700a789183d05343bd8184ae0acd3b8ce3cdb8f657f513e8616f18c8aa9ec37c

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 16:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-07_66ecaaa2fef6957e6cdcd20f836eb509_goldeneye_JC.exe
Size

180KB
MD5

66ecaaa2fef6957e6cdcd20f836eb509
SHA1

dec2b132dd0f5d1aaddbfdc2a6f517d662699787
SHA256

700a789183d05343bd8184ae0acd3b8ce3cdb8f657f513e8616f18c8aa9ec37c
SHA512

08d1d47c28f3013f3a9392a29cebe496df0ca36f8c095eb1d38cef3ad94d7fa6488be65e61c8ea58863747861efa7de4f1e3f720ff0c072318248d7b98e2b4ba
SSDEEP

3072:jEGh0ovlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGhl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B9E97CD-3856-4fb0-9533-FAE81E16120D}	{1B4C28D4-D6C2-4137-BFAE-4F825ED856A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{844F8C0F-D720-41af-A610-B7A84C4A1B6A}	{8B9E97CD-3856-4fb0-9533-FAE81E16120D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{844F8C0F-D720-41af-A610-B7A84C4A1B6A}\stubpath = "C:\\Windows\\{844F8C0F-D720-41af-A610-B7A84C4A1B6A}.exe"	{8B9E97CD-3856-4fb0-9533-FAE81E16120D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E09E19A-293F-46d0-A162-423B74D4E3E9}	NEAS.2023-09-07_66ecaaa2fef6957e6cdcd20f836eb509_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}\stubpath = "C:\\Windows\\{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe"	{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46CDE81C-E94D-4928-81F1-EB4CD869E102}\stubpath = "C:\\Windows\\{46CDE81C-E94D-4928-81F1-EB4CD869E102}.exe"	{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B4C28D4-D6C2-4137-BFAE-4F825ED856A7}	{46CDE81C-E94D-4928-81F1-EB4CD869E102}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B4C28D4-D6C2-4137-BFAE-4F825ED856A7}\stubpath = "C:\\Windows\\{1B4C28D4-D6C2-4137-BFAE-4F825ED856A7}.exe"	{46CDE81C-E94D-4928-81F1-EB4CD869E102}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E09E19A-293F-46d0-A162-423B74D4E3E9}\stubpath = "C:\\Windows\\{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe"	NEAS.2023-09-07_66ecaaa2fef6957e6cdcd20f836eb509_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A0698A2-13C8-48bc-A75C-665A885BFE88}\stubpath = "C:\\Windows\\{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe"	{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}\stubpath = "C:\\Windows\\{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe"	{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}	{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}	{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}	{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B9E97CD-3856-4fb0-9533-FAE81E16120D}\stubpath = "C:\\Windows\\{8B9E97CD-3856-4fb0-9533-FAE81E16120D}.exe"	{1B4C28D4-D6C2-4137-BFAE-4F825ED856A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A0698A2-13C8-48bc-A75C-665A885BFE88}	{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}	{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}\stubpath = "C:\\Windows\\{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe"	{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85643409-DFA5-4df1-A48D-BCE11C97D21A}	{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85643409-DFA5-4df1-A48D-BCE11C97D21A}\stubpath = "C:\\Windows\\{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe"	{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}\stubpath = "C:\\Windows\\{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe"	{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46CDE81C-E94D-4928-81F1-EB4CD869E102}	{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe

Deletes itself 1 IoCs

pid	Process
2336	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3024	{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe
2776	{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe
2536	{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe
2648	{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe
2540	{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe
2972	{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe
2492	{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe
1672	{46CDE81C-E94D-4928-81F1-EB4CD869E102}.exe
2568	{1B4C28D4-D6C2-4137-BFAE-4F825ED856A7}.exe
2752	{8B9E97CD-3856-4fb0-9533-FAE81E16120D}.exe
2000	{844F8C0F-D720-41af-A610-B7A84C4A1B6A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe	{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe
File created	C:\Windows\{46CDE81C-E94D-4928-81F1-EB4CD869E102}.exe	{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe
File created	C:\Windows\{1B4C28D4-D6C2-4137-BFAE-4F825ED856A7}.exe	{46CDE81C-E94D-4928-81F1-EB4CD869E102}.exe
File created	C:\Windows\{8B9E97CD-3856-4fb0-9533-FAE81E16120D}.exe	{1B4C28D4-D6C2-4137-BFAE-4F825ED856A7}.exe
File created	C:\Windows\{844F8C0F-D720-41af-A610-B7A84C4A1B6A}.exe	{8B9E97CD-3856-4fb0-9533-FAE81E16120D}.exe
File created	C:\Windows\{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe	NEAS.2023-09-07_66ecaaa2fef6957e6cdcd20f836eb509_goldeneye_JC.exe
File created	C:\Windows\{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe	{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe
File created	C:\Windows\{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe	{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe
File created	C:\Windows\{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe	{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe
File created	C:\Windows\{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe	{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe
File created	C:\Windows\{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe	{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2340	NEAS.2023-09-07_66ecaaa2fef6957e6cdcd20f836eb509_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3024	{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe
Token: SeIncBasePriorityPrivilege	2776	{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe
Token: SeIncBasePriorityPrivilege	2536	{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe
Token: SeIncBasePriorityPrivilege	2648	{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe
Token: SeIncBasePriorityPrivilege	2540	{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe
Token: SeIncBasePriorityPrivilege	2972	{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe
Token: SeIncBasePriorityPrivilege	2492	{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe
Token: SeIncBasePriorityPrivilege	1672	{46CDE81C-E94D-4928-81F1-EB4CD869E102}.exe
Token: SeIncBasePriorityPrivilege	2568	{1B4C28D4-D6C2-4137-BFAE-4F825ED856A7}.exe
Token: SeIncBasePriorityPrivilege	2752	{8B9E97CD-3856-4fb0-9533-FAE81E16120D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3024	2340	NEAS.2023-09-07_66ecaaa2fef6957e6cdcd20f836eb509_goldeneye_JC.exe	28
PID 2340 wrote to memory of 3024	2340	NEAS.2023-09-07_66ecaaa2fef6957e6cdcd20f836eb509_goldeneye_JC.exe	28
PID 2340 wrote to memory of 3024	2340	NEAS.2023-09-07_66ecaaa2fef6957e6cdcd20f836eb509_goldeneye_JC.exe	28
PID 2340 wrote to memory of 3024	2340	NEAS.2023-09-07_66ecaaa2fef6957e6cdcd20f836eb509_goldeneye_JC.exe	28
PID 2340 wrote to memory of 2336	2340	NEAS.2023-09-07_66ecaaa2fef6957e6cdcd20f836eb509_goldeneye_JC.exe	29
PID 2340 wrote to memory of 2336	2340	NEAS.2023-09-07_66ecaaa2fef6957e6cdcd20f836eb509_goldeneye_JC.exe	29
PID 2340 wrote to memory of 2336	2340	NEAS.2023-09-07_66ecaaa2fef6957e6cdcd20f836eb509_goldeneye_JC.exe	29
PID 2340 wrote to memory of 2336	2340	NEAS.2023-09-07_66ecaaa2fef6957e6cdcd20f836eb509_goldeneye_JC.exe	29
PID 3024 wrote to memory of 2776	3024	{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe	32
PID 3024 wrote to memory of 2776	3024	{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe	32
PID 3024 wrote to memory of 2776	3024	{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe	32
PID 3024 wrote to memory of 2776	3024	{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe	32
PID 3024 wrote to memory of 2784	3024	{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe	33
PID 3024 wrote to memory of 2784	3024	{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe	33
PID 3024 wrote to memory of 2784	3024	{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe	33
PID 3024 wrote to memory of 2784	3024	{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe	33
PID 2776 wrote to memory of 2536	2776	{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe	34
PID 2776 wrote to memory of 2536	2776	{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe	34
PID 2776 wrote to memory of 2536	2776	{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe	34
PID 2776 wrote to memory of 2536	2776	{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe	34
PID 2776 wrote to memory of 2532	2776	{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe	35
PID 2776 wrote to memory of 2532	2776	{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe	35
PID 2776 wrote to memory of 2532	2776	{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe	35
PID 2776 wrote to memory of 2532	2776	{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe	35
PID 2536 wrote to memory of 2648	2536	{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe	36
PID 2536 wrote to memory of 2648	2536	{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe	36
PID 2536 wrote to memory of 2648	2536	{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe	36
PID 2536 wrote to memory of 2648	2536	{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe	36
PID 2536 wrote to memory of 2428	2536	{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe	37
PID 2536 wrote to memory of 2428	2536	{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe	37
PID 2536 wrote to memory of 2428	2536	{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe	37
PID 2536 wrote to memory of 2428	2536	{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe	37
PID 2648 wrote to memory of 2540	2648	{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe	38
PID 2648 wrote to memory of 2540	2648	{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe	38
PID 2648 wrote to memory of 2540	2648	{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe	38
PID 2648 wrote to memory of 2540	2648	{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe	38
PID 2648 wrote to memory of 2632	2648	{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe	39
PID 2648 wrote to memory of 2632	2648	{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe	39
PID 2648 wrote to memory of 2632	2648	{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe	39
PID 2648 wrote to memory of 2632	2648	{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe	39
PID 2540 wrote to memory of 2972	2540	{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe	40
PID 2540 wrote to memory of 2972	2540	{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe	40
PID 2540 wrote to memory of 2972	2540	{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe	40
PID 2540 wrote to memory of 2972	2540	{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe	40
PID 2540 wrote to memory of 2984	2540	{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe	41
PID 2540 wrote to memory of 2984	2540	{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe	41
PID 2540 wrote to memory of 2984	2540	{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe	41
PID 2540 wrote to memory of 2984	2540	{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe	41
PID 2972 wrote to memory of 2492	2972	{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe	42
PID 2972 wrote to memory of 2492	2972	{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe	42
PID 2972 wrote to memory of 2492	2972	{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe	42
PID 2972 wrote to memory of 2492	2972	{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe	42
PID 2972 wrote to memory of 956	2972	{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe	43
PID 2972 wrote to memory of 956	2972	{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe	43
PID 2972 wrote to memory of 956	2972	{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe	43
PID 2972 wrote to memory of 956	2972	{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe	43
PID 2492 wrote to memory of 1672	2492	{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe	44
PID 2492 wrote to memory of 1672	2492	{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe	44
PID 2492 wrote to memory of 1672	2492	{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe	44
PID 2492 wrote to memory of 1672	2492	{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe	44
PID 2492 wrote to memory of 852	2492	{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe	45
PID 2492 wrote to memory of 852	2492	{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe	45
PID 2492 wrote to memory of 852	2492	{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe	45
PID 2492 wrote to memory of 852	2492	{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_66ecaaa2fef6957e6cdcd20f836eb509_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-07_66ecaaa2fef6957e6cdcd20f836eb509_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe
  C:\Windows\{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe
    C:\Windows\{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe
      C:\Windows\{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe
        
        C:\Windows\{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe
        
        C:\Windows\{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe
        
        C:\Windows\{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe
        
        C:\Windows\{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\{46CDE81C-E94D-4928-81F1-EB4CD869E102}.exe
        
        C:\Windows\{46CDE81C-E94D-4928-81F1-EB4CD869E102}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\{1B4C28D4-D6C2-4137-BFAE-4F825ED856A7}.exe
        
        C:\Windows\{1B4C28D4-D6C2-4137-BFAE-4F825ED856A7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B4C2~1.EXE > nul
        11⤵
        
        PID:2864
        
        C:\Windows\{8B9E97CD-3856-4fb0-9533-FAE81E16120D}.exe
        
        C:\Windows\{8B9E97CD-3856-4fb0-9533-FAE81E16120D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\{844F8C0F-D720-41af-A610-B7A84C4A1B6A}.exe
        
        C:\Windows\{844F8C0F-D720-41af-A610-B7A84C4A1B6A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B9E9~1.EXE > nul
        12⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46CDE~1.EXE > nul
        10⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46C09~1.EXE > nul
        9⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85643~1.EXE > nul
        8⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E287B~1.EXE > nul
        7⤵
        
        PID:2984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF575~1.EXE > nul
        6⤵
        
        PID:2632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5ACBA~1.EXE > nul
        5⤵
        
        PID:2428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9A069~1.EXE > nul
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8E09E~1.EXE > nul
    3⤵
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B4C28D4-D6C2-4137-BFAE-4F825ED856A7}.exe

Filesize
180KB

MD5
9fd887df2019ea8fdb6984df3e3c16db

SHA1
32d4c2ae0e393c8f730c36073f6df036e90b285b

SHA256
e765fb85aaf773ad8212a10cbd9f1a9cf1ed033fe1774aade36bc7ac74c95efc

SHA512
55a739515b1d02b17d930994faabc51306b59d026047b329dc4aef08639d0ddba97319b9676531f3cd8012834d38e2fa9ff7bcbb914577b6158251bdca97b8e3

Download Submit
C:\Windows\{1B4C28D4-D6C2-4137-BFAE-4F825ED856A7}.exe

Filesize
180KB

MD5
9fd887df2019ea8fdb6984df3e3c16db

SHA1
32d4c2ae0e393c8f730c36073f6df036e90b285b

SHA256
e765fb85aaf773ad8212a10cbd9f1a9cf1ed033fe1774aade36bc7ac74c95efc

SHA512
55a739515b1d02b17d930994faabc51306b59d026047b329dc4aef08639d0ddba97319b9676531f3cd8012834d38e2fa9ff7bcbb914577b6158251bdca97b8e3

Download Submit
C:\Windows\{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe

Filesize
180KB

MD5
862101e4ce816460e3ec3e844dca6a4d

SHA1
50a3be3bda4dc9b9569f888d5454927bd5cd824c

SHA256
e191974fc26501c9fd7ef1bf54561920d3edf20e829640fce3e6e0ee2113b096

SHA512
7e8c160b9c2e9dc8ff7aa9739c83f609bc5ba050b79fe2070fffd142e8e2bfefaf44624c632d762c670b6555449d0cffcb237b3b85d8518b14559520ffa757b5

Download Submit
C:\Windows\{46C0999B-B6A3-41cc-ACE4-1F26B24141A4}.exe

Filesize
180KB

MD5
862101e4ce816460e3ec3e844dca6a4d

SHA1
50a3be3bda4dc9b9569f888d5454927bd5cd824c

SHA256
e191974fc26501c9fd7ef1bf54561920d3edf20e829640fce3e6e0ee2113b096

SHA512
7e8c160b9c2e9dc8ff7aa9739c83f609bc5ba050b79fe2070fffd142e8e2bfefaf44624c632d762c670b6555449d0cffcb237b3b85d8518b14559520ffa757b5

Download Submit
C:\Windows\{46CDE81C-E94D-4928-81F1-EB4CD869E102}.exe

Filesize
180KB

MD5
83ff3241d58002cacbe82801414f99d9

SHA1
209089517055cac51744707f1f5272dfdfe2fffe

SHA256
4932ffac3a7abe82f8d7098677d41836375558badbcdfc16da36adc3c3e2e7a2

SHA512
c5540d690f0016624ebdf4fbb5f04e778a8564fdd0be992b0e29c55a565e58f699301adaf854135a3d032b4effe48bdc0813e43de10a59443cd599993fe93de3

Download Submit
C:\Windows\{46CDE81C-E94D-4928-81F1-EB4CD869E102}.exe

Filesize
180KB

MD5
83ff3241d58002cacbe82801414f99d9

SHA1
209089517055cac51744707f1f5272dfdfe2fffe

SHA256
4932ffac3a7abe82f8d7098677d41836375558badbcdfc16da36adc3c3e2e7a2

SHA512
c5540d690f0016624ebdf4fbb5f04e778a8564fdd0be992b0e29c55a565e58f699301adaf854135a3d032b4effe48bdc0813e43de10a59443cd599993fe93de3

Download Submit
C:\Windows\{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe

Filesize
180KB

MD5
d641af428f573799d1bba07e849ad93b

SHA1
8c0da6acb64257703bdfc405b79b96779091e2d2

SHA256
e6c12ecf28f7f2317f43970e1119f862ebe9bf70a45dd1310832853df0c76390

SHA512
412c52923a5239a8deaa87787dbe312192b3ce9442a71185a61059370b4232616f1067a3aae0760e8df484667eeeb026f0de14b1227e379a928e2d5a93608ee3

Download Submit
C:\Windows\{5ACBA68E-D806-4fa0-BD0B-1A6FA9369DE4}.exe

Filesize
180KB

MD5
d641af428f573799d1bba07e849ad93b

SHA1
8c0da6acb64257703bdfc405b79b96779091e2d2

SHA256
e6c12ecf28f7f2317f43970e1119f862ebe9bf70a45dd1310832853df0c76390

SHA512
412c52923a5239a8deaa87787dbe312192b3ce9442a71185a61059370b4232616f1067a3aae0760e8df484667eeeb026f0de14b1227e379a928e2d5a93608ee3

Download Submit
C:\Windows\{844F8C0F-D720-41af-A610-B7A84C4A1B6A}.exe

Filesize
180KB

MD5
128053110303191691d315d5ccaf8a63

SHA1
dbda5d69c8e64a05e29d5b552a6f3092c917c593

SHA256
f2850abb0435f56aa33481af1ad8e39add4cbb488eb6656d4920686b1029d077

SHA512
2f5a4dc4dfd9f5bcb701032455b8bd41a3291cae3f0e4ec0e79bfa4530fefde101bbc01777f484672d155ea7f4e71466d987a09abc3ed1c9464c5095e01b2e08

Download Submit
C:\Windows\{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe

Filesize
180KB

MD5
a2e3a68c1c591a1cd35b6f08b8e95cc1

SHA1
865b467e03cd2b56fb2bc91d1589812f98d05c32

SHA256
c2589a57ec317f0042fb30ac56f6583d4d2db3bdd5fd17977b0255fee77f50b8

SHA512
ee2148cb96219512a2a86608cb250f5a9750da27825141e54e457350ca5818bf8c2273bf63c305da271841ba099689d95d20e6912eac38cd674987bc127f5630

Download Submit
C:\Windows\{85643409-DFA5-4df1-A48D-BCE11C97D21A}.exe

Filesize
180KB

MD5
a2e3a68c1c591a1cd35b6f08b8e95cc1

SHA1
865b467e03cd2b56fb2bc91d1589812f98d05c32

SHA256
c2589a57ec317f0042fb30ac56f6583d4d2db3bdd5fd17977b0255fee77f50b8

SHA512
ee2148cb96219512a2a86608cb250f5a9750da27825141e54e457350ca5818bf8c2273bf63c305da271841ba099689d95d20e6912eac38cd674987bc127f5630

Download Submit
C:\Windows\{8B9E97CD-3856-4fb0-9533-FAE81E16120D}.exe

Filesize
180KB

MD5
7f4ef559c51f8daa1f040a89677ddda1

SHA1
94a5c7bd58f7e40482fbd5f664244ac387528783

SHA256
b8a3c73abc251dd47a73a2a2991489ad76cc4942060dde6ee895dfc04eeed19b

SHA512
bc65481d9c78751ca41e2d6003b0f0bae46fd8c8baa3577ef4cfbd6ef30729428147cb933cb59b2c63c76add4b636deaeef64e2218aca8cbe201c9933d6ec2e9

Download Submit
C:\Windows\{8B9E97CD-3856-4fb0-9533-FAE81E16120D}.exe

Filesize
180KB

MD5
7f4ef559c51f8daa1f040a89677ddda1

SHA1
94a5c7bd58f7e40482fbd5f664244ac387528783

SHA256
b8a3c73abc251dd47a73a2a2991489ad76cc4942060dde6ee895dfc04eeed19b

SHA512
bc65481d9c78751ca41e2d6003b0f0bae46fd8c8baa3577ef4cfbd6ef30729428147cb933cb59b2c63c76add4b636deaeef64e2218aca8cbe201c9933d6ec2e9

Download Submit
C:\Windows\{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe

Filesize
180KB

MD5
dbb0cc0b5757f6a6384b20a5c8cb38cc

SHA1
ff089d77b163404429b6bec84cc5143590a85a7e

SHA256
bb31185136b43fc703c42d93d1c99af1bf1779e2eccd9eda71892a46906bc05a

SHA512
bbc188a964f23ef58c15f0ec03e9ec99f193a8461d17b8594f81cb30abcfc4beb6d88e6ccda8c7ca00dd82bf45465062f7e8f76a341ee6e4764de0a43d306442

Download Submit
C:\Windows\{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe

Filesize
180KB

MD5
dbb0cc0b5757f6a6384b20a5c8cb38cc

SHA1
ff089d77b163404429b6bec84cc5143590a85a7e

SHA256
bb31185136b43fc703c42d93d1c99af1bf1779e2eccd9eda71892a46906bc05a

SHA512
bbc188a964f23ef58c15f0ec03e9ec99f193a8461d17b8594f81cb30abcfc4beb6d88e6ccda8c7ca00dd82bf45465062f7e8f76a341ee6e4764de0a43d306442

Download Submit
C:\Windows\{8E09E19A-293F-46d0-A162-423B74D4E3E9}.exe

Filesize
180KB

MD5
dbb0cc0b5757f6a6384b20a5c8cb38cc

SHA1
ff089d77b163404429b6bec84cc5143590a85a7e

SHA256
bb31185136b43fc703c42d93d1c99af1bf1779e2eccd9eda71892a46906bc05a

SHA512
bbc188a964f23ef58c15f0ec03e9ec99f193a8461d17b8594f81cb30abcfc4beb6d88e6ccda8c7ca00dd82bf45465062f7e8f76a341ee6e4764de0a43d306442

Download Submit
C:\Windows\{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe

Filesize
180KB

MD5
43a6aef2681a57432814938c0094ada4

SHA1
769a615f2d63e555e0275f0cec6e03b6c726b995

SHA256
bd7c7805378468430ead85b64ba9ae5845b642ae3c5c989f264d843d0787e183

SHA512
375918694047f416a8d1f5cbc5982ab93a6d2c1de4d4d23191618f1b15a8e69b7829fe2aa1c11a32d00c98cb20df0fb91b0753cf45db1b5a9797a3780b982242

Download Submit
C:\Windows\{9A0698A2-13C8-48bc-A75C-665A885BFE88}.exe

Filesize
180KB

MD5
43a6aef2681a57432814938c0094ada4

SHA1
769a615f2d63e555e0275f0cec6e03b6c726b995

SHA256
bd7c7805378468430ead85b64ba9ae5845b642ae3c5c989f264d843d0787e183

SHA512
375918694047f416a8d1f5cbc5982ab93a6d2c1de4d4d23191618f1b15a8e69b7829fe2aa1c11a32d00c98cb20df0fb91b0753cf45db1b5a9797a3780b982242

Download Submit
C:\Windows\{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe

Filesize
180KB

MD5
68caea20d21a3913c5880b7308a3928d

SHA1
d5c11c1a85e8028c4460bc80d09cfeeb2b44220d

SHA256
64eb98490f64129d3230f4ef2689c6bdd46442378b980503185f9d75177e1f08

SHA512
c400f27bb23c1ce5d01e92c6a2ffd2ff3e731326c2684bfc83f1194e92bd20ed70d6d98dd6f4440fda9b417654e37471ca0b40583c46daa640fe7ea8d5227b34

Download Submit
C:\Windows\{BF57511D-9FDE-48df-BFA2-E35ADF75E0BF}.exe

Filesize
180KB

MD5
68caea20d21a3913c5880b7308a3928d

SHA1
d5c11c1a85e8028c4460bc80d09cfeeb2b44220d

SHA256
64eb98490f64129d3230f4ef2689c6bdd46442378b980503185f9d75177e1f08

SHA512
c400f27bb23c1ce5d01e92c6a2ffd2ff3e731326c2684bfc83f1194e92bd20ed70d6d98dd6f4440fda9b417654e37471ca0b40583c46daa640fe7ea8d5227b34

Download Submit
C:\Windows\{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe

Filesize
180KB

MD5
96438673cf6302f2186bb028052edc3e

SHA1
6df7fed5d577c1c671b3b603d44935ff1a00bb80

SHA256
cf665a1724b20710ede5c90985d83cf7a94992858d47125650c7fda99bf3caa8

SHA512
691e149279df2769126d5bdae05915928dcfbf5dc265f5a3794eb19be672917c2ff22d5db90a2c72818a39aafea3a5286bbc97e885e7089c1cc40850b7f03b8e

Download Submit
C:\Windows\{E287B7D5-1CEE-415d-BF4B-62E36138D3D9}.exe

Filesize
180KB

MD5
96438673cf6302f2186bb028052edc3e

SHA1
6df7fed5d577c1c671b3b603d44935ff1a00bb80

SHA256
cf665a1724b20710ede5c90985d83cf7a94992858d47125650c7fda99bf3caa8

SHA512
691e149279df2769126d5bdae05915928dcfbf5dc265f5a3794eb19be672917c2ff22d5db90a2c72818a39aafea3a5286bbc97e885e7089c1cc40850b7f03b8e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads