aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 01:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98.exe
Size

64KB
MD5

9dc8fc2a6247abc7ad03773f2d04c063
SHA1

5f469fbae9a7a4af91fd3a57a07bf9ef8fdd0985
SHA256

aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98
SHA512

b2cfc44ad82fb9ada902da0d772433e3be30ded9d3d81058aefe287c1025bd1f11b24bb34a957c6831590608a852a255fb0a9703c9d2db59e707d17731ac22cf
SSDEEP

768:O0w981AvhKQLroCN4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdB:pEG70oCNlwWMZQcpmgDagIyS1loL7WrB

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 33 IoCs

resource	yara_rule
behavioral1/memory/2240-0-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0038000000016448-5.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2928-8-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2240-9-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2928-13-0x00000000003F0000-0x0000000000400000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2928-18-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0038000000016572-17.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2704-19-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2704-26-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000a0000000165d4-27.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2532-28-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2328-37-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2532-36-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0004000000004ed7-35.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2328-45-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1968-46-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000b0000000165d4-44.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1968-54-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000a000000016824-53.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2408-55-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2408-63-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000c0000000165d4-62.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000b000000016824-70.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1720-71-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/764-72-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000d0000000165d4-79.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2564-80-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/764-81-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2564-89-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000c000000016824-88.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2268-97-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000e0000000165d4-96.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/892-98-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC42D257-E467-4074-BC04-CE6C17B48200}	{BB980DA3-8307-410d-87FA-A7E3733C8F9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4291468-63D4-45a6-A12D-330691F81A38}	{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{142ADCA2-6895-42c9-AF99-28DB958EA9A8}\stubpath = "C:\\Windows\\{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe"	{D4291468-63D4-45a6-A12D-330691F81A38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1C5085E-6812-4539-B657-5434F42BCB94}	{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1C5085E-6812-4539-B657-5434F42BCB94}\stubpath = "C:\\Windows\\{F1C5085E-6812-4539-B657-5434F42BCB94}.exe"	{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB980DA3-8307-410d-87FA-A7E3733C8F9D}\stubpath = "C:\\Windows\\{BB980DA3-8307-410d-87FA-A7E3733C8F9D}.exe"	{F1C5085E-6812-4539-B657-5434F42BCB94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}	aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4291468-63D4-45a6-A12D-330691F81A38}\stubpath = "C:\\Windows\\{D4291468-63D4-45a6-A12D-330691F81A38}.exe"	{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}\stubpath = "C:\\Windows\\{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe"	{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}	{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{341FEFC4-50A2-4a8d-AECE-D6D5EF711695}	{CC42D257-E467-4074-BC04-CE6C17B48200}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1514FEB-1498-4ff3-B002-43C18611FC9B}	{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1514FEB-1498-4ff3-B002-43C18611FC9B}\stubpath = "C:\\Windows\\{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe"	{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}\stubpath = "C:\\Windows\\{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe"	{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB980DA3-8307-410d-87FA-A7E3733C8F9D}	{F1C5085E-6812-4539-B657-5434F42BCB94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC42D257-E467-4074-BC04-CE6C17B48200}\stubpath = "C:\\Windows\\{CC42D257-E467-4074-BC04-CE6C17B48200}.exe"	{BB980DA3-8307-410d-87FA-A7E3733C8F9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{341FEFC4-50A2-4a8d-AECE-D6D5EF711695}\stubpath = "C:\\Windows\\{341FEFC4-50A2-4a8d-AECE-D6D5EF711695}.exe"	{CC42D257-E467-4074-BC04-CE6C17B48200}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}\stubpath = "C:\\Windows\\{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe"	aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{142ADCA2-6895-42c9-AF99-28DB958EA9A8}	{D4291468-63D4-45a6-A12D-330691F81A38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}	{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}	{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}\stubpath = "C:\\Windows\\{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe"	{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2928	{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe
2704	{D4291468-63D4-45a6-A12D-330691F81A38}.exe
2532	{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe
2328	{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe
1968	{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe
2408	{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe
1720	{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe
764	{F1C5085E-6812-4539-B657-5434F42BCB94}.exe
2564	{BB980DA3-8307-410d-87FA-A7E3733C8F9D}.exe
2268	{CC42D257-E467-4074-BC04-CE6C17B48200}.exe
892	{341FEFC4-50A2-4a8d-AECE-D6D5EF711695}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe	aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98.exe
File created	C:\Windows\{D4291468-63D4-45a6-A12D-330691F81A38}.exe	{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe
File created	C:\Windows\{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe	{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe
File created	C:\Windows\{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe	{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe
File created	C:\Windows\{F1C5085E-6812-4539-B657-5434F42BCB94}.exe	{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe
File created	C:\Windows\{BB980DA3-8307-410d-87FA-A7E3733C8F9D}.exe	{F1C5085E-6812-4539-B657-5434F42BCB94}.exe
File created	C:\Windows\{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe	{D4291468-63D4-45a6-A12D-330691F81A38}.exe
File created	C:\Windows\{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe	{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe
File created	C:\Windows\{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe	{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe
File created	C:\Windows\{CC42D257-E467-4074-BC04-CE6C17B48200}.exe	{BB980DA3-8307-410d-87FA-A7E3733C8F9D}.exe
File created	C:\Windows\{341FEFC4-50A2-4a8d-AECE-D6D5EF711695}.exe	{CC42D257-E467-4074-BC04-CE6C17B48200}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2240	aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98.exe
Token: SeIncBasePriorityPrivilege	2928	{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe
Token: SeIncBasePriorityPrivilege	2704	{D4291468-63D4-45a6-A12D-330691F81A38}.exe
Token: SeIncBasePriorityPrivilege	2532	{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe
Token: SeIncBasePriorityPrivilege	2328	{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe
Token: SeIncBasePriorityPrivilege	1968	{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe
Token: SeIncBasePriorityPrivilege	2408	{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe
Token: SeIncBasePriorityPrivilege	1720	{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe
Token: SeIncBasePriorityPrivilege	764	{F1C5085E-6812-4539-B657-5434F42BCB94}.exe
Token: SeIncBasePriorityPrivilege	2564	{BB980DA3-8307-410d-87FA-A7E3733C8F9D}.exe
Token: SeIncBasePriorityPrivilege	2268	{CC42D257-E467-4074-BC04-CE6C17B48200}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2928	2240	aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98.exe	28
PID 2240 wrote to memory of 2928	2240	aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98.exe	28
PID 2240 wrote to memory of 2928	2240	aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98.exe	28
PID 2240 wrote to memory of 2928	2240	aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98.exe	28
PID 2240 wrote to memory of 2924	2240	aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98.exe	29
PID 2240 wrote to memory of 2924	2240	aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98.exe	29
PID 2240 wrote to memory of 2924	2240	aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98.exe	29
PID 2240 wrote to memory of 2924	2240	aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98.exe	29
PID 2928 wrote to memory of 2704	2928	{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe	30
PID 2928 wrote to memory of 2704	2928	{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe	30
PID 2928 wrote to memory of 2704	2928	{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe	30
PID 2928 wrote to memory of 2704	2928	{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe	30
PID 2928 wrote to memory of 2696	2928	{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe	31
PID 2928 wrote to memory of 2696	2928	{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe	31
PID 2928 wrote to memory of 2696	2928	{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe	31
PID 2928 wrote to memory of 2696	2928	{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe	31
PID 2704 wrote to memory of 2532	2704	{D4291468-63D4-45a6-A12D-330691F81A38}.exe	32
PID 2704 wrote to memory of 2532	2704	{D4291468-63D4-45a6-A12D-330691F81A38}.exe	32
PID 2704 wrote to memory of 2532	2704	{D4291468-63D4-45a6-A12D-330691F81A38}.exe	32
PID 2704 wrote to memory of 2532	2704	{D4291468-63D4-45a6-A12D-330691F81A38}.exe	32
PID 2704 wrote to memory of 2524	2704	{D4291468-63D4-45a6-A12D-330691F81A38}.exe	33
PID 2704 wrote to memory of 2524	2704	{D4291468-63D4-45a6-A12D-330691F81A38}.exe	33
PID 2704 wrote to memory of 2524	2704	{D4291468-63D4-45a6-A12D-330691F81A38}.exe	33
PID 2704 wrote to memory of 2524	2704	{D4291468-63D4-45a6-A12D-330691F81A38}.exe	33
PID 2532 wrote to memory of 2328	2532	{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe	36
PID 2532 wrote to memory of 2328	2532	{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe	36
PID 2532 wrote to memory of 2328	2532	{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe	36
PID 2532 wrote to memory of 2328	2532	{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe	36
PID 2532 wrote to memory of 2208	2532	{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe	37
PID 2532 wrote to memory of 2208	2532	{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe	37
PID 2532 wrote to memory of 2208	2532	{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe	37
PID 2532 wrote to memory of 2208	2532	{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe	37
PID 2328 wrote to memory of 1968	2328	{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe	38
PID 2328 wrote to memory of 1968	2328	{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe	38
PID 2328 wrote to memory of 1968	2328	{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe	38
PID 2328 wrote to memory of 1968	2328	{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe	38
PID 2328 wrote to memory of 2224	2328	{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe	39
PID 2328 wrote to memory of 2224	2328	{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe	39
PID 2328 wrote to memory of 2224	2328	{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe	39
PID 2328 wrote to memory of 2224	2328	{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe	39
PID 1968 wrote to memory of 2408	1968	{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe	40
PID 1968 wrote to memory of 2408	1968	{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe	40
PID 1968 wrote to memory of 2408	1968	{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe	40
PID 1968 wrote to memory of 2408	1968	{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe	40
PID 1968 wrote to memory of 2412	1968	{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe	41
PID 1968 wrote to memory of 2412	1968	{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe	41
PID 1968 wrote to memory of 2412	1968	{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe	41
PID 1968 wrote to memory of 2412	1968	{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe	41
PID 2408 wrote to memory of 1720	2408	{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe	42
PID 2408 wrote to memory of 1720	2408	{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe	42
PID 2408 wrote to memory of 1720	2408	{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe	42
PID 2408 wrote to memory of 1720	2408	{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe	42
PID 2408 wrote to memory of 772	2408	{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe	43
PID 2408 wrote to memory of 772	2408	{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe	43
PID 2408 wrote to memory of 772	2408	{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe	43
PID 2408 wrote to memory of 772	2408	{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe	43
PID 1720 wrote to memory of 764	1720	{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe	44
PID 1720 wrote to memory of 764	1720	{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe	44
PID 1720 wrote to memory of 764	1720	{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe	44
PID 1720 wrote to memory of 764	1720	{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe	44
PID 1720 wrote to memory of 1196	1720	{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe	45
PID 1720 wrote to memory of 1196	1720	{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe	45
PID 1720 wrote to memory of 1196	1720	{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe	45
PID 1720 wrote to memory of 1196	1720	{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe	45

C:\Users\Admin\AppData\Local\Temp\aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98.exe
"C:\Users\Admin\AppData\Local\Temp\aaa84fed9176ba524ddd7d77c89169eabbb54c531cc110a2f170b3bdceee9c98.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe
  C:\Windows\{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\{D4291468-63D4-45a6-A12D-330691F81A38}.exe
    C:\Windows\{D4291468-63D4-45a6-A12D-330691F81A38}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe
      C:\Windows\{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe
        
        C:\Windows\{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Windows\{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe
        
        C:\Windows\{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe
        
        C:\Windows\{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe
        
        C:\Windows\{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\{F1C5085E-6812-4539-B657-5434F42BCB94}.exe
        
        C:\Windows\{F1C5085E-6812-4539-B657-5434F42BCB94}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\{BB980DA3-8307-410d-87FA-A7E3733C8F9D}.exe
        
        C:\Windows\{BB980DA3-8307-410d-87FA-A7E3733C8F9D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\{CC42D257-E467-4074-BC04-CE6C17B48200}.exe
        
        C:\Windows\{CC42D257-E467-4074-BC04-CE6C17B48200}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\{341FEFC4-50A2-4a8d-AECE-D6D5EF711695}.exe
        
        C:\Windows\{341FEFC4-50A2-4a8d-AECE-D6D5EF711695}.exe
        12⤵
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC42D~1.EXE > nul
        12⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB980~1.EXE > nul
        11⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1C50~1.EXE > nul
        10⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B2F3~1.EXE > nul
        9⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDCF5~1.EXE > nul
        8⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85D83~1.EXE > nul
        7⤵
        
        PID:2412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1514~1.EXE > nul
        6⤵
        
        PID:2224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{142AD~1.EXE > nul
        5⤵
        
        PID:2208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D4291~1.EXE > nul
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{10A6A~1.EXE > nul
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AAA84F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10A6A112-E9EF-4e53-8CC7-2F86B7B2E6A0}.exe

Filesize
64KB

MD5
f3f351428f0a64929f6927c8ebe51e9e

SHA1
7661409aec71b5bf2b8dfeb911c7cefd056a7fc8

SHA256
f86c8ecbb53572714c3bc0c09838600711fb86d76faabb09cd49c3440350021d

SHA512
f556a6f06e01b9056c2fc2e33838e0388eda8555470d0043d698f7bb4afb11a68f2c3de2dde4c5718457b8514cae8d556dc4667b7fae0bfb2f82e37fbe70f425

Download Submit
C:\Windows\{142ADCA2-6895-42c9-AF99-28DB958EA9A8}.exe

Filesize
64KB

MD5
d6c826bfe1fcedaabf06364b865f0549

SHA1
4d90e43ed45f5a252e7adc96c4a862235d895e64

SHA256
3e194235f9de0ba0d004d35b407ea65c00cc8a4146579b8610dc6d632e1dd5a4

SHA512
e3f8c19a9330212b77a0c510fe862069252e90b479510a52a125137f65c632875d119b33624e21998f6b661224a1e3c46e1251cee21b4f90137fd03ec86ef689

Download Submit
C:\Windows\{341FEFC4-50A2-4a8d-AECE-D6D5EF711695}.exe

Filesize
64KB

MD5
32418a9b1b3f253b49334edc5dd7ae16

SHA1
17ac20dfd7ccf1cb35f5df523b9e4820efefd85c

SHA256
fec7d4caaf0865035902b69869c5688fd26b7d59a000b6caf13edc06362a6cad

SHA512
c18b54065541508043f43d047c82cc9dcf2a77c2337b73984a018bef7014389c3813195072fb40e006c40769b1164c739b63fada276140f7e8369dbada85a76e

Download Submit
C:\Windows\{3B2F3815-37A6-42c9-BBEF-DECFB77B5980}.exe

Filesize
64KB

MD5
53db00ecca10712e1d026498ca980ad3

SHA1
8117ce13b5bba4d2f1b4a979dfdf257b7fc49047

SHA256
c8c27a39688766a306eed995ae58ca9ffce017073c0e3ac752b3b83d21c77183

SHA512
7157b2d88e66f4926db34ac0a324f1b594ec1344fb1cbad89a3f5cc12324defa4c98bc69d7f0b0e9f1abaa823a938d6c7b5c6151d488c129575e20bd3cd10338

Download Submit
C:\Windows\{85D83EF3-1CD5-4ef1-94C0-85D4B684A12B}.exe

Filesize
64KB

MD5
ee6cf3b4bcc792b68276c935dfc33949

SHA1
2c3aa372ca447a44f9076e664a79b254259e0d7b

SHA256
98b6c71bee47b315414c218f6e15b0505bee550a06316c4bcdf1e397125620c8

SHA512
203f56b1b12b534bf39fbd00f6f54c9623e49419334e3147fe8d1b6ceb80c87bb871b93fdc919b65f81fc4adfa71bb32fa3e34442aba2e13f62266d5b2fd864b

Download Submit
C:\Windows\{BB980DA3-8307-410d-87FA-A7E3733C8F9D}.exe

Filesize
64KB

MD5
df6b935024973c5ad1df7bfbb6cdfd59

SHA1
d9e29b19d60a7ae15859b2f16bd8f3680e5f05d2

SHA256
a1f2f8e83eece882f939512cc901d479b33374bf5a1475c6e2dae2a9fe570156

SHA512
556abdf1cd2f357957cde702c296715cc6bdd734498e8cdc4ac1b19ece90a092bd8846eb231caf76890c47bfe0be0c72033c4a0c15763de19d74bf50609e6fe1

Download Submit
C:\Windows\{BDCF5E20-0A7E-4c65-93D2-D6D4218A4543}.exe

Filesize
64KB

MD5
822d16a6bc1e22f4be059e6091d10afc

SHA1
a20c2fb35ad32b82c5cff6b37a96a0d1a39a6e3c

SHA256
f047a1faa34e2b039b5dbf8e30ec0a9c294e207952731dfe1a38f2ebd6956faa

SHA512
3c4e153ad2681312861307bb4e7984ea4ed10e870cb9c7d0f04af398639cfce1a452e16b253f7153fde36a222b1045baa21cf8f18f81ed2b20f7c9989b361af0

Download Submit
C:\Windows\{C1514FEB-1498-4ff3-B002-43C18611FC9B}.exe

Filesize
64KB

MD5
1630f41d4e0efbdf80bfad55efa0bb43

SHA1
a98ad2469a32f62b989c913a98ff49624e014afc

SHA256
b83a12c7aaa69237485466b35d329c4b6efcf274a0b3fb133ea34e12adcb75b4

SHA512
a23e94a11e14685173f7a0fb66ceaa330bd0ba296693f1a49644bd24ed5a22c0fe70b5af068f04c3abd78a493b8edbf1836ae82534fed4bc23fc20e4a56d0492

Download Submit
C:\Windows\{CC42D257-E467-4074-BC04-CE6C17B48200}.exe

Filesize
64KB

MD5
c5f4791633b385d3b45581e95864a03a

SHA1
8df55a4232c89b3add170113edd53f58b9db9b25

SHA256
5ca438fbcbf814569d4e37b73f1afda4b3a851f4030ba944c5a52269727db5b1

SHA512
a8d528d308c52c7d7625a9b0131c1f36ad7907e0c605db0ea999a45d65d77cac0a4adb9e66f3da2bb4533ba8903475c27c222c422a53d2fceb1ef18f76e69fe8

Download Submit
C:\Windows\{D4291468-63D4-45a6-A12D-330691F81A38}.exe

Filesize
64KB

MD5
58d91657929173809977da8fa5cc071a

SHA1
9b118be0c2cc9337a95dbcc99bf4eea62c042293

SHA256
51ec6237d5bef68dda1d689015ee5d9ffd1a1c0d15b21ff1674fe71b8cfe675b

SHA512
7f7b4bc4682767c50ec9e069d2d4051b68947e79f92f97d04ed8f74a6aa4c40f57f89f151f4605ec3e533b67e6890796641835d8d40f980550e6ed6ddee0b2bd

Download Submit
C:\Windows\{F1C5085E-6812-4539-B657-5434F42BCB94}.exe

Filesize
64KB

MD5
205622a4ec15395306de35f58b310472

SHA1
2958a379d5872c2c78dff088344a7d914a2e64fb

SHA256
ea5724a6431e267fe515a8fc96a5d5b3772468c98ed7d01f6b8d9fee1c68442f

SHA512
42dec14c405446faccf71141d27ce66bf3db2d84cb6e773a1992168b9fec9bf5424748129fdfbd8265e1a7e8749d872fcf2340c83ac24ec84d76e0f5eeb30fb4

Download Submit
memory/764-81-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/764-72-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/892-98-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1720-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1968-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1968-54-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2240-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2240-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2240-7-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2268-97-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2328-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2328-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2408-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2408-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2532-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2532-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2564-89-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2564-80-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2704-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2704-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2928-13-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2928-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2928-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads