27802f412b56d841b17eb3b9fa50e690f9b348d729dee17a916edc3949264ef4

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe
Size

372KB
MD5

2bf6b9770a4ec5163fe735b3dc619cee
SHA1

30809301238323dfb7ea76f694b90ce37a71df0d
SHA256

27802f412b56d841b17eb3b9fa50e690f9b348d729dee17a916edc3949264ef4
SHA512

0c8a2a2a2928cbaa98871df8c7ac2db52500a2d926d2fe3d776444443302f3a2397ca5a316ca9495908d94870df05e59d3c709044c7ca056ddc936d329801d2b
SSDEEP

3072:CEGh0ogmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGbl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9317C6FB-AE80-433b-8731-4A1DC821FB84}\stubpath = "C:\\Windows\\{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe"	{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}\stubpath = "C:\\Windows\\{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe"	{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}\stubpath = "C:\\Windows\\{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe"	{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D3AD677-CB7C-402a-8217-E079F238E178}\stubpath = "C:\\Windows\\{1D3AD677-CB7C-402a-8217-E079F238E178}.exe"	{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29F50670-8AEB-46b3-8EB7-7AB49F117AC9}\stubpath = "C:\\Windows\\{29F50670-8AEB-46b3-8EB7-7AB49F117AC9}.exe"	{1D3AD677-CB7C-402a-8217-E079F238E178}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5981AC1C-2D83-4167-A478-6D24DC3C3F4F}\stubpath = "C:\\Windows\\{5981AC1C-2D83-4167-A478-6D24DC3C3F4F}.exe"	{29F50670-8AEB-46b3-8EB7-7AB49F117AC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29093515-C224-4b65-A4F4-E62CB611CC7D}	{4C42BA29-B857-4afa-AEB3-6A9D68FBBAF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28484747-177F-4d6b-8B8B-B078D9562047}	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{991F143B-F025-4fa9-B812-BAE6E5837B69}	{28484747-177F-4d6b-8B8B-B078D9562047}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{991F143B-F025-4fa9-B812-BAE6E5837B69}\stubpath = "C:\\Windows\\{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe"	{28484747-177F-4d6b-8B8B-B078D9562047}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9317C6FB-AE80-433b-8731-4A1DC821FB84}	{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}	{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5981AC1C-2D83-4167-A478-6D24DC3C3F4F}	{29F50670-8AEB-46b3-8EB7-7AB49F117AC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}	{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}\stubpath = "C:\\Windows\\{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe"	{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D3AD677-CB7C-402a-8217-E079F238E178}	{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C42BA29-B857-4afa-AEB3-6A9D68FBBAF1}	{5981AC1C-2D83-4167-A478-6D24DC3C3F4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29093515-C224-4b65-A4F4-E62CB611CC7D}\stubpath = "C:\\Windows\\{29093515-C224-4b65-A4F4-E62CB611CC7D}.exe"	{4C42BA29-B857-4afa-AEB3-6A9D68FBBAF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28484747-177F-4d6b-8B8B-B078D9562047}\stubpath = "C:\\Windows\\{28484747-177F-4d6b-8B8B-B078D9562047}.exe"	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}	{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29F50670-8AEB-46b3-8EB7-7AB49F117AC9}	{1D3AD677-CB7C-402a-8217-E079F238E178}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C42BA29-B857-4afa-AEB3-6A9D68FBBAF1}\stubpath = "C:\\Windows\\{4C42BA29-B857-4afa-AEB3-6A9D68FBBAF1}.exe"	{5981AC1C-2D83-4167-A478-6D24DC3C3F4F}.exe

Deletes itself 1 IoCs

pid	Process
1376	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2192	{28484747-177F-4d6b-8B8B-B078D9562047}.exe
2440	{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe
2848	{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe
2580	{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe
1984	{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe
2616	{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe
2588	{1D3AD677-CB7C-402a-8217-E079F238E178}.exe
2312	{29F50670-8AEB-46b3-8EB7-7AB49F117AC9}.exe
1092	{5981AC1C-2D83-4167-A478-6D24DC3C3F4F}.exe
2808	{4C42BA29-B857-4afa-AEB3-6A9D68FBBAF1}.exe
2176	{29093515-C224-4b65-A4F4-E62CB611CC7D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4C42BA29-B857-4afa-AEB3-6A9D68FBBAF1}.exe	{5981AC1C-2D83-4167-A478-6D24DC3C3F4F}.exe
File created	C:\Windows\{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe	{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe
File created	C:\Windows\{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe	{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe
File created	C:\Windows\{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe	{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe
File created	C:\Windows\{1D3AD677-CB7C-402a-8217-E079F238E178}.exe	{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe
File created	C:\Windows\{29F50670-8AEB-46b3-8EB7-7AB49F117AC9}.exe	{1D3AD677-CB7C-402a-8217-E079F238E178}.exe
File created	C:\Windows\{5981AC1C-2D83-4167-A478-6D24DC3C3F4F}.exe	{29F50670-8AEB-46b3-8EB7-7AB49F117AC9}.exe
File created	C:\Windows\{28484747-177F-4d6b-8B8B-B078D9562047}.exe	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe
File created	C:\Windows\{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe	{28484747-177F-4d6b-8B8B-B078D9562047}.exe
File created	C:\Windows\{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe	{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe
File created	C:\Windows\{29093515-C224-4b65-A4F4-E62CB611CC7D}.exe	{4C42BA29-B857-4afa-AEB3-6A9D68FBBAF1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1640	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2192	{28484747-177F-4d6b-8B8B-B078D9562047}.exe
Token: SeIncBasePriorityPrivilege	2440	{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe
Token: SeIncBasePriorityPrivilege	2848	{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe
Token: SeIncBasePriorityPrivilege	2580	{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe
Token: SeIncBasePriorityPrivilege	1984	{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe
Token: SeIncBasePriorityPrivilege	2616	{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe
Token: SeIncBasePriorityPrivilege	2588	{1D3AD677-CB7C-402a-8217-E079F238E178}.exe
Token: SeIncBasePriorityPrivilege	2312	{29F50670-8AEB-46b3-8EB7-7AB49F117AC9}.exe
Token: SeIncBasePriorityPrivilege	1092	{5981AC1C-2D83-4167-A478-6D24DC3C3F4F}.exe
Token: SeIncBasePriorityPrivilege	2808	{4C42BA29-B857-4afa-AEB3-6A9D68FBBAF1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2192	1640	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe	28
PID 1640 wrote to memory of 2192	1640	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe	28
PID 1640 wrote to memory of 2192	1640	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe	28
PID 1640 wrote to memory of 2192	1640	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe	28
PID 1640 wrote to memory of 1376	1640	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe	29
PID 1640 wrote to memory of 1376	1640	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe	29
PID 1640 wrote to memory of 1376	1640	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe	29
PID 1640 wrote to memory of 1376	1640	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe	29
PID 2192 wrote to memory of 2440	2192	{28484747-177F-4d6b-8B8B-B078D9562047}.exe	30
PID 2192 wrote to memory of 2440	2192	{28484747-177F-4d6b-8B8B-B078D9562047}.exe	30
PID 2192 wrote to memory of 2440	2192	{28484747-177F-4d6b-8B8B-B078D9562047}.exe	30
PID 2192 wrote to memory of 2440	2192	{28484747-177F-4d6b-8B8B-B078D9562047}.exe	30
PID 2192 wrote to memory of 2396	2192	{28484747-177F-4d6b-8B8B-B078D9562047}.exe	31
PID 2192 wrote to memory of 2396	2192	{28484747-177F-4d6b-8B8B-B078D9562047}.exe	31
PID 2192 wrote to memory of 2396	2192	{28484747-177F-4d6b-8B8B-B078D9562047}.exe	31
PID 2192 wrote to memory of 2396	2192	{28484747-177F-4d6b-8B8B-B078D9562047}.exe	31
PID 2440 wrote to memory of 2848	2440	{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe	34
PID 2440 wrote to memory of 2848	2440	{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe	34
PID 2440 wrote to memory of 2848	2440	{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe	34
PID 2440 wrote to memory of 2848	2440	{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe	34
PID 2440 wrote to memory of 2728	2440	{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe	35
PID 2440 wrote to memory of 2728	2440	{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe	35
PID 2440 wrote to memory of 2728	2440	{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe	35
PID 2440 wrote to memory of 2728	2440	{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe	35
PID 2848 wrote to memory of 2580	2848	{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe	36
PID 2848 wrote to memory of 2580	2848	{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe	36
PID 2848 wrote to memory of 2580	2848	{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe	36
PID 2848 wrote to memory of 2580	2848	{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe	36
PID 2848 wrote to memory of 2956	2848	{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe	37
PID 2848 wrote to memory of 2956	2848	{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe	37
PID 2848 wrote to memory of 2956	2848	{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe	37
PID 2848 wrote to memory of 2956	2848	{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe	37
PID 2580 wrote to memory of 1984	2580	{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe	38
PID 2580 wrote to memory of 1984	2580	{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe	38
PID 2580 wrote to memory of 1984	2580	{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe	38
PID 2580 wrote to memory of 1984	2580	{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe	38
PID 2580 wrote to memory of 2876	2580	{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe	39
PID 2580 wrote to memory of 2876	2580	{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe	39
PID 2580 wrote to memory of 2876	2580	{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe	39
PID 2580 wrote to memory of 2876	2580	{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe	39
PID 1984 wrote to memory of 2616	1984	{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe	41
PID 1984 wrote to memory of 2616	1984	{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe	41
PID 1984 wrote to memory of 2616	1984	{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe	41
PID 1984 wrote to memory of 2616	1984	{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe	41
PID 1984 wrote to memory of 2744	1984	{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe	40
PID 1984 wrote to memory of 2744	1984	{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe	40
PID 1984 wrote to memory of 2744	1984	{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe	40
PID 1984 wrote to memory of 2744	1984	{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe	40
PID 2616 wrote to memory of 2588	2616	{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe	43
PID 2616 wrote to memory of 2588	2616	{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe	43
PID 2616 wrote to memory of 2588	2616	{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe	43
PID 2616 wrote to memory of 2588	2616	{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe	43
PID 2616 wrote to memory of 2648	2616	{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe	42
PID 2616 wrote to memory of 2648	2616	{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe	42
PID 2616 wrote to memory of 2648	2616	{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe	42
PID 2616 wrote to memory of 2648	2616	{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe	42
PID 2588 wrote to memory of 2312	2588	{1D3AD677-CB7C-402a-8217-E079F238E178}.exe	45
PID 2588 wrote to memory of 2312	2588	{1D3AD677-CB7C-402a-8217-E079F238E178}.exe	45
PID 2588 wrote to memory of 2312	2588	{1D3AD677-CB7C-402a-8217-E079F238E178}.exe	45
PID 2588 wrote to memory of 2312	2588	{1D3AD677-CB7C-402a-8217-E079F238E178}.exe	45
PID 2588 wrote to memory of 2552	2588	{1D3AD677-CB7C-402a-8217-E079F238E178}.exe	44
PID 2588 wrote to memory of 2552	2588	{1D3AD677-CB7C-402a-8217-E079F238E178}.exe	44
PID 2588 wrote to memory of 2552	2588	{1D3AD677-CB7C-402a-8217-E079F238E178}.exe	44
PID 2588 wrote to memory of 2552	2588	{1D3AD677-CB7C-402a-8217-E079F238E178}.exe	44

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\{28484747-177F-4d6b-8B8B-B078D9562047}.exe
  C:\Windows\{28484747-177F-4d6b-8B8B-B078D9562047}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe
    C:\Windows\{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe
      C:\Windows\{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe
        
        C:\Windows\{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe
        
        C:\Windows\{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E0BE~1.EXE > nul
        7⤵
        
        PID:2744
        
        C:\Windows\{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe
        
        C:\Windows\{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60D66~1.EXE > nul
        8⤵
        
        PID:2648
        
        C:\Windows\{1D3AD677-CB7C-402a-8217-E079F238E178}.exe
        
        C:\Windows\{1D3AD677-CB7C-402a-8217-E079F238E178}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D3AD~1.EXE > nul
        9⤵
        
        PID:2552
        
        C:\Windows\{29F50670-8AEB-46b3-8EB7-7AB49F117AC9}.exe
        
        C:\Windows\{29F50670-8AEB-46b3-8EB7-7AB49F117AC9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\{5981AC1C-2D83-4167-A478-6D24DC3C3F4F}.exe
        
        C:\Windows\{5981AC1C-2D83-4167-A478-6D24DC3C3F4F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5981A~1.EXE > nul
        11⤵
        
        PID:1064
        
        C:\Windows\{4C42BA29-B857-4afa-AEB3-6A9D68FBBAF1}.exe
        
        C:\Windows\{4C42BA29-B857-4afa-AEB3-6A9D68FBBAF1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\{29093515-C224-4b65-A4F4-E62CB611CC7D}.exe
        
        C:\Windows\{29093515-C224-4b65-A4F4-E62CB611CC7D}.exe
        12⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C42B~1.EXE > nul
        12⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29F50~1.EXE > nul
        10⤵
        
        PID:696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9317C~1.EXE > nul
        6⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF32F~1.EXE > nul
        5⤵
        
        PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{991F1~1.EXE > nul
      4⤵
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{28484~1.EXE > nul
    3⤵
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D3AD677-CB7C-402a-8217-E079F238E178}.exe

Filesize
372KB

MD5
65c94f48e2600847859ba124fbb4f3b2

SHA1
fce6fb9e53ecdf6e1a385bf61c9147c89639a676

SHA256
635929de8980caf818e0d77001a91305ba11d193ad9c28f924af3ad4f555d090

SHA512
1f8b32ceaa309c5fc7f9fb4cb6e488eef748f1c32d466d1865a38b81c1ff3b98c03575f5bf1ac0a14ceb17c0690f6b8b148c6fd7f613dee9a4fa2b421e9db727

Download Submit
C:\Windows\{1D3AD677-CB7C-402a-8217-E079F238E178}.exe

Filesize
372KB

MD5
65c94f48e2600847859ba124fbb4f3b2

SHA1
fce6fb9e53ecdf6e1a385bf61c9147c89639a676

SHA256
635929de8980caf818e0d77001a91305ba11d193ad9c28f924af3ad4f555d090

SHA512
1f8b32ceaa309c5fc7f9fb4cb6e488eef748f1c32d466d1865a38b81c1ff3b98c03575f5bf1ac0a14ceb17c0690f6b8b148c6fd7f613dee9a4fa2b421e9db727

Download Submit
C:\Windows\{28484747-177F-4d6b-8B8B-B078D9562047}.exe

Filesize
372KB

MD5
49b9d2a106ec3654f5eb13c481f7cb6f

SHA1
a70c770080187fc414da4027ca8b5ed784672e97

SHA256
3a8ffc2759c93753b86193506d9e47e930785ad74fa7321ca8d6ca2a8f5d468e

SHA512
f5575170ef4a14f7193aedc0f30eccd340688098048082d7870f20698227bb6518e0a72bbe77d7e050c1f93b011b2d90c3ce520cc70c1860f7aa2ab326de1e13

Download Submit
C:\Windows\{28484747-177F-4d6b-8B8B-B078D9562047}.exe

Filesize
372KB

MD5
49b9d2a106ec3654f5eb13c481f7cb6f

SHA1
a70c770080187fc414da4027ca8b5ed784672e97

SHA256
3a8ffc2759c93753b86193506d9e47e930785ad74fa7321ca8d6ca2a8f5d468e

SHA512
f5575170ef4a14f7193aedc0f30eccd340688098048082d7870f20698227bb6518e0a72bbe77d7e050c1f93b011b2d90c3ce520cc70c1860f7aa2ab326de1e13

Download Submit
C:\Windows\{28484747-177F-4d6b-8B8B-B078D9562047}.exe

Filesize
372KB

MD5
49b9d2a106ec3654f5eb13c481f7cb6f

SHA1
a70c770080187fc414da4027ca8b5ed784672e97

SHA256
3a8ffc2759c93753b86193506d9e47e930785ad74fa7321ca8d6ca2a8f5d468e

SHA512
f5575170ef4a14f7193aedc0f30eccd340688098048082d7870f20698227bb6518e0a72bbe77d7e050c1f93b011b2d90c3ce520cc70c1860f7aa2ab326de1e13

Download Submit
C:\Windows\{29093515-C224-4b65-A4F4-E62CB611CC7D}.exe

Filesize
372KB

MD5
cf6af0156d5a619eed32fc7d9aece8c3

SHA1
cab2da8230a5e6d63089cd059aff17e94c3b3756

SHA256
3dcc7e0463caa3c61921aaa74f559bd671da88792803acb6689adf490ce741a4

SHA512
d702a9373bfe90c1f9d020855a97f4f98f7984901ec09f853c9c81878c60e44281ed061884ba30ccfafac2ad9350bc211b5750992236e5e58dea552dd8d82bce

Download Submit
C:\Windows\{29F50670-8AEB-46b3-8EB7-7AB49F117AC9}.exe

Filesize
372KB

MD5
86e36b560c525e68bfee8fa04c65f542

SHA1
3519c224de955890cff048173499235a9a704144

SHA256
a40a07d83d3d0a8001eeceeac2d2d10f2ad033f69c8ebfa4a9ebaf7e845cb1d8

SHA512
5e9e6ab8624a1d981f8faf7691467046f00bacdc9983217b185c0fa05a21d4dc639594e11460720b126445bc2b691fc25c89cfe7d550f83a0846ff5cbf970cec

Download Submit
C:\Windows\{29F50670-8AEB-46b3-8EB7-7AB49F117AC9}.exe

Filesize
372KB

MD5
86e36b560c525e68bfee8fa04c65f542

SHA1
3519c224de955890cff048173499235a9a704144

SHA256
a40a07d83d3d0a8001eeceeac2d2d10f2ad033f69c8ebfa4a9ebaf7e845cb1d8

SHA512
5e9e6ab8624a1d981f8faf7691467046f00bacdc9983217b185c0fa05a21d4dc639594e11460720b126445bc2b691fc25c89cfe7d550f83a0846ff5cbf970cec

Download Submit
C:\Windows\{4C42BA29-B857-4afa-AEB3-6A9D68FBBAF1}.exe

Filesize
372KB

MD5
e41a0532f77f9428e669f93f51428e14

SHA1
0df7b2ad7c45035d4c7aed9755e0972c6a8a946b

SHA256
7e540ff3881acb1fb5e95c702e8887273f45a1638440c315e3b50404c85ea7f5

SHA512
d3bda2070031e3c50ce85517860d678d57ceb7c56ee3db0b265ba81655a489bc24a037d3ca69e3dd2a77ac29490aa979f2c099f4a8135d4d82b651b0f1c7b994

Download Submit
C:\Windows\{4C42BA29-B857-4afa-AEB3-6A9D68FBBAF1}.exe

Filesize
372KB

MD5
e41a0532f77f9428e669f93f51428e14

SHA1
0df7b2ad7c45035d4c7aed9755e0972c6a8a946b

SHA256
7e540ff3881acb1fb5e95c702e8887273f45a1638440c315e3b50404c85ea7f5

SHA512
d3bda2070031e3c50ce85517860d678d57ceb7c56ee3db0b265ba81655a489bc24a037d3ca69e3dd2a77ac29490aa979f2c099f4a8135d4d82b651b0f1c7b994

Download Submit
C:\Windows\{5981AC1C-2D83-4167-A478-6D24DC3C3F4F}.exe

Filesize
372KB

MD5
b2d7f535e102aebb03e5a051a506e016

SHA1
0339f82029768f7ddacebf6eff913bb60085a67f

SHA256
bc0d7d9c332de2b7731ffdecb89fb0bccc635bebc643943378575c70c32a09e0

SHA512
76b1278f16d1e7bcc5c223c879167122169a9a631b0809b05fa1b9508f984fa187d55900c3995cba3983cc9f92fd18d7c08942f61749ded83c9c5e369aa115e8

Download Submit
C:\Windows\{5981AC1C-2D83-4167-A478-6D24DC3C3F4F}.exe

Filesize
372KB

MD5
b2d7f535e102aebb03e5a051a506e016

SHA1
0339f82029768f7ddacebf6eff913bb60085a67f

SHA256
bc0d7d9c332de2b7731ffdecb89fb0bccc635bebc643943378575c70c32a09e0

SHA512
76b1278f16d1e7bcc5c223c879167122169a9a631b0809b05fa1b9508f984fa187d55900c3995cba3983cc9f92fd18d7c08942f61749ded83c9c5e369aa115e8

Download Submit
C:\Windows\{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe

Filesize
372KB

MD5
b8660b3dc57720e35346152774fd99d7

SHA1
0297942cbaea3ce6e4d96d41a0226854dc4b3e08

SHA256
13e8dabd2a0beeb092e241f67625961210a017e089cf08005c9bf94af6d1c686

SHA512
257bfafcb19a40603c0113723506bc746d559766c607875ed746fce2e32cd291d53d7bbdd87876e0e2f63eead69d22e57789868446a178468c1a361522b850c3

Download Submit
C:\Windows\{60D66B78-7A8A-4ea7-8B35-A19B021BFC69}.exe

Filesize
372KB

MD5
b8660b3dc57720e35346152774fd99d7

SHA1
0297942cbaea3ce6e4d96d41a0226854dc4b3e08

SHA256
13e8dabd2a0beeb092e241f67625961210a017e089cf08005c9bf94af6d1c686

SHA512
257bfafcb19a40603c0113723506bc746d559766c607875ed746fce2e32cd291d53d7bbdd87876e0e2f63eead69d22e57789868446a178468c1a361522b850c3

Download Submit
C:\Windows\{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe

Filesize
372KB

MD5
779a58c9cf5342c8077f05dd020f7f45

SHA1
c649aa3d3e8c7e5dc7c4a10be4c9753b74fdc85f

SHA256
e502b031e81daf6dfb05b96c121d59410779741ca307febb0f909718759857d5

SHA512
759b18496cdb4832198087468f73e260e20955aef9fbaa42635d218849fa014ae3beb10e52f034bbcb10681173b0a255eaa5765b428e4d4ea5d3537808478fe6

Download Submit
C:\Windows\{7E0BEE16-51CB-4fa6-AF18-66B8D98DD9CC}.exe

Filesize
372KB

MD5
779a58c9cf5342c8077f05dd020f7f45

SHA1
c649aa3d3e8c7e5dc7c4a10be4c9753b74fdc85f

SHA256
e502b031e81daf6dfb05b96c121d59410779741ca307febb0f909718759857d5

SHA512
759b18496cdb4832198087468f73e260e20955aef9fbaa42635d218849fa014ae3beb10e52f034bbcb10681173b0a255eaa5765b428e4d4ea5d3537808478fe6

Download Submit
C:\Windows\{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe

Filesize
372KB

MD5
c4d72466a3b9e8c47c199114535cf19f

SHA1
6ab0da5c686ece6991e40635e9d1b6cc31573ef8

SHA256
9dfee3ca41294542fa64917c6631340f8a694d47b72b614b80f359d53e914e04

SHA512
dae2d2bb258fe052b626dd64e82fe574f78102eff5445d2bf7e7aa2742d9226bf5e6218d0276cd9a19a7fdf4eed4b86017516d097707ce1a6288e6e57e0f8710

Download Submit
C:\Windows\{9317C6FB-AE80-433b-8731-4A1DC821FB84}.exe

Filesize
372KB

MD5
c4d72466a3b9e8c47c199114535cf19f

SHA1
6ab0da5c686ece6991e40635e9d1b6cc31573ef8

SHA256
9dfee3ca41294542fa64917c6631340f8a694d47b72b614b80f359d53e914e04

SHA512
dae2d2bb258fe052b626dd64e82fe574f78102eff5445d2bf7e7aa2742d9226bf5e6218d0276cd9a19a7fdf4eed4b86017516d097707ce1a6288e6e57e0f8710

Download Submit
C:\Windows\{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe

Filesize
372KB

MD5
ff2ac63792f21baa7d93bbf667192e55

SHA1
81b67c0c5f7e09694f9bd34a24fc2d68742777f3

SHA256
98fbdc9ff6e2604f74f8775b614b281aa274d2925beabb8078ebdef3d2798a9d

SHA512
01e75a826fdd77b2f408f291ee080141d8e28199cd5bcfbf0cc46effc9f2dfce5ae5cd0314c321188b08743a47f3ca11074b2db78e42ae5321b11ef2675455eb

Download Submit
C:\Windows\{991F143B-F025-4fa9-B812-BAE6E5837B69}.exe

Filesize
372KB

MD5
ff2ac63792f21baa7d93bbf667192e55

SHA1
81b67c0c5f7e09694f9bd34a24fc2d68742777f3

SHA256
98fbdc9ff6e2604f74f8775b614b281aa274d2925beabb8078ebdef3d2798a9d

SHA512
01e75a826fdd77b2f408f291ee080141d8e28199cd5bcfbf0cc46effc9f2dfce5ae5cd0314c321188b08743a47f3ca11074b2db78e42ae5321b11ef2675455eb

Download Submit
C:\Windows\{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe

Filesize
372KB

MD5
bc6b25f433b1742fea51652ca7a07e77

SHA1
84f86992c4429614c71db687660625bce29d64b2

SHA256
a7568e7c776a70edcbfd6d90d1c7d9fa3c9bdb88bdb7480dcab1c811567fa889

SHA512
c953cf055ca7202ee8ab8bb98fcc50d07afe819625ecdfa160bc30490781de1eef9793cc626425a5c2c26d02d76d01868f2cbe0cd1b9dff7d6e2cb9101c92816

Download Submit
C:\Windows\{CF32FC10-3517-467a-8D5A-D6C1EF3E1C06}.exe

Filesize
372KB

MD5
bc6b25f433b1742fea51652ca7a07e77

SHA1
84f86992c4429614c71db687660625bce29d64b2

SHA256
a7568e7c776a70edcbfd6d90d1c7d9fa3c9bdb88bdb7480dcab1c811567fa889

SHA512
c953cf055ca7202ee8ab8bb98fcc50d07afe819625ecdfa160bc30490781de1eef9793cc626425a5c2c26d02d76d01868f2cbe0cd1b9dff7d6e2cb9101c92816

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads