045d2e4a71d63016798af23763e7a844f139726f344cde3d3e4b1a5676e946ab

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 20:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe
Size

204KB
MD5

3304d8db6dbc78a9ec51e4b82dfc0cc5
SHA1

c90d9efdce5c46ea2e8e51d87ac61a53090373cd
SHA256

045d2e4a71d63016798af23763e7a844f139726f344cde3d3e4b1a5676e946ab
SHA512

e407729224e01f2c90dc9e4fe17c4110f10ce8e12e17542a1fa83546cc5b129e6ad3ebb747e3b19329f56fa5e40300042d0b2f461411b96173ba7ff5cdac0421
SSDEEP

1536:1EGh0oBl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oBl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9037C3BB-F8E8-48d6-9E55-407E366CE106}	{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}	{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BC3AB5D-539D-4943-993A-FCE601E2A07B}	{2B2A960A-9512-45e1-8E52-1F1E9661C6C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BC3AB5D-539D-4943-993A-FCE601E2A07B}\stubpath = "C:\\Windows\\{0BC3AB5D-539D-4943-993A-FCE601E2A07B}.exe"	{2B2A960A-9512-45e1-8E52-1F1E9661C6C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{729589F3-569D-465f-8993-73DFF128C702}	{0BC3AB5D-539D-4943-993A-FCE601E2A07B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F633A8B2-3E13-4b35-B1FF-6567D3E5EABA}	{729589F3-569D-465f-8993-73DFF128C702}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{363A5E10-7077-484f-BC5E-41272B0D11DF}	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{363A5E10-7077-484f-BC5E-41272B0D11DF}\stubpath = "C:\\Windows\\{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe"	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}\stubpath = "C:\\Windows\\{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe"	{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F7627AF-C2FE-491f-BC78-D3959C73DA77}	{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{729589F3-569D-465f-8993-73DFF128C702}\stubpath = "C:\\Windows\\{729589F3-569D-465f-8993-73DFF128C702}.exe"	{0BC3AB5D-539D-4943-993A-FCE601E2A07B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9037C3BB-F8E8-48d6-9E55-407E366CE106}\stubpath = "C:\\Windows\\{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe"	{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D477DC2-8D42-4afe-9276-20EBF039773C}\stubpath = "C:\\Windows\\{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe"	{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19B345A2-4505-41fa-A80F-B3B443D6C313}	{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19B345A2-4505-41fa-A80F-B3B443D6C313}\stubpath = "C:\\Windows\\{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe"	{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F7627AF-C2FE-491f-BC78-D3959C73DA77}\stubpath = "C:\\Windows\\{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe"	{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B2A960A-9512-45e1-8E52-1F1E9661C6C4}\stubpath = "C:\\Windows\\{2B2A960A-9512-45e1-8E52-1F1E9661C6C4}.exe"	{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F633A8B2-3E13-4b35-B1FF-6567D3E5EABA}\stubpath = "C:\\Windows\\{F633A8B2-3E13-4b35-B1FF-6567D3E5EABA}.exe"	{729589F3-569D-465f-8993-73DFF128C702}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}\stubpath = "C:\\Windows\\{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe"	{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}	{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D477DC2-8D42-4afe-9276-20EBF039773C}	{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B2A960A-9512-45e1-8E52-1F1E9661C6C4}	{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe

Deletes itself 1 IoCs

pid	Process
2428	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1172	{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe
2124	{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe
2720	{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe
2844	{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe
2960	{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe
2576	{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe
2656	{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe
1968	{2B2A960A-9512-45e1-8E52-1F1E9661C6C4}.exe
2968	{0BC3AB5D-539D-4943-993A-FCE601E2A07B}.exe
1696	{729589F3-569D-465f-8993-73DFF128C702}.exe
1964	{F633A8B2-3E13-4b35-B1FF-6567D3E5EABA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe	{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe
File created	C:\Windows\{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe	{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe
File created	C:\Windows\{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe	{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe
File created	C:\Windows\{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe	{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe
File created	C:\Windows\{2B2A960A-9512-45e1-8E52-1F1E9661C6C4}.exe	{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe
File created	C:\Windows\{0BC3AB5D-539D-4943-993A-FCE601E2A07B}.exe	{2B2A960A-9512-45e1-8E52-1F1E9661C6C4}.exe
File created	C:\Windows\{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe
File created	C:\Windows\{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe	{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe
File created	C:\Windows\{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe	{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe
File created	C:\Windows\{729589F3-569D-465f-8993-73DFF128C702}.exe	{0BC3AB5D-539D-4943-993A-FCE601E2A07B}.exe
File created	C:\Windows\{F633A8B2-3E13-4b35-B1FF-6567D3E5EABA}.exe	{729589F3-569D-465f-8993-73DFF128C702}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3068	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1172	{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe
Token: SeIncBasePriorityPrivilege	2124	{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe
Token: SeIncBasePriorityPrivilege	2720	{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe
Token: SeIncBasePriorityPrivilege	2844	{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe
Token: SeIncBasePriorityPrivilege	2960	{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe
Token: SeIncBasePriorityPrivilege	2576	{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe
Token: SeIncBasePriorityPrivilege	2656	{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe
Token: SeIncBasePriorityPrivilege	1968	{2B2A960A-9512-45e1-8E52-1F1E9661C6C4}.exe
Token: SeIncBasePriorityPrivilege	2968	{0BC3AB5D-539D-4943-993A-FCE601E2A07B}.exe
Token: SeIncBasePriorityPrivilege	1696	{729589F3-569D-465f-8993-73DFF128C702}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1172	3068	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe	28
PID 3068 wrote to memory of 1172	3068	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe	28
PID 3068 wrote to memory of 1172	3068	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe	28
PID 3068 wrote to memory of 1172	3068	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe	28
PID 3068 wrote to memory of 2428	3068	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe	29
PID 3068 wrote to memory of 2428	3068	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe	29
PID 3068 wrote to memory of 2428	3068	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe	29
PID 3068 wrote to memory of 2428	3068	NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe	29
PID 1172 wrote to memory of 2124	1172	{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe	30
PID 1172 wrote to memory of 2124	1172	{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe	30
PID 1172 wrote to memory of 2124	1172	{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe	30
PID 1172 wrote to memory of 2124	1172	{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe	30
PID 1172 wrote to memory of 2672	1172	{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe	31
PID 1172 wrote to memory of 2672	1172	{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe	31
PID 1172 wrote to memory of 2672	1172	{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe	31
PID 1172 wrote to memory of 2672	1172	{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe	31
PID 2124 wrote to memory of 2720	2124	{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe	34
PID 2124 wrote to memory of 2720	2124	{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe	34
PID 2124 wrote to memory of 2720	2124	{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe	34
PID 2124 wrote to memory of 2720	2124	{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe	34
PID 2124 wrote to memory of 1420	2124	{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe	35
PID 2124 wrote to memory of 1420	2124	{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe	35
PID 2124 wrote to memory of 1420	2124	{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe	35
PID 2124 wrote to memory of 1420	2124	{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe	35
PID 2720 wrote to memory of 2844	2720	{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe	36
PID 2720 wrote to memory of 2844	2720	{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe	36
PID 2720 wrote to memory of 2844	2720	{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe	36
PID 2720 wrote to memory of 2844	2720	{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe	36
PID 2720 wrote to memory of 2836	2720	{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe	37
PID 2720 wrote to memory of 2836	2720	{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe	37
PID 2720 wrote to memory of 2836	2720	{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe	37
PID 2720 wrote to memory of 2836	2720	{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe	37
PID 2844 wrote to memory of 2960	2844	{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe	38
PID 2844 wrote to memory of 2960	2844	{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe	38
PID 2844 wrote to memory of 2960	2844	{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe	38
PID 2844 wrote to memory of 2960	2844	{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe	38
PID 2844 wrote to memory of 2748	2844	{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe	39
PID 2844 wrote to memory of 2748	2844	{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe	39
PID 2844 wrote to memory of 2748	2844	{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe	39
PID 2844 wrote to memory of 2748	2844	{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe	39
PID 2960 wrote to memory of 2576	2960	{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe	40
PID 2960 wrote to memory of 2576	2960	{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe	40
PID 2960 wrote to memory of 2576	2960	{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe	40
PID 2960 wrote to memory of 2576	2960	{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe	40
PID 2960 wrote to memory of 2608	2960	{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe	41
PID 2960 wrote to memory of 2608	2960	{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe	41
PID 2960 wrote to memory of 2608	2960	{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe	41
PID 2960 wrote to memory of 2608	2960	{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe	41
PID 2576 wrote to memory of 2656	2576	{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe	43
PID 2576 wrote to memory of 2656	2576	{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe	43
PID 2576 wrote to memory of 2656	2576	{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe	43
PID 2576 wrote to memory of 2656	2576	{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe	43
PID 2576 wrote to memory of 1952	2576	{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe	42
PID 2576 wrote to memory of 1952	2576	{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe	42
PID 2576 wrote to memory of 1952	2576	{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe	42
PID 2576 wrote to memory of 1952	2576	{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe	42
PID 2656 wrote to memory of 1968	2656	{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe	44
PID 2656 wrote to memory of 1968	2656	{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe	44
PID 2656 wrote to memory of 1968	2656	{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe	44
PID 2656 wrote to memory of 1968	2656	{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe	44
PID 2656 wrote to memory of 2928	2656	{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe	45
PID 2656 wrote to memory of 2928	2656	{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe	45
PID 2656 wrote to memory of 2928	2656	{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe	45
PID 2656 wrote to memory of 2928	2656	{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_3304d8db6dbc78a9ec51e4b82dfc0cc5_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe
  C:\Windows\{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe
    C:\Windows\{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe
      C:\Windows\{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe
        
        C:\Windows\{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Windows\{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe
        
        C:\Windows\{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe
        
        C:\Windows\{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19B34~1.EXE > nul
        8⤵
        
        PID:1952
        
        C:\Windows\{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe
        
        C:\Windows\{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\{2B2A960A-9512-45e1-8E52-1F1E9661C6C4}.exe
        
        C:\Windows\{2B2A960A-9512-45e1-8E52-1F1E9661C6C4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\{0BC3AB5D-539D-4943-993A-FCE601E2A07B}.exe
        
        C:\Windows\{0BC3AB5D-539D-4943-993A-FCE601E2A07B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\{729589F3-569D-465f-8993-73DFF128C702}.exe
        
        C:\Windows\{729589F3-569D-465f-8993-73DFF128C702}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\{F633A8B2-3E13-4b35-B1FF-6567D3E5EABA}.exe
        
        C:\Windows\{F633A8B2-3E13-4b35-B1FF-6567D3E5EABA}.exe
        12⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72958~1.EXE > nul
        12⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BC3A~1.EXE > nul
        11⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B2A9~1.EXE > nul
        10⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F762~1.EXE > nul
        9⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABE3D~1.EXE > nul
        7⤵
        
        PID:2608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DE7C~1.EXE > nul
        6⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D477~1.EXE > nul
        5⤵
        
        PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9037C~1.EXE > nul
      4⤵
      PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{363A5~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BC3AB5D-539D-4943-993A-FCE601E2A07B}.exe

Filesize
204KB

MD5
f42ad9351bdeb291d2bf6739ce8e6f0a

SHA1
961de797b2a2ab6e0ed0f7a2ece7dcaf439b7879

SHA256
e9c2886af801f9854dc313428d64b53dcf2c7552784f051c29ed61a56be64823

SHA512
5aed73f332a5b758a7f8e49757983a0eaac67206aa17ca2381298e2a2222e5e87d380c3937508d784a9f711c43b6b231f07b02c883e1a565bcdc3d72d5533f00

Download Submit
C:\Windows\{0BC3AB5D-539D-4943-993A-FCE601E2A07B}.exe

Filesize
204KB

MD5
f42ad9351bdeb291d2bf6739ce8e6f0a

SHA1
961de797b2a2ab6e0ed0f7a2ece7dcaf439b7879

SHA256
e9c2886af801f9854dc313428d64b53dcf2c7552784f051c29ed61a56be64823

SHA512
5aed73f332a5b758a7f8e49757983a0eaac67206aa17ca2381298e2a2222e5e87d380c3937508d784a9f711c43b6b231f07b02c883e1a565bcdc3d72d5533f00

Download Submit
C:\Windows\{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe

Filesize
204KB

MD5
65d93108c720a248d7cd8d6c08de20aa

SHA1
3a7e85c075fd52e8bb13dd6965bcdf88baf6f388

SHA256
341576322111d041dbe5183568fdc2e97ca359e36ec457271de4ff5fd14433f5

SHA512
42b59b2deeea1e869c1367eec308ae90f9fa45a7fb4493ae83e48512c6ac92613b79d009eaae48f64b81eb7a10996ade5ad48a2734ca924155a375efc136c8c6

Download Submit
C:\Windows\{19B345A2-4505-41fa-A80F-B3B443D6C313}.exe

Filesize
204KB

MD5
65d93108c720a248d7cd8d6c08de20aa

SHA1
3a7e85c075fd52e8bb13dd6965bcdf88baf6f388

SHA256
341576322111d041dbe5183568fdc2e97ca359e36ec457271de4ff5fd14433f5

SHA512
42b59b2deeea1e869c1367eec308ae90f9fa45a7fb4493ae83e48512c6ac92613b79d009eaae48f64b81eb7a10996ade5ad48a2734ca924155a375efc136c8c6

Download Submit
C:\Windows\{2B2A960A-9512-45e1-8E52-1F1E9661C6C4}.exe

Filesize
204KB

MD5
6f86d8f39be6b44e1a0a603ffffab4c9

SHA1
e8a9f0eddc3f2b790a66af05f548f54e94daeadf

SHA256
a872cace2ad855a97b65a9b0eecdbf2f5a132df20277f76a3459aad10e77aeec

SHA512
9d14a912a922d6895a6e8be5fbd4a1e96ade526749ed1e7eb9aeaa34bfe532601d550d62ba68758a7d2665e3250c1cab19eaff4d2b50a3069098a0d6449a8c13

Download Submit
C:\Windows\{2B2A960A-9512-45e1-8E52-1F1E9661C6C4}.exe

Filesize
204KB

MD5
6f86d8f39be6b44e1a0a603ffffab4c9

SHA1
e8a9f0eddc3f2b790a66af05f548f54e94daeadf

SHA256
a872cace2ad855a97b65a9b0eecdbf2f5a132df20277f76a3459aad10e77aeec

SHA512
9d14a912a922d6895a6e8be5fbd4a1e96ade526749ed1e7eb9aeaa34bfe532601d550d62ba68758a7d2665e3250c1cab19eaff4d2b50a3069098a0d6449a8c13

Download Submit
C:\Windows\{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe

Filesize
204KB

MD5
c38c4a237a573e6dce79a2c173512874

SHA1
e09b9810ca7ef9def6ed46d54aef2ba4f679d175

SHA256
ba329c40e7805ba16b959b2772b144cc9651c8350e66b5e0163ec2c35fa14cf1

SHA512
16b9cbbb1f6d7a4ed26ae2255705dad7477a3c0f9f6721544819fe2737babe2f25592306a743ed28ed576f6d4631b2e9d0a139b8c8c8a1ba0ae70df7af8179f9

Download Submit
C:\Windows\{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe

Filesize
204KB

MD5
c38c4a237a573e6dce79a2c173512874

SHA1
e09b9810ca7ef9def6ed46d54aef2ba4f679d175

SHA256
ba329c40e7805ba16b959b2772b144cc9651c8350e66b5e0163ec2c35fa14cf1

SHA512
16b9cbbb1f6d7a4ed26ae2255705dad7477a3c0f9f6721544819fe2737babe2f25592306a743ed28ed576f6d4631b2e9d0a139b8c8c8a1ba0ae70df7af8179f9

Download Submit
C:\Windows\{363A5E10-7077-484f-BC5E-41272B0D11DF}.exe

Filesize
204KB

MD5
c38c4a237a573e6dce79a2c173512874

SHA1
e09b9810ca7ef9def6ed46d54aef2ba4f679d175

SHA256
ba329c40e7805ba16b959b2772b144cc9651c8350e66b5e0163ec2c35fa14cf1

SHA512
16b9cbbb1f6d7a4ed26ae2255705dad7477a3c0f9f6721544819fe2737babe2f25592306a743ed28ed576f6d4631b2e9d0a139b8c8c8a1ba0ae70df7af8179f9

Download Submit
C:\Windows\{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe

Filesize
204KB

MD5
0c7530413a9738956dc4a724b52d532c

SHA1
4c94ae8412cb95366aa884636baca520881ea685

SHA256
6e2fd06725648f62009a54201b3ca86000f751650c808e60e43013448feb9b67

SHA512
d9a963e10ec7c6651f93126364ded36a5b06da5b38a742b62bc500ed000c8b0d4ad092b90a3ff439f67df4cbadff37f19aea8b0963931f7ea85850869fffeba6

Download Submit
C:\Windows\{4D477DC2-8D42-4afe-9276-20EBF039773C}.exe

Filesize
204KB

MD5
0c7530413a9738956dc4a724b52d532c

SHA1
4c94ae8412cb95366aa884636baca520881ea685

SHA256
6e2fd06725648f62009a54201b3ca86000f751650c808e60e43013448feb9b67

SHA512
d9a963e10ec7c6651f93126364ded36a5b06da5b38a742b62bc500ed000c8b0d4ad092b90a3ff439f67df4cbadff37f19aea8b0963931f7ea85850869fffeba6

Download Submit
C:\Windows\{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe

Filesize
204KB

MD5
dbff2b8570392ec581daac216a9777e4

SHA1
9eaa193becd5edd9040de27cd2b141cdc43125d0

SHA256
3dd96b878cafec2d77a7dbc4480ccab1e28c8eceb8c6f4f964f03d8191794941

SHA512
40c87152b8bb3ce9daf23279fdd4e37dccb268862bc7dfe7fe1110fa67a8caaf770f2cef8b8abaf224d650be0092223fe04623cc0fd4231022a5467f07bdd5e3

Download Submit
C:\Windows\{6F7627AF-C2FE-491f-BC78-D3959C73DA77}.exe

Filesize
204KB

MD5
dbff2b8570392ec581daac216a9777e4

SHA1
9eaa193becd5edd9040de27cd2b141cdc43125d0

SHA256
3dd96b878cafec2d77a7dbc4480ccab1e28c8eceb8c6f4f964f03d8191794941

SHA512
40c87152b8bb3ce9daf23279fdd4e37dccb268862bc7dfe7fe1110fa67a8caaf770f2cef8b8abaf224d650be0092223fe04623cc0fd4231022a5467f07bdd5e3

Download Submit
C:\Windows\{729589F3-569D-465f-8993-73DFF128C702}.exe

Filesize
204KB

MD5
a12d483646c78ca0d041fb27ee43eee8

SHA1
bd638a92280650581fa9702882d3ed8baa79e588

SHA256
c778da923e5f0cf9ab908f9c441e25b039abf3a5aef8d066c558bcd37dbe5fc6

SHA512
36cf981d0c2fdb7d12b698dbafe09228348ffeab385035700d21e85920b7d3eb0fcde31daca93cc06ae3c21b413a27255bda6f01977b19936793f5f9646667dc

Download Submit
C:\Windows\{729589F3-569D-465f-8993-73DFF128C702}.exe

Filesize
204KB

MD5
a12d483646c78ca0d041fb27ee43eee8

SHA1
bd638a92280650581fa9702882d3ed8baa79e588

SHA256
c778da923e5f0cf9ab908f9c441e25b039abf3a5aef8d066c558bcd37dbe5fc6

SHA512
36cf981d0c2fdb7d12b698dbafe09228348ffeab385035700d21e85920b7d3eb0fcde31daca93cc06ae3c21b413a27255bda6f01977b19936793f5f9646667dc

Download Submit
C:\Windows\{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe

Filesize
204KB

MD5
2ca3fe8e2a657b4b568a903a3651df7e

SHA1
ec54f46ff85473cfe278488d3e59d91860e37e00

SHA256
82d0294be196e1d84c64fcd65804c282f701c9e8bfc970709c2b9875e0e6b940

SHA512
de0c24037029e551891dee71ba0dac3c7a0b4e9f4b225cac7907f51cf917e4d308a2050460da8e97b2987230ca7fa74c8a0153f93a0ce38f23b8408d06e358c7

Download Submit
C:\Windows\{9037C3BB-F8E8-48d6-9E55-407E366CE106}.exe

Filesize
204KB

MD5
2ca3fe8e2a657b4b568a903a3651df7e

SHA1
ec54f46ff85473cfe278488d3e59d91860e37e00

SHA256
82d0294be196e1d84c64fcd65804c282f701c9e8bfc970709c2b9875e0e6b940

SHA512
de0c24037029e551891dee71ba0dac3c7a0b4e9f4b225cac7907f51cf917e4d308a2050460da8e97b2987230ca7fa74c8a0153f93a0ce38f23b8408d06e358c7

Download Submit
C:\Windows\{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe

Filesize
204KB

MD5
8026d3593d01727374390a5abade9d8b

SHA1
329d8e9d4984897dc39ac38fa528cd2b4622b656

SHA256
c48109df9ccf4f7fe419eccee3dd93e4ec7451b604a136fb3fe132f562e47425

SHA512
775b0609568ab00d55914b2a110e3f56e5730da293a418791d76f3013d40908be687681cc9d78d95beb755cc509cace3e4abcd897f361b1417ff08b2b6a54082

Download Submit
C:\Windows\{9DE7C1B9-9132-4034-9F99-CB93EFFDCBBE}.exe

Filesize
204KB

MD5
8026d3593d01727374390a5abade9d8b

SHA1
329d8e9d4984897dc39ac38fa528cd2b4622b656

SHA256
c48109df9ccf4f7fe419eccee3dd93e4ec7451b604a136fb3fe132f562e47425

SHA512
775b0609568ab00d55914b2a110e3f56e5730da293a418791d76f3013d40908be687681cc9d78d95beb755cc509cace3e4abcd897f361b1417ff08b2b6a54082

Download Submit
C:\Windows\{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe

Filesize
204KB

MD5
8e935034969a25d7ab3288a8746823e5

SHA1
1c797ef348e06ed3886a9874a59725d2b82ef08d

SHA256
af0dafba52f4e6be68f86de4e88a9db2843f8fac4410314b858613546a0a88e1

SHA512
58eee52e772a13a517cffd4d2fc5681ebb78a4592610601d2ae53d7e7e77536db8129f7225efa0c631e97bfcfdb13790e4ede2ced6bf5094918adef4c0a55543

Download Submit
C:\Windows\{ABE3D1FA-9D91-4113-9AE0-A79F1B67EB27}.exe

Filesize
204KB

MD5
8e935034969a25d7ab3288a8746823e5

SHA1
1c797ef348e06ed3886a9874a59725d2b82ef08d

SHA256
af0dafba52f4e6be68f86de4e88a9db2843f8fac4410314b858613546a0a88e1

SHA512
58eee52e772a13a517cffd4d2fc5681ebb78a4592610601d2ae53d7e7e77536db8129f7225efa0c631e97bfcfdb13790e4ede2ced6bf5094918adef4c0a55543

Download Submit
C:\Windows\{F633A8B2-3E13-4b35-B1FF-6567D3E5EABA}.exe

Filesize
204KB

MD5
decd7247acae64b026599e2c5d28ae7a

SHA1
7fb151562964c09f1bd90c0c18579facc4262dce

SHA256
2ed17dfd52c53c3c2c7fb63ad58e960ecc38a51cc85ad5d7680789d175f1ba7d

SHA512
de063d91b0bb2b85d0b1803b7d6a4eaca2db53270dfcc24efe2d0cd8f17e68b878bf04d63676b7a563dddd2db2574c83b142cc41eafc91b2385de03e3e79fa99

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads