6e86d2eda465

SHA512
b5b9a4a2ceb26b1e83e69452904ece1c2ea3020193da3c9d796e9fe2797789a49e3faa1e9cb4543591118b78287606e7f137ad065ceb14681b426dc1b39ff22e

Download Submit
C:\Windows\{4E47C856-336E-44d9-886F-C93075680DBB}.exe

Filesize
64KB

MD5
cbaafb9a098c2461f13ce5b23d394ef7

SHA1
f278952eb2b2d84df612dd504ef0f1c21d5547e7

SHA256
562c12153b59b5fde1911ffa13819f3608e82382b60ef1dfd4cfda9a5d685f60

SHA512
58686a502d2576c639b338660e9f71a1462dc9a18e9d777a209946a1bce23b016fd6862cf220fce81769883860f80c7848fd31d5a0b5490117918b0aadc95fb4

Download Submit
C:\Windows\{6D576179-9894-4833-BA8F-6BAB29828302}.exe

Filesize
64KB

MD5
6cf1b2e737927e1b73b2e65c487dffda

SHA1
ab85e6e2325719d23aad2e5b71b4706d8e7640db

SHA256
9fa8e61dfab11d5bbcdcb7119274fcf3e030b32ca29ebe49ab4df45ae6017baa

SHA512
89af1975a6fbee87cff520dfa32771ccac4f80bb32f1b1f022b201c35ed9ef9062dcb66cee18d3e07a74d8a2b0c2d9bf0259ce2e7b64476117e5f25e8ca77176

Download Submit
C:\Windows\{84F24993-2808-482b-91FB-8809F6FA9712}.exe

Filesize
64KB

MD5
7b608297a8a5863742f0373aa980e2ec

SHA1
7b1894f6f06b0c34cfb465bf6388c7f086569a01

SHA256
2982f73ed1ae44d05ca0df73f1070100002310cfeaba3cf8c93cd01faf274b04

SHA512
9847dfb628627797facf116dc9af4401f116404b26cc97042d0609648476580c7353f580f210031ebb5e0b55ed7cf5877a427bad0b4cbfe7e4374658d5c0ef3a

Download Submit
C:\Windows\{A2406FD0-51C2-4e32-9E37-237AFD580945}.exe

Filesize
64KB

MD5
b28b6c2398e72740ca215c40f911734f

SHA1
bcb9b52e97cf63236c393306760db5df92a8e2b3

SHA256
e945315a917b556de108950a6a1b7e70a3ef3c63222fd699f0ef1a5600f43bbc

SHA512
60b83e6f49cf40d37414d5948fd3feac1f77ca7e8760c3d277ed7e376852f450171471529ab7349820ec9e141bf99285e379c4e085d73ddc9a17ccddd1e47a5c

Download Submit
C:\Windows\{AD60497C-0F2E-4ba2-8D80-BDB744674CD5}.exe

Filesize
64KB

MD5
1aa0302f74bdd8a61b5f685c69b0b0a9

SHA1
bf62345f40271f2e9cd65d6f491d243eb4eb2bee

SHA256
e7771d7d52b2fe7ad93e0e6f78d9876bd538e57ddb719abe40b6dff33ef19a15

SHA512
f99dd0d45a1b8e4188d55405c7c874151aaf4622d6b3316ae791748c73018568e6525624342c359dc7f183fc77ade537ec1667db8eed3a5a379d63a3504153be

Download Submit
C:\Windows\{D79D0219-7C6B-4481-B5E8-DF235211CC3C}.exe

Filesize
64KB

MD5
e0cfe0564df102a87dc3dd0d21520734

SHA1
4684ee5cf975362d4923b8564673ef4743f8c3e9

SHA256
48aead000ae11708d3f364a27e8667efbe968f3c128a947759576bf2ac586f1c

SHA512
84b4b2bc3ca604b78cd66262f0dfdae71420e863ee6d17a46643048d8aaaa09587f10d09881ea72095effacd943dda416428dc46efa34979e39807b7d3403279

Download Submit
C:\Windows\{F1B4D231-36CE-4046-9764-CA3E2E0A99EC}.exe

Filesize
64KB

MD5
8f471a35a75bccb29dde8b0866604141

SHA1
5d4f9d5407a44b87f2ae9505973f419c6d1f1d85

SHA256
dec446f44fe6e2e1d42c695d6831020a8630625dc6eb2f485cfec9bf1e796b04

SHA512
e15ef56006baec7dc2797547514c7cd5f0d2827b3e5e498d34179e3c469f2d5aa687ff27e064a9d8d49e137a0608fcdf2996ce3a9aed82815310670c97309c69

Download Submit
memory/992-94-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1044-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1044-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1124-86-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1284-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1540-78-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1540-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2500-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2500-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2612-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2760-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2760-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2808-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2808-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2912-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2912-43-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3048-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3048-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3048-3-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads