4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe
Size

90KB
MD5

0326c71b0291122a302b68694d8705dc
SHA1

249185e7484a784a15f2e0f5eb8c943b8bfad379
SHA256

4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e
SHA512

94044f931a7241de228cefba1e179f4ad37732a514043ebbfc9574ba2b004c08a125ae63b38f6018124ae4ab86f7d7ac1bcea2e22dc3010a372c4088088e933f
SSDEEP

768:5vw981UMhKQLroU4/wQ4pNrfrunMxVFA3bA:lEG00oUl3zunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27638D64-366E-4791-81CC-48F36CC96C72}	{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2C38172-C308-439e-A8D5-3BD8232DACC1}	{27638D64-366E-4791-81CC-48F36CC96C72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E62A011-BEDC-4cc4-B6C1-99B740E6EB88}\stubpath = "C:\\Windows\\{1E62A011-BEDC-4cc4-B6C1-99B740E6EB88}.exe"	{01D309CF-029A-43b2-865E-64089BAC222C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ED5CF79-3866-4174-99B2-1E6E599B2135}\stubpath = "C:\\Windows\\{7ED5CF79-3866-4174-99B2-1E6E599B2135}.exe"	{1E62A011-BEDC-4cc4-B6C1-99B740E6EB88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{011DCBD3-1681-4dea-831D-8970A1E0B559}	{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{011DCBD3-1681-4dea-831D-8970A1E0B559}\stubpath = "C:\\Windows\\{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe"	{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80BC2E75-D590-4205-A58A-EDC1E5B23391}	{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01D309CF-029A-43b2-865E-64089BAC222C}\stubpath = "C:\\Windows\\{01D309CF-029A-43b2-865E-64089BAC222C}.exe"	{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E62A011-BEDC-4cc4-B6C1-99B740E6EB88}	{01D309CF-029A-43b2-865E-64089BAC222C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B72138E-A71F-4041-95FE-60BA1C752310}\stubpath = "C:\\Windows\\{4B72138E-A71F-4041-95FE-60BA1C752310}.exe"	{7ED5CF79-3866-4174-99B2-1E6E599B2135}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C252F05-DF91-4724-A1AD-014FDB7B98CD}\stubpath = "C:\\Windows\\{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe"	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80BC2E75-D590-4205-A58A-EDC1E5B23391}\stubpath = "C:\\Windows\\{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe"	{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}\stubpath = "C:\\Windows\\{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe"	{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2C38172-C308-439e-A8D5-3BD8232DACC1}\stubpath = "C:\\Windows\\{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe"	{27638D64-366E-4791-81CC-48F36CC96C72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01D309CF-029A-43b2-865E-64089BAC222C}	{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B72138E-A71F-4041-95FE-60BA1C752310}	{7ED5CF79-3866-4174-99B2-1E6E599B2135}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63F52E4E-F0BB-44d4-8A00-992410BE1A87}\stubpath = "C:\\Windows\\{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe"	{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}	{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ED5CF79-3866-4174-99B2-1E6E599B2135}	{1E62A011-BEDC-4cc4-B6C1-99B740E6EB88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C252F05-DF91-4724-A1AD-014FDB7B98CD}	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27638D64-366E-4791-81CC-48F36CC96C72}\stubpath = "C:\\Windows\\{27638D64-366E-4791-81CC-48F36CC96C72}.exe"	{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63F52E4E-F0BB-44d4-8A00-992410BE1A87}	{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe

Deletes itself 1 IoCs

pid	Process
2792	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1620	{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe
2880	{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe
2632	{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe
2668	{27638D64-366E-4791-81CC-48F36CC96C72}.exe
848	{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe
2808	{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe
2500	{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe
2496	{01D309CF-029A-43b2-865E-64089BAC222C}.exe
2372	{1E62A011-BEDC-4cc4-B6C1-99B740E6EB88}.exe
1432	{7ED5CF79-3866-4174-99B2-1E6E599B2135}.exe
1904	{4B72138E-A71F-4041-95FE-60BA1C752310}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe	{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe
File created	C:\Windows\{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe	{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe
File created	C:\Windows\{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe	{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe
File created	C:\Windows\{1E62A011-BEDC-4cc4-B6C1-99B740E6EB88}.exe	{01D309CF-029A-43b2-865E-64089BAC222C}.exe
File created	C:\Windows\{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe
File created	C:\Windows\{27638D64-366E-4791-81CC-48F36CC96C72}.exe	{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe
File created	C:\Windows\{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe	{27638D64-366E-4791-81CC-48F36CC96C72}.exe
File created	C:\Windows\{01D309CF-029A-43b2-865E-64089BAC222C}.exe	{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe
File created	C:\Windows\{7ED5CF79-3866-4174-99B2-1E6E599B2135}.exe	{1E62A011-BEDC-4cc4-B6C1-99B740E6EB88}.exe
File created	C:\Windows\{4B72138E-A71F-4041-95FE-60BA1C752310}.exe	{7ED5CF79-3866-4174-99B2-1E6E599B2135}.exe
File created	C:\Windows\{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe	{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1676	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe
Token: SeIncBasePriorityPrivilege	1620	{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe
Token: SeIncBasePriorityPrivilege	2880	{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe
Token: SeIncBasePriorityPrivilege	2632	{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe
Token: SeIncBasePriorityPrivilege	2668	{27638D64-366E-4791-81CC-48F36CC96C72}.exe
Token: SeIncBasePriorityPrivilege	848	{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe
Token: SeIncBasePriorityPrivilege	2808	{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe
Token: SeIncBasePriorityPrivilege	2500	{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe
Token: SeIncBasePriorityPrivilege	2496	{01D309CF-029A-43b2-865E-64089BAC222C}.exe
Token: SeIncBasePriorityPrivilege	2372	{1E62A011-BEDC-4cc4-B6C1-99B740E6EB88}.exe
Token: SeIncBasePriorityPrivilege	1432	{7ED5CF79-3866-4174-99B2-1E6E599B2135}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1620	1676	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe	31
PID 1676 wrote to memory of 1620	1676	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe	31
PID 1676 wrote to memory of 1620	1676	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe	31
PID 1676 wrote to memory of 1620	1676	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe	31
PID 1676 wrote to memory of 2792	1676	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe	32
PID 1676 wrote to memory of 2792	1676	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe	32
PID 1676 wrote to memory of 2792	1676	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe	32
PID 1676 wrote to memory of 2792	1676	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe	32
PID 1620 wrote to memory of 2880	1620	{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe	33
PID 1620 wrote to memory of 2880	1620	{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe	33
PID 1620 wrote to memory of 2880	1620	{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe	33
PID 1620 wrote to memory of 2880	1620	{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe	33
PID 1620 wrote to memory of 2712	1620	{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe	34
PID 1620 wrote to memory of 2712	1620	{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe	34
PID 1620 wrote to memory of 2712	1620	{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe	34
PID 1620 wrote to memory of 2712	1620	{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe	34
PID 2880 wrote to memory of 2632	2880	{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe	35
PID 2880 wrote to memory of 2632	2880	{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe	35
PID 2880 wrote to memory of 2632	2880	{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe	35
PID 2880 wrote to memory of 2632	2880	{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe	35
PID 2880 wrote to memory of 2744	2880	{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe	36
PID 2880 wrote to memory of 2744	2880	{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe	36
PID 2880 wrote to memory of 2744	2880	{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe	36
PID 2880 wrote to memory of 2744	2880	{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe	36
PID 2632 wrote to memory of 2668	2632	{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe	37
PID 2632 wrote to memory of 2668	2632	{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe	37
PID 2632 wrote to memory of 2668	2632	{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe	37
PID 2632 wrote to memory of 2668	2632	{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe	37
PID 2632 wrote to memory of 852	2632	{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe	38
PID 2632 wrote to memory of 852	2632	{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe	38
PID 2632 wrote to memory of 852	2632	{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe	38
PID 2632 wrote to memory of 852	2632	{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe	38
PID 2668 wrote to memory of 848	2668	{27638D64-366E-4791-81CC-48F36CC96C72}.exe	39
PID 2668 wrote to memory of 848	2668	{27638D64-366E-4791-81CC-48F36CC96C72}.exe	39
PID 2668 wrote to memory of 848	2668	{27638D64-366E-4791-81CC-48F36CC96C72}.exe	39
PID 2668 wrote to memory of 848	2668	{27638D64-366E-4791-81CC-48F36CC96C72}.exe	39
PID 2668 wrote to memory of 2324	2668	{27638D64-366E-4791-81CC-48F36CC96C72}.exe	40
PID 2668 wrote to memory of 2324	2668	{27638D64-366E-4791-81CC-48F36CC96C72}.exe	40
PID 2668 wrote to memory of 2324	2668	{27638D64-366E-4791-81CC-48F36CC96C72}.exe	40
PID 2668 wrote to memory of 2324	2668	{27638D64-366E-4791-81CC-48F36CC96C72}.exe	40
PID 848 wrote to memory of 2808	848	{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe	41
PID 848 wrote to memory of 2808	848	{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe	41
PID 848 wrote to memory of 2808	848	{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe	41
PID 848 wrote to memory of 2808	848	{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe	41
PID 848 wrote to memory of 2980	848	{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe	42
PID 848 wrote to memory of 2980	848	{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe	42
PID 848 wrote to memory of 2980	848	{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe	42
PID 848 wrote to memory of 2980	848	{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe	42
PID 2808 wrote to memory of 2500	2808	{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe	43
PID 2808 wrote to memory of 2500	2808	{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe	43
PID 2808 wrote to memory of 2500	2808	{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe	43
PID 2808 wrote to memory of 2500	2808	{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe	43
PID 2808 wrote to memory of 1980	2808	{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe	44
PID 2808 wrote to memory of 1980	2808	{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe	44
PID 2808 wrote to memory of 1980	2808	{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe	44
PID 2808 wrote to memory of 1980	2808	{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe	44
PID 2500 wrote to memory of 2496	2500	{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe	45
PID 2500 wrote to memory of 2496	2500	{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe	45
PID 2500 wrote to memory of 2496	2500	{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe	45
PID 2500 wrote to memory of 2496	2500	{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe	45
PID 2500 wrote to memory of 1364	2500	{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe	46
PID 2500 wrote to memory of 1364	2500	{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe	46
PID 2500 wrote to memory of 1364	2500	{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe	46
PID 2500 wrote to memory of 1364	2500	{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe	46

C:\Users\Admin\AppData\Local\Temp\4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe
"C:\Users\Admin\AppData\Local\Temp\4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe
  C:\Windows\{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe
    C:\Windows\{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe
      C:\Windows\{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{27638D64-366E-4791-81CC-48F36CC96C72}.exe
        
        C:\Windows\{27638D64-366E-4791-81CC-48F36CC96C72}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe
        
        C:\Windows\{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe
        
        C:\Windows\{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe
        
        C:\Windows\{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{01D309CF-029A-43b2-865E-64089BAC222C}.exe
        
        C:\Windows\{01D309CF-029A-43b2-865E-64089BAC222C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\{1E62A011-BEDC-4cc4-B6C1-99B740E6EB88}.exe
        
        C:\Windows\{1E62A011-BEDC-4cc4-B6C1-99B740E6EB88}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\{7ED5CF79-3866-4174-99B2-1E6E599B2135}.exe
        
        C:\Windows\{7ED5CF79-3866-4174-99B2-1E6E599B2135}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\{4B72138E-A71F-4041-95FE-60BA1C752310}.exe
        
        C:\Windows\{4B72138E-A71F-4041-95FE-60BA1C752310}.exe
        12⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ED5C~1.EXE > nul
        12⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E62A~1.EXE > nul
        11⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01D30~1.EXE > nul
        10⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0F1C~1.EXE > nul
        9⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63F52~1.EXE > nul
        8⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2C38~1.EXE > nul
        7⤵
        
        PID:2980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27638~1.EXE > nul
        6⤵
        
        PID:2324
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80BC2~1.EXE > nul
        5⤵
        
        PID:852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{011DC~1.EXE > nul
      4⤵
      PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5C252~1.EXE > nul
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4ACE50~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{011DCBD3-1681-4dea-831D-8970A1E0B559}.exe

Filesize
90KB

MD5
baad1f80b4b1d1db2b84daa812a258f6

SHA1
cd14807fd34cc69f7d44771af398cdf591cbfd8d

SHA256
0ad29a61414cf847424c2b6ecd222486cf75acffcf63085720986606cd24e77a

SHA512
dddc8bbc61814495538cfc2592ae5e83bd546b2f5f955bc847399c8d44d933ccde790910eeef81bc12e909cb6b7c40f7eae9b12aa56978422fc7bd0bcd67aa18

Download Submit
C:\Windows\{01D309CF-029A-43b2-865E-64089BAC222C}.exe

Filesize
90KB

MD5
8df596446cff0638b06b257796209473

SHA1
9921ffcb9b191ff20b4a36a71d0a0c3d881099d8

SHA256
56a04f5efe6467de1acdd880b5aac5b76c91477859e77d6fb3001f31bfab79d4

SHA512
f4c92c274fd95f890d4e2634c306459029d4312e3eb901cd1edb731f365c308342793e2bc5437c7bd3329d747d620e282ad51f535afc4edf4baf02e51271a332

Download Submit
C:\Windows\{1E62A011-BEDC-4cc4-B6C1-99B740E6EB88}.exe

Filesize
90KB

MD5
54defae3365b90580f3b85b844379bd8

SHA1
097838a98867b53f1742313e66b7d8c3f312d459

SHA256
f22575153f1df21ca8253e2743a305c5abb7f28ea4f960181555a8f51f3db0f2

SHA512
469575ba56faec06ed1dd336fa886fe2744f9cdcd225afb74293f86dad4db0085fe9803700600067625c2c9ee9b889ea547104f1e07035ab87791b03a47b492f

Download Submit
C:\Windows\{27638D64-366E-4791-81CC-48F36CC96C72}.exe

Filesize
90KB

MD5
e29a533c92aee09eca8c004c498cfbc1

SHA1
d811510a26e40abe75f5a984b1db46d65f77ff7c

SHA256
f72bcce5f530f7666576fd5cddc9abac6c011003c227d41905ff8c60a5ef54d9

SHA512
f774ab0e1e1a2e58e7aada81d4a148b80b9a0a882cc8b8914de2bcc20c07eb4800b857fa1184ecf95eeaac159810c43ec5ccf5164934257e5a213b2b1ca3ce3b

Download Submit
C:\Windows\{4B72138E-A71F-4041-95FE-60BA1C752310}.exe

Filesize
90KB

MD5
a6f4e563ec30edfd3d11a2eb908082a5

SHA1
9a1d6a6bb682b8833cdd4c3b989b55b6b9afeb88

SHA256
527d29d6729dbffbb73b95fffbb1a76390d9ce713567d954853a357bda336ce0

SHA512
203600f32017eee8b62ba481d984f5f3f1e5210cc96bbdc3e4facb8ea39080daa58fbb312e1aee92166c3bc59f7168d463b1a3f3dd11a2d3518cbc4baacd846e

Download Submit
C:\Windows\{5C252F05-DF91-4724-A1AD-014FDB7B98CD}.exe

Filesize
90KB

MD5
f672cc633d3a56d537385971a4c0834b

SHA1
437d3d31717a28bc442f06d19822620a8eed7a37

SHA256
ee89223d8b7ee2d96cb1d3e9415f913e643d3e794a15b6687259edaad6bbedd8

SHA512
aead99c43f5a36c748652cedf6dd46e033d1d8250ee8570a9ab904cc54c1cb089fe9c550517c76b82a21e39e81899cb694691daf741822b0f2ecab073e2c3968

Download Submit
C:\Windows\{63F52E4E-F0BB-44d4-8A00-992410BE1A87}.exe

Filesize
90KB

MD5
686597795f085e75b98a20648cf872b4

SHA1
34ad47698fc1b816b7506a63a06a007fa09bea6d

SHA256
29956228a4e8689151d51451b27b4a258c9debbe16a75958e5643667d1527695

SHA512
a1712682b09fee923e25156b2728e6e975b422613858e34bdde3f6864fb957d16acd7216d8b66b46cc50fbb2a38a2fcbe679ca94eb873af251d89da5d0a7f733

Download Submit
C:\Windows\{7ED5CF79-3866-4174-99B2-1E6E599B2135}.exe

Filesize
90KB

MD5
3d61a944b01249728a7b011e04472f2e

SHA1
aba6ea352cf0ced5a51f3a79261bc1c4b3c52775

SHA256
f66e414cfe947db24b95c78889bf5f503d244ff9edac9bba62cf88d244f4dbd4

SHA512
6a18d7efefee0d7339d0b33a63694413a326418a8ea95d2ee641289bea7e0515fd2e2b121c5582b64febf3979dc85071652b342d1e191533a53f374e70833387

Download Submit
C:\Windows\{80BC2E75-D590-4205-A58A-EDC1E5B23391}.exe

Filesize
90KB

MD5
36e2104bc9d24b08d1d081be43634f44

SHA1
d7780de9a8411ea60b46ce440a1221f5855d2793

SHA256
a1e124e1b8b251767b6f17ffff635f654651fb0e677e17c2c4d873c81499827a

SHA512
7b52fca9cc4a3ce446a59ffd655509283acb71456a5813ee39774eb6d9dede4b202a65ff08e8bbb0a7950febef8ca12e15c9ae10895f8b67f8dd5bcea2a314d3

Download Submit
C:\Windows\{C0F1CAEA-D91B-41e4-BF16-F91C0D4638FD}.exe

Filesize
90KB

MD5
721e03d4208d9c41be42877143b26dc2

SHA1
29dc4422dc67bf69b479fba001f1e4223bd054ec

SHA256
2c98811aa8d3154b28e7d4a8c95f76bd493e134a663df8b93d48616172e52004

SHA512
51631b71d7d874bd5c876e56e72093caf1c01a683355995b934245f6c09b2a5d73ff2b9421406fb76d4fa33b0d58b6f68e63d32cc4524ffbdb383e40a13e461e

Download Submit
C:\Windows\{E2C38172-C308-439e-A8D5-3BD8232DACC1}.exe

Filesize
90KB

MD5
01b634ef75246587ac12574d1b1e0366

SHA1
30b28879d23c3968acee0e4b73aae2be6d417e55

SHA256
f9bf555daf3687c537f59113922229883ef8c8083a2415c6333b78092835eb5c

SHA512
c94235b472c239d4f276489b7af024b2c15dcdcbfb59b0911a4da0178272d1cb5921b29e447255964874fd4b1e8cf12befedc5be471519fc1e6797096ab653fc

Download Submit
memory/848-63-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/848-62-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/848-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/848-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1432-116-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/1432-107-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1432-118-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1432-115-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/1620-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1620-16-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/1620-17-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/1620-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1676-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1676-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1676-3-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/1904-119-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2372-108-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2372-105-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/2372-106-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/2372-97-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2496-96-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2496-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2496-93-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2496-94-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2500-74-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2500-86-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2500-84-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2500-79-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2632-39-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2632-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2632-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2632-40-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2668-47-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/2668-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2668-52-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/2668-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2808-73-0x00000000003C0000-0x00000000003D1000-memory.dmp

Filesize
68KB

Download
memory/2808-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2808-75-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2880-25-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/2880-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2880-30-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/2880-21-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads