aad782b5502e5a888edc93815834f8ca1caa64eb565c0a87ec607c69ef3fe837

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
23-10-2023 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe
Size

380KB
MD5

24df82d6be9eae5af410f74319310ec8
SHA1

8e3f0cbf90719f3e3c5d3cce21d5592305196d4c
SHA256

aad782b5502e5a888edc93815834f8ca1caa64eb565c0a87ec607c69ef3fe837
SHA512

6b9f01049684a7d75c84720c97ccb6ec3288dc20333c1cc9362aa1de4a4dc9c3d9d14f4c9ac2a607d89b91f3ba1ba2001c4872a6e5b3c8a0714dab2f7922e35f
SSDEEP

3072:mEGh0oylPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGUl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}\stubpath = "C:\\Windows\\{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe"	{FF5270A2-9902-4868-9A18-547A11138A28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F42FCDB-C096-4198-99AD-D8808560E931}	{594548B6-AB65-4faf-9745-B27D35B77A06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}\stubpath = "C:\\Windows\\{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe"	{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}	{FF5270A2-9902-4868-9A18-547A11138A28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}	{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF5270A2-9902-4868-9A18-547A11138A28}	{C613F74F-B230-4557-87BC-DBFACA761B54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E86A042C-03E0-4224-81FF-72D147C04193}	{3DEF90BE-0829-44a8-A4A6-2BF5F8FC0396}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{594548B6-AB65-4faf-9745-B27D35B77A06}\stubpath = "C:\\Windows\\{594548B6-AB65-4faf-9745-B27D35B77A06}.exe"	{E86A042C-03E0-4224-81FF-72D147C04193}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}\stubpath = "C:\\Windows\\{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe"	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8C8E6C6-3064-433e-B6C5-61987D9205DD}	{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8C8E6C6-3064-433e-B6C5-61987D9205DD}\stubpath = "C:\\Windows\\{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe"	{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A262C05-89A1-4070-9430-D572BA29EE28}	{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A262C05-89A1-4070-9430-D572BA29EE28}\stubpath = "C:\\Windows\\{0A262C05-89A1-4070-9430-D572BA29EE28}.exe"	{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{594548B6-AB65-4faf-9745-B27D35B77A06}	{E86A042C-03E0-4224-81FF-72D147C04193}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DEF90BE-0829-44a8-A4A6-2BF5F8FC0396}	{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DEF90BE-0829-44a8-A4A6-2BF5F8FC0396}\stubpath = "C:\\Windows\\{3DEF90BE-0829-44a8-A4A6-2BF5F8FC0396}.exe"	{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E86A042C-03E0-4224-81FF-72D147C04193}\stubpath = "C:\\Windows\\{E86A042C-03E0-4224-81FF-72D147C04193}.exe"	{3DEF90BE-0829-44a8-A4A6-2BF5F8FC0396}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F42FCDB-C096-4198-99AD-D8808560E931}\stubpath = "C:\\Windows\\{0F42FCDB-C096-4198-99AD-D8808560E931}.exe"	{594548B6-AB65-4faf-9745-B27D35B77A06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C613F74F-B230-4557-87BC-DBFACA761B54}	{0A262C05-89A1-4070-9430-D572BA29EE28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C613F74F-B230-4557-87BC-DBFACA761B54}\stubpath = "C:\\Windows\\{C613F74F-B230-4557-87BC-DBFACA761B54}.exe"	{0A262C05-89A1-4070-9430-D572BA29EE28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF5270A2-9902-4868-9A18-547A11138A28}\stubpath = "C:\\Windows\\{FF5270A2-9902-4868-9A18-547A11138A28}.exe"	{C613F74F-B230-4557-87BC-DBFACA761B54}.exe

Deletes itself 1 IoCs

pid	Process
2640	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2104	{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe
2728	{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe
2872	{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe
320	{0A262C05-89A1-4070-9430-D572BA29EE28}.exe
2576	{C613F74F-B230-4557-87BC-DBFACA761B54}.exe
2304	{FF5270A2-9902-4868-9A18-547A11138A28}.exe
656	{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe
2764	{3DEF90BE-0829-44a8-A4A6-2BF5F8FC0396}.exe
1492	{E86A042C-03E0-4224-81FF-72D147C04193}.exe
2904	{594548B6-AB65-4faf-9745-B27D35B77A06}.exe
1640	{0F42FCDB-C096-4198-99AD-D8808560E931}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe	{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe
File created	C:\Windows\{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe	{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe
File created	C:\Windows\{FF5270A2-9902-4868-9A18-547A11138A28}.exe	{C613F74F-B230-4557-87BC-DBFACA761B54}.exe
File created	C:\Windows\{3DEF90BE-0829-44a8-A4A6-2BF5F8FC0396}.exe	{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe
File created	C:\Windows\{594548B6-AB65-4faf-9745-B27D35B77A06}.exe	{E86A042C-03E0-4224-81FF-72D147C04193}.exe
File created	C:\Windows\{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe
File created	C:\Windows\{0A262C05-89A1-4070-9430-D572BA29EE28}.exe	{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe
File created	C:\Windows\{C613F74F-B230-4557-87BC-DBFACA761B54}.exe	{0A262C05-89A1-4070-9430-D572BA29EE28}.exe
File created	C:\Windows\{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe	{FF5270A2-9902-4868-9A18-547A11138A28}.exe
File created	C:\Windows\{E86A042C-03E0-4224-81FF-72D147C04193}.exe	{3DEF90BE-0829-44a8-A4A6-2BF5F8FC0396}.exe
File created	C:\Windows\{0F42FCDB-C096-4198-99AD-D8808560E931}.exe	{594548B6-AB65-4faf-9745-B27D35B77A06}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2584	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2104	{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe
Token: SeIncBasePriorityPrivilege	2728	{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe
Token: SeIncBasePriorityPrivilege	2872	{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe
Token: SeIncBasePriorityPrivilege	320	{0A262C05-89A1-4070-9430-D572BA29EE28}.exe
Token: SeIncBasePriorityPrivilege	2576	{C613F74F-B230-4557-87BC-DBFACA761B54}.exe
Token: SeIncBasePriorityPrivilege	2304	{FF5270A2-9902-4868-9A18-547A11138A28}.exe
Token: SeIncBasePriorityPrivilege	656	{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe
Token: SeIncBasePriorityPrivilege	2764	{3DEF90BE-0829-44a8-A4A6-2BF5F8FC0396}.exe
Token: SeIncBasePriorityPrivilege	1492	{E86A042C-03E0-4224-81FF-72D147C04193}.exe
Token: SeIncBasePriorityPrivilege	2904	{594548B6-AB65-4faf-9745-B27D35B77A06}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2104	2584	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe	28
PID 2584 wrote to memory of 2104	2584	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe	28
PID 2584 wrote to memory of 2104	2584	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe	28
PID 2584 wrote to memory of 2104	2584	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe	28
PID 2584 wrote to memory of 2640	2584	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe	29
PID 2584 wrote to memory of 2640	2584	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe	29
PID 2584 wrote to memory of 2640	2584	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe	29
PID 2584 wrote to memory of 2640	2584	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe	29
PID 2104 wrote to memory of 2728	2104	{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe	30
PID 2104 wrote to memory of 2728	2104	{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe	30
PID 2104 wrote to memory of 2728	2104	{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe	30
PID 2104 wrote to memory of 2728	2104	{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe	30
PID 2104 wrote to memory of 2608	2104	{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe	31
PID 2104 wrote to memory of 2608	2104	{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe	31
PID 2104 wrote to memory of 2608	2104	{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe	31
PID 2104 wrote to memory of 2608	2104	{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe	31
PID 2728 wrote to memory of 2872	2728	{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe	34
PID 2728 wrote to memory of 2872	2728	{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe	34
PID 2728 wrote to memory of 2872	2728	{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe	34
PID 2728 wrote to memory of 2872	2728	{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe	34
PID 2728 wrote to memory of 2636	2728	{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe	35
PID 2728 wrote to memory of 2636	2728	{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe	35
PID 2728 wrote to memory of 2636	2728	{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe	35
PID 2728 wrote to memory of 2636	2728	{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe	35
PID 2872 wrote to memory of 320	2872	{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe	36
PID 2872 wrote to memory of 320	2872	{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe	36
PID 2872 wrote to memory of 320	2872	{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe	36
PID 2872 wrote to memory of 320	2872	{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe	36
PID 2872 wrote to memory of 2516	2872	{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe	37
PID 2872 wrote to memory of 2516	2872	{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe	37
PID 2872 wrote to memory of 2516	2872	{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe	37
PID 2872 wrote to memory of 2516	2872	{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe	37
PID 320 wrote to memory of 2576	320	{0A262C05-89A1-4070-9430-D572BA29EE28}.exe	39
PID 320 wrote to memory of 2576	320	{0A262C05-89A1-4070-9430-D572BA29EE28}.exe	39
PID 320 wrote to memory of 2576	320	{0A262C05-89A1-4070-9430-D572BA29EE28}.exe	39
PID 320 wrote to memory of 2576	320	{0A262C05-89A1-4070-9430-D572BA29EE28}.exe	39
PID 320 wrote to memory of 3008	320	{0A262C05-89A1-4070-9430-D572BA29EE28}.exe	38
PID 320 wrote to memory of 3008	320	{0A262C05-89A1-4070-9430-D572BA29EE28}.exe	38
PID 320 wrote to memory of 3008	320	{0A262C05-89A1-4070-9430-D572BA29EE28}.exe	38
PID 320 wrote to memory of 3008	320	{0A262C05-89A1-4070-9430-D572BA29EE28}.exe	38
PID 2576 wrote to memory of 2304	2576	{C613F74F-B230-4557-87BC-DBFACA761B54}.exe	40
PID 2576 wrote to memory of 2304	2576	{C613F74F-B230-4557-87BC-DBFACA761B54}.exe	40
PID 2576 wrote to memory of 2304	2576	{C613F74F-B230-4557-87BC-DBFACA761B54}.exe	40
PID 2576 wrote to memory of 2304	2576	{C613F74F-B230-4557-87BC-DBFACA761B54}.exe	40
PID 2576 wrote to memory of 288	2576	{C613F74F-B230-4557-87BC-DBFACA761B54}.exe	41
PID 2576 wrote to memory of 288	2576	{C613F74F-B230-4557-87BC-DBFACA761B54}.exe	41
PID 2576 wrote to memory of 288	2576	{C613F74F-B230-4557-87BC-DBFACA761B54}.exe	41
PID 2576 wrote to memory of 288	2576	{C613F74F-B230-4557-87BC-DBFACA761B54}.exe	41
PID 2304 wrote to memory of 656	2304	{FF5270A2-9902-4868-9A18-547A11138A28}.exe	42
PID 2304 wrote to memory of 656	2304	{FF5270A2-9902-4868-9A18-547A11138A28}.exe	42
PID 2304 wrote to memory of 656	2304	{FF5270A2-9902-4868-9A18-547A11138A28}.exe	42
PID 2304 wrote to memory of 656	2304	{FF5270A2-9902-4868-9A18-547A11138A28}.exe	42
PID 2304 wrote to memory of 2856	2304	{FF5270A2-9902-4868-9A18-547A11138A28}.exe	43
PID 2304 wrote to memory of 2856	2304	{FF5270A2-9902-4868-9A18-547A11138A28}.exe	43
PID 2304 wrote to memory of 2856	2304	{FF5270A2-9902-4868-9A18-547A11138A28}.exe	43
PID 2304 wrote to memory of 2856	2304	{FF5270A2-9902-4868-9A18-547A11138A28}.exe	43
PID 656 wrote to memory of 2764	656	{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe	44
PID 656 wrote to memory of 2764	656	{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe	44
PID 656 wrote to memory of 2764	656	{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe	44
PID 656 wrote to memory of 2764	656	{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe	44
PID 656 wrote to memory of 2852	656	{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe	45
PID 656 wrote to memory of 2852	656	{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe	45
PID 656 wrote to memory of 2852	656	{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe	45
PID 656 wrote to memory of 2852	656	{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe
  C:\Windows\{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe
    C:\Windows\{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe
      C:\Windows\{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\{0A262C05-89A1-4070-9430-D572BA29EE28}.exe
        
        C:\Windows\{0A262C05-89A1-4070-9430-D572BA29EE28}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A262~1.EXE > nul
        6⤵
        
        PID:3008
      - C:\Windows\{C613F74F-B230-4557-87BC-DBFACA761B54}.exe
        
        C:\Windows\{C613F74F-B230-4557-87BC-DBFACA761B54}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\{FF5270A2-9902-4868-9A18-547A11138A28}.exe
        
        C:\Windows\{FF5270A2-9902-4868-9A18-547A11138A28}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe
        
        C:\Windows\{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\{3DEF90BE-0829-44a8-A4A6-2BF5F8FC0396}.exe
        
        C:\Windows\{3DEF90BE-0829-44a8-A4A6-2BF5F8FC0396}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{E86A042C-03E0-4224-81FF-72D147C04193}.exe
        
        C:\Windows\{E86A042C-03E0-4224-81FF-72D147C04193}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\{594548B6-AB65-4faf-9745-B27D35B77A06}.exe
        
        C:\Windows\{594548B6-AB65-4faf-9745-B27D35B77A06}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59454~1.EXE > nul
        12⤵
        
        PID:1556
        
        C:\Windows\{0F42FCDB-C096-4198-99AD-D8808560E931}.exe
        
        C:\Windows\{0F42FCDB-C096-4198-99AD-D8808560E931}.exe
        12⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E86A0~1.EXE > nul
        11⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DEF9~1.EXE > nul
        10⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{935CE~1.EXE > nul
        9⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF527~1.EXE > nul
        8⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C613F~1.EXE > nul
        7⤵
        
        PID:288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B8AD~1.EXE > nul
        5⤵
        
        PID:2516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D8C8E~1.EXE > nul
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DC018~1.EXE > nul
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A262C05-89A1-4070-9430-D572BA29EE28}.exe

Filesize
380KB

MD5
0fc9a2645b7e0b87ef5c30ee81be1b66

SHA1
482db2e2bdfd723b6f2df387882a9850542f6863

SHA256
51bc4d5a714de0d7fec8dea58798b0c31f42227ea327b065044ea5b1fc518144

SHA512
620fbb172bcac4184485264cfd00201930e97f893dd32678fd98d124a9bd70dc2d37fb8dc5eaf5cb77531f462b385c3986438d1f71d8baa982d21d9ed51a6553

Download Submit
C:\Windows\{0A262C05-89A1-4070-9430-D572BA29EE28}.exe

Filesize
380KB

MD5
0fc9a2645b7e0b87ef5c30ee81be1b66

SHA1
482db2e2bdfd723b6f2df387882a9850542f6863

SHA256
51bc4d5a714de0d7fec8dea58798b0c31f42227ea327b065044ea5b1fc518144

SHA512
620fbb172bcac4184485264cfd00201930e97f893dd32678fd98d124a9bd70dc2d37fb8dc5eaf5cb77531f462b385c3986438d1f71d8baa982d21d9ed51a6553

Download Submit
C:\Windows\{0F42FCDB-C096-4198-99AD-D8808560E931}.exe

Filesize
380KB

MD5
e271c66f9b9f007a0d3b3aec46c62793

SHA1
0767b9cfcceb6e1af09000225a847f0e53a6ca38

SHA256
cc1ed72c40e0ba468cb9d763d3661203e934efac4c4ae81a5cab0d0e8a0dba77

SHA512
d4451c064a928d019cafe1b0f18ed451ccd837a41572f40c046a6da78f6420ff5c0f451c8f9127547459a07d98e17f09fcbd27f21984d8204be30132d4e01125

Download Submit
C:\Windows\{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe

Filesize
380KB

MD5
38d71f9e76fe33b183dc02ba198786ba

SHA1
11e07be259697be0b5e47b616ba20eb63ae7fd4a

SHA256
62f02f3ba0fafe6f1c2973b2cc5d492ce1848b7a543f2f149e059153f176bb66

SHA512
9454f2d4088f6d52287128eea8fa2c12a11648e325c708c7122729ae8b67bac148df1fe1c482875e6cf9e1f0d91b397a707497c0aa92d4f9bf0efe2e13049207

Download Submit
C:\Windows\{2B8AD06E-95A3-4f63-BA89-7A5AE826FB5E}.exe

Filesize
380KB

MD5
38d71f9e76fe33b183dc02ba198786ba

SHA1
11e07be259697be0b5e47b616ba20eb63ae7fd4a

SHA256
62f02f3ba0fafe6f1c2973b2cc5d492ce1848b7a543f2f149e059153f176bb66

SHA512
9454f2d4088f6d52287128eea8fa2c12a11648e325c708c7122729ae8b67bac148df1fe1c482875e6cf9e1f0d91b397a707497c0aa92d4f9bf0efe2e13049207

Download Submit
C:\Windows\{3DEF90BE-0829-44a8-A4A6-2BF5F8FC0396}.exe

Filesize
380KB

MD5
186452027ae6319a83b2607ffb76284e

SHA1
5eb878728a909e8fa35431fafea42aeae8ff4d9f

SHA256
5a460192fcd72b67563a7b1d7b2857f48aeb7137b0991f615de25fd6ea84229d

SHA512
d53330b14a9308e4daaed73e6811e095738acd35eeeca33ef397a521be488379956d09c8042a6974a2cf7b6a472aa6f46ad5fcec1dbb5c55d63b2187385261a6

Download Submit
C:\Windows\{3DEF90BE-0829-44a8-A4A6-2BF5F8FC0396}.exe

Filesize
380KB

MD5
186452027ae6319a83b2607ffb76284e

SHA1
5eb878728a909e8fa35431fafea42aeae8ff4d9f

SHA256
5a460192fcd72b67563a7b1d7b2857f48aeb7137b0991f615de25fd6ea84229d

SHA512
d53330b14a9308e4daaed73e6811e095738acd35eeeca33ef397a521be488379956d09c8042a6974a2cf7b6a472aa6f46ad5fcec1dbb5c55d63b2187385261a6

Download Submit
C:\Windows\{594548B6-AB65-4faf-9745-B27D35B77A06}.exe

Filesize
380KB

MD5
edb98e78145e76ece77c0627df6bb330

SHA1
728d5d9e7d9b40885a4c6a7ab54005a2a9904151

SHA256
d5ee0cbf34e85a160bb91fada0cfb021115b51ec16101e59313d172317e701d8

SHA512
063773bb2510f408a3c146af17f6548ce527a46a46ac9465c42f7dcc04fb9e5ced7882fdefacfade14ae8e0526d87383934ad7b9c46378b5b8a44f3b595f0bba

Download Submit
C:\Windows\{594548B6-AB65-4faf-9745-B27D35B77A06}.exe

Filesize
380KB

MD5
edb98e78145e76ece77c0627df6bb330

SHA1
728d5d9e7d9b40885a4c6a7ab54005a2a9904151

SHA256
d5ee0cbf34e85a160bb91fada0cfb021115b51ec16101e59313d172317e701d8

SHA512
063773bb2510f408a3c146af17f6548ce527a46a46ac9465c42f7dcc04fb9e5ced7882fdefacfade14ae8e0526d87383934ad7b9c46378b5b8a44f3b595f0bba

Download Submit
C:\Windows\{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe

Filesize
380KB

MD5
3e3a96ffbc750689c025d247bef04620

SHA1
75f1ad8b18e9b4c72e6cf45b6f07821d1f4a0af1

SHA256
d0626de215c0e224794ae84fbe5de6a661a56c8ecb4961b568edf293ce08e29e

SHA512
26a7738bbbea09c2676066753401be5052f873655ade6477b070a0616b6899466ffa6d720bd40be9f8449ac3c550f476c931145dc5e0cb30f73578d800061b0a

Download Submit
C:\Windows\{935CEFCA-293F-49d4-A63F-C5FAF2B0EEE4}.exe

Filesize
380KB

MD5
3e3a96ffbc750689c025d247bef04620

SHA1
75f1ad8b18e9b4c72e6cf45b6f07821d1f4a0af1

SHA256
d0626de215c0e224794ae84fbe5de6a661a56c8ecb4961b568edf293ce08e29e

SHA512
26a7738bbbea09c2676066753401be5052f873655ade6477b070a0616b6899466ffa6d720bd40be9f8449ac3c550f476c931145dc5e0cb30f73578d800061b0a

Download Submit
C:\Windows\{C613F74F-B230-4557-87BC-DBFACA761B54}.exe

Filesize
380KB

MD5
25c8737a02dca7c14168f34f42db826a

SHA1
a976d953e44b4fe0dfa8ef2482ed6cbeb0bd6b37

SHA256
cdf676b333adc1786c5a2bde30000f37e70df6f55fede6688599608f1c3c3925

SHA512
a5a97d2cbd03abe928796ad86069078455b05c826bae2fb938f9a816d3e1bddf4e0afa0d8a63c6490873dcf704e8fcd3064776b56429f801058ba1cf6b3bb009

Download Submit
C:\Windows\{C613F74F-B230-4557-87BC-DBFACA761B54}.exe

Filesize
380KB

MD5
25c8737a02dca7c14168f34f42db826a

SHA1
a976d953e44b4fe0dfa8ef2482ed6cbeb0bd6b37

SHA256
cdf676b333adc1786c5a2bde30000f37e70df6f55fede6688599608f1c3c3925

SHA512
a5a97d2cbd03abe928796ad86069078455b05c826bae2fb938f9a816d3e1bddf4e0afa0d8a63c6490873dcf704e8fcd3064776b56429f801058ba1cf6b3bb009

Download Submit
C:\Windows\{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe

Filesize
380KB

MD5
89875bd7b84028099b1cf24440c0b935

SHA1
ec192a8c65722bd5bc328977bb5e51d3046b74a0

SHA256
c06ec3ecc511f078eb0518c92c2de45befd5671f949446cd42cac136baedd12d

SHA512
3efa23ecdccc537d9d88ca0ca2fab32c9bd8d4d2b4a6c4ddaaabb1825823cc0b0b5d737b2e34c3e62cd59e533a4cd86ab4ff84c15b08d22d9d0e3085a0d87e7e

Download Submit
C:\Windows\{D8C8E6C6-3064-433e-B6C5-61987D9205DD}.exe

Filesize
380KB

MD5
89875bd7b84028099b1cf24440c0b935

SHA1
ec192a8c65722bd5bc328977bb5e51d3046b74a0

SHA256
c06ec3ecc511f078eb0518c92c2de45befd5671f949446cd42cac136baedd12d

SHA512
3efa23ecdccc537d9d88ca0ca2fab32c9bd8d4d2b4a6c4ddaaabb1825823cc0b0b5d737b2e34c3e62cd59e533a4cd86ab4ff84c15b08d22d9d0e3085a0d87e7e

Download Submit
C:\Windows\{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe

Filesize
380KB

MD5
1ca311678c313e17a71b5863ebf0be8d

SHA1
2ee878a002ebc107bbf3698dca961d576f543fde

SHA256
23c581101db4067ff731d04ccc69841767675a72e76840160dbb74d4c387cfd0

SHA512
afaefeaf0d6e52caba0d5d71270be5c437e2010deecabcf49863b17915057652d2f66edf5d9b7999a3ef6e539c28fac95608f1d366caf10c84c4a3e2920b80d5

Download Submit
C:\Windows\{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe

Filesize
380KB

MD5
1ca311678c313e17a71b5863ebf0be8d

SHA1
2ee878a002ebc107bbf3698dca961d576f543fde

SHA256
23c581101db4067ff731d04ccc69841767675a72e76840160dbb74d4c387cfd0

SHA512
afaefeaf0d6e52caba0d5d71270be5c437e2010deecabcf49863b17915057652d2f66edf5d9b7999a3ef6e539c28fac95608f1d366caf10c84c4a3e2920b80d5

Download Submit
C:\Windows\{DC0181F6-DCFA-4936-8075-C2BFE5AB5725}.exe

Filesize
380KB

MD5
1ca311678c313e17a71b5863ebf0be8d

SHA1
2ee878a002ebc107bbf3698dca961d576f543fde

SHA256
23c581101db4067ff731d04ccc69841767675a72e76840160dbb74d4c387cfd0

SHA512
afaefeaf0d6e52caba0d5d71270be5c437e2010deecabcf49863b17915057652d2f66edf5d9b7999a3ef6e539c28fac95608f1d366caf10c84c4a3e2920b80d5

Download Submit
C:\Windows\{E86A042C-03E0-4224-81FF-72D147C04193}.exe

Filesize
380KB

MD5
73be8653b84cf61ecfd4b095ddd0757f

SHA1
4455371311f6ca9ca17e2e8a12ee561e3b8320da

SHA256
04425df029ef00dbd4da351f22717d3bc9b7655f970207d3baef5c2aab839638

SHA512
c011d4f8e7731cbcc0876d595ed12ef427cb7a60e0bc6a322a30c990e939b3aa0f3f9e9ac145c7de652913027b1cd09d76f5b94edd2c8880b5805b9c3c099bc1

Download Submit
C:\Windows\{E86A042C-03E0-4224-81FF-72D147C04193}.exe

Filesize
380KB

MD5
73be8653b84cf61ecfd4b095ddd0757f

SHA1
4455371311f6ca9ca17e2e8a12ee561e3b8320da

SHA256
04425df029ef00dbd4da351f22717d3bc9b7655f970207d3baef5c2aab839638

SHA512
c011d4f8e7731cbcc0876d595ed12ef427cb7a60e0bc6a322a30c990e939b3aa0f3f9e9ac145c7de652913027b1cd09d76f5b94edd2c8880b5805b9c3c099bc1

Download Submit
C:\Windows\{FF5270A2-9902-4868-9A18-547A11138A28}.exe

Filesize
380KB

MD5
9c45e544ac175b89fa154aca38de2f12

SHA1
9506e63cd68b91bb6452870a4bf26aee0f463c16

SHA256
3bbb0429617d15eb7d15553403dee01bcf244fc8540162b0e8bbb1d68975cdc0

SHA512
01aa1fcf6100b4e73262e9a72a408c8dbfa0090262b14c6ad4a5b48d6142599bf191d7fdfc9c7b56fdf14dea05ea59b08f835424f08a5ff2d430663f899aa3a7

Download Submit
C:\Windows\{FF5270A2-9902-4868-9A18-547A11138A28}.exe

Filesize
380KB

MD5
9c45e544ac175b89fa154aca38de2f12

SHA1
9506e63cd68b91bb6452870a4bf26aee0f463c16

SHA256
3bbb0429617d15eb7d15553403dee01bcf244fc8540162b0e8bbb1d68975cdc0

SHA512
01aa1fcf6100b4e73262e9a72a408c8dbfa0090262b14c6ad4a5b48d6142599bf191d7fdfc9c7b56fdf14dea05ea59b08f835424f08a5ff2d430663f899aa3a7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads