e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe
Size

90KB
MD5

9c566323ba542ce27f53b09d52705558
SHA1

19635f373584e11f8a0504808e60ca0922e89adc
SHA256

e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae
SHA512

c6cafbc4abe5f7a0d0a325baf536bf64b28847bdfacc46d8a404b316a577497ce62e64e90208fecc27ffd15fab3a21f1fdcb54d85853cb2bc4377601f056ebf4
SSDEEP

768:Qvw9816vhKQLroE4/wQRNrfrunMxVFA3b7gl/:YEGh0oEl2unMxVS3HgR

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

{06D9331E-7AA8-4721-975E-52F337E92B8C}.exe{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe{ECB84189-35D1-406d-8795-608037B995DC}.exe{AF296206-80E2-49bd-B719-91407C3931CE}.exe{526F4D01-6E2E-461b-8C69-845A9056746F}.exe{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe{DE680093-F6B7-4635-A088-E551FAAB10BE}.exee730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE680093-F6B7-4635-A088-E551FAAB10BE}	{06D9331E-7AA8-4721-975E-52F337E92B8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}\stubpath = "C:\\Windows\\{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe"	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECB84189-35D1-406d-8795-608037B995DC}\stubpath = "C:\\Windows\\{ECB84189-35D1-406d-8795-608037B995DC}.exe"	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6725BDF-9DBD-4eca-85F1-5867DA01F369}	{ECB84189-35D1-406d-8795-608037B995DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6725BDF-9DBD-4eca-85F1-5867DA01F369}\stubpath = "C:\\Windows\\{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe"	{ECB84189-35D1-406d-8795-608037B995DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{526F4D01-6E2E-461b-8C69-845A9056746F}\stubpath = "C:\\Windows\\{526F4D01-6E2E-461b-8C69-845A9056746F}.exe"	{AF296206-80E2-49bd-B719-91407C3931CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69A3DF5A-C105-4808-85FF-25235C0DC705}	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69A3DF5A-C105-4808-85FF-25235C0DC705}\stubpath = "C:\\Windows\\{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe"	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECB84189-35D1-406d-8795-608037B995DC}	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{905A65E1-1809-45d0-8275-A21125CDCCD5}	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39A0570D-9A73-4760-AAF3-11CBC09DFE60}\stubpath = "C:\\Windows\\{39A0570D-9A73-4760-AAF3-11CBC09DFE60}.exe"	{DE680093-F6B7-4635-A088-E551FAAB10BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF296206-80E2-49bd-B719-91407C3931CE}	e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{526F4D01-6E2E-461b-8C69-845A9056746F}	{AF296206-80E2-49bd-B719-91407C3931CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}\stubpath = "C:\\Windows\\{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe"	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{905A65E1-1809-45d0-8275-A21125CDCCD5}\stubpath = "C:\\Windows\\{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe"	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06D9331E-7AA8-4721-975E-52F337E92B8C}	{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF296206-80E2-49bd-B719-91407C3931CE}\stubpath = "C:\\Windows\\{AF296206-80E2-49bd-B719-91407C3931CE}.exe"	e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06D9331E-7AA8-4721-975E-52F337E92B8C}\stubpath = "C:\\Windows\\{06D9331E-7AA8-4721-975E-52F337E92B8C}.exe"	{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE680093-F6B7-4635-A088-E551FAAB10BE}\stubpath = "C:\\Windows\\{DE680093-F6B7-4635-A088-E551FAAB10BE}.exe"	{06D9331E-7AA8-4721-975E-52F337E92B8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39A0570D-9A73-4760-AAF3-11CBC09DFE60}	{DE680093-F6B7-4635-A088-E551FAAB10BE}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2312 cmd.exe

pid	process
2312	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{AF296206-80E2-49bd-B719-91407C3931CE}.exe{526F4D01-6E2E-461b-8C69-845A9056746F}.exe{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe{ECB84189-35D1-406d-8795-608037B995DC}.exe{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe{06D9331E-7AA8-4721-975E-52F337E92B8C}.exe{DE680093-F6B7-4635-A088-E551FAAB10BE}.exe{39A0570D-9A73-4760-AAF3-11CBC09DFE60}.exe

pid	process
860	{AF296206-80E2-49bd-B719-91407C3931CE}.exe
2572	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe
2660	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe
2504	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe
1800	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe
812	{ECB84189-35D1-406d-8795-608037B995DC}.exe
2156	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe
628	{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe
2472	{06D9331E-7AA8-4721-975E-52F337E92B8C}.exe
2260	{DE680093-F6B7-4635-A088-E551FAAB10BE}.exe
1636	{39A0570D-9A73-4760-AAF3-11CBC09DFE60}.exe

Drops file in Windows directory 11 IoCs

Processes:

{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe{ECB84189-35D1-406d-8795-608037B995DC}.exe{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe{DE680093-F6B7-4635-A088-E551FAAB10BE}.exe{526F4D01-6E2E-461b-8C69-845A9056746F}.exe{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe{06D9331E-7AA8-4721-975E-52F337E92B8C}.exee730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe{AF296206-80E2-49bd-B719-91407C3931CE}.exe

description	ioc	process
File created	C:\Windows\{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe
File created	C:\Windows\{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe	{ECB84189-35D1-406d-8795-608037B995DC}.exe
File created	C:\Windows\{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe
File created	C:\Windows\{39A0570D-9A73-4760-AAF3-11CBC09DFE60}.exe	{DE680093-F6B7-4635-A088-E551FAAB10BE}.exe
File created	C:\Windows\{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe
File created	C:\Windows\{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe
File created	C:\Windows\{ECB84189-35D1-406d-8795-608037B995DC}.exe	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe
File created	C:\Windows\{06D9331E-7AA8-4721-975E-52F337E92B8C}.exe	{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe
File created	C:\Windows\{DE680093-F6B7-4635-A088-E551FAAB10BE}.exe	{06D9331E-7AA8-4721-975E-52F337E92B8C}.exe
File created	C:\Windows\{AF296206-80E2-49bd-B719-91407C3931CE}.exe	e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe
File created	C:\Windows\{526F4D01-6E2E-461b-8C69-845A9056746F}.exe	{AF296206-80E2-49bd-B719-91407C3931CE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe{AF296206-80E2-49bd-B719-91407C3931CE}.exe{526F4D01-6E2E-461b-8C69-845A9056746F}.exe{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe{ECB84189-35D1-406d-8795-608037B995DC}.exe{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe{06D9331E-7AA8-4721-975E-52F337E92B8C}.exe{DE680093-F6B7-4635-A088-E551FAAB10BE}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2140	e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe
Token: SeIncBasePriorityPrivilege	860	{AF296206-80E2-49bd-B719-91407C3931CE}.exe
Token: SeIncBasePriorityPrivilege	2572	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe
Token: SeIncBasePriorityPrivilege	2660	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe
Token: SeIncBasePriorityPrivilege	2504	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe
Token: SeIncBasePriorityPrivilege	1800	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe
Token: SeIncBasePriorityPrivilege	812	{ECB84189-35D1-406d-8795-608037B995DC}.exe
Token: SeIncBasePriorityPrivilege	2156	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe
Token: SeIncBasePriorityPrivilege	628	{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe
Token: SeIncBasePriorityPrivilege	2472	{06D9331E-7AA8-4721-975E-52F337E92B8C}.exe
Token: SeIncBasePriorityPrivilege	2260	{DE680093-F6B7-4635-A088-E551FAAB10BE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2140 wrote to memory of 860	2140	e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe	{AF296206-80E2-49bd-B719-91407C3931CE}.exe
PID 2140 wrote to memory of 860	2140	e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe	{AF296206-80E2-49bd-B719-91407C3931CE}.exe
PID 2140 wrote to memory of 860	2140	e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe	{AF296206-80E2-49bd-B719-91407C3931CE}.exe
PID 2140 wrote to memory of 860	2140	e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe	{AF296206-80E2-49bd-B719-91407C3931CE}.exe
PID 2140 wrote to memory of 2312	2140	e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe	cmd.exe
PID 2140 wrote to memory of 2312	2140	e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe	cmd.exe
PID 2140 wrote to memory of 2312	2140	e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe	cmd.exe
PID 2140 wrote to memory of 2312	2140	e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe	cmd.exe
PID 860 wrote to memory of 2572	860	{AF296206-80E2-49bd-B719-91407C3931CE}.exe	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe
PID 860 wrote to memory of 2572	860	{AF296206-80E2-49bd-B719-91407C3931CE}.exe	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe
PID 860 wrote to memory of 2572	860	{AF296206-80E2-49bd-B719-91407C3931CE}.exe	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe
PID 860 wrote to memory of 2572	860	{AF296206-80E2-49bd-B719-91407C3931CE}.exe	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe
PID 860 wrote to memory of 2632	860	{AF296206-80E2-49bd-B719-91407C3931CE}.exe	cmd.exe
PID 860 wrote to memory of 2632	860	{AF296206-80E2-49bd-B719-91407C3931CE}.exe	cmd.exe
PID 860 wrote to memory of 2632	860	{AF296206-80E2-49bd-B719-91407C3931CE}.exe	cmd.exe
PID 860 wrote to memory of 2632	860	{AF296206-80E2-49bd-B719-91407C3931CE}.exe	cmd.exe
PID 2572 wrote to memory of 2660	2572	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe
PID 2572 wrote to memory of 2660	2572	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe
PID 2572 wrote to memory of 2660	2572	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe
PID 2572 wrote to memory of 2660	2572	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe
PID 2572 wrote to memory of 2152	2572	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe	cmd.exe
PID 2572 wrote to memory of 2152	2572	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe	cmd.exe
PID 2572 wrote to memory of 2152	2572	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe	cmd.exe
PID 2572 wrote to memory of 2152	2572	{526F4D01-6E2E-461b-8C69-845A9056746F}.exe	cmd.exe
PID 2660 wrote to memory of 2504	2660	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe
PID 2660 wrote to memory of 2504	2660	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe
PID 2660 wrote to memory of 2504	2660	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe
PID 2660 wrote to memory of 2504	2660	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe
PID 2660 wrote to memory of 2696	2660	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe	cmd.exe
PID 2660 wrote to memory of 2696	2660	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe	cmd.exe
PID 2660 wrote to memory of 2696	2660	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe	cmd.exe
PID 2660 wrote to memory of 2696	2660	{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe	cmd.exe
PID 2504 wrote to memory of 1800	2504	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe
PID 2504 wrote to memory of 1800	2504	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe
PID 2504 wrote to memory of 1800	2504	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe
PID 2504 wrote to memory of 1800	2504	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe
PID 2504 wrote to memory of 1268	2504	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe	cmd.exe
PID 2504 wrote to memory of 1268	2504	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe	cmd.exe
PID 2504 wrote to memory of 1268	2504	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe	cmd.exe
PID 2504 wrote to memory of 1268	2504	{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe	cmd.exe
PID 1800 wrote to memory of 812	1800	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe	{ECB84189-35D1-406d-8795-608037B995DC}.exe
PID 1800 wrote to memory of 812	1800	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe	{ECB84189-35D1-406d-8795-608037B995DC}.exe
PID 1800 wrote to memory of 812	1800	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe	{ECB84189-35D1-406d-8795-608037B995DC}.exe
PID 1800 wrote to memory of 812	1800	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe	{ECB84189-35D1-406d-8795-608037B995DC}.exe
PID 1800 wrote to memory of 2208	1800	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe	cmd.exe
PID 1800 wrote to memory of 2208	1800	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe	cmd.exe
PID 1800 wrote to memory of 2208	1800	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe	cmd.exe
PID 1800 wrote to memory of 2208	1800	{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe	cmd.exe
PID 812 wrote to memory of 2156	812	{ECB84189-35D1-406d-8795-608037B995DC}.exe	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe
PID 812 wrote to memory of 2156	812	{ECB84189-35D1-406d-8795-608037B995DC}.exe	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe
PID 812 wrote to memory of 2156	812	{ECB84189-35D1-406d-8795-608037B995DC}.exe	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe
PID 812 wrote to memory of 2156	812	{ECB84189-35D1-406d-8795-608037B995DC}.exe	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe
PID 812 wrote to memory of 1564	812	{ECB84189-35D1-406d-8795-608037B995DC}.exe	cmd.exe
PID 812 wrote to memory of 1564	812	{ECB84189-35D1-406d-8795-608037B995DC}.exe	cmd.exe
PID 812 wrote to memory of 1564	812	{ECB84189-35D1-406d-8795-608037B995DC}.exe	cmd.exe
PID 812 wrote to memory of 1564	812	{ECB84189-35D1-406d-8795-608037B995DC}.exe	cmd.exe
PID 2156 wrote to memory of 628	2156	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe	{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe
PID 2156 wrote to memory of 628	2156	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe	{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe
PID 2156 wrote to memory of 628	2156	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe	{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe
PID 2156 wrote to memory of 628	2156	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe	{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe
PID 2156 wrote to memory of 1552	2156	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe	cmd.exe
PID 2156 wrote to memory of 1552	2156	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe	cmd.exe
PID 2156 wrote to memory of 1552	2156	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe	cmd.exe
PID 2156 wrote to memory of 1552	2156	{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe
"C:\Users\Admin\AppData\Local\Temp\e730e972cc95e1f5f2092b4c63401ee491350b0560cb5c101d3bc0abefd1bbae.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\{AF296206-80E2-49bd-B719-91407C3931CE}.exe
C:\Windows\{AF296206-80E2-49bd-B719-91407C3931CE}.exe
2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\{526F4D01-6E2E-461b-8C69-845A9056746F}.exe
C:\Windows\{526F4D01-6E2E-461b-8C69-845A9056746F}.exe
3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe
C:\Windows\{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe
4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe
C:\Windows\{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe
5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe
C:\Windows\{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe
6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\{ECB84189-35D1-406d-8795-608037B995DC}.exe
C:\Windows\{ECB84189-35D1-406d-8795-608037B995DC}.exe
7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe
C:\Windows\{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe
8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe
C:\Windows\{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe
9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\{06D9331E-7AA8-4721-975E-52F337E92B8C}.exe
C:\Windows\{06D9331E-7AA8-4721-975E-52F337E92B8C}.exe
10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\{DE680093-F6B7-4635-A088-E551FAAB10BE}.exe
C:\Windows\{DE680093-F6B7-4635-A088-E551FAAB10BE}.exe
11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\{39A0570D-9A73-4760-AAF3-11CBC09DFE60}.exe
C:\Windows\{39A0570D-9A73-4760-AAF3-11CBC09DFE60}.exe
12⤵
- Executes dropped EXE
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DE680~1.EXE > nul
12⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{06D93~1.EXE > nul
11⤵
PID:672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{905A6~1.EXE > nul
10⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C6725~1.EXE > nul
9⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{ECB84~1.EXE > nul
8⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8A2E6~1.EXE > nul
7⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A3BA1~1.EXE > nul
6⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{69A3D~1.EXE > nul
5⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{526F4~1.EXE > nul
4⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AF296~1.EXE > nul
3⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E730E9~1.EXE > nul
2⤵
- Deletes itself
PID:2312

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06D9331E-7AA8-4721-975E-52F337E92B8C}.exe
Filesize
90KB

MD5
124e6ec1fd4c6511ce6bda75b0f852c8

SHA1
3c45765b9ef2dcc0833b57c23ad936c399f9b6da

SHA256
b78ffc9fe5f060b579d06431ee001cb64a11aa4598fc641a34f862b27d90505e

SHA512
eb12cce81c015840eaa5b32924ef8a6fcba33d7808eedda22ee21eb7daa6ff5ff8b50ef8feabbe1cca485475eab6f4b2bfc1638e5e613463c14b1a2f8ffd8379

Download Submit
C:\Windows\{39A0570D-9A73-4760-AAF3-11CBC09DFE60}.exe
Filesize
90KB

MD5
ed0d673c8fbe2aa2707ff26f12ec95b4

SHA1
40a75b2ab4750ba07cf74e56ac22f8a74dcaff07

SHA256
1abf981a2b3fe55580d04cf9e5f424397836bf233c3f577eacc096e4ea1e7d6e

SHA512
57d926a8071f3adf359da9c345830c16b0a96a05d00c0dce0d914ae85479d343d252a55822a6ab3a9418c425008126d7577712ebcf97a26ad4edc6f18be7f50c

Download Submit
C:\Windows\{526F4D01-6E2E-461b-8C69-845A9056746F}.exe
Filesize
90KB

MD5
97c457807be11731a00b6aa75999b91b

SHA1
f2c566cbe0b272511af095238095eb23aaac7234

SHA256
cbd19dd1c59a4c5cf4361f79421bffd72039abd180089cd282fd831cbaefe920

SHA512
d94d71b771ed69bc900583570a7885dfed4f72ecadaded6d7e5cd3dd217bdc5eab383431a91be497c76de8d2118792dcfe12ab6abf771fcb04be6e9eb8990a3d

Download Submit
C:\Windows\{69A3DF5A-C105-4808-85FF-25235C0DC705}.exe
Filesize
90KB

MD5
fa5879aa04a68017ef83f34c28c69fe7

SHA1
059864c66735bcc248e4318ce5b41f8369a06f4b

SHA256
9d2a88082245300ff465af455fbdc393e99050605738f855be9529faf3214fe1

SHA512
f2925529674c34da6b709d646a20587d53f6f2f02082e1efdbe6348309758d914487de126ab6f36381cb1ee8b352a351b398dec06045da2724de4b70edff7384

Download Submit
C:\Windows\{8A2E6DA8-BE3C-4c1b-AB3F-8225A4964D19}.exe
Filesize
90KB

MD5
775cdc0b2fe5b9f50068178ae6e51260

SHA1
751b5c518a66c7f3037dd0453a3091e9ce37d1ce

SHA256
4d0da8128dbce10e60fa6d60abfe5800c4dc8b0d8f253c0dc11de0265678f775

SHA512
12a8dc9f95f3eedbd82adb9c7ccafbd3b84a9a4be86d2305320a69e98c38d8bb60250cc8b050207b06d3a33dbe7c0f45d290293f122b47e48d86d942720cfce4

Download Submit
C:\Windows\{905A65E1-1809-45d0-8275-A21125CDCCD5}.exe
Filesize
90KB

MD5
d6346961360b47d55783db1079f5e937

SHA1
e764f7a463a5705f344f8fde8aaf9c37f88f975c

SHA256
63f81e1beead51c71ea5e837a73f6d6a03ef22b1dff45cb30e40c7cbad8d5ae1

SHA512
f988c007dde9dde89f6703b7eb22ee00fd99c3151c526d9b2d4fdd2ce7800af9ad0f9719344891eefac6a39e63a38abaa0e37052b8c5a5c7aa6adb181a7f0190

Download Submit
C:\Windows\{A3BA105C-9FB3-45b7-8AD0-F65B7E22849D}.exe
Filesize
90KB

MD5
8ffb62f424719e77ffcc4919b14655d7

SHA1
668dc71a9b2e35ae2d35bfd89e81a046e783485c

SHA256
399fab9cf47d5b6ca328d9fa19ddaa2e779b053cf97c775ecf0a31f913927868

SHA512
79bf37c708baf41acae7a88fcfa9c0d6fc7fa16e1cf1c9cb603efa55b4d2c43d70ffa1f3a8cc705f1e8ee90527b65548aa19b6d31571f325139bbf11f4a899c9

Download Submit
C:\Windows\{AF296206-80E2-49bd-B719-91407C3931CE}.exe
Filesize
90KB

MD5
a5c6380c9f7552791c1e2d757c13b1d8

SHA1
824cde7b74d214c30aa823109ec824da46f01d77

SHA256
d267a49c3b986b56f3b609c42d2d32c575e78b13821e64da677f105b7f04c546

SHA512
3ab27863822d29bade9c138d3cba05b4209f76324246a89d5368f5179ffdec50e95074c69d1e299d6bc446ba84a14fe976cc997912ad214633654eae108ff016

Download Submit
C:\Windows\{C6725BDF-9DBD-4eca-85F1-5867DA01F369}.exe
Filesize
90KB

MD5
18d0f2b72efd52731206d0abd6c889f1

SHA1
9a860fa3b021c508647abfb641df307415633a3c

SHA256
24c91384578724cdfd533c8570332ef03ddbf62432434e7af4fa0d19253fd28a

SHA512
f213955927835a2d3ae4eb37ad36bcbae539e077fedf420ce935729f1b075f76a33daa907072adf2ae371e21219dca8c2c9fee6074cff3f274a65a9de55daee7

Download Submit
C:\Windows\{DE680093-F6B7-4635-A088-E551FAAB10BE}.exe
Filesize
90KB

MD5
33fac9942f18abaf0951d3066a9b043b

SHA1
88ad163be5aec0fc68cac8fbe061e19c94f0ed4b

SHA256
3d747118aa34fded148785b9c25a8339f2f9377f0b7d7e26e7fd84c4fa44049f

SHA512
6995fe0479571dc08f15a601992783e62b6fa826c158d2531cc2d812065cd0398fab593c1411ec62caca6d372e01fc56aaefb94a2b3a6d107b005f4b55cc7ef1

Download Submit
C:\Windows\{ECB84189-35D1-406d-8795-608037B995DC}.exe
Filesize
90KB

MD5
dd9ca3a54d9c2fe0bdd8ed993be69f38

SHA1
ba69ff3e16e00939b7d46d9a4fdf7566dd9efd14

SHA256
67940d673ebb8ecdbad820147707e65fe885e7f7de79bf8a5659dae1f878f9d3

SHA512
6f48625e37841dc43d46f77064a0190ff27fccecb6b470382d7a4db95761c538521797ccdaf27231a8b4a601f3e4f78acc3651c7985fade4a97265ce336036e8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads