39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 20:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464.exe
Size

168KB
MD5

110513b12011ea1b959b04200b815f12
SHA1

8dfc45ed8c54f0f16c3625561fd35111aee978ca
SHA256

39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464
SHA512

fdc80e08daff58db17bea0d947504e25a7d23cd141237a8364bed4fe15043816d67d386ff018f811b4d0388a96c8107d1285be192876ef0c3cfc14bf4a392773
SSDEEP

192:pbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwH4/CFxyNhoy5t:pbLwOs8AHsc4sMfwhKQLroH4/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5153CB19-57F9-4651-A662-E8DBD74DCC0D}	{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}	{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D538095C-4D93-48dc-BC67-FB1627BE378A}	{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D538095C-4D93-48dc-BC67-FB1627BE378A}\stubpath = "C:\\Windows\\{D538095C-4D93-48dc-BC67-FB1627BE378A}.exe"	{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A80D394-7FFA-4536-82CF-5C43D9EF3D91}\stubpath = "C:\\Windows\\{0A80D394-7FFA-4536-82CF-5C43D9EF3D91}.exe"	{8A1ED354-9DEF-4cdc-B39A-CF317C753E88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}\stubpath = "C:\\Windows\\{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe"	39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCFAA47E-A760-4194-AC34-574E6D0CBB94}\stubpath = "C:\\Windows\\{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe"	{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}	{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB7EC282-7202-427f-A838-738B5E1D1721}\stubpath = "C:\\Windows\\{DB7EC282-7202-427f-A838-738B5E1D1721}.exe"	{0A80D394-7FFA-4536-82CF-5C43D9EF3D91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A1ED354-9DEF-4cdc-B39A-CF317C753E88}	{D538095C-4D93-48dc-BC67-FB1627BE378A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A80D394-7FFA-4536-82CF-5C43D9EF3D91}	{8A1ED354-9DEF-4cdc-B39A-CF317C753E88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}\stubpath = "C:\\Windows\\{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe"	{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}\stubpath = "C:\\Windows\\{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe"	{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3BC810B-F215-4a00-B347-B496AC8D2648}\stubpath = "C:\\Windows\\{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe"	{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB7EC282-7202-427f-A838-738B5E1D1721}	{0A80D394-7FFA-4536-82CF-5C43D9EF3D91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCFAA47E-A760-4194-AC34-574E6D0CBB94}	{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5153CB19-57F9-4651-A662-E8DBD74DCC0D}\stubpath = "C:\\Windows\\{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe"	{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}\stubpath = "C:\\Windows\\{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe"	{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A1ED354-9DEF-4cdc-B39A-CF317C753E88}\stubpath = "C:\\Windows\\{8A1ED354-9DEF-4cdc-B39A-CF317C753E88}.exe"	{D538095C-4D93-48dc-BC67-FB1627BE378A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}	39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}	{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3BC810B-F215-4a00-B347-B496AC8D2648}	{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe

Deletes itself 1 IoCs

pid	Process
2144	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3020	{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe
2748	{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe
2636	{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe
2936	{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe
2612	{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe
1504	{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe
1812	{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe
1184	{D538095C-4D93-48dc-BC67-FB1627BE378A}.exe
1760	{8A1ED354-9DEF-4cdc-B39A-CF317C753E88}.exe
2140	{0A80D394-7FFA-4536-82CF-5C43D9EF3D91}.exe
596	{DB7EC282-7202-427f-A838-738B5E1D1721}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe	{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe
File created	C:\Windows\{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe	{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe
File created	C:\Windows\{0A80D394-7FFA-4536-82CF-5C43D9EF3D91}.exe	{8A1ED354-9DEF-4cdc-B39A-CF317C753E88}.exe
File created	C:\Windows\{DB7EC282-7202-427f-A838-738B5E1D1721}.exe	{0A80D394-7FFA-4536-82CF-5C43D9EF3D91}.exe
File created	C:\Windows\{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe	{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe
File created	C:\Windows\{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe	{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe
File created	C:\Windows\{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe	{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe
File created	C:\Windows\{D538095C-4D93-48dc-BC67-FB1627BE378A}.exe	{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe
File created	C:\Windows\{8A1ED354-9DEF-4cdc-B39A-CF317C753E88}.exe	{D538095C-4D93-48dc-BC67-FB1627BE378A}.exe
File created	C:\Windows\{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe	39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464.exe
File created	C:\Windows\{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe	{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2716	39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464.exe
Token: SeIncBasePriorityPrivilege	3020	{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe
Token: SeIncBasePriorityPrivilege	2748	{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe
Token: SeIncBasePriorityPrivilege	2636	{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe
Token: SeIncBasePriorityPrivilege	2936	{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe
Token: SeIncBasePriorityPrivilege	2612	{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe
Token: SeIncBasePriorityPrivilege	1504	{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe
Token: SeIncBasePriorityPrivilege	1812	{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe
Token: SeIncBasePriorityPrivilege	1184	{D538095C-4D93-48dc-BC67-FB1627BE378A}.exe
Token: SeIncBasePriorityPrivilege	1760	{8A1ED354-9DEF-4cdc-B39A-CF317C753E88}.exe
Token: SeIncBasePriorityPrivilege	2140	{0A80D394-7FFA-4536-82CF-5C43D9EF3D91}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 3020	2716	39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464.exe	28
PID 2716 wrote to memory of 3020	2716	39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464.exe	28
PID 2716 wrote to memory of 3020	2716	39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464.exe	28
PID 2716 wrote to memory of 3020	2716	39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464.exe	28
PID 2716 wrote to memory of 2144	2716	39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464.exe	29
PID 2716 wrote to memory of 2144	2716	39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464.exe	29
PID 2716 wrote to memory of 2144	2716	39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464.exe	29
PID 2716 wrote to memory of 2144	2716	39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464.exe	29
PID 3020 wrote to memory of 2748	3020	{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe	30
PID 3020 wrote to memory of 2748	3020	{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe	30
PID 3020 wrote to memory of 2748	3020	{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe	30
PID 3020 wrote to memory of 2748	3020	{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe	30
PID 3020 wrote to memory of 2056	3020	{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe	31
PID 3020 wrote to memory of 2056	3020	{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe	31
PID 3020 wrote to memory of 2056	3020	{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe	31
PID 3020 wrote to memory of 2056	3020	{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe	31
PID 2748 wrote to memory of 2636	2748	{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe	32
PID 2748 wrote to memory of 2636	2748	{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe	32
PID 2748 wrote to memory of 2636	2748	{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe	32
PID 2748 wrote to memory of 2636	2748	{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe	32
PID 2748 wrote to memory of 2828	2748	{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe	33
PID 2748 wrote to memory of 2828	2748	{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe	33
PID 2748 wrote to memory of 2828	2748	{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe	33
PID 2748 wrote to memory of 2828	2748	{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe	33
PID 2636 wrote to memory of 2936	2636	{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe	36
PID 2636 wrote to memory of 2936	2636	{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe	36
PID 2636 wrote to memory of 2936	2636	{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe	36
PID 2636 wrote to memory of 2936	2636	{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe	36
PID 2636 wrote to memory of 2188	2636	{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe	37
PID 2636 wrote to memory of 2188	2636	{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe	37
PID 2636 wrote to memory of 2188	2636	{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe	37
PID 2636 wrote to memory of 2188	2636	{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe	37
PID 2936 wrote to memory of 2612	2936	{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe	38
PID 2936 wrote to memory of 2612	2936	{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe	38
PID 2936 wrote to memory of 2612	2936	{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe	38
PID 2936 wrote to memory of 2612	2936	{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe	38
PID 2936 wrote to memory of 2832	2936	{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe	39
PID 2936 wrote to memory of 2832	2936	{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe	39
PID 2936 wrote to memory of 2832	2936	{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe	39
PID 2936 wrote to memory of 2832	2936	{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe	39
PID 2612 wrote to memory of 1504	2612	{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe	40
PID 2612 wrote to memory of 1504	2612	{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe	40
PID 2612 wrote to memory of 1504	2612	{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe	40
PID 2612 wrote to memory of 1504	2612	{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe	40
PID 2612 wrote to memory of 2488	2612	{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe	41
PID 2612 wrote to memory of 2488	2612	{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe	41
PID 2612 wrote to memory of 2488	2612	{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe	41
PID 2612 wrote to memory of 2488	2612	{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe	41
PID 1504 wrote to memory of 1812	1504	{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe	42
PID 1504 wrote to memory of 1812	1504	{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe	42
PID 1504 wrote to memory of 1812	1504	{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe	42
PID 1504 wrote to memory of 1812	1504	{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe	42
PID 1504 wrote to memory of 1844	1504	{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe	43
PID 1504 wrote to memory of 1844	1504	{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe	43
PID 1504 wrote to memory of 1844	1504	{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe	43
PID 1504 wrote to memory of 1844	1504	{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe	43
PID 1812 wrote to memory of 1184	1812	{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe	44
PID 1812 wrote to memory of 1184	1812	{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe	44
PID 1812 wrote to memory of 1184	1812	{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe	44
PID 1812 wrote to memory of 1184	1812	{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe	44
PID 1812 wrote to memory of 1276	1812	{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe	45
PID 1812 wrote to memory of 1276	1812	{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe	45
PID 1812 wrote to memory of 1276	1812	{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe	45
PID 1812 wrote to memory of 1276	1812	{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe	45

C:\Users\Admin\AppData\Local\Temp\39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464.exe
"C:\Users\Admin\AppData\Local\Temp\39f347a4408d82522afdbe78858e80e959bc691185287dbae9c0326b221d3464.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe
  C:\Windows\{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe
    C:\Windows\{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe
      C:\Windows\{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe
        
        C:\Windows\{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe
        
        C:\Windows\{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe
        
        C:\Windows\{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe
        
        C:\Windows\{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{D538095C-4D93-48dc-BC67-FB1627BE378A}.exe
        
        C:\Windows\{D538095C-4D93-48dc-BC67-FB1627BE378A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\{8A1ED354-9DEF-4cdc-B39A-CF317C753E88}.exe
        
        C:\Windows\{8A1ED354-9DEF-4cdc-B39A-CF317C753E88}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\{0A80D394-7FFA-4536-82CF-5C43D9EF3D91}.exe
        
        C:\Windows\{0A80D394-7FFA-4536-82CF-5C43D9EF3D91}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\{DB7EC282-7202-427f-A838-738B5E1D1721}.exe
        
        C:\Windows\{DB7EC282-7202-427f-A838-738B5E1D1721}.exe
        12⤵
        Executes dropped EXE
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A80D~1.EXE > nul
        12⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A1ED~1.EXE > nul
        11⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5380~1.EXE > nul
        10⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3BC8~1.EXE > nul
        9⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C315~1.EXE > nul
        8⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5153C~1.EXE > nul
        7⤵
        
        PID:2488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDD9D~1.EXE > nul
        6⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CB2F~1.EXE > nul
        5⤵
        
        PID:2188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BCFAA~1.EXE > nul
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A7C6E~1.EXE > nul
    3⤵
    PID:2056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\39F347~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A80D394-7FFA-4536-82CF-5C43D9EF3D91}.exe

Filesize
168KB

MD5
cf6c5c23e2eede76d60037043de99b21

SHA1
87388a34d96ab750e14177c2727000c2a0ab0eb2

SHA256
e9ee6d624661137c905dabd0ba64f7f665bf2b0d8a553d960c96ca78243e62f2

SHA512
77fbbd4f7daa86e0666d84b08fb79e940bd843ffb7787ad8283c3191fded1b528cda0e9e5c5e370c7f6e8fcda802e4b4d98026be0cc216ce90512e7f5819c2b6

Download Submit
C:\Windows\{4C315DC2-0887-47ee-A7E5-44F7F1D0ECC9}.exe

Filesize
168KB

MD5
b0bae8f1b0182fefea6968120b7ed23e

SHA1
a97e38aeb180e58d295801151d4fb35ad70b6351

SHA256
39ad42d6de11be7cd2b285b85f7f2cab56fe9ded03a85703950908b7f2b6916a

SHA512
9d6457280547b56982104fdd68d2b0844248c2a1b264ba6b38712d8d35da8c0dd95a08013ecd05d528b5e1a9ed1416a36a4d63661ca00de5691d68f56866f2ba

Download Submit
C:\Windows\{4CB2F61F-3E01-4cd1-BBA4-F41EA94534EE}.exe

Filesize
168KB

MD5
d5d885fc40e5dff9148edd127317c4d8

SHA1
e1b6705c9e90ed64cd4f097a5f29498bf91437c9

SHA256
e49cc9ffdff210d491bb7c33aeb0fbad9066f7ca4c2db0f28af392ef78837d07

SHA512
f55b49d99f19795272dc711e1c91cf63def95edaa25f57ff892fbc0c7dea8b4fb7b02df0e13c9cff46e5c67345974a5648153a3a51c7c7f816be1e5830aa6b13

Download Submit
C:\Windows\{5153CB19-57F9-4651-A662-E8DBD74DCC0D}.exe

Filesize
168KB

MD5
578a024f4bdaadde6984e1aeb7657ace

SHA1
360b661ea668ae4b523813d766a4400085de3727

SHA256
873636eeef17ec7f61e0114578f1ebff1fe15e8e851895727b3ce6fac2e1d0b9

SHA512
80c7a0cd3a2ce67fb0d44dc5cbfada0999aa92e5796b8e377e0d6c5c6ee002216e9171cdb6e4aba188e1b9866d7d1e02735f9643cfdf84b173b05ddf9be109f3

Download Submit
C:\Windows\{8A1ED354-9DEF-4cdc-B39A-CF317C753E88}.exe

Filesize
168KB

MD5
f1ef668a9807db009e9fda2bc44fbb1f

SHA1
a9d275c9c2bbd911da5a1150093063c897b241b5

SHA256
1e33bf10f81aa06611f210a5c386582d7b7cab43b59976770e4e201e593fe01b

SHA512
4104dcab86e71d88e447a535678a7ec64cf9eeefdb81f1f52f510dbd4725a2c5c62b2357fad7fea86e55e1be0a2a8e3e8392f297fb816d79ebc37b055a0a2ad1

Download Submit
C:\Windows\{A7C6E7C6-6BE5-47e0-B040-51481B7E45BB}.exe

Filesize
168KB

MD5
f6ddfa6096fb368942976fa5194189aa

SHA1
3cd5dac709ba28faf97c4157568fbff17424d851

SHA256
dfc26b7783938045980f21ef858fd4f4b1621624cb584cd072ca727625bf7c04

SHA512
24877361da6f81247f4c43ce59208862ae5d32c4d90d9bba2e7f6fdca095472c1306e0c8aeafc2a03495a6a947f047e793d8d0919bf3cb581e327e04cceed505

Download Submit
C:\Windows\{BCFAA47E-A760-4194-AC34-574E6D0CBB94}.exe

Filesize
168KB

MD5
cd62590a28b20932c13823b53e0a0560

SHA1
5e252b39a98d66e5a62f8ef49878b3b7d5749b17

SHA256
22d44e308dad24faf0c8831776b7d55086c82b64bd7448623844b4f94b110454

SHA512
1a07e646a175ca9f0d21858b47de96bd04353c92b5be29bb76068dc05cafb7221346b81e625d5b579159e7f4c233e7b0a48d2aa2bd303c5405a5ca8cea291afb

Download Submit
C:\Windows\{C3BC810B-F215-4a00-B347-B496AC8D2648}.exe

Filesize
168KB

MD5
82aacaffee21d647d8d7e2e13a552d8e

SHA1
b1195a6e8f26f235d27469475a750841d47ab8e1

SHA256
f16c026849643c16245270dff9bc32be40022e224968874db2af4c06daaa1228

SHA512
f88b89f277de013ecb6dbf04dac77b333cdf156adabfbfd6bd6edb75ecf5f7e7d3c816c1118d55b8e12898c9a5345dd928a0e2d86831ef1769706b1e81710075

Download Submit
C:\Windows\{CDD9D2D7-6F62-4283-A06B-70AEF4F9ACA1}.exe

Filesize
168KB

MD5
0986c78f099be71cf07d8e313d1bc04b

SHA1
ec4f79fa352a6317e4a1c2bd97108a8e546682cf

SHA256
a06e086edf11ebb577f2382a4d0fd1f0425c3386dd33fad9b87a20a7fa751bb4

SHA512
19ad172ea674e925276d2be2c921d5bd8aca4009ed0f597243c8303d28037f60f55b1684176bb355d366178b169820ce24e9de57576d4f3075eb42e60207394c

Download Submit
C:\Windows\{D538095C-4D93-48dc-BC67-FB1627BE378A}.exe

Filesize
168KB

MD5
20047e882475ed3014047dc9f1f20f76

SHA1
32f8275586d02d2edc4fe49a78594731a7039634

SHA256
6eaefcabda0a36204eae34aca8e8c58042f788e4c069406930819ab7be20febe

SHA512
0e24743ea4eafb436b505a4a5b2d76fe0550a4399ac5595dec840fca4614cc3ec6a7be00d5173382156519b461bb093496b2ea0ca15b1a10cccf9ec16ee0645f

Download Submit
C:\Windows\{DB7EC282-7202-427f-A838-738B5E1D1721}.exe

Filesize
168KB

MD5
22c770579403c33f441d2c2b64c2abf6

SHA1
1e6351183b23ac0d128599f12fe8167a42330ef8

SHA256
a8b885e2c26b9094511b146c841cb4620a07ed24df8d5e7a887a464cc544dc41

SHA512
bc04074c17fc8413b2246595f3db2f54d4080f426b02cca84e414be6aa0dae7e58c74f092d96a3f2de383c7f8e7f8e619f838a1e3fb0cc3c99b64c16176b3592

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads