b0e6c97556c456edfb8a643f85e50e129be6dd5eab5ab617a6c8402f6512f873

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7594ce258f46e0eb7a44b946fb98a420N.exe
Size

60KB
MD5

7594ce258f46e0eb7a44b946fb98a420
SHA1

025e43c58df90d20c753db54c3ea83d7d82a1296
SHA256

b0e6c97556c456edfb8a643f85e50e129be6dd5eab5ab617a6c8402f6512f873
SHA512

04c5a55984435eba06b112cc799aaef4bd348280c3700d3fd9ba837e9961d5cc9a64a4598bbb63eb0cd49d6f8c7aba62a2686a8e9238e0dd0788d21d5d825c93
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroN4/CFsrdHWMZ:vvw9816vhKQLroN4/wQpWMZ

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}\stubpath = "C:\\Windows\\{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe"	7594ce258f46e0eb7a44b946fb98a420N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E9BD50-8C58-4f38-929E-8174922BFD86}	{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}	{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82F74726-AB1E-42e4-B1FE-5661897638E6}\stubpath = "C:\\Windows\\{82F74726-AB1E-42e4-B1FE-5661897638E6}.exe"	{82C08B8C-36E7-47fb-BA47-CBB12834E14C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}	7594ce258f46e0eb7a44b946fb98a420N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82F74726-AB1E-42e4-B1FE-5661897638E6}	{82C08B8C-36E7-47fb-BA47-CBB12834E14C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53D5652C-7395-41c3-A880-1584EEE6EB22}\stubpath = "C:\\Windows\\{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe"	{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}\stubpath = "C:\\Windows\\{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe"	{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{398E41EB-5597-4575-917C-6281013A241C}	{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{032387A4-0CFA-432f-AD6A-5D5B4260938E}	{398E41EB-5597-4575-917C-6281013A241C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B34A8E88-F85F-490b-A45E-BC664A82CA8B}	{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82C08B8C-36E7-47fb-BA47-CBB12834E14C}\stubpath = "C:\\Windows\\{82C08B8C-36E7-47fb-BA47-CBB12834E14C}.exe"	{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53D5652C-7395-41c3-A880-1584EEE6EB22}	{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E9BD50-8C58-4f38-929E-8174922BFD86}\stubpath = "C:\\Windows\\{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe"	{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{398E41EB-5597-4575-917C-6281013A241C}\stubpath = "C:\\Windows\\{398E41EB-5597-4575-917C-6281013A241C}.exe"	{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{032387A4-0CFA-432f-AD6A-5D5B4260938E}\stubpath = "C:\\Windows\\{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe"	{398E41EB-5597-4575-917C-6281013A241C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B34A8E88-F85F-490b-A45E-BC664A82CA8B}\stubpath = "C:\\Windows\\{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe"	{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82C08B8C-36E7-47fb-BA47-CBB12834E14C}	{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe

Deletes itself 1 IoCs

pid	Process
2460	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1528	{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe
2292	{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe
2652	{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe
2560	{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe
2696	{398E41EB-5597-4575-917C-6281013A241C}.exe
2500	{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe
3028	{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe
1740	{82C08B8C-36E7-47fb-BA47-CBB12834E14C}.exe
1480	{82F74726-AB1E-42e4-B1FE-5661897638E6}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe	7594ce258f46e0eb7a44b946fb98a420N.exe
File created	C:\Windows\{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe	{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe
File created	C:\Windows\{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe	{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe
File created	C:\Windows\{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe	{398E41EB-5597-4575-917C-6281013A241C}.exe
File created	C:\Windows\{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe	{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe
File created	C:\Windows\{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe	{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe
File created	C:\Windows\{398E41EB-5597-4575-917C-6281013A241C}.exe	{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe
File created	C:\Windows\{82C08B8C-36E7-47fb-BA47-CBB12834E14C}.exe	{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe
File created	C:\Windows\{82F74726-AB1E-42e4-B1FE-5661897638E6}.exe	{82C08B8C-36E7-47fb-BA47-CBB12834E14C}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2472	7594ce258f46e0eb7a44b946fb98a420N.exe
Token: SeIncBasePriorityPrivilege	1528	{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe
Token: SeIncBasePriorityPrivilege	2292	{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe
Token: SeIncBasePriorityPrivilege	2652	{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe
Token: SeIncBasePriorityPrivilege	2560	{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe
Token: SeIncBasePriorityPrivilege	2696	{398E41EB-5597-4575-917C-6281013A241C}.exe
Token: SeIncBasePriorityPrivilege	2500	{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe
Token: SeIncBasePriorityPrivilege	3028	{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe
Token: SeIncBasePriorityPrivilege	1740	{82C08B8C-36E7-47fb-BA47-CBB12834E14C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 1528	2472	7594ce258f46e0eb7a44b946fb98a420N.exe	29
PID 2472 wrote to memory of 1528	2472	7594ce258f46e0eb7a44b946fb98a420N.exe	29
PID 2472 wrote to memory of 1528	2472	7594ce258f46e0eb7a44b946fb98a420N.exe	29
PID 2472 wrote to memory of 1528	2472	7594ce258f46e0eb7a44b946fb98a420N.exe	29
PID 2472 wrote to memory of 2460	2472	7594ce258f46e0eb7a44b946fb98a420N.exe	30
PID 2472 wrote to memory of 2460	2472	7594ce258f46e0eb7a44b946fb98a420N.exe	30
PID 2472 wrote to memory of 2460	2472	7594ce258f46e0eb7a44b946fb98a420N.exe	30
PID 2472 wrote to memory of 2460	2472	7594ce258f46e0eb7a44b946fb98a420N.exe	30
PID 1528 wrote to memory of 2292	1528	{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe	31
PID 1528 wrote to memory of 2292	1528	{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe	31
PID 1528 wrote to memory of 2292	1528	{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe	31
PID 1528 wrote to memory of 2292	1528	{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe	31
PID 1528 wrote to memory of 2872	1528	{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe	32
PID 1528 wrote to memory of 2872	1528	{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe	32
PID 1528 wrote to memory of 2872	1528	{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe	32
PID 1528 wrote to memory of 2872	1528	{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe	32
PID 2292 wrote to memory of 2652	2292	{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe	33
PID 2292 wrote to memory of 2652	2292	{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe	33
PID 2292 wrote to memory of 2652	2292	{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe	33
PID 2292 wrote to memory of 2652	2292	{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe	33
PID 2292 wrote to memory of 2796	2292	{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe	34
PID 2292 wrote to memory of 2796	2292	{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe	34
PID 2292 wrote to memory of 2796	2292	{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe	34
PID 2292 wrote to memory of 2796	2292	{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe	34
PID 2652 wrote to memory of 2560	2652	{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe	35
PID 2652 wrote to memory of 2560	2652	{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe	35
PID 2652 wrote to memory of 2560	2652	{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe	35
PID 2652 wrote to memory of 2560	2652	{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe	35
PID 2652 wrote to memory of 2092	2652	{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe	36
PID 2652 wrote to memory of 2092	2652	{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe	36
PID 2652 wrote to memory of 2092	2652	{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe	36
PID 2652 wrote to memory of 2092	2652	{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe	36
PID 2560 wrote to memory of 2696	2560	{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe	37
PID 2560 wrote to memory of 2696	2560	{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe	37
PID 2560 wrote to memory of 2696	2560	{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe	37
PID 2560 wrote to memory of 2696	2560	{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe	37
PID 2560 wrote to memory of 2252	2560	{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe	38
PID 2560 wrote to memory of 2252	2560	{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe	38
PID 2560 wrote to memory of 2252	2560	{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe	38
PID 2560 wrote to memory of 2252	2560	{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe	38
PID 2696 wrote to memory of 2500	2696	{398E41EB-5597-4575-917C-6281013A241C}.exe	39
PID 2696 wrote to memory of 2500	2696	{398E41EB-5597-4575-917C-6281013A241C}.exe	39
PID 2696 wrote to memory of 2500	2696	{398E41EB-5597-4575-917C-6281013A241C}.exe	39
PID 2696 wrote to memory of 2500	2696	{398E41EB-5597-4575-917C-6281013A241C}.exe	39
PID 2696 wrote to memory of 3012	2696	{398E41EB-5597-4575-917C-6281013A241C}.exe	40
PID 2696 wrote to memory of 3012	2696	{398E41EB-5597-4575-917C-6281013A241C}.exe	40
PID 2696 wrote to memory of 3012	2696	{398E41EB-5597-4575-917C-6281013A241C}.exe	40
PID 2696 wrote to memory of 3012	2696	{398E41EB-5597-4575-917C-6281013A241C}.exe	40
PID 2500 wrote to memory of 3028	2500	{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe	41
PID 2500 wrote to memory of 3028	2500	{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe	41
PID 2500 wrote to memory of 3028	2500	{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe	41
PID 2500 wrote to memory of 3028	2500	{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe	41
PID 2500 wrote to memory of 2964	2500	{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe	42
PID 2500 wrote to memory of 2964	2500	{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe	42
PID 2500 wrote to memory of 2964	2500	{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe	42
PID 2500 wrote to memory of 2964	2500	{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe	42
PID 3028 wrote to memory of 1740	3028	{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe	43
PID 3028 wrote to memory of 1740	3028	{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe	43
PID 3028 wrote to memory of 1740	3028	{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe	43
PID 3028 wrote to memory of 1740	3028	{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe	43
PID 3028 wrote to memory of 2996	3028	{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe	44
PID 3028 wrote to memory of 2996	3028	{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe	44
PID 3028 wrote to memory of 2996	3028	{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe	44
PID 3028 wrote to memory of 2996	3028	{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe	44

C:\Users\Admin\AppData\Local\Temp\7594ce258f46e0eb7a44b946fb98a420N.exe
"C:\Users\Admin\AppData\Local\Temp\7594ce258f46e0eb7a44b946fb98a420N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe
  C:\Windows\{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe
    C:\Windows\{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe
      C:\Windows\{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe
        
        C:\Windows\{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\{398E41EB-5597-4575-917C-6281013A241C}.exe
        
        C:\Windows\{398E41EB-5597-4575-917C-6281013A241C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe
        
        C:\Windows\{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe
        
        C:\Windows\{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\{82C08B8C-36E7-47fb-BA47-CBB12834E14C}.exe
        
        C:\Windows\{82C08B8C-36E7-47fb-BA47-CBB12834E14C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\{82F74726-AB1E-42e4-B1FE-5661897638E6}.exe
        
        C:\Windows\{82F74726-AB1E-42e4-B1FE-5661897638E6}.exe
        10⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82C08~1.EXE > nul
        10⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B34A8~1.EXE > nul
        9⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03238~1.EXE > nul
        8⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{398E4~1.EXE > nul
        7⤵
        
        PID:3012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01DD7~1.EXE > nul
        6⤵
        
        PID:2252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59E9B~1.EXE > nul
        5⤵
        
        PID:2092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{53D56~1.EXE > nul
      4⤵
      PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{05315~1.EXE > nul
    3⤵
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7594CE~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01DD7A7D-C5BA-4d9f-8EA2-A45E7F30CA7B}.exe

Filesize
60KB

MD5
52d131a3522b77cee19322da3d6ca560

SHA1
f41254f06a7e1bd49e15c699c50a57e1ef6527c7

SHA256
e46658cac7dbf7e5aa07afeb4898f37ab5593fc12db3b02f65fc9d7d844be2f6

SHA512
a58505c7167aee7ac56edaccba28338f5b410fb34334cbd71fb4a8054561e8cb61362a804a5e67254db6614c5662d365b93f8f81c97db5b2ee87feffa6d7a7eb

Download Submit
C:\Windows\{032387A4-0CFA-432f-AD6A-5D5B4260938E}.exe

Filesize
60KB

MD5
c59a4afc9718adbc3aea7bc027967a7d

SHA1
145ca847ced9f36957fe18f53aef3ae781d3fc2d

SHA256
7f4f4655da973e3382962a20796164d5f5b0ea7b801977cc6d36a4c57b4edfac

SHA512
9e8d58a8b3a20f1c91f87588fdf5b0691401d1dcca4f99d972621adf09b16702e0af89256395d3966e88cfee01dde1e88378a03fa8366ac84224032e1ef02faa

Download Submit
C:\Windows\{05315F7F-4D78-42f1-B6F6-B6F1163D7B28}.exe

Filesize
60KB

MD5
2ae8b07c20621bde2239d56b0c4c13ec

SHA1
aeeed2e218a6d88201efb1bdbb4afdd7ce9dfe7c

SHA256
b80f64ede619d07c04a5f3d2aa285275a5b3a287dab388160ec0b919748296b2

SHA512
45650ba3b17c49ccaf946058c99e0276050a50d256f0662c53d51e51c8a38e7c9257b934a9e210874396863dfd1426cebd46eb4161617e8938467e01b109a65d

Download Submit
C:\Windows\{398E41EB-5597-4575-917C-6281013A241C}.exe

Filesize
60KB

MD5
a520a1c0f41ad2c7211b88e4479c1c8d

SHA1
9b27aaf1ed6a41f1d98e1a399acc3e6b6ab450ff

SHA256
e653b42307ba9013dd6fcb46fc913f45458f4765ffe191ad6ee1a86047a53608

SHA512
76e1d76bc651c1d67f91af30bb54576ac0d1a5bd6c274ad388616516f0fd99713016cb29ac2ec765172f262f7cab9695cdbcb7119ae33b9cadeeed41b9d46445

Download Submit
C:\Windows\{53D5652C-7395-41c3-A880-1584EEE6EB22}.exe

Filesize
60KB

MD5
ab38464d2b08fa51a993175510edd70a

SHA1
f7fdd7330f4e3b2ee3ce7f2a8c697e9ce302c970

SHA256
684133c646d5c34d1bb52d9c0b236eccf5aeffab06b49a08eabbc37300f06e7f

SHA512
de40cdb4bf1b2e43a25f9c11f056067d700a216c776c4270a52f9ce4f86bbe383de87d7d09c7d7ea44db97d562141c7a4bf6f5c7330f4c760ef2cc2817cc26f4

Download Submit
C:\Windows\{59E9BD50-8C58-4f38-929E-8174922BFD86}.exe

Filesize
60KB

MD5
5fa43ca84d0749db3b067142e562e26c

SHA1
e90e37ae5178e2e570ab4b8e9301039b2c02db26

SHA256
550c2d919ff79da3872438e61ad567a8fb87836309a4cef682eca7877b421e12

SHA512
b2b7d5142649f42fc907bde7b806c89af4cc82adf73bf05489d9f1eabee2aacce7bcd983181ce15dba2173b307aee81710226052777f47147b05bd443979cd70

Download Submit
C:\Windows\{82C08B8C-36E7-47fb-BA47-CBB12834E14C}.exe

Filesize
60KB

MD5
8a266bfc6dfd929e80c85198579f89f4

SHA1
381b2db0ae2e9f92e1b74104942f2a4030999d1f

SHA256
4e444a130d3062e4a22e047cfa20e55608d5b254aac41549b643b79d19a63405

SHA512
01a556ae6a3ea9616cd2813d49b94a4f5e8a695be0ff402ceac4c9df52158d1bd77706a9a2eb86be7cb5965487827b9d86b83766e67cc5e749dbf9791b8cb494

Download Submit
C:\Windows\{82F74726-AB1E-42e4-B1FE-5661897638E6}.exe

Filesize
60KB

MD5
903de886d7bef7887d2783203d02186e

SHA1
b64ff868243b7dca09acd0289030da838ffc26e3

SHA256
ccb95b3e0064f80048c13f00e812f0d929048e2da92c0f43eb48031c36511b3a

SHA512
1b23643d800bca951e8c5b601c31644e87d01f6ecc3f1dcb196a64cc69660ecb1497a0a2eb2cfb2c53c1c585de0ac87f6344418fe26fa4c8a2845d697a2a35c5

Download Submit
C:\Windows\{B34A8E88-F85F-490b-A45E-BC664A82CA8B}.exe

Filesize
60KB

MD5
7e117e94fc8de288ccaad89480910582

SHA1
7682a91ae1208249b47e9b7a64464ed72de52a15

SHA256
0cd09dd074bfd4aaf4ae8a9e1131285f291db4f67b7d644be64d33aae3cc9edc

SHA512
10a0807d57e50d952260934fdbbd224c6b28a58b7237b4d8556f0473f5d31ca335327ce7d97e80e488ab6013c26b90ffd8240e037ddd10b95191dc69ed84573a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads