27802f412b56d841b17eb3b9fa50e690f9b348d729dee17a916edc3949264ef4

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe
Size

372KB
MD5

2bf6b9770a4ec5163fe735b3dc619cee
SHA1

30809301238323dfb7ea76f694b90ce37a71df0d
SHA256

27802f412b56d841b17eb3b9fa50e690f9b348d729dee17a916edc3949264ef4
SHA512

0c8a2a2a2928cbaa98871df8c7ac2db52500a2d926d2fe3d776444443302f3a2397ca5a316ca9495908d94870df05e59d3c709044c7ca056ddc936d329801d2b
SSDEEP

3072:CEGh0ogmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGbl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}\stubpath = "C:\\Windows\\{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe"	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77924DCA-1C73-42ee-B0A9-93CE244A7C45}	{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}	{D832C78C-3748-4967-BEAD-57D449088F63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}	{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B95B6543-BA01-4694-865D-23844FA49D3A}\stubpath = "C:\\Windows\\{B95B6543-BA01-4694-865D-23844FA49D3A}.exe"	{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD53ABC0-DC7F-4804-BCDD-F83D7EA1782E}	{B95B6543-BA01-4694-865D-23844FA49D3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD53ABC0-DC7F-4804-BCDD-F83D7EA1782E}\stubpath = "C:\\Windows\\{CD53ABC0-DC7F-4804-BCDD-F83D7EA1782E}.exe"	{B95B6543-BA01-4694-865D-23844FA49D3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{560FC175-120D-4e2d-921D-CD1CBF82CD16}\stubpath = "C:\\Windows\\{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe"	{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9006927-F7A0-4f68-920F-602F8F1668B6}\stubpath = "C:\\Windows\\{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe"	{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D832C78C-3748-4967-BEAD-57D449088F63}	{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D832C78C-3748-4967-BEAD-57D449088F63}\stubpath = "C:\\Windows\\{D832C78C-3748-4967-BEAD-57D449088F63}.exe"	{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}\stubpath = "C:\\Windows\\{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe"	{D832C78C-3748-4967-BEAD-57D449088F63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}	{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69D393FC-3B4B-4819-BCB7-790A2ED353E6}\stubpath = "C:\\Windows\\{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe"	{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}\stubpath = "C:\\Windows\\{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe"	{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}\stubpath = "C:\\Windows\\{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}.exe"	{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B95B6543-BA01-4694-865D-23844FA49D3A}	{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{560FC175-120D-4e2d-921D-CD1CBF82CD16}	{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69D393FC-3B4B-4819-BCB7-790A2ED353E6}	{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}	{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9006927-F7A0-4f68-920F-602F8F1668B6}	{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77924DCA-1C73-42ee-B0A9-93CE244A7C45}\stubpath = "C:\\Windows\\{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe"	{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}\stubpath = "C:\\Windows\\{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe"	{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe

Executes dropped EXE 12 IoCs

pid	Process
4172	{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe
1376	{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe
3892	{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe
2108	{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe
1156	{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe
5012	{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe
3408	{D832C78C-3748-4967-BEAD-57D449088F63}.exe
476	{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe
3568	{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe
2136	{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}.exe
4144	{B95B6543-BA01-4694-865D-23844FA49D3A}.exe
3268	{CD53ABC0-DC7F-4804-BCDD-F83D7EA1782E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}.exe	{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe
File created	C:\Windows\{B95B6543-BA01-4694-865D-23844FA49D3A}.exe	{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}.exe
File created	C:\Windows\{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe	{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe
File created	C:\Windows\{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe	{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe
File created	C:\Windows\{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe	{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe
File created	C:\Windows\{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe	{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe
File created	C:\Windows\{D832C78C-3748-4967-BEAD-57D449088F63}.exe	{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe
File created	C:\Windows\{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe	{D832C78C-3748-4967-BEAD-57D449088F63}.exe
File created	C:\Windows\{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe	{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe
File created	C:\Windows\{CD53ABC0-DC7F-4804-BCDD-F83D7EA1782E}.exe	{B95B6543-BA01-4694-865D-23844FA49D3A}.exe
File created	C:\Windows\{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe
File created	C:\Windows\{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe	{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2924	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4172	{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe
Token: SeIncBasePriorityPrivilege	1376	{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe
Token: SeIncBasePriorityPrivilege	3892	{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe
Token: SeIncBasePriorityPrivilege	2108	{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe
Token: SeIncBasePriorityPrivilege	1156	{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe
Token: SeIncBasePriorityPrivilege	5012	{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe
Token: SeIncBasePriorityPrivilege	3408	{D832C78C-3748-4967-BEAD-57D449088F63}.exe
Token: SeIncBasePriorityPrivilege	476	{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe
Token: SeIncBasePriorityPrivilege	3568	{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe
Token: SeIncBasePriorityPrivilege	2136	{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}.exe
Token: SeIncBasePriorityPrivilege	4144	{B95B6543-BA01-4694-865D-23844FA49D3A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 4172	2924	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe	85
PID 2924 wrote to memory of 4172	2924	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe	85
PID 2924 wrote to memory of 4172	2924	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe	85
PID 2924 wrote to memory of 1168	2924	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe	86
PID 2924 wrote to memory of 1168	2924	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe	86
PID 2924 wrote to memory of 1168	2924	NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe	86
PID 4172 wrote to memory of 1376	4172	{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe	87
PID 4172 wrote to memory of 1376	4172	{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe	87
PID 4172 wrote to memory of 1376	4172	{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe	87
PID 4172 wrote to memory of 2540	4172	{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe	88
PID 4172 wrote to memory of 2540	4172	{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe	88
PID 4172 wrote to memory of 2540	4172	{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe	88
PID 1376 wrote to memory of 3892	1376	{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe	89
PID 1376 wrote to memory of 3892	1376	{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe	89
PID 1376 wrote to memory of 3892	1376	{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe	89
PID 1376 wrote to memory of 1456	1376	{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe	90
PID 1376 wrote to memory of 1456	1376	{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe	90
PID 1376 wrote to memory of 1456	1376	{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe	90
PID 3892 wrote to memory of 2108	3892	{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe	91
PID 3892 wrote to memory of 2108	3892	{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe	91
PID 3892 wrote to memory of 2108	3892	{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe	91
PID 3892 wrote to memory of 4680	3892	{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe	92
PID 3892 wrote to memory of 4680	3892	{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe	92
PID 3892 wrote to memory of 4680	3892	{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe	92
PID 2108 wrote to memory of 1156	2108	{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe	93
PID 2108 wrote to memory of 1156	2108	{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe	93
PID 2108 wrote to memory of 1156	2108	{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe	93
PID 2108 wrote to memory of 4256	2108	{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe	94
PID 2108 wrote to memory of 4256	2108	{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe	94
PID 2108 wrote to memory of 4256	2108	{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe	94
PID 1156 wrote to memory of 5012	1156	{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe	95
PID 1156 wrote to memory of 5012	1156	{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe	95
PID 1156 wrote to memory of 5012	1156	{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe	95
PID 1156 wrote to memory of 3684	1156	{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe	96
PID 1156 wrote to memory of 3684	1156	{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe	96
PID 1156 wrote to memory of 3684	1156	{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe	96
PID 5012 wrote to memory of 3408	5012	{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe	97
PID 5012 wrote to memory of 3408	5012	{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe	97
PID 5012 wrote to memory of 3408	5012	{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe	97
PID 5012 wrote to memory of 2024	5012	{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe	98
PID 5012 wrote to memory of 2024	5012	{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe	98
PID 5012 wrote to memory of 2024	5012	{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe	98
PID 3408 wrote to memory of 476	3408	{D832C78C-3748-4967-BEAD-57D449088F63}.exe	99
PID 3408 wrote to memory of 476	3408	{D832C78C-3748-4967-BEAD-57D449088F63}.exe	99
PID 3408 wrote to memory of 476	3408	{D832C78C-3748-4967-BEAD-57D449088F63}.exe	99
PID 3408 wrote to memory of 2312	3408	{D832C78C-3748-4967-BEAD-57D449088F63}.exe	100
PID 3408 wrote to memory of 2312	3408	{D832C78C-3748-4967-BEAD-57D449088F63}.exe	100
PID 3408 wrote to memory of 2312	3408	{D832C78C-3748-4967-BEAD-57D449088F63}.exe	100
PID 476 wrote to memory of 3568	476	{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe	101
PID 476 wrote to memory of 3568	476	{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe	101
PID 476 wrote to memory of 3568	476	{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe	101
PID 476 wrote to memory of 1804	476	{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe	102
PID 476 wrote to memory of 1804	476	{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe	102
PID 476 wrote to memory of 1804	476	{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe	102
PID 3568 wrote to memory of 2136	3568	{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe	103
PID 3568 wrote to memory of 2136	3568	{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe	103
PID 3568 wrote to memory of 2136	3568	{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe	103
PID 3568 wrote to memory of 4616	3568	{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe	104
PID 3568 wrote to memory of 4616	3568	{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe	104
PID 3568 wrote to memory of 4616	3568	{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe	104
PID 2136 wrote to memory of 4144	2136	{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}.exe	105
PID 2136 wrote to memory of 4144	2136	{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}.exe	105
PID 2136 wrote to memory of 4144	2136	{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}.exe	105
PID 2136 wrote to memory of 3988	2136	{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}.exe	106

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_2bf6b9770a4ec5163fe735b3dc619cee_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe
  C:\Windows\{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Windows\{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe
    C:\Windows\{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe
      C:\Windows\{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3892
    - - C:\Windows\{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe
        
        C:\Windows\{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe
        
        C:\Windows\{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe
        
        C:\Windows\{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\{D832C78C-3748-4967-BEAD-57D449088F63}.exe
        
        C:\Windows\{D832C78C-3748-4967-BEAD-57D449088F63}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe
        
        C:\Windows\{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Windows\{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe
        
        C:\Windows\{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}.exe
        
        C:\Windows\{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\{B95B6543-BA01-4694-865D-23844FA49D3A}.exe
        
        C:\Windows\{B95B6543-BA01-4694-865D-23844FA49D3A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
        
        C:\Windows\{CD53ABC0-DC7F-4804-BCDD-F83D7EA1782E}.exe
        
        C:\Windows\{CD53ABC0-DC7F-4804-BCDD-F83D7EA1782E}.exe
        13⤵
        Executes dropped EXE
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B95B6~1.EXE > nul
        13⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DFA0~1.EXE > nul
        12⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61D9D~1.EXE > nul
        11⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AA2F~1.EXE > nul
        10⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D832C~1.EXE > nul
        9⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77924~1.EXE > nul
        8⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9006~1.EXE > nul
        7⤵
        
        PID:3684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF6F8~1.EXE > nul
        6⤵
        
        PID:4256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69D39~1.EXE > nul
        5⤵
        
        PID:4680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{560FC~1.EXE > nul
      4⤵
      PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0C2F5~1.EXE > nul
    3⤵
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe

Filesize
372KB

MD5
deef661d081930a8128faa4d6c255e23

SHA1
c7ee97d17573d3e27d93cab37d7c516c2cc7b173

SHA256
8ea450521b1c47506145f3e092afca6b1c2b1be9e4236ba81ad990fb02a9c174

SHA512
7026676fc9e9e4e64bd9ca2a020e8eeef58275cbd6e48591357799ae5010ca7665890b3c1bbd83311352987f93ef4dfee77a88bd157786122e2b4b1fc949de04

Download Submit
C:\Windows\{0C2F57DE-EF20-4516-BAFD-90F58C63E03C}.exe

Filesize
372KB

MD5
deef661d081930a8128faa4d6c255e23

SHA1
c7ee97d17573d3e27d93cab37d7c516c2cc7b173

SHA256
8ea450521b1c47506145f3e092afca6b1c2b1be9e4236ba81ad990fb02a9c174

SHA512
7026676fc9e9e4e64bd9ca2a020e8eeef58275cbd6e48591357799ae5010ca7665890b3c1bbd83311352987f93ef4dfee77a88bd157786122e2b4b1fc949de04

Download Submit
C:\Windows\{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe

Filesize
372KB

MD5
5255ee73c78f7a13ec8d0bebd6d1fe92

SHA1
7e625f69f4cf261ddda9fa5c811c0b6451f90fec

SHA256
97dc078328153ce581680404a78059faded3cf5288b91c55f49dd781adb2ce52

SHA512
9f3379ff6f337ce0a0c3b2e1a3bc82f4219d6c0d59fc8d55e4dc26b8c69c6cddfab162dcd6492d6ae4cb63d17598a221db31f64d457dcf3360a2cf37b2fcbfc8

Download Submit
C:\Windows\{560FC175-120D-4e2d-921D-CD1CBF82CD16}.exe

Filesize
372KB

MD5
5255ee73c78f7a13ec8d0bebd6d1fe92

SHA1
7e625f69f4cf261ddda9fa5c811c0b6451f90fec

SHA256
97dc078328153ce581680404a78059faded3cf5288b91c55f49dd781adb2ce52

SHA512
9f3379ff6f337ce0a0c3b2e1a3bc82f4219d6c0d59fc8d55e4dc26b8c69c6cddfab162dcd6492d6ae4cb63d17598a221db31f64d457dcf3360a2cf37b2fcbfc8

Download Submit
C:\Windows\{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe

Filesize
372KB

MD5
e9268fea31c58058d07d4af0abbf0ee1

SHA1
1d28dde5e464beb1a32f0cbc9c6912d580ccd9f2

SHA256
2cba72ef64fb32fbe145c19d1685cb002f05b3a4a933844a3e6165528cbfd80c

SHA512
92c160d9d5c25552a8163e53ef8645c74d90d7665d96f5864c91a436e93d3a3108d3b2ce65ab00629be9e3df38a91a61f05ae9269ef86cf3923e4ec4a92b2439

Download Submit
C:\Windows\{61D9DCFB-B0CE-45dc-A96F-9B07368BF668}.exe

Filesize
372KB

MD5
e9268fea31c58058d07d4af0abbf0ee1

SHA1
1d28dde5e464beb1a32f0cbc9c6912d580ccd9f2

SHA256
2cba72ef64fb32fbe145c19d1685cb002f05b3a4a933844a3e6165528cbfd80c

SHA512
92c160d9d5c25552a8163e53ef8645c74d90d7665d96f5864c91a436e93d3a3108d3b2ce65ab00629be9e3df38a91a61f05ae9269ef86cf3923e4ec4a92b2439

Download Submit
C:\Windows\{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe

Filesize
372KB

MD5
e7883d0f6f5bff426d7d1d6573db4f74

SHA1
91d66e480bc001f1d9effde53d36d40d1851f95d

SHA256
a131ee8e6c722b553c47a347a37d132461f89a4fc8ac51ba80771c8047e657e3

SHA512
45ec322ba96459b97be106b97449e7b725d0dac617688e845243907eaaf0475b5df9b6d000f9abb2a55676d0b938c5dcf907c89f4213c8f7602889724bc81e1e

Download Submit
C:\Windows\{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe

Filesize
372KB

MD5
e7883d0f6f5bff426d7d1d6573db4f74

SHA1
91d66e480bc001f1d9effde53d36d40d1851f95d

SHA256
a131ee8e6c722b553c47a347a37d132461f89a4fc8ac51ba80771c8047e657e3

SHA512
45ec322ba96459b97be106b97449e7b725d0dac617688e845243907eaaf0475b5df9b6d000f9abb2a55676d0b938c5dcf907c89f4213c8f7602889724bc81e1e

Download Submit
C:\Windows\{69D393FC-3B4B-4819-BCB7-790A2ED353E6}.exe

Filesize
372KB

MD5
e7883d0f6f5bff426d7d1d6573db4f74

SHA1
91d66e480bc001f1d9effde53d36d40d1851f95d

SHA256
a131ee8e6c722b553c47a347a37d132461f89a4fc8ac51ba80771c8047e657e3

SHA512
45ec322ba96459b97be106b97449e7b725d0dac617688e845243907eaaf0475b5df9b6d000f9abb2a55676d0b938c5dcf907c89f4213c8f7602889724bc81e1e

Download Submit
C:\Windows\{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe

Filesize
372KB

MD5
f48c81754a58389aaaf9e0ced3e1000a

SHA1
ea951deda7b55b5deb81da211d8d6671f665c8fe

SHA256
057de727e6a5abe0e6291ade8a0cca8c97b3021a1a7baccdeffba8a5f05cdf05

SHA512
4249dc1f117f4a7b4e0a3ce90fe8d9229dfe9cd7da828e7924d3fd3e7d94308db2a3aff1d1fdad67e1d3a1eec9bb93405d342f953107da8c62df35621e6d29f0

Download Submit
C:\Windows\{77924DCA-1C73-42ee-B0A9-93CE244A7C45}.exe

Filesize
372KB

MD5
f48c81754a58389aaaf9e0ced3e1000a

SHA1
ea951deda7b55b5deb81da211d8d6671f665c8fe

SHA256
057de727e6a5abe0e6291ade8a0cca8c97b3021a1a7baccdeffba8a5f05cdf05

SHA512
4249dc1f117f4a7b4e0a3ce90fe8d9229dfe9cd7da828e7924d3fd3e7d94308db2a3aff1d1fdad67e1d3a1eec9bb93405d342f953107da8c62df35621e6d29f0

Download Submit
C:\Windows\{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe

Filesize
372KB

MD5
1d89629bacceb7ed35dc15c4a76a0670

SHA1
7f5dce6ac0b1dd93d72c5ccf5ac77119fd152889

SHA256
5372afaa261fbf406cac0e56c624de929561c4f8c827f2cb004da6ca8625fba6

SHA512
0e3a87a3bb0bedd3e48524cc55d50c8cec56ea280e88561a28f7da89fa59fe997462eaa620bfe962a2c6eac18a0824fb83a70c66448e58437fb8de8c8d8a9e67

Download Submit
C:\Windows\{9AA2F22C-6C81-48d2-995E-9C9B0CB44954}.exe

Filesize
372KB

MD5
1d89629bacceb7ed35dc15c4a76a0670

SHA1
7f5dce6ac0b1dd93d72c5ccf5ac77119fd152889

SHA256
5372afaa261fbf406cac0e56c624de929561c4f8c827f2cb004da6ca8625fba6

SHA512
0e3a87a3bb0bedd3e48524cc55d50c8cec56ea280e88561a28f7da89fa59fe997462eaa620bfe962a2c6eac18a0824fb83a70c66448e58437fb8de8c8d8a9e67

Download Submit
C:\Windows\{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}.exe

Filesize
372KB

MD5
95efd99410849256543390d0f644b886

SHA1
cfbe3b6e3ca89024ade60a3447e365de1f2ca0b4

SHA256
5634e247a71f7f6f15dc71d6fc478eeb8c351149b6a54f0a843cecfbeffd92bd

SHA512
cbb03773b058883101c780fda185dc0039acd17d667166b91bdd8d8f4d981abc3b1ee255d0fe10a8b85dd40d00601d95a74c518675dee4ee7e0fa8fa3035bf8f

Download Submit
C:\Windows\{9DFA0FCB-C5E7-4e1c-B36B-EFE5031FB94E}.exe

Filesize
372KB

MD5
95efd99410849256543390d0f644b886

SHA1
cfbe3b6e3ca89024ade60a3447e365de1f2ca0b4

SHA256
5634e247a71f7f6f15dc71d6fc478eeb8c351149b6a54f0a843cecfbeffd92bd

SHA512
cbb03773b058883101c780fda185dc0039acd17d667166b91bdd8d8f4d981abc3b1ee255d0fe10a8b85dd40d00601d95a74c518675dee4ee7e0fa8fa3035bf8f

Download Submit
C:\Windows\{B95B6543-BA01-4694-865D-23844FA49D3A}.exe

Filesize
372KB

MD5
8f1349a88f99c1582f7fe4c2b839a9a4

SHA1
c68c73a2cba0f3398979155bfc1cb22e486cff07

SHA256
530f85e5269db9e8e2a9e7a01a519ff30cdc5502f54af5e92dfec3e81119e1c2

SHA512
de99957a239c7371617090a0153ef86616f3cfa70d75319c641817d8c85293c798743d8fdb3b72d918e9c3b09097927acf7705c11380074c3972ca7f669d6d80

Download Submit
C:\Windows\{B95B6543-BA01-4694-865D-23844FA49D3A}.exe

Filesize
372KB

MD5
8f1349a88f99c1582f7fe4c2b839a9a4

SHA1
c68c73a2cba0f3398979155bfc1cb22e486cff07

SHA256
530f85e5269db9e8e2a9e7a01a519ff30cdc5502f54af5e92dfec3e81119e1c2

SHA512
de99957a239c7371617090a0153ef86616f3cfa70d75319c641817d8c85293c798743d8fdb3b72d918e9c3b09097927acf7705c11380074c3972ca7f669d6d80

Download Submit
C:\Windows\{CD53ABC0-DC7F-4804-BCDD-F83D7EA1782E}.exe

Filesize
372KB

MD5
1b196c458888035081e2a5e705c251b4

SHA1
5563a1faeddc8cfdd7a3819dbc00d6767fa452c0

SHA256
db251513f9e56566a06426d947d01f7523e294e7d2771b90119bf15e109a59c7

SHA512
666873fd3862ae72a2bd926a07c76ddc4cb4629bfc054323b764ccdc13ba3e1ce10e1ae8e3acb2d5556e044afdb4dbaaec474d3831d0bc45db6d01dd9cf05a90

Download Submit
C:\Windows\{CD53ABC0-DC7F-4804-BCDD-F83D7EA1782E}.exe

Filesize
372KB

MD5
1b196c458888035081e2a5e705c251b4

SHA1
5563a1faeddc8cfdd7a3819dbc00d6767fa452c0

SHA256
db251513f9e56566a06426d947d01f7523e294e7d2771b90119bf15e109a59c7

SHA512
666873fd3862ae72a2bd926a07c76ddc4cb4629bfc054323b764ccdc13ba3e1ce10e1ae8e3acb2d5556e044afdb4dbaaec474d3831d0bc45db6d01dd9cf05a90

Download Submit
C:\Windows\{D832C78C-3748-4967-BEAD-57D449088F63}.exe

Filesize
372KB

MD5
8d83d8631311ec691a0c70f4ee8088d8

SHA1
3225a24de8fa98945ff1d190c63924c869c30f8a

SHA256
4e95c27d46effd3a43f397fea59685eda7b4a8926c3503dc6acf6697aebbe963

SHA512
c62b06dfc95b7a98d78fcb3c13962f4605c0c2bf621d3724b9d401e651c7dcd66606d98d86588d492c63e3dd397867a98cfeb87b93178ae3899633aae46dd2c0

Download Submit
C:\Windows\{D832C78C-3748-4967-BEAD-57D449088F63}.exe

Filesize
372KB

MD5
8d83d8631311ec691a0c70f4ee8088d8

SHA1
3225a24de8fa98945ff1d190c63924c869c30f8a

SHA256
4e95c27d46effd3a43f397fea59685eda7b4a8926c3503dc6acf6697aebbe963

SHA512
c62b06dfc95b7a98d78fcb3c13962f4605c0c2bf621d3724b9d401e651c7dcd66606d98d86588d492c63e3dd397867a98cfeb87b93178ae3899633aae46dd2c0

Download Submit
C:\Windows\{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe

Filesize
372KB

MD5
1afbc414f8c67c4595def7e582f2fe91

SHA1
1aa44216feea2e5abc060a8f7f181af77cdcf06e

SHA256
f8a886c44f4a6aa954c52bcf2741fe94b4d961fe3eb9b466d03844983d80f748

SHA512
e6d52156337bd0a156cf26628b70fff2540984c2fd7e2a47b8cf58e416cb6675ca384e1570285440b89b2482c4c0e3ab72c18356d771b36c3b2b28d858817fcc

Download Submit
C:\Windows\{E9006927-F7A0-4f68-920F-602F8F1668B6}.exe

Filesize
372KB

MD5
1afbc414f8c67c4595def7e582f2fe91

SHA1
1aa44216feea2e5abc060a8f7f181af77cdcf06e

SHA256
f8a886c44f4a6aa954c52bcf2741fe94b4d961fe3eb9b466d03844983d80f748

SHA512
e6d52156337bd0a156cf26628b70fff2540984c2fd7e2a47b8cf58e416cb6675ca384e1570285440b89b2482c4c0e3ab72c18356d771b36c3b2b28d858817fcc

Download Submit
C:\Windows\{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe

Filesize
372KB

MD5
45c6efd071967e35afcf99ada012adb2

SHA1
e14bdcade31b393cc1175e33315d291cfd72a666

SHA256
c9c65e0eb356cace31e898ed0003c366ae4e5cd0418d8f5c1b113f9fed4a718f

SHA512
5379ab3cb2fd6e54d2d4dc487f87d5796db4d2b78bd2fd889b2b42607000b891171fae65d3d595e01763a799f140b65ccdd10e06965f3ebc18e838df9e9cd990

Download Submit
C:\Windows\{EF6F8F71-BA77-4f2b-BBA7-2E0734CE2C90}.exe

Filesize
372KB

MD5
45c6efd071967e35afcf99ada012adb2

SHA1
e14bdcade31b393cc1175e33315d291cfd72a666

SHA256
c9c65e0eb356cace31e898ed0003c366ae4e5cd0418d8f5c1b113f9fed4a718f

SHA512
5379ab3cb2fd6e54d2d4dc487f87d5796db4d2b78bd2fd889b2b42607000b891171fae65d3d595e01763a799f140b65ccdd10e06965f3ebc18e838df9e9cd990

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads