aad782b5502e5a888edc93815834f8ca1caa64eb565c0a87ec607c69ef3fe837

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe
Size

380KB
MD5

24df82d6be9eae5af410f74319310ec8
SHA1

8e3f0cbf90719f3e3c5d3cce21d5592305196d4c
SHA256

aad782b5502e5a888edc93815834f8ca1caa64eb565c0a87ec607c69ef3fe837
SHA512

6b9f01049684a7d75c84720c97ccb6ec3288dc20333c1cc9362aa1de4a4dc9c3d9d14f4c9ac2a607d89b91f3ba1ba2001c4872a6e5b3c8a0714dab2f7922e35f
SSDEEP

3072:mEGh0oylPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGUl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{579B9969-7BBC-419a-BF90-5F9FB19D71AC}\stubpath = "C:\\Windows\\{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe"	{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{472343B9-F1C1-482c-B49F-BC3A9E732442}	{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D364B58C-4CAA-47a7-81ED-212695C74336}\stubpath = "C:\\Windows\\{D364B58C-4CAA-47a7-81ED-212695C74336}.exe"	{D932F633-9820-4907-BA68-3A65499DFDBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F32235C1-DAB8-40b9-94B7-F92184F902CB}	{D364B58C-4CAA-47a7-81ED-212695C74336}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11157D5F-4411-4e8b-8A0B-E1C672E5291A}\stubpath = "C:\\Windows\\{11157D5F-4411-4e8b-8A0B-E1C672E5291A}.exe"	{F32235C1-DAB8-40b9-94B7-F92184F902CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}	{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{472343B9-F1C1-482c-B49F-BC3A9E732442}\stubpath = "C:\\Windows\\{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe"	{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D364B58C-4CAA-47a7-81ED-212695C74336}	{D932F633-9820-4907-BA68-3A65499DFDBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FF16C1E-B1D6-46f1-B641-99252621B1FE}\stubpath = "C:\\Windows\\{0FF16C1E-B1D6-46f1-B641-99252621B1FE}.exe"	{11157D5F-4411-4e8b-8A0B-E1C672E5291A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}\stubpath = "C:\\Windows\\{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe"	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9AFE39C-525B-4b02-A153-489191F66A2B}	{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}\stubpath = "C:\\Windows\\{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe"	{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}\stubpath = "C:\\Windows\\{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe"	{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}	{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D932F633-9820-4907-BA68-3A65499DFDBA}	{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F32235C1-DAB8-40b9-94B7-F92184F902CB}\stubpath = "C:\\Windows\\{F32235C1-DAB8-40b9-94B7-F92184F902CB}.exe"	{D364B58C-4CAA-47a7-81ED-212695C74336}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11157D5F-4411-4e8b-8A0B-E1C672E5291A}	{F32235C1-DAB8-40b9-94B7-F92184F902CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FF16C1E-B1D6-46f1-B641-99252621B1FE}	{11157D5F-4411-4e8b-8A0B-E1C672E5291A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9AFE39C-525B-4b02-A153-489191F66A2B}\stubpath = "C:\\Windows\\{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe"	{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{579B9969-7BBC-419a-BF90-5F9FB19D71AC}	{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}	{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}\stubpath = "C:\\Windows\\{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe"	{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D932F633-9820-4907-BA68-3A65499DFDBA}\stubpath = "C:\\Windows\\{D932F633-9820-4907-BA68-3A65499DFDBA}.exe"	{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4852	{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe
3308	{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe
4568	{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe
1420	{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe
4548	{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe
1876	{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe
2176	{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe
2784	{D932F633-9820-4907-BA68-3A65499DFDBA}.exe
3744	{D364B58C-4CAA-47a7-81ED-212695C74336}.exe
4976	{F32235C1-DAB8-40b9-94B7-F92184F902CB}.exe
2756	{11157D5F-4411-4e8b-8A0B-E1C672E5291A}.exe
1464	{0FF16C1E-B1D6-46f1-B641-99252621B1FE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe	{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe
File created	C:\Windows\{F32235C1-DAB8-40b9-94B7-F92184F902CB}.exe	{D364B58C-4CAA-47a7-81ED-212695C74336}.exe
File created	C:\Windows\{11157D5F-4411-4e8b-8A0B-E1C672E5291A}.exe	{F32235C1-DAB8-40b9-94B7-F92184F902CB}.exe
File created	C:\Windows\{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe
File created	C:\Windows\{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe	{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe
File created	C:\Windows\{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe	{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe
File created	C:\Windows\{D932F633-9820-4907-BA68-3A65499DFDBA}.exe	{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe
File created	C:\Windows\{D364B58C-4CAA-47a7-81ED-212695C74336}.exe	{D932F633-9820-4907-BA68-3A65499DFDBA}.exe
File created	C:\Windows\{0FF16C1E-B1D6-46f1-B641-99252621B1FE}.exe	{11157D5F-4411-4e8b-8A0B-E1C672E5291A}.exe
File created	C:\Windows\{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe	{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe
File created	C:\Windows\{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe	{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe
File created	C:\Windows\{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe	{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3884	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4852	{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe
Token: SeIncBasePriorityPrivilege	3308	{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe
Token: SeIncBasePriorityPrivilege	4568	{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe
Token: SeIncBasePriorityPrivilege	1420	{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe
Token: SeIncBasePriorityPrivilege	4548	{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe
Token: SeIncBasePriorityPrivilege	1876	{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe
Token: SeIncBasePriorityPrivilege	2176	{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe
Token: SeIncBasePriorityPrivilege	2784	{D932F633-9820-4907-BA68-3A65499DFDBA}.exe
Token: SeIncBasePriorityPrivilege	3744	{D364B58C-4CAA-47a7-81ED-212695C74336}.exe
Token: SeIncBasePriorityPrivilege	4976	{F32235C1-DAB8-40b9-94B7-F92184F902CB}.exe
Token: SeIncBasePriorityPrivilege	2756	{11157D5F-4411-4e8b-8A0B-E1C672E5291A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3884 wrote to memory of 4852	3884	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe	84
PID 3884 wrote to memory of 4852	3884	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe	84
PID 3884 wrote to memory of 4852	3884	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe	84
PID 3884 wrote to memory of 1332	3884	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe	85
PID 3884 wrote to memory of 1332	3884	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe	85
PID 3884 wrote to memory of 1332	3884	NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe	85
PID 4852 wrote to memory of 3308	4852	{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe	86
PID 4852 wrote to memory of 3308	4852	{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe	86
PID 4852 wrote to memory of 3308	4852	{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe	86
PID 4852 wrote to memory of 2260	4852	{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe	87
PID 4852 wrote to memory of 2260	4852	{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe	87
PID 4852 wrote to memory of 2260	4852	{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe	87
PID 3308 wrote to memory of 4568	3308	{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe	88
PID 3308 wrote to memory of 4568	3308	{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe	88
PID 3308 wrote to memory of 4568	3308	{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe	88
PID 3308 wrote to memory of 4372	3308	{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe	89
PID 3308 wrote to memory of 4372	3308	{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe	89
PID 3308 wrote to memory of 4372	3308	{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe	89
PID 4568 wrote to memory of 1420	4568	{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe	90
PID 4568 wrote to memory of 1420	4568	{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe	90
PID 4568 wrote to memory of 1420	4568	{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe	90
PID 4568 wrote to memory of 4280	4568	{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe	91
PID 4568 wrote to memory of 4280	4568	{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe	91
PID 4568 wrote to memory of 4280	4568	{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe	91
PID 1420 wrote to memory of 4548	1420	{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe	92
PID 1420 wrote to memory of 4548	1420	{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe	92
PID 1420 wrote to memory of 4548	1420	{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe	92
PID 1420 wrote to memory of 5116	1420	{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe	93
PID 1420 wrote to memory of 5116	1420	{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe	93
PID 1420 wrote to memory of 5116	1420	{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe	93
PID 4548 wrote to memory of 1876	4548	{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe	94
PID 4548 wrote to memory of 1876	4548	{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe	94
PID 4548 wrote to memory of 1876	4548	{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe	94
PID 4548 wrote to memory of 2280	4548	{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe	95
PID 4548 wrote to memory of 2280	4548	{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe	95
PID 4548 wrote to memory of 2280	4548	{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe	95
PID 1876 wrote to memory of 2176	1876	{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe	96
PID 1876 wrote to memory of 2176	1876	{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe	96
PID 1876 wrote to memory of 2176	1876	{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe	96
PID 1876 wrote to memory of 3612	1876	{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe	97
PID 1876 wrote to memory of 3612	1876	{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe	97
PID 1876 wrote to memory of 3612	1876	{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe	97
PID 2176 wrote to memory of 2784	2176	{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe	98
PID 2176 wrote to memory of 2784	2176	{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe	98
PID 2176 wrote to memory of 2784	2176	{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe	98
PID 2176 wrote to memory of 1828	2176	{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe	99
PID 2176 wrote to memory of 1828	2176	{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe	99
PID 2176 wrote to memory of 1828	2176	{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe	99
PID 2784 wrote to memory of 3744	2784	{D932F633-9820-4907-BA68-3A65499DFDBA}.exe	100
PID 2784 wrote to memory of 3744	2784	{D932F633-9820-4907-BA68-3A65499DFDBA}.exe	100
PID 2784 wrote to memory of 3744	2784	{D932F633-9820-4907-BA68-3A65499DFDBA}.exe	100
PID 2784 wrote to memory of 2324	2784	{D932F633-9820-4907-BA68-3A65499DFDBA}.exe	101
PID 2784 wrote to memory of 2324	2784	{D932F633-9820-4907-BA68-3A65499DFDBA}.exe	101
PID 2784 wrote to memory of 2324	2784	{D932F633-9820-4907-BA68-3A65499DFDBA}.exe	101
PID 3744 wrote to memory of 4976	3744	{D364B58C-4CAA-47a7-81ED-212695C74336}.exe	102
PID 3744 wrote to memory of 4976	3744	{D364B58C-4CAA-47a7-81ED-212695C74336}.exe	102
PID 3744 wrote to memory of 4976	3744	{D364B58C-4CAA-47a7-81ED-212695C74336}.exe	102
PID 3744 wrote to memory of 860	3744	{D364B58C-4CAA-47a7-81ED-212695C74336}.exe	103
PID 3744 wrote to memory of 860	3744	{D364B58C-4CAA-47a7-81ED-212695C74336}.exe	103
PID 3744 wrote to memory of 860	3744	{D364B58C-4CAA-47a7-81ED-212695C74336}.exe	103
PID 4976 wrote to memory of 2756	4976	{F32235C1-DAB8-40b9-94B7-F92184F902CB}.exe	104
PID 4976 wrote to memory of 2756	4976	{F32235C1-DAB8-40b9-94B7-F92184F902CB}.exe	104
PID 4976 wrote to memory of 2756	4976	{F32235C1-DAB8-40b9-94B7-F92184F902CB}.exe	104
PID 4976 wrote to memory of 3648	4976	{F32235C1-DAB8-40b9-94B7-F92184F902CB}.exe	105

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_24df82d6be9eae5af410f74319310ec8_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Windows\{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe
  C:\Windows\{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe
    C:\Windows\{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe
      C:\Windows\{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Windows\{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe
        
        C:\Windows\{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1420
      - C:\Windows\{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe
        
        C:\Windows\{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe
        
        C:\Windows\{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe
        
        C:\Windows\{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\{D932F633-9820-4907-BA68-3A65499DFDBA}.exe
        
        C:\Windows\{D932F633-9820-4907-BA68-3A65499DFDBA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{D364B58C-4CAA-47a7-81ED-212695C74336}.exe
        
        C:\Windows\{D364B58C-4CAA-47a7-81ED-212695C74336}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\{F32235C1-DAB8-40b9-94B7-F92184F902CB}.exe
        
        C:\Windows\{F32235C1-DAB8-40b9-94B7-F92184F902CB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\{11157D5F-4411-4e8b-8A0B-E1C672E5291A}.exe
        
        C:\Windows\{11157D5F-4411-4e8b-8A0B-E1C672E5291A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\{0FF16C1E-B1D6-46f1-B641-99252621B1FE}.exe
        
        C:\Windows\{0FF16C1E-B1D6-46f1-B641-99252621B1FE}.exe
        13⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11157~1.EXE > nul
        13⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3223~1.EXE > nul
        12⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D364B~1.EXE > nul
        11⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D932F~1.EXE > nul
        10⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0F14~1.EXE > nul
        9⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47234~1.EXE > nul
        8⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E63E1~1.EXE > nul
        7⤵
        
        PID:2280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{579B9~1.EXE > nul
        6⤵
        
        PID:5116
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA404~1.EXE > nul
        5⤵
        
        PID:4280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F9AFE~1.EXE > nul
      4⤵
      PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3B70F~1.EXE > nul
    3⤵
    PID:2260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FF16C1E-B1D6-46f1-B641-99252621B1FE}.exe

Filesize
380KB

MD5
8e97af58ef74c08c6944b507cdb2c2a2

SHA1
f00d2c24316773b35006e623c78c53543300aca0

SHA256
0d9aa279b98470fad40472141fe3119790c1877d085d1466ce2f26e4294d12a1

SHA512
a9714b663be4c5bfb1eb89ab53ffc5759b4bc098ff7abba69ff88ee1fcc83809b0e9755c8d4a47b379b6a6277a4b28cffa6d81d5de8c34aa28a24c4234629e50

Download Submit
C:\Windows\{0FF16C1E-B1D6-46f1-B641-99252621B1FE}.exe

Filesize
380KB

MD5
8e97af58ef74c08c6944b507cdb2c2a2

SHA1
f00d2c24316773b35006e623c78c53543300aca0

SHA256
0d9aa279b98470fad40472141fe3119790c1877d085d1466ce2f26e4294d12a1

SHA512
a9714b663be4c5bfb1eb89ab53ffc5759b4bc098ff7abba69ff88ee1fcc83809b0e9755c8d4a47b379b6a6277a4b28cffa6d81d5de8c34aa28a24c4234629e50

Download Submit
C:\Windows\{11157D5F-4411-4e8b-8A0B-E1C672E5291A}.exe

Filesize
380KB

MD5
01a5130adbd8080ebe827d9256905470

SHA1
a800d32b9f7ad07caf4ec9c65d542c750f428c5c

SHA256
a6bd8a22f37f2322d163d35041135c11f926dfb7b6a6c61d3c8573879a7be322

SHA512
6901dad2fb9315a9adc91edf561576c9d3bfd68d240cdafd43cfaceb94aac67e334a54972ed4bf870df21bffb1a65c87a7945a74d4ec58cf10426f03c88d23e5

Download Submit
C:\Windows\{11157D5F-4411-4e8b-8A0B-E1C672E5291A}.exe

Filesize
380KB

MD5
01a5130adbd8080ebe827d9256905470

SHA1
a800d32b9f7ad07caf4ec9c65d542c750f428c5c

SHA256
a6bd8a22f37f2322d163d35041135c11f926dfb7b6a6c61d3c8573879a7be322

SHA512
6901dad2fb9315a9adc91edf561576c9d3bfd68d240cdafd43cfaceb94aac67e334a54972ed4bf870df21bffb1a65c87a7945a74d4ec58cf10426f03c88d23e5

Download Submit
C:\Windows\{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe

Filesize
380KB

MD5
c0ad547a94bb5d46a10cf31d967e5e59

SHA1
1ea47f2c7ad3af018f382b44aa60dc0c990dd4a7

SHA256
8a3a0052c3eb6250027f8878bed560676575080f9207f3cdb0a9afb11ba0ecf2

SHA512
6d1fa279cfb0e901da3ac08837019e43c486548878dc6a79be0ab2c150503f11205f36d4de6141d475bc4df41d60e56ee4a685580ebf227fcac13843f7333a80

Download Submit
C:\Windows\{3B70F199-EAFC-45cd-9BF5-4B3BB72DA826}.exe

Filesize
380KB

MD5
c0ad547a94bb5d46a10cf31d967e5e59

SHA1
1ea47f2c7ad3af018f382b44aa60dc0c990dd4a7

SHA256
8a3a0052c3eb6250027f8878bed560676575080f9207f3cdb0a9afb11ba0ecf2

SHA512
6d1fa279cfb0e901da3ac08837019e43c486548878dc6a79be0ab2c150503f11205f36d4de6141d475bc4df41d60e56ee4a685580ebf227fcac13843f7333a80

Download Submit
C:\Windows\{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe

Filesize
380KB

MD5
c8ffa1d5d6841d2e45d05b9e9f527377

SHA1
d4fe714dcda48406c150fa68c3d811b7b0bca7b0

SHA256
60240ad5340f7e819d59f092b0812ce3c7ebc2bc168c8a0147ca768d5d12bc91

SHA512
9754c25d4bc029656b331b14d2c49c20f6f4b87a769dacc42d1c6edfa0a2be01456c1ebefb54c22a4882289b129adabe6139528dded53d4e1e7a3cf1eecbaad9

Download Submit
C:\Windows\{472343B9-F1C1-482c-B49F-BC3A9E732442}.exe

Filesize
380KB

MD5
c8ffa1d5d6841d2e45d05b9e9f527377

SHA1
d4fe714dcda48406c150fa68c3d811b7b0bca7b0

SHA256
60240ad5340f7e819d59f092b0812ce3c7ebc2bc168c8a0147ca768d5d12bc91

SHA512
9754c25d4bc029656b331b14d2c49c20f6f4b87a769dacc42d1c6edfa0a2be01456c1ebefb54c22a4882289b129adabe6139528dded53d4e1e7a3cf1eecbaad9

Download Submit
C:\Windows\{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe

Filesize
380KB

MD5
fdff80f29d1477ae6ea3d046016c11ff

SHA1
2b02a97f7dbdc10e1e5cacfafeaf579dfeb671a2

SHA256
b6332d6f7e15d596821c48eb12d0e21fdb98173903f72325c443405f99f887b5

SHA512
b419f0f4a3af3d09d276f968f4b6b36e0dcae7eb3b2dc5160ea9a7b8d228708d06190f405a381ab8d8a7d2b750f6bf2e98c811715f66ef5c9b05f4ae0a705884

Download Submit
C:\Windows\{579B9969-7BBC-419a-BF90-5F9FB19D71AC}.exe

Filesize
380KB

MD5
fdff80f29d1477ae6ea3d046016c11ff

SHA1
2b02a97f7dbdc10e1e5cacfafeaf579dfeb671a2

SHA256
b6332d6f7e15d596821c48eb12d0e21fdb98173903f72325c443405f99f887b5

SHA512
b419f0f4a3af3d09d276f968f4b6b36e0dcae7eb3b2dc5160ea9a7b8d228708d06190f405a381ab8d8a7d2b750f6bf2e98c811715f66ef5c9b05f4ae0a705884

Download Submit
C:\Windows\{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe

Filesize
380KB

MD5
db95bdcfe690a8dcbe4a8942eb33eb03

SHA1
31eae29776c072684c958e9fce6801498df2b1eb

SHA256
714280ea2350e486661717fc70e4ca3a6ef62ada495cf2b613661ca91b2ff407

SHA512
1ac46e6a24f75b2f07327379a897d84f5e730b33a9a8292c96aad7afc1e676606e0532fd8af8936a62a3d893a970bd290eb4d2bb7ad888962f57512a1c0f3462

Download Submit
C:\Windows\{D0F142A0-50F5-42c6-A110-B5C0EE6FB13E}.exe

Filesize
380KB

MD5
db95bdcfe690a8dcbe4a8942eb33eb03

SHA1
31eae29776c072684c958e9fce6801498df2b1eb

SHA256
714280ea2350e486661717fc70e4ca3a6ef62ada495cf2b613661ca91b2ff407

SHA512
1ac46e6a24f75b2f07327379a897d84f5e730b33a9a8292c96aad7afc1e676606e0532fd8af8936a62a3d893a970bd290eb4d2bb7ad888962f57512a1c0f3462

Download Submit
C:\Windows\{D364B58C-4CAA-47a7-81ED-212695C74336}.exe

Filesize
380KB

MD5
2f9d5068308c4a810b5b77e9881d0ded

SHA1
00476d2a250b6e939199e13891b0f305134360c8

SHA256
f1cbf9b30e620cc5bb3ac0afd5b0afe665cb92131fb295089e369b9c40f1aa2e

SHA512
9ea1bdd8f51f5704070888f2ee56b30c65f8df2ddf4da25e053e323b9b6692232f92398553306ad3bac614a5312bb92e478988551442dad655826e47cd887995

Download Submit
C:\Windows\{D364B58C-4CAA-47a7-81ED-212695C74336}.exe

Filesize
380KB

MD5
2f9d5068308c4a810b5b77e9881d0ded

SHA1
00476d2a250b6e939199e13891b0f305134360c8

SHA256
f1cbf9b30e620cc5bb3ac0afd5b0afe665cb92131fb295089e369b9c40f1aa2e

SHA512
9ea1bdd8f51f5704070888f2ee56b30c65f8df2ddf4da25e053e323b9b6692232f92398553306ad3bac614a5312bb92e478988551442dad655826e47cd887995

Download Submit
C:\Windows\{D932F633-9820-4907-BA68-3A65499DFDBA}.exe

Filesize
380KB

MD5
a0304a88ef34aac410e758ff6624093f

SHA1
66e7f9535b0929305f76f9929715b807ba875a5b

SHA256
e609c4a69e84116af09836ebc51837866a876b36d678936b128d4ee42e8e2846

SHA512
4339a17da3ebb5c89741ba3fb8aaec27da670bb27728c248292c74c9b7ea325b006463b44ee37d9f0bede029318b941da8e415b0c08b7350223681a113fcb3c4

Download Submit
C:\Windows\{D932F633-9820-4907-BA68-3A65499DFDBA}.exe

Filesize
380KB

MD5
a0304a88ef34aac410e758ff6624093f

SHA1
66e7f9535b0929305f76f9929715b807ba875a5b

SHA256
e609c4a69e84116af09836ebc51837866a876b36d678936b128d4ee42e8e2846

SHA512
4339a17da3ebb5c89741ba3fb8aaec27da670bb27728c248292c74c9b7ea325b006463b44ee37d9f0bede029318b941da8e415b0c08b7350223681a113fcb3c4

Download Submit
C:\Windows\{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe

Filesize
380KB

MD5
fe5bc981f29a3617681a2442310eaf86

SHA1
31455ee7ec89dd899076943c133a050c5b180dae

SHA256
655dc906dc035b4f72080f0ee68f81a57b548f1b1451e15882a5214a1a98c27a

SHA512
8880ef6efc913adf7165e14d03a4e970885327c5f3932df4950b748181abc7aa3c5507c10a5a4732f141464a4ca7c333a435b09a96be45ee2642bdba04f691cf

Download Submit
C:\Windows\{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe

Filesize
380KB

MD5
fe5bc981f29a3617681a2442310eaf86

SHA1
31455ee7ec89dd899076943c133a050c5b180dae

SHA256
655dc906dc035b4f72080f0ee68f81a57b548f1b1451e15882a5214a1a98c27a

SHA512
8880ef6efc913adf7165e14d03a4e970885327c5f3932df4950b748181abc7aa3c5507c10a5a4732f141464a4ca7c333a435b09a96be45ee2642bdba04f691cf

Download Submit
C:\Windows\{DA4041AD-CCC9-44eb-8294-0C6F3AE41FA2}.exe

Filesize
380KB

MD5
fe5bc981f29a3617681a2442310eaf86

SHA1
31455ee7ec89dd899076943c133a050c5b180dae

SHA256
655dc906dc035b4f72080f0ee68f81a57b548f1b1451e15882a5214a1a98c27a

SHA512
8880ef6efc913adf7165e14d03a4e970885327c5f3932df4950b748181abc7aa3c5507c10a5a4732f141464a4ca7c333a435b09a96be45ee2642bdba04f691cf

Download Submit
C:\Windows\{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe

Filesize
380KB

MD5
003c7d32b8448f4ea8793f07650b6752

SHA1
4947c70318c480738376d516c1190b4980b33ec9

SHA256
94de467bd6ac435a314f18e909508f58c5f084d83a39c8f493e79c5aa40ca165

SHA512
0c9e9ac52449ee7b2c96c210882c8315ec30301924aa002d625c94919cebbd7e60dbeb063452ed6c207cf922b54cc2aa70d0080dedf0f26340856cb7c07dc933

Download Submit
C:\Windows\{E63E113E-5C6C-474d-BE3E-EB60BB4482D7}.exe

Filesize
380KB

MD5
003c7d32b8448f4ea8793f07650b6752

SHA1
4947c70318c480738376d516c1190b4980b33ec9

SHA256
94de467bd6ac435a314f18e909508f58c5f084d83a39c8f493e79c5aa40ca165

SHA512
0c9e9ac52449ee7b2c96c210882c8315ec30301924aa002d625c94919cebbd7e60dbeb063452ed6c207cf922b54cc2aa70d0080dedf0f26340856cb7c07dc933

Download Submit
C:\Windows\{F32235C1-DAB8-40b9-94B7-F92184F902CB}.exe

Filesize
380KB

MD5
4036ae89500df6e6489a64a3b449caa5

SHA1
7e7f038ffc73d385c4560caed8652a1665e2cadf

SHA256
353b9b90a2d741b56ab2a85e8e10269423e48eae688cdab92c73f5c49250d8d9

SHA512
045370ccef153a68ce0d0a1c00d95961b9ce51bd31a76531d9ad9bea67a0c89add5784800e0076b2e3804b5827c730908cda2232469c796a2ee769fd7d387cc4

Download Submit
C:\Windows\{F32235C1-DAB8-40b9-94B7-F92184F902CB}.exe

Filesize
380KB

MD5
4036ae89500df6e6489a64a3b449caa5

SHA1
7e7f038ffc73d385c4560caed8652a1665e2cadf

SHA256
353b9b90a2d741b56ab2a85e8e10269423e48eae688cdab92c73f5c49250d8d9

SHA512
045370ccef153a68ce0d0a1c00d95961b9ce51bd31a76531d9ad9bea67a0c89add5784800e0076b2e3804b5827c730908cda2232469c796a2ee769fd7d387cc4

Download Submit
C:\Windows\{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe

Filesize
380KB

MD5
f396d65649dc793f0398a7643b77b3c7

SHA1
f33abf503f158fb4819d613920080477fd699381

SHA256
31a13ff87b92c5f907022fea564877e69574e936b9690ee17442b381ae3aaea3

SHA512
83dabbcf87908ed6b9f8c462fe42e7a8de13c7d2c1d8682b1ec8cfca3c3e18fa4e46021431cbb82ea16937d64699ff035f630add41cbf142533258cfc249c3fa

Download Submit
C:\Windows\{F9AFE39C-525B-4b02-A153-489191F66A2B}.exe

Filesize
380KB

MD5
f396d65649dc793f0398a7643b77b3c7

SHA1
f33abf503f158fb4819d613920080477fd699381

SHA256
31a13ff87b92c5f907022fea564877e69574e936b9690ee17442b381ae3aaea3

SHA512
83dabbcf87908ed6b9f8c462fe42e7a8de13c7d2c1d8682b1ec8cfca3c3e18fa4e46021431cbb82ea16937d64699ff035f630add41cbf142533258cfc249c3fa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads