af49509d027c6d0231a8477eba91531016c4dbea01c87a971fd076397d1121c4

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

246e108c6780c7fe176adda9e736e0c0N.exe
Size

60KB
MD5

246e108c6780c7fe176adda9e736e0c0
SHA1

0523d81eb08d4fa42f191870cd3147795fe3a7cb
SHA256

af49509d027c6d0231a8477eba91531016c4dbea01c87a971fd076397d1121c4
SHA512

f3b181d04b9312c90e4cdcd5d89ab7872febbcb0c91ad38a13e20a4260822242bf3ba56360b3afeb038e2b7712ea1f5eef6453e7e8b4227a1df160fa35ea0a71
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqweY04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLrok4/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7039659-5B83-4925-AF5F-8EE4A724AEC2}	{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}	246e108c6780c7fe176adda9e736e0c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}\stubpath = "C:\\Windows\\{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe"	246e108c6780c7fe176adda9e736e0c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28E692D5-93A3-499b-B9AD-5296DE7D25C5}	{F7039659-5B83-4925-AF5F-8EE4A724AEC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28E692D5-93A3-499b-B9AD-5296DE7D25C5}\stubpath = "C:\\Windows\\{28E692D5-93A3-499b-B9AD-5296DE7D25C5}.exe"	{F7039659-5B83-4925-AF5F-8EE4A724AEC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D81B40D2-3CEC-4fab-A441-16F4A243CE76}\stubpath = "C:\\Windows\\{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe"	{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7847EE91-1847-4ca0-B2B8-F365E1776322}	{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7847EE91-1847-4ca0-B2B8-F365E1776322}\stubpath = "C:\\Windows\\{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe"	{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}	{3A1016F2-1086-444c-81E3-519A708860FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}\stubpath = "C:\\Windows\\{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe"	{3A1016F2-1086-444c-81E3-519A708860FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7039659-5B83-4925-AF5F-8EE4A724AEC2}\stubpath = "C:\\Windows\\{F7039659-5B83-4925-AF5F-8EE4A724AEC2}.exe"	{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}	{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}\stubpath = "C:\\Windows\\{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe"	{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D81B40D2-3CEC-4fab-A441-16F4A243CE76}	{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}	{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}\stubpath = "C:\\Windows\\{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe"	{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A1016F2-1086-444c-81E3-519A708860FA}	{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A1016F2-1086-444c-81E3-519A708860FA}\stubpath = "C:\\Windows\\{3A1016F2-1086-444c-81E3-519A708860FA}.exe"	{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe

Deletes itself 1 IoCs

pid	Process
1536	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2832	{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe
2600	{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe
2440	{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe
2028	{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe
2740	{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe
1908	{3A1016F2-1086-444c-81E3-519A708860FA}.exe
1820	{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe
1372	{F7039659-5B83-4925-AF5F-8EE4A724AEC2}.exe
2844	{28E692D5-93A3-499b-B9AD-5296DE7D25C5}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe	246e108c6780c7fe176adda9e736e0c0N.exe
File created	C:\Windows\{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe	{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe
File created	C:\Windows\{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe	{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe
File created	C:\Windows\{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe	{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe
File created	C:\Windows\{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe	{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe
File created	C:\Windows\{3A1016F2-1086-444c-81E3-519A708860FA}.exe	{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe
File created	C:\Windows\{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe	{3A1016F2-1086-444c-81E3-519A708860FA}.exe
File created	C:\Windows\{F7039659-5B83-4925-AF5F-8EE4A724AEC2}.exe	{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe
File created	C:\Windows\{28E692D5-93A3-499b-B9AD-5296DE7D25C5}.exe	{F7039659-5B83-4925-AF5F-8EE4A724AEC2}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2808	246e108c6780c7fe176adda9e736e0c0N.exe
Token: SeIncBasePriorityPrivilege	2832	{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe
Token: SeIncBasePriorityPrivilege	2600	{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe
Token: SeIncBasePriorityPrivilege	2440	{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe
Token: SeIncBasePriorityPrivilege	2028	{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe
Token: SeIncBasePriorityPrivilege	2740	{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe
Token: SeIncBasePriorityPrivilege	1908	{3A1016F2-1086-444c-81E3-519A708860FA}.exe
Token: SeIncBasePriorityPrivilege	1820	{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe
Token: SeIncBasePriorityPrivilege	1372	{F7039659-5B83-4925-AF5F-8EE4A724AEC2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2832	2808	246e108c6780c7fe176adda9e736e0c0N.exe	29
PID 2808 wrote to memory of 2832	2808	246e108c6780c7fe176adda9e736e0c0N.exe	29
PID 2808 wrote to memory of 2832	2808	246e108c6780c7fe176adda9e736e0c0N.exe	29
PID 2808 wrote to memory of 2832	2808	246e108c6780c7fe176adda9e736e0c0N.exe	29
PID 2808 wrote to memory of 1536	2808	246e108c6780c7fe176adda9e736e0c0N.exe	30
PID 2808 wrote to memory of 1536	2808	246e108c6780c7fe176adda9e736e0c0N.exe	30
PID 2808 wrote to memory of 1536	2808	246e108c6780c7fe176adda9e736e0c0N.exe	30
PID 2808 wrote to memory of 1536	2808	246e108c6780c7fe176adda9e736e0c0N.exe	30
PID 2832 wrote to memory of 2600	2832	{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe	31
PID 2832 wrote to memory of 2600	2832	{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe	31
PID 2832 wrote to memory of 2600	2832	{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe	31
PID 2832 wrote to memory of 2600	2832	{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe	31
PID 2832 wrote to memory of 2464	2832	{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe	32
PID 2832 wrote to memory of 2464	2832	{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe	32
PID 2832 wrote to memory of 2464	2832	{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe	32
PID 2832 wrote to memory of 2464	2832	{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe	32
PID 2600 wrote to memory of 2440	2600	{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe	33
PID 2600 wrote to memory of 2440	2600	{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe	33
PID 2600 wrote to memory of 2440	2600	{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe	33
PID 2600 wrote to memory of 2440	2600	{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe	33
PID 2600 wrote to memory of 2468	2600	{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe	34
PID 2600 wrote to memory of 2468	2600	{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe	34
PID 2600 wrote to memory of 2468	2600	{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe	34
PID 2600 wrote to memory of 2468	2600	{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe	34
PID 2440 wrote to memory of 2028	2440	{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe	35
PID 2440 wrote to memory of 2028	2440	{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe	35
PID 2440 wrote to memory of 2028	2440	{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe	35
PID 2440 wrote to memory of 2028	2440	{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe	35
PID 2440 wrote to memory of 1332	2440	{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe	36
PID 2440 wrote to memory of 1332	2440	{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe	36
PID 2440 wrote to memory of 1332	2440	{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe	36
PID 2440 wrote to memory of 1332	2440	{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe	36
PID 2028 wrote to memory of 2740	2028	{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe	37
PID 2028 wrote to memory of 2740	2028	{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe	37
PID 2028 wrote to memory of 2740	2028	{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe	37
PID 2028 wrote to memory of 2740	2028	{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe	37
PID 2028 wrote to memory of 2764	2028	{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe	38
PID 2028 wrote to memory of 2764	2028	{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe	38
PID 2028 wrote to memory of 2764	2028	{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe	38
PID 2028 wrote to memory of 2764	2028	{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe	38
PID 2740 wrote to memory of 1908	2740	{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe	39
PID 2740 wrote to memory of 1908	2740	{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe	39
PID 2740 wrote to memory of 1908	2740	{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe	39
PID 2740 wrote to memory of 1908	2740	{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe	39
PID 2740 wrote to memory of 2172	2740	{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe	40
PID 2740 wrote to memory of 2172	2740	{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe	40
PID 2740 wrote to memory of 2172	2740	{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe	40
PID 2740 wrote to memory of 2172	2740	{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe	40
PID 1908 wrote to memory of 1820	1908	{3A1016F2-1086-444c-81E3-519A708860FA}.exe	41
PID 1908 wrote to memory of 1820	1908	{3A1016F2-1086-444c-81E3-519A708860FA}.exe	41
PID 1908 wrote to memory of 1820	1908	{3A1016F2-1086-444c-81E3-519A708860FA}.exe	41
PID 1908 wrote to memory of 1820	1908	{3A1016F2-1086-444c-81E3-519A708860FA}.exe	41
PID 1908 wrote to memory of 1176	1908	{3A1016F2-1086-444c-81E3-519A708860FA}.exe	42
PID 1908 wrote to memory of 1176	1908	{3A1016F2-1086-444c-81E3-519A708860FA}.exe	42
PID 1908 wrote to memory of 1176	1908	{3A1016F2-1086-444c-81E3-519A708860FA}.exe	42
PID 1908 wrote to memory of 1176	1908	{3A1016F2-1086-444c-81E3-519A708860FA}.exe	42
PID 1820 wrote to memory of 1372	1820	{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe	43
PID 1820 wrote to memory of 1372	1820	{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe	43
PID 1820 wrote to memory of 1372	1820	{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe	43
PID 1820 wrote to memory of 1372	1820	{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe	43
PID 1820 wrote to memory of 2020	1820	{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe	44
PID 1820 wrote to memory of 2020	1820	{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe	44
PID 1820 wrote to memory of 2020	1820	{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe	44
PID 1820 wrote to memory of 2020	1820	{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe	44

C:\Users\Admin\AppData\Local\Temp\246e108c6780c7fe176adda9e736e0c0N.exe
"C:\Users\Admin\AppData\Local\Temp\246e108c6780c7fe176adda9e736e0c0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe
  C:\Windows\{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe
    C:\Windows\{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe
      C:\Windows\{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe
        
        C:\Windows\{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Windows\{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe
        
        C:\Windows\{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\{3A1016F2-1086-444c-81E3-519A708860FA}.exe
        
        C:\Windows\{3A1016F2-1086-444c-81E3-519A708860FA}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe
        
        C:\Windows\{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\{F7039659-5B83-4925-AF5F-8EE4A724AEC2}.exe
        
        C:\Windows\{F7039659-5B83-4925-AF5F-8EE4A724AEC2}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\{28E692D5-93A3-499b-B9AD-5296DE7D25C5}.exe
        
        C:\Windows\{28E692D5-93A3-499b-B9AD-5296DE7D25C5}.exe
        10⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7039~1.EXE > nul
        10⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAEC8~1.EXE > nul
        9⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A101~1.EXE > nul
        8⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7847E~1.EXE > nul
        7⤵
        
        PID:2172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12ED4~1.EXE > nul
        6⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D81B4~1.EXE > nul
        5⤵
        
        PID:1332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E73E8~1.EXE > nul
      4⤵
      PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C703A~1.EXE > nul
    3⤵
    PID:2464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\246E10~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12ED4C77-5A8C-44e6-BA0A-88D39B39C2F3}.exe

Filesize
60KB

MD5
ddada4e5cf653d07b2c7eee4a80c60ad

SHA1
9d4a4895c17500708c0e6c2d44ba29f0d11c48cc

SHA256
92af336d4508ded6aee2b25d836e10f8f4cee93d30620f337f6e98e639fda6d8

SHA512
07d01f30f6e5d5d5b396b8b24c324f02d7a40770f18c395609012e03063bf68410687a3f9c495872b064e7b1b430de36191bef71842f27f1388f1596c6805006

Download Submit
C:\Windows\{28E692D5-93A3-499b-B9AD-5296DE7D25C5}.exe

Filesize
60KB

MD5
11e25ad915bd7ace92e2df72a1771320

SHA1
4c495271bd697a04c507e5c15fdec87b07b890b4

SHA256
63ab66846d7b055b4dd50e610fe7b88f7654f957df75199f40386297ef4b8638

SHA512
6ae34d2962e154a7ae34ce6eed0554481636d31c4b2b3ef0528a1d2224f28ced775d158cb4758c10733c373f1434ea96fbe63e2fc01671aeed96921bccb1893d

Download Submit
C:\Windows\{3A1016F2-1086-444c-81E3-519A708860FA}.exe

Filesize
60KB

MD5
ff70a6a0d32552e59af5269816cf67af

SHA1
06ca7fe2dd7625630190f0338aeba3821ec95732

SHA256
10c33bd889a0bbda0babb815de84aff7db4022c4bab41710a504a59608f072e3

SHA512
79dd97dd7be1ba641c0da414707177bf204335e11427d4a3561667f8f988a2514312ef46b55b632d5b3d755f773851b411c3c1a23883033bc523689235feb828

Download Submit
C:\Windows\{7847EE91-1847-4ca0-B2B8-F365E1776322}.exe

Filesize
60KB

MD5
609f1a90818d323a3446753ee208d93d

SHA1
a1bf21a3fd7fac632017dd9bc06e61cb1fbc1804

SHA256
b227f3fb900a7f0e90ba283a3c57a26d5303cdcc2699892c65c5dc2e72eb0d75

SHA512
ef3385bbfde9f846f67c219cf5c984905d9736973165bb268565505c3f6370cede284d41f7dc63376dee867aafd08ce72360861b385ec99da4fe3472255065aa

Download Submit
C:\Windows\{BAEC8BC9-88BE-48c1-BCF1-7F584396D582}.exe

Filesize
60KB

MD5
574d785f79c4c51522fe19c5534345b9

SHA1
e5244004cca8118e403b9346626a17c03342c115

SHA256
670078c44746889d31ab06bcd6bda796331f2502cc480fed68cc0461cae330c8

SHA512
bcfce026952a8d88c7184fb61be311711766b77fcb5fd1b0b771b861df4f5825e60cec1470f55c890845bcc1f1fe0703029c9d3a53400875cb67eb6af1a9cdc9

Download Submit
C:\Windows\{C703ADB9-BFF0-4677-B6A3-36D2B84BF074}.exe

Filesize
60KB

MD5
50eed11b3ee09957726fec52a06f0a26

SHA1
e301344ac163620acba32af7baed2018e5d98536

SHA256
9fb25ddf7083bd5272c55a5dbbec6e0dcfded0caa2e72433704b3392aad9c3e2

SHA512
5f1b29e5078e69ca59a7ece9b5459c96b800735485c32ea3fb9370c0a4629a1ab11db5aa22c90026568093606d3d8dec73a00144bc49f29fa2911035b59c3cb1

Download Submit
C:\Windows\{D81B40D2-3CEC-4fab-A441-16F4A243CE76}.exe

Filesize
60KB

MD5
b5f98c8ccce4e43cdb00a3047acb593a

SHA1
6817e350dc7ae60158bbf102f1339807c9c48fc9

SHA256
edfd76b2f87f1027b8211abb2f0754712f9eb91ad0ac862df0bee0e8330969be

SHA512
0926edd29ebc71af6cb08c98bcd9ae29e889a260c18a9470ef5ab0edb25ebf14f35cbb3592b52195fa671413452976e943d20eef13288120e66f2889fa4f8051

Download Submit
C:\Windows\{E73E86F3-BF54-42e7-9FB0-AB859E7AD9A8}.exe

Filesize
60KB

MD5
98275deb17df09465f8a86d86602c088

SHA1
442a5920b07ec54ee99c309e8238002fe5997335

SHA256
2428ba367028b073c383b9c523cb4cb42777650fcfe05e1d37f3f3f2a3c3fd27

SHA512
24286248fb6234dac6b6555b88870edaf4b4d5945693a1c8bd189be3b09c0d281600e3b9207715f318f70377d4d1a672b0383e998eae0fb5d292040c7e9ca57c

Download Submit
C:\Windows\{F7039659-5B83-4925-AF5F-8EE4A724AEC2}.exe

Filesize
60KB

MD5
23831901bb4bf070afb40c5b319bd87f

SHA1
debf15ea8c76e9d59cdd802d3b1c91518eb3c8cd

SHA256
ad4bbdf8d657242f2be7e1af8ed081b0e8b843eb83b3240c1c83f39e6d032477

SHA512
24668490d7073dc462ccd0908b18516b13800f840a7f465078d18a356e266e1c50aafaa9cc99048902a39c8bbc07583418a668159991cce0a8ea1bb1a47f8b67

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads