56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534.exe
Size

60KB
MD5

1c20614e88d7f0d2e5812a65da23449d
SHA1

6e6cbb864a31eb66fcd07732b158436afe96baf7
SHA256

56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534
SHA512

efd1fcb4867b45359a3d91b5fe74c572ea3ef671048917529ee24f43350b1bc56f2f954706cfad42067ade88f4235c74d3c00928c904c1076d1e84d1e1c01f8a
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroT4/CFsrdHWMZo:vvw9816vhKQLroT4/wQpWMZo

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000015f7a-4.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0009000000016a29-12.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000b000000015f7a-19.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0009000000016be2-26.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0006000000005a59-33.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000c000000015f7a-40.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0007000000005a59-47.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000d000000015f7a-54.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0008000000005a59-61.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000e000000015f7a-68.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0009000000005a59-75.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}	{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24CCDB98-4547-4698-91AF-5A1337EDA373}	{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}\stubpath = "C:\\Windows\\{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe"	56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16BD0050-798E-4e3f-99C4-5483800BD039}	{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16BD0050-798E-4e3f-99C4-5483800BD039}\stubpath = "C:\\Windows\\{16BD0050-798E-4e3f-99C4-5483800BD039}.exe"	{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}\stubpath = "C:\\Windows\\{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe"	{16BD0050-798E-4e3f-99C4-5483800BD039}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{736F54A6-6408-4807-B5A3-53B60B578A5C}\stubpath = "C:\\Windows\\{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe"	{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{720F3F19-8A05-4f76-9247-17038CCD76A9}\stubpath = "C:\\Windows\\{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe"	{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24CCDB98-4547-4698-91AF-5A1337EDA373}\stubpath = "C:\\Windows\\{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe"	{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7001A078-607A-4b2d-87AA-1EE9C51B1C3C}	{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE2FF663-FD25-4926-98D8-EB78D073C328}\stubpath = "C:\\Windows\\{FE2FF663-FD25-4926-98D8-EB78D073C328}.exe"	{F79032E2-788B-44ab-BDA7-CE2FA57AF207}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C56C6BC-4611-4f31-8BC2-E74ABCE2E621}	{FE2FF663-FD25-4926-98D8-EB78D073C328}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}	56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{736F54A6-6408-4807-B5A3-53B60B578A5C}	{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{720F3F19-8A05-4f76-9247-17038CCD76A9}	{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F79032E2-788B-44ab-BDA7-CE2FA57AF207}	{7001A078-607A-4b2d-87AA-1EE9C51B1C3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C56C6BC-4611-4f31-8BC2-E74ABCE2E621}\stubpath = "C:\\Windows\\{6C56C6BC-4611-4f31-8BC2-E74ABCE2E621}.exe"	{FE2FF663-FD25-4926-98D8-EB78D073C328}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}	{16BD0050-798E-4e3f-99C4-5483800BD039}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}\stubpath = "C:\\Windows\\{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe"	{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7001A078-607A-4b2d-87AA-1EE9C51B1C3C}\stubpath = "C:\\Windows\\{7001A078-607A-4b2d-87AA-1EE9C51B1C3C}.exe"	{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F79032E2-788B-44ab-BDA7-CE2FA57AF207}\stubpath = "C:\\Windows\\{F79032E2-788B-44ab-BDA7-CE2FA57AF207}.exe"	{7001A078-607A-4b2d-87AA-1EE9C51B1C3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE2FF663-FD25-4926-98D8-EB78D073C328}	{F79032E2-788B-44ab-BDA7-CE2FA57AF207}.exe

Deletes itself 1 IoCs

pid	Process
2028	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2996	{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe
2700	{16BD0050-798E-4e3f-99C4-5483800BD039}.exe
2776	{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe
2172	{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe
2900	{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe
2536	{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe
3036	{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe
1792	{7001A078-607A-4b2d-87AA-1EE9C51B1C3C}.exe
2252	{F79032E2-788B-44ab-BDA7-CE2FA57AF207}.exe
384	{FE2FF663-FD25-4926-98D8-EB78D073C328}.exe
2960	{6C56C6BC-4611-4f31-8BC2-E74ABCE2E621}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe	56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534.exe
File created	C:\Windows\{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe	{16BD0050-798E-4e3f-99C4-5483800BD039}.exe
File created	C:\Windows\{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe	{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe
File created	C:\Windows\{6C56C6BC-4611-4f31-8BC2-E74ABCE2E621}.exe	{FE2FF663-FD25-4926-98D8-EB78D073C328}.exe
File created	C:\Windows\{16BD0050-798E-4e3f-99C4-5483800BD039}.exe	{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe
File created	C:\Windows\{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe	{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe
File created	C:\Windows\{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe	{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe
File created	C:\Windows\{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe	{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe
File created	C:\Windows\{7001A078-607A-4b2d-87AA-1EE9C51B1C3C}.exe	{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe
File created	C:\Windows\{F79032E2-788B-44ab-BDA7-CE2FA57AF207}.exe	{7001A078-607A-4b2d-87AA-1EE9C51B1C3C}.exe
File created	C:\Windows\{FE2FF663-FD25-4926-98D8-EB78D073C328}.exe	{F79032E2-788B-44ab-BDA7-CE2FA57AF207}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2968	56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534.exe
Token: SeIncBasePriorityPrivilege	2996	{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe
Token: SeIncBasePriorityPrivilege	2700	{16BD0050-798E-4e3f-99C4-5483800BD039}.exe
Token: SeIncBasePriorityPrivilege	2776	{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe
Token: SeIncBasePriorityPrivilege	2172	{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe
Token: SeIncBasePriorityPrivilege	2900	{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe
Token: SeIncBasePriorityPrivilege	2536	{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe
Token: SeIncBasePriorityPrivilege	3036	{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe
Token: SeIncBasePriorityPrivilege	1792	{7001A078-607A-4b2d-87AA-1EE9C51B1C3C}.exe
Token: SeIncBasePriorityPrivilege	2252	{F79032E2-788B-44ab-BDA7-CE2FA57AF207}.exe
Token: SeIncBasePriorityPrivilege	384	{FE2FF663-FD25-4926-98D8-EB78D073C328}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2996	2968	56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534.exe	28
PID 2968 wrote to memory of 2996	2968	56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534.exe	28
PID 2968 wrote to memory of 2996	2968	56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534.exe	28
PID 2968 wrote to memory of 2996	2968	56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534.exe	28
PID 2968 wrote to memory of 2028	2968	56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534.exe	29
PID 2968 wrote to memory of 2028	2968	56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534.exe	29
PID 2968 wrote to memory of 2028	2968	56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534.exe	29
PID 2968 wrote to memory of 2028	2968	56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534.exe	29
PID 2996 wrote to memory of 2700	2996	{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe	30
PID 2996 wrote to memory of 2700	2996	{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe	30
PID 2996 wrote to memory of 2700	2996	{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe	30
PID 2996 wrote to memory of 2700	2996	{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe	30
PID 2996 wrote to memory of 2624	2996	{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe	31
PID 2996 wrote to memory of 2624	2996	{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe	31
PID 2996 wrote to memory of 2624	2996	{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe	31
PID 2996 wrote to memory of 2624	2996	{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe	31
PID 2700 wrote to memory of 2776	2700	{16BD0050-798E-4e3f-99C4-5483800BD039}.exe	32
PID 2700 wrote to memory of 2776	2700	{16BD0050-798E-4e3f-99C4-5483800BD039}.exe	32
PID 2700 wrote to memory of 2776	2700	{16BD0050-798E-4e3f-99C4-5483800BD039}.exe	32
PID 2700 wrote to memory of 2776	2700	{16BD0050-798E-4e3f-99C4-5483800BD039}.exe	32
PID 2700 wrote to memory of 2840	2700	{16BD0050-798E-4e3f-99C4-5483800BD039}.exe	33
PID 2700 wrote to memory of 2840	2700	{16BD0050-798E-4e3f-99C4-5483800BD039}.exe	33
PID 2700 wrote to memory of 2840	2700	{16BD0050-798E-4e3f-99C4-5483800BD039}.exe	33
PID 2700 wrote to memory of 2840	2700	{16BD0050-798E-4e3f-99C4-5483800BD039}.exe	33
PID 2776 wrote to memory of 2172	2776	{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe	36
PID 2776 wrote to memory of 2172	2776	{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe	36
PID 2776 wrote to memory of 2172	2776	{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe	36
PID 2776 wrote to memory of 2172	2776	{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe	36
PID 2776 wrote to memory of 2136	2776	{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe	37
PID 2776 wrote to memory of 2136	2776	{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe	37
PID 2776 wrote to memory of 2136	2776	{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe	37
PID 2776 wrote to memory of 2136	2776	{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe	37
PID 2172 wrote to memory of 2900	2172	{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe	38
PID 2172 wrote to memory of 2900	2172	{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe	38
PID 2172 wrote to memory of 2900	2172	{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe	38
PID 2172 wrote to memory of 2900	2172	{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe	38
PID 2172 wrote to memory of 1540	2172	{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe	39
PID 2172 wrote to memory of 1540	2172	{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe	39
PID 2172 wrote to memory of 1540	2172	{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe	39
PID 2172 wrote to memory of 1540	2172	{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe	39
PID 2900 wrote to memory of 2536	2900	{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe	40
PID 2900 wrote to memory of 2536	2900	{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe	40
PID 2900 wrote to memory of 2536	2900	{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe	40
PID 2900 wrote to memory of 2536	2900	{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe	40
PID 2900 wrote to memory of 2556	2900	{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe	41
PID 2900 wrote to memory of 2556	2900	{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe	41
PID 2900 wrote to memory of 2556	2900	{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe	41
PID 2900 wrote to memory of 2556	2900	{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe	41
PID 2536 wrote to memory of 3036	2536	{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe	42
PID 2536 wrote to memory of 3036	2536	{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe	42
PID 2536 wrote to memory of 3036	2536	{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe	42
PID 2536 wrote to memory of 3036	2536	{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe	42
PID 2536 wrote to memory of 2896	2536	{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe	43
PID 2536 wrote to memory of 2896	2536	{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe	43
PID 2536 wrote to memory of 2896	2536	{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe	43
PID 2536 wrote to memory of 2896	2536	{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe	43
PID 3036 wrote to memory of 1792	3036	{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe	44
PID 3036 wrote to memory of 1792	3036	{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe	44
PID 3036 wrote to memory of 1792	3036	{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe	44
PID 3036 wrote to memory of 1792	3036	{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe	44
PID 3036 wrote to memory of 2200	3036	{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe	45
PID 3036 wrote to memory of 2200	3036	{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe	45
PID 3036 wrote to memory of 2200	3036	{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe	45
PID 3036 wrote to memory of 2200	3036	{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe	45

C:\Users\Admin\AppData\Local\Temp\56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534.exe
"C:\Users\Admin\AppData\Local\Temp\56f107a77c28967437c8362a451eaf74c5fcff0205fc694ccbfcad5afe54d534.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe
  C:\Windows\{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\{16BD0050-798E-4e3f-99C4-5483800BD039}.exe
    C:\Windows\{16BD0050-798E-4e3f-99C4-5483800BD039}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe
      C:\Windows\{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe
        
        C:\Windows\{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe
        
        C:\Windows\{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe
        
        C:\Windows\{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe
        
        C:\Windows\{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\{7001A078-607A-4b2d-87AA-1EE9C51B1C3C}.exe
        
        C:\Windows\{7001A078-607A-4b2d-87AA-1EE9C51B1C3C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\{F79032E2-788B-44ab-BDA7-CE2FA57AF207}.exe
        
        C:\Windows\{F79032E2-788B-44ab-BDA7-CE2FA57AF207}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\{FE2FF663-FD25-4926-98D8-EB78D073C328}.exe
        
        C:\Windows\{FE2FF663-FD25-4926-98D8-EB78D073C328}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\{6C56C6BC-4611-4f31-8BC2-E74ABCE2E621}.exe
        
        C:\Windows\{6C56C6BC-4611-4f31-8BC2-E74ABCE2E621}.exe
        12⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE2FF~1.EXE > nul
        12⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7903~1.EXE > nul
        11⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7001A~1.EXE > nul
        10⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24CCD~1.EXE > nul
        9⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0F7A~1.EXE > nul
        8⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{720F3~1.EXE > nul
        7⤵
        
        PID:2556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{736F5~1.EXE > nul
        6⤵
        
        PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D86BC~1.EXE > nul
        5⤵
        
        PID:2136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{16BD0~1.EXE > nul
      4⤵
      PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{888A8~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\56F107~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16BD0050-798E-4e3f-99C4-5483800BD039}.exe

Filesize
60KB

MD5
2e69e64298f5e80732464ee486139dfb

SHA1
bdb3ebf163e62b3515bd371ed5140111566ccbd5

SHA256
a3db03989aa37cb3226849224c82f34f3e48d6f2cb95e68c3c191cc9237dd2c9

SHA512
cfc6f6a86adb29243c1b0f9a75d3ffbe315a5e045797e772a4cf1b92ce2d0717a1f40c0862ff76ce70ceb49a1de6b6769a4b3f99df9fd003a1a7575f2f21c4a1

Download Submit
C:\Windows\{24CCDB98-4547-4698-91AF-5A1337EDA373}.exe

Filesize
60KB

MD5
293d81d885fdcd6d2076628650009e63

SHA1
aa3cb7b2e73f83cdf4c02047b1dcc062238a6fe9

SHA256
46fb48f52fdf41d55df60dd2d160fde3385167a9f35972f0bf01b57de1b01c92

SHA512
48d9b56e2efc3e4a4b73b4ea2041b0dae13c562ab62dbedce48074f00f0e069ebc0c0fc695b9d5d660beaaf229c2aab5d2ed51730b53f916a0b3c6214df24fca

Download Submit
C:\Windows\{6C56C6BC-4611-4f31-8BC2-E74ABCE2E621}.exe

Filesize
60KB

MD5
9fea28a8fdfef5b21ef2acccb67c920a

SHA1
0349c95dbd26a9fbb5770f918ad314df6cca0235

SHA256
044c40a06bac0a1397daa22069f588f094de3468b478dc5cdffc81ae787ad4b5

SHA512
65cafb60db65c5389e699b897dd1b0d5131c272d45e14d63f033fac93b7c7519bd0ed2e7405464567d8e0f30e8308546b62136fd0df6b2ff814a7299c7231e61

Download Submit
C:\Windows\{7001A078-607A-4b2d-87AA-1EE9C51B1C3C}.exe

Filesize
60KB

MD5
c083e7b9933eaeec6dfd6320776a2308

SHA1
a92412cb6e63f55c19c9fd4680b7185c63540b6b

SHA256
0dbcb666c0e9c23967ecf47c28b5ac8440e164efee74bf48fe35fa2665bcee0b

SHA512
5225f890d41ace3f2da26f53041667449b6251561570661928f3ea7bdf1be7572614f6600866d2f2c12db92b0b910f6dfaed6003112de89d8b7dbefda23b2fa0

Download Submit
C:\Windows\{720F3F19-8A05-4f76-9247-17038CCD76A9}.exe

Filesize
60KB

MD5
f4c9eea185e1aba7991201c30b7ad42b

SHA1
8b45f808fd08972ce9e82223227a4b1d81757c5b

SHA256
4c6e46c68942156bb80710448a0694abc1477d3db5c7375ac7c8874e1b3397b3

SHA512
755c870755aedeefea2fc29762e7bcead3dcfbd67cedb0ff86a670a435e9da7203d01a3aa1e344528495fe97d161f832dbf1695ffca5021e77542936916d3e73

Download Submit
C:\Windows\{736F54A6-6408-4807-B5A3-53B60B578A5C}.exe

Filesize
60KB

MD5
0b33ec11cad63886bc82f0346bcf8159

SHA1
39f51aaf5f5759db01224815d6bd75ec0cc0c4cd

SHA256
9f61b74d967c4d5f909ecd78631c650df14a17de7dccad48c97d0cc3016b2f75

SHA512
c24d01341084af15049969df4f9585de319651dc8555ad3d7a099348adf0725ad829a5afe6f801a42daa822af788019b08aab95fcd2bfdfebaa02af40dbf9de1

Download Submit
C:\Windows\{888A8BF2-1EA5-4f5c-B2A8-93146F557A4D}.exe

Filesize
60KB

MD5
b3af770b98dacfb722da945aad1a7330

SHA1
57b1839cf2ecf859b77d0b6f819b6b0d9cd50a9d

SHA256
766ea9338c77139d2d36cef18c1767eafcf295d6c3e6ff13bbe3e71c50ce2542

SHA512
c091143131af0b55a3ed4121a0ea91d7647857ca0dbdda82a8fa2851b87fbd4c1e688437855db8a20793ed797af88b4d7ce6c55f3641b339a807ba5e24967454

Download Submit
C:\Windows\{D86BCD5E-62AE-4e81-AD64-2A5C30B60227}.exe

Filesize
60KB

MD5
fcc36b4a656091ddbcc94eea9428f5ae

SHA1
def02d9bd892d91dd12f82a37275ff2a4ce9b098

SHA256
68b1927e7dd9160a8d782c3f26d30f8b6d7867942f748fff00211a1ef50aa752

SHA512
033a1d609dbfc9e6d097a48e3d5a86ec3d026630a7de17a808c3dd83006db62e870568c3772e4065fcb2dae9814c4822d59fae60d4a12141c7c96d17b36d2070

Download Submit
C:\Windows\{F0F7AF6A-409B-4f73-B32C-D9A6C59132C7}.exe

Filesize
60KB

MD5
cb92abcc0091303a240a12e7b20b55c2

SHA1
9e064bbe884dcdc55d03c71ad1c580e7123a0081

SHA256
387c8dc4f7bec490a477874a906a00a222751fe2227566bf9069b5232b199b89

SHA512
d9ad4bba132af1eef0834743f3fb61578583682699616fe6e186372a4ca0b287814f7ba4d3f6645648de191b28bc1546926e47abf327edbd45de2d2b14c3c39d

Download Submit
C:\Windows\{F79032E2-788B-44ab-BDA7-CE2FA57AF207}.exe

Filesize
60KB

MD5
e2d6ffe9aa8ab48fe0e38ba935aecb7c

SHA1
6767521a66fbd3956d87c765327f8d1bf5ea1ec8

SHA256
1c05c75b3aa979ebb75dde21aa693d96ab4b13998f2bfd3e6a3d577464ea2c45

SHA512
10e1605e2faee900d2c4248389723015fa042185aa6868f723cbf5134647d6df36e012dc2df6306d5be2ada7fc9e6884695832d0360d03d73282096cea89e611

Download Submit
C:\Windows\{FE2FF663-FD25-4926-98D8-EB78D073C328}.exe

Filesize
60KB

MD5
07af7da240a713b4db9430b231565b9d

SHA1
7fd1c53099e865c18806b3da7f0969b47ebffe97

SHA256
d30a997d45b335030db91340710e12cb14359943bcbd22de3a18a96b1bd36fcd

SHA512
6912ebfa3ab5be6f768d723fb1a6d30e3f2b395825681cc5781519f7976fdb845b3099d63639e43e2a909862933ef34b4666a84943e6ca1e27aff773845110a2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads