9f64da239f64caf981905dcb9cbca1f64c396c38e102f273397cb44f8c050a70

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fa682f33d57229b8797c1a09e8336a0N.exe
Size

90KB
MD5

0fa682f33d57229b8797c1a09e8336a0
SHA1

1c447304f1f68205cbd65e7c0aaf88ed90301e00
SHA256

9f64da239f64caf981905dcb9cbca1f64c396c38e102f273397cb44f8c050a70
SHA512

8f6516332c6bba85375f6276e26389431d0ce486793b1a1d06e9e0ed4a14bb1cb01b28452a1ab7cd3ba39ff99b54b77e441c0af7896d79850e3338bb9101be4e
SSDEEP

768:Qvw9816vhKQLron4/wQRNrfrunMxVFA3b7glws:YEGh0onl2unMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}\stubpath = "C:\\Windows\\{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe"	{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD818016-198E-44c6-A735-E58E5355B6E5}\stubpath = "C:\\Windows\\{BD818016-198E-44c6-A735-E58E5355B6E5}.exe"	{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D31B325-13D8-4448-A1D1-38A8E99CE80C}	{1C30E923-21AA-44ba-9D74-6888E2FED35B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2599D942-B379-4da6-9970-6AB7907D3D53}\stubpath = "C:\\Windows\\{2599D942-B379-4da6-9970-6AB7907D3D53}.exe"	{9D31B325-13D8-4448-A1D1-38A8E99CE80C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{852EBC2D-5F12-496b-A574-D2639D019768}\stubpath = "C:\\Windows\\{852EBC2D-5F12-496b-A574-D2639D019768}.exe"	{2599D942-B379-4da6-9970-6AB7907D3D53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4097AB87-317D-463b-BCC1-3925A96D520D}\stubpath = "C:\\Windows\\{4097AB87-317D-463b-BCC1-3925A96D520D}.exe"	{86A2F97C-9423-4713-8C53-876324F13EDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}\stubpath = "C:\\Windows\\{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe"	{4097AB87-317D-463b-BCC1-3925A96D520D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}\stubpath = "C:\\Windows\\{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe"	{BD818016-198E-44c6-A735-E58E5355B6E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86A2F97C-9423-4713-8C53-876324F13EDE}	0fa682f33d57229b8797c1a09e8336a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86A2F97C-9423-4713-8C53-876324F13EDE}\stubpath = "C:\\Windows\\{86A2F97C-9423-4713-8C53-876324F13EDE}.exe"	0fa682f33d57229b8797c1a09e8336a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}	{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD818016-198E-44c6-A735-E58E5355B6E5}	{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C30E923-21AA-44ba-9D74-6888E2FED35B}	{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D31B325-13D8-4448-A1D1-38A8E99CE80C}\stubpath = "C:\\Windows\\{9D31B325-13D8-4448-A1D1-38A8E99CE80C}.exe"	{1C30E923-21AA-44ba-9D74-6888E2FED35B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4097AB87-317D-463b-BCC1-3925A96D520D}	{86A2F97C-9423-4713-8C53-876324F13EDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}\stubpath = "C:\\Windows\\{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe"	{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}	{BD818016-198E-44c6-A735-E58E5355B6E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C30E923-21AA-44ba-9D74-6888E2FED35B}\stubpath = "C:\\Windows\\{1C30E923-21AA-44ba-9D74-6888E2FED35B}.exe"	{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2599D942-B379-4da6-9970-6AB7907D3D53}	{9D31B325-13D8-4448-A1D1-38A8E99CE80C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{852EBC2D-5F12-496b-A574-D2639D019768}	{2599D942-B379-4da6-9970-6AB7907D3D53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}	{4097AB87-317D-463b-BCC1-3925A96D520D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}	{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe

Deletes itself 1 IoCs

pid	Process
2648	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2540	{86A2F97C-9423-4713-8C53-876324F13EDE}.exe
3068	{4097AB87-317D-463b-BCC1-3925A96D520D}.exe
2584	{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe
1580	{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe
1516	{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe
1604	{BD818016-198E-44c6-A735-E58E5355B6E5}.exe
856	{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe
1900	{1C30E923-21AA-44ba-9D74-6888E2FED35B}.exe
2708	{9D31B325-13D8-4448-A1D1-38A8E99CE80C}.exe
2144	{2599D942-B379-4da6-9970-6AB7907D3D53}.exe
1740	{852EBC2D-5F12-496b-A574-D2639D019768}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{86A2F97C-9423-4713-8C53-876324F13EDE}.exe	0fa682f33d57229b8797c1a09e8336a0N.exe
File created	C:\Windows\{4097AB87-317D-463b-BCC1-3925A96D520D}.exe	{86A2F97C-9423-4713-8C53-876324F13EDE}.exe
File created	C:\Windows\{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe	{4097AB87-317D-463b-BCC1-3925A96D520D}.exe
File created	C:\Windows\{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe	{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe
File created	C:\Windows\{BD818016-198E-44c6-A735-E58E5355B6E5}.exe	{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe
File created	C:\Windows\{9D31B325-13D8-4448-A1D1-38A8E99CE80C}.exe	{1C30E923-21AA-44ba-9D74-6888E2FED35B}.exe
File created	C:\Windows\{852EBC2D-5F12-496b-A574-D2639D019768}.exe	{2599D942-B379-4da6-9970-6AB7907D3D53}.exe
File created	C:\Windows\{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe	{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe
File created	C:\Windows\{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe	{BD818016-198E-44c6-A735-E58E5355B6E5}.exe
File created	C:\Windows\{1C30E923-21AA-44ba-9D74-6888E2FED35B}.exe	{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe
File created	C:\Windows\{2599D942-B379-4da6-9970-6AB7907D3D53}.exe	{9D31B325-13D8-4448-A1D1-38A8E99CE80C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2836	0fa682f33d57229b8797c1a09e8336a0N.exe
Token: SeIncBasePriorityPrivilege	2540	{86A2F97C-9423-4713-8C53-876324F13EDE}.exe
Token: SeIncBasePriorityPrivilege	3068	{4097AB87-317D-463b-BCC1-3925A96D520D}.exe
Token: SeIncBasePriorityPrivilege	2584	{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe
Token: SeIncBasePriorityPrivilege	1580	{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe
Token: SeIncBasePriorityPrivilege	1516	{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe
Token: SeIncBasePriorityPrivilege	1604	{BD818016-198E-44c6-A735-E58E5355B6E5}.exe
Token: SeIncBasePriorityPrivilege	856	{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe
Token: SeIncBasePriorityPrivilege	1900	{1C30E923-21AA-44ba-9D74-6888E2FED35B}.exe
Token: SeIncBasePriorityPrivilege	2708	{9D31B325-13D8-4448-A1D1-38A8E99CE80C}.exe
Token: SeIncBasePriorityPrivilege	2144	{2599D942-B379-4da6-9970-6AB7907D3D53}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2540	2836	0fa682f33d57229b8797c1a09e8336a0N.exe	28
PID 2836 wrote to memory of 2540	2836	0fa682f33d57229b8797c1a09e8336a0N.exe	28
PID 2836 wrote to memory of 2540	2836	0fa682f33d57229b8797c1a09e8336a0N.exe	28
PID 2836 wrote to memory of 2540	2836	0fa682f33d57229b8797c1a09e8336a0N.exe	28
PID 2836 wrote to memory of 2648	2836	0fa682f33d57229b8797c1a09e8336a0N.exe	29
PID 2836 wrote to memory of 2648	2836	0fa682f33d57229b8797c1a09e8336a0N.exe	29
PID 2836 wrote to memory of 2648	2836	0fa682f33d57229b8797c1a09e8336a0N.exe	29
PID 2836 wrote to memory of 2648	2836	0fa682f33d57229b8797c1a09e8336a0N.exe	29
PID 2540 wrote to memory of 3068	2540	{86A2F97C-9423-4713-8C53-876324F13EDE}.exe	30
PID 2540 wrote to memory of 3068	2540	{86A2F97C-9423-4713-8C53-876324F13EDE}.exe	30
PID 2540 wrote to memory of 3068	2540	{86A2F97C-9423-4713-8C53-876324F13EDE}.exe	30
PID 2540 wrote to memory of 3068	2540	{86A2F97C-9423-4713-8C53-876324F13EDE}.exe	30
PID 2540 wrote to memory of 2512	2540	{86A2F97C-9423-4713-8C53-876324F13EDE}.exe	31
PID 2540 wrote to memory of 2512	2540	{86A2F97C-9423-4713-8C53-876324F13EDE}.exe	31
PID 2540 wrote to memory of 2512	2540	{86A2F97C-9423-4713-8C53-876324F13EDE}.exe	31
PID 2540 wrote to memory of 2512	2540	{86A2F97C-9423-4713-8C53-876324F13EDE}.exe	31
PID 3068 wrote to memory of 2584	3068	{4097AB87-317D-463b-BCC1-3925A96D520D}.exe	32
PID 3068 wrote to memory of 2584	3068	{4097AB87-317D-463b-BCC1-3925A96D520D}.exe	32
PID 3068 wrote to memory of 2584	3068	{4097AB87-317D-463b-BCC1-3925A96D520D}.exe	32
PID 3068 wrote to memory of 2584	3068	{4097AB87-317D-463b-BCC1-3925A96D520D}.exe	32
PID 3068 wrote to memory of 2432	3068	{4097AB87-317D-463b-BCC1-3925A96D520D}.exe	33
PID 3068 wrote to memory of 2432	3068	{4097AB87-317D-463b-BCC1-3925A96D520D}.exe	33
PID 3068 wrote to memory of 2432	3068	{4097AB87-317D-463b-BCC1-3925A96D520D}.exe	33
PID 3068 wrote to memory of 2432	3068	{4097AB87-317D-463b-BCC1-3925A96D520D}.exe	33
PID 2584 wrote to memory of 1580	2584	{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe	36
PID 2584 wrote to memory of 1580	2584	{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe	36
PID 2584 wrote to memory of 1580	2584	{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe	36
PID 2584 wrote to memory of 1580	2584	{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe	36
PID 2584 wrote to memory of 2380	2584	{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe	37
PID 2584 wrote to memory of 2380	2584	{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe	37
PID 2584 wrote to memory of 2380	2584	{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe	37
PID 2584 wrote to memory of 2380	2584	{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe	37
PID 1580 wrote to memory of 1516	1580	{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe	38
PID 1580 wrote to memory of 1516	1580	{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe	38
PID 1580 wrote to memory of 1516	1580	{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe	38
PID 1580 wrote to memory of 1516	1580	{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe	38
PID 1580 wrote to memory of 1672	1580	{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe	39
PID 1580 wrote to memory of 1672	1580	{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe	39
PID 1580 wrote to memory of 1672	1580	{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe	39
PID 1580 wrote to memory of 1672	1580	{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe	39
PID 1516 wrote to memory of 1604	1516	{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe	40
PID 1516 wrote to memory of 1604	1516	{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe	40
PID 1516 wrote to memory of 1604	1516	{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe	40
PID 1516 wrote to memory of 1604	1516	{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe	40
PID 1516 wrote to memory of 1128	1516	{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe	41
PID 1516 wrote to memory of 1128	1516	{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe	41
PID 1516 wrote to memory of 1128	1516	{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe	41
PID 1516 wrote to memory of 1128	1516	{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe	41
PID 1604 wrote to memory of 856	1604	{BD818016-198E-44c6-A735-E58E5355B6E5}.exe	42
PID 1604 wrote to memory of 856	1604	{BD818016-198E-44c6-A735-E58E5355B6E5}.exe	42
PID 1604 wrote to memory of 856	1604	{BD818016-198E-44c6-A735-E58E5355B6E5}.exe	42
PID 1604 wrote to memory of 856	1604	{BD818016-198E-44c6-A735-E58E5355B6E5}.exe	42
PID 1604 wrote to memory of 268	1604	{BD818016-198E-44c6-A735-E58E5355B6E5}.exe	43
PID 1604 wrote to memory of 268	1604	{BD818016-198E-44c6-A735-E58E5355B6E5}.exe	43
PID 1604 wrote to memory of 268	1604	{BD818016-198E-44c6-A735-E58E5355B6E5}.exe	43
PID 1604 wrote to memory of 268	1604	{BD818016-198E-44c6-A735-E58E5355B6E5}.exe	43
PID 856 wrote to memory of 1900	856	{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe	44
PID 856 wrote to memory of 1900	856	{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe	44
PID 856 wrote to memory of 1900	856	{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe	44
PID 856 wrote to memory of 1900	856	{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe	44
PID 856 wrote to memory of 844	856	{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe	45
PID 856 wrote to memory of 844	856	{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe	45
PID 856 wrote to memory of 844	856	{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe	45
PID 856 wrote to memory of 844	856	{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe	45

C:\Users\Admin\AppData\Local\Temp\0fa682f33d57229b8797c1a09e8336a0N.exe
"C:\Users\Admin\AppData\Local\Temp\0fa682f33d57229b8797c1a09e8336a0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\{86A2F97C-9423-4713-8C53-876324F13EDE}.exe
  C:\Windows\{86A2F97C-9423-4713-8C53-876324F13EDE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\{4097AB87-317D-463b-BCC1-3925A96D520D}.exe
    C:\Windows\{4097AB87-317D-463b-BCC1-3925A96D520D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe
      C:\Windows\{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe
        
        C:\Windows\{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe
        
        C:\Windows\{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\{BD818016-198E-44c6-A735-E58E5355B6E5}.exe
        
        C:\Windows\{BD818016-198E-44c6-A735-E58E5355B6E5}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe
        
        C:\Windows\{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\{1C30E923-21AA-44ba-9D74-6888E2FED35B}.exe
        
        C:\Windows\{1C30E923-21AA-44ba-9D74-6888E2FED35B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\{9D31B325-13D8-4448-A1D1-38A8E99CE80C}.exe
        
        C:\Windows\{9D31B325-13D8-4448-A1D1-38A8E99CE80C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\{2599D942-B379-4da6-9970-6AB7907D3D53}.exe
        
        C:\Windows\{2599D942-B379-4da6-9970-6AB7907D3D53}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\{852EBC2D-5F12-496b-A574-D2639D019768}.exe
        
        C:\Windows\{852EBC2D-5F12-496b-A574-D2639D019768}.exe
        12⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2599D~1.EXE > nul
        12⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D31B~1.EXE > nul
        11⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C30E~1.EXE > nul
        10⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{597FC~1.EXE > nul
        9⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD818~1.EXE > nul
        8⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10A51~1.EXE > nul
        7⤵
        
        PID:1128
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EE57~1.EXE > nul
        6⤵
        
        PID:1672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF304~1.EXE > nul
        5⤵
        
        PID:2380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4097A~1.EXE > nul
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{86A2F~1.EXE > nul
    3⤵
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0FA682~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10A51E3D-5EC7-4ad4-8DEB-D7BD45756D0D}.exe

Filesize
90KB

MD5
1012d79f36e126b72c4d3948bb676828

SHA1
000c1f3045c0a6325a689e050870ad88f5c21a84

SHA256
c24b794aa2f2cff3dc71b0b455869cf411b982dbeee87d067d6d714ef93739b4

SHA512
a6c9acf09c3636e9f3960b59ad3cbc2721d5e410d4e473901f3af0e79713d67321b6fe87d92fd2ca74b33a99c6674df790bd9c04554118d1fb157ad40477b3cc

Download Submit
C:\Windows\{1C30E923-21AA-44ba-9D74-6888E2FED35B}.exe

Filesize
90KB

MD5
b0f00eaea572000da8f04a5415747bdb

SHA1
6c5df8cef7f7f4f61d6f56ded984abe1b93c56ec

SHA256
0835bbffeb56b617ee63f4d4ac06d71774943d1645067706ea75bdbc7030af69

SHA512
b125ab004bf9d6c57b39ec8a263dcc653805bfe99d945b3c5c78d9db6aefc81465e3028b0f9537619b0e75bbd45017b0eb377361f402bea620e2b11b9ac46f08

Download Submit
C:\Windows\{2599D942-B379-4da6-9970-6AB7907D3D53}.exe

Filesize
90KB

MD5
724af08c8cde88b537bb6acc7eb5bfb8

SHA1
5e709e50b00c4d6af0b3e9fa5e88b1493b7b4769

SHA256
fbc75e06a14de0caacd59fdc1e2024c372840aec948a8355f0d64c9419ea80d8

SHA512
1c6261f0dc7b1614e9e55164a08ef8de368090f5f92ddc76f9d967b05685c3db25af396d5d737e6d6b9653656d01c84b99c478693d258b3831e577ce2e8b1161

Download Submit
C:\Windows\{4097AB87-317D-463b-BCC1-3925A96D520D}.exe

Filesize
90KB

MD5
3160231c4f0968fc8d57f3dedcd37c87

SHA1
f8c04e9d224edb1700580c5ad50d617b879b902b

SHA256
83e3a5a8d2e9875b58f35257bfe53bdcfcf9abea114ea6b2170689fa8f1cf5ce

SHA512
b16d6442755a53484fcc077cce2c242707984d4eb4f878f4aed957958733f19c219c5c43a2915dad7f6a6299721e70b2b180a91aedf1efae870912421a7fa8a0

Download Submit
C:\Windows\{597FC6FE-B39C-4c26-8532-CD5F314DAAFB}.exe

Filesize
90KB

MD5
7614f7805c6eb51d66daa8686937925c

SHA1
cdaaba952c40fdc1d21032a1588781997425d803

SHA256
3b17fea1112ffcad5ff54ff4b182c66fece410ddb7a98d4f36d2771977f0bc56

SHA512
48d5b8355a88d12ae73d4e5bb0ee63c1ffe3543e908c4bcfc0840d5cb441310872ef2ee44c6d6fd03f515c80956d429dd19fda5613cb2b01822b6a03e089cea6

Download Submit
C:\Windows\{852EBC2D-5F12-496b-A574-D2639D019768}.exe

Filesize
90KB

MD5
3d52fff3b3f4893b4a8c87c7f8d91363

SHA1
4c21fa23446f0d4d72bd2d1fc08759a2b69e352f

SHA256
9d26e19778d3c077358d0d6abed00b2ea3af95c4aaae1f8cfd8c8adc3327d22b

SHA512
c9239b784753143221ff1f218f39c0174b1513a160514bbd49518b4ad0b9ebcea521c71a45eebc3899337bdbb4b47a0dbf1663f185c981180c35552728dca789

Download Submit
C:\Windows\{86A2F97C-9423-4713-8C53-876324F13EDE}.exe

Filesize
90KB

MD5
ffc131c9d74ae3e37028168c116d4a62

SHA1
724d826c95249d26668cbd142fcedcbb67fb44ca

SHA256
5cbfa0550076fcc1b5f053694a8fab87b65857e497864306ee734c0d84f6beac

SHA512
28ab1b507918861756a242342bac77d5aac24a3c12d6d36155b421d4acea6c7b1c9953559c4e269bf353f7d82844450cfcca87a3d7ea25ad00be22a27370dc9c

Download Submit
C:\Windows\{9D31B325-13D8-4448-A1D1-38A8E99CE80C}.exe

Filesize
90KB

MD5
311a4c4ab300087b39549678ca119191

SHA1
57d82ab9c10599c3b6329a60ae0fe9188e184f5c

SHA256
b35d0a6c09da31c3dcbe3c61e905b65add60545a12c7142e09f8ba57e9029adc

SHA512
3b25a3900e27d9da23289e2d5fcce448a0e10a1880d1bd78c53dcff4a8313ae7a10ec54aaf2773b1223e576644a3fe555933321c44599b7e82f712ecfe99856a

Download Submit
C:\Windows\{9EE577B5-75BF-4f12-9825-A9FF4C4E098C}.exe

Filesize
90KB

MD5
dcb4ac28352863e122c9fad00a5e9a46

SHA1
e8269ae74a2506caac42bda07847ee49e21269de

SHA256
8117839c79e53705ee4a2592c669967018de9e3966313c016906fd070c47f6f3

SHA512
a9c633ee22622e28a81d4dde35997834271f13c7752f944e41634eb095a23c84cba395c57b8849a1610c9c969df7d73d1df2438d8c6e272e4529467b5189ca7a

Download Submit
C:\Windows\{BD818016-198E-44c6-A735-E58E5355B6E5}.exe

Filesize
90KB

MD5
ff05cd32cc67e598b966d7602cc16959

SHA1
a59d493a7bd5562bd2d59314c54df20d11bc8e5f

SHA256
9ec0b3be435d091d5c65986e747f0bd7d2c752ea8a180ccb24fc2d9105c4a059

SHA512
6e51ed44a21ccb5098d593819387e04f7540f2f555ec99a4d9d75754154da458c1ea639a4dfdfe817f7801e661db3584741d4ddc6ae3a6dea4c9ecde87a1dd56

Download Submit
C:\Windows\{DF30488B-5F88-4ce1-B3BC-A87B8B9540DA}.exe

Filesize
90KB

MD5
1ef78a2503c95e03b36fbdbe9cb871f2

SHA1
ec2376dd2be1f8fbfa6d9bd751ed9295f2ab46ae

SHA256
453b5fb4abb4d3bd857a20527bd40ce8f3e0d9207126e0611bccf228454a575b

SHA512
67b44b887d46e48ef891a2225cee72cff501b491ab853d71fac04d24fa5480cb25fae105b272c8c761d8c6031df69d233a5de729d27882872d956f8f65b84c20

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads