26bd9b80b6882f73f61f45c2da4a7e6a46f9d53136289c4350c50f35e4f4ddad

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe
Size

408KB
MD5

b9cc41becacc96fd0f4ffaf7d63b554b
SHA1

08a9c2a44b0454eaa364b57cdd6995fc605c1ca8
SHA256

26bd9b80b6882f73f61f45c2da4a7e6a46f9d53136289c4350c50f35e4f4ddad
SHA512

c44e65f99fc24612a245c2c1e3b2e752384f830c3ae78593a325ceae4975ee2649af22f6c4c9ecd68ae513b13dc862b8dd6f830e908a76a688249a42522d33b3
SSDEEP

3072:CEGh0o2l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGcldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}\stubpath = "C:\\Windows\\{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe"	{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C97B75EE-A558-4641-AED7-944E1E6364FD}	{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C84D70ED-8F99-4671-82C1-91134843B04D}	{A8B57B6C-21A5-4483-87C8-8AAE3ADD778A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B539293E-36AB-479e-84A3-4C23BA9247EF}\stubpath = "C:\\Windows\\{B539293E-36AB-479e-84A3-4C23BA9247EF}.exe"	{22A2C539-37F5-432c-8DB5-3773A987AA77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B539293E-36AB-479e-84A3-4C23BA9247EF}	{22A2C539-37F5-432c-8DB5-3773A987AA77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}\stubpath = "C:\\Windows\\{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe"	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{344FFD29-DCD9-4682-BF0D-85FB622D48C6}\stubpath = "C:\\Windows\\{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe"	{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1928D2F-34FA-4412-926F-202A8731DEEC}\stubpath = "C:\\Windows\\{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe"	{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}\stubpath = "C:\\Windows\\{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe"	{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8B57B6C-21A5-4483-87C8-8AAE3ADD778A}	{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22A2C539-37F5-432c-8DB5-3773A987AA77}\stubpath = "C:\\Windows\\{22A2C539-37F5-432c-8DB5-3773A987AA77}.exe"	{C84D70ED-8F99-4671-82C1-91134843B04D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{344FFD29-DCD9-4682-BF0D-85FB622D48C6}	{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1928D2F-34FA-4412-926F-202A8731DEEC}	{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C97B75EE-A558-4641-AED7-944E1E6364FD}\stubpath = "C:\\Windows\\{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe"	{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C84D70ED-8F99-4671-82C1-91134843B04D}\stubpath = "C:\\Windows\\{C84D70ED-8F99-4671-82C1-91134843B04D}.exe"	{A8B57B6C-21A5-4483-87C8-8AAE3ADD778A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22A2C539-37F5-432c-8DB5-3773A987AA77}	{C84D70ED-8F99-4671-82C1-91134843B04D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}	{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}	{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}\stubpath = "C:\\Windows\\{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe"	{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}	{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8B57B6C-21A5-4483-87C8-8AAE3ADD778A}\stubpath = "C:\\Windows\\{A8B57B6C-21A5-4483-87C8-8AAE3ADD778A}.exe"	{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe

Deletes itself 1 IoCs

pid	Process
1624	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2656	{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe
2404	{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe
2292	{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe
3012	{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe
3008	{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe
2484	{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe
2592	{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe
1124	{A8B57B6C-21A5-4483-87C8-8AAE3ADD778A}.exe
2928	{C84D70ED-8F99-4671-82C1-91134843B04D}.exe
2808	{22A2C539-37F5-432c-8DB5-3773A987AA77}.exe
1668	{B539293E-36AB-479e-84A3-4C23BA9247EF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe	{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe
File created	C:\Windows\{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe	{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe
File created	C:\Windows\{C84D70ED-8F99-4671-82C1-91134843B04D}.exe	{A8B57B6C-21A5-4483-87C8-8AAE3ADD778A}.exe
File created	C:\Windows\{B539293E-36AB-479e-84A3-4C23BA9247EF}.exe	{22A2C539-37F5-432c-8DB5-3773A987AA77}.exe
File created	C:\Windows\{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe
File created	C:\Windows\{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe	{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe
File created	C:\Windows\{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe	{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe
File created	C:\Windows\{22A2C539-37F5-432c-8DB5-3773A987AA77}.exe	{C84D70ED-8F99-4671-82C1-91134843B04D}.exe
File created	C:\Windows\{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe	{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe
File created	C:\Windows\{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe	{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe
File created	C:\Windows\{A8B57B6C-21A5-4483-87C8-8AAE3ADD778A}.exe	{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	832	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2656	{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe
Token: SeIncBasePriorityPrivilege	2404	{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe
Token: SeIncBasePriorityPrivilege	2292	{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe
Token: SeIncBasePriorityPrivilege	3012	{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe
Token: SeIncBasePriorityPrivilege	3008	{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe
Token: SeIncBasePriorityPrivilege	2484	{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe
Token: SeIncBasePriorityPrivilege	2592	{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe
Token: SeIncBasePriorityPrivilege	1124	{A8B57B6C-21A5-4483-87C8-8AAE3ADD778A}.exe
Token: SeIncBasePriorityPrivilege	2928	{C84D70ED-8F99-4671-82C1-91134843B04D}.exe
Token: SeIncBasePriorityPrivilege	2808	{22A2C539-37F5-432c-8DB5-3773A987AA77}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 2656	832	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe	28
PID 832 wrote to memory of 2656	832	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe	28
PID 832 wrote to memory of 2656	832	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe	28
PID 832 wrote to memory of 2656	832	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe	28
PID 832 wrote to memory of 1624	832	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe	29
PID 832 wrote to memory of 1624	832	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe	29
PID 832 wrote to memory of 1624	832	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe	29
PID 832 wrote to memory of 1624	832	NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe	29
PID 2656 wrote to memory of 2404	2656	{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe	30
PID 2656 wrote to memory of 2404	2656	{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe	30
PID 2656 wrote to memory of 2404	2656	{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe	30
PID 2656 wrote to memory of 2404	2656	{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe	30
PID 2656 wrote to memory of 1152	2656	{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe	31
PID 2656 wrote to memory of 1152	2656	{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe	31
PID 2656 wrote to memory of 1152	2656	{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe	31
PID 2656 wrote to memory of 1152	2656	{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe	31
PID 2404 wrote to memory of 2292	2404	{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe	32
PID 2404 wrote to memory of 2292	2404	{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe	32
PID 2404 wrote to memory of 2292	2404	{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe	32
PID 2404 wrote to memory of 2292	2404	{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe	32
PID 2404 wrote to memory of 2192	2404	{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe	33
PID 2404 wrote to memory of 2192	2404	{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe	33
PID 2404 wrote to memory of 2192	2404	{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe	33
PID 2404 wrote to memory of 2192	2404	{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe	33
PID 2292 wrote to memory of 3012	2292	{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe	36
PID 2292 wrote to memory of 3012	2292	{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe	36
PID 2292 wrote to memory of 3012	2292	{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe	36
PID 2292 wrote to memory of 3012	2292	{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe	36
PID 2292 wrote to memory of 2896	2292	{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe	37
PID 2292 wrote to memory of 2896	2292	{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe	37
PID 2292 wrote to memory of 2896	2292	{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe	37
PID 2292 wrote to memory of 2896	2292	{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe	37
PID 3012 wrote to memory of 3008	3012	{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe	38
PID 3012 wrote to memory of 3008	3012	{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe	38
PID 3012 wrote to memory of 3008	3012	{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe	38
PID 3012 wrote to memory of 3008	3012	{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe	38
PID 3012 wrote to memory of 2748	3012	{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe	39
PID 3012 wrote to memory of 2748	3012	{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe	39
PID 3012 wrote to memory of 2748	3012	{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe	39
PID 3012 wrote to memory of 2748	3012	{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe	39
PID 3008 wrote to memory of 2484	3008	{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe	41
PID 3008 wrote to memory of 2484	3008	{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe	41
PID 3008 wrote to memory of 2484	3008	{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe	41
PID 3008 wrote to memory of 2484	3008	{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe	41
PID 3008 wrote to memory of 2880	3008	{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe	40
PID 3008 wrote to memory of 2880	3008	{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe	40
PID 3008 wrote to memory of 2880	3008	{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe	40
PID 3008 wrote to memory of 2880	3008	{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe	40
PID 2484 wrote to memory of 2592	2484	{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe	42
PID 2484 wrote to memory of 2592	2484	{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe	42
PID 2484 wrote to memory of 2592	2484	{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe	42
PID 2484 wrote to memory of 2592	2484	{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe	42
PID 2484 wrote to memory of 2652	2484	{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe	43
PID 2484 wrote to memory of 2652	2484	{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe	43
PID 2484 wrote to memory of 2652	2484	{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe	43
PID 2484 wrote to memory of 2652	2484	{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe	43
PID 2592 wrote to memory of 1124	2592	{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe	45
PID 2592 wrote to memory of 1124	2592	{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe	45
PID 2592 wrote to memory of 1124	2592	{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe	45
PID 2592 wrote to memory of 1124	2592	{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe	45
PID 2592 wrote to memory of 2412	2592	{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe	44
PID 2592 wrote to memory of 2412	2592	{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe	44
PID 2592 wrote to memory of 2412	2592	{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe	44
PID 2592 wrote to memory of 2412	2592	{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe	44

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_b9cc41becacc96fd0f4ffaf7d63b554b_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe
  C:\Windows\{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe
    C:\Windows\{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe
      C:\Windows\{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe
        
        C:\Windows\{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe
        
        C:\Windows\{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B534A~1.EXE > nul
        7⤵
        
        PID:2880
        
        C:\Windows\{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe
        
        C:\Windows\{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe
        
        C:\Windows\{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E0BF~1.EXE > nul
        9⤵
        
        PID:2412
        
        C:\Windows\{A8B57B6C-21A5-4483-87C8-8AAE3ADD778A}.exe
        
        C:\Windows\{A8B57B6C-21A5-4483-87C8-8AAE3ADD778A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\{C84D70ED-8F99-4671-82C1-91134843B04D}.exe
        
        C:\Windows\{C84D70ED-8F99-4671-82C1-91134843B04D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\{22A2C539-37F5-432c-8DB5-3773A987AA77}.exe
        
        C:\Windows\{22A2C539-37F5-432c-8DB5-3773A987AA77}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\{B539293E-36AB-479e-84A3-4C23BA9247EF}.exe
        
        C:\Windows\{B539293E-36AB-479e-84A3-4C23BA9247EF}.exe
        12⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22A2C~1.EXE > nul
        12⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C84D7~1.EXE > nul
        11⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8B57~1.EXE > nul
        10⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C97B7~1.EXE > nul
        8⤵
        
        PID:2652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1928~1.EXE > nul
        6⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B5A5~1.EXE > nul
        5⤵
        
        PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{344FF~1.EXE > nul
      4⤵
      PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{31E5B~1.EXE > nul
    3⤵
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22A2C539-37F5-432c-8DB5-3773A987AA77}.exe

Filesize
408KB

MD5
9646fc8c4240484925673a150316ec88

SHA1
3f818e7dde87405b15989c0da05806d6fd34ecbf

SHA256
94bd864ce4f79d93178d33695207d2fa76aad5ff7b207e13a64b38c4087b0828

SHA512
089783cd78c4c0dc664477ec1a24afd5024c81ca9ac923eb3fbc3d0264ee56e7878c1267c2e195d34464abe3bea46df9b0c7a3d9b3a4bc79484d28c6d33a9369

Download Submit
C:\Windows\{22A2C539-37F5-432c-8DB5-3773A987AA77}.exe

Filesize
408KB

MD5
9646fc8c4240484925673a150316ec88

SHA1
3f818e7dde87405b15989c0da05806d6fd34ecbf

SHA256
94bd864ce4f79d93178d33695207d2fa76aad5ff7b207e13a64b38c4087b0828

SHA512
089783cd78c4c0dc664477ec1a24afd5024c81ca9ac923eb3fbc3d0264ee56e7878c1267c2e195d34464abe3bea46df9b0c7a3d9b3a4bc79484d28c6d33a9369

Download Submit
C:\Windows\{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe

Filesize
408KB

MD5
b33e7c40af79fa9e037a97ef9ab9cfc4

SHA1
71eb1b44e5d730f3963c18245c9483039e7770ae

SHA256
892e89d29fb853555aeb687e39d0d777ca4c4584d7e9886bb0d472fe6347f1cf

SHA512
b90e34c1da2e59b0f9f50b2b5498ea9dc18db4292d92d54af5dc597f3c399938e253983277727e31009a87e6d499ab557aa05ea3a84064e6e1022f7b27ec4128

Download Submit
C:\Windows\{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe

Filesize
408KB

MD5
b33e7c40af79fa9e037a97ef9ab9cfc4

SHA1
71eb1b44e5d730f3963c18245c9483039e7770ae

SHA256
892e89d29fb853555aeb687e39d0d777ca4c4584d7e9886bb0d472fe6347f1cf

SHA512
b90e34c1da2e59b0f9f50b2b5498ea9dc18db4292d92d54af5dc597f3c399938e253983277727e31009a87e6d499ab557aa05ea3a84064e6e1022f7b27ec4128

Download Submit
C:\Windows\{31E5BF9A-1945-40ad-9A71-2F2938DB8CE5}.exe

Filesize
408KB

MD5
b33e7c40af79fa9e037a97ef9ab9cfc4

SHA1
71eb1b44e5d730f3963c18245c9483039e7770ae

SHA256
892e89d29fb853555aeb687e39d0d777ca4c4584d7e9886bb0d472fe6347f1cf

SHA512
b90e34c1da2e59b0f9f50b2b5498ea9dc18db4292d92d54af5dc597f3c399938e253983277727e31009a87e6d499ab557aa05ea3a84064e6e1022f7b27ec4128

Download Submit
C:\Windows\{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe

Filesize
408KB

MD5
c224e75aa0ceca25f14df2036b309277

SHA1
76511d1bfc71dedef967813f003ab733f4d7a98a

SHA256
14c629d9da5a836a7cbc1628c2a3e2f02adfd02e01bb6f45567d5b8ab9f94eae

SHA512
05bd063655bfd7b824790430101b940af139c32748e2e2a3f6a5796e80a8ef1ca7a34a6955acaa9ab1538f82f889382241f2a36927d241c2013f3ed25f6620a0

Download Submit
C:\Windows\{344FFD29-DCD9-4682-BF0D-85FB622D48C6}.exe

Filesize
408KB

MD5
c224e75aa0ceca25f14df2036b309277

SHA1
76511d1bfc71dedef967813f003ab733f4d7a98a

SHA256
14c629d9da5a836a7cbc1628c2a3e2f02adfd02e01bb6f45567d5b8ab9f94eae

SHA512
05bd063655bfd7b824790430101b940af139c32748e2e2a3f6a5796e80a8ef1ca7a34a6955acaa9ab1538f82f889382241f2a36927d241c2013f3ed25f6620a0

Download Submit
C:\Windows\{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe

Filesize
408KB

MD5
ca2370a3bf9646af6ae219e49791f35b

SHA1
662870d2d9d03bdd5d8753ad9df398a6ff6621df

SHA256
bb985df022e43fff5fa99f9d7d0bd649cad2cf1ae504150bae4f4da1b1a227a1

SHA512
900ded102be65d88fc06bbba9aa6b5639c81e184a95a3d12bb5306f42f9cca0a6bbfcc734f7160eaf4ce0a94869691421b533fcbac5ac06cdfe8edd15e0f3edb

Download Submit
C:\Windows\{6B5A5140-105D-43d3-ABF3-1C7D7AB87C20}.exe

Filesize
408KB

MD5
ca2370a3bf9646af6ae219e49791f35b

SHA1
662870d2d9d03bdd5d8753ad9df398a6ff6621df

SHA256
bb985df022e43fff5fa99f9d7d0bd649cad2cf1ae504150bae4f4da1b1a227a1

SHA512
900ded102be65d88fc06bbba9aa6b5639c81e184a95a3d12bb5306f42f9cca0a6bbfcc734f7160eaf4ce0a94869691421b533fcbac5ac06cdfe8edd15e0f3edb

Download Submit
C:\Windows\{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe

Filesize
408KB

MD5
ca5025ab110dd06c52c7bb7aa9e61844

SHA1
e9d6855c3a825fd994bd49db3debe3eb284aea3e

SHA256
eebcfaa4c0e71477ba7b5f2ac4237361e26267f53121fcf18a51967896bfda5d

SHA512
dbc8676902219174fc5724eb9102362635c101891e0dc6ce65d8db18b6176db7b9d28d25be40cf8872a8a4f567e71dcc9068ac94543578e365d46a1bf44419b0

Download Submit
C:\Windows\{7E0BF7B5-F5B5-40d6-AC88-967D83C3AFAE}.exe

Filesize
408KB

MD5
ca5025ab110dd06c52c7bb7aa9e61844

SHA1
e9d6855c3a825fd994bd49db3debe3eb284aea3e

SHA256
eebcfaa4c0e71477ba7b5f2ac4237361e26267f53121fcf18a51967896bfda5d

SHA512
dbc8676902219174fc5724eb9102362635c101891e0dc6ce65d8db18b6176db7b9d28d25be40cf8872a8a4f567e71dcc9068ac94543578e365d46a1bf44419b0

Download Submit
C:\Windows\{A8B57B6C-21A5-4483-87C8-8AAE3ADD778A}.exe

Filesize
408KB

MD5
70c99b24b7baaf12fc473d58a91e1cba

SHA1
54ad2ee8bd057e013ddd2efb43cc4835ff21071b

SHA256
7a75335658b69eec969a4a4ccf5b699db5b494cbe299da9a50e3a437d86768b1

SHA512
07fd7a219687a2036cee43e43db442bbf5849816cb580e7a363fa462b62ed19200a64e959cafb7dba310c6980888263a7f39497ecda197fc364a6ea1e169c152

Download Submit
C:\Windows\{A8B57B6C-21A5-4483-87C8-8AAE3ADD778A}.exe

Filesize
408KB

MD5
70c99b24b7baaf12fc473d58a91e1cba

SHA1
54ad2ee8bd057e013ddd2efb43cc4835ff21071b

SHA256
7a75335658b69eec969a4a4ccf5b699db5b494cbe299da9a50e3a437d86768b1

SHA512
07fd7a219687a2036cee43e43db442bbf5849816cb580e7a363fa462b62ed19200a64e959cafb7dba310c6980888263a7f39497ecda197fc364a6ea1e169c152

Download Submit
C:\Windows\{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe

Filesize
408KB

MD5
fafe6ac869ad6c23129c89e09f2d50db

SHA1
b84fc4898c3f98a26676e5f75c21709ad09a95cc

SHA256
78652c90a1a64ce91fd9624a1a507e4ef6dc29fbc710e1f6399db1b729eb88b3

SHA512
2c153d0a00df4d9cb62534dd33bb7aef558ae1f8e6310f412235c76a17f0830e90f98a1ddaa290a31d1e6c75875e8f46232b63188112a8f687e2ee0b25611a10

Download Submit
C:\Windows\{B534AC9A-8AE5-49e9-B4D5-2A28DC621A3A}.exe

Filesize
408KB

MD5
fafe6ac869ad6c23129c89e09f2d50db

SHA1
b84fc4898c3f98a26676e5f75c21709ad09a95cc

SHA256
78652c90a1a64ce91fd9624a1a507e4ef6dc29fbc710e1f6399db1b729eb88b3

SHA512
2c153d0a00df4d9cb62534dd33bb7aef558ae1f8e6310f412235c76a17f0830e90f98a1ddaa290a31d1e6c75875e8f46232b63188112a8f687e2ee0b25611a10

Download Submit
C:\Windows\{B539293E-36AB-479e-84A3-4C23BA9247EF}.exe

Filesize
408KB

MD5
4a2a25886fad486ec2b03957c46bde6f

SHA1
621bf48ccd8b2f821c053d9fb8981ccc3151564d

SHA256
437b5224c04d76adc968a093c86988998e44aaf56806162c078f1a89750c6b61

SHA512
22b800bb4d2bee2e995cc34ba86f6cfca8dffb3d7b7d15f833fdaec3513d5f8b172c4e9dd995644602164dc30dbf4fa51dcf4d7c7f295a1e09542f8f1fcc492f

Download Submit
C:\Windows\{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe

Filesize
408KB

MD5
cef9afede019966270c0c57e9d805dbf

SHA1
b4b684be6cd4babd7f3854e925b002247ece1b2c

SHA256
22137eb8429b80b48763c3810ffda8e0e6cdab36039d443f8868ec8b0b2a147a

SHA512
056b068af665c46c8f1d2678eac9e64b350d33d6f3ac53af8e0b6eb992b07115f203569a26b642d736d7079eb6b3b2aeca5b27dbfe26d701a96483e1a4150fd8

Download Submit
C:\Windows\{C1928D2F-34FA-4412-926F-202A8731DEEC}.exe

Filesize
408KB

MD5
cef9afede019966270c0c57e9d805dbf

SHA1
b4b684be6cd4babd7f3854e925b002247ece1b2c

SHA256
22137eb8429b80b48763c3810ffda8e0e6cdab36039d443f8868ec8b0b2a147a

SHA512
056b068af665c46c8f1d2678eac9e64b350d33d6f3ac53af8e0b6eb992b07115f203569a26b642d736d7079eb6b3b2aeca5b27dbfe26d701a96483e1a4150fd8

Download Submit
C:\Windows\{C84D70ED-8F99-4671-82C1-91134843B04D}.exe

Filesize
408KB

MD5
3c831e929d96bb7764ce05b079e72efe

SHA1
91aa6a14c230784124c70f272091970cbf862f75

SHA256
3a9cb0530e85b259c92722e49ebc29e066fd8bd0e11ea5dc6bcecbd9bb644f96

SHA512
61f45e9ec442c4936805693e5c8785eed4332619ebcd5d39b44b86c86c7e58773cb6ac5c1f5500993ded64e703a0c3868280746dd08fac8fd580449aeb55ad95

Download Submit
C:\Windows\{C84D70ED-8F99-4671-82C1-91134843B04D}.exe

Filesize
408KB

MD5
3c831e929d96bb7764ce05b079e72efe

SHA1
91aa6a14c230784124c70f272091970cbf862f75

SHA256
3a9cb0530e85b259c92722e49ebc29e066fd8bd0e11ea5dc6bcecbd9bb644f96

SHA512
61f45e9ec442c4936805693e5c8785eed4332619ebcd5d39b44b86c86c7e58773cb6ac5c1f5500993ded64e703a0c3868280746dd08fac8fd580449aeb55ad95

Download Submit
C:\Windows\{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe

Filesize
408KB

MD5
d15d9cb6b09d43b4519919dd500d158a

SHA1
ee1df10cf02dd78b11a86c4ccee7ef4b3138c9db

SHA256
8d5406bc6bc3ebbd69099a3984f31ebd27a2940f091c9d54772802ba0cad021c

SHA512
deb9b62e17ee29324f301fadee6cb4156794c519809d3cca84566f9035166bda347a2c591906ed441045c630c0935cfb75ad9520d08d0bb2a324747232ab0299

Download Submit
C:\Windows\{C97B75EE-A558-4641-AED7-944E1E6364FD}.exe

Filesize
408KB

MD5
d15d9cb6b09d43b4519919dd500d158a

SHA1
ee1df10cf02dd78b11a86c4ccee7ef4b3138c9db

SHA256
8d5406bc6bc3ebbd69099a3984f31ebd27a2940f091c9d54772802ba0cad021c

SHA512
deb9b62e17ee29324f301fadee6cb4156794c519809d3cca84566f9035166bda347a2c591906ed441045c630c0935cfb75ad9520d08d0bb2a324747232ab0299

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads