4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15.exe
Size

76KB
MD5

f66f8d89bb846fc2f6ae55d547fe76ed
SHA1

cafc75fe445e319e31ff17de872fd06ce842f44f
SHA256

4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15
SHA512

08a701e3f5ffefddd0852a94fb7e0842f2abecf3ebf5a3ae34900236618e040e15e217364080a19706488fe826e7619d780c24c21b2a40124716a2d145c9c62d
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLro834/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwU1:vvw9816vhKQLro834/wQRNrfrunMxVD

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}	{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{602954A1-5309-4cd5-A6A2-F8EFA9493773}	{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}\stubpath = "C:\\Windows\\{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe"	4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFD20165-95B6-417f-8576-5C24C759EE96}\stubpath = "C:\\Windows\\{BFD20165-95B6-417f-8576-5C24C759EE96}.exe"	{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}	{BFD20165-95B6-417f-8576-5C24C759EE96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC5592FC-C599-427f-9B53-7C3A1DB343CC}\stubpath = "C:\\Windows\\{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe"	{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64837B9B-107C-49be-A885-936AAD7CAFF0}\stubpath = "C:\\Windows\\{64837B9B-107C-49be-A885-936AAD7CAFF0}.exe"	{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0B33AF5-5196-4e10-9240-B9DC1473D0C2}	{64837B9B-107C-49be-A885-936AAD7CAFF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0B33AF5-5196-4e10-9240-B9DC1473D0C2}\stubpath = "C:\\Windows\\{A0B33AF5-5196-4e10-9240-B9DC1473D0C2}.exe"	{64837B9B-107C-49be-A885-936AAD7CAFF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F22F2E86-5247-43b0-BA49-79F75D7F576E}	{A0B33AF5-5196-4e10-9240-B9DC1473D0C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFD20165-95B6-417f-8576-5C24C759EE96}	{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}\stubpath = "C:\\Windows\\{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe"	{BFD20165-95B6-417f-8576-5C24C759EE96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC5592FC-C599-427f-9B53-7C3A1DB343CC}	{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F22F2E86-5247-43b0-BA49-79F75D7F576E}\stubpath = "C:\\Windows\\{F22F2E86-5247-43b0-BA49-79F75D7F576E}.exe"	{A0B33AF5-5196-4e10-9240-B9DC1473D0C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87137FAF-3372-4c6c-95F1-29F52CFB98F3}\stubpath = "C:\\Windows\\{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe"	{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64837B9B-107C-49be-A885-936AAD7CAFF0}	{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B16E5E89-F27D-4fe7-9EF6-44F522AC3A26}	{F22F2E86-5247-43b0-BA49-79F75D7F576E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}	4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}\stubpath = "C:\\Windows\\{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe"	{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87137FAF-3372-4c6c-95F1-29F52CFB98F3}	{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{602954A1-5309-4cd5-A6A2-F8EFA9493773}\stubpath = "C:\\Windows\\{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe"	{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B16E5E89-F27D-4fe7-9EF6-44F522AC3A26}\stubpath = "C:\\Windows\\{B16E5E89-F27D-4fe7-9EF6-44F522AC3A26}.exe"	{F22F2E86-5247-43b0-BA49-79F75D7F576E}.exe

Deletes itself 1 IoCs

pid	Process
604	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2424	{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe
2696	{BFD20165-95B6-417f-8576-5C24C759EE96}.exe
2676	{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe
2304	{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe
432	{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe
360	{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe
2244	{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe
936	{64837B9B-107C-49be-A885-936AAD7CAFF0}.exe
2860	{A0B33AF5-5196-4e10-9240-B9DC1473D0C2}.exe
1656	{F22F2E86-5247-43b0-BA49-79F75D7F576E}.exe
2104	{B16E5E89-F27D-4fe7-9EF6-44F522AC3A26}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe	4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15.exe
File created	C:\Windows\{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe	{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe
File created	C:\Windows\{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe	{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe
File created	C:\Windows\{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe	{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe
File created	C:\Windows\{F22F2E86-5247-43b0-BA49-79F75D7F576E}.exe	{A0B33AF5-5196-4e10-9240-B9DC1473D0C2}.exe
File created	C:\Windows\{BFD20165-95B6-417f-8576-5C24C759EE96}.exe	{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe
File created	C:\Windows\{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe	{BFD20165-95B6-417f-8576-5C24C759EE96}.exe
File created	C:\Windows\{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe	{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe
File created	C:\Windows\{64837B9B-107C-49be-A885-936AAD7CAFF0}.exe	{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe
File created	C:\Windows\{A0B33AF5-5196-4e10-9240-B9DC1473D0C2}.exe	{64837B9B-107C-49be-A885-936AAD7CAFF0}.exe
File created	C:\Windows\{B16E5E89-F27D-4fe7-9EF6-44F522AC3A26}.exe	{F22F2E86-5247-43b0-BA49-79F75D7F576E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2200	4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15.exe
Token: SeIncBasePriorityPrivilege	2424	{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe
Token: SeIncBasePriorityPrivilege	2696	{BFD20165-95B6-417f-8576-5C24C759EE96}.exe
Token: SeIncBasePriorityPrivilege	2676	{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe
Token: SeIncBasePriorityPrivilege	2304	{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe
Token: SeIncBasePriorityPrivilege	432	{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe
Token: SeIncBasePriorityPrivilege	360	{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe
Token: SeIncBasePriorityPrivilege	2244	{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe
Token: SeIncBasePriorityPrivilege	936	{64837B9B-107C-49be-A885-936AAD7CAFF0}.exe
Token: SeIncBasePriorityPrivilege	2860	{A0B33AF5-5196-4e10-9240-B9DC1473D0C2}.exe
Token: SeIncBasePriorityPrivilege	1656	{F22F2E86-5247-43b0-BA49-79F75D7F576E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2424	2200	4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15.exe	28
PID 2200 wrote to memory of 2424	2200	4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15.exe	28
PID 2200 wrote to memory of 2424	2200	4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15.exe	28
PID 2200 wrote to memory of 2424	2200	4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15.exe	28
PID 2200 wrote to memory of 604	2200	4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15.exe	29
PID 2200 wrote to memory of 604	2200	4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15.exe	29
PID 2200 wrote to memory of 604	2200	4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15.exe	29
PID 2200 wrote to memory of 604	2200	4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15.exe	29
PID 2424 wrote to memory of 2696	2424	{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe	30
PID 2424 wrote to memory of 2696	2424	{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe	30
PID 2424 wrote to memory of 2696	2424	{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe	30
PID 2424 wrote to memory of 2696	2424	{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe	30
PID 2424 wrote to memory of 2632	2424	{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe	31
PID 2424 wrote to memory of 2632	2424	{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe	31
PID 2424 wrote to memory of 2632	2424	{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe	31
PID 2424 wrote to memory of 2632	2424	{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe	31
PID 2696 wrote to memory of 2676	2696	{BFD20165-95B6-417f-8576-5C24C759EE96}.exe	34
PID 2696 wrote to memory of 2676	2696	{BFD20165-95B6-417f-8576-5C24C759EE96}.exe	34
PID 2696 wrote to memory of 2676	2696	{BFD20165-95B6-417f-8576-5C24C759EE96}.exe	34
PID 2696 wrote to memory of 2676	2696	{BFD20165-95B6-417f-8576-5C24C759EE96}.exe	34
PID 2696 wrote to memory of 2496	2696	{BFD20165-95B6-417f-8576-5C24C759EE96}.exe	35
PID 2696 wrote to memory of 2496	2696	{BFD20165-95B6-417f-8576-5C24C759EE96}.exe	35
PID 2696 wrote to memory of 2496	2696	{BFD20165-95B6-417f-8576-5C24C759EE96}.exe	35
PID 2696 wrote to memory of 2496	2696	{BFD20165-95B6-417f-8576-5C24C759EE96}.exe	35
PID 2676 wrote to memory of 2304	2676	{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe	36
PID 2676 wrote to memory of 2304	2676	{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe	36
PID 2676 wrote to memory of 2304	2676	{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe	36
PID 2676 wrote to memory of 2304	2676	{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe	36
PID 2676 wrote to memory of 836	2676	{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe	37
PID 2676 wrote to memory of 836	2676	{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe	37
PID 2676 wrote to memory of 836	2676	{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe	37
PID 2676 wrote to memory of 836	2676	{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe	37
PID 2304 wrote to memory of 432	2304	{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe	38
PID 2304 wrote to memory of 432	2304	{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe	38
PID 2304 wrote to memory of 432	2304	{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe	38
PID 2304 wrote to memory of 432	2304	{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe	38
PID 2304 wrote to memory of 2840	2304	{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe	39
PID 2304 wrote to memory of 2840	2304	{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe	39
PID 2304 wrote to memory of 2840	2304	{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe	39
PID 2304 wrote to memory of 2840	2304	{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe	39
PID 432 wrote to memory of 360	432	{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe	40
PID 432 wrote to memory of 360	432	{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe	40
PID 432 wrote to memory of 360	432	{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe	40
PID 432 wrote to memory of 360	432	{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe	40
PID 432 wrote to memory of 2864	432	{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe	41
PID 432 wrote to memory of 2864	432	{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe	41
PID 432 wrote to memory of 2864	432	{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe	41
PID 432 wrote to memory of 2864	432	{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe	41
PID 360 wrote to memory of 2244	360	{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe	42
PID 360 wrote to memory of 2244	360	{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe	42
PID 360 wrote to memory of 2244	360	{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe	42
PID 360 wrote to memory of 2244	360	{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe	42
PID 360 wrote to memory of 1984	360	{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe	43
PID 360 wrote to memory of 1984	360	{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe	43
PID 360 wrote to memory of 1984	360	{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe	43
PID 360 wrote to memory of 1984	360	{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe	43
PID 2244 wrote to memory of 936	2244	{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe	44
PID 2244 wrote to memory of 936	2244	{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe	44
PID 2244 wrote to memory of 936	2244	{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe	44
PID 2244 wrote to memory of 936	2244	{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe	44
PID 2244 wrote to memory of 2728	2244	{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe	45
PID 2244 wrote to memory of 2728	2244	{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe	45
PID 2244 wrote to memory of 2728	2244	{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe	45
PID 2244 wrote to memory of 2728	2244	{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe	45

C:\Users\Admin\AppData\Local\Temp\4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15.exe
"C:\Users\Admin\AppData\Local\Temp\4b6c208b2c68996f4a43a86386f2a5f23ba63004b20619e50ec638f5a65b6a15.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe
  C:\Windows\{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\{BFD20165-95B6-417f-8576-5C24C759EE96}.exe
    C:\Windows\{BFD20165-95B6-417f-8576-5C24C759EE96}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe
      C:\Windows\{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe
        
        C:\Windows\{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Windows\{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe
        
        C:\Windows\{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe
        
        C:\Windows\{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:360
        
        C:\Windows\{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe
        
        C:\Windows\{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\{64837B9B-107C-49be-A885-936AAD7CAFF0}.exe
        
        C:\Windows\{64837B9B-107C-49be-A885-936AAD7CAFF0}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\{A0B33AF5-5196-4e10-9240-B9DC1473D0C2}.exe
        
        C:\Windows\{A0B33AF5-5196-4e10-9240-B9DC1473D0C2}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\{F22F2E86-5247-43b0-BA49-79F75D7F576E}.exe
        
        C:\Windows\{F22F2E86-5247-43b0-BA49-79F75D7F576E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\{B16E5E89-F27D-4fe7-9EF6-44F522AC3A26}.exe
        
        C:\Windows\{B16E5E89-F27D-4fe7-9EF6-44F522AC3A26}.exe
        12⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F22F2~1.EXE > nul
        12⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0B33~1.EXE > nul
        11⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64837~1.EXE > nul
        10⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87137~1.EXE > nul
        9⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC559~1.EXE > nul
        8⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60295~1.EXE > nul
        7⤵
        
        PID:2864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA1B8~1.EXE > nul
        6⤵
        
        PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A045C~1.EXE > nul
        5⤵
        
        PID:836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BFD20~1.EXE > nul
      4⤵
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5B456~1.EXE > nul
    3⤵
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4B6C20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5B456B4B-2CCF-4efb-B21D-7A869289EFBE}.exe

Filesize
76KB

MD5
4f1d84334cb5fccd4b866f70f58fbf47

SHA1
e9377d6ba517f5adc2a69fc0b434253d185c2a35

SHA256
025850317df804318102f3de39d23f744bf78b9d6a56aa2f8e16130b8f036447

SHA512
cd29ca90cdee716a7f25326237b92e763f73aa937a489850e296baa2363cce2813555294be35a9e1c364e3caa77548afc10bf47e0b80c710eee9cabdd76fae91

Download Submit
C:\Windows\{602954A1-5309-4cd5-A6A2-F8EFA9493773}.exe

Filesize
76KB

MD5
1376de5a5b40ce8fe97a1b96035c47a9

SHA1
213d49b3ba54e222b33b615603f0d9dd94b9695b

SHA256
e92996a2de2544c5b967dad8d7b2be582c3b25017b014492848c71ba950c3159

SHA512
dce07485480f136f2b05e9928ca8f0e80f56175d8bf7897e63af38067045884c969cebcb818a2e94618424e096a4d1a12c10eb3099879cfd070b2f7260d006c4

Download Submit
C:\Windows\{64837B9B-107C-49be-A885-936AAD7CAFF0}.exe

Filesize
76KB

MD5
e77c7c56e2d7d2ccc626a26164a3b0ff

SHA1
bc7f8cc82404fcb986c602cb113798f1be0e558a

SHA256
11a77c93f7733b4eb5299619416ea28d1e68486f2df18f0def6a28bdf64c7f74

SHA512
631cb422012e9cc30e9412b5bc2ec4be2418be7e6b148486ec4060a70130d22cbd5dd3f7a4fde94eb9b766a0b554508bac4e30e82ab5f1b3913901a020c12639

Download Submit
C:\Windows\{87137FAF-3372-4c6c-95F1-29F52CFB98F3}.exe

Filesize
76KB

MD5
fb72bd86a4c00b3a5c6a15d9f759ec81

SHA1
5eae69a610523d733a9729b1ebcb0bc24a274be6

SHA256
ea44297bb175fc88f530e8e792c39a383d484a3998f797846e1c2d3048eb3001

SHA512
00e957f20a88576fa34559033979e1b61043638a644bf4eb294f3d4e6bf2aa9c8e96a6a6db7e2e040ef44d8f90808782bc67949eaa09da7f5ecee2e36b90279f

Download Submit
C:\Windows\{A045C6F9-58B4-4544-AEEB-75178CB4BDE9}.exe

Filesize
76KB

MD5
c2647b88359f50bca3ae08578f8c13a3

SHA1
5b0671f42e525cbfe6bfb04d6b25aa1c8bf49803

SHA256
5bf226441db916d1e2179e989ac0ad35d66ce8911241f0fa5f30787bfa52b91d

SHA512
c9869a1045596efde0ad63e06c800e93c075823c3ed500c3c2fa7836879cbd3289c8a6bde952d65b2af24bbf8c7700e8934ee518255b090285a7956cb8296651

Download Submit
C:\Windows\{A0B33AF5-5196-4e10-9240-B9DC1473D0C2}.exe

Filesize
76KB

MD5
91a9a92729689d6f3e60d3b7bae943e8

SHA1
3f2c22abf86624aec4424f5a3d3f0f67587b876a

SHA256
fb6b7439722c3f3586d45c884d1777e867cde4b10cbe3dec4eebd3a319368bef

SHA512
499cbe6414242dbddf6f1a399414ed46bfbfb6f2507b1a9c797ed263dda8a32e99243d1c58f7ccf7f819bdbd37f7541f71e2d4b7189a42ea539b3dd435d5a8ae

Download Submit
C:\Windows\{B16E5E89-F27D-4fe7-9EF6-44F522AC3A26}.exe

Filesize
76KB

MD5
20843ce24e249e5927112128d42c2653

SHA1
0448c86c9897bb0de8a7921f5c886cc07e2ad3e3

SHA256
b320c0d8f57d4c0739102b7be1774491f37f7f97ce29707c6ad75d41fbee3dc7

SHA512
b775e553eb5e3659d4c309bd8b3409a1af934642790a9f3f7fbc8f2ad6fcf49ba4a827a26de49ff3f1a014792e5bb06b04fe51cbbf7ab2d7e8544ba417e8e4a5

Download Submit
C:\Windows\{BFD20165-95B6-417f-8576-5C24C759EE96}.exe

Filesize
76KB

MD5
5ac0af0e6982ba043060cfb67ce0f4d6

SHA1
ca1e63ce93a8e67ee5bb526264d444f932c3bd39

SHA256
26f6e99917e6c66898c528e7f000f43c56fe06027daac14ea28de110e5a0f2ac

SHA512
81ca001a12ab04232665d036bc2ad440b77cc4110e3ac11685f7504a4814d576e13988a118d6217bac351e2101d9898396a814a60dc24a3f4756a38482fed9f1

Download Submit
C:\Windows\{CA1B8D62-12AA-43f6-B9DE-76E2C29C42D0}.exe

Filesize
76KB

MD5
10cf3897cc378d3d1635d1feff90ee00

SHA1
8ff04c0d036f5ca7fb1e7c6c5a190e2a96ea5c06

SHA256
b0d57d85560d849e02f3ce205ee93731fac1674389f21b7de686aea2c6a1b239

SHA512
79966e3480bc0b25fa67a037f30a00f02f2c600e63c9b4fe0585b6eb3f5d6dc8b8eb65b4146eab6f74692a21883c26bf5a8b921fca94004f3fe819a24ca56364

Download Submit
C:\Windows\{EC5592FC-C599-427f-9B53-7C3A1DB343CC}.exe

Filesize
76KB

MD5
ebda2b9815c2c5208cc4e9729314a4e4

SHA1
32e09eefd6552e8c1035e9e8ebd77321ef0dfbd5

SHA256
2732142b5bba15f8a6de0bac867ff2d629403bf29274f7ab768c28b22632adda

SHA512
ae7b2d33048c85e755e0a97a09b4be144287e933359ac61442cd951148e90aadbd8c56d767f37f786219af154476731d57cf6f39374f161281cae74339081dc2

Download Submit
C:\Windows\{F22F2E86-5247-43b0-BA49-79F75D7F576E}.exe

Filesize
76KB

MD5
411e0064ef8ca1884a22a9c85ee5cac8

SHA1
0c5f7aa55f6411245f48217687c9a91a16669fdd

SHA256
906efba362783a6a20f21eff4f19460b04f6ffbdaeb3b70ffdd1211e39ddca23

SHA512
5cf849d720a09dc169aefbdb79938f12d16b34c3dbce0a6453abdb91a9624808d64d5fab2fd681ee87ab42cbef7507b624579f6d2b4e0f8370a7ecd796a5eb7f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads