b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b.exe
Size

64KB
MD5

ac42486aa3009e74ba9a1a2ba7eb7e45
SHA1

80f0ced204a426102062ee959793d996c9172103
SHA256

b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b
SHA512

17d7ab548ce54c9c514bd58a41e876ba220afb71066cb686e7c649785a73277ade52db5fdde46e6003a59c70bf0e7479f8280ae17a05cf08d715b7a48f34d3b0
SSDEEP

192:ObOzawOs81elJHsc45ecRZOgtShcWaOT2QLrCqwfY04/CFxyNhoy5tF:ObLwOs8AHsc4QMfwhKQLroR4/CFsrdF

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{263EB6F4-07DE-422d-83FE-F7FB57BAD75E}\stubpath = "C:\\Windows\\{263EB6F4-07DE-422d-83FE-F7FB57BAD75E}.exe"	{E2E5A20E-639B-415b-AA92-5AEF1E07E337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}	{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C519B2-4939-4f6c-A039-DFF2FEF0720D}\stubpath = "C:\\Windows\\{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe"	{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6633E376-E5BE-4868-B617-1410136E0A71}\stubpath = "C:\\Windows\\{6633E376-E5BE-4868-B617-1410136E0A71}.exe"	{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4348E50B-92E8-4bb4-9A27-8121C3ED684C}	{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4348E50B-92E8-4bb4-9A27-8121C3ED684C}\stubpath = "C:\\Windows\\{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe"	{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B5BB81F-E5E1-4377-960E-97AECCA7411E}	b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}	{6633E376-E5BE-4868-B617-1410136E0A71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}\stubpath = "C:\\Windows\\{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe"	{6633E376-E5BE-4868-B617-1410136E0A71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}	{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}\stubpath = "C:\\Windows\\{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe"	{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2E5A20E-639B-415b-AA92-5AEF1E07E337}\stubpath = "C:\\Windows\\{E2E5A20E-639B-415b-AA92-5AEF1E07E337}.exe"	{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{263EB6F4-07DE-422d-83FE-F7FB57BAD75E}	{E2E5A20E-639B-415b-AA92-5AEF1E07E337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1DCF4BE-7286-401f-902C-9481DBD60B1E}	{49F063EB-579A-4293-BE90-C7C86803ADB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6633E376-E5BE-4868-B617-1410136E0A71}	{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C519B2-4939-4f6c-A039-DFF2FEF0720D}	{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}\stubpath = "C:\\Windows\\{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe"	{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2E5A20E-639B-415b-AA92-5AEF1E07E337}	{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49F063EB-579A-4293-BE90-C7C86803ADB5}	{263EB6F4-07DE-422d-83FE-F7FB57BAD75E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49F063EB-579A-4293-BE90-C7C86803ADB5}\stubpath = "C:\\Windows\\{49F063EB-579A-4293-BE90-C7C86803ADB5}.exe"	{263EB6F4-07DE-422d-83FE-F7FB57BAD75E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1DCF4BE-7286-401f-902C-9481DBD60B1E}\stubpath = "C:\\Windows\\{A1DCF4BE-7286-401f-902C-9481DBD60B1E}.exe"	{49F063EB-579A-4293-BE90-C7C86803ADB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B5BB81F-E5E1-4377-960E-97AECCA7411E}\stubpath = "C:\\Windows\\{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe"	b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b.exe

Deletes itself 1 IoCs

pid	Process
2588	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2160	{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe
2564	{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe
2532	{6633E376-E5BE-4868-B617-1410136E0A71}.exe
2340	{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe
2084	{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe
1640	{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe
1700	{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe
2300	{E2E5A20E-639B-415b-AA92-5AEF1E07E337}.exe
1956	{263EB6F4-07DE-422d-83FE-F7FB57BAD75E}.exe
1272	{49F063EB-579A-4293-BE90-C7C86803ADB5}.exe
916	{A1DCF4BE-7286-401f-902C-9481DBD60B1E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe	{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe
File created	C:\Windows\{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe	{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe
File created	C:\Windows\{E2E5A20E-639B-415b-AA92-5AEF1E07E337}.exe	{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe
File created	C:\Windows\{A1DCF4BE-7286-401f-902C-9481DBD60B1E}.exe	{49F063EB-579A-4293-BE90-C7C86803ADB5}.exe
File created	C:\Windows\{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe	{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe
File created	C:\Windows\{263EB6F4-07DE-422d-83FE-F7FB57BAD75E}.exe	{E2E5A20E-639B-415b-AA92-5AEF1E07E337}.exe
File created	C:\Windows\{49F063EB-579A-4293-BE90-C7C86803ADB5}.exe	{263EB6F4-07DE-422d-83FE-F7FB57BAD75E}.exe
File created	C:\Windows\{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe	b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b.exe
File created	C:\Windows\{6633E376-E5BE-4868-B617-1410136E0A71}.exe	{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe
File created	C:\Windows\{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe	{6633E376-E5BE-4868-B617-1410136E0A71}.exe
File created	C:\Windows\{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe	{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2440	b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b.exe
Token: SeIncBasePriorityPrivilege	2160	{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe
Token: SeIncBasePriorityPrivilege	2564	{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe
Token: SeIncBasePriorityPrivilege	2532	{6633E376-E5BE-4868-B617-1410136E0A71}.exe
Token: SeIncBasePriorityPrivilege	2340	{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe
Token: SeIncBasePriorityPrivilege	2084	{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe
Token: SeIncBasePriorityPrivilege	1640	{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe
Token: SeIncBasePriorityPrivilege	1700	{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe
Token: SeIncBasePriorityPrivilege	2300	{E2E5A20E-639B-415b-AA92-5AEF1E07E337}.exe
Token: SeIncBasePriorityPrivilege	1956	{263EB6F4-07DE-422d-83FE-F7FB57BAD75E}.exe
Token: SeIncBasePriorityPrivilege	1272	{49F063EB-579A-4293-BE90-C7C86803ADB5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2160	2440	b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b.exe	28
PID 2440 wrote to memory of 2160	2440	b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b.exe	28
PID 2440 wrote to memory of 2160	2440	b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b.exe	28
PID 2440 wrote to memory of 2160	2440	b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b.exe	28
PID 2440 wrote to memory of 2588	2440	b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b.exe	29
PID 2440 wrote to memory of 2588	2440	b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b.exe	29
PID 2440 wrote to memory of 2588	2440	b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b.exe	29
PID 2440 wrote to memory of 2588	2440	b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b.exe	29
PID 2160 wrote to memory of 2564	2160	{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe	30
PID 2160 wrote to memory of 2564	2160	{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe	30
PID 2160 wrote to memory of 2564	2160	{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe	30
PID 2160 wrote to memory of 2564	2160	{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe	30
PID 2160 wrote to memory of 2544	2160	{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe	31
PID 2160 wrote to memory of 2544	2160	{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe	31
PID 2160 wrote to memory of 2544	2160	{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe	31
PID 2160 wrote to memory of 2544	2160	{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe	31
PID 2564 wrote to memory of 2532	2564	{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe	32
PID 2564 wrote to memory of 2532	2564	{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe	32
PID 2564 wrote to memory of 2532	2564	{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe	32
PID 2564 wrote to memory of 2532	2564	{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe	32
PID 2564 wrote to memory of 2372	2564	{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe	33
PID 2564 wrote to memory of 2372	2564	{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe	33
PID 2564 wrote to memory of 2372	2564	{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe	33
PID 2564 wrote to memory of 2372	2564	{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe	33
PID 2532 wrote to memory of 2340	2532	{6633E376-E5BE-4868-B617-1410136E0A71}.exe	36
PID 2532 wrote to memory of 2340	2532	{6633E376-E5BE-4868-B617-1410136E0A71}.exe	36
PID 2532 wrote to memory of 2340	2532	{6633E376-E5BE-4868-B617-1410136E0A71}.exe	36
PID 2532 wrote to memory of 2340	2532	{6633E376-E5BE-4868-B617-1410136E0A71}.exe	36
PID 2532 wrote to memory of 2664	2532	{6633E376-E5BE-4868-B617-1410136E0A71}.exe	37
PID 2532 wrote to memory of 2664	2532	{6633E376-E5BE-4868-B617-1410136E0A71}.exe	37
PID 2532 wrote to memory of 2664	2532	{6633E376-E5BE-4868-B617-1410136E0A71}.exe	37
PID 2532 wrote to memory of 2664	2532	{6633E376-E5BE-4868-B617-1410136E0A71}.exe	37
PID 2340 wrote to memory of 2084	2340	{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe	38
PID 2340 wrote to memory of 2084	2340	{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe	38
PID 2340 wrote to memory of 2084	2340	{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe	38
PID 2340 wrote to memory of 2084	2340	{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe	38
PID 2340 wrote to memory of 804	2340	{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe	39
PID 2340 wrote to memory of 804	2340	{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe	39
PID 2340 wrote to memory of 804	2340	{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe	39
PID 2340 wrote to memory of 804	2340	{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe	39
PID 2084 wrote to memory of 1640	2084	{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe	40
PID 2084 wrote to memory of 1640	2084	{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe	40
PID 2084 wrote to memory of 1640	2084	{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe	40
PID 2084 wrote to memory of 1640	2084	{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe	40
PID 2084 wrote to memory of 2116	2084	{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe	41
PID 2084 wrote to memory of 2116	2084	{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe	41
PID 2084 wrote to memory of 2116	2084	{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe	41
PID 2084 wrote to memory of 2116	2084	{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe	41
PID 1640 wrote to memory of 1700	1640	{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe	42
PID 1640 wrote to memory of 1700	1640	{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe	42
PID 1640 wrote to memory of 1700	1640	{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe	42
PID 1640 wrote to memory of 1700	1640	{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe	42
PID 1640 wrote to memory of 2264	1640	{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe	43
PID 1640 wrote to memory of 2264	1640	{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe	43
PID 1640 wrote to memory of 2264	1640	{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe	43
PID 1640 wrote to memory of 2264	1640	{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe	43
PID 1700 wrote to memory of 2300	1700	{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe	44
PID 1700 wrote to memory of 2300	1700	{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe	44
PID 1700 wrote to memory of 2300	1700	{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe	44
PID 1700 wrote to memory of 2300	1700	{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe	44
PID 1700 wrote to memory of 2924	1700	{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe	45
PID 1700 wrote to memory of 2924	1700	{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe	45
PID 1700 wrote to memory of 2924	1700	{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe	45
PID 1700 wrote to memory of 2924	1700	{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe	45

C:\Users\Admin\AppData\Local\Temp\b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b.exe
"C:\Users\Admin\AppData\Local\Temp\b3ce32c0a5c57b1e3a4858396747fd9cc49c31c6bfae18b3d08093ce2397d77b.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe
  C:\Windows\{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe
    C:\Windows\{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\{6633E376-E5BE-4868-B617-1410136E0A71}.exe
      C:\Windows\{6633E376-E5BE-4868-B617-1410136E0A71}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe
        
        C:\Windows\{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Windows\{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe
        
        C:\Windows\{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe
        
        C:\Windows\{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe
        
        C:\Windows\{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\{E2E5A20E-639B-415b-AA92-5AEF1E07E337}.exe
        
        C:\Windows\{E2E5A20E-639B-415b-AA92-5AEF1E07E337}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\{263EB6F4-07DE-422d-83FE-F7FB57BAD75E}.exe
        
        C:\Windows\{263EB6F4-07DE-422d-83FE-F7FB57BAD75E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\{49F063EB-579A-4293-BE90-C7C86803ADB5}.exe
        
        C:\Windows\{49F063EB-579A-4293-BE90-C7C86803ADB5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\{A1DCF4BE-7286-401f-902C-9481DBD60B1E}.exe
        
        C:\Windows\{A1DCF4BE-7286-401f-902C-9481DBD60B1E}.exe
        12⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49F06~1.EXE > nul
        12⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{263EB~1.EXE > nul
        11⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2E5A~1.EXE > nul
        10⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5590C~1.EXE > nul
        9⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4348E~1.EXE > nul
        8⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63FBB~1.EXE > nul
        7⤵
        
        PID:2116
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA4E8~1.EXE > nul
        6⤵
        
        PID:804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6633E~1.EXE > nul
        5⤵
        
        PID:2664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{64C51~1.EXE > nul
      4⤵
      PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9B5BB~1.EXE > nul
    3⤵
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B3CE32~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{263EB6F4-07DE-422d-83FE-F7FB57BAD75E}.exe

Filesize
64KB

MD5
650b39b5313a8dab6cc766fc12bcfd81

SHA1
cc1cdbffbe274d20ff2993d54a8106199eca0406

SHA256
c7982c3f64db669eef4aa86ffda74c31fe7e28bfc147846079d2449afc753228

SHA512
dcb2ee648923a313c048a0ee5d00e091eb79f005065d739b4bff9812efb6fcf213214027d40505930bcf59c79619f43c95bbdfbb758c0e981d175573a491e383

Download Submit
C:\Windows\{4348E50B-92E8-4bb4-9A27-8121C3ED684C}.exe

Filesize
64KB

MD5
8b21afe27bce31e665ba025175ee7cc4

SHA1
fe387a4600623dd72d29eced2546d0c9b7566a16

SHA256
6d1552d2a890b29fe1deab7a0c3e93e8958b929d90a825e6b1383f58d867cc20

SHA512
e311c8dbce4939d195d1ede0eee3979ae23b352bd8a9eb84aa835820a5094ec510c48d1662223a0b626378f56149d79b800c91f1c53f46ab80a3b54f7b9e2640

Download Submit
C:\Windows\{49F063EB-579A-4293-BE90-C7C86803ADB5}.exe

Filesize
64KB

MD5
691bf1f8c1b69b95ffadc0c0e3cb2404

SHA1
364deb39ea84e260185a072eda130b93ed3a6f26

SHA256
f8d372d34f760a644322b412fc1823fd689b7d1f19d7f4809e91af2a468293c2

SHA512
4261cb083543249e1e18adb1e6d938b1d8332cf344edbc921bc4f4dd98166f2ed8afa483e0dc4349e74e854bc038375bafe3f2cc594258b9176ea55fc0900976

Download Submit
C:\Windows\{5590C612-5A67-4b77-BFD5-CFBC8D12A47E}.exe

Filesize
64KB

MD5
4766d9ec38b015e6bd8b6201141be7bb

SHA1
eb10839448793b435d332b203e2027ae0ef98113

SHA256
a92465614f94a4aa0ffb1166a498edc1c0be4c0600946b5c159efce01661eb82

SHA512
95188a1bd74880b1d60aac3889a0fde699427f4fe26b4b70c4786efbbf88cfc7a8213a2b07f6a92407a7d215231a80da10252098555be073d1533816acd28026

Download Submit
C:\Windows\{63FBBCC9-7073-4ba3-8D18-CE61D7583AFF}.exe

Filesize
64KB

MD5
de0a7aa88f590f13082db6ae9511e54d

SHA1
e79249fe6d4e6e725b0c9c403bc262748d172799

SHA256
20e8e1ce135bc04a3eda59b4539b9c448f82edef502f08dd30723bc2bfbdf08c

SHA512
e4169ad773759fa8096e3ca0e443b8d40f98a77be77dd0ea29dbe16c35e5869ef430e345c81b074ceb1c65f6c819b34dc5b13da6e6e88f54e7592f48edd4a9bc

Download Submit
C:\Windows\{64C519B2-4939-4f6c-A039-DFF2FEF0720D}.exe

Filesize
64KB

MD5
d57089191ab4ef5d813b330d3607c662

SHA1
715de857fa411cfdb9d5dde387ba1dee82e31a98

SHA256
179c6f69a713b1af5dca8ca38acb0ec4f37f91e5a17588cad6ddee4c6e131289

SHA512
e3ec724e61963e9b57337b385c61e518896ef95416eed3cbca35af6230fc1326572513aeb3f1a07cef4fe7e75464f47f6a56868ac04b2def8946a19022ace10c

Download Submit
C:\Windows\{6633E376-E5BE-4868-B617-1410136E0A71}.exe

Filesize
64KB

MD5
8467405917ff29960a422368b544cbf4

SHA1
43039d9ff058932c4755237b0f60bf911154de62

SHA256
b343f4b3b5a57f3cbe8fc9ddd035b3fb01aadd90c61fb5168da2b55ade9e5de5

SHA512
0a836ef87c5a8441b1a2f0cd7c1a7f1c6e4148713871cf3b22ce40b9d70f0e148195853f6f892b2da83d91abdbca7ae60d29b4d674fff1cd37567f3099c0ce26

Download Submit
C:\Windows\{9B5BB81F-E5E1-4377-960E-97AECCA7411E}.exe

Filesize
64KB

MD5
c8957b92a60cb20f35b536882e52fba0

SHA1
bad645e4f4ca21452236363d10325cde3db93ce8

SHA256
62bc86f9f2cf31191350d999b7a0a439d44545c7ed714705980dfd1b16343760

SHA512
84c6b0cb068e10f74126691aab039ede2eb348e025150d5576673dd47baedf1df32dd9ade9a2491c637f213c3e4f9d390bdcd1bc4f217a357fed89ff52245cca

Download Submit
C:\Windows\{A1DCF4BE-7286-401f-902C-9481DBD60B1E}.exe

Filesize
64KB

MD5
df141fa4c2ac2ed293da772d4caf4b6e

SHA1
6df3891981b76267db3978896fdcdac3bdc8a263

SHA256
111d7c92689a613143c9ef89f372e6e3653169bd1bff459c2eb95bb5891fe336

SHA512
4827542524a2660bba7dc667da586dd4bf3a5ae59e23880a4ee0a118a99222af10771ca211f9c9d2f6e1bc766efbef5d91e68f3a6a65e0a6663a653768ab781b

Download Submit
C:\Windows\{E2E5A20E-639B-415b-AA92-5AEF1E07E337}.exe

Filesize
64KB

MD5
fb7e1d8b2a3eb40ee214c06b54d7e82f

SHA1
2c443c10dd0906f3ceb445d5b49e59f4e71f445f

SHA256
f3dfadc8a0a9b73c4a5f4db8d83c0d38b549df5b9a68b16d0d90cb687ff4969f

SHA512
2acb05cedab2a13b45d19c7b22558fd0bcfcb5ea2cc505bcdcc1ee2bf7e7dfc180ee12716d4637cf826e28a13ea37c6bbdd617ae7d0b34874ceed7c9ab2387e4

Download Submit
C:\Windows\{EA4E89AE-0B62-41e9-BCD8-53353A178AAD}.exe

Filesize
64KB

MD5
ecf647872a50a3c67e648098f4411dde

SHA1
ff976619aa13d5716d667e7916c5a3bc0909c48d

SHA256
b6f17c1135a14ff98f547081d524248dd379950c53c531ef81007da1ffcc18c6

SHA512
5ca02fce92713f2a421e634e7313ff9520d19b975303020395a2a11163ed51be9aace8ee317b259a84b8f011a57f9ece0bd18093ad4d0810b1326def72b2b641

Download Submit
memory/1272-88-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1272-95-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1640-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1640-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1700-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1700-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1956-86-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2084-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2160-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2160-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2300-79-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2300-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2340-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2340-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2440-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2440-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2440-7-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2532-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2532-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2564-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2564-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads