cd9c791060306bffeb21f92e51e903e3519506eabcb6dcd28475ec926e8e49fe

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe
Size

204KB
MD5

ad9a9285cf157d5f9014ad704e8cb27a
SHA1

a73f251d4da30d30381ef516cc60ab8009c23fa2
SHA256

cd9c791060306bffeb21f92e51e903e3519506eabcb6dcd28475ec926e8e49fe
SHA512

5bf943abe0143a5a3dee6d9647ca4a0aa0336f5878eda8cf109a0174b5f4ab3d98a78b53817c36412447377b8d943c5a187d8f8e304aee4f121056ab850a0675
SSDEEP

1536:1EGh0oXl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oXl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}\stubpath = "C:\\Windows\\{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe"	{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11BDAEE5-252A-49bd-9987-E209895B8D60}\stubpath = "C:\\Windows\\{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe"	{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27A46670-626E-46b9-AEDC-F5700C31674F}\stubpath = "C:\\Windows\\{27A46670-626E-46b9-AEDC-F5700C31674F}.exe"	{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3484E57C-E763-4eb2-AE41-E8C22435376E}\stubpath = "C:\\Windows\\{3484E57C-E763-4eb2-AE41-E8C22435376E}.exe"	{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9115E3D-6869-4e7c-BE5E-0332DF3FC795}	{6DB27120-279F-4d30-AD44-0E26C0C20747}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16F4A86A-E903-457f-BE3F-1EAEE37383EC}	{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16F4A86A-E903-457f-BE3F-1EAEE37383EC}\stubpath = "C:\\Windows\\{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe"	{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D9914FF-ECA4-4231-B5ED-E22A616FE790}	{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11BDAEE5-252A-49bd-9987-E209895B8D60}	{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3484E57C-E763-4eb2-AE41-E8C22435376E}	{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DB27120-279F-4d30-AD44-0E26C0C20747}	{3484E57C-E763-4eb2-AE41-E8C22435376E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DB27120-279F-4d30-AD44-0E26C0C20747}\stubpath = "C:\\Windows\\{6DB27120-279F-4d30-AD44-0E26C0C20747}.exe"	{3484E57C-E763-4eb2-AE41-E8C22435376E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9115E3D-6869-4e7c-BE5E-0332DF3FC795}\stubpath = "C:\\Windows\\{F9115E3D-6869-4e7c-BE5E-0332DF3FC795}.exe"	{6DB27120-279F-4d30-AD44-0E26C0C20747}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D9914FF-ECA4-4231-B5ED-E22A616FE790}\stubpath = "C:\\Windows\\{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe"	{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27A46670-626E-46b9-AEDC-F5700C31674F}	{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48B726CC-A69A-4a3b-B041-1D02FF13B342}	{27A46670-626E-46b9-AEDC-F5700C31674F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6224530E-0E5C-48fd-B207-9BA36231D1A4}\stubpath = "C:\\Windows\\{6224530E-0E5C-48fd-B207-9BA36231D1A4}.exe"	{F9115E3D-6869-4e7c-BE5E-0332DF3FC795}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}\stubpath = "C:\\Windows\\{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe"	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48B726CC-A69A-4a3b-B041-1D02FF13B342}\stubpath = "C:\\Windows\\{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe"	{27A46670-626E-46b9-AEDC-F5700C31674F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}	{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6224530E-0E5C-48fd-B207-9BA36231D1A4}	{F9115E3D-6869-4e7c-BE5E-0332DF3FC795}.exe

Deletes itself 1 IoCs

pid	Process
3052	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2476	{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe
2928	{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe
2304	{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe
2116	{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe
2808	{27A46670-626E-46b9-AEDC-F5700C31674F}.exe
2940	{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe
2852	{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe
2708	{3484E57C-E763-4eb2-AE41-E8C22435376E}.exe
2568	{6DB27120-279F-4d30-AD44-0E26C0C20747}.exe
3008	{F9115E3D-6869-4e7c-BE5E-0332DF3FC795}.exe
1816	{6224530E-0E5C-48fd-B207-9BA36231D1A4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe
File created	C:\Windows\{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe	{27A46670-626E-46b9-AEDC-F5700C31674F}.exe
File created	C:\Windows\{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe	{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe
File created	C:\Windows\{3484E57C-E763-4eb2-AE41-E8C22435376E}.exe	{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe
File created	C:\Windows\{6DB27120-279F-4d30-AD44-0E26C0C20747}.exe	{3484E57C-E763-4eb2-AE41-E8C22435376E}.exe
File created	C:\Windows\{F9115E3D-6869-4e7c-BE5E-0332DF3FC795}.exe	{6DB27120-279F-4d30-AD44-0E26C0C20747}.exe
File created	C:\Windows\{6224530E-0E5C-48fd-B207-9BA36231D1A4}.exe	{F9115E3D-6869-4e7c-BE5E-0332DF3FC795}.exe
File created	C:\Windows\{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe	{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe
File created	C:\Windows\{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe	{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe
File created	C:\Windows\{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe	{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe
File created	C:\Windows\{27A46670-626E-46b9-AEDC-F5700C31674F}.exe	{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1764	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2476	{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe
Token: SeIncBasePriorityPrivilege	2928	{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe
Token: SeIncBasePriorityPrivilege	2304	{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe
Token: SeIncBasePriorityPrivilege	2116	{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe
Token: SeIncBasePriorityPrivilege	2808	{27A46670-626E-46b9-AEDC-F5700C31674F}.exe
Token: SeIncBasePriorityPrivilege	2940	{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe
Token: SeIncBasePriorityPrivilege	2852	{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe
Token: SeIncBasePriorityPrivilege	2708	{3484E57C-E763-4eb2-AE41-E8C22435376E}.exe
Token: SeIncBasePriorityPrivilege	2568	{6DB27120-279F-4d30-AD44-0E26C0C20747}.exe
Token: SeIncBasePriorityPrivilege	3008	{F9115E3D-6869-4e7c-BE5E-0332DF3FC795}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2476	1764	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe	28
PID 1764 wrote to memory of 2476	1764	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe	28
PID 1764 wrote to memory of 2476	1764	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe	28
PID 1764 wrote to memory of 2476	1764	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe	28
PID 1764 wrote to memory of 3052	1764	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe	29
PID 1764 wrote to memory of 3052	1764	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe	29
PID 1764 wrote to memory of 3052	1764	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe	29
PID 1764 wrote to memory of 3052	1764	NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe	29
PID 2476 wrote to memory of 2928	2476	{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe	32
PID 2476 wrote to memory of 2928	2476	{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe	32
PID 2476 wrote to memory of 2928	2476	{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe	32
PID 2476 wrote to memory of 2928	2476	{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe	32
PID 2476 wrote to memory of 2944	2476	{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe	33
PID 2476 wrote to memory of 2944	2476	{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe	33
PID 2476 wrote to memory of 2944	2476	{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe	33
PID 2476 wrote to memory of 2944	2476	{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe	33
PID 2928 wrote to memory of 2304	2928	{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe	34
PID 2928 wrote to memory of 2304	2928	{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe	34
PID 2928 wrote to memory of 2304	2928	{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe	34
PID 2928 wrote to memory of 2304	2928	{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe	34
PID 2928 wrote to memory of 3020	2928	{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe	35
PID 2928 wrote to memory of 3020	2928	{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe	35
PID 2928 wrote to memory of 3020	2928	{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe	35
PID 2928 wrote to memory of 3020	2928	{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe	35
PID 2304 wrote to memory of 2116	2304	{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe	36
PID 2304 wrote to memory of 2116	2304	{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe	36
PID 2304 wrote to memory of 2116	2304	{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe	36
PID 2304 wrote to memory of 2116	2304	{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe	36
PID 2304 wrote to memory of 2700	2304	{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe	37
PID 2304 wrote to memory of 2700	2304	{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe	37
PID 2304 wrote to memory of 2700	2304	{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe	37
PID 2304 wrote to memory of 2700	2304	{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe	37
PID 2116 wrote to memory of 2808	2116	{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe	38
PID 2116 wrote to memory of 2808	2116	{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe	38
PID 2116 wrote to memory of 2808	2116	{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe	38
PID 2116 wrote to memory of 2808	2116	{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe	38
PID 2116 wrote to memory of 2724	2116	{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe	39
PID 2116 wrote to memory of 2724	2116	{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe	39
PID 2116 wrote to memory of 2724	2116	{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe	39
PID 2116 wrote to memory of 2724	2116	{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe	39
PID 2808 wrote to memory of 2940	2808	{27A46670-626E-46b9-AEDC-F5700C31674F}.exe	40
PID 2808 wrote to memory of 2940	2808	{27A46670-626E-46b9-AEDC-F5700C31674F}.exe	40
PID 2808 wrote to memory of 2940	2808	{27A46670-626E-46b9-AEDC-F5700C31674F}.exe	40
PID 2808 wrote to memory of 2940	2808	{27A46670-626E-46b9-AEDC-F5700C31674F}.exe	40
PID 2808 wrote to memory of 2388	2808	{27A46670-626E-46b9-AEDC-F5700C31674F}.exe	41
PID 2808 wrote to memory of 2388	2808	{27A46670-626E-46b9-AEDC-F5700C31674F}.exe	41
PID 2808 wrote to memory of 2388	2808	{27A46670-626E-46b9-AEDC-F5700C31674F}.exe	41
PID 2808 wrote to memory of 2388	2808	{27A46670-626E-46b9-AEDC-F5700C31674F}.exe	41
PID 2940 wrote to memory of 2852	2940	{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe	43
PID 2940 wrote to memory of 2852	2940	{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe	43
PID 2940 wrote to memory of 2852	2940	{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe	43
PID 2940 wrote to memory of 2852	2940	{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe	43
PID 2940 wrote to memory of 2596	2940	{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe	42
PID 2940 wrote to memory of 2596	2940	{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe	42
PID 2940 wrote to memory of 2596	2940	{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe	42
PID 2940 wrote to memory of 2596	2940	{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe	42
PID 2852 wrote to memory of 2708	2852	{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe	44
PID 2852 wrote to memory of 2708	2852	{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe	44
PID 2852 wrote to memory of 2708	2852	{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe	44
PID 2852 wrote to memory of 2708	2852	{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe	44
PID 2852 wrote to memory of 2620	2852	{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe	45
PID 2852 wrote to memory of 2620	2852	{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe	45
PID 2852 wrote to memory of 2620	2852	{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe	45
PID 2852 wrote to memory of 2620	2852	{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_ad9a9285cf157d5f9014ad704e8cb27a_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe
  C:\Windows\{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe
    C:\Windows\{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe
      C:\Windows\{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe
        
        C:\Windows\{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\{27A46670-626E-46b9-AEDC-F5700C31674F}.exe
        
        C:\Windows\{27A46670-626E-46b9-AEDC-F5700C31674F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe
        
        C:\Windows\{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48B72~1.EXE > nul
        8⤵
        
        PID:2596
        
        C:\Windows\{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe
        
        C:\Windows\{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{3484E57C-E763-4eb2-AE41-E8C22435376E}.exe
        
        C:\Windows\{3484E57C-E763-4eb2-AE41-E8C22435376E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3484E~1.EXE > nul
        10⤵
        
        PID:2636
        
        C:\Windows\{6DB27120-279F-4d30-AD44-0E26C0C20747}.exe
        
        C:\Windows\{6DB27120-279F-4d30-AD44-0E26C0C20747}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\{F9115E3D-6869-4e7c-BE5E-0332DF3FC795}.exe
        
        C:\Windows\{F9115E3D-6869-4e7c-BE5E-0332DF3FC795}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\{6224530E-0E5C-48fd-B207-9BA36231D1A4}.exe
        
        C:\Windows\{6224530E-0E5C-48fd-B207-9BA36231D1A4}.exe
        12⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9115~1.EXE > nul
        12⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DB27~1.EXE > nul
        11⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9B6F~1.EXE > nul
        9⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27A46~1.EXE > nul
        7⤵
        
        PID:2388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11BDA~1.EXE > nul
        6⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D991~1.EXE > nul
        5⤵
        
        PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{16F4A~1.EXE > nul
      4⤵
      PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2D54C~1.EXE > nul
    3⤵
    PID:2944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe

Filesize
204KB

MD5
26fd74103cacc1a0019b6e55f30cd181

SHA1
a06d8ae8c316fa9b13db71dd107631b13e81690e

SHA256
446c7a8a2dcd2e4d19a684b0ad540d0828aa40475e34ba29bf38ed40e78cab08

SHA512
b0c042f0ae9aee2b3ff575802131a5fa1df7937c457032f8249b55fa920cf911e569abdd81ccc409d16fbd8d42f0e7c6606ed85000ab4c93cd5949a4a8218928

Download Submit
C:\Windows\{11BDAEE5-252A-49bd-9987-E209895B8D60}.exe

Filesize
204KB

MD5
26fd74103cacc1a0019b6e55f30cd181

SHA1
a06d8ae8c316fa9b13db71dd107631b13e81690e

SHA256
446c7a8a2dcd2e4d19a684b0ad540d0828aa40475e34ba29bf38ed40e78cab08

SHA512
b0c042f0ae9aee2b3ff575802131a5fa1df7937c457032f8249b55fa920cf911e569abdd81ccc409d16fbd8d42f0e7c6606ed85000ab4c93cd5949a4a8218928

Download Submit
C:\Windows\{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe

Filesize
204KB

MD5
73ef6292e037e48dc278fcb84ad07a0e

SHA1
78ea4634172c9e381180c8d4a9a22d42a793726e

SHA256
03561c017683868fbe1d875f3048996920939a74f5e1258421c492bbc79deacc

SHA512
f3ddcf24036305fc8aa4d75c4ffd2b45faa32ba216fee9d54bed6ed3444788d4c8e9995a639273d1a800d440ebbbfc4605afa4a6198888afb96708768c70dbe4

Download Submit
C:\Windows\{16F4A86A-E903-457f-BE3F-1EAEE37383EC}.exe

Filesize
204KB

MD5
73ef6292e037e48dc278fcb84ad07a0e

SHA1
78ea4634172c9e381180c8d4a9a22d42a793726e

SHA256
03561c017683868fbe1d875f3048996920939a74f5e1258421c492bbc79deacc

SHA512
f3ddcf24036305fc8aa4d75c4ffd2b45faa32ba216fee9d54bed6ed3444788d4c8e9995a639273d1a800d440ebbbfc4605afa4a6198888afb96708768c70dbe4

Download Submit
C:\Windows\{27A46670-626E-46b9-AEDC-F5700C31674F}.exe

Filesize
204KB

MD5
f67ebdf046a289e9177fe8f9b3cdb8d2

SHA1
e6dbd95a007167ed1fb153a0fc081ee931a218b9

SHA256
570a611016efacc4c3f9baadd5b59d4abe41f5cf1190a0839f6d5dd0f2b8b05b

SHA512
0c9fbfe834c884f8e9d5e1e2085cf5ab560f600dd01bcfc21b886fffee1a3316931d663a770543ea6a2e42421e1d7038fc63becb34c13371f2fe86ed44d96f6b

Download Submit
C:\Windows\{27A46670-626E-46b9-AEDC-F5700C31674F}.exe

Filesize
204KB

MD5
f67ebdf046a289e9177fe8f9b3cdb8d2

SHA1
e6dbd95a007167ed1fb153a0fc081ee931a218b9

SHA256
570a611016efacc4c3f9baadd5b59d4abe41f5cf1190a0839f6d5dd0f2b8b05b

SHA512
0c9fbfe834c884f8e9d5e1e2085cf5ab560f600dd01bcfc21b886fffee1a3316931d663a770543ea6a2e42421e1d7038fc63becb34c13371f2fe86ed44d96f6b

Download Submit
C:\Windows\{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe

Filesize
204KB

MD5
378afec4d8a9bb3820ebbdbd529ef754

SHA1
6ac12ebf3fd8cf7ec094b84518d6ae4d583adb5b

SHA256
04bdfefaa4ad498531a469502030b9ef37a444a78393952c50148ec3ab847bcd

SHA512
85b2b4bdef1bd4b0b0abfb1ddcde163c579967584656fbd786358470c335ecff7d12a58552d8aaa9d2357990ee9f6e85ab3c42a3c3462c6ed09be43c6c3c65b8

Download Submit
C:\Windows\{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe

Filesize
204KB

MD5
378afec4d8a9bb3820ebbdbd529ef754

SHA1
6ac12ebf3fd8cf7ec094b84518d6ae4d583adb5b

SHA256
04bdfefaa4ad498531a469502030b9ef37a444a78393952c50148ec3ab847bcd

SHA512
85b2b4bdef1bd4b0b0abfb1ddcde163c579967584656fbd786358470c335ecff7d12a58552d8aaa9d2357990ee9f6e85ab3c42a3c3462c6ed09be43c6c3c65b8

Download Submit
C:\Windows\{2D54C1EB-6C5B-41bf-83E8-E68182FC81C2}.exe

Filesize
204KB

MD5
378afec4d8a9bb3820ebbdbd529ef754

SHA1
6ac12ebf3fd8cf7ec094b84518d6ae4d583adb5b

SHA256
04bdfefaa4ad498531a469502030b9ef37a444a78393952c50148ec3ab847bcd

SHA512
85b2b4bdef1bd4b0b0abfb1ddcde163c579967584656fbd786358470c335ecff7d12a58552d8aaa9d2357990ee9f6e85ab3c42a3c3462c6ed09be43c6c3c65b8

Download Submit
C:\Windows\{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe

Filesize
204KB

MD5
691a45e5e690a04d7d917ea8caad3979

SHA1
a2de4a15209a6ee7dd337405ae9c84584af3ae6e

SHA256
d9c3e28755e4e92d41d6e8d0bcddcc9400c647df14e68f00b33a18748cf9855b

SHA512
5f6479040174a0798be2bd4a11b0a5ef947749e2e0e96dc0a1f0d53a99f2b957931072bc9d6589dd504e173d12579cddea400d79b44bb641a67b13247f7517ba

Download Submit
C:\Windows\{2D9914FF-ECA4-4231-B5ED-E22A616FE790}.exe

Filesize
204KB

MD5
691a45e5e690a04d7d917ea8caad3979

SHA1
a2de4a15209a6ee7dd337405ae9c84584af3ae6e

SHA256
d9c3e28755e4e92d41d6e8d0bcddcc9400c647df14e68f00b33a18748cf9855b

SHA512
5f6479040174a0798be2bd4a11b0a5ef947749e2e0e96dc0a1f0d53a99f2b957931072bc9d6589dd504e173d12579cddea400d79b44bb641a67b13247f7517ba

Download Submit
C:\Windows\{3484E57C-E763-4eb2-AE41-E8C22435376E}.exe

Filesize
204KB

MD5
8df31a0d6830ab8a651dd7f34bcab4e8

SHA1
0671f74a4b3d06c7c794c6c04d977d6e9b0cea76

SHA256
f4d97bac8b2dd621785734a6ee9fdb81703b54ad7618cbd64355f1a0a6a79c9e

SHA512
ac5d31bb0eed3c48a072121caa6896869f2d997a04a2243f2d9f5890fc07a62a3fc554debf67012794e6847de79a353fcaba0a7bc56e1745081870e6682ac43c

Download Submit
C:\Windows\{3484E57C-E763-4eb2-AE41-E8C22435376E}.exe

Filesize
204KB

MD5
8df31a0d6830ab8a651dd7f34bcab4e8

SHA1
0671f74a4b3d06c7c794c6c04d977d6e9b0cea76

SHA256
f4d97bac8b2dd621785734a6ee9fdb81703b54ad7618cbd64355f1a0a6a79c9e

SHA512
ac5d31bb0eed3c48a072121caa6896869f2d997a04a2243f2d9f5890fc07a62a3fc554debf67012794e6847de79a353fcaba0a7bc56e1745081870e6682ac43c

Download Submit
C:\Windows\{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe

Filesize
204KB

MD5
7d5b37bdd30f61cead41933141a3e2ae

SHA1
3af118708494629be62f27e74305658b381c09fd

SHA256
7056b8624e06d7a522895c34deb2db13108a80d410a696fb5d2e4f12003f2829

SHA512
dafaa5aac1f75d981ffa0cf489df37d9930fa8175a1033e680cdd436fe356191e2b6fb7618b65b2a267b4e074b62139b9ae21e8f61262e4e94a990b772e3c76c

Download Submit
C:\Windows\{48B726CC-A69A-4a3b-B041-1D02FF13B342}.exe

Filesize
204KB

MD5
7d5b37bdd30f61cead41933141a3e2ae

SHA1
3af118708494629be62f27e74305658b381c09fd

SHA256
7056b8624e06d7a522895c34deb2db13108a80d410a696fb5d2e4f12003f2829

SHA512
dafaa5aac1f75d981ffa0cf489df37d9930fa8175a1033e680cdd436fe356191e2b6fb7618b65b2a267b4e074b62139b9ae21e8f61262e4e94a990b772e3c76c

Download Submit
C:\Windows\{6224530E-0E5C-48fd-B207-9BA36231D1A4}.exe

Filesize
204KB

MD5
1634be008da9c7421beed76f3c1c4409

SHA1
08e2353fd504be4c1a50f9b571339056fc7bf6da

SHA256
8ff9b841e8e47dbfef57b19f6a9334c5f305167a23832bc6d19f2508dd13e1c9

SHA512
bd5954be68e620b26d2d816b023cbc64c3ee0e945af3e789c79b177cb5fe6475535b4a5739134f7baeb195ceac58ab6b13a27d2c62f5d15cd66362edc4b8c227

Download Submit
C:\Windows\{6DB27120-279F-4d30-AD44-0E26C0C20747}.exe

Filesize
204KB

MD5
4a8adea4a7af52f5013f5788f5b78a4a

SHA1
72fda0bb1b63e60d2e389982ae745085db54f4d3

SHA256
4de935840a4252b9d38a231462737f6ccbf4da99b2396e38a80231b762de1f4b

SHA512
e9c3ad87695c5e70a477b0d3a172d7cb240d9a2824024aed5c8b3b1374977c505468604256c00b9d874c4a9a45c5578245ade362d249e1a044a3fee41428266a

Download Submit
C:\Windows\{6DB27120-279F-4d30-AD44-0E26C0C20747}.exe

Filesize
204KB

MD5
4a8adea4a7af52f5013f5788f5b78a4a

SHA1
72fda0bb1b63e60d2e389982ae745085db54f4d3

SHA256
4de935840a4252b9d38a231462737f6ccbf4da99b2396e38a80231b762de1f4b

SHA512
e9c3ad87695c5e70a477b0d3a172d7cb240d9a2824024aed5c8b3b1374977c505468604256c00b9d874c4a9a45c5578245ade362d249e1a044a3fee41428266a

Download Submit
C:\Windows\{F9115E3D-6869-4e7c-BE5E-0332DF3FC795}.exe

Filesize
204KB

MD5
4fb26974fae017e05fb2a1baf9a63ea5

SHA1
3401345c61ab6f713f4e496fdd87dcfc1cf9248c

SHA256
151eb8823b917e3c4666e81204247ee5dc4b6698b6bc4d34ff8269123aba5a36

SHA512
8074d911f5cd77ae134a80db19c694e61959f5d1c077127195df00221e7df040ab194706582d439663f5138082b453a0d41a7066ac35ef1c2472eeee9a030c7b

Download Submit
C:\Windows\{F9115E3D-6869-4e7c-BE5E-0332DF3FC795}.exe

Filesize
204KB

MD5
4fb26974fae017e05fb2a1baf9a63ea5

SHA1
3401345c61ab6f713f4e496fdd87dcfc1cf9248c

SHA256
151eb8823b917e3c4666e81204247ee5dc4b6698b6bc4d34ff8269123aba5a36

SHA512
8074d911f5cd77ae134a80db19c694e61959f5d1c077127195df00221e7df040ab194706582d439663f5138082b453a0d41a7066ac35ef1c2472eeee9a030c7b

Download Submit
C:\Windows\{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe

Filesize
204KB

MD5
29ed3849b7e18cfee96c88765977b901

SHA1
b7b97e8ffb219512a2d9c709d049853391903f1f

SHA256
99957695d3a3c516212e09d9c23af44e0aba110d0c23f8d16dc7bc82bfd73c1a

SHA512
722dca18b2b1aab21e450183979376850ba61bf79112a499f707e2e3fffaea06e5d647899d7996497b8090deb144cbd3623751090e6572cb859d24b597fecd16

Download Submit
C:\Windows\{F9B6F4CC-B388-46f5-80DC-E478F910AAFC}.exe

Filesize
204KB

MD5
29ed3849b7e18cfee96c88765977b901

SHA1
b7b97e8ffb219512a2d9c709d049853391903f1f

SHA256
99957695d3a3c516212e09d9c23af44e0aba110d0c23f8d16dc7bc82bfd73c1a

SHA512
722dca18b2b1aab21e450183979376850ba61bf79112a499f707e2e3fffaea06e5d647899d7996497b8090deb144cbd3623751090e6572cb859d24b597fecd16

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads