e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940

Analysis

max time kernel
100s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe
Size

89KB
MD5

b1d291fe56b0578d9f7000687930160d
SHA1

e452c1d4ef3647e1d93a38f9f46822ae93e24eea
SHA256

e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940
SHA512

2e32eb34aa661298f448ac4da81df688b95b4bc20c93557d11395ed0cbc865d418ca43875e0bced02bfcda38f001b02882ca899d83c924bb64906a97fc4f4d50
SSDEEP

768:5vw9816thKQLroa4/wQkNrfrunMxVFA3k:lEG/0oalbunMxVS3k

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 16 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

{3152F1B2-F910-44e3-8275-608636F52F20}.exee8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B449BFF0-8D2F-4fc9-A3B2-4EEC612D3AE8}\stubpath = "C:\\Windows\\{B449BFF0-8D2F-4fc9-A3B2-4EEC612D3AE8}.exe"	{3152F1B2-F910-44e3-8275-608636F52F20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BA57E00-616D-43b3-899B-CAFBC841DDA9}\stubpath = "C:\\Windows\\{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe"	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}\stubpath = "C:\\Windows\\{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe"	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{453535E0-B154-4e3a-A6E8-EF687042CCB4}	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3152F1B2-F910-44e3-8275-608636F52F20}\stubpath = "C:\\Windows\\{3152F1B2-F910-44e3-8275-608636F52F20}.exe"	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64F5C62B-A842-4022-BAE3-A77005B1FD2F}\stubpath = "C:\\Windows\\{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe"	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{453535E0-B154-4e3a-A6E8-EF687042CCB4}\stubpath = "C:\\Windows\\{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe"	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}\stubpath = "C:\\Windows\\{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe"	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3152F1B2-F910-44e3-8275-608636F52F20}	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BA57E00-616D-43b3-899B-CAFBC841DDA9}	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B449BFF0-8D2F-4fc9-A3B2-4EEC612D3AE8}	{3152F1B2-F910-44e3-8275-608636F52F20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}\stubpath = "C:\\Windows\\{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe"	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64F5C62B-A842-4022-BAE3-A77005B1FD2F}	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3044 cmd.exe

pid	process
3044	cmd.exe

Executes dropped EXE 8 IoCs

Processes:

{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe{3152F1B2-F910-44e3-8275-608636F52F20}.exe{B449BFF0-8D2F-4fc9-A3B2-4EEC612D3AE8}.exe

pid	process
1632	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe
2732	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe
1216	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe
1588	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe
2764	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe
2844	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe
2752	{3152F1B2-F910-44e3-8275-608636F52F20}.exe
1516	{B449BFF0-8D2F-4fc9-A3B2-4EEC612D3AE8}.exe

Drops file in Windows directory 8 IoCs

Processes:

description	ioc	process
File created	C:\Windows\{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe
File created	C:\Windows\{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe
File created	C:\Windows\{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe
File created	C:\Windows\{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe
File created	C:\Windows\{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe
File created	C:\Windows\{3152F1B2-F910-44e3-8275-608636F52F20}.exe	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe
File created	C:\Windows\{B449BFF0-8D2F-4fc9-A3B2-4EEC612D3AE8}.exe	{3152F1B2-F910-44e3-8275-608636F52F20}.exe
File created	C:\Windows\{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe{3152F1B2-F910-44e3-8275-608636F52F20}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2428	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe
Token: SeIncBasePriorityPrivilege	1632	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe
Token: SeIncBasePriorityPrivilege	2732	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe
Token: SeIncBasePriorityPrivilege	1216	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe
Token: SeIncBasePriorityPrivilege	1588	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe
Token: SeIncBasePriorityPrivilege	2764	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe
Token: SeIncBasePriorityPrivilege	2844	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe
Token: SeIncBasePriorityPrivilege	2752	{3152F1B2-F910-44e3-8275-608636F52F20}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2428 wrote to memory of 1632	2428	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe
PID 2428 wrote to memory of 1632	2428	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe
PID 2428 wrote to memory of 1632	2428	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe
PID 2428 wrote to memory of 1632	2428	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe
PID 2428 wrote to memory of 3044	2428	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe	cmd.exe
PID 2428 wrote to memory of 3044	2428	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe	cmd.exe
PID 2428 wrote to memory of 3044	2428	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe	cmd.exe
PID 2428 wrote to memory of 3044	2428	e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe	cmd.exe
PID 1632 wrote to memory of 2732	1632	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe
PID 1632 wrote to memory of 2732	1632	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe
PID 1632 wrote to memory of 2732	1632	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe
PID 1632 wrote to memory of 2732	1632	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe
PID 1632 wrote to memory of 2660	1632	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe	cmd.exe
PID 1632 wrote to memory of 2660	1632	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe	cmd.exe
PID 1632 wrote to memory of 2660	1632	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe	cmd.exe
PID 1632 wrote to memory of 2660	1632	{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe	cmd.exe
PID 2732 wrote to memory of 1216	2732	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe
PID 2732 wrote to memory of 1216	2732	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe
PID 2732 wrote to memory of 1216	2732	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe
PID 2732 wrote to memory of 1216	2732	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe
PID 2732 wrote to memory of 1284	2732	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe	cmd.exe
PID 2732 wrote to memory of 1284	2732	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe	cmd.exe
PID 2732 wrote to memory of 1284	2732	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe	cmd.exe
PID 2732 wrote to memory of 1284	2732	{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe	cmd.exe
PID 1216 wrote to memory of 1588	1216	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe
PID 1216 wrote to memory of 1588	1216	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe
PID 1216 wrote to memory of 1588	1216	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe
PID 1216 wrote to memory of 1588	1216	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe
PID 1216 wrote to memory of 3036	1216	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe	cmd.exe
PID 1216 wrote to memory of 3036	1216	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe	cmd.exe
PID 1216 wrote to memory of 3036	1216	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe	cmd.exe
PID 1216 wrote to memory of 3036	1216	{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe	cmd.exe
PID 1588 wrote to memory of 2764	1588	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe
PID 1588 wrote to memory of 2764	1588	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe
PID 1588 wrote to memory of 2764	1588	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe
PID 1588 wrote to memory of 2764	1588	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe
PID 1588 wrote to memory of 2060	1588	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe	cmd.exe
PID 1588 wrote to memory of 2060	1588	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe	cmd.exe
PID 1588 wrote to memory of 2060	1588	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe	cmd.exe
PID 1588 wrote to memory of 2060	1588	{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe	cmd.exe
PID 2764 wrote to memory of 2844	2764	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe
PID 2764 wrote to memory of 2844	2764	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe
PID 2764 wrote to memory of 2844	2764	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe
PID 2764 wrote to memory of 2844	2764	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe
PID 2764 wrote to memory of 2488	2764	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe	cmd.exe
PID 2764 wrote to memory of 2488	2764	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe	cmd.exe
PID 2764 wrote to memory of 2488	2764	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe	cmd.exe
PID 2764 wrote to memory of 2488	2764	{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe	cmd.exe
PID 2844 wrote to memory of 2752	2844	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe	{3152F1B2-F910-44e3-8275-608636F52F20}.exe
PID 2844 wrote to memory of 2752	2844	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe	{3152F1B2-F910-44e3-8275-608636F52F20}.exe
PID 2844 wrote to memory of 2752	2844	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe	{3152F1B2-F910-44e3-8275-608636F52F20}.exe
PID 2844 wrote to memory of 2752	2844	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe	{3152F1B2-F910-44e3-8275-608636F52F20}.exe
PID 2844 wrote to memory of 2968	2844	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe	cmd.exe
PID 2844 wrote to memory of 2968	2844	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe	cmd.exe
PID 2844 wrote to memory of 2968	2844	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe	cmd.exe
PID 2844 wrote to memory of 2968	2844	{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe	cmd.exe
PID 2752 wrote to memory of 1516	2752	{3152F1B2-F910-44e3-8275-608636F52F20}.exe	{B449BFF0-8D2F-4fc9-A3B2-4EEC612D3AE8}.exe
PID 2752 wrote to memory of 1516	2752	{3152F1B2-F910-44e3-8275-608636F52F20}.exe	{B449BFF0-8D2F-4fc9-A3B2-4EEC612D3AE8}.exe
PID 2752 wrote to memory of 1516	2752	{3152F1B2-F910-44e3-8275-608636F52F20}.exe	{B449BFF0-8D2F-4fc9-A3B2-4EEC612D3AE8}.exe
PID 2752 wrote to memory of 1516	2752	{3152F1B2-F910-44e3-8275-608636F52F20}.exe	{B449BFF0-8D2F-4fc9-A3B2-4EEC612D3AE8}.exe
PID 2752 wrote to memory of 1756	2752	{3152F1B2-F910-44e3-8275-608636F52F20}.exe	cmd.exe
PID 2752 wrote to memory of 1756	2752	{3152F1B2-F910-44e3-8275-608636F52F20}.exe	cmd.exe
PID 2752 wrote to memory of 1756	2752	{3152F1B2-F910-44e3-8275-608636F52F20}.exe	cmd.exe
PID 2752 wrote to memory of 1756	2752	{3152F1B2-F910-44e3-8275-608636F52F20}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe
"C:\Users\Admin\AppData\Local\Temp\e8967ebe7977d6a2982abb9cf44d69efcb4047b46b1f24443dadc4497935e940.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe
C:\Windows\{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe
2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe
C:\Windows\{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe
3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe
C:\Windows\{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe
4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe
C:\Windows\{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe
5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe
C:\Windows\{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe
6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe
C:\Windows\{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe
7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\{3152F1B2-F910-44e3-8275-608636F52F20}.exe
C:\Windows\{3152F1B2-F910-44e3-8275-608636F52F20}.exe
8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\{B449BFF0-8D2F-4fc9-A3B2-4EEC612D3AE8}.exe
C:\Windows\{B449BFF0-8D2F-4fc9-A3B2-4EEC612D3AE8}.exe
9⤵
- Executes dropped EXE
PID:1516

C:\Windows\{3A02A314-3404-4884-AC83-C9DD38CAF30D}.exe
C:\Windows\{3A02A314-3404-4884-AC83-C9DD38CAF30D}.exe
10⤵
PID:1996

C:\Windows\{1D7F5F38-D638-4c22-9FCC-9710167FA6DD}.exe
C:\Windows\{1D7F5F38-D638-4c22-9FCC-9710167FA6DD}.exe
11⤵
PID:612

C:\Windows\{C6D655CD-FCAD-45c0-B3A0-D40BDDC1772C}.exe
C:\Windows\{C6D655CD-FCAD-45c0-B3A0-D40BDDC1772C}.exe
12⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1D7F5~1.EXE > nul
12⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3A02A~1.EXE > nul
11⤵
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B449B~1.EXE > nul
10⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3152F~1.EXE > nul
9⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6E02B~1.EXE > nul
8⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{45353~1.EXE > nul
7⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{64F5C~1.EXE > nul
6⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9945B~1.EXE > nul
5⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4BB9A~1.EXE > nul
4⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8BA57~1.EXE > nul
3⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E8967E~1.EXE > nul
2⤵
- Deletes itself
PID:3044

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D7F5F38-D638-4c22-9FCC-9710167FA6DD}.exe
Filesize
89KB

MD5
b151fc7bd5ee247603e3e3cd4b697869

SHA1
dcb359e72d0568920be715c6ce62221d032cf2d0

SHA256
38794589ec6d9a6eb80274393a3aa59777ec9928d41f3c038fd1ce451dbb9975

SHA512
5b17e34e52448316d9b696e218b1e16797c1da65dc4c854861138a7ef51dd94c36576faf57e002f21b21a5a9413ff8f4b1f025e19280c9c40d3cd1765f2ec4fa

Download Submit
C:\Windows\{3152F1B2-F910-44e3-8275-608636F52F20}.exe
Filesize
89KB

MD5
1543e0327aac171422fed984b19ca07e

SHA1
25da04bf0443e43fb094bdb07a0adc00f7d86dd6

SHA256
2f2e1d80d778b77d565c0fb27420fe75400495f10cdd45a0863dbf6663d0c897

SHA512
fb4964d5fc9f5e9d5f9c055af44c10fbb3eb633d52c574c898e7e907a6e259d4d8293bbf1378ca766b999e1ae12b51b2593eb5c33db523a1685c997414d87c70

Download Submit
C:\Windows\{3A02A314-3404-4884-AC83-C9DD38CAF30D}.exe
Filesize
89KB

MD5
2f4c7835709f9c5f1d2b7860c7342c8a

SHA1
f056b48b33c75c67000b0a77b6b8da1d1f3169c1

SHA256
c4edf728e5d4dc4e2e2d05395a984b04c639e09b5b922e54f200a31a11bd8489

SHA512
a0864cd04db5fde71bdc043ffdbb40afcd004687b6424091778054f4734bbb6b7de3941247c9a917a203929e1bd783ac7fa87e52aedbb1fec9fc9812418f81f9

Download Submit
C:\Windows\{453535E0-B154-4e3a-A6E8-EF687042CCB4}.exe
Filesize
89KB

MD5
bf2712661ceb59fcfcbf9f37b7cde14c

SHA1
3f05d7171a7d5cc18ae881722af11e1815139ca4

SHA256
16c5449fed55542e45bdb575c83135df2c21d5687633f113fd89476fa730a618

SHA512
0d9bee78db871dc2de7fb0eb42fa5eed87fe2b3fedeac877cb706a0ece4b5640a8c1bac94635dc9ada9918d019d746e2fd7073f2f10ed0983cec17d52b67716b

Download Submit
C:\Windows\{4BB9AAAD-8454-48d1-B9F0-995FD9D79458}.exe
Filesize
89KB

MD5
3e2e8dc4c95360d1839b75937b72330a

SHA1
4f8f64e828a2d2b216a0a21842958b776f86d98c

SHA256
708800fe5de9957c4deccc1ca1656af2011c267296e2fda5e5d7b1b8d8afe09e

SHA512
2b7823ab1d23e60c66553ab77d3cd9a54dcdef7c242b57f12e743d2cf0560267c7dac0d797bfd2adad72f015a4a255ffd41fdd056fa24f1d838f8654dba3fccb

Download Submit
C:\Windows\{64F5C62B-A842-4022-BAE3-A77005B1FD2F}.exe
Filesize
89KB

MD5
4e0a67e0eb154b837b4d276f3cfeefbe

SHA1
ffb19468767c483694aec4c6eb5dc758524ad84f

SHA256
ddb63e3361873e4a2384995c32c39c4ec054b1c426937911bcb40f5f6a90b4ce

SHA512
5c6a321fa2ed4c5ea6ef164b9c77e3b4217a9f1027c0d42810487b1d8f98b677eb59e6c9988aadd1926d7d4b039aa7277283f37052aefbfad2783ebea5860a39

Download Submit
C:\Windows\{6E02B342-7D6F-4753-968E-1DF5CEB5DC20}.exe
Filesize
89KB

MD5
751a7fb8d5452e764c826b511476f154

SHA1
b1c3e63408c7333842ddc864c0cb765d9dd09c92

SHA256
db981c6bb09d8ee1ad1671ebac9cc2ea90bbddc69623ac41299e90633e2fa4aa

SHA512
311545f22ce5d1a14712dc4b6fd55538a63ef3d430a7bcfd59e79a7769a24a0a0f9aca9a900eb0afcdf0f38f31e4365948070277fbdb581f524ba5c8c5514ffd

Download Submit
C:\Windows\{8BA57E00-616D-43b3-899B-CAFBC841DDA9}.exe
Filesize
89KB

MD5
ac5767659c103965c86de59b1b8004e6

SHA1
d18b3d3de1670f9e364a3f40fca37f3b4d579c12

SHA256
a7d1f9fb3471b535937b882e8ac274cb456e2b4bc4958c2753f9d4a5d4fc8fb8

SHA512
10c8c7732859381383c0a03c78c0ab40e77938a437506289744fe153471c2a571a34148280f9af8638a73051991212bb31037513a943b945ece6be48813008fe

Download Submit
C:\Windows\{9945B8D6-A471-4b02-AA16-3F9DC4C5AC6E}.exe
Filesize
89KB

MD5
14e207d1a72fec314a8b1b926d3efa23

SHA1
c19bd8e0e9c56eb4c586940ecb54ba2f8e48cdcb

SHA256
07cd467d1bb431350b76f0d546823f0f3b0e5c40354f01ca0edfdbbee0ae7b7a

SHA512
82528e62923b7e2f02656aa4c3cbe1f2caeb9acc8a7a88712db2983fd5967b88d0ce548ff27248ea3fae4ef64039c8db0c09c9c1c3ccff2e19add1bf2817422d

Download Submit
C:\Windows\{B449BFF0-8D2F-4fc9-A3B2-4EEC612D3AE8}.exe
Filesize
89KB

MD5
ff268741a88fbf91019dc3ec49776d4d

SHA1
5d4ce7ce7aa732627028d3c02ff7fb5e05082ad2

SHA256
de12703c3254d1cee0a44d1542dd83235942893b455e46c128c6f8500bcdae39

SHA512
06d7418afdb484167c71e8fb493541083f7963bcd8fb0b12e774655384243d4883d745ec7a75f488060f87d39b3c996d00bd28669c14ac35e1929aa4cc770450

Download Submit
C:\Windows\{C6D655CD-FCAD-45c0-B3A0-D40BDDC1772C}.exe
Filesize
89KB

MD5
293a01dbb6eeff63f14eddd667b3fbd2

SHA1
f42ffa9eb4f09be374628c6d84cbd535bfbb163f

SHA256
242e5db7f286e468d0556cba9d59df18520f2368c424d00a0e46ebc3b8ddde98

SHA512
40c4ecfa1fb93bc66cc063da02b23a27a0a1aa0eb8a6ff8cf9e2a68f94962d24af1aae7261554c38e6970a57f0b8afa9fb7337530cd17578804651aeb1b7c6f6

Download Submit
memory/612-96-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1216-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1216-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1516-81-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1516-79-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download
memory/1588-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1588-45-0x00000000005E0000-0x00000000005F1000-memory.dmp

Filesize
68KB

Download
memory/1588-44-0x00000000005E0000-0x00000000005F1000-memory.dmp

Filesize
68KB

Download
memory/1632-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1632-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1632-17-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/1788-98-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1996-89-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1996-80-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2428-8-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2428-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2428-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2428-3-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2732-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2732-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2752-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2764-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2844-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads