a597ce260fd134394cf4fd1e2550db5f69f31afbec67296c37b8bee90fa90161

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 02:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

56389de1f15f32b25323914f7bd85c90.exe
Size

98KB
MD5

56389de1f15f32b25323914f7bd85c90
SHA1

e82eaebb883e9b227ab2a534e9b1cd1c6d2a1ae0
SHA256

a597ce260fd134394cf4fd1e2550db5f69f31afbec67296c37b8bee90fa90161
SHA512

18fad97a6253c9792936dccd996e158d0eece4f5a12faa4e623ec1c276b0697cbe90a745b8ea576cd883e41bb7d1d9303c0ac35fe7037105fae49cab2452dd1b
SSDEEP

768:5vw981UMhKQLros4/wQ4pNrfrunMxVFA3b7glw6:lEG00osl3zunMxVS3Hgl

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}\stubpath = "C:\\Windows\\{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe"	{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E665B76-F343-4ac4-BA9D-7041FA621A6A}	{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}	{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B0966F9-307B-49bb-B55F-B25587656D9D}	{69DE9A22-5366-4da5-9587-3F7679FBBD3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B0966F9-307B-49bb-B55F-B25587656D9D}\stubpath = "C:\\Windows\\{3B0966F9-307B-49bb-B55F-B25587656D9D}.exe"	{69DE9A22-5366-4da5-9587-3F7679FBBD3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}\stubpath = "C:\\Windows\\{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe"	56389de1f15f32b25323914f7bd85c90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}	{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}	{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}	{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69DE9A22-5366-4da5-9587-3F7679FBBD3A}\stubpath = "C:\\Windows\\{69DE9A22-5366-4da5-9587-3F7679FBBD3A}.exe"	{1E6BE170-49DB-4138-80BE-641E67D3FA24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}\stubpath = "C:\\Windows\\{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe"	{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E6BE170-49DB-4138-80BE-641E67D3FA24}	{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E6BE170-49DB-4138-80BE-641E67D3FA24}\stubpath = "C:\\Windows\\{1E6BE170-49DB-4138-80BE-641E67D3FA24}.exe"	{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FC3A3F3-B914-4a1b-B23B-4BAF024126A3}	{3B0966F9-307B-49bb-B55F-B25587656D9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}	56389de1f15f32b25323914f7bd85c90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD98CA52-3C03-4670-A81C-B863A16A13B7}	{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD98CA52-3C03-4670-A81C-B863A16A13B7}\stubpath = "C:\\Windows\\{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe"	{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E665B76-F343-4ac4-BA9D-7041FA621A6A}\stubpath = "C:\\Windows\\{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe"	{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}\stubpath = "C:\\Windows\\{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe"	{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}\stubpath = "C:\\Windows\\{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe"	{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69DE9A22-5366-4da5-9587-3F7679FBBD3A}	{1E6BE170-49DB-4138-80BE-641E67D3FA24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FC3A3F3-B914-4a1b-B23B-4BAF024126A3}\stubpath = "C:\\Windows\\{8FC3A3F3-B914-4a1b-B23B-4BAF024126A3}.exe"	{3B0966F9-307B-49bb-B55F-B25587656D9D}.exe

Deletes itself 1 IoCs

pid	Process
2396	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2064	{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe
2624	{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe
2708	{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe
1908	{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe
2804	{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe
2004	{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe
1196	{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe
1152	{1E6BE170-49DB-4138-80BE-641E67D3FA24}.exe
2328	{69DE9A22-5366-4da5-9587-3F7679FBBD3A}.exe
2388	{3B0966F9-307B-49bb-B55F-B25587656D9D}.exe
1812	{8FC3A3F3-B914-4a1b-B23B-4BAF024126A3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8FC3A3F3-B914-4a1b-B23B-4BAF024126A3}.exe	{3B0966F9-307B-49bb-B55F-B25587656D9D}.exe
File created	C:\Windows\{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe	{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe
File created	C:\Windows\{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe	{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe
File created	C:\Windows\{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe	{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe
File created	C:\Windows\{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe	{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe
File created	C:\Windows\{69DE9A22-5366-4da5-9587-3F7679FBBD3A}.exe	{1E6BE170-49DB-4138-80BE-641E67D3FA24}.exe
File created	C:\Windows\{3B0966F9-307B-49bb-B55F-B25587656D9D}.exe	{69DE9A22-5366-4da5-9587-3F7679FBBD3A}.exe
File created	C:\Windows\{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe	56389de1f15f32b25323914f7bd85c90.exe
File created	C:\Windows\{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe	{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe
File created	C:\Windows\{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe	{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe
File created	C:\Windows\{1E6BE170-49DB-4138-80BE-641E67D3FA24}.exe	{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2104	56389de1f15f32b25323914f7bd85c90.exe
Token: SeIncBasePriorityPrivilege	2064	{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe
Token: SeIncBasePriorityPrivilege	2624	{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe
Token: SeIncBasePriorityPrivilege	2708	{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe
Token: SeIncBasePriorityPrivilege	1908	{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe
Token: SeIncBasePriorityPrivilege	2804	{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe
Token: SeIncBasePriorityPrivilege	2004	{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe
Token: SeIncBasePriorityPrivilege	1196	{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe
Token: SeIncBasePriorityPrivilege	1152	{1E6BE170-49DB-4138-80BE-641E67D3FA24}.exe
Token: SeIncBasePriorityPrivilege	2328	{69DE9A22-5366-4da5-9587-3F7679FBBD3A}.exe
Token: SeIncBasePriorityPrivilege	2388	{3B0966F9-307B-49bb-B55F-B25587656D9D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2064	2104	56389de1f15f32b25323914f7bd85c90.exe	28
PID 2104 wrote to memory of 2064	2104	56389de1f15f32b25323914f7bd85c90.exe	28
PID 2104 wrote to memory of 2064	2104	56389de1f15f32b25323914f7bd85c90.exe	28
PID 2104 wrote to memory of 2064	2104	56389de1f15f32b25323914f7bd85c90.exe	28
PID 2104 wrote to memory of 2396	2104	56389de1f15f32b25323914f7bd85c90.exe	29
PID 2104 wrote to memory of 2396	2104	56389de1f15f32b25323914f7bd85c90.exe	29
PID 2104 wrote to memory of 2396	2104	56389de1f15f32b25323914f7bd85c90.exe	29
PID 2104 wrote to memory of 2396	2104	56389de1f15f32b25323914f7bd85c90.exe	29
PID 2064 wrote to memory of 2624	2064	{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe	30
PID 2064 wrote to memory of 2624	2064	{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe	30
PID 2064 wrote to memory of 2624	2064	{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe	30
PID 2064 wrote to memory of 2624	2064	{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe	30
PID 2064 wrote to memory of 2352	2064	{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe	31
PID 2064 wrote to memory of 2352	2064	{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe	31
PID 2064 wrote to memory of 2352	2064	{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe	31
PID 2064 wrote to memory of 2352	2064	{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe	31
PID 2624 wrote to memory of 2708	2624	{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe	32
PID 2624 wrote to memory of 2708	2624	{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe	32
PID 2624 wrote to memory of 2708	2624	{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe	32
PID 2624 wrote to memory of 2708	2624	{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe	32
PID 2624 wrote to memory of 2684	2624	{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe	33
PID 2624 wrote to memory of 2684	2624	{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe	33
PID 2624 wrote to memory of 2684	2624	{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe	33
PID 2624 wrote to memory of 2684	2624	{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe	33
PID 2708 wrote to memory of 1908	2708	{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe	36
PID 2708 wrote to memory of 1908	2708	{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe	36
PID 2708 wrote to memory of 1908	2708	{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe	36
PID 2708 wrote to memory of 1908	2708	{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe	36
PID 2708 wrote to memory of 1344	2708	{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe	37
PID 2708 wrote to memory of 1344	2708	{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe	37
PID 2708 wrote to memory of 1344	2708	{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe	37
PID 2708 wrote to memory of 1344	2708	{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe	37
PID 1908 wrote to memory of 2804	1908	{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe	38
PID 1908 wrote to memory of 2804	1908	{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe	38
PID 1908 wrote to memory of 2804	1908	{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe	38
PID 1908 wrote to memory of 2804	1908	{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe	38
PID 1908 wrote to memory of 1300	1908	{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe	39
PID 1908 wrote to memory of 1300	1908	{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe	39
PID 1908 wrote to memory of 1300	1908	{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe	39
PID 1908 wrote to memory of 1300	1908	{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe	39
PID 2804 wrote to memory of 2004	2804	{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe	40
PID 2804 wrote to memory of 2004	2804	{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe	40
PID 2804 wrote to memory of 2004	2804	{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe	40
PID 2804 wrote to memory of 2004	2804	{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe	40
PID 2804 wrote to memory of 836	2804	{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe	41
PID 2804 wrote to memory of 836	2804	{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe	41
PID 2804 wrote to memory of 836	2804	{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe	41
PID 2804 wrote to memory of 836	2804	{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe	41
PID 2004 wrote to memory of 1196	2004	{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe	42
PID 2004 wrote to memory of 1196	2004	{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe	42
PID 2004 wrote to memory of 1196	2004	{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe	42
PID 2004 wrote to memory of 1196	2004	{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe	42
PID 2004 wrote to memory of 2224	2004	{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe	43
PID 2004 wrote to memory of 2224	2004	{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe	43
PID 2004 wrote to memory of 2224	2004	{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe	43
PID 2004 wrote to memory of 2224	2004	{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe	43
PID 1196 wrote to memory of 1152	1196	{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe	44
PID 1196 wrote to memory of 1152	1196	{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe	44
PID 1196 wrote to memory of 1152	1196	{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe	44
PID 1196 wrote to memory of 1152	1196	{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe	44
PID 1196 wrote to memory of 692	1196	{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe	45
PID 1196 wrote to memory of 692	1196	{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe	45
PID 1196 wrote to memory of 692	1196	{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe	45
PID 1196 wrote to memory of 692	1196	{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe	45

C:\Users\Admin\AppData\Local\Temp\56389de1f15f32b25323914f7bd85c90.exe
"C:\Users\Admin\AppData\Local\Temp\56389de1f15f32b25323914f7bd85c90.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe
  C:\Windows\{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe
    C:\Windows\{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe
      C:\Windows\{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe
        
        C:\Windows\{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Windows\{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe
        
        C:\Windows\{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe
        
        C:\Windows\{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe
        
        C:\Windows\{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\{1E6BE170-49DB-4138-80BE-641E67D3FA24}.exe
        
        C:\Windows\{1E6BE170-49DB-4138-80BE-641E67D3FA24}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\Windows\{69DE9A22-5366-4da5-9587-3F7679FBBD3A}.exe
        
        C:\Windows\{69DE9A22-5366-4da5-9587-3F7679FBBD3A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\{3B0966F9-307B-49bb-B55F-B25587656D9D}.exe
        
        C:\Windows\{3B0966F9-307B-49bb-B55F-B25587656D9D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\{8FC3A3F3-B914-4a1b-B23B-4BAF024126A3}.exe
        
        C:\Windows\{8FC3A3F3-B914-4a1b-B23B-4BAF024126A3}.exe
        12⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B096~1.EXE > nul
        12⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69DE9~1.EXE > nul
        11⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E6BE~1.EXE > nul
        10⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABB32~1.EXE > nul
        9⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EDDF~1.EXE > nul
        8⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AA68~1.EXE > nul
        7⤵
        
        PID:836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E665~1.EXE > nul
        6⤵
        
        PID:1300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD98C~1.EXE > nul
        5⤵
        
        PID:1344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{516A1~1.EXE > nul
      4⤵
      PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{385BE~1.EXE > nul
    3⤵
    PID:2352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\56389D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E6BE170-49DB-4138-80BE-641E67D3FA24}.exe

Filesize
98KB

MD5
9f0c194ae7b01af2caa5ae6640c9e12a

SHA1
3d50d20230c6ff556a60275e40b4bae9a5e4cf1b

SHA256
61aa66df8907450d4fb198e128a3dd3eec01dc38179e3857758afdc06fcc4798

SHA512
f1790366ee02b88f8fb3cea1b5cd1a2bd87e4d67059c678b0216f5c05d2708ee3e6b18489f759827490187f1799ad8dc20a097950926c0e7ee574aea9afe86c7

Download Submit
C:\Windows\{1EDDF939-BB7B-4128-AA2D-7D1BE14E2E8B}.exe

Filesize
98KB

MD5
3a61869bfc5fe0a90bcfde2972aa8383

SHA1
058cd70f8b4e100f1b22de7c9df55df1165ab0d4

SHA256
eab718bf66d91006da50f74c39cb09c8bf1563223aed32385c83c1bc984c1824

SHA512
6678ea0e934dc54a0b0f0ec0c0a27bc53cf327b5d88b4d24a88c0a50405987acd5b4e9da56d0e1c45777179dde6af3d63603788ca107a76e9d496d4bfa85df90

Download Submit
C:\Windows\{385BE428-6F0D-4d6c-A61D-D9E9C18C352E}.exe

Filesize
98KB

MD5
a5c05fc21569e56990f0ad956a046e83

SHA1
371da4f99a59affe026e44bc6161729312a65c79

SHA256
5bc9a72ef6c73aa8a51b275c1ffeeeba70c7a0f524f545ec750dbc6bb7f41007

SHA512
4b8650475abf6170945d36ccfd4412aab8babe8cde0158f8406640f46f3e7892485d606436c457e31829e8339875ab9b25e196272263c3a9f295b9a8f3be61f8

Download Submit
C:\Windows\{3B0966F9-307B-49bb-B55F-B25587656D9D}.exe

Filesize
98KB

MD5
cff1373e840658f0eedd98139c8d249f

SHA1
a481a5c454b3b9f595bf67c40d763a852bb262f8

SHA256
adbe63a6252d9640c96e602fd7f15eb3ba5d31fe76583e9698590072bc8c6e1a

SHA512
635205a788cf5e9ee381dbfbaa8bb3141e5e0fcdb1c18aa2e185d11ea35fe309ba5d2f792e7450d38b91e502633b1081941319ed6cef0ed3ca1d2fea901aadb2

Download Submit
C:\Windows\{516A1499-C7D2-40a9-984D-7EBCB0A2AAD1}.exe

Filesize
98KB

MD5
5b05d88e0e17052ed0b2da50ae72e458

SHA1
98b9aa7d554cd27bf006abe166407f3d6a3a8c3c

SHA256
d14210ed88ac8cb8563f2b18af899c655e62ce250ef671083b68c057a74e97b6

SHA512
e4ce0d4eb205f0523aae75a109c77400f218b20cdedf857018f695ae67988e4d96c54bb6db62d672741e7d328cccf1465b8b2b6c0dc73423ab2a59ccd34d0475

Download Submit
C:\Windows\{5AA68C79-95A9-45bd-9F26-9F31B148ACDA}.exe

Filesize
98KB

MD5
a5fffd14355ce60300c94887a9988277

SHA1
180130a81a1c6711b80e9800d822e6c1c63d261b

SHA256
55cd87439da40e867511d3286876a7086ca59482e6a325cc54bff10f1ee95261

SHA512
aae5ee7aa2341a50be4a29826779601a4b0d0e5070c3270dfa97d1b05eb17bb3173e76e7fcca96fa6561a2f149770e395109563a1cdc19a7fef8ec21d35069ae

Download Submit
C:\Windows\{69DE9A22-5366-4da5-9587-3F7679FBBD3A}.exe

Filesize
98KB

MD5
b2375866cef45f79f24b867d40cbdec1

SHA1
7b4fffe06e796ddf91506813d63e28f6c3895291

SHA256
c425b37c9fec831c965bdbe21292fc2f040d9666fd07951c8b48d3f1cbd9f15e

SHA512
2da019498a80099bb22cf328be9da655b507ea10483a3d4f3dc1e4507398a13d962a723f4a69a8a1172265d4220840242deb7ec0f8d00509dcad0dddd1d1270d

Download Submit
C:\Windows\{6E665B76-F343-4ac4-BA9D-7041FA621A6A}.exe

Filesize
98KB

MD5
6d52b165bdc0a246b794a62c412eedde

SHA1
4dd49af16d5ff9924d247ed3d805d5e5fb006074

SHA256
27daba567ce87d3eace0e2e83c8a6755a9ec67c9eedde48228cccb8175386e94

SHA512
f1a8c9c1106c037705077b384cb824159053e359c92a5f0defee858795417e8e08b6f204b0b9c668be5759fb0ce6868fb0efcbcea5718c2c09db612a4c7062e3

Download Submit
C:\Windows\{8FC3A3F3-B914-4a1b-B23B-4BAF024126A3}.exe

Filesize
98KB

MD5
a20816b2097dfd99037e9dbe1b479233

SHA1
1b0459288fa9086a8aec013442e324f912d2d9b0

SHA256
f1cbf353a9b9105f1c265a1b977512324ad0ea6193d7dab1ae78016a5ba4bf72

SHA512
1397a09ce2312a6f8ea949dc8e9979e1b0153547caba9fbefbb6d9281f68cd10553a08fb57bc58de2f33a53882a3d190d64e43a93bc60e2b5572a1821c1ee331

Download Submit
C:\Windows\{ABB32143-48A9-4e69-AA3C-AA37DE43EEA6}.exe

Filesize
98KB

MD5
5829002bbbcf290da26b7f549ff9e935

SHA1
8b8360bc97d942cfe990df6259278a80588a076f

SHA256
75c3a9aae51296093224d7c0996f2671ab4431a8fef21ab7de2f2ecb68f81fdb

SHA512
ff3937180aa25fc41d9a0cddaeae8c588418471b9c4efe846815775aefd5b468cca8a33f54970807419c6cfbf19de52b2941c745c226c3035ac4c410fd668568

Download Submit
C:\Windows\{FD98CA52-3C03-4670-A81C-B863A16A13B7}.exe

Filesize
98KB

MD5
a5f6591fe2bf6cac169fb5300057e751

SHA1
1a57b86c95d58ae193cb0fc55814c9df99b2b07a

SHA256
7c0987efc6db9677ea7c32c4af8c316f2f8bb9905fa8d964f548609600633129

SHA512
5656f033b5a480bd2918bf1245250da45842de27538d436e0bf52d8c0ed6be8c80136e43337181989b94cad6acc303828384bd32635dc65c70fd36913a8cfa80

Download Submit
memory/1152-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1196-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1196-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1908-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1908-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2004-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2004-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2064-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2064-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2104-8-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/2104-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2104-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2104-3-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/2328-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2388-87-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2388-95-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2624-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2624-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2708-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2804-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads