b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17.exe
Size

372KB
MD5

f019755fc903ee8387d691c44a1d0c99
SHA1

7d48e5a4cd2dedeadaffdf9440e0c96c946a7c2e
SHA256

b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17
SHA512

549cde7e962193f2dfb3b87e2c4e6147417211d949f21cb222b0db4c7e5d304ff77523c33dc7183b9fe0060dc46e7c251f076b5e82c6bb25b4f45552f918190a
SSDEEP

3072:CEGh0oulMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGQlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}	{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}\stubpath = "C:\\Windows\\{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe"	{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42246606-9A45-45b6-957B-536C0B821FE3}	{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}\stubpath = "C:\\Windows\\{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe"	{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB684498-1A65-4850-BD9C-DBB5A2D268DC}	{6DE2A13F-3902-40ee-A897-535E18F3C5D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5519DEFA-027F-41f2-851A-343770FC7E24}\stubpath = "C:\\Windows\\{5519DEFA-027F-41f2-851A-343770FC7E24}.exe"	{BB684498-1A65-4850-BD9C-DBB5A2D268DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF9490DC-6EC5-419d-8EC0-1C9C0FC39C62}	{5519DEFA-027F-41f2-851A-343770FC7E24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF9490DC-6EC5-419d-8EC0-1C9C0FC39C62}\stubpath = "C:\\Windows\\{FF9490DC-6EC5-419d-8EC0-1C9C0FC39C62}.exe"	{5519DEFA-027F-41f2-851A-343770FC7E24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A7C3E03-572A-490b-ACC1-3A274204BCF3}	b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}	{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B2D81FF-543D-4984-A299-3ABB08C80DFE}\stubpath = "C:\\Windows\\{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe"	{42246606-9A45-45b6-957B-536C0B821FE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}	{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F0A3976-F858-45cf-A939-A902DA04C23E}\stubpath = "C:\\Windows\\{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe"	{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DE2A13F-3902-40ee-A897-535E18F3C5D9}	{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DE2A13F-3902-40ee-A897-535E18F3C5D9}\stubpath = "C:\\Windows\\{6DE2A13F-3902-40ee-A897-535E18F3C5D9}.exe"	{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A7C3E03-572A-490b-ACC1-3A274204BCF3}\stubpath = "C:\\Windows\\{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe"	b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42246606-9A45-45b6-957B-536C0B821FE3}\stubpath = "C:\\Windows\\{42246606-9A45-45b6-957B-536C0B821FE3}.exe"	{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B2D81FF-543D-4984-A299-3ABB08C80DFE}	{42246606-9A45-45b6-957B-536C0B821FE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F0A3976-F858-45cf-A939-A902DA04C23E}	{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5519DEFA-027F-41f2-851A-343770FC7E24}	{BB684498-1A65-4850-BD9C-DBB5A2D268DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}\stubpath = "C:\\Windows\\{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe"	{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB684498-1A65-4850-BD9C-DBB5A2D268DC}\stubpath = "C:\\Windows\\{BB684498-1A65-4850-BD9C-DBB5A2D268DC}.exe"	{6DE2A13F-3902-40ee-A897-535E18F3C5D9}.exe

Deletes itself 1 IoCs

pid	Process
1796	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2360	{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe
2612	{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe
2460	{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe
2528	{42246606-9A45-45b6-957B-536C0B821FE3}.exe
2632	{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe
3004	{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe
356	{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe
2544	{6DE2A13F-3902-40ee-A897-535E18F3C5D9}.exe
1520	{BB684498-1A65-4850-BD9C-DBB5A2D268DC}.exe
2812	{5519DEFA-027F-41f2-851A-343770FC7E24}.exe
1048	{FF9490DC-6EC5-419d-8EC0-1C9C0FC39C62}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe	b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17.exe
File created	C:\Windows\{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe	{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe
File created	C:\Windows\{42246606-9A45-45b6-957B-536C0B821FE3}.exe	{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe
File created	C:\Windows\{BB684498-1A65-4850-BD9C-DBB5A2D268DC}.exe	{6DE2A13F-3902-40ee-A897-535E18F3C5D9}.exe
File created	C:\Windows\{5519DEFA-027F-41f2-851A-343770FC7E24}.exe	{BB684498-1A65-4850-BD9C-DBB5A2D268DC}.exe
File created	C:\Windows\{FF9490DC-6EC5-419d-8EC0-1C9C0FC39C62}.exe	{5519DEFA-027F-41f2-851A-343770FC7E24}.exe
File created	C:\Windows\{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe	{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe
File created	C:\Windows\{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe	{42246606-9A45-45b6-957B-536C0B821FE3}.exe
File created	C:\Windows\{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe	{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe
File created	C:\Windows\{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe	{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe
File created	C:\Windows\{6DE2A13F-3902-40ee-A897-535E18F3C5D9}.exe	{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2868	b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17.exe
Token: SeIncBasePriorityPrivilege	2360	{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe
Token: SeIncBasePriorityPrivilege	2612	{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe
Token: SeIncBasePriorityPrivilege	2460	{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe
Token: SeIncBasePriorityPrivilege	2528	{42246606-9A45-45b6-957B-536C0B821FE3}.exe
Token: SeIncBasePriorityPrivilege	2632	{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe
Token: SeIncBasePriorityPrivilege	3004	{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe
Token: SeIncBasePriorityPrivilege	356	{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe
Token: SeIncBasePriorityPrivilege	2544	{6DE2A13F-3902-40ee-A897-535E18F3C5D9}.exe
Token: SeIncBasePriorityPrivilege	1520	{BB684498-1A65-4850-BD9C-DBB5A2D268DC}.exe
Token: SeIncBasePriorityPrivilege	2812	{5519DEFA-027F-41f2-851A-343770FC7E24}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2360	2868	b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17.exe	28
PID 2868 wrote to memory of 2360	2868	b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17.exe	28
PID 2868 wrote to memory of 2360	2868	b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17.exe	28
PID 2868 wrote to memory of 2360	2868	b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17.exe	28
PID 2868 wrote to memory of 1796	2868	b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17.exe	29
PID 2868 wrote to memory of 1796	2868	b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17.exe	29
PID 2868 wrote to memory of 1796	2868	b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17.exe	29
PID 2868 wrote to memory of 1796	2868	b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17.exe	29
PID 2360 wrote to memory of 2612	2360	{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe	30
PID 2360 wrote to memory of 2612	2360	{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe	30
PID 2360 wrote to memory of 2612	2360	{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe	30
PID 2360 wrote to memory of 2612	2360	{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe	30
PID 2360 wrote to memory of 2564	2360	{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe	31
PID 2360 wrote to memory of 2564	2360	{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe	31
PID 2360 wrote to memory of 2564	2360	{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe	31
PID 2360 wrote to memory of 2564	2360	{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe	31
PID 2612 wrote to memory of 2460	2612	{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe	32
PID 2612 wrote to memory of 2460	2612	{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe	32
PID 2612 wrote to memory of 2460	2612	{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe	32
PID 2612 wrote to memory of 2460	2612	{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe	32
PID 2612 wrote to memory of 2572	2612	{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe	33
PID 2612 wrote to memory of 2572	2612	{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe	33
PID 2612 wrote to memory of 2572	2612	{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe	33
PID 2612 wrote to memory of 2572	2612	{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe	33
PID 2460 wrote to memory of 2528	2460	{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe	36
PID 2460 wrote to memory of 2528	2460	{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe	36
PID 2460 wrote to memory of 2528	2460	{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe	36
PID 2460 wrote to memory of 2528	2460	{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe	36
PID 2460 wrote to memory of 2876	2460	{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe	37
PID 2460 wrote to memory of 2876	2460	{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe	37
PID 2460 wrote to memory of 2876	2460	{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe	37
PID 2460 wrote to memory of 2876	2460	{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe	37
PID 2528 wrote to memory of 2632	2528	{42246606-9A45-45b6-957B-536C0B821FE3}.exe	38
PID 2528 wrote to memory of 2632	2528	{42246606-9A45-45b6-957B-536C0B821FE3}.exe	38
PID 2528 wrote to memory of 2632	2528	{42246606-9A45-45b6-957B-536C0B821FE3}.exe	38
PID 2528 wrote to memory of 2632	2528	{42246606-9A45-45b6-957B-536C0B821FE3}.exe	38
PID 2528 wrote to memory of 2760	2528	{42246606-9A45-45b6-957B-536C0B821FE3}.exe	39
PID 2528 wrote to memory of 2760	2528	{42246606-9A45-45b6-957B-536C0B821FE3}.exe	39
PID 2528 wrote to memory of 2760	2528	{42246606-9A45-45b6-957B-536C0B821FE3}.exe	39
PID 2528 wrote to memory of 2760	2528	{42246606-9A45-45b6-957B-536C0B821FE3}.exe	39
PID 2632 wrote to memory of 3004	2632	{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe	40
PID 2632 wrote to memory of 3004	2632	{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe	40
PID 2632 wrote to memory of 3004	2632	{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe	40
PID 2632 wrote to memory of 3004	2632	{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe	40
PID 2632 wrote to memory of 332	2632	{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe	41
PID 2632 wrote to memory of 332	2632	{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe	41
PID 2632 wrote to memory of 332	2632	{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe	41
PID 2632 wrote to memory of 332	2632	{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe	41
PID 3004 wrote to memory of 356	3004	{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe	42
PID 3004 wrote to memory of 356	3004	{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe	42
PID 3004 wrote to memory of 356	3004	{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe	42
PID 3004 wrote to memory of 356	3004	{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe	42
PID 3004 wrote to memory of 1252	3004	{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe	43
PID 3004 wrote to memory of 1252	3004	{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe	43
PID 3004 wrote to memory of 1252	3004	{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe	43
PID 3004 wrote to memory of 1252	3004	{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe	43
PID 356 wrote to memory of 2544	356	{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe	44
PID 356 wrote to memory of 2544	356	{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe	44
PID 356 wrote to memory of 2544	356	{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe	44
PID 356 wrote to memory of 2544	356	{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe	44
PID 356 wrote to memory of 1028	356	{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe	45
PID 356 wrote to memory of 1028	356	{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe	45
PID 356 wrote to memory of 1028	356	{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe	45
PID 356 wrote to memory of 1028	356	{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe	45

C:\Users\Admin\AppData\Local\Temp\b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17.exe
"C:\Users\Admin\AppData\Local\Temp\b6b1379689eae9e69726f18f467e22d2613d6b5317fd3c6d59d5a6c205617e17.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe
  C:\Windows\{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe
    C:\Windows\{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe
      C:\Windows\{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\{42246606-9A45-45b6-957B-536C0B821FE3}.exe
        
        C:\Windows\{42246606-9A45-45b6-957B-536C0B821FE3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Windows\{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe
        
        C:\Windows\{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe
        
        C:\Windows\{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe
        
        C:\Windows\{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:356
        
        C:\Windows\{6DE2A13F-3902-40ee-A897-535E18F3C5D9}.exe
        
        C:\Windows\{6DE2A13F-3902-40ee-A897-535E18F3C5D9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\{BB684498-1A65-4850-BD9C-DBB5A2D268DC}.exe
        
        C:\Windows\{BB684498-1A65-4850-BD9C-DBB5A2D268DC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\{5519DEFA-027F-41f2-851A-343770FC7E24}.exe
        
        C:\Windows\{5519DEFA-027F-41f2-851A-343770FC7E24}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\{FF9490DC-6EC5-419d-8EC0-1C9C0FC39C62}.exe
        
        C:\Windows\{FF9490DC-6EC5-419d-8EC0-1C9C0FC39C62}.exe
        12⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5519D~1.EXE > nul
        12⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB684~1.EXE > nul
        11⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DE2A~1.EXE > nul
        10⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F0A3~1.EXE > nul
        9⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAB02~1.EXE > nul
        8⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B2D8~1.EXE > nul
        7⤵
        
        PID:332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42246~1.EXE > nul
        6⤵
        
        PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E890~1.EXE > nul
        5⤵
        
        PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9A9FF~1.EXE > nul
      4⤵
      PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2A7C3~1.EXE > nul
    3⤵
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B6B137~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2A7C3E03-572A-490b-ACC1-3A274204BCF3}.exe

Filesize
372KB

MD5
1ed88e20ec127a66cc9b28bb680c96a5

SHA1
9ae439bb5b4c2d72f1fc0d25c26a55d665837c30

SHA256
5e4615672d46e159b493b3184410fb9c2e7321df421052a676550e818ce0b937

SHA512
e1296dae27543487709214af377e716498e98ce2349722333902d40b915e08fd5c4e162f8bc20782cd9a47f960efb68a6a849e45781726db2ca2ff706726523d

Download Submit
C:\Windows\{2F0A3976-F858-45cf-A939-A902DA04C23E}.exe

Filesize
372KB

MD5
e73585ead03babdebce0ae26e72888c5

SHA1
b4292ac818031350acb5f285c60f5d33e9cc997f

SHA256
a39daeabaf5880711ca55dc9cb288adac9c2a80b2f94f92d388654c57932b060

SHA512
a006babeed4136cc08088a3f40465cd2ae84d00ede8bf303f353e7a18ce2232237c6acf0d47390239ff06bafac36606776d4ec2bbe7bc93e0f22860c0051ee8e

Download Submit
C:\Windows\{42246606-9A45-45b6-957B-536C0B821FE3}.exe

Filesize
372KB

MD5
f7a8146801d53c23d3ae63b09d16ff38

SHA1
56485a954dbca02b5797f4854db06ae8a41f5fd0

SHA256
c8ef082169e670fedd5af71e0f99734e26d1d43813eb3e7a6877293467df0702

SHA512
ee83ddcf83dc4e54010fa2b45bcfedc42d5c032ace9e45c03f0dc53f218b9f68c9ab801beeff48ea643c7d420deb3047d5a90db9131317ec04af6de63f01c06a

Download Submit
C:\Windows\{4B2D81FF-543D-4984-A299-3ABB08C80DFE}.exe

Filesize
372KB

MD5
cfc2acf2e371f4a09fceae3492f5ccec

SHA1
22b6ddacbec85f2238a6556bf01cdb8ddc1c1c71

SHA256
d42a5915b70d68fe4e9bd1bd640d6a5fbfeda89d79221969b4026907f84c9140

SHA512
d87ce59a00a940c12bcc5fc4b91266a041afc4f0a82e3e61b0c81abdd50527812f881264d28b247583d6b897583d4480099cee8fde2fcfe7d5a6a5aa363ae30d

Download Submit
C:\Windows\{5519DEFA-027F-41f2-851A-343770FC7E24}.exe

Filesize
372KB

MD5
7cc4038e5bc16112bd78ac7fd3467feb

SHA1
f5037dc8bde9d505fadf8b79d9eac8ed702bccbc

SHA256
4dc0e5df4e7ddfc684c31221b387db8ae82e0847fce5b99083507627b1ee8b5b

SHA512
56eb31fb796f9f68a354438096d0c4e82690e91e56d459d2043ed7526ecf7d8006f3e33efccf40a625e697273db58d01ae563941ee6bc991ea05b307c2d4a729

Download Submit
C:\Windows\{6DE2A13F-3902-40ee-A897-535E18F3C5D9}.exe

Filesize
372KB

MD5
bbac087044110c6c7ac0505898e712ef

SHA1
16276f5a45e89903f28a2b460170a5bd76cde863

SHA256
560087fa83d5c6b1b6cb94a49184695bf50582fd995913a41afaec308c9399a6

SHA512
d600b05b5f0cacb0a3f1b15286e8961e645da31147a44aa16af508b844bead965618c61ea07ff060f94e0275730460e2ac71de290cff4dbdc7ee50d183773ddb

Download Submit
C:\Windows\{7E89092D-EC9C-45f5-B24E-DFAD488DA60C}.exe

Filesize
372KB

MD5
761eb95bae3f26513051546d8c0706da

SHA1
9c83316dc0732f9eb641b43e7f9fe9c166479580

SHA256
44344bc98fff6a189e43c2b877b1fc95840d8a6245f77c52e15905e39d842208

SHA512
456d752fb4a5ca64f816bde6085b4e68071e5a4a8ecb58a15abc19c0959ed81e163c2d95cf391bf19c077e5d8d7021437f4c440d9cbb47f11ddd46afd2d3c157

Download Submit
C:\Windows\{9A9FFE90-DBEA-4ddf-874F-811B5FE929F7}.exe

Filesize
372KB

MD5
659a0f72afedceb7eaaabcb3b93ba1de

SHA1
ad91ea51ed1dddab58dadea478c1a7374f8b6b32

SHA256
977de4d4eeee89352ab97170299d912c97b04c7ac38a5b5f2d76eb480252d297

SHA512
0ad9d6ddcc28759db64ad1a3eb3650fb8f119eb68409fafd6c487beb4fe492f70000eb761ab172e145c27abca0c6008ab7a553e383cb743a33a99727a465c9c7

Download Submit
C:\Windows\{BB684498-1A65-4850-BD9C-DBB5A2D268DC}.exe

Filesize
372KB

MD5
7c4843a521074f7ea654e870c44ae230

SHA1
a774f16a3be58ec2d274ab386b9bd6d967b89c48

SHA256
7254bd6dc35433c2f1eff83388b857c79214b2ada579ed8a963381ccd1bf1453

SHA512
41242bd87ff3a9457bc18961df0794a23a66b9dcf5d4d9b64f2c5414e86533d0ca113a500986c9d3d6fceb17a314fa2014414a4951dd0c0e3182eaa51917feca

Download Submit
C:\Windows\{EAB02E4D-0ECE-43d1-9ABF-5FAAEF1BCA18}.exe

Filesize
372KB

MD5
de5128fcc353915e52dd03bc83cd7f3f

SHA1
86970bfc2ae6f75185df66e7b676ed4606d8ba16

SHA256
7843972150da659e5927d90d39e14cf8cbc516559adc9f1a4e4f6cbaecacf3bf

SHA512
a237e3b13564d755c52c22fab5ae0b0cda96a913de7572cfd0badc993df20618dc0ffea82caef0fc221d89278eada1712d7750c75aa0701e4046a3185b4d9c2d

Download Submit
C:\Windows\{FF9490DC-6EC5-419d-8EC0-1C9C0FC39C62}.exe

Filesize
372KB

MD5
8b3ee6520004eaafeb9a7e6388c5a542

SHA1
00a4332c129d3b7a8c5708f9d6a3144f1783d021

SHA256
25e4b2793422e674d6a036f1f591d9b477c27cf914c33d1cb0de22a3b56d662d

SHA512
c555146ae2cfdd4fd6a369d0f7870904f8cbc9f8a975b0333e665dc23b6b281f339ca345542fea5f42b497baabd4053b1719c6d112c6ec290b42190865f9af98

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads