678088fbf7c059b198e2d9adeee1b3ce18c0c0770fdb0dc52691718863315803

Analysis

max time kernel
225s
max time network
227s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2023 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe
Size

372KB
MD5

8c1c1c35a3dfe792628564e667cd62a6
SHA1

90666aeb1ee4cfea1d5b9880c89da7cf6306f68e
SHA256

678088fbf7c059b198e2d9adeee1b3ce18c0c0770fdb0dc52691718863315803
SHA512

f8c4851c270bdb1937f36d3b30b1a0143f377e2cfc1bdf16391dd10b73e2dfddfd3745a69f14917ef703d2accd76920c9189337d48f07516e1114626418d4222
SSDEEP

3072:CEGh0oemlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGdl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1092E29-2051-4606-AFB9-7AB58B4B9683}\stubpath = "C:\\Windows\\{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe"	{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4C2E70F-4007-401b-8013-1E867C60338E}	{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4C2E70F-4007-401b-8013-1E867C60338E}\stubpath = "C:\\Windows\\{B4C2E70F-4007-401b-8013-1E867C60338E}.exe"	{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}	{B4C2E70F-4007-401b-8013-1E867C60338E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}\stubpath = "C:\\Windows\\{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe"	{B4C2E70F-4007-401b-8013-1E867C60338E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEED5511-5367-4b7e-9F85-3F87AA6B1173}	{2951D3BD-6A83-4252-AE41-62D480875530}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0B4DA87-F3E6-416a-8B24-4164A63133F8}\stubpath = "C:\\Windows\\{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe"	{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1092E29-2051-4606-AFB9-7AB58B4B9683}	{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}\stubpath = "C:\\Windows\\{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe"	{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66FF6DFF-2557-4692-8CCB-6EF1A9AA74FC}\stubpath = "C:\\Windows\\{66FF6DFF-2557-4692-8CCB-6EF1A9AA74FC}.exe"	{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2951D3BD-6A83-4252-AE41-62D480875530}	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0B4DA87-F3E6-416a-8B24-4164A63133F8}	{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}\stubpath = "C:\\Windows\\{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe"	{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEED5511-5367-4b7e-9F85-3F87AA6B1173}\stubpath = "C:\\Windows\\{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe"	{2951D3BD-6A83-4252-AE41-62D480875530}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4542C9DF-F0C3-40d5-955D-0DA963B77339}\stubpath = "C:\\Windows\\{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe"	{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}	{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66FF6DFF-2557-4692-8CCB-6EF1A9AA74FC}	{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2951D3BD-6A83-4252-AE41-62D480875530}\stubpath = "C:\\Windows\\{2951D3BD-6A83-4252-AE41-62D480875530}.exe"	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4542C9DF-F0C3-40d5-955D-0DA963B77339}	{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}	{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe

Executes dropped EXE 10 IoCs

pid	Process
4452	{2951D3BD-6A83-4252-AE41-62D480875530}.exe
1888	{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe
5104	{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe
1116	{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe
972	{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe
5028	{B4C2E70F-4007-401b-8013-1E867C60338E}.exe
2316	{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe
2864	{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe
4072	{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe
3740	{66FF6DFF-2557-4692-8CCB-6EF1A9AA74FC}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{2951D3BD-6A83-4252-AE41-62D480875530}.exe	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe
File created	C:\Windows\{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe	{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe
File created	C:\Windows\{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe	{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe
File created	C:\Windows\{B4C2E70F-4007-401b-8013-1E867C60338E}.exe	{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe
File created	C:\Windows\{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe	{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe
File created	C:\Windows\{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe	{2951D3BD-6A83-4252-AE41-62D480875530}.exe
File created	C:\Windows\{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe	{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe
File created	C:\Windows\{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe	{B4C2E70F-4007-401b-8013-1E867C60338E}.exe
File created	C:\Windows\{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe	{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe
File created	C:\Windows\{66FF6DFF-2557-4692-8CCB-6EF1A9AA74FC}.exe	{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4600	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4452	{2951D3BD-6A83-4252-AE41-62D480875530}.exe
Token: SeIncBasePriorityPrivilege	1888	{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe
Token: SeIncBasePriorityPrivilege	5104	{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe
Token: SeIncBasePriorityPrivilege	1116	{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe
Token: SeIncBasePriorityPrivilege	972	{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe
Token: SeIncBasePriorityPrivilege	5028	{B4C2E70F-4007-401b-8013-1E867C60338E}.exe
Token: SeIncBasePriorityPrivilege	2316	{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe
Token: SeIncBasePriorityPrivilege	2864	{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe
Token: SeIncBasePriorityPrivilege	4072	{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 4452	4600	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe	86
PID 4600 wrote to memory of 4452	4600	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe	86
PID 4600 wrote to memory of 4452	4600	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe	86
PID 4600 wrote to memory of 4228	4600	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe	87
PID 4600 wrote to memory of 4228	4600	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe	87
PID 4600 wrote to memory of 4228	4600	NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe	87
PID 4452 wrote to memory of 1888	4452	{2951D3BD-6A83-4252-AE41-62D480875530}.exe	89
PID 4452 wrote to memory of 1888	4452	{2951D3BD-6A83-4252-AE41-62D480875530}.exe	89
PID 4452 wrote to memory of 1888	4452	{2951D3BD-6A83-4252-AE41-62D480875530}.exe	89
PID 4452 wrote to memory of 4812	4452	{2951D3BD-6A83-4252-AE41-62D480875530}.exe	90
PID 4452 wrote to memory of 4812	4452	{2951D3BD-6A83-4252-AE41-62D480875530}.exe	90
PID 4452 wrote to memory of 4812	4452	{2951D3BD-6A83-4252-AE41-62D480875530}.exe	90
PID 1888 wrote to memory of 5104	1888	{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe	94
PID 1888 wrote to memory of 5104	1888	{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe	94
PID 1888 wrote to memory of 5104	1888	{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe	94
PID 1888 wrote to memory of 2676	1888	{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe	93
PID 1888 wrote to memory of 2676	1888	{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe	93
PID 1888 wrote to memory of 2676	1888	{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe	93
PID 5104 wrote to memory of 1116	5104	{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe	95
PID 5104 wrote to memory of 1116	5104	{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe	95
PID 5104 wrote to memory of 1116	5104	{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe	95
PID 5104 wrote to memory of 3924	5104	{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe	96
PID 5104 wrote to memory of 3924	5104	{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe	96
PID 5104 wrote to memory of 3924	5104	{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe	96
PID 1116 wrote to memory of 972	1116	{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe	97
PID 1116 wrote to memory of 972	1116	{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe	97
PID 1116 wrote to memory of 972	1116	{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe	97
PID 1116 wrote to memory of 1792	1116	{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe	98
PID 1116 wrote to memory of 1792	1116	{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe	98
PID 1116 wrote to memory of 1792	1116	{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe	98
PID 972 wrote to memory of 5028	972	{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe	99
PID 972 wrote to memory of 5028	972	{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe	99
PID 972 wrote to memory of 5028	972	{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe	99
PID 972 wrote to memory of 4820	972	{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe	100
PID 972 wrote to memory of 4820	972	{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe	100
PID 972 wrote to memory of 4820	972	{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe	100
PID 5028 wrote to memory of 2316	5028	{B4C2E70F-4007-401b-8013-1E867C60338E}.exe	101
PID 5028 wrote to memory of 2316	5028	{B4C2E70F-4007-401b-8013-1E867C60338E}.exe	101
PID 5028 wrote to memory of 2316	5028	{B4C2E70F-4007-401b-8013-1E867C60338E}.exe	101
PID 5028 wrote to memory of 3960	5028	{B4C2E70F-4007-401b-8013-1E867C60338E}.exe	102
PID 5028 wrote to memory of 3960	5028	{B4C2E70F-4007-401b-8013-1E867C60338E}.exe	102
PID 5028 wrote to memory of 3960	5028	{B4C2E70F-4007-401b-8013-1E867C60338E}.exe	102
PID 2316 wrote to memory of 2864	2316	{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe	103
PID 2316 wrote to memory of 2864	2316	{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe	103
PID 2316 wrote to memory of 2864	2316	{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe	103
PID 2316 wrote to memory of 4880	2316	{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe	104
PID 2316 wrote to memory of 4880	2316	{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe	104
PID 2316 wrote to memory of 4880	2316	{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe	104
PID 2864 wrote to memory of 4072	2864	{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe	105
PID 2864 wrote to memory of 4072	2864	{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe	105
PID 2864 wrote to memory of 4072	2864	{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe	105
PID 2864 wrote to memory of 984	2864	{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe	106
PID 2864 wrote to memory of 984	2864	{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe	106
PID 2864 wrote to memory of 984	2864	{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe	106
PID 4072 wrote to memory of 3740	4072	{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe	107
PID 4072 wrote to memory of 3740	4072	{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe	107
PID 4072 wrote to memory of 3740	4072	{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe	107
PID 4072 wrote to memory of 1408	4072	{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe	108
PID 4072 wrote to memory of 1408	4072	{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe	108
PID 4072 wrote to memory of 1408	4072	{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe	108

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_8c1c1c35a3dfe792628564e667cd62a6_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\{2951D3BD-6A83-4252-AE41-62D480875530}.exe
  C:\Windows\{2951D3BD-6A83-4252-AE41-62D480875530}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe
    C:\Windows\{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BEED5~1.EXE > nul
      4⤵
      PID:2676
  - - C:\Windows\{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe
      C:\Windows\{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5104
    - - C:\Windows\{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe
        
        C:\Windows\{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1116
      - C:\Windows\{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe
        
        C:\Windows\{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\{B4C2E70F-4007-401b-8013-1E867C60338E}.exe
        
        C:\Windows\{B4C2E70F-4007-401b-8013-1E867C60338E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe
        
        C:\Windows\{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe
        
        C:\Windows\{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe
        
        C:\Windows\{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\{66FF6DFF-2557-4692-8CCB-6EF1A9AA74FC}.exe
        
        C:\Windows\{66FF6DFF-2557-4692-8CCB-6EF1A9AA74FC}.exe
        11⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B312B~1.EXE > nul
        11⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFCAB~1.EXE > nul
        10⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{539F4~1.EXE > nul
        9⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4C2E~1.EXE > nul
        8⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1092~1.EXE > nul
        7⤵
        
        PID:4820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4542C~1.EXE > nul
        6⤵
        
        PID:1792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0B4D~1.EXE > nul
        5⤵
        
        PID:3924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2951D~1.EXE > nul
    3⤵
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2951D3BD-6A83-4252-AE41-62D480875530}.exe

Filesize
372KB

MD5
f7f4234141471fdb02850f226bfd5a02

SHA1
13f867b984bcffae40ca1769449b54088d7b1c10

SHA256
ca9e606c35af094976550a026799e69c7f18813ad1973967f7cdbd3d902a0082

SHA512
c01d65bf29ebd25efff13138420cdd95028fb821becfe784ee4accad059a2e0ccf9f14a7bd5de2b2fdc1f7b8aa6084cd2ba4dd48459d72bf5bdf2449ab3935a4

Download Submit
C:\Windows\{2951D3BD-6A83-4252-AE41-62D480875530}.exe

Filesize
372KB

MD5
f7f4234141471fdb02850f226bfd5a02

SHA1
13f867b984bcffae40ca1769449b54088d7b1c10

SHA256
ca9e606c35af094976550a026799e69c7f18813ad1973967f7cdbd3d902a0082

SHA512
c01d65bf29ebd25efff13138420cdd95028fb821becfe784ee4accad059a2e0ccf9f14a7bd5de2b2fdc1f7b8aa6084cd2ba4dd48459d72bf5bdf2449ab3935a4

Download Submit
C:\Windows\{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe

Filesize
372KB

MD5
3afa6227a4c28fb36fc81a71f2293011

SHA1
a1d0a0dbc841b0ca954e2de6429ec011d865c982

SHA256
930876b3fc02249dac65f1c40cd5a478d9e1ec8d2c0a5c34352d1a3282fa0322

SHA512
955fc706098c570f8d19d5d7bba1c1af2e522a6cc79592fb5f21f3544de1d5900b1d35c4acd3ceed5e723ebe4b6cc5c0797b94641846d1636de0e4b9805b626a

Download Submit
C:\Windows\{4542C9DF-F0C3-40d5-955D-0DA963B77339}.exe

Filesize
372KB

MD5
3afa6227a4c28fb36fc81a71f2293011

SHA1
a1d0a0dbc841b0ca954e2de6429ec011d865c982

SHA256
930876b3fc02249dac65f1c40cd5a478d9e1ec8d2c0a5c34352d1a3282fa0322

SHA512
955fc706098c570f8d19d5d7bba1c1af2e522a6cc79592fb5f21f3544de1d5900b1d35c4acd3ceed5e723ebe4b6cc5c0797b94641846d1636de0e4b9805b626a

Download Submit
C:\Windows\{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe

Filesize
372KB

MD5
3b65f6b19ba5ff4ce9bfefeb9545f4c2

SHA1
bc164ff4c5ed7f554c8a82a50c01e72b007c23a5

SHA256
27252341926293be65479144f41f181a0d7c59700463c0c938eb089772e1c208

SHA512
556781fec9936b755a42cb9c4a2a628594ccd29fde76f0bf32b487df0b523490166d96b37dd3ec0be96c193ff1c8bb186b4d3d5496a5c47db3181ca79c8951e1

Download Submit
C:\Windows\{539F43EA-EF7F-4cbc-8E39-924BF4999A3B}.exe

Filesize
372KB

MD5
3b65f6b19ba5ff4ce9bfefeb9545f4c2

SHA1
bc164ff4c5ed7f554c8a82a50c01e72b007c23a5

SHA256
27252341926293be65479144f41f181a0d7c59700463c0c938eb089772e1c208

SHA512
556781fec9936b755a42cb9c4a2a628594ccd29fde76f0bf32b487df0b523490166d96b37dd3ec0be96c193ff1c8bb186b4d3d5496a5c47db3181ca79c8951e1

Download Submit
C:\Windows\{66FF6DFF-2557-4692-8CCB-6EF1A9AA74FC}.exe

Filesize
372KB

MD5
9cc8b0f0d761739ec7f488d779cecdd5

SHA1
29454b87ade4842d618a05a1686b945ed0b3c0dd

SHA256
8153662d2610948c85954d6a785ec8f248defbe13caa8a58cad9ed370ddaaea8

SHA512
c813983511f0520959d4f8a85e2ece8a28c46c01446e62bfbbc4f6772219032cfefdfd205a99e229fc1df6eecf8f77d636a798454a9452d277b4393112bb6e84

Download Submit
C:\Windows\{66FF6DFF-2557-4692-8CCB-6EF1A9AA74FC}.exe

Filesize
372KB

MD5
9cc8b0f0d761739ec7f488d779cecdd5

SHA1
29454b87ade4842d618a05a1686b945ed0b3c0dd

SHA256
8153662d2610948c85954d6a785ec8f248defbe13caa8a58cad9ed370ddaaea8

SHA512
c813983511f0520959d4f8a85e2ece8a28c46c01446e62bfbbc4f6772219032cfefdfd205a99e229fc1df6eecf8f77d636a798454a9452d277b4393112bb6e84

Download Submit
C:\Windows\{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe

Filesize
372KB

MD5
63e4da5ba02f8badc46c8b5960d94d4b

SHA1
8d1f8cfc11343605df0888af58d37245b46b2b6e

SHA256
90654628fdeafba82959f697a458236f5a089cd291e4455b9dcc80449d9f04ed

SHA512
8823a4af24c60e4b6c966461af15b778695eeb7bed7bc1276b03ccfbae85147de338d6d8a986cf81814a335b0caa802f01f405e7e8909ac5e83d8e8af6501004

Download Submit
C:\Windows\{B312BF3B-7579-484e-A6CC-1A21F3B82BC7}.exe

Filesize
372KB

MD5
63e4da5ba02f8badc46c8b5960d94d4b

SHA1
8d1f8cfc11343605df0888af58d37245b46b2b6e

SHA256
90654628fdeafba82959f697a458236f5a089cd291e4455b9dcc80449d9f04ed

SHA512
8823a4af24c60e4b6c966461af15b778695eeb7bed7bc1276b03ccfbae85147de338d6d8a986cf81814a335b0caa802f01f405e7e8909ac5e83d8e8af6501004

Download Submit
C:\Windows\{B4C2E70F-4007-401b-8013-1E867C60338E}.exe

Filesize
372KB

MD5
bf76bc9586d649b6fae7c46dae535f71

SHA1
87dcd1592e66b35b57d71ab3d99ae54083f285c5

SHA256
6943fc0440c3cadc6dcbf49a957a380b20b415a41d35192956ba29edeae269c8

SHA512
cb51ca077dd266cf8fc6c690d2e7cf533ce6dc2a8102197e8df71fa9793920b4494ac84c85e8f49721c053cea77631360b07bd187defbcad7723c3445d515afa

Download Submit
C:\Windows\{B4C2E70F-4007-401b-8013-1E867C60338E}.exe

Filesize
372KB

MD5
bf76bc9586d649b6fae7c46dae535f71

SHA1
87dcd1592e66b35b57d71ab3d99ae54083f285c5

SHA256
6943fc0440c3cadc6dcbf49a957a380b20b415a41d35192956ba29edeae269c8

SHA512
cb51ca077dd266cf8fc6c690d2e7cf533ce6dc2a8102197e8df71fa9793920b4494ac84c85e8f49721c053cea77631360b07bd187defbcad7723c3445d515afa

Download Submit
C:\Windows\{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe

Filesize
372KB

MD5
cdac42d23213f14576afed41b14755f4

SHA1
5ecf2c44bc4ec035be20598bc51b0f32f7e41396

SHA256
982f9a70de1717afd41aa66fa0cf0a38090e413844bb0a739e720f076160e80f

SHA512
0d7321b86307f523d7652959c9044560f7a067c826ee0dde0b729814c8eaf9457f0e0533b4687f8cdb5f78ee3ccc595e97d0575a5104a16f64b6ec1aa6d8e2aa

Download Submit
C:\Windows\{BEED5511-5367-4b7e-9F85-3F87AA6B1173}.exe

Filesize
372KB

MD5
cdac42d23213f14576afed41b14755f4

SHA1
5ecf2c44bc4ec035be20598bc51b0f32f7e41396

SHA256
982f9a70de1717afd41aa66fa0cf0a38090e413844bb0a739e720f076160e80f

SHA512
0d7321b86307f523d7652959c9044560f7a067c826ee0dde0b729814c8eaf9457f0e0533b4687f8cdb5f78ee3ccc595e97d0575a5104a16f64b6ec1aa6d8e2aa

Download Submit
C:\Windows\{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe

Filesize
372KB

MD5
5784d26d2c1ff88941eef0fe99dbe16d

SHA1
182865df939f617805a1a1dd917a229b75fa5415

SHA256
5cc9131b7f62d353d2e3deb8d77e4d73b53786bd953424587d58ca6ff7857c88

SHA512
04edbcd804a04874e573ee144be409c590e964109e46b393ab6475dae920780e593abb2f16be47257f5395b0d7c6c8c465820854f63fab41b7d89f560fdb0e02

Download Submit
C:\Windows\{C1092E29-2051-4606-AFB9-7AB58B4B9683}.exe

Filesize
372KB

MD5
5784d26d2c1ff88941eef0fe99dbe16d

SHA1
182865df939f617805a1a1dd917a229b75fa5415

SHA256
5cc9131b7f62d353d2e3deb8d77e4d73b53786bd953424587d58ca6ff7857c88

SHA512
04edbcd804a04874e573ee144be409c590e964109e46b393ab6475dae920780e593abb2f16be47257f5395b0d7c6c8c465820854f63fab41b7d89f560fdb0e02

Download Submit
C:\Windows\{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe

Filesize
372KB

MD5
79383daafc014e46f78d3372cce6d5b1

SHA1
695c271a172d7df91ca0def8520b7a07a5955e1d

SHA256
12fcac5737b5c58a77805df698708defb9c83a707d76c011d0c8bcd2424f707a

SHA512
5518be0307428c05e235ffc5e3195784c9ad40aeb24e6e7d3ab7aedcd5b61cd9722252b746474988a51f3b2654de849f18b16577fc2921a30e7f50f60226022c

Download Submit
C:\Windows\{DFCAB8E2-59BE-4a96-B9C4-DA0B45421183}.exe

Filesize
372KB

MD5
79383daafc014e46f78d3372cce6d5b1

SHA1
695c271a172d7df91ca0def8520b7a07a5955e1d

SHA256
12fcac5737b5c58a77805df698708defb9c83a707d76c011d0c8bcd2424f707a

SHA512
5518be0307428c05e235ffc5e3195784c9ad40aeb24e6e7d3ab7aedcd5b61cd9722252b746474988a51f3b2654de849f18b16577fc2921a30e7f50f60226022c

Download Submit
C:\Windows\{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe

Filesize
372KB

MD5
f06126e163a5796563ba33cfe32eeb02

SHA1
856db01f2ca527ad724dbcfb411315c36b7950b9

SHA256
b449654f6ae8668216574785b1b52bf9bdc977ea7181a3dd2a63d448704e929b

SHA512
73745ad5212b4834b1db3552c553d5b116c4671bdcb715cd627e2b3520ecba0dc5e44ae94e9d9e6a5faf75641191d64d47d7ef21735b97ddf334396d16e391d0

Download Submit
C:\Windows\{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe

Filesize
372KB

MD5
f06126e163a5796563ba33cfe32eeb02

SHA1
856db01f2ca527ad724dbcfb411315c36b7950b9

SHA256
b449654f6ae8668216574785b1b52bf9bdc977ea7181a3dd2a63d448704e929b

SHA512
73745ad5212b4834b1db3552c553d5b116c4671bdcb715cd627e2b3520ecba0dc5e44ae94e9d9e6a5faf75641191d64d47d7ef21735b97ddf334396d16e391d0

Download Submit
C:\Windows\{F0B4DA87-F3E6-416a-8B24-4164A63133F8}.exe

Filesize
372KB

MD5
f06126e163a5796563ba33cfe32eeb02

SHA1
856db01f2ca527ad724dbcfb411315c36b7950b9

SHA256
b449654f6ae8668216574785b1b52bf9bdc977ea7181a3dd2a63d448704e929b

SHA512
73745ad5212b4834b1db3552c553d5b116c4671bdcb715cd627e2b3520ecba0dc5e44ae94e9d9e6a5faf75641191d64d47d7ef21735b97ddf334396d16e391d0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads