90e7b60eb9842770010598d81271ac0916154a4defcbea583d5843ed38111e1a

Analysis

max time kernel
150s
max time network
131s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
23-10-2023 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe
Size

168KB
MD5

e1b2c2a6754eefd8852dae88e505ab37
SHA1

f81ac56644802f170ae6601020421baa0a862846
SHA256

90e7b60eb9842770010598d81271ac0916154a4defcbea583d5843ed38111e1a
SHA512

16d9f80c4f520ebfa675c03177c3c0c7416aaecc0b33d42f0e2c3f2aedf331d190101d103ada9415986708319a1e6ebf994d0f6b2bed6f11b51eee63203d7f27
SSDEEP

1536:1EGh0oflq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oflqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2249C122-15B4-4e52-A431-02EE7C4C4752}\stubpath = "C:\\Windows\\{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe"	{EE44F532-678F-4695-BDE7-157CB9F43417}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}\stubpath = "C:\\Windows\\{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe"	{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{206BBC81-E485-4ac0-BE6B-EB860F3940AB}\stubpath = "C:\\Windows\\{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe"	{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BFA59AF-43F3-47db-84CC-BD84C6743944}\stubpath = "C:\\Windows\\{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe"	{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0FDF0EC-DA12-4dc2-AFB2-E116002D69BF}\stubpath = "C:\\Windows\\{F0FDF0EC-DA12-4dc2-AFB2-E116002D69BF}.exe"	{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}	{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{206BBC81-E485-4ac0-BE6B-EB860F3940AB}	{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8E4938E-5927-471c-AC5B-C4648A223D5C}\stubpath = "C:\\Windows\\{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe"	{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B91838D-4B82-44bf-89EE-A726B1DB11E2}	{F0FDF0EC-DA12-4dc2-AFB2-E116002D69BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5CCC39E-B04E-4c0c-8BD0-C9E65BB267B3}\stubpath = "C:\\Windows\\{A5CCC39E-B04E-4c0c-8BD0-C9E65BB267B3}.exe"	{8B91838D-4B82-44bf-89EE-A726B1DB11E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57421DAA-0452-4216-B816-8210CFF521D3}	{A5CCC39E-B04E-4c0c-8BD0-C9E65BB267B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B91838D-4B82-44bf-89EE-A726B1DB11E2}\stubpath = "C:\\Windows\\{8B91838D-4B82-44bf-89EE-A726B1DB11E2}.exe"	{F0FDF0EC-DA12-4dc2-AFB2-E116002D69BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B401A6D9-35F5-4ab8-87FE-EEB01523FD6D}	{57421DAA-0452-4216-B816-8210CFF521D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B401A6D9-35F5-4ab8-87FE-EEB01523FD6D}\stubpath = "C:\\Windows\\{B401A6D9-35F5-4ab8-87FE-EEB01523FD6D}.exe"	{57421DAA-0452-4216-B816-8210CFF521D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BFA59AF-43F3-47db-84CC-BD84C6743944}	{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0FDF0EC-DA12-4dc2-AFB2-E116002D69BF}	{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D11876D-0FB1-4c68-A414-5E7034E54E50}	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D11876D-0FB1-4c68-A414-5E7034E54E50}\stubpath = "C:\\Windows\\{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe"	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE44F532-678F-4695-BDE7-157CB9F43417}	{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE44F532-678F-4695-BDE7-157CB9F43417}\stubpath = "C:\\Windows\\{EE44F532-678F-4695-BDE7-157CB9F43417}.exe"	{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2249C122-15B4-4e52-A431-02EE7C4C4752}	{EE44F532-678F-4695-BDE7-157CB9F43417}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8E4938E-5927-471c-AC5B-C4648A223D5C}	{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5CCC39E-B04E-4c0c-8BD0-C9E65BB267B3}	{8B91838D-4B82-44bf-89EE-A726B1DB11E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57421DAA-0452-4216-B816-8210CFF521D3}\stubpath = "C:\\Windows\\{57421DAA-0452-4216-B816-8210CFF521D3}.exe"	{A5CCC39E-B04E-4c0c-8BD0-C9E65BB267B3}.exe

Deletes itself 1 IoCs

pid	Process
2824	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
1232	{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe
848	{EE44F532-678F-4695-BDE7-157CB9F43417}.exe
2632	{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe
2692	{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe
2636	{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe
2512	{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe
2920	{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe
2472	{F0FDF0EC-DA12-4dc2-AFB2-E116002D69BF}.exe
2560	{8B91838D-4B82-44bf-89EE-A726B1DB11E2}.exe
2428	{A5CCC39E-B04E-4c0c-8BD0-C9E65BB267B3}.exe
1744	{57421DAA-0452-4216-B816-8210CFF521D3}.exe
1900	{B401A6D9-35F5-4ab8-87FE-EEB01523FD6D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe	{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe
File created	C:\Windows\{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe	{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe
File created	C:\Windows\{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe	{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe
File created	C:\Windows\{F0FDF0EC-DA12-4dc2-AFB2-E116002D69BF}.exe	{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe
File created	C:\Windows\{8B91838D-4B82-44bf-89EE-A726B1DB11E2}.exe	{F0FDF0EC-DA12-4dc2-AFB2-E116002D69BF}.exe
File created	C:\Windows\{A5CCC39E-B04E-4c0c-8BD0-C9E65BB267B3}.exe	{8B91838D-4B82-44bf-89EE-A726B1DB11E2}.exe
File created	C:\Windows\{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe
File created	C:\Windows\{EE44F532-678F-4695-BDE7-157CB9F43417}.exe	{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe
File created	C:\Windows\{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe	{EE44F532-678F-4695-BDE7-157CB9F43417}.exe
File created	C:\Windows\{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe	{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe
File created	C:\Windows\{57421DAA-0452-4216-B816-8210CFF521D3}.exe	{A5CCC39E-B04E-4c0c-8BD0-C9E65BB267B3}.exe
File created	C:\Windows\{B401A6D9-35F5-4ab8-87FE-EEB01523FD6D}.exe	{57421DAA-0452-4216-B816-8210CFF521D3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1412	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1232	{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe
Token: SeIncBasePriorityPrivilege	848	{EE44F532-678F-4695-BDE7-157CB9F43417}.exe
Token: SeIncBasePriorityPrivilege	2632	{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe
Token: SeIncBasePriorityPrivilege	2692	{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe
Token: SeIncBasePriorityPrivilege	2636	{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe
Token: SeIncBasePriorityPrivilege	2512	{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe
Token: SeIncBasePriorityPrivilege	2920	{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe
Token: SeIncBasePriorityPrivilege	2472	{F0FDF0EC-DA12-4dc2-AFB2-E116002D69BF}.exe
Token: SeIncBasePriorityPrivilege	2560	{8B91838D-4B82-44bf-89EE-A726B1DB11E2}.exe
Token: SeIncBasePriorityPrivilege	2428	{A5CCC39E-B04E-4c0c-8BD0-C9E65BB267B3}.exe
Token: SeIncBasePriorityPrivilege	1744	{57421DAA-0452-4216-B816-8210CFF521D3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 1232	1412	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe	28
PID 1412 wrote to memory of 1232	1412	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe	28
PID 1412 wrote to memory of 1232	1412	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe	28
PID 1412 wrote to memory of 1232	1412	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe	28
PID 1412 wrote to memory of 2824	1412	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe	29
PID 1412 wrote to memory of 2824	1412	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe	29
PID 1412 wrote to memory of 2824	1412	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe	29
PID 1412 wrote to memory of 2824	1412	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe	29
PID 1232 wrote to memory of 848	1232	{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe	30
PID 1232 wrote to memory of 848	1232	{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe	30
PID 1232 wrote to memory of 848	1232	{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe	30
PID 1232 wrote to memory of 848	1232	{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe	30
PID 1232 wrote to memory of 3052	1232	{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe	31
PID 1232 wrote to memory of 3052	1232	{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe	31
PID 1232 wrote to memory of 3052	1232	{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe	31
PID 1232 wrote to memory of 3052	1232	{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe	31
PID 848 wrote to memory of 2632	848	{EE44F532-678F-4695-BDE7-157CB9F43417}.exe	34
PID 848 wrote to memory of 2632	848	{EE44F532-678F-4695-BDE7-157CB9F43417}.exe	34
PID 848 wrote to memory of 2632	848	{EE44F532-678F-4695-BDE7-157CB9F43417}.exe	34
PID 848 wrote to memory of 2632	848	{EE44F532-678F-4695-BDE7-157CB9F43417}.exe	34
PID 848 wrote to memory of 2752	848	{EE44F532-678F-4695-BDE7-157CB9F43417}.exe	35
PID 848 wrote to memory of 2752	848	{EE44F532-678F-4695-BDE7-157CB9F43417}.exe	35
PID 848 wrote to memory of 2752	848	{EE44F532-678F-4695-BDE7-157CB9F43417}.exe	35
PID 848 wrote to memory of 2752	848	{EE44F532-678F-4695-BDE7-157CB9F43417}.exe	35
PID 2632 wrote to memory of 2692	2632	{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe	36
PID 2632 wrote to memory of 2692	2632	{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe	36
PID 2632 wrote to memory of 2692	2632	{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe	36
PID 2632 wrote to memory of 2692	2632	{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe	36
PID 2632 wrote to memory of 2676	2632	{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe	37
PID 2632 wrote to memory of 2676	2632	{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe	37
PID 2632 wrote to memory of 2676	2632	{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe	37
PID 2632 wrote to memory of 2676	2632	{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe	37
PID 2692 wrote to memory of 2636	2692	{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe	38
PID 2692 wrote to memory of 2636	2692	{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe	38
PID 2692 wrote to memory of 2636	2692	{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe	38
PID 2692 wrote to memory of 2636	2692	{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe	38
PID 2692 wrote to memory of 2544	2692	{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe	39
PID 2692 wrote to memory of 2544	2692	{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe	39
PID 2692 wrote to memory of 2544	2692	{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe	39
PID 2692 wrote to memory of 2544	2692	{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe	39
PID 2636 wrote to memory of 2512	2636	{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe	40
PID 2636 wrote to memory of 2512	2636	{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe	40
PID 2636 wrote to memory of 2512	2636	{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe	40
PID 2636 wrote to memory of 2512	2636	{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe	40
PID 2636 wrote to memory of 2572	2636	{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe	41
PID 2636 wrote to memory of 2572	2636	{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe	41
PID 2636 wrote to memory of 2572	2636	{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe	41
PID 2636 wrote to memory of 2572	2636	{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe	41
PID 2512 wrote to memory of 2920	2512	{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe	43
PID 2512 wrote to memory of 2920	2512	{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe	43
PID 2512 wrote to memory of 2920	2512	{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe	43
PID 2512 wrote to memory of 2920	2512	{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe	43
PID 2512 wrote to memory of 1592	2512	{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe	42
PID 2512 wrote to memory of 1592	2512	{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe	42
PID 2512 wrote to memory of 1592	2512	{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe	42
PID 2512 wrote to memory of 1592	2512	{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe	42
PID 2920 wrote to memory of 2472	2920	{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe	45
PID 2920 wrote to memory of 2472	2920	{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe	45
PID 2920 wrote to memory of 2472	2920	{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe	45
PID 2920 wrote to memory of 2472	2920	{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe	45
PID 2920 wrote to memory of 764	2920	{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe	44
PID 2920 wrote to memory of 764	2920	{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe	44
PID 2920 wrote to memory of 764	2920	{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe	44
PID 2920 wrote to memory of 764	2920	{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe	44

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe
  C:\Windows\{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\{EE44F532-678F-4695-BDE7-157CB9F43417}.exe
    C:\Windows\{EE44F532-678F-4695-BDE7-157CB9F43417}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe
      C:\Windows\{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe
        
        C:\Windows\{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe
        
        C:\Windows\{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe
        
        C:\Windows\{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8E49~1.EXE > nul
        8⤵
        
        PID:1592
        
        C:\Windows\{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe
        
        C:\Windows\{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BFA5~1.EXE > nul
        9⤵
        
        PID:764
        
        C:\Windows\{F0FDF0EC-DA12-4dc2-AFB2-E116002D69BF}.exe
        
        C:\Windows\{F0FDF0EC-DA12-4dc2-AFB2-E116002D69BF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0FDF~1.EXE > nul
        10⤵
        
        PID:1696
        
        C:\Windows\{8B91838D-4B82-44bf-89EE-A726B1DB11E2}.exe
        
        C:\Windows\{8B91838D-4B82-44bf-89EE-A726B1DB11E2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B918~1.EXE > nul
        11⤵
        
        PID:1064
        
        C:\Windows\{A5CCC39E-B04E-4c0c-8BD0-C9E65BB267B3}.exe
        
        C:\Windows\{A5CCC39E-B04E-4c0c-8BD0-C9E65BB267B3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5CCC~1.EXE > nul
        12⤵
        
        PID:1944
        
        C:\Windows\{57421DAA-0452-4216-B816-8210CFF521D3}.exe
        
        C:\Windows\{57421DAA-0452-4216-B816-8210CFF521D3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\{B401A6D9-35F5-4ab8-87FE-EEB01523FD6D}.exe
        
        C:\Windows\{B401A6D9-35F5-4ab8-87FE-EEB01523FD6D}.exe
        13⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57421~1.EXE > nul
        13⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{206BB~1.EXE > nul
        7⤵
        
        PID:2572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B40C8~1.EXE > nul
        6⤵
        
        PID:2544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2249C~1.EXE > nul
        5⤵
        
        PID:2676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EE44F~1.EXE > nul
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3D118~1.EXE > nul
    3⤵
    PID:3052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe

Filesize
168KB

MD5
3b2fc399b43d32c8aa04dcca5357e7eb

SHA1
568ec49b0722360355790705af2067a4ee9a851e

SHA256
2ca8baa18208f43cb5ec701d4010ffc42964bab3683fb6bd50ac02bb9fe9df1f

SHA512
eca966bc397b1d1af0f34a8205207c7fbcf8e8c87107ef09c74824a6c02a2d45a1a03fa77165a90ec6756692ad1f412b2fb5d7e5c38928a062835542d423312c

Download Submit
C:\Windows\{206BBC81-E485-4ac0-BE6B-EB860F3940AB}.exe

Filesize
168KB

MD5
3b2fc399b43d32c8aa04dcca5357e7eb

SHA1
568ec49b0722360355790705af2067a4ee9a851e

SHA256
2ca8baa18208f43cb5ec701d4010ffc42964bab3683fb6bd50ac02bb9fe9df1f

SHA512
eca966bc397b1d1af0f34a8205207c7fbcf8e8c87107ef09c74824a6c02a2d45a1a03fa77165a90ec6756692ad1f412b2fb5d7e5c38928a062835542d423312c

Download Submit
C:\Windows\{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe

Filesize
168KB

MD5
8a63cfb3ab8e41c4bcd3c9d091f90bf2

SHA1
a40b89fcae0bfa6043153cc9cc038952884f30a8

SHA256
dfb395eb1b48bad8658a7e2a0628e3b7e0a7f61a7d3ad1e4f16eb36fa85c5faf

SHA512
6837a46ded345814a1d7717813a6cbb74175d1d5d8b7da33c33f65f4ef09bad72e658003858bd10ca95ee1a9385cd5a425fd40048addbcbf557a4b372d7d83a6

Download Submit
C:\Windows\{2249C122-15B4-4e52-A431-02EE7C4C4752}.exe

Filesize
168KB

MD5
8a63cfb3ab8e41c4bcd3c9d091f90bf2

SHA1
a40b89fcae0bfa6043153cc9cc038952884f30a8

SHA256
dfb395eb1b48bad8658a7e2a0628e3b7e0a7f61a7d3ad1e4f16eb36fa85c5faf

SHA512
6837a46ded345814a1d7717813a6cbb74175d1d5d8b7da33c33f65f4ef09bad72e658003858bd10ca95ee1a9385cd5a425fd40048addbcbf557a4b372d7d83a6

Download Submit
C:\Windows\{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe

Filesize
168KB

MD5
dffe6ffcefb779fb0957981a1b8d74de

SHA1
1b008d48fc24d341cba0668dbbe785b1a638e50d

SHA256
9de9abd231a0667870c919944d248492781bacbb0d6aaec1359a8626d8353306

SHA512
17e65282be34853a3352727aa64d6c621a403604df8992c9635a04e59614301059d4930f9f29a186cb51b6ab8d8660521b4e22d243070e10ab4f6c38c8fc3be1

Download Submit
C:\Windows\{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe

Filesize
168KB

MD5
dffe6ffcefb779fb0957981a1b8d74de

SHA1
1b008d48fc24d341cba0668dbbe785b1a638e50d

SHA256
9de9abd231a0667870c919944d248492781bacbb0d6aaec1359a8626d8353306

SHA512
17e65282be34853a3352727aa64d6c621a403604df8992c9635a04e59614301059d4930f9f29a186cb51b6ab8d8660521b4e22d243070e10ab4f6c38c8fc3be1

Download Submit
C:\Windows\{3D11876D-0FB1-4c68-A414-5E7034E54E50}.exe

Filesize
168KB

MD5
dffe6ffcefb779fb0957981a1b8d74de

SHA1
1b008d48fc24d341cba0668dbbe785b1a638e50d

SHA256
9de9abd231a0667870c919944d248492781bacbb0d6aaec1359a8626d8353306

SHA512
17e65282be34853a3352727aa64d6c621a403604df8992c9635a04e59614301059d4930f9f29a186cb51b6ab8d8660521b4e22d243070e10ab4f6c38c8fc3be1

Download Submit
C:\Windows\{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe

Filesize
168KB

MD5
5474cd3ff6a73e1089c4204fdc7af543

SHA1
784a1be2de67bc0672ab51ab8e19d6ff1f1ff017

SHA256
23cd7ae24e79eb128abcabaa7a857031c496abefe3cf2d4e5ec93927abf7f492

SHA512
d768ecd6a806a47c37190790f033633acf04d12ba01e7f75ff3dfa0fd2e9e898b52fa62f4bd1b8a7c54a2ca32680533b3eab441a0246713d36cc950def9c499a

Download Submit
C:\Windows\{4BFA59AF-43F3-47db-84CC-BD84C6743944}.exe

Filesize
168KB

MD5
5474cd3ff6a73e1089c4204fdc7af543

SHA1
784a1be2de67bc0672ab51ab8e19d6ff1f1ff017

SHA256
23cd7ae24e79eb128abcabaa7a857031c496abefe3cf2d4e5ec93927abf7f492

SHA512
d768ecd6a806a47c37190790f033633acf04d12ba01e7f75ff3dfa0fd2e9e898b52fa62f4bd1b8a7c54a2ca32680533b3eab441a0246713d36cc950def9c499a

Download Submit
C:\Windows\{57421DAA-0452-4216-B816-8210CFF521D3}.exe

Filesize
168KB

MD5
4659386cb95a7e50c7a086363f3409e9

SHA1
803014ca36af2fdbe096534c17f760c80837acff

SHA256
ddbafb4e299855a1feec8baf5cd629711b041e4e6f514be152d671a4cfad5dbe

SHA512
7a9fffcdb308b1af245b48d87a59ab089a37e21f1374c1bea1607e8a29a0f9b5c7410166dc0ecba14685d9697026e7ccbcda888eebd83bad19311c95b60b4a03

Download Submit
C:\Windows\{57421DAA-0452-4216-B816-8210CFF521D3}.exe

Filesize
168KB

MD5
4659386cb95a7e50c7a086363f3409e9

SHA1
803014ca36af2fdbe096534c17f760c80837acff

SHA256
ddbafb4e299855a1feec8baf5cd629711b041e4e6f514be152d671a4cfad5dbe

SHA512
7a9fffcdb308b1af245b48d87a59ab089a37e21f1374c1bea1607e8a29a0f9b5c7410166dc0ecba14685d9697026e7ccbcda888eebd83bad19311c95b60b4a03

Download Submit
C:\Windows\{8B91838D-4B82-44bf-89EE-A726B1DB11E2}.exe

Filesize
168KB

MD5
48d9e84990646aee3705e07325a60996

SHA1
40ec26d3ea6697a052696b1e85b0916f707809f6

SHA256
e18e9f08d61cc21c2c2b6fd5c59ef5987d6bf168528b49352f66404579100eea

SHA512
ee283e6e3946fa68019250196a5d902f0ce40999f45d4ab605647d9e0f868d325d6e4bcfa5f6772ef518cd5267b8e221dbed833dae0fc07a4f1ba98c53b31dca

Download Submit
C:\Windows\{8B91838D-4B82-44bf-89EE-A726B1DB11E2}.exe

Filesize
168KB

MD5
48d9e84990646aee3705e07325a60996

SHA1
40ec26d3ea6697a052696b1e85b0916f707809f6

SHA256
e18e9f08d61cc21c2c2b6fd5c59ef5987d6bf168528b49352f66404579100eea

SHA512
ee283e6e3946fa68019250196a5d902f0ce40999f45d4ab605647d9e0f868d325d6e4bcfa5f6772ef518cd5267b8e221dbed833dae0fc07a4f1ba98c53b31dca

Download Submit
C:\Windows\{A5CCC39E-B04E-4c0c-8BD0-C9E65BB267B3}.exe

Filesize
168KB

MD5
c3279eb6a218a6d2858b2cf6f296570c

SHA1
823273d69c79d728cb4aaf2c8284c1e8d75bb089

SHA256
84f562edd06da5c5ad49e2de895740012e1abcd2c84a28a74c5c317a7f9b5175

SHA512
c275d232e17238ae6b34ab731777692ec043c60661ebac40678fb252a91f5b4ad82bba01b340464dd9626357e788c757761eb3d5b4570ccd613947285a618591

Download Submit
C:\Windows\{A5CCC39E-B04E-4c0c-8BD0-C9E65BB267B3}.exe

Filesize
168KB

MD5
c3279eb6a218a6d2858b2cf6f296570c

SHA1
823273d69c79d728cb4aaf2c8284c1e8d75bb089

SHA256
84f562edd06da5c5ad49e2de895740012e1abcd2c84a28a74c5c317a7f9b5175

SHA512
c275d232e17238ae6b34ab731777692ec043c60661ebac40678fb252a91f5b4ad82bba01b340464dd9626357e788c757761eb3d5b4570ccd613947285a618591

Download Submit
C:\Windows\{B401A6D9-35F5-4ab8-87FE-EEB01523FD6D}.exe

Filesize
168KB

MD5
1fa5e9c0ee1a1d49f5414b8ca1b4d175

SHA1
a9f7d40ecb4f0b9989a33ef7e0a611cb1615e3a3

SHA256
3dbb40302aeee76099ee62eb742eb7f469ebbcde2d5dc788513fd07b88a903c1

SHA512
2939e8e326022111c9b04525679e20b8e7047cd78966094aac7c2d4bb9e5e6586e5f6694d4d672df1940c2d9b355d0a2a6c305b45f9e5f796277d47c9ce38f5d

Download Submit
C:\Windows\{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe

Filesize
168KB

MD5
ba6a4726d3f51b9b96f9e3db2c9e2957

SHA1
db5c1316d9b7c9a19045a461a9361ac52b2d8127

SHA256
95a8ae3d669ab4ff9cb2a3ecfa1e5753d86fd04aedd5b5ed2d194e8ac4e66121

SHA512
181130f74cfd8d7fa8508774ad518eaa5434e53793e77c16b222cdac0d3e320b2d3a3a636e619ba62b7ff6c714b0ec0a9a8032bf0bec8b6af7079e7abe1166fa

Download Submit
C:\Windows\{B40C8B63-ABA4-4d3e-A82B-5B49745559D2}.exe

Filesize
168KB

MD5
ba6a4726d3f51b9b96f9e3db2c9e2957

SHA1
db5c1316d9b7c9a19045a461a9361ac52b2d8127

SHA256
95a8ae3d669ab4ff9cb2a3ecfa1e5753d86fd04aedd5b5ed2d194e8ac4e66121

SHA512
181130f74cfd8d7fa8508774ad518eaa5434e53793e77c16b222cdac0d3e320b2d3a3a636e619ba62b7ff6c714b0ec0a9a8032bf0bec8b6af7079e7abe1166fa

Download Submit
C:\Windows\{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe

Filesize
168KB

MD5
cc14dd7589df48496e2eb7c0b5e76d4c

SHA1
0048feae6dc11b8b92d037e8e418e18c7cac5eaf

SHA256
4d4ed7827c2f820582c0a49cb195360260064a5faf8f4498df666a6206f793cc

SHA512
20dd07025fd4dc6953a8c6174664bae956e6f4d19550da47dd20fb5ae367b65c4183b7be454b06645f1c504d85772be542abb7fa0e81b0ab3721f2a680dc3665

Download Submit
C:\Windows\{B8E4938E-5927-471c-AC5B-C4648A223D5C}.exe

Filesize
168KB

MD5
cc14dd7589df48496e2eb7c0b5e76d4c

SHA1
0048feae6dc11b8b92d037e8e418e18c7cac5eaf

SHA256
4d4ed7827c2f820582c0a49cb195360260064a5faf8f4498df666a6206f793cc

SHA512
20dd07025fd4dc6953a8c6174664bae956e6f4d19550da47dd20fb5ae367b65c4183b7be454b06645f1c504d85772be542abb7fa0e81b0ab3721f2a680dc3665

Download Submit
C:\Windows\{EE44F532-678F-4695-BDE7-157CB9F43417}.exe

Filesize
168KB

MD5
f8d1bf4e37cc3d1a0398f0443921e267

SHA1
20d237032bafc0fd14118c7f45deb44d4067fbeb

SHA256
e010a93c5625fa8551782a3ba271d6273a50ee0b1d4aabd5732e34f4a110ad00

SHA512
1dd8a980b35cd74c8ea6a8a107ac0eaf64fa756952f385da6ecd4fb4f4ff339ac27cbbe15f5e3997e3273701a366ba4f58beed118f6ed54f5d68e7fe0e7248c2

Download Submit
C:\Windows\{EE44F532-678F-4695-BDE7-157CB9F43417}.exe

Filesize
168KB

MD5
f8d1bf4e37cc3d1a0398f0443921e267

SHA1
20d237032bafc0fd14118c7f45deb44d4067fbeb

SHA256
e010a93c5625fa8551782a3ba271d6273a50ee0b1d4aabd5732e34f4a110ad00

SHA512
1dd8a980b35cd74c8ea6a8a107ac0eaf64fa756952f385da6ecd4fb4f4ff339ac27cbbe15f5e3997e3273701a366ba4f58beed118f6ed54f5d68e7fe0e7248c2

Download Submit
C:\Windows\{F0FDF0EC-DA12-4dc2-AFB2-E116002D69BF}.exe

Filesize
168KB

MD5
09fcaad796013e3e650ab87fdb61815a

SHA1
da17a2ab863991b5b6df2d534316ce4854603a81

SHA256
ae59b839f24bbd195fcbaebd64c844784bafa03ae35a8268300364df361bc096

SHA512
cf5412cd62074ad6609f1db11ac21e2b5457dd5cc6d0e32d51c36b3eb2aa177d20a3792fd5c6418f8948f7561eb6df3f42070ed79355309673b325cf5990758a

Download Submit
C:\Windows\{F0FDF0EC-DA12-4dc2-AFB2-E116002D69BF}.exe

Filesize
168KB

MD5
09fcaad796013e3e650ab87fdb61815a

SHA1
da17a2ab863991b5b6df2d534316ce4854603a81

SHA256
ae59b839f24bbd195fcbaebd64c844784bafa03ae35a8268300364df361bc096

SHA512
cf5412cd62074ad6609f1db11ac21e2b5457dd5cc6d0e32d51c36b3eb2aa177d20a3792fd5c6418f8948f7561eb6df3f42070ed79355309673b325cf5990758a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads