c5372bcfac0c6a2004e79d5066b4ea5d2bcf7c928b0ee858b7a99aee7908e8fa

Analysis

max time kernel
151s
max time network
133s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23-10-2023 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe
Size

204KB
MD5

b1df2b49a467e951c8f3ca31031daf7c
SHA1

b5eb6864ea7ac424407944365a894c3859c37112
SHA256

c5372bcfac0c6a2004e79d5066b4ea5d2bcf7c928b0ee858b7a99aee7908e8fa
SHA512

4da6d38335887bcc01520f932730cb7a3950592c119b1f8d2dc01312f3e29e417873db21756f49eb0d01deb36edb3d70b10c1e5613523324fb5d591c0d05ac96
SSDEEP

1536:1EGh0oKl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oKl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1F32DF2-D8CE-4235-BC1D-151AA6DD1E17}	{636DF0F4-B44B-4fac-8A69-CE2C95229C30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCB87554-02E6-4195-9331-77CEF00D8C14}	{B1F32DF2-D8CE-4235-BC1D-151AA6DD1E17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D777A68-ECFC-4892-9637-26F52F6B0B75}	{CCB87554-02E6-4195-9331-77CEF00D8C14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66A40D46-F786-4e5b-BD20-352AFB99CB70}\stubpath = "C:\\Windows\\{66A40D46-F786-4e5b-BD20-352AFB99CB70}.exe"	{3D777A68-ECFC-4892-9637-26F52F6B0B75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}	{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}\stubpath = "C:\\Windows\\{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe"	{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}	{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}\stubpath = "C:\\Windows\\{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe"	{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}\stubpath = "C:\\Windows\\{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe"	{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1F32DF2-D8CE-4235-BC1D-151AA6DD1E17}\stubpath = "C:\\Windows\\{B1F32DF2-D8CE-4235-BC1D-151AA6DD1E17}.exe"	{636DF0F4-B44B-4fac-8A69-CE2C95229C30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCB87554-02E6-4195-9331-77CEF00D8C14}\stubpath = "C:\\Windows\\{CCB87554-02E6-4195-9331-77CEF00D8C14}.exe"	{B1F32DF2-D8CE-4235-BC1D-151AA6DD1E17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D777A68-ECFC-4892-9637-26F52F6B0B75}\stubpath = "C:\\Windows\\{3D777A68-ECFC-4892-9637-26F52F6B0B75}.exe"	{CCB87554-02E6-4195-9331-77CEF00D8C14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}\stubpath = "C:\\Windows\\{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe"	{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}	{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}\stubpath = "C:\\Windows\\{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe"	{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}	{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66A40D46-F786-4e5b-BD20-352AFB99CB70}	{3D777A68-ECFC-4892-9637-26F52F6B0B75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABDC79C5-169D-434f-9413-93A9DEFB24F2}	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABDC79C5-169D-434f-9413-93A9DEFB24F2}\stubpath = "C:\\Windows\\{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe"	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{636DF0F4-B44B-4fac-8A69-CE2C95229C30}	{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{636DF0F4-B44B-4fac-8A69-CE2C95229C30}\stubpath = "C:\\Windows\\{636DF0F4-B44B-4fac-8A69-CE2C95229C30}.exe"	{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}\stubpath = "C:\\Windows\\{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe"	{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}	{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}	{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe

Deletes itself 1 IoCs

pid	Process
2492	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2532	{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe
2964	{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe
2868	{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe
2912	{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe
2500	{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe
2604	{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe
3040	{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe
588	{636DF0F4-B44B-4fac-8A69-CE2C95229C30}.exe
984	{B1F32DF2-D8CE-4235-BC1D-151AA6DD1E17}.exe
2548	{CCB87554-02E6-4195-9331-77CEF00D8C14}.exe
2800	{3D777A68-ECFC-4892-9637-26F52F6B0B75}.exe
2924	{66A40D46-F786-4e5b-BD20-352AFB99CB70}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CCB87554-02E6-4195-9331-77CEF00D8C14}.exe	{B1F32DF2-D8CE-4235-BC1D-151AA6DD1E17}.exe
File created	C:\Windows\{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe
File created	C:\Windows\{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe	{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe
File created	C:\Windows\{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe	{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe
File created	C:\Windows\{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe	{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe
File created	C:\Windows\{636DF0F4-B44B-4fac-8A69-CE2C95229C30}.exe	{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe
File created	C:\Windows\{66A40D46-F786-4e5b-BD20-352AFB99CB70}.exe	{3D777A68-ECFC-4892-9637-26F52F6B0B75}.exe
File created	C:\Windows\{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe	{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe
File created	C:\Windows\{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe	{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe
File created	C:\Windows\{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe	{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe
File created	C:\Windows\{B1F32DF2-D8CE-4235-BC1D-151AA6DD1E17}.exe	{636DF0F4-B44B-4fac-8A69-CE2C95229C30}.exe
File created	C:\Windows\{3D777A68-ECFC-4892-9637-26F52F6B0B75}.exe	{CCB87554-02E6-4195-9331-77CEF00D8C14}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1968	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2532	{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe
Token: SeIncBasePriorityPrivilege	2964	{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe
Token: SeIncBasePriorityPrivilege	2868	{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe
Token: SeIncBasePriorityPrivilege	2912	{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe
Token: SeIncBasePriorityPrivilege	2500	{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe
Token: SeIncBasePriorityPrivilege	2604	{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe
Token: SeIncBasePriorityPrivilege	3040	{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe
Token: SeIncBasePriorityPrivilege	588	{636DF0F4-B44B-4fac-8A69-CE2C95229C30}.exe
Token: SeIncBasePriorityPrivilege	984	{B1F32DF2-D8CE-4235-BC1D-151AA6DD1E17}.exe
Token: SeIncBasePriorityPrivilege	2548	{CCB87554-02E6-4195-9331-77CEF00D8C14}.exe
Token: SeIncBasePriorityPrivilege	2800	{3D777A68-ECFC-4892-9637-26F52F6B0B75}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2532	1968	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe	28
PID 1968 wrote to memory of 2532	1968	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe	28
PID 1968 wrote to memory of 2532	1968	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe	28
PID 1968 wrote to memory of 2532	1968	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe	28
PID 1968 wrote to memory of 2492	1968	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe	29
PID 1968 wrote to memory of 2492	1968	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe	29
PID 1968 wrote to memory of 2492	1968	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe	29
PID 1968 wrote to memory of 2492	1968	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe	29
PID 2532 wrote to memory of 2964	2532	{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe	32
PID 2532 wrote to memory of 2964	2532	{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe	32
PID 2532 wrote to memory of 2964	2532	{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe	32
PID 2532 wrote to memory of 2964	2532	{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe	32
PID 2532 wrote to memory of 2692	2532	{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe	33
PID 2532 wrote to memory of 2692	2532	{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe	33
PID 2532 wrote to memory of 2692	2532	{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe	33
PID 2532 wrote to memory of 2692	2532	{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe	33
PID 2964 wrote to memory of 2868	2964	{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe	34
PID 2964 wrote to memory of 2868	2964	{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe	34
PID 2964 wrote to memory of 2868	2964	{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe	34
PID 2964 wrote to memory of 2868	2964	{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe	34
PID 2964 wrote to memory of 2840	2964	{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe	35
PID 2964 wrote to memory of 2840	2964	{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe	35
PID 2964 wrote to memory of 2840	2964	{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe	35
PID 2964 wrote to memory of 2840	2964	{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe	35
PID 2868 wrote to memory of 2912	2868	{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe	36
PID 2868 wrote to memory of 2912	2868	{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe	36
PID 2868 wrote to memory of 2912	2868	{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe	36
PID 2868 wrote to memory of 2912	2868	{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe	36
PID 2868 wrote to memory of 2696	2868	{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe	37
PID 2868 wrote to memory of 2696	2868	{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe	37
PID 2868 wrote to memory of 2696	2868	{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe	37
PID 2868 wrote to memory of 2696	2868	{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe	37
PID 2912 wrote to memory of 2500	2912	{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe	38
PID 2912 wrote to memory of 2500	2912	{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe	38
PID 2912 wrote to memory of 2500	2912	{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe	38
PID 2912 wrote to memory of 2500	2912	{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe	38
PID 2912 wrote to memory of 2572	2912	{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe	39
PID 2912 wrote to memory of 2572	2912	{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe	39
PID 2912 wrote to memory of 2572	2912	{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe	39
PID 2912 wrote to memory of 2572	2912	{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe	39
PID 2500 wrote to memory of 2604	2500	{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe	40
PID 2500 wrote to memory of 2604	2500	{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe	40
PID 2500 wrote to memory of 2604	2500	{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe	40
PID 2500 wrote to memory of 2604	2500	{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe	40
PID 2500 wrote to memory of 1700	2500	{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe	41
PID 2500 wrote to memory of 1700	2500	{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe	41
PID 2500 wrote to memory of 1700	2500	{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe	41
PID 2500 wrote to memory of 1700	2500	{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe	41
PID 2604 wrote to memory of 3040	2604	{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe	42
PID 2604 wrote to memory of 3040	2604	{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe	42
PID 2604 wrote to memory of 3040	2604	{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe	42
PID 2604 wrote to memory of 3040	2604	{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe	42
PID 2604 wrote to memory of 2856	2604	{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe	43
PID 2604 wrote to memory of 2856	2604	{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe	43
PID 2604 wrote to memory of 2856	2604	{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe	43
PID 2604 wrote to memory of 2856	2604	{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe	43
PID 3040 wrote to memory of 588	3040	{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe	44
PID 3040 wrote to memory of 588	3040	{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe	44
PID 3040 wrote to memory of 588	3040	{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe	44
PID 3040 wrote to memory of 588	3040	{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe	44
PID 3040 wrote to memory of 784	3040	{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe	45
PID 3040 wrote to memory of 784	3040	{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe	45
PID 3040 wrote to memory of 784	3040	{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe	45
PID 3040 wrote to memory of 784	3040	{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe
  C:\Windows\{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe
    C:\Windows\{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe
      C:\Windows\{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe
        
        C:\Windows\{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Windows\{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe
        
        C:\Windows\{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe
        
        C:\Windows\{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe
        
        C:\Windows\{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\{636DF0F4-B44B-4fac-8A69-CE2C95229C30}.exe
        
        C:\Windows\{636DF0F4-B44B-4fac-8A69-CE2C95229C30}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\{B1F32DF2-D8CE-4235-BC1D-151AA6DD1E17}.exe
        
        C:\Windows\{B1F32DF2-D8CE-4235-BC1D-151AA6DD1E17}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
        
        C:\Windows\{CCB87554-02E6-4195-9331-77CEF00D8C14}.exe
        
        C:\Windows\{CCB87554-02E6-4195-9331-77CEF00D8C14}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCB87~1.EXE > nul
        12⤵
        
        PID:2784
        
        C:\Windows\{3D777A68-ECFC-4892-9637-26F52F6B0B75}.exe
        
        C:\Windows\{3D777A68-ECFC-4892-9637-26F52F6B0B75}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\{66A40D46-F786-4e5b-BD20-352AFB99CB70}.exe
        
        C:\Windows\{66A40D46-F786-4e5b-BD20-352AFB99CB70}.exe
        13⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D777~1.EXE > nul
        13⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1F32~1.EXE > nul
        11⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{636DF~1.EXE > nul
        10⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E420B~1.EXE > nul
        9⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD9EB~1.EXE > nul
        8⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FF6F~1.EXE > nul
        7⤵
        
        PID:1700
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAEE9~1.EXE > nul
        6⤵
        
        PID:2572
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FF36~1.EXE > nul
        5⤵
        
        PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7A3C7~1.EXE > nul
      4⤵
      PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ABDC7~1.EXE > nul
    3⤵
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe

Filesize
204KB

MD5
476e3e96b0196b0b24ef3d87ba868132

SHA1
e3b35e0827299e35bceeff7130e20e34918f1408

SHA256
95352ee9946fa2670de0f45e6660c2a4e4db1d32d394307cdb33715c4e11c25e

SHA512
5b3136dc2b19e4da1cd68529b1188ff962c7b4d39bf5b1c294fc90c36ab0dab075022032afe01205558f437a71422aa00d06a437f3d1497bf344af88f00653b5

Download Submit
C:\Windows\{2FF6F465-CE6C-418e-BF32-3E2BD20159E1}.exe

Filesize
204KB

MD5
476e3e96b0196b0b24ef3d87ba868132

SHA1
e3b35e0827299e35bceeff7130e20e34918f1408

SHA256
95352ee9946fa2670de0f45e6660c2a4e4db1d32d394307cdb33715c4e11c25e

SHA512
5b3136dc2b19e4da1cd68529b1188ff962c7b4d39bf5b1c294fc90c36ab0dab075022032afe01205558f437a71422aa00d06a437f3d1497bf344af88f00653b5

Download Submit
C:\Windows\{3D777A68-ECFC-4892-9637-26F52F6B0B75}.exe

Filesize
204KB

MD5
66fbcca23254d7e156d66f22bc9201f5

SHA1
ad034a95dc8a2e6749c00c03ff25ea2c8366faa7

SHA256
f77a3f157856a25bc31a7a5c80194bab7e0c6bc59e59492529d3623e0e58202e

SHA512
2d238446b954d9933955bdd513a12b1396618fd51de714af1ea860a96f413a7c73051b37dd3a2c7c2d6801983c5c5c39645034d23725d4400a87417bb076ccdf

Download Submit
C:\Windows\{3D777A68-ECFC-4892-9637-26F52F6B0B75}.exe

Filesize
204KB

MD5
66fbcca23254d7e156d66f22bc9201f5

SHA1
ad034a95dc8a2e6749c00c03ff25ea2c8366faa7

SHA256
f77a3f157856a25bc31a7a5c80194bab7e0c6bc59e59492529d3623e0e58202e

SHA512
2d238446b954d9933955bdd513a12b1396618fd51de714af1ea860a96f413a7c73051b37dd3a2c7c2d6801983c5c5c39645034d23725d4400a87417bb076ccdf

Download Submit
C:\Windows\{636DF0F4-B44B-4fac-8A69-CE2C95229C30}.exe

Filesize
204KB

MD5
980ecea2ea852dbd47f9f167d5ded0d9

SHA1
f1d9ec89045d73d32fed15d47496341aa0ae6c9e

SHA256
3dc332bc2f565e4bfc5b92550228852be6f8903adafbaa0a147a0eff6eab5304

SHA512
7319961073d50deb27eb17120656143c7b680359e7548976ee05ead693e3fae5a81c723aa36f69c970693be46d89fc5359b35d3af0f4ab9c9e6f64da2792b169

Download Submit
C:\Windows\{636DF0F4-B44B-4fac-8A69-CE2C95229C30}.exe

Filesize
204KB

MD5
980ecea2ea852dbd47f9f167d5ded0d9

SHA1
f1d9ec89045d73d32fed15d47496341aa0ae6c9e

SHA256
3dc332bc2f565e4bfc5b92550228852be6f8903adafbaa0a147a0eff6eab5304

SHA512
7319961073d50deb27eb17120656143c7b680359e7548976ee05ead693e3fae5a81c723aa36f69c970693be46d89fc5359b35d3af0f4ab9c9e6f64da2792b169

Download Submit
C:\Windows\{66A40D46-F786-4e5b-BD20-352AFB99CB70}.exe

Filesize
204KB

MD5
35aaa155105369cf86fe951bcc6672a9

SHA1
ebc2f501b501ea8aa1d12b23618c049179bc0f83

SHA256
892cd4b95e88ef0849ee4b1f736e1a46af4d7ed4372e2e60c5f1f69518962a07

SHA512
de4c1160edfe29e13bc0d3b8b318148b6fd41ef49f5d12d384ddd5e1d926bccc0caf6dc6c9c120d7f00137f9801b083eb627bbfbb2932621cb524e842d98753c

Download Submit
C:\Windows\{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe

Filesize
204KB

MD5
d2866c14dfb72d8e223bdcf233e1125a

SHA1
216da3189c809a3a097ab1d5918923cb3e28ceb7

SHA256
eb65465754b437f904db56eede57bca7318f62508cabb519b853c85097ac0493

SHA512
ac1ace2ed5a5aec02f10932068721f6a419c3f2dbf50fd596ff0195d80288302e2f8a121df4533e0e2585199132312db976c0b0f101dc1ca4e6d7fe529653b41

Download Submit
C:\Windows\{7A3C7D38-0EF0-4c4e-A7FD-B73582164FCC}.exe

Filesize
204KB

MD5
d2866c14dfb72d8e223bdcf233e1125a

SHA1
216da3189c809a3a097ab1d5918923cb3e28ceb7

SHA256
eb65465754b437f904db56eede57bca7318f62508cabb519b853c85097ac0493

SHA512
ac1ace2ed5a5aec02f10932068721f6a419c3f2dbf50fd596ff0195d80288302e2f8a121df4533e0e2585199132312db976c0b0f101dc1ca4e6d7fe529653b41

Download Submit
C:\Windows\{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe

Filesize
204KB

MD5
34d25f9348d4af946eba286fc98d39d9

SHA1
39d9b4d5548b667c40b14c64f539733eb4273544

SHA256
bb774b6355bb52eb7f8640af5de70aafff505b130a4f55c27f5260a9553b9cb1

SHA512
415c0164b5c28813f4989c700541bb4d97a491c1aefa8861a1ad7be6d4a38b05e79846e057bdfdf019dfade2bcf7a66476e498c1205d99a54b0718f54a91ca60

Download Submit
C:\Windows\{7FF36E83-E4E5-40db-A3C3-1AB9CE7BC94D}.exe

Filesize
204KB

MD5
34d25f9348d4af946eba286fc98d39d9

SHA1
39d9b4d5548b667c40b14c64f539733eb4273544

SHA256
bb774b6355bb52eb7f8640af5de70aafff505b130a4f55c27f5260a9553b9cb1

SHA512
415c0164b5c28813f4989c700541bb4d97a491c1aefa8861a1ad7be6d4a38b05e79846e057bdfdf019dfade2bcf7a66476e498c1205d99a54b0718f54a91ca60

Download Submit
C:\Windows\{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe

Filesize
204KB

MD5
1827a8f8ffc7dd6b546c373a95ff053c

SHA1
17bc940cbba4a51410b76f6fd423872ec2b54e86

SHA256
9dc7a0f75d6d355d8bee23c776df5fe68de0df3cbedd2ee0c66f7bfd431217f6

SHA512
e4e30dc5afcedfc47f7a214ad8e146f059d2feb7b79a620f9783c45bb2e8f89cc9b4dde0bc8a3d91ec1e378b5230308936e78586d477db2cb644cea5a843e581

Download Submit
C:\Windows\{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe

Filesize
204KB

MD5
1827a8f8ffc7dd6b546c373a95ff053c

SHA1
17bc940cbba4a51410b76f6fd423872ec2b54e86

SHA256
9dc7a0f75d6d355d8bee23c776df5fe68de0df3cbedd2ee0c66f7bfd431217f6

SHA512
e4e30dc5afcedfc47f7a214ad8e146f059d2feb7b79a620f9783c45bb2e8f89cc9b4dde0bc8a3d91ec1e378b5230308936e78586d477db2cb644cea5a843e581

Download Submit
C:\Windows\{ABDC79C5-169D-434f-9413-93A9DEFB24F2}.exe

Filesize
204KB

MD5
1827a8f8ffc7dd6b546c373a95ff053c

SHA1
17bc940cbba4a51410b76f6fd423872ec2b54e86

SHA256
9dc7a0f75d6d355d8bee23c776df5fe68de0df3cbedd2ee0c66f7bfd431217f6

SHA512
e4e30dc5afcedfc47f7a214ad8e146f059d2feb7b79a620f9783c45bb2e8f89cc9b4dde0bc8a3d91ec1e378b5230308936e78586d477db2cb644cea5a843e581

Download Submit
C:\Windows\{B1F32DF2-D8CE-4235-BC1D-151AA6DD1E17}.exe

Filesize
204KB

MD5
ebcf6bb6a667db3be437b7a3284848d3

SHA1
8f625e21b72063eda60854952b2f2b3089e78944

SHA256
c59f8e758e98c6cc5d7af91116853a45a6e9828ecf0c04a08f7b9156b90f21a2

SHA512
425b39c160758e0462fd8b6ac86d8711a6a565a496d180454c095a738d5284ead269f5851ef8be70f887eb55ecb2749a7c8fb7093e94ba63819396d4b979411e

Download Submit
C:\Windows\{B1F32DF2-D8CE-4235-BC1D-151AA6DD1E17}.exe

Filesize
204KB

MD5
ebcf6bb6a667db3be437b7a3284848d3

SHA1
8f625e21b72063eda60854952b2f2b3089e78944

SHA256
c59f8e758e98c6cc5d7af91116853a45a6e9828ecf0c04a08f7b9156b90f21a2

SHA512
425b39c160758e0462fd8b6ac86d8711a6a565a496d180454c095a738d5284ead269f5851ef8be70f887eb55ecb2749a7c8fb7093e94ba63819396d4b979411e

Download Submit
C:\Windows\{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe

Filesize
204KB

MD5
c5798c6197d0e6f7fdf22b3f71acaefd

SHA1
6ee287226edb395afffd4d2f74d102f47d466d22

SHA256
6ff9e755caf5a45f6b1862a5a02028772bf54f29bd0d0367af0af3a2957f73ce

SHA512
a145f01dc84f67dc3d4eb3df49990a49273be88615487d94c3a66db52248b73248ba051d030fb006fc4442cd572bf3b7cca832b9cd52025e38c17de22a6f0862

Download Submit
C:\Windows\{CAEE9AC8-5B5B-476b-B6BA-2506AAEA0341}.exe

Filesize
204KB

MD5
c5798c6197d0e6f7fdf22b3f71acaefd

SHA1
6ee287226edb395afffd4d2f74d102f47d466d22

SHA256
6ff9e755caf5a45f6b1862a5a02028772bf54f29bd0d0367af0af3a2957f73ce

SHA512
a145f01dc84f67dc3d4eb3df49990a49273be88615487d94c3a66db52248b73248ba051d030fb006fc4442cd572bf3b7cca832b9cd52025e38c17de22a6f0862

Download Submit
C:\Windows\{CCB87554-02E6-4195-9331-77CEF00D8C14}.exe

Filesize
204KB

MD5
2d258ff21ad921cb87efa7c4630c8738

SHA1
7e3fe0de1f6c01d742c3a9bbce6a860545c37243

SHA256
dd497a508acaf8913ce98f33ef81e3e0a86c205073b37195411eac5df6394296

SHA512
194b133eea91a622a368a495a29b2512b0a90d05d404c90c99dcfb6462532bb3f6ab208bd4215001bac1dcda508d5e8f54f0f1c56ac44bfcb701d3d09e415880

Download Submit
C:\Windows\{CCB87554-02E6-4195-9331-77CEF00D8C14}.exe

Filesize
204KB

MD5
2d258ff21ad921cb87efa7c4630c8738

SHA1
7e3fe0de1f6c01d742c3a9bbce6a860545c37243

SHA256
dd497a508acaf8913ce98f33ef81e3e0a86c205073b37195411eac5df6394296

SHA512
194b133eea91a622a368a495a29b2512b0a90d05d404c90c99dcfb6462532bb3f6ab208bd4215001bac1dcda508d5e8f54f0f1c56ac44bfcb701d3d09e415880

Download Submit
C:\Windows\{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe

Filesize
204KB

MD5
349039bb69368f7eb094a199cff6bed1

SHA1
c29470eb2b8ca3f3e7c938145950db5dd4629c13

SHA256
2d2f4138e329ab2bc728e320e34773aaa6209898a55d6be9351b9c974f2ad7a9

SHA512
dcf31464d4c9c49002bdb984a2c00a2f35d6aaf218b4406471b85a19831473e0cf0fb2d80cd8433c144b9da269105b5b9724040917adb8b9559105fd9531a865

Download Submit
C:\Windows\{CD9EB9AE-EE27-43fb-A55D-BD32F81869D8}.exe

Filesize
204KB

MD5
349039bb69368f7eb094a199cff6bed1

SHA1
c29470eb2b8ca3f3e7c938145950db5dd4629c13

SHA256
2d2f4138e329ab2bc728e320e34773aaa6209898a55d6be9351b9c974f2ad7a9

SHA512
dcf31464d4c9c49002bdb984a2c00a2f35d6aaf218b4406471b85a19831473e0cf0fb2d80cd8433c144b9da269105b5b9724040917adb8b9559105fd9531a865

Download Submit
C:\Windows\{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe

Filesize
204KB

MD5
cbee813403ca7c7ee3325484d49fc68e

SHA1
ec66b41097b66048b809702fb90cbfaa7b89e62b

SHA256
4a838023f838f23bc85c5829994e77dcca26a8e30f9610d23b932ef37d010b2c

SHA512
19287cc1adfc40b227f7e9bbf572fad784aec38584a126d6da32b1817b9a483a4efbd557a07c48a68dccb8a13f7dbe40a1c7fe7c20641dc8373769e8277278b2

Download Submit
C:\Windows\{E420BAFE-0C63-43c1-8FE5-E8B0FF8C3777}.exe

Filesize
204KB

MD5
cbee813403ca7c7ee3325484d49fc68e

SHA1
ec66b41097b66048b809702fb90cbfaa7b89e62b

SHA256
4a838023f838f23bc85c5829994e77dcca26a8e30f9610d23b932ef37d010b2c

SHA512
19287cc1adfc40b227f7e9bbf572fad784aec38584a126d6da32b1817b9a483a4efbd557a07c48a68dccb8a13f7dbe40a1c7fe7c20641dc8373769e8277278b2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads