86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 01:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070.exe
Size

76KB
MD5

76104353d5187a50619ca6c21f33850e
SHA1

811e3d3c45aef425340f46a57294ef0f2066de76
SHA256

86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070
SHA512

e4cfb0487daee0db67a5b96f7bff5c469edc58ad4ac9b45cbe5cf2dc94d14d19def0387466dc70f3e58f88b5f92e04af069c615171d7b085a927cf40ae334c9a
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLro44/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwU1:vvw9816vhKQLro44/wQRNrfrunMxVD

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B34A416A-E3E6-40c6-B7F4-97893BBC634D}\stubpath = "C:\\Windows\\{B34A416A-E3E6-40c6-B7F4-97893BBC634D}.exe"	{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}	{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}	{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FFF9BBC-2DCB-4172-B650-789BC121907D}\stubpath = "C:\\Windows\\{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe"	{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}\stubpath = "C:\\Windows\\{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe"	{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B34A416A-E3E6-40c6-B7F4-97893BBC634D}	{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D019D31-9721-47a6-B24D-0C9086A08DC5}	{B34A416A-E3E6-40c6-B7F4-97893BBC634D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FACA008B-46FB-4978-B36D-FB7557A3CC9F}	{7D019D31-9721-47a6-B24D-0C9086A08DC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}	86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}\stubpath = "C:\\Windows\\{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe"	86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}\stubpath = "C:\\Windows\\{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe"	{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FACA008B-46FB-4978-B36D-FB7557A3CC9F}\stubpath = "C:\\Windows\\{FACA008B-46FB-4978-B36D-FB7557A3CC9F}.exe"	{7D019D31-9721-47a6-B24D-0C9086A08DC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33372DFF-C346-4fea-A7F6-80250A04B18A}	{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}\stubpath = "C:\\Windows\\{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe"	{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FFF9BBC-2DCB-4172-B650-789BC121907D}	{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92389311-6A09-4027-81C6-ECB06FFE90AD}\stubpath = "C:\\Windows\\{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe"	{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D019D31-9721-47a6-B24D-0C9086A08DC5}\stubpath = "C:\\Windows\\{7D019D31-9721-47a6-B24D-0C9086A08DC5}.exe"	{B34A416A-E3E6-40c6-B7F4-97893BBC634D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A8E9094-1E33-429a-B736-A3431EFC7B0F}	{FACA008B-46FB-4978-B36D-FB7557A3CC9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A8E9094-1E33-429a-B736-A3431EFC7B0F}\stubpath = "C:\\Windows\\{2A8E9094-1E33-429a-B736-A3431EFC7B0F}.exe"	{FACA008B-46FB-4978-B36D-FB7557A3CC9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33372DFF-C346-4fea-A7F6-80250A04B18A}\stubpath = "C:\\Windows\\{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe"	{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}	{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92389311-6A09-4027-81C6-ECB06FFE90AD}	{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1192	{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe
2816	{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe
2760	{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe
2868	{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe
2344	{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe
2840	{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe
1388	{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe
1856	{B34A416A-E3E6-40c6-B7F4-97893BBC634D}.exe
2300	{7D019D31-9721-47a6-B24D-0C9086A08DC5}.exe
316	{FACA008B-46FB-4978-B36D-FB7557A3CC9F}.exe
2500	{2A8E9094-1E33-429a-B736-A3431EFC7B0F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe	{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe
File created	C:\Windows\{FACA008B-46FB-4978-B36D-FB7557A3CC9F}.exe	{7D019D31-9721-47a6-B24D-0C9086A08DC5}.exe
File created	C:\Windows\{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe	86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070.exe
File created	C:\Windows\{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe	{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe
File created	C:\Windows\{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe	{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe
File created	C:\Windows\{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe	{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe
File created	C:\Windows\{2A8E9094-1E33-429a-B736-A3431EFC7B0F}.exe	{FACA008B-46FB-4978-B36D-FB7557A3CC9F}.exe
File created	C:\Windows\{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe	{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe
File created	C:\Windows\{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe	{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe
File created	C:\Windows\{B34A416A-E3E6-40c6-B7F4-97893BBC634D}.exe	{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe
File created	C:\Windows\{7D019D31-9721-47a6-B24D-0C9086A08DC5}.exe	{B34A416A-E3E6-40c6-B7F4-97893BBC634D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2360	86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070.exe
Token: SeIncBasePriorityPrivilege	1192	{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe
Token: SeIncBasePriorityPrivilege	2816	{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe
Token: SeIncBasePriorityPrivilege	2760	{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe
Token: SeIncBasePriorityPrivilege	2868	{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe
Token: SeIncBasePriorityPrivilege	2344	{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe
Token: SeIncBasePriorityPrivilege	2840	{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe
Token: SeIncBasePriorityPrivilege	1388	{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe
Token: SeIncBasePriorityPrivilege	1856	{B34A416A-E3E6-40c6-B7F4-97893BBC634D}.exe
Token: SeIncBasePriorityPrivilege	2300	{7D019D31-9721-47a6-B24D-0C9086A08DC5}.exe
Token: SeIncBasePriorityPrivilege	316	{FACA008B-46FB-4978-B36D-FB7557A3CC9F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1192	2360	86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070.exe	31
PID 2360 wrote to memory of 1192	2360	86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070.exe	31
PID 2360 wrote to memory of 1192	2360	86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070.exe	31
PID 2360 wrote to memory of 1192	2360	86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070.exe	31
PID 2360 wrote to memory of 2548	2360	86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070.exe	32
PID 2360 wrote to memory of 2548	2360	86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070.exe	32
PID 2360 wrote to memory of 2548	2360	86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070.exe	32
PID 2360 wrote to memory of 2548	2360	86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070.exe	32
PID 1192 wrote to memory of 2816	1192	{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe	33
PID 1192 wrote to memory of 2816	1192	{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe	33
PID 1192 wrote to memory of 2816	1192	{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe	33
PID 1192 wrote to memory of 2816	1192	{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe	33
PID 1192 wrote to memory of 3032	1192	{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe	34
PID 1192 wrote to memory of 3032	1192	{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe	34
PID 1192 wrote to memory of 3032	1192	{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe	34
PID 1192 wrote to memory of 3032	1192	{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe	34
PID 2816 wrote to memory of 2760	2816	{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe	35
PID 2816 wrote to memory of 2760	2816	{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe	35
PID 2816 wrote to memory of 2760	2816	{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe	35
PID 2816 wrote to memory of 2760	2816	{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe	35
PID 2816 wrote to memory of 2852	2816	{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe	36
PID 2816 wrote to memory of 2852	2816	{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe	36
PID 2816 wrote to memory of 2852	2816	{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe	36
PID 2816 wrote to memory of 2852	2816	{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe	36
PID 2760 wrote to memory of 2868	2760	{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe	37
PID 2760 wrote to memory of 2868	2760	{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe	37
PID 2760 wrote to memory of 2868	2760	{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe	37
PID 2760 wrote to memory of 2868	2760	{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe	37
PID 2760 wrote to memory of 2616	2760	{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe	38
PID 2760 wrote to memory of 2616	2760	{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe	38
PID 2760 wrote to memory of 2616	2760	{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe	38
PID 2760 wrote to memory of 2616	2760	{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe	38
PID 2868 wrote to memory of 2344	2868	{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe	39
PID 2868 wrote to memory of 2344	2868	{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe	39
PID 2868 wrote to memory of 2344	2868	{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe	39
PID 2868 wrote to memory of 2344	2868	{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe	39
PID 2868 wrote to memory of 1964	2868	{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe	40
PID 2868 wrote to memory of 1964	2868	{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe	40
PID 2868 wrote to memory of 1964	2868	{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe	40
PID 2868 wrote to memory of 1964	2868	{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe	40
PID 2344 wrote to memory of 2840	2344	{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe	41
PID 2344 wrote to memory of 2840	2344	{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe	41
PID 2344 wrote to memory of 2840	2344	{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe	41
PID 2344 wrote to memory of 2840	2344	{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe	41
PID 2344 wrote to memory of 2932	2344	{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe	42
PID 2344 wrote to memory of 2932	2344	{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe	42
PID 2344 wrote to memory of 2932	2344	{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe	42
PID 2344 wrote to memory of 2932	2344	{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe	42
PID 2840 wrote to memory of 1388	2840	{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe	43
PID 2840 wrote to memory of 1388	2840	{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe	43
PID 2840 wrote to memory of 1388	2840	{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe	43
PID 2840 wrote to memory of 1388	2840	{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe	43
PID 2840 wrote to memory of 2832	2840	{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe	44
PID 2840 wrote to memory of 2832	2840	{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe	44
PID 2840 wrote to memory of 2832	2840	{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe	44
PID 2840 wrote to memory of 2832	2840	{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe	44
PID 1388 wrote to memory of 1856	1388	{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe	45
PID 1388 wrote to memory of 1856	1388	{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe	45
PID 1388 wrote to memory of 1856	1388	{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe	45
PID 1388 wrote to memory of 1856	1388	{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe	45
PID 1388 wrote to memory of 1776	1388	{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe	46
PID 1388 wrote to memory of 1776	1388	{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe	46
PID 1388 wrote to memory of 1776	1388	{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe	46
PID 1388 wrote to memory of 1776	1388	{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe	46

C:\Users\Admin\AppData\Local\Temp\86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070.exe
"C:\Users\Admin\AppData\Local\Temp\86dd6ed1c3ec1636ef17c7ac49d5a041a9ad2a89cca89765fb6209bed3cc5070.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe
  C:\Windows\{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe
    C:\Windows\{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe
      C:\Windows\{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe
        
        C:\Windows\{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe
        
        C:\Windows\{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe
        
        C:\Windows\{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe
        
        C:\Windows\{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\{B34A416A-E3E6-40c6-B7F4-97893BBC634D}.exe
        
        C:\Windows\{B34A416A-E3E6-40c6-B7F4-97893BBC634D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\{7D019D31-9721-47a6-B24D-0C9086A08DC5}.exe
        
        C:\Windows\{7D019D31-9721-47a6-B24D-0C9086A08DC5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\{FACA008B-46FB-4978-B36D-FB7557A3CC9F}.exe
        
        C:\Windows\{FACA008B-46FB-4978-B36D-FB7557A3CC9F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\{2A8E9094-1E33-429a-B736-A3431EFC7B0F}.exe
        
        C:\Windows\{2A8E9094-1E33-429a-B736-A3431EFC7B0F}.exe
        12⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FACA0~1.EXE > nul
        12⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D019~1.EXE > nul
        11⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B34A4~1.EXE > nul
        10⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FFF9~1.EXE > nul
        9⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0DBF~1.EXE > nul
        8⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92389~1.EXE > nul
        7⤵
        
        PID:2932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91C9F~1.EXE > nul
        6⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E21E3~1.EXE > nul
        5⤵
        
        PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{33372~1.EXE > nul
      4⤵
      PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AC8DB~1.EXE > nul
    3⤵
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\86DD6E~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2A8E9094-1E33-429a-B736-A3431EFC7B0F}.exe

Filesize
76KB

MD5
25e686acd218ade2e43d2bbf01274738

SHA1
138a9c4ba3114bc665669c82843205a1e9bfcbc7

SHA256
32bf93d59a7c050c1cb7dc3b834163a28848f7e4142222416c39c7b224239d37

SHA512
79c73d7daf89f005164a61a1a6d41dafe6724d948e5098cce660e6477a605b4d8a2e45909ebe66c2314499587a6bd0060af25c0a06dcee01cf3080ed4b05451f

Download Submit
C:\Windows\{33372DFF-C346-4fea-A7F6-80250A04B18A}.exe

Filesize
76KB

MD5
9434e9f719012ab5ccad48c08c5fafa1

SHA1
b70c066efb8ff34c535c492d4148d5f73db4abad

SHA256
533b13ef4a0e3dc457b51d55c6457a01bee02e76a960503c537c7918704e8966

SHA512
b558d8ed34a7dc68651324036362219db2ce22e425ebc5ce4df71ea738208f469e8e87233b82cd7154fc804e9a2d78507e6607c578949d0db6867e4a45d55b48

Download Submit
C:\Windows\{4FFF9BBC-2DCB-4172-B650-789BC121907D}.exe

Filesize
76KB

MD5
15457fde5ac2367271684d28449a8b4c

SHA1
24ec42d0d94dbb05784913c6e400131ac5e19bf0

SHA256
f4fc0f41ccf24c4e7fcdd694279eade5d201d553585ad053e283f8f488969a65

SHA512
b3fbdbcd1a87b2a557be19a2551bed7ba217d637da4e772d085488edf552dd11a13f28ce2b232587c8fefada615c159bdb80e5c232b9e9750827c3d5552c2caf

Download Submit
C:\Windows\{7D019D31-9721-47a6-B24D-0C9086A08DC5}.exe

Filesize
76KB

MD5
ba045c5fe4014cb9fc8dc3171858ee2f

SHA1
8b4041697be9606e87582515bc582a0b609164e2

SHA256
486b124225ef558efb864c6da0aad3772ac25759754d35a94092762a012b20af

SHA512
fdc1cf66c5b8765a1cbe7cd127eb15fdaba273f4032dbbfe1811dfecaae71f5026860d83f3154d40432caf2946adc7266f5531820ecea80d4b7f3e4d443c1d9f

Download Submit
C:\Windows\{91C9FA95-C7FF-4e37-B881-7DE3EAEB7189}.exe

Filesize
76KB

MD5
816360a4d22a40dd361e9784c34e9770

SHA1
9f0baf3cbd9757783b870a818b32118749286197

SHA256
5229845a202ad9974c57829a11470e37810d3bb008781a11b3243c5428d70f16

SHA512
3efb776d3781bbb503008fa37c853853e6a5c1dfd0288af4449163abb9a72adfcda0217e1f3b42a115266a5c8a17e9b21476b4141c89ef373fbbe855c8096be1

Download Submit
C:\Windows\{92389311-6A09-4027-81C6-ECB06FFE90AD}.exe

Filesize
76KB

MD5
66f8ba5b8cc68705e79e62f63aa45a37

SHA1
cca2bb6f228c8f60c8222f84a30c95a86cba1532

SHA256
14c34fd151102f9b016c032cc3e6d5cc28c2bcfca4b2a5b3dc1a613b33981148

SHA512
d95e5ff9c139cd6060c15196b4efe6283b3fd07794110532dd3c1f5dd6fbfa4ce0c011a0393e973fe9598a4251c2293086077a111e43b78631b29121faccbf0c

Download Submit
C:\Windows\{A0DBFF23-E9F7-4a3e-AF98-0A536A57C501}.exe

Filesize
76KB

MD5
daac6a025e1ef0e918cf286a17d75ee2

SHA1
944ca01d63b905a76dc8281d0c8602ad0e8c6e3d

SHA256
137bc1683874942c7b2f0a406d441705a811817a39df881d58934861ea1ea8fa

SHA512
e8e37725ae7c37cd4030c79d312aeda27024aed9d0f27d876dc915dd49b74f8b846ee5851f68641c3c92ba8ea2b41857df04a14937cc39b8b70a19aed1e0fba9

Download Submit
C:\Windows\{AC8DBA07-8F06-46f7-8DFD-C9A2096B035E}.exe

Filesize
76KB

MD5
61ada932dee1f5fbbc9de8d14c36eb85

SHA1
e272dd00e09046b3973ae4877805f10c85eb5786

SHA256
40f124d2c1db12ad03c73bf39e368166816514eb37531939ce5330d8b9e5b998

SHA512
18877955427a89e984ec392aba8d549e5858d3878c77ff3afdcc50e838c1165a6edcca9682cc80a8cc080b902838b0a4876a003bde1b40f4f11e2f9bdbe3656c

Download Submit
C:\Windows\{B34A416A-E3E6-40c6-B7F4-97893BBC634D}.exe

Filesize
76KB

MD5
1b3ee6aa899230cf7802b15f88122228

SHA1
252294922a07abb95dc1224f18b289dd18442353

SHA256
6fa5bfddd2c40ced7cf258125e27a3e6ca34ad377807fd1c34e7fc904f43a9ec

SHA512
d162a9ec7224831cecb9d05a8c52baa26514587434cf7bc6c7d51402976274d443826606e286e1c7d881bd5c12621193533c8575d5d049eb76104a3030ab2ae9

Download Submit
C:\Windows\{E21E3D88-0503-4b2b-AFFC-EADB8B8CF535}.exe

Filesize
76KB

MD5
9fc7d1455749202dcbb1bb16c17be275

SHA1
a8b39ddfde73a2c8f23689112c6b52f71efdb66b

SHA256
58e006fb6beb23ec75de9aa83c7d8918f1a718ef9730f461d2749f69ff270c5b

SHA512
a5273e2d23601271921c6f6238c913b1414a7c0d642f440832da085476bc0ddfc8622e53bf949b9a4b0b2bdbab77fcc2142ef37f38faf27ca73a993562eaf849

Download Submit
C:\Windows\{FACA008B-46FB-4978-B36D-FB7557A3CC9F}.exe

Filesize
76KB

MD5
0214671fc3bc168eba16ba570e0772cf

SHA1
89366c50d55110ed2601d4668a83e1fbcb1ba10a

SHA256
2ef36f84eea5fdcb16bee9715901e6b7b2e9365d6bd62b1153d786a75836e06d

SHA512
77f7a0d1f9706cc9cbac78751ba2b3547702274184355ce6b5d9cd18bd21e2a99fdb4d015adfe961de0c8c65e504166ba64dc6064c88aaceffd9719e1aabc942

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads