ad5a719f2d9803c36dcbf8c420203465ec899740b6faab17cb0f6e27e0d24d67

Analysis

max time kernel
163s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31-10-2023 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-09_2ed2041f037129158b144dd14ccd2237_goldeneye_JC.exe
Size

216KB
MD5

2ed2041f037129158b144dd14ccd2237
SHA1

970d2faff3e2caa8c6102d4f6747180a65eeb433
SHA256

ad5a719f2d9803c36dcbf8c420203465ec899740b6faab17cb0f6e27e0d24d67
SHA512

71d8373e19f84c303c96f522e32d4276baac9aa02cd79121c57af4973335d32dc201c74f33cf232152c3f9c6aaaa534c0c57b4d36530c61b612fd8d6e4fd6fa7
SSDEEP

3072:jEGh0oEl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGqlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02812ECE-247B-4e28-91FC-C8B8BE912774}	{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB1AA1CC-18D5-48b4-8665-45384ED5F186}	{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB1AA1CC-18D5-48b4-8665-45384ED5F186}\stubpath = "C:\\Windows\\{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe"	{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}	NEAS.2023-09-09_2ed2041f037129158b144dd14ccd2237_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}\stubpath = "C:\\Windows\\{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe"	{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB5A721F-30E5-4705-9570-4990EE6AF5E5}\stubpath = "C:\\Windows\\{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe"	{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44C9AF5D-E1E7-4285-AE24-0CCFC8961E7A}	{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A492D4E-B780-4289-8C65-473222909DD7}	{A777D67B-81FB-47f3-A348-2CE8FBCB50E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}	{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}	{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDB8FE48-472F-425a-A938-0A886C9253A2}	{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A492D4E-B780-4289-8C65-473222909DD7}\stubpath = "C:\\Windows\\{1A492D4E-B780-4289-8C65-473222909DD7}.exe"	{A777D67B-81FB-47f3-A348-2CE8FBCB50E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}\stubpath = "C:\\Windows\\{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe"	{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02812ECE-247B-4e28-91FC-C8B8BE912774}\stubpath = "C:\\Windows\\{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe"	{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A777D67B-81FB-47f3-A348-2CE8FBCB50E0}\stubpath = "C:\\Windows\\{A777D67B-81FB-47f3-A348-2CE8FBCB50E0}.exe"	{DA5ED79F-7556-4e43-A12F-F7B8108A5F3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44C9AF5D-E1E7-4285-AE24-0CCFC8961E7A}\stubpath = "C:\\Windows\\{44C9AF5D-E1E7-4285-AE24-0CCFC8961E7A}.exe"	{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA5ED79F-7556-4e43-A12F-F7B8108A5F3E}	{44C9AF5D-E1E7-4285-AE24-0CCFC8961E7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA5ED79F-7556-4e43-A12F-F7B8108A5F3E}\stubpath = "C:\\Windows\\{DA5ED79F-7556-4e43-A12F-F7B8108A5F3E}.exe"	{44C9AF5D-E1E7-4285-AE24-0CCFC8961E7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A777D67B-81FB-47f3-A348-2CE8FBCB50E0}	{DA5ED79F-7556-4e43-A12F-F7B8108A5F3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BEBA2C8-9BEC-4502-8DAE-DF297A00F157}	{1A492D4E-B780-4289-8C65-473222909DD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}\stubpath = "C:\\Windows\\{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe"	NEAS.2023-09-09_2ed2041f037129158b144dd14ccd2237_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB5A721F-30E5-4705-9570-4990EE6AF5E5}	{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDB8FE48-472F-425a-A938-0A886C9253A2}\stubpath = "C:\\Windows\\{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe"	{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BEBA2C8-9BEC-4502-8DAE-DF297A00F157}\stubpath = "C:\\Windows\\{2BEBA2C8-9BEC-4502-8DAE-DF297A00F157}.exe"	{1A492D4E-B780-4289-8C65-473222909DD7}.exe

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
3000	{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe
2708	{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe
2668	{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe
2632	{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe
2524	{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe
3044	{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe
1392	{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe
2884	{44C9AF5D-E1E7-4285-AE24-0CCFC8961E7A}.exe
2904	{DA5ED79F-7556-4e43-A12F-F7B8108A5F3E}.exe
776	{A777D67B-81FB-47f3-A348-2CE8FBCB50E0}.exe
2156	{1A492D4E-B780-4289-8C65-473222909DD7}.exe
760	{2BEBA2C8-9BEC-4502-8DAE-DF297A00F157}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe	{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe
File created	C:\Windows\{44C9AF5D-E1E7-4285-AE24-0CCFC8961E7A}.exe	{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe
File created	C:\Windows\{DA5ED79F-7556-4e43-A12F-F7B8108A5F3E}.exe	{44C9AF5D-E1E7-4285-AE24-0CCFC8961E7A}.exe
File created	C:\Windows\{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe	NEAS.2023-09-09_2ed2041f037129158b144dd14ccd2237_goldeneye_JC.exe
File created	C:\Windows\{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe	{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe
File created	C:\Windows\{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe	{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe
File created	C:\Windows\{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe	{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe
File created	C:\Windows\{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe	{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe
File created	C:\Windows\{A777D67B-81FB-47f3-A348-2CE8FBCB50E0}.exe	{DA5ED79F-7556-4e43-A12F-F7B8108A5F3E}.exe
File created	C:\Windows\{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe	{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe
File created	C:\Windows\{1A492D4E-B780-4289-8C65-473222909DD7}.exe	{A777D67B-81FB-47f3-A348-2CE8FBCB50E0}.exe
File created	C:\Windows\{2BEBA2C8-9BEC-4502-8DAE-DF297A00F157}.exe	{1A492D4E-B780-4289-8C65-473222909DD7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1868	NEAS.2023-09-09_2ed2041f037129158b144dd14ccd2237_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3000	{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe
Token: SeIncBasePriorityPrivilege	2708	{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe
Token: SeIncBasePriorityPrivilege	2668	{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe
Token: SeIncBasePriorityPrivilege	2632	{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe
Token: SeIncBasePriorityPrivilege	2524	{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe
Token: SeIncBasePriorityPrivilege	3044	{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe
Token: SeIncBasePriorityPrivilege	1392	{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe
Token: SeIncBasePriorityPrivilege	2884	{44C9AF5D-E1E7-4285-AE24-0CCFC8961E7A}.exe
Token: SeIncBasePriorityPrivilege	2904	{DA5ED79F-7556-4e43-A12F-F7B8108A5F3E}.exe
Token: SeIncBasePriorityPrivilege	776	{A777D67B-81FB-47f3-A348-2CE8FBCB50E0}.exe
Token: SeIncBasePriorityPrivilege	2156	{1A492D4E-B780-4289-8C65-473222909DD7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 3000	1868	NEAS.2023-09-09_2ed2041f037129158b144dd14ccd2237_goldeneye_JC.exe	27
PID 1868 wrote to memory of 3000	1868	NEAS.2023-09-09_2ed2041f037129158b144dd14ccd2237_goldeneye_JC.exe	27
PID 1868 wrote to memory of 3000	1868	NEAS.2023-09-09_2ed2041f037129158b144dd14ccd2237_goldeneye_JC.exe	27
PID 1868 wrote to memory of 3000	1868	NEAS.2023-09-09_2ed2041f037129158b144dd14ccd2237_goldeneye_JC.exe	27
PID 1868 wrote to memory of 2624	1868	NEAS.2023-09-09_2ed2041f037129158b144dd14ccd2237_goldeneye_JC.exe	28
PID 1868 wrote to memory of 2624	1868	NEAS.2023-09-09_2ed2041f037129158b144dd14ccd2237_goldeneye_JC.exe	28
PID 1868 wrote to memory of 2624	1868	NEAS.2023-09-09_2ed2041f037129158b144dd14ccd2237_goldeneye_JC.exe	28
PID 1868 wrote to memory of 2624	1868	NEAS.2023-09-09_2ed2041f037129158b144dd14ccd2237_goldeneye_JC.exe	28
PID 3000 wrote to memory of 2708	3000	{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe	31
PID 3000 wrote to memory of 2708	3000	{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe	31
PID 3000 wrote to memory of 2708	3000	{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe	31
PID 3000 wrote to memory of 2708	3000	{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe	31
PID 3000 wrote to memory of 2276	3000	{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe	32
PID 3000 wrote to memory of 2276	3000	{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe	32
PID 3000 wrote to memory of 2276	3000	{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe	32
PID 3000 wrote to memory of 2276	3000	{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe	32
PID 2708 wrote to memory of 2668	2708	{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe	34
PID 2708 wrote to memory of 2668	2708	{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe	34
PID 2708 wrote to memory of 2668	2708	{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe	34
PID 2708 wrote to memory of 2668	2708	{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe	34
PID 2708 wrote to memory of 2992	2708	{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe	33
PID 2708 wrote to memory of 2992	2708	{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe	33
PID 2708 wrote to memory of 2992	2708	{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe	33
PID 2708 wrote to memory of 2992	2708	{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe	33
PID 2668 wrote to memory of 2632	2668	{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe	36
PID 2668 wrote to memory of 2632	2668	{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe	36
PID 2668 wrote to memory of 2632	2668	{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe	36
PID 2668 wrote to memory of 2632	2668	{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe	36
PID 2668 wrote to memory of 2492	2668	{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe	35
PID 2668 wrote to memory of 2492	2668	{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe	35
PID 2668 wrote to memory of 2492	2668	{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe	35
PID 2668 wrote to memory of 2492	2668	{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe	35
PID 2632 wrote to memory of 2524	2632	{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe	37
PID 2632 wrote to memory of 2524	2632	{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe	37
PID 2632 wrote to memory of 2524	2632	{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe	37
PID 2632 wrote to memory of 2524	2632	{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe	37
PID 2632 wrote to memory of 2616	2632	{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe	38
PID 2632 wrote to memory of 2616	2632	{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe	38
PID 2632 wrote to memory of 2616	2632	{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe	38
PID 2632 wrote to memory of 2616	2632	{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe	38
PID 2524 wrote to memory of 3044	2524	{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe	39
PID 2524 wrote to memory of 3044	2524	{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe	39
PID 2524 wrote to memory of 3044	2524	{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe	39
PID 2524 wrote to memory of 3044	2524	{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe	39
PID 2524 wrote to memory of 2428	2524	{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe	40
PID 2524 wrote to memory of 2428	2524	{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe	40
PID 2524 wrote to memory of 2428	2524	{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe	40
PID 2524 wrote to memory of 2428	2524	{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe	40
PID 3044 wrote to memory of 1392	3044	{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe	41
PID 3044 wrote to memory of 1392	3044	{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe	41
PID 3044 wrote to memory of 1392	3044	{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe	41
PID 3044 wrote to memory of 1392	3044	{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe	41
PID 3044 wrote to memory of 2836	3044	{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe	42
PID 3044 wrote to memory of 2836	3044	{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe	42
PID 3044 wrote to memory of 2836	3044	{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe	42
PID 3044 wrote to memory of 2836	3044	{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe	42
PID 1392 wrote to memory of 2884	1392	{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe	43
PID 1392 wrote to memory of 2884	1392	{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe	43
PID 1392 wrote to memory of 2884	1392	{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe	43
PID 1392 wrote to memory of 2884	1392	{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe	43
PID 1392 wrote to memory of 2856	1392	{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe	44
PID 1392 wrote to memory of 2856	1392	{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe	44
PID 1392 wrote to memory of 2856	1392	{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe	44
PID 1392 wrote to memory of 2856	1392	{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe	44

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_2ed2041f037129158b144dd14ccd2237_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_2ed2041f037129158b144dd14ccd2237_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe
  C:\Windows\{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe
    C:\Windows\{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5130F~1.EXE > nul
      4⤵
      PID:2992
  - - C:\Windows\{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe
      C:\Windows\{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{504B6~1.EXE > nul
        5⤵
        
        PID:2492
    - - C:\Windows\{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe
        
        C:\Windows\{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe
        
        C:\Windows\{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe
        
        C:\Windows\{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe
        
        C:\Windows\{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\{44C9AF5D-E1E7-4285-AE24-0CCFC8961E7A}.exe
        
        C:\Windows\{44C9AF5D-E1E7-4285-AE24-0CCFC8961E7A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\{DA5ED79F-7556-4e43-A12F-F7B8108A5F3E}.exe
        
        C:\Windows\{DA5ED79F-7556-4e43-A12F-F7B8108A5F3E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\{A777D67B-81FB-47f3-A348-2CE8FBCB50E0}.exe
        
        C:\Windows\{A777D67B-81FB-47f3-A348-2CE8FBCB50E0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\{1A492D4E-B780-4289-8C65-473222909DD7}.exe
        
        C:\Windows\{1A492D4E-B780-4289-8C65-473222909DD7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\{2BEBA2C8-9BEC-4502-8DAE-DF297A00F157}.exe
        
        C:\Windows\{2BEBA2C8-9BEC-4502-8DAE-DF297A00F157}.exe
        13⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A492~1.EXE > nul
        13⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A777D~1.EXE > nul
        12⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA5ED~1.EXE > nul
        11⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44C9A~1.EXE > nul
        10⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB1AA~1.EXE > nul
        9⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDB8F~1.EXE > nul
        8⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02812~1.EXE > nul
        7⤵
        
        PID:2428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB5A7~1.EXE > nul
        6⤵
        
        PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2338E~1.EXE > nul
    3⤵
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe

Filesize
216KB

MD5
75b81dd0f8e0cca1b82a99e4c3cecc75

SHA1
97d35c5cb5febeb60966dc4304b51d72f8003726

SHA256
38f4793e8fe6ddb920f9eb2450a2e8e44ae5a0d245c50b66abcdfadce270442d

SHA512
f37d123dd2bfa080f5ee478a304e2ed9384d7b30bbb08bbf65166dbce1488580835eb55984bd6edc098d62db58d6bbf754293a8a303d526191108ceda3b81dd9

Download Submit
C:\Windows\{02812ECE-247B-4e28-91FC-C8B8BE912774}.exe

Filesize
216KB

MD5
75b81dd0f8e0cca1b82a99e4c3cecc75

SHA1
97d35c5cb5febeb60966dc4304b51d72f8003726

SHA256
38f4793e8fe6ddb920f9eb2450a2e8e44ae5a0d245c50b66abcdfadce270442d

SHA512
f37d123dd2bfa080f5ee478a304e2ed9384d7b30bbb08bbf65166dbce1488580835eb55984bd6edc098d62db58d6bbf754293a8a303d526191108ceda3b81dd9

Download Submit
C:\Windows\{1A492D4E-B780-4289-8C65-473222909DD7}.exe

Filesize
216KB

MD5
33e53b8e4eea458e4316af08a509834b

SHA1
054d4bad791f6a815b7a65a71f1959f12bd94b2b

SHA256
453f2d287ae4f612a6086dc308d62b8e26aeb5b0cb8251b6419532d8e5977971

SHA512
2761973888836926dee0b5ab62a916b85147f0b82b0184d56aa2fb8f42e3d91ac9c5fb2d11315cfcad2693f229f406ddf85d7654bccdc581adb64dc5a3e11e79

Download Submit
C:\Windows\{1A492D4E-B780-4289-8C65-473222909DD7}.exe

Filesize
216KB

MD5
33e53b8e4eea458e4316af08a509834b

SHA1
054d4bad791f6a815b7a65a71f1959f12bd94b2b

SHA256
453f2d287ae4f612a6086dc308d62b8e26aeb5b0cb8251b6419532d8e5977971

SHA512
2761973888836926dee0b5ab62a916b85147f0b82b0184d56aa2fb8f42e3d91ac9c5fb2d11315cfcad2693f229f406ddf85d7654bccdc581adb64dc5a3e11e79

Download Submit
C:\Windows\{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe

Filesize
216KB

MD5
0964800f4f9237d5c4106a3639812a60

SHA1
cedf0f2ed9d1135482ff9af513c05503f4f572cb

SHA256
43954e685ce30e739ba211fc22c17d1821d37aef6f0d6d5693cebc672205f4be

SHA512
67f92d35a310cb529be48a4fa09ff31d43c544cf559005110c66da99cff5700b99a020be6d2d49f7617be8ba753efef2ad3b3ba1aed0f2e053c5622c732fb605

Download Submit
C:\Windows\{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe

Filesize
216KB

MD5
0964800f4f9237d5c4106a3639812a60

SHA1
cedf0f2ed9d1135482ff9af513c05503f4f572cb

SHA256
43954e685ce30e739ba211fc22c17d1821d37aef6f0d6d5693cebc672205f4be

SHA512
67f92d35a310cb529be48a4fa09ff31d43c544cf559005110c66da99cff5700b99a020be6d2d49f7617be8ba753efef2ad3b3ba1aed0f2e053c5622c732fb605

Download Submit
C:\Windows\{2338EE51-92BA-450c-8E5B-142F3BAFF3E4}.exe

Filesize
216KB

MD5
0964800f4f9237d5c4106a3639812a60

SHA1
cedf0f2ed9d1135482ff9af513c05503f4f572cb

SHA256
43954e685ce30e739ba211fc22c17d1821d37aef6f0d6d5693cebc672205f4be

SHA512
67f92d35a310cb529be48a4fa09ff31d43c544cf559005110c66da99cff5700b99a020be6d2d49f7617be8ba753efef2ad3b3ba1aed0f2e053c5622c732fb605

Download Submit
C:\Windows\{2BEBA2C8-9BEC-4502-8DAE-DF297A00F157}.exe

Filesize
216KB

MD5
88ad58888717faadc621d1aaffdec2b0

SHA1
b036ef48e43e10d32e8f4baf24b41275c3cbee49

SHA256
b069a1ee49389ee12c4c06ddbd4282bca7cb46776ee30bae647645448d0a598f

SHA512
733dd8300ce460e9f410aba885b4a3b1c0d782210d0de091c93a511372f90a964a430708faf9d17ebedcf2b6492ae66c6d12d6353d142edc44197b9f42769f51

Download Submit
C:\Windows\{44C9AF5D-E1E7-4285-AE24-0CCFC8961E7A}.exe

Filesize
216KB

MD5
3e47881d26271a6b8b7995356cefffc2

SHA1
a101fd9d555b95eeffbc3c4dd9cb962b77f7aa96

SHA256
11626b33b57eb8c2101dcb076987e48bddf4dfe9291fd1d2cc90fbc05559b8be

SHA512
f46b06230fd0f590236ad8ad6ee77f9c3e34197cbb962b7ce0a2ad4af64368fc8add29a409a65262c03089ab38cec05c8da2fc568016f8e1da5b795782c4469d

Download Submit
C:\Windows\{44C9AF5D-E1E7-4285-AE24-0CCFC8961E7A}.exe

Filesize
216KB

MD5
3e47881d26271a6b8b7995356cefffc2

SHA1
a101fd9d555b95eeffbc3c4dd9cb962b77f7aa96

SHA256
11626b33b57eb8c2101dcb076987e48bddf4dfe9291fd1d2cc90fbc05559b8be

SHA512
f46b06230fd0f590236ad8ad6ee77f9c3e34197cbb962b7ce0a2ad4af64368fc8add29a409a65262c03089ab38cec05c8da2fc568016f8e1da5b795782c4469d

Download Submit
C:\Windows\{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe

Filesize
216KB

MD5
2346271e5f1ad187a64ece02ca100a0b

SHA1
6e86a4e45febdff88450db0b702686ceddbad698

SHA256
432415bdf78d7492cb951650b2b3b0b327ae4cb36f820cc46a88c52ef32f780d

SHA512
3f74b19df132146cd3b4ddf632c18bdf8d8130d0b031d896c0b00643836a00adb870e3ae14df8ec2c85ddacf6ba6c736a43141a0fb584a4c08a8db4490e6d1b2

Download Submit
C:\Windows\{504B6AE5-B74C-4f0e-9B8A-FAD414F9B284}.exe

Filesize
216KB

MD5
2346271e5f1ad187a64ece02ca100a0b

SHA1
6e86a4e45febdff88450db0b702686ceddbad698

SHA256
432415bdf78d7492cb951650b2b3b0b327ae4cb36f820cc46a88c52ef32f780d

SHA512
3f74b19df132146cd3b4ddf632c18bdf8d8130d0b031d896c0b00643836a00adb870e3ae14df8ec2c85ddacf6ba6c736a43141a0fb584a4c08a8db4490e6d1b2

Download Submit
C:\Windows\{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe

Filesize
216KB

MD5
19050127707cafdf0ab3ee2adbef64a6

SHA1
720380356554c658b3ccef66c36749f5cd8b80e9

SHA256
578a999c2844cc9199de2309a30592472e5d5bd3cc53eaef4c52fc7d8b0d74eb

SHA512
302fc77a386ec1c379b676b87059f9aa6c9442e919d5d50e6722cf569a37194444d960668dde7f95a8d6ce563bf864796dedefb61a88acb2eca7d8ce7c3e1af3

Download Submit
C:\Windows\{5130FAF4-2AD0-47d1-9AB3-1F66E5EFE90D}.exe

Filesize
216KB

MD5
19050127707cafdf0ab3ee2adbef64a6

SHA1
720380356554c658b3ccef66c36749f5cd8b80e9

SHA256
578a999c2844cc9199de2309a30592472e5d5bd3cc53eaef4c52fc7d8b0d74eb

SHA512
302fc77a386ec1c379b676b87059f9aa6c9442e919d5d50e6722cf569a37194444d960668dde7f95a8d6ce563bf864796dedefb61a88acb2eca7d8ce7c3e1af3

Download Submit
C:\Windows\{A777D67B-81FB-47f3-A348-2CE8FBCB50E0}.exe

Filesize
216KB

MD5
664ea42c33de08b957b7b097a8e0b537

SHA1
05cd0c56d4bf8ddb8eb84d66923aa1cdb471ab52

SHA256
43f7098d2ebf08bf3a85a7c5751e55a1c48ff21e162adfa88a8dfd027c73c361

SHA512
700ea6c350f8695c8d50b14cd6ae0d9415848bbd4c7f8614fc69caf1de7daf65b2c58d0ccae9865cef1d2ba3eb639c497e2dd358ec3e74e2d731ee2a5ccafb52

Download Submit
C:\Windows\{A777D67B-81FB-47f3-A348-2CE8FBCB50E0}.exe

Filesize
216KB

MD5
664ea42c33de08b957b7b097a8e0b537

SHA1
05cd0c56d4bf8ddb8eb84d66923aa1cdb471ab52

SHA256
43f7098d2ebf08bf3a85a7c5751e55a1c48ff21e162adfa88a8dfd027c73c361

SHA512
700ea6c350f8695c8d50b14cd6ae0d9415848bbd4c7f8614fc69caf1de7daf65b2c58d0ccae9865cef1d2ba3eb639c497e2dd358ec3e74e2d731ee2a5ccafb52

Download Submit
C:\Windows\{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe

Filesize
216KB

MD5
98750181ceb327a98a26d23d8c2e4902

SHA1
c69206185f6702250a613ba4ce2a48088d74f7bf

SHA256
9936aa3b65d958983d265a2a4deb04d83824d2ecb175f1e9cf0b61900c495987

SHA512
c168f0d7e6f9f418c7015184efd4dd2bf9d9a5195004ae1edbd99a7784e154be779965e830c50912e636f30cf3938bf88543d085e9cc88ebdf5876475638c5da

Download Submit
C:\Windows\{BB5A721F-30E5-4705-9570-4990EE6AF5E5}.exe

Filesize
216KB

MD5
98750181ceb327a98a26d23d8c2e4902

SHA1
c69206185f6702250a613ba4ce2a48088d74f7bf

SHA256
9936aa3b65d958983d265a2a4deb04d83824d2ecb175f1e9cf0b61900c495987

SHA512
c168f0d7e6f9f418c7015184efd4dd2bf9d9a5195004ae1edbd99a7784e154be779965e830c50912e636f30cf3938bf88543d085e9cc88ebdf5876475638c5da

Download Submit
C:\Windows\{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe

Filesize
216KB

MD5
14c05cf805f04e6c27e7c5fd2ede9a01

SHA1
5241a5c994d6bb8ec52ec7be691f440c1ed89d0a

SHA256
e60e6b3e7f50acddb083c5e83c47921f9782b22ed3922d1a086b61b296ac8980

SHA512
17641479857085da2bc1260cc11b72cc9ec7df68c273613a743a6dc47f023631f56fe3b04f60d320daed4339270cde8376ffbea1c4c309f408cb18463d3a825d

Download Submit
C:\Windows\{CDB8FE48-472F-425a-A938-0A886C9253A2}.exe

Filesize
216KB

MD5
14c05cf805f04e6c27e7c5fd2ede9a01

SHA1
5241a5c994d6bb8ec52ec7be691f440c1ed89d0a

SHA256
e60e6b3e7f50acddb083c5e83c47921f9782b22ed3922d1a086b61b296ac8980

SHA512
17641479857085da2bc1260cc11b72cc9ec7df68c273613a743a6dc47f023631f56fe3b04f60d320daed4339270cde8376ffbea1c4c309f408cb18463d3a825d

Download Submit
C:\Windows\{DA5ED79F-7556-4e43-A12F-F7B8108A5F3E}.exe

Filesize
216KB

MD5
78882e38e126c6ac31b3b217c054bead

SHA1
770b67c7992300cc4fc61df5ec9d827343c30e76

SHA256
fa369296ad9d0a8013332b099294afc50a60a7ee8c95615b762867e5937e4f29

SHA512
24166dfc952f0f1ea1327c957cab63005fcf362cb7d8ba60438e50101481464dc6a27d39049ddcf52ba887a4ac2b0b6117351c84601ceea0bd61ca8aeb7a7201

Download Submit
C:\Windows\{DA5ED79F-7556-4e43-A12F-F7B8108A5F3E}.exe

Filesize
216KB

MD5
78882e38e126c6ac31b3b217c054bead

SHA1
770b67c7992300cc4fc61df5ec9d827343c30e76

SHA256
fa369296ad9d0a8013332b099294afc50a60a7ee8c95615b762867e5937e4f29

SHA512
24166dfc952f0f1ea1327c957cab63005fcf362cb7d8ba60438e50101481464dc6a27d39049ddcf52ba887a4ac2b0b6117351c84601ceea0bd61ca8aeb7a7201

Download Submit
C:\Windows\{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe

Filesize
216KB

MD5
924621a96e8ddd7adba96671c0dad2d7

SHA1
fd527552dd5303ca84381b4129fd9caf9ed4044f

SHA256
18d6e8265c96948f58276b2c189ac4f33c7f6102bb1c29fbd44abf4341a37a8c

SHA512
e608e6db83155c7ca60f80587bfa2de520ea90c0bce5d8ae44c7c0be84f6c34d9ade3ccd0b0634f539e10677d4386d9d4976c44d1544e4961fe1ea33816f06ba

Download Submit
C:\Windows\{FB1AA1CC-18D5-48b4-8665-45384ED5F186}.exe

Filesize
216KB

MD5
924621a96e8ddd7adba96671c0dad2d7

SHA1
fd527552dd5303ca84381b4129fd9caf9ed4044f

SHA256
18d6e8265c96948f58276b2c189ac4f33c7f6102bb1c29fbd44abf4341a37a8c

SHA512
e608e6db83155c7ca60f80587bfa2de520ea90c0bce5d8ae44c7c0be84f6c34d9ade3ccd0b0634f539e10677d4386d9d4976c44d1544e4961fe1ea33816f06ba

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads