73b77fc7822d0c419b52768202dde7afa1e3acb85731477162b1a0036bbc31a5

Analysis

max time kernel
151s
max time network
120s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe
Size

180KB
MD5

f6509d9a4235ea0037c683a6ec44d518
SHA1

8b723f0719662722a3392bd41f5dc630f0ae4501
SHA256

73b77fc7822d0c419b52768202dde7afa1e3acb85731477162b1a0036bbc31a5
SHA512

b88e05699d20d4730ab0b380d91ac0266a26d042e6f625cb8e1a8303a28deae497e63bcc653f766020dbd683a154311416269eb3ace5cc235166eeae02f19502
SSDEEP

3072:jEGh0oZAlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGfAl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}\stubpath = "C:\\Windows\\{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe"	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3E008BC-8DD0-4ef3-B3ED-04BE110172AA}	{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}	{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}\stubpath = "C:\\Windows\\{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe"	{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA87133F-33AE-4847-91A1-3AB50EC3A760}\stubpath = "C:\\Windows\\{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe"	{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA9174D5-745B-4213-8308-30BE8F8D2B74}	{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}\stubpath = "C:\\Windows\\{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe"	{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B10EF838-69D6-4cb6-9B4B-31146056FFA8}	{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}	{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3690187-4631-4f3f-BA89-08059F3B35C5}	{A3E008BC-8DD0-4ef3-B3ED-04BE110172AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{297E3B17-86D0-47c8-B26B-1DC5535BA2C5}\stubpath = "C:\\Windows\\{297E3B17-86D0-47c8-B26B-1DC5535BA2C5}.exe"	{A3690187-4631-4f3f-BA89-08059F3B35C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B07773FB-48F3-4167-AECA-BF7B5F6DCF2A}\stubpath = "C:\\Windows\\{B07773FB-48F3-4167-AECA-BF7B5F6DCF2A}.exe"	{BDE2DA52-EEF0-4c94-A2A3-91FB54518481}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDE2DA52-EEF0-4c94-A2A3-91FB54518481}	{297E3B17-86D0-47c8-B26B-1DC5535BA2C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDE2DA52-EEF0-4c94-A2A3-91FB54518481}\stubpath = "C:\\Windows\\{BDE2DA52-EEF0-4c94-A2A3-91FB54518481}.exe"	{297E3B17-86D0-47c8-B26B-1DC5535BA2C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B07773FB-48F3-4167-AECA-BF7B5F6DCF2A}	{BDE2DA52-EEF0-4c94-A2A3-91FB54518481}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}	{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B10EF838-69D6-4cb6-9B4B-31146056FFA8}\stubpath = "C:\\Windows\\{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe"	{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}\stubpath = "C:\\Windows\\{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe"	{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3E008BC-8DD0-4ef3-B3ED-04BE110172AA}\stubpath = "C:\\Windows\\{A3E008BC-8DD0-4ef3-B3ED-04BE110172AA}.exe"	{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA87133F-33AE-4847-91A1-3AB50EC3A760}	{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA9174D5-745B-4213-8308-30BE8F8D2B74}\stubpath = "C:\\Windows\\{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe"	{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3690187-4631-4f3f-BA89-08059F3B35C5}\stubpath = "C:\\Windows\\{A3690187-4631-4f3f-BA89-08059F3B35C5}.exe"	{A3E008BC-8DD0-4ef3-B3ED-04BE110172AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{297E3B17-86D0-47c8-B26B-1DC5535BA2C5}	{A3690187-4631-4f3f-BA89-08059F3B35C5}.exe

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2908	{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe
2628	{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe
2644	{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe
2624	{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe
2500	{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe
3000	{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe
2468	{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe
2756	{A3E008BC-8DD0-4ef3-B3ED-04BE110172AA}.exe
2584	{A3690187-4631-4f3f-BA89-08059F3B35C5}.exe
2556	{297E3B17-86D0-47c8-B26B-1DC5535BA2C5}.exe
2172	{BDE2DA52-EEF0-4c94-A2A3-91FB54518481}.exe
1628	{B07773FB-48F3-4167-AECA-BF7B5F6DCF2A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe	{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe
File created	C:\Windows\{297E3B17-86D0-47c8-B26B-1DC5535BA2C5}.exe	{A3690187-4631-4f3f-BA89-08059F3B35C5}.exe
File created	C:\Windows\{BDE2DA52-EEF0-4c94-A2A3-91FB54518481}.exe	{297E3B17-86D0-47c8-B26B-1DC5535BA2C5}.exe
File created	C:\Windows\{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe	{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe
File created	C:\Windows\{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe	{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe
File created	C:\Windows\{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe	{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe
File created	C:\Windows\{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe	{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe
File created	C:\Windows\{A3E008BC-8DD0-4ef3-B3ED-04BE110172AA}.exe	{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe
File created	C:\Windows\{A3690187-4631-4f3f-BA89-08059F3B35C5}.exe	{A3E008BC-8DD0-4ef3-B3ED-04BE110172AA}.exe
File created	C:\Windows\{B07773FB-48F3-4167-AECA-BF7B5F6DCF2A}.exe	{BDE2DA52-EEF0-4c94-A2A3-91FB54518481}.exe
File created	C:\Windows\{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe
File created	C:\Windows\{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe	{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2984	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2908	{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe
Token: SeIncBasePriorityPrivilege	2628	{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe
Token: SeIncBasePriorityPrivilege	2644	{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe
Token: SeIncBasePriorityPrivilege	2624	{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe
Token: SeIncBasePriorityPrivilege	2500	{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe
Token: SeIncBasePriorityPrivilege	3000	{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe
Token: SeIncBasePriorityPrivilege	2468	{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe
Token: SeIncBasePriorityPrivilege	2756	{A3E008BC-8DD0-4ef3-B3ED-04BE110172AA}.exe
Token: SeIncBasePriorityPrivilege	2584	{A3690187-4631-4f3f-BA89-08059F3B35C5}.exe
Token: SeIncBasePriorityPrivilege	2556	{297E3B17-86D0-47c8-B26B-1DC5535BA2C5}.exe
Token: SeIncBasePriorityPrivilege	2172	{BDE2DA52-EEF0-4c94-A2A3-91FB54518481}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2908	2984	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe	28
PID 2984 wrote to memory of 2908	2984	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe	28
PID 2984 wrote to memory of 2908	2984	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe	28
PID 2984 wrote to memory of 2908	2984	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe	28
PID 2984 wrote to memory of 2708	2984	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe	29
PID 2984 wrote to memory of 2708	2984	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe	29
PID 2984 wrote to memory of 2708	2984	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe	29
PID 2984 wrote to memory of 2708	2984	NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe	29
PID 2908 wrote to memory of 2628	2908	{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe	30
PID 2908 wrote to memory of 2628	2908	{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe	30
PID 2908 wrote to memory of 2628	2908	{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe	30
PID 2908 wrote to memory of 2628	2908	{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe	30
PID 2908 wrote to memory of 2692	2908	{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe	31
PID 2908 wrote to memory of 2692	2908	{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe	31
PID 2908 wrote to memory of 2692	2908	{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe	31
PID 2908 wrote to memory of 2692	2908	{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe	31
PID 2628 wrote to memory of 2644	2628	{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe	32
PID 2628 wrote to memory of 2644	2628	{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe	32
PID 2628 wrote to memory of 2644	2628	{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe	32
PID 2628 wrote to memory of 2644	2628	{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe	32
PID 2628 wrote to memory of 2924	2628	{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe	33
PID 2628 wrote to memory of 2924	2628	{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe	33
PID 2628 wrote to memory of 2924	2628	{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe	33
PID 2628 wrote to memory of 2924	2628	{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe	33
PID 2644 wrote to memory of 2624	2644	{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe	37
PID 2644 wrote to memory of 2624	2644	{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe	37
PID 2644 wrote to memory of 2624	2644	{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe	37
PID 2644 wrote to memory of 2624	2644	{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe	37
PID 2644 wrote to memory of 2544	2644	{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe	36
PID 2644 wrote to memory of 2544	2644	{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe	36
PID 2644 wrote to memory of 2544	2644	{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe	36
PID 2644 wrote to memory of 2544	2644	{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe	36
PID 2624 wrote to memory of 2500	2624	{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe	38
PID 2624 wrote to memory of 2500	2624	{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe	38
PID 2624 wrote to memory of 2500	2624	{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe	38
PID 2624 wrote to memory of 2500	2624	{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe	38
PID 2624 wrote to memory of 2552	2624	{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe	39
PID 2624 wrote to memory of 2552	2624	{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe	39
PID 2624 wrote to memory of 2552	2624	{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe	39
PID 2624 wrote to memory of 2552	2624	{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe	39
PID 2500 wrote to memory of 3000	2500	{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe	40
PID 2500 wrote to memory of 3000	2500	{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe	40
PID 2500 wrote to memory of 3000	2500	{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe	40
PID 2500 wrote to memory of 3000	2500	{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe	40
PID 2500 wrote to memory of 2252	2500	{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe	41
PID 2500 wrote to memory of 2252	2500	{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe	41
PID 2500 wrote to memory of 2252	2500	{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe	41
PID 2500 wrote to memory of 2252	2500	{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe	41
PID 3000 wrote to memory of 2468	3000	{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe	42
PID 3000 wrote to memory of 2468	3000	{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe	42
PID 3000 wrote to memory of 2468	3000	{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe	42
PID 3000 wrote to memory of 2468	3000	{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe	42
PID 3000 wrote to memory of 2836	3000	{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe	43
PID 3000 wrote to memory of 2836	3000	{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe	43
PID 3000 wrote to memory of 2836	3000	{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe	43
PID 3000 wrote to memory of 2836	3000	{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe	43
PID 2468 wrote to memory of 2756	2468	{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe	44
PID 2468 wrote to memory of 2756	2468	{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe	44
PID 2468 wrote to memory of 2756	2468	{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe	44
PID 2468 wrote to memory of 2756	2468	{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe	44
PID 2468 wrote to memory of 2880	2468	{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe	45
PID 2468 wrote to memory of 2880	2468	{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe	45
PID 2468 wrote to memory of 2880	2468	{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe	45
PID 2468 wrote to memory of 2880	2468	{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_f6509d9a4235ea0037c683a6ec44d518_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe
  C:\Windows\{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe
    C:\Windows\{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe
      C:\Windows\{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B10EF~1.EXE > nul
        5⤵
        
        PID:2544
    - - C:\Windows\{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe
        
        C:\Windows\{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe
        
        C:\Windows\{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe
        
        C:\Windows\{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe
        
        C:\Windows\{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\{A3E008BC-8DD0-4ef3-B3ED-04BE110172AA}.exe
        
        C:\Windows\{A3E008BC-8DD0-4ef3-B3ED-04BE110172AA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\{A3690187-4631-4f3f-BA89-08059F3B35C5}.exe
        
        C:\Windows\{A3690187-4631-4f3f-BA89-08059F3B35C5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\{297E3B17-86D0-47c8-B26B-1DC5535BA2C5}.exe
        
        C:\Windows\{297E3B17-86D0-47c8-B26B-1DC5535BA2C5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\{BDE2DA52-EEF0-4c94-A2A3-91FB54518481}.exe
        
        C:\Windows\{BDE2DA52-EEF0-4c94-A2A3-91FB54518481}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDE2D~1.EXE > nul
        13⤵
        
        PID:2824
        
        C:\Windows\{B07773FB-48F3-4167-AECA-BF7B5F6DCF2A}.exe
        
        C:\Windows\{B07773FB-48F3-4167-AECA-BF7B5F6DCF2A}.exe
        13⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{297E3~1.EXE > nul
        12⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3690~1.EXE > nul
        11⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3E00~1.EXE > nul
        10⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA917~1.EXE > nul
        9⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA871~1.EXE > nul
        8⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{741B5~1.EXE > nul
        7⤵
        
        PID:2252
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECE9E~1.EXE > nul
        6⤵
        
        PID:2552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B9EF7~1.EXE > nul
      4⤵
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AAC72~1.EXE > nul
    3⤵
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{297E3B17-86D0-47c8-B26B-1DC5535BA2C5}.exe

Filesize
180KB

MD5
b846c7d1cbedc1bd34fafa424f818ed7

SHA1
9914f061ba1f8b4944900541e8304aa067f60f77

SHA256
7a4be7707d9dae63a8e6aaa5a47b4d096bd4f9815b08f91348ecb86b11e560d2

SHA512
b2d5f843a58798d74a17f8eeea96c0874c75fcd65b6a1e0ed38fc9490a42149c105130d9afd8bc86bca710c7a283a290f115cbf813c1380ccb17de4b833c2df1

Download Submit
C:\Windows\{297E3B17-86D0-47c8-B26B-1DC5535BA2C5}.exe

Filesize
180KB

MD5
b846c7d1cbedc1bd34fafa424f818ed7

SHA1
9914f061ba1f8b4944900541e8304aa067f60f77

SHA256
7a4be7707d9dae63a8e6aaa5a47b4d096bd4f9815b08f91348ecb86b11e560d2

SHA512
b2d5f843a58798d74a17f8eeea96c0874c75fcd65b6a1e0ed38fc9490a42149c105130d9afd8bc86bca710c7a283a290f115cbf813c1380ccb17de4b833c2df1

Download Submit
C:\Windows\{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe

Filesize
180KB

MD5
41d7ff355b582169fc12c0f6acfe387c

SHA1
4f95542c9b6a80eee5f40538cc1cfdf22e6e464f

SHA256
9a20e99fb3cec7bb75cedd24aa645338189d8faf31b94ee743f3087a224b386e

SHA512
0167b9da2141c9f03948614b493d8180685b73b0c1272f7026c16aa5330d5dc2e5a930d3499dc0a7bc2f47f959fcf536f03ff246114b51ce4451f826cb8d417b

Download Submit
C:\Windows\{741B5A04-D7D3-4b18-8B34-7ECD3C224C5A}.exe

Filesize
180KB

MD5
41d7ff355b582169fc12c0f6acfe387c

SHA1
4f95542c9b6a80eee5f40538cc1cfdf22e6e464f

SHA256
9a20e99fb3cec7bb75cedd24aa645338189d8faf31b94ee743f3087a224b386e

SHA512
0167b9da2141c9f03948614b493d8180685b73b0c1272f7026c16aa5330d5dc2e5a930d3499dc0a7bc2f47f959fcf536f03ff246114b51ce4451f826cb8d417b

Download Submit
C:\Windows\{A3690187-4631-4f3f-BA89-08059F3B35C5}.exe

Filesize
180KB

MD5
97404726618441ee80f4ba8aeca90a0d

SHA1
c25095d09012b050a3f2d3cbd0f92828b474f723

SHA256
df503d31a812ebb4d46b42d4d7e054c94f488955a6a9cb6cc40845b12023da87

SHA512
2eebaecf0c9d701f1ee6eeeb02ef73ac592d0c41ff14c1bf938e7e2dd001f94c347a66faa6b14991309d4bf09b153756d1c0f7ce78c7feb7ec8645c5d0929cb7

Download Submit
C:\Windows\{A3690187-4631-4f3f-BA89-08059F3B35C5}.exe

Filesize
180KB

MD5
97404726618441ee80f4ba8aeca90a0d

SHA1
c25095d09012b050a3f2d3cbd0f92828b474f723

SHA256
df503d31a812ebb4d46b42d4d7e054c94f488955a6a9cb6cc40845b12023da87

SHA512
2eebaecf0c9d701f1ee6eeeb02ef73ac592d0c41ff14c1bf938e7e2dd001f94c347a66faa6b14991309d4bf09b153756d1c0f7ce78c7feb7ec8645c5d0929cb7

Download Submit
C:\Windows\{A3E008BC-8DD0-4ef3-B3ED-04BE110172AA}.exe

Filesize
180KB

MD5
869c50512c0a43ca1232e87af0255595

SHA1
ecaeb4c560056c6ede05bc041b8adaf2f7ff479b

SHA256
1f20aa4e2a0c3f7681b3f99b92579e7ef2b9e617e897b05b9c62888f367cb77e

SHA512
9130c1204050693897b402049120d7df6cc4a389b991c12404ede3403f2c09eb06ae1c61a61d70a323140117df7da57ea8f2c12bef7a3e53df4962c11c12b8cd

Download Submit
C:\Windows\{A3E008BC-8DD0-4ef3-B3ED-04BE110172AA}.exe

Filesize
180KB

MD5
869c50512c0a43ca1232e87af0255595

SHA1
ecaeb4c560056c6ede05bc041b8adaf2f7ff479b

SHA256
1f20aa4e2a0c3f7681b3f99b92579e7ef2b9e617e897b05b9c62888f367cb77e

SHA512
9130c1204050693897b402049120d7df6cc4a389b991c12404ede3403f2c09eb06ae1c61a61d70a323140117df7da57ea8f2c12bef7a3e53df4962c11c12b8cd

Download Submit
C:\Windows\{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe

Filesize
180KB

MD5
8bc40bbe551fe953afed1e6025e12e7c

SHA1
6bd80997de60c8fc8b914b33002b02419ac54888

SHA256
de799cd55e14e95292463c0264057ebe6a6cea216c0540c8b28721d34621d5e3

SHA512
714a8acb8bbb6cbfa6ab528e7f910eb9aaea644818b8aeb82ec29333370866755f218182a73e5d437e1602aa88a103758e525a79162df3d02f611a2e365ccf4e

Download Submit
C:\Windows\{AA9174D5-745B-4213-8308-30BE8F8D2B74}.exe

Filesize
180KB

MD5
8bc40bbe551fe953afed1e6025e12e7c

SHA1
6bd80997de60c8fc8b914b33002b02419ac54888

SHA256
de799cd55e14e95292463c0264057ebe6a6cea216c0540c8b28721d34621d5e3

SHA512
714a8acb8bbb6cbfa6ab528e7f910eb9aaea644818b8aeb82ec29333370866755f218182a73e5d437e1602aa88a103758e525a79162df3d02f611a2e365ccf4e

Download Submit
C:\Windows\{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe

Filesize
180KB

MD5
cdd52d88aba0a1b912f7de3a86ea2454

SHA1
f6025d733bd0afbe0d17cebd43b6d1d1ba3b9864

SHA256
441185b895db5049835d1d1045caab8f29b90dba062273959b2492b209cc2388

SHA512
3f8a70dd335ae1f6fd3fa4db03984337d7ebf9ad8ba99dc33051148e4eaf1fa26364acbc467fe0d8cf2a22aa06f161f8d34a76b43dd0045a1f92bb7d9a337fa7

Download Submit
C:\Windows\{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe

Filesize
180KB

MD5
cdd52d88aba0a1b912f7de3a86ea2454

SHA1
f6025d733bd0afbe0d17cebd43b6d1d1ba3b9864

SHA256
441185b895db5049835d1d1045caab8f29b90dba062273959b2492b209cc2388

SHA512
3f8a70dd335ae1f6fd3fa4db03984337d7ebf9ad8ba99dc33051148e4eaf1fa26364acbc467fe0d8cf2a22aa06f161f8d34a76b43dd0045a1f92bb7d9a337fa7

Download Submit
C:\Windows\{AAC72156-04E3-4bb7-833A-7B0BE46D4B9B}.exe

Filesize
180KB

MD5
cdd52d88aba0a1b912f7de3a86ea2454

SHA1
f6025d733bd0afbe0d17cebd43b6d1d1ba3b9864

SHA256
441185b895db5049835d1d1045caab8f29b90dba062273959b2492b209cc2388

SHA512
3f8a70dd335ae1f6fd3fa4db03984337d7ebf9ad8ba99dc33051148e4eaf1fa26364acbc467fe0d8cf2a22aa06f161f8d34a76b43dd0045a1f92bb7d9a337fa7

Download Submit
C:\Windows\{B07773FB-48F3-4167-AECA-BF7B5F6DCF2A}.exe

Filesize
180KB

MD5
a03c225a674888577f71852108473887

SHA1
784c65a24d2eafe8842e1b9da9969d106052f2b1

SHA256
e0b357b65ea50fd30e69ffd11c9e72620d58393a6c86ca8cb412b6fa69d18fb0

SHA512
41f650c8e7c0ae099550358343d7ed446c03e5ad7a0c0c47a609a5458d64e4855f9e8d6577fa0e97fb9da7b52f2dbfde6b1f7a943a4f57c149027fd556dbbc05

Download Submit
C:\Windows\{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe

Filesize
180KB

MD5
bb08a7326c22d92ef1a972f1c8958f28

SHA1
a925620fdddf7338076204bd92e972b8f5572d66

SHA256
b7aebd59dedd2fd761dd908f3c3be4744733266e46f1b52d6e515bb89c1c3641

SHA512
053b9e229e9e0c0684da58cfcb65f6956a3478c68157131f53e7a48d096e4804276291fdc25cb5799dd0ee0eaa637a85a3bc61ce19b9d8baafe40dd75443f46f

Download Submit
C:\Windows\{B10EF838-69D6-4cb6-9B4B-31146056FFA8}.exe

Filesize
180KB

MD5
bb08a7326c22d92ef1a972f1c8958f28

SHA1
a925620fdddf7338076204bd92e972b8f5572d66

SHA256
b7aebd59dedd2fd761dd908f3c3be4744733266e46f1b52d6e515bb89c1c3641

SHA512
053b9e229e9e0c0684da58cfcb65f6956a3478c68157131f53e7a48d096e4804276291fdc25cb5799dd0ee0eaa637a85a3bc61ce19b9d8baafe40dd75443f46f

Download Submit
C:\Windows\{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe

Filesize
180KB

MD5
b30f42fb766f661a25a3ab6a0aee42de

SHA1
034c89804835d72423fce9bb512d50148d950da1

SHA256
54ddfb0e88aefc147f7634962dcc83b734d4f7d1d345250fb8bf9f099097ad20

SHA512
62035b63027a262b553a75a5546ff613c560d11cc4c238a6092451031117dc361ce46058209363cd71dc06f9dbddb6b5777b90808e5c8f7339d9c53a0653f972

Download Submit
C:\Windows\{B9EF7D61-D02D-4700-B5BA-17B0C26E6E7D}.exe

Filesize
180KB

MD5
b30f42fb766f661a25a3ab6a0aee42de

SHA1
034c89804835d72423fce9bb512d50148d950da1

SHA256
54ddfb0e88aefc147f7634962dcc83b734d4f7d1d345250fb8bf9f099097ad20

SHA512
62035b63027a262b553a75a5546ff613c560d11cc4c238a6092451031117dc361ce46058209363cd71dc06f9dbddb6b5777b90808e5c8f7339d9c53a0653f972

Download Submit
C:\Windows\{BDE2DA52-EEF0-4c94-A2A3-91FB54518481}.exe

Filesize
180KB

MD5
ccb7b4229eb04ed7432fea4027663437

SHA1
f884f640fdf55a9de538d2c5d5ac34c41e83fd93

SHA256
7f35185bf11b0939bf7a723d04b4a92a04727ded9803d7dcbca3099bd0dd5370

SHA512
69ce87eb25ae2d05a332e286df017e74880368e717aadd87afd5d5b09a26a56f6a387a41189954386a3c4236d15fa4b9d9a0a3da79703e95d032e0405f8016d3

Download Submit
C:\Windows\{BDE2DA52-EEF0-4c94-A2A3-91FB54518481}.exe

Filesize
180KB

MD5
ccb7b4229eb04ed7432fea4027663437

SHA1
f884f640fdf55a9de538d2c5d5ac34c41e83fd93

SHA256
7f35185bf11b0939bf7a723d04b4a92a04727ded9803d7dcbca3099bd0dd5370

SHA512
69ce87eb25ae2d05a332e286df017e74880368e717aadd87afd5d5b09a26a56f6a387a41189954386a3c4236d15fa4b9d9a0a3da79703e95d032e0405f8016d3

Download Submit
C:\Windows\{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe

Filesize
180KB

MD5
dee9140197df3a0476831dc42c54e96f

SHA1
7e93d95f5b89b3fa41e51d4a26dea01dc55ed170

SHA256
4585e6303fa643e756accbc4f728106f289ad87835ef36711b8403d8b3497edd

SHA512
538ad04cb3b856b03812da441c45ab84b7fb65adedeb74c52237e86e7bdbe339fdec996ab68d11692dde4a0e5ece93ffd994ccbdc5ccf964791e6f7ae5a9483b

Download Submit
C:\Windows\{ECE9ECCD-FDAA-4a5a-AE46-3BAF8E80AE0F}.exe

Filesize
180KB

MD5
dee9140197df3a0476831dc42c54e96f

SHA1
7e93d95f5b89b3fa41e51d4a26dea01dc55ed170

SHA256
4585e6303fa643e756accbc4f728106f289ad87835ef36711b8403d8b3497edd

SHA512
538ad04cb3b856b03812da441c45ab84b7fb65adedeb74c52237e86e7bdbe339fdec996ab68d11692dde4a0e5ece93ffd994ccbdc5ccf964791e6f7ae5a9483b

Download Submit
C:\Windows\{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe

Filesize
180KB

MD5
5b14c5ef2d1794ec22ad48489e800a02

SHA1
be90e8ca05ab94ff8651f45f0a11fe39d9cf1a5e

SHA256
8517590a0f4f38603ce77a548f3b0b6f850ff739ea46690bc9c1299c1ca82519

SHA512
40c74329f2d84ba9aabb989331b57eed31b35ec0c808da273d76c2dbb054a1041011bf968f43952583d89e44ab77934f36f1c6e4b18381b59f11cb1fc29d5441

Download Submit
C:\Windows\{FA87133F-33AE-4847-91A1-3AB50EC3A760}.exe

Filesize
180KB

MD5
5b14c5ef2d1794ec22ad48489e800a02

SHA1
be90e8ca05ab94ff8651f45f0a11fe39d9cf1a5e

SHA256
8517590a0f4f38603ce77a548f3b0b6f850ff739ea46690bc9c1299c1ca82519

SHA512
40c74329f2d84ba9aabb989331b57eed31b35ec0c808da273d76c2dbb054a1041011bf968f43952583d89e44ab77934f36f1c6e4b18381b59f11cb1fc29d5441

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads