e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658

Analysis

max time kernel
151s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 04:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe
Size

64KB
MD5

548bf9609260f39464e76d217a17e227
SHA1

2a3bc7885c2a5d41377e4d08724b8d3739e730e4
SHA256

e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658
SHA512

945413f5e0760107164b662124bd3c8427d2d53f8949d5ed0a1b2bdb5c333b87590218c038c013e4d134500667dd9f9d80dc23ed4a059a54de450d420190b882
SSDEEP

384:ObLwOs8AHsc4HMPwhKQLroh4/CFsrdHWMZw:Ovw981xvhKQLroh4/wQpWMZw

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 40 IoCs

resource	yara_rule
behavioral1/memory/2180-0-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2180-3-0x00000000002E0000-0x00000000002F0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0009000000014b6d-6.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1736-9-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2180-10-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1736-14-0x0000000000250000-0x0000000000260000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1736-19-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2100-20-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000f00000000f680-18.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2100-23-0x0000000000350000-0x0000000000360000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2100-29-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2988-30-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000a000000014b6d-28.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2988-34-0x0000000000250000-0x0000000000260000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2420-40-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2988-39-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x001000000000f680-38.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2420-44-0x0000000000250000-0x0000000000260000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000b000000014b6d-48.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2420-49-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2552-57-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000a000000014e3d-56.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2076-61-0x0000000000250000-0x0000000000260000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000c000000014b6d-66.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2076-65-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1964-70-0x0000000000270000-0x0000000000280000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2316-76-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1964-75-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000b000000014e3d-74.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2316-80-0x0000000000260000-0x0000000000270000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2316-85-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0009000000014ec4-84.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0007000000014fe1-93.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1512-92-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1048-97-0x00000000002D0000-0x00000000002E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1048-102-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000a000000014ec4-101.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1832-106-0x0000000000290000-0x00000000002A0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0007000000015264-111.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1832-110-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E859299F-6B94-4912-A5D5-A58EB52E27E4}\stubpath = "C:\\Windows\\{E859299F-6B94-4912-A5D5-A58EB52E27E4}.exe"	{D7AE7CA6-4134-4762-9DD1-89193526A051}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{690C88C5-92E6-4fff-9503-7FE2E45CC683}\stubpath = "C:\\Windows\\{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe"	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}\stubpath = "C:\\Windows\\{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe"	{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF3DD969-8288-4bbd-9F07-56F827FD52A0}	{E23BF922-3967-4554-9975-F2D78C97D13C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91A5D581-6619-442c-8E19-A40B32849D96}	{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F27730CA-42E0-45f5-8C31-4EEE87756DCB}\stubpath = "C:\\Windows\\{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe"	{91A5D581-6619-442c-8E19-A40B32849D96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41556336-DE13-4476-B0BD-77783B71E90F}\stubpath = "C:\\Windows\\{41556336-DE13-4476-B0BD-77783B71E90F}.exe"	{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E859299F-6B94-4912-A5D5-A58EB52E27E4}	{D7AE7CA6-4134-4762-9DD1-89193526A051}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEADF765-D82F-42dc-BBB4-D7E2C7C0B52E}\stubpath = "C:\\Windows\\{FEADF765-D82F-42dc-BBB4-D7E2C7C0B52E}.exe"	{E859299F-6B94-4912-A5D5-A58EB52E27E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D6480DC-2A01-4014-9122-63E7AFCF79E6}	{FEADF765-D82F-42dc-BBB4-D7E2C7C0B52E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F27730CA-42E0-45f5-8C31-4EEE87756DCB}	{91A5D581-6619-442c-8E19-A40B32849D96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FADC722-E467-4383-97B4-F9C2AA5E4044}	{41556336-DE13-4476-B0BD-77783B71E90F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7AE7CA6-4134-4762-9DD1-89193526A051}	{7FADC722-E467-4383-97B4-F9C2AA5E4044}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7AE7CA6-4134-4762-9DD1-89193526A051}\stubpath = "C:\\Windows\\{D7AE7CA6-4134-4762-9DD1-89193526A051}.exe"	{7FADC722-E467-4383-97B4-F9C2AA5E4044}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEADF765-D82F-42dc-BBB4-D7E2C7C0B52E}	{E859299F-6B94-4912-A5D5-A58EB52E27E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}	{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E23BF922-3967-4554-9975-F2D78C97D13C}	{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FADC722-E467-4383-97B4-F9C2AA5E4044}\stubpath = "C:\\Windows\\{7FADC722-E467-4383-97B4-F9C2AA5E4044}.exe"	{41556336-DE13-4476-B0BD-77783B71E90F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{690C88C5-92E6-4fff-9503-7FE2E45CC683}	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E23BF922-3967-4554-9975-F2D78C97D13C}\stubpath = "C:\\Windows\\{E23BF922-3967-4554-9975-F2D78C97D13C}.exe"	{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF3DD969-8288-4bbd-9F07-56F827FD52A0}\stubpath = "C:\\Windows\\{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe"	{E23BF922-3967-4554-9975-F2D78C97D13C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91A5D581-6619-442c-8E19-A40B32849D96}\stubpath = "C:\\Windows\\{91A5D581-6619-442c-8E19-A40B32849D96}.exe"	{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41556336-DE13-4476-B0BD-77783B71E90F}	{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D6480DC-2A01-4014-9122-63E7AFCF79E6}\stubpath = "C:\\Windows\\{7D6480DC-2A01-4014-9122-63E7AFCF79E6}.exe"	{FEADF765-D82F-42dc-BBB4-D7E2C7C0B52E}.exe

Deletes itself 1 IoCs

pid	Process
2272	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
1736	{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe
2100	{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe
2988	{E23BF922-3967-4554-9975-F2D78C97D13C}.exe
2420	{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe
2552	{91A5D581-6619-442c-8E19-A40B32849D96}.exe
2076	{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe
1964	{41556336-DE13-4476-B0BD-77783B71E90F}.exe
2316	{7FADC722-E467-4383-97B4-F9C2AA5E4044}.exe
1512	{D7AE7CA6-4134-4762-9DD1-89193526A051}.exe
1048	{E859299F-6B94-4912-A5D5-A58EB52E27E4}.exe
1832	{FEADF765-D82F-42dc-BBB4-D7E2C7C0B52E}.exe
972	{7D6480DC-2A01-4014-9122-63E7AFCF79E6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe	{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe
File created	C:\Windows\{E23BF922-3967-4554-9975-F2D78C97D13C}.exe	{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe
File created	C:\Windows\{7FADC722-E467-4383-97B4-F9C2AA5E4044}.exe	{41556336-DE13-4476-B0BD-77783B71E90F}.exe
File created	C:\Windows\{FEADF765-D82F-42dc-BBB4-D7E2C7C0B52E}.exe	{E859299F-6B94-4912-A5D5-A58EB52E27E4}.exe
File created	C:\Windows\{7D6480DC-2A01-4014-9122-63E7AFCF79E6}.exe	{FEADF765-D82F-42dc-BBB4-D7E2C7C0B52E}.exe
File created	C:\Windows\{E859299F-6B94-4912-A5D5-A58EB52E27E4}.exe	{D7AE7CA6-4134-4762-9DD1-89193526A051}.exe
File created	C:\Windows\{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe
File created	C:\Windows\{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe	{E23BF922-3967-4554-9975-F2D78C97D13C}.exe
File created	C:\Windows\{91A5D581-6619-442c-8E19-A40B32849D96}.exe	{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe
File created	C:\Windows\{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe	{91A5D581-6619-442c-8E19-A40B32849D96}.exe
File created	C:\Windows\{41556336-DE13-4476-B0BD-77783B71E90F}.exe	{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe
File created	C:\Windows\{D7AE7CA6-4134-4762-9DD1-89193526A051}.exe	{7FADC722-E467-4383-97B4-F9C2AA5E4044}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2180	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe
Token: SeIncBasePriorityPrivilege	1736	{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe
Token: SeIncBasePriorityPrivilege	2100	{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe
Token: SeIncBasePriorityPrivilege	2988	{E23BF922-3967-4554-9975-F2D78C97D13C}.exe
Token: SeIncBasePriorityPrivilege	2420	{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe
Token: SeIncBasePriorityPrivilege	2552	{91A5D581-6619-442c-8E19-A40B32849D96}.exe
Token: SeIncBasePriorityPrivilege	2076	{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe
Token: SeIncBasePriorityPrivilege	1964	{41556336-DE13-4476-B0BD-77783B71E90F}.exe
Token: SeIncBasePriorityPrivilege	2316	{7FADC722-E467-4383-97B4-F9C2AA5E4044}.exe
Token: SeIncBasePriorityPrivilege	1512	{D7AE7CA6-4134-4762-9DD1-89193526A051}.exe
Token: SeIncBasePriorityPrivilege	1048	{E859299F-6B94-4912-A5D5-A58EB52E27E4}.exe
Token: SeIncBasePriorityPrivilege	1832	{FEADF765-D82F-42dc-BBB4-D7E2C7C0B52E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1736	2180	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe	30
PID 2180 wrote to memory of 1736	2180	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe	30
PID 2180 wrote to memory of 1736	2180	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe	30
PID 2180 wrote to memory of 1736	2180	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe	30
PID 2180 wrote to memory of 2272	2180	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe	31
PID 2180 wrote to memory of 2272	2180	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe	31
PID 2180 wrote to memory of 2272	2180	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe	31
PID 2180 wrote to memory of 2272	2180	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe	31
PID 1736 wrote to memory of 2100	1736	{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe	32
PID 1736 wrote to memory of 2100	1736	{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe	32
PID 1736 wrote to memory of 2100	1736	{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe	32
PID 1736 wrote to memory of 2100	1736	{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe	32
PID 1736 wrote to memory of 552	1736	{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe	33
PID 1736 wrote to memory of 552	1736	{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe	33
PID 1736 wrote to memory of 552	1736	{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe	33
PID 1736 wrote to memory of 552	1736	{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe	33
PID 2100 wrote to memory of 2988	2100	{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe	34
PID 2100 wrote to memory of 2988	2100	{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe	34
PID 2100 wrote to memory of 2988	2100	{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe	34
PID 2100 wrote to memory of 2988	2100	{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe	34
PID 2100 wrote to memory of 2652	2100	{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe	35
PID 2100 wrote to memory of 2652	2100	{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe	35
PID 2100 wrote to memory of 2652	2100	{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe	35
PID 2100 wrote to memory of 2652	2100	{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe	35
PID 2988 wrote to memory of 2420	2988	{E23BF922-3967-4554-9975-F2D78C97D13C}.exe	36
PID 2988 wrote to memory of 2420	2988	{E23BF922-3967-4554-9975-F2D78C97D13C}.exe	36
PID 2988 wrote to memory of 2420	2988	{E23BF922-3967-4554-9975-F2D78C97D13C}.exe	36
PID 2988 wrote to memory of 2420	2988	{E23BF922-3967-4554-9975-F2D78C97D13C}.exe	36
PID 2988 wrote to memory of 2684	2988	{E23BF922-3967-4554-9975-F2D78C97D13C}.exe	37
PID 2988 wrote to memory of 2684	2988	{E23BF922-3967-4554-9975-F2D78C97D13C}.exe	37
PID 2988 wrote to memory of 2684	2988	{E23BF922-3967-4554-9975-F2D78C97D13C}.exe	37
PID 2988 wrote to memory of 2684	2988	{E23BF922-3967-4554-9975-F2D78C97D13C}.exe	37
PID 2420 wrote to memory of 2552	2420	{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe	38
PID 2420 wrote to memory of 2552	2420	{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe	38
PID 2420 wrote to memory of 2552	2420	{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe	38
PID 2420 wrote to memory of 2552	2420	{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe	38
PID 2420 wrote to memory of 2280	2420	{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe	39
PID 2420 wrote to memory of 2280	2420	{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe	39
PID 2420 wrote to memory of 2280	2420	{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe	39
PID 2420 wrote to memory of 2280	2420	{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe	39
PID 2552 wrote to memory of 2076	2552	{91A5D581-6619-442c-8E19-A40B32849D96}.exe	40
PID 2552 wrote to memory of 2076	2552	{91A5D581-6619-442c-8E19-A40B32849D96}.exe	40
PID 2552 wrote to memory of 2076	2552	{91A5D581-6619-442c-8E19-A40B32849D96}.exe	40
PID 2552 wrote to memory of 2076	2552	{91A5D581-6619-442c-8E19-A40B32849D96}.exe	40
PID 2552 wrote to memory of 1264	2552	{91A5D581-6619-442c-8E19-A40B32849D96}.exe	41
PID 2552 wrote to memory of 1264	2552	{91A5D581-6619-442c-8E19-A40B32849D96}.exe	41
PID 2552 wrote to memory of 1264	2552	{91A5D581-6619-442c-8E19-A40B32849D96}.exe	41
PID 2552 wrote to memory of 1264	2552	{91A5D581-6619-442c-8E19-A40B32849D96}.exe	41
PID 2076 wrote to memory of 1964	2076	{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe	42
PID 2076 wrote to memory of 1964	2076	{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe	42
PID 2076 wrote to memory of 1964	2076	{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe	42
PID 2076 wrote to memory of 1964	2076	{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe	42
PID 2076 wrote to memory of 1692	2076	{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe	43
PID 2076 wrote to memory of 1692	2076	{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe	43
PID 2076 wrote to memory of 1692	2076	{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe	43
PID 2076 wrote to memory of 1692	2076	{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe	43
PID 1964 wrote to memory of 2316	1964	{41556336-DE13-4476-B0BD-77783B71E90F}.exe	44
PID 1964 wrote to memory of 2316	1964	{41556336-DE13-4476-B0BD-77783B71E90F}.exe	44
PID 1964 wrote to memory of 2316	1964	{41556336-DE13-4476-B0BD-77783B71E90F}.exe	44
PID 1964 wrote to memory of 2316	1964	{41556336-DE13-4476-B0BD-77783B71E90F}.exe	44
PID 1964 wrote to memory of 1976	1964	{41556336-DE13-4476-B0BD-77783B71E90F}.exe	45
PID 1964 wrote to memory of 1976	1964	{41556336-DE13-4476-B0BD-77783B71E90F}.exe	45
PID 1964 wrote to memory of 1976	1964	{41556336-DE13-4476-B0BD-77783B71E90F}.exe	45
PID 1964 wrote to memory of 1976	1964	{41556336-DE13-4476-B0BD-77783B71E90F}.exe	45

C:\Users\Admin\AppData\Local\Temp\e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe
"C:\Users\Admin\AppData\Local\Temp\e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe
  C:\Windows\{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe
    C:\Windows\{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\{E23BF922-3967-4554-9975-F2D78C97D13C}.exe
      C:\Windows\{E23BF922-3967-4554-9975-F2D78C97D13C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe
        
        C:\Windows\{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
      - C:\Windows\{91A5D581-6619-442c-8E19-A40B32849D96}.exe
        
        C:\Windows\{91A5D581-6619-442c-8E19-A40B32849D96}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe
        
        C:\Windows\{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\{41556336-DE13-4476-B0BD-77783B71E90F}.exe
        
        C:\Windows\{41556336-DE13-4476-B0BD-77783B71E90F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\{7FADC722-E467-4383-97B4-F9C2AA5E4044}.exe
        
        C:\Windows\{7FADC722-E467-4383-97B4-F9C2AA5E4044}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\{D7AE7CA6-4134-4762-9DD1-89193526A051}.exe
        
        C:\Windows\{D7AE7CA6-4134-4762-9DD1-89193526A051}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\{E859299F-6B94-4912-A5D5-A58EB52E27E4}.exe
        
        C:\Windows\{E859299F-6B94-4912-A5D5-A58EB52E27E4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\{FEADF765-D82F-42dc-BBB4-D7E2C7C0B52E}.exe
        
        C:\Windows\{FEADF765-D82F-42dc-BBB4-D7E2C7C0B52E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\{7D6480DC-2A01-4014-9122-63E7AFCF79E6}.exe
        
        C:\Windows\{7D6480DC-2A01-4014-9122-63E7AFCF79E6}.exe
        13⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEADF~1.EXE > nul
        13⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8592~1.EXE > nul
        12⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7AE7~1.EXE > nul
        11⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FADC~1.EXE > nul
        10⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41556~1.EXE > nul
        9⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2773~1.EXE > nul
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91A5D~1.EXE > nul
        7⤵
        
        PID:1264
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF3DD~1.EXE > nul
        6⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E23BF~1.EXE > nul
        5⤵
        
        PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{00CF9~1.EXE > nul
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{690C8~1.EXE > nul
    3⤵
    PID:552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E0CE06~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00CF9A54-AE46-4d62-AFE8-E13CF13F52B9}.exe

Filesize
64KB

MD5
88257f2bac9f716c20b0a8a45bacb3cd

SHA1
d789d0b05db4cf5af6db0877fe000d6cab970bfa

SHA256
001d89528b44753fd995239cd606c1be6da6c05cff159a82e7ce42487d68d4b2

SHA512
0928cbf2faed73b6bde9f4d9771b158a5f16874e4f4f83823e6893d41dc4e27333c41d33b4d720b4ad6f1ca711e0ab093bf1b7e7058f14c032d76d337c2e6024

Download Submit
C:\Windows\{41556336-DE13-4476-B0BD-77783B71E90F}.exe

Filesize
64KB

MD5
1a8ad698b9dc738d7ef4a304aa9f0e36

SHA1
9c38625f71bb8ecc540f1cc1be60c5da6be5f83e

SHA256
9c2673785f9894097112521a94399ea6ced05e0d2c82a2144fe1976a216d5b2a

SHA512
29344f0b579e829574d2de83ea447fb393a4aa75067956abf5953add56017fc144433e13fd3f02ed8bd7ae996478ed6baa72d151e4baae2e5927fd2cca713c6c

Download Submit
C:\Windows\{690C88C5-92E6-4fff-9503-7FE2E45CC683}.exe

Filesize
64KB

MD5
0db12c4f4477a298fc7ac33cee587aec

SHA1
dc861bd236f9029344eed2ac3b014f9c65f8397e

SHA256
ef2a35d3680fde9453f6e4e67a6e14a03e415d1a9e92a95f5bdd5a8217b4049b

SHA512
c3a0bd449d2ab74ae1fd8172376db517394c6e0ece7ea22071b3cd299f5cb0ca5079e18823ae181f79142d838a59a3ce5ebe4272d5f2bbe721adb110d6b113ac

Download Submit
C:\Windows\{7D6480DC-2A01-4014-9122-63E7AFCF79E6}.exe

Filesize
64KB

MD5
83cefd415b744aa13cbab8b57e51ba41

SHA1
b6a775bea32929dcc52c180c70f53fadc28d3fc9

SHA256
011849a25029a60320426f4b31c64fe3c05426d34fbed0e68df37af42d6c34bf

SHA512
5e01134380b7f0de8fa5f9ab54da6e5167b6555e895e34a7aefd0ea28bbacf926cee7c2c91c565da11c6c51ae3a2660b1c61778dfdb403c2b6a434d71b457d50

Download Submit
C:\Windows\{7FADC722-E467-4383-97B4-F9C2AA5E4044}.exe

Filesize
64KB

MD5
5eab48c1b5db5efa78e7c78787d02bee

SHA1
5637a0911e5058d432c62db84e17fd2bc4ee4d83

SHA256
cbf6e4c877217cb102884f2b72914c744c7e88d5bc74df4308786afaa5ca8ad1

SHA512
73e2c6c20671a569cd40ed94426990c5197ac755634b15754b3b2dd2ef4fc681111626a95d91f13699675f89b52658b895178cf13416bf43aae61341120a6815

Download Submit
C:\Windows\{91A5D581-6619-442c-8E19-A40B32849D96}.exe

Filesize
64KB

MD5
b33bfced6a3c6b26c4d12583c012749c

SHA1
59471152c3821b0f6211df967ac8b0d9be6816c2

SHA256
767bd5964591e7d32ab3a5c468efa76f234c71fd11c72fec01eb3e48707a0773

SHA512
ad9c47c7a907d70e8c432eace48bc2655910e92d4ca0dde6f25e186e75ced0d6e1585ffa4a24c309b69299ee76db147c3cae7591c931a1d4f66fa1afc081cd46

Download Submit
C:\Windows\{D7AE7CA6-4134-4762-9DD1-89193526A051}.exe

Filesize
64KB

MD5
6133e1561f2c03b9082351e1c4c4bb7f

SHA1
774c866bd92f42b90d736e1f6cd6f5e1edc4abd8

SHA256
820598e371a3c81b261d1bc3eb3cab7d25ca108bc3b1c9e861416dc03eb81d56

SHA512
c824cc84cbd32adb5fafc3a98026caa90622222ccf23e07870a7a9f0f47d61d5024aa8bcb382b49a718258dca8d6e3b50b2b9df9c259e4bfaa5992383aa98c29

Download Submit
C:\Windows\{DF3DD969-8288-4bbd-9F07-56F827FD52A0}.exe

Filesize
64KB

MD5
7d6083c5670462cfa72b9a5929691064

SHA1
edbdc3138dc9175edde3413e6cd24a838c5d27c3

SHA256
517c693e52edf85f83262fe8458f158f64eb2be77398ce5d1ff2780582796d13

SHA512
b09eb7bbf382b5d7381f36fd756b1b872cbeece1e543df187dbb7d2a990ba08fe2fae38142ad3bdfd4e514faf536896904e176d496941e48ac26d47c92d7e2a6

Download Submit
C:\Windows\{E23BF922-3967-4554-9975-F2D78C97D13C}.exe

Filesize
64KB

MD5
d23262b4352eacef695670f27d6965ce

SHA1
6d032974db5c06b1f55ad5fb0250a99cf23b6501

SHA256
d154c2b71dcf6dc9ea81272ad99979ebbb4eccd22722f83e0bced95201503a5d

SHA512
1924af45d8241382e62cf27662ebb38c5749591f98d902605847727071deafa86cd9ffb05a97ea3aadbd268d2959d38fbce7677fa6e254ab2b31404b03f0fe6f

Download Submit
C:\Windows\{E859299F-6B94-4912-A5D5-A58EB52E27E4}.exe

Filesize
64KB

MD5
fb6f484b88c673b7fc6e3f389316e99f

SHA1
c669755cfda922e6a51da86524985f4a67018b1b

SHA256
8aeb3650978cc3448ed2aa3bfca3e2b34d9ab06aa4a48ab1381c8b6629a24e13

SHA512
fe574428397ccf52ac092d5e77f5c9520af87ebf776221b2269639475464fea5e723de165547a0f0f2d3356b1166aa8c94a7339efa944dba74238e1bba21d9be

Download Submit
C:\Windows\{F27730CA-42E0-45f5-8C31-4EEE87756DCB}.exe

Filesize
64KB

MD5
afa6536b220484d8d428e4a089fff3b4

SHA1
7bd8522d0a23e580ad8d66e50bc05a74d6bb4293

SHA256
55dd729d3d16ec6f531094da1d7f38981e708c86fcf1ceb98b51b4a3797b8e44

SHA512
6c7e0461ddf341a7a92676d2ddb1fd5e95e05db70099be05ff3fdedeba54373cf0a702c2ccd94368491095d69d688f34a37eee928f18ff31ff630b1ccdf152af

Download Submit
C:\Windows\{FEADF765-D82F-42dc-BBB4-D7E2C7C0B52E}.exe

Filesize
64KB

MD5
c0b02be61fd9bf86ef3af2f7665182a5

SHA1
07a13cd87fbfc03266ac917fa4ad0eea328e6fdf

SHA256
cef59a6bccb3d0bef19925898971affa3ad2392df1252b0f251e6092906f9600

SHA512
876dcd79ba88e0a259efcbb9ee241262194e86b3ef0cd57533a591b289c450dbf05d472fcd8f4de9f219f23b759f715016748ccb8e7b7acd43bfb2710ac24f0d

Download Submit
memory/1048-97-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/1048-102-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1512-92-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1736-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1736-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1736-14-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1832-110-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1832-106-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/1964-75-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1964-70-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2076-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2076-61-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2100-20-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2100-23-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2100-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2180-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2180-8-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2180-3-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2180-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2316-80-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2316-85-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2316-76-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2420-49-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2420-44-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2420-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2552-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2988-39-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2988-34-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2988-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads