46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a.exe
Size

80KB
MD5

719285b2a1ef8a48e6c2658230ed4ba0
SHA1

09e50b2ef04e7891a38002458aa0cc5018a3afd7
SHA256

46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a
SHA512

860ea6132f33887736de7dc6ff2ae00cdf26a48d148d9f56d636f5907e4f26acf093b90e14b7a5589e29f96f40a5473f0ead5d26b3ec8200f6a06c5cdd795b2e
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroC4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUOV:vvw9816vhKQLroC4/wQRNrfrunMxVFAi

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}	{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}\stubpath = "C:\\Windows\\{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe"	{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0E6DE11-D5E2-48ea-ACB1-921187A64916}\stubpath = "C:\\Windows\\{B0E6DE11-D5E2-48ea-ACB1-921187A64916}.exe"	{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69AB197E-9EA5-46ae-827A-23D1CCDF97DA}	{B0E6DE11-D5E2-48ea-ACB1-921187A64916}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69AB197E-9EA5-46ae-827A-23D1CCDF97DA}\stubpath = "C:\\Windows\\{69AB197E-9EA5-46ae-827A-23D1CCDF97DA}.exe"	{B0E6DE11-D5E2-48ea-ACB1-921187A64916}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{986F9437-D183-4bd4-A746-BB41CB16FACF}\stubpath = "C:\\Windows\\{986F9437-D183-4bd4-A746-BB41CB16FACF}.exe"	{69AB197E-9EA5-46ae-827A-23D1CCDF97DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13642372-1BEF-4214-9B3F-3058D3D2BC5F}\stubpath = "C:\\Windows\\{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe"	46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}\stubpath = "C:\\Windows\\{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe"	{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}	{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}\stubpath = "C:\\Windows\\{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe"	{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13642372-1BEF-4214-9B3F-3058D3D2BC5F}	46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CF15FDB-8755-47dd-A9B8-39D669705F65}	{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}	{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}\stubpath = "C:\\Windows\\{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe"	{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABF3CAE6-0960-446b-9164-95D480D8550D}\stubpath = "C:\\Windows\\{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe"	{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{986F9437-D183-4bd4-A746-BB41CB16FACF}	{69AB197E-9EA5-46ae-827A-23D1CCDF97DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AF80015-2A7B-4b67-BE3B-D6D34B75BCF5}	{986F9437-D183-4bd4-A746-BB41CB16FACF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}	{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CF15FDB-8755-47dd-A9B8-39D669705F65}\stubpath = "C:\\Windows\\{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe"	{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABF3CAE6-0960-446b-9164-95D480D8550D}	{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0E6DE11-D5E2-48ea-ACB1-921187A64916}	{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AF80015-2A7B-4b67-BE3B-D6D34B75BCF5}\stubpath = "C:\\Windows\\{4AF80015-2A7B-4b67-BE3B-D6D34B75BCF5}.exe"	{986F9437-D183-4bd4-A746-BB41CB16FACF}.exe

Deletes itself 1 IoCs

pid	Process
1712	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2796	{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe
2572	{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe
2696	{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe
2484	{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe
1240	{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe
1728	{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe
1260	{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe
2024	{B0E6DE11-D5E2-48ea-ACB1-921187A64916}.exe
2928	{69AB197E-9EA5-46ae-827A-23D1CCDF97DA}.exe
2944	{986F9437-D183-4bd4-A746-BB41CB16FACF}.exe
960	{4AF80015-2A7B-4b67-BE3B-D6D34B75BCF5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{69AB197E-9EA5-46ae-827A-23D1CCDF97DA}.exe	{B0E6DE11-D5E2-48ea-ACB1-921187A64916}.exe
File created	C:\Windows\{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe	46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a.exe
File created	C:\Windows\{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe	{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe
File created	C:\Windows\{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe	{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe
File created	C:\Windows\{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe	{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe
File created	C:\Windows\{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe	{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe
File created	C:\Windows\{B0E6DE11-D5E2-48ea-ACB1-921187A64916}.exe	{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe
File created	C:\Windows\{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe	{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe
File created	C:\Windows\{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe	{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe
File created	C:\Windows\{986F9437-D183-4bd4-A746-BB41CB16FACF}.exe	{69AB197E-9EA5-46ae-827A-23D1CCDF97DA}.exe
File created	C:\Windows\{4AF80015-2A7B-4b67-BE3B-D6D34B75BCF5}.exe	{986F9437-D183-4bd4-A746-BB41CB16FACF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2868	46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a.exe
Token: SeIncBasePriorityPrivilege	2796	{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe
Token: SeIncBasePriorityPrivilege	2572	{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe
Token: SeIncBasePriorityPrivilege	2696	{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe
Token: SeIncBasePriorityPrivilege	2484	{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe
Token: SeIncBasePriorityPrivilege	1240	{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe
Token: SeIncBasePriorityPrivilege	1728	{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe
Token: SeIncBasePriorityPrivilege	1260	{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe
Token: SeIncBasePriorityPrivilege	2024	{B0E6DE11-D5E2-48ea-ACB1-921187A64916}.exe
Token: SeIncBasePriorityPrivilege	2928	{69AB197E-9EA5-46ae-827A-23D1CCDF97DA}.exe
Token: SeIncBasePriorityPrivilege	2944	{986F9437-D183-4bd4-A746-BB41CB16FACF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2796	2868	46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a.exe	28
PID 2868 wrote to memory of 2796	2868	46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a.exe	28
PID 2868 wrote to memory of 2796	2868	46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a.exe	28
PID 2868 wrote to memory of 2796	2868	46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a.exe	28
PID 2868 wrote to memory of 1712	2868	46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a.exe	29
PID 2868 wrote to memory of 1712	2868	46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a.exe	29
PID 2868 wrote to memory of 1712	2868	46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a.exe	29
PID 2868 wrote to memory of 1712	2868	46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a.exe	29
PID 2796 wrote to memory of 2572	2796	{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe	30
PID 2796 wrote to memory of 2572	2796	{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe	30
PID 2796 wrote to memory of 2572	2796	{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe	30
PID 2796 wrote to memory of 2572	2796	{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe	30
PID 2796 wrote to memory of 2648	2796	{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe	31
PID 2796 wrote to memory of 2648	2796	{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe	31
PID 2796 wrote to memory of 2648	2796	{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe	31
PID 2796 wrote to memory of 2648	2796	{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe	31
PID 2572 wrote to memory of 2696	2572	{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe	32
PID 2572 wrote to memory of 2696	2572	{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe	32
PID 2572 wrote to memory of 2696	2572	{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe	32
PID 2572 wrote to memory of 2696	2572	{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe	32
PID 2572 wrote to memory of 2664	2572	{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe	33
PID 2572 wrote to memory of 2664	2572	{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe	33
PID 2572 wrote to memory of 2664	2572	{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe	33
PID 2572 wrote to memory of 2664	2572	{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe	33
PID 2696 wrote to memory of 2484	2696	{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe	36
PID 2696 wrote to memory of 2484	2696	{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe	36
PID 2696 wrote to memory of 2484	2696	{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe	36
PID 2696 wrote to memory of 2484	2696	{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe	36
PID 2696 wrote to memory of 2564	2696	{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe	37
PID 2696 wrote to memory of 2564	2696	{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe	37
PID 2696 wrote to memory of 2564	2696	{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe	37
PID 2696 wrote to memory of 2564	2696	{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe	37
PID 2484 wrote to memory of 1240	2484	{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe	38
PID 2484 wrote to memory of 1240	2484	{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe	38
PID 2484 wrote to memory of 1240	2484	{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe	38
PID 2484 wrote to memory of 1240	2484	{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe	38
PID 2484 wrote to memory of 1396	2484	{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe	39
PID 2484 wrote to memory of 1396	2484	{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe	39
PID 2484 wrote to memory of 1396	2484	{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe	39
PID 2484 wrote to memory of 1396	2484	{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe	39
PID 1240 wrote to memory of 1728	1240	{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe	40
PID 1240 wrote to memory of 1728	1240	{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe	40
PID 1240 wrote to memory of 1728	1240	{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe	40
PID 1240 wrote to memory of 1728	1240	{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe	40
PID 1240 wrote to memory of 612	1240	{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe	41
PID 1240 wrote to memory of 612	1240	{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe	41
PID 1240 wrote to memory of 612	1240	{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe	41
PID 1240 wrote to memory of 612	1240	{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe	41
PID 1728 wrote to memory of 1260	1728	{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe	42
PID 1728 wrote to memory of 1260	1728	{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe	42
PID 1728 wrote to memory of 1260	1728	{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe	42
PID 1728 wrote to memory of 1260	1728	{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe	42
PID 1728 wrote to memory of 2704	1728	{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe	43
PID 1728 wrote to memory of 2704	1728	{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe	43
PID 1728 wrote to memory of 2704	1728	{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe	43
PID 1728 wrote to memory of 2704	1728	{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe	43
PID 1260 wrote to memory of 2024	1260	{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe	44
PID 1260 wrote to memory of 2024	1260	{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe	44
PID 1260 wrote to memory of 2024	1260	{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe	44
PID 1260 wrote to memory of 2024	1260	{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe	44
PID 1260 wrote to memory of 2040	1260	{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe	45
PID 1260 wrote to memory of 2040	1260	{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe	45
PID 1260 wrote to memory of 2040	1260	{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe	45
PID 1260 wrote to memory of 2040	1260	{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe	45

C:\Users\Admin\AppData\Local\Temp\46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a.exe
"C:\Users\Admin\AppData\Local\Temp\46446afe8f89dadd01afde02389c589c18a2c59df936c7cfd91e71a3538b806a.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe
  C:\Windows\{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe
    C:\Windows\{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe
      C:\Windows\{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe
        
        C:\Windows\{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe
        
        C:\Windows\{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe
        
        C:\Windows\{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe
        
        C:\Windows\{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\{B0E6DE11-D5E2-48ea-ACB1-921187A64916}.exe
        
        C:\Windows\{B0E6DE11-D5E2-48ea-ACB1-921187A64916}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{69AB197E-9EA5-46ae-827A-23D1CCDF97DA}.exe
        
        C:\Windows\{69AB197E-9EA5-46ae-827A-23D1CCDF97DA}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\{986F9437-D183-4bd4-A746-BB41CB16FACF}.exe
        
        C:\Windows\{986F9437-D183-4bd4-A746-BB41CB16FACF}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\{4AF80015-2A7B-4b67-BE3B-D6D34B75BCF5}.exe
        
        C:\Windows\{4AF80015-2A7B-4b67-BE3B-D6D34B75BCF5}.exe
        12⤵
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{986F9~1.EXE > nul
        12⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69AB1~1.EXE > nul
        11⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0E6D~1.EXE > nul
        10⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B2F5~1.EXE > nul
        9⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABF3C~1.EXE > nul
        8⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03B71~1.EXE > nul
        7⤵
        
        PID:612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CF15~1.EXE > nul
        6⤵
        
        PID:1396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2D0F~1.EXE > nul
        5⤵
        
        PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9687B~1.EXE > nul
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{13642~1.EXE > nul
    3⤵
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\46446A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03B71CA3-2518-4ac2-9CD8-2DDB6ED37000}.exe

Filesize
80KB

MD5
4552f47b17b4f505d38a7b491e74fba4

SHA1
db87c51ccafc309e5c7f175f8e669a90902fd399

SHA256
2a79ed4ea61891bc0c6157ad3db99667dacf4ff414e5f123f7d70df6ea715364

SHA512
a76cc90c0848074088b90406870dde267cbfea952c9267cb5219a46ff2b5c3a72703ac26244624781e5ce8fbc3d134e63933f4a49f658d63149dfb1f2cc64723

Download Submit
C:\Windows\{13642372-1BEF-4214-9B3F-3058D3D2BC5F}.exe

Filesize
80KB

MD5
e5378926922d387bc99862e46abcb013

SHA1
782b26c4086e2ca3dbf0de81d30e1491de7fc69f

SHA256
ab93e8cdd042e7cf32ea54753d50b93e70c9bef1fee30fa98c6c8a6cf373520f

SHA512
3e8f0bc36d890a9d515000ac66498d7819cdc0a1e68d6f79abb73726249d7f9abf7c85b28d3c80d643bf8920fd9256559d58f43aac68b3a610c302cc7f32574e

Download Submit
C:\Windows\{4AF80015-2A7B-4b67-BE3B-D6D34B75BCF5}.exe

Filesize
80KB

MD5
924f5aa2e878dce45583e9e513b77bd5

SHA1
313aceae2f853b0de84c76806bd348147462d2ea

SHA256
c594ec655f23c69cf8b528b1fcf9fe6543ec136bfad82c69851b83acd849a277

SHA512
7b64348bc8146283de01ea6db5a321b4d1645094170ccbeb41d5d36f0089689c0d4248bbbbf9d9ed71e4149245348c887b43d3c8a7c06797ba66f1ee6ca3fe6f

Download Submit
C:\Windows\{5CF15FDB-8755-47dd-A9B8-39D669705F65}.exe

Filesize
80KB

MD5
28425ad8f889697721e23b4ac1c9841a

SHA1
c2c6e2ed5a6e65cb89acf8b4152104aebc87a942

SHA256
e58d3756d96e5fcfd3ef16fdcd4d5fbcab1f652d7ed024c5af561f1dc00b7525

SHA512
9accd63e334416666b01487c65bda396cb646b4bdd66782bfd40c877735a007ed1f0fd5f29443fd492803dbd0190df6fad90c8bc257fc8b18a9528925b0aa936

Download Submit
C:\Windows\{69AB197E-9EA5-46ae-827A-23D1CCDF97DA}.exe

Filesize
80KB

MD5
ac63ed6a76686a50e1e2470bf248a1c9

SHA1
4ecf1dd6af4aa76bae2f01cfbd7f552aae03ac41

SHA256
8874a2a5ac58469be905b8e203372b3149ca95a7f9db10909b017a06ccf91668

SHA512
55e3d6598b762ccaab1f9c1133c49a648cd5c132879ebe4446b5b2911380b02af78ec7e93877491c8052c526d973bbed15f5a3a8e0ea96e13077c4b7d7a3da7b

Download Submit
C:\Windows\{9687BFE6-05B9-4641-82F1-AFE0E08B97F4}.exe

Filesize
80KB

MD5
0cf4e208fa1c54c4eb5335957a770e7d

SHA1
195561b66f770888be1b346c0f859c93515704e7

SHA256
c66f6271adc29fe51da79ae513fe55506f0669c2fa2201b3a1bff0ed30ae61eb

SHA512
aa88f90dd4823d4c6fb77a91f0849f10e6b4c75b425e2d70d0206312acd9d82be372e840afd1925907be0bb8099c1084afeabeca465abb27b4fb071cba03aa2a

Download Submit
C:\Windows\{986F9437-D183-4bd4-A746-BB41CB16FACF}.exe

Filesize
80KB

MD5
c0845fbe729bb1aecec95f8dfb0ffce0

SHA1
a38060d5fd3afea7ebb51c6685ec1e0e983272c3

SHA256
7a577fb6d6928159ec740034ccd655621ff9cd324cb7a636304b42c5a39cd7cd

SHA512
34a8934c57a908a7d041377d3e2911d35e0a47e6a26b47329ae63d8e6f3e8341a4bd08e56308a27e20addd7f9f156ef57eee6a7b1d1411ac01829703ff03fe2c

Download Submit
C:\Windows\{9B2F5FF6-B7FC-40a9-B7ED-83F28D3FB054}.exe

Filesize
80KB

MD5
51c193a06e0e8e2881d1df3dd488e16c

SHA1
1d3096821aaee07d3f4370c778364208b1eb2fc4

SHA256
c165fe973c0fcdd029e34c2f2e07a4b115dcadab493d3a2f148d126c708c383f

SHA512
869feb9aa29dfdd602b0e0497964b0c227a33325c6f7d1baa28976ebb3af0a350e3d03c81949065c51c5ffbb9682b7e5be2fd2e8ac4d2595527e57b01c1e8aa8

Download Submit
C:\Windows\{A2D0F37F-BECD-4f7d-9320-9F26194F2E75}.exe

Filesize
80KB

MD5
5e8b99597a145f044654c9a22afbab73

SHA1
48702229b28027f90845b450e00e3514402a139e

SHA256
1d3d250faabb34ea368859d429f3f86ca70e2c68dc1b96ef106646c5e504bdab

SHA512
a723a0a2e9b35e33a6d70de72b282a904666679272a60512b998d451ec0291fa68bbb15e51967c84ec6faa63b896062dbaa58bbbe53a450f9973f6b8392c1ed8

Download Submit
C:\Windows\{ABF3CAE6-0960-446b-9164-95D480D8550D}.exe

Filesize
80KB

MD5
361e68376377ec1e8f79630dbd7ee69f

SHA1
6fc4eba0646edcb460a055d24fbe6091001d8f43

SHA256
1cc2d6ed658651bb581a8fc9219228647154eea501e4e6549d0b9767dfe9b63e

SHA512
8eb373e4ed0ce696fedc4886cf4672d8f498d67100483f292987468a0893770e6a3ab2fc381c680d4feddbd5c513c69a9133b28e189a347f458b074590645c78

Download Submit
C:\Windows\{B0E6DE11-D5E2-48ea-ACB1-921187A64916}.exe

Filesize
80KB

MD5
9a7ad349c7bb2ca19771a7ecda8fe853

SHA1
af595b8b39ccdeadbbbddd486be17dc7dca7dd34

SHA256
bae37ae3ac3cbf6dd182acf4315992ea033ffd129cabd2bd7f0dd573d8b6ec4c

SHA512
f70a1b45dd20bb368daac2e546f331e6e3020db59828f4427decdcd6fbed15cd1702b5dfbb3b562500a815b7f3b28c13d7b0c5656c0da75d998826cbd0a4a2aa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads