ea516022800a13059d0dfb39c03493a6fa326e8a6451573b828d5f2d0f59ce6c

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-07_210b0a964127ab7e80c808c71a808c76_goldeneye_JC.exe
Size

168KB
MD5

210b0a964127ab7e80c808c71a808c76
SHA1

501e7b39588245ac1991ecb295f286183360528a
SHA256

ea516022800a13059d0dfb39c03493a6fa326e8a6451573b828d5f2d0f59ce6c
SHA512

fb3c33903c0e354dc00e09e234b9b11a047c0bacb9bb0af5726ccac049232f1c671d671032f933758c520695edf5f7441154748ca0b4231fb08b14d83c4d757e
SSDEEP

1536:1EGh0oKli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oKliOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}	{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85913386-5798-47a0-9B1C-4A4500A1D673}\stubpath = "C:\\Windows\\{85913386-5798-47a0-9B1C-4A4500A1D673}.exe"	{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}	{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}\stubpath = "C:\\Windows\\{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe"	{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3644755-B006-42c9-94F1-C8B3871EEF0B}	{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}\stubpath = "C:\\Windows\\{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe"	{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3F5F8F8-861C-4895-9222-619E7D15B40E}\stubpath = "C:\\Windows\\{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe"	{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64608B34-D634-4964-9D6E-2D0A663F5C51}	{E4408441-8DB1-4646-A266-83928A964F0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05E4C967-5CD5-4e64-AF94-1F66F9F0F342}	{64608B34-D634-4964-9D6E-2D0A663F5C51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05E4C967-5CD5-4e64-AF94-1F66F9F0F342}\stubpath = "C:\\Windows\\{05E4C967-5CD5-4e64-AF94-1F66F9F0F342}.exe"	{64608B34-D634-4964-9D6E-2D0A663F5C51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}\stubpath = "C:\\Windows\\{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe"	{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71A377BC-9FEB-45b1-8E72-1767D495E31E}	{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3644755-B006-42c9-94F1-C8B3871EEF0B}\stubpath = "C:\\Windows\\{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe"	{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85913386-5798-47a0-9B1C-4A4500A1D673}	{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3F5F8F8-861C-4895-9222-619E7D15B40E}	{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}	{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}\stubpath = "C:\\Windows\\{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe"	{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4408441-8DB1-4646-A266-83928A964F0E}	{85913386-5798-47a0-9B1C-4A4500A1D673}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98B602AD-733C-436f-BB4D-18665A91D3B2}	NEAS.2023-09-07_210b0a964127ab7e80c808c71a808c76_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98B602AD-733C-436f-BB4D-18665A91D3B2}\stubpath = "C:\\Windows\\{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe"	NEAS.2023-09-07_210b0a964127ab7e80c808c71a808c76_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71A377BC-9FEB-45b1-8E72-1767D495E31E}\stubpath = "C:\\Windows\\{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe"	{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}	{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4408441-8DB1-4646-A266-83928A964F0E}\stubpath = "C:\\Windows\\{E4408441-8DB1-4646-A266-83928A964F0E}.exe"	{85913386-5798-47a0-9B1C-4A4500A1D673}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64608B34-D634-4964-9D6E-2D0A663F5C51}\stubpath = "C:\\Windows\\{64608B34-D634-4964-9D6E-2D0A663F5C51}.exe"	{E4408441-8DB1-4646-A266-83928A964F0E}.exe

Executes dropped EXE 12 IoCs

pid	Process
800	{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe
1156	{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe
2448	{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe
2968	{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe
1268	{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe
1904	{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe
4948	{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe
3208	{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe
2440	{85913386-5798-47a0-9B1C-4A4500A1D673}.exe
3464	{E4408441-8DB1-4646-A266-83928A964F0E}.exe
4684	{64608B34-D634-4964-9D6E-2D0A663F5C51}.exe
3288	{05E4C967-5CD5-4e64-AF94-1F66F9F0F342}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe	{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe
File created	C:\Windows\{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe	{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe
File created	C:\Windows\{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe	{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe
File created	C:\Windows\{64608B34-D634-4964-9D6E-2D0A663F5C51}.exe	{E4408441-8DB1-4646-A266-83928A964F0E}.exe
File created	C:\Windows\{85913386-5798-47a0-9B1C-4A4500A1D673}.exe	{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe
File created	C:\Windows\{E4408441-8DB1-4646-A266-83928A964F0E}.exe	{85913386-5798-47a0-9B1C-4A4500A1D673}.exe
File created	C:\Windows\{05E4C967-5CD5-4e64-AF94-1F66F9F0F342}.exe	{64608B34-D634-4964-9D6E-2D0A663F5C51}.exe
File created	C:\Windows\{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe	NEAS.2023-09-07_210b0a964127ab7e80c808c71a808c76_goldeneye_JC.exe
File created	C:\Windows\{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe	{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe
File created	C:\Windows\{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe	{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe
File created	C:\Windows\{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe	{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe
File created	C:\Windows\{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe	{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	824	NEAS.2023-09-07_210b0a964127ab7e80c808c71a808c76_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	800	{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe
Token: SeIncBasePriorityPrivilege	1156	{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe
Token: SeIncBasePriorityPrivilege	2448	{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe
Token: SeIncBasePriorityPrivilege	2968	{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe
Token: SeIncBasePriorityPrivilege	1268	{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe
Token: SeIncBasePriorityPrivilege	1904	{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe
Token: SeIncBasePriorityPrivilege	4948	{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe
Token: SeIncBasePriorityPrivilege	3208	{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe
Token: SeIncBasePriorityPrivilege	2440	{85913386-5798-47a0-9B1C-4A4500A1D673}.exe
Token: SeIncBasePriorityPrivilege	3464	{E4408441-8DB1-4646-A266-83928A964F0E}.exe
Token: SeIncBasePriorityPrivilege	4684	{64608B34-D634-4964-9D6E-2D0A663F5C51}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 800	824	NEAS.2023-09-07_210b0a964127ab7e80c808c71a808c76_goldeneye_JC.exe	80
PID 824 wrote to memory of 800	824	NEAS.2023-09-07_210b0a964127ab7e80c808c71a808c76_goldeneye_JC.exe	80
PID 824 wrote to memory of 800	824	NEAS.2023-09-07_210b0a964127ab7e80c808c71a808c76_goldeneye_JC.exe	80
PID 824 wrote to memory of 2796	824	NEAS.2023-09-07_210b0a964127ab7e80c808c71a808c76_goldeneye_JC.exe	81
PID 824 wrote to memory of 2796	824	NEAS.2023-09-07_210b0a964127ab7e80c808c71a808c76_goldeneye_JC.exe	81
PID 824 wrote to memory of 2796	824	NEAS.2023-09-07_210b0a964127ab7e80c808c71a808c76_goldeneye_JC.exe	81
PID 800 wrote to memory of 1156	800	{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe	82
PID 800 wrote to memory of 1156	800	{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe	82
PID 800 wrote to memory of 1156	800	{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe	82
PID 800 wrote to memory of 468	800	{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe	83
PID 800 wrote to memory of 468	800	{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe	83
PID 800 wrote to memory of 468	800	{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe	83
PID 1156 wrote to memory of 2448	1156	{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe	84
PID 1156 wrote to memory of 2448	1156	{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe	84
PID 1156 wrote to memory of 2448	1156	{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe	84
PID 1156 wrote to memory of 2376	1156	{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe	85
PID 1156 wrote to memory of 2376	1156	{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe	85
PID 1156 wrote to memory of 2376	1156	{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe	85
PID 2448 wrote to memory of 2968	2448	{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe	86
PID 2448 wrote to memory of 2968	2448	{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe	86
PID 2448 wrote to memory of 2968	2448	{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe	86
PID 2448 wrote to memory of 672	2448	{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe	87
PID 2448 wrote to memory of 672	2448	{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe	87
PID 2448 wrote to memory of 672	2448	{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe	87
PID 2968 wrote to memory of 1268	2968	{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe	88
PID 2968 wrote to memory of 1268	2968	{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe	88
PID 2968 wrote to memory of 1268	2968	{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe	88
PID 2968 wrote to memory of 556	2968	{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe	89
PID 2968 wrote to memory of 556	2968	{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe	89
PID 2968 wrote to memory of 556	2968	{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe	89
PID 1268 wrote to memory of 1904	1268	{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe	90
PID 1268 wrote to memory of 1904	1268	{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe	90
PID 1268 wrote to memory of 1904	1268	{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe	90
PID 1268 wrote to memory of 3592	1268	{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe	91
PID 1268 wrote to memory of 3592	1268	{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe	91
PID 1268 wrote to memory of 3592	1268	{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe	91
PID 1904 wrote to memory of 4948	1904	{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe	92
PID 1904 wrote to memory of 4948	1904	{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe	92
PID 1904 wrote to memory of 4948	1904	{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe	92
PID 1904 wrote to memory of 440	1904	{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe	93
PID 1904 wrote to memory of 440	1904	{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe	93
PID 1904 wrote to memory of 440	1904	{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe	93
PID 4948 wrote to memory of 3208	4948	{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe	94
PID 4948 wrote to memory of 3208	4948	{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe	94
PID 4948 wrote to memory of 3208	4948	{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe	94
PID 4948 wrote to memory of 3380	4948	{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe	95
PID 4948 wrote to memory of 3380	4948	{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe	95
PID 4948 wrote to memory of 3380	4948	{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe	95
PID 3208 wrote to memory of 2440	3208	{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe	96
PID 3208 wrote to memory of 2440	3208	{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe	96
PID 3208 wrote to memory of 2440	3208	{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe	96
PID 3208 wrote to memory of 2512	3208	{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe	97
PID 3208 wrote to memory of 2512	3208	{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe	97
PID 3208 wrote to memory of 2512	3208	{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe	97
PID 2440 wrote to memory of 3464	2440	{85913386-5798-47a0-9B1C-4A4500A1D673}.exe	98
PID 2440 wrote to memory of 3464	2440	{85913386-5798-47a0-9B1C-4A4500A1D673}.exe	98
PID 2440 wrote to memory of 3464	2440	{85913386-5798-47a0-9B1C-4A4500A1D673}.exe	98
PID 2440 wrote to memory of 3920	2440	{85913386-5798-47a0-9B1C-4A4500A1D673}.exe	99
PID 2440 wrote to memory of 3920	2440	{85913386-5798-47a0-9B1C-4A4500A1D673}.exe	99
PID 2440 wrote to memory of 3920	2440	{85913386-5798-47a0-9B1C-4A4500A1D673}.exe	99
PID 3464 wrote to memory of 4684	3464	{E4408441-8DB1-4646-A266-83928A964F0E}.exe	100
PID 3464 wrote to memory of 4684	3464	{E4408441-8DB1-4646-A266-83928A964F0E}.exe	100
PID 3464 wrote to memory of 4684	3464	{E4408441-8DB1-4646-A266-83928A964F0E}.exe	100
PID 3464 wrote to memory of 4008	3464	{E4408441-8DB1-4646-A266-83928A964F0E}.exe	101

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_210b0a964127ab7e80c808c71a808c76_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_210b0a964127ab7e80c808c71a808c76_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe
  C:\Windows\{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Windows\{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe
    C:\Windows\{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe
      C:\Windows\{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Windows\{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe
        
        C:\Windows\{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe
        
        C:\Windows\{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe
        
        C:\Windows\{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe
        
        C:\Windows\{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe
        
        C:\Windows\{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\{85913386-5798-47a0-9B1C-4A4500A1D673}.exe
        
        C:\Windows\{85913386-5798-47a0-9B1C-4A4500A1D673}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\{E4408441-8DB1-4646-A266-83928A964F0E}.exe
        
        C:\Windows\{E4408441-8DB1-4646-A266-83928A964F0E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\{64608B34-D634-4964-9D6E-2D0A663F5C51}.exe
        
        C:\Windows\{64608B34-D634-4964-9D6E-2D0A663F5C51}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
        
        C:\Windows\{05E4C967-5CD5-4e64-AF94-1F66F9F0F342}.exe
        
        C:\Windows\{05E4C967-5CD5-4e64-AF94-1F66F9F0F342}.exe
        13⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64608~1.EXE > nul
        13⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4408~1.EXE > nul
        12⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85913~1.EXE > nul
        11⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F89B6~1.EXE > nul
        10⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{158A4~1.EXE > nul
        9⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3644~1.EXE > nul
        8⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3F5F~1.EXE > nul
        7⤵
        
        PID:3592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7707~1.EXE > nul
        6⤵
        
        PID:556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71A37~1.EXE > nul
        5⤵
        
        PID:672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{351B5~1.EXE > nul
      4⤵
      PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{98B60~1.EXE > nul
    3⤵
    PID:468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05E4C967-5CD5-4e64-AF94-1F66F9F0F342}.exe

Filesize
168KB

MD5
92f4c01d27bc648a4d00ff6cccf0cc1c

SHA1
5e117d25b8ba96696bcffc12da027f4ca5601535

SHA256
c736c113bbf5bc9c1f22e030043ce9e1c6b31d3abd8a53e3464887368554f6aa

SHA512
1048040058e443a5a3429aa8f8b75f169a13ed21cbb6af3f8b1b876a6c5f7c0fa743633ccf64d331ced81f72c6ae7b86ffcbee1151815e01644801a6ce5a0966

Download Submit
C:\Windows\{05E4C967-5CD5-4e64-AF94-1F66F9F0F342}.exe

Filesize
168KB

MD5
92f4c01d27bc648a4d00ff6cccf0cc1c

SHA1
5e117d25b8ba96696bcffc12da027f4ca5601535

SHA256
c736c113bbf5bc9c1f22e030043ce9e1c6b31d3abd8a53e3464887368554f6aa

SHA512
1048040058e443a5a3429aa8f8b75f169a13ed21cbb6af3f8b1b876a6c5f7c0fa743633ccf64d331ced81f72c6ae7b86ffcbee1151815e01644801a6ce5a0966

Download Submit
C:\Windows\{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe

Filesize
168KB

MD5
5b0998950620596bc70d5dd468c0575e

SHA1
86832c09710b4fb0df2dc5772600e35d61dd1695

SHA256
73759d9e1575709c7f197db45c621bf85d721b7d905acb3b0fdcc183f9407697

SHA512
ce73a6e028a7da2dbc6f9f027002e25bc6418be686eee7f3de5c9251af36f4d8ce3725467383f792863d704ba98878c8432e8000bedaeb7030b4813838396f0a

Download Submit
C:\Windows\{158A4BD5-8CA9-4789-AA00-4583D3EA74B0}.exe

Filesize
168KB

MD5
5b0998950620596bc70d5dd468c0575e

SHA1
86832c09710b4fb0df2dc5772600e35d61dd1695

SHA256
73759d9e1575709c7f197db45c621bf85d721b7d905acb3b0fdcc183f9407697

SHA512
ce73a6e028a7da2dbc6f9f027002e25bc6418be686eee7f3de5c9251af36f4d8ce3725467383f792863d704ba98878c8432e8000bedaeb7030b4813838396f0a

Download Submit
C:\Windows\{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe

Filesize
168KB

MD5
9fb7339ace60127da8f5160923d7f8b2

SHA1
d1e25b957ffcf733da461a857127b63cfe5ee211

SHA256
62ffa69e28543d91fd1457f1cdbfbe39b823a18f7755e987f1aa6a8d0aa4ccff

SHA512
c208e942e72e4255473fdc3abf7ffdd77f01937831b2c2fb4bf6ec3d0d9bf6102d4c9842ac7099525781543b85d7b613f31bd5f2617220d8d81052883270463a

Download Submit
C:\Windows\{351B5DB0-1208-4a46-A5F3-0CBD6FEBF043}.exe

Filesize
168KB

MD5
9fb7339ace60127da8f5160923d7f8b2

SHA1
d1e25b957ffcf733da461a857127b63cfe5ee211

SHA256
62ffa69e28543d91fd1457f1cdbfbe39b823a18f7755e987f1aa6a8d0aa4ccff

SHA512
c208e942e72e4255473fdc3abf7ffdd77f01937831b2c2fb4bf6ec3d0d9bf6102d4c9842ac7099525781543b85d7b613f31bd5f2617220d8d81052883270463a

Download Submit
C:\Windows\{64608B34-D634-4964-9D6E-2D0A663F5C51}.exe

Filesize
168KB

MD5
a9a7c933ed3762c53dabbed43b713e95

SHA1
25acab7bf1016aeae72d4a2da656b0d20d6031d3

SHA256
b86d3dc5dd7ea5ad1339f5d0dd0e57a0e4758c64087940576e644818b6ffbf96

SHA512
cff8a7afe8e86b5d4d2bc4df38fe51f5d53506ab730f61120f1f4dbfa18daf233d3a5cc37cc5036f28e69c4bae69cc190cd72387734f7441240916a5f1601509

Download Submit
C:\Windows\{64608B34-D634-4964-9D6E-2D0A663F5C51}.exe

Filesize
168KB

MD5
a9a7c933ed3762c53dabbed43b713e95

SHA1
25acab7bf1016aeae72d4a2da656b0d20d6031d3

SHA256
b86d3dc5dd7ea5ad1339f5d0dd0e57a0e4758c64087940576e644818b6ffbf96

SHA512
cff8a7afe8e86b5d4d2bc4df38fe51f5d53506ab730f61120f1f4dbfa18daf233d3a5cc37cc5036f28e69c4bae69cc190cd72387734f7441240916a5f1601509

Download Submit
C:\Windows\{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe

Filesize
168KB

MD5
edc59bd3855d59fe6abc9b2effb0147f

SHA1
ad7df6dd4f5ac171c67de532fbeb99a7dcc11864

SHA256
cb470189d700a8b3844f7773aaa719008a678546f78316bc3adb7d6fb09a0f65

SHA512
56d12d5b283ef33dba2718ff8309707b61a334b8b6d12b9e814f302954d08c9e057bf87a492ae99f55c026c1e12ba368eb54c07d83c2755ae210bbb0d2543adf

Download Submit
C:\Windows\{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe

Filesize
168KB

MD5
edc59bd3855d59fe6abc9b2effb0147f

SHA1
ad7df6dd4f5ac171c67de532fbeb99a7dcc11864

SHA256
cb470189d700a8b3844f7773aaa719008a678546f78316bc3adb7d6fb09a0f65

SHA512
56d12d5b283ef33dba2718ff8309707b61a334b8b6d12b9e814f302954d08c9e057bf87a492ae99f55c026c1e12ba368eb54c07d83c2755ae210bbb0d2543adf

Download Submit
C:\Windows\{71A377BC-9FEB-45b1-8E72-1767D495E31E}.exe

Filesize
168KB

MD5
edc59bd3855d59fe6abc9b2effb0147f

SHA1
ad7df6dd4f5ac171c67de532fbeb99a7dcc11864

SHA256
cb470189d700a8b3844f7773aaa719008a678546f78316bc3adb7d6fb09a0f65

SHA512
56d12d5b283ef33dba2718ff8309707b61a334b8b6d12b9e814f302954d08c9e057bf87a492ae99f55c026c1e12ba368eb54c07d83c2755ae210bbb0d2543adf

Download Submit
C:\Windows\{85913386-5798-47a0-9B1C-4A4500A1D673}.exe

Filesize
168KB

MD5
e0a4703e1d5faea19ea59fa2eb356fb5

SHA1
93f6312269d6f35ce35c707a27207422402cd99b

SHA256
4431f014380d5b29faff0581594b4337526a869d316c20f4800562b9c2924f4e

SHA512
fd75fda5396b4cfa6bd2d7e2af189282991639c6f35df542a57c9b79a667fc35a2fa82d127f0b9582bf0d23afd9beee87c2c68f5f9ee43fe2d70361a1304b099

Download Submit
C:\Windows\{85913386-5798-47a0-9B1C-4A4500A1D673}.exe

Filesize
168KB

MD5
e0a4703e1d5faea19ea59fa2eb356fb5

SHA1
93f6312269d6f35ce35c707a27207422402cd99b

SHA256
4431f014380d5b29faff0581594b4337526a869d316c20f4800562b9c2924f4e

SHA512
fd75fda5396b4cfa6bd2d7e2af189282991639c6f35df542a57c9b79a667fc35a2fa82d127f0b9582bf0d23afd9beee87c2c68f5f9ee43fe2d70361a1304b099

Download Submit
C:\Windows\{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe

Filesize
168KB

MD5
85d2c2c2319da73e24289f04628268a8

SHA1
96bcce940d5dd123f2b85c6964fb90476a0c7f2b

SHA256
d49df2bc590c02b4ef7e760e58be449c85925fe800a3f061549695d73e92ef2a

SHA512
a7606967305e0d7e8506386d0df55ba16beba553778d4241e5f9973d1076bfc250d4417c4467eabb6b44a8ad9fb80cae3febe02c97e209cd2fc5f405c96f915e

Download Submit
C:\Windows\{98B602AD-733C-436f-BB4D-18665A91D3B2}.exe

Filesize
168KB

MD5
85d2c2c2319da73e24289f04628268a8

SHA1
96bcce940d5dd123f2b85c6964fb90476a0c7f2b

SHA256
d49df2bc590c02b4ef7e760e58be449c85925fe800a3f061549695d73e92ef2a

SHA512
a7606967305e0d7e8506386d0df55ba16beba553778d4241e5f9973d1076bfc250d4417c4467eabb6b44a8ad9fb80cae3febe02c97e209cd2fc5f405c96f915e

Download Submit
C:\Windows\{E4408441-8DB1-4646-A266-83928A964F0E}.exe

Filesize
168KB

MD5
4db06b162b3bd79be32fa21debeca0d5

SHA1
2b0bac2c917593a4f17730643076d75f98a2e752

SHA256
f6caa9a259bf374611f5ac9e195943700ea7b251c7e5a94b85c16747e55c8bfd

SHA512
ca26299d8d39903dc7434bbaac8258e36ba0aaa8ddc453908ff63552dc91d802f094874c9ebbf9f497c1a715ab6a7a3d26b6f8d3d968c32d0bdd326ab1690467

Download Submit
C:\Windows\{E4408441-8DB1-4646-A266-83928A964F0E}.exe

Filesize
168KB

MD5
4db06b162b3bd79be32fa21debeca0d5

SHA1
2b0bac2c917593a4f17730643076d75f98a2e752

SHA256
f6caa9a259bf374611f5ac9e195943700ea7b251c7e5a94b85c16747e55c8bfd

SHA512
ca26299d8d39903dc7434bbaac8258e36ba0aaa8ddc453908ff63552dc91d802f094874c9ebbf9f497c1a715ab6a7a3d26b6f8d3d968c32d0bdd326ab1690467

Download Submit
C:\Windows\{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe

Filesize
168KB

MD5
96cb0a62613a943cbe981d883bd576ee

SHA1
4e6dccc400db8005667523255df1f5f81bc33575

SHA256
128425ad3fd2b59b6bef336775c2bae9f1474c67d3fd66fd21aebf9f5e461d30

SHA512
0fb8369ec69641fd3b5350a483a9937bdb54ab013c290d15b9cddf5488449d096258af83cbfc56a132d290d1514368e4b0f3839647f14ffc5c4b00b996537d8e

Download Submit
C:\Windows\{F3644755-B006-42c9-94F1-C8B3871EEF0B}.exe

Filesize
168KB

MD5
96cb0a62613a943cbe981d883bd576ee

SHA1
4e6dccc400db8005667523255df1f5f81bc33575

SHA256
128425ad3fd2b59b6bef336775c2bae9f1474c67d3fd66fd21aebf9f5e461d30

SHA512
0fb8369ec69641fd3b5350a483a9937bdb54ab013c290d15b9cddf5488449d096258af83cbfc56a132d290d1514368e4b0f3839647f14ffc5c4b00b996537d8e

Download Submit
C:\Windows\{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe

Filesize
168KB

MD5
fe9b820663f9394621055be856580a20

SHA1
5565a618c80c436576306ec534a1fbb08d7a4dea

SHA256
a883c1a75fe612a0503851425f6127561460812a842b8324e4fd5025a8d4a772

SHA512
fbddc4e83babf9d96b52dc473f1861cda24d5e606904438150a946a38b86813761485c4b3c3c6469042874776bc6e9b723817731b132dc01fc9e687b046d9551

Download Submit
C:\Windows\{F3F5F8F8-861C-4895-9222-619E7D15B40E}.exe

Filesize
168KB

MD5
fe9b820663f9394621055be856580a20

SHA1
5565a618c80c436576306ec534a1fbb08d7a4dea

SHA256
a883c1a75fe612a0503851425f6127561460812a842b8324e4fd5025a8d4a772

SHA512
fbddc4e83babf9d96b52dc473f1861cda24d5e606904438150a946a38b86813761485c4b3c3c6469042874776bc6e9b723817731b132dc01fc9e687b046d9551

Download Submit
C:\Windows\{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe

Filesize
168KB

MD5
d7eac36ce95e2b577a8d95f5b44a235d

SHA1
e1a942822ffbf5eecbc1087106b8712eb0fdf358

SHA256
b8f78641b02ee5a82bc3b73414b1f2366b3d61a8794597df97a6b291e5abaf99

SHA512
0d7f07766036f00dae73cb8e57e28e5cf2dbdb967a9a0b2cebd8d61855166a8220c3d6b99518beee95b429f6f99c3fdbdb99e2462f953643509da9f07c54ac44

Download Submit
C:\Windows\{F7707D5A-8823-4ece-A4D6-BF62AEDCFE23}.exe

Filesize
168KB

MD5
d7eac36ce95e2b577a8d95f5b44a235d

SHA1
e1a942822ffbf5eecbc1087106b8712eb0fdf358

SHA256
b8f78641b02ee5a82bc3b73414b1f2366b3d61a8794597df97a6b291e5abaf99

SHA512
0d7f07766036f00dae73cb8e57e28e5cf2dbdb967a9a0b2cebd8d61855166a8220c3d6b99518beee95b429f6f99c3fdbdb99e2462f953643509da9f07c54ac44

Download Submit
C:\Windows\{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe

Filesize
168KB

MD5
ce32db747db521a18c82e28709d63d5c

SHA1
ac4548abc7f4d239a3bb1311c70f3e62ed11eb49

SHA256
1acf0b5c085820c0a2eab3e09c4aba355387a187f1f968b2d9f612d659e9ba1b

SHA512
873af6c6e20cfdcb0f466089619c55bec4d030a0dbee177b1d63a544bf2f83e35e836b3a615396e50cdea1fb5835df5fdf2b98a47f93d87913662a21a87eb02e

Download Submit
C:\Windows\{F89B6BCC-4C6D-4ba9-B123-FC69AC794FAC}.exe

Filesize
168KB

MD5
ce32db747db521a18c82e28709d63d5c

SHA1
ac4548abc7f4d239a3bb1311c70f3e62ed11eb49

SHA256
1acf0b5c085820c0a2eab3e09c4aba355387a187f1f968b2d9f612d659e9ba1b

SHA512
873af6c6e20cfdcb0f466089619c55bec4d030a0dbee177b1d63a544bf2f83e35e836b3a615396e50cdea1fb5835df5fdf2b98a47f93d87913662a21a87eb02e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads