678088fbf7c059b198e2d9adeee1b3ce18c0c0770fdb0dc52691718863315803

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe
Size

372KB
MD5

8c1c1c35a3dfe792628564e667cd62a6
SHA1

90666aeb1ee4cfea1d5b9880c89da7cf6306f68e
SHA256

678088fbf7c059b198e2d9adeee1b3ce18c0c0770fdb0dc52691718863315803
SHA512

f8c4851c270bdb1937f36d3b30b1a0143f377e2cfc1bdf16391dd10b73e2dfddfd3745a69f14917ef703d2accd76920c9189337d48f07516e1114626418d4222
SSDEEP

3072:CEGh0oemlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGdl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BD21D7C-3E81-4409-98C9-25488679F196}\stubpath = "C:\\Windows\\{1BD21D7C-3E81-4409-98C9-25488679F196}.exe"	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D248A8F7-AEAB-4257-8CB5-E798D3521052}	{B8613B4F-081F-401f-934B-6379EE923C75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D248A8F7-AEAB-4257-8CB5-E798D3521052}\stubpath = "C:\\Windows\\{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe"	{B8613B4F-081F-401f-934B-6379EE923C75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C97D722F-E9A9-445b-B594-DB511EA6EC0C}	{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2ABC7895-414E-4b62-B712-8F97121DFAB9}	{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7491E479-4D32-4be8-860B-970712933B50}	{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7491E479-4D32-4be8-860B-970712933B50}\stubpath = "C:\\Windows\\{7491E479-4D32-4be8-860B-970712933B50}.exe"	{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BD21D7C-3E81-4409-98C9-25488679F196}	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABEE85DF-E9E4-4aca-978B-0D5CEE64736E}\stubpath = "C:\\Windows\\{ABEE85DF-E9E4-4aca-978B-0D5CEE64736E}.exe"	{7491E479-4D32-4be8-860B-970712933B50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8613B4F-081F-401f-934B-6379EE923C75}\stubpath = "C:\\Windows\\{B8613B4F-081F-401f-934B-6379EE923C75}.exe"	{1BD21D7C-3E81-4409-98C9-25488679F196}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C97D722F-E9A9-445b-B594-DB511EA6EC0C}\stubpath = "C:\\Windows\\{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe"	{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D517D0B6-C513-441f-84C4-5C6BBBE3B631}\stubpath = "C:\\Windows\\{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe"	{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2ABC7895-414E-4b62-B712-8F97121DFAB9}\stubpath = "C:\\Windows\\{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe"	{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABEE85DF-E9E4-4aca-978B-0D5CEE64736E}	{7491E479-4D32-4be8-860B-970712933B50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A89FADF5-E995-48b9-8FBC-F792FD11C591}	{92E692FD-0F9D-472c-9241-E7388A39A31F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A89FADF5-E995-48b9-8FBC-F792FD11C591}\stubpath = "C:\\Windows\\{A89FADF5-E995-48b9-8FBC-F792FD11C591}.exe"	{92E692FD-0F9D-472c-9241-E7388A39A31F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8613B4F-081F-401f-934B-6379EE923C75}	{1BD21D7C-3E81-4409-98C9-25488679F196}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0F58E34-138E-4397-8051-9A97FE4555A1}	{ABEE85DF-E9E4-4aca-978B-0D5CEE64736E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{829A2CF5-D641-414f-86B7-6C6C02BA8EA8}\stubpath = "C:\\Windows\\{829A2CF5-D641-414f-86B7-6C6C02BA8EA8}.exe"	{D0F58E34-138E-4397-8051-9A97FE4555A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92E692FD-0F9D-472c-9241-E7388A39A31F}	{829A2CF5-D641-414f-86B7-6C6C02BA8EA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92E692FD-0F9D-472c-9241-E7388A39A31F}\stubpath = "C:\\Windows\\{92E692FD-0F9D-472c-9241-E7388A39A31F}.exe"	{829A2CF5-D641-414f-86B7-6C6C02BA8EA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D517D0B6-C513-441f-84C4-5C6BBBE3B631}	{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{829A2CF5-D641-414f-86B7-6C6C02BA8EA8}	{D0F58E34-138E-4397-8051-9A97FE4555A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0F58E34-138E-4397-8051-9A97FE4555A1}\stubpath = "C:\\Windows\\{D0F58E34-138E-4397-8051-9A97FE4555A1}.exe"	{ABEE85DF-E9E4-4aca-978B-0D5CEE64736E}.exe

Deletes itself 1 IoCs

pid	Process
2124	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2872	{1BD21D7C-3E81-4409-98C9-25488679F196}.exe
2708	{B8613B4F-081F-401f-934B-6379EE923C75}.exe
2864	{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe
2208	{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe
2564	{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe
3032	{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe
2548	{7491E479-4D32-4be8-860B-970712933B50}.exe
2744	{ABEE85DF-E9E4-4aca-978B-0D5CEE64736E}.exe
2908	{D0F58E34-138E-4397-8051-9A97FE4555A1}.exe
2508	{829A2CF5-D641-414f-86B7-6C6C02BA8EA8}.exe
1952	{92E692FD-0F9D-472c-9241-E7388A39A31F}.exe
1640	{A89FADF5-E995-48b9-8FBC-F792FD11C591}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{829A2CF5-D641-414f-86B7-6C6C02BA8EA8}.exe	{D0F58E34-138E-4397-8051-9A97FE4555A1}.exe
File created	C:\Windows\{B8613B4F-081F-401f-934B-6379EE923C75}.exe	{1BD21D7C-3E81-4409-98C9-25488679F196}.exe
File created	C:\Windows\{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe	{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe
File created	C:\Windows\{D0F58E34-138E-4397-8051-9A97FE4555A1}.exe	{ABEE85DF-E9E4-4aca-978B-0D5CEE64736E}.exe
File created	C:\Windows\{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe	{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe
File created	C:\Windows\{7491E479-4D32-4be8-860B-970712933B50}.exe	{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe
File created	C:\Windows\{ABEE85DF-E9E4-4aca-978B-0D5CEE64736E}.exe	{7491E479-4D32-4be8-860B-970712933B50}.exe
File created	C:\Windows\{92E692FD-0F9D-472c-9241-E7388A39A31F}.exe	{829A2CF5-D641-414f-86B7-6C6C02BA8EA8}.exe
File created	C:\Windows\{A89FADF5-E995-48b9-8FBC-F792FD11C591}.exe	{92E692FD-0F9D-472c-9241-E7388A39A31F}.exe
File created	C:\Windows\{1BD21D7C-3E81-4409-98C9-25488679F196}.exe	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe
File created	C:\Windows\{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe	{B8613B4F-081F-401f-934B-6379EE923C75}.exe
File created	C:\Windows\{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe	{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1236	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2872	{1BD21D7C-3E81-4409-98C9-25488679F196}.exe
Token: SeIncBasePriorityPrivilege	2708	{B8613B4F-081F-401f-934B-6379EE923C75}.exe
Token: SeIncBasePriorityPrivilege	2864	{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe
Token: SeIncBasePriorityPrivilege	2208	{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe
Token: SeIncBasePriorityPrivilege	2564	{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe
Token: SeIncBasePriorityPrivilege	3032	{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe
Token: SeIncBasePriorityPrivilege	2548	{7491E479-4D32-4be8-860B-970712933B50}.exe
Token: SeIncBasePriorityPrivilege	2744	{ABEE85DF-E9E4-4aca-978B-0D5CEE64736E}.exe
Token: SeIncBasePriorityPrivilege	2908	{D0F58E34-138E-4397-8051-9A97FE4555A1}.exe
Token: SeIncBasePriorityPrivilege	2508	{829A2CF5-D641-414f-86B7-6C6C02BA8EA8}.exe
Token: SeIncBasePriorityPrivilege	1952	{92E692FD-0F9D-472c-9241-E7388A39A31F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 2872	1236	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe	28
PID 1236 wrote to memory of 2872	1236	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe	28
PID 1236 wrote to memory of 2872	1236	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe	28
PID 1236 wrote to memory of 2872	1236	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe	28
PID 1236 wrote to memory of 2124	1236	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe	29
PID 1236 wrote to memory of 2124	1236	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe	29
PID 1236 wrote to memory of 2124	1236	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe	29
PID 1236 wrote to memory of 2124	1236	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe	29
PID 2872 wrote to memory of 2708	2872	{1BD21D7C-3E81-4409-98C9-25488679F196}.exe	30
PID 2872 wrote to memory of 2708	2872	{1BD21D7C-3E81-4409-98C9-25488679F196}.exe	30
PID 2872 wrote to memory of 2708	2872	{1BD21D7C-3E81-4409-98C9-25488679F196}.exe	30
PID 2872 wrote to memory of 2708	2872	{1BD21D7C-3E81-4409-98C9-25488679F196}.exe	30
PID 2872 wrote to memory of 2816	2872	{1BD21D7C-3E81-4409-98C9-25488679F196}.exe	31
PID 2872 wrote to memory of 2816	2872	{1BD21D7C-3E81-4409-98C9-25488679F196}.exe	31
PID 2872 wrote to memory of 2816	2872	{1BD21D7C-3E81-4409-98C9-25488679F196}.exe	31
PID 2872 wrote to memory of 2816	2872	{1BD21D7C-3E81-4409-98C9-25488679F196}.exe	31
PID 2708 wrote to memory of 2864	2708	{B8613B4F-081F-401f-934B-6379EE923C75}.exe	32
PID 2708 wrote to memory of 2864	2708	{B8613B4F-081F-401f-934B-6379EE923C75}.exe	32
PID 2708 wrote to memory of 2864	2708	{B8613B4F-081F-401f-934B-6379EE923C75}.exe	32
PID 2708 wrote to memory of 2864	2708	{B8613B4F-081F-401f-934B-6379EE923C75}.exe	32
PID 2708 wrote to memory of 2672	2708	{B8613B4F-081F-401f-934B-6379EE923C75}.exe	33
PID 2708 wrote to memory of 2672	2708	{B8613B4F-081F-401f-934B-6379EE923C75}.exe	33
PID 2708 wrote to memory of 2672	2708	{B8613B4F-081F-401f-934B-6379EE923C75}.exe	33
PID 2708 wrote to memory of 2672	2708	{B8613B4F-081F-401f-934B-6379EE923C75}.exe	33
PID 2864 wrote to memory of 2208	2864	{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe	36
PID 2864 wrote to memory of 2208	2864	{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe	36
PID 2864 wrote to memory of 2208	2864	{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe	36
PID 2864 wrote to memory of 2208	2864	{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe	36
PID 2864 wrote to memory of 2624	2864	{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe	37
PID 2864 wrote to memory of 2624	2864	{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe	37
PID 2864 wrote to memory of 2624	2864	{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe	37
PID 2864 wrote to memory of 2624	2864	{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe	37
PID 2208 wrote to memory of 2564	2208	{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe	38
PID 2208 wrote to memory of 2564	2208	{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe	38
PID 2208 wrote to memory of 2564	2208	{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe	38
PID 2208 wrote to memory of 2564	2208	{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe	38
PID 2208 wrote to memory of 2632	2208	{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe	39
PID 2208 wrote to memory of 2632	2208	{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe	39
PID 2208 wrote to memory of 2632	2208	{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe	39
PID 2208 wrote to memory of 2632	2208	{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe	39
PID 2564 wrote to memory of 3032	2564	{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe	40
PID 2564 wrote to memory of 3032	2564	{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe	40
PID 2564 wrote to memory of 3032	2564	{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe	40
PID 2564 wrote to memory of 3032	2564	{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe	40
PID 2564 wrote to memory of 2368	2564	{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe	41
PID 2564 wrote to memory of 2368	2564	{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe	41
PID 2564 wrote to memory of 2368	2564	{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe	41
PID 2564 wrote to memory of 2368	2564	{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe	41
PID 3032 wrote to memory of 2548	3032	{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe	42
PID 3032 wrote to memory of 2548	3032	{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe	42
PID 3032 wrote to memory of 2548	3032	{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe	42
PID 3032 wrote to memory of 2548	3032	{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe	42
PID 3032 wrote to memory of 1908	3032	{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe	43
PID 3032 wrote to memory of 1908	3032	{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe	43
PID 3032 wrote to memory of 1908	3032	{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe	43
PID 3032 wrote to memory of 1908	3032	{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe	43
PID 2548 wrote to memory of 2744	2548	{7491E479-4D32-4be8-860B-970712933B50}.exe	44
PID 2548 wrote to memory of 2744	2548	{7491E479-4D32-4be8-860B-970712933B50}.exe	44
PID 2548 wrote to memory of 2744	2548	{7491E479-4D32-4be8-860B-970712933B50}.exe	44
PID 2548 wrote to memory of 2744	2548	{7491E479-4D32-4be8-860B-970712933B50}.exe	44
PID 2548 wrote to memory of 2832	2548	{7491E479-4D32-4be8-860B-970712933B50}.exe	45
PID 2548 wrote to memory of 2832	2548	{7491E479-4D32-4be8-860B-970712933B50}.exe	45
PID 2548 wrote to memory of 2832	2548	{7491E479-4D32-4be8-860B-970712933B50}.exe	45
PID 2548 wrote to memory of 2832	2548	{7491E479-4D32-4be8-860B-970712933B50}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\{1BD21D7C-3E81-4409-98C9-25488679F196}.exe
  C:\Windows\{1BD21D7C-3E81-4409-98C9-25488679F196}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\{B8613B4F-081F-401f-934B-6379EE923C75}.exe
    C:\Windows\{B8613B4F-081F-401f-934B-6379EE923C75}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe
      C:\Windows\{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe
        
        C:\Windows\{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
      - C:\Windows\{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe
        
        C:\Windows\{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe
        
        C:\Windows\{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\{7491E479-4D32-4be8-860B-970712933B50}.exe
        
        C:\Windows\{7491E479-4D32-4be8-860B-970712933B50}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\{ABEE85DF-E9E4-4aca-978B-0D5CEE64736E}.exe
        
        C:\Windows\{ABEE85DF-E9E4-4aca-978B-0D5CEE64736E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABEE8~1.EXE > nul
        10⤵
        
        PID:2916
        
        C:\Windows\{D0F58E34-138E-4397-8051-9A97FE4555A1}.exe
        
        C:\Windows\{D0F58E34-138E-4397-8051-9A97FE4555A1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\{829A2CF5-D641-414f-86B7-6C6C02BA8EA8}.exe
        
        C:\Windows\{829A2CF5-D641-414f-86B7-6C6C02BA8EA8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\{92E692FD-0F9D-472c-9241-E7388A39A31F}.exe
        
        C:\Windows\{92E692FD-0F9D-472c-9241-E7388A39A31F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\{A89FADF5-E995-48b9-8FBC-F792FD11C591}.exe
        
        C:\Windows\{A89FADF5-E995-48b9-8FBC-F792FD11C591}.exe
        13⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92E69~1.EXE > nul
        13⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{829A2~1.EXE > nul
        12⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0F58~1.EXE > nul
        11⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7491E~1.EXE > nul
        9⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2ABC7~1.EXE > nul
        8⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D517D~1.EXE > nul
        7⤵
        
        PID:2368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C97D7~1.EXE > nul
        6⤵
        
        PID:2632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D248A~1.EXE > nul
        5⤵
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B8613~1.EXE > nul
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1BD21~1.EXE > nul
    3⤵
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1BD21D7C-3E81-4409-98C9-25488679F196}.exe

Filesize
372KB

MD5
7ed994723d7b12aa417d20864bc29629

SHA1
99914cbd95b9f04a712ba28721079a3c25e1effe

SHA256
2a8de7a96519179ed0243b596b933a4404119d876ac8f3cfbbab18ae65858ba9

SHA512
60db865c24e13d29cb9e123f663698446f8cd97bff5593db0685d9f3505c3bcab1b6c570ca13272c84c84bebaffe2ff71b0107eaf72362af7333cafcdf1d52e6

Download Submit
C:\Windows\{1BD21D7C-3E81-4409-98C9-25488679F196}.exe

Filesize
372KB

MD5
7ed994723d7b12aa417d20864bc29629

SHA1
99914cbd95b9f04a712ba28721079a3c25e1effe

SHA256
2a8de7a96519179ed0243b596b933a4404119d876ac8f3cfbbab18ae65858ba9

SHA512
60db865c24e13d29cb9e123f663698446f8cd97bff5593db0685d9f3505c3bcab1b6c570ca13272c84c84bebaffe2ff71b0107eaf72362af7333cafcdf1d52e6

Download Submit
C:\Windows\{1BD21D7C-3E81-4409-98C9-25488679F196}.exe

Filesize
372KB

MD5
7ed994723d7b12aa417d20864bc29629

SHA1
99914cbd95b9f04a712ba28721079a3c25e1effe

SHA256
2a8de7a96519179ed0243b596b933a4404119d876ac8f3cfbbab18ae65858ba9

SHA512
60db865c24e13d29cb9e123f663698446f8cd97bff5593db0685d9f3505c3bcab1b6c570ca13272c84c84bebaffe2ff71b0107eaf72362af7333cafcdf1d52e6

Download Submit
C:\Windows\{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe

Filesize
372KB

MD5
56f52d771cd24b5c8365cd613597cc77

SHA1
e33b0be59e405537222557c7de1701801ec18d6e

SHA256
f37034e48999db31d03f16ca915a9c4b1fd0059d5b227d2e07b98c700e915452

SHA512
71c0cffe7f413f3391a76894f9a71c589527b4d7120d5e8cbf36ec7762e79a6aeb34ce467c7768e989e7e0b37588bdf84fa0acfb63374717413245a82195f42a

Download Submit
C:\Windows\{2ABC7895-414E-4b62-B712-8F97121DFAB9}.exe

Filesize
372KB

MD5
56f52d771cd24b5c8365cd613597cc77

SHA1
e33b0be59e405537222557c7de1701801ec18d6e

SHA256
f37034e48999db31d03f16ca915a9c4b1fd0059d5b227d2e07b98c700e915452

SHA512
71c0cffe7f413f3391a76894f9a71c589527b4d7120d5e8cbf36ec7762e79a6aeb34ce467c7768e989e7e0b37588bdf84fa0acfb63374717413245a82195f42a

Download Submit
C:\Windows\{7491E479-4D32-4be8-860B-970712933B50}.exe

Filesize
372KB

MD5
a3e3ca7feea2b7a94fc4b92eafb42c17

SHA1
449e8fa7d8544826f0df59f4ff5ec1d978759c64

SHA256
292602b7c7602242cc03d3196315a9b9b52890048cd827e08a74b316b2db1c88

SHA512
7e7abb8d92342ea980abf1aa2133b8bea25a8f68a58839bb830329b95c3d53db1a283b5fa7ffe8624e7bdbf52acce0bd526e6e5b3932f684f54a909d0fe6d06a

Download Submit
C:\Windows\{7491E479-4D32-4be8-860B-970712933B50}.exe

Filesize
372KB

MD5
a3e3ca7feea2b7a94fc4b92eafb42c17

SHA1
449e8fa7d8544826f0df59f4ff5ec1d978759c64

SHA256
292602b7c7602242cc03d3196315a9b9b52890048cd827e08a74b316b2db1c88

SHA512
7e7abb8d92342ea980abf1aa2133b8bea25a8f68a58839bb830329b95c3d53db1a283b5fa7ffe8624e7bdbf52acce0bd526e6e5b3932f684f54a909d0fe6d06a

Download Submit
C:\Windows\{829A2CF5-D641-414f-86B7-6C6C02BA8EA8}.exe

Filesize
372KB

MD5
ca6aa41e79fc0bb0f8d605deb04a23d3

SHA1
d0839485e15ae7e08b2020518ea7e6997849e071

SHA256
2a1ff348c6f22e5acbeb932d4c7ee8a4710935bc1bb23c634ceb19c474ccc12c

SHA512
dc1921d4d1122ebaf1f02ed27130038b89dbe74f29d0ba2b89e37421ef1a7ba90c0727e424fe6a4d23e91857a157f955b2de93ea362f1ad832d7c985296b4a16

Download Submit
C:\Windows\{829A2CF5-D641-414f-86B7-6C6C02BA8EA8}.exe

Filesize
372KB

MD5
ca6aa41e79fc0bb0f8d605deb04a23d3

SHA1
d0839485e15ae7e08b2020518ea7e6997849e071

SHA256
2a1ff348c6f22e5acbeb932d4c7ee8a4710935bc1bb23c634ceb19c474ccc12c

SHA512
dc1921d4d1122ebaf1f02ed27130038b89dbe74f29d0ba2b89e37421ef1a7ba90c0727e424fe6a4d23e91857a157f955b2de93ea362f1ad832d7c985296b4a16

Download Submit
C:\Windows\{92E692FD-0F9D-472c-9241-E7388A39A31F}.exe

Filesize
372KB

MD5
14426697e8f389faa9e67805554c3243

SHA1
b612e9c3a8b050ddd5922f01078d68c725857dad

SHA256
c799d8ebe347d145062cc597441c33cf4442e10a9a9226879a52b9669a53e780

SHA512
4c70d3438a3b2d5c0ad103375d451cd0dec8e27ea33bc56f73d38e37bbe38d03d754694b62e75b88106043c5d34df547e5d45380b0f513ff1d63e64d20d3fcb7

Download Submit
C:\Windows\{92E692FD-0F9D-472c-9241-E7388A39A31F}.exe

Filesize
372KB

MD5
14426697e8f389faa9e67805554c3243

SHA1
b612e9c3a8b050ddd5922f01078d68c725857dad

SHA256
c799d8ebe347d145062cc597441c33cf4442e10a9a9226879a52b9669a53e780

SHA512
4c70d3438a3b2d5c0ad103375d451cd0dec8e27ea33bc56f73d38e37bbe38d03d754694b62e75b88106043c5d34df547e5d45380b0f513ff1d63e64d20d3fcb7

Download Submit
C:\Windows\{A89FADF5-E995-48b9-8FBC-F792FD11C591}.exe

Filesize
372KB

MD5
10033d9a9f60404b7be8a88b7f73f34a

SHA1
25a7fac66916e65d2e8082ba66cc6b6ec515590c

SHA256
04ff926d79e543d4898547b21ab1e2803e7ec1bfafce5edd73aeb76385054ff3

SHA512
6d783a2ae43273f1214cfc806395336f1fe126315e1b81e0d4577318227f043e9430eb6fdef0a7a00de8772e74a2df2bde6695d049df672ce3047d64f5e65abc

Download Submit
C:\Windows\{ABEE85DF-E9E4-4aca-978B-0D5CEE64736E}.exe

Filesize
372KB

MD5
51fdd6fd20040ebfe09d823c45d960e5

SHA1
f63aa3dbfb7cf6135340aa515759eb592a2432a9

SHA256
997a831cb2515648a4d70fed79e726d046caddba3c876d0f068fe62649d87eb4

SHA512
07ed373ef44ac0217c81b98cf643d9bb8a328cabe3fdec08c2db25dfd09b0d36bfb7f41a35dabff96009cfd5557e55d8867a0f14ef281f4432a0d83d4af382c3

Download Submit
C:\Windows\{ABEE85DF-E9E4-4aca-978B-0D5CEE64736E}.exe

Filesize
372KB

MD5
51fdd6fd20040ebfe09d823c45d960e5

SHA1
f63aa3dbfb7cf6135340aa515759eb592a2432a9

SHA256
997a831cb2515648a4d70fed79e726d046caddba3c876d0f068fe62649d87eb4

SHA512
07ed373ef44ac0217c81b98cf643d9bb8a328cabe3fdec08c2db25dfd09b0d36bfb7f41a35dabff96009cfd5557e55d8867a0f14ef281f4432a0d83d4af382c3

Download Submit
C:\Windows\{B8613B4F-081F-401f-934B-6379EE923C75}.exe

Filesize
372KB

MD5
ba2c39963b9856a528186a25da2f9194

SHA1
b00fa9bad5b955a54712ab05ac78cbdf1d8f8c3f

SHA256
f19d0d465c61ab29c7c5cc9d995086e608b209f42f3fabba90b4ad9b3bf540d8

SHA512
e5756406309a1a7531b52aa174c76fd465c3c03386bc0022c007b9407643dc5abceed4b6ad8a5b09de9cf99f3062823ed4de49d5cfee489411f90e4b0535d992

Download Submit
C:\Windows\{B8613B4F-081F-401f-934B-6379EE923C75}.exe

Filesize
372KB

MD5
ba2c39963b9856a528186a25da2f9194

SHA1
b00fa9bad5b955a54712ab05ac78cbdf1d8f8c3f

SHA256
f19d0d465c61ab29c7c5cc9d995086e608b209f42f3fabba90b4ad9b3bf540d8

SHA512
e5756406309a1a7531b52aa174c76fd465c3c03386bc0022c007b9407643dc5abceed4b6ad8a5b09de9cf99f3062823ed4de49d5cfee489411f90e4b0535d992

Download Submit
C:\Windows\{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe

Filesize
372KB

MD5
a422cb4b9ea56493ae3038a76db026fc

SHA1
e03f2e1f8753c7bb15d109c44ab8a23e061165c4

SHA256
f2aa43ef52870be7c9d55bc59ab1a2a801f2cbe88900365766d73b52e2e87935

SHA512
f6b87d7ba3196f811cf54bada1a6bb8438c7caa851c7df0234ce3a8d827bd55040c4759740432d999b990db56562406c6f9199e7a90f170e726cad7ab716557b

Download Submit
C:\Windows\{C97D722F-E9A9-445b-B594-DB511EA6EC0C}.exe

Filesize
372KB

MD5
a422cb4b9ea56493ae3038a76db026fc

SHA1
e03f2e1f8753c7bb15d109c44ab8a23e061165c4

SHA256
f2aa43ef52870be7c9d55bc59ab1a2a801f2cbe88900365766d73b52e2e87935

SHA512
f6b87d7ba3196f811cf54bada1a6bb8438c7caa851c7df0234ce3a8d827bd55040c4759740432d999b990db56562406c6f9199e7a90f170e726cad7ab716557b

Download Submit
C:\Windows\{D0F58E34-138E-4397-8051-9A97FE4555A1}.exe

Filesize
372KB

MD5
1078df9887ed2fe6556361c8114ddcd5

SHA1
92816aec3f9cad443a866d47fb7309b3553f7ea2

SHA256
a19bde65ba1647b93f4090b76dfc80162cde1dda9e6868dfcb51b206410b645a

SHA512
cc37bda59fa3bf609bac15b33492940babf2da38c2e6bef569a346f5115d0b352bfa14efce8740a917d88e6652c1b0da923ecd88d656895f9398c6ed84642a1f

Download Submit
C:\Windows\{D0F58E34-138E-4397-8051-9A97FE4555A1}.exe

Filesize
372KB

MD5
1078df9887ed2fe6556361c8114ddcd5

SHA1
92816aec3f9cad443a866d47fb7309b3553f7ea2

SHA256
a19bde65ba1647b93f4090b76dfc80162cde1dda9e6868dfcb51b206410b645a

SHA512
cc37bda59fa3bf609bac15b33492940babf2da38c2e6bef569a346f5115d0b352bfa14efce8740a917d88e6652c1b0da923ecd88d656895f9398c6ed84642a1f

Download Submit
C:\Windows\{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe

Filesize
372KB

MD5
86558571fbdcb66d573af4828033d2ec

SHA1
3b17e4246bd5ca15787ca4ea2084d194f26c3ad0

SHA256
6cd847c2db6d1463300e90382f3ced7ab27a479cda458b38eae6bd6322bfbff7

SHA512
aa98b51d05e34ba6de539a0b0c3185500d919e2bf1b7a19eb29a9b60f6b5d0d60dd3a2dfd61279c4bcc495662402e415dc0ffe94e55c8092399623422c5a711f

Download Submit
C:\Windows\{D248A8F7-AEAB-4257-8CB5-E798D3521052}.exe

Filesize
372KB

MD5
86558571fbdcb66d573af4828033d2ec

SHA1
3b17e4246bd5ca15787ca4ea2084d194f26c3ad0

SHA256
6cd847c2db6d1463300e90382f3ced7ab27a479cda458b38eae6bd6322bfbff7

SHA512
aa98b51d05e34ba6de539a0b0c3185500d919e2bf1b7a19eb29a9b60f6b5d0d60dd3a2dfd61279c4bcc495662402e415dc0ffe94e55c8092399623422c5a711f

Download Submit
C:\Windows\{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe

Filesize
372KB

MD5
95cb91a35584b33e56594b39f3b203df

SHA1
e8ee8bafeba8aee5c257c8061c122b2ab872ee42

SHA256
5fdebc4a6e8886df2ce2e97f7ef27d7a30da6ddcdaea28c280f589a1271ac68d

SHA512
f08bb11218216af8212d57b99cbb5e23569efc4feb88f46301313eb36c5bb8ce5e83157977fd1ac70cc61c8bf473ae84986d42a10c810fa8a777878903deb24e

Download Submit
C:\Windows\{D517D0B6-C513-441f-84C4-5C6BBBE3B631}.exe

Filesize
372KB

MD5
95cb91a35584b33e56594b39f3b203df

SHA1
e8ee8bafeba8aee5c257c8061c122b2ab872ee42

SHA256
5fdebc4a6e8886df2ce2e97f7ef27d7a30da6ddcdaea28c280f589a1271ac68d

SHA512
f08bb11218216af8212d57b99cbb5e23569efc4feb88f46301313eb36c5bb8ce5e83157977fd1ac70cc61c8bf473ae84986d42a10c810fa8a777878903deb24e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads