a9e6f02ab6eb1511dfe59109b2fb92b0a59c546e33192935825aa8cc7d4bf437

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe
Size

344KB
MD5

38817917703d30044ccc1abb053a3316
SHA1

96a1baf6ae08bfa30e8b3ea38a4d64a0d7339abb
SHA256

a9e6f02ab6eb1511dfe59109b2fb92b0a59c546e33192935825aa8cc7d4bf437
SHA512

f316bf0c260d6e2cea48bada5fd9d38fb11214d68b92dc1053ba33ae3b1b5243781ebd4e3652f172761bbe82b3122ad6e856e22cb90a7c9ed9e2051814fcf26f
SSDEEP

3072:mEGh0o9lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG3lqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}	{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74AF45B3-42B3-4036-969D-7B54F3CBE31B}	{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{712C846B-EA4D-4b37-91C4-03FC2D2938BD}\stubpath = "C:\\Windows\\{712C846B-EA4D-4b37-91C4-03FC2D2938BD}.exe"	{D90EFB94-31DB-4176-A117-5F770E889AD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}	{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}\stubpath = "C:\\Windows\\{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe"	{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}	{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}	{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}\stubpath = "C:\\Windows\\{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe"	{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{095A6028-4F61-44f9-B322-5179503EC890}\stubpath = "C:\\Windows\\{095A6028-4F61-44f9-B322-5179503EC890}.exe"	{712C846B-EA4D-4b37-91C4-03FC2D2938BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}\stubpath = "C:\\Windows\\{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe"	{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D90EFB94-31DB-4176-A117-5F770E889AD4}\stubpath = "C:\\Windows\\{D90EFB94-31DB-4176-A117-5F770E889AD4}.exe"	{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8A80F38-CAFF-49ca-8FD3-EBA9132B2A4C}\stubpath = "C:\\Windows\\{B8A80F38-CAFF-49ca-8FD3-EBA9132B2A4C}.exe"	{095A6028-4F61-44f9-B322-5179503EC890}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD982F04-F6FC-41ad-8690-F4A436BD9536}\stubpath = "C:\\Windows\\{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe"	{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{095A6028-4F61-44f9-B322-5179503EC890}	{712C846B-EA4D-4b37-91C4-03FC2D2938BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8A80F38-CAFF-49ca-8FD3-EBA9132B2A4C}	{095A6028-4F61-44f9-B322-5179503EC890}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{712C846B-EA4D-4b37-91C4-03FC2D2938BD}	{D90EFB94-31DB-4176-A117-5F770E889AD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}\stubpath = "C:\\Windows\\{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe"	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}\stubpath = "C:\\Windows\\{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe"	{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD982F04-F6FC-41ad-8690-F4A436BD9536}	{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74AF45B3-42B3-4036-969D-7B54F3CBE31B}\stubpath = "C:\\Windows\\{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe"	{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D90EFB94-31DB-4176-A117-5F770E889AD4}	{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe

Deletes itself 1 IoCs

pid	Process
1248	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2852	{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe
2704	{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe
2524	{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe
2556	{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe
2572	{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe
2128	{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe
528	{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe
532	{D90EFB94-31DB-4176-A117-5F770E889AD4}.exe
2756	{712C846B-EA4D-4b37-91C4-03FC2D2938BD}.exe
904	{095A6028-4F61-44f9-B322-5179503EC890}.exe
1708	{B8A80F38-CAFF-49ca-8FD3-EBA9132B2A4C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B8A80F38-CAFF-49ca-8FD3-EBA9132B2A4C}.exe	{095A6028-4F61-44f9-B322-5179503EC890}.exe
File created	C:\Windows\{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe
File created	C:\Windows\{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe	{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe
File created	C:\Windows\{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe	{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe
File created	C:\Windows\{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe	{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe
File created	C:\Windows\{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe	{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe
File created	C:\Windows\{095A6028-4F61-44f9-B322-5179503EC890}.exe	{712C846B-EA4D-4b37-91C4-03FC2D2938BD}.exe
File created	C:\Windows\{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe	{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe
File created	C:\Windows\{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe	{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe
File created	C:\Windows\{D90EFB94-31DB-4176-A117-5F770E889AD4}.exe	{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe
File created	C:\Windows\{712C846B-EA4D-4b37-91C4-03FC2D2938BD}.exe	{D90EFB94-31DB-4176-A117-5F770E889AD4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2104	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2852	{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe
Token: SeIncBasePriorityPrivilege	2704	{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe
Token: SeIncBasePriorityPrivilege	2524	{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe
Token: SeIncBasePriorityPrivilege	2556	{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe
Token: SeIncBasePriorityPrivilege	2572	{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe
Token: SeIncBasePriorityPrivilege	2128	{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe
Token: SeIncBasePriorityPrivilege	528	{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe
Token: SeIncBasePriorityPrivilege	532	{D90EFB94-31DB-4176-A117-5F770E889AD4}.exe
Token: SeIncBasePriorityPrivilege	2756	{712C846B-EA4D-4b37-91C4-03FC2D2938BD}.exe
Token: SeIncBasePriorityPrivilege	904	{095A6028-4F61-44f9-B322-5179503EC890}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2852	2104	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe	28
PID 2104 wrote to memory of 2852	2104	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe	28
PID 2104 wrote to memory of 2852	2104	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe	28
PID 2104 wrote to memory of 2852	2104	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe	28
PID 2104 wrote to memory of 1248	2104	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe	29
PID 2104 wrote to memory of 1248	2104	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe	29
PID 2104 wrote to memory of 1248	2104	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe	29
PID 2104 wrote to memory of 1248	2104	NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe	29
PID 2852 wrote to memory of 2704	2852	{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe	30
PID 2852 wrote to memory of 2704	2852	{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe	30
PID 2852 wrote to memory of 2704	2852	{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe	30
PID 2852 wrote to memory of 2704	2852	{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe	30
PID 2852 wrote to memory of 2768	2852	{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe	31
PID 2852 wrote to memory of 2768	2852	{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe	31
PID 2852 wrote to memory of 2768	2852	{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe	31
PID 2852 wrote to memory of 2768	2852	{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe	31
PID 2704 wrote to memory of 2524	2704	{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe	34
PID 2704 wrote to memory of 2524	2704	{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe	34
PID 2704 wrote to memory of 2524	2704	{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe	34
PID 2704 wrote to memory of 2524	2704	{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe	34
PID 2704 wrote to memory of 2976	2704	{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe	35
PID 2704 wrote to memory of 2976	2704	{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe	35
PID 2704 wrote to memory of 2976	2704	{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe	35
PID 2704 wrote to memory of 2976	2704	{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe	35
PID 2524 wrote to memory of 2556	2524	{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe	36
PID 2524 wrote to memory of 2556	2524	{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe	36
PID 2524 wrote to memory of 2556	2524	{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe	36
PID 2524 wrote to memory of 2556	2524	{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe	36
PID 2524 wrote to memory of 2508	2524	{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe	37
PID 2524 wrote to memory of 2508	2524	{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe	37
PID 2524 wrote to memory of 2508	2524	{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe	37
PID 2524 wrote to memory of 2508	2524	{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe	37
PID 2556 wrote to memory of 2572	2556	{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe	38
PID 2556 wrote to memory of 2572	2556	{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe	38
PID 2556 wrote to memory of 2572	2556	{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe	38
PID 2556 wrote to memory of 2572	2556	{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe	38
PID 2556 wrote to memory of 2944	2556	{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe	39
PID 2556 wrote to memory of 2944	2556	{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe	39
PID 2556 wrote to memory of 2944	2556	{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe	39
PID 2556 wrote to memory of 2944	2556	{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe	39
PID 2572 wrote to memory of 2128	2572	{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe	40
PID 2572 wrote to memory of 2128	2572	{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe	40
PID 2572 wrote to memory of 2128	2572	{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe	40
PID 2572 wrote to memory of 2128	2572	{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe	40
PID 2572 wrote to memory of 2472	2572	{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe	41
PID 2572 wrote to memory of 2472	2572	{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe	41
PID 2572 wrote to memory of 2472	2572	{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe	41
PID 2572 wrote to memory of 2472	2572	{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe	41
PID 2128 wrote to memory of 528	2128	{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe	42
PID 2128 wrote to memory of 528	2128	{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe	42
PID 2128 wrote to memory of 528	2128	{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe	42
PID 2128 wrote to memory of 528	2128	{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe	42
PID 2128 wrote to memory of 268	2128	{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe	43
PID 2128 wrote to memory of 268	2128	{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe	43
PID 2128 wrote to memory of 268	2128	{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe	43
PID 2128 wrote to memory of 268	2128	{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe	43
PID 528 wrote to memory of 532	528	{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe	44
PID 528 wrote to memory of 532	528	{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe	44
PID 528 wrote to memory of 532	528	{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe	44
PID 528 wrote to memory of 532	528	{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe	44
PID 528 wrote to memory of 2548	528	{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe	45
PID 528 wrote to memory of 2548	528	{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe	45
PID 528 wrote to memory of 2548	528	{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe	45
PID 528 wrote to memory of 2548	528	{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-06_38817917703d30044ccc1abb053a3316_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe
  C:\Windows\{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe
    C:\Windows\{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe
      C:\Windows\{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe
        
        C:\Windows\{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe
        
        C:\Windows\{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe
        
        C:\Windows\{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe
        
        C:\Windows\{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\{D90EFB94-31DB-4176-A117-5F770E889AD4}.exe
        
        C:\Windows\{D90EFB94-31DB-4176-A117-5F770E889AD4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\{712C846B-EA4D-4b37-91C4-03FC2D2938BD}.exe
        
        C:\Windows\{712C846B-EA4D-4b37-91C4-03FC2D2938BD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\{095A6028-4F61-44f9-B322-5179503EC890}.exe
        
        C:\Windows\{095A6028-4F61-44f9-B322-5179503EC890}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\{B8A80F38-CAFF-49ca-8FD3-EBA9132B2A4C}.exe
        
        C:\Windows\{B8A80F38-CAFF-49ca-8FD3-EBA9132B2A4C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{095A6~1.EXE > nul
        12⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{712C8~1.EXE > nul
        11⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D90EF~1.EXE > nul
        10⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74AF4~1.EXE > nul
        9⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFDDD~1.EXE > nul
        8⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD982~1.EXE > nul
        7⤵
        
        PID:2472
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B5A4~1.EXE > nul
        6⤵
        
        PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DE9F~1.EXE > nul
        5⤵
        
        PID:2508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{15F41~1.EXE > nul
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AAB13~1.EXE > nul
    3⤵
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{095A6028-4F61-44f9-B322-5179503EC890}.exe

Filesize
344KB

MD5
620c7c3b5e051c82cbe546d060797595

SHA1
5e4b542018c8da08885feac520de04c14ee22d59

SHA256
175658dfe43274e243ba4a449b27f5798add7e910e090d34b2cd520df060415a

SHA512
715fadb347b00f25d5d74dff3c08c7f57e874507dfe0ec1ca124b0a25ae24826fb5027501bbdc8bdac36c2ffec3ec8e90005b22b0169852c63a42305e4f80d32

Download Submit
C:\Windows\{095A6028-4F61-44f9-B322-5179503EC890}.exe

Filesize
344KB

MD5
620c7c3b5e051c82cbe546d060797595

SHA1
5e4b542018c8da08885feac520de04c14ee22d59

SHA256
175658dfe43274e243ba4a449b27f5798add7e910e090d34b2cd520df060415a

SHA512
715fadb347b00f25d5d74dff3c08c7f57e874507dfe0ec1ca124b0a25ae24826fb5027501bbdc8bdac36c2ffec3ec8e90005b22b0169852c63a42305e4f80d32

Download Submit
C:\Windows\{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe

Filesize
344KB

MD5
8e44b06e18395ec76d4de0d8e1055b87

SHA1
7a1834c4a7e0a4863d53d32c9dda2e145b8552f8

SHA256
f3ba7a7db8dc45772a6e363c58f34b924d17ca4e24233284a8c4ad2fb279d9b5

SHA512
71a1351da995a50e64e379508a20b6500f1a004f8b7708973bda415750a9b0408cfbc2f879a8c9dc0db3a9041bc739b102e6553e800fc40b3eba9330490023c2

Download Submit
C:\Windows\{15F41E49-9C7D-41ce-ADC2-CC5892C2CBA0}.exe

Filesize
344KB

MD5
8e44b06e18395ec76d4de0d8e1055b87

SHA1
7a1834c4a7e0a4863d53d32c9dda2e145b8552f8

SHA256
f3ba7a7db8dc45772a6e363c58f34b924d17ca4e24233284a8c4ad2fb279d9b5

SHA512
71a1351da995a50e64e379508a20b6500f1a004f8b7708973bda415750a9b0408cfbc2f879a8c9dc0db3a9041bc739b102e6553e800fc40b3eba9330490023c2

Download Submit
C:\Windows\{712C846B-EA4D-4b37-91C4-03FC2D2938BD}.exe

Filesize
344KB

MD5
9e542854bcab4cb90b3195e3e4b1dad5

SHA1
bfbab2b2bba24aa5d10d6f4a1cf9d3537ae3c24d

SHA256
def81a08404d3bbeb05d273978d9fa7befad452d16877b39aaeb8ce2857acb41

SHA512
377b73c9a9c4d916ff19aa06f5190a14a80930fa8ee32c7dfd23970a6962035c48bcec5828ece3c786725e9ce92ca6eefc3dee057028831d220678cb5fdaec4a

Download Submit
C:\Windows\{712C846B-EA4D-4b37-91C4-03FC2D2938BD}.exe

Filesize
344KB

MD5
9e542854bcab4cb90b3195e3e4b1dad5

SHA1
bfbab2b2bba24aa5d10d6f4a1cf9d3537ae3c24d

SHA256
def81a08404d3bbeb05d273978d9fa7befad452d16877b39aaeb8ce2857acb41

SHA512
377b73c9a9c4d916ff19aa06f5190a14a80930fa8ee32c7dfd23970a6962035c48bcec5828ece3c786725e9ce92ca6eefc3dee057028831d220678cb5fdaec4a

Download Submit
C:\Windows\{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe

Filesize
344KB

MD5
b67e31a19a0d19eb55e990fd44570ebc

SHA1
7f20ab9baa9e0b259d60de7dd954bdea9f41eede

SHA256
2be88c03f77225603a9fc4726dc4219d40615cc52740aae9925e635e7a7e53c5

SHA512
963d2a5661d12553df81d7fe5f5996b7ce856f18aa0518a49762fb961f2d110f4e74840c8c90f0b9b9acbff6b04d7d5be77f611338a727f58140ebdd05bd2b7b

Download Submit
C:\Windows\{74AF45B3-42B3-4036-969D-7B54F3CBE31B}.exe

Filesize
344KB

MD5
b67e31a19a0d19eb55e990fd44570ebc

SHA1
7f20ab9baa9e0b259d60de7dd954bdea9f41eede

SHA256
2be88c03f77225603a9fc4726dc4219d40615cc52740aae9925e635e7a7e53c5

SHA512
963d2a5661d12553df81d7fe5f5996b7ce856f18aa0518a49762fb961f2d110f4e74840c8c90f0b9b9acbff6b04d7d5be77f611338a727f58140ebdd05bd2b7b

Download Submit
C:\Windows\{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe

Filesize
344KB

MD5
8766e703e0c882951464c17d5b30a6fc

SHA1
4225e36d1de01a413e3796bf26882c789af30df0

SHA256
336c6098bfa409ff14a716a0b3763e43bfe96ea068812b12fb871ce73e1c549c

SHA512
bd0bebdd962335a9f455a03b7d236115bb85dcb0e9b31019710b05ce14d25daf1f8790d870e1d1f09fd82eb6205b60ad9dbb78f179b5a2be8280d05e0b136508

Download Submit
C:\Windows\{7DE9FE7B-5FAA-4210-A04C-3ED6F20E5461}.exe

Filesize
344KB

MD5
8766e703e0c882951464c17d5b30a6fc

SHA1
4225e36d1de01a413e3796bf26882c789af30df0

SHA256
336c6098bfa409ff14a716a0b3763e43bfe96ea068812b12fb871ce73e1c549c

SHA512
bd0bebdd962335a9f455a03b7d236115bb85dcb0e9b31019710b05ce14d25daf1f8790d870e1d1f09fd82eb6205b60ad9dbb78f179b5a2be8280d05e0b136508

Download Submit
C:\Windows\{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe

Filesize
344KB

MD5
56664afd4a6095febc4ca43485eee8f5

SHA1
44e13203461c725f8ef96df33e004ba2d46e4c74

SHA256
cd7d5a39a3a0fa501847bc22dbe015df99a0063a4e7e7ecbbeb2918f805a286e

SHA512
ff72c4dc956dc9e3c314d61929ac000fd9eb24285e14e168289250dfbf583d71c075e1d6a1a10ec57cddbe290d5384bcf9c3c79d36301af2a3ce1a8d01c91d8f

Download Submit
C:\Windows\{8B5A43A3-9F7F-4680-8640-7EEEBD9BBD17}.exe

Filesize
344KB

MD5
56664afd4a6095febc4ca43485eee8f5

SHA1
44e13203461c725f8ef96df33e004ba2d46e4c74

SHA256
cd7d5a39a3a0fa501847bc22dbe015df99a0063a4e7e7ecbbeb2918f805a286e

SHA512
ff72c4dc956dc9e3c314d61929ac000fd9eb24285e14e168289250dfbf583d71c075e1d6a1a10ec57cddbe290d5384bcf9c3c79d36301af2a3ce1a8d01c91d8f

Download Submit
C:\Windows\{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe

Filesize
344KB

MD5
7d810135afbd7e1597bb2088af91a3db

SHA1
e300201e6db6c7044c6f620cbeed2a889d9327e0

SHA256
eab2bb2b5fc7659977651e241c9d77309486ea06646ec73c3779fa1040c31deb

SHA512
cba54d12d01239490c32f924094ddd149ad34fd654456b39313df5a55730a8f088c96d38cb30ee0ad1b7a306463d3673b9b623b894f8bc510918673b5752ed19

Download Submit
C:\Windows\{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe

Filesize
344KB

MD5
7d810135afbd7e1597bb2088af91a3db

SHA1
e300201e6db6c7044c6f620cbeed2a889d9327e0

SHA256
eab2bb2b5fc7659977651e241c9d77309486ea06646ec73c3779fa1040c31deb

SHA512
cba54d12d01239490c32f924094ddd149ad34fd654456b39313df5a55730a8f088c96d38cb30ee0ad1b7a306463d3673b9b623b894f8bc510918673b5752ed19

Download Submit
C:\Windows\{AAB132CB-71D8-45d9-99E8-5D46E3C6882E}.exe

Filesize
344KB

MD5
7d810135afbd7e1597bb2088af91a3db

SHA1
e300201e6db6c7044c6f620cbeed2a889d9327e0

SHA256
eab2bb2b5fc7659977651e241c9d77309486ea06646ec73c3779fa1040c31deb

SHA512
cba54d12d01239490c32f924094ddd149ad34fd654456b39313df5a55730a8f088c96d38cb30ee0ad1b7a306463d3673b9b623b894f8bc510918673b5752ed19

Download Submit
C:\Windows\{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe

Filesize
344KB

MD5
60e51a27cb2c8b86ed5ba46388a09c0d

SHA1
d8f240e33a5d44bdc15719120287ae5d0285306a

SHA256
e8b9eac69d56d85b95538a7e8cf3c0c24eb3e2b0f2533a1b26ad0a1c78685020

SHA512
472bc0a8b87b0d26dbaf9994dceacb159d7001452e7fe3a4a2d4bca7aa3a7b9525718801631382361dd13726e0a3d61045538c3446d32f5edd9d3f7348420db4

Download Submit
C:\Windows\{AD982F04-F6FC-41ad-8690-F4A436BD9536}.exe

Filesize
344KB

MD5
60e51a27cb2c8b86ed5ba46388a09c0d

SHA1
d8f240e33a5d44bdc15719120287ae5d0285306a

SHA256
e8b9eac69d56d85b95538a7e8cf3c0c24eb3e2b0f2533a1b26ad0a1c78685020

SHA512
472bc0a8b87b0d26dbaf9994dceacb159d7001452e7fe3a4a2d4bca7aa3a7b9525718801631382361dd13726e0a3d61045538c3446d32f5edd9d3f7348420db4

Download Submit
C:\Windows\{B8A80F38-CAFF-49ca-8FD3-EBA9132B2A4C}.exe

Filesize
344KB

MD5
f76148003fd2898a1a83ec625ba05b54

SHA1
0e26f8c93996f9bbd34416225cdc3c0999399523

SHA256
d142e42cf6ec69d5f3eff8ba1361c36642c0eddeb66c16be205931cc2b6e43a2

SHA512
a5785972dd0c3a34fa6d67037a79cda0ca0a5b04a95d9149a2e01008f3699bbb1367e55945059a55230ef9b860e407300d0714ef8d87acbdba93554d38d1c0c9

Download Submit
C:\Windows\{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe

Filesize
344KB

MD5
97e54895028e00fe26fd44664cd92f6a

SHA1
8baff955a48cb941b5bb04fde705ef4db2e851df

SHA256
c66d08b603d05926227b6c745bfaa588e532b6afa1108789eab0cb6c3f6a4ac6

SHA512
647b60e18d35f9f87c2c72cef8ab08f6e80e651e99b126813b8567681d2c39ef22458d67d0b8cb3ebdf1288ff09887b4d73ab64d592ea8a4e3b1fb68ec217ecf

Download Submit
C:\Windows\{CFDDDBD3-B1DD-4849-94AA-07B8164A6309}.exe

Filesize
344KB

MD5
97e54895028e00fe26fd44664cd92f6a

SHA1
8baff955a48cb941b5bb04fde705ef4db2e851df

SHA256
c66d08b603d05926227b6c745bfaa588e532b6afa1108789eab0cb6c3f6a4ac6

SHA512
647b60e18d35f9f87c2c72cef8ab08f6e80e651e99b126813b8567681d2c39ef22458d67d0b8cb3ebdf1288ff09887b4d73ab64d592ea8a4e3b1fb68ec217ecf

Download Submit
C:\Windows\{D90EFB94-31DB-4176-A117-5F770E889AD4}.exe

Filesize
344KB

MD5
5c1279df909f28771721cdfc2bb5e9f9

SHA1
477d00d974644bf20246a634a97112c407cc0ada

SHA256
fb2b46bc91db4793fe89d461160106b2c7e9218e2e5941f75c30b853e1b40b34

SHA512
9bf5c55aeedef510463c87151bfb3c4ca1c9cc056aafa773ae8660ff5c84f6c5a650e0ac4c8d3e0c127f78b45f4408c319998359475051f167d2c0c0098d8f91

Download Submit
C:\Windows\{D90EFB94-31DB-4176-A117-5F770E889AD4}.exe

Filesize
344KB

MD5
5c1279df909f28771721cdfc2bb5e9f9

SHA1
477d00d974644bf20246a634a97112c407cc0ada

SHA256
fb2b46bc91db4793fe89d461160106b2c7e9218e2e5941f75c30b853e1b40b34

SHA512
9bf5c55aeedef510463c87151bfb3c4ca1c9cc056aafa773ae8660ff5c84f6c5a650e0ac4c8d3e0c127f78b45f4408c319998359475051f167d2c0c0098d8f91

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads