4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe
Size

90KB
MD5

0326c71b0291122a302b68694d8705dc
SHA1

249185e7484a784a15f2e0f5eb8c943b8bfad379
SHA256

4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e
SHA512

94044f931a7241de228cefba1e179f4ad37732a514043ebbfc9574ba2b004c08a125ae63b38f6018124ae4ab86f7d7ac1bcea2e22dc3010a372c4088088e933f
SSDEEP

768:5vw981UMhKQLroU4/wQ4pNrfrunMxVFA3bA:lEG00oUl3zunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}\stubpath = "C:\\Windows\\{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}.exe"	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}\stubpath = "C:\\Windows\\{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}.exe"	{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}	{BF55B94D-0390-4317-83D6-A87A2D01EF77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BFEC568-6F72-4742-9B60-46F8336BA6B1}	{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}\stubpath = "C:\\Windows\\{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}.exe"	{819AE4F1-65AD-4080-994E-E086B9897951}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF55B94D-0390-4317-83D6-A87A2D01EF77}\stubpath = "C:\\Windows\\{BF55B94D-0390-4317-83D6-A87A2D01EF77}.exe"	{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}\stubpath = "C:\\Windows\\{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}.exe"	{BF55B94D-0390-4317-83D6-A87A2D01EF77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8C925C9-249B-442a-93E4-25044E715C24}	{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}\stubpath = "C:\\Windows\\{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}.exe"	{D8C925C9-249B-442a-93E4-25044E715C24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}	{819AE4F1-65AD-4080-994E-E086B9897951}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D10CB7A6-4ECC-4ba9-B605-97569C11C641}\stubpath = "C:\\Windows\\{D10CB7A6-4ECC-4ba9-B605-97569C11C641}.exe"	{8BFEC568-6F72-4742-9B60-46F8336BA6B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBC5AE4C-A452-4f9d-9C9F-7C6C8E45D621}\stubpath = "C:\\Windows\\{DBC5AE4C-A452-4f9d-9C9F-7C6C8E45D621}.exe"	{D10CB7A6-4ECC-4ba9-B605-97569C11C641}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}	{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D28838D7-626D-43a6-8207-A9A43C33F89B}	{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{819AE4F1-65AD-4080-994E-E086B9897951}	{D28838D7-626D-43a6-8207-A9A43C33F89B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{819AE4F1-65AD-4080-994E-E086B9897951}\stubpath = "C:\\Windows\\{819AE4F1-65AD-4080-994E-E086B9897951}.exe"	{D28838D7-626D-43a6-8207-A9A43C33F89B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BFEC568-6F72-4742-9B60-46F8336BA6B1}\stubpath = "C:\\Windows\\{8BFEC568-6F72-4742-9B60-46F8336BA6B1}.exe"	{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D10CB7A6-4ECC-4ba9-B605-97569C11C641}	{8BFEC568-6F72-4742-9B60-46F8336BA6B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBC5AE4C-A452-4f9d-9C9F-7C6C8E45D621}	{D10CB7A6-4ECC-4ba9-B605-97569C11C641}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF55B94D-0390-4317-83D6-A87A2D01EF77}	{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8C925C9-249B-442a-93E4-25044E715C24}\stubpath = "C:\\Windows\\{D8C925C9-249B-442a-93E4-25044E715C24}.exe"	{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}	{D8C925C9-249B-442a-93E4-25044E715C24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D28838D7-626D-43a6-8207-A9A43C33F89B}\stubpath = "C:\\Windows\\{D28838D7-626D-43a6-8207-A9A43C33F89B}.exe"	{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}.exe

Executes dropped EXE 12 IoCs

pid	Process
3440	{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}.exe
2568	{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}.exe
4652	{BF55B94D-0390-4317-83D6-A87A2D01EF77}.exe
840	{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}.exe
2640	{D8C925C9-249B-442a-93E4-25044E715C24}.exe
2780	{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}.exe
4124	{D28838D7-626D-43a6-8207-A9A43C33F89B}.exe
4868	{819AE4F1-65AD-4080-994E-E086B9897951}.exe
4312	{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}.exe
2940	{8BFEC568-6F72-4742-9B60-46F8336BA6B1}.exe
4768	{D10CB7A6-4ECC-4ba9-B605-97569C11C641}.exe
1740	{DBC5AE4C-A452-4f9d-9C9F-7C6C8E45D621}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D28838D7-626D-43a6-8207-A9A43C33F89B}.exe	{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}.exe
File created	C:\Windows\{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}.exe	{819AE4F1-65AD-4080-994E-E086B9897951}.exe
File created	C:\Windows\{8BFEC568-6F72-4742-9B60-46F8336BA6B1}.exe	{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}.exe
File created	C:\Windows\{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}.exe	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe
File created	C:\Windows\{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}.exe	{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}.exe
File created	C:\Windows\{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}.exe	{BF55B94D-0390-4317-83D6-A87A2D01EF77}.exe
File created	C:\Windows\{D8C925C9-249B-442a-93E4-25044E715C24}.exe	{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}.exe
File created	C:\Windows\{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}.exe	{D8C925C9-249B-442a-93E4-25044E715C24}.exe
File created	C:\Windows\{DBC5AE4C-A452-4f9d-9C9F-7C6C8E45D621}.exe	{D10CB7A6-4ECC-4ba9-B605-97569C11C641}.exe
File created	C:\Windows\{BF55B94D-0390-4317-83D6-A87A2D01EF77}.exe	{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}.exe
File created	C:\Windows\{819AE4F1-65AD-4080-994E-E086B9897951}.exe	{D28838D7-626D-43a6-8207-A9A43C33F89B}.exe
File created	C:\Windows\{D10CB7A6-4ECC-4ba9-B605-97569C11C641}.exe	{8BFEC568-6F72-4742-9B60-46F8336BA6B1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1696	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe
Token: SeIncBasePriorityPrivilege	3440	{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}.exe
Token: SeIncBasePriorityPrivilege	2568	{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}.exe
Token: SeIncBasePriorityPrivilege	4652	{BF55B94D-0390-4317-83D6-A87A2D01EF77}.exe
Token: SeIncBasePriorityPrivilege	840	{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}.exe
Token: SeIncBasePriorityPrivilege	2640	{D8C925C9-249B-442a-93E4-25044E715C24}.exe
Token: SeIncBasePriorityPrivilege	2780	{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}.exe
Token: SeIncBasePriorityPrivilege	4124	{D28838D7-626D-43a6-8207-A9A43C33F89B}.exe
Token: SeIncBasePriorityPrivilege	4868	{819AE4F1-65AD-4080-994E-E086B9897951}.exe
Token: SeIncBasePriorityPrivilege	4312	{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}.exe
Token: SeIncBasePriorityPrivilege	2940	{8BFEC568-6F72-4742-9B60-46F8336BA6B1}.exe
Token: SeIncBasePriorityPrivilege	4768	{D10CB7A6-4ECC-4ba9-B605-97569C11C641}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 3440	1696	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe	83
PID 1696 wrote to memory of 3440	1696	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe	83
PID 1696 wrote to memory of 3440	1696	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe	83
PID 1696 wrote to memory of 2120	1696	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe	84
PID 1696 wrote to memory of 2120	1696	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe	84
PID 1696 wrote to memory of 2120	1696	4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe	84
PID 3440 wrote to memory of 2568	3440	{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}.exe	85
PID 3440 wrote to memory of 2568	3440	{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}.exe	85
PID 3440 wrote to memory of 2568	3440	{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}.exe	85
PID 3440 wrote to memory of 3116	3440	{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}.exe	86
PID 3440 wrote to memory of 3116	3440	{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}.exe	86
PID 3440 wrote to memory of 3116	3440	{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}.exe	86
PID 2568 wrote to memory of 4652	2568	{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}.exe	92
PID 2568 wrote to memory of 4652	2568	{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}.exe	92
PID 2568 wrote to memory of 4652	2568	{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}.exe	92
PID 2568 wrote to memory of 2392	2568	{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}.exe	93
PID 2568 wrote to memory of 2392	2568	{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}.exe	93
PID 2568 wrote to memory of 2392	2568	{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}.exe	93
PID 4652 wrote to memory of 840	4652	{BF55B94D-0390-4317-83D6-A87A2D01EF77}.exe	96
PID 4652 wrote to memory of 840	4652	{BF55B94D-0390-4317-83D6-A87A2D01EF77}.exe	96
PID 4652 wrote to memory of 840	4652	{BF55B94D-0390-4317-83D6-A87A2D01EF77}.exe	96
PID 4652 wrote to memory of 4484	4652	{BF55B94D-0390-4317-83D6-A87A2D01EF77}.exe	97
PID 4652 wrote to memory of 4484	4652	{BF55B94D-0390-4317-83D6-A87A2D01EF77}.exe	97
PID 4652 wrote to memory of 4484	4652	{BF55B94D-0390-4317-83D6-A87A2D01EF77}.exe	97
PID 840 wrote to memory of 2640	840	{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}.exe	98
PID 840 wrote to memory of 2640	840	{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}.exe	98
PID 840 wrote to memory of 2640	840	{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}.exe	98
PID 840 wrote to memory of 3080	840	{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}.exe	99
PID 840 wrote to memory of 3080	840	{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}.exe	99
PID 840 wrote to memory of 3080	840	{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}.exe	99
PID 2640 wrote to memory of 2780	2640	{D8C925C9-249B-442a-93E4-25044E715C24}.exe	100
PID 2640 wrote to memory of 2780	2640	{D8C925C9-249B-442a-93E4-25044E715C24}.exe	100
PID 2640 wrote to memory of 2780	2640	{D8C925C9-249B-442a-93E4-25044E715C24}.exe	100
PID 2640 wrote to memory of 1780	2640	{D8C925C9-249B-442a-93E4-25044E715C24}.exe	101
PID 2640 wrote to memory of 1780	2640	{D8C925C9-249B-442a-93E4-25044E715C24}.exe	101
PID 2640 wrote to memory of 1780	2640	{D8C925C9-249B-442a-93E4-25044E715C24}.exe	101
PID 2780 wrote to memory of 4124	2780	{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}.exe	102
PID 2780 wrote to memory of 4124	2780	{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}.exe	102
PID 2780 wrote to memory of 4124	2780	{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}.exe	102
PID 2780 wrote to memory of 2064	2780	{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}.exe	103
PID 2780 wrote to memory of 2064	2780	{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}.exe	103
PID 2780 wrote to memory of 2064	2780	{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}.exe	103
PID 4124 wrote to memory of 4868	4124	{D28838D7-626D-43a6-8207-A9A43C33F89B}.exe	104
PID 4124 wrote to memory of 4868	4124	{D28838D7-626D-43a6-8207-A9A43C33F89B}.exe	104
PID 4124 wrote to memory of 4868	4124	{D28838D7-626D-43a6-8207-A9A43C33F89B}.exe	104
PID 4124 wrote to memory of 2964	4124	{D28838D7-626D-43a6-8207-A9A43C33F89B}.exe	105
PID 4124 wrote to memory of 2964	4124	{D28838D7-626D-43a6-8207-A9A43C33F89B}.exe	105
PID 4124 wrote to memory of 2964	4124	{D28838D7-626D-43a6-8207-A9A43C33F89B}.exe	105
PID 4868 wrote to memory of 4312	4868	{819AE4F1-65AD-4080-994E-E086B9897951}.exe	106
PID 4868 wrote to memory of 4312	4868	{819AE4F1-65AD-4080-994E-E086B9897951}.exe	106
PID 4868 wrote to memory of 4312	4868	{819AE4F1-65AD-4080-994E-E086B9897951}.exe	106
PID 4868 wrote to memory of 5104	4868	{819AE4F1-65AD-4080-994E-E086B9897951}.exe	107
PID 4868 wrote to memory of 5104	4868	{819AE4F1-65AD-4080-994E-E086B9897951}.exe	107
PID 4868 wrote to memory of 5104	4868	{819AE4F1-65AD-4080-994E-E086B9897951}.exe	107
PID 4312 wrote to memory of 2940	4312	{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}.exe	108
PID 4312 wrote to memory of 2940	4312	{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}.exe	108
PID 4312 wrote to memory of 2940	4312	{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}.exe	108
PID 4312 wrote to memory of 1340	4312	{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}.exe	109
PID 4312 wrote to memory of 1340	4312	{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}.exe	109
PID 4312 wrote to memory of 1340	4312	{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}.exe	109
PID 2940 wrote to memory of 4768	2940	{8BFEC568-6F72-4742-9B60-46F8336BA6B1}.exe	110
PID 2940 wrote to memory of 4768	2940	{8BFEC568-6F72-4742-9B60-46F8336BA6B1}.exe	110
PID 2940 wrote to memory of 4768	2940	{8BFEC568-6F72-4742-9B60-46F8336BA6B1}.exe	110
PID 2940 wrote to memory of 3300	2940	{8BFEC568-6F72-4742-9B60-46F8336BA6B1}.exe	111

C:\Users\Admin\AppData\Local\Temp\4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe
"C:\Users\Admin\AppData\Local\Temp\4ace5014b62da53a3f1a26068625f8a3599b950e6abab7a806f693f91374075e.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}.exe
  C:\Windows\{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}.exe
    C:\Windows\{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\{BF55B94D-0390-4317-83D6-A87A2D01EF77}.exe
      C:\Windows\{BF55B94D-0390-4317-83D6-A87A2D01EF77}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4652
    - - C:\Windows\{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}.exe
        
        C:\Windows\{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
      - C:\Windows\{D8C925C9-249B-442a-93E4-25044E715C24}.exe
        
        C:\Windows\{D8C925C9-249B-442a-93E4-25044E715C24}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}.exe
        
        C:\Windows\{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{D28838D7-626D-43a6-8207-A9A43C33F89B}.exe
        
        C:\Windows\{D28838D7-626D-43a6-8207-A9A43C33F89B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\{819AE4F1-65AD-4080-994E-E086B9897951}.exe
        
        C:\Windows\{819AE4F1-65AD-4080-994E-E086B9897951}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}.exe
        
        C:\Windows\{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\{8BFEC568-6F72-4742-9B60-46F8336BA6B1}.exe
        
        C:\Windows\{8BFEC568-6F72-4742-9B60-46F8336BA6B1}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{D10CB7A6-4ECC-4ba9-B605-97569C11C641}.exe
        
        C:\Windows\{D10CB7A6-4ECC-4ba9-B605-97569C11C641}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Windows\{DBC5AE4C-A452-4f9d-9C9F-7C6C8E45D621}.exe
        
        C:\Windows\{DBC5AE4C-A452-4f9d-9C9F-7C6C8E45D621}.exe
        13⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D10CB~1.EXE > nul
        13⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BFEC~1.EXE > nul
        12⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA20A~1.EXE > nul
        11⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{819AE~1.EXE > nul
        10⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2883~1.EXE > nul
        9⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3CFC~1.EXE > nul
        8⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8C92~1.EXE > nul
        7⤵
        
        PID:1780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BA21~1.EXE > nul
        6⤵
        
        PID:3080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF55B~1.EXE > nul
        5⤵
        
        PID:4484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F03F9~1.EXE > nul
      4⤵
      PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{90B4A~1.EXE > nul
    3⤵
    PID:3116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4ACE50~1.EXE > nul
  2⤵
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{819AE4F1-65AD-4080-994E-E086B9897951}.exe

Filesize
90KB

MD5
418e5ff3568593e06849b6e08d72e61b

SHA1
0c25f376da2c9ee6c98a90018bd71377f72a2c3b

SHA256
c56edcc84945d6b2a339a679ce2e5f01a759673e0972bcf35cf567e0d3df0913

SHA512
bd68df4ff4fac285977aab3f936fd800645fe454b10fa89b3aae5612c7ccdc43820bd10a5a2540821902d90a0bb92b8939a4278786c46e94c32fb8192e4a0a35

Download Submit
C:\Windows\{8BFEC568-6F72-4742-9B60-46F8336BA6B1}.exe

Filesize
90KB

MD5
bb2662de7446d6f2455ad672be0db09b

SHA1
3356483fc34ed49ab1358f3ad80a3ab5c60e3adc

SHA256
17a87262dfe6d253cbc1d7424029e77706977636433a513975097c6ca2054e1c

SHA512
667d498f028d03b78ae56dccfd7f1b9d64fea4ce06a82a9040803368e5cdab6fdfcf99d24c05d269a951901c3f25e74c657615562cef7f680744ec0a68fa1985

Download Submit
C:\Windows\{90B4A5B1-F148-4cde-87BB-D9765DCBCB82}.exe

Filesize
90KB

MD5
afc87a235f3448121cd7b29d8836f211

SHA1
78a2db0e28d6aaefffd49b760f238b12954956e9

SHA256
107a8fec6e49803eaad05fae6e26e12032375ad64315bc39d7e8391de0a91915

SHA512
b25fb31ffbd7d6d5b5164703b3b3467ce78cbdb330aefee933f19461ccc0ac55f09411a2a7c56a7940b46d9aba1a888068e86637fee9117bc20a822cd765286a

Download Submit
C:\Windows\{9BA210D5-B98B-4291-9B1A-8CEA4181F1E4}.exe

Filesize
90KB

MD5
8ec284df3709d42f66ed32ad995d6da0

SHA1
faa728a2e3cd077113c6b9f1567e11c2b96896fa

SHA256
496d0087de8ca468b2105ae1c5f7dcdd6add2b00449d7d6021b8033a4d61bc5a

SHA512
37bee7922b1511b2d11de7634b328afef373113a7e75bb1985e25b9066926a2a0f8fb2486b2dd6079fe3b4ddb6d2d3a4c03814e9e23a2ec3b416fac0da96b470

Download Submit
C:\Windows\{B3CFCD70-FB61-4b44-ADEA-7BF55DD362B4}.exe

Filesize
90KB

MD5
6c74ea07fd92b127e33dab983e630b2f

SHA1
1c133d16304f86b14b83c1f4f34a94eddcdd1725

SHA256
06c20cc0cae4b94cecafe49921eade1e388e8aec6d36f0699ca9bc9258b8eaee

SHA512
595797c26c8b8eb496d449fa5b118745d1b93310af2e9862a0c61f071d4f275d04178ceb4d460d6772c6a9c37de66f1689f30ad54f5d4f6e35023f73aefdf948

Download Submit
C:\Windows\{BF55B94D-0390-4317-83D6-A87A2D01EF77}.exe

Filesize
90KB

MD5
761aaf3ccbbb67508a4db676230cef76

SHA1
0a2b9cbf6cb87a9e4e0e980585499a257c070faf

SHA256
c896537bb30d76facd015301e41c171feb4e64fd8e686ea63488afca67e0abc6

SHA512
d12d970e4d943590fcc7404bcc1628a02ed38d85208cb9182cc18ac397c43fe0665a055f777453ad73b76c2216cbb5d40903e39d4817f7601458ed394501a237

Download Submit
C:\Windows\{D10CB7A6-4ECC-4ba9-B605-97569C11C641}.exe

Filesize
90KB

MD5
8ca6c8f2d891a9f5f51d6b970dc90137

SHA1
a19da6b5bb5638e2ee2581627fdbf80899114e7e

SHA256
30a068f856bd58686979893051b6d7a547041221313efb1a7cd3de917ab1bab0

SHA512
b6e2cc28424cc14b854818b6977d3f73703b27b8adf0c3e38de27f8fa52bece111abda3771b2b2753e0545e7860c491aa530cd6e5f29cd53e7f3549d6e1c47c2

Download Submit
C:\Windows\{D28838D7-626D-43a6-8207-A9A43C33F89B}.exe

Filesize
90KB

MD5
20659075bd078cd8b37705bedfe9cd1f

SHA1
0ac541690f43f194d2f5f7c68702c69c699b0074

SHA256
c90a42515af1f96af69ffe77271ec22892a2342f73921e28887ee027df4f23a8

SHA512
3a50f8f58e008663ba7c03df0ec7449a9693e84341e2112e01934e321b8a019a8d5a08cf6f1de6e1555785dd099492b80a3fd33d16abc0f92cd2c3ca115c64d9

Download Submit
C:\Windows\{D8C925C9-249B-442a-93E4-25044E715C24}.exe

Filesize
90KB

MD5
39027cfd41675114974ae040620fac63

SHA1
814a40f7a99c39c0601c714f693027022e7eb74c

SHA256
32ed0aa927e3ac3adf7eb79aec14e943983f0ea408dcee7aea88b05bdb7b39c5

SHA512
59c9e07fdb65b846dad43bfcab7aca755e14e651cfcf2ccf3c187f0cc344a8b4dc550b9bf33490a83747708fce6dfe6778dd2bc5bbf7986e3eb12669276aace1

Download Submit
C:\Windows\{DBC5AE4C-A452-4f9d-9C9F-7C6C8E45D621}.exe

Filesize
90KB

MD5
1d3bf36d860e0344cd8704364b98248b

SHA1
10f0ad89057ce5722a7ba8a594edd1ee784ca650

SHA256
f66167d44ab314bbe856b0c109f4b3d3ec913a10fce5fd8592ee0547526e514f

SHA512
038eae88b3ed41b7f2201656feff0f3aa42c384478c20433357b17f2bc3b68cd0bdd3d91abda3ab41fb3cb468ba0bae3a20909044e37b30b97932a890c189aa6

Download Submit
C:\Windows\{F03F95B8-5F82-4528-AFC9-7FE0230E4FE3}.exe

Filesize
90KB

MD5
dfe20fd0e0ff11d43f60af4b6085e0c9

SHA1
c01fdfa43b4a3f4c2c3c0698245a6b45567df490

SHA256
a6005b7ab668b3b91dc3cd580198d859d234a7768be8d6103998665bceca2d82

SHA512
4987ac6544cfb1d680204bbc94551808e463d57afa8a767c860b94abd567d2a2b19a865e3e147543dfe3d0965ad71798d551d75183c89dbf167c3a93cd9114e6

Download Submit
C:\Windows\{FA20A5DF-946F-4c1a-8D11-16F7415DA2C3}.exe

Filesize
90KB

MD5
c8cd70bdfcb6ec7731d2f9c7e76fccea

SHA1
064cadbc40c529646d9dddc550d9257483866840

SHA256
1bb1921ac5f168b430eb340843a4a1f922dae818221538a90f556b4e514bf3d1

SHA512
e581a8b3cf6d06e3453bbf4a96859e1081f76efea775563bff41e8d7923562208f665530ab1b317392d32496476e856a6051f967a46d26e36037f82981d1e9de

Download Submit
memory/840-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/840-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1696-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1696-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2568-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2568-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2640-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2640-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2780-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2780-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2940-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3440-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3440-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4124-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4124-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4312-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4652-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4652-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4768-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4768-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4868-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4868-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads