7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 23:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923.exe
Size

60KB
MD5

41a010246bf2d0126c78fc1ffed56514
SHA1

533484a83ea8b866187708c01ed23d206d4d4027
SHA256

7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923
SHA512

6ef24d94f24da43c0cbc6a910b35a49e970dabfba30862d4b811bc0076604b884fa8bdeac94756d05c6b3c7cb5f74666586a11e0e67877a1c9dfc7cc59b93bc9
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwBgh4/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroG4/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{188A1847-072A-4fec-8DCE-48682EA73B9F}	{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{188A1847-072A-4fec-8DCE-48682EA73B9F}\stubpath = "C:\\Windows\\{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe"	{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}\stubpath = "C:\\Windows\\{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe"	{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AC85202-1142-42da-9439-6714BF742A19}\stubpath = "C:\\Windows\\{7AC85202-1142-42da-9439-6714BF742A19}.exe"	{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}\stubpath = "C:\\Windows\\{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe"	{7AC85202-1142-42da-9439-6714BF742A19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56A83519-2FEC-4849-AECC-B5978C2D3EF6}\stubpath = "C:\\Windows\\{56A83519-2FEC-4849-AECC-B5978C2D3EF6}.exe"	{F6DE19E6-2217-46f9-B33D-D09536F232D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89FFD6D1-6E7B-4b9c-95BC-8A1293E24B99}	{56A83519-2FEC-4849-AECC-B5978C2D3EF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF8166C0-8072-43aa-AAAD-5AB85B78AEB4}	{89FFD6D1-6E7B-4b9c-95BC-8A1293E24B99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7806D68D-6BEE-47da-BAFB-87AE83F884E7}	7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F903A70-346F-4864-97FE-0A3CDCA853F4}\stubpath = "C:\\Windows\\{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe"	{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}	{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56A83519-2FEC-4849-AECC-B5978C2D3EF6}	{F6DE19E6-2217-46f9-B33D-D09536F232D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF8166C0-8072-43aa-AAAD-5AB85B78AEB4}\stubpath = "C:\\Windows\\{EF8166C0-8072-43aa-AAAD-5AB85B78AEB4}.exe"	{89FFD6D1-6E7B-4b9c-95BC-8A1293E24B99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7806D68D-6BEE-47da-BAFB-87AE83F884E7}\stubpath = "C:\\Windows\\{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe"	7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F903A70-346F-4864-97FE-0A3CDCA853F4}	{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AC85202-1142-42da-9439-6714BF742A19}	{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}	{7AC85202-1142-42da-9439-6714BF742A19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6DE19E6-2217-46f9-B33D-D09536F232D4}	{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6DE19E6-2217-46f9-B33D-D09536F232D4}\stubpath = "C:\\Windows\\{F6DE19E6-2217-46f9-B33D-D09536F232D4}.exe"	{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89FFD6D1-6E7B-4b9c-95BC-8A1293E24B99}\stubpath = "C:\\Windows\\{89FFD6D1-6E7B-4b9c-95BC-8A1293E24B99}.exe"	{56A83519-2FEC-4849-AECC-B5978C2D3EF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}\stubpath = "C:\\Windows\\{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe"	{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}	{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe

Deletes itself 1 IoCs

pid	Process
2316	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2380	{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe
2636	{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe
2448	{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe
2920	{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe
2732	{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe
1808	{7AC85202-1142-42da-9439-6714BF742A19}.exe
1060	{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe
556	{F6DE19E6-2217-46f9-B33D-D09536F232D4}.exe
660	{56A83519-2FEC-4849-AECC-B5978C2D3EF6}.exe
2956	{89FFD6D1-6E7B-4b9c-95BC-8A1293E24B99}.exe
2816	{EF8166C0-8072-43aa-AAAD-5AB85B78AEB4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe	{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe
File created	C:\Windows\{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe	{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe
File created	C:\Windows\{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe	{7AC85202-1142-42da-9439-6714BF742A19}.exe
File created	C:\Windows\{56A83519-2FEC-4849-AECC-B5978C2D3EF6}.exe	{F6DE19E6-2217-46f9-B33D-D09536F232D4}.exe
File created	C:\Windows\{EF8166C0-8072-43aa-AAAD-5AB85B78AEB4}.exe	{89FFD6D1-6E7B-4b9c-95BC-8A1293E24B99}.exe
File created	C:\Windows\{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe	{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe
File created	C:\Windows\{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe	{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe
File created	C:\Windows\{7AC85202-1142-42da-9439-6714BF742A19}.exe	{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe
File created	C:\Windows\{F6DE19E6-2217-46f9-B33D-D09536F232D4}.exe	{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe
File created	C:\Windows\{89FFD6D1-6E7B-4b9c-95BC-8A1293E24B99}.exe	{56A83519-2FEC-4849-AECC-B5978C2D3EF6}.exe
File created	C:\Windows\{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe	7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2196	7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923.exe
Token: SeIncBasePriorityPrivilege	2380	{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe
Token: SeIncBasePriorityPrivilege	2636	{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe
Token: SeIncBasePriorityPrivilege	2448	{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe
Token: SeIncBasePriorityPrivilege	2920	{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe
Token: SeIncBasePriorityPrivilege	2732	{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe
Token: SeIncBasePriorityPrivilege	1808	{7AC85202-1142-42da-9439-6714BF742A19}.exe
Token: SeIncBasePriorityPrivilege	1060	{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe
Token: SeIncBasePriorityPrivilege	556	{F6DE19E6-2217-46f9-B33D-D09536F232D4}.exe
Token: SeIncBasePriorityPrivilege	660	{56A83519-2FEC-4849-AECC-B5978C2D3EF6}.exe
Token: SeIncBasePriorityPrivilege	2956	{89FFD6D1-6E7B-4b9c-95BC-8A1293E24B99}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2380	2196	7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923.exe	28
PID 2196 wrote to memory of 2380	2196	7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923.exe	28
PID 2196 wrote to memory of 2380	2196	7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923.exe	28
PID 2196 wrote to memory of 2380	2196	7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923.exe	28
PID 2196 wrote to memory of 2316	2196	7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923.exe	29
PID 2196 wrote to memory of 2316	2196	7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923.exe	29
PID 2196 wrote to memory of 2316	2196	7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923.exe	29
PID 2196 wrote to memory of 2316	2196	7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923.exe	29
PID 2380 wrote to memory of 2636	2380	{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe	30
PID 2380 wrote to memory of 2636	2380	{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe	30
PID 2380 wrote to memory of 2636	2380	{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe	30
PID 2380 wrote to memory of 2636	2380	{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe	30
PID 2380 wrote to memory of 2800	2380	{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe	31
PID 2380 wrote to memory of 2800	2380	{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe	31
PID 2380 wrote to memory of 2800	2380	{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe	31
PID 2380 wrote to memory of 2800	2380	{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe	31
PID 2636 wrote to memory of 2448	2636	{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe	32
PID 2636 wrote to memory of 2448	2636	{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe	32
PID 2636 wrote to memory of 2448	2636	{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe	32
PID 2636 wrote to memory of 2448	2636	{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe	32
PID 2636 wrote to memory of 2436	2636	{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe	33
PID 2636 wrote to memory of 2436	2636	{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe	33
PID 2636 wrote to memory of 2436	2636	{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe	33
PID 2636 wrote to memory of 2436	2636	{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe	33
PID 2448 wrote to memory of 2920	2448	{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe	36
PID 2448 wrote to memory of 2920	2448	{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe	36
PID 2448 wrote to memory of 2920	2448	{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe	36
PID 2448 wrote to memory of 2920	2448	{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe	36
PID 2448 wrote to memory of 2036	2448	{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe	37
PID 2448 wrote to memory of 2036	2448	{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe	37
PID 2448 wrote to memory of 2036	2448	{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe	37
PID 2448 wrote to memory of 2036	2448	{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe	37
PID 2920 wrote to memory of 2732	2920	{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe	38
PID 2920 wrote to memory of 2732	2920	{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe	38
PID 2920 wrote to memory of 2732	2920	{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe	38
PID 2920 wrote to memory of 2732	2920	{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe	38
PID 2920 wrote to memory of 2776	2920	{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe	39
PID 2920 wrote to memory of 2776	2920	{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe	39
PID 2920 wrote to memory of 2776	2920	{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe	39
PID 2920 wrote to memory of 2776	2920	{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe	39
PID 2732 wrote to memory of 1808	2732	{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe	40
PID 2732 wrote to memory of 1808	2732	{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe	40
PID 2732 wrote to memory of 1808	2732	{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe	40
PID 2732 wrote to memory of 1808	2732	{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe	40
PID 2732 wrote to memory of 2012	2732	{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe	41
PID 2732 wrote to memory of 2012	2732	{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe	41
PID 2732 wrote to memory of 2012	2732	{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe	41
PID 2732 wrote to memory of 2012	2732	{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe	41
PID 1808 wrote to memory of 1060	1808	{7AC85202-1142-42da-9439-6714BF742A19}.exe	42
PID 1808 wrote to memory of 1060	1808	{7AC85202-1142-42da-9439-6714BF742A19}.exe	42
PID 1808 wrote to memory of 1060	1808	{7AC85202-1142-42da-9439-6714BF742A19}.exe	42
PID 1808 wrote to memory of 1060	1808	{7AC85202-1142-42da-9439-6714BF742A19}.exe	42
PID 1808 wrote to memory of 1752	1808	{7AC85202-1142-42da-9439-6714BF742A19}.exe	43
PID 1808 wrote to memory of 1752	1808	{7AC85202-1142-42da-9439-6714BF742A19}.exe	43
PID 1808 wrote to memory of 1752	1808	{7AC85202-1142-42da-9439-6714BF742A19}.exe	43
PID 1808 wrote to memory of 1752	1808	{7AC85202-1142-42da-9439-6714BF742A19}.exe	43
PID 1060 wrote to memory of 556	1060	{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe	44
PID 1060 wrote to memory of 556	1060	{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe	44
PID 1060 wrote to memory of 556	1060	{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe	44
PID 1060 wrote to memory of 556	1060	{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe	44
PID 1060 wrote to memory of 2884	1060	{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe	45
PID 1060 wrote to memory of 2884	1060	{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe	45
PID 1060 wrote to memory of 2884	1060	{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe	45
PID 1060 wrote to memory of 2884	1060	{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe	45

C:\Users\Admin\AppData\Local\Temp\7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923.exe
"C:\Users\Admin\AppData\Local\Temp\7ec9b6ac4d3696ded2820a695c0ed935aef15a6b1ec06d8b3a0c0a1ccd047923.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe
  C:\Windows\{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe
    C:\Windows\{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe
      C:\Windows\{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Windows\{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe
        
        C:\Windows\{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe
        
        C:\Windows\{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{7AC85202-1142-42da-9439-6714BF742A19}.exe
        
        C:\Windows\{7AC85202-1142-42da-9439-6714BF742A19}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe
        
        C:\Windows\{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\{F6DE19E6-2217-46f9-B33D-D09536F232D4}.exe
        
        C:\Windows\{F6DE19E6-2217-46f9-B33D-D09536F232D4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\{56A83519-2FEC-4849-AECC-B5978C2D3EF6}.exe
        
        C:\Windows\{56A83519-2FEC-4849-AECC-B5978C2D3EF6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
        
        C:\Windows\{89FFD6D1-6E7B-4b9c-95BC-8A1293E24B99}.exe
        
        C:\Windows\{89FFD6D1-6E7B-4b9c-95BC-8A1293E24B99}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\{EF8166C0-8072-43aa-AAAD-5AB85B78AEB4}.exe
        
        C:\Windows\{EF8166C0-8072-43aa-AAAD-5AB85B78AEB4}.exe
        12⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89FFD~1.EXE > nul
        12⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56A83~1.EXE > nul
        11⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6DE1~1.EXE > nul
        10⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA181~1.EXE > nul
        9⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AC85~1.EXE > nul
        8⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F71C~1.EXE > nul
        7⤵
        
        PID:2012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBBE2~1.EXE > nul
        6⤵
        
        PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F903~1.EXE > nul
        5⤵
        
        PID:2036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{188A1~1.EXE > nul
      4⤵
      PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7806D~1.EXE > nul
    3⤵
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7EC9B6~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{188A1847-072A-4fec-8DCE-48682EA73B9F}.exe

Filesize
60KB

MD5
190a970444a5fadc21aec90c54a442e7

SHA1
15b3417ae7a2107e6a768227d7ff2d7edcab858f

SHA256
578723a97e6cec562fb9b3cace15a54c1840a2a56b80d5ff4a5a12b69d8db6cb

SHA512
62a80c6be9cdb5c606b75f7b710e54c984591984d0969f3b3f77aff8628d52e4be95139ee254a021482df2d14c4cc0199c0d75f01a9c4750c366a84cd028b34d

Download Submit
C:\Windows\{4F71CDC6-0E2F-43b3-81E2-5B969FC87643}.exe

Filesize
60KB

MD5
1dae30ef4971249f0a4f2034f5bd8085

SHA1
f26d66cb95a84f8cdb7763931069b751d746ca9a

SHA256
47847bdb868b47ed1d14d49fa84b66fc8b3f980cb77c14b8ff5404699d05f2b3

SHA512
069334b183c8864c9c70469a9078d1a64adf24733ad46cf0c5862cee04ff4c275dfa108ca7a333b86a8b2cd1f7fa58e5c9f651fced355d66aeddc28e9bd94f22

Download Submit
C:\Windows\{56A83519-2FEC-4849-AECC-B5978C2D3EF6}.exe

Filesize
60KB

MD5
7fb9e04de3a02778b0c89b0de6162622

SHA1
4cf5df18707e8a72184fd007c06f3e47dd6d6a60

SHA256
e1fd329e376f5bb694dbcdf68e6842ae0ff120721fe703b15ba3f2af49040ace

SHA512
30e6c304ba8db2bb8dc9967b8806dd9cac1a3b51b2f5ae3e67698fdc9f0d7746547c8ea7fa13d6d96cebe169a70d04ef30e373cb5c635f404f4ee8dddef67a91

Download Submit
C:\Windows\{6F903A70-346F-4864-97FE-0A3CDCA853F4}.exe

Filesize
60KB

MD5
36bc07d0916d82f13f162ccc910ca238

SHA1
4055aa735761a62d67e461e5d59b265dabf05997

SHA256
ce250f6d1326a72a3e8f268dccd654eb0c597433bde18b1859e07056d07848d0

SHA512
d140b3e092ec6ec29b5f08e8ef0b983100716507abd6e779445c22364783930525b2f770fb0dda01cfc6d1c4306de7b3e1d57efb8e4deef6aa7ae70444bc8850

Download Submit
C:\Windows\{7806D68D-6BEE-47da-BAFB-87AE83F884E7}.exe

Filesize
60KB

MD5
0aaacc8878be7ffde2a7097d6a1b456a

SHA1
2ae6017789c25ead3ef2217ef382681f6bb72902

SHA256
c4c627f9ba7d90c1eb0eaa9af698eec9dfc7b91c5e34e4711c3cd815ce1d7399

SHA512
baee0ce6abfcf5388de99e36ff8a11370487ba2df4fa384d4a271e15a2ca14cafc84342cc5e77923d642b651fcbb17af6b50ee75529f3723cac297800da0d56a

Download Submit
C:\Windows\{7AC85202-1142-42da-9439-6714BF742A19}.exe

Filesize
60KB

MD5
17a43f0e885241d6ca3138d5b8ceb2ed

SHA1
1f9d77611a57f9409d6723c2eb4193fe445ba161

SHA256
e8df3ce78b3c830fff13fceb12297000175d4cfb59737a1618ec5b84bde1fcb8

SHA512
33a5b72f5321d667ae9a7a06b0034f8919059edff2e72208eca0ea23c2e849f38b4a620a391507f2d9ec7335ce18d5a5003e8717c13cfde0f102c9904c718ca2

Download Submit
C:\Windows\{89FFD6D1-6E7B-4b9c-95BC-8A1293E24B99}.exe

Filesize
60KB

MD5
10d9164524270e3482ce9f2a7cd490a9

SHA1
9ddcc576eda3701d5f04ae701593172f4671e0e1

SHA256
17090597dc9afb5802471d000e28e069778fd49130cfe7552e408e28d9b6d27f

SHA512
160565479cb82ba38a959a584cc8dedcb13bd098e9dff1b56d0e2ef5de409c26ebda272f67f9ea17906ef1f4d7be24cd0f9bb3db5a1841e9fe226589ceb9a5ce

Download Submit
C:\Windows\{AA1819F4-C9BA-446e-B680-BD6D8046BD7D}.exe

Filesize
60KB

MD5
daf1d79ea5978d30f7c4db1ba9c3d10b

SHA1
531988900eedc2091052a9090a73a4a69826a7df

SHA256
ceacadf937e8ec58f64d1f7bd631aa28c00467930875d3d70efd5e876603ec20

SHA512
fd284151fc7d6644751016296823bd2dcea569697a63d8dcbd9f332b306a54846664ae230d8cae85c2e6f12e2f46e3d874f369198100c9935a986de57e7bbbbf

Download Submit
C:\Windows\{EBBE29DC-E5DD-4ef8-BCA8-890E6D80B09F}.exe

Filesize
60KB

MD5
73e6579a9c27c01f62abba29fe072729

SHA1
a24c848b99f7e596055312ffa952b950cd161037

SHA256
b38deff30313bbbaab12e22b177acde3f1967e244eb4ed345bd608d1bb320d1d

SHA512
f451494a19abbe50e13bb560fc8aec53b76d79bef0d1e3f79fc3752368d6ab67e0a66e876510a746b542e99f8f3489cc82759a70f91c44a772596fdd3c3c773f

Download Submit
C:\Windows\{EF8166C0-8072-43aa-AAAD-5AB85B78AEB4}.exe

Filesize
60KB

MD5
8f80cef61de72801df8a1367d6044b15

SHA1
15101a9b6a07753ff34ea6e2b0cb3d8ebbdddb7c

SHA256
82b60e6e8fdcfc41962fb2f0c7a97784693e9242db8ab1a22864d7b3aadb9fa1

SHA512
73b8deb02d417b068d1ca1603a7493f1ff9c32bbddaff074b970520842ff482bfa8bc2861581e4cb6cee5ba179b6201f5db45f2a99f4bb8378faf1a4cd5e7aea

Download Submit
C:\Windows\{F6DE19E6-2217-46f9-B33D-D09536F232D4}.exe

Filesize
60KB

MD5
1f58e092ae963dcc8efaff91b7f44a6d

SHA1
6aa93b7533a7075d598a904dda3d210815dcf319

SHA256
b99d398c42253144482203a6d5659737b7f941afb968807bd1be20e0d7c6760f

SHA512
15bdc6494a93bf1b89b2da6e845f29c92a1799ab5cc3c8fd31f8824df7df5dbfb9e05a8a520b5c4d475122959ab1ad8105ee23189d3a59a1333a98b40bdc9389

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads