bd5d5ca8a36a44d45661e93516de9a36b2f4d5e44be4896039272ad60fdc96e6

Analysis

max time kernel
151s
max time network
127s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-04_36c0c4d8061a8637cb14fb299617cac8_goldeneye_JC.exe
Size

204KB
MD5

36c0c4d8061a8637cb14fb299617cac8
SHA1

de730ba958309f519e6058e82fa3d1a60dc04ec6
SHA256

bd5d5ca8a36a44d45661e93516de9a36b2f4d5e44be4896039272ad60fdc96e6
SHA512

97fe9bbb4a8dba5e2e47830e52ab60626e69dc1f320312d1c4ee5167c1f4935446bd06fbfc815f201f43e4c017eb2eb3ca1b0973f51bd5b9d0d8a521e5437004
SSDEEP

1536:1EGh0oBl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oBl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7D1F581-4AA3-4361-80C4-0D184E9032A2}	{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DB07949-EACF-4180-A1DE-408119198CE5}\stubpath = "C:\\Windows\\{4DB07949-EACF-4180-A1DE-408119198CE5}.exe"	{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AA7FF82-09E7-4b47-B01B-D56A670D2E30}\stubpath = "C:\\Windows\\{7AA7FF82-09E7-4b47-B01B-D56A670D2E30}.exe"	{4DB07949-EACF-4180-A1DE-408119198CE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD5B7B43-5E7F-420d-ADD2-1F19C354D2CB}	{89ECEB9C-2F09-4718-9450-96A7FD55E572}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAA0A556-84B6-46af-861B-6408518520E4}\stubpath = "C:\\Windows\\{AAA0A556-84B6-46af-861B-6408518520E4}.exe"	{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8A96AE3-7204-4bff-9EE0-69071B5042E1}\stubpath = "C:\\Windows\\{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe"	{AAA0A556-84B6-46af-861B-6408518520E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B86741DA-523F-49f6-A2F6-0775A557CE83}	{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89ECEB9C-2F09-4718-9450-96A7FD55E572}	{7AA7FF82-09E7-4b47-B01B-D56A670D2E30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9494DE2-4263-4f62-B78D-E70D5D7301E7}	{BD5B7B43-5E7F-420d-ADD2-1F19C354D2CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC40B019-2D41-427d-8BB7-6831EED5DBCA}	{037712BB-708E-4bd0-AF19-CD5057757689}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{932E1B2E-88D5-463e-9874-C776CC087E7C}	{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7D1F581-4AA3-4361-80C4-0D184E9032A2}\stubpath = "C:\\Windows\\{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe"	{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B86741DA-523F-49f6-A2F6-0775A557CE83}\stubpath = "C:\\Windows\\{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe"	{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AA7FF82-09E7-4b47-B01B-D56A670D2E30}	{4DB07949-EACF-4180-A1DE-408119198CE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9494DE2-4263-4f62-B78D-E70D5D7301E7}\stubpath = "C:\\Windows\\{A9494DE2-4263-4f62-B78D-E70D5D7301E7}.exe"	{BD5B7B43-5E7F-420d-ADD2-1F19C354D2CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{037712BB-708E-4bd0-AF19-CD5057757689}\stubpath = "C:\\Windows\\{037712BB-708E-4bd0-AF19-CD5057757689}.exe"	NEAS.2023-09-04_36c0c4d8061a8637cb14fb299617cac8_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC40B019-2D41-427d-8BB7-6831EED5DBCA}\stubpath = "C:\\Windows\\{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe"	{037712BB-708E-4bd0-AF19-CD5057757689}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAA0A556-84B6-46af-861B-6408518520E4}	{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DB07949-EACF-4180-A1DE-408119198CE5}	{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89ECEB9C-2F09-4718-9450-96A7FD55E572}\stubpath = "C:\\Windows\\{89ECEB9C-2F09-4718-9450-96A7FD55E572}.exe"	{7AA7FF82-09E7-4b47-B01B-D56A670D2E30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD5B7B43-5E7F-420d-ADD2-1F19C354D2CB}\stubpath = "C:\\Windows\\{BD5B7B43-5E7F-420d-ADD2-1F19C354D2CB}.exe"	{89ECEB9C-2F09-4718-9450-96A7FD55E572}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{037712BB-708E-4bd0-AF19-CD5057757689}	NEAS.2023-09-04_36c0c4d8061a8637cb14fb299617cac8_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{932E1B2E-88D5-463e-9874-C776CC087E7C}\stubpath = "C:\\Windows\\{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe"	{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8A96AE3-7204-4bff-9EE0-69071B5042E1}	{AAA0A556-84B6-46af-861B-6408518520E4}.exe

Deletes itself 1 IoCs

pid	Process
2136	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2888	{037712BB-708E-4bd0-AF19-CD5057757689}.exe
2688	{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe
2716	{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe
2672	{AAA0A556-84B6-46af-861B-6408518520E4}.exe
2616	{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe
1624	{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe
536	{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe
2900	{4DB07949-EACF-4180-A1DE-408119198CE5}.exe
1044	{7AA7FF82-09E7-4b47-B01B-D56A670D2E30}.exe
2516	{89ECEB9C-2F09-4718-9450-96A7FD55E572}.exe
1656	{BD5B7B43-5E7F-420d-ADD2-1F19C354D2CB}.exe
2184	{A9494DE2-4263-4f62-B78D-E70D5D7301E7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe	{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe
File created	C:\Windows\{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe	{037712BB-708E-4bd0-AF19-CD5057757689}.exe
File created	C:\Windows\{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe	{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe
File created	C:\Windows\{AAA0A556-84B6-46af-861B-6408518520E4}.exe	{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe
File created	C:\Windows\{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe	{AAA0A556-84B6-46af-861B-6408518520E4}.exe
File created	C:\Windows\{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe	{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe
File created	C:\Windows\{4DB07949-EACF-4180-A1DE-408119198CE5}.exe	{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe
File created	C:\Windows\{7AA7FF82-09E7-4b47-B01B-D56A670D2E30}.exe	{4DB07949-EACF-4180-A1DE-408119198CE5}.exe
File created	C:\Windows\{037712BB-708E-4bd0-AF19-CD5057757689}.exe	NEAS.2023-09-04_36c0c4d8061a8637cb14fb299617cac8_goldeneye_JC.exe
File created	C:\Windows\{BD5B7B43-5E7F-420d-ADD2-1F19C354D2CB}.exe	{89ECEB9C-2F09-4718-9450-96A7FD55E572}.exe
File created	C:\Windows\{A9494DE2-4263-4f62-B78D-E70D5D7301E7}.exe	{BD5B7B43-5E7F-420d-ADD2-1F19C354D2CB}.exe
File created	C:\Windows\{89ECEB9C-2F09-4718-9450-96A7FD55E572}.exe	{7AA7FF82-09E7-4b47-B01B-D56A670D2E30}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2648	NEAS.2023-09-04_36c0c4d8061a8637cb14fb299617cac8_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2888	{037712BB-708E-4bd0-AF19-CD5057757689}.exe
Token: SeIncBasePriorityPrivilege	2688	{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe
Token: SeIncBasePriorityPrivilege	2716	{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe
Token: SeIncBasePriorityPrivilege	2672	{AAA0A556-84B6-46af-861B-6408518520E4}.exe
Token: SeIncBasePriorityPrivilege	2616	{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe
Token: SeIncBasePriorityPrivilege	1624	{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe
Token: SeIncBasePriorityPrivilege	536	{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe
Token: SeIncBasePriorityPrivilege	2900	{4DB07949-EACF-4180-A1DE-408119198CE5}.exe
Token: SeIncBasePriorityPrivilege	1044	{7AA7FF82-09E7-4b47-B01B-D56A670D2E30}.exe
Token: SeIncBasePriorityPrivilege	2516	{89ECEB9C-2F09-4718-9450-96A7FD55E572}.exe
Token: SeIncBasePriorityPrivilege	1656	{BD5B7B43-5E7F-420d-ADD2-1F19C354D2CB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2888	2648	NEAS.2023-09-04_36c0c4d8061a8637cb14fb299617cac8_goldeneye_JC.exe	28
PID 2648 wrote to memory of 2888	2648	NEAS.2023-09-04_36c0c4d8061a8637cb14fb299617cac8_goldeneye_JC.exe	28
PID 2648 wrote to memory of 2888	2648	NEAS.2023-09-04_36c0c4d8061a8637cb14fb299617cac8_goldeneye_JC.exe	28
PID 2648 wrote to memory of 2888	2648	NEAS.2023-09-04_36c0c4d8061a8637cb14fb299617cac8_goldeneye_JC.exe	28
PID 2648 wrote to memory of 2136	2648	NEAS.2023-09-04_36c0c4d8061a8637cb14fb299617cac8_goldeneye_JC.exe	29
PID 2648 wrote to memory of 2136	2648	NEAS.2023-09-04_36c0c4d8061a8637cb14fb299617cac8_goldeneye_JC.exe	29
PID 2648 wrote to memory of 2136	2648	NEAS.2023-09-04_36c0c4d8061a8637cb14fb299617cac8_goldeneye_JC.exe	29
PID 2648 wrote to memory of 2136	2648	NEAS.2023-09-04_36c0c4d8061a8637cb14fb299617cac8_goldeneye_JC.exe	29
PID 2888 wrote to memory of 2688	2888	{037712BB-708E-4bd0-AF19-CD5057757689}.exe	30
PID 2888 wrote to memory of 2688	2888	{037712BB-708E-4bd0-AF19-CD5057757689}.exe	30
PID 2888 wrote to memory of 2688	2888	{037712BB-708E-4bd0-AF19-CD5057757689}.exe	30
PID 2888 wrote to memory of 2688	2888	{037712BB-708E-4bd0-AF19-CD5057757689}.exe	30
PID 2888 wrote to memory of 2836	2888	{037712BB-708E-4bd0-AF19-CD5057757689}.exe	31
PID 2888 wrote to memory of 2836	2888	{037712BB-708E-4bd0-AF19-CD5057757689}.exe	31
PID 2888 wrote to memory of 2836	2888	{037712BB-708E-4bd0-AF19-CD5057757689}.exe	31
PID 2888 wrote to memory of 2836	2888	{037712BB-708E-4bd0-AF19-CD5057757689}.exe	31
PID 2688 wrote to memory of 2716	2688	{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe	32
PID 2688 wrote to memory of 2716	2688	{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe	32
PID 2688 wrote to memory of 2716	2688	{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe	32
PID 2688 wrote to memory of 2716	2688	{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe	32
PID 2688 wrote to memory of 2832	2688	{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe	33
PID 2688 wrote to memory of 2832	2688	{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe	33
PID 2688 wrote to memory of 2832	2688	{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe	33
PID 2688 wrote to memory of 2832	2688	{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe	33
PID 2716 wrote to memory of 2672	2716	{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe	36
PID 2716 wrote to memory of 2672	2716	{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe	36
PID 2716 wrote to memory of 2672	2716	{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe	36
PID 2716 wrote to memory of 2672	2716	{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe	36
PID 2716 wrote to memory of 2564	2716	{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe	37
PID 2716 wrote to memory of 2564	2716	{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe	37
PID 2716 wrote to memory of 2564	2716	{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe	37
PID 2716 wrote to memory of 2564	2716	{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe	37
PID 2672 wrote to memory of 2616	2672	{AAA0A556-84B6-46af-861B-6408518520E4}.exe	38
PID 2672 wrote to memory of 2616	2672	{AAA0A556-84B6-46af-861B-6408518520E4}.exe	38
PID 2672 wrote to memory of 2616	2672	{AAA0A556-84B6-46af-861B-6408518520E4}.exe	38
PID 2672 wrote to memory of 2616	2672	{AAA0A556-84B6-46af-861B-6408518520E4}.exe	38
PID 2672 wrote to memory of 1740	2672	{AAA0A556-84B6-46af-861B-6408518520E4}.exe	39
PID 2672 wrote to memory of 1740	2672	{AAA0A556-84B6-46af-861B-6408518520E4}.exe	39
PID 2672 wrote to memory of 1740	2672	{AAA0A556-84B6-46af-861B-6408518520E4}.exe	39
PID 2672 wrote to memory of 1740	2672	{AAA0A556-84B6-46af-861B-6408518520E4}.exe	39
PID 2616 wrote to memory of 1624	2616	{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe	41
PID 2616 wrote to memory of 1624	2616	{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe	41
PID 2616 wrote to memory of 1624	2616	{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe	41
PID 2616 wrote to memory of 1624	2616	{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe	41
PID 2616 wrote to memory of 2020	2616	{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe	40
PID 2616 wrote to memory of 2020	2616	{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe	40
PID 2616 wrote to memory of 2020	2616	{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe	40
PID 2616 wrote to memory of 2020	2616	{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe	40
PID 1624 wrote to memory of 536	1624	{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe	42
PID 1624 wrote to memory of 536	1624	{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe	42
PID 1624 wrote to memory of 536	1624	{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe	42
PID 1624 wrote to memory of 536	1624	{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe	42
PID 1624 wrote to memory of 2756	1624	{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe	43
PID 1624 wrote to memory of 2756	1624	{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe	43
PID 1624 wrote to memory of 2756	1624	{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe	43
PID 1624 wrote to memory of 2756	1624	{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe	43
PID 536 wrote to memory of 2900	536	{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe	44
PID 536 wrote to memory of 2900	536	{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe	44
PID 536 wrote to memory of 2900	536	{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe	44
PID 536 wrote to memory of 2900	536	{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe	44
PID 536 wrote to memory of 2904	536	{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe	45
PID 536 wrote to memory of 2904	536	{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe	45
PID 536 wrote to memory of 2904	536	{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe	45
PID 536 wrote to memory of 2904	536	{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-04_36c0c4d8061a8637cb14fb299617cac8_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-04_36c0c4d8061a8637cb14fb299617cac8_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\{037712BB-708E-4bd0-AF19-CD5057757689}.exe
  C:\Windows\{037712BB-708E-4bd0-AF19-CD5057757689}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe
    C:\Windows\{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe
      C:\Windows\{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\{AAA0A556-84B6-46af-861B-6408518520E4}.exe
        
        C:\Windows\{AAA0A556-84B6-46af-861B-6408518520E4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe
        
        C:\Windows\{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8A96~1.EXE > nul
        7⤵
        
        PID:2020
        
        C:\Windows\{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe
        
        C:\Windows\{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe
        
        C:\Windows\{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\{4DB07949-EACF-4180-A1DE-408119198CE5}.exe
        
        C:\Windows\{4DB07949-EACF-4180-A1DE-408119198CE5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\{7AA7FF82-09E7-4b47-B01B-D56A670D2E30}.exe
        
        C:\Windows\{7AA7FF82-09E7-4b47-B01B-D56A670D2E30}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\{89ECEB9C-2F09-4718-9450-96A7FD55E572}.exe
        
        C:\Windows\{89ECEB9C-2F09-4718-9450-96A7FD55E572}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\{BD5B7B43-5E7F-420d-ADD2-1F19C354D2CB}.exe
        
        C:\Windows\{BD5B7B43-5E7F-420d-ADD2-1F19C354D2CB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\{A9494DE2-4263-4f62-B78D-E70D5D7301E7}.exe
        
        C:\Windows\{A9494DE2-4263-4f62-B78D-E70D5D7301E7}.exe
        13⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD5B7~1.EXE > nul
        13⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89ECE~1.EXE > nul
        12⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AA7F~1.EXE > nul
        11⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DB07~1.EXE > nul
        10⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7D1F~1.EXE > nul
        9⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8674~1.EXE > nul
        8⤵
        
        PID:2756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAA0A~1.EXE > nul
        6⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{932E1~1.EXE > nul
        5⤵
        
        PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DC40B~1.EXE > nul
      4⤵
      PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{03771~1.EXE > nul
    3⤵
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{037712BB-708E-4bd0-AF19-CD5057757689}.exe

Filesize
204KB

MD5
7e7e30d8c122153ce3f9259955c20b38

SHA1
c4a51af2bd6976cd25b19392b282cc977ccdd820

SHA256
ce6f1cab3362c97ea627ee026e76da60d11d6668e8cb712dfdd3708f9f0930d4

SHA512
eb9fb5add496544d9b2fc70a2c4751476dee522a9319f794f15aa5a4382e97f0eb7419502cfccf6b8c69a9557239241f7574d0d30a18918c6e5b8f559566eb01

Download Submit
C:\Windows\{037712BB-708E-4bd0-AF19-CD5057757689}.exe

Filesize
204KB

MD5
7e7e30d8c122153ce3f9259955c20b38

SHA1
c4a51af2bd6976cd25b19392b282cc977ccdd820

SHA256
ce6f1cab3362c97ea627ee026e76da60d11d6668e8cb712dfdd3708f9f0930d4

SHA512
eb9fb5add496544d9b2fc70a2c4751476dee522a9319f794f15aa5a4382e97f0eb7419502cfccf6b8c69a9557239241f7574d0d30a18918c6e5b8f559566eb01

Download Submit
C:\Windows\{037712BB-708E-4bd0-AF19-CD5057757689}.exe

Filesize
204KB

MD5
7e7e30d8c122153ce3f9259955c20b38

SHA1
c4a51af2bd6976cd25b19392b282cc977ccdd820

SHA256
ce6f1cab3362c97ea627ee026e76da60d11d6668e8cb712dfdd3708f9f0930d4

SHA512
eb9fb5add496544d9b2fc70a2c4751476dee522a9319f794f15aa5a4382e97f0eb7419502cfccf6b8c69a9557239241f7574d0d30a18918c6e5b8f559566eb01

Download Submit
C:\Windows\{4DB07949-EACF-4180-A1DE-408119198CE5}.exe

Filesize
204KB

MD5
8f322620cb458c03f2596aae95f06d93

SHA1
d2aaecf95065ac735f03269dc357d736933429e0

SHA256
4f6e4dc33f51e9712b38e4ec83ca06b771a20effb3f7caf42b4fb41146a1e915

SHA512
7036c2b4fe38ab0eeb44d64582d8844a3c114ed36c53e075d014832272b51b93cc6cd8e561735488825ea62f00af4f9d1bfa4cdd5056c6400790ddb3b4b4058b

Download Submit
C:\Windows\{4DB07949-EACF-4180-A1DE-408119198CE5}.exe

Filesize
204KB

MD5
8f322620cb458c03f2596aae95f06d93

SHA1
d2aaecf95065ac735f03269dc357d736933429e0

SHA256
4f6e4dc33f51e9712b38e4ec83ca06b771a20effb3f7caf42b4fb41146a1e915

SHA512
7036c2b4fe38ab0eeb44d64582d8844a3c114ed36c53e075d014832272b51b93cc6cd8e561735488825ea62f00af4f9d1bfa4cdd5056c6400790ddb3b4b4058b

Download Submit
C:\Windows\{7AA7FF82-09E7-4b47-B01B-D56A670D2E30}.exe

Filesize
204KB

MD5
50d33c1d841898bbb6ef27d6267f8866

SHA1
7b58eb5b6821dbdd84da49828bac8bbd46609103

SHA256
7b3153e9507e16dcac6e71f7df43602763505c4777983898e618382ba7b4b84b

SHA512
505b83fc2809e9220909270554acbd0e83442754725130c4c9d5601a68f94f1186d910dce01415a5b2532e9cf28565a35036f00e3d4dfdcdd12e088ae235fdd0

Download Submit
C:\Windows\{7AA7FF82-09E7-4b47-B01B-D56A670D2E30}.exe

Filesize
204KB

MD5
50d33c1d841898bbb6ef27d6267f8866

SHA1
7b58eb5b6821dbdd84da49828bac8bbd46609103

SHA256
7b3153e9507e16dcac6e71f7df43602763505c4777983898e618382ba7b4b84b

SHA512
505b83fc2809e9220909270554acbd0e83442754725130c4c9d5601a68f94f1186d910dce01415a5b2532e9cf28565a35036f00e3d4dfdcdd12e088ae235fdd0

Download Submit
C:\Windows\{89ECEB9C-2F09-4718-9450-96A7FD55E572}.exe

Filesize
204KB

MD5
5679875dedd414c7cbd42eaee62986a7

SHA1
b193e010c9930bbe71e25d9f5bb2593055e39f36

SHA256
d864c0a7590e71d7b20d7cb58951a02d66a3e72bd68738650cb22df08e813675

SHA512
5c77a2e4d5dc027cb04534e60e4e01b1da81fc2ef668c6c76c7cfd21e5bad0f822fd0248213380365426a706359adc7ae5b5cb85c4c1db2593acad5d078cc48b

Download Submit
C:\Windows\{89ECEB9C-2F09-4718-9450-96A7FD55E572}.exe

Filesize
204KB

MD5
5679875dedd414c7cbd42eaee62986a7

SHA1
b193e010c9930bbe71e25d9f5bb2593055e39f36

SHA256
d864c0a7590e71d7b20d7cb58951a02d66a3e72bd68738650cb22df08e813675

SHA512
5c77a2e4d5dc027cb04534e60e4e01b1da81fc2ef668c6c76c7cfd21e5bad0f822fd0248213380365426a706359adc7ae5b5cb85c4c1db2593acad5d078cc48b

Download Submit
C:\Windows\{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe

Filesize
204KB

MD5
8f31ad86c0845a91b6e9b58f36fc73f9

SHA1
d75b6c48d05b4a44080127361012e107b29d7850

SHA256
d4398214970cbf4bbb171b110bc4c48dd911d8a5efda16b527ac6df1e5476b89

SHA512
5e34a81afd384928e3967b9d2248b65e0a1c0b1fa7a321606f60130de89e173c666440a51d70205a631b9866b1c651f1ee631094b7bd4ec853856553c6638896

Download Submit
C:\Windows\{932E1B2E-88D5-463e-9874-C776CC087E7C}.exe

Filesize
204KB

MD5
8f31ad86c0845a91b6e9b58f36fc73f9

SHA1
d75b6c48d05b4a44080127361012e107b29d7850

SHA256
d4398214970cbf4bbb171b110bc4c48dd911d8a5efda16b527ac6df1e5476b89

SHA512
5e34a81afd384928e3967b9d2248b65e0a1c0b1fa7a321606f60130de89e173c666440a51d70205a631b9866b1c651f1ee631094b7bd4ec853856553c6638896

Download Submit
C:\Windows\{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe

Filesize
204KB

MD5
49ce1e925be79ab6e8c3f66e8f397e6c

SHA1
2d644cd2eb126185617d2ca0b7a694652a681255

SHA256
0feca7156b5f07a922114e8760386667082c586f1fb940d0c815bab6e9e2d319

SHA512
e31d7fc3e4324d5b6b3c2b711c382f0f2206ea2d96f12ce54eb325b5f31a9f30e684f39e118d7daa7853ece166eaa6511270c0fa65306716dbe98f05a9bddba4

Download Submit
C:\Windows\{A7D1F581-4AA3-4361-80C4-0D184E9032A2}.exe

Filesize
204KB

MD5
49ce1e925be79ab6e8c3f66e8f397e6c

SHA1
2d644cd2eb126185617d2ca0b7a694652a681255

SHA256
0feca7156b5f07a922114e8760386667082c586f1fb940d0c815bab6e9e2d319

SHA512
e31d7fc3e4324d5b6b3c2b711c382f0f2206ea2d96f12ce54eb325b5f31a9f30e684f39e118d7daa7853ece166eaa6511270c0fa65306716dbe98f05a9bddba4

Download Submit
C:\Windows\{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe

Filesize
204KB

MD5
0f5d382ab8c16e1a1a49ae4b0bedc8fb

SHA1
35956bde8d3063449a3dc42511c5317a72792b6d

SHA256
afde956082caa0f8690e1f66bb2b9a2efe10d3313f83844add7a13fdd5ea940b

SHA512
b289ec10a168d118efcb08838f3de218c86d121b71a3f60f88d72815f81b6b37be0717665504d886328c0d51fee7fd9f51d8240cf55606c492a10c06e596999d

Download Submit
C:\Windows\{A8A96AE3-7204-4bff-9EE0-69071B5042E1}.exe

Filesize
204KB

MD5
0f5d382ab8c16e1a1a49ae4b0bedc8fb

SHA1
35956bde8d3063449a3dc42511c5317a72792b6d

SHA256
afde956082caa0f8690e1f66bb2b9a2efe10d3313f83844add7a13fdd5ea940b

SHA512
b289ec10a168d118efcb08838f3de218c86d121b71a3f60f88d72815f81b6b37be0717665504d886328c0d51fee7fd9f51d8240cf55606c492a10c06e596999d

Download Submit
C:\Windows\{A9494DE2-4263-4f62-B78D-E70D5D7301E7}.exe

Filesize
204KB

MD5
4de66eb71964ce9e62475f1b541a3e4d

SHA1
6f341c8a1e934b6c811e883bfffc60d0ee96641e

SHA256
af395d5136a3fbcd03972e5c216e9630301bf1df3cc905b3d5d418b384ed808f

SHA512
339e661ad9d52578346d6853f467c190ca4b624654b8f1d49fff134e2528defc6d020fd50ca8387e62217a8c0f3ff4ae6950fb2ab1e3d6d66f55c48ae3e566e4

Download Submit
C:\Windows\{AAA0A556-84B6-46af-861B-6408518520E4}.exe

Filesize
204KB

MD5
46b1ac89c63a51cb589dec0b3c61fae7

SHA1
81e1727f3207f6b4194db2cfa4bb78aab5c25e3f

SHA256
29be8d14f9873a7feeaa7e7528b38477f1f97fd403e8d4c8baf8a9657c548066

SHA512
008b9ef04f0b16bb64f9d4aaa580a2e69dc6011824449d4f7df98cc91d29ec143d081ffbd64061802a4e665c9f018ba467f2ba064eb253ef570b01a7ab302a97

Download Submit
C:\Windows\{AAA0A556-84B6-46af-861B-6408518520E4}.exe

Filesize
204KB

MD5
46b1ac89c63a51cb589dec0b3c61fae7

SHA1
81e1727f3207f6b4194db2cfa4bb78aab5c25e3f

SHA256
29be8d14f9873a7feeaa7e7528b38477f1f97fd403e8d4c8baf8a9657c548066

SHA512
008b9ef04f0b16bb64f9d4aaa580a2e69dc6011824449d4f7df98cc91d29ec143d081ffbd64061802a4e665c9f018ba467f2ba064eb253ef570b01a7ab302a97

Download Submit
C:\Windows\{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe

Filesize
204KB

MD5
cdcdc0e480c33129a5bf5930c6eaaa01

SHA1
26dbbd5cdf18fa8f52d268f1fa1727016a4fa141

SHA256
3389a223298157c31ef7e64da6b103a823ddb3b32179a89c6a4cbce914f6e8d3

SHA512
45b6023eddb5e5394bac5038a17fbf7e28cf973d0a55711618841961387ec90f6ad2be8f34a99c7a108edaf3d24ec14ca7f1e9b879c7a967173ca6abc086fe15

Download Submit
C:\Windows\{B86741DA-523F-49f6-A2F6-0775A557CE83}.exe

Filesize
204KB

MD5
cdcdc0e480c33129a5bf5930c6eaaa01

SHA1
26dbbd5cdf18fa8f52d268f1fa1727016a4fa141

SHA256
3389a223298157c31ef7e64da6b103a823ddb3b32179a89c6a4cbce914f6e8d3

SHA512
45b6023eddb5e5394bac5038a17fbf7e28cf973d0a55711618841961387ec90f6ad2be8f34a99c7a108edaf3d24ec14ca7f1e9b879c7a967173ca6abc086fe15

Download Submit
C:\Windows\{BD5B7B43-5E7F-420d-ADD2-1F19C354D2CB}.exe

Filesize
204KB

MD5
1311dc84428f617779c1307599ec5569

SHA1
daa76dd90da115d5cf3a3c6c046f324d97564f71

SHA256
f2c7ed102b3d28254336fcef7f6321424ab47c0beb3ca193f9d0d059eee7a343

SHA512
68e94a1d93af22128de78c76016846471f6d7124c4f2454a3a09d6259293badb1b30445f78142e18a7d8028901d504de7337a2ebd57336b9946b2fbb4142d2d1

Download Submit
C:\Windows\{BD5B7B43-5E7F-420d-ADD2-1F19C354D2CB}.exe

Filesize
204KB

MD5
1311dc84428f617779c1307599ec5569

SHA1
daa76dd90da115d5cf3a3c6c046f324d97564f71

SHA256
f2c7ed102b3d28254336fcef7f6321424ab47c0beb3ca193f9d0d059eee7a343

SHA512
68e94a1d93af22128de78c76016846471f6d7124c4f2454a3a09d6259293badb1b30445f78142e18a7d8028901d504de7337a2ebd57336b9946b2fbb4142d2d1

Download Submit
C:\Windows\{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe

Filesize
204KB

MD5
b5d35da474738bbbe94fd5372d73d089

SHA1
4a923cf553bba0b504f065ca6d48098e83cc29f1

SHA256
80d91a5d10ff4cf914c932b6bb94409dc37128046b6d11c20b9db16f10a04b16

SHA512
7baf4e20e8dd02e341ae1e7be49a1959e284210d27493cdb47899a80eb0e715f3386b134c1ecc747e07f4f70ef8e4e5ab4e026b359dc7d59b5049aff14bca43a

Download Submit
C:\Windows\{DC40B019-2D41-427d-8BB7-6831EED5DBCA}.exe

Filesize
204KB

MD5
b5d35da474738bbbe94fd5372d73d089

SHA1
4a923cf553bba0b504f065ca6d48098e83cc29f1

SHA256
80d91a5d10ff4cf914c932b6bb94409dc37128046b6d11c20b9db16f10a04b16

SHA512
7baf4e20e8dd02e341ae1e7be49a1959e284210d27493cdb47899a80eb0e715f3386b134c1ecc747e07f4f70ef8e4e5ab4e026b359dc7d59b5049aff14bca43a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads