d9e0ba45cf90e2128c0f2bc98c24a3de20d4e88a4ffec5b0cda4dfcbf4edf4c0

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23-10-2023 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-06_3f496d12128d4dc64d342aac7b9a6df4_goldeneye_JC.exe
Size

372KB
MD5

3f496d12128d4dc64d342aac7b9a6df4
SHA1

d64858fce829fefa77ad2616a4f2ab26d8d8aeaf
SHA256

d9e0ba45cf90e2128c0f2bc98c24a3de20d4e88a4ffec5b0cda4dfcbf4edf4c0
SHA512

bf830b0fd4ef2742be8e9d4e06588d30b85d46acbec57574a4c2305e52c6df023805c2c015f40caf38471ea03647fecdcbeb50bf369f2ffbb5ab8400f27cffc5
SSDEEP

3072:CEGh0oOmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGJl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BC2E093-B26E-4626-930C-C60DD819B5CC}\stubpath = "C:\\Windows\\{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe"	{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87F46619-3BCE-457b-AE46-A848B68B8942}	{3C7AF6DC-2710-41b1-80BE-76153A023437}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C0B6585-6439-4b0c-8549-93CEAA735E74}\stubpath = "C:\\Windows\\{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe"	{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}	{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2B4682E-28FD-4e88-8EF3-E7789217345C}\stubpath = "C:\\Windows\\{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe"	{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03B70B5C-13D9-4ad7-9382-D31E42365909}	{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BC2E093-B26E-4626-930C-C60DD819B5CC}	{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A807D65E-8D7A-4ad1-B35C-8E7ED61EEB0A}\stubpath = "C:\\Windows\\{A807D65E-8D7A-4ad1-B35C-8E7ED61EEB0A}.exe"	{87F46619-3BCE-457b-AE46-A848B68B8942}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}\stubpath = "C:\\Windows\\{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe"	{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}\stubpath = "C:\\Windows\\{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe"	{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2B4682E-28FD-4e88-8EF3-E7789217345C}	{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03B70B5C-13D9-4ad7-9382-D31E42365909}\stubpath = "C:\\Windows\\{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe"	{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C7AF6DC-2710-41b1-80BE-76153A023437}	{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87F46619-3BCE-457b-AE46-A848B68B8942}\stubpath = "C:\\Windows\\{87F46619-3BCE-457b-AE46-A848B68B8942}.exe"	{3C7AF6DC-2710-41b1-80BE-76153A023437}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2224F7C1-E8AF-4da3-A03B-F753FC2FF7B5}\stubpath = "C:\\Windows\\{2224F7C1-E8AF-4da3-A03B-F753FC2FF7B5}.exe"	{A807D65E-8D7A-4ad1-B35C-8E7ED61EEB0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}	NEAS.2023-09-06_3f496d12128d4dc64d342aac7b9a6df4_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}\stubpath = "C:\\Windows\\{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe"	NEAS.2023-09-06_3f496d12128d4dc64d342aac7b9a6df4_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C0B6585-6439-4b0c-8549-93CEAA735E74}	{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2224F7C1-E8AF-4da3-A03B-F753FC2FF7B5}	{A807D65E-8D7A-4ad1-B35C-8E7ED61EEB0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}	{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C7AF6DC-2710-41b1-80BE-76153A023437}\stubpath = "C:\\Windows\\{3C7AF6DC-2710-41b1-80BE-76153A023437}.exe"	{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A807D65E-8D7A-4ad1-B35C-8E7ED61EEB0A}	{87F46619-3BCE-457b-AE46-A848B68B8942}.exe

Deletes itself 1 IoCs

pid	Process
2320	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2400	{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe
2836	{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe
1868	{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe
2728	{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe
2580	{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe
2256	{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe
2548	{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe
3060	{3C7AF6DC-2710-41b1-80BE-76153A023437}.exe
2756	{87F46619-3BCE-457b-AE46-A848B68B8942}.exe
2092	{A807D65E-8D7A-4ad1-B35C-8E7ED61EEB0A}.exe
2944	{2224F7C1-E8AF-4da3-A03B-F753FC2FF7B5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe	{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe
File created	C:\Windows\{87F46619-3BCE-457b-AE46-A848B68B8942}.exe	{3C7AF6DC-2710-41b1-80BE-76153A023437}.exe
File created	C:\Windows\{2224F7C1-E8AF-4da3-A03B-F753FC2FF7B5}.exe	{A807D65E-8D7A-4ad1-B35C-8E7ED61EEB0A}.exe
File created	C:\Windows\{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe	NEAS.2023-09-06_3f496d12128d4dc64d342aac7b9a6df4_goldeneye_JC.exe
File created	C:\Windows\{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe	{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe
File created	C:\Windows\{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe	{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe
File created	C:\Windows\{3C7AF6DC-2710-41b1-80BE-76153A023437}.exe	{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe
File created	C:\Windows\{A807D65E-8D7A-4ad1-B35C-8E7ED61EEB0A}.exe	{87F46619-3BCE-457b-AE46-A848B68B8942}.exe
File created	C:\Windows\{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe	{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe
File created	C:\Windows\{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe	{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe
File created	C:\Windows\{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe	{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2336	NEAS.2023-09-06_3f496d12128d4dc64d342aac7b9a6df4_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2400	{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe
Token: SeIncBasePriorityPrivilege	2836	{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe
Token: SeIncBasePriorityPrivilege	1868	{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe
Token: SeIncBasePriorityPrivilege	2728	{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe
Token: SeIncBasePriorityPrivilege	2580	{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe
Token: SeIncBasePriorityPrivilege	2256	{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe
Token: SeIncBasePriorityPrivilege	2548	{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe
Token: SeIncBasePriorityPrivilege	3060	{3C7AF6DC-2710-41b1-80BE-76153A023437}.exe
Token: SeIncBasePriorityPrivilege	2756	{87F46619-3BCE-457b-AE46-A848B68B8942}.exe
Token: SeIncBasePriorityPrivilege	2092	{A807D65E-8D7A-4ad1-B35C-8E7ED61EEB0A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2400	2336	NEAS.2023-09-06_3f496d12128d4dc64d342aac7b9a6df4_goldeneye_JC.exe	28
PID 2336 wrote to memory of 2400	2336	NEAS.2023-09-06_3f496d12128d4dc64d342aac7b9a6df4_goldeneye_JC.exe	28
PID 2336 wrote to memory of 2400	2336	NEAS.2023-09-06_3f496d12128d4dc64d342aac7b9a6df4_goldeneye_JC.exe	28
PID 2336 wrote to memory of 2400	2336	NEAS.2023-09-06_3f496d12128d4dc64d342aac7b9a6df4_goldeneye_JC.exe	28
PID 2336 wrote to memory of 2320	2336	NEAS.2023-09-06_3f496d12128d4dc64d342aac7b9a6df4_goldeneye_JC.exe	29
PID 2336 wrote to memory of 2320	2336	NEAS.2023-09-06_3f496d12128d4dc64d342aac7b9a6df4_goldeneye_JC.exe	29
PID 2336 wrote to memory of 2320	2336	NEAS.2023-09-06_3f496d12128d4dc64d342aac7b9a6df4_goldeneye_JC.exe	29
PID 2336 wrote to memory of 2320	2336	NEAS.2023-09-06_3f496d12128d4dc64d342aac7b9a6df4_goldeneye_JC.exe	29
PID 2400 wrote to memory of 2836	2400	{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe	30
PID 2400 wrote to memory of 2836	2400	{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe	30
PID 2400 wrote to memory of 2836	2400	{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe	30
PID 2400 wrote to memory of 2836	2400	{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe	30
PID 2400 wrote to memory of 2964	2400	{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe	31
PID 2400 wrote to memory of 2964	2400	{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe	31
PID 2400 wrote to memory of 2964	2400	{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe	31
PID 2400 wrote to memory of 2964	2400	{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe	31
PID 2836 wrote to memory of 1868	2836	{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe	33
PID 2836 wrote to memory of 1868	2836	{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe	33
PID 2836 wrote to memory of 1868	2836	{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe	33
PID 2836 wrote to memory of 1868	2836	{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe	33
PID 2836 wrote to memory of 2568	2836	{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe	32
PID 2836 wrote to memory of 2568	2836	{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe	32
PID 2836 wrote to memory of 2568	2836	{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe	32
PID 2836 wrote to memory of 2568	2836	{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe	32
PID 1868 wrote to memory of 2728	1868	{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe	36
PID 1868 wrote to memory of 2728	1868	{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe	36
PID 1868 wrote to memory of 2728	1868	{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe	36
PID 1868 wrote to memory of 2728	1868	{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe	36
PID 1868 wrote to memory of 2560	1868	{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe	37
PID 1868 wrote to memory of 2560	1868	{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe	37
PID 1868 wrote to memory of 2560	1868	{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe	37
PID 1868 wrote to memory of 2560	1868	{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe	37
PID 2728 wrote to memory of 2580	2728	{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe	38
PID 2728 wrote to memory of 2580	2728	{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe	38
PID 2728 wrote to memory of 2580	2728	{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe	38
PID 2728 wrote to memory of 2580	2728	{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe	38
PID 2728 wrote to memory of 2636	2728	{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe	39
PID 2728 wrote to memory of 2636	2728	{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe	39
PID 2728 wrote to memory of 2636	2728	{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe	39
PID 2728 wrote to memory of 2636	2728	{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe	39
PID 2580 wrote to memory of 2256	2580	{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe	40
PID 2580 wrote to memory of 2256	2580	{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe	40
PID 2580 wrote to memory of 2256	2580	{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe	40
PID 2580 wrote to memory of 2256	2580	{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe	40
PID 2580 wrote to memory of 1636	2580	{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe	41
PID 2580 wrote to memory of 1636	2580	{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe	41
PID 2580 wrote to memory of 1636	2580	{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe	41
PID 2580 wrote to memory of 1636	2580	{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe	41
PID 2256 wrote to memory of 2548	2256	{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe	42
PID 2256 wrote to memory of 2548	2256	{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe	42
PID 2256 wrote to memory of 2548	2256	{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe	42
PID 2256 wrote to memory of 2548	2256	{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe	42
PID 2256 wrote to memory of 3056	2256	{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe	43
PID 2256 wrote to memory of 3056	2256	{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe	43
PID 2256 wrote to memory of 3056	2256	{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe	43
PID 2256 wrote to memory of 3056	2256	{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe	43
PID 2548 wrote to memory of 3060	2548	{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe	44
PID 2548 wrote to memory of 3060	2548	{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe	44
PID 2548 wrote to memory of 3060	2548	{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe	44
PID 2548 wrote to memory of 3060	2548	{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe	44
PID 2548 wrote to memory of 1680	2548	{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe	45
PID 2548 wrote to memory of 1680	2548	{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe	45
PID 2548 wrote to memory of 1680	2548	{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe	45
PID 2548 wrote to memory of 1680	2548	{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-06_3f496d12128d4dc64d342aac7b9a6df4_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-06_3f496d12128d4dc64d342aac7b9a6df4_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe
  C:\Windows\{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe
    C:\Windows\{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1C0B6~1.EXE > nul
      4⤵
      PID:2568
  - - C:\Windows\{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe
      C:\Windows\{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Windows\{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe
        
        C:\Windows\{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Windows\{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe
        
        C:\Windows\{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe
        
        C:\Windows\{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe
        
        C:\Windows\{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\{3C7AF6DC-2710-41b1-80BE-76153A023437}.exe
        
        C:\Windows\{3C7AF6DC-2710-41b1-80BE-76153A023437}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\{87F46619-3BCE-457b-AE46-A848B68B8942}.exe
        
        C:\Windows\{87F46619-3BCE-457b-AE46-A848B68B8942}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\{A807D65E-8D7A-4ad1-B35C-8E7ED61EEB0A}.exe
        
        C:\Windows\{A807D65E-8D7A-4ad1-B35C-8E7ED61EEB0A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\{2224F7C1-E8AF-4da3-A03B-F753FC2FF7B5}.exe
        
        C:\Windows\{2224F7C1-E8AF-4da3-A03B-F753FC2FF7B5}.exe
        12⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A807D~1.EXE > nul
        12⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87F46~1.EXE > nul
        11⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C7AF~1.EXE > nul
        10⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BC2E~1.EXE > nul
        9⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03B70~1.EXE > nul
        8⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2B46~1.EXE > nul
        7⤵
        
        PID:1636
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6D65~1.EXE > nul
        6⤵
        
        PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CFBF~1.EXE > nul
        5⤵
        
        PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4CA42~1.EXE > nul
    3⤵
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe

Filesize
372KB

MD5
8b4286ae9f04a0d39ea232166dd4b1b9

SHA1
4a03f356370be36afea531a55dadc83d1d979f74

SHA256
f9ee9a44a3419fad244319bd726120ed08e80efbead56346a79d733603ad738d

SHA512
3b273bdd0df2481cd3eb13a64bead5e02be4aafaf3014c77856d2a444d18b6b17eed721a4210117f4b7cabcf1ebdd6a57ea4c45a23b05b712d9da8743e76b2c6

Download Submit
C:\Windows\{03B70B5C-13D9-4ad7-9382-D31E42365909}.exe

Filesize
372KB

MD5
8b4286ae9f04a0d39ea232166dd4b1b9

SHA1
4a03f356370be36afea531a55dadc83d1d979f74

SHA256
f9ee9a44a3419fad244319bd726120ed08e80efbead56346a79d733603ad738d

SHA512
3b273bdd0df2481cd3eb13a64bead5e02be4aafaf3014c77856d2a444d18b6b17eed721a4210117f4b7cabcf1ebdd6a57ea4c45a23b05b712d9da8743e76b2c6

Download Submit
C:\Windows\{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe

Filesize
372KB

MD5
d32147c3eb3e9f66e54a9851274270bd

SHA1
2460990778807908c2124a1683705ce3be9d4b6f

SHA256
3f912e423d6e8c921f68ea95890f98aa2c39cdc0225848a108ba91b8e52d3596

SHA512
bc4fe0181ee70b8d0688361ccaedbf31f06cd8f33b6d9bac759422d51c21ea23ad6fae70b925cb56a36c0eef002e671f6039a78633d6032a90496b9168971434

Download Submit
C:\Windows\{1C0B6585-6439-4b0c-8549-93CEAA735E74}.exe

Filesize
372KB

MD5
d32147c3eb3e9f66e54a9851274270bd

SHA1
2460990778807908c2124a1683705ce3be9d4b6f

SHA256
3f912e423d6e8c921f68ea95890f98aa2c39cdc0225848a108ba91b8e52d3596

SHA512
bc4fe0181ee70b8d0688361ccaedbf31f06cd8f33b6d9bac759422d51c21ea23ad6fae70b925cb56a36c0eef002e671f6039a78633d6032a90496b9168971434

Download Submit
C:\Windows\{2224F7C1-E8AF-4da3-A03B-F753FC2FF7B5}.exe

Filesize
372KB

MD5
79286c37b80dbc3bcd7f4aa55debd586

SHA1
990d22bc3d951e3feffec821d4bf04e0288bb19e

SHA256
2ef33b67be3d26bba29181edc35a8a2451a59709ef28fb660c1a2129e161c565

SHA512
bab8f3ee050b53c21e3fed0e71c69a01776acbbb6a02993b45641a1bce6873d9c6803c51570d0dbc84ff9cbbbef92ae2fc58c12ec44c746034aedf90795ed29d

Download Submit
C:\Windows\{3C7AF6DC-2710-41b1-80BE-76153A023437}.exe

Filesize
372KB

MD5
200955302f9e8e392480e9d33e5742f2

SHA1
71f0cd04d786c2bfcb018959f1c542fb4862876f

SHA256
ec5314971a22ad57cd48db4551f30a88cf7da589cb2686273f57500c145df0a7

SHA512
369b4c60b93635d1f68549d4c6b846d5aa9bedd840e59348e067e82b517861792a7f992927908864f9b276aa08d9c9b306c8a7c19490fc4716d0402a3262f0a1

Download Submit
C:\Windows\{3C7AF6DC-2710-41b1-80BE-76153A023437}.exe

Filesize
372KB

MD5
200955302f9e8e392480e9d33e5742f2

SHA1
71f0cd04d786c2bfcb018959f1c542fb4862876f

SHA256
ec5314971a22ad57cd48db4551f30a88cf7da589cb2686273f57500c145df0a7

SHA512
369b4c60b93635d1f68549d4c6b846d5aa9bedd840e59348e067e82b517861792a7f992927908864f9b276aa08d9c9b306c8a7c19490fc4716d0402a3262f0a1

Download Submit
C:\Windows\{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe

Filesize
372KB

MD5
3ff31639c64af4d71c1f58b2b8a2766d

SHA1
6523233132b99e07b8fc222aa83739aa81816bab

SHA256
534e5b7b286b8635166d48ee4d9cb4a1cef81b17cfdde6d551964793b0ccbe39

SHA512
1b10c1b4971c63ec7a0303d1d215ba9b2a3f3a5c0f248f284e4efe64a54ca9fc01e8e4439fe62eef85a42ca7fe00e019a49c9519f1aa5c2662e63a209bf2d4fc

Download Submit
C:\Windows\{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe

Filesize
372KB

MD5
3ff31639c64af4d71c1f58b2b8a2766d

SHA1
6523233132b99e07b8fc222aa83739aa81816bab

SHA256
534e5b7b286b8635166d48ee4d9cb4a1cef81b17cfdde6d551964793b0ccbe39

SHA512
1b10c1b4971c63ec7a0303d1d215ba9b2a3f3a5c0f248f284e4efe64a54ca9fc01e8e4439fe62eef85a42ca7fe00e019a49c9519f1aa5c2662e63a209bf2d4fc

Download Submit
C:\Windows\{4CA42ABC-75E0-4482-8F9A-247FE714B8BC}.exe

Filesize
372KB

MD5
3ff31639c64af4d71c1f58b2b8a2766d

SHA1
6523233132b99e07b8fc222aa83739aa81816bab

SHA256
534e5b7b286b8635166d48ee4d9cb4a1cef81b17cfdde6d551964793b0ccbe39

SHA512
1b10c1b4971c63ec7a0303d1d215ba9b2a3f3a5c0f248f284e4efe64a54ca9fc01e8e4439fe62eef85a42ca7fe00e019a49c9519f1aa5c2662e63a209bf2d4fc

Download Submit
C:\Windows\{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe

Filesize
372KB

MD5
4bfb4aef81c5d59ae5bd0ba58eabe626

SHA1
e69f6b8d3980d8d9df6a4db2559c3b1b01093423

SHA256
0323890b2f16565ad749077f0060de475cf666f4dde3a03b7a09a9a269a94f01

SHA512
4c5af7d133a3c9a50dcdaca1760640799c11573f0d0f66e50c8bf194edbcf4ef62524381f14952a1f1d7424bb2114a60bced70f7fbb67df2c3fe4f3c3032a632

Download Submit
C:\Windows\{4CFBF326-18FA-4201-A325-1A9DAE0A7F5B}.exe

Filesize
372KB

MD5
4bfb4aef81c5d59ae5bd0ba58eabe626

SHA1
e69f6b8d3980d8d9df6a4db2559c3b1b01093423

SHA256
0323890b2f16565ad749077f0060de475cf666f4dde3a03b7a09a9a269a94f01

SHA512
4c5af7d133a3c9a50dcdaca1760640799c11573f0d0f66e50c8bf194edbcf4ef62524381f14952a1f1d7424bb2114a60bced70f7fbb67df2c3fe4f3c3032a632

Download Submit
C:\Windows\{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe

Filesize
372KB

MD5
eddc2ab17f458dfc099d2cf1c2225f5a

SHA1
87e962b70c93b5db665b6e0dd3aa8353d46ef73d

SHA256
d80076e5af04ef6f242982ae85f285953f661e0853888a4493cf87532386d967

SHA512
97212b7b516ef7e3b60f660dd442e3d81b8c0ab069bc46747762f2dda1285ac91590e838b9d6e1336ad2f32976daf474fa1667184de6939d7e5a514f2f4ab9ba

Download Submit
C:\Windows\{6BC2E093-B26E-4626-930C-C60DD819B5CC}.exe

Filesize
372KB

MD5
eddc2ab17f458dfc099d2cf1c2225f5a

SHA1
87e962b70c93b5db665b6e0dd3aa8353d46ef73d

SHA256
d80076e5af04ef6f242982ae85f285953f661e0853888a4493cf87532386d967

SHA512
97212b7b516ef7e3b60f660dd442e3d81b8c0ab069bc46747762f2dda1285ac91590e838b9d6e1336ad2f32976daf474fa1667184de6939d7e5a514f2f4ab9ba

Download Submit
C:\Windows\{87F46619-3BCE-457b-AE46-A848B68B8942}.exe

Filesize
372KB

MD5
1304feec2f93ed2847ff884714ad5577

SHA1
136283021c38bd6a6c79c9a2aa9b762b80c4e594

SHA256
7a6233545dff7592d8d746387c758668034ea1c3e1f978f9a21fe256cb590a65

SHA512
7f3fac309547aaedae0352833d0061aca95afa194b7ce991e16ba58c8433110b3c57939175bfe61b80e5234140381fb645384709bca31ce4794dd220a64c2eae

Download Submit
C:\Windows\{87F46619-3BCE-457b-AE46-A848B68B8942}.exe

Filesize
372KB

MD5
1304feec2f93ed2847ff884714ad5577

SHA1
136283021c38bd6a6c79c9a2aa9b762b80c4e594

SHA256
7a6233545dff7592d8d746387c758668034ea1c3e1f978f9a21fe256cb590a65

SHA512
7f3fac309547aaedae0352833d0061aca95afa194b7ce991e16ba58c8433110b3c57939175bfe61b80e5234140381fb645384709bca31ce4794dd220a64c2eae

Download Submit
C:\Windows\{A807D65E-8D7A-4ad1-B35C-8E7ED61EEB0A}.exe

Filesize
372KB

MD5
e46fec531c92208448348a4f1d897df8

SHA1
db44edb125632fae274a50580494af91f01466b6

SHA256
8999970f40fb4ed7af8ac14d9df0cc971181f24ba77fa23244ea29739d408dc9

SHA512
6a70583aff8f76462f3f20729a9be9627f4d6fd1dc09031d9012aaa5a621c38dcf25802b86df17efd791b15bb8dfcc96776161c198dd488fef50bc248f43ef44

Download Submit
C:\Windows\{A807D65E-8D7A-4ad1-B35C-8E7ED61EEB0A}.exe

Filesize
372KB

MD5
e46fec531c92208448348a4f1d897df8

SHA1
db44edb125632fae274a50580494af91f01466b6

SHA256
8999970f40fb4ed7af8ac14d9df0cc971181f24ba77fa23244ea29739d408dc9

SHA512
6a70583aff8f76462f3f20729a9be9627f4d6fd1dc09031d9012aaa5a621c38dcf25802b86df17efd791b15bb8dfcc96776161c198dd488fef50bc248f43ef44

Download Submit
C:\Windows\{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe

Filesize
372KB

MD5
485129dd032320721fa58af96e8ee79c

SHA1
aa16d6f005515935151855fbbc2fcaedcd10fdc7

SHA256
49bd5bcc074f7cc12fe8589b59cdaea6991db15b0031d4fe98d707ac74abfed1

SHA512
3341645d85731acd22149cfb7f7df260b0e7a111f61c8bfc9e36053262b77bf54773d11c3df7f11fd5ca8f7ea22119baa39119786a85316c58c18f2a6afd060b

Download Submit
C:\Windows\{C2B4682E-28FD-4e88-8EF3-E7789217345C}.exe

Filesize
372KB

MD5
485129dd032320721fa58af96e8ee79c

SHA1
aa16d6f005515935151855fbbc2fcaedcd10fdc7

SHA256
49bd5bcc074f7cc12fe8589b59cdaea6991db15b0031d4fe98d707ac74abfed1

SHA512
3341645d85731acd22149cfb7f7df260b0e7a111f61c8bfc9e36053262b77bf54773d11c3df7f11fd5ca8f7ea22119baa39119786a85316c58c18f2a6afd060b

Download Submit
C:\Windows\{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe

Filesize
372KB

MD5
dfb55f7490ed90c6d44aeebc477a7f42

SHA1
45807af0ee454874f9973bcda96e8baf383b1a55

SHA256
6087b358c30548fb43181dbaa2cbdf63f389dce69940c209a0c64ea30ceaf9ab

SHA512
d28cc9c6c86854ac79c2f921b95daf8e83ae4d94925b26f2aa99f022e17d82e3a6b9c6cfa59cb13f7989623f543efb1335a7a372349122339d0108203a574ebe

Download Submit
C:\Windows\{E6D65B3B-44F6-4670-A5E7-D768E2DE2E1F}.exe

Filesize
372KB

MD5
dfb55f7490ed90c6d44aeebc477a7f42

SHA1
45807af0ee454874f9973bcda96e8baf383b1a55

SHA256
6087b358c30548fb43181dbaa2cbdf63f389dce69940c209a0c64ea30ceaf9ab

SHA512
d28cc9c6c86854ac79c2f921b95daf8e83ae4d94925b26f2aa99f022e17d82e3a6b9c6cfa59cb13f7989623f543efb1335a7a372349122339d0108203a574ebe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads