cc3895e853a55568ac47007c0cbe9bf6ee607255456296ca20781803a13d0287

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_8db0a7d9903b18038b6240536c8115a0.exe
Size

90KB
MD5

8db0a7d9903b18038b6240536c8115a0
SHA1

486dc0d0b83196df0029f3a8247162903135bd9d
SHA256

cc3895e853a55568ac47007c0cbe9bf6ee607255456296ca20781803a13d0287
SHA512

32ef4043d7798a91ae1802594c3030565d44279042e43fb13d1e648069512b14190ac16ca2682482412b959195dd84fc9ca21cea9e15fba14c615ac299acac14
SSDEEP

768:5vw9816thKQLroe4/wQkNrfrunMxVFA3bA:lEG/0oelbunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A523B7A3-2C94-42b0-858E-CA3D5563A15E}\stubpath = "C:\\Windows\\{A523B7A3-2C94-42b0-858E-CA3D5563A15E}.exe"	{C21FAA91-2981-4309-A2E2-C86210F89AA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72197BFD-1DE5-4969-BE25-1284A0561525}\stubpath = "C:\\Windows\\{72197BFD-1DE5-4969-BE25-1284A0561525}.exe"	{8574F55C-F548-41a6-B439-DDCD1366E257}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02CA2475-DF3B-42d8-8C93-97FCB6082D67}\stubpath = "C:\\Windows\\{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe"	{72197BFD-1DE5-4969-BE25-1284A0561525}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}\stubpath = "C:\\Windows\\{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe"	{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8227789B-FAD5-4a58-8FF7-746069931A0A}	{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86F1467A-06A5-4152-A158-5D3F06C8A19A}\stubpath = "C:\\Windows\\{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe"	{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8574F55C-F548-41a6-B439-DDCD1366E257}\stubpath = "C:\\Windows\\{8574F55C-F548-41a6-B439-DDCD1366E257}.exe"	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE80DC84-B22C-4929-AB97-71F75607D66E}	{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE80DC84-B22C-4929-AB97-71F75607D66E}\stubpath = "C:\\Windows\\{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe"	{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C21FAA91-2981-4309-A2E2-C86210F89AA1}	{5C7FD57E-0548-4a03-BAD2-B79126AB3E27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C21FAA91-2981-4309-A2E2-C86210F89AA1}\stubpath = "C:\\Windows\\{C21FAA91-2981-4309-A2E2-C86210F89AA1}.exe"	{5C7FD57E-0548-4a03-BAD2-B79126AB3E27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A523B7A3-2C94-42b0-858E-CA3D5563A15E}	{C21FAA91-2981-4309-A2E2-C86210F89AA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EB76B93-FCFC-46f2-8F38-2B16B6BA3530}\stubpath = "C:\\Windows\\{0EB76B93-FCFC-46f2-8F38-2B16B6BA3530}.exe"	{A523B7A3-2C94-42b0-858E-CA3D5563A15E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8574F55C-F548-41a6-B439-DDCD1366E257}	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72197BFD-1DE5-4969-BE25-1284A0561525}	{8574F55C-F548-41a6-B439-DDCD1366E257}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8227789B-FAD5-4a58-8FF7-746069931A0A}\stubpath = "C:\\Windows\\{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe"	{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C7FD57E-0548-4a03-BAD2-B79126AB3E27}	{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C7FD57E-0548-4a03-BAD2-B79126AB3E27}\stubpath = "C:\\Windows\\{5C7FD57E-0548-4a03-BAD2-B79126AB3E27}.exe"	{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02CA2475-DF3B-42d8-8C93-97FCB6082D67}	{72197BFD-1DE5-4969-BE25-1284A0561525}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}	{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86F1467A-06A5-4152-A158-5D3F06C8A19A}	{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EB76B93-FCFC-46f2-8F38-2B16B6BA3530}	{A523B7A3-2C94-42b0-858E-CA3D5563A15E}.exe

Deletes itself 1 IoCs

pid	Process
2904	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2616	{8574F55C-F548-41a6-B439-DDCD1366E257}.exe
2680	{72197BFD-1DE5-4969-BE25-1284A0561525}.exe
2408	{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe
1332	{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe
2684	{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe
2220	{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe
956	{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe
1164	{5C7FD57E-0548-4a03-BAD2-B79126AB3E27}.exe
2064	{C21FAA91-2981-4309-A2E2-C86210F89AA1}.exe
1568	{A523B7A3-2C94-42b0-858E-CA3D5563A15E}.exe
3056	{0EB76B93-FCFC-46f2-8F38-2B16B6BA3530}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe	{72197BFD-1DE5-4969-BE25-1284A0561525}.exe
File created	C:\Windows\{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe	{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe
File created	C:\Windows\{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe	{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe
File created	C:\Windows\{A523B7A3-2C94-42b0-858E-CA3D5563A15E}.exe	{C21FAA91-2981-4309-A2E2-C86210F89AA1}.exe
File created	C:\Windows\{8574F55C-F548-41a6-B439-DDCD1366E257}.exe	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe
File created	C:\Windows\{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe	{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe
File created	C:\Windows\{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe	{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe
File created	C:\Windows\{5C7FD57E-0548-4a03-BAD2-B79126AB3E27}.exe	{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe
File created	C:\Windows\{C21FAA91-2981-4309-A2E2-C86210F89AA1}.exe	{5C7FD57E-0548-4a03-BAD2-B79126AB3E27}.exe
File created	C:\Windows\{0EB76B93-FCFC-46f2-8F38-2B16B6BA3530}.exe	{A523B7A3-2C94-42b0-858E-CA3D5563A15E}.exe
File created	C:\Windows\{72197BFD-1DE5-4969-BE25-1284A0561525}.exe	{8574F55C-F548-41a6-B439-DDCD1366E257}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1692	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe
Token: SeIncBasePriorityPrivilege	2616	{8574F55C-F548-41a6-B439-DDCD1366E257}.exe
Token: SeIncBasePriorityPrivilege	2680	{72197BFD-1DE5-4969-BE25-1284A0561525}.exe
Token: SeIncBasePriorityPrivilege	2408	{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe
Token: SeIncBasePriorityPrivilege	1332	{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe
Token: SeIncBasePriorityPrivilege	2684	{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe
Token: SeIncBasePriorityPrivilege	2220	{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe
Token: SeIncBasePriorityPrivilege	956	{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe
Token: SeIncBasePriorityPrivilege	1164	{5C7FD57E-0548-4a03-BAD2-B79126AB3E27}.exe
Token: SeIncBasePriorityPrivilege	2064	{C21FAA91-2981-4309-A2E2-C86210F89AA1}.exe
Token: SeIncBasePriorityPrivilege	1568	{A523B7A3-2C94-42b0-858E-CA3D5563A15E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2616	1692	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe	28
PID 1692 wrote to memory of 2616	1692	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe	28
PID 1692 wrote to memory of 2616	1692	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe	28
PID 1692 wrote to memory of 2616	1692	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe	28
PID 1692 wrote to memory of 2904	1692	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe	29
PID 1692 wrote to memory of 2904	1692	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe	29
PID 1692 wrote to memory of 2904	1692	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe	29
PID 1692 wrote to memory of 2904	1692	virussign.com_8db0a7d9903b18038b6240536c8115a0.exe	29
PID 2616 wrote to memory of 2680	2616	{8574F55C-F548-41a6-B439-DDCD1366E257}.exe	32
PID 2616 wrote to memory of 2680	2616	{8574F55C-F548-41a6-B439-DDCD1366E257}.exe	32
PID 2616 wrote to memory of 2680	2616	{8574F55C-F548-41a6-B439-DDCD1366E257}.exe	32
PID 2616 wrote to memory of 2680	2616	{8574F55C-F548-41a6-B439-DDCD1366E257}.exe	32
PID 2616 wrote to memory of 2504	2616	{8574F55C-F548-41a6-B439-DDCD1366E257}.exe	33
PID 2616 wrote to memory of 2504	2616	{8574F55C-F548-41a6-B439-DDCD1366E257}.exe	33
PID 2616 wrote to memory of 2504	2616	{8574F55C-F548-41a6-B439-DDCD1366E257}.exe	33
PID 2616 wrote to memory of 2504	2616	{8574F55C-F548-41a6-B439-DDCD1366E257}.exe	33
PID 2680 wrote to memory of 2408	2680	{72197BFD-1DE5-4969-BE25-1284A0561525}.exe	34
PID 2680 wrote to memory of 2408	2680	{72197BFD-1DE5-4969-BE25-1284A0561525}.exe	34
PID 2680 wrote to memory of 2408	2680	{72197BFD-1DE5-4969-BE25-1284A0561525}.exe	34
PID 2680 wrote to memory of 2408	2680	{72197BFD-1DE5-4969-BE25-1284A0561525}.exe	34
PID 2680 wrote to memory of 2800	2680	{72197BFD-1DE5-4969-BE25-1284A0561525}.exe	35
PID 2680 wrote to memory of 2800	2680	{72197BFD-1DE5-4969-BE25-1284A0561525}.exe	35
PID 2680 wrote to memory of 2800	2680	{72197BFD-1DE5-4969-BE25-1284A0561525}.exe	35
PID 2680 wrote to memory of 2800	2680	{72197BFD-1DE5-4969-BE25-1284A0561525}.exe	35
PID 2408 wrote to memory of 1332	2408	{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe	36
PID 2408 wrote to memory of 1332	2408	{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe	36
PID 2408 wrote to memory of 1332	2408	{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe	36
PID 2408 wrote to memory of 1332	2408	{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe	36
PID 2408 wrote to memory of 2316	2408	{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe	37
PID 2408 wrote to memory of 2316	2408	{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe	37
PID 2408 wrote to memory of 2316	2408	{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe	37
PID 2408 wrote to memory of 2316	2408	{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe	37
PID 1332 wrote to memory of 2684	1332	{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe	38
PID 1332 wrote to memory of 2684	1332	{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe	38
PID 1332 wrote to memory of 2684	1332	{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe	38
PID 1332 wrote to memory of 2684	1332	{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe	38
PID 1332 wrote to memory of 2812	1332	{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe	39
PID 1332 wrote to memory of 2812	1332	{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe	39
PID 1332 wrote to memory of 2812	1332	{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe	39
PID 1332 wrote to memory of 2812	1332	{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe	39
PID 2684 wrote to memory of 2220	2684	{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe	40
PID 2684 wrote to memory of 2220	2684	{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe	40
PID 2684 wrote to memory of 2220	2684	{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe	40
PID 2684 wrote to memory of 2220	2684	{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe	40
PID 2684 wrote to memory of 1988	2684	{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe	41
PID 2684 wrote to memory of 1988	2684	{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe	41
PID 2684 wrote to memory of 1988	2684	{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe	41
PID 2684 wrote to memory of 1988	2684	{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe	41
PID 2220 wrote to memory of 956	2220	{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe	42
PID 2220 wrote to memory of 956	2220	{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe	42
PID 2220 wrote to memory of 956	2220	{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe	42
PID 2220 wrote to memory of 956	2220	{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe	42
PID 2220 wrote to memory of 2156	2220	{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe	43
PID 2220 wrote to memory of 2156	2220	{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe	43
PID 2220 wrote to memory of 2156	2220	{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe	43
PID 2220 wrote to memory of 2156	2220	{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe	43
PID 956 wrote to memory of 1164	956	{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe	44
PID 956 wrote to memory of 1164	956	{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe	44
PID 956 wrote to memory of 1164	956	{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe	44
PID 956 wrote to memory of 1164	956	{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe	44
PID 956 wrote to memory of 2252	956	{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe	45
PID 956 wrote to memory of 2252	956	{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe	45
PID 956 wrote to memory of 2252	956	{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe	45
PID 956 wrote to memory of 2252	956	{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe	45

C:\Users\Admin\AppData\Local\Temp\virussign.com_8db0a7d9903b18038b6240536c8115a0.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_8db0a7d9903b18038b6240536c8115a0.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\{8574F55C-F548-41a6-B439-DDCD1366E257}.exe
  C:\Windows\{8574F55C-F548-41a6-B439-DDCD1366E257}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\{72197BFD-1DE5-4969-BE25-1284A0561525}.exe
    C:\Windows\{72197BFD-1DE5-4969-BE25-1284A0561525}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe
      C:\Windows\{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe
        
        C:\Windows\{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1332
      - C:\Windows\{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe
        
        C:\Windows\{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe
        
        C:\Windows\{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe
        
        C:\Windows\{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\{5C7FD57E-0548-4a03-BAD2-B79126AB3E27}.exe
        
        C:\Windows\{5C7FD57E-0548-4a03-BAD2-B79126AB3E27}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\{C21FAA91-2981-4309-A2E2-C86210F89AA1}.exe
        
        C:\Windows\{C21FAA91-2981-4309-A2E2-C86210F89AA1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\{A523B7A3-2C94-42b0-858E-CA3D5563A15E}.exe
        
        C:\Windows\{A523B7A3-2C94-42b0-858E-CA3D5563A15E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\{0EB76B93-FCFC-46f2-8F38-2B16B6BA3530}.exe
        
        C:\Windows\{0EB76B93-FCFC-46f2-8F38-2B16B6BA3530}.exe
        12⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A523B~1.EXE > nul
        12⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C21FA~1.EXE > nul
        11⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C7FD~1.EXE > nul
        10⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86F14~1.EXE > nul
        9⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82277~1.EXE > nul
        8⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4CF1~1.EXE > nul
        7⤵
        
        PID:1988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE80D~1.EXE > nul
        6⤵
        
        PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02CA2~1.EXE > nul
        5⤵
        
        PID:2316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{72197~1.EXE > nul
      4⤵
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8574F~1.EXE > nul
    3⤵
    PID:2504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02CA2475-DF3B-42d8-8C93-97FCB6082D67}.exe

Filesize
90KB

MD5
3fd90fe3b239834b7d6912149f172689

SHA1
3b0d5e1f75d5058863fbe04e0f849eedd8c8ed7d

SHA256
7e547c90b20012637095de3911da18ba39fad9b4ad8b1456373ddbb41aae76af

SHA512
7b86139878eac0a2224902ced5c20a3cce89c15a7b2c69267782207bf6ae7bba83d929ad69ec857a4b25217c72fb750197a2a697cea7f8eb7613d3f1bf9e33aa

Download Submit
C:\Windows\{0EB76B93-FCFC-46f2-8F38-2B16B6BA3530}.exe

Filesize
90KB

MD5
8c1620a0b618c6e39a5e4bcaa84d0508

SHA1
de77ce137d438b0706b8dfe952b9f94157b2c2d0

SHA256
416f4a081d1b224bca3a11bf0171f0b4393931f944f9e23fa6eed540d6fd12b3

SHA512
07c2b02eeae69c1a2717fb486e902304f5a086dae3422d6450cf24fbfb911b9ebb80c80eec6c66849bf5261c3fb91b592e6c26408717e695bed69f11d9c42825

Download Submit
C:\Windows\{5C7FD57E-0548-4a03-BAD2-B79126AB3E27}.exe

Filesize
90KB

MD5
956092132fee9b39740d5686172b63f0

SHA1
84b8efe6a281a1cd1f8b7523d672d4ad73bb0a53

SHA256
a381e46a8804b4e5c8583dad69c0f96f532d9a5c5551931baae2ca1ba6cea73f

SHA512
97cda53319b31f420b02ba1b41f13591923504c9e9fc141db9973f57c39ef41edf68f780f9d7f24fcf9cc3dcfa63678bbaa1bdce59db7a59efc0ef027ab870b6

Download Submit
C:\Windows\{72197BFD-1DE5-4969-BE25-1284A0561525}.exe

Filesize
90KB

MD5
b169d938b6f2db2ebad7e3dd27c7e692

SHA1
1075a6ca2f56a3d8dd93b390623518bbf5a6ad1c

SHA256
42cec929cba742eb88cf8a6f5a53f8d16e94f427869a823995dfcfa9a8abfdf3

SHA512
6fd19b15d32c776dc0e178c2da6f45cc9376f0cd4e28b177f99a2f62048a7afc6b6b366482e96d8fed530c357c53b6ed92138453d39168f0804245d9b7395802

Download Submit
C:\Windows\{8227789B-FAD5-4a58-8FF7-746069931A0A}.exe

Filesize
90KB

MD5
812316c66bdd1c97c057670ac1d86421

SHA1
c406c38df683fa4a39d4b742c73a2258f3d96b82

SHA256
85a77da31cb74540975fabb9925eee326359a7c627bc8bc4b7ca0d1f2e2e34e9

SHA512
3260de2df280bc6055469ea039b80a46ed5050fa25c4fdacb75a0073748b83564d715f2bc4b6b1f67f7d697dbad4df2c619d1bb13c50b4daa7d43cbed5c893db

Download Submit
C:\Windows\{8574F55C-F548-41a6-B439-DDCD1366E257}.exe

Filesize
90KB

MD5
6bcf9c20a148a37bf79e5b544ee837b5

SHA1
6bd29be3728645d84d9e56be615de68d611a21f0

SHA256
746d422b0778c2c69f5714d057ae721da213afd3b53e12c8d85f4877cdd96019

SHA512
eaa770015e57e23a4ad418155bcd87bb670530e8e069ca84502494151b7d60285ce97201e4aa06878080db7ae6b4bada9f9a25ed849af2574d2e6e176290c35b

Download Submit
C:\Windows\{86F1467A-06A5-4152-A158-5D3F06C8A19A}.exe

Filesize
90KB

MD5
0ef8d1e6896a72ca2a299219321e608a

SHA1
3f6c5beb77f58a5257f69389aeedafbf094c0546

SHA256
119a046962074a3e4c2f632703a94a3a353461315bada774bf313bdc21699994

SHA512
464a773fe909763d59120b90962fdc2fbeae1f65e0c3e31cc9fcdf2138a993199e33c947669b17e6c10eb32a24a9ca88b3d3ae89cd8523334a64af5eda7072d9

Download Submit
C:\Windows\{A523B7A3-2C94-42b0-858E-CA3D5563A15E}.exe

Filesize
90KB

MD5
3a40cf7f82bb6c6c35b909643ac24f70

SHA1
5e5e460184008157a68641f88907195b61a2230b

SHA256
f11268f2ba11c87b59f938bc2d85fe61d3c8f12e2dbd2725c954b68d02c68559

SHA512
b0af223bcb3f4f9080b951f610fd37f12fb9d034a05851e966c922b9304f5255b963d6382d2303a815c00da83c79c056bde24648bf5a8bb70e2e28ded9516d3c

Download Submit
C:\Windows\{AE80DC84-B22C-4929-AB97-71F75607D66E}.exe

Filesize
90KB

MD5
b2a6dbf6a1607f2a805f5dbeb7c78ce2

SHA1
79eeee2ba8e0f38e9ccd0a687d8f5c794f445ff8

SHA256
d7ece758800f671674c74a988062226d2bd66088994acda3ffd2d1a94af6955d

SHA512
51ce31c9d27ebfc5301d19d9d237c0390c46b518cd3b867842d771b0ebb9a5eb3c806fad5fde0b6f9d0da0e04c861089091569def929dd14396d70cfbc0719a8

Download Submit
C:\Windows\{C21FAA91-2981-4309-A2E2-C86210F89AA1}.exe

Filesize
90KB

MD5
ee8f18c67d5e7c57ba8f481915b2a373

SHA1
6db57aad67426ab65df95d8a03e62e4b95dd8aa8

SHA256
4c89331306de2244a7d90027ebc41b93b8d447f272d49f7e12d097c330bf1771

SHA512
0d82c319bab82182891bd5047797ae39ce00932537158d86fa053fa8258805c08bc6294ee51360b055fcd96a3d9a4472b151a430ae9cee0d1f6cdf106724f9c5

Download Submit
C:\Windows\{F4CF16AC-BB21-45f5-8CF4-E531AF4E8316}.exe

Filesize
90KB

MD5
3105358cec3c2863d2824d18efd32b51

SHA1
010eb3602ba7956c43cbb3c3b56157b81b09a933

SHA256
9abcd5c017317f6fb30ebf349ea7f0573db30e860eecb37927f58f2944fbd093

SHA512
f87eef2e343f4a51809c3ed8ee410781e881038878ca96db0dedd1d25845b575672192645c2311baaba2e067e5f9f67956e07508f35bfbd2ed6f52ef3752f72b

Download Submit
memory/956-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/956-75-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1164-80-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/1164-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1164-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1332-42-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/1332-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1332-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1568-101-0x0000000001BE0000-0x0000000001BF1000-memory.dmp

Filesize
68KB

Download
memory/1568-102-0x0000000001BE0000-0x0000000001BF1000-memory.dmp

Filesize
68KB

Download
memory/1568-103-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1568-94-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1692-3-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/1692-8-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/1692-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1692-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2064-93-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2220-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2220-61-0x0000000000250000-0x0000000000261000-memory.dmp

Filesize
68KB

Download
memory/2220-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2408-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2408-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2616-14-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2616-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2616-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2680-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2680-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2684-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2684-55-0x00000000005B0000-0x00000000005C1000-memory.dmp

Filesize
68KB

Download
memory/3056-105-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads