7c2e71b4f84da16e4addc586bfbe8d24bb03e4a19502f9081c488341f0102dd7

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

997e8fd5e14ec1ceffe6cfc87a2ec600N.exe
Size

90KB
MD5

997e8fd5e14ec1ceffe6cfc87a2ec600
SHA1

8248d91c60297bebb85809c2992973d4ee6e9a34
SHA256

7c2e71b4f84da16e4addc586bfbe8d24bb03e4a19502f9081c488341f0102dd7
SHA512

e7f68130f3df9557626d2737b55b2cbb78f70b9b71a5ac84250f8cc9e3f6344268631e9860628e3d3fe6652d44428cea84e766577b6a57b277c6121e39055265
SSDEEP

768:Qvw9816vhKQLro/4/wQRNrfrunMxVFA3b7glw6:YEGh0o/l2unMxVS3Hgl

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57408319-B10F-496a-93ED-443C451653F2}	{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57408319-B10F-496a-93ED-443C451653F2}\stubpath = "C:\\Windows\\{57408319-B10F-496a-93ED-443C451653F2}.exe"	{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}	{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0551B2E-3B91-4f93-95DA-3E54A0C99622}	{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0551B2E-3B91-4f93-95DA-3E54A0C99622}\stubpath = "C:\\Windows\\{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe"	{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}	{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}\stubpath = "C:\\Windows\\{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe"	{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82E39BA6-C476-4e93-A17A-F28D8990A080}	997e8fd5e14ec1ceffe6cfc87a2ec600N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}\stubpath = "C:\\Windows\\{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe"	{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}	{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}\stubpath = "C:\\Windows\\{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe"	{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{997B69FA-514A-4e5a-9F9C-E679D2E97066}\stubpath = "C:\\Windows\\{997B69FA-514A-4e5a-9F9C-E679D2E97066}.exe"	{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7E8BCB3-6773-45f9-80EB-8E86CCE4EB78}	{997B69FA-514A-4e5a-9F9C-E679D2E97066}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82E39BA6-C476-4e93-A17A-F28D8990A080}\stubpath = "C:\\Windows\\{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe"	997e8fd5e14ec1ceffe6cfc87a2ec600N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{691C6E14-30FC-47f5-9449-586B197DD6E6}\stubpath = "C:\\Windows\\{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe"	{57408319-B10F-496a-93ED-443C451653F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{997B69FA-514A-4e5a-9F9C-E679D2E97066}	{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{691C6E14-30FC-47f5-9449-586B197DD6E6}	{57408319-B10F-496a-93ED-443C451653F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7E8BCB3-6773-45f9-80EB-8E86CCE4EB78}\stubpath = "C:\\Windows\\{D7E8BCB3-6773-45f9-80EB-8E86CCE4EB78}.exe"	{997B69FA-514A-4e5a-9F9C-E679D2E97066}.exe

Deletes itself 1 IoCs

pid	Process
2052	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1824	{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe
2888	{57408319-B10F-496a-93ED-443C451653F2}.exe
2960	{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe
2620	{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe
2296	{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe
2704	{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe
2676	{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe
1524	{997B69FA-514A-4e5a-9F9C-E679D2E97066}.exe
2180	{D7E8BCB3-6773-45f9-80EB-8E86CCE4EB78}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{57408319-B10F-496a-93ED-443C451653F2}.exe	{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe
File created	C:\Windows\{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe	{57408319-B10F-496a-93ED-443C451653F2}.exe
File created	C:\Windows\{997B69FA-514A-4e5a-9F9C-E679D2E97066}.exe	{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe
File created	C:\Windows\{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe	{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe
File created	C:\Windows\{D7E8BCB3-6773-45f9-80EB-8E86CCE4EB78}.exe	{997B69FA-514A-4e5a-9F9C-E679D2E97066}.exe
File created	C:\Windows\{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe	997e8fd5e14ec1ceffe6cfc87a2ec600N.exe
File created	C:\Windows\{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe	{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe
File created	C:\Windows\{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe	{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe
File created	C:\Windows\{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe	{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1604	997e8fd5e14ec1ceffe6cfc87a2ec600N.exe
Token: SeIncBasePriorityPrivilege	1824	{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe
Token: SeIncBasePriorityPrivilege	2888	{57408319-B10F-496a-93ED-443C451653F2}.exe
Token: SeIncBasePriorityPrivilege	2960	{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe
Token: SeIncBasePriorityPrivilege	2620	{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe
Token: SeIncBasePriorityPrivilege	2296	{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe
Token: SeIncBasePriorityPrivilege	2704	{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe
Token: SeIncBasePriorityPrivilege	2676	{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe
Token: SeIncBasePriorityPrivilege	1524	{997B69FA-514A-4e5a-9F9C-E679D2E97066}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1824	1604	997e8fd5e14ec1ceffe6cfc87a2ec600N.exe	30
PID 1604 wrote to memory of 1824	1604	997e8fd5e14ec1ceffe6cfc87a2ec600N.exe	30
PID 1604 wrote to memory of 1824	1604	997e8fd5e14ec1ceffe6cfc87a2ec600N.exe	30
PID 1604 wrote to memory of 1824	1604	997e8fd5e14ec1ceffe6cfc87a2ec600N.exe	30
PID 1604 wrote to memory of 2052	1604	997e8fd5e14ec1ceffe6cfc87a2ec600N.exe	31
PID 1604 wrote to memory of 2052	1604	997e8fd5e14ec1ceffe6cfc87a2ec600N.exe	31
PID 1604 wrote to memory of 2052	1604	997e8fd5e14ec1ceffe6cfc87a2ec600N.exe	31
PID 1604 wrote to memory of 2052	1604	997e8fd5e14ec1ceffe6cfc87a2ec600N.exe	31
PID 1824 wrote to memory of 2888	1824	{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe	33
PID 1824 wrote to memory of 2888	1824	{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe	33
PID 1824 wrote to memory of 2888	1824	{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe	33
PID 1824 wrote to memory of 2888	1824	{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe	33
PID 1824 wrote to memory of 2744	1824	{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe	34
PID 1824 wrote to memory of 2744	1824	{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe	34
PID 1824 wrote to memory of 2744	1824	{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe	34
PID 1824 wrote to memory of 2744	1824	{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe	34
PID 2888 wrote to memory of 2960	2888	{57408319-B10F-496a-93ED-443C451653F2}.exe	35
PID 2888 wrote to memory of 2960	2888	{57408319-B10F-496a-93ED-443C451653F2}.exe	35
PID 2888 wrote to memory of 2960	2888	{57408319-B10F-496a-93ED-443C451653F2}.exe	35
PID 2888 wrote to memory of 2960	2888	{57408319-B10F-496a-93ED-443C451653F2}.exe	35
PID 2888 wrote to memory of 2848	2888	{57408319-B10F-496a-93ED-443C451653F2}.exe	36
PID 2888 wrote to memory of 2848	2888	{57408319-B10F-496a-93ED-443C451653F2}.exe	36
PID 2888 wrote to memory of 2848	2888	{57408319-B10F-496a-93ED-443C451653F2}.exe	36
PID 2888 wrote to memory of 2848	2888	{57408319-B10F-496a-93ED-443C451653F2}.exe	36
PID 2960 wrote to memory of 2620	2960	{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe	37
PID 2960 wrote to memory of 2620	2960	{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe	37
PID 2960 wrote to memory of 2620	2960	{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe	37
PID 2960 wrote to memory of 2620	2960	{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe	37
PID 2960 wrote to memory of 2648	2960	{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe	38
PID 2960 wrote to memory of 2648	2960	{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe	38
PID 2960 wrote to memory of 2648	2960	{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe	38
PID 2960 wrote to memory of 2648	2960	{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe	38
PID 2620 wrote to memory of 2296	2620	{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe	39
PID 2620 wrote to memory of 2296	2620	{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe	39
PID 2620 wrote to memory of 2296	2620	{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe	39
PID 2620 wrote to memory of 2296	2620	{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe	39
PID 2620 wrote to memory of 804	2620	{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe	40
PID 2620 wrote to memory of 804	2620	{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe	40
PID 2620 wrote to memory of 804	2620	{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe	40
PID 2620 wrote to memory of 804	2620	{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe	40
PID 2296 wrote to memory of 2704	2296	{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe	41
PID 2296 wrote to memory of 2704	2296	{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe	41
PID 2296 wrote to memory of 2704	2296	{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe	41
PID 2296 wrote to memory of 2704	2296	{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe	41
PID 2296 wrote to memory of 2032	2296	{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe	42
PID 2296 wrote to memory of 2032	2296	{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe	42
PID 2296 wrote to memory of 2032	2296	{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe	42
PID 2296 wrote to memory of 2032	2296	{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe	42
PID 2704 wrote to memory of 2676	2704	{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe	43
PID 2704 wrote to memory of 2676	2704	{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe	43
PID 2704 wrote to memory of 2676	2704	{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe	43
PID 2704 wrote to memory of 2676	2704	{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe	43
PID 2704 wrote to memory of 2716	2704	{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe	44
PID 2704 wrote to memory of 2716	2704	{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe	44
PID 2704 wrote to memory of 2716	2704	{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe	44
PID 2704 wrote to memory of 2716	2704	{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe	44
PID 2676 wrote to memory of 1524	2676	{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe	45
PID 2676 wrote to memory of 1524	2676	{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe	45
PID 2676 wrote to memory of 1524	2676	{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe	45
PID 2676 wrote to memory of 1524	2676	{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe	45
PID 2676 wrote to memory of 1424	2676	{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe	46
PID 2676 wrote to memory of 1424	2676	{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe	46
PID 2676 wrote to memory of 1424	2676	{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe	46
PID 2676 wrote to memory of 1424	2676	{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe	46

C:\Users\Admin\AppData\Local\Temp\997e8fd5e14ec1ceffe6cfc87a2ec600N.exe
"C:\Users\Admin\AppData\Local\Temp\997e8fd5e14ec1ceffe6cfc87a2ec600N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe
  C:\Windows\{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\{57408319-B10F-496a-93ED-443C451653F2}.exe
    C:\Windows\{57408319-B10F-496a-93ED-443C451653F2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe
      C:\Windows\{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe
        
        C:\Windows\{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe
        
        C:\Windows\{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe
        
        C:\Windows\{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe
        
        C:\Windows\{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\{997B69FA-514A-4e5a-9F9C-E679D2E97066}.exe
        
        C:\Windows\{997B69FA-514A-4e5a-9F9C-E679D2E97066}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\{D7E8BCB3-6773-45f9-80EB-8E86CCE4EB78}.exe
        
        C:\Windows\{D7E8BCB3-6773-45f9-80EB-8E86CCE4EB78}.exe
        10⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{997B6~1.EXE > nul
        10⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E3AE~1.EXE > nul
        9⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0551~1.EXE > nul
        8⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDA72~1.EXE > nul
        7⤵
        
        PID:2032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D380~1.EXE > nul
        6⤵
        
        PID:804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{691C6~1.EXE > nul
        5⤵
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{57408~1.EXE > nul
      4⤵
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{82E39~1.EXE > nul
    3⤵
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\997E8F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{57408319-B10F-496a-93ED-443C451653F2}.exe

Filesize
90KB

MD5
2c723780f8382b71473c6e29a3fb264d

SHA1
4571ece9be2eb041de04a8edd4c4701f5122aa8d

SHA256
da7a91de9c45abf14af0810cd0d61e31d3f9768bee6d61d25b131895bba79a92

SHA512
cb035f474ee6e80ffad572f3b6dd5167ef041e6e5fee398d9baf019f24aab2d49c6d65ec35de8eb4c9bfc9aa9f46a1082175bfc9b37ea944f1fb0f3fb03fc27d

Download Submit
C:\Windows\{691C6E14-30FC-47f5-9449-586B197DD6E6}.exe

Filesize
90KB

MD5
d972bfcc8c86b112d3ab31439572f441

SHA1
3277c5c41e7e2afd15bfc53abd64bd00b769f203

SHA256
6c5facb82653df07859b10af74b8049f69c6ea06a140e2c4877f11d31daadf9f

SHA512
659d2c6cc0c25d2112115fde0623f666507756b07b8e033bf8e021522d19a7b2be8af2121235138aca636b05885f202c906ad9877c33ec375cfc78fab978c0ca

Download Submit
C:\Windows\{6D380F5A-DA3E-4415-ABE9-A6664A7904EE}.exe

Filesize
90KB

MD5
de992d78cb56901034dd70bafe4b557c

SHA1
cebb7bc188044ec70ee9c6239aea82cf14a845fe

SHA256
11bc2ae01df455b1f2e1e676688aac4056e893dff2b7c45cd01af2377e0f2751

SHA512
1f2ba37b2d58c68e0503d66421246e304c81b5878cff7363efe9ba8d2ae22e32bef2c15368eb1824977874cb8f193c9bd19530130019994b3523e6e5c69da3da

Download Submit
C:\Windows\{82E39BA6-C476-4e93-A17A-F28D8990A080}.exe

Filesize
90KB

MD5
0713307d5c7d69be1c6d8712bbe62d35

SHA1
8b07bb0212a3eb4acc7f9e308930fdba95c6bbf0

SHA256
f9f45d710c2cd636f21a9ab9b7cef49197efe752bb8582008c66f43a18e93643

SHA512
ba53cdafc2052f884588169c4866657f1dc88465fec5cfb101ed95366f8963a3efad3427559a2bf987d2ad3c40a5372b57c246faade6a9a66c9d4298a714a7de

Download Submit
C:\Windows\{997B69FA-514A-4e5a-9F9C-E679D2E97066}.exe

Filesize
90KB

MD5
74cf5d3f116b73d52e94165c94d245a6

SHA1
492cf4669db889e893f333235b03cb4e72e29eb7

SHA256
5e69126db0cae4ab9721e261d2c7e01db271118c81231d6cc817f7550360cf80

SHA512
22dc58a1545c4199c66d7b33e48d48a6325a8a58e922ae6e9bc655be2450b3ff458c66fba39864f0ee08423b36631164aa2d5d1f605ee75ac0e00b806f200e68

Download Submit
C:\Windows\{9E3AE1F8-1DE6-484d-B4BA-3383BF9E3F84}.exe

Filesize
90KB

MD5
8e1440edc71aa1aed57477fe156dda90

SHA1
f8373588d83a8c772ee0e00a5b2afe186907d9bd

SHA256
69b9c23b86da8dbc59d28de3af84073443a6e717856edf72fa2d67d5cf446afb

SHA512
3338fbd332f7f214226ba9606f0d92dbce16e31557fa68923fc8259d694751a39d8e852876fe779fcf48685a4ffe42eb86e3154114c002aadd33b3d4c6522800

Download Submit
C:\Windows\{BDA727AC-D88C-4dec-A6EE-0AD16B924DCD}.exe

Filesize
90KB

MD5
71b4d12ce67a55a056843729ea62025b

SHA1
c18f07678fc1c1701e12bd4f9de1dd2da24397c3

SHA256
76f392771ba02375f0a3df0cbc09c6300a8920c3a7453f3ff5b313af991344cb

SHA512
55318eaefe16e32a342e386bd7383aa823703de0573b69e3342f2fc24526ea72ae33e2e059ad2c842c51b6fa8dba6dfd7396841f1dcd3b91aec3ee56f4a54cc4

Download Submit
C:\Windows\{D7E8BCB3-6773-45f9-80EB-8E86CCE4EB78}.exe

Filesize
90KB

MD5
21938c545ab349fcdcf80ba5df7d3c01

SHA1
16d1e9bf81bbd007349c8a8862193d22ee78f952

SHA256
4e00804755278c4da35a570cd4d6922405104ef6456448bcdbb5936e1de97e0e

SHA512
d2a0073d27786ac7e19600de6f9f6c0071e951f4584a28be87dd00cb2d2f00a540a6140e2ed930a834664a5195826747e2f0dce9c6dfcf15c64c006be2351d44

Download Submit
C:\Windows\{F0551B2E-3B91-4f93-95DA-3E54A0C99622}.exe

Filesize
90KB

MD5
eb975f49b7461f2ef58cfe917fa24f4b

SHA1
a23b60cd930fb287983ae20250e6171b7a95737f

SHA256
b4fc161642da335dbf87d312558a0fe9062d3418e7ef699cd3cd891053084729

SHA512
3b1a098513440979f06833ed0f7968adb2b536f39633d8975bf1430940792357ffad3c4765a14b0596d3ad0dc50c1a43bb142b51e5e49ed6854470b58dc0e047

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads