d51f8e9b4744addf363f682060ca883d22d6b562c9cccc13b209f86230f649d2

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe
Size

192KB
MD5

6c48d030f70c63f64f4060bbc8e268da
SHA1

38215da17782e2bc1bd37472b72a6e19318b9b79
SHA256

d51f8e9b4744addf363f682060ca883d22d6b562c9cccc13b209f86230f649d2
SHA512

56a03344bcab93dd56f0b402a8b01f8756d0b6fd7f2976a2d090b58d0254609f1277a09e16842def6af7fb4134331ba6c4b44ef778b8f58f7a7fcc6e0c821b20
SSDEEP

1536:1EGh0oLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oLl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2B8019B-4C1A-4a86-A376-F8CC47611889}	{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{125C37B2-4E14-4048-88C4-399DAE67071C}	{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E2B92AE-972A-46c1-BEAB-165573F17CC8}	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E2B92AE-972A-46c1-BEAB-165573F17CC8}\stubpath = "C:\\Windows\\{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe"	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}	{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}\stubpath = "C:\\Windows\\{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe"	{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3E1017C-312F-4bde-854C-679D02B88CDE}	{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}\stubpath = "C:\\Windows\\{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe"	{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DABBFF14-EA1D-4af9-8492-1F901F53FE86}\stubpath = "C:\\Windows\\{DABBFF14-EA1D-4af9-8492-1F901F53FE86}.exe"	{54B69E80-8C10-46f0-A37E-608CF52031A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}	{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3E1017C-312F-4bde-854C-679D02B88CDE}\stubpath = "C:\\Windows\\{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe"	{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21DC7542-52CA-4d0c-A0D9-A79546F9739E}	{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21DC7542-52CA-4d0c-A0D9-A79546F9739E}\stubpath = "C:\\Windows\\{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe"	{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{125C37B2-4E14-4048-88C4-399DAE67071C}\stubpath = "C:\\Windows\\{125C37B2-4E14-4048-88C4-399DAE67071C}.exe"	{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54B69E80-8C10-46f0-A37E-608CF52031A8}\stubpath = "C:\\Windows\\{54B69E80-8C10-46f0-A37E-608CF52031A8}.exe"	{125C37B2-4E14-4048-88C4-399DAE67071C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}\stubpath = "C:\\Windows\\{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe"	{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2B8019B-4C1A-4a86-A376-F8CC47611889}\stubpath = "C:\\Windows\\{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe"	{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}	{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54B69E80-8C10-46f0-A37E-608CF52031A8}	{125C37B2-4E14-4048-88C4-399DAE67071C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DABBFF14-EA1D-4af9-8492-1F901F53FE86}	{54B69E80-8C10-46f0-A37E-608CF52031A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9B95009-EFCD-4c58-8EE3-EFA3EAF7572C}	{DABBFF14-EA1D-4af9-8492-1F901F53FE86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9B95009-EFCD-4c58-8EE3-EFA3EAF7572C}\stubpath = "C:\\Windows\\{B9B95009-EFCD-4c58-8EE3-EFA3EAF7572C}.exe"	{DABBFF14-EA1D-4af9-8492-1F901F53FE86}.exe

Deletes itself 1 IoCs

pid	Process
1712	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2524	{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe
2320	{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe
2876	{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe
2316	{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe
2828	{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe
2704	{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe
2600	{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe
2744	{125C37B2-4E14-4048-88C4-399DAE67071C}.exe
2592	{54B69E80-8C10-46f0-A37E-608CF52031A8}.exe
3036	{DABBFF14-EA1D-4af9-8492-1F901F53FE86}.exe
1856	{B9B95009-EFCD-4c58-8EE3-EFA3EAF7572C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe	{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe
File created	C:\Windows\{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe	{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe
File created	C:\Windows\{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe	{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe
File created	C:\Windows\{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe	{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe
File created	C:\Windows\{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe	{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe
File created	C:\Windows\{DABBFF14-EA1D-4af9-8492-1F901F53FE86}.exe	{54B69E80-8C10-46f0-A37E-608CF52031A8}.exe
File created	C:\Windows\{B9B95009-EFCD-4c58-8EE3-EFA3EAF7572C}.exe	{DABBFF14-EA1D-4af9-8492-1F901F53FE86}.exe
File created	C:\Windows\{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe
File created	C:\Windows\{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe	{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe
File created	C:\Windows\{125C37B2-4E14-4048-88C4-399DAE67071C}.exe	{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe
File created	C:\Windows\{54B69E80-8C10-46f0-A37E-608CF52031A8}.exe	{125C37B2-4E14-4048-88C4-399DAE67071C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1304	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2524	{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe
Token: SeIncBasePriorityPrivilege	2320	{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe
Token: SeIncBasePriorityPrivilege	2876	{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe
Token: SeIncBasePriorityPrivilege	2316	{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe
Token: SeIncBasePriorityPrivilege	2828	{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe
Token: SeIncBasePriorityPrivilege	2704	{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe
Token: SeIncBasePriorityPrivilege	2600	{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe
Token: SeIncBasePriorityPrivilege	2744	{125C37B2-4E14-4048-88C4-399DAE67071C}.exe
Token: SeIncBasePriorityPrivilege	2592	{54B69E80-8C10-46f0-A37E-608CF52031A8}.exe
Token: SeIncBasePriorityPrivilege	3036	{DABBFF14-EA1D-4af9-8492-1F901F53FE86}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2524	1304	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe	28
PID 1304 wrote to memory of 2524	1304	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe	28
PID 1304 wrote to memory of 2524	1304	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe	28
PID 1304 wrote to memory of 2524	1304	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe	28
PID 1304 wrote to memory of 1712	1304	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe	29
PID 1304 wrote to memory of 1712	1304	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe	29
PID 1304 wrote to memory of 1712	1304	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe	29
PID 1304 wrote to memory of 1712	1304	NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe	29
PID 2524 wrote to memory of 2320	2524	{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe	32
PID 2524 wrote to memory of 2320	2524	{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe	32
PID 2524 wrote to memory of 2320	2524	{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe	32
PID 2524 wrote to memory of 2320	2524	{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe	32
PID 2524 wrote to memory of 2288	2524	{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe	33
PID 2524 wrote to memory of 2288	2524	{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe	33
PID 2524 wrote to memory of 2288	2524	{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe	33
PID 2524 wrote to memory of 2288	2524	{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe	33
PID 2320 wrote to memory of 2876	2320	{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe	34
PID 2320 wrote to memory of 2876	2320	{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe	34
PID 2320 wrote to memory of 2876	2320	{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe	34
PID 2320 wrote to memory of 2876	2320	{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe	34
PID 2320 wrote to memory of 2664	2320	{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe	35
PID 2320 wrote to memory of 2664	2320	{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe	35
PID 2320 wrote to memory of 2664	2320	{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe	35
PID 2320 wrote to memory of 2664	2320	{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe	35
PID 2876 wrote to memory of 2316	2876	{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe	36
PID 2876 wrote to memory of 2316	2876	{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe	36
PID 2876 wrote to memory of 2316	2876	{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe	36
PID 2876 wrote to memory of 2316	2876	{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe	36
PID 2876 wrote to memory of 2820	2876	{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe	37
PID 2876 wrote to memory of 2820	2876	{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe	37
PID 2876 wrote to memory of 2820	2876	{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe	37
PID 2876 wrote to memory of 2820	2876	{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe	37
PID 2316 wrote to memory of 2828	2316	{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe	39
PID 2316 wrote to memory of 2828	2316	{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe	39
PID 2316 wrote to memory of 2828	2316	{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe	39
PID 2316 wrote to memory of 2828	2316	{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe	39
PID 2316 wrote to memory of 2680	2316	{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe	38
PID 2316 wrote to memory of 2680	2316	{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe	38
PID 2316 wrote to memory of 2680	2316	{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe	38
PID 2316 wrote to memory of 2680	2316	{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe	38
PID 2828 wrote to memory of 2704	2828	{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe	40
PID 2828 wrote to memory of 2704	2828	{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe	40
PID 2828 wrote to memory of 2704	2828	{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe	40
PID 2828 wrote to memory of 2704	2828	{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe	40
PID 2828 wrote to memory of 2884	2828	{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe	41
PID 2828 wrote to memory of 2884	2828	{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe	41
PID 2828 wrote to memory of 2884	2828	{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe	41
PID 2828 wrote to memory of 2884	2828	{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe	41
PID 2704 wrote to memory of 2600	2704	{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe	42
PID 2704 wrote to memory of 2600	2704	{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe	42
PID 2704 wrote to memory of 2600	2704	{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe	42
PID 2704 wrote to memory of 2600	2704	{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe	42
PID 2704 wrote to memory of 3032	2704	{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe	43
PID 2704 wrote to memory of 3032	2704	{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe	43
PID 2704 wrote to memory of 3032	2704	{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe	43
PID 2704 wrote to memory of 3032	2704	{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe	43
PID 2600 wrote to memory of 2744	2600	{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe	44
PID 2600 wrote to memory of 2744	2600	{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe	44
PID 2600 wrote to memory of 2744	2600	{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe	44
PID 2600 wrote to memory of 2744	2600	{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe	44
PID 2600 wrote to memory of 2684	2600	{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe	45
PID 2600 wrote to memory of 2684	2600	{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe	45
PID 2600 wrote to memory of 2684	2600	{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe	45
PID 2600 wrote to memory of 2684	2600	{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_6c48d030f70c63f64f4060bbc8e268da_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe
  C:\Windows\{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe
    C:\Windows\{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe
      C:\Windows\{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe
        
        C:\Windows\{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91ABC~1.EXE > nul
        6⤵
        
        PID:2680
      - C:\Windows\{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe
        
        C:\Windows\{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe
        
        C:\Windows\{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe
        
        C:\Windows\{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\{125C37B2-4E14-4048-88C4-399DAE67071C}.exe
        
        C:\Windows\{125C37B2-4E14-4048-88C4-399DAE67071C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\{54B69E80-8C10-46f0-A37E-608CF52031A8}.exe
        
        C:\Windows\{54B69E80-8C10-46f0-A37E-608CF52031A8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\{DABBFF14-EA1D-4af9-8492-1F901F53FE86}.exe
        
        C:\Windows\{DABBFF14-EA1D-4af9-8492-1F901F53FE86}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DABBF~1.EXE > nul
        12⤵
        
        PID:1568
        
        C:\Windows\{B9B95009-EFCD-4c58-8EE3-EFA3EAF7572C}.exe
        
        C:\Windows\{B9B95009-EFCD-4c58-8EE3-EFA3EAF7572C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54B69~1.EXE > nul
        11⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{125C3~1.EXE > nul
        10⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21DC7~1.EXE > nul
        9⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA2A8~1.EXE > nul
        8⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3E10~1.EXE > nul
        7⤵
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2B80~1.EXE > nul
        5⤵
        
        PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E1F63~1.EXE > nul
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E2B9~1.EXE > nul
    3⤵
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{125C37B2-4E14-4048-88C4-399DAE67071C}.exe

Filesize
192KB

MD5
b5672183ba9e0d11090b99c5e758bf98

SHA1
447a30a647fe55cc1056cf0e97282adbff14069e

SHA256
5ec00113ff3b783ecf4f1ce7c10ceb826622e182e2d27cd2c8e2182c57441eda

SHA512
5027cb4f5cfd6d6e28f70c7ab44a160a7e489115e15fe507cdbb5dc1a72aec639c50b55dd9e6434e18577ef8d8d9da21a3f9af63fb76c39279bc00c7beb349bb

Download Submit
C:\Windows\{125C37B2-4E14-4048-88C4-399DAE67071C}.exe

Filesize
192KB

MD5
b5672183ba9e0d11090b99c5e758bf98

SHA1
447a30a647fe55cc1056cf0e97282adbff14069e

SHA256
5ec00113ff3b783ecf4f1ce7c10ceb826622e182e2d27cd2c8e2182c57441eda

SHA512
5027cb4f5cfd6d6e28f70c7ab44a160a7e489115e15fe507cdbb5dc1a72aec639c50b55dd9e6434e18577ef8d8d9da21a3f9af63fb76c39279bc00c7beb349bb

Download Submit
C:\Windows\{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe

Filesize
192KB

MD5
8d0aba4d0e0d402a4817e4f0fde879f7

SHA1
f3882b9135a96ff950ff416c4754ea2fa0627af2

SHA256
94f81d88c60feb8ab001dc348affb32b68fd8d264565f5a3782f687ad329171b

SHA512
52c0f30a6e4df56c3e6dff277ce7d811f9d29427ff6b7f0566fab698d19d70b73d578584af87ed4b123338c017e8b11fd42f6b73135d69e94f4645a45f87074f

Download Submit
C:\Windows\{21DC7542-52CA-4d0c-A0D9-A79546F9739E}.exe

Filesize
192KB

MD5
8d0aba4d0e0d402a4817e4f0fde879f7

SHA1
f3882b9135a96ff950ff416c4754ea2fa0627af2

SHA256
94f81d88c60feb8ab001dc348affb32b68fd8d264565f5a3782f687ad329171b

SHA512
52c0f30a6e4df56c3e6dff277ce7d811f9d29427ff6b7f0566fab698d19d70b73d578584af87ed4b123338c017e8b11fd42f6b73135d69e94f4645a45f87074f

Download Submit
C:\Windows\{54B69E80-8C10-46f0-A37E-608CF52031A8}.exe

Filesize
192KB

MD5
684ad000021e2b6fd452bb6f9ecfab62

SHA1
c44b7dd9065ddbbac23845ef43570fc16846c480

SHA256
537e7c1ade50537bd58d77e97c805088805bea9328662e17943afca8c8c8c707

SHA512
18be29cb12e06e80e0d92a1d2fdec9fda69e96371ca9e4893a51e85bef49cd0efbb03ba87cbe0c89c9d072147025c19e1b6caa23453cec4881405d1c98d2c5cd

Download Submit
C:\Windows\{54B69E80-8C10-46f0-A37E-608CF52031A8}.exe

Filesize
192KB

MD5
684ad000021e2b6fd452bb6f9ecfab62

SHA1
c44b7dd9065ddbbac23845ef43570fc16846c480

SHA256
537e7c1ade50537bd58d77e97c805088805bea9328662e17943afca8c8c8c707

SHA512
18be29cb12e06e80e0d92a1d2fdec9fda69e96371ca9e4893a51e85bef49cd0efbb03ba87cbe0c89c9d072147025c19e1b6caa23453cec4881405d1c98d2c5cd

Download Submit
C:\Windows\{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe

Filesize
192KB

MD5
29bb221988b2d8e1fc9a639d7432c8de

SHA1
81b6df4cf46b3d9b94f1bf7c9e79a4adfe8ca151

SHA256
9e27a12987fe0308e73f9d22414dc185e3ff532041b6a3a6f632633b40b61c1d

SHA512
6244e373697173a87f7b2901bd903485ac9de15a8d5abb6e1f9dce583e90113cbab3793bcf000ce39011559f143751a7524a52bff7671658f615ebb98536404e

Download Submit
C:\Windows\{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe

Filesize
192KB

MD5
29bb221988b2d8e1fc9a639d7432c8de

SHA1
81b6df4cf46b3d9b94f1bf7c9e79a4adfe8ca151

SHA256
9e27a12987fe0308e73f9d22414dc185e3ff532041b6a3a6f632633b40b61c1d

SHA512
6244e373697173a87f7b2901bd903485ac9de15a8d5abb6e1f9dce583e90113cbab3793bcf000ce39011559f143751a7524a52bff7671658f615ebb98536404e

Download Submit
C:\Windows\{6E2B92AE-972A-46c1-BEAB-165573F17CC8}.exe

Filesize
192KB

MD5
29bb221988b2d8e1fc9a639d7432c8de

SHA1
81b6df4cf46b3d9b94f1bf7c9e79a4adfe8ca151

SHA256
9e27a12987fe0308e73f9d22414dc185e3ff532041b6a3a6f632633b40b61c1d

SHA512
6244e373697173a87f7b2901bd903485ac9de15a8d5abb6e1f9dce583e90113cbab3793bcf000ce39011559f143751a7524a52bff7671658f615ebb98536404e

Download Submit
C:\Windows\{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe

Filesize
192KB

MD5
27abe8021f9867848c77dfec851995d6

SHA1
e670842a884b97c50ba04375849edb044b88328f

SHA256
84648c364888aadb3f1b741b427b50dc27d10c7a3c865e2856e63c3bbb2e3d90

SHA512
515fc4935402cc4676dcc2cdc6a8e06ada2bad927472d8db16503fb7b7cce6fd3f1255f2697812ceb5a9fd3dcf8795324d013cae003003dd5e4b5d11604bf1fe

Download Submit
C:\Windows\{91ABCA88-B7CE-44a6-BC23-D3C9C6AF8C56}.exe

Filesize
192KB

MD5
27abe8021f9867848c77dfec851995d6

SHA1
e670842a884b97c50ba04375849edb044b88328f

SHA256
84648c364888aadb3f1b741b427b50dc27d10c7a3c865e2856e63c3bbb2e3d90

SHA512
515fc4935402cc4676dcc2cdc6a8e06ada2bad927472d8db16503fb7b7cce6fd3f1255f2697812ceb5a9fd3dcf8795324d013cae003003dd5e4b5d11604bf1fe

Download Submit
C:\Windows\{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe

Filesize
192KB

MD5
ef189d27664df6233bb6645d7e7abc81

SHA1
b8ec6c6b79cfed31a75a093909574f67770ad448

SHA256
8613a87d255ba4334ef6471aaaf470a36826db6263047924d50a5405db95bc2b

SHA512
963434198dab9549d81a19d1365baaaf569ffc80151e42d55978051f9644e43fe7792b4b5ef8c00684520328e523a92b5a7326a46edc9c9773437488e41e63b9

Download Submit
C:\Windows\{B3E1017C-312F-4bde-854C-679D02B88CDE}.exe

Filesize
192KB

MD5
ef189d27664df6233bb6645d7e7abc81

SHA1
b8ec6c6b79cfed31a75a093909574f67770ad448

SHA256
8613a87d255ba4334ef6471aaaf470a36826db6263047924d50a5405db95bc2b

SHA512
963434198dab9549d81a19d1365baaaf569ffc80151e42d55978051f9644e43fe7792b4b5ef8c00684520328e523a92b5a7326a46edc9c9773437488e41e63b9

Download Submit
C:\Windows\{B9B95009-EFCD-4c58-8EE3-EFA3EAF7572C}.exe

Filesize
192KB

MD5
acb049ae3a5e8c68372d0535a06a7aee

SHA1
6b993a63304a81074fa29d423cb39710eeb3783c

SHA256
aa26e527a756140fc6f62c6c1ee125e098bd4070885c02b081b0d20fba3965f8

SHA512
31688a16d9a30d2cf9d723dcd370551edf5c0faf4dd405585cdb7db09b8023dcc9962f1ee490a2ecc795f960991fde12399d4f9a82b7836f7651f36b57b55d53

Download Submit
C:\Windows\{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe

Filesize
192KB

MD5
dac506cf2e89f418884faf0f89fcb0c6

SHA1
55dd57628def03e68a88635527a9e1e89df686c5

SHA256
d3f074e03b726a526c56a79eb01c9446be1ff3549c38ca06df5508c353f3a743

SHA512
c00671b503680d2d36ff6ed7bce937b7da48db7d1141d8b3519e8a7ec40b52a865fec0e38fd3cc83cb30bf8860cd435a2308d13f50c1973a22816df1f88784bc

Download Submit
C:\Windows\{CA2A87FF-0B80-4d64-B9DA-865A07B723BC}.exe

Filesize
192KB

MD5
dac506cf2e89f418884faf0f89fcb0c6

SHA1
55dd57628def03e68a88635527a9e1e89df686c5

SHA256
d3f074e03b726a526c56a79eb01c9446be1ff3549c38ca06df5508c353f3a743

SHA512
c00671b503680d2d36ff6ed7bce937b7da48db7d1141d8b3519e8a7ec40b52a865fec0e38fd3cc83cb30bf8860cd435a2308d13f50c1973a22816df1f88784bc

Download Submit
C:\Windows\{DABBFF14-EA1D-4af9-8492-1F901F53FE86}.exe

Filesize
192KB

MD5
92a6975d96875d3f3a7ed82be583efbb

SHA1
b0e7288b1329eadc9bc856c0021b32c7058a4fcf

SHA256
b21073d95ae7e8033a0eefc39357a5831c72ef1ab09e663551f42326cdb239c7

SHA512
b95b3b61b66ea189d2f414838291c73f44ebe6c5b9739033ecf03ef2a6d4f0165dba454e08311c7a4471860dacd2ebb2c2a57d456ff448906e2381a444a41a4d

Download Submit
C:\Windows\{DABBFF14-EA1D-4af9-8492-1F901F53FE86}.exe

Filesize
192KB

MD5
92a6975d96875d3f3a7ed82be583efbb

SHA1
b0e7288b1329eadc9bc856c0021b32c7058a4fcf

SHA256
b21073d95ae7e8033a0eefc39357a5831c72ef1ab09e663551f42326cdb239c7

SHA512
b95b3b61b66ea189d2f414838291c73f44ebe6c5b9739033ecf03ef2a6d4f0165dba454e08311c7a4471860dacd2ebb2c2a57d456ff448906e2381a444a41a4d

Download Submit
C:\Windows\{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe

Filesize
192KB

MD5
9cf5d04487dc46073e1e0c28946ec5e9

SHA1
4cf968ada8037460c8312e919130972c2a99db3a

SHA256
3ed79067c18c58812fe94b67e87788aa810f47085591028140f551a5eeef10b9

SHA512
718a05a4eee1e5d286327cc522e4a5d134dcd9877c56d511d8b57ae9b8092a5d44fadd006fe92da9c1d1d83482a79ec9aff8cbc2b42c13ecd6136a63db440dca

Download Submit
C:\Windows\{E1F63EB4-AC33-4f3f-920C-47E51DFBA1E2}.exe

Filesize
192KB

MD5
9cf5d04487dc46073e1e0c28946ec5e9

SHA1
4cf968ada8037460c8312e919130972c2a99db3a

SHA256
3ed79067c18c58812fe94b67e87788aa810f47085591028140f551a5eeef10b9

SHA512
718a05a4eee1e5d286327cc522e4a5d134dcd9877c56d511d8b57ae9b8092a5d44fadd006fe92da9c1d1d83482a79ec9aff8cbc2b42c13ecd6136a63db440dca

Download Submit
C:\Windows\{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe

Filesize
192KB

MD5
47cf8209ffeb941cb337fd6a4c9130ff

SHA1
f5b93c7bd710b169dfe8469a37b3594021a05374

SHA256
ae401e994656d520a65cb93ca8408bb0593869c2f628a99cd07521780409ef94

SHA512
fe8deb38851577c230e1ef57eab2565ca09db4191e6fb7eb56658aeac35d866e4baab19f58334af546d2dd208dd9d161ae2048c032644340895166fa20bb4319

Download Submit
C:\Windows\{F2B8019B-4C1A-4a86-A376-F8CC47611889}.exe

Filesize
192KB

MD5
47cf8209ffeb941cb337fd6a4c9130ff

SHA1
f5b93c7bd710b169dfe8469a37b3594021a05374

SHA256
ae401e994656d520a65cb93ca8408bb0593869c2f628a99cd07521780409ef94

SHA512
fe8deb38851577c230e1ef57eab2565ca09db4191e6fb7eb56658aeac35d866e4baab19f58334af546d2dd208dd9d161ae2048c032644340895166fa20bb4319

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads