531ee80627d29144e8e68b4aa1bc56a13585a316679916500326a2cc8e2326cf

Analysis

max time kernel
151s
max time network
131s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-07_987db58802f4eb37c5c7d6a302f2fd27_goldeneye_JC.exe
Size

344KB
MD5

987db58802f4eb37c5c7d6a302f2fd27
SHA1

2409bc6da9d71eac549696f57dc084e3e6c3f003
SHA256

531ee80627d29144e8e68b4aa1bc56a13585a316679916500326a2cc8e2326cf
SHA512

b4526d20c7bef6a041d9de9c5e87fa01fd95d24f429a0a9ff622fb8d96a53743f0e1792383c6143bfc8fc77100ec4b149f1b35906eb59231ffab504b2f2441c2
SSDEEP

3072:mEGh0oHlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGVlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}\stubpath = "C:\\Windows\\{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe"	{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EED6087-EC09-45bc-86EF-549FD09D0BA8}\stubpath = "C:\\Windows\\{3EED6087-EC09-45bc-86EF-549FD09D0BA8}.exe"	{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B13349A9-17C6-4fed-9CD0-98F23B1ED663}	{3EED6087-EC09-45bc-86EF-549FD09D0BA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53FF5FF5-A631-4b14-982F-A696B4AF55BC}	{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}	{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5484B9DA-45BE-4b7d-810A-0CADA7265702}	{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{881B74F4-5128-42f4-BDD0-F1DD37ED3711}	{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}	{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}\stubpath = "C:\\Windows\\{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe"	{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EED6087-EC09-45bc-86EF-549FD09D0BA8}	{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54392441-2644-410a-AFDA-90AA86832F75}	{504F6B3A-491A-4304-B536-5E8186AFB2BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E25F4030-FE40-4ad3-BFE0-966A86924519}	NEAS.2023-09-07_987db58802f4eb37c5c7d6a302f2fd27_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}\stubpath = "C:\\Windows\\{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe"	{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36056BB6-0787-417f-9910-B57C6098E12F}\stubpath = "C:\\Windows\\{36056BB6-0787-417f-9910-B57C6098E12F}.exe"	{54392441-2644-410a-AFDA-90AA86832F75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B13349A9-17C6-4fed-9CD0-98F23B1ED663}\stubpath = "C:\\Windows\\{B13349A9-17C6-4fed-9CD0-98F23B1ED663}.exe"	{3EED6087-EC09-45bc-86EF-549FD09D0BA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{504F6B3A-491A-4304-B536-5E8186AFB2BD}\stubpath = "C:\\Windows\\{504F6B3A-491A-4304-B536-5E8186AFB2BD}.exe"	{B13349A9-17C6-4fed-9CD0-98F23B1ED663}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54392441-2644-410a-AFDA-90AA86832F75}\stubpath = "C:\\Windows\\{54392441-2644-410a-AFDA-90AA86832F75}.exe"	{504F6B3A-491A-4304-B536-5E8186AFB2BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5484B9DA-45BE-4b7d-810A-0CADA7265702}\stubpath = "C:\\Windows\\{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe"	{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{881B74F4-5128-42f4-BDD0-F1DD37ED3711}\stubpath = "C:\\Windows\\{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe"	{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53FF5FF5-A631-4b14-982F-A696B4AF55BC}\stubpath = "C:\\Windows\\{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe"	{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{504F6B3A-491A-4304-B536-5E8186AFB2BD}	{B13349A9-17C6-4fed-9CD0-98F23B1ED663}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36056BB6-0787-417f-9910-B57C6098E12F}	{54392441-2644-410a-AFDA-90AA86832F75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E25F4030-FE40-4ad3-BFE0-966A86924519}\stubpath = "C:\\Windows\\{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe"	NEAS.2023-09-07_987db58802f4eb37c5c7d6a302f2fd27_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}	{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe

Deletes itself 1 IoCs

pid	Process
2384	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2392	{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe
2936	{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe
3060	{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe
2520	{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe
1908	{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe
2492	{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe
2860	{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe
664	{3EED6087-EC09-45bc-86EF-549FD09D0BA8}.exe
2916	{B13349A9-17C6-4fed-9CD0-98F23B1ED663}.exe
108	{504F6B3A-491A-4304-B536-5E8186AFB2BD}.exe
1004	{54392441-2644-410a-AFDA-90AA86832F75}.exe
2452	{36056BB6-0787-417f-9910-B57C6098E12F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe	NEAS.2023-09-07_987db58802f4eb37c5c7d6a302f2fd27_goldeneye_JC.exe
File created	C:\Windows\{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe	{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe
File created	C:\Windows\{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe	{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe
File created	C:\Windows\{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe	{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe
File created	C:\Windows\{504F6B3A-491A-4304-B536-5E8186AFB2BD}.exe	{B13349A9-17C6-4fed-9CD0-98F23B1ED663}.exe
File created	C:\Windows\{36056BB6-0787-417f-9910-B57C6098E12F}.exe	{54392441-2644-410a-AFDA-90AA86832F75}.exe
File created	C:\Windows\{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe	{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe
File created	C:\Windows\{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe	{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe
File created	C:\Windows\{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe	{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe
File created	C:\Windows\{3EED6087-EC09-45bc-86EF-549FD09D0BA8}.exe	{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe
File created	C:\Windows\{B13349A9-17C6-4fed-9CD0-98F23B1ED663}.exe	{3EED6087-EC09-45bc-86EF-549FD09D0BA8}.exe
File created	C:\Windows\{54392441-2644-410a-AFDA-90AA86832F75}.exe	{504F6B3A-491A-4304-B536-5E8186AFB2BD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1356	NEAS.2023-09-07_987db58802f4eb37c5c7d6a302f2fd27_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2392	{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe
Token: SeIncBasePriorityPrivilege	2936	{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe
Token: SeIncBasePriorityPrivilege	3060	{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe
Token: SeIncBasePriorityPrivilege	2520	{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe
Token: SeIncBasePriorityPrivilege	1908	{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe
Token: SeIncBasePriorityPrivilege	2492	{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe
Token: SeIncBasePriorityPrivilege	2860	{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe
Token: SeIncBasePriorityPrivilege	664	{3EED6087-EC09-45bc-86EF-549FD09D0BA8}.exe
Token: SeIncBasePriorityPrivilege	2916	{B13349A9-17C6-4fed-9CD0-98F23B1ED663}.exe
Token: SeIncBasePriorityPrivilege	108	{504F6B3A-491A-4304-B536-5E8186AFB2BD}.exe
Token: SeIncBasePriorityPrivilege	1004	{54392441-2644-410a-AFDA-90AA86832F75}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2392	1356	NEAS.2023-09-07_987db58802f4eb37c5c7d6a302f2fd27_goldeneye_JC.exe	28
PID 1356 wrote to memory of 2392	1356	NEAS.2023-09-07_987db58802f4eb37c5c7d6a302f2fd27_goldeneye_JC.exe	28
PID 1356 wrote to memory of 2392	1356	NEAS.2023-09-07_987db58802f4eb37c5c7d6a302f2fd27_goldeneye_JC.exe	28
PID 1356 wrote to memory of 2392	1356	NEAS.2023-09-07_987db58802f4eb37c5c7d6a302f2fd27_goldeneye_JC.exe	28
PID 1356 wrote to memory of 2384	1356	NEAS.2023-09-07_987db58802f4eb37c5c7d6a302f2fd27_goldeneye_JC.exe	29
PID 1356 wrote to memory of 2384	1356	NEAS.2023-09-07_987db58802f4eb37c5c7d6a302f2fd27_goldeneye_JC.exe	29
PID 1356 wrote to memory of 2384	1356	NEAS.2023-09-07_987db58802f4eb37c5c7d6a302f2fd27_goldeneye_JC.exe	29
PID 1356 wrote to memory of 2384	1356	NEAS.2023-09-07_987db58802f4eb37c5c7d6a302f2fd27_goldeneye_JC.exe	29
PID 2392 wrote to memory of 2936	2392	{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe	32
PID 2392 wrote to memory of 2936	2392	{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe	32
PID 2392 wrote to memory of 2936	2392	{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe	32
PID 2392 wrote to memory of 2936	2392	{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe	32
PID 2392 wrote to memory of 2708	2392	{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe	33
PID 2392 wrote to memory of 2708	2392	{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe	33
PID 2392 wrote to memory of 2708	2392	{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe	33
PID 2392 wrote to memory of 2708	2392	{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe	33
PID 2936 wrote to memory of 3060	2936	{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe	34
PID 2936 wrote to memory of 3060	2936	{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe	34
PID 2936 wrote to memory of 3060	2936	{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe	34
PID 2936 wrote to memory of 3060	2936	{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe	34
PID 2936 wrote to memory of 2564	2936	{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe	35
PID 2936 wrote to memory of 2564	2936	{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe	35
PID 2936 wrote to memory of 2564	2936	{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe	35
PID 2936 wrote to memory of 2564	2936	{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe	35
PID 3060 wrote to memory of 2520	3060	{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe	36
PID 3060 wrote to memory of 2520	3060	{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe	36
PID 3060 wrote to memory of 2520	3060	{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe	36
PID 3060 wrote to memory of 2520	3060	{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe	36
PID 3060 wrote to memory of 2560	3060	{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe	37
PID 3060 wrote to memory of 2560	3060	{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe	37
PID 3060 wrote to memory of 2560	3060	{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe	37
PID 3060 wrote to memory of 2560	3060	{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe	37
PID 2520 wrote to memory of 1908	2520	{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe	38
PID 2520 wrote to memory of 1908	2520	{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe	38
PID 2520 wrote to memory of 1908	2520	{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe	38
PID 2520 wrote to memory of 1908	2520	{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe	38
PID 2520 wrote to memory of 2212	2520	{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe	39
PID 2520 wrote to memory of 2212	2520	{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe	39
PID 2520 wrote to memory of 2212	2520	{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe	39
PID 2520 wrote to memory of 2212	2520	{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe	39
PID 1908 wrote to memory of 2492	1908	{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe	40
PID 1908 wrote to memory of 2492	1908	{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe	40
PID 1908 wrote to memory of 2492	1908	{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe	40
PID 1908 wrote to memory of 2492	1908	{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe	40
PID 1908 wrote to memory of 2028	1908	{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe	41
PID 1908 wrote to memory of 2028	1908	{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe	41
PID 1908 wrote to memory of 2028	1908	{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe	41
PID 1908 wrote to memory of 2028	1908	{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe	41
PID 2492 wrote to memory of 2860	2492	{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe	42
PID 2492 wrote to memory of 2860	2492	{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe	42
PID 2492 wrote to memory of 2860	2492	{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe	42
PID 2492 wrote to memory of 2860	2492	{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe	42
PID 2492 wrote to memory of 2816	2492	{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe	43
PID 2492 wrote to memory of 2816	2492	{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe	43
PID 2492 wrote to memory of 2816	2492	{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe	43
PID 2492 wrote to memory of 2816	2492	{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe	43
PID 2860 wrote to memory of 664	2860	{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe	44
PID 2860 wrote to memory of 664	2860	{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe	44
PID 2860 wrote to memory of 664	2860	{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe	44
PID 2860 wrote to memory of 664	2860	{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe	44
PID 2860 wrote to memory of 732	2860	{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe	45
PID 2860 wrote to memory of 732	2860	{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe	45
PID 2860 wrote to memory of 732	2860	{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe	45
PID 2860 wrote to memory of 732	2860	{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_987db58802f4eb37c5c7d6a302f2fd27_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_987db58802f4eb37c5c7d6a302f2fd27_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe
  C:\Windows\{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe
    C:\Windows\{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe
      C:\Windows\{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe
        
        C:\Windows\{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe
        
        C:\Windows\{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe
        
        C:\Windows\{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe
        
        C:\Windows\{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{3EED6087-EC09-45bc-86EF-549FD09D0BA8}.exe
        
        C:\Windows\{3EED6087-EC09-45bc-86EF-549FD09D0BA8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\{B13349A9-17C6-4fed-9CD0-98F23B1ED663}.exe
        
        C:\Windows\{B13349A9-17C6-4fed-9CD0-98F23B1ED663}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\{504F6B3A-491A-4304-B536-5E8186AFB2BD}.exe
        
        C:\Windows\{504F6B3A-491A-4304-B536-5E8186AFB2BD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
        
        C:\Windows\{54392441-2644-410a-AFDA-90AA86832F75}.exe
        
        C:\Windows\{54392441-2644-410a-AFDA-90AA86832F75}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\{36056BB6-0787-417f-9910-B57C6098E12F}.exe
        
        C:\Windows\{36056BB6-0787-417f-9910-B57C6098E12F}.exe
        13⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54392~1.EXE > nul
        13⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{504F6~1.EXE > nul
        12⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1334~1.EXE > nul
        11⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EED6~1.EXE > nul
        10⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E0DC~1.EXE > nul
        9⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{881B7~1.EXE > nul
        8⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5484B~1.EXE > nul
        7⤵
        
        PID:2028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFF65~1.EXE > nul
        6⤵
        
        PID:2212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53FF5~1.EXE > nul
        5⤵
        
        PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8D513~1.EXE > nul
      4⤵
      PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E25F4~1.EXE > nul
    3⤵
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{36056BB6-0787-417f-9910-B57C6098E12F}.exe

Filesize
344KB

MD5
5ba74ee3d873c394f17b5b4dbe71e8d8

SHA1
1dff6e76d08a02235c9f823b25580e454702a129

SHA256
8a6b1c371b7aaba3c60a55a15090c37f9ab05da983ea684de4bef5116ee3b439

SHA512
9e93fac950d3b4a1ecefb29065a667d7480b5d6fa26365b1f142b259fd6cbd1dae2a43ab28b79157c67008b109874c4b9186205688add15c4dd4a54635ca10c5

Download Submit
C:\Windows\{3EED6087-EC09-45bc-86EF-549FD09D0BA8}.exe

Filesize
344KB

MD5
f4099b2ee32ce3f73e4ee536d6c48d7e

SHA1
721ed63023bc97c17df01c312e020137bbce675e

SHA256
2a3bd96caed6d4dca81f4cb344d2082839f9b6dd4da5ba258e632d4efe83c8bc

SHA512
75d1ad9f0306d19cb03023dea8fa704c6232b86d2611a18c1479c95aa3d401f9fe1a7264a6eb3eee1700893c05e0bb137baf1099d75ce073014110754321d2ed

Download Submit
C:\Windows\{3EED6087-EC09-45bc-86EF-549FD09D0BA8}.exe

Filesize
344KB

MD5
f4099b2ee32ce3f73e4ee536d6c48d7e

SHA1
721ed63023bc97c17df01c312e020137bbce675e

SHA256
2a3bd96caed6d4dca81f4cb344d2082839f9b6dd4da5ba258e632d4efe83c8bc

SHA512
75d1ad9f0306d19cb03023dea8fa704c6232b86d2611a18c1479c95aa3d401f9fe1a7264a6eb3eee1700893c05e0bb137baf1099d75ce073014110754321d2ed

Download Submit
C:\Windows\{504F6B3A-491A-4304-B536-5E8186AFB2BD}.exe

Filesize
344KB

MD5
385cf360b9b8ccb45bad27daaeeeb35b

SHA1
53f84a079e24cb94769f6420393131b7fb865ca9

SHA256
2295d624f4d76f215e0109f5c47fb2f01843721bfd8a4b4362bdff9f12cb73dc

SHA512
e274d0a05c604195345c2255da99b4ec08f7290f8d498c50ecdc34346298ea5295b15d81e44d133c5bb8f836be84fb023da15c134a7f8d4273d300ec239468d1

Download Submit
C:\Windows\{504F6B3A-491A-4304-B536-5E8186AFB2BD}.exe

Filesize
344KB

MD5
385cf360b9b8ccb45bad27daaeeeb35b

SHA1
53f84a079e24cb94769f6420393131b7fb865ca9

SHA256
2295d624f4d76f215e0109f5c47fb2f01843721bfd8a4b4362bdff9f12cb73dc

SHA512
e274d0a05c604195345c2255da99b4ec08f7290f8d498c50ecdc34346298ea5295b15d81e44d133c5bb8f836be84fb023da15c134a7f8d4273d300ec239468d1

Download Submit
C:\Windows\{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe

Filesize
344KB

MD5
cac72869f4dff16e76c8620c3279d35a

SHA1
2ad8f3c830126d6c1fdd8e62416b0d1f7ad92399

SHA256
c5655f1e3a0784fb3cb9caf35e8528dd24241a017633c8244cc1240a97f62907

SHA512
2ce78eafdc02684b8725a02d9b30e424cba0ee186b86b296f0f170da3837e5e62187d1868ec27dd4fd3dc252186b1a5e528adf3a0176614a8f71864f673d3106

Download Submit
C:\Windows\{53FF5FF5-A631-4b14-982F-A696B4AF55BC}.exe

Filesize
344KB

MD5
cac72869f4dff16e76c8620c3279d35a

SHA1
2ad8f3c830126d6c1fdd8e62416b0d1f7ad92399

SHA256
c5655f1e3a0784fb3cb9caf35e8528dd24241a017633c8244cc1240a97f62907

SHA512
2ce78eafdc02684b8725a02d9b30e424cba0ee186b86b296f0f170da3837e5e62187d1868ec27dd4fd3dc252186b1a5e528adf3a0176614a8f71864f673d3106

Download Submit
C:\Windows\{54392441-2644-410a-AFDA-90AA86832F75}.exe

Filesize
344KB

MD5
308247906b048a25881abad35b01ca64

SHA1
206fd04ec36a182b1768b237e00790b93708e87f

SHA256
394b067a4204eb63e93e554648a46e95a55016ab87f58df152f69e64e51ed24c

SHA512
d618759b143b8b8df906d927a0bc479ac7639690155accf7e796a74fa1d0f01ccbc7d06eb9189d4eaa833eeb188a8d14917b954e42a5cd23d55d58ca00259349

Download Submit
C:\Windows\{54392441-2644-410a-AFDA-90AA86832F75}.exe

Filesize
344KB

MD5
308247906b048a25881abad35b01ca64

SHA1
206fd04ec36a182b1768b237e00790b93708e87f

SHA256
394b067a4204eb63e93e554648a46e95a55016ab87f58df152f69e64e51ed24c

SHA512
d618759b143b8b8df906d927a0bc479ac7639690155accf7e796a74fa1d0f01ccbc7d06eb9189d4eaa833eeb188a8d14917b954e42a5cd23d55d58ca00259349

Download Submit
C:\Windows\{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe

Filesize
344KB

MD5
289eda6bbe8bc5a536408cb2d7f919c8

SHA1
fec83fea2437ccdd63e3ae7811653485c689698a

SHA256
31d381888374dd4b3e626ec23213392dd935d98cf965187575008a9f0fa794f6

SHA512
3a7450fbf654488257a91c7a5dad3f835eeccf2e6831412fe538ed8da543a0d894d70bbc6d09d0bf671063d9196550fd08a1e43f79cec429483130cd57a66423

Download Submit
C:\Windows\{5484B9DA-45BE-4b7d-810A-0CADA7265702}.exe

Filesize
344KB

MD5
289eda6bbe8bc5a536408cb2d7f919c8

SHA1
fec83fea2437ccdd63e3ae7811653485c689698a

SHA256
31d381888374dd4b3e626ec23213392dd935d98cf965187575008a9f0fa794f6

SHA512
3a7450fbf654488257a91c7a5dad3f835eeccf2e6831412fe538ed8da543a0d894d70bbc6d09d0bf671063d9196550fd08a1e43f79cec429483130cd57a66423

Download Submit
C:\Windows\{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe

Filesize
344KB

MD5
21eb4607252157b231a9cf6137146db7

SHA1
c787070df62c164f29cd0d892ae4bbe89e182531

SHA256
405b679224d8990f70b10cdc49d479f67c402f18c660bf81527edecc60b1d086

SHA512
2225d95ae2ec4a931b51f31b4933fd17aff95e1f2415a38dfa2f1443a54059eb4a8b797fb0abd25e9598e7de33be874e97827158edc2bc168a7d92728c355b01

Download Submit
C:\Windows\{881B74F4-5128-42f4-BDD0-F1DD37ED3711}.exe

Filesize
344KB

MD5
21eb4607252157b231a9cf6137146db7

SHA1
c787070df62c164f29cd0d892ae4bbe89e182531

SHA256
405b679224d8990f70b10cdc49d479f67c402f18c660bf81527edecc60b1d086

SHA512
2225d95ae2ec4a931b51f31b4933fd17aff95e1f2415a38dfa2f1443a54059eb4a8b797fb0abd25e9598e7de33be874e97827158edc2bc168a7d92728c355b01

Download Submit
C:\Windows\{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe

Filesize
344KB

MD5
af84b1e0169acb40ccf6d0529d5c0af7

SHA1
321b6f21603f1b5b35221a23811f262683aaafa0

SHA256
58a9eff2e9f73bb8a48af9827fc70e6ac7c323c276d5fa92c2bdfa9f70aca2f1

SHA512
d6a15ada7ac41197b7ba2cd35f6051782ad62fb58bd573353afa900be0c3374a63c058e9e9c06d4e81516aa751c879c52a490da4276e04f52f856c7ea542e11c

Download Submit
C:\Windows\{8D513329-D9EC-4836-89B9-4ADA8FEAFECA}.exe

Filesize
344KB

MD5
af84b1e0169acb40ccf6d0529d5c0af7

SHA1
321b6f21603f1b5b35221a23811f262683aaafa0

SHA256
58a9eff2e9f73bb8a48af9827fc70e6ac7c323c276d5fa92c2bdfa9f70aca2f1

SHA512
d6a15ada7ac41197b7ba2cd35f6051782ad62fb58bd573353afa900be0c3374a63c058e9e9c06d4e81516aa751c879c52a490da4276e04f52f856c7ea542e11c

Download Submit
C:\Windows\{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe

Filesize
344KB

MD5
23dbf8e577f0fd44786e1d30bc7f2994

SHA1
2d54c9cc9cee97eaf0e311afccb6da34cb25c57b

SHA256
eb0a21e0e0190b8c5ccfdce33daf362fc59c0f8e7c107d0c6b4ad0932ba03cfb

SHA512
f04a2ef649fe8dc466d281d0197c443ceaeb7c0c2f27fb356c6ff40d55fcb46696a8f077efd9e05ecc04abe23ed4ed7dc48f848e8bcc55408c5655380976b13d

Download Submit
C:\Windows\{9E0DCC50-8816-4f85-A2B6-FAC0CDA86C76}.exe

Filesize
344KB

MD5
23dbf8e577f0fd44786e1d30bc7f2994

SHA1
2d54c9cc9cee97eaf0e311afccb6da34cb25c57b

SHA256
eb0a21e0e0190b8c5ccfdce33daf362fc59c0f8e7c107d0c6b4ad0932ba03cfb

SHA512
f04a2ef649fe8dc466d281d0197c443ceaeb7c0c2f27fb356c6ff40d55fcb46696a8f077efd9e05ecc04abe23ed4ed7dc48f848e8bcc55408c5655380976b13d

Download Submit
C:\Windows\{B13349A9-17C6-4fed-9CD0-98F23B1ED663}.exe

Filesize
344KB

MD5
85950011bbf98697d106aa05fc00ca9f

SHA1
c36e676900833bfb801cf6875acd0c7d9d81886a

SHA256
e4aa67c1f40ec056f6a19c97e216460eeaacb19e21ea78126a338c2b3e576168

SHA512
071cd3a0bacd51b1e2bf850ef8153e423e000211a959d0950b50973db5504bc5f1933e93a99ea31780bdc8e409cff11c3eeaac3d68aec331332c54b3e677af32

Download Submit
C:\Windows\{B13349A9-17C6-4fed-9CD0-98F23B1ED663}.exe

Filesize
344KB

MD5
85950011bbf98697d106aa05fc00ca9f

SHA1
c36e676900833bfb801cf6875acd0c7d9d81886a

SHA256
e4aa67c1f40ec056f6a19c97e216460eeaacb19e21ea78126a338c2b3e576168

SHA512
071cd3a0bacd51b1e2bf850ef8153e423e000211a959d0950b50973db5504bc5f1933e93a99ea31780bdc8e409cff11c3eeaac3d68aec331332c54b3e677af32

Download Submit
C:\Windows\{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe

Filesize
344KB

MD5
c450fd8b646ec1795b1b1476c299b4f5

SHA1
7c242e5316bd36fba2dca4fbdd98f118d9fd774f

SHA256
9babcec0c540ce998ea0901cec13270d561f35d8e0dc1693a1af3e1d2d4c519e

SHA512
79ceb509733cfe1dbce1c7e89cb92e5d8831841fabe882068d62a5dea6e2f8059af5ccfff03b0018dc1bdd5ca35a2ec511a7b806c5cf3b59e33de27df93a1dd5

Download Submit
C:\Windows\{CFF65809-843A-4b86-9555-E9DC3E4D0AB9}.exe

Filesize
344KB

MD5
c450fd8b646ec1795b1b1476c299b4f5

SHA1
7c242e5316bd36fba2dca4fbdd98f118d9fd774f

SHA256
9babcec0c540ce998ea0901cec13270d561f35d8e0dc1693a1af3e1d2d4c519e

SHA512
79ceb509733cfe1dbce1c7e89cb92e5d8831841fabe882068d62a5dea6e2f8059af5ccfff03b0018dc1bdd5ca35a2ec511a7b806c5cf3b59e33de27df93a1dd5

Download Submit
C:\Windows\{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe

Filesize
344KB

MD5
a10970e82248ab7a0e3093513638ed5f

SHA1
f3c35598b76e50e78881cdf76e0bc94242a39c89

SHA256
759c652b33eb97c87d9c0008d6d0e34edf67c2139f5c0ffdaec72be5f4bbd0e0

SHA512
fa109406e82b2adb01862c390de48d5b6eca224f13003e21555f65ad9e5eb21610909230b2e719ab93d9c26e1a52d89248340a3e82edd82c6856969dba4d1ed9

Download Submit
C:\Windows\{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe

Filesize
344KB

MD5
a10970e82248ab7a0e3093513638ed5f

SHA1
f3c35598b76e50e78881cdf76e0bc94242a39c89

SHA256
759c652b33eb97c87d9c0008d6d0e34edf67c2139f5c0ffdaec72be5f4bbd0e0

SHA512
fa109406e82b2adb01862c390de48d5b6eca224f13003e21555f65ad9e5eb21610909230b2e719ab93d9c26e1a52d89248340a3e82edd82c6856969dba4d1ed9

Download Submit
C:\Windows\{E25F4030-FE40-4ad3-BFE0-966A86924519}.exe

Filesize
344KB

MD5
a10970e82248ab7a0e3093513638ed5f

SHA1
f3c35598b76e50e78881cdf76e0bc94242a39c89

SHA256
759c652b33eb97c87d9c0008d6d0e34edf67c2139f5c0ffdaec72be5f4bbd0e0

SHA512
fa109406e82b2adb01862c390de48d5b6eca224f13003e21555f65ad9e5eb21610909230b2e719ab93d9c26e1a52d89248340a3e82edd82c6856969dba4d1ed9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads