cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe
Size

98KB
MD5

993226698b477deb23492867f3ddd1a0
SHA1

a5ef831a87f3360dacca2bd73a45d9b77031f1f5
SHA256

cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf
SHA512

68f6b27062f354f92f630e03bf001ebb899e4b30868287ca5eb54d4cfb62efd0c78270f1233c58f84a62de1851f2021ae5776fafcad058572d219860ba01a12d
SSDEEP

768:5vw9816thKQLro/4/wQkNrfrunMxVFA3b7glws:lEG/0o/lbunMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA557F04-4D8B-4f0e-924B-4871300626EA}	{BD4CF963-9404-48be-B0BF-FB83495FD1E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA557F04-4D8B-4f0e-924B-4871300626EA}\stubpath = "C:\\Windows\\{DA557F04-4D8B-4f0e-924B-4871300626EA}.exe"	{BD4CF963-9404-48be-B0BF-FB83495FD1E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}\stubpath = "C:\\Windows\\{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}.exe"	{DA557F04-4D8B-4f0e-924B-4871300626EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41CA0D90-8B71-450b-8715-E5D5E517E141}	{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1FE053A-9E5C-44b8-BABF-679137663093}	{41CA0D90-8B71-450b-8715-E5D5E517E141}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD4CF963-9404-48be-B0BF-FB83495FD1E4}\stubpath = "C:\\Windows\\{BD4CF963-9404-48be-B0BF-FB83495FD1E4}.exe"	{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}	{DA557F04-4D8B-4f0e-924B-4871300626EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90CDD37F-CB97-4d45-A277-BE759C3E9D08}\stubpath = "C:\\Windows\\{90CDD37F-CB97-4d45-A277-BE759C3E9D08}.exe"	{C1FE053A-9E5C-44b8-BABF-679137663093}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6DDBEB6-5EB4-43e4-9D41-38776A70EE22}	{14C8E7DF-C100-4729-B102-6CEB3A7B1159}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6DDBEB6-5EB4-43e4-9D41-38776A70EE22}\stubpath = "C:\\Windows\\{F6DDBEB6-5EB4-43e4-9D41-38776A70EE22}.exe"	{14C8E7DF-C100-4729-B102-6CEB3A7B1159}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDAD9BCD-3E76-4b31-BB0B-D3F888075F13}	{F6DDBEB6-5EB4-43e4-9D41-38776A70EE22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDAD9BCD-3E76-4b31-BB0B-D3F888075F13}\stubpath = "C:\\Windows\\{EDAD9BCD-3E76-4b31-BB0B-D3F888075F13}.exe"	{F6DDBEB6-5EB4-43e4-9D41-38776A70EE22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9EF10E6-D790-4c61-B016-4D69776F1022}\stubpath = "C:\\Windows\\{D9EF10E6-D790-4c61-B016-4D69776F1022}.exe"	{1E39EA4C-1F29-4598-A783-141FE2D2D214}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E39EA4C-1F29-4598-A783-141FE2D2D214}\stubpath = "C:\\Windows\\{1E39EA4C-1F29-4598-A783-141FE2D2D214}.exe"	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9EF10E6-D790-4c61-B016-4D69776F1022}	{1E39EA4C-1F29-4598-A783-141FE2D2D214}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}	{D9EF10E6-D790-4c61-B016-4D69776F1022}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}\stubpath = "C:\\Windows\\{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}.exe"	{D9EF10E6-D790-4c61-B016-4D69776F1022}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41CA0D90-8B71-450b-8715-E5D5E517E141}\stubpath = "C:\\Windows\\{41CA0D90-8B71-450b-8715-E5D5E517E141}.exe"	{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1FE053A-9E5C-44b8-BABF-679137663093}\stubpath = "C:\\Windows\\{C1FE053A-9E5C-44b8-BABF-679137663093}.exe"	{41CA0D90-8B71-450b-8715-E5D5E517E141}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14C8E7DF-C100-4729-B102-6CEB3A7B1159}	{90CDD37F-CB97-4d45-A277-BE759C3E9D08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E39EA4C-1F29-4598-A783-141FE2D2D214}	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14C8E7DF-C100-4729-B102-6CEB3A7B1159}\stubpath = "C:\\Windows\\{14C8E7DF-C100-4729-B102-6CEB3A7B1159}.exe"	{90CDD37F-CB97-4d45-A277-BE759C3E9D08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90CDD37F-CB97-4d45-A277-BE759C3E9D08}	{C1FE053A-9E5C-44b8-BABF-679137663093}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD4CF963-9404-48be-B0BF-FB83495FD1E4}	{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}.exe

Deletes itself 1 IoCs

pid	Process
2728	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
5036	{1E39EA4C-1F29-4598-A783-141FE2D2D214}.exe
2780	{D9EF10E6-D790-4c61-B016-4D69776F1022}.exe
844	{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}.exe
5040	{BD4CF963-9404-48be-B0BF-FB83495FD1E4}.exe
460	{DA557F04-4D8B-4f0e-924B-4871300626EA}.exe
2552	{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}.exe
5048	{41CA0D90-8B71-450b-8715-E5D5E517E141}.exe
4952	{C1FE053A-9E5C-44b8-BABF-679137663093}.exe
1220	{90CDD37F-CB97-4d45-A277-BE759C3E9D08}.exe
4544	{14C8E7DF-C100-4729-B102-6CEB3A7B1159}.exe
3692	{F6DDBEB6-5EB4-43e4-9D41-38776A70EE22}.exe
2408	{EDAD9BCD-3E76-4b31-BB0B-D3F888075F13}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{14C8E7DF-C100-4729-B102-6CEB3A7B1159}.exe	{90CDD37F-CB97-4d45-A277-BE759C3E9D08}.exe
File created	C:\Windows\{EDAD9BCD-3E76-4b31-BB0B-D3F888075F13}.exe	{F6DDBEB6-5EB4-43e4-9D41-38776A70EE22}.exe
File created	C:\Windows\{BD4CF963-9404-48be-B0BF-FB83495FD1E4}.exe	{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}.exe
File created	C:\Windows\{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}.exe	{DA557F04-4D8B-4f0e-924B-4871300626EA}.exe
File created	C:\Windows\{C1FE053A-9E5C-44b8-BABF-679137663093}.exe	{41CA0D90-8B71-450b-8715-E5D5E517E141}.exe
File created	C:\Windows\{90CDD37F-CB97-4d45-A277-BE759C3E9D08}.exe	{C1FE053A-9E5C-44b8-BABF-679137663093}.exe
File created	C:\Windows\{41CA0D90-8B71-450b-8715-E5D5E517E141}.exe	{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}.exe
File created	C:\Windows\{F6DDBEB6-5EB4-43e4-9D41-38776A70EE22}.exe	{14C8E7DF-C100-4729-B102-6CEB3A7B1159}.exe
File created	C:\Windows\{1E39EA4C-1F29-4598-A783-141FE2D2D214}.exe	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe
File created	C:\Windows\{D9EF10E6-D790-4c61-B016-4D69776F1022}.exe	{1E39EA4C-1F29-4598-A783-141FE2D2D214}.exe
File created	C:\Windows\{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}.exe	{D9EF10E6-D790-4c61-B016-4D69776F1022}.exe
File created	C:\Windows\{DA557F04-4D8B-4f0e-924B-4871300626EA}.exe	{BD4CF963-9404-48be-B0BF-FB83495FD1E4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4484	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe
Token: SeIncBasePriorityPrivilege	5036	{1E39EA4C-1F29-4598-A783-141FE2D2D214}.exe
Token: SeIncBasePriorityPrivilege	2780	{D9EF10E6-D790-4c61-B016-4D69776F1022}.exe
Token: SeIncBasePriorityPrivilege	844	{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}.exe
Token: SeIncBasePriorityPrivilege	5040	{BD4CF963-9404-48be-B0BF-FB83495FD1E4}.exe
Token: SeIncBasePriorityPrivilege	460	{DA557F04-4D8B-4f0e-924B-4871300626EA}.exe
Token: SeIncBasePriorityPrivilege	2552	{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}.exe
Token: SeIncBasePriorityPrivilege	5048	{41CA0D90-8B71-450b-8715-E5D5E517E141}.exe
Token: SeIncBasePriorityPrivilege	4952	{C1FE053A-9E5C-44b8-BABF-679137663093}.exe
Token: SeIncBasePriorityPrivilege	1220	{90CDD37F-CB97-4d45-A277-BE759C3E9D08}.exe
Token: SeIncBasePriorityPrivilege	4544	{14C8E7DF-C100-4729-B102-6CEB3A7B1159}.exe
Token: SeIncBasePriorityPrivilege	3692	{F6DDBEB6-5EB4-43e4-9D41-38776A70EE22}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 5036	4484	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe	83
PID 4484 wrote to memory of 5036	4484	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe	83
PID 4484 wrote to memory of 5036	4484	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe	83
PID 4484 wrote to memory of 2728	4484	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe	84
PID 4484 wrote to memory of 2728	4484	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe	84
PID 4484 wrote to memory of 2728	4484	cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe	84
PID 5036 wrote to memory of 2780	5036	{1E39EA4C-1F29-4598-A783-141FE2D2D214}.exe	85
PID 5036 wrote to memory of 2780	5036	{1E39EA4C-1F29-4598-A783-141FE2D2D214}.exe	85
PID 5036 wrote to memory of 2780	5036	{1E39EA4C-1F29-4598-A783-141FE2D2D214}.exe	85
PID 5036 wrote to memory of 1460	5036	{1E39EA4C-1F29-4598-A783-141FE2D2D214}.exe	86
PID 5036 wrote to memory of 1460	5036	{1E39EA4C-1F29-4598-A783-141FE2D2D214}.exe	86
PID 5036 wrote to memory of 1460	5036	{1E39EA4C-1F29-4598-A783-141FE2D2D214}.exe	86
PID 2780 wrote to memory of 844	2780	{D9EF10E6-D790-4c61-B016-4D69776F1022}.exe	88
PID 2780 wrote to memory of 844	2780	{D9EF10E6-D790-4c61-B016-4D69776F1022}.exe	88
PID 2780 wrote to memory of 844	2780	{D9EF10E6-D790-4c61-B016-4D69776F1022}.exe	88
PID 2780 wrote to memory of 2508	2780	{D9EF10E6-D790-4c61-B016-4D69776F1022}.exe	89
PID 2780 wrote to memory of 2508	2780	{D9EF10E6-D790-4c61-B016-4D69776F1022}.exe	89
PID 2780 wrote to memory of 2508	2780	{D9EF10E6-D790-4c61-B016-4D69776F1022}.exe	89
PID 844 wrote to memory of 5040	844	{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}.exe	90
PID 844 wrote to memory of 5040	844	{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}.exe	90
PID 844 wrote to memory of 5040	844	{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}.exe	90
PID 844 wrote to memory of 3456	844	{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}.exe	91
PID 844 wrote to memory of 3456	844	{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}.exe	91
PID 844 wrote to memory of 3456	844	{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}.exe	91
PID 5040 wrote to memory of 460	5040	{BD4CF963-9404-48be-B0BF-FB83495FD1E4}.exe	92
PID 5040 wrote to memory of 460	5040	{BD4CF963-9404-48be-B0BF-FB83495FD1E4}.exe	92
PID 5040 wrote to memory of 460	5040	{BD4CF963-9404-48be-B0BF-FB83495FD1E4}.exe	92
PID 5040 wrote to memory of 2744	5040	{BD4CF963-9404-48be-B0BF-FB83495FD1E4}.exe	93
PID 5040 wrote to memory of 2744	5040	{BD4CF963-9404-48be-B0BF-FB83495FD1E4}.exe	93
PID 5040 wrote to memory of 2744	5040	{BD4CF963-9404-48be-B0BF-FB83495FD1E4}.exe	93
PID 460 wrote to memory of 2552	460	{DA557F04-4D8B-4f0e-924B-4871300626EA}.exe	94
PID 460 wrote to memory of 2552	460	{DA557F04-4D8B-4f0e-924B-4871300626EA}.exe	94
PID 460 wrote to memory of 2552	460	{DA557F04-4D8B-4f0e-924B-4871300626EA}.exe	94
PID 460 wrote to memory of 668	460	{DA557F04-4D8B-4f0e-924B-4871300626EA}.exe	95
PID 460 wrote to memory of 668	460	{DA557F04-4D8B-4f0e-924B-4871300626EA}.exe	95
PID 460 wrote to memory of 668	460	{DA557F04-4D8B-4f0e-924B-4871300626EA}.exe	95
PID 2552 wrote to memory of 5048	2552	{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}.exe	96
PID 2552 wrote to memory of 5048	2552	{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}.exe	96
PID 2552 wrote to memory of 5048	2552	{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}.exe	96
PID 2552 wrote to memory of 4976	2552	{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}.exe	97
PID 2552 wrote to memory of 4976	2552	{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}.exe	97
PID 2552 wrote to memory of 4976	2552	{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}.exe	97
PID 5048 wrote to memory of 4952	5048	{41CA0D90-8B71-450b-8715-E5D5E517E141}.exe	98
PID 5048 wrote to memory of 4952	5048	{41CA0D90-8B71-450b-8715-E5D5E517E141}.exe	98
PID 5048 wrote to memory of 4952	5048	{41CA0D90-8B71-450b-8715-E5D5E517E141}.exe	98
PID 5048 wrote to memory of 4256	5048	{41CA0D90-8B71-450b-8715-E5D5E517E141}.exe	99
PID 5048 wrote to memory of 4256	5048	{41CA0D90-8B71-450b-8715-E5D5E517E141}.exe	99
PID 5048 wrote to memory of 4256	5048	{41CA0D90-8B71-450b-8715-E5D5E517E141}.exe	99
PID 4952 wrote to memory of 1220	4952	{C1FE053A-9E5C-44b8-BABF-679137663093}.exe	100
PID 4952 wrote to memory of 1220	4952	{C1FE053A-9E5C-44b8-BABF-679137663093}.exe	100
PID 4952 wrote to memory of 1220	4952	{C1FE053A-9E5C-44b8-BABF-679137663093}.exe	100
PID 4952 wrote to memory of 4036	4952	{C1FE053A-9E5C-44b8-BABF-679137663093}.exe	101
PID 4952 wrote to memory of 4036	4952	{C1FE053A-9E5C-44b8-BABF-679137663093}.exe	101
PID 4952 wrote to memory of 4036	4952	{C1FE053A-9E5C-44b8-BABF-679137663093}.exe	101
PID 1220 wrote to memory of 4544	1220	{90CDD37F-CB97-4d45-A277-BE759C3E9D08}.exe	102
PID 1220 wrote to memory of 4544	1220	{90CDD37F-CB97-4d45-A277-BE759C3E9D08}.exe	102
PID 1220 wrote to memory of 4544	1220	{90CDD37F-CB97-4d45-A277-BE759C3E9D08}.exe	102
PID 1220 wrote to memory of 4912	1220	{90CDD37F-CB97-4d45-A277-BE759C3E9D08}.exe	103
PID 1220 wrote to memory of 4912	1220	{90CDD37F-CB97-4d45-A277-BE759C3E9D08}.exe	103
PID 1220 wrote to memory of 4912	1220	{90CDD37F-CB97-4d45-A277-BE759C3E9D08}.exe	103
PID 4544 wrote to memory of 3692	4544	{14C8E7DF-C100-4729-B102-6CEB3A7B1159}.exe	104
PID 4544 wrote to memory of 3692	4544	{14C8E7DF-C100-4729-B102-6CEB3A7B1159}.exe	104
PID 4544 wrote to memory of 3692	4544	{14C8E7DF-C100-4729-B102-6CEB3A7B1159}.exe	104
PID 4544 wrote to memory of 444	4544	{14C8E7DF-C100-4729-B102-6CEB3A7B1159}.exe	105

C:\Users\Admin\AppData\Local\Temp\cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe
"C:\Users\Admin\AppData\Local\Temp\cc93513974df1ddf9d480541f23b77aece569dfe9e83904d5579b55aa1abf3cf.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\{1E39EA4C-1F29-4598-A783-141FE2D2D214}.exe
  C:\Windows\{1E39EA4C-1F29-4598-A783-141FE2D2D214}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\{D9EF10E6-D790-4c61-B016-4D69776F1022}.exe
    C:\Windows\{D9EF10E6-D790-4c61-B016-4D69776F1022}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}.exe
      C:\Windows\{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:844
    - - C:\Windows\{BD4CF963-9404-48be-B0BF-FB83495FD1E4}.exe
        
        C:\Windows\{BD4CF963-9404-48be-B0BF-FB83495FD1E4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
      - C:\Windows\{DA557F04-4D8B-4f0e-924B-4871300626EA}.exe
        
        C:\Windows\{DA557F04-4D8B-4f0e-924B-4871300626EA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}.exe
        
        C:\Windows\{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\{41CA0D90-8B71-450b-8715-E5D5E517E141}.exe
        
        C:\Windows\{41CA0D90-8B71-450b-8715-E5D5E517E141}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\{C1FE053A-9E5C-44b8-BABF-679137663093}.exe
        
        C:\Windows\{C1FE053A-9E5C-44b8-BABF-679137663093}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\{90CDD37F-CB97-4d45-A277-BE759C3E9D08}.exe
        
        C:\Windows\{90CDD37F-CB97-4d45-A277-BE759C3E9D08}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\{14C8E7DF-C100-4729-B102-6CEB3A7B1159}.exe
        
        C:\Windows\{14C8E7DF-C100-4729-B102-6CEB3A7B1159}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\{F6DDBEB6-5EB4-43e4-9D41-38776A70EE22}.exe
        
        C:\Windows\{F6DDBEB6-5EB4-43e4-9D41-38776A70EE22}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
        
        C:\Windows\{EDAD9BCD-3E76-4b31-BB0B-D3F888075F13}.exe
        
        C:\Windows\{EDAD9BCD-3E76-4b31-BB0B-D3F888075F13}.exe
        13⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6DDB~1.EXE > nul
        13⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14C8E~1.EXE > nul
        12⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90CDD~1.EXE > nul
        11⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1FE0~1.EXE > nul
        10⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41CA0~1.EXE > nul
        9⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{306E5~1.EXE > nul
        8⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA557~1.EXE > nul
        7⤵
        
        PID:668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD4CF~1.EXE > nul
        6⤵
        
        PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{773F3~1.EXE > nul
        5⤵
        
        PID:3456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D9EF1~1.EXE > nul
      4⤵
      PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1E39E~1.EXE > nul
    3⤵
    PID:1460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CC9351~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14C8E7DF-C100-4729-B102-6CEB3A7B1159}.exe

Filesize
98KB

MD5
b64a1ed874864fbe490a3bbb0e230385

SHA1
efaf966df8873f71382941300d6d98d8692d78b7

SHA256
d7f8f33ad6b7baeda86600c11414ee309bcc7bbe454201378dd4d13002dae199

SHA512
a61db8c48bd32f5ef9a557eb6527cc28eb5297b6e4192f9b70068fd313c9d20a0330db28702dfbe0dd691b2ca1d3a0938ab6ad8fbdc585955f2421718fc57a35

Download Submit
C:\Windows\{1E39EA4C-1F29-4598-A783-141FE2D2D214}.exe

Filesize
98KB

MD5
1379299c1a1ee5fcf8079299007880b2

SHA1
1fe6d3946169df46fa3b122a51b598d12a33786f

SHA256
4f68173f4592db60cb42249aab1a1dd870058c1375c0315d5ede3564db78e8ab

SHA512
270f11302ba9f21b864688a28552ea96ae374c76f907559dbf6055113c7200738b8735f54cd1be13864a1a93f88df2a24eff6e30b777676a532692de0d162203

Download Submit
C:\Windows\{306E53E6-76E8-4199-8EE5-DEF1C2CE080D}.exe

Filesize
98KB

MD5
d8c8a8d08548684163ca1e41c7449e33

SHA1
6d617830b53458ef25d61522863189a3b0ce01e7

SHA256
70a3db25d17e7acb20724736b655521474c78c704649e09858c33205d24fe190

SHA512
8356f515889a45b51f71ee82cee12a9b438d98e3f1971b1cc718226a7deea3c22e92309991dadf335d3ae314fdf5a36283fa35c452a0a6660ff84031752f677d

Download Submit
C:\Windows\{41CA0D90-8B71-450b-8715-E5D5E517E141}.exe

Filesize
98KB

MD5
a4d54ac1dd9b35ee3065cc9b1ab2012c

SHA1
2a9deb073d526994e88447c4c95930dda10b72d6

SHA256
b971e94ca5b26038d13965276afee5dbe1130bfc81aa1c4a103fcb58ef82ba4a

SHA512
2842f0c3163d5524fc82b054b1e4982264b9190affd5935fc018eba0819a777959f38a35d3616b603179d81980622f829d035cfd007165240e2d303456161bec

Download Submit
C:\Windows\{773F39D8-EE5B-4532-8C05-4CB3FD76CB57}.exe

Filesize
98KB

MD5
28377b9bb6571af54bc7bd5985d0d37a

SHA1
4750855402b5e241fec00005b403457784f402d5

SHA256
9561818479efd72c53839a22cc7b99626642485c1f48d385340caa8c8bb11f39

SHA512
8817bb3b34c3ced616b28cf3594db286939fe1da9b5c75f404e57c57889c7687366a271b0fcbc2304d5118353ff688c6149fc37f1e7f2ab86db9f57720da41ef

Download Submit
C:\Windows\{90CDD37F-CB97-4d45-A277-BE759C3E9D08}.exe

Filesize
98KB

MD5
a9c9a211163bdcd4399390a27e0b7b9f

SHA1
a2b063fcbb5803559392cf9e2298adead618fff0

SHA256
c0b5dbd5ccce8bb4a14cf206393e5ba196098f0684cc3884c50d159bd10fe6ce

SHA512
c9debd7a5cc1e920027988631200802bc332b76f9e04a6f6864fe29285628a61635c5c9f062f11e0551b897882a045fcd201a113851dd24231eaa39bceb15b06

Download Submit
C:\Windows\{BD4CF963-9404-48be-B0BF-FB83495FD1E4}.exe

Filesize
98KB

MD5
eb256c504e426609fab007ca0967fe79

SHA1
cc6c6c4bc66e76a55d10f7c958c8143607f7b161

SHA256
ff5f9987c15cbfb494a4cb2fc7fa66184f1d86292fab01d1d74806b1ace38c04

SHA512
afbe25f503f1f866ef3872ec013e422986f0189f31823dcfd461315299092ce7943eb46bd94641d43cde7fd814a58ff22de469e950ec82f5de9b4a59ce4a3671

Download Submit
C:\Windows\{C1FE053A-9E5C-44b8-BABF-679137663093}.exe

Filesize
98KB

MD5
881c65224b43ab2eb3b247eecfd37abf

SHA1
6d43cf3bc4db6ddc82be57a5bde860a867dc9f95

SHA256
59ba65498db969828c0e363b63c7c9b5646d1982de168792402b2e8cb618eaf8

SHA512
5f7ca59f82b82532d4a2fd83f7eec649421dc2cb95a682f7dbac550c2d250d09a0c77aea5d5c4335a218c8305bb4bf671a38e44834449083e6f89a9e00a87d37

Download Submit
C:\Windows\{D9EF10E6-D790-4c61-B016-4D69776F1022}.exe

Filesize
98KB

MD5
f6979ef83abfa5df1e31c4c5f27fa9bb

SHA1
e7bca829607b06a6b9aa7a31824c78b7938aff18

SHA256
e12087be9ff3bd3f5290769b844423cab2515a77320de8f5baaf83a26d29e592

SHA512
66d5f3a52ecf96fda85724c82d4cbbd32a556587af9965b6496555d0062bb7e68e4cb0230200263c3f8c74bf02a3dafc36ebe2ae89f94946cf2b54e6a944b5bd

Download Submit
C:\Windows\{DA557F04-4D8B-4f0e-924B-4871300626EA}.exe

Filesize
98KB

MD5
888273efa215f0b099e763fc980381e3

SHA1
c84505a40afaa3c7dc803322888d57bce0c62be9

SHA256
cf4674ba0e2d14ef48b0f69ac5338fd5eb090c4dcfcb43fe08862db7193d0305

SHA512
310c5e0cb593d1f992b0f0a28e4532e9d04416a216058f859ed192d331cdb3d1c1b4a00f6a5ad5d95c3779ae18ca49e51169eb3301034830d9ff6f750b85c4c8

Download Submit
C:\Windows\{EDAD9BCD-3E76-4b31-BB0B-D3F888075F13}.exe

Filesize
98KB

MD5
3b1d8a03443b327af2d2698175a6c119

SHA1
7a73d49d8d16e1b60b9fe844bbdaf8a044db41ae

SHA256
e9b349043f974d74a2791f8ded2012e9102c3f26433f827539b11c2fb9962941

SHA512
180dae67fbc51dc9e32898aac882a419117d737c40a7177a21121e7fd9c7b30dbc3220c5d11a33e52386b0474379ca4671c84b3cdf87fac78c8244ad04b731ee

Download Submit
C:\Windows\{F6DDBEB6-5EB4-43e4-9D41-38776A70EE22}.exe

Filesize
98KB

MD5
efa2e6cedfeabb41955aaffe988e466c

SHA1
bd7584a77fea52c6ed6067248c91cf952209e43d

SHA256
b5642dd27bdc8c8a16d9930ea4750055fe744d36f0dda6c25e049bffa200b611

SHA512
7b299f2ff9007d0e8c93e772b3dfb6d259e4d106cb63ff00818fbd0bb595e4dd24e344c51c0e9460219f1f22183d1f00d4ff890677d130988d9cc0108d84b949

Download Submit
memory/460-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/460-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/844-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/844-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1220-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1220-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2408-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2552-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2552-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2780-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2780-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3692-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4484-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4484-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4544-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4952-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5036-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5036-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5040-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5040-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5048-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5048-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads