02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe
Size

64KB
MD5

721e84b8d6d4567d937067738cd7170c
SHA1

5b23e8d576e6b1e5e7b3881a29af041b394b80bd
SHA256

02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a
SHA512

ee82e42ccb70283cc787a9658d6ede740559971b656757c5a8dd9fadb5d781e366d144f89a16499f08835625f4a57bed0902c0c8db7c04a5d96030bbe3d01152
SSDEEP

768:Ovw981iqhKQLroCK4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdk:6EGs0oCKlwWMZQcpmgDagIyS1loL7Wrk

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 29 IoCs

resource	yara_rule
behavioral1/memory/2320-0-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000c0000000144e0-5.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2524-9-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2320-10-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2524-18-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x003200000001480e-17.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2980-19-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2468-28-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2980-27-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000d0000000144e0-26.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2468-36-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x00320000000149e1-35.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1904-44-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0004000000004ed7-43.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2764-52-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000e0000000144e0-51.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0005000000004ed7-60.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1720-59-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1636-68-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000f0000000144e0-67.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1320-77-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0006000000004ed7-76.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/820-75-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1320-85-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x00100000000144e0-84.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/800-86-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/800-94-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0007000000004ed7-93.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1804-95-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E91409B-3BE0-42f2-8018-E66960E64E58}	{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E91409B-3BE0-42f2-8018-E66960E64E58}\stubpath = "C:\\Windows\\{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe"	{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}	{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{935597AC-68C5-4bef-84EA-D94476E333F1}	{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{935597AC-68C5-4bef-84EA-D94476E333F1}\stubpath = "C:\\Windows\\{935597AC-68C5-4bef-84EA-D94476E333F1}.exe"	{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FA4CD1C-5A12-4641-8955-F1A0392858C6}\stubpath = "C:\\Windows\\{4FA4CD1C-5A12-4641-8955-F1A0392858C6}.exe"	{14F7E47D-D62B-434b-8866-027264782978}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C971307D-A6F0-4077-82AD-A524A218DC1B}\stubpath = "C:\\Windows\\{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe"	{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D2068E6-755A-473a-A34B-FE5B6264D9DD}	{4FA4CD1C-5A12-4641-8955-F1A0392858C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E739F6D-D634-4dca-A821-A2557706A1A1}	{F1EF99E4-C4D1-420b-BA28-8E1A9858A40F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1EF99E4-C4D1-420b-BA28-8E1A9858A40F}	{2D2068E6-755A-473a-A34B-FE5B6264D9DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1EF99E4-C4D1-420b-BA28-8E1A9858A40F}\stubpath = "C:\\Windows\\{F1EF99E4-C4D1-420b-BA28-8E1A9858A40F}.exe"	{2D2068E6-755A-473a-A34B-FE5B6264D9DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FA4CD1C-5A12-4641-8955-F1A0392858C6}	{14F7E47D-D62B-434b-8866-027264782978}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D2068E6-755A-473a-A34B-FE5B6264D9DD}\stubpath = "C:\\Windows\\{2D2068E6-755A-473a-A34B-FE5B6264D9DD}.exe"	{4FA4CD1C-5A12-4641-8955-F1A0392858C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E739F6D-D634-4dca-A821-A2557706A1A1}\stubpath = "C:\\Windows\\{0E739F6D-D634-4dca-A821-A2557706A1A1}.exe"	{F1EF99E4-C4D1-420b-BA28-8E1A9858A40F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C971307D-A6F0-4077-82AD-A524A218DC1B}	{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14F7E47D-D62B-434b-8866-027264782978}	{935597AC-68C5-4bef-84EA-D94476E333F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}	{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}\stubpath = "C:\\Windows\\{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe"	{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14F7E47D-D62B-434b-8866-027264782978}\stubpath = "C:\\Windows\\{14F7E47D-D62B-434b-8866-027264782978}.exe"	{935597AC-68C5-4bef-84EA-D94476E333F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}\stubpath = "C:\\Windows\\{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe"	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}\stubpath = "C:\\Windows\\{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe"	{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe

Executes dropped EXE 11 IoCs

pid	Process
2524	{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe
2980	{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe
2468	{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe
1904	{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe
2764	{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe
1720	{935597AC-68C5-4bef-84EA-D94476E333F1}.exe
1636	{14F7E47D-D62B-434b-8866-027264782978}.exe
820	{4FA4CD1C-5A12-4641-8955-F1A0392858C6}.exe
1320	{2D2068E6-755A-473a-A34B-FE5B6264D9DD}.exe
800	{F1EF99E4-C4D1-420b-BA28-8E1A9858A40F}.exe
1804	{0E739F6D-D634-4dca-A821-A2557706A1A1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe	{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe
File created	C:\Windows\{935597AC-68C5-4bef-84EA-D94476E333F1}.exe	{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe
File created	C:\Windows\{14F7E47D-D62B-434b-8866-027264782978}.exe	{935597AC-68C5-4bef-84EA-D94476E333F1}.exe
File created	C:\Windows\{4FA4CD1C-5A12-4641-8955-F1A0392858C6}.exe	{14F7E47D-D62B-434b-8866-027264782978}.exe
File created	C:\Windows\{0E739F6D-D634-4dca-A821-A2557706A1A1}.exe	{F1EF99E4-C4D1-420b-BA28-8E1A9858A40F}.exe
File created	C:\Windows\{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe
File created	C:\Windows\{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe	{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe
File created	C:\Windows\{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe	{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe
File created	C:\Windows\{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe	{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe
File created	C:\Windows\{2D2068E6-755A-473a-A34B-FE5B6264D9DD}.exe	{4FA4CD1C-5A12-4641-8955-F1A0392858C6}.exe
File created	C:\Windows\{F1EF99E4-C4D1-420b-BA28-8E1A9858A40F}.exe	{2D2068E6-755A-473a-A34B-FE5B6264D9DD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2320	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe
Token: SeIncBasePriorityPrivilege	2524	{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe
Token: SeIncBasePriorityPrivilege	2980	{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe
Token: SeIncBasePriorityPrivilege	2468	{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe
Token: SeIncBasePriorityPrivilege	1904	{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe
Token: SeIncBasePriorityPrivilege	2764	{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe
Token: SeIncBasePriorityPrivilege	1720	{935597AC-68C5-4bef-84EA-D94476E333F1}.exe
Token: SeIncBasePriorityPrivilege	1636	{14F7E47D-D62B-434b-8866-027264782978}.exe
Token: SeIncBasePriorityPrivilege	820	{4FA4CD1C-5A12-4641-8955-F1A0392858C6}.exe
Token: SeIncBasePriorityPrivilege	1320	{2D2068E6-755A-473a-A34B-FE5B6264D9DD}.exe
Token: SeIncBasePriorityPrivilege	800	{F1EF99E4-C4D1-420b-BA28-8E1A9858A40F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2524	2320	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe	28
PID 2320 wrote to memory of 2524	2320	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe	28
PID 2320 wrote to memory of 2524	2320	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe	28
PID 2320 wrote to memory of 2524	2320	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe	28
PID 2320 wrote to memory of 2724	2320	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe	29
PID 2320 wrote to memory of 2724	2320	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe	29
PID 2320 wrote to memory of 2724	2320	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe	29
PID 2320 wrote to memory of 2724	2320	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe	29
PID 2524 wrote to memory of 2980	2524	{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe	30
PID 2524 wrote to memory of 2980	2524	{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe	30
PID 2524 wrote to memory of 2980	2524	{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe	30
PID 2524 wrote to memory of 2980	2524	{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe	30
PID 2524 wrote to memory of 2700	2524	{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe	31
PID 2524 wrote to memory of 2700	2524	{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe	31
PID 2524 wrote to memory of 2700	2524	{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe	31
PID 2524 wrote to memory of 2700	2524	{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe	31
PID 2980 wrote to memory of 2468	2980	{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe	32
PID 2980 wrote to memory of 2468	2980	{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe	32
PID 2980 wrote to memory of 2468	2980	{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe	32
PID 2980 wrote to memory of 2468	2980	{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe	32
PID 2980 wrote to memory of 2608	2980	{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe	33
PID 2980 wrote to memory of 2608	2980	{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe	33
PID 2980 wrote to memory of 2608	2980	{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe	33
PID 2980 wrote to memory of 2608	2980	{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe	33
PID 2468 wrote to memory of 1904	2468	{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe	36
PID 2468 wrote to memory of 1904	2468	{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe	36
PID 2468 wrote to memory of 1904	2468	{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe	36
PID 2468 wrote to memory of 1904	2468	{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe	36
PID 2468 wrote to memory of 2432	2468	{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe	37
PID 2468 wrote to memory of 2432	2468	{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe	37
PID 2468 wrote to memory of 2432	2468	{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe	37
PID 2468 wrote to memory of 2432	2468	{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe	37
PID 1904 wrote to memory of 2764	1904	{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe	38
PID 1904 wrote to memory of 2764	1904	{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe	38
PID 1904 wrote to memory of 2764	1904	{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe	38
PID 1904 wrote to memory of 2764	1904	{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe	38
PID 1904 wrote to memory of 1960	1904	{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe	39
PID 1904 wrote to memory of 1960	1904	{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe	39
PID 1904 wrote to memory of 1960	1904	{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe	39
PID 1904 wrote to memory of 1960	1904	{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe	39
PID 2764 wrote to memory of 1720	2764	{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe	40
PID 2764 wrote to memory of 1720	2764	{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe	40
PID 2764 wrote to memory of 1720	2764	{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe	40
PID 2764 wrote to memory of 1720	2764	{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe	40
PID 2764 wrote to memory of 1956	2764	{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe	41
PID 2764 wrote to memory of 1956	2764	{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe	41
PID 2764 wrote to memory of 1956	2764	{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe	41
PID 2764 wrote to memory of 1956	2764	{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe	41
PID 1720 wrote to memory of 1636	1720	{935597AC-68C5-4bef-84EA-D94476E333F1}.exe	42
PID 1720 wrote to memory of 1636	1720	{935597AC-68C5-4bef-84EA-D94476E333F1}.exe	42
PID 1720 wrote to memory of 1636	1720	{935597AC-68C5-4bef-84EA-D94476E333F1}.exe	42
PID 1720 wrote to memory of 1636	1720	{935597AC-68C5-4bef-84EA-D94476E333F1}.exe	42
PID 1720 wrote to memory of 1444	1720	{935597AC-68C5-4bef-84EA-D94476E333F1}.exe	43
PID 1720 wrote to memory of 1444	1720	{935597AC-68C5-4bef-84EA-D94476E333F1}.exe	43
PID 1720 wrote to memory of 1444	1720	{935597AC-68C5-4bef-84EA-D94476E333F1}.exe	43
PID 1720 wrote to memory of 1444	1720	{935597AC-68C5-4bef-84EA-D94476E333F1}.exe	43
PID 1636 wrote to memory of 820	1636	{14F7E47D-D62B-434b-8866-027264782978}.exe	44
PID 1636 wrote to memory of 820	1636	{14F7E47D-D62B-434b-8866-027264782978}.exe	44
PID 1636 wrote to memory of 820	1636	{14F7E47D-D62B-434b-8866-027264782978}.exe	44
PID 1636 wrote to memory of 820	1636	{14F7E47D-D62B-434b-8866-027264782978}.exe	44
PID 1636 wrote to memory of 2092	1636	{14F7E47D-D62B-434b-8866-027264782978}.exe	45
PID 1636 wrote to memory of 2092	1636	{14F7E47D-D62B-434b-8866-027264782978}.exe	45
PID 1636 wrote to memory of 2092	1636	{14F7E47D-D62B-434b-8866-027264782978}.exe	45
PID 1636 wrote to memory of 2092	1636	{14F7E47D-D62B-434b-8866-027264782978}.exe	45

C:\Users\Admin\AppData\Local\Temp\02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe
"C:\Users\Admin\AppData\Local\Temp\02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe
  C:\Windows\{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe
    C:\Windows\{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe
      C:\Windows\{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe
        
        C:\Windows\{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
      - C:\Windows\{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe
        
        C:\Windows\{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{935597AC-68C5-4bef-84EA-D94476E333F1}.exe
        
        C:\Windows\{935597AC-68C5-4bef-84EA-D94476E333F1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\{14F7E47D-D62B-434b-8866-027264782978}.exe
        
        C:\Windows\{14F7E47D-D62B-434b-8866-027264782978}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{4FA4CD1C-5A12-4641-8955-F1A0392858C6}.exe
        
        C:\Windows\{4FA4CD1C-5A12-4641-8955-F1A0392858C6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
        
        C:\Windows\{2D2068E6-755A-473a-A34B-FE5B6264D9DD}.exe
        
        C:\Windows\{2D2068E6-755A-473a-A34B-FE5B6264D9DD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\{F1EF99E4-C4D1-420b-BA28-8E1A9858A40F}.exe
        
        C:\Windows\{F1EF99E4-C4D1-420b-BA28-8E1A9858A40F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Windows\{0E739F6D-D634-4dca-A821-A2557706A1A1}.exe
        
        C:\Windows\{0E739F6D-D634-4dca-A821-A2557706A1A1}.exe
        12⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1EF9~1.EXE > nul
        12⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D206~1.EXE > nul
        11⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FA4C~1.EXE > nul
        10⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14F7E~1.EXE > nul
        9⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93559~1.EXE > nul
        8⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CE80~1.EXE > nul
        7⤵
        
        PID:1956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E3A6~1.EXE > nul
        6⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E914~1.EXE > nul
        5⤵
        
        PID:2432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C9713~1.EXE > nul
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7E900~1.EXE > nul
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\02776D~1.EXE > nul
  2⤵
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E3A6514-9F59-48da-97FA-AFDDC55C4F0E}.exe

Filesize
64KB

MD5
14566c03b5de23fea87fc67f11a92337

SHA1
c965ec0a1a7245c5fb06630ced36a123a68d016e

SHA256
3a8cbff754c69e092cd2b89b054daf592940d3fd18995a23c277e8a916645b30

SHA512
6280ed6f2da5bee1f24feea0b6b64b10e40ef7624c6f36056e3120890ef68b8e8d4704464c02945fc2b1e20c31ea242c3457b1396214db3a6efe9bc62fd8b47e

Download Submit
C:\Windows\{0E739F6D-D634-4dca-A821-A2557706A1A1}.exe

Filesize
64KB

MD5
b2b208ec945e041b286b94779c26b1b2

SHA1
7aebbefb4f233aabee4531485e050d65f728a4dc

SHA256
b576b218d198301be438c2acbeffa06598394ae67577490faa460ca07db1eaf0

SHA512
3b1d8722bd69b682cc11831e8b4c452bd5787becf466c7771959b6463d8030240cae95d4e7055462af485e38d8556c84ffbf6a5d18f87c5f5ee31527946c2f5e

Download Submit
C:\Windows\{14F7E47D-D62B-434b-8866-027264782978}.exe

Filesize
64KB

MD5
705e4e80b6c55c324c0b31a5e05c2827

SHA1
455cd7242cc56c819f5716c3fc9123ee8697e8f5

SHA256
3d8925518b528a678cb78c2eafa2cdeef48c519ebb580487d4545e86e93a7f22

SHA512
3e0904a52ef7076cf904e12f7c2f15ceb1d012f2492caf883372dac24e613c227ac450e53b82ccb9af6db0ae80fdf205592dbcbf7e9b733445e9b9965a9137b2

Download Submit
C:\Windows\{2D2068E6-755A-473a-A34B-FE5B6264D9DD}.exe

Filesize
64KB

MD5
eb5ff25e39429b6ca62af08e05b7b877

SHA1
3ac55b0ad756d5ede47d31399e623778323533ed

SHA256
9ffe74f3c4e9a43a87c667e1a5fb87aca26537f8c60fe79f09ea7c4d358b2481

SHA512
c23153ef7ff610aea7e89e79238dd9e8946e2eb409b366e3a86ba8e4e305e6dbf9751d154ae44e08eef3aa3a7720b85e436031354f33bab7b4442889226e4751

Download Submit
C:\Windows\{4E91409B-3BE0-42f2-8018-E66960E64E58}.exe

Filesize
64KB

MD5
1cd34b0fa2cf4a224388c4d20acd91ae

SHA1
e9407cfa3fc48a6a272735189045b193f2a92ae4

SHA256
dc055e466c225a85880d5fa7e2148039a539b187b27151333352668af83fbf8d

SHA512
6893c9627a194092024d5d0346202d08e7e5d486a5741d8afce22353dafcbf91f1ed9fad4ca0b34cbea41258bb56ebf05a0eb754a2705f958bffdb3a3caedd82

Download Submit
C:\Windows\{4FA4CD1C-5A12-4641-8955-F1A0392858C6}.exe

Filesize
64KB

MD5
c1781da28de5da43c022629b38a95c94

SHA1
f265d7f8b8fb4bca2bffa55e6ac1f933c98fb468

SHA256
c679de620e113ccd2332389a50d17222d13add31e7708befbee5ee4cafeac51d

SHA512
7b2c33e38d62120d65dd03a8de6d4153638928673250a9e06de844663b8f636bcfd9091be88287fe20fc76c4c635765e28966f01fca2245cf6bdcd2c35b914cb

Download Submit
C:\Windows\{7E900070-A4A6-4adf-AFF8-3AC2A841CD5F}.exe

Filesize
64KB

MD5
92d856764c3d92c6d514c97d472abf02

SHA1
19723cf78a179a5074b543dbf875af6310950241

SHA256
c99ac1bd348ef6a5e8d8c3ba1df0978f666ebbba01104b7f4ceb779e6b212b33

SHA512
2ad3f06eddb5a7a957705d10a140c9edf6de291308babee559d2ada251ec245bf146dc73fe89df22a89fd233733e1a901697a041b19779cf90f2c67591bdf307

Download Submit
C:\Windows\{8CE80ECD-364F-410d-A65B-9BAEBF0DFF62}.exe

Filesize
64KB

MD5
7d7a3d7856a3925b0f829671e50f6fef

SHA1
fac6f72681b8a0524f67bf7cf7e25109b0e05897

SHA256
47f96f1bc4b26c1f976a2d91a1315a62f4f4950a13db991658f7cb63580c7287

SHA512
7d3ab3a1b5b6ccfc6473cadc938331b58b2ade0e0c25e7c1f67ea1de10be40edd02f82494a95266e4ea17a0b9635059e80553f14020f3b8b990d75aa45c592cc

Download Submit
C:\Windows\{935597AC-68C5-4bef-84EA-D94476E333F1}.exe

Filesize
64KB

MD5
74f9e439dc8261711095630dc7dea297

SHA1
6bb8fb180a049063326a5d3ce9b2a5e92f2aa301

SHA256
6e9460884dd05798c519f6d04bdbcddd53047c71488546acffe085f625d839ec

SHA512
555a851472ebf4add866b23924e9931f476498919a3d94da2f7ca3311c3d3821a0bd9206a92509ccb314b710b5c235f8fbb371fb4a1a18b4065e3e84c5ced1b2

Download Submit
C:\Windows\{C971307D-A6F0-4077-82AD-A524A218DC1B}.exe

Filesize
64KB

MD5
766ff49df37111e4b37754b19e75e5e5

SHA1
6df356498a1099ba63cd4559f7fbd92cb17ba94a

SHA256
37aab144f694527ee2f33a34fc759130d058ad596528fd0e5e8dbe11401d376b

SHA512
4dd6c46fee3277388d7b0caff97c3813c7e7d355e33488f853482bb21052b63fc06412b8985ceaf68280daa03f3fafb06d79bf37487dd7aadd86732e99f96465

Download Submit
C:\Windows\{F1EF99E4-C4D1-420b-BA28-8E1A9858A40F}.exe

Filesize
64KB

MD5
bc0505c36d62f3130e62d52b5d514b9c

SHA1
494ce71b23c5d6bdf07c73a5d07be8c32a95c93b

SHA256
fdbc174d0e31f8aca02d5cd30d0782d9892b9ed5ce59ef2b15b6b5dbb1ddbab5

SHA512
184aa0831108f74938c898eb2bdaa2563a23cd5fa903c7c97ddc280f2900f491f92fd4c2ee44b6df921e9722f154e43f22ace7c950a3e4d5ed9e53041d313c10

Download Submit
memory/800-94-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/800-86-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/820-75-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1320-77-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1320-85-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1636-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1720-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1804-95-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1904-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2320-7-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2320-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2320-8-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2320-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2468-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2468-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2524-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2524-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2764-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads