f4fa817347a98cf0a448ad136d86d0e5e78da37d045507ed9be79ff2a5d1c963

Analysis

max time kernel
156s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2023 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe
Size

344KB
MD5

1a01b91f05a13c497c5fb732101a9ca2
SHA1

9ad759ec29e01ffcd24ff802d1db70690c4810e6
SHA256

f4fa817347a98cf0a448ad136d86d0e5e78da37d045507ed9be79ff2a5d1c963
SHA512

29f3a5d19d1f34c337cb789d1b1a775d0c7d7bc7b89deae7a2af2cf2a5668978af4235a25afd687157aaf6dc22b8fef42158af013bcd2b9ef6f78c48e04fd30b
SSDEEP

3072:mEGh0oclVOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGalVOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}	{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F7B374A-6629-4b37-8364-A48EB76A5492}\stubpath = "C:\\Windows\\{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe"	{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}	{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE07C19B-D114-42db-84E6-8A037D841AB7}\stubpath = "C:\\Windows\\{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe"	{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88E5B69D-71A7-45fe-9C78-26D71091715F}	{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88E5B69D-71A7-45fe-9C78-26D71091715F}\stubpath = "C:\\Windows\\{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe"	{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D1D5376-A705-4d21-8EC2-019D3EB101B2}\stubpath = "C:\\Windows\\{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe"	{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}	{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E523669-B848-42e9-BD68-9044DC677695}\stubpath = "C:\\Windows\\{1E523669-B848-42e9-BD68-9044DC677695}.exe"	{446BD908-4781-424d-BF0E-9D174D109CF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}\stubpath = "C:\\Windows\\{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe"	{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE07C19B-D114-42db-84E6-8A037D841AB7}	{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}\stubpath = "C:\\Windows\\{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe"	{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{446BD908-4781-424d-BF0E-9D174D109CF2}\stubpath = "C:\\Windows\\{446BD908-4781-424d-BF0E-9D174D109CF2}.exe"	{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}\stubpath = "C:\\Windows\\{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe"	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D1D5376-A705-4d21-8EC2-019D3EB101B2}	{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F7B374A-6629-4b37-8364-A48EB76A5492}	{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}\stubpath = "C:\\Windows\\{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe"	{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{446BD908-4781-424d-BF0E-9D174D109CF2}	{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E523669-B848-42e9-BD68-9044DC677695}	{446BD908-4781-424d-BF0E-9D174D109CF2}.exe

Executes dropped EXE 10 IoCs

pid	Process
4136	{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe
1720	{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe
4492	{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe
840	{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe
3840	{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe
2752	{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe
5084	{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe
4832	{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe
4384	{446BD908-4781-424d-BF0E-9D174D109CF2}.exe
2956	{1E523669-B848-42e9-BD68-9044DC677695}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe
File created	C:\Windows\{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe	{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe
File created	C:\Windows\{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe	{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe
File created	C:\Windows\{1E523669-B848-42e9-BD68-9044DC677695}.exe	{446BD908-4781-424d-BF0E-9D174D109CF2}.exe
File created	C:\Windows\{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe	{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe
File created	C:\Windows\{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe	{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe
File created	C:\Windows\{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe	{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe
File created	C:\Windows\{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe	{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe
File created	C:\Windows\{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe	{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe
File created	C:\Windows\{446BD908-4781-424d-BF0E-9D174D109CF2}.exe	{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3176	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4136	{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe
Token: SeIncBasePriorityPrivilege	1720	{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe
Token: SeIncBasePriorityPrivilege	4492	{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe
Token: SeIncBasePriorityPrivilege	840	{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe
Token: SeIncBasePriorityPrivilege	3840	{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe
Token: SeIncBasePriorityPrivilege	2752	{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe
Token: SeIncBasePriorityPrivilege	5084	{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe
Token: SeIncBasePriorityPrivilege	4832	{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe
Token: SeIncBasePriorityPrivilege	4384	{446BD908-4781-424d-BF0E-9D174D109CF2}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 4136	3176	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe	89
PID 3176 wrote to memory of 4136	3176	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe	89
PID 3176 wrote to memory of 4136	3176	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe	89
PID 3176 wrote to memory of 3764	3176	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe	91
PID 3176 wrote to memory of 3764	3176	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe	91
PID 3176 wrote to memory of 3764	3176	NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe	91
PID 4136 wrote to memory of 1720	4136	{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe	94
PID 4136 wrote to memory of 1720	4136	{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe	94
PID 4136 wrote to memory of 1720	4136	{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe	94
PID 4136 wrote to memory of 3860	4136	{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe	95
PID 4136 wrote to memory of 3860	4136	{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe	95
PID 4136 wrote to memory of 3860	4136	{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe	95
PID 1720 wrote to memory of 4492	1720	{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe	98
PID 1720 wrote to memory of 4492	1720	{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe	98
PID 1720 wrote to memory of 4492	1720	{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe	98
PID 1720 wrote to memory of 4060	1720	{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe	97
PID 1720 wrote to memory of 4060	1720	{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe	97
PID 1720 wrote to memory of 4060	1720	{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe	97
PID 4492 wrote to memory of 840	4492	{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe	99
PID 4492 wrote to memory of 840	4492	{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe	99
PID 4492 wrote to memory of 840	4492	{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe	99
PID 4492 wrote to memory of 5028	4492	{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe	100
PID 4492 wrote to memory of 5028	4492	{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe	100
PID 4492 wrote to memory of 5028	4492	{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe	100
PID 840 wrote to memory of 3840	840	{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe	101
PID 840 wrote to memory of 3840	840	{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe	101
PID 840 wrote to memory of 3840	840	{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe	101
PID 840 wrote to memory of 4068	840	{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe	102
PID 840 wrote to memory of 4068	840	{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe	102
PID 840 wrote to memory of 4068	840	{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe	102
PID 3840 wrote to memory of 2752	3840	{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe	103
PID 3840 wrote to memory of 2752	3840	{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe	103
PID 3840 wrote to memory of 2752	3840	{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe	103
PID 3840 wrote to memory of 2608	3840	{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe	104
PID 3840 wrote to memory of 2608	3840	{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe	104
PID 3840 wrote to memory of 2608	3840	{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe	104
PID 2752 wrote to memory of 5084	2752	{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe	105
PID 2752 wrote to memory of 5084	2752	{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe	105
PID 2752 wrote to memory of 5084	2752	{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe	105
PID 2752 wrote to memory of 3452	2752	{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe	106
PID 2752 wrote to memory of 3452	2752	{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe	106
PID 2752 wrote to memory of 3452	2752	{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe	106
PID 5084 wrote to memory of 4832	5084	{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe	109
PID 5084 wrote to memory of 4832	5084	{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe	109
PID 5084 wrote to memory of 4832	5084	{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe	109
PID 5084 wrote to memory of 2844	5084	{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe	110
PID 5084 wrote to memory of 2844	5084	{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe	110
PID 5084 wrote to memory of 2844	5084	{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe	110
PID 4832 wrote to memory of 4384	4832	{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe	111
PID 4832 wrote to memory of 4384	4832	{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe	111
PID 4832 wrote to memory of 4384	4832	{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe	111
PID 4832 wrote to memory of 4040	4832	{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe	112
PID 4832 wrote to memory of 4040	4832	{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe	112
PID 4832 wrote to memory of 4040	4832	{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe	112
PID 4384 wrote to memory of 2956	4384	{446BD908-4781-424d-BF0E-9D174D109CF2}.exe	113
PID 4384 wrote to memory of 2956	4384	{446BD908-4781-424d-BF0E-9D174D109CF2}.exe	113
PID 4384 wrote to memory of 2956	4384	{446BD908-4781-424d-BF0E-9D174D109CF2}.exe	113
PID 4384 wrote to memory of 5108	4384	{446BD908-4781-424d-BF0E-9D174D109CF2}.exe	114
PID 4384 wrote to memory of 5108	4384	{446BD908-4781-424d-BF0E-9D174D109CF2}.exe	114
PID 4384 wrote to memory of 5108	4384	{446BD908-4781-424d-BF0E-9D174D109CF2}.exe	114

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_1a01b91f05a13c497c5fb732101a9ca2_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe
  C:\Windows\{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe
    C:\Windows\{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6D1D5~1.EXE > nul
      4⤵
      PID:4060
  - - C:\Windows\{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe
      C:\Windows\{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Windows\{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe
        
        C:\Windows\{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
      - C:\Windows\{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe
        
        C:\Windows\{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe
        
        C:\Windows\{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe
        
        C:\Windows\{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe
        
        C:\Windows\{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\{446BD908-4781-424d-BF0E-9D174D109CF2}.exe
        
        C:\Windows\{446BD908-4781-424d-BF0E-9D174D109CF2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\{1E523669-B848-42e9-BD68-9044DC677695}.exe
        
        C:\Windows\{1E523669-B848-42e9-BD68-9044DC677695}.exe
        11⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{446BD~1.EXE > nul
        11⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0A9D~1.EXE > nul
        10⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88E5B~1.EXE > nul
        9⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE07C~1.EXE > nul
        8⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D588~1.EXE > nul
        7⤵
        
        PID:2608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A08BD~1.EXE > nul
        6⤵
        
        PID:4068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F7B3~1.EXE > nul
        5⤵
        
        PID:5028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AA7C5~1.EXE > nul
    3⤵
    PID:3860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe

Filesize
344KB

MD5
b27a217baeb9cef3a0eee063f4a66f25

SHA1
2a5a3b7c1535ff88e095eb30969b3e7a6158588e

SHA256
792e319ad2719752cd5d239e8a3e9becc195979b30a27758e818c1e404891445

SHA512
d117532dce5fe666d0e35c5a6e4cea5fd5193c02b3ba8ce7c618fcbc597fbfe9e74226217ab857308c8e738be85d37ff52b226705ab5ab6f7628b15d348254e8

Download Submit
C:\Windows\{1D588103-0668-46b9-BFE3-BB2EFDC27F9D}.exe

Filesize
344KB

MD5
b27a217baeb9cef3a0eee063f4a66f25

SHA1
2a5a3b7c1535ff88e095eb30969b3e7a6158588e

SHA256
792e319ad2719752cd5d239e8a3e9becc195979b30a27758e818c1e404891445

SHA512
d117532dce5fe666d0e35c5a6e4cea5fd5193c02b3ba8ce7c618fcbc597fbfe9e74226217ab857308c8e738be85d37ff52b226705ab5ab6f7628b15d348254e8

Download Submit
C:\Windows\{1E523669-B848-42e9-BD68-9044DC677695}.exe

Filesize
344KB

MD5
e04ef629b829f52a218eb465232f9aea

SHA1
fc7a4aab9908cd7134a764acf7960ba621eeedac

SHA256
faa813ed66ddf57bd3f19edc3a8a8533f484e1a4cd3bc942360226ef79d6c916

SHA512
f1969a2df08807b1c3ee19afa4d162e63a929db13fe8285aedb7fdd59614f6b79d7e7b6fc9100c8a1f9db50a6b0c5cea8a31ec8a27adbd8a240eb9f9b8838530

Download Submit
C:\Windows\{1E523669-B848-42e9-BD68-9044DC677695}.exe

Filesize
344KB

MD5
e04ef629b829f52a218eb465232f9aea

SHA1
fc7a4aab9908cd7134a764acf7960ba621eeedac

SHA256
faa813ed66ddf57bd3f19edc3a8a8533f484e1a4cd3bc942360226ef79d6c916

SHA512
f1969a2df08807b1c3ee19afa4d162e63a929db13fe8285aedb7fdd59614f6b79d7e7b6fc9100c8a1f9db50a6b0c5cea8a31ec8a27adbd8a240eb9f9b8838530

Download Submit
C:\Windows\{446BD908-4781-424d-BF0E-9D174D109CF2}.exe

Filesize
344KB

MD5
58b8fc1098233ac50df76b5fe10085f3

SHA1
35c27c61d217047c01ffdd9ab82da5647d2fa57f

SHA256
9a5d1c7856f0c20708bbb162f0d30170320609f90d77791fe971121fc5b680bc

SHA512
fa7539ab17847ab0f97b24646614c24fa69d0f487e86e5b0f8db841b216633968bdec2832aab7a21433593a4a8ae2d1b16c2aee3b29e12feeb19eba9cf947c52

Download Submit
C:\Windows\{446BD908-4781-424d-BF0E-9D174D109CF2}.exe

Filesize
344KB

MD5
58b8fc1098233ac50df76b5fe10085f3

SHA1
35c27c61d217047c01ffdd9ab82da5647d2fa57f

SHA256
9a5d1c7856f0c20708bbb162f0d30170320609f90d77791fe971121fc5b680bc

SHA512
fa7539ab17847ab0f97b24646614c24fa69d0f487e86e5b0f8db841b216633968bdec2832aab7a21433593a4a8ae2d1b16c2aee3b29e12feeb19eba9cf947c52

Download Submit
C:\Windows\{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe

Filesize
344KB

MD5
285aa55c7b50c9089964093d0c87bee7

SHA1
d2a15e87d6b3157c6e941a3cff73b9b46eed9d6b

SHA256
b638303743675f8d016dae1c8cccb9192de553e669d83821e5d43dc8074a267d

SHA512
c187c9fb91f919c70249964e9a50dc4ce83c80a5bb9496db0499f1665971274a82e9b518495c266b4dc0d9c87579ebe0c9a96495d8d420094c2b89c1e3b8371c

Download Submit
C:\Windows\{6D1D5376-A705-4d21-8EC2-019D3EB101B2}.exe

Filesize
344KB

MD5
285aa55c7b50c9089964093d0c87bee7

SHA1
d2a15e87d6b3157c6e941a3cff73b9b46eed9d6b

SHA256
b638303743675f8d016dae1c8cccb9192de553e669d83821e5d43dc8074a267d

SHA512
c187c9fb91f919c70249964e9a50dc4ce83c80a5bb9496db0499f1665971274a82e9b518495c266b4dc0d9c87579ebe0c9a96495d8d420094c2b89c1e3b8371c

Download Submit
C:\Windows\{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe

Filesize
344KB

MD5
121371afdeac6dc96cb2da04fdcadcf8

SHA1
6216bf42521b8180c87e7d6b0a2dc00cc1a3512d

SHA256
88cc1d21ace8777b9cb1973f5f7bbcba0182a786d38f70dd77c509bff3d867f5

SHA512
d72227a5ee3e756ac359d5bbb1ecf6806819900b863e34355bf678be3bb5ace53855398fdfe30daed265771d3b0116fd274006cfce04f5e495edad46a2fb7ec0

Download Submit
C:\Windows\{88E5B69D-71A7-45fe-9C78-26D71091715F}.exe

Filesize
344KB

MD5
121371afdeac6dc96cb2da04fdcadcf8

SHA1
6216bf42521b8180c87e7d6b0a2dc00cc1a3512d

SHA256
88cc1d21ace8777b9cb1973f5f7bbcba0182a786d38f70dd77c509bff3d867f5

SHA512
d72227a5ee3e756ac359d5bbb1ecf6806819900b863e34355bf678be3bb5ace53855398fdfe30daed265771d3b0116fd274006cfce04f5e495edad46a2fb7ec0

Download Submit
C:\Windows\{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe

Filesize
344KB

MD5
e3f1d0835c46fbbc4bd45cb89c1eae02

SHA1
92599fc072b1ea74975b921e00000e5c7121c919

SHA256
ec6612576348075c958ddd25d897a32d2a7bc3410833378c1d0af83e6c563153

SHA512
557a9c8399d61c670e6ef7cdc216d147a2540f8fe288378d70e0f1a0319f920e017905cd7faa1b364ccdd52ff6091384142bfdff647b4c7be14872c1f7d53dba

Download Submit
C:\Windows\{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe

Filesize
344KB

MD5
e3f1d0835c46fbbc4bd45cb89c1eae02

SHA1
92599fc072b1ea74975b921e00000e5c7121c919

SHA256
ec6612576348075c958ddd25d897a32d2a7bc3410833378c1d0af83e6c563153

SHA512
557a9c8399d61c670e6ef7cdc216d147a2540f8fe288378d70e0f1a0319f920e017905cd7faa1b364ccdd52ff6091384142bfdff647b4c7be14872c1f7d53dba

Download Submit
C:\Windows\{8F7B374A-6629-4b37-8364-A48EB76A5492}.exe

Filesize
344KB

MD5
e3f1d0835c46fbbc4bd45cb89c1eae02

SHA1
92599fc072b1ea74975b921e00000e5c7121c919

SHA256
ec6612576348075c958ddd25d897a32d2a7bc3410833378c1d0af83e6c563153

SHA512
557a9c8399d61c670e6ef7cdc216d147a2540f8fe288378d70e0f1a0319f920e017905cd7faa1b364ccdd52ff6091384142bfdff647b4c7be14872c1f7d53dba

Download Submit
C:\Windows\{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe

Filesize
344KB

MD5
3edbcdbca9066e71b60e6e60acfbf9d2

SHA1
d418302277944a5f0b6717d162b0f3e449bbb9fc

SHA256
a563b8d8ebb7cca730bc1c4075eb2fa97949dca9a11a6823afb07112d6f03ccb

SHA512
cd39f2a599a89e1f00bf7dc7907146e2e6f5e988ddf5ed8b12e1cc089450f82d337bf82a92c53a051d52bb4ddebc1efd450c846d7fc34c45ee0b442ef0eb8ec4

Download Submit
C:\Windows\{A08BD968-1C83-4e52-95A3-B86C3D1C0CBD}.exe

Filesize
344KB

MD5
3edbcdbca9066e71b60e6e60acfbf9d2

SHA1
d418302277944a5f0b6717d162b0f3e449bbb9fc

SHA256
a563b8d8ebb7cca730bc1c4075eb2fa97949dca9a11a6823afb07112d6f03ccb

SHA512
cd39f2a599a89e1f00bf7dc7907146e2e6f5e988ddf5ed8b12e1cc089450f82d337bf82a92c53a051d52bb4ddebc1efd450c846d7fc34c45ee0b442ef0eb8ec4

Download Submit
C:\Windows\{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe

Filesize
344KB

MD5
2f94e0b9f0e73c866a361e6cb552fcba

SHA1
62e2fa39b65b89764e3d04801f87e6441fac14ed

SHA256
920351ddd0587ab9aa6c306db46f33662f17dbe6bb3da285fd0faa7179f4a30a

SHA512
1c4d19a2c4cbb4266a2dcee4caa203677cbd21ab65447fc7a75c4c375ce0a0dc2c1cf81ff229039607e309e2c1f947f46c7d95e80e453abf1ad2768c0b5f7e3e

Download Submit
C:\Windows\{AA7C5D24-6886-4bd5-B20B-B2B4F81F64F8}.exe

Filesize
344KB

MD5
2f94e0b9f0e73c866a361e6cb552fcba

SHA1
62e2fa39b65b89764e3d04801f87e6441fac14ed

SHA256
920351ddd0587ab9aa6c306db46f33662f17dbe6bb3da285fd0faa7179f4a30a

SHA512
1c4d19a2c4cbb4266a2dcee4caa203677cbd21ab65447fc7a75c4c375ce0a0dc2c1cf81ff229039607e309e2c1f947f46c7d95e80e453abf1ad2768c0b5f7e3e

Download Submit
C:\Windows\{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe

Filesize
344KB

MD5
52addd4db276e189aa0b4e42a8e11b35

SHA1
14de1870536af87888e0544dcb78975291cd8c77

SHA256
ead842182da8f6899047854bd3d0a0518750edae9777cf261cd31071b42a0305

SHA512
9b5c845a5fc91c1aed254e1846fb89f4894832504ff9b09efe9eb95f5ff9209324228d53c1e1d470b5dcbddb8f215453262e112c05b8e2a352066a5398b50656

Download Submit
C:\Windows\{CE07C19B-D114-42db-84E6-8A037D841AB7}.exe

Filesize
344KB

MD5
52addd4db276e189aa0b4e42a8e11b35

SHA1
14de1870536af87888e0544dcb78975291cd8c77

SHA256
ead842182da8f6899047854bd3d0a0518750edae9777cf261cd31071b42a0305

SHA512
9b5c845a5fc91c1aed254e1846fb89f4894832504ff9b09efe9eb95f5ff9209324228d53c1e1d470b5dcbddb8f215453262e112c05b8e2a352066a5398b50656

Download Submit
C:\Windows\{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe

Filesize
344KB

MD5
61d51d66701e11284c3b2e299e7e28e6

SHA1
e3ff2e4ba33118986cc055e1794a913a1850054c

SHA256
ebac9888e0c1e238b6b1fb625151a52dcc785db136110ca73f4b863cd5dd3fa8

SHA512
849b6c4541304e90768a8097c651c173083e9bcabe90a65c7b0a17e57f5948a15a79359b10c6107f960d1716eb96ac1278d158b3e683ff38696b680e23ea6b34

Download Submit
C:\Windows\{F0A9DFFF-D91A-4b3f-862C-2F0D69739D52}.exe

Filesize
344KB

MD5
61d51d66701e11284c3b2e299e7e28e6

SHA1
e3ff2e4ba33118986cc055e1794a913a1850054c

SHA256
ebac9888e0c1e238b6b1fb625151a52dcc785db136110ca73f4b863cd5dd3fa8

SHA512
849b6c4541304e90768a8097c651c173083e9bcabe90a65c7b0a17e57f5948a15a79359b10c6107f960d1716eb96ac1278d158b3e683ff38696b680e23ea6b34

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads