c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe
Size

60KB
MD5

335970663867f7b3a6223542467e2ccc
SHA1

c67b2052879e5196f91517bf94ffdc6e5b30deb4
SHA256

c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e
SHA512

39f615c50f58dc642cced0c13f0a096c2d3f5b03f6418a559fc73e9af1e9f9a163504bda214c00a9307ff22321e4a1fa4f06f599a5111eeab24571b5a7d3931b
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwiY04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroY4/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67B8559F-0633-4571-97D6-9EF2D36295B7}	{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F920E44D-D07D-471b-A1AC-C7F85F37ECCF}	{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F920E44D-D07D-471b-A1AC-C7F85F37ECCF}\stubpath = "C:\\Windows\\{F920E44D-D07D-471b-A1AC-C7F85F37ECCF}.exe"	{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FDF10B6-D5E2-4d08-8F48-06E3827F70B3}\stubpath = "C:\\Windows\\{8FDF10B6-D5E2-4d08-8F48-06E3827F70B3}.exe"	{F920E44D-D07D-471b-A1AC-C7F85F37ECCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9F9EBDC-A1DE-4d88-AFA9-0F2848134E8F}\stubpath = "C:\\Windows\\{D9F9EBDC-A1DE-4d88-AFA9-0F2848134E8F}.exe"	{8FDF10B6-D5E2-4d08-8F48-06E3827F70B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F94CD086-D9B8-4a9c-A648-CE4DE42F1CF5}\stubpath = "C:\\Windows\\{F94CD086-D9B8-4a9c-A648-CE4DE42F1CF5}.exe"	{D9F9EBDC-A1DE-4d88-AFA9-0F2848134E8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}	{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17852FF5-7F9B-40c9-A473-5AA63169EEB0}\stubpath = "C:\\Windows\\{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe"	{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4762336D-3BFC-45ed-B210-789DF5BD2DE5}	{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F54F9A33-5BD2-472b-B19C-A3409E8CB364}	{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F54F9A33-5BD2-472b-B19C-A3409E8CB364}\stubpath = "C:\\Windows\\{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe"	{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDB6F6CE-870C-4379-95DE-4A0417C0918F}	{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9F9EBDC-A1DE-4d88-AFA9-0F2848134E8F}	{8FDF10B6-D5E2-4d08-8F48-06E3827F70B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}\stubpath = "C:\\Windows\\{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe"	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4762336D-3BFC-45ed-B210-789DF5BD2DE5}\stubpath = "C:\\Windows\\{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe"	{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67B8559F-0633-4571-97D6-9EF2D36295B7}\stubpath = "C:\\Windows\\{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe"	{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FDF10B6-D5E2-4d08-8F48-06E3827F70B3}	{F920E44D-D07D-471b-A1AC-C7F85F37ECCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}\stubpath = "C:\\Windows\\{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe"	{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17852FF5-7F9B-40c9-A473-5AA63169EEB0}	{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDB6F6CE-870C-4379-95DE-4A0417C0918F}\stubpath = "C:\\Windows\\{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe"	{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F94CD086-D9B8-4a9c-A648-CE4DE42F1CF5}	{D9F9EBDC-A1DE-4d88-AFA9-0F2848134E8F}.exe

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2808	{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe
2612	{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe
2500	{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe
2912	{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe
1524	{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe
1788	{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe
1804	{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe
480	{F920E44D-D07D-471b-A1AC-C7F85F37ECCF}.exe
1468	{8FDF10B6-D5E2-4d08-8F48-06E3827F70B3}.exe
2880	{D9F9EBDC-A1DE-4d88-AFA9-0F2848134E8F}.exe
3024	{F94CD086-D9B8-4a9c-A648-CE4DE42F1CF5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8FDF10B6-D5E2-4d08-8F48-06E3827F70B3}.exe	{F920E44D-D07D-471b-A1AC-C7F85F37ECCF}.exe
File created	C:\Windows\{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe	{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe
File created	C:\Windows\{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe	{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe
File created	C:\Windows\{F920E44D-D07D-471b-A1AC-C7F85F37ECCF}.exe	{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe
File created	C:\Windows\{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe	{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe
File created	C:\Windows\{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe	{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe
File created	C:\Windows\{D9F9EBDC-A1DE-4d88-AFA9-0F2848134E8F}.exe	{8FDF10B6-D5E2-4d08-8F48-06E3827F70B3}.exe
File created	C:\Windows\{F94CD086-D9B8-4a9c-A648-CE4DE42F1CF5}.exe	{D9F9EBDC-A1DE-4d88-AFA9-0F2848134E8F}.exe
File created	C:\Windows\{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe
File created	C:\Windows\{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe	{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe
File created	C:\Windows\{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe	{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2084	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe
Token: SeIncBasePriorityPrivilege	2808	{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe
Token: SeIncBasePriorityPrivilege	2612	{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe
Token: SeIncBasePriorityPrivilege	2500	{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe
Token: SeIncBasePriorityPrivilege	2912	{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe
Token: SeIncBasePriorityPrivilege	1524	{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe
Token: SeIncBasePriorityPrivilege	1788	{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe
Token: SeIncBasePriorityPrivilege	1804	{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe
Token: SeIncBasePriorityPrivilege	480	{F920E44D-D07D-471b-A1AC-C7F85F37ECCF}.exe
Token: SeIncBasePriorityPrivilege	1468	{8FDF10B6-D5E2-4d08-8F48-06E3827F70B3}.exe
Token: SeIncBasePriorityPrivilege	2880	{D9F9EBDC-A1DE-4d88-AFA9-0F2848134E8F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2808	2084	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe	28
PID 2084 wrote to memory of 2808	2084	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe	28
PID 2084 wrote to memory of 2808	2084	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe	28
PID 2084 wrote to memory of 2808	2084	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe	28
PID 2084 wrote to memory of 2968	2084	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe	29
PID 2084 wrote to memory of 2968	2084	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe	29
PID 2084 wrote to memory of 2968	2084	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe	29
PID 2084 wrote to memory of 2968	2084	c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe	29
PID 2808 wrote to memory of 2612	2808	{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe	30
PID 2808 wrote to memory of 2612	2808	{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe	30
PID 2808 wrote to memory of 2612	2808	{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe	30
PID 2808 wrote to memory of 2612	2808	{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe	30
PID 2808 wrote to memory of 2696	2808	{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe	31
PID 2808 wrote to memory of 2696	2808	{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe	31
PID 2808 wrote to memory of 2696	2808	{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe	31
PID 2808 wrote to memory of 2696	2808	{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe	31
PID 2612 wrote to memory of 2500	2612	{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe	34
PID 2612 wrote to memory of 2500	2612	{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe	34
PID 2612 wrote to memory of 2500	2612	{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe	34
PID 2612 wrote to memory of 2500	2612	{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe	34
PID 2612 wrote to memory of 2560	2612	{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe	35
PID 2612 wrote to memory of 2560	2612	{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe	35
PID 2612 wrote to memory of 2560	2612	{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe	35
PID 2612 wrote to memory of 2560	2612	{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe	35
PID 2500 wrote to memory of 2912	2500	{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe	36
PID 2500 wrote to memory of 2912	2500	{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe	36
PID 2500 wrote to memory of 2912	2500	{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe	36
PID 2500 wrote to memory of 2912	2500	{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe	36
PID 2500 wrote to memory of 332	2500	{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe	37
PID 2500 wrote to memory of 332	2500	{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe	37
PID 2500 wrote to memory of 332	2500	{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe	37
PID 2500 wrote to memory of 332	2500	{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe	37
PID 2912 wrote to memory of 1524	2912	{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe	38
PID 2912 wrote to memory of 1524	2912	{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe	38
PID 2912 wrote to memory of 1524	2912	{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe	38
PID 2912 wrote to memory of 1524	2912	{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe	38
PID 2912 wrote to memory of 1724	2912	{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe	39
PID 2912 wrote to memory of 1724	2912	{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe	39
PID 2912 wrote to memory of 1724	2912	{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe	39
PID 2912 wrote to memory of 1724	2912	{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe	39
PID 1524 wrote to memory of 1788	1524	{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe	40
PID 1524 wrote to memory of 1788	1524	{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe	40
PID 1524 wrote to memory of 1788	1524	{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe	40
PID 1524 wrote to memory of 1788	1524	{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe	40
PID 1524 wrote to memory of 1684	1524	{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe	41
PID 1524 wrote to memory of 1684	1524	{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe	41
PID 1524 wrote to memory of 1684	1524	{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe	41
PID 1524 wrote to memory of 1684	1524	{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe	41
PID 1788 wrote to memory of 1804	1788	{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe	42
PID 1788 wrote to memory of 1804	1788	{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe	42
PID 1788 wrote to memory of 1804	1788	{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe	42
PID 1788 wrote to memory of 1804	1788	{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe	42
PID 1788 wrote to memory of 2432	1788	{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe	43
PID 1788 wrote to memory of 2432	1788	{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe	43
PID 1788 wrote to memory of 2432	1788	{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe	43
PID 1788 wrote to memory of 2432	1788	{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe	43
PID 1804 wrote to memory of 480	1804	{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe	44
PID 1804 wrote to memory of 480	1804	{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe	44
PID 1804 wrote to memory of 480	1804	{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe	44
PID 1804 wrote to memory of 480	1804	{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe	44
PID 1804 wrote to memory of 1796	1804	{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe	45
PID 1804 wrote to memory of 1796	1804	{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe	45
PID 1804 wrote to memory of 1796	1804	{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe	45
PID 1804 wrote to memory of 1796	1804	{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe	45

C:\Users\Admin\AppData\Local\Temp\c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe
"C:\Users\Admin\AppData\Local\Temp\c6005c2381c40c7d02d389c8aab6cafc9f66c508389627f4d8bc4bf2745e700e.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe
  C:\Windows\{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe
    C:\Windows\{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe
      C:\Windows\{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe
        
        C:\Windows\{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Windows\{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe
        
        C:\Windows\{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe
        
        C:\Windows\{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe
        
        C:\Windows\{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\{F920E44D-D07D-471b-A1AC-C7F85F37ECCF}.exe
        
        C:\Windows\{F920E44D-D07D-471b-A1AC-C7F85F37ECCF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:480
        
        C:\Windows\{8FDF10B6-D5E2-4d08-8F48-06E3827F70B3}.exe
        
        C:\Windows\{8FDF10B6-D5E2-4d08-8F48-06E3827F70B3}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Windows\{D9F9EBDC-A1DE-4d88-AFA9-0F2848134E8F}.exe
        
        C:\Windows\{D9F9EBDC-A1DE-4d88-AFA9-0F2848134E8F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\{F94CD086-D9B8-4a9c-A648-CE4DE42F1CF5}.exe
        
        C:\Windows\{F94CD086-D9B8-4a9c-A648-CE4DE42F1CF5}.exe
        12⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9F9E~1.EXE > nul
        12⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FDF1~1.EXE > nul
        11⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F920E~1.EXE > nul
        10⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67B85~1.EXE > nul
        9⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDB6F~1.EXE > nul
        8⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F54F9~1.EXE > nul
        7⤵
        
        PID:1684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47623~1.EXE > nul
        6⤵
        
        PID:1724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17852~1.EXE > nul
        5⤵
        
        PID:332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4AAD0~1.EXE > nul
      4⤵
      PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{059EB~1.EXE > nul
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C6005C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{059EB7F2-139C-4b92-AD1C-FC5E47505FCB}.exe

Filesize
60KB

MD5
bcf76cb1da117faa0025bc372cbe6594

SHA1
6521eb6dddd9f5294ea5ebdb938312cabfd94a24

SHA256
77a6839a3d29ecc5f01f70b6566649f7620e1955e1eef760a33473bd117e841e

SHA512
6a8021aa4af45af7d1e2f0e47754bff1a1554b96ce5246efb2a3d7a90e5225d95a4350f6713d5e6a54f5283a7503aa1eb6d70ad57509dd0dc6c357f1b0f79f9e

Download Submit
C:\Windows\{17852FF5-7F9B-40c9-A473-5AA63169EEB0}.exe

Filesize
60KB

MD5
384317626ac673f33a48ace6b725978e

SHA1
e558196c43275e8b6fd5598bf583807105353666

SHA256
cb6eae19d8d78e1da5aa4a46253e436c7b63a1ded568f38e7db6a7619455c4d3

SHA512
cf194add814b858e92e41d2c26c5375131700ce85bf587361b2c8f4c5524ff0e321b1585bd74354f089643bc84892d31b57da20703a39eaf10d05e8ad41cde20

Download Submit
C:\Windows\{4762336D-3BFC-45ed-B210-789DF5BD2DE5}.exe

Filesize
60KB

MD5
100c44419e5e9d7e5012d09837c0f76c

SHA1
315366350d0f7ef0405032974b325f184d8236b4

SHA256
3e363077cb8db90a7dc433c517b6087d165119537f81917c671734ad4cdc88a3

SHA512
91c8d8886ec11aa40be2cf2c9f732efd276bd1b664d23e44a1382ab24be411f98b678dff5cadb1a15791281efe07a04f78f349491c50803f982e11593e509143

Download Submit
C:\Windows\{4AAD0D91-EB7A-4652-B8E8-85A7116B982A}.exe

Filesize
60KB

MD5
e0f45f8f44c3ec901895198b70519609

SHA1
dfc315e05a60a1547d791284209965cd2f34b320

SHA256
60c5cd12bcc31d92be089e3c321635c9372384c29c8eac38373044fbea34a9c2

SHA512
de1441e7631e3f90bcf744ebdee620161558043c83b2487f4e8a14c4c286d66e1ec245f73c46e056ded6093c9aadcfea8936676c902639a3bb70bc6dd0be2853

Download Submit
C:\Windows\{67B8559F-0633-4571-97D6-9EF2D36295B7}.exe

Filesize
60KB

MD5
4f4c29ca41120c272c5f69912e3c2e00

SHA1
4cc48bd8cae514629d27a7e4ed53ed4dc6aca2e3

SHA256
3f837b5ef1742fc7ea9bbcd99a4fe375cd217bcecb64f6f7723ac49aeadf3e21

SHA512
39ff823772ef3b81580c39db1e63fcf9d0c26ccfdde3ca4fe9bace24529367a6e4618278de161e18ceb9aba301f245ebdf4403e080a7b19db64d1e94758e02b9

Download Submit
C:\Windows\{8FDF10B6-D5E2-4d08-8F48-06E3827F70B3}.exe

Filesize
60KB

MD5
52d31a9c273192f435dea41a2b8dd3ba

SHA1
9f47f6bc8de3980083f38406a4c889d91c4a17de

SHA256
a0dc587e3144c4e47059aded8e5a8011d7280a318ad7d01b0865e410a07c0841

SHA512
714fdb01e5323b387d351ad1aa0742047b2bf433a7ca1c98333d5bcf9db24a944506fd3b8e30c9d79872981ec387ac260f28f6d8eb8ee2be51e60d01e643f15d

Download Submit
C:\Windows\{BDB6F6CE-870C-4379-95DE-4A0417C0918F}.exe

Filesize
60KB

MD5
3b6a1fcfca353b984bf3f8df7976c919

SHA1
32af5bac5c26b4b4c3ecf22fe77c59195d2d4b8f

SHA256
f4617ea5055ec48d4633425c05fc7979815ce461ae4fda0b08661444ca0f7489

SHA512
e493675929703f4251df9f36383f81fe374bfd1cc52d88231ffc3c90bdc2bd83abc468aa1fe617b7b8e9288832b2a9401e99f18286a1a7b52d7400c787dbc4a5

Download Submit
C:\Windows\{D9F9EBDC-A1DE-4d88-AFA9-0F2848134E8F}.exe

Filesize
60KB

MD5
d38b718dd98564b9e170edeea41f47a0

SHA1
38578c5cb78b4fb78450f018a4f30e4493370509

SHA256
cdcda90a2f2db4cec28018c2244c3e28b154f7b81722b4df993b83faa9a1446b

SHA512
fb659c85dcb0b6a1d452b4634f14386776d368ab231965743abf9630e8bd35beb29ee20a9a62653ac2ed5ec02899aaeb2bcc9b3e79f1228497482325739c4409

Download Submit
C:\Windows\{F54F9A33-5BD2-472b-B19C-A3409E8CB364}.exe

Filesize
60KB

MD5
1c5f4c6153eed80782465184f30a4c9b

SHA1
55bf1be1954810561b66062ae76c6a30738c5925

SHA256
9054c56ae82cd0b8a6d14ef337fe24c2e29a4fb68a844eb75f92f97a7374b89f

SHA512
98bfa35b1c95a99b13ba881eabfe83e7b0f4be92a10caac052cf44f99ea7ac609ad9cad20cb6a8caeacdab7b884640b3ba8af2c7a5b409b24c99fcc2896d2051

Download Submit
C:\Windows\{F920E44D-D07D-471b-A1AC-C7F85F37ECCF}.exe

Filesize
60KB

MD5
fcfc42976ac37f214e130b6b7a48788d

SHA1
1c1fd33b2fcd4095c940f748b090ddb61d7f52ad

SHA256
41a8ea725cfcb9bf4f142305f5c15078e8f6fd604167882f98fbd3c41de5681f

SHA512
715d1fa0d1e4a32de5342b67624c360fe6d422eb4e27ad1cc4c3e17f990149cc39ec277f03b4efc1da916209aa528b0b06baaa21b71870cbecc39dc8b96f9da1

Download Submit
C:\Windows\{F94CD086-D9B8-4a9c-A648-CE4DE42F1CF5}.exe

Filesize
60KB

MD5
075e9ce5dc7f0ce8a95ac1bbdf3e96a3

SHA1
9622f7b741b042bb4b28b1643a7a69c4aba5ccf0

SHA256
c4706c4061a91fdde074aca1e9a64d4ac262576c7f125ccd0e92b3fe793b4de1

SHA512
d970209c06a71348859e743fbd9eb5b255afc3116683d103f181f9addd9e2a99a6b3a4266ba8a377f1430f37a44f6ec6fb122150627d88b273f42763ecd0009c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads