71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe
Size

64KB
MD5

3d60802b54394b4ee05a5b7a6ef4aace
SHA1

327bbdecd3e4e2a51643fe3e60bb016458a4c540
SHA256

71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a
SHA512

a7d4fb7db3d249f96e1f2aa90a40ac1fbeafe8d2dd2c62b930a01273c671899a8bb3e1f9e19ddb02d65b748779a8c9332facaa781753d6b56c51f315e0f61b23
SSDEEP

384:ObIwOs8AHsc4sMDwhKQLro/4/CFsrdHWMZp:OEw9816vhKQLro/4/wQpWMZp

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 34 IoCs

resource	yara_rule
behavioral1/memory/1612-0-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1612-3-0x0000000000370000-0x0000000000380000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x00090000000143d1-7.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1612-8-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3012-15-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2460-17-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0008000000014738-16.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2456-26-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2460-25-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000f00000000f680-24.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2456-30-0x00000000002D0000-0x00000000002E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2456-35-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000a0000000143d1-34.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1060-43-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x001000000000f680-42.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/568-47-0x00000000002D0000-0x00000000002E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000b0000000143d1-52.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/568-51-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2604-56-0x00000000002D0000-0x00000000002E0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2604-62-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x001100000000f680-60.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2028-70-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0009000000014738-69.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1772-71-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1772-75-0x0000000000250000-0x0000000000260000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1780-81-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1772-80-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x001200000000f680-79.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1780-89-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/592-90-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000a000000014738-88.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/592-96-0x0000000000390000-0x00000000003A0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/592-99-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0008000000014909-98.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C288D22-7F65-45e2-8DC1-FA935073E2F6}	{823709F2-D829-4b67-B742-17F43BF48DF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C288D22-7F65-45e2-8DC1-FA935073E2F6}\stubpath = "C:\\Windows\\{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe"	{823709F2-D829-4b67-B742-17F43BF48DF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF3C6D52-04B0-469e-937E-4E0D62ABD02F}\stubpath = "C:\\Windows\\{BF3C6D52-04B0-469e-937E-4E0D62ABD02F}.exe"	{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61FE4A69-BF1F-4dac-B6BC-EC1952471299}	{BF3C6D52-04B0-469e-937E-4E0D62ABD02F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{157AFF11-CE03-4fe2-A348-BE274EC9F859}\stubpath = "C:\\Windows\\{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe"	{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{823709F2-D829-4b67-B742-17F43BF48DF2}	{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40B65CF3-533A-4ed7-B2D3-07BD17D58DF9}\stubpath = "C:\\Windows\\{40B65CF3-533A-4ed7-B2D3-07BD17D58DF9}.exe"	{61FE4A69-BF1F-4dac-B6BC-EC1952471299}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCE59A6D-2F48-4098-B2FE-B52FD8112894}\stubpath = "C:\\Windows\\{FCE59A6D-2F48-4098-B2FE-B52FD8112894}.exe"	{40B65CF3-533A-4ed7-B2D3-07BD17D58DF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}	{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40B65CF3-533A-4ed7-B2D3-07BD17D58DF9}	{61FE4A69-BF1F-4dac-B6BC-EC1952471299}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78FF91DC-8800-434c-BEFA-D707568B67F9}	{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86591B4B-DB90-4bc9-9790-EBADB8017D76}\stubpath = "C:\\Windows\\{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe"	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}\stubpath = "C:\\Windows\\{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe"	{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{157AFF11-CE03-4fe2-A348-BE274EC9F859}	{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}	{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}\stubpath = "C:\\Windows\\{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe"	{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{823709F2-D829-4b67-B742-17F43BF48DF2}\stubpath = "C:\\Windows\\{823709F2-D829-4b67-B742-17F43BF48DF2}.exe"	{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78FF91DC-8800-434c-BEFA-D707568B67F9}\stubpath = "C:\\Windows\\{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe"	{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86591B4B-DB90-4bc9-9790-EBADB8017D76}	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61FE4A69-BF1F-4dac-B6BC-EC1952471299}\stubpath = "C:\\Windows\\{61FE4A69-BF1F-4dac-B6BC-EC1952471299}.exe"	{BF3C6D52-04B0-469e-937E-4E0D62ABD02F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCE59A6D-2F48-4098-B2FE-B52FD8112894}	{40B65CF3-533A-4ed7-B2D3-07BD17D58DF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF3C6D52-04B0-469e-937E-4E0D62ABD02F}	{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe

Deletes itself 1 IoCs

pid	Process
2516	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3012	{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe
2460	{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe
2456	{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe
1060	{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe
568	{823709F2-D829-4b67-B742-17F43BF48DF2}.exe
2604	{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe
2028	{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe
1772	{BF3C6D52-04B0-469e-937E-4E0D62ABD02F}.exe
1780	{61FE4A69-BF1F-4dac-B6BC-EC1952471299}.exe
592	{40B65CF3-533A-4ed7-B2D3-07BD17D58DF9}.exe
400	{FCE59A6D-2F48-4098-B2FE-B52FD8112894}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BF3C6D52-04B0-469e-937E-4E0D62ABD02F}.exe	{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe
File created	C:\Windows\{40B65CF3-533A-4ed7-B2D3-07BD17D58DF9}.exe	{61FE4A69-BF1F-4dac-B6BC-EC1952471299}.exe
File created	C:\Windows\{823709F2-D829-4b67-B742-17F43BF48DF2}.exe	{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe
File created	C:\Windows\{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe	{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe
File created	C:\Windows\{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe	{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe
File created	C:\Windows\{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe	{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe
File created	C:\Windows\{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe	{823709F2-D829-4b67-B742-17F43BF48DF2}.exe
File created	C:\Windows\{61FE4A69-BF1F-4dac-B6BC-EC1952471299}.exe	{BF3C6D52-04B0-469e-937E-4E0D62ABD02F}.exe
File created	C:\Windows\{FCE59A6D-2F48-4098-B2FE-B52FD8112894}.exe	{40B65CF3-533A-4ed7-B2D3-07BD17D58DF9}.exe
File created	C:\Windows\{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe
File created	C:\Windows\{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe	{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1612	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe
Token: SeIncBasePriorityPrivilege	3012	{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe
Token: SeIncBasePriorityPrivilege	2460	{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe
Token: SeIncBasePriorityPrivilege	2456	{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe
Token: SeIncBasePriorityPrivilege	1060	{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe
Token: SeIncBasePriorityPrivilege	568	{823709F2-D829-4b67-B742-17F43BF48DF2}.exe
Token: SeIncBasePriorityPrivilege	2604	{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe
Token: SeIncBasePriorityPrivilege	2028	{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe
Token: SeIncBasePriorityPrivilege	1772	{BF3C6D52-04B0-469e-937E-4E0D62ABD02F}.exe
Token: SeIncBasePriorityPrivilege	1780	{61FE4A69-BF1F-4dac-B6BC-EC1952471299}.exe
Token: SeIncBasePriorityPrivilege	592	{40B65CF3-533A-4ed7-B2D3-07BD17D58DF9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 3012	1612	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe	28
PID 1612 wrote to memory of 3012	1612	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe	28
PID 1612 wrote to memory of 3012	1612	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe	28
PID 1612 wrote to memory of 3012	1612	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe	28
PID 1612 wrote to memory of 2516	1612	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe	29
PID 1612 wrote to memory of 2516	1612	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe	29
PID 1612 wrote to memory of 2516	1612	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe	29
PID 1612 wrote to memory of 2516	1612	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe	29
PID 3012 wrote to memory of 2460	3012	{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe	32
PID 3012 wrote to memory of 2460	3012	{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe	32
PID 3012 wrote to memory of 2460	3012	{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe	32
PID 3012 wrote to memory of 2460	3012	{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe	32
PID 3012 wrote to memory of 2448	3012	{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe	33
PID 3012 wrote to memory of 2448	3012	{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe	33
PID 3012 wrote to memory of 2448	3012	{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe	33
PID 3012 wrote to memory of 2448	3012	{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe	33
PID 2460 wrote to memory of 2456	2460	{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe	34
PID 2460 wrote to memory of 2456	2460	{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe	34
PID 2460 wrote to memory of 2456	2460	{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe	34
PID 2460 wrote to memory of 2456	2460	{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe	34
PID 2460 wrote to memory of 2068	2460	{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe	35
PID 2460 wrote to memory of 2068	2460	{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe	35
PID 2460 wrote to memory of 2068	2460	{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe	35
PID 2460 wrote to memory of 2068	2460	{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe	35
PID 2456 wrote to memory of 1060	2456	{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe	36
PID 2456 wrote to memory of 1060	2456	{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe	36
PID 2456 wrote to memory of 1060	2456	{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe	36
PID 2456 wrote to memory of 1060	2456	{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe	36
PID 2456 wrote to memory of 1324	2456	{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe	37
PID 2456 wrote to memory of 1324	2456	{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe	37
PID 2456 wrote to memory of 1324	2456	{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe	37
PID 2456 wrote to memory of 1324	2456	{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe	37
PID 1060 wrote to memory of 568	1060	{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe	38
PID 1060 wrote to memory of 568	1060	{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe	38
PID 1060 wrote to memory of 568	1060	{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe	38
PID 1060 wrote to memory of 568	1060	{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe	38
PID 1060 wrote to memory of 1868	1060	{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe	39
PID 1060 wrote to memory of 1868	1060	{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe	39
PID 1060 wrote to memory of 1868	1060	{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe	39
PID 1060 wrote to memory of 1868	1060	{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe	39
PID 568 wrote to memory of 2604	568	{823709F2-D829-4b67-B742-17F43BF48DF2}.exe	40
PID 568 wrote to memory of 2604	568	{823709F2-D829-4b67-B742-17F43BF48DF2}.exe	40
PID 568 wrote to memory of 2604	568	{823709F2-D829-4b67-B742-17F43BF48DF2}.exe	40
PID 568 wrote to memory of 2604	568	{823709F2-D829-4b67-B742-17F43BF48DF2}.exe	40
PID 568 wrote to memory of 1956	568	{823709F2-D829-4b67-B742-17F43BF48DF2}.exe	41
PID 568 wrote to memory of 1956	568	{823709F2-D829-4b67-B742-17F43BF48DF2}.exe	41
PID 568 wrote to memory of 1956	568	{823709F2-D829-4b67-B742-17F43BF48DF2}.exe	41
PID 568 wrote to memory of 1956	568	{823709F2-D829-4b67-B742-17F43BF48DF2}.exe	41
PID 2604 wrote to memory of 2028	2604	{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe	42
PID 2604 wrote to memory of 2028	2604	{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe	42
PID 2604 wrote to memory of 2028	2604	{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe	42
PID 2604 wrote to memory of 2028	2604	{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe	42
PID 2604 wrote to memory of 1048	2604	{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe	43
PID 2604 wrote to memory of 1048	2604	{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe	43
PID 2604 wrote to memory of 1048	2604	{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe	43
PID 2604 wrote to memory of 1048	2604	{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe	43
PID 2028 wrote to memory of 1772	2028	{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe	44
PID 2028 wrote to memory of 1772	2028	{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe	44
PID 2028 wrote to memory of 1772	2028	{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe	44
PID 2028 wrote to memory of 1772	2028	{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe	44
PID 2028 wrote to memory of 1580	2028	{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe	45
PID 2028 wrote to memory of 1580	2028	{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe	45
PID 2028 wrote to memory of 1580	2028	{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe	45
PID 2028 wrote to memory of 1580	2028	{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe	45

C:\Users\Admin\AppData\Local\Temp\71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe
"C:\Users\Admin\AppData\Local\Temp\71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe
  C:\Windows\{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe
    C:\Windows\{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe
      C:\Windows\{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe
        
        C:\Windows\{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
      - C:\Windows\{823709F2-D829-4b67-B742-17F43BF48DF2}.exe
        
        C:\Windows\{823709F2-D829-4b67-B742-17F43BF48DF2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe
        
        C:\Windows\{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe
        
        C:\Windows\{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{BF3C6D52-04B0-469e-937E-4E0D62ABD02F}.exe
        
        C:\Windows\{BF3C6D52-04B0-469e-937E-4E0D62ABD02F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\{61FE4A69-BF1F-4dac-B6BC-EC1952471299}.exe
        
        C:\Windows\{61FE4A69-BF1F-4dac-B6BC-EC1952471299}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\{40B65CF3-533A-4ed7-B2D3-07BD17D58DF9}.exe
        
        C:\Windows\{40B65CF3-533A-4ed7-B2D3-07BD17D58DF9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
        
        C:\Windows\{FCE59A6D-2F48-4098-B2FE-B52FD8112894}.exe
        
        C:\Windows\{FCE59A6D-2F48-4098-B2FE-B52FD8112894}.exe
        12⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40B65~1.EXE > nul
        12⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61FE4~1.EXE > nul
        11⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF3C6~1.EXE > nul
        10⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78FF9~1.EXE > nul
        9⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C288~1.EXE > nul
        8⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82370~1.EXE > nul
        7⤵
        
        PID:1956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCC79~1.EXE > nul
        6⤵
        
        PID:1868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{157AF~1.EXE > nul
        5⤵
        
        PID:1324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9DD3A~1.EXE > nul
      4⤵
      PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{86591~1.EXE > nul
    3⤵
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\71057D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C288D22-7F65-45e2-8DC1-FA935073E2F6}.exe

Filesize
64KB

MD5
ed34fad164e86d39456bd38cc7da4be7

SHA1
48866b5010283dffceb9af5786aa1b23d16bb423

SHA256
b286c4ce6006159d3131a05aeb89e38dfdecc5ea2eb7c5d9cdf97cc845db1ee7

SHA512
c0fb116b025ef55d98d2e82a76a6004a97304589dc641d15f8061c29728216269606c6053f2961cc671f1dfd671b1fe7c7a849d3ab58a32a1fe65107af14b85c

Download Submit
C:\Windows\{157AFF11-CE03-4fe2-A348-BE274EC9F859}.exe

Filesize
64KB

MD5
ae768de1a8f2afc603d64b117137a2b4

SHA1
1a135fc7a5b793a4f4541f91912dbf2c120dd0cf

SHA256
86b0ec8fb0f3f4d294e6810e23babb844b5db774e1c056c84672bb7553d6b013

SHA512
89bb5d81104ba20cf0433c4186f90754e8694e3a7eeafbac380ed97fab8d440adcc92bb419a56310aa6acb7147a94549801e06627b036581a7bf4103675c5fa2

Download Submit
C:\Windows\{40B65CF3-533A-4ed7-B2D3-07BD17D58DF9}.exe

Filesize
64KB

MD5
7428c1b5a85277ab3654791e649999cd

SHA1
3ddd1c6dff80621a0f22d03b3cf3fabb236299db

SHA256
d4532123fa6dbf14384a24e3897ef3fc6cc3dff494ae2a05de9975c40921720b

SHA512
f46463b9607426b19c7246ad108e2ba592199726d705f3ae7e2066cbc9000728bc6b1060a9ab185df4fcf130e39049d309aaf001d98ccf237b346ff97500f325

Download Submit
C:\Windows\{61FE4A69-BF1F-4dac-B6BC-EC1952471299}.exe

Filesize
64KB

MD5
dec9123cef0af1a174bb911f792ffef5

SHA1
b6430a07edd76e423ac7ee2bcadd980784211dcd

SHA256
b99cd6284b45015a462df5708e3a43dd3e6c2eff7af8246ee255a7cba035fff8

SHA512
6e823f2e2a54c7ae0321844c0e702f2317901cd0affc0cf2b209ace821fb11cde4817c47f7a6fa6a63dcc38277fc9ffd25c8926d9c3fabd6c38c043a30658b33

Download Submit
C:\Windows\{78FF91DC-8800-434c-BEFA-D707568B67F9}.exe

Filesize
64KB

MD5
2e0ce8c9b7f99ca2c21dcaa436c8af07

SHA1
d9bb7d658be36f61584b44ea286aa23d3d98fd8b

SHA256
26dc01737d8b960706492b2575a074dabfb27ceba3ee80d395c06e2ce5a7f97b

SHA512
06ff6d5c0fab8ee5021be7bebd40ec1e6b6ab4b7590dff023e1932acaedcddb528fca1b18ced1c790996d0915a219be6661dc5c409f924b9db09bac7014eb5ea

Download Submit
C:\Windows\{823709F2-D829-4b67-B742-17F43BF48DF2}.exe

Filesize
64KB

MD5
41290d16d28515a32cddffa0d4616cd2

SHA1
8fb2f9e1303163b100c20928ae437d5b9727e633

SHA256
12865c21dca286cec4500713135f0898729fa04275e60070dd73279aa7e023d1

SHA512
59cb07c9effa0eac872c3c3739d22bed731d528503bad4256d3f16e0a1451dd111c79c545dee08b12ac156049292e2d2c8aaa8b585c8fd63c253cead9881f3f0

Download Submit
C:\Windows\{86591B4B-DB90-4bc9-9790-EBADB8017D76}.exe

Filesize
64KB

MD5
3a9b37ebc94975fc28619217d86524cb

SHA1
7933d414673ec2b824676285d2957113c169768a

SHA256
7c2e834bc74a0acc260e0f68b4ee6ecab71b386737fda7b7322d63db25100b76

SHA512
36328d72013bde9d68ec28eef62caaf71b01369035b7cdd913f02917dc803764f3e0e50838169d76484973279b29210ebf7479d2bf8362499f852a8f4764b7a2

Download Submit
C:\Windows\{9DD3A83C-C6D4-4de5-9552-BB1C871B9E24}.exe

Filesize
64KB

MD5
8cf1e409c71078ceec82a6a3fae43265

SHA1
208f868be9c914aa949b9b77a5e6b3d44c7ea678

SHA256
e4464f5a6ce16bb67725353573c1d01d1a2202ab040a59ce43b23e7674f20b0a

SHA512
ca550edf94e8a07e69cfdf6b678b43662a74d0a1d4315d2dcf5af0c409a59fad75b8ae792eca472939b1d97d3d9ebfb8ea8402d8f6281b17ab4649efe975ba9b

Download Submit
C:\Windows\{BF3C6D52-04B0-469e-937E-4E0D62ABD02F}.exe

Filesize
64KB

MD5
baf5dbfbd651c2fcffa500a269a70906

SHA1
e7fe72101f67fae376d13dbff82b975b9b270250

SHA256
dcbbb79fcb3644a4d66c109e3f79dcdfeda000207f82ea6bb7990056b9a7f696

SHA512
7b29af72ff80e3b99ef15b94afe97622a8d558b41eb028e78640d2fbfd06ca84246a4cb51c1d511fe6b50d52fec2fa71d96e465ed7fd838feb1ba15a61d5636e

Download Submit
C:\Windows\{FCC79168-5E64-4652-A1ED-3AA5F4AB4634}.exe

Filesize
64KB

MD5
31c42d575dcf6033f9acded453693a7b

SHA1
206b929ece0492d576ee4a27140b726876234c0c

SHA256
c00cf9ee594e368a048ce6815c246adbc992e87f6987f551d94b61e568cd9a9a

SHA512
3e81719611082ef11a2d231a4c55ba49ea356050e012b8a950b5b62de0c65218266fd0202b3c197ff56de67f195059d1ee5ac90e87b6802a5affdaf30581c2f1

Download Submit
C:\Windows\{FCE59A6D-2F48-4098-B2FE-B52FD8112894}.exe

Filesize
64KB

MD5
d763390086b015875d4f41ff0bdbfd67

SHA1
5ee763814b9f63a33cd030e532491b4013043725

SHA256
356b65eb34e9666ba4071b0fe7841ee6128120884c5abc5845b74c30eee70a32

SHA512
df93d620cffc4276b1f5f5c41b2358d4fa7fb923aca71351400a6fffd48240130585d4fd211d9a0b0c675721c937e618dc5c17aee2ded0affe4c780685398b56

Download Submit
memory/568-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/568-47-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/592-99-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/592-90-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/592-96-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/1060-43-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1612-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1612-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1612-3-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/1772-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1772-80-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1772-75-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1780-81-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1780-89-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2028-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2456-30-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/2456-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2456-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2460-25-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2460-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2604-56-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/2604-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2604-61-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/3012-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads