9db2d0a43bd7a440891f9cc6c2c7d88068f0597626a4a30f33e35ea61ea663a8

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a371ab7572283b1dbe360a3da148bd0N.exe
Size

90KB
MD5

3a371ab7572283b1dbe360a3da148bd0
SHA1

489a21f1144f660a4058c9201f3e3b48558910db
SHA256

9db2d0a43bd7a440891f9cc6c2c7d88068f0597626a4a30f33e35ea61ea663a8
SHA512

e2a18e4ec8574e69c960736d716f2b54f764c157aab2609994b7bbfd413569a592aa14cbbd3f9167c8efcb1faa89218a8efb5ecc1a38173c55c73ca1d1e37b04
SSDEEP

768:Qvw9816vhKQLron4/wQRNrfrunMxVFA3b7glw6:YEGh0onl2unMxVS3Hgl

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{401FE555-015D-472a-AF53-7F06B5D4C199}\stubpath = "C:\\Windows\\{401FE555-015D-472a-AF53-7F06B5D4C199}.exe"	{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04BA35CE-594F-4baf-A9A5-1101252599E8}\stubpath = "C:\\Windows\\{04BA35CE-594F-4baf-A9A5-1101252599E8}.exe"	{5AD737AB-A05D-4775-A900-A90424699A93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90DD0AE3-1550-4f2a-B879-F46821642D68}	{04BA35CE-594F-4baf-A9A5-1101252599E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23F99A15-B549-4144-A654-AD23B6F0C902}	3a371ab7572283b1dbe360a3da148bd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}	{B34106AB-FE36-402d-BBD7-220319FCA499}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}	{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AD737AB-A05D-4775-A900-A90424699A93}\stubpath = "C:\\Windows\\{5AD737AB-A05D-4775-A900-A90424699A93}.exe"	{401FE555-015D-472a-AF53-7F06B5D4C199}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90DD0AE3-1550-4f2a-B879-F46821642D68}\stubpath = "C:\\Windows\\{90DD0AE3-1550-4f2a-B879-F46821642D68}.exe"	{04BA35CE-594F-4baf-A9A5-1101252599E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}\stubpath = "C:\\Windows\\{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe"	{B34106AB-FE36-402d-BBD7-220319FCA499}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56C23C43-DB1D-4516-B1CA-D36F57A6340F}	{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AD737AB-A05D-4775-A900-A90424699A93}	{401FE555-015D-472a-AF53-7F06B5D4C199}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04BA35CE-594F-4baf-A9A5-1101252599E8}	{5AD737AB-A05D-4775-A900-A90424699A93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23F99A15-B549-4144-A654-AD23B6F0C902}\stubpath = "C:\\Windows\\{23F99A15-B549-4144-A654-AD23B6F0C902}.exe"	3a371ab7572283b1dbe360a3da148bd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B34106AB-FE36-402d-BBD7-220319FCA499}\stubpath = "C:\\Windows\\{B34106AB-FE36-402d-BBD7-220319FCA499}.exe"	{23F99A15-B549-4144-A654-AD23B6F0C902}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{401FE555-015D-472a-AF53-7F06B5D4C199}	{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B34106AB-FE36-402d-BBD7-220319FCA499}	{23F99A15-B549-4144-A654-AD23B6F0C902}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}\stubpath = "C:\\Windows\\{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe"	{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56C23C43-DB1D-4516-B1CA-D36F57A6340F}\stubpath = "C:\\Windows\\{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe"	{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe

Deletes itself 1 IoCs

pid	Process
2996	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2320	{23F99A15-B549-4144-A654-AD23B6F0C902}.exe
2820	{B34106AB-FE36-402d-BBD7-220319FCA499}.exe
2768	{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe
2776	{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe
3000	{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe
2644	{401FE555-015D-472a-AF53-7F06B5D4C199}.exe
264	{5AD737AB-A05D-4775-A900-A90424699A93}.exe
824	{04BA35CE-594F-4baf-A9A5-1101252599E8}.exe
2052	{90DD0AE3-1550-4f2a-B879-F46821642D68}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{23F99A15-B549-4144-A654-AD23B6F0C902}.exe	3a371ab7572283b1dbe360a3da148bd0N.exe
File created	C:\Windows\{B34106AB-FE36-402d-BBD7-220319FCA499}.exe	{23F99A15-B549-4144-A654-AD23B6F0C902}.exe
File created	C:\Windows\{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe	{B34106AB-FE36-402d-BBD7-220319FCA499}.exe
File created	C:\Windows\{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe	{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe
File created	C:\Windows\{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe	{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe
File created	C:\Windows\{401FE555-015D-472a-AF53-7F06B5D4C199}.exe	{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe
File created	C:\Windows\{5AD737AB-A05D-4775-A900-A90424699A93}.exe	{401FE555-015D-472a-AF53-7F06B5D4C199}.exe
File created	C:\Windows\{04BA35CE-594F-4baf-A9A5-1101252599E8}.exe	{5AD737AB-A05D-4775-A900-A90424699A93}.exe
File created	C:\Windows\{90DD0AE3-1550-4f2a-B879-F46821642D68}.exe	{04BA35CE-594F-4baf-A9A5-1101252599E8}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1344	3a371ab7572283b1dbe360a3da148bd0N.exe
Token: SeIncBasePriorityPrivilege	2320	{23F99A15-B549-4144-A654-AD23B6F0C902}.exe
Token: SeIncBasePriorityPrivilege	2820	{B34106AB-FE36-402d-BBD7-220319FCA499}.exe
Token: SeIncBasePriorityPrivilege	2768	{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe
Token: SeIncBasePriorityPrivilege	2776	{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe
Token: SeIncBasePriorityPrivilege	3000	{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe
Token: SeIncBasePriorityPrivilege	2644	{401FE555-015D-472a-AF53-7F06B5D4C199}.exe
Token: SeIncBasePriorityPrivilege	264	{5AD737AB-A05D-4775-A900-A90424699A93}.exe
Token: SeIncBasePriorityPrivilege	824	{04BA35CE-594F-4baf-A9A5-1101252599E8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 2320	1344	3a371ab7572283b1dbe360a3da148bd0N.exe	31
PID 1344 wrote to memory of 2320	1344	3a371ab7572283b1dbe360a3da148bd0N.exe	31
PID 1344 wrote to memory of 2320	1344	3a371ab7572283b1dbe360a3da148bd0N.exe	31
PID 1344 wrote to memory of 2320	1344	3a371ab7572283b1dbe360a3da148bd0N.exe	31
PID 1344 wrote to memory of 2996	1344	3a371ab7572283b1dbe360a3da148bd0N.exe	32
PID 1344 wrote to memory of 2996	1344	3a371ab7572283b1dbe360a3da148bd0N.exe	32
PID 1344 wrote to memory of 2996	1344	3a371ab7572283b1dbe360a3da148bd0N.exe	32
PID 1344 wrote to memory of 2996	1344	3a371ab7572283b1dbe360a3da148bd0N.exe	32
PID 2320 wrote to memory of 2820	2320	{23F99A15-B549-4144-A654-AD23B6F0C902}.exe	33
PID 2320 wrote to memory of 2820	2320	{23F99A15-B549-4144-A654-AD23B6F0C902}.exe	33
PID 2320 wrote to memory of 2820	2320	{23F99A15-B549-4144-A654-AD23B6F0C902}.exe	33
PID 2320 wrote to memory of 2820	2320	{23F99A15-B549-4144-A654-AD23B6F0C902}.exe	33
PID 2320 wrote to memory of 2864	2320	{23F99A15-B549-4144-A654-AD23B6F0C902}.exe	34
PID 2320 wrote to memory of 2864	2320	{23F99A15-B549-4144-A654-AD23B6F0C902}.exe	34
PID 2320 wrote to memory of 2864	2320	{23F99A15-B549-4144-A654-AD23B6F0C902}.exe	34
PID 2320 wrote to memory of 2864	2320	{23F99A15-B549-4144-A654-AD23B6F0C902}.exe	34
PID 2820 wrote to memory of 2768	2820	{B34106AB-FE36-402d-BBD7-220319FCA499}.exe	35
PID 2820 wrote to memory of 2768	2820	{B34106AB-FE36-402d-BBD7-220319FCA499}.exe	35
PID 2820 wrote to memory of 2768	2820	{B34106AB-FE36-402d-BBD7-220319FCA499}.exe	35
PID 2820 wrote to memory of 2768	2820	{B34106AB-FE36-402d-BBD7-220319FCA499}.exe	35
PID 2820 wrote to memory of 2640	2820	{B34106AB-FE36-402d-BBD7-220319FCA499}.exe	36
PID 2820 wrote to memory of 2640	2820	{B34106AB-FE36-402d-BBD7-220319FCA499}.exe	36
PID 2820 wrote to memory of 2640	2820	{B34106AB-FE36-402d-BBD7-220319FCA499}.exe	36
PID 2820 wrote to memory of 2640	2820	{B34106AB-FE36-402d-BBD7-220319FCA499}.exe	36
PID 2768 wrote to memory of 2776	2768	{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe	37
PID 2768 wrote to memory of 2776	2768	{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe	37
PID 2768 wrote to memory of 2776	2768	{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe	37
PID 2768 wrote to memory of 2776	2768	{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe	37
PID 2768 wrote to memory of 2604	2768	{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe	38
PID 2768 wrote to memory of 2604	2768	{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe	38
PID 2768 wrote to memory of 2604	2768	{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe	38
PID 2768 wrote to memory of 2604	2768	{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe	38
PID 2776 wrote to memory of 3000	2776	{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe	39
PID 2776 wrote to memory of 3000	2776	{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe	39
PID 2776 wrote to memory of 3000	2776	{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe	39
PID 2776 wrote to memory of 3000	2776	{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe	39
PID 2776 wrote to memory of 2224	2776	{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe	40
PID 2776 wrote to memory of 2224	2776	{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe	40
PID 2776 wrote to memory of 2224	2776	{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe	40
PID 2776 wrote to memory of 2224	2776	{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe	40
PID 3000 wrote to memory of 2644	3000	{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe	41
PID 3000 wrote to memory of 2644	3000	{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe	41
PID 3000 wrote to memory of 2644	3000	{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe	41
PID 3000 wrote to memory of 2644	3000	{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe	41
PID 3000 wrote to memory of 2848	3000	{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe	42
PID 3000 wrote to memory of 2848	3000	{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe	42
PID 3000 wrote to memory of 2848	3000	{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe	42
PID 3000 wrote to memory of 2848	3000	{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe	42
PID 2644 wrote to memory of 264	2644	{401FE555-015D-472a-AF53-7F06B5D4C199}.exe	43
PID 2644 wrote to memory of 264	2644	{401FE555-015D-472a-AF53-7F06B5D4C199}.exe	43
PID 2644 wrote to memory of 264	2644	{401FE555-015D-472a-AF53-7F06B5D4C199}.exe	43
PID 2644 wrote to memory of 264	2644	{401FE555-015D-472a-AF53-7F06B5D4C199}.exe	43
PID 2644 wrote to memory of 1040	2644	{401FE555-015D-472a-AF53-7F06B5D4C199}.exe	44
PID 2644 wrote to memory of 1040	2644	{401FE555-015D-472a-AF53-7F06B5D4C199}.exe	44
PID 2644 wrote to memory of 1040	2644	{401FE555-015D-472a-AF53-7F06B5D4C199}.exe	44
PID 2644 wrote to memory of 1040	2644	{401FE555-015D-472a-AF53-7F06B5D4C199}.exe	44
PID 264 wrote to memory of 824	264	{5AD737AB-A05D-4775-A900-A90424699A93}.exe	45
PID 264 wrote to memory of 824	264	{5AD737AB-A05D-4775-A900-A90424699A93}.exe	45
PID 264 wrote to memory of 824	264	{5AD737AB-A05D-4775-A900-A90424699A93}.exe	45
PID 264 wrote to memory of 824	264	{5AD737AB-A05D-4775-A900-A90424699A93}.exe	45
PID 264 wrote to memory of 1580	264	{5AD737AB-A05D-4775-A900-A90424699A93}.exe	46
PID 264 wrote to memory of 1580	264	{5AD737AB-A05D-4775-A900-A90424699A93}.exe	46
PID 264 wrote to memory of 1580	264	{5AD737AB-A05D-4775-A900-A90424699A93}.exe	46
PID 264 wrote to memory of 1580	264	{5AD737AB-A05D-4775-A900-A90424699A93}.exe	46

C:\Users\Admin\AppData\Local\Temp\3a371ab7572283b1dbe360a3da148bd0N.exe
"C:\Users\Admin\AppData\Local\Temp\3a371ab7572283b1dbe360a3da148bd0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\{23F99A15-B549-4144-A654-AD23B6F0C902}.exe
  C:\Windows\{23F99A15-B549-4144-A654-AD23B6F0C902}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\{B34106AB-FE36-402d-BBD7-220319FCA499}.exe
    C:\Windows\{B34106AB-FE36-402d-BBD7-220319FCA499}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe
      C:\Windows\{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe
        
        C:\Windows\{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe
        
        C:\Windows\{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{401FE555-015D-472a-AF53-7F06B5D4C199}.exe
        
        C:\Windows\{401FE555-015D-472a-AF53-7F06B5D4C199}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\{5AD737AB-A05D-4775-A900-A90424699A93}.exe
        
        C:\Windows\{5AD737AB-A05D-4775-A900-A90424699A93}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\{04BA35CE-594F-4baf-A9A5-1101252599E8}.exe
        
        C:\Windows\{04BA35CE-594F-4baf-A9A5-1101252599E8}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
        
        C:\Windows\{90DD0AE3-1550-4f2a-B879-F46821642D68}.exe
        
        C:\Windows\{90DD0AE3-1550-4f2a-B879-F46821642D68}.exe
        10⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04BA3~1.EXE > nul
        10⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AD73~1.EXE > nul
        9⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{401FE~1.EXE > nul
        8⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56C23~1.EXE > nul
        7⤵
        
        PID:2848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46B5D~1.EXE > nul
        6⤵
        
        PID:2224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB391~1.EXE > nul
        5⤵
        
        PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3410~1.EXE > nul
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{23F99~1.EXE > nul
    3⤵
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A371A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04BA35CE-594F-4baf-A9A5-1101252599E8}.exe

Filesize
90KB

MD5
5662831172da6ae179046882c9ed5f7c

SHA1
be62f8849a7f3f810d5e00f25f4707e991e38df0

SHA256
f65bc8b48d1d3f16b9dc91062291939f771daa98e58aad66c4b37dc2df27b275

SHA512
0da625674783f70aecd3dd995e292083ca548d404ef7f963a4b44daf82d6f510c526b52fdb2de8b2d3327d6200fd57d7206c2483be21ac28270115e81c316733

Download Submit
C:\Windows\{23F99A15-B549-4144-A654-AD23B6F0C902}.exe

Filesize
90KB

MD5
dd0b3e54188e7dabed8b470be42ec53f

SHA1
1f9ada82569cd6f3a77f699c49ff3b5d5ca65c75

SHA256
69720ed9897397b284db9bd245308d9141fea961ec8233ad2dff5f60aa1328cb

SHA512
99fa4bc2692cd8b14648925cf1ddeb5478afc42c5bbd3a3db63ff6032e5271f7949a8b148bebbedecbfdb8233c2578bec0af3c9b51357a299d963b0098f16095

Download Submit
C:\Windows\{401FE555-015D-472a-AF53-7F06B5D4C199}.exe

Filesize
90KB

MD5
4e452d266cc2a9af8c8145e999ac4b71

SHA1
d02ada87f9c625a7a269e07288cc05b2b116b404

SHA256
1e08eef8e5f002f5c91ae4c6fd456c04c1f5527610233fef47e98fb94e2403c8

SHA512
0183aab97db6cbe4643a355623a3d6ecec3a55000899cc501c863b08c3fbfa06e9b2643f7d5d6d19b10e1a61d899399200ace0d4de4e1548c1448e033286089b

Download Submit
C:\Windows\{46B5DFEF-4DF1-4e6e-BCFF-8B174250DD7D}.exe

Filesize
90KB

MD5
5f4661ee7e11b2163bbe906a8d8e6679

SHA1
3a3c88287d3488392587e85255e3e9f5e87f736e

SHA256
338b938d268efb4c97680add3f7fe34c2593f35f17cbfe2ef19efb3d034bd3e0

SHA512
3583c4fdb5e6cc20fa6474a07d56d49f1b0306ae2e141b013a4047a965e6e0dff94145664686e45e40a9015b27de5d614fb1533bcf867a2a200c0c10ab816cf2

Download Submit
C:\Windows\{56C23C43-DB1D-4516-B1CA-D36F57A6340F}.exe

Filesize
90KB

MD5
bbd2ecb1af57235a25b19b8ceceae15f

SHA1
d8e8833aec3bd088b4c8b2f1a44912ca0b18ada0

SHA256
1651ec75422278c63ca8b4e4da4173be3a8afc4397f53277e28d504fe0d755fd

SHA512
b13c59d724d2a6479262563f36015ae8d03cf28b25eab3fcd703a87bd4a0e8ad90b8493105b0bad3bfc31d43aad202b9133558e5f3a2dce8b08bffd92aa894e9

Download Submit
C:\Windows\{5AD737AB-A05D-4775-A900-A90424699A93}.exe

Filesize
90KB

MD5
8f2d2ae14bfa65e869d90101dea48c23

SHA1
ad09c171cae8687e2506300fe4162a4997856b41

SHA256
bc6ae9a3a7a2d3f40f36933222d36cd80333a038717b182af6f79998c9734425

SHA512
21b6fde902782a1fc0ba585f20d7e5dbd99d459a59cd720b0f3ed1adc72c5576d3ff2f0dbd5b44179613b85de6c614ad3b35436b33d9ab09fef44f280abbefa1

Download Submit
C:\Windows\{90DD0AE3-1550-4f2a-B879-F46821642D68}.exe

Filesize
90KB

MD5
09a5d9c3acc14cd8114bfcb226e989ab

SHA1
11c2fce2c4de46243fe19c6b7ab47bdc69b7edfb

SHA256
7e5466ca763d6564196bada6c55dfa572c2e88e36592da58ae98c2fd692c8f65

SHA512
05ffcc1581b419c646111192e67cda63649687a0dd1412d8177e27a1d4d46e484cd6d197d5e6db4125eb6f82a73197fe57bfad7e49dc30c5330f227b6a9a951a

Download Submit
C:\Windows\{B34106AB-FE36-402d-BBD7-220319FCA499}.exe

Filesize
90KB

MD5
08224177383b372f6a543f635847df3e

SHA1
725545d8f99f0eebaa72ef41aed5efcc25bb35f7

SHA256
649e25b06691525ccc65e79eb173aba5ae29abbbf8aa559f2b45ce7db3000ee6

SHA512
01b6981d099c363faa0ad51d39d6d4b8b4b9e373748f9a308ded385f383516587e03e02f4c50b9c2e2b152e8a668e23a373beea2997fd4380f15b81fa60fa8c6

Download Submit
C:\Windows\{EB3914D4-D3CA-40fb-A9B5-BCA07FEBA5B2}.exe

Filesize
90KB

MD5
48e3b5df1311c76a955009a7be0c8b4a

SHA1
a1f87d937f8ce1668e13b96711b87ddcabce19b7

SHA256
fbd2f426651b856476a33281ec4999a697a4f01fc3913fa17dbbb121c6d9f98d

SHA512
830a56441ddc5e51bf535393969dd26069ed52d5d36cfded22d936879c0f524cb9120902c4926a8e60441713871c5d32424e8a43fb884194b0ae3f23be28d5c5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads