c5372bcfac0c6a2004e79d5066b4ea5d2bcf7c928b0ee858b7a99aee7908e8fa

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe
Size

204KB
MD5

b1df2b49a467e951c8f3ca31031daf7c
SHA1

b5eb6864ea7ac424407944365a894c3859c37112
SHA256

c5372bcfac0c6a2004e79d5066b4ea5d2bcf7c928b0ee858b7a99aee7908e8fa
SHA512

4da6d38335887bcc01520f932730cb7a3950592c119b1f8d2dc01312f3e29e417873db21756f49eb0d01deb36edb3d70b10c1e5613523324fb5d591c0d05ac96
SSDEEP

1536:1EGh0oKl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oKl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}\stubpath = "C:\\Windows\\{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe"	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}	{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D09BCE01-A17B-4c13-8F2A-14FF75997B40}	{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE206298-AB5D-4444-9CC0-FF52D9755B87}	{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{692373C3-FCD2-4435-95F4-DAF6D4553ECC}	{CE206298-AB5D-4444-9CC0-FF52D9755B87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}\stubpath = "C:\\Windows\\{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe"	{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59C35734-671D-437f-BE9F-78EF94C2A2C4}\stubpath = "C:\\Windows\\{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe"	{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED075883-BCD3-4dda-9E12-3ECE6DE17437}\stubpath = "C:\\Windows\\{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe"	{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D09BCE01-A17B-4c13-8F2A-14FF75997B40}\stubpath = "C:\\Windows\\{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe"	{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}	{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0712B679-8869-4c23-A3F1-4B5E9A0D2607}	{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0712B679-8869-4c23-A3F1-4B5E9A0D2607}\stubpath = "C:\\Windows\\{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe"	{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{588C347C-6A0A-423b-A60C-B0A1853E5B20}\stubpath = "C:\\Windows\\{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe"	{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED075883-BCD3-4dda-9E12-3ECE6DE17437}	{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}\stubpath = "C:\\Windows\\{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe"	{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{692373C3-FCD2-4435-95F4-DAF6D4553ECC}\stubpath = "C:\\Windows\\{692373C3-FCD2-4435-95F4-DAF6D4553ECC}.exe"	{CE206298-AB5D-4444-9CC0-FF52D9755B87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AD7F0BE-40CB-4bc7-A121-4A0E80FCE9F8}	{692373C3-FCD2-4435-95F4-DAF6D4553ECC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}	{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}\stubpath = "C:\\Windows\\{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe"	{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{588C347C-6A0A-423b-A60C-B0A1853E5B20}	{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59C35734-671D-437f-BE9F-78EF94C2A2C4}	{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE206298-AB5D-4444-9CC0-FF52D9755B87}\stubpath = "C:\\Windows\\{CE206298-AB5D-4444-9CC0-FF52D9755B87}.exe"	{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AD7F0BE-40CB-4bc7-A121-4A0E80FCE9F8}\stubpath = "C:\\Windows\\{8AD7F0BE-40CB-4bc7-A121-4A0E80FCE9F8}.exe"	{692373C3-FCD2-4435-95F4-DAF6D4553ECC}.exe

Executes dropped EXE 12 IoCs

pid	Process
3588	{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe
456	{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe
2216	{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe
3752	{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe
3988	{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe
4792	{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe
1992	{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe
4992	{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe
4044	{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe
4960	{CE206298-AB5D-4444-9CC0-FF52D9755B87}.exe
4048	{692373C3-FCD2-4435-95F4-DAF6D4553ECC}.exe
2060	{8AD7F0BE-40CB-4bc7-A121-4A0E80FCE9F8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CE206298-AB5D-4444-9CC0-FF52D9755B87}.exe	{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe
File created	C:\Windows\{8AD7F0BE-40CB-4bc7-A121-4A0E80FCE9F8}.exe	{692373C3-FCD2-4435-95F4-DAF6D4553ECC}.exe
File created	C:\Windows\{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe
File created	C:\Windows\{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe	{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe
File created	C:\Windows\{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe	{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe
File created	C:\Windows\{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe	{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe
File created	C:\Windows\{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe	{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe
File created	C:\Windows\{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe	{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe
File created	C:\Windows\{692373C3-FCD2-4435-95F4-DAF6D4553ECC}.exe	{CE206298-AB5D-4444-9CC0-FF52D9755B87}.exe
File created	C:\Windows\{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe	{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe
File created	C:\Windows\{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe	{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe
File created	C:\Windows\{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe	{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4960	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3588	{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe
Token: SeIncBasePriorityPrivilege	456	{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe
Token: SeIncBasePriorityPrivilege	2216	{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe
Token: SeIncBasePriorityPrivilege	3752	{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe
Token: SeIncBasePriorityPrivilege	3988	{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe
Token: SeIncBasePriorityPrivilege	4792	{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe
Token: SeIncBasePriorityPrivilege	1992	{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe
Token: SeIncBasePriorityPrivilege	4992	{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe
Token: SeIncBasePriorityPrivilege	4044	{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe
Token: SeIncBasePriorityPrivilege	4960	{CE206298-AB5D-4444-9CC0-FF52D9755B87}.exe
Token: SeIncBasePriorityPrivilege	4048	{692373C3-FCD2-4435-95F4-DAF6D4553ECC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 3588	4960	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe	90
PID 4960 wrote to memory of 3588	4960	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe	90
PID 4960 wrote to memory of 3588	4960	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe	90
PID 4960 wrote to memory of 1380	4960	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe	91
PID 4960 wrote to memory of 1380	4960	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe	91
PID 4960 wrote to memory of 1380	4960	NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe	91
PID 3588 wrote to memory of 456	3588	{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe	92
PID 3588 wrote to memory of 456	3588	{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe	92
PID 3588 wrote to memory of 456	3588	{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe	92
PID 3588 wrote to memory of 5116	3588	{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe	93
PID 3588 wrote to memory of 5116	3588	{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe	93
PID 3588 wrote to memory of 5116	3588	{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe	93
PID 456 wrote to memory of 2216	456	{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe	99
PID 456 wrote to memory of 2216	456	{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe	99
PID 456 wrote to memory of 2216	456	{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe	99
PID 456 wrote to memory of 1828	456	{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe	98
PID 456 wrote to memory of 1828	456	{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe	98
PID 456 wrote to memory of 1828	456	{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe	98
PID 2216 wrote to memory of 3752	2216	{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe	100
PID 2216 wrote to memory of 3752	2216	{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe	100
PID 2216 wrote to memory of 3752	2216	{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe	100
PID 2216 wrote to memory of 1032	2216	{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe	101
PID 2216 wrote to memory of 1032	2216	{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe	101
PID 2216 wrote to memory of 1032	2216	{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe	101
PID 3752 wrote to memory of 3988	3752	{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe	102
PID 3752 wrote to memory of 3988	3752	{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe	102
PID 3752 wrote to memory of 3988	3752	{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe	102
PID 3752 wrote to memory of 3008	3752	{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe	103
PID 3752 wrote to memory of 3008	3752	{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe	103
PID 3752 wrote to memory of 3008	3752	{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe	103
PID 3988 wrote to memory of 4792	3988	{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe	104
PID 3988 wrote to memory of 4792	3988	{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe	104
PID 3988 wrote to memory of 4792	3988	{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe	104
PID 3988 wrote to memory of 884	3988	{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe	105
PID 3988 wrote to memory of 884	3988	{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe	105
PID 3988 wrote to memory of 884	3988	{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe	105
PID 4792 wrote to memory of 1992	4792	{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe	106
PID 4792 wrote to memory of 1992	4792	{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe	106
PID 4792 wrote to memory of 1992	4792	{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe	106
PID 4792 wrote to memory of 1292	4792	{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe	107
PID 4792 wrote to memory of 1292	4792	{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe	107
PID 4792 wrote to memory of 1292	4792	{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe	107
PID 1992 wrote to memory of 4992	1992	{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe	110
PID 1992 wrote to memory of 4992	1992	{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe	110
PID 1992 wrote to memory of 4992	1992	{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe	110
PID 1992 wrote to memory of 4336	1992	{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe	111
PID 1992 wrote to memory of 4336	1992	{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe	111
PID 1992 wrote to memory of 4336	1992	{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe	111
PID 4992 wrote to memory of 4044	4992	{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe	112
PID 4992 wrote to memory of 4044	4992	{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe	112
PID 4992 wrote to memory of 4044	4992	{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe	112
PID 4992 wrote to memory of 4260	4992	{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe	113
PID 4992 wrote to memory of 4260	4992	{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe	113
PID 4992 wrote to memory of 4260	4992	{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe	113
PID 4044 wrote to memory of 4960	4044	{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe	114
PID 4044 wrote to memory of 4960	4044	{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe	114
PID 4044 wrote to memory of 4960	4044	{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe	114
PID 4044 wrote to memory of 3532	4044	{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe	115
PID 4044 wrote to memory of 3532	4044	{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe	115
PID 4044 wrote to memory of 3532	4044	{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe	115
PID 4960 wrote to memory of 4048	4960	{CE206298-AB5D-4444-9CC0-FF52D9755B87}.exe	116
PID 4960 wrote to memory of 4048	4960	{CE206298-AB5D-4444-9CC0-FF52D9755B87}.exe	116
PID 4960 wrote to memory of 4048	4960	{CE206298-AB5D-4444-9CC0-FF52D9755B87}.exe	116
PID 4960 wrote to memory of 3016	4960	{CE206298-AB5D-4444-9CC0-FF52D9755B87}.exe	117

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_b1df2b49a467e951c8f3ca31031daf7c_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe
  C:\Windows\{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe
    C:\Windows\{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5E0A6~1.EXE > nul
      4⤵
      PID:1828
  - - C:\Windows\{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe
      C:\Windows\{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe
        
        C:\Windows\{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3752
      - C:\Windows\{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe
        
        C:\Windows\{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe
        
        C:\Windows\{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe
        
        C:\Windows\{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe
        
        C:\Windows\{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe
        
        C:\Windows\{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\{CE206298-AB5D-4444-9CC0-FF52D9755B87}.exe
        
        C:\Windows\{CE206298-AB5D-4444-9CC0-FF52D9755B87}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\{692373C3-FCD2-4435-95F4-DAF6D4553ECC}.exe
        
        C:\Windows\{692373C3-FCD2-4435-95F4-DAF6D4553ECC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
        
        C:\Windows\{8AD7F0BE-40CB-4bc7-A121-4A0E80FCE9F8}.exe
        
        C:\Windows\{8AD7F0BE-40CB-4bc7-A121-4A0E80FCE9F8}.exe
        13⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69237~1.EXE > nul
        13⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE206~1.EXE > nul
        12⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42DFB~1.EXE > nul
        11⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D09BC~1.EXE > nul
        10⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED075~1.EXE > nul
        9⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59C35~1.EXE > nul
        8⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{588C3~1.EXE > nul
        7⤵
        
        PID:884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0712B~1.EXE > nul
        6⤵
        
        PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DAC4~1.EXE > nul
        5⤵
        
        PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4329B~1.EXE > nul
    3⤵
    PID:5116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe

Filesize
204KB

MD5
871bf66e381dccc1101629da96b18405

SHA1
c948a69213f9e9cbd8666b61ac64bb3a3c39cab4

SHA256
c2a553582037ad459f34e94b15e5c662cb4572002cb494fa08aff1a251f4baf7

SHA512
b6e1b58fff2cc2d13d09a6f83f9b941d35ca75c8595da6a150d5d7b5d46cd2e5966aa63847dd5e79e3c11f23bba0d025533c03cf7eb58595d7bffe52b809d3e5

Download Submit
C:\Windows\{0712B679-8869-4c23-A3F1-4B5E9A0D2607}.exe

Filesize
204KB

MD5
871bf66e381dccc1101629da96b18405

SHA1
c948a69213f9e9cbd8666b61ac64bb3a3c39cab4

SHA256
c2a553582037ad459f34e94b15e5c662cb4572002cb494fa08aff1a251f4baf7

SHA512
b6e1b58fff2cc2d13d09a6f83f9b941d35ca75c8595da6a150d5d7b5d46cd2e5966aa63847dd5e79e3c11f23bba0d025533c03cf7eb58595d7bffe52b809d3e5

Download Submit
C:\Windows\{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe

Filesize
204KB

MD5
97dc2ff58023369ed86ee16d9711fd7b

SHA1
e299c6b938d3e195fc2b691b06153dc6edce7aaa

SHA256
3763ebc928a9941e08882dbf010bc7ef3a1eb563e4b1a2fb66eb21cd499d216f

SHA512
2f1cd6a543419b6230ece867c8a74bae61e2dd530dd1021fec4a74da78a4539b1ffd1430e885082bc82b6c9df8515b345a3f220974b545b4d91252f8c25dbc5d

Download Submit
C:\Windows\{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe

Filesize
204KB

MD5
97dc2ff58023369ed86ee16d9711fd7b

SHA1
e299c6b938d3e195fc2b691b06153dc6edce7aaa

SHA256
3763ebc928a9941e08882dbf010bc7ef3a1eb563e4b1a2fb66eb21cd499d216f

SHA512
2f1cd6a543419b6230ece867c8a74bae61e2dd530dd1021fec4a74da78a4539b1ffd1430e885082bc82b6c9df8515b345a3f220974b545b4d91252f8c25dbc5d

Download Submit
C:\Windows\{0DAC44E5-BAB4-4bb1-89A7-C49594995CD1}.exe

Filesize
204KB

MD5
97dc2ff58023369ed86ee16d9711fd7b

SHA1
e299c6b938d3e195fc2b691b06153dc6edce7aaa

SHA256
3763ebc928a9941e08882dbf010bc7ef3a1eb563e4b1a2fb66eb21cd499d216f

SHA512
2f1cd6a543419b6230ece867c8a74bae61e2dd530dd1021fec4a74da78a4539b1ffd1430e885082bc82b6c9df8515b345a3f220974b545b4d91252f8c25dbc5d

Download Submit
C:\Windows\{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe

Filesize
204KB

MD5
da86908b06a93c5c9beababf54c8b655

SHA1
4a10c18d9184a7b68940e537354e5e8e4c067e7c

SHA256
32da058b5d5e0af601341a61cc4655273a7e9dc425de9c1bb5c3eb56608c2946

SHA512
b5bdc0459267303504d85241659ac8a890bc825cdb85a2b0bf4103cee0e91480af3e96c08b6b16101874acdae6da912004f2ce4de0f56aff359e633999fe57d5

Download Submit
C:\Windows\{42DFBEB5-D0F5-41b2-A90F-FDF247F34D56}.exe

Filesize
204KB

MD5
da86908b06a93c5c9beababf54c8b655

SHA1
4a10c18d9184a7b68940e537354e5e8e4c067e7c

SHA256
32da058b5d5e0af601341a61cc4655273a7e9dc425de9c1bb5c3eb56608c2946

SHA512
b5bdc0459267303504d85241659ac8a890bc825cdb85a2b0bf4103cee0e91480af3e96c08b6b16101874acdae6da912004f2ce4de0f56aff359e633999fe57d5

Download Submit
C:\Windows\{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe

Filesize
204KB

MD5
e18cb1494a4034c615a85fafb3c5192b

SHA1
cbbc1ee5751293b430f47b90a5e52c48b7f80c4f

SHA256
5d300ab7d89ef15be59d4e49362d53a559dba1eeec8086f7a97130e00bf98768

SHA512
009b5adbe2bbc57dd5b8a2109b295de2c447c8a1e45b9080868aab95ad4ab553e4a25da3edea01b92d8f2a5012578e3fc39b9510788858e8270dfef67d22f0b8

Download Submit
C:\Windows\{4329BF18-A8F8-4b57-9D96-F6E7DD3726C0}.exe

Filesize
204KB

MD5
e18cb1494a4034c615a85fafb3c5192b

SHA1
cbbc1ee5751293b430f47b90a5e52c48b7f80c4f

SHA256
5d300ab7d89ef15be59d4e49362d53a559dba1eeec8086f7a97130e00bf98768

SHA512
009b5adbe2bbc57dd5b8a2109b295de2c447c8a1e45b9080868aab95ad4ab553e4a25da3edea01b92d8f2a5012578e3fc39b9510788858e8270dfef67d22f0b8

Download Submit
C:\Windows\{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe

Filesize
204KB

MD5
69059e06f4bf964dc08c1c186674502f

SHA1
1bc846f8d6108fe472271bf46235353b12a394da

SHA256
262a1146fbec43380db4b5aa79b0ba908689b2d998787a99af8c2148f52683b5

SHA512
3eb556e284010c03e81acbfc555e99879b56e5da74183b07d7124a52cb364672ea34c704f513fca8ba1b7305623fc09f72e1700464dbec2d7cd89eceaeb094f9

Download Submit
C:\Windows\{588C347C-6A0A-423b-A60C-B0A1853E5B20}.exe

Filesize
204KB

MD5
69059e06f4bf964dc08c1c186674502f

SHA1
1bc846f8d6108fe472271bf46235353b12a394da

SHA256
262a1146fbec43380db4b5aa79b0ba908689b2d998787a99af8c2148f52683b5

SHA512
3eb556e284010c03e81acbfc555e99879b56e5da74183b07d7124a52cb364672ea34c704f513fca8ba1b7305623fc09f72e1700464dbec2d7cd89eceaeb094f9

Download Submit
C:\Windows\{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe

Filesize
204KB

MD5
9f790dd17bf5508ba5b9e7bb2ed7c1eb

SHA1
34d726fede62d53665a4f4278bd3cd6a270a6b26

SHA256
29b2cf9f0c84ddf11d3be5fd1367d7b19e26e097c1968580a5f0474962c17a98

SHA512
f71b6275c75ba35387f74ca16b9f551b7740b2e62d540852ee1767575a84b9e582dd5791497b02853cd8f9838b519c82cef99dbc69bbf76837afa44b5ccb3760

Download Submit
C:\Windows\{59C35734-671D-437f-BE9F-78EF94C2A2C4}.exe

Filesize
204KB

MD5
9f790dd17bf5508ba5b9e7bb2ed7c1eb

SHA1
34d726fede62d53665a4f4278bd3cd6a270a6b26

SHA256
29b2cf9f0c84ddf11d3be5fd1367d7b19e26e097c1968580a5f0474962c17a98

SHA512
f71b6275c75ba35387f74ca16b9f551b7740b2e62d540852ee1767575a84b9e582dd5791497b02853cd8f9838b519c82cef99dbc69bbf76837afa44b5ccb3760

Download Submit
C:\Windows\{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe

Filesize
204KB

MD5
b9bb891af0793ae0618746a1bc839239

SHA1
184e9ec4d9a54cecb4ac441b83a7c84fb7461833

SHA256
19ae871749ca3dee1ec107f3b54b46c77447d4886843d608f9498dfa91f4dc22

SHA512
0a61b5643794cdf29eaf8f4cbcf3c9a787c441778f6b79a9f4567a6f8ce2deb12bb98ae5198087010b0564e4b50416247979362ee7dd0f41ac47b2e4cec66dd1

Download Submit
C:\Windows\{5E0A6BD4-0C41-4000-85E2-0C2A53497F38}.exe

Filesize
204KB

MD5
b9bb891af0793ae0618746a1bc839239

SHA1
184e9ec4d9a54cecb4ac441b83a7c84fb7461833

SHA256
19ae871749ca3dee1ec107f3b54b46c77447d4886843d608f9498dfa91f4dc22

SHA512
0a61b5643794cdf29eaf8f4cbcf3c9a787c441778f6b79a9f4567a6f8ce2deb12bb98ae5198087010b0564e4b50416247979362ee7dd0f41ac47b2e4cec66dd1

Download Submit
C:\Windows\{692373C3-FCD2-4435-95F4-DAF6D4553ECC}.exe

Filesize
204KB

MD5
58d7f51d974963946d8425caf1a10c20

SHA1
0508f26f14db04d4eeee58a002e35da081dbcba7

SHA256
953749be2a9d2a822c802141b1071861524d63fb920ad0163b8e677b9767b3c7

SHA512
97b4de540d1393d5e30e13d98e618b541b3bc903257919dbc011d1081fedc88a52440bdce39895fd907b5a35fe3417e6e34c132a1272abf889b44481cf8e191c

Download Submit
C:\Windows\{692373C3-FCD2-4435-95F4-DAF6D4553ECC}.exe

Filesize
204KB

MD5
58d7f51d974963946d8425caf1a10c20

SHA1
0508f26f14db04d4eeee58a002e35da081dbcba7

SHA256
953749be2a9d2a822c802141b1071861524d63fb920ad0163b8e677b9767b3c7

SHA512
97b4de540d1393d5e30e13d98e618b541b3bc903257919dbc011d1081fedc88a52440bdce39895fd907b5a35fe3417e6e34c132a1272abf889b44481cf8e191c

Download Submit
C:\Windows\{8AD7F0BE-40CB-4bc7-A121-4A0E80FCE9F8}.exe

Filesize
204KB

MD5
bd478140c57d30e71b2e60c3da1df5fa

SHA1
5a96c512de4fc1dc351c05d1ab1aa7bd79620b8b

SHA256
835f3311fa392663ade05db606211d5b9816d200d34998d22620ad47f5361e5c

SHA512
8a0d0404a45a703b27f5ac9a69286d6a353b3e071a55ae2ffcec2f64b1c20692606c9c5122a8d6e0859dd53af9088e0dbf46dbe8d57a92566c3e8f54208eff89

Download Submit
C:\Windows\{8AD7F0BE-40CB-4bc7-A121-4A0E80FCE9F8}.exe

Filesize
204KB

MD5
bd478140c57d30e71b2e60c3da1df5fa

SHA1
5a96c512de4fc1dc351c05d1ab1aa7bd79620b8b

SHA256
835f3311fa392663ade05db606211d5b9816d200d34998d22620ad47f5361e5c

SHA512
8a0d0404a45a703b27f5ac9a69286d6a353b3e071a55ae2ffcec2f64b1c20692606c9c5122a8d6e0859dd53af9088e0dbf46dbe8d57a92566c3e8f54208eff89

Download Submit
C:\Windows\{CE206298-AB5D-4444-9CC0-FF52D9755B87}.exe

Filesize
204KB

MD5
64023f068bdd032b61bf1e8b332ca3e9

SHA1
f829048f54dfd8eebd00b752995a9e6b6a067fd3

SHA256
ae74d918103fc7ebaa7b44d80ad35d673663c9a9e95af3536aa2f82930cf4cea

SHA512
14df91fe74151d0e480b9ae0e8a6595616880516175303c9a770ce3bb2afe166a2f3b0d2b26f1891f2b3934130c2360641b7ad9f07b09b186677aa7634316097

Download Submit
C:\Windows\{CE206298-AB5D-4444-9CC0-FF52D9755B87}.exe

Filesize
204KB

MD5
64023f068bdd032b61bf1e8b332ca3e9

SHA1
f829048f54dfd8eebd00b752995a9e6b6a067fd3

SHA256
ae74d918103fc7ebaa7b44d80ad35d673663c9a9e95af3536aa2f82930cf4cea

SHA512
14df91fe74151d0e480b9ae0e8a6595616880516175303c9a770ce3bb2afe166a2f3b0d2b26f1891f2b3934130c2360641b7ad9f07b09b186677aa7634316097

Download Submit
C:\Windows\{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe

Filesize
204KB

MD5
490d58ac8e97e1fa5e60533921a1815c

SHA1
1e0954147075747ad75530d0befd367ce0a48939

SHA256
43bedb1f224ee52b1905f2349f380515a6e974f9711c2f85d4ed0de491daec1c

SHA512
98e52ed37e493b247c8774e6ac1ea7d3c1e1d16964a6d7ce4ad146e0e6867597a303eee230707be02188487a69eac788c30fd968b385da96983867f5fd513935

Download Submit
C:\Windows\{D09BCE01-A17B-4c13-8F2A-14FF75997B40}.exe

Filesize
204KB

MD5
490d58ac8e97e1fa5e60533921a1815c

SHA1
1e0954147075747ad75530d0befd367ce0a48939

SHA256
43bedb1f224ee52b1905f2349f380515a6e974f9711c2f85d4ed0de491daec1c

SHA512
98e52ed37e493b247c8774e6ac1ea7d3c1e1d16964a6d7ce4ad146e0e6867597a303eee230707be02188487a69eac788c30fd968b385da96983867f5fd513935

Download Submit
C:\Windows\{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe

Filesize
204KB

MD5
fa59966fbab477004f11c51bea37843f

SHA1
3584f99565605636d260b2dd5a2aa131ae1df621

SHA256
b116f9f94fc955676907eb05457bfce6d55875135eec4ccd4031d5a27052a62e

SHA512
5be4f2a9fe4962282f33ed5c730f3ebf333869af877e23a9041a74b744078811ab581c6af5dff2bc35f8dbaafe56184018af1d51696c788cf08aecb6c6d9e2fe

Download Submit
C:\Windows\{ED075883-BCD3-4dda-9E12-3ECE6DE17437}.exe

Filesize
204KB

MD5
fa59966fbab477004f11c51bea37843f

SHA1
3584f99565605636d260b2dd5a2aa131ae1df621

SHA256
b116f9f94fc955676907eb05457bfce6d55875135eec4ccd4031d5a27052a62e

SHA512
5be4f2a9fe4962282f33ed5c730f3ebf333869af877e23a9041a74b744078811ab581c6af5dff2bc35f8dbaafe56184018af1d51696c788cf08aecb6c6d9e2fe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads