f4fa817347a98cf0a448ad136d86d0e5e78da37d045507ed9be79ff2a5d1c963

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe
Size

344KB
MD5

1a01b91f05a13c497c5fb732101a9ca2
SHA1

9ad759ec29e01ffcd24ff802d1db70690c4810e6
SHA256

f4fa817347a98cf0a448ad136d86d0e5e78da37d045507ed9be79ff2a5d1c963
SHA512

29f3a5d19d1f34c337cb789d1b1a775d0c7d7bc7b89deae7a2af2cf2a5668978af4235a25afd687157aaf6dc22b8fef42158af013bcd2b9ef6f78c48e04fd30b
SSDEEP

3072:mEGh0oclVOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGalVOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}\stubpath = "C:\\Windows\\{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe"	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{828CC61D-E0E5-49af-B14E-8ED3D629487C}	{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1C580E1-DE9C-4b42-A79E-6784382E62D2}	{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A81AE05-B7A3-4a9b-90FE-F7C3A9A9D1A6}\stubpath = "C:\\Windows\\{2A81AE05-B7A3-4a9b-90FE-F7C3A9A9D1A6}.exe"	{B2E9D825-C74A-4615-A105-83B510116049}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C719D1B7-153D-4ba6-A392-61E7BEC74313}	{2A81AE05-B7A3-4a9b-90FE-F7C3A9A9D1A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C719D1B7-153D-4ba6-A392-61E7BEC74313}\stubpath = "C:\\Windows\\{C719D1B7-153D-4ba6-A392-61E7BEC74313}.exe"	{2A81AE05-B7A3-4a9b-90FE-F7C3A9A9D1A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E22697FA-8323-4671-B59D-0C018976C32F}	{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}	{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3535106F-C3C2-42b0-8A8A-2BA1E9EBE9FE}	{C719D1B7-153D-4ba6-A392-61E7BEC74313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3535106F-C3C2-42b0-8A8A-2BA1E9EBE9FE}\stubpath = "C:\\Windows\\{3535106F-C3C2-42b0-8A8A-2BA1E9EBE9FE}.exe"	{C719D1B7-153D-4ba6-A392-61E7BEC74313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E22697FA-8323-4671-B59D-0C018976C32F}\stubpath = "C:\\Windows\\{E22697FA-8323-4671-B59D-0C018976C32F}.exe"	{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AE39B1B-1EDF-4107-9219-97F25F3C162A}	{E22697FA-8323-4671-B59D-0C018976C32F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AE39B1B-1EDF-4107-9219-97F25F3C162A}\stubpath = "C:\\Windows\\{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe"	{E22697FA-8323-4671-B59D-0C018976C32F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{251F0311-71AD-4ab9-A1A2-F2D8DDAF82FB}	{3535106F-C3C2-42b0-8A8A-2BA1E9EBE9FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{251F0311-71AD-4ab9-A1A2-F2D8DDAF82FB}\stubpath = "C:\\Windows\\{251F0311-71AD-4ab9-A1A2-F2D8DDAF82FB}.exe"	{3535106F-C3C2-42b0-8A8A-2BA1E9EBE9FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A81AE05-B7A3-4a9b-90FE-F7C3A9A9D1A6}	{B2E9D825-C74A-4615-A105-83B510116049}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{828CC61D-E0E5-49af-B14E-8ED3D629487C}\stubpath = "C:\\Windows\\{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe"	{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1C580E1-DE9C-4b42-A79E-6784382E62D2}\stubpath = "C:\\Windows\\{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe"	{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}\stubpath = "C:\\Windows\\{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe"	{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2E9D825-C74A-4615-A105-83B510116049}	{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2E9D825-C74A-4615-A105-83B510116049}\stubpath = "C:\\Windows\\{B2E9D825-C74A-4615-A105-83B510116049}.exe"	{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe

Deletes itself 1 IoCs

pid	Process
2032	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2400	{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe
2156	{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe
3020	{E22697FA-8323-4671-B59D-0C018976C32F}.exe
2676	{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe
2768	{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe
2760	{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe
2832	{B2E9D825-C74A-4615-A105-83B510116049}.exe
2600	{2A81AE05-B7A3-4a9b-90FE-F7C3A9A9D1A6}.exe
2588	{C719D1B7-153D-4ba6-A392-61E7BEC74313}.exe
2176	{3535106F-C3C2-42b0-8A8A-2BA1E9EBE9FE}.exe
1656	{251F0311-71AD-4ab9-A1A2-F2D8DDAF82FB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe	{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe
File created	C:\Windows\{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe	{E22697FA-8323-4671-B59D-0C018976C32F}.exe
File created	C:\Windows\{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe	{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe
File created	C:\Windows\{2A81AE05-B7A3-4a9b-90FE-F7C3A9A9D1A6}.exe	{B2E9D825-C74A-4615-A105-83B510116049}.exe
File created	C:\Windows\{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe
File created	C:\Windows\{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe	{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe
File created	C:\Windows\{B2E9D825-C74A-4615-A105-83B510116049}.exe	{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe
File created	C:\Windows\{C719D1B7-153D-4ba6-A392-61E7BEC74313}.exe	{2A81AE05-B7A3-4a9b-90FE-F7C3A9A9D1A6}.exe
File created	C:\Windows\{3535106F-C3C2-42b0-8A8A-2BA1E9EBE9FE}.exe	{C719D1B7-153D-4ba6-A392-61E7BEC74313}.exe
File created	C:\Windows\{251F0311-71AD-4ab9-A1A2-F2D8DDAF82FB}.exe	{3535106F-C3C2-42b0-8A8A-2BA1E9EBE9FE}.exe
File created	C:\Windows\{E22697FA-8323-4671-B59D-0C018976C32F}.exe	{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2500	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2400	{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe
Token: SeIncBasePriorityPrivilege	2156	{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe
Token: SeIncBasePriorityPrivilege	3020	{E22697FA-8323-4671-B59D-0C018976C32F}.exe
Token: SeIncBasePriorityPrivilege	2676	{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe
Token: SeIncBasePriorityPrivilege	2768	{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe
Token: SeIncBasePriorityPrivilege	2760	{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe
Token: SeIncBasePriorityPrivilege	2832	{B2E9D825-C74A-4615-A105-83B510116049}.exe
Token: SeIncBasePriorityPrivilege	2600	{2A81AE05-B7A3-4a9b-90FE-F7C3A9A9D1A6}.exe
Token: SeIncBasePriorityPrivilege	2588	{C719D1B7-153D-4ba6-A392-61E7BEC74313}.exe
Token: SeIncBasePriorityPrivilege	2176	{3535106F-C3C2-42b0-8A8A-2BA1E9EBE9FE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2400	2500	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe	28
PID 2500 wrote to memory of 2400	2500	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe	28
PID 2500 wrote to memory of 2400	2500	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe	28
PID 2500 wrote to memory of 2400	2500	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe	28
PID 2500 wrote to memory of 2032	2500	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe	29
PID 2500 wrote to memory of 2032	2500	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe	29
PID 2500 wrote to memory of 2032	2500	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe	29
PID 2500 wrote to memory of 2032	2500	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe	29
PID 2400 wrote to memory of 2156	2400	{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe	32
PID 2400 wrote to memory of 2156	2400	{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe	32
PID 2400 wrote to memory of 2156	2400	{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe	32
PID 2400 wrote to memory of 2156	2400	{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe	32
PID 2400 wrote to memory of 2628	2400	{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe	33
PID 2400 wrote to memory of 2628	2400	{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe	33
PID 2400 wrote to memory of 2628	2400	{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe	33
PID 2400 wrote to memory of 2628	2400	{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe	33
PID 2156 wrote to memory of 3020	2156	{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe	34
PID 2156 wrote to memory of 3020	2156	{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe	34
PID 2156 wrote to memory of 3020	2156	{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe	34
PID 2156 wrote to memory of 3020	2156	{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe	34
PID 2156 wrote to memory of 2192	2156	{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe	35
PID 2156 wrote to memory of 2192	2156	{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe	35
PID 2156 wrote to memory of 2192	2156	{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe	35
PID 2156 wrote to memory of 2192	2156	{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe	35
PID 3020 wrote to memory of 2676	3020	{E22697FA-8323-4671-B59D-0C018976C32F}.exe	36
PID 3020 wrote to memory of 2676	3020	{E22697FA-8323-4671-B59D-0C018976C32F}.exe	36
PID 3020 wrote to memory of 2676	3020	{E22697FA-8323-4671-B59D-0C018976C32F}.exe	36
PID 3020 wrote to memory of 2676	3020	{E22697FA-8323-4671-B59D-0C018976C32F}.exe	36
PID 3020 wrote to memory of 2784	3020	{E22697FA-8323-4671-B59D-0C018976C32F}.exe	37
PID 3020 wrote to memory of 2784	3020	{E22697FA-8323-4671-B59D-0C018976C32F}.exe	37
PID 3020 wrote to memory of 2784	3020	{E22697FA-8323-4671-B59D-0C018976C32F}.exe	37
PID 3020 wrote to memory of 2784	3020	{E22697FA-8323-4671-B59D-0C018976C32F}.exe	37
PID 2676 wrote to memory of 2768	2676	{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe	38
PID 2676 wrote to memory of 2768	2676	{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe	38
PID 2676 wrote to memory of 2768	2676	{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe	38
PID 2676 wrote to memory of 2768	2676	{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe	38
PID 2676 wrote to memory of 2680	2676	{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe	39
PID 2676 wrote to memory of 2680	2676	{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe	39
PID 2676 wrote to memory of 2680	2676	{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe	39
PID 2676 wrote to memory of 2680	2676	{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe	39
PID 2768 wrote to memory of 2760	2768	{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe	40
PID 2768 wrote to memory of 2760	2768	{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe	40
PID 2768 wrote to memory of 2760	2768	{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe	40
PID 2768 wrote to memory of 2760	2768	{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe	40
PID 2768 wrote to memory of 2752	2768	{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe	41
PID 2768 wrote to memory of 2752	2768	{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe	41
PID 2768 wrote to memory of 2752	2768	{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe	41
PID 2768 wrote to memory of 2752	2768	{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe	41
PID 2760 wrote to memory of 2832	2760	{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe	42
PID 2760 wrote to memory of 2832	2760	{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe	42
PID 2760 wrote to memory of 2832	2760	{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe	42
PID 2760 wrote to memory of 2832	2760	{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe	42
PID 2760 wrote to memory of 2792	2760	{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe	43
PID 2760 wrote to memory of 2792	2760	{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe	43
PID 2760 wrote to memory of 2792	2760	{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe	43
PID 2760 wrote to memory of 2792	2760	{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe	43
PID 2832 wrote to memory of 2600	2832	{B2E9D825-C74A-4615-A105-83B510116049}.exe	44
PID 2832 wrote to memory of 2600	2832	{B2E9D825-C74A-4615-A105-83B510116049}.exe	44
PID 2832 wrote to memory of 2600	2832	{B2E9D825-C74A-4615-A105-83B510116049}.exe	44
PID 2832 wrote to memory of 2600	2832	{B2E9D825-C74A-4615-A105-83B510116049}.exe	44
PID 2832 wrote to memory of 2536	2832	{B2E9D825-C74A-4615-A105-83B510116049}.exe	45
PID 2832 wrote to memory of 2536	2832	{B2E9D825-C74A-4615-A105-83B510116049}.exe	45
PID 2832 wrote to memory of 2536	2832	{B2E9D825-C74A-4615-A105-83B510116049}.exe	45
PID 2832 wrote to memory of 2536	2832	{B2E9D825-C74A-4615-A105-83B510116049}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe
  C:\Windows\{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe
    C:\Windows\{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\{E22697FA-8323-4671-B59D-0C018976C32F}.exe
      C:\Windows\{E22697FA-8323-4671-B59D-0C018976C32F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe
        
        C:\Windows\{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe
        
        C:\Windows\{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe
        
        C:\Windows\{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{B2E9D825-C74A-4615-A105-83B510116049}.exe
        
        C:\Windows\{B2E9D825-C74A-4615-A105-83B510116049}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\{2A81AE05-B7A3-4a9b-90FE-F7C3A9A9D1A6}.exe
        
        C:\Windows\{2A81AE05-B7A3-4a9b-90FE-F7C3A9A9D1A6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\{C719D1B7-153D-4ba6-A392-61E7BEC74313}.exe
        
        C:\Windows\{C719D1B7-153D-4ba6-A392-61E7BEC74313}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\{3535106F-C3C2-42b0-8A8A-2BA1E9EBE9FE}.exe
        
        C:\Windows\{3535106F-C3C2-42b0-8A8A-2BA1E9EBE9FE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\{251F0311-71AD-4ab9-A1A2-F2D8DDAF82FB}.exe
        
        C:\Windows\{251F0311-71AD-4ab9-A1A2-F2D8DDAF82FB}.exe
        12⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35351~1.EXE > nul
        12⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C719D~1.EXE > nul
        11⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A81A~1.EXE > nul
        10⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2E9D~1.EXE > nul
        9⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8439~1.EXE > nul
        8⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1C58~1.EXE > nul
        7⤵
        
        PID:2752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AE39~1.EXE > nul
        6⤵
        
        PID:2680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2269~1.EXE > nul
        5⤵
        
        PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{828CC~1.EXE > nul
      4⤵
      PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BCF52~1.EXE > nul
    3⤵
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{251F0311-71AD-4ab9-A1A2-F2D8DDAF82FB}.exe

Filesize
344KB

MD5
9c2acae965ae6232acf1c393a8e80063

SHA1
4051613be48a9295da01bd42bc09011608d70405

SHA256
3a1621f9e8fec2b4d8f0b1ad6776cc40830f8732641375673040a0faecabbba2

SHA512
878e7c9b526f136f219b2945f9fa4d16d32b8426a88fb204e01d0ee4bd7a19e5b9da11254fca3d9f29e1fca558ea831217f9513e7afd48707e1e9c7a627609e9

Download Submit
C:\Windows\{2A81AE05-B7A3-4a9b-90FE-F7C3A9A9D1A6}.exe

Filesize
344KB

MD5
2c4ebcc1ff83e53e28fb52aea44bc778

SHA1
f842c67319e542bf0ede4201a91e3b8c6f817592

SHA256
a166bdf978e43b0d0dd1ac4aebb4a0e133f4826f4ce1c201bc322d9535fdc86a

SHA512
58da4815649b41b95bc4448b2b7372d14187965629d6c23fadc58a269dfcdfc1b923349948d17a0a50ff4f0f2bd580bf57001806fa5705f15a83c60aa05faac2

Download Submit
C:\Windows\{2A81AE05-B7A3-4a9b-90FE-F7C3A9A9D1A6}.exe

Filesize
344KB

MD5
2c4ebcc1ff83e53e28fb52aea44bc778

SHA1
f842c67319e542bf0ede4201a91e3b8c6f817592

SHA256
a166bdf978e43b0d0dd1ac4aebb4a0e133f4826f4ce1c201bc322d9535fdc86a

SHA512
58da4815649b41b95bc4448b2b7372d14187965629d6c23fadc58a269dfcdfc1b923349948d17a0a50ff4f0f2bd580bf57001806fa5705f15a83c60aa05faac2

Download Submit
C:\Windows\{3535106F-C3C2-42b0-8A8A-2BA1E9EBE9FE}.exe

Filesize
344KB

MD5
d6f996fda8d7fa5e2a32b892e8792ded

SHA1
62783e2cc5d61a93de8659fb2a2138a67c9f86f7

SHA256
116f6915a01741a3982d8cf297b73c70cc090d3af73d281a8664f865a103e775

SHA512
de9695c1aaf8ddfdde448c240e837429ec12a8cf466f61db21b8742fbbd3be4de8b751d95b310993a92ec77db597a7fb2aea7f73d8b869107b5d561a95447589

Download Submit
C:\Windows\{3535106F-C3C2-42b0-8A8A-2BA1E9EBE9FE}.exe

Filesize
344KB

MD5
d6f996fda8d7fa5e2a32b892e8792ded

SHA1
62783e2cc5d61a93de8659fb2a2138a67c9f86f7

SHA256
116f6915a01741a3982d8cf297b73c70cc090d3af73d281a8664f865a103e775

SHA512
de9695c1aaf8ddfdde448c240e837429ec12a8cf466f61db21b8742fbbd3be4de8b751d95b310993a92ec77db597a7fb2aea7f73d8b869107b5d561a95447589

Download Submit
C:\Windows\{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe

Filesize
344KB

MD5
e3764207f14fd6c2b014c2ba27cecb8f

SHA1
43db98e247d6b9632bf456e54df61cdb778fde71

SHA256
a0e86f056f4218aefa93379fe7c744ae058901375293d2817142a9724f72229a

SHA512
891a8ea7d8ff62d341cf9ac097bee51cff30c4baf17dbc47fb935c83e6f9b7bdf07307d3c689ef2966a2d97487d341a88266a41c3ef92597b2ad9a2fd01e1cac

Download Submit
C:\Windows\{7AE39B1B-1EDF-4107-9219-97F25F3C162A}.exe

Filesize
344KB

MD5
e3764207f14fd6c2b014c2ba27cecb8f

SHA1
43db98e247d6b9632bf456e54df61cdb778fde71

SHA256
a0e86f056f4218aefa93379fe7c744ae058901375293d2817142a9724f72229a

SHA512
891a8ea7d8ff62d341cf9ac097bee51cff30c4baf17dbc47fb935c83e6f9b7bdf07307d3c689ef2966a2d97487d341a88266a41c3ef92597b2ad9a2fd01e1cac

Download Submit
C:\Windows\{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe

Filesize
344KB

MD5
a5ff32a03fdbe8d2391fb4c80fc63074

SHA1
987ef7a5ef8fae1da5768fdde7eacf1917221774

SHA256
6ee419887eb456ead70c7782a709b1262e8d40bacc0b19f85d73a640b827bb9d

SHA512
e4bf36d8ab05999686a0d32a8af7297c32039a0ba3901419f226c3be3dcb560b9400276c09130a99d443cd57663c1ddeffdb4d3fccf9e665d1beb38141394bbd

Download Submit
C:\Windows\{828CC61D-E0E5-49af-B14E-8ED3D629487C}.exe

Filesize
344KB

MD5
a5ff32a03fdbe8d2391fb4c80fc63074

SHA1
987ef7a5ef8fae1da5768fdde7eacf1917221774

SHA256
6ee419887eb456ead70c7782a709b1262e8d40bacc0b19f85d73a640b827bb9d

SHA512
e4bf36d8ab05999686a0d32a8af7297c32039a0ba3901419f226c3be3dcb560b9400276c09130a99d443cd57663c1ddeffdb4d3fccf9e665d1beb38141394bbd

Download Submit
C:\Windows\{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe

Filesize
344KB

MD5
ea4a0261accf1cc3626ba1078755db1e

SHA1
6e4bdc48a5d88dafcf9b7de398ebfcef8999f80e

SHA256
dfcce25608187214e9831bf39e464124dd5364bfb10c42c6f4692fe0a55ca8a5

SHA512
bb753d71f3768a91874d1e1ee381662731d70640c0d084797103d611f63ff9114bce81845c076437863dd34547fe06859feaf120aed2410b968637ea983fc686

Download Submit
C:\Windows\{A1C580E1-DE9C-4b42-A79E-6784382E62D2}.exe

Filesize
344KB

MD5
ea4a0261accf1cc3626ba1078755db1e

SHA1
6e4bdc48a5d88dafcf9b7de398ebfcef8999f80e

SHA256
dfcce25608187214e9831bf39e464124dd5364bfb10c42c6f4692fe0a55ca8a5

SHA512
bb753d71f3768a91874d1e1ee381662731d70640c0d084797103d611f63ff9114bce81845c076437863dd34547fe06859feaf120aed2410b968637ea983fc686

Download Submit
C:\Windows\{B2E9D825-C74A-4615-A105-83B510116049}.exe

Filesize
344KB

MD5
1e98e94df63a749f4b11e0850df6b99f

SHA1
d88e59206210392dd1059ccadcf31a0fd348a27e

SHA256
08fcef3ca6fe305f9af5079e889d8f33cf50850ca54d3a8b9e4761a21f722436

SHA512
e77f23094942b8f6478a77aff7dcdb1b0f30f62eac8d57b38194566c55ea2f70921ecad2ab0640dd32000dd8998ab9c6e01bb634648805b33652cd67f96a36b2

Download Submit
C:\Windows\{B2E9D825-C74A-4615-A105-83B510116049}.exe

Filesize
344KB

MD5
1e98e94df63a749f4b11e0850df6b99f

SHA1
d88e59206210392dd1059ccadcf31a0fd348a27e

SHA256
08fcef3ca6fe305f9af5079e889d8f33cf50850ca54d3a8b9e4761a21f722436

SHA512
e77f23094942b8f6478a77aff7dcdb1b0f30f62eac8d57b38194566c55ea2f70921ecad2ab0640dd32000dd8998ab9c6e01bb634648805b33652cd67f96a36b2

Download Submit
C:\Windows\{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe

Filesize
344KB

MD5
1bf49c35dccd1f4627fe90a98e757734

SHA1
c75d0843aa31e572beb703030b1bc62f5ab16a56

SHA256
e4552d7f968b1123a83060370545d652295cdad437b79d32732718e157a93dcf

SHA512
0ca56db43a2533dcebbc1dc6990cc9256e74ec0e41649f026ff6d2fb3262db203e213c58969a27a17d71824ce42745c7e582b279f41bab6e315409f9927f49fb

Download Submit
C:\Windows\{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe

Filesize
344KB

MD5
1bf49c35dccd1f4627fe90a98e757734

SHA1
c75d0843aa31e572beb703030b1bc62f5ab16a56

SHA256
e4552d7f968b1123a83060370545d652295cdad437b79d32732718e157a93dcf

SHA512
0ca56db43a2533dcebbc1dc6990cc9256e74ec0e41649f026ff6d2fb3262db203e213c58969a27a17d71824ce42745c7e582b279f41bab6e315409f9927f49fb

Download Submit
C:\Windows\{BCF52DD5-BF87-4cfa-B8AC-83895FE44088}.exe

Filesize
344KB

MD5
1bf49c35dccd1f4627fe90a98e757734

SHA1
c75d0843aa31e572beb703030b1bc62f5ab16a56

SHA256
e4552d7f968b1123a83060370545d652295cdad437b79d32732718e157a93dcf

SHA512
0ca56db43a2533dcebbc1dc6990cc9256e74ec0e41649f026ff6d2fb3262db203e213c58969a27a17d71824ce42745c7e582b279f41bab6e315409f9927f49fb

Download Submit
C:\Windows\{C719D1B7-153D-4ba6-A392-61E7BEC74313}.exe

Filesize
344KB

MD5
a545078c9d509f5d888cfdc965cecdf2

SHA1
7c03e3b5d43ec47d4dc7f27253bdbef15b30c9d9

SHA256
3d7021a96ada19c9e75d7f8e83a9b061ebf1c0654b49a1e00459e145b883a6cf

SHA512
664f353963883f60b2d38851151ad7ae708795ff1c01e4f466a467996af9fd2f61f0d4f59ffa54b0dfab38ff0cf77276f0d8ee410321eb9cfb93e73fec881b95

Download Submit
C:\Windows\{C719D1B7-153D-4ba6-A392-61E7BEC74313}.exe

Filesize
344KB

MD5
a545078c9d509f5d888cfdc965cecdf2

SHA1
7c03e3b5d43ec47d4dc7f27253bdbef15b30c9d9

SHA256
3d7021a96ada19c9e75d7f8e83a9b061ebf1c0654b49a1e00459e145b883a6cf

SHA512
664f353963883f60b2d38851151ad7ae708795ff1c01e4f466a467996af9fd2f61f0d4f59ffa54b0dfab38ff0cf77276f0d8ee410321eb9cfb93e73fec881b95

Download Submit
C:\Windows\{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe

Filesize
344KB

MD5
133b74b9d93659010070d17dc1e5dd75

SHA1
28a79bdb6dfc65ea15b87890d54618002ec8d2c4

SHA256
4a34ee23a917f8866762127311c524797587ae1ac760d0c250d053805f917d76

SHA512
6c6e78f001436c780de19255087e347ee562d68701ffd64e37a685b05d372b8a282aeafea34781529e2bae3a7126be77d9ac6b204a956980dbe3b9d7f5b19b66

Download Submit
C:\Windows\{C8439BAA-5F3C-418a-B81A-B8F0EF97A488}.exe

Filesize
344KB

MD5
133b74b9d93659010070d17dc1e5dd75

SHA1
28a79bdb6dfc65ea15b87890d54618002ec8d2c4

SHA256
4a34ee23a917f8866762127311c524797587ae1ac760d0c250d053805f917d76

SHA512
6c6e78f001436c780de19255087e347ee562d68701ffd64e37a685b05d372b8a282aeafea34781529e2bae3a7126be77d9ac6b204a956980dbe3b9d7f5b19b66

Download Submit
C:\Windows\{E22697FA-8323-4671-B59D-0C018976C32F}.exe

Filesize
344KB

MD5
eace808e4c760ca8a6840cd8524bbb41

SHA1
bf03b3546b42f200de17b07a642f0dfe737ad784

SHA256
da9d02c78f14d1132e09f8b1ef6a5cae285d66210a80756d5895e4cf309696fb

SHA512
f41265ffac7a5c6d18b1b6e582fbc829b8d7bb7ce7cacd08b82307e5178eb9e666d82e70de011b6d892ce332c8de0eac9f39df74609f64427bc902ac8f2a1a0b

Download Submit
C:\Windows\{E22697FA-8323-4671-B59D-0C018976C32F}.exe

Filesize
344KB

MD5
eace808e4c760ca8a6840cd8524bbb41

SHA1
bf03b3546b42f200de17b07a642f0dfe737ad784

SHA256
da9d02c78f14d1132e09f8b1ef6a5cae285d66210a80756d5895e4cf309696fb

SHA512
f41265ffac7a5c6d18b1b6e582fbc829b8d7bb7ce7cacd08b82307e5178eb9e666d82e70de011b6d892ce332c8de0eac9f39df74609f64427bc902ac8f2a1a0b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads