4dfadbe233372cdd6db8bae00ade40638a988765aaeb4a7f4c2193a773600001

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-05_bcccce82264f3c840c8d95faad2b80fe_goldeneye_JC.exe
Size

216KB
MD5

bcccce82264f3c840c8d95faad2b80fe
SHA1

966635d4c2fcfdbcb5c99bd88a03a39499225106
SHA256

4dfadbe233372cdd6db8bae00ade40638a988765aaeb4a7f4c2193a773600001
SHA512

d3057d52e6499ba1594349c0ab97d61aa73f40c4958bf9c3680b1bf22a3463a03d2bd9554a606de1fe5c2d7ad711433c96461569b315d7222ad088d5ce07c91a
SSDEEP

3072:jEGh0oAl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGSlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}	{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F86CB2C2-2432-42d7-B0DF-855C79ECB2D9}\stubpath = "C:\\Windows\\{F86CB2C2-2432-42d7-B0DF-855C79ECB2D9}.exe"	{EB959A2E-F25B-4cac-8110-0CAE321168A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0809DA9-A67B-4eef-94A4-F8114585EBBB}\stubpath = "C:\\Windows\\{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe"	{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}\stubpath = "C:\\Windows\\{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe"	{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E90A0160-3BAE-4a1c-8826-95925B1244AD}	{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E90A0160-3BAE-4a1c-8826-95925B1244AD}\stubpath = "C:\\Windows\\{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe"	{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}\stubpath = "C:\\Windows\\{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe"	{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C84AEC4-B297-47da-B874-4457681FF4AF}\stubpath = "C:\\Windows\\{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe"	{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}	{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F86CB2C2-2432-42d7-B0DF-855C79ECB2D9}	{EB959A2E-F25B-4cac-8110-0CAE321168A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}	{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83CE0EF7-A7B1-4680-AF26-624816DF9B50}\stubpath = "C:\\Windows\\{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe"	NEAS.2023-09-05_bcccce82264f3c840c8d95faad2b80fe_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}\stubpath = "C:\\Windows\\{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe"	{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F600518-52E8-4a9e-B224-ADEBD17069E5}\stubpath = "C:\\Windows\\{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe"	{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAED2E8C-88C2-4c03-8601-CE47DD01B9FC}	{F86CB2C2-2432-42d7-B0DF-855C79ECB2D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83CE0EF7-A7B1-4680-AF26-624816DF9B50}	NEAS.2023-09-05_bcccce82264f3c840c8d95faad2b80fe_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}	{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F600518-52E8-4a9e-B224-ADEBD17069E5}	{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C84AEC4-B297-47da-B874-4457681FF4AF}	{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}\stubpath = "C:\\Windows\\{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe"	{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB959A2E-F25B-4cac-8110-0CAE321168A6}	{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB959A2E-F25B-4cac-8110-0CAE321168A6}\stubpath = "C:\\Windows\\{EB959A2E-F25B-4cac-8110-0CAE321168A6}.exe"	{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAED2E8C-88C2-4c03-8601-CE47DD01B9FC}\stubpath = "C:\\Windows\\{DAED2E8C-88C2-4c03-8601-CE47DD01B9FC}.exe"	{F86CB2C2-2432-42d7-B0DF-855C79ECB2D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0809DA9-A67B-4eef-94A4-F8114585EBBB}	{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe

Executes dropped EXE 12 IoCs

pid	Process
3172	{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe
5084	{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe
4964	{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe
2980	{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe
3524	{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe
2192	{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe
4680	{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe
3868	{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe
3624	{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe
1372	{EB959A2E-F25B-4cac-8110-0CAE321168A6}.exe
3888	{F86CB2C2-2432-42d7-B0DF-855C79ECB2D9}.exe
4944	{DAED2E8C-88C2-4c03-8601-CE47DD01B9FC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe	{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe
File created	C:\Windows\{F86CB2C2-2432-42d7-B0DF-855C79ECB2D9}.exe	{EB959A2E-F25B-4cac-8110-0CAE321168A6}.exe
File created	C:\Windows\{DAED2E8C-88C2-4c03-8601-CE47DD01B9FC}.exe	{F86CB2C2-2432-42d7-B0DF-855C79ECB2D9}.exe
File created	C:\Windows\{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe	NEAS.2023-09-05_bcccce82264f3c840c8d95faad2b80fe_goldeneye_JC.exe
File created	C:\Windows\{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe	{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe
File created	C:\Windows\{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe	{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe
File created	C:\Windows\{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe	{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe
File created	C:\Windows\{EB959A2E-F25B-4cac-8110-0CAE321168A6}.exe	{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe
File created	C:\Windows\{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe	{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe
File created	C:\Windows\{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe	{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe
File created	C:\Windows\{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe	{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe
File created	C:\Windows\{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe	{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	844	NEAS.2023-09-05_bcccce82264f3c840c8d95faad2b80fe_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3172	{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe
Token: SeIncBasePriorityPrivilege	5084	{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe
Token: SeIncBasePriorityPrivilege	4964	{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe
Token: SeIncBasePriorityPrivilege	2980	{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe
Token: SeIncBasePriorityPrivilege	3524	{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe
Token: SeIncBasePriorityPrivilege	2192	{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe
Token: SeIncBasePriorityPrivilege	4680	{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe
Token: SeIncBasePriorityPrivilege	3868	{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe
Token: SeIncBasePriorityPrivilege	3624	{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe
Token: SeIncBasePriorityPrivilege	1372	{EB959A2E-F25B-4cac-8110-0CAE321168A6}.exe
Token: SeIncBasePriorityPrivilege	3888	{F86CB2C2-2432-42d7-B0DF-855C79ECB2D9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 3172	844	NEAS.2023-09-05_bcccce82264f3c840c8d95faad2b80fe_goldeneye_JC.exe	90
PID 844 wrote to memory of 3172	844	NEAS.2023-09-05_bcccce82264f3c840c8d95faad2b80fe_goldeneye_JC.exe	90
PID 844 wrote to memory of 3172	844	NEAS.2023-09-05_bcccce82264f3c840c8d95faad2b80fe_goldeneye_JC.exe	90
PID 844 wrote to memory of 1100	844	NEAS.2023-09-05_bcccce82264f3c840c8d95faad2b80fe_goldeneye_JC.exe	91
PID 844 wrote to memory of 1100	844	NEAS.2023-09-05_bcccce82264f3c840c8d95faad2b80fe_goldeneye_JC.exe	91
PID 844 wrote to memory of 1100	844	NEAS.2023-09-05_bcccce82264f3c840c8d95faad2b80fe_goldeneye_JC.exe	91
PID 3172 wrote to memory of 5084	3172	{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe	92
PID 3172 wrote to memory of 5084	3172	{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe	92
PID 3172 wrote to memory of 5084	3172	{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe	92
PID 3172 wrote to memory of 4864	3172	{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe	93
PID 3172 wrote to memory of 4864	3172	{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe	93
PID 3172 wrote to memory of 4864	3172	{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe	93
PID 5084 wrote to memory of 4964	5084	{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe	97
PID 5084 wrote to memory of 4964	5084	{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe	97
PID 5084 wrote to memory of 4964	5084	{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe	97
PID 5084 wrote to memory of 4284	5084	{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe	98
PID 5084 wrote to memory of 4284	5084	{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe	98
PID 5084 wrote to memory of 4284	5084	{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe	98
PID 4964 wrote to memory of 2980	4964	{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe	99
PID 4964 wrote to memory of 2980	4964	{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe	99
PID 4964 wrote to memory of 2980	4964	{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe	99
PID 4964 wrote to memory of 2864	4964	{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe	100
PID 4964 wrote to memory of 2864	4964	{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe	100
PID 4964 wrote to memory of 2864	4964	{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe	100
PID 2980 wrote to memory of 3524	2980	{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe	101
PID 2980 wrote to memory of 3524	2980	{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe	101
PID 2980 wrote to memory of 3524	2980	{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe	101
PID 2980 wrote to memory of 4588	2980	{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe	102
PID 2980 wrote to memory of 4588	2980	{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe	102
PID 2980 wrote to memory of 4588	2980	{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe	102
PID 3524 wrote to memory of 2192	3524	{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe	103
PID 3524 wrote to memory of 2192	3524	{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe	103
PID 3524 wrote to memory of 2192	3524	{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe	103
PID 3524 wrote to memory of 2172	3524	{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe	104
PID 3524 wrote to memory of 2172	3524	{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe	104
PID 3524 wrote to memory of 2172	3524	{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe	104
PID 2192 wrote to memory of 4680	2192	{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe	105
PID 2192 wrote to memory of 4680	2192	{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe	105
PID 2192 wrote to memory of 4680	2192	{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe	105
PID 2192 wrote to memory of 5008	2192	{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe	106
PID 2192 wrote to memory of 5008	2192	{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe	106
PID 2192 wrote to memory of 5008	2192	{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe	106
PID 4680 wrote to memory of 3868	4680	{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe	107
PID 4680 wrote to memory of 3868	4680	{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe	107
PID 4680 wrote to memory of 3868	4680	{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe	107
PID 4680 wrote to memory of 1568	4680	{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe	108
PID 4680 wrote to memory of 1568	4680	{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe	108
PID 4680 wrote to memory of 1568	4680	{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe	108
PID 3868 wrote to memory of 3624	3868	{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe	109
PID 3868 wrote to memory of 3624	3868	{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe	109
PID 3868 wrote to memory of 3624	3868	{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe	109
PID 3868 wrote to memory of 316	3868	{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe	110
PID 3868 wrote to memory of 316	3868	{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe	110
PID 3868 wrote to memory of 316	3868	{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe	110
PID 3624 wrote to memory of 1372	3624	{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe	111
PID 3624 wrote to memory of 1372	3624	{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe	111
PID 3624 wrote to memory of 1372	3624	{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe	111
PID 3624 wrote to memory of 2588	3624	{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe	112
PID 3624 wrote to memory of 2588	3624	{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe	112
PID 3624 wrote to memory of 2588	3624	{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe	112
PID 1372 wrote to memory of 3888	1372	{EB959A2E-F25B-4cac-8110-0CAE321168A6}.exe	113
PID 1372 wrote to memory of 3888	1372	{EB959A2E-F25B-4cac-8110-0CAE321168A6}.exe	113
PID 1372 wrote to memory of 3888	1372	{EB959A2E-F25B-4cac-8110-0CAE321168A6}.exe	113
PID 1372 wrote to memory of 1576	1372	{EB959A2E-F25B-4cac-8110-0CAE321168A6}.exe	114

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_bcccce82264f3c840c8d95faad2b80fe_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_bcccce82264f3c840c8d95faad2b80fe_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe
  C:\Windows\{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe
    C:\Windows\{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe
      C:\Windows\{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\Windows\{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe
        
        C:\Windows\{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Windows\{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe
        
        C:\Windows\{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe
        
        C:\Windows\{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe
        
        C:\Windows\{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe
        
        C:\Windows\{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe
        
        C:\Windows\{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\{EB959A2E-F25B-4cac-8110-0CAE321168A6}.exe
        
        C:\Windows\{EB959A2E-F25B-4cac-8110-0CAE321168A6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\{F86CB2C2-2432-42d7-B0DF-855C79ECB2D9}.exe
        
        C:\Windows\{F86CB2C2-2432-42d7-B0DF-855C79ECB2D9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F86CB~1.EXE > nul
        13⤵
        
        PID:2820
        
        C:\Windows\{DAED2E8C-88C2-4c03-8601-CE47DD01B9FC}.exe
        
        C:\Windows\{DAED2E8C-88C2-4c03-8601-CE47DD01B9FC}.exe
        13⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB959~1.EXE > nul
        12⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D23E~1.EXE > nul
        11⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C84A~1.EXE > nul
        10⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F600~1.EXE > nul
        9⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9071F~1.EXE > nul
        8⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E90A0~1.EXE > nul
        7⤵
        
        PID:2172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5EA6~1.EXE > nul
        6⤵
        
        PID:4588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0809~1.EXE > nul
        5⤵
        
        PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B1120~1.EXE > nul
      4⤵
      PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{83CE0~1.EXE > nul
    3⤵
    PID:4864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe

Filesize
216KB

MD5
9360c56cc1bb93bc97e8440ba045fc2d

SHA1
597afae7041f60cf6d14a8a564166d694352d5b7

SHA256
6640a39caba3e39ce691232908d4a5840ff9d8256c67042c604321eccd5ca717

SHA512
82429d20f9fcf70b3e53f2358679506d9c24ddbdd1ae1a5126c700f631dff64ecdb3f8b107d997579ddcbe5962c1eb0ef897fbc66da093887fa051a4221a8bde

Download Submit
C:\Windows\{7D23EBCB-A33A-474d-9FF9-F2F6E96BF34B}.exe

Filesize
216KB

MD5
9360c56cc1bb93bc97e8440ba045fc2d

SHA1
597afae7041f60cf6d14a8a564166d694352d5b7

SHA256
6640a39caba3e39ce691232908d4a5840ff9d8256c67042c604321eccd5ca717

SHA512
82429d20f9fcf70b3e53f2358679506d9c24ddbdd1ae1a5126c700f631dff64ecdb3f8b107d997579ddcbe5962c1eb0ef897fbc66da093887fa051a4221a8bde

Download Submit
C:\Windows\{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe

Filesize
216KB

MD5
9cbce8a5e43978df504a369a33aa8f22

SHA1
f800a94b02ffe6aa93745accbe2989787274b401

SHA256
cc8fa4e7503767baf6863c0af620709a228c7f03a5a50761e01c26177acb0cc7

SHA512
4367d20bf6123c8fd45a593d34d9f3734c4de2ecc4085200482cdbe1362c3f9c23cef0d3c47586be1a9fe890dbdc40c7a132f03f23250ddafbcead80634c7352

Download Submit
C:\Windows\{83CE0EF7-A7B1-4680-AF26-624816DF9B50}.exe

Filesize
216KB

MD5
9cbce8a5e43978df504a369a33aa8f22

SHA1
f800a94b02ffe6aa93745accbe2989787274b401

SHA256
cc8fa4e7503767baf6863c0af620709a228c7f03a5a50761e01c26177acb0cc7

SHA512
4367d20bf6123c8fd45a593d34d9f3734c4de2ecc4085200482cdbe1362c3f9c23cef0d3c47586be1a9fe890dbdc40c7a132f03f23250ddafbcead80634c7352

Download Submit
C:\Windows\{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe

Filesize
216KB

MD5
e0fdb2b61d0e8312463d31613c02151f

SHA1
56d8dcace5c3ce65e3e9d770686b46684f660c0d

SHA256
5b4d7abd32a5196c461c884571653f95ae6d08da67e3c4c9677a974a66e8647a

SHA512
206eef74c42f0815ca17862822d739f1a2247107516f02ea135587d5d0c64765acb1f0b045aee3b42f5a2bcd66f0a2a076aa6697250f061f3df0cf5c15f7cbd4

Download Submit
C:\Windows\{8C84AEC4-B297-47da-B874-4457681FF4AF}.exe

Filesize
216KB

MD5
e0fdb2b61d0e8312463d31613c02151f

SHA1
56d8dcace5c3ce65e3e9d770686b46684f660c0d

SHA256
5b4d7abd32a5196c461c884571653f95ae6d08da67e3c4c9677a974a66e8647a

SHA512
206eef74c42f0815ca17862822d739f1a2247107516f02ea135587d5d0c64765acb1f0b045aee3b42f5a2bcd66f0a2a076aa6697250f061f3df0cf5c15f7cbd4

Download Submit
C:\Windows\{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe

Filesize
216KB

MD5
b1a2f3f563ed2142b0df8a85c5d80455

SHA1
34711fc737ce62da3ecb23721352f63c79588828

SHA256
33527b5a479331c7da47fbb26e05d0e9ecfa81dcad68291e02589225d11a0636

SHA512
952a177dfee46e58c7cbd2bf4f6df40673a09d796aca399bb70a57f0ff17e41341e54d9f46913a7d0dec23d28c717c012b2e85b7c5a25876e465f28c25b8425f

Download Submit
C:\Windows\{8F600518-52E8-4a9e-B224-ADEBD17069E5}.exe

Filesize
216KB

MD5
b1a2f3f563ed2142b0df8a85c5d80455

SHA1
34711fc737ce62da3ecb23721352f63c79588828

SHA256
33527b5a479331c7da47fbb26e05d0e9ecfa81dcad68291e02589225d11a0636

SHA512
952a177dfee46e58c7cbd2bf4f6df40673a09d796aca399bb70a57f0ff17e41341e54d9f46913a7d0dec23d28c717c012b2e85b7c5a25876e465f28c25b8425f

Download Submit
C:\Windows\{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe

Filesize
216KB

MD5
c2eeabdd9e67b4d6ba52e7d97785e4a4

SHA1
437478789a699c041d0b707d3ea3c637f4035c2d

SHA256
29060130e3380de28a1c573a62cb11d50d395d50d9929be3bed8a731eaa9cd8a

SHA512
7687663645ca8ab40ebd283cf859b59a7252e5e78046b7297c500b9f6841e1f3be4277548e407309e3de32d1a566184abd752970ae0aa000068e259558861825

Download Submit
C:\Windows\{9071F7D9-E7E3-48a1-B378-8E6F3B42CF0A}.exe

Filesize
216KB

MD5
c2eeabdd9e67b4d6ba52e7d97785e4a4

SHA1
437478789a699c041d0b707d3ea3c637f4035c2d

SHA256
29060130e3380de28a1c573a62cb11d50d395d50d9929be3bed8a731eaa9cd8a

SHA512
7687663645ca8ab40ebd283cf859b59a7252e5e78046b7297c500b9f6841e1f3be4277548e407309e3de32d1a566184abd752970ae0aa000068e259558861825

Download Submit
C:\Windows\{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe

Filesize
216KB

MD5
f45776e3a4d8ec8731c0bd19177ca6a3

SHA1
61ee5652e81542c30b00e220d4d8cae482872116

SHA256
5973d4c0f8176974c048edef1102d0d236b2cb6fe22948f608c80a1055447c09

SHA512
4779af54def8a2ca7bf5a1bcf45af729824b7f912615876784188c3538e277ba5fbc4fdc544e7e57aa314e1bafeed198dcfecb5d4dc9030642b484752c8b9b98

Download Submit
C:\Windows\{B1120C5B-EFC7-44a3-B5CC-69D98D052FCF}.exe

Filesize
216KB

MD5
f45776e3a4d8ec8731c0bd19177ca6a3

SHA1
61ee5652e81542c30b00e220d4d8cae482872116

SHA256
5973d4c0f8176974c048edef1102d0d236b2cb6fe22948f608c80a1055447c09

SHA512
4779af54def8a2ca7bf5a1bcf45af729824b7f912615876784188c3538e277ba5fbc4fdc544e7e57aa314e1bafeed198dcfecb5d4dc9030642b484752c8b9b98

Download Submit
C:\Windows\{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe

Filesize
216KB

MD5
89eac6964442fe0f8243686dbbec3d79

SHA1
4b4956f4c4f009f63e7c96b6d9a17467bc9373cf

SHA256
2c07b1f56a0c35771c6bfb29691698b27c5b78288b923ccd73c98bff3709bdc4

SHA512
2d1266739009bf69a7a66d1e2957a39e77479c779ce4ef4f88e6c97866691a742b0f38140da548157d20642794ed1924b77373ad226f0af061f932f1c5738ffa

Download Submit
C:\Windows\{D5EA6850-CF69-4d1c-86C5-3FFB956FCB01}.exe

Filesize
216KB

MD5
89eac6964442fe0f8243686dbbec3d79

SHA1
4b4956f4c4f009f63e7c96b6d9a17467bc9373cf

SHA256
2c07b1f56a0c35771c6bfb29691698b27c5b78288b923ccd73c98bff3709bdc4

SHA512
2d1266739009bf69a7a66d1e2957a39e77479c779ce4ef4f88e6c97866691a742b0f38140da548157d20642794ed1924b77373ad226f0af061f932f1c5738ffa

Download Submit
C:\Windows\{DAED2E8C-88C2-4c03-8601-CE47DD01B9FC}.exe

Filesize
216KB

MD5
f804f2bd1b64eb9a99410b4e99369229

SHA1
d2610326984be0581a8acacb85b422b49718042a

SHA256
96ebe47a746029460f16d0bb8cc7f1d2f101ccdb0a4dd0ec7451a54ab5d15614

SHA512
ca133509d8ea4f6d349edbf64f8e438b28c2b5c85f3b6e0ef24bcd2b12aa436ec695280f7e8f23d6cb190c651cb49ca428be4f293c4e0c3936a29a02088e36a7

Download Submit
C:\Windows\{DAED2E8C-88C2-4c03-8601-CE47DD01B9FC}.exe

Filesize
216KB

MD5
f804f2bd1b64eb9a99410b4e99369229

SHA1
d2610326984be0581a8acacb85b422b49718042a

SHA256
96ebe47a746029460f16d0bb8cc7f1d2f101ccdb0a4dd0ec7451a54ab5d15614

SHA512
ca133509d8ea4f6d349edbf64f8e438b28c2b5c85f3b6e0ef24bcd2b12aa436ec695280f7e8f23d6cb190c651cb49ca428be4f293c4e0c3936a29a02088e36a7

Download Submit
C:\Windows\{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe

Filesize
216KB

MD5
972f82571985781c1c968e0ac976497c

SHA1
89a0fb62e3224e1efe76ec381779c7e980c70693

SHA256
bbdce33742333dc25715681540c19cf5330697eec28bab90ffcfd31511009819

SHA512
f6f4b311434473ff3df4ddd5405b197e490ea4db45189e922b33f93817945985fe7e236c20cc821c5d90baf0d64d85fbea9d4d36037670a715682fbcdf04ae94

Download Submit
C:\Windows\{E90A0160-3BAE-4a1c-8826-95925B1244AD}.exe

Filesize
216KB

MD5
972f82571985781c1c968e0ac976497c

SHA1
89a0fb62e3224e1efe76ec381779c7e980c70693

SHA256
bbdce33742333dc25715681540c19cf5330697eec28bab90ffcfd31511009819

SHA512
f6f4b311434473ff3df4ddd5405b197e490ea4db45189e922b33f93817945985fe7e236c20cc821c5d90baf0d64d85fbea9d4d36037670a715682fbcdf04ae94

Download Submit
C:\Windows\{EB959A2E-F25B-4cac-8110-0CAE321168A6}.exe

Filesize
216KB

MD5
d3e17d7b4f0e56d37ddf17fff8deebc4

SHA1
6ee95bbdc01cb2a7eddeaf9a70a1d41d86bfce05

SHA256
ffaf4675b1dd307153a479c09cece9f10e30073d62f8c33450b3c5e6d20ee65d

SHA512
76d2298601ca22c16924701f1a85e1d462f42f8ff3fd3e3c1a2418936a35b84adab873f67c90c230c1860ae12776fc4060a384a38a2662c48dbea4da32728252

Download Submit
C:\Windows\{EB959A2E-F25B-4cac-8110-0CAE321168A6}.exe

Filesize
216KB

MD5
d3e17d7b4f0e56d37ddf17fff8deebc4

SHA1
6ee95bbdc01cb2a7eddeaf9a70a1d41d86bfce05

SHA256
ffaf4675b1dd307153a479c09cece9f10e30073d62f8c33450b3c5e6d20ee65d

SHA512
76d2298601ca22c16924701f1a85e1d462f42f8ff3fd3e3c1a2418936a35b84adab873f67c90c230c1860ae12776fc4060a384a38a2662c48dbea4da32728252

Download Submit
C:\Windows\{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe

Filesize
216KB

MD5
c7885e2284f63b506c532a1c19d642b8

SHA1
56f213178e1d982852d6c6a72e21fe37fc900884

SHA256
2105f064c891645e930e87cc026e9092cb1f2807ee50a56dde734e7c335bb64f

SHA512
10cde46c45d4cbb20687f08a88c105edcf7f373ca19ad6f5e076616f0f2b48eb930fa4e5eca8270b7892964d50177eb9f62516c49382ca1edb13cd5ea6ccf12c

Download Submit
C:\Windows\{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe

Filesize
216KB

MD5
c7885e2284f63b506c532a1c19d642b8

SHA1
56f213178e1d982852d6c6a72e21fe37fc900884

SHA256
2105f064c891645e930e87cc026e9092cb1f2807ee50a56dde734e7c335bb64f

SHA512
10cde46c45d4cbb20687f08a88c105edcf7f373ca19ad6f5e076616f0f2b48eb930fa4e5eca8270b7892964d50177eb9f62516c49382ca1edb13cd5ea6ccf12c

Download Submit
C:\Windows\{F0809DA9-A67B-4eef-94A4-F8114585EBBB}.exe

Filesize
216KB

MD5
c7885e2284f63b506c532a1c19d642b8

SHA1
56f213178e1d982852d6c6a72e21fe37fc900884

SHA256
2105f064c891645e930e87cc026e9092cb1f2807ee50a56dde734e7c335bb64f

SHA512
10cde46c45d4cbb20687f08a88c105edcf7f373ca19ad6f5e076616f0f2b48eb930fa4e5eca8270b7892964d50177eb9f62516c49382ca1edb13cd5ea6ccf12c

Download Submit
C:\Windows\{F86CB2C2-2432-42d7-B0DF-855C79ECB2D9}.exe

Filesize
216KB

MD5
6369cd65d81ad98a7c38ec340da8dabc

SHA1
2f317f056bf81c80e2b627210c0ceeeff3c6ff8a

SHA256
cbf26d5d6236d0b0fa598893af32a24a6dad20d5b3ad8c8196532be304171c4a

SHA512
bda42a0d6b1813578720cfa6471fa44458b8d6e91c61edbbb4c18bd8abfe23b368238f55f13e9e67eca09d2b2fa372ee77379456119a889ec3a0d24a025e209d

Download Submit
C:\Windows\{F86CB2C2-2432-42d7-B0DF-855C79ECB2D9}.exe

Filesize
216KB

MD5
6369cd65d81ad98a7c38ec340da8dabc

SHA1
2f317f056bf81c80e2b627210c0ceeeff3c6ff8a

SHA256
cbf26d5d6236d0b0fa598893af32a24a6dad20d5b3ad8c8196532be304171c4a

SHA512
bda42a0d6b1813578720cfa6471fa44458b8d6e91c61edbbb4c18bd8abfe23b368238f55f13e9e67eca09d2b2fa372ee77379456119a889ec3a0d24a025e209d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads