50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
06-06-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0.exe
Size

60KB
MD5

edab1de6dc24c6cb7fd0d7dc93ffa36f
SHA1

a0a05d48a1cabed6701a90425c51d7d8197bcc95
SHA256

50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0
SHA512

a0852f6d30fbf498c16fa4bbb2c7272dc5864ecbc1a306d1f5c9bca10c3cb45315c4d73a39c75b3e4156d7276614a1cee5f09b226e767a3f457a6a787a5cee06
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroZ4/CFsrdHWMZ:vvw9816vhKQLroZ4/wQpWMZ

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001228a-4.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0037000000015c9b-12.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000d00000001228a-19.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0038000000015ca9-26.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0004000000004ed7-33.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000e00000001228a-40.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0005000000004ed7-47.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000f00000001228a-54.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0006000000004ed7-61.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x001000000001228a-68.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0007000000004ed7-75.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E70F254B-B0F3-4348-83CF-46CE9AD53E61}\stubpath = "C:\\Windows\\{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe"	{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}\stubpath = "C:\\Windows\\{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe"	{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A673D0E-5D16-4792-AED4-CF6C48DC5A6A}\stubpath = "C:\\Windows\\{0A673D0E-5D16-4792-AED4-CF6C48DC5A6A}.exe"	{950FD539-ADB6-498b-9629-25D8FF787B8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}	{862D8558-3D42-4049-AC82-162CA100B471}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}\stubpath = "C:\\Windows\\{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe"	{862D8558-3D42-4049-AC82-162CA100B471}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}	{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}	{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B69534E5-CC76-46c7-83BE-7C7033A3814D}	{281D8DE9-BD3F-49fa-B8EB-F9A90D1809FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E70F254B-B0F3-4348-83CF-46CE9AD53E61}	{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}	{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}\stubpath = "C:\\Windows\\{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe"	{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{281D8DE9-BD3F-49fa-B8EB-F9A90D1809FD}	{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A673D0E-5D16-4792-AED4-CF6C48DC5A6A}	{950FD539-ADB6-498b-9629-25D8FF787B8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99B0C519-E26A-4469-9416-554B408D4F45}\stubpath = "C:\\Windows\\{99B0C519-E26A-4469-9416-554B408D4F45}.exe"	50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{862D8558-3D42-4049-AC82-162CA100B471}	{99B0C519-E26A-4469-9416-554B408D4F45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}\stubpath = "C:\\Windows\\{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe"	{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B69534E5-CC76-46c7-83BE-7C7033A3814D}\stubpath = "C:\\Windows\\{B69534E5-CC76-46c7-83BE-7C7033A3814D}.exe"	{281D8DE9-BD3F-49fa-B8EB-F9A90D1809FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{950FD539-ADB6-498b-9629-25D8FF787B8B}	{B69534E5-CC76-46c7-83BE-7C7033A3814D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{950FD539-ADB6-498b-9629-25D8FF787B8B}\stubpath = "C:\\Windows\\{950FD539-ADB6-498b-9629-25D8FF787B8B}.exe"	{B69534E5-CC76-46c7-83BE-7C7033A3814D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99B0C519-E26A-4469-9416-554B408D4F45}	50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{862D8558-3D42-4049-AC82-162CA100B471}\stubpath = "C:\\Windows\\{862D8558-3D42-4049-AC82-162CA100B471}.exe"	{99B0C519-E26A-4469-9416-554B408D4F45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{281D8DE9-BD3F-49fa-B8EB-F9A90D1809FD}\stubpath = "C:\\Windows\\{281D8DE9-BD3F-49fa-B8EB-F9A90D1809FD}.exe"	{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe

Deletes itself 1 IoCs

pid	Process
2980	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2644	{99B0C519-E26A-4469-9416-554B408D4F45}.exe
2660	{862D8558-3D42-4049-AC82-162CA100B471}.exe
2652	{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe
2924	{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe
2436	{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe
2388	{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe
352	{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe
1844	{281D8DE9-BD3F-49fa-B8EB-F9A90D1809FD}.exe
2896	{B69534E5-CC76-46c7-83BE-7C7033A3814D}.exe
2560	{950FD539-ADB6-498b-9629-25D8FF787B8B}.exe
1068	{0A673D0E-5D16-4792-AED4-CF6C48DC5A6A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{862D8558-3D42-4049-AC82-162CA100B471}.exe	{99B0C519-E26A-4469-9416-554B408D4F45}.exe
File created	C:\Windows\{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe	{862D8558-3D42-4049-AC82-162CA100B471}.exe
File created	C:\Windows\{281D8DE9-BD3F-49fa-B8EB-F9A90D1809FD}.exe	{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe
File created	C:\Windows\{B69534E5-CC76-46c7-83BE-7C7033A3814D}.exe	{281D8DE9-BD3F-49fa-B8EB-F9A90D1809FD}.exe
File created	C:\Windows\{950FD539-ADB6-498b-9629-25D8FF787B8B}.exe	{B69534E5-CC76-46c7-83BE-7C7033A3814D}.exe
File created	C:\Windows\{0A673D0E-5D16-4792-AED4-CF6C48DC5A6A}.exe	{950FD539-ADB6-498b-9629-25D8FF787B8B}.exe
File created	C:\Windows\{99B0C519-E26A-4469-9416-554B408D4F45}.exe	50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0.exe
File created	C:\Windows\{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe	{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe
File created	C:\Windows\{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe	{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe
File created	C:\Windows\{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe	{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe
File created	C:\Windows\{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe	{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3020	50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0.exe
Token: SeIncBasePriorityPrivilege	2644	{99B0C519-E26A-4469-9416-554B408D4F45}.exe
Token: SeIncBasePriorityPrivilege	2660	{862D8558-3D42-4049-AC82-162CA100B471}.exe
Token: SeIncBasePriorityPrivilege	2652	{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe
Token: SeIncBasePriorityPrivilege	2924	{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe
Token: SeIncBasePriorityPrivilege	2436	{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe
Token: SeIncBasePriorityPrivilege	2388	{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe
Token: SeIncBasePriorityPrivilege	352	{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe
Token: SeIncBasePriorityPrivilege	1844	{281D8DE9-BD3F-49fa-B8EB-F9A90D1809FD}.exe
Token: SeIncBasePriorityPrivilege	2896	{B69534E5-CC76-46c7-83BE-7C7033A3814D}.exe
Token: SeIncBasePriorityPrivilege	2560	{950FD539-ADB6-498b-9629-25D8FF787B8B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2644	3020	50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0.exe	28
PID 3020 wrote to memory of 2644	3020	50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0.exe	28
PID 3020 wrote to memory of 2644	3020	50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0.exe	28
PID 3020 wrote to memory of 2644	3020	50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0.exe	28
PID 3020 wrote to memory of 2980	3020	50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0.exe	29
PID 3020 wrote to memory of 2980	3020	50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0.exe	29
PID 3020 wrote to memory of 2980	3020	50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0.exe	29
PID 3020 wrote to memory of 2980	3020	50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0.exe	29
PID 2644 wrote to memory of 2660	2644	{99B0C519-E26A-4469-9416-554B408D4F45}.exe	30
PID 2644 wrote to memory of 2660	2644	{99B0C519-E26A-4469-9416-554B408D4F45}.exe	30
PID 2644 wrote to memory of 2660	2644	{99B0C519-E26A-4469-9416-554B408D4F45}.exe	30
PID 2644 wrote to memory of 2660	2644	{99B0C519-E26A-4469-9416-554B408D4F45}.exe	30
PID 2644 wrote to memory of 2468	2644	{99B0C519-E26A-4469-9416-554B408D4F45}.exe	31
PID 2644 wrote to memory of 2468	2644	{99B0C519-E26A-4469-9416-554B408D4F45}.exe	31
PID 2644 wrote to memory of 2468	2644	{99B0C519-E26A-4469-9416-554B408D4F45}.exe	31
PID 2644 wrote to memory of 2468	2644	{99B0C519-E26A-4469-9416-554B408D4F45}.exe	31
PID 2660 wrote to memory of 2652	2660	{862D8558-3D42-4049-AC82-162CA100B471}.exe	32
PID 2660 wrote to memory of 2652	2660	{862D8558-3D42-4049-AC82-162CA100B471}.exe	32
PID 2660 wrote to memory of 2652	2660	{862D8558-3D42-4049-AC82-162CA100B471}.exe	32
PID 2660 wrote to memory of 2652	2660	{862D8558-3D42-4049-AC82-162CA100B471}.exe	32
PID 2660 wrote to memory of 2764	2660	{862D8558-3D42-4049-AC82-162CA100B471}.exe	33
PID 2660 wrote to memory of 2764	2660	{862D8558-3D42-4049-AC82-162CA100B471}.exe	33
PID 2660 wrote to memory of 2764	2660	{862D8558-3D42-4049-AC82-162CA100B471}.exe	33
PID 2660 wrote to memory of 2764	2660	{862D8558-3D42-4049-AC82-162CA100B471}.exe	33
PID 2652 wrote to memory of 2924	2652	{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe	36
PID 2652 wrote to memory of 2924	2652	{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe	36
PID 2652 wrote to memory of 2924	2652	{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe	36
PID 2652 wrote to memory of 2924	2652	{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe	36
PID 2652 wrote to memory of 1732	2652	{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe	37
PID 2652 wrote to memory of 1732	2652	{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe	37
PID 2652 wrote to memory of 1732	2652	{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe	37
PID 2652 wrote to memory of 1732	2652	{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe	37
PID 2924 wrote to memory of 2436	2924	{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe	38
PID 2924 wrote to memory of 2436	2924	{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe	38
PID 2924 wrote to memory of 2436	2924	{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe	38
PID 2924 wrote to memory of 2436	2924	{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe	38
PID 2924 wrote to memory of 2692	2924	{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe	39
PID 2924 wrote to memory of 2692	2924	{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe	39
PID 2924 wrote to memory of 2692	2924	{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe	39
PID 2924 wrote to memory of 2692	2924	{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe	39
PID 2436 wrote to memory of 2388	2436	{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe	40
PID 2436 wrote to memory of 2388	2436	{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe	40
PID 2436 wrote to memory of 2388	2436	{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe	40
PID 2436 wrote to memory of 2388	2436	{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe	40
PID 2436 wrote to memory of 2372	2436	{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe	41
PID 2436 wrote to memory of 2372	2436	{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe	41
PID 2436 wrote to memory of 2372	2436	{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe	41
PID 2436 wrote to memory of 2372	2436	{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe	41
PID 2388 wrote to memory of 352	2388	{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe	42
PID 2388 wrote to memory of 352	2388	{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe	42
PID 2388 wrote to memory of 352	2388	{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe	42
PID 2388 wrote to memory of 352	2388	{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe	42
PID 2388 wrote to memory of 1664	2388	{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe	43
PID 2388 wrote to memory of 1664	2388	{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe	43
PID 2388 wrote to memory of 1664	2388	{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe	43
PID 2388 wrote to memory of 1664	2388	{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe	43
PID 352 wrote to memory of 1844	352	{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe	44
PID 352 wrote to memory of 1844	352	{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe	44
PID 352 wrote to memory of 1844	352	{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe	44
PID 352 wrote to memory of 1844	352	{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe	44
PID 352 wrote to memory of 2788	352	{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe	45
PID 352 wrote to memory of 2788	352	{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe	45
PID 352 wrote to memory of 2788	352	{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe	45
PID 352 wrote to memory of 2788	352	{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe	45

C:\Users\Admin\AppData\Local\Temp\50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0.exe
"C:\Users\Admin\AppData\Local\Temp\50729fea83dabdb199336cdb5c738eeed5af8ce63f4166ebe4604f2b1fdae5a0.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\{99B0C519-E26A-4469-9416-554B408D4F45}.exe
  C:\Windows\{99B0C519-E26A-4469-9416-554B408D4F45}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\{862D8558-3D42-4049-AC82-162CA100B471}.exe
    C:\Windows\{862D8558-3D42-4049-AC82-162CA100B471}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe
      C:\Windows\{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe
        
        C:\Windows\{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe
        
        C:\Windows\{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe
        
        C:\Windows\{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe
        
        C:\Windows\{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Windows\{281D8DE9-BD3F-49fa-B8EB-F9A90D1809FD}.exe
        
        C:\Windows\{281D8DE9-BD3F-49fa-B8EB-F9A90D1809FD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\{B69534E5-CC76-46c7-83BE-7C7033A3814D}.exe
        
        C:\Windows\{B69534E5-CC76-46c7-83BE-7C7033A3814D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\{950FD539-ADB6-498b-9629-25D8FF787B8B}.exe
        
        C:\Windows\{950FD539-ADB6-498b-9629-25D8FF787B8B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\{0A673D0E-5D16-4792-AED4-CF6C48DC5A6A}.exe
        
        C:\Windows\{0A673D0E-5D16-4792-AED4-CF6C48DC5A6A}.exe
        12⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{950FD~1.EXE > nul
        12⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6953~1.EXE > nul
        11⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{281D8~1.EXE > nul
        10⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40A83~1.EXE > nul
        9⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D95C~1.EXE > nul
        8⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E70F2~1.EXE > nul
        7⤵
        
        PID:2372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB0CD~1.EXE > nul
        6⤵
        
        PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F17F~1.EXE > nul
        5⤵
        
        PID:1732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{862D8~1.EXE > nul
      4⤵
      PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{99B0C~1.EXE > nul
    3⤵
    PID:2468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\50729F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A673D0E-5D16-4792-AED4-CF6C48DC5A6A}.exe

Filesize
60KB

MD5
ff5cf24a6a70cfdc8b06819f230621c4

SHA1
1884cbb4b0c28e388f15ef0d1826343371489296

SHA256
d184c4671b54ac780d757d4bb9919f43b23d4351fa55e150b44b90e7526fb0d3

SHA512
1f763baca9cae65b34f72ecabf6b746f0e5f56c74ddcfa26ac9cad338d7f145764c420d6cbc3c8dbaed0c450f258fa02808c170b31bafcddd9cd36dcd9ea8ea5

Download Submit
C:\Windows\{0F17FD7E-1E5B-428f-B919-E71D39CF26C3}.exe

Filesize
60KB

MD5
a240a4d5a51f7f8926056221e14b3f49

SHA1
1c0d7ab966cb99716bcd12564445787661d08a88

SHA256
a3156194764a2d5bb023b0e228c436e72ae1c6f87542b889c7cd739c114588d3

SHA512
59603202578ace7f7c998349db57561ed9ba034b40559793b27ad8e99aa86a6f74ae5fb8a091c3bf08ebfabde687537827715c32023b163492e0cf013b4fad28

Download Submit
C:\Windows\{281D8DE9-BD3F-49fa-B8EB-F9A90D1809FD}.exe

Filesize
60KB

MD5
8c67bd2c1f5bdb6c1ab7130c4a3d9ba1

SHA1
5ff4e24d0b59fe66c1afd07eb02ce141da188bd1

SHA256
f105bb58e8866ef8fef3e51ed765d2f49b02ee33541b034986aa95d31cc92aba

SHA512
062c78abd0480f328b9927f48329a6b37b900bab6ed303b11a7a85f82c22440d8fc1524f6e3f99d8aca72255d8b34a465a075fe6d07b3fd0742eb53a143cdcb5

Download Submit
C:\Windows\{40A83260-A75F-4fca-AF55-2E83FC3F1DD3}.exe

Filesize
60KB

MD5
7bf520e24ac04ec5658b79be6130c4f7

SHA1
51a82ba4e1b598bad6a0c752b92c1a8b6ec1a1e6

SHA256
2f44048d110c1bc15134b32da90e40660ec3249bb2939f2c711f173e006a2ffc

SHA512
75da68fff779c98a333d586c6f21b9646ccfd6166b2a18f5a8c0add0b17b86792c9fd96c7d00f3a8a8a50d9cfd75902628f0264e2259be1ad51ff71acb91c7f3

Download Submit
C:\Windows\{6D95CE66-ADA6-4960-A998-0ADFB9DFCA40}.exe

Filesize
60KB

MD5
3ff20d4cc0fc162e3db3c5ae073a6206

SHA1
dc299d8f2298ba35a8ce87101b4f48a6c4ba321b

SHA256
e4d91d4274c820ee8550b1f6ce2eb5090282de8c2cb63b8fa624eca47eaa5324

SHA512
249204edf6490033359700ff09f1f391e003629dc8b0c52a0bd4841c0496664481487e9837d749045700d74a7816f45fdcf722e37c245021c97a04e8264e622b

Download Submit
C:\Windows\{862D8558-3D42-4049-AC82-162CA100B471}.exe

Filesize
60KB

MD5
405a16f9c1e57fddb77fb1611f4502eb

SHA1
ac82c3498f0df0cf3b50f612e43842c9af3d6a24

SHA256
74503e73a76006953aa271bc64709bbf251fefbc8f893496f9fd22f5e1ae5eb2

SHA512
23839e21b17637c00ff5762f7bc3a0df3e22ed17994b7bd165c79ae67c800fe7f6a5ff3e857c66e07d8ab0ee21a2ccd5036c3241d60744ab0bd5329cf45f7959

Download Submit
C:\Windows\{950FD539-ADB6-498b-9629-25D8FF787B8B}.exe

Filesize
60KB

MD5
4715a9289cee47d147a558c64bc2900f

SHA1
5e5e123885cefc56eaed56d6ea57c46600cc8894

SHA256
d5208282171dc6b8bfb74a1000245f0b4ba4e276f4df1c61101eda900b5f9cec

SHA512
caba587716dfd6efcf9c55269bdb64b1d786b6d78b3d4e7bc625cfce99953a8727a093a24027e4357bd3c278e1fd9aa7d198ed2f745571dda7fb85f48688c4bc

Download Submit
C:\Windows\{99B0C519-E26A-4469-9416-554B408D4F45}.exe

Filesize
60KB

MD5
edbb583920aa0fe5f533d798698ce58a

SHA1
933879b9a0ade9feaef5c647afc16630d1bbaac4

SHA256
d4caf6db3dadf4a45d40eadc1974382fce5088d7f58c3fcbbd127c0ee209c0d9

SHA512
1236c3478b28dc2e27825bfec85576f81133746d8ad0b4c4f791b63ce44db0c0bc2f8495f935247f524c096075481e720b305b6bd2a32c4fb35657764bd636d0

Download Submit
C:\Windows\{B69534E5-CC76-46c7-83BE-7C7033A3814D}.exe

Filesize
60KB

MD5
2705e712de88d850d1d8f87f7acf7245

SHA1
ba032782fbdd838124d5df1b168e899ceba3ac30

SHA256
1297a88bf790cb7fb812b71c6a44bd7232442f3d4013d5a953921205ce2d2803

SHA512
05bd0e8746fb76b85e709ebb3fc5a4b8b733ee2ea784f61de9d44557aa9dd0eefcf4a776910d481e92c9dd6e3ba3a56c9fecd86f523361a220f789e12b097bcd

Download Submit
C:\Windows\{E70F254B-B0F3-4348-83CF-46CE9AD53E61}.exe

Filesize
60KB

MD5
302c5ffc4cf5db1dd28e2f80ea062914

SHA1
ade8517a9890a1304713b4b9701d3c82311aa627

SHA256
936334afd9174779cdc72254a1c10fa4da3406425319b4e3811775d35056d0cd

SHA512
d5562fd9088065967f43bb036d7f6f0fccb9c18e725bf809b0f30b4e8a6740aa7407723e5173a8dfaaed118521c814cfdc5e0951878d92ec8e959639b02a63a5

Download Submit
C:\Windows\{EB0CDAAD-83E0-4558-8CD6-C7957E83A23B}.exe

Filesize
60KB

MD5
a52aef3ee516f37c57a7ba9f65a363d0

SHA1
9a1aa73d2335bd083e85dd4e3e2764f8b76bb2b9

SHA256
2289e5cffad6eef193e92be716d9d53f6706d3350dc6efa0828c7ded9451bab8

SHA512
e25033d3c02f06c6e86be7bfaa2e0600823e16d2a47d1d1ced73dfdb4fc23b1c8e162f96bb53a7c76329977349dfd35e749a2cc8af341a76990bdcc9aaf33b2f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads