1508e2ef646afe0b6deb11d57f1b080caf3d65ed4cc6183cd53f6bc6ca68bcee

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe
Size

372KB
MD5

99dbcb1fa9dcd5fcf5588f056974b704
SHA1

22d91498e4e9b7196ac27b47307bbd186b1ba974
SHA256

1508e2ef646afe0b6deb11d57f1b080caf3d65ed4cc6183cd53f6bc6ca68bcee
SHA512

93daeccccb9e5e856086c3c8a166058d53a975e3853f710819ee09e79a5fa37ff7e8f24059cbd3349904f0a6de00084e56af9d07639cd6eec8e7a725a4f6dbf4
SSDEEP

3072:CEGh0oumlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGZl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}	{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACD4BACA-7146-491a-8947-4E629DF3849D}\stubpath = "C:\\Windows\\{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe"	{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E309E59-CD37-4c97-A3E9-A112C4836FAB}	{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3A8AD38-9CBA-4ebe-8EC6-6F2ABC22EA67}	{4DD1EB0D-5475-4801-9E20-3B3D9C39C7F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA2A9BC5-A65E-4770-B58E-5CB1AF41EFC2}	{A3A8AD38-9CBA-4ebe-8EC6-6F2ABC22EA67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA649C70-F010-4cf9-876D-EEC27A87DCDA}\stubpath = "C:\\Windows\\{DA649C70-F010-4cf9-876D-EEC27A87DCDA}.exe"	{FA2A9BC5-A65E-4770-B58E-5CB1AF41EFC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3A8AD38-9CBA-4ebe-8EC6-6F2ABC22EA67}\stubpath = "C:\\Windows\\{A3A8AD38-9CBA-4ebe-8EC6-6F2ABC22EA67}.exe"	{4DD1EB0D-5475-4801-9E20-3B3D9C39C7F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF54B270-AD90-4cee-917B-DFF91FC07088}	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}\stubpath = "C:\\Windows\\{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe"	{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACD4BACA-7146-491a-8947-4E629DF3849D}	{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E0BE7BD-543B-4171-A712-9856E7E3A14B}	{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{082DA1AF-73A0-494a-90AC-4C98119CED2D}\stubpath = "C:\\Windows\\{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe"	{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DD1EB0D-5475-4801-9E20-3B3D9C39C7F6}\stubpath = "C:\\Windows\\{4DD1EB0D-5475-4801-9E20-3B3D9C39C7F6}.exe"	{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DD1EB0D-5475-4801-9E20-3B3D9C39C7F6}	{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA2A9BC5-A65E-4770-B58E-5CB1AF41EFC2}\stubpath = "C:\\Windows\\{FA2A9BC5-A65E-4770-B58E-5CB1AF41EFC2}.exe"	{A3A8AD38-9CBA-4ebe-8EC6-6F2ABC22EA67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF54B270-AD90-4cee-917B-DFF91FC07088}\stubpath = "C:\\Windows\\{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe"	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}	{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}\stubpath = "C:\\Windows\\{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe"	{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E309E59-CD37-4c97-A3E9-A112C4836FAB}\stubpath = "C:\\Windows\\{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe"	{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E0BE7BD-543B-4171-A712-9856E7E3A14B}\stubpath = "C:\\Windows\\{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe"	{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{082DA1AF-73A0-494a-90AC-4C98119CED2D}	{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA649C70-F010-4cf9-876D-EEC27A87DCDA}	{FA2A9BC5-A65E-4770-B58E-5CB1AF41EFC2}.exe

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1696	{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe
2600	{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe
2608	{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe
3008	{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe
2496	{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe
2612	{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe
2476	{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe
1168	{4DD1EB0D-5475-4801-9E20-3B3D9C39C7F6}.exe
1156	{A3A8AD38-9CBA-4ebe-8EC6-6F2ABC22EA67}.exe
2868	{FA2A9BC5-A65E-4770-B58E-5CB1AF41EFC2}.exe
2668	{DA649C70-F010-4cf9-876D-EEC27A87DCDA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FA2A9BC5-A65E-4770-B58E-5CB1AF41EFC2}.exe	{A3A8AD38-9CBA-4ebe-8EC6-6F2ABC22EA67}.exe
File created	C:\Windows\{DA649C70-F010-4cf9-876D-EEC27A87DCDA}.exe	{FA2A9BC5-A65E-4770-B58E-5CB1AF41EFC2}.exe
File created	C:\Windows\{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe	{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe
File created	C:\Windows\{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe	{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe
File created	C:\Windows\{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe	{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe
File created	C:\Windows\{A3A8AD38-9CBA-4ebe-8EC6-6F2ABC22EA67}.exe	{4DD1EB0D-5475-4801-9E20-3B3D9C39C7F6}.exe
File created	C:\Windows\{4DD1EB0D-5475-4801-9E20-3B3D9C39C7F6}.exe	{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe
File created	C:\Windows\{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe
File created	C:\Windows\{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe	{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe
File created	C:\Windows\{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe	{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe
File created	C:\Windows\{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe	{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2164	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1696	{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe
Token: SeIncBasePriorityPrivilege	2600	{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe
Token: SeIncBasePriorityPrivilege	2608	{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe
Token: SeIncBasePriorityPrivilege	3008	{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe
Token: SeIncBasePriorityPrivilege	2496	{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe
Token: SeIncBasePriorityPrivilege	2612	{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe
Token: SeIncBasePriorityPrivilege	2476	{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe
Token: SeIncBasePriorityPrivilege	1168	{4DD1EB0D-5475-4801-9E20-3B3D9C39C7F6}.exe
Token: SeIncBasePriorityPrivilege	1156	{A3A8AD38-9CBA-4ebe-8EC6-6F2ABC22EA67}.exe
Token: SeIncBasePriorityPrivilege	2868	{FA2A9BC5-A65E-4770-B58E-5CB1AF41EFC2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 1696	2164	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe	28
PID 2164 wrote to memory of 1696	2164	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe	28
PID 2164 wrote to memory of 1696	2164	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe	28
PID 2164 wrote to memory of 1696	2164	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe	28
PID 2164 wrote to memory of 3004	2164	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe	29
PID 2164 wrote to memory of 3004	2164	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe	29
PID 2164 wrote to memory of 3004	2164	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe	29
PID 2164 wrote to memory of 3004	2164	NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe	29
PID 1696 wrote to memory of 2600	1696	{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe	30
PID 1696 wrote to memory of 2600	1696	{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe	30
PID 1696 wrote to memory of 2600	1696	{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe	30
PID 1696 wrote to memory of 2600	1696	{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe	30
PID 1696 wrote to memory of 2704	1696	{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe	31
PID 1696 wrote to memory of 2704	1696	{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe	31
PID 1696 wrote to memory of 2704	1696	{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe	31
PID 1696 wrote to memory of 2704	1696	{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe	31
PID 2600 wrote to memory of 2608	2600	{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe	35
PID 2600 wrote to memory of 2608	2600	{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe	35
PID 2600 wrote to memory of 2608	2600	{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe	35
PID 2600 wrote to memory of 2608	2600	{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe	35
PID 2600 wrote to memory of 2520	2600	{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe	34
PID 2600 wrote to memory of 2520	2600	{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe	34
PID 2600 wrote to memory of 2520	2600	{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe	34
PID 2600 wrote to memory of 2520	2600	{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe	34
PID 2608 wrote to memory of 3008	2608	{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe	36
PID 2608 wrote to memory of 3008	2608	{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe	36
PID 2608 wrote to memory of 3008	2608	{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe	36
PID 2608 wrote to memory of 3008	2608	{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe	36
PID 2608 wrote to memory of 2468	2608	{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe	37
PID 2608 wrote to memory of 2468	2608	{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe	37
PID 2608 wrote to memory of 2468	2608	{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe	37
PID 2608 wrote to memory of 2468	2608	{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe	37
PID 3008 wrote to memory of 2496	3008	{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe	38
PID 3008 wrote to memory of 2496	3008	{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe	38
PID 3008 wrote to memory of 2496	3008	{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe	38
PID 3008 wrote to memory of 2496	3008	{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe	38
PID 3008 wrote to memory of 2536	3008	{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe	39
PID 3008 wrote to memory of 2536	3008	{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe	39
PID 3008 wrote to memory of 2536	3008	{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe	39
PID 3008 wrote to memory of 2536	3008	{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe	39
PID 2496 wrote to memory of 2612	2496	{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe	41
PID 2496 wrote to memory of 2612	2496	{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe	41
PID 2496 wrote to memory of 2612	2496	{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe	41
PID 2496 wrote to memory of 2612	2496	{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe	41
PID 2496 wrote to memory of 2744	2496	{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe	40
PID 2496 wrote to memory of 2744	2496	{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe	40
PID 2496 wrote to memory of 2744	2496	{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe	40
PID 2496 wrote to memory of 2744	2496	{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe	40
PID 2612 wrote to memory of 2476	2612	{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe	43
PID 2612 wrote to memory of 2476	2612	{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe	43
PID 2612 wrote to memory of 2476	2612	{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe	43
PID 2612 wrote to memory of 2476	2612	{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe	43
PID 2612 wrote to memory of 1880	2612	{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe	42
PID 2612 wrote to memory of 1880	2612	{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe	42
PID 2612 wrote to memory of 1880	2612	{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe	42
PID 2612 wrote to memory of 1880	2612	{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe	42
PID 2476 wrote to memory of 1168	2476	{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe	45
PID 2476 wrote to memory of 1168	2476	{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe	45
PID 2476 wrote to memory of 1168	2476	{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe	45
PID 2476 wrote to memory of 1168	2476	{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe	45
PID 2476 wrote to memory of 1480	2476	{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe	44
PID 2476 wrote to memory of 1480	2476	{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe	44
PID 2476 wrote to memory of 1480	2476	{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe	44
PID 2476 wrote to memory of 1480	2476	{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe	44

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-06_99dbcb1fa9dcd5fcf5588f056974b704_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe
  C:\Windows\{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe
    C:\Windows\{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FFD42~1.EXE > nul
      4⤵
      PID:2520
  - - C:\Windows\{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe
      C:\Windows\{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe
        
        C:\Windows\{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Windows\{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe
        
        C:\Windows\{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E309~1.EXE > nul
        7⤵
        
        PID:2744
        
        C:\Windows\{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe
        
        C:\Windows\{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E0BE~1.EXE > nul
        8⤵
        
        PID:1880
        
        C:\Windows\{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe
        
        C:\Windows\{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{082DA~1.EXE > nul
        9⤵
        
        PID:1480
        
        C:\Windows\{4DD1EB0D-5475-4801-9E20-3B3D9C39C7F6}.exe
        
        C:\Windows\{4DD1EB0D-5475-4801-9E20-3B3D9C39C7F6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DD1E~1.EXE > nul
        10⤵
        
        PID:2580
        
        C:\Windows\{A3A8AD38-9CBA-4ebe-8EC6-6F2ABC22EA67}.exe
        
        C:\Windows\{A3A8AD38-9CBA-4ebe-8EC6-6F2ABC22EA67}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3A8A~1.EXE > nul
        11⤵
        
        PID:2880
        
        C:\Windows\{FA2A9BC5-A65E-4770-B58E-5CB1AF41EFC2}.exe
        
        C:\Windows\{FA2A9BC5-A65E-4770-B58E-5CB1AF41EFC2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA2A9~1.EXE > nul
        12⤵
        
        PID:940
        
        C:\Windows\{DA649C70-F010-4cf9-876D-EEC27A87DCDA}.exe
        
        C:\Windows\{DA649C70-F010-4cf9-876D-EEC27A87DCDA}.exe
        12⤵
        Executes dropped EXE
        
        PID:2668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACD4B~1.EXE > nul
        6⤵
        
        PID:2536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{402C0~1.EXE > nul
        5⤵
        
        PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DF54B~1.EXE > nul
    3⤵
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe

Filesize
372KB

MD5
7405848fd81ae176957522043451986b

SHA1
427d173cf64f468f5f47ab6d01dd913fbd352381

SHA256
5b5765db7a58f64eaa7abc8d8e517a2653151d022bc659ff15a5fb83f83bfe92

SHA512
bdb999bfd791e9f5e7a08730aae9f8b29b292631a95cc200e0948a25d2aa8462b068ca14293ed350a79516febf7e2d4e241c7f1e0372eff2b30bb8968a2587af

Download Submit
C:\Windows\{082DA1AF-73A0-494a-90AC-4C98119CED2D}.exe

Filesize
372KB

MD5
7405848fd81ae176957522043451986b

SHA1
427d173cf64f468f5f47ab6d01dd913fbd352381

SHA256
5b5765db7a58f64eaa7abc8d8e517a2653151d022bc659ff15a5fb83f83bfe92

SHA512
bdb999bfd791e9f5e7a08730aae9f8b29b292631a95cc200e0948a25d2aa8462b068ca14293ed350a79516febf7e2d4e241c7f1e0372eff2b30bb8968a2587af

Download Submit
C:\Windows\{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe

Filesize
372KB

MD5
2287f5132a4710e0af153de32f4894ac

SHA1
f41d48b171cc33f95bd587c6bd381499e3ea55b2

SHA256
ac2bf12ed090b5f40a62f1976e4ca9d7754d7061daa253ea7a19c00a76c41eff

SHA512
61f4eab515854238c58bc2ab9f1811c89d89d93ce090175ef4042fbbb4d1c4b8639ad12f8c2a81a857fd50ae22de0fd59a59ab6d9731a69c83c21a4c97e1d895

Download Submit
C:\Windows\{402C0ADF-34BB-4b9f-BB14-DE5EA6FB3C1C}.exe

Filesize
372KB

MD5
2287f5132a4710e0af153de32f4894ac

SHA1
f41d48b171cc33f95bd587c6bd381499e3ea55b2

SHA256
ac2bf12ed090b5f40a62f1976e4ca9d7754d7061daa253ea7a19c00a76c41eff

SHA512
61f4eab515854238c58bc2ab9f1811c89d89d93ce090175ef4042fbbb4d1c4b8639ad12f8c2a81a857fd50ae22de0fd59a59ab6d9731a69c83c21a4c97e1d895

Download Submit
C:\Windows\{4DD1EB0D-5475-4801-9E20-3B3D9C39C7F6}.exe

Filesize
372KB

MD5
b08b09bebec5add952e68ab1d78f0fca

SHA1
478d2ed5e2df6c1b19b8ea39a8a5030f00561762

SHA256
dcad9f770049882fe3a8a2e16c57b1b5b63bbc12bb8d5e17c30893b5c1741ad8

SHA512
688c2e55950e1bdcb833ca4d290f4ffea926d06729f229ac835a590d79639b58457bedc0fc2f007aa8b9c8d2d1a30205ae6923bd53cd9f796fc76f0279635081

Download Submit
C:\Windows\{4DD1EB0D-5475-4801-9E20-3B3D9C39C7F6}.exe

Filesize
372KB

MD5
b08b09bebec5add952e68ab1d78f0fca

SHA1
478d2ed5e2df6c1b19b8ea39a8a5030f00561762

SHA256
dcad9f770049882fe3a8a2e16c57b1b5b63bbc12bb8d5e17c30893b5c1741ad8

SHA512
688c2e55950e1bdcb833ca4d290f4ffea926d06729f229ac835a590d79639b58457bedc0fc2f007aa8b9c8d2d1a30205ae6923bd53cd9f796fc76f0279635081

Download Submit
C:\Windows\{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe

Filesize
372KB

MD5
0f8e00f8b3fab311277390d6d73328e0

SHA1
b9f2b69ad13df46d19d1c2c2dcb97b2486a41c51

SHA256
a6e289b0f4f3f8b4ede80c7f695ce25bf90bb24216b923e7fd589bec58bcd875

SHA512
2bb2e597e4e651830e8c4bd31dd082dd4f673ff9c0d318964fe6e456c50936a6de049584a64a8a6de4af02ae7abcce165700f66c5d903f9a0785606ba81260c6

Download Submit
C:\Windows\{6E309E59-CD37-4c97-A3E9-A112C4836FAB}.exe

Filesize
372KB

MD5
0f8e00f8b3fab311277390d6d73328e0

SHA1
b9f2b69ad13df46d19d1c2c2dcb97b2486a41c51

SHA256
a6e289b0f4f3f8b4ede80c7f695ce25bf90bb24216b923e7fd589bec58bcd875

SHA512
2bb2e597e4e651830e8c4bd31dd082dd4f673ff9c0d318964fe6e456c50936a6de049584a64a8a6de4af02ae7abcce165700f66c5d903f9a0785606ba81260c6

Download Submit
C:\Windows\{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe

Filesize
372KB

MD5
b9683c59c736e592ae5c12a8c659169d

SHA1
768b4f19edbaf6b669dafaf40156edf2c4933c0c

SHA256
26b2a2d14bf6cf4c5a5f100b67e026515f62c14511d6171779c63295b9b9f06d

SHA512
9fc3e2d416ea03e8f09e922addf0a30ac5a5f425212d39ff4d2911c0e5523e2a3ddcf2ec052a790445ed968587de0b9fbbc5a1c1ce1bca92372d89864b8e94d5

Download Submit
C:\Windows\{9E0BE7BD-543B-4171-A712-9856E7E3A14B}.exe

Filesize
372KB

MD5
b9683c59c736e592ae5c12a8c659169d

SHA1
768b4f19edbaf6b669dafaf40156edf2c4933c0c

SHA256
26b2a2d14bf6cf4c5a5f100b67e026515f62c14511d6171779c63295b9b9f06d

SHA512
9fc3e2d416ea03e8f09e922addf0a30ac5a5f425212d39ff4d2911c0e5523e2a3ddcf2ec052a790445ed968587de0b9fbbc5a1c1ce1bca92372d89864b8e94d5

Download Submit
C:\Windows\{A3A8AD38-9CBA-4ebe-8EC6-6F2ABC22EA67}.exe

Filesize
372KB

MD5
3deb1bf05809ef3d36114798379e4a7e

SHA1
319ce95c410fcf3ececb57e44c7297ee89b23406

SHA256
226b26905f594b9c81cb371b37db9cfc759db87099fc1c2d6f536aa8ddba00dd

SHA512
f696793b379b0334d5dd895a575ff83e46fe8f18c2ed0fc86d49e681cd3224b62b18a116cb9328ef64fdbc86fc3d2662d85d34ac8882bf38b979da034d0d3fb6

Download Submit
C:\Windows\{A3A8AD38-9CBA-4ebe-8EC6-6F2ABC22EA67}.exe

Filesize
372KB

MD5
3deb1bf05809ef3d36114798379e4a7e

SHA1
319ce95c410fcf3ececb57e44c7297ee89b23406

SHA256
226b26905f594b9c81cb371b37db9cfc759db87099fc1c2d6f536aa8ddba00dd

SHA512
f696793b379b0334d5dd895a575ff83e46fe8f18c2ed0fc86d49e681cd3224b62b18a116cb9328ef64fdbc86fc3d2662d85d34ac8882bf38b979da034d0d3fb6

Download Submit
C:\Windows\{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe

Filesize
372KB

MD5
bf89eb9ac042281f3fbfcabd0dc0c5ce

SHA1
07c1ecc3ae35b708fd6ebea15603a44ee5cb88b8

SHA256
72415085a661f9e812fbcbd86e131d23f7d8e0078079f9472b9a34295c1ed16f

SHA512
6ba224cb6829e72bbb3314949c46d40ad0fd5cd1444d2e56c3c66216381953424deb77b62ff6e8e5cb4d8b4fc4fc7b14374e45d6dabaa5c321b343347f9e28ed

Download Submit
C:\Windows\{ACD4BACA-7146-491a-8947-4E629DF3849D}.exe

Filesize
372KB

MD5
bf89eb9ac042281f3fbfcabd0dc0c5ce

SHA1
07c1ecc3ae35b708fd6ebea15603a44ee5cb88b8

SHA256
72415085a661f9e812fbcbd86e131d23f7d8e0078079f9472b9a34295c1ed16f

SHA512
6ba224cb6829e72bbb3314949c46d40ad0fd5cd1444d2e56c3c66216381953424deb77b62ff6e8e5cb4d8b4fc4fc7b14374e45d6dabaa5c321b343347f9e28ed

Download Submit
C:\Windows\{DA649C70-F010-4cf9-876D-EEC27A87DCDA}.exe

Filesize
372KB

MD5
11ea252e8f69f3d3b3b2307cdbdc25bc

SHA1
01f04d85ec082bbbfe4e0c01f7caa4d1f47a94a3

SHA256
4f857928eb730de113b0769ee256cb106f6832970e9b0fd98e2d500a2734b0ee

SHA512
da2575e436cbfff33c67841872d2394bd0ba211dea626c055aae79247cd4833a9e46c9fcd702b6c4cc9de59b1c48d92918b2830e3a39430448ec707d55707a86

Download Submit
C:\Windows\{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe

Filesize
372KB

MD5
21b64d8646d4eb343f7ed1d532df430e

SHA1
eea03a32ebea345b782c9e2bf054605775283c59

SHA256
0a7f496ce72b8caa9688986bab0b91ade36aab65a6f7200a88ca7324f9d8c48f

SHA512
9e9db33521d563e29743892c51d72907e7cf6b8f74ba02a9c0ffba26e3cb6562c7699bd5f74405a727a359d13e5e869eb69004c5680eba41d6fe3ba2d28e5604

Download Submit
C:\Windows\{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe

Filesize
372KB

MD5
21b64d8646d4eb343f7ed1d532df430e

SHA1
eea03a32ebea345b782c9e2bf054605775283c59

SHA256
0a7f496ce72b8caa9688986bab0b91ade36aab65a6f7200a88ca7324f9d8c48f

SHA512
9e9db33521d563e29743892c51d72907e7cf6b8f74ba02a9c0ffba26e3cb6562c7699bd5f74405a727a359d13e5e869eb69004c5680eba41d6fe3ba2d28e5604

Download Submit
C:\Windows\{DF54B270-AD90-4cee-917B-DFF91FC07088}.exe

Filesize
372KB

MD5
21b64d8646d4eb343f7ed1d532df430e

SHA1
eea03a32ebea345b782c9e2bf054605775283c59

SHA256
0a7f496ce72b8caa9688986bab0b91ade36aab65a6f7200a88ca7324f9d8c48f

SHA512
9e9db33521d563e29743892c51d72907e7cf6b8f74ba02a9c0ffba26e3cb6562c7699bd5f74405a727a359d13e5e869eb69004c5680eba41d6fe3ba2d28e5604

Download Submit
C:\Windows\{FA2A9BC5-A65E-4770-B58E-5CB1AF41EFC2}.exe

Filesize
372KB

MD5
c027d2555b7938be2b6d6072aec82d35

SHA1
fde11f522a6ba0ac00457f86fb4da3be997f05a2

SHA256
ceb5801b899c9426ae494c40c066e1afec2b1361b1a6c9ab0fcceb33a670bf51

SHA512
497dc3956e9286966da4b2c37556d91977043eed92771d4a5ddd87a64bccb5fc4a60b98994ea7fa4ac06099da610bc980b71091aa84ec051db9c1602addad84c

Download Submit
C:\Windows\{FA2A9BC5-A65E-4770-B58E-5CB1AF41EFC2}.exe

Filesize
372KB

MD5
c027d2555b7938be2b6d6072aec82d35

SHA1
fde11f522a6ba0ac00457f86fb4da3be997f05a2

SHA256
ceb5801b899c9426ae494c40c066e1afec2b1361b1a6c9ab0fcceb33a670bf51

SHA512
497dc3956e9286966da4b2c37556d91977043eed92771d4a5ddd87a64bccb5fc4a60b98994ea7fa4ac06099da610bc980b71091aa84ec051db9c1602addad84c

Download Submit
C:\Windows\{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe

Filesize
372KB

MD5
ed0a8049b0ebf42a8ef46b9a33e81c3e

SHA1
5e68e49f5d9bff6206cce71ba6c371bce3419d30

SHA256
535e07af33dd7cdd4fc1e998be5d4d9ae1dd4ecc71820a8246a2f2c7456bc54c

SHA512
4362aac0bfa89170313da2a5069b3910ee5da9e41b7fcb6362b658303bbb59eb68196aa8715d50f8623db6bc277a5e987c4c878dc1355f5e23638b357bfaef41

Download Submit
C:\Windows\{FFD42CA1-B46A-47bb-8C22-46E7004C4A30}.exe

Filesize
372KB

MD5
ed0a8049b0ebf42a8ef46b9a33e81c3e

SHA1
5e68e49f5d9bff6206cce71ba6c371bce3419d30

SHA256
535e07af33dd7cdd4fc1e998be5d4d9ae1dd4ecc71820a8246a2f2c7456bc54c

SHA512
4362aac0bfa89170313da2a5069b3910ee5da9e41b7fcb6362b658303bbb59eb68196aa8715d50f8623db6bc277a5e987c4c878dc1355f5e23638b357bfaef41

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads