8b6c01dc0f2fff884c1f69024fa3838ac015512ea3aee5f697747fe910529c5c

Analysis

max time kernel
159s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-06_a4ab6eda59d7f305851751d448e2ee0b_goldeneye_JC.exe
Size

204KB
MD5

a4ab6eda59d7f305851751d448e2ee0b
SHA1

dd36e107edf35428e0a0f9f916d6384eff8c5d08
SHA256

8b6c01dc0f2fff884c1f69024fa3838ac015512ea3aee5f697747fe910529c5c
SHA512

edda665e9083a573de4166bd6a813ae3ebf094f1095c9dfba48541957fe6ec77bba003a8c57fb2d0c9597b95a91376579593307288b352e0c96ff8777d3a6b08
SSDEEP

1536:1EGh0oZl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oZl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E215E617-6513-4725-ACB6-DEBAD76B5B0A}\stubpath = "C:\\Windows\\{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe"	{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{256480DA-20A2-45b9-A63A-D7FA00603C37}	{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6A2AAB8-25FE-435d-9234-F62732011BE9}	{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{256480DA-20A2-45b9-A63A-D7FA00603C37}\stubpath = "C:\\Windows\\{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe"	{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06064C5F-0ECB-4ca7-AA80-C628320D5995}	{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E013A9B-7870-4e2b-BFD2-5BE8CA41E43F}	{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E013A9B-7870-4e2b-BFD2-5BE8CA41E43F}\stubpath = "C:\\Windows\\{6E013A9B-7870-4e2b-BFD2-5BE8CA41E43F}.exe"	{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}	{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AF452A4-077E-4ec7-AF26-314C8D73A955}\stubpath = "C:\\Windows\\{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe"	{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{749BD971-0A48-4c50-94CF-333A2EDDCA65}\stubpath = "C:\\Windows\\{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe"	{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EC2180F-F3F7-46e9-9363-A188E500DFDC}\stubpath = "C:\\Windows\\{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe"	{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06064C5F-0ECB-4ca7-AA80-C628320D5995}\stubpath = "C:\\Windows\\{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe"	{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}	{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}\stubpath = "C:\\Windows\\{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}.exe"	{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AF452A4-077E-4ec7-AF26-314C8D73A955}	{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{749BD971-0A48-4c50-94CF-333A2EDDCA65}	{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EC2180F-F3F7-46e9-9363-A188E500DFDC}	{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E215E617-6513-4725-ACB6-DEBAD76B5B0A}	{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6A2AAB8-25FE-435d-9234-F62732011BE9}\stubpath = "C:\\Windows\\{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe"	{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D64B35C-3B3D-4132-A51A-01218D0FD18F}	NEAS.2023-09-06_a4ab6eda59d7f305851751d448e2ee0b_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D64B35C-3B3D-4132-A51A-01218D0FD18F}\stubpath = "C:\\Windows\\{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe"	NEAS.2023-09-06_a4ab6eda59d7f305851751d448e2ee0b_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}\stubpath = "C:\\Windows\\{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe"	{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe

Executes dropped EXE 11 IoCs

pid	Process
3828	{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe
1064	{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe
876	{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe
740	{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe
1812	{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe
4900	{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe
1020	{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe
3900	{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe
1648	{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe
4292	{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}.exe
64	{6E013A9B-7870-4e2b-BFD2-5BE8CA41E43F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe	{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe
File created	C:\Windows\{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe	{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe
File created	C:\Windows\{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe	{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe
File created	C:\Windows\{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}.exe	{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe
File created	C:\Windows\{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe	NEAS.2023-09-06_a4ab6eda59d7f305851751d448e2ee0b_goldeneye_JC.exe
File created	C:\Windows\{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe	{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe
File created	C:\Windows\{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe	{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe
File created	C:\Windows\{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe	{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe
File created	C:\Windows\{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe	{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe
File created	C:\Windows\{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe	{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe
File created	C:\Windows\{6E013A9B-7870-4e2b-BFD2-5BE8CA41E43F}.exe	{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3584	NEAS.2023-09-06_a4ab6eda59d7f305851751d448e2ee0b_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3828	{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe
Token: SeIncBasePriorityPrivilege	1064	{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe
Token: SeIncBasePriorityPrivilege	876	{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe
Token: SeIncBasePriorityPrivilege	740	{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe
Token: SeIncBasePriorityPrivilege	1812	{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe
Token: SeIncBasePriorityPrivilege	4900	{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe
Token: SeIncBasePriorityPrivilege	1020	{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe
Token: SeIncBasePriorityPrivilege	3900	{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe
Token: SeIncBasePriorityPrivilege	1648	{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe
Token: SeIncBasePriorityPrivilege	4292	{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 3828	3584	NEAS.2023-09-06_a4ab6eda59d7f305851751d448e2ee0b_goldeneye_JC.exe	84
PID 3584 wrote to memory of 3828	3584	NEAS.2023-09-06_a4ab6eda59d7f305851751d448e2ee0b_goldeneye_JC.exe	84
PID 3584 wrote to memory of 3828	3584	NEAS.2023-09-06_a4ab6eda59d7f305851751d448e2ee0b_goldeneye_JC.exe	84
PID 3584 wrote to memory of 636	3584	NEAS.2023-09-06_a4ab6eda59d7f305851751d448e2ee0b_goldeneye_JC.exe	85
PID 3584 wrote to memory of 636	3584	NEAS.2023-09-06_a4ab6eda59d7f305851751d448e2ee0b_goldeneye_JC.exe	85
PID 3584 wrote to memory of 636	3584	NEAS.2023-09-06_a4ab6eda59d7f305851751d448e2ee0b_goldeneye_JC.exe	85
PID 3828 wrote to memory of 1064	3828	{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe	86
PID 3828 wrote to memory of 1064	3828	{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe	86
PID 3828 wrote to memory of 1064	3828	{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe	86
PID 3828 wrote to memory of 4916	3828	{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe	87
PID 3828 wrote to memory of 4916	3828	{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe	87
PID 3828 wrote to memory of 4916	3828	{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe	87
PID 1064 wrote to memory of 876	1064	{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe	88
PID 1064 wrote to memory of 876	1064	{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe	88
PID 1064 wrote to memory of 876	1064	{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe	88
PID 1064 wrote to memory of 5116	1064	{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe	89
PID 1064 wrote to memory of 5116	1064	{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe	89
PID 1064 wrote to memory of 5116	1064	{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe	89
PID 876 wrote to memory of 740	876	{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe	90
PID 876 wrote to memory of 740	876	{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe	90
PID 876 wrote to memory of 740	876	{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe	90
PID 876 wrote to memory of 1204	876	{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe	91
PID 876 wrote to memory of 1204	876	{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe	91
PID 876 wrote to memory of 1204	876	{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe	91
PID 740 wrote to memory of 1812	740	{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe	92
PID 740 wrote to memory of 1812	740	{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe	92
PID 740 wrote to memory of 1812	740	{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe	92
PID 740 wrote to memory of 336	740	{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe	93
PID 740 wrote to memory of 336	740	{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe	93
PID 740 wrote to memory of 336	740	{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe	93
PID 1812 wrote to memory of 4900	1812	{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe	94
PID 1812 wrote to memory of 4900	1812	{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe	94
PID 1812 wrote to memory of 4900	1812	{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe	94
PID 1812 wrote to memory of 1156	1812	{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe	95
PID 1812 wrote to memory of 1156	1812	{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe	95
PID 1812 wrote to memory of 1156	1812	{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe	95
PID 4900 wrote to memory of 1020	4900	{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe	96
PID 4900 wrote to memory of 1020	4900	{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe	96
PID 4900 wrote to memory of 1020	4900	{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe	96
PID 4900 wrote to memory of 4516	4900	{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe	97
PID 4900 wrote to memory of 4516	4900	{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe	97
PID 4900 wrote to memory of 4516	4900	{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe	97
PID 1020 wrote to memory of 3900	1020	{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe	98
PID 1020 wrote to memory of 3900	1020	{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe	98
PID 1020 wrote to memory of 3900	1020	{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe	98
PID 1020 wrote to memory of 3660	1020	{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe	99
PID 1020 wrote to memory of 3660	1020	{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe	99
PID 1020 wrote to memory of 3660	1020	{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe	99
PID 3900 wrote to memory of 1648	3900	{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe	100
PID 3900 wrote to memory of 1648	3900	{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe	100
PID 3900 wrote to memory of 1648	3900	{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe	100
PID 3900 wrote to memory of 1172	3900	{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe	101
PID 3900 wrote to memory of 1172	3900	{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe	101
PID 3900 wrote to memory of 1172	3900	{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe	101
PID 1648 wrote to memory of 4292	1648	{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe	102
PID 1648 wrote to memory of 4292	1648	{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe	102
PID 1648 wrote to memory of 4292	1648	{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe	102
PID 1648 wrote to memory of 3416	1648	{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe	103
PID 1648 wrote to memory of 3416	1648	{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe	103
PID 1648 wrote to memory of 3416	1648	{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe	103
PID 4292 wrote to memory of 64	4292	{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}.exe	104
PID 4292 wrote to memory of 64	4292	{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}.exe	104
PID 4292 wrote to memory of 64	4292	{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}.exe	104
PID 4292 wrote to memory of 4464	4292	{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}.exe	105

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-06_a4ab6eda59d7f305851751d448e2ee0b_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-06_a4ab6eda59d7f305851751d448e2ee0b_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe
  C:\Windows\{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe
    C:\Windows\{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe
      C:\Windows\{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Windows\{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe
        
        C:\Windows\{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:740
      - C:\Windows\{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe
        
        C:\Windows\{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe
        
        C:\Windows\{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe
        
        C:\Windows\{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe
        
        C:\Windows\{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe
        
        C:\Windows\{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}.exe
        
        C:\Windows\{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\{6E013A9B-7870-4e2b-BFD2-5BE8CA41E43F}.exe
        
        C:\Windows\{6E013A9B-7870-4e2b-BFD2-5BE8CA41E43F}.exe
        12⤵
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55CBC~1.EXE > nul
        12⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6A2A~1.EXE > nul
        11⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06064~1.EXE > nul
        10⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EC21~1.EXE > nul
        9⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25648~1.EXE > nul
        8⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E215E~1.EXE > nul
        7⤵
        
        PID:1156
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{749BD~1.EXE > nul
        6⤵
        
        PID:336
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AF45~1.EXE > nul
        5⤵
        
        PID:1204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2A4C2~1.EXE > nul
      4⤵
      PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3D64B~1.EXE > nul
    3⤵
    PID:4916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe

Filesize
204KB

MD5
5e8f5b81822d1a9f704d1375e487951b

SHA1
d0ec6463ed2b9cd377865f2b2b97769beafb521e

SHA256
03bd4b3c85dae39542e667869c58318d2ba8e2a8863126adcf3adcc007979476

SHA512
e0eb26446b5089c5913bab3d19c0b9bd998b65ed4af6236f7fb150619270a47f16710d9da40f1efbd9adbe47829e1cdae1f3a1d4f908faa86e0460f5f5eaf3a2

Download Submit
C:\Windows\{06064C5F-0ECB-4ca7-AA80-C628320D5995}.exe

Filesize
204KB

MD5
5e8f5b81822d1a9f704d1375e487951b

SHA1
d0ec6463ed2b9cd377865f2b2b97769beafb521e

SHA256
03bd4b3c85dae39542e667869c58318d2ba8e2a8863126adcf3adcc007979476

SHA512
e0eb26446b5089c5913bab3d19c0b9bd998b65ed4af6236f7fb150619270a47f16710d9da40f1efbd9adbe47829e1cdae1f3a1d4f908faa86e0460f5f5eaf3a2

Download Submit
C:\Windows\{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe

Filesize
204KB

MD5
bb4969848354394d9406656bf94722af

SHA1
03af1197e21e4e7a3ee35dcdbafecd051499ee2d

SHA256
84f1efb0cf8e2018b85a691d7bf18db79bd5e22f7b1aa4def54b5ccbdc63fe5b

SHA512
a9a9be4452d218be139f3ad23d3e120ad80fe4fca0cd9061f497972fb680e541e833c352d50b70b9384cad3abd1da129456330107b236ee0834560191f137405

Download Submit
C:\Windows\{256480DA-20A2-45b9-A63A-D7FA00603C37}.exe

Filesize
204KB

MD5
bb4969848354394d9406656bf94722af

SHA1
03af1197e21e4e7a3ee35dcdbafecd051499ee2d

SHA256
84f1efb0cf8e2018b85a691d7bf18db79bd5e22f7b1aa4def54b5ccbdc63fe5b

SHA512
a9a9be4452d218be139f3ad23d3e120ad80fe4fca0cd9061f497972fb680e541e833c352d50b70b9384cad3abd1da129456330107b236ee0834560191f137405

Download Submit
C:\Windows\{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe

Filesize
204KB

MD5
0ff80156b66ff4055a18965431b5140b

SHA1
386031f09090e3687cc269dae52b8007a2802bbf

SHA256
4b128e141f2f7bbd81c0b06a47d1dec1ec7952eb5c27bde3a04d6ad66611cb19

SHA512
cc7264d7d4917904a33a67dc31cd03342b061dc5c08950ca13d5c090f1182400ad64521c5519c3ceb3544768bc711af21ee02e44fc01fad9a058009ca92a91cb

Download Submit
C:\Windows\{2A4C2ED2-E43E-45fd-9BFC-AF451A995148}.exe

Filesize
204KB

MD5
0ff80156b66ff4055a18965431b5140b

SHA1
386031f09090e3687cc269dae52b8007a2802bbf

SHA256
4b128e141f2f7bbd81c0b06a47d1dec1ec7952eb5c27bde3a04d6ad66611cb19

SHA512
cc7264d7d4917904a33a67dc31cd03342b061dc5c08950ca13d5c090f1182400ad64521c5519c3ceb3544768bc711af21ee02e44fc01fad9a058009ca92a91cb

Download Submit
C:\Windows\{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe

Filesize
204KB

MD5
4bce471f41ca2743ae1ce599833693b6

SHA1
394d69f99f6c4848c8740f430cf31c92001b5860

SHA256
576fcb6cbc3411f97bc4005467c66c04ce192e37478e53fbd564aa8d1706649a

SHA512
6a12f4faed4f84609165df3dd49f5377520e37959cf8857853715f6493a51c991f4804acfb05317ce2d7496a30d0290c1ab7f324f9ec7bbd650ebf881eab6ed5

Download Submit
C:\Windows\{3D64B35C-3B3D-4132-A51A-01218D0FD18F}.exe

Filesize
204KB

MD5
4bce471f41ca2743ae1ce599833693b6

SHA1
394d69f99f6c4848c8740f430cf31c92001b5860

SHA256
576fcb6cbc3411f97bc4005467c66c04ce192e37478e53fbd564aa8d1706649a

SHA512
6a12f4faed4f84609165df3dd49f5377520e37959cf8857853715f6493a51c991f4804acfb05317ce2d7496a30d0290c1ab7f324f9ec7bbd650ebf881eab6ed5

Download Submit
C:\Windows\{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe

Filesize
204KB

MD5
5b289fb81eda538bab7c8509e9804c56

SHA1
f07e0b94aab161ed94acfb9659be245afa4f8377

SHA256
4a4e95b9daa48ca475dc232c026e19ded94bc2b34d7f5ba9509186ff1b41956e

SHA512
d7861b23ff2674e2c9a54264e1c8871f85990e5bb84f275816fd9240441aee7e55f9e840f92e556c524422e7f1ec72922a15172086c82bfc5ab95be02dfda898

Download Submit
C:\Windows\{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe

Filesize
204KB

MD5
5b289fb81eda538bab7c8509e9804c56

SHA1
f07e0b94aab161ed94acfb9659be245afa4f8377

SHA256
4a4e95b9daa48ca475dc232c026e19ded94bc2b34d7f5ba9509186ff1b41956e

SHA512
d7861b23ff2674e2c9a54264e1c8871f85990e5bb84f275816fd9240441aee7e55f9e840f92e556c524422e7f1ec72922a15172086c82bfc5ab95be02dfda898

Download Submit
C:\Windows\{4AF452A4-077E-4ec7-AF26-314C8D73A955}.exe

Filesize
204KB

MD5
5b289fb81eda538bab7c8509e9804c56

SHA1
f07e0b94aab161ed94acfb9659be245afa4f8377

SHA256
4a4e95b9daa48ca475dc232c026e19ded94bc2b34d7f5ba9509186ff1b41956e

SHA512
d7861b23ff2674e2c9a54264e1c8871f85990e5bb84f275816fd9240441aee7e55f9e840f92e556c524422e7f1ec72922a15172086c82bfc5ab95be02dfda898

Download Submit
C:\Windows\{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe

Filesize
204KB

MD5
7078d96a562865fdfd33a2022a5e096a

SHA1
52db1bb723619f5ed9d18bddf67ba62be439abd2

SHA256
553c84fcc85a195c41893b46681e49cae3a10d570437883a6c07e87ed498a810

SHA512
3988c9bdbb72f958d9783388aca5bff8cec49a62c7fe4246611f564fb135e68080f9befd427122f930aa6c53cf6f7b82d0f3f5f0bb220e5d016b4645e6f5b61a

Download Submit
C:\Windows\{4EC2180F-F3F7-46e9-9363-A188E500DFDC}.exe

Filesize
204KB

MD5
7078d96a562865fdfd33a2022a5e096a

SHA1
52db1bb723619f5ed9d18bddf67ba62be439abd2

SHA256
553c84fcc85a195c41893b46681e49cae3a10d570437883a6c07e87ed498a810

SHA512
3988c9bdbb72f958d9783388aca5bff8cec49a62c7fe4246611f564fb135e68080f9befd427122f930aa6c53cf6f7b82d0f3f5f0bb220e5d016b4645e6f5b61a

Download Submit
C:\Windows\{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}.exe

Filesize
204KB

MD5
bea6e104527d9c630919d1e6430d2ce6

SHA1
3cd141ea589d36babd9158d214471bcc801c0f03

SHA256
59493a32eb8b5c95473744120bc17d69d4d9fa06981a9ec570c65d749c858e3f

SHA512
a00e55a8c8a3bcc304a57b5ab433905153d6163606022db0f1d0b2b8dc4f0f6173f356557ee97ddea16c196a5550cb80b947cc41589bf584f11b81aa8c91d707

Download Submit
C:\Windows\{55CBC842-3DC8-4cb4-969A-0349F0AE75CD}.exe

Filesize
204KB

MD5
bea6e104527d9c630919d1e6430d2ce6

SHA1
3cd141ea589d36babd9158d214471bcc801c0f03

SHA256
59493a32eb8b5c95473744120bc17d69d4d9fa06981a9ec570c65d749c858e3f

SHA512
a00e55a8c8a3bcc304a57b5ab433905153d6163606022db0f1d0b2b8dc4f0f6173f356557ee97ddea16c196a5550cb80b947cc41589bf584f11b81aa8c91d707

Download Submit
C:\Windows\{6E013A9B-7870-4e2b-BFD2-5BE8CA41E43F}.exe

Filesize
204KB

MD5
17da44e5a3acc14721bf6bb473f96ab8

SHA1
400cb0e368d29a4ceb75bee55f05370ffcc6f7ed

SHA256
57879f6a36e35ba1c519d7b7996de00071b64f4e7504ba5f4be3f70a7184e76f

SHA512
1a71a3c6d697328a60aa1fd74249e5302b959e8c0304e94d5b6b6ba049fa35175f28d0e28e9c6dc23f3e2af87e175417d6c5d974562f62c12124d49b3d8271e0

Download Submit
C:\Windows\{6E013A9B-7870-4e2b-BFD2-5BE8CA41E43F}.exe

Filesize
204KB

MD5
17da44e5a3acc14721bf6bb473f96ab8

SHA1
400cb0e368d29a4ceb75bee55f05370ffcc6f7ed

SHA256
57879f6a36e35ba1c519d7b7996de00071b64f4e7504ba5f4be3f70a7184e76f

SHA512
1a71a3c6d697328a60aa1fd74249e5302b959e8c0304e94d5b6b6ba049fa35175f28d0e28e9c6dc23f3e2af87e175417d6c5d974562f62c12124d49b3d8271e0

Download Submit
C:\Windows\{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe

Filesize
204KB

MD5
2073146e0c57e8cae98e67d4018b0a5b

SHA1
3c6a640377b5bdcb63e2e74eac7153bf64071dbd

SHA256
564724795e7cfcc5a63213f79f1051961a16d71d9b3023e5882e6d41e4a952d4

SHA512
26183398c04345815185aba23ad133d370398faa9e76ea1206d22a3aa11f69bf0b4157a4caf48a0ba20953c818808ad5fb1a05b39b410f6ef0d1ce88caaef1ef

Download Submit
C:\Windows\{749BD971-0A48-4c50-94CF-333A2EDDCA65}.exe

Filesize
204KB

MD5
2073146e0c57e8cae98e67d4018b0a5b

SHA1
3c6a640377b5bdcb63e2e74eac7153bf64071dbd

SHA256
564724795e7cfcc5a63213f79f1051961a16d71d9b3023e5882e6d41e4a952d4

SHA512
26183398c04345815185aba23ad133d370398faa9e76ea1206d22a3aa11f69bf0b4157a4caf48a0ba20953c818808ad5fb1a05b39b410f6ef0d1ce88caaef1ef

Download Submit
C:\Windows\{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe

Filesize
204KB

MD5
bba7b017630045d4860236ee6159783d

SHA1
080cfe1918f0c95b742e4f6e1bbf3ea673f914a3

SHA256
d8b17f5a6a7282a94bb5ca94a1b1126d89f2a9a3cbe8f2fefd8f306f4e6b6ef9

SHA512
6da54751f06f851417deae4755ed356386fd96f7eb392fa5d3f0df56e9f84d11666328087d8a86acbb568abe020ed2ff390d313b212406ec7ed7aae329155013

Download Submit
C:\Windows\{E215E617-6513-4725-ACB6-DEBAD76B5B0A}.exe

Filesize
204KB

MD5
bba7b017630045d4860236ee6159783d

SHA1
080cfe1918f0c95b742e4f6e1bbf3ea673f914a3

SHA256
d8b17f5a6a7282a94bb5ca94a1b1126d89f2a9a3cbe8f2fefd8f306f4e6b6ef9

SHA512
6da54751f06f851417deae4755ed356386fd96f7eb392fa5d3f0df56e9f84d11666328087d8a86acbb568abe020ed2ff390d313b212406ec7ed7aae329155013

Download Submit
C:\Windows\{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe

Filesize
204KB

MD5
3a89a0ee4fe7285155885ab1fdc7edc5

SHA1
027273547fded5a76c663e10fe5e7eb1fb6ca2fb

SHA256
b939b9f396beb6dad582cf442218238ce22fd083fe49cf079ea017e70356559e

SHA512
8b792a981632e6e268c7e5882b55c1637e895b8a32a134c0d7f3e72af5362b2e739d3120c3001588b221c7b5f1275b4c986f065314eb3f55522746f05d58f019

Download Submit
C:\Windows\{E6A2AAB8-25FE-435d-9234-F62732011BE9}.exe

Filesize
204KB

MD5
3a89a0ee4fe7285155885ab1fdc7edc5

SHA1
027273547fded5a76c663e10fe5e7eb1fb6ca2fb

SHA256
b939b9f396beb6dad582cf442218238ce22fd083fe49cf079ea017e70356559e

SHA512
8b792a981632e6e268c7e5882b55c1637e895b8a32a134c0d7f3e72af5362b2e739d3120c3001588b221c7b5f1275b4c986f065314eb3f55522746f05d58f019

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads