90e7b60eb9842770010598d81271ac0916154a4defcbea583d5843ed38111e1a

Analysis

max time kernel
149s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe
Size

168KB
MD5

e1b2c2a6754eefd8852dae88e505ab37
SHA1

f81ac56644802f170ae6601020421baa0a862846
SHA256

90e7b60eb9842770010598d81271ac0916154a4defcbea583d5843ed38111e1a
SHA512

16d9f80c4f520ebfa675c03177c3c0c7416aaecc0b33d42f0e2c3f2aedf331d190101d103ada9415986708319a1e6ebf994d0f6b2bed6f11b51eee63203d7f27
SSDEEP

1536:1EGh0oflq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oflqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}	{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91F55CE2-F618-49aa-94BC-B0E6C94DF13A}\stubpath = "C:\\Windows\\{91F55CE2-F618-49aa-94BC-B0E6C94DF13A}.exe"	{439FE25B-EB2C-4f74-88EC-D5AF8CC865F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9725D0BF-09AD-49d2-8FA8-DF778996430F}\stubpath = "C:\\Windows\\{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe"	{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}\stubpath = "C:\\Windows\\{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe"	{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3137FF64-BB17-4d17-85DE-BE1D97C258FA}\stubpath = "C:\\Windows\\{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe"	{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5311CB24-F42D-4120-A768-29E0DA246202}\stubpath = "C:\\Windows\\{5311CB24-F42D-4120-A768-29E0DA246202}.exe"	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}	{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3137FF64-BB17-4d17-85DE-BE1D97C258FA}	{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5FF3DD3-CF12-4435-8588-16C46543F062}\stubpath = "C:\\Windows\\{C5FF3DD3-CF12-4435-8588-16C46543F062}.exe"	{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{439FE25B-EB2C-4f74-88EC-D5AF8CC865F9}	{C5FF3DD3-CF12-4435-8588-16C46543F062}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5311CB24-F42D-4120-A768-29E0DA246202}	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B63523F-8008-4ae9-AB8E-992F1F0384CF}\stubpath = "C:\\Windows\\{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe"	{5311CB24-F42D-4120-A768-29E0DA246202}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}	{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}\stubpath = "C:\\Windows\\{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe"	{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39B3873D-1AA9-4fcb-B33E-4CBB87548036}	{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39B3873D-1AA9-4fcb-B33E-4CBB87548036}\stubpath = "C:\\Windows\\{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe"	{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9725D0BF-09AD-49d2-8FA8-DF778996430F}	{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46D9625D-C649-471c-96CF-96D4BF314FCD}	{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B63523F-8008-4ae9-AB8E-992F1F0384CF}	{5311CB24-F42D-4120-A768-29E0DA246202}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}\stubpath = "C:\\Windows\\{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe"	{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5FF3DD3-CF12-4435-8588-16C46543F062}	{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{439FE25B-EB2C-4f74-88EC-D5AF8CC865F9}\stubpath = "C:\\Windows\\{439FE25B-EB2C-4f74-88EC-D5AF8CC865F9}.exe"	{C5FF3DD3-CF12-4435-8588-16C46543F062}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91F55CE2-F618-49aa-94BC-B0E6C94DF13A}	{439FE25B-EB2C-4f74-88EC-D5AF8CC865F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46D9625D-C649-471c-96CF-96D4BF314FCD}\stubpath = "C:\\Windows\\{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe"	{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe

Executes dropped EXE 11 IoCs

pid	Process
3776	{5311CB24-F42D-4120-A768-29E0DA246202}.exe
4484	{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe
4820	{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe
1148	{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe
2380	{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe
1528	{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe
2544	{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe
3800	{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe
3872	{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe
1876	{C5FF3DD3-CF12-4435-8588-16C46543F062}.exe
2948	{439FE25B-EB2C-4f74-88EC-D5AF8CC865F9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe	{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe
File created	C:\Windows\{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe	{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe
File created	C:\Windows\{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe	{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe
File created	C:\Windows\{C5FF3DD3-CF12-4435-8588-16C46543F062}.exe	{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe
File created	C:\Windows\{439FE25B-EB2C-4f74-88EC-D5AF8CC865F9}.exe	{C5FF3DD3-CF12-4435-8588-16C46543F062}.exe
File created	C:\Windows\{5311CB24-F42D-4120-A768-29E0DA246202}.exe	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe
File created	C:\Windows\{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe	{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe
File created	C:\Windows\{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe	{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe
File created	C:\Windows\{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe	{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe
File created	C:\Windows\{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe	{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe
File created	C:\Windows\{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe	{5311CB24-F42D-4120-A768-29E0DA246202}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1020	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3776	{5311CB24-F42D-4120-A768-29E0DA246202}.exe
Token: SeIncBasePriorityPrivilege	4484	{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe
Token: SeIncBasePriorityPrivilege	4820	{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe
Token: SeIncBasePriorityPrivilege	1148	{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe
Token: SeIncBasePriorityPrivilege	2380	{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe
Token: SeIncBasePriorityPrivilege	1528	{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe
Token: SeIncBasePriorityPrivilege	2544	{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe
Token: SeIncBasePriorityPrivilege	3800	{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe
Token: SeIncBasePriorityPrivilege	3872	{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe
Token: SeIncBasePriorityPrivilege	1876	{C5FF3DD3-CF12-4435-8588-16C46543F062}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 3776	1020	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe	90
PID 1020 wrote to memory of 3776	1020	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe	90
PID 1020 wrote to memory of 3776	1020	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe	90
PID 1020 wrote to memory of 4808	1020	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe	91
PID 1020 wrote to memory of 4808	1020	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe	91
PID 1020 wrote to memory of 4808	1020	NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe	91
PID 3776 wrote to memory of 4484	3776	{5311CB24-F42D-4120-A768-29E0DA246202}.exe	92
PID 3776 wrote to memory of 4484	3776	{5311CB24-F42D-4120-A768-29E0DA246202}.exe	92
PID 3776 wrote to memory of 4484	3776	{5311CB24-F42D-4120-A768-29E0DA246202}.exe	92
PID 3776 wrote to memory of 3512	3776	{5311CB24-F42D-4120-A768-29E0DA246202}.exe	93
PID 3776 wrote to memory of 3512	3776	{5311CB24-F42D-4120-A768-29E0DA246202}.exe	93
PID 3776 wrote to memory of 3512	3776	{5311CB24-F42D-4120-A768-29E0DA246202}.exe	93
PID 4484 wrote to memory of 4820	4484	{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe	97
PID 4484 wrote to memory of 4820	4484	{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe	97
PID 4484 wrote to memory of 4820	4484	{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe	97
PID 4484 wrote to memory of 1948	4484	{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe	96
PID 4484 wrote to memory of 1948	4484	{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe	96
PID 4484 wrote to memory of 1948	4484	{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe	96
PID 4820 wrote to memory of 1148	4820	{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe	100
PID 4820 wrote to memory of 1148	4820	{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe	100
PID 4820 wrote to memory of 1148	4820	{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe	100
PID 4820 wrote to memory of 920	4820	{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe	101
PID 4820 wrote to memory of 920	4820	{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe	101
PID 4820 wrote to memory of 920	4820	{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe	101
PID 1148 wrote to memory of 2380	1148	{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe	102
PID 1148 wrote to memory of 2380	1148	{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe	102
PID 1148 wrote to memory of 2380	1148	{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe	102
PID 1148 wrote to memory of 668	1148	{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe	103
PID 1148 wrote to memory of 668	1148	{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe	103
PID 1148 wrote to memory of 668	1148	{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe	103
PID 2380 wrote to memory of 1528	2380	{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe	104
PID 2380 wrote to memory of 1528	2380	{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe	104
PID 2380 wrote to memory of 1528	2380	{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe	104
PID 2380 wrote to memory of 4476	2380	{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe	105
PID 2380 wrote to memory of 4476	2380	{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe	105
PID 2380 wrote to memory of 4476	2380	{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe	105
PID 1528 wrote to memory of 2544	1528	{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe	106
PID 1528 wrote to memory of 2544	1528	{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe	106
PID 1528 wrote to memory of 2544	1528	{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe	106
PID 1528 wrote to memory of 1696	1528	{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe	107
PID 1528 wrote to memory of 1696	1528	{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe	107
PID 1528 wrote to memory of 1696	1528	{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe	107
PID 2544 wrote to memory of 3800	2544	{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe	108
PID 2544 wrote to memory of 3800	2544	{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe	108
PID 2544 wrote to memory of 3800	2544	{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe	108
PID 2544 wrote to memory of 1472	2544	{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe	109
PID 2544 wrote to memory of 1472	2544	{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe	109
PID 2544 wrote to memory of 1472	2544	{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe	109
PID 3800 wrote to memory of 3872	3800	{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe	110
PID 3800 wrote to memory of 3872	3800	{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe	110
PID 3800 wrote to memory of 3872	3800	{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe	110
PID 3800 wrote to memory of 2868	3800	{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe	111
PID 3800 wrote to memory of 2868	3800	{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe	111
PID 3800 wrote to memory of 2868	3800	{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe	111
PID 3872 wrote to memory of 1876	3872	{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe	112
PID 3872 wrote to memory of 1876	3872	{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe	112
PID 3872 wrote to memory of 1876	3872	{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe	112
PID 3872 wrote to memory of 2348	3872	{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe	113
PID 3872 wrote to memory of 2348	3872	{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe	113
PID 3872 wrote to memory of 2348	3872	{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe	113
PID 1876 wrote to memory of 2948	1876	{C5FF3DD3-CF12-4435-8588-16C46543F062}.exe	114
PID 1876 wrote to memory of 2948	1876	{C5FF3DD3-CF12-4435-8588-16C46543F062}.exe	114
PID 1876 wrote to memory of 2948	1876	{C5FF3DD3-CF12-4435-8588-16C46543F062}.exe	114
PID 1876 wrote to memory of 4348	1876	{C5FF3DD3-CF12-4435-8588-16C46543F062}.exe	115

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_e1b2c2a6754eefd8852dae88e505ab37_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\{5311CB24-F42D-4120-A768-29E0DA246202}.exe
  C:\Windows\{5311CB24-F42D-4120-A768-29E0DA246202}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe
    C:\Windows\{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0B635~1.EXE > nul
      4⤵
      PID:1948
  - - C:\Windows\{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe
      C:\Windows\{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Windows\{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe
        
        C:\Windows\{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Windows\{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe
        
        C:\Windows\{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe
        
        C:\Windows\{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe
        
        C:\Windows\{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe
        
        C:\Windows\{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe
        
        C:\Windows\{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\{C5FF3DD3-CF12-4435-8588-16C46543F062}.exe
        
        C:\Windows\{C5FF3DD3-CF12-4435-8588-16C46543F062}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\{439FE25B-EB2C-4f74-88EC-D5AF8CC865F9}.exe
        
        C:\Windows\{439FE25B-EB2C-4f74-88EC-D5AF8CC865F9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\{91F55CE2-F618-49aa-94BC-B0E6C94DF13A}.exe
        
        C:\Windows\{91F55CE2-F618-49aa-94BC-B0E6C94DF13A}.exe
        13⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{439FE~1.EXE > nul
        13⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5FF3~1.EXE > nul
        12⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03F22~1.EXE > nul
        11⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3137F~1.EXE > nul
        10⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46D96~1.EXE > nul
        9⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9725D~1.EXE > nul
        8⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39B38~1.EXE > nul
        7⤵
        
        PID:4476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4ACAE~1.EXE > nul
        6⤵
        
        PID:668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7D04~1.EXE > nul
        5⤵
        
        PID:920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5311C~1.EXE > nul
    3⤵
    PID:3512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe

Filesize
168KB

MD5
01951d5b6f6acb94ea06efd6148f8863

SHA1
1b3a3ced277ae7e5cba2de6743d97302555d2cd9

SHA256
f4f280793c12138e750c0a8b408e9edcb3619607a1f35343e43cc342151c6dcd

SHA512
827221d31d2a692a4b092c07beb7197b038b32c06171734ba53f6d04750263a7a1639e9d2777eea90545d60366750c5e7aeff0f5a3e82513b3dd49c9d7c70a7c

Download Submit
C:\Windows\{03F22D84-13AC-41e5-8F11-6ED4F648DB7F}.exe

Filesize
168KB

MD5
01951d5b6f6acb94ea06efd6148f8863

SHA1
1b3a3ced277ae7e5cba2de6743d97302555d2cd9

SHA256
f4f280793c12138e750c0a8b408e9edcb3619607a1f35343e43cc342151c6dcd

SHA512
827221d31d2a692a4b092c07beb7197b038b32c06171734ba53f6d04750263a7a1639e9d2777eea90545d60366750c5e7aeff0f5a3e82513b3dd49c9d7c70a7c

Download Submit
C:\Windows\{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe

Filesize
168KB

MD5
9c34a5a30bf917d7352d01d7b740913e

SHA1
69cfa3c5f1d9146b284bd4930abb32dadbc040df

SHA256
30649d556e3d67a4ee661e9cc46c32418104537377e49c3b0c515a1a0570b1bf

SHA512
0eadb1295cdc91c4dc7ee75090eddb2ebfc6ca48a2902b53dbd128f9b916608a46252d94d47b3ecf6c15e40b713bddacb110da83e4822f0e208efaa41cc5a32a

Download Submit
C:\Windows\{0B63523F-8008-4ae9-AB8E-992F1F0384CF}.exe

Filesize
168KB

MD5
9c34a5a30bf917d7352d01d7b740913e

SHA1
69cfa3c5f1d9146b284bd4930abb32dadbc040df

SHA256
30649d556e3d67a4ee661e9cc46c32418104537377e49c3b0c515a1a0570b1bf

SHA512
0eadb1295cdc91c4dc7ee75090eddb2ebfc6ca48a2902b53dbd128f9b916608a46252d94d47b3ecf6c15e40b713bddacb110da83e4822f0e208efaa41cc5a32a

Download Submit
C:\Windows\{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe

Filesize
168KB

MD5
66b9a947682aa6f4e232c590f99ea25d

SHA1
6674ea04cc2a9a1d1b72e0018a24712af6ec5e08

SHA256
b3032718865f09d603e1f977627e8cc89edb7b380daf918174ca9ae3679509cf

SHA512
139a89cc105fde890fd806c42492c21cec9205d7473564a4760ded2c7a58ba3108a83a544de5e233acfea7db077262883859766f47aeeae6d28b9e78b77d6a6d

Download Submit
C:\Windows\{3137FF64-BB17-4d17-85DE-BE1D97C258FA}.exe

Filesize
168KB

MD5
66b9a947682aa6f4e232c590f99ea25d

SHA1
6674ea04cc2a9a1d1b72e0018a24712af6ec5e08

SHA256
b3032718865f09d603e1f977627e8cc89edb7b380daf918174ca9ae3679509cf

SHA512
139a89cc105fde890fd806c42492c21cec9205d7473564a4760ded2c7a58ba3108a83a544de5e233acfea7db077262883859766f47aeeae6d28b9e78b77d6a6d

Download Submit
C:\Windows\{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe

Filesize
168KB

MD5
a6fd2ce93f1a1c3793542eda90d89b1f

SHA1
11147f3a97e6202bf5e6dca8218d800c28420922

SHA256
71cf2e1f84d4657b5490e6a15c1fa455cbc6d1910a5bfb88da9a53f33eecd0f3

SHA512
f5ae21cae32dde67d38c2fd7433cd85a83f2a455092443fdf490b9d44607fd6ee775e397a849c77a0cdf6a9f054476d7d8747d0c2e0354834c9e88aea4dbe263

Download Submit
C:\Windows\{39B3873D-1AA9-4fcb-B33E-4CBB87548036}.exe

Filesize
168KB

MD5
a6fd2ce93f1a1c3793542eda90d89b1f

SHA1
11147f3a97e6202bf5e6dca8218d800c28420922

SHA256
71cf2e1f84d4657b5490e6a15c1fa455cbc6d1910a5bfb88da9a53f33eecd0f3

SHA512
f5ae21cae32dde67d38c2fd7433cd85a83f2a455092443fdf490b9d44607fd6ee775e397a849c77a0cdf6a9f054476d7d8747d0c2e0354834c9e88aea4dbe263

Download Submit
C:\Windows\{439FE25B-EB2C-4f74-88EC-D5AF8CC865F9}.exe

Filesize
168KB

MD5
f1d12145d930782cbbb88b69757b4882

SHA1
62c3e1ff1bebc6d66576c514bfd8dca455bb8102

SHA256
f773828f65a87956d73916acf3dee561508ca291a7258b81af0f0ef3805e09a0

SHA512
c5720afc839299e9c96d03fa310f00d9f3cea5a56d989ee29153112a0003752fd4d45384d2ae07f0323297445f7c6b081ef492f1c91123aab8ebd35a8b1d43a9

Download Submit
C:\Windows\{439FE25B-EB2C-4f74-88EC-D5AF8CC865F9}.exe

Filesize
168KB

MD5
f1d12145d930782cbbb88b69757b4882

SHA1
62c3e1ff1bebc6d66576c514bfd8dca455bb8102

SHA256
f773828f65a87956d73916acf3dee561508ca291a7258b81af0f0ef3805e09a0

SHA512
c5720afc839299e9c96d03fa310f00d9f3cea5a56d989ee29153112a0003752fd4d45384d2ae07f0323297445f7c6b081ef492f1c91123aab8ebd35a8b1d43a9

Download Submit
C:\Windows\{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe

Filesize
168KB

MD5
7580e57d20518cf8a7102fd24d145fa6

SHA1
20aac4ebdd02e5c6c300ad68bc64bf355611a4a6

SHA256
c31a86416298975012fe6bd9a97e86afbb668d7adeb71caa6d7ce3b4a40b9222

SHA512
e5ff4613d0955aaa877f3c5bd1b1b7d46dc9e465df2e1a7199d2d3c6a871338ac9b4a116fbb60433c3a3aa811376323c3247cf4a0faffdb90b13e22dc0de11a6

Download Submit
C:\Windows\{46D9625D-C649-471c-96CF-96D4BF314FCD}.exe

Filesize
168KB

MD5
7580e57d20518cf8a7102fd24d145fa6

SHA1
20aac4ebdd02e5c6c300ad68bc64bf355611a4a6

SHA256
c31a86416298975012fe6bd9a97e86afbb668d7adeb71caa6d7ce3b4a40b9222

SHA512
e5ff4613d0955aaa877f3c5bd1b1b7d46dc9e465df2e1a7199d2d3c6a871338ac9b4a116fbb60433c3a3aa811376323c3247cf4a0faffdb90b13e22dc0de11a6

Download Submit
C:\Windows\{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe

Filesize
168KB

MD5
17beb95289796f470592f15d96d55759

SHA1
b8f6114dbe2b6d5baa466c4241b9310b6f62ebc7

SHA256
6d62c941d38a65d70f998e9f4aefae2651d9b50de6cd85870612aaf6e4a3000a

SHA512
6852a29a4e8dbbb6f4acc5c7b6c7b1f79c6bb3b24a592946fcd6e5f1ff40b08f900db8ca8e6cf7c62432aaf72433f7846295d8805be92915c0c404ccae684d95

Download Submit
C:\Windows\{4ACAEEB4-81E3-4c84-BDAC-4312364D2816}.exe

Filesize
168KB

MD5
17beb95289796f470592f15d96d55759

SHA1
b8f6114dbe2b6d5baa466c4241b9310b6f62ebc7

SHA256
6d62c941d38a65d70f998e9f4aefae2651d9b50de6cd85870612aaf6e4a3000a

SHA512
6852a29a4e8dbbb6f4acc5c7b6c7b1f79c6bb3b24a592946fcd6e5f1ff40b08f900db8ca8e6cf7c62432aaf72433f7846295d8805be92915c0c404ccae684d95

Download Submit
C:\Windows\{5311CB24-F42D-4120-A768-29E0DA246202}.exe

Filesize
168KB

MD5
368bbeca8cfc77ea09b054ae9e79e3b5

SHA1
09a30e25214b8ff699020ccfd17ea4dc581263d1

SHA256
bd04ef577c3ad56b503ebeb81274718bce51a0877ad91533c69db75a706c3f27

SHA512
15462ba76ddc8213b2e51cfe7100634083ec22ecfb7760e9331b513ef79eae8962355dbb62b87eac08209f22a839c2cd5454db7dfcae3b79e2e169989ea8f304

Download Submit
C:\Windows\{5311CB24-F42D-4120-A768-29E0DA246202}.exe

Filesize
168KB

MD5
368bbeca8cfc77ea09b054ae9e79e3b5

SHA1
09a30e25214b8ff699020ccfd17ea4dc581263d1

SHA256
bd04ef577c3ad56b503ebeb81274718bce51a0877ad91533c69db75a706c3f27

SHA512
15462ba76ddc8213b2e51cfe7100634083ec22ecfb7760e9331b513ef79eae8962355dbb62b87eac08209f22a839c2cd5454db7dfcae3b79e2e169989ea8f304

Download Submit
C:\Windows\{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe

Filesize
168KB

MD5
c2df6b93d27e5ac45972dba0aa7c4351

SHA1
f2170b24e3f037ad1bd9f1581d019d1492e84b9b

SHA256
6ef1fcb682603845564b4e41659fc10726694c2bfe5cfe4d8626ff82d0cc31c1

SHA512
9e2f4753a4a7f4547298f7a5b324e03922c5b2e5e5180bcc24924a426a52c7089d762fec820fecaa86533f9a04ed3d06cf46459002d24a61edae360b525da753

Download Submit
C:\Windows\{9725D0BF-09AD-49d2-8FA8-DF778996430F}.exe

Filesize
168KB

MD5
c2df6b93d27e5ac45972dba0aa7c4351

SHA1
f2170b24e3f037ad1bd9f1581d019d1492e84b9b

SHA256
6ef1fcb682603845564b4e41659fc10726694c2bfe5cfe4d8626ff82d0cc31c1

SHA512
9e2f4753a4a7f4547298f7a5b324e03922c5b2e5e5180bcc24924a426a52c7089d762fec820fecaa86533f9a04ed3d06cf46459002d24a61edae360b525da753

Download Submit
C:\Windows\{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe

Filesize
168KB

MD5
b586e269544b6119f35e508114024c93

SHA1
47facafe85930295e59f3f3c075c607298592fd3

SHA256
25d2e6e04a77836f9711553e3a0fb3db66df0e2d1dfc98fc899ed722d11bed75

SHA512
a3c90ed8b18c4c9afde43200d7a9eadefdc682f549455b3e9b2b6793ccf7f00d2f02fa1e5899c59e1c0f5606d2eb91a1eaac99716c13ed4eca332ee8a4150850

Download Submit
C:\Windows\{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe

Filesize
168KB

MD5
b586e269544b6119f35e508114024c93

SHA1
47facafe85930295e59f3f3c075c607298592fd3

SHA256
25d2e6e04a77836f9711553e3a0fb3db66df0e2d1dfc98fc899ed722d11bed75

SHA512
a3c90ed8b18c4c9afde43200d7a9eadefdc682f549455b3e9b2b6793ccf7f00d2f02fa1e5899c59e1c0f5606d2eb91a1eaac99716c13ed4eca332ee8a4150850

Download Submit
C:\Windows\{B7D04DBB-D0CD-4cbe-AAFA-94D1B5E322E7}.exe

Filesize
168KB

MD5
b586e269544b6119f35e508114024c93

SHA1
47facafe85930295e59f3f3c075c607298592fd3

SHA256
25d2e6e04a77836f9711553e3a0fb3db66df0e2d1dfc98fc899ed722d11bed75

SHA512
a3c90ed8b18c4c9afde43200d7a9eadefdc682f549455b3e9b2b6793ccf7f00d2f02fa1e5899c59e1c0f5606d2eb91a1eaac99716c13ed4eca332ee8a4150850

Download Submit
C:\Windows\{C5FF3DD3-CF12-4435-8588-16C46543F062}.exe

Filesize
168KB

MD5
0b05a048f9c240718688e7db532c6804

SHA1
6af044bb129afe7ccf709a558bc6b8b50fe816ed

SHA256
2c318ca119374a1b15cd03b1adbe6694605a309c1f377bb061a3d02a7f58ec29

SHA512
82fb353d5f4777621bdc75fd86722bef2f4457320b1213a82a7c8b76e7eadaab95bee82776dc82955f8170b0ba2024f458eece6b729ab8a94eae013e5b23b49b

Download Submit
C:\Windows\{C5FF3DD3-CF12-4435-8588-16C46543F062}.exe

Filesize
168KB

MD5
0b05a048f9c240718688e7db532c6804

SHA1
6af044bb129afe7ccf709a558bc6b8b50fe816ed

SHA256
2c318ca119374a1b15cd03b1adbe6694605a309c1f377bb061a3d02a7f58ec29

SHA512
82fb353d5f4777621bdc75fd86722bef2f4457320b1213a82a7c8b76e7eadaab95bee82776dc82955f8170b0ba2024f458eece6b729ab8a94eae013e5b23b49b

Download Submit
memory/2948-44-0x00000000038E0000-0x00000000039BB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads