b8226b80cc041688b327ee5af495333fa4430c65c596267e68e55656398c4b1e

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23-10-2023 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe
Size

380KB
MD5

767115e7e1722ef9f59077aebf1330e9
SHA1

752693689cb2f89145aa98078f4292bd1d1ad6ce
SHA256

b8226b80cc041688b327ee5af495333fa4430c65c596267e68e55656398c4b1e
SHA512

9e3046b0da6b14bd80da28dc9912b68d12528b23d45fa052df88f2b75ae03a480b598cc4789dbf9ff44ed92faa5ff1801f69f96ccdf1856f576a3047ee087a70
SSDEEP

3072:mEGh0oYlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGil7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}\stubpath = "C:\\Windows\\{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe"	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8744A65-7611-45d7-B697-69F49EB3C273}	{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}\stubpath = "C:\\Windows\\{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe"	{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C196AE9B-35EF-482c-B1FD-66DB65CF39D5}\stubpath = "C:\\Windows\\{C196AE9B-35EF-482c-B1FD-66DB65CF39D5}.exe"	{8DE5CF6A-8068-4395-8BEC-F1732BB7AD6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}	{C8744A65-7611-45d7-B697-69F49EB3C273}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C788EA12-E301-4006-9582-70997DAA3132}\stubpath = "C:\\Windows\\{C788EA12-E301-4006-9582-70997DAA3132}.exe"	{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}	{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1168D6B8-ED6E-4083-BE07-1004D0F12840}\stubpath = "C:\\Windows\\{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe"	{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44716B74-CAC5-4d32-AF53-F1E604AACBC2}\stubpath = "C:\\Windows\\{44716B74-CAC5-4d32-AF53-F1E604AACBC2}.exe"	{C196AE9B-35EF-482c-B1FD-66DB65CF39D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57CA849A-B19D-4b75-A03C-D2299135EE7A}\stubpath = "C:\\Windows\\{57CA849A-B19D-4b75-A03C-D2299135EE7A}.exe"	{44716B74-CAC5-4d32-AF53-F1E604AACBC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}\stubpath = "C:\\Windows\\{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe"	{C8744A65-7611-45d7-B697-69F49EB3C273}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}\stubpath = "C:\\Windows\\{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe"	{C788EA12-E301-4006-9582-70997DAA3132}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1168D6B8-ED6E-4083-BE07-1004D0F12840}	{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DE5CF6A-8068-4395-8BEC-F1732BB7AD6C}	{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DE5CF6A-8068-4395-8BEC-F1732BB7AD6C}\stubpath = "C:\\Windows\\{8DE5CF6A-8068-4395-8BEC-F1732BB7AD6C}.exe"	{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57CA849A-B19D-4b75-A03C-D2299135EE7A}	{44716B74-CAC5-4d32-AF53-F1E604AACBC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8744A65-7611-45d7-B697-69F49EB3C273}\stubpath = "C:\\Windows\\{C8744A65-7611-45d7-B697-69F49EB3C273}.exe"	{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C788EA12-E301-4006-9582-70997DAA3132}	{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}	{C788EA12-E301-4006-9582-70997DAA3132}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C196AE9B-35EF-482c-B1FD-66DB65CF39D5}	{8DE5CF6A-8068-4395-8BEC-F1732BB7AD6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44716B74-CAC5-4d32-AF53-F1E604AACBC2}	{C196AE9B-35EF-482c-B1FD-66DB65CF39D5}.exe

Deletes itself 1 IoCs

pid	Process
1588	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2748	{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe
2572	{C8744A65-7611-45d7-B697-69F49EB3C273}.exe
2864	{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe
2612	{C788EA12-E301-4006-9582-70997DAA3132}.exe
2624	{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe
3004	{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe
592	{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe
652	{8DE5CF6A-8068-4395-8BEC-F1732BB7AD6C}.exe
564	{C196AE9B-35EF-482c-B1FD-66DB65CF39D5}.exe
1604	{44716B74-CAC5-4d32-AF53-F1E604AACBC2}.exe
2868	{57CA849A-B19D-4b75-A03C-D2299135EE7A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C8744A65-7611-45d7-B697-69F49EB3C273}.exe	{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe
File created	C:\Windows\{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe	{C8744A65-7611-45d7-B697-69F49EB3C273}.exe
File created	C:\Windows\{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe	{C788EA12-E301-4006-9582-70997DAA3132}.exe
File created	C:\Windows\{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe	{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe
File created	C:\Windows\{C196AE9B-35EF-482c-B1FD-66DB65CF39D5}.exe	{8DE5CF6A-8068-4395-8BEC-F1732BB7AD6C}.exe
File created	C:\Windows\{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe
File created	C:\Windows\{C788EA12-E301-4006-9582-70997DAA3132}.exe	{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe
File created	C:\Windows\{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe	{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe
File created	C:\Windows\{8DE5CF6A-8068-4395-8BEC-F1732BB7AD6C}.exe	{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe
File created	C:\Windows\{44716B74-CAC5-4d32-AF53-F1E604AACBC2}.exe	{C196AE9B-35EF-482c-B1FD-66DB65CF39D5}.exe
File created	C:\Windows\{57CA849A-B19D-4b75-A03C-D2299135EE7A}.exe	{44716B74-CAC5-4d32-AF53-F1E604AACBC2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2064	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2748	{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe
Token: SeIncBasePriorityPrivilege	2572	{C8744A65-7611-45d7-B697-69F49EB3C273}.exe
Token: SeIncBasePriorityPrivilege	2864	{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe
Token: SeIncBasePriorityPrivilege	2612	{C788EA12-E301-4006-9582-70997DAA3132}.exe
Token: SeIncBasePriorityPrivilege	2624	{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe
Token: SeIncBasePriorityPrivilege	3004	{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe
Token: SeIncBasePriorityPrivilege	592	{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe
Token: SeIncBasePriorityPrivilege	652	{8DE5CF6A-8068-4395-8BEC-F1732BB7AD6C}.exe
Token: SeIncBasePriorityPrivilege	564	{C196AE9B-35EF-482c-B1FD-66DB65CF39D5}.exe
Token: SeIncBasePriorityPrivilege	1604	{44716B74-CAC5-4d32-AF53-F1E604AACBC2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2748	2064	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe	28
PID 2064 wrote to memory of 2748	2064	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe	28
PID 2064 wrote to memory of 2748	2064	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe	28
PID 2064 wrote to memory of 2748	2064	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe	28
PID 2064 wrote to memory of 1588	2064	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe	29
PID 2064 wrote to memory of 1588	2064	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe	29
PID 2064 wrote to memory of 1588	2064	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe	29
PID 2064 wrote to memory of 1588	2064	NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe	29
PID 2748 wrote to memory of 2572	2748	{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe	32
PID 2748 wrote to memory of 2572	2748	{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe	32
PID 2748 wrote to memory of 2572	2748	{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe	32
PID 2748 wrote to memory of 2572	2748	{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe	32
PID 2748 wrote to memory of 2760	2748	{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe	33
PID 2748 wrote to memory of 2760	2748	{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe	33
PID 2748 wrote to memory of 2760	2748	{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe	33
PID 2748 wrote to memory of 2760	2748	{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe	33
PID 2572 wrote to memory of 2864	2572	{C8744A65-7611-45d7-B697-69F49EB3C273}.exe	34
PID 2572 wrote to memory of 2864	2572	{C8744A65-7611-45d7-B697-69F49EB3C273}.exe	34
PID 2572 wrote to memory of 2864	2572	{C8744A65-7611-45d7-B697-69F49EB3C273}.exe	34
PID 2572 wrote to memory of 2864	2572	{C8744A65-7611-45d7-B697-69F49EB3C273}.exe	34
PID 2572 wrote to memory of 3020	2572	{C8744A65-7611-45d7-B697-69F49EB3C273}.exe	35
PID 2572 wrote to memory of 3020	2572	{C8744A65-7611-45d7-B697-69F49EB3C273}.exe	35
PID 2572 wrote to memory of 3020	2572	{C8744A65-7611-45d7-B697-69F49EB3C273}.exe	35
PID 2572 wrote to memory of 3020	2572	{C8744A65-7611-45d7-B697-69F49EB3C273}.exe	35
PID 2864 wrote to memory of 2612	2864	{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe	36
PID 2864 wrote to memory of 2612	2864	{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe	36
PID 2864 wrote to memory of 2612	2864	{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe	36
PID 2864 wrote to memory of 2612	2864	{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe	36
PID 2864 wrote to memory of 2560	2864	{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe	37
PID 2864 wrote to memory of 2560	2864	{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe	37
PID 2864 wrote to memory of 2560	2864	{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe	37
PID 2864 wrote to memory of 2560	2864	{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe	37
PID 2612 wrote to memory of 2624	2612	{C788EA12-E301-4006-9582-70997DAA3132}.exe	38
PID 2612 wrote to memory of 2624	2612	{C788EA12-E301-4006-9582-70997DAA3132}.exe	38
PID 2612 wrote to memory of 2624	2612	{C788EA12-E301-4006-9582-70997DAA3132}.exe	38
PID 2612 wrote to memory of 2624	2612	{C788EA12-E301-4006-9582-70997DAA3132}.exe	38
PID 2612 wrote to memory of 2992	2612	{C788EA12-E301-4006-9582-70997DAA3132}.exe	39
PID 2612 wrote to memory of 2992	2612	{C788EA12-E301-4006-9582-70997DAA3132}.exe	39
PID 2612 wrote to memory of 2992	2612	{C788EA12-E301-4006-9582-70997DAA3132}.exe	39
PID 2612 wrote to memory of 2992	2612	{C788EA12-E301-4006-9582-70997DAA3132}.exe	39
PID 2624 wrote to memory of 3004	2624	{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe	40
PID 2624 wrote to memory of 3004	2624	{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe	40
PID 2624 wrote to memory of 3004	2624	{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe	40
PID 2624 wrote to memory of 3004	2624	{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe	40
PID 2624 wrote to memory of 1236	2624	{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe	41
PID 2624 wrote to memory of 1236	2624	{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe	41
PID 2624 wrote to memory of 1236	2624	{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe	41
PID 2624 wrote to memory of 1236	2624	{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe	41
PID 3004 wrote to memory of 592	3004	{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe	42
PID 3004 wrote to memory of 592	3004	{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe	42
PID 3004 wrote to memory of 592	3004	{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe	42
PID 3004 wrote to memory of 592	3004	{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe	42
PID 3004 wrote to memory of 804	3004	{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe	43
PID 3004 wrote to memory of 804	3004	{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe	43
PID 3004 wrote to memory of 804	3004	{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe	43
PID 3004 wrote to memory of 804	3004	{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe	43
PID 592 wrote to memory of 652	592	{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe	44
PID 592 wrote to memory of 652	592	{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe	44
PID 592 wrote to memory of 652	592	{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe	44
PID 592 wrote to memory of 652	592	{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe	44
PID 592 wrote to memory of 1632	592	{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe	45
PID 592 wrote to memory of 1632	592	{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe	45
PID 592 wrote to memory of 1632	592	{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe	45
PID 592 wrote to memory of 1632	592	{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_767115e7e1722ef9f59077aebf1330e9_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe
  C:\Windows\{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\{C8744A65-7611-45d7-B697-69F49EB3C273}.exe
    C:\Windows\{C8744A65-7611-45d7-B697-69F49EB3C273}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe
      C:\Windows\{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\{C788EA12-E301-4006-9582-70997DAA3132}.exe
        
        C:\Windows\{C788EA12-E301-4006-9582-70997DAA3132}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe
        
        C:\Windows\{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe
        
        C:\Windows\{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe
        
        C:\Windows\{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\{8DE5CF6A-8068-4395-8BEC-F1732BB7AD6C}.exe
        
        C:\Windows\{8DE5CF6A-8068-4395-8BEC-F1732BB7AD6C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
        
        C:\Windows\{C196AE9B-35EF-482c-B1FD-66DB65CF39D5}.exe
        
        C:\Windows\{C196AE9B-35EF-482c-B1FD-66DB65CF39D5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\{44716B74-CAC5-4d32-AF53-F1E604AACBC2}.exe
        
        C:\Windows\{44716B74-CAC5-4d32-AF53-F1E604AACBC2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\{57CA849A-B19D-4b75-A03C-D2299135EE7A}.exe
        
        C:\Windows\{57CA849A-B19D-4b75-A03C-D2299135EE7A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44716~1.EXE > nul
        12⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C196A~1.EXE > nul
        11⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DE5C~1.EXE > nul
        10⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1168D~1.EXE > nul
        9⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B00C~1.EXE > nul
        8⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B048~1.EXE > nul
        7⤵
        
        PID:1236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C788E~1.EXE > nul
        6⤵
        
        PID:2992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C684~1.EXE > nul
        5⤵
        
        PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C8744~1.EXE > nul
      4⤵
      PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8BDA3~1.EXE > nul
    3⤵
    PID:2760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe

Filesize
380KB

MD5
f88a3f1ab9f3e93fcf19dada11bae125

SHA1
4af97d37bea0ab71d7c94fcd31e544c94709fa5f

SHA256
318f1b57ebd94558abf12cfb38c4a2c66e2ec344cfd5c58ea54225ff54cd0baf

SHA512
5abfe651af76bbfbc78d0897796b5607de15392af64caa61f47dcea8e263d3b7883743a6bdba635ff5de120f7b23fe124ef781482e97e21b54a0fa9099a77302

Download Submit
C:\Windows\{0B048B5B-5A39-4926-98B5-B7966CB0ABDD}.exe

Filesize
380KB

MD5
f88a3f1ab9f3e93fcf19dada11bae125

SHA1
4af97d37bea0ab71d7c94fcd31e544c94709fa5f

SHA256
318f1b57ebd94558abf12cfb38c4a2c66e2ec344cfd5c58ea54225ff54cd0baf

SHA512
5abfe651af76bbfbc78d0897796b5607de15392af64caa61f47dcea8e263d3b7883743a6bdba635ff5de120f7b23fe124ef781482e97e21b54a0fa9099a77302

Download Submit
C:\Windows\{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe

Filesize
380KB

MD5
9d046cfd5139b6513893f17f6eb92737

SHA1
c3a32ac6557f9917038d622e810f92c438716700

SHA256
e983267d3386493571a21633805a8df0071d616f76791866ea9ab5967e4e3f97

SHA512
23047d566cbd410aabfbd43b75d1d905300d721720af62cb9d6a1d624837cc45fd2b16eb407041fd2233c08cdea169fc5c6231cca155e632fe1824319abd3eca

Download Submit
C:\Windows\{1168D6B8-ED6E-4083-BE07-1004D0F12840}.exe

Filesize
380KB

MD5
9d046cfd5139b6513893f17f6eb92737

SHA1
c3a32ac6557f9917038d622e810f92c438716700

SHA256
e983267d3386493571a21633805a8df0071d616f76791866ea9ab5967e4e3f97

SHA512
23047d566cbd410aabfbd43b75d1d905300d721720af62cb9d6a1d624837cc45fd2b16eb407041fd2233c08cdea169fc5c6231cca155e632fe1824319abd3eca

Download Submit
C:\Windows\{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe

Filesize
380KB

MD5
8ddc78a30b4fa120311ae9e1416f7398

SHA1
4555d770a4bcbeb25ff041e9a27d0c0764633881

SHA256
2323aa43d3627a817776b3f7774a8862637660968248b96a1694908f45510cea

SHA512
5e912da7a93e86a7dbef6b2e2d5e0a0297adf6e78ff100d6880389684f7901abc7305c40780b1cdee5b0a14cadb5cf737d098086ab52e61abfd003b5b8319fa5

Download Submit
C:\Windows\{2B00CE2F-D2BF-4037-8625-CF458FC8CC6F}.exe

Filesize
380KB

MD5
8ddc78a30b4fa120311ae9e1416f7398

SHA1
4555d770a4bcbeb25ff041e9a27d0c0764633881

SHA256
2323aa43d3627a817776b3f7774a8862637660968248b96a1694908f45510cea

SHA512
5e912da7a93e86a7dbef6b2e2d5e0a0297adf6e78ff100d6880389684f7901abc7305c40780b1cdee5b0a14cadb5cf737d098086ab52e61abfd003b5b8319fa5

Download Submit
C:\Windows\{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe

Filesize
380KB

MD5
adef7e7d6196863bd2229d348779e8f1

SHA1
c7c004f2e182ebc61d65328a1ce8f71aa5545c40

SHA256
be5435cd7323acb02bafa8d16aaee8558a91319d6410af3b6a33124c27dd68b6

SHA512
d58c04972b61628e4e3b1ba82a5fca971047841b05ea68bc6ae08b462b5070897776cc3d6a6625662fd2d5a0ddb6209ef2120eecd9ef86fa20220644d5bca987

Download Submit
C:\Windows\{2C684C5C-6390-499e-AA6B-FBEC662BE1AD}.exe

Filesize
380KB

MD5
adef7e7d6196863bd2229d348779e8f1

SHA1
c7c004f2e182ebc61d65328a1ce8f71aa5545c40

SHA256
be5435cd7323acb02bafa8d16aaee8558a91319d6410af3b6a33124c27dd68b6

SHA512
d58c04972b61628e4e3b1ba82a5fca971047841b05ea68bc6ae08b462b5070897776cc3d6a6625662fd2d5a0ddb6209ef2120eecd9ef86fa20220644d5bca987

Download Submit
C:\Windows\{44716B74-CAC5-4d32-AF53-F1E604AACBC2}.exe

Filesize
380KB

MD5
31bb61ac69d7ad8041840fd918adaa93

SHA1
f892f10b9d4d83ffd3daa3d211e8aeb128ab4334

SHA256
ba8dee9a97ce80e23d9c11ec2800a88f226a2033f2ade7682a4909123427a219

SHA512
ce9bde22f20dcfb1316f8947f340483001c8bbec3b2d9f8b8083b0b26cc38d8ee9aad297ec83d12928cbf549cce587dd1547b3de982c3e108325f4e083760da4

Download Submit
C:\Windows\{44716B74-CAC5-4d32-AF53-F1E604AACBC2}.exe

Filesize
380KB

MD5
31bb61ac69d7ad8041840fd918adaa93

SHA1
f892f10b9d4d83ffd3daa3d211e8aeb128ab4334

SHA256
ba8dee9a97ce80e23d9c11ec2800a88f226a2033f2ade7682a4909123427a219

SHA512
ce9bde22f20dcfb1316f8947f340483001c8bbec3b2d9f8b8083b0b26cc38d8ee9aad297ec83d12928cbf549cce587dd1547b3de982c3e108325f4e083760da4

Download Submit
C:\Windows\{57CA849A-B19D-4b75-A03C-D2299135EE7A}.exe

Filesize
380KB

MD5
960a0a4a5d44c92a4703c10aa6e0c26c

SHA1
894567907d6adb6ff39dd06493f42dad807a89a5

SHA256
0a3a989df797e8fe94e2d8448e30c178bd1a1d89fbcc2d5526ae83c7c442507a

SHA512
c4088b3a681ec495df60d31da578f01872a956fef7b8766d9a756897e112fc87e33969560d15b24c5bc7a7e83300a8195976c26e98024ad8dab8b072d42d1ef3

Download Submit
C:\Windows\{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe

Filesize
380KB

MD5
55c6bc728bf172dc527c858ccf9fe14d

SHA1
8b989cad7dde92a79bd1437307c04a298af3b5b5

SHA256
bfff56f4bdb978c9f666d1e6a59b8206555899ecc347d831746f91f622919408

SHA512
cfb3f5ef34540cf40782b86f3e660ca80cd07f2b276b4e4dd5641283f2c0c462c074dbc1b288689a197e1945cd4040600cb8010e573fc1eb71c0bb0fc939b854

Download Submit
C:\Windows\{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe

Filesize
380KB

MD5
55c6bc728bf172dc527c858ccf9fe14d

SHA1
8b989cad7dde92a79bd1437307c04a298af3b5b5

SHA256
bfff56f4bdb978c9f666d1e6a59b8206555899ecc347d831746f91f622919408

SHA512
cfb3f5ef34540cf40782b86f3e660ca80cd07f2b276b4e4dd5641283f2c0c462c074dbc1b288689a197e1945cd4040600cb8010e573fc1eb71c0bb0fc939b854

Download Submit
C:\Windows\{8BDA3AFC-5768-49cf-B0F4-FA824BB5C18E}.exe

Filesize
380KB

MD5
55c6bc728bf172dc527c858ccf9fe14d

SHA1
8b989cad7dde92a79bd1437307c04a298af3b5b5

SHA256
bfff56f4bdb978c9f666d1e6a59b8206555899ecc347d831746f91f622919408

SHA512
cfb3f5ef34540cf40782b86f3e660ca80cd07f2b276b4e4dd5641283f2c0c462c074dbc1b288689a197e1945cd4040600cb8010e573fc1eb71c0bb0fc939b854

Download Submit
C:\Windows\{8DE5CF6A-8068-4395-8BEC-F1732BB7AD6C}.exe

Filesize
380KB

MD5
182b0e4eeaa2cd7557cb71a1ccb2d665

SHA1
91d1eb120578749107ee0e1094825d95e548c005

SHA256
ed81602c92e9200037e64e19c8a21664b214c958059b11ba6b5b9f900dbde7ad

SHA512
265c24c9073ba3c7092a3b778285df28c92bc247584b319568528fec90b813c5afb6597811426c4ddff373fe0f067588ee1191a812e9888816f8c5b4d084ed0d

Download Submit
C:\Windows\{8DE5CF6A-8068-4395-8BEC-F1732BB7AD6C}.exe

Filesize
380KB

MD5
182b0e4eeaa2cd7557cb71a1ccb2d665

SHA1
91d1eb120578749107ee0e1094825d95e548c005

SHA256
ed81602c92e9200037e64e19c8a21664b214c958059b11ba6b5b9f900dbde7ad

SHA512
265c24c9073ba3c7092a3b778285df28c92bc247584b319568528fec90b813c5afb6597811426c4ddff373fe0f067588ee1191a812e9888816f8c5b4d084ed0d

Download Submit
C:\Windows\{C196AE9B-35EF-482c-B1FD-66DB65CF39D5}.exe

Filesize
380KB

MD5
febd84f7a101d1e833803e4c2006da59

SHA1
aff5a75b4ec44676c49d5b648a1d1c6709329600

SHA256
dd9b0172553701ceae9e64ebf0acd8f0e4b7ebcd3d89f184640d1494fd65fe5f

SHA512
4e2de051d36d1999017b0026d56dfa8423b950f26ed51bfffeac97bba471016cd982150587f92c622306288bd037ba45836eb28f1420637047eaf1320b9aabab

Download Submit
C:\Windows\{C196AE9B-35EF-482c-B1FD-66DB65CF39D5}.exe

Filesize
380KB

MD5
febd84f7a101d1e833803e4c2006da59

SHA1
aff5a75b4ec44676c49d5b648a1d1c6709329600

SHA256
dd9b0172553701ceae9e64ebf0acd8f0e4b7ebcd3d89f184640d1494fd65fe5f

SHA512
4e2de051d36d1999017b0026d56dfa8423b950f26ed51bfffeac97bba471016cd982150587f92c622306288bd037ba45836eb28f1420637047eaf1320b9aabab

Download Submit
C:\Windows\{C788EA12-E301-4006-9582-70997DAA3132}.exe

Filesize
380KB

MD5
96f36632b008ea9c2925461ce41e3b09

SHA1
21d7285c8e9a6e95d1422946fcbadcdbc0e50549

SHA256
e105b557eb0628bb346fb24e8d3edbe1a0f8f71ae54b559b00db7844341aabf9

SHA512
e0b34fef0234b2ee2abc31bd2510675dd6c20d2d1386018f60ff27d173418803755b49daaddb2829d3ce1315988f547ee7e819108f1dfec36999508411700e06

Download Submit
C:\Windows\{C788EA12-E301-4006-9582-70997DAA3132}.exe

Filesize
380KB

MD5
96f36632b008ea9c2925461ce41e3b09

SHA1
21d7285c8e9a6e95d1422946fcbadcdbc0e50549

SHA256
e105b557eb0628bb346fb24e8d3edbe1a0f8f71ae54b559b00db7844341aabf9

SHA512
e0b34fef0234b2ee2abc31bd2510675dd6c20d2d1386018f60ff27d173418803755b49daaddb2829d3ce1315988f547ee7e819108f1dfec36999508411700e06

Download Submit
C:\Windows\{C8744A65-7611-45d7-B697-69F49EB3C273}.exe

Filesize
380KB

MD5
15c2157a0d2443b84186afde08fd58af

SHA1
f7c64f47341f71c0c26b0497c9116c0485d3f3d4

SHA256
627fd5f2bc634ad607854c8c0ab0126ab12f66dd62741366aae2791668df3f7b

SHA512
7c9226e9d9785fbe8e179786eb4472fbf6a90b6e175ad32b8b8dc3b4a628f48fc55dc431d463e1c701dcc73c69ad4f6b9891dcd9c9dd77f0c996cb4c48f18411

Download Submit
C:\Windows\{C8744A65-7611-45d7-B697-69F49EB3C273}.exe

Filesize
380KB

MD5
15c2157a0d2443b84186afde08fd58af

SHA1
f7c64f47341f71c0c26b0497c9116c0485d3f3d4

SHA256
627fd5f2bc634ad607854c8c0ab0126ab12f66dd62741366aae2791668df3f7b

SHA512
7c9226e9d9785fbe8e179786eb4472fbf6a90b6e175ad32b8b8dc3b4a628f48fc55dc431d463e1c701dcc73c69ad4f6b9891dcd9c9dd77f0c996cb4c48f18411

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads