a7a7aece756440fc07a24ae1f456c7744678b49615109b134e5ef93169ed30ab

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 15:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-07_06f843f33730d01eb591f882da41dc07_goldeneye_JC.exe
Size

168KB
MD5

06f843f33730d01eb591f882da41dc07
SHA1

c3157f4ae69c3cca3aef7a00ca2ce5132b9fd118
SHA256

a7a7aece756440fc07a24ae1f456c7744678b49615109b134e5ef93169ed30ab
SHA512

a33256ef4ecbf2be9c4d2aa267ed10b2bfa5def4b1827618432091b0f5a488ed62704549e7b65881639eb7b7493058b76408bc4c40211cb44b5ca9d9be0ea665
SSDEEP

1536:1EGh0oTli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oTliOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B6E5A14-5464-44b4-8ED8-21807715D76D}\stubpath = "C:\\Windows\\{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe"	{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{838210DD-F859-4ef2-BE37-3621E8708B6D}	{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B7C2667-D666-43cf-BC2F-BFE112A2744E}\stubpath = "C:\\Windows\\{9B7C2667-D666-43cf-BC2F-BFE112A2744E}.exe"	{066FED94-550C-4dd9-B035-407092FDE9A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B6E5A14-5464-44b4-8ED8-21807715D76D}	{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}\stubpath = "C:\\Windows\\{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe"	{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40B6D889-08D8-414c-BC5B-7F5003FB7943}	{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DE5D2B2-9A3F-4edb-85BA-E5D344EC0285}	{E9B01D7F-8507-4516-8CC4-3A3E760AEBEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DE5D2B2-9A3F-4edb-85BA-E5D344EC0285}\stubpath = "C:\\Windows\\{2DE5D2B2-9A3F-4edb-85BA-E5D344EC0285}.exe"	{E9B01D7F-8507-4516-8CC4-3A3E760AEBEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9B01D7F-8507-4516-8CC4-3A3E760AEBEA}\stubpath = "C:\\Windows\\{E9B01D7F-8507-4516-8CC4-3A3E760AEBEA}.exe"	{9B7C2667-D666-43cf-BC2F-BFE112A2744E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6783278C-0B10-4354-AC1C-BB64A08665A8}\stubpath = "C:\\Windows\\{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe"	NEAS.2023-09-07_06f843f33730d01eb591f882da41dc07_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}	{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}\stubpath = "C:\\Windows\\{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe"	{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}	{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}	{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40B6D889-08D8-414c-BC5B-7F5003FB7943}\stubpath = "C:\\Windows\\{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe"	{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9B01D7F-8507-4516-8CC4-3A3E760AEBEA}	{9B7C2667-D666-43cf-BC2F-BFE112A2744E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6783278C-0B10-4354-AC1C-BB64A08665A8}	NEAS.2023-09-07_06f843f33730d01eb591f882da41dc07_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}\stubpath = "C:\\Windows\\{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe"	{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{838210DD-F859-4ef2-BE37-3621E8708B6D}\stubpath = "C:\\Windows\\{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe"	{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{066FED94-550C-4dd9-B035-407092FDE9A0}	{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{066FED94-550C-4dd9-B035-407092FDE9A0}\stubpath = "C:\\Windows\\{066FED94-550C-4dd9-B035-407092FDE9A0}.exe"	{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B7C2667-D666-43cf-BC2F-BFE112A2744E}	{066FED94-550C-4dd9-B035-407092FDE9A0}.exe

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1404	{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe
2712	{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe
2680	{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe
2596	{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe
2500	{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe
2368	{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe
2904	{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe
1728	{066FED94-550C-4dd9-B035-407092FDE9A0}.exe
940	{9B7C2667-D666-43cf-BC2F-BFE112A2744E}.exe
2200	{E9B01D7F-8507-4516-8CC4-3A3E760AEBEA}.exe
2160	{2DE5D2B2-9A3F-4edb-85BA-E5D344EC0285}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe	{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe
File created	C:\Windows\{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe	{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe
File created	C:\Windows\{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe	{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe
File created	C:\Windows\{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe	{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe
File created	C:\Windows\{066FED94-550C-4dd9-B035-407092FDE9A0}.exe	{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe
File created	C:\Windows\{2DE5D2B2-9A3F-4edb-85BA-E5D344EC0285}.exe	{E9B01D7F-8507-4516-8CC4-3A3E760AEBEA}.exe
File created	C:\Windows\{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe	NEAS.2023-09-07_06f843f33730d01eb591f882da41dc07_goldeneye_JC.exe
File created	C:\Windows\{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe	{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe
File created	C:\Windows\{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe	{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe
File created	C:\Windows\{9B7C2667-D666-43cf-BC2F-BFE112A2744E}.exe	{066FED94-550C-4dd9-B035-407092FDE9A0}.exe
File created	C:\Windows\{E9B01D7F-8507-4516-8CC4-3A3E760AEBEA}.exe	{9B7C2667-D666-43cf-BC2F-BFE112A2744E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2864	NEAS.2023-09-07_06f843f33730d01eb591f882da41dc07_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1404	{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe
Token: SeIncBasePriorityPrivilege	2712	{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe
Token: SeIncBasePriorityPrivilege	2680	{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe
Token: SeIncBasePriorityPrivilege	2596	{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe
Token: SeIncBasePriorityPrivilege	2500	{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe
Token: SeIncBasePriorityPrivilege	2368	{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe
Token: SeIncBasePriorityPrivilege	2904	{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe
Token: SeIncBasePriorityPrivilege	1728	{066FED94-550C-4dd9-B035-407092FDE9A0}.exe
Token: SeIncBasePriorityPrivilege	940	{9B7C2667-D666-43cf-BC2F-BFE112A2744E}.exe
Token: SeIncBasePriorityPrivilege	2200	{E9B01D7F-8507-4516-8CC4-3A3E760AEBEA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 1404	2864	NEAS.2023-09-07_06f843f33730d01eb591f882da41dc07_goldeneye_JC.exe	28
PID 2864 wrote to memory of 1404	2864	NEAS.2023-09-07_06f843f33730d01eb591f882da41dc07_goldeneye_JC.exe	28
PID 2864 wrote to memory of 1404	2864	NEAS.2023-09-07_06f843f33730d01eb591f882da41dc07_goldeneye_JC.exe	28
PID 2864 wrote to memory of 1404	2864	NEAS.2023-09-07_06f843f33730d01eb591f882da41dc07_goldeneye_JC.exe	28
PID 2864 wrote to memory of 2780	2864	NEAS.2023-09-07_06f843f33730d01eb591f882da41dc07_goldeneye_JC.exe	29
PID 2864 wrote to memory of 2780	2864	NEAS.2023-09-07_06f843f33730d01eb591f882da41dc07_goldeneye_JC.exe	29
PID 2864 wrote to memory of 2780	2864	NEAS.2023-09-07_06f843f33730d01eb591f882da41dc07_goldeneye_JC.exe	29
PID 2864 wrote to memory of 2780	2864	NEAS.2023-09-07_06f843f33730d01eb591f882da41dc07_goldeneye_JC.exe	29
PID 1404 wrote to memory of 2712	1404	{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe	32
PID 1404 wrote to memory of 2712	1404	{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe	32
PID 1404 wrote to memory of 2712	1404	{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe	32
PID 1404 wrote to memory of 2712	1404	{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe	32
PID 1404 wrote to memory of 2672	1404	{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe	33
PID 1404 wrote to memory of 2672	1404	{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe	33
PID 1404 wrote to memory of 2672	1404	{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe	33
PID 1404 wrote to memory of 2672	1404	{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe	33
PID 2712 wrote to memory of 2680	2712	{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe	34
PID 2712 wrote to memory of 2680	2712	{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe	34
PID 2712 wrote to memory of 2680	2712	{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe	34
PID 2712 wrote to memory of 2680	2712	{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe	34
PID 2712 wrote to memory of 2532	2712	{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe	35
PID 2712 wrote to memory of 2532	2712	{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe	35
PID 2712 wrote to memory of 2532	2712	{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe	35
PID 2712 wrote to memory of 2532	2712	{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe	35
PID 2680 wrote to memory of 2596	2680	{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe	36
PID 2680 wrote to memory of 2596	2680	{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe	36
PID 2680 wrote to memory of 2596	2680	{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe	36
PID 2680 wrote to memory of 2596	2680	{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe	36
PID 2680 wrote to memory of 2448	2680	{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe	37
PID 2680 wrote to memory of 2448	2680	{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe	37
PID 2680 wrote to memory of 2448	2680	{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe	37
PID 2680 wrote to memory of 2448	2680	{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe	37
PID 2596 wrote to memory of 2500	2596	{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe	38
PID 2596 wrote to memory of 2500	2596	{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe	38
PID 2596 wrote to memory of 2500	2596	{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe	38
PID 2596 wrote to memory of 2500	2596	{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe	38
PID 2596 wrote to memory of 2540	2596	{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe	39
PID 2596 wrote to memory of 2540	2596	{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe	39
PID 2596 wrote to memory of 2540	2596	{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe	39
PID 2596 wrote to memory of 2540	2596	{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe	39
PID 2500 wrote to memory of 2368	2500	{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe	40
PID 2500 wrote to memory of 2368	2500	{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe	40
PID 2500 wrote to memory of 2368	2500	{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe	40
PID 2500 wrote to memory of 2368	2500	{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe	40
PID 2500 wrote to memory of 3048	2500	{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe	41
PID 2500 wrote to memory of 3048	2500	{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe	41
PID 2500 wrote to memory of 3048	2500	{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe	41
PID 2500 wrote to memory of 3048	2500	{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe	41
PID 2368 wrote to memory of 2904	2368	{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe	42
PID 2368 wrote to memory of 2904	2368	{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe	42
PID 2368 wrote to memory of 2904	2368	{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe	42
PID 2368 wrote to memory of 2904	2368	{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe	42
PID 2368 wrote to memory of 696	2368	{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe	43
PID 2368 wrote to memory of 696	2368	{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe	43
PID 2368 wrote to memory of 696	2368	{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe	43
PID 2368 wrote to memory of 696	2368	{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe	43
PID 2904 wrote to memory of 1728	2904	{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe	44
PID 2904 wrote to memory of 1728	2904	{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe	44
PID 2904 wrote to memory of 1728	2904	{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe	44
PID 2904 wrote to memory of 1728	2904	{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe	44
PID 2904 wrote to memory of 2476	2904	{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe	45
PID 2904 wrote to memory of 2476	2904	{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe	45
PID 2904 wrote to memory of 2476	2904	{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe	45
PID 2904 wrote to memory of 2476	2904	{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_06f843f33730d01eb591f882da41dc07_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_06f843f33730d01eb591f882da41dc07_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe
  C:\Windows\{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe
    C:\Windows\{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe
      C:\Windows\{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe
        
        C:\Windows\{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe
        
        C:\Windows\{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe
        
        C:\Windows\{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe
        
        C:\Windows\{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{066FED94-550C-4dd9-B035-407092FDE9A0}.exe
        
        C:\Windows\{066FED94-550C-4dd9-B035-407092FDE9A0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\{9B7C2667-D666-43cf-BC2F-BFE112A2744E}.exe
        
        C:\Windows\{9B7C2667-D666-43cf-BC2F-BFE112A2744E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
        
        C:\Windows\{E9B01D7F-8507-4516-8CC4-3A3E760AEBEA}.exe
        
        C:\Windows\{E9B01D7F-8507-4516-8CC4-3A3E760AEBEA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\{2DE5D2B2-9A3F-4edb-85BA-E5D344EC0285}.exe
        
        C:\Windows\{2DE5D2B2-9A3F-4edb-85BA-E5D344EC0285}.exe
        12⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9B01~1.EXE > nul
        12⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B7C2~1.EXE > nul
        11⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{066FE~1.EXE > nul
        10⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83821~1.EXE > nul
        9⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40B6D~1.EXE > nul
        8⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{805AE~1.EXE > nul
        7⤵
        
        PID:3048
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B6E5~1.EXE > nul
        6⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A641~1.EXE > nul
        5⤵
        
        PID:2448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7C3A5~1.EXE > nul
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{67832~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{066FED94-550C-4dd9-B035-407092FDE9A0}.exe

Filesize
168KB

MD5
da18c4b9dc593b19b113e2be4de28dfe

SHA1
fd6048ecf46d5ca68b468a1fe35d24cdccaa6691

SHA256
324920b332446fccc1f7a1ee061a8885fdf51bb93193ecc688441bde026ac568

SHA512
f4be8a622716693516312215c109f3170b9ba89f5d3702b336c0ed7d92e1c40ba274453a71a17b9ef667935e358cc33fe5cb2fa5d8eff52d5692bbcc8163a6a9

Download Submit
C:\Windows\{066FED94-550C-4dd9-B035-407092FDE9A0}.exe

Filesize
168KB

MD5
da18c4b9dc593b19b113e2be4de28dfe

SHA1
fd6048ecf46d5ca68b468a1fe35d24cdccaa6691

SHA256
324920b332446fccc1f7a1ee061a8885fdf51bb93193ecc688441bde026ac568

SHA512
f4be8a622716693516312215c109f3170b9ba89f5d3702b336c0ed7d92e1c40ba274453a71a17b9ef667935e358cc33fe5cb2fa5d8eff52d5692bbcc8163a6a9

Download Submit
C:\Windows\{2DE5D2B2-9A3F-4edb-85BA-E5D344EC0285}.exe

Filesize
168KB

MD5
4f0db4fc1b3c450aa944ef012bf95233

SHA1
21b19bda45b1d8e92b00b8c2865495163fb5e225

SHA256
5ba38cdbdc71e23beb77e02d54d8f549d06a8cdc4d986d042c01125b45083f30

SHA512
5c4307f9fbf32e4140f3b8fcca257bacb43e78dc44388abadc7393bbd3bebdfaeeee3aca41401ef05913ed72fbfd16e50eb4410f3e8ff1f57b65980f2a5e18e5

Download Submit
C:\Windows\{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe

Filesize
168KB

MD5
7e88fe07615493add230405f41901fbd

SHA1
c80049a17e7ff899f6ebfbd5ec406e612719302d

SHA256
e8e104426e1f564d33803e047e5680fea0c4f596e9b55e534c3c3bf2f99b5963

SHA512
02dab3e74f56b892ea8a40e733e64a1139e94bdea47f5c938781cf6e8a3daa9ccfd95f2588b9ddbea636ea33b1a5370d4e3d78abd389db5d9fd8c16d6c2e9726

Download Submit
C:\Windows\{40B6D889-08D8-414c-BC5B-7F5003FB7943}.exe

Filesize
168KB

MD5
7e88fe07615493add230405f41901fbd

SHA1
c80049a17e7ff899f6ebfbd5ec406e612719302d

SHA256
e8e104426e1f564d33803e047e5680fea0c4f596e9b55e534c3c3bf2f99b5963

SHA512
02dab3e74f56b892ea8a40e733e64a1139e94bdea47f5c938781cf6e8a3daa9ccfd95f2588b9ddbea636ea33b1a5370d4e3d78abd389db5d9fd8c16d6c2e9726

Download Submit
C:\Windows\{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe

Filesize
168KB

MD5
763ad827da8b0ed200ed22135c7fc6e5

SHA1
eb4eebffedfc040e8329af74e6bd5b2a3b55de25

SHA256
d77e8699f66b8822789459237c5b0c166dd42c12605af56a0c04bd8e27fa5d34

SHA512
cfe96978cd6b60bddc32356a76762cb6e838e5306f6cf56348315f4c5ac692156bfd36b4192c842db3a9f1215b0e824707316ce862c0e463d25af9e95a9db7c4

Download Submit
C:\Windows\{4A641BC7-D7CD-42f5-BD67-F9D1638FFB82}.exe

Filesize
168KB

MD5
763ad827da8b0ed200ed22135c7fc6e5

SHA1
eb4eebffedfc040e8329af74e6bd5b2a3b55de25

SHA256
d77e8699f66b8822789459237c5b0c166dd42c12605af56a0c04bd8e27fa5d34

SHA512
cfe96978cd6b60bddc32356a76762cb6e838e5306f6cf56348315f4c5ac692156bfd36b4192c842db3a9f1215b0e824707316ce862c0e463d25af9e95a9db7c4

Download Submit
C:\Windows\{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe

Filesize
168KB

MD5
68719931c1aef8a9c5716dc88df34eda

SHA1
653af8ea9b15b82ce8cb53d7dde4c2e444665280

SHA256
080f4dd890c2c275ffa6f0aa54715cb5540a00de3bff2628a9536491c25fcc92

SHA512
03e5bc0334d1248092e65a06263d238e6efe0eef94ce6e31cb6b9171a295b5f9698a36da8f6d1018edf96343fa4477a336dcae91a9ec036f5d092abe3bacc9d2

Download Submit
C:\Windows\{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe

Filesize
168KB

MD5
68719931c1aef8a9c5716dc88df34eda

SHA1
653af8ea9b15b82ce8cb53d7dde4c2e444665280

SHA256
080f4dd890c2c275ffa6f0aa54715cb5540a00de3bff2628a9536491c25fcc92

SHA512
03e5bc0334d1248092e65a06263d238e6efe0eef94ce6e31cb6b9171a295b5f9698a36da8f6d1018edf96343fa4477a336dcae91a9ec036f5d092abe3bacc9d2

Download Submit
C:\Windows\{6783278C-0B10-4354-AC1C-BB64A08665A8}.exe

Filesize
168KB

MD5
68719931c1aef8a9c5716dc88df34eda

SHA1
653af8ea9b15b82ce8cb53d7dde4c2e444665280

SHA256
080f4dd890c2c275ffa6f0aa54715cb5540a00de3bff2628a9536491c25fcc92

SHA512
03e5bc0334d1248092e65a06263d238e6efe0eef94ce6e31cb6b9171a295b5f9698a36da8f6d1018edf96343fa4477a336dcae91a9ec036f5d092abe3bacc9d2

Download Submit
C:\Windows\{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe

Filesize
168KB

MD5
7255ace31955196b85cbfa826b182d49

SHA1
0d11cc28bd26651d4c901ca18ca6a5726b070628

SHA256
2c66d7aefbc380ca860d5b6c03b25a9f9ec468d1c36e70694a23c5fc965ea520

SHA512
ee47c045607a3e524a950c5a6556fbf854a92c40998e3c12f0b354fbe18ab1eecb1f5494949e4c0e147692da5974b22ee4d81e51aeccbcecaadd1183861afb1d

Download Submit
C:\Windows\{6B6E5A14-5464-44b4-8ED8-21807715D76D}.exe

Filesize
168KB

MD5
7255ace31955196b85cbfa826b182d49

SHA1
0d11cc28bd26651d4c901ca18ca6a5726b070628

SHA256
2c66d7aefbc380ca860d5b6c03b25a9f9ec468d1c36e70694a23c5fc965ea520

SHA512
ee47c045607a3e524a950c5a6556fbf854a92c40998e3c12f0b354fbe18ab1eecb1f5494949e4c0e147692da5974b22ee4d81e51aeccbcecaadd1183861afb1d

Download Submit
C:\Windows\{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe

Filesize
168KB

MD5
cca517dd21efeea6d8e0e046f7e42e79

SHA1
f27a5e9729f8eb048986cb521d26688bab8e29cd

SHA256
ef2d6efecd98a90bb3be4388722a1e334e7f57d4227c6b761b8d80b8aab19312

SHA512
2b7fd438f442015b862c870cb51b12b38a4d58b40ca47e8dd3d29c6aabb8cf803dfd422507666a21e6b86b16ac9e46ffe20a107a2c2460114a67dab965e18a4d

Download Submit
C:\Windows\{7C3A5223-BCA2-4825-81E8-47BF7FAC571A}.exe

Filesize
168KB

MD5
cca517dd21efeea6d8e0e046f7e42e79

SHA1
f27a5e9729f8eb048986cb521d26688bab8e29cd

SHA256
ef2d6efecd98a90bb3be4388722a1e334e7f57d4227c6b761b8d80b8aab19312

SHA512
2b7fd438f442015b862c870cb51b12b38a4d58b40ca47e8dd3d29c6aabb8cf803dfd422507666a21e6b86b16ac9e46ffe20a107a2c2460114a67dab965e18a4d

Download Submit
C:\Windows\{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe

Filesize
168KB

MD5
dbf7b6fc18b05e445557b7f8920f5773

SHA1
798d3c844e294a037d571a858066acdf8f49d724

SHA256
935350a64fd2f902cf5b0b48acbb7813931660cc4945224bfb3f676d3c1bdff0

SHA512
cfe643840a69ea0a571cfe6ffca00307a9fcdff75a7324c67a19e51d1f587d90cab1aee17c757a7a9b7c52cb577ebf94d145e9f1f40508f361fcc959760ec44a

Download Submit
C:\Windows\{805AE4F9-028B-46db-8D6C-1CDD3DC3F448}.exe

Filesize
168KB

MD5
dbf7b6fc18b05e445557b7f8920f5773

SHA1
798d3c844e294a037d571a858066acdf8f49d724

SHA256
935350a64fd2f902cf5b0b48acbb7813931660cc4945224bfb3f676d3c1bdff0

SHA512
cfe643840a69ea0a571cfe6ffca00307a9fcdff75a7324c67a19e51d1f587d90cab1aee17c757a7a9b7c52cb577ebf94d145e9f1f40508f361fcc959760ec44a

Download Submit
C:\Windows\{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe

Filesize
168KB

MD5
a107fea2da32766d7d7f2cd7205a3a57

SHA1
f26c2f674c2055c07266240093932a1ac4392061

SHA256
65c1c3041bd151071eb301f21c80fcdb0d7a4130750d1c2ee410891134ea57d1

SHA512
8b6e15031d30d48472c3d27d5587d574ec858568b8c5cecdd7095424e255980914d22f5c2475713ec10a9580bd93d1be77d2701685fe161128c8d1642a51156f

Download Submit
C:\Windows\{838210DD-F859-4ef2-BE37-3621E8708B6D}.exe

Filesize
168KB

MD5
a107fea2da32766d7d7f2cd7205a3a57

SHA1
f26c2f674c2055c07266240093932a1ac4392061

SHA256
65c1c3041bd151071eb301f21c80fcdb0d7a4130750d1c2ee410891134ea57d1

SHA512
8b6e15031d30d48472c3d27d5587d574ec858568b8c5cecdd7095424e255980914d22f5c2475713ec10a9580bd93d1be77d2701685fe161128c8d1642a51156f

Download Submit
C:\Windows\{9B7C2667-D666-43cf-BC2F-BFE112A2744E}.exe

Filesize
168KB

MD5
8a4b0426dda4bfb2cc183b264a95bb2e

SHA1
36556e6e15ddd19a56a2a49453e4ec99ce3f2af8

SHA256
dee2fabe8f0865a08b9417126c2dbc935ec6ca618fc67afaa25b43f07d88a5d2

SHA512
1b2dd616fbe18550a5cf90d13e32bfbd954e8afd25bd67dc09fddbe191b2cd8f80ab8c685d0268dec6af796d36e42b3a2d78d1eeb87f3b38b32f90aa2cd00f4d

Download Submit
C:\Windows\{9B7C2667-D666-43cf-BC2F-BFE112A2744E}.exe

Filesize
168KB

MD5
8a4b0426dda4bfb2cc183b264a95bb2e

SHA1
36556e6e15ddd19a56a2a49453e4ec99ce3f2af8

SHA256
dee2fabe8f0865a08b9417126c2dbc935ec6ca618fc67afaa25b43f07d88a5d2

SHA512
1b2dd616fbe18550a5cf90d13e32bfbd954e8afd25bd67dc09fddbe191b2cd8f80ab8c685d0268dec6af796d36e42b3a2d78d1eeb87f3b38b32f90aa2cd00f4d

Download Submit
C:\Windows\{E9B01D7F-8507-4516-8CC4-3A3E760AEBEA}.exe

Filesize
168KB

MD5
c1d303c5e002766c2b26af67fea073d2

SHA1
ed74a2f1e01e93e9bfa3a91abc90ab87e87fcedc

SHA256
04f372f07b32fe86104fc61f070d77032833b07d9aba79d32e7a71e708459c14

SHA512
22e995f6b92811d288ffd94815db3aa352c41fc3666bcc0af2080bbb9cdd29edce29833de73bec0c889d0a95204aa960d234f6be32f33a9f59b707594d6f6960

Download Submit
C:\Windows\{E9B01D7F-8507-4516-8CC4-3A3E760AEBEA}.exe

Filesize
168KB

MD5
c1d303c5e002766c2b26af67fea073d2

SHA1
ed74a2f1e01e93e9bfa3a91abc90ab87e87fcedc

SHA256
04f372f07b32fe86104fc61f070d77032833b07d9aba79d32e7a71e708459c14

SHA512
22e995f6b92811d288ffd94815db3aa352c41fc3666bcc0af2080bbb9cdd29edce29833de73bec0c889d0a95204aa960d234f6be32f33a9f59b707594d6f6960

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads