1354354b7a80f3699a3057c0c9877b3436f82090a2aaf1863b33925a7c61efd6

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe
Size

180KB
MD5

89aea4141dfcf2c69587f2cc687ef622
SHA1

a04df1958066fca540aee86a1a26034c0db49894
SHA256

1354354b7a80f3699a3057c0c9877b3436f82090a2aaf1863b33925a7c61efd6
SHA512

5d083ad7149e86baf1bbc4157adcac813dfd444909c7d6cc586a63fedf30a2622e8571bd1894a5854dc84175897d74546f40df346605c37135b17dcd2427d815
SSDEEP

3072:jEGh0oslfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG2l5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}\stubpath = "C:\\Windows\\{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe"	{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{931505B3-5712-4250-94D6-7CC6F0A77549}	{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{931505B3-5712-4250-94D6-7CC6F0A77549}\stubpath = "C:\\Windows\\{931505B3-5712-4250-94D6-7CC6F0A77549}.exe"	{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D80A8A6E-CD89-48b8-ADA8-01A0119EB74A}\stubpath = "C:\\Windows\\{D80A8A6E-CD89-48b8-ADA8-01A0119EB74A}.exe"	{1CA29DB2-9921-400f-9C95-C84785B31D5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B982E013-CF69-4f06-8C79-ECA1A9F41B35}	{99AC87F0-6B2D-45ea-A1EF-7B2696BF3BFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0256704-C1BE-4895-AFE6-8EE68939D045}	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0256704-C1BE-4895-AFE6-8EE68939D045}\stubpath = "C:\\Windows\\{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe"	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF84EF8A-8549-424f-8889-0AD35298A40D}\stubpath = "C:\\Windows\\{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe"	{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}	{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CA29DB2-9921-400f-9C95-C84785B31D5A}	{931505B3-5712-4250-94D6-7CC6F0A77549}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99AC87F0-6B2D-45ea-A1EF-7B2696BF3BFB}\stubpath = "C:\\Windows\\{99AC87F0-6B2D-45ea-A1EF-7B2696BF3BFB}.exe"	{D80A8A6E-CD89-48b8-ADA8-01A0119EB74A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B982E013-CF69-4f06-8C79-ECA1A9F41B35}\stubpath = "C:\\Windows\\{B982E013-CF69-4f06-8C79-ECA1A9F41B35}.exe"	{99AC87F0-6B2D-45ea-A1EF-7B2696BF3BFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}	{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2F1A60C-7616-47e2-8825-949A19D51DB1}\stubpath = "C:\\Windows\\{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe"	{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CA29DB2-9921-400f-9C95-C84785B31D5A}\stubpath = "C:\\Windows\\{1CA29DB2-9921-400f-9C95-C84785B31D5A}.exe"	{931505B3-5712-4250-94D6-7CC6F0A77549}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D80A8A6E-CD89-48b8-ADA8-01A0119EB74A}	{1CA29DB2-9921-400f-9C95-C84785B31D5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99AC87F0-6B2D-45ea-A1EF-7B2696BF3BFB}	{D80A8A6E-CD89-48b8-ADA8-01A0119EB74A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2F1A60C-7616-47e2-8825-949A19D51DB1}	{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF84EF8A-8549-424f-8889-0AD35298A40D}	{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}	{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}\stubpath = "C:\\Windows\\{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe"	{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}\stubpath = "C:\\Windows\\{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe"	{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DDA384E-693A-4c77-A9E9-F606C1327CF0}	{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DDA384E-693A-4c77-A9E9-F606C1327CF0}\stubpath = "C:\\Windows\\{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe"	{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe

Deletes itself 1 IoCs

pid	Process
2208	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2100	{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe
2064	{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe
2632	{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe
2648	{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe
3048	{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe
2500	{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe
2544	{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe
2468	{931505B3-5712-4250-94D6-7CC6F0A77549}.exe
2816	{1CA29DB2-9921-400f-9C95-C84785B31D5A}.exe
1720	{D80A8A6E-CD89-48b8-ADA8-01A0119EB74A}.exe
2420	{99AC87F0-6B2D-45ea-A1EF-7B2696BF3BFB}.exe
1516	{B982E013-CF69-4f06-8C79-ECA1A9F41B35}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe	{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe
File created	C:\Windows\{931505B3-5712-4250-94D6-7CC6F0A77549}.exe	{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe
File created	C:\Windows\{1CA29DB2-9921-400f-9C95-C84785B31D5A}.exe	{931505B3-5712-4250-94D6-7CC6F0A77549}.exe
File created	C:\Windows\{99AC87F0-6B2D-45ea-A1EF-7B2696BF3BFB}.exe	{D80A8A6E-CD89-48b8-ADA8-01A0119EB74A}.exe
File created	C:\Windows\{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe
File created	C:\Windows\{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe	{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe
File created	C:\Windows\{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe	{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe
File created	C:\Windows\{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe	{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe
File created	C:\Windows\{D80A8A6E-CD89-48b8-ADA8-01A0119EB74A}.exe	{1CA29DB2-9921-400f-9C95-C84785B31D5A}.exe
File created	C:\Windows\{B982E013-CF69-4f06-8C79-ECA1A9F41B35}.exe	{99AC87F0-6B2D-45ea-A1EF-7B2696BF3BFB}.exe
File created	C:\Windows\{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe	{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe
File created	C:\Windows\{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe	{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3060	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2100	{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe
Token: SeIncBasePriorityPrivilege	2064	{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe
Token: SeIncBasePriorityPrivilege	2632	{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe
Token: SeIncBasePriorityPrivilege	2648	{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe
Token: SeIncBasePriorityPrivilege	3048	{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe
Token: SeIncBasePriorityPrivilege	2500	{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe
Token: SeIncBasePriorityPrivilege	2544	{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe
Token: SeIncBasePriorityPrivilege	2468	{931505B3-5712-4250-94D6-7CC6F0A77549}.exe
Token: SeIncBasePriorityPrivilege	2816	{1CA29DB2-9921-400f-9C95-C84785B31D5A}.exe
Token: SeIncBasePriorityPrivilege	1720	{D80A8A6E-CD89-48b8-ADA8-01A0119EB74A}.exe
Token: SeIncBasePriorityPrivilege	2420	{99AC87F0-6B2D-45ea-A1EF-7B2696BF3BFB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2100	3060	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe	28
PID 3060 wrote to memory of 2100	3060	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe	28
PID 3060 wrote to memory of 2100	3060	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe	28
PID 3060 wrote to memory of 2100	3060	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe	28
PID 3060 wrote to memory of 2208	3060	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe	29
PID 3060 wrote to memory of 2208	3060	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe	29
PID 3060 wrote to memory of 2208	3060	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe	29
PID 3060 wrote to memory of 2208	3060	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe	29
PID 2100 wrote to memory of 2064	2100	{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe	30
PID 2100 wrote to memory of 2064	2100	{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe	30
PID 2100 wrote to memory of 2064	2100	{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe	30
PID 2100 wrote to memory of 2064	2100	{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe	30
PID 2100 wrote to memory of 2132	2100	{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe	31
PID 2100 wrote to memory of 2132	2100	{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe	31
PID 2100 wrote to memory of 2132	2100	{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe	31
PID 2100 wrote to memory of 2132	2100	{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe	31
PID 2064 wrote to memory of 2632	2064	{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe	32
PID 2064 wrote to memory of 2632	2064	{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe	32
PID 2064 wrote to memory of 2632	2064	{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe	32
PID 2064 wrote to memory of 2632	2064	{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe	32
PID 2064 wrote to memory of 2696	2064	{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe	33
PID 2064 wrote to memory of 2696	2064	{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe	33
PID 2064 wrote to memory of 2696	2064	{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe	33
PID 2064 wrote to memory of 2696	2064	{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe	33
PID 2632 wrote to memory of 2648	2632	{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe	36
PID 2632 wrote to memory of 2648	2632	{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe	36
PID 2632 wrote to memory of 2648	2632	{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe	36
PID 2632 wrote to memory of 2648	2632	{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe	36
PID 2632 wrote to memory of 2508	2632	{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe	37
PID 2632 wrote to memory of 2508	2632	{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe	37
PID 2632 wrote to memory of 2508	2632	{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe	37
PID 2632 wrote to memory of 2508	2632	{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe	37
PID 2648 wrote to memory of 3048	2648	{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe	38
PID 2648 wrote to memory of 3048	2648	{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe	38
PID 2648 wrote to memory of 3048	2648	{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe	38
PID 2648 wrote to memory of 3048	2648	{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe	38
PID 2648 wrote to memory of 2600	2648	{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe	39
PID 2648 wrote to memory of 2600	2648	{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe	39
PID 2648 wrote to memory of 2600	2648	{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe	39
PID 2648 wrote to memory of 2600	2648	{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe	39
PID 3048 wrote to memory of 2500	3048	{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe	40
PID 3048 wrote to memory of 2500	3048	{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe	40
PID 3048 wrote to memory of 2500	3048	{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe	40
PID 3048 wrote to memory of 2500	3048	{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe	40
PID 3048 wrote to memory of 2556	3048	{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe	41
PID 3048 wrote to memory of 2556	3048	{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe	41
PID 3048 wrote to memory of 2556	3048	{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe	41
PID 3048 wrote to memory of 2556	3048	{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe	41
PID 2500 wrote to memory of 2544	2500	{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe	42
PID 2500 wrote to memory of 2544	2500	{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe	42
PID 2500 wrote to memory of 2544	2500	{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe	42
PID 2500 wrote to memory of 2544	2500	{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe	42
PID 2500 wrote to memory of 1704	2500	{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe	43
PID 2500 wrote to memory of 1704	2500	{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe	43
PID 2500 wrote to memory of 1704	2500	{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe	43
PID 2500 wrote to memory of 1704	2500	{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe	43
PID 2544 wrote to memory of 2468	2544	{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe	44
PID 2544 wrote to memory of 2468	2544	{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe	44
PID 2544 wrote to memory of 2468	2544	{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe	44
PID 2544 wrote to memory of 2468	2544	{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe	44
PID 2544 wrote to memory of 1292	2544	{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe	45
PID 2544 wrote to memory of 1292	2544	{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe	45
PID 2544 wrote to memory of 1292	2544	{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe	45
PID 2544 wrote to memory of 1292	2544	{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe
  C:\Windows\{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe
    C:\Windows\{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe
      C:\Windows\{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe
        
        C:\Windows\{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe
        
        C:\Windows\{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe
        
        C:\Windows\{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe
        
        C:\Windows\{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\{931505B3-5712-4250-94D6-7CC6F0A77549}.exe
        
        C:\Windows\{931505B3-5712-4250-94D6-7CC6F0A77549}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\{1CA29DB2-9921-400f-9C95-C84785B31D5A}.exe
        
        C:\Windows\{1CA29DB2-9921-400f-9C95-C84785B31D5A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\{D80A8A6E-CD89-48b8-ADA8-01A0119EB74A}.exe
        
        C:\Windows\{D80A8A6E-CD89-48b8-ADA8-01A0119EB74A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\{99AC87F0-6B2D-45ea-A1EF-7B2696BF3BFB}.exe
        
        C:\Windows\{99AC87F0-6B2D-45ea-A1EF-7B2696BF3BFB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\{B982E013-CF69-4f06-8C79-ECA1A9F41B35}.exe
        
        C:\Windows\{B982E013-CF69-4f06-8C79-ECA1A9F41B35}.exe
        13⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99AC8~1.EXE > nul
        13⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D80A8~1.EXE > nul
        12⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CA29~1.EXE > nul
        11⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93150~1.EXE > nul
        10⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64EA0~1.EXE > nul
        9⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63FA9~1.EXE > nul
        8⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF84E~1.EXE > nul
        7⤵
        
        PID:2556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2F1A~1.EXE > nul
        6⤵
        
        PID:2600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DDA3~1.EXE > nul
        5⤵
        
        PID:2508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C8F1E~1.EXE > nul
      4⤵
      PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E0256~1.EXE > nul
    3⤵
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1CA29DB2-9921-400f-9C95-C84785B31D5A}.exe

Filesize
180KB

MD5
7127e255a2117afab2380d0efc7415e9

SHA1
23ff56a250f5c88cceda8b56a4ef7172ad8007bb

SHA256
1f314172511834eab0fb84eac060d9ccc56d56e35013caba7975755328e47b91

SHA512
8bc287b5788fb738db24cf2009674a981d3986bb719b1372919b28527048041e5cab3119b55fad4656ceca5a414d257d6617e6a79245f6511ed324a663ba14a9

Download Submit
C:\Windows\{1CA29DB2-9921-400f-9C95-C84785B31D5A}.exe

Filesize
180KB

MD5
7127e255a2117afab2380d0efc7415e9

SHA1
23ff56a250f5c88cceda8b56a4ef7172ad8007bb

SHA256
1f314172511834eab0fb84eac060d9ccc56d56e35013caba7975755328e47b91

SHA512
8bc287b5788fb738db24cf2009674a981d3986bb719b1372919b28527048041e5cab3119b55fad4656ceca5a414d257d6617e6a79245f6511ed324a663ba14a9

Download Submit
C:\Windows\{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe

Filesize
180KB

MD5
5925a38c3650d3cc0853db2e6d14b5fc

SHA1
6e9b86b197b5ffee31a3ffc961ceb028394eb727

SHA256
5ed6b8801fdc3716401a535c9fcb75b6c3b8e8caca9db809d9396708f738ffdc

SHA512
6bb05582db599e69490a747087303f2cb89c4c0bd7296a6de87f7c0af7e942787839de77d00366064a1c316fc9641aec978c330ee973790c68dc85db73fc4e8c

Download Submit
C:\Windows\{2DDA384E-693A-4c77-A9E9-F606C1327CF0}.exe

Filesize
180KB

MD5
5925a38c3650d3cc0853db2e6d14b5fc

SHA1
6e9b86b197b5ffee31a3ffc961ceb028394eb727

SHA256
5ed6b8801fdc3716401a535c9fcb75b6c3b8e8caca9db809d9396708f738ffdc

SHA512
6bb05582db599e69490a747087303f2cb89c4c0bd7296a6de87f7c0af7e942787839de77d00366064a1c316fc9641aec978c330ee973790c68dc85db73fc4e8c

Download Submit
C:\Windows\{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe

Filesize
180KB

MD5
a76af5409e8d146b7da5524ee2bac3ff

SHA1
10586c90ffe14ed2c6a08a8d12eb62048774f65d

SHA256
0b1516b11d23d06aa4edcb04279532dde4606abe2bae9c6566b2e09b92e8b496

SHA512
6717fdcdaba0b03bab418e90be68f69f8fb473b09b2a51f710e828a4bb7b186e409f5c6560a95db72eaaab2e6f005ae8ad93407dd5198b6bc674fc3e7941001a

Download Submit
C:\Windows\{63FA9880-2E94-457a-8D99-ADFF7ABB3A94}.exe

Filesize
180KB

MD5
a76af5409e8d146b7da5524ee2bac3ff

SHA1
10586c90ffe14ed2c6a08a8d12eb62048774f65d

SHA256
0b1516b11d23d06aa4edcb04279532dde4606abe2bae9c6566b2e09b92e8b496

SHA512
6717fdcdaba0b03bab418e90be68f69f8fb473b09b2a51f710e828a4bb7b186e409f5c6560a95db72eaaab2e6f005ae8ad93407dd5198b6bc674fc3e7941001a

Download Submit
C:\Windows\{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe

Filesize
180KB

MD5
1c9afad8a04eb4be4c6cec877b5c9df6

SHA1
d0f32b401fff465bae4c97ed0df760a1fe8bfb9f

SHA256
d79ffa1f07df7b9a84e491ecddd76ae2f23a61222cfcebee84afdc2d23a387dd

SHA512
69fcf9dbaeb02d8e7bd6a958ce08f9a9864abfe5831d93b281d6bb948aaa984cc4ebca618b3e02d60973e8bdcad286e0131352426550b9d69a0746c5e287f20d

Download Submit
C:\Windows\{64EA0F0E-95F2-401e-AED3-42EFE99E52A5}.exe

Filesize
180KB

MD5
1c9afad8a04eb4be4c6cec877b5c9df6

SHA1
d0f32b401fff465bae4c97ed0df760a1fe8bfb9f

SHA256
d79ffa1f07df7b9a84e491ecddd76ae2f23a61222cfcebee84afdc2d23a387dd

SHA512
69fcf9dbaeb02d8e7bd6a958ce08f9a9864abfe5831d93b281d6bb948aaa984cc4ebca618b3e02d60973e8bdcad286e0131352426550b9d69a0746c5e287f20d

Download Submit
C:\Windows\{931505B3-5712-4250-94D6-7CC6F0A77549}.exe

Filesize
180KB

MD5
c013771b668b99270aedcbd14fe8eace

SHA1
e262bdded5bf1cf7b5ba3c7cabcadf3ba4926b53

SHA256
3eeab6432b01ee643ff8aeacf07cc18934a3ee3b97dffb89ab1b41d407ec09ff

SHA512
11394d1955b5a415b12a3f9a11ff990f328124a2e4cfb4b318b718c7da570f4167184a77bb0d0916f7015132abd874ada5884eda50d995846dd14b42141286e9

Download Submit
C:\Windows\{931505B3-5712-4250-94D6-7CC6F0A77549}.exe

Filesize
180KB

MD5
c013771b668b99270aedcbd14fe8eace

SHA1
e262bdded5bf1cf7b5ba3c7cabcadf3ba4926b53

SHA256
3eeab6432b01ee643ff8aeacf07cc18934a3ee3b97dffb89ab1b41d407ec09ff

SHA512
11394d1955b5a415b12a3f9a11ff990f328124a2e4cfb4b318b718c7da570f4167184a77bb0d0916f7015132abd874ada5884eda50d995846dd14b42141286e9

Download Submit
C:\Windows\{99AC87F0-6B2D-45ea-A1EF-7B2696BF3BFB}.exe

Filesize
180KB

MD5
2ba3daba63528fac10d28b626336acf2

SHA1
02c357fdea508cf9b2b0a5e0392d9fca75418d9d

SHA256
a17552dd15d2a9375aa04d1826b4e349df29f87145a91291abc96a105592805d

SHA512
1ba9acc5553807d70d562478129ed89e5027ec814b8ae5a676b2cf131f8f2d2ebec5f3751797ad8dbdb8876e1e4da388af405a2a1b4072aca63dbe3f493d2f29

Download Submit
C:\Windows\{99AC87F0-6B2D-45ea-A1EF-7B2696BF3BFB}.exe

Filesize
180KB

MD5
2ba3daba63528fac10d28b626336acf2

SHA1
02c357fdea508cf9b2b0a5e0392d9fca75418d9d

SHA256
a17552dd15d2a9375aa04d1826b4e349df29f87145a91291abc96a105592805d

SHA512
1ba9acc5553807d70d562478129ed89e5027ec814b8ae5a676b2cf131f8f2d2ebec5f3751797ad8dbdb8876e1e4da388af405a2a1b4072aca63dbe3f493d2f29

Download Submit
C:\Windows\{B982E013-CF69-4f06-8C79-ECA1A9F41B35}.exe

Filesize
180KB

MD5
b33ded4c067f6353b3bf1e3af8fffbe4

SHA1
b87e2f92bea3d1bad27388ad0e183ccc6b0f4532

SHA256
474b6c95c6798d5efa4280bea3e748a9b64a38b3e977c8b55415a8d4608f6bc8

SHA512
658ac6502e8db42d2d1b4737f091d8002bdd61e59e9cab9b2b9bf345553f5741cce7e0b0bd48c21c2401f802dd513c8b2efd55f57506a84bc5ce0e778530060a

Download Submit
C:\Windows\{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe

Filesize
180KB

MD5
3cf4f22dbe0ecb2d24f6ce96b4ab7a48

SHA1
0605a2e8fb6fca3bc00b61fbccafa370575f21f0

SHA256
05e82d2fb41ecad8023ce1dac0aca3d57655b750ca276250e45077aadcd931ec

SHA512
c7609eb78eaa8890c39847985a957f53b2b81452fa745a18af930065f7844ad21919cacbac5008761fcd3fb74e488ea5a83e14dd585305caea6a07a922cf38e5

Download Submit
C:\Windows\{BF84EF8A-8549-424f-8889-0AD35298A40D}.exe

Filesize
180KB

MD5
3cf4f22dbe0ecb2d24f6ce96b4ab7a48

SHA1
0605a2e8fb6fca3bc00b61fbccafa370575f21f0

SHA256
05e82d2fb41ecad8023ce1dac0aca3d57655b750ca276250e45077aadcd931ec

SHA512
c7609eb78eaa8890c39847985a957f53b2b81452fa745a18af930065f7844ad21919cacbac5008761fcd3fb74e488ea5a83e14dd585305caea6a07a922cf38e5

Download Submit
C:\Windows\{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe

Filesize
180KB

MD5
a3d60f094b8f4fdaacf3dc66a23c6b07

SHA1
bd1db389767acae09c14d449e0da1a29b7c9ba20

SHA256
afbbb1c8e48edf5eeb9e15cd206e9ac4966cde97bd8aa211192acdc438be8bd5

SHA512
eebbf13fa2fc3c531ad1b1e262a389551f98be5b965c58cd621a8c669eaa4d21a0e6cb9076729d29ba7fb5fc298e1fee0e79c4d2b6825f1d490f01bd9aadcdd8

Download Submit
C:\Windows\{C8F1E861-1F0E-4e42-B4C1-CC3A0423D5EF}.exe

Filesize
180KB

MD5
a3d60f094b8f4fdaacf3dc66a23c6b07

SHA1
bd1db389767acae09c14d449e0da1a29b7c9ba20

SHA256
afbbb1c8e48edf5eeb9e15cd206e9ac4966cde97bd8aa211192acdc438be8bd5

SHA512
eebbf13fa2fc3c531ad1b1e262a389551f98be5b965c58cd621a8c669eaa4d21a0e6cb9076729d29ba7fb5fc298e1fee0e79c4d2b6825f1d490f01bd9aadcdd8

Download Submit
C:\Windows\{D80A8A6E-CD89-48b8-ADA8-01A0119EB74A}.exe

Filesize
180KB

MD5
9df172bc177147a1b85b2365041d8f1a

SHA1
b76c713d853778d372a53f8e8c34426ea3005a43

SHA256
04cab40119804bb957f2b0b549cac7706d789fd4b662fc955667c39e8c3613be

SHA512
6d8d5642f6d5b72cca391a07386a40e1fc60b4be02646e87d0a940c69fde6ee32c232d89828588af80bf7df0f67f2f3c64abfbc9ea5ddf1df6b361ec2cc5fa17

Download Submit
C:\Windows\{D80A8A6E-CD89-48b8-ADA8-01A0119EB74A}.exe

Filesize
180KB

MD5
9df172bc177147a1b85b2365041d8f1a

SHA1
b76c713d853778d372a53f8e8c34426ea3005a43

SHA256
04cab40119804bb957f2b0b549cac7706d789fd4b662fc955667c39e8c3613be

SHA512
6d8d5642f6d5b72cca391a07386a40e1fc60b4be02646e87d0a940c69fde6ee32c232d89828588af80bf7df0f67f2f3c64abfbc9ea5ddf1df6b361ec2cc5fa17

Download Submit
C:\Windows\{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe

Filesize
180KB

MD5
a249f37b00f87d3b40bfc3481af91354

SHA1
268985c61d3350d57bd287702f6a1f419eaaa063

SHA256
6d55b434ea94922c76f2c6c2468bfb815458d043ad63f0604ac77fb783016709

SHA512
9733145fe932773238b61de5f6cc8b3c42ffd25b0aa5cc283ab54478e567225670d7af42f19770d6f9ae66765441a85097544df07b833416621cf46094028873

Download Submit
C:\Windows\{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe

Filesize
180KB

MD5
a249f37b00f87d3b40bfc3481af91354

SHA1
268985c61d3350d57bd287702f6a1f419eaaa063

SHA256
6d55b434ea94922c76f2c6c2468bfb815458d043ad63f0604ac77fb783016709

SHA512
9733145fe932773238b61de5f6cc8b3c42ffd25b0aa5cc283ab54478e567225670d7af42f19770d6f9ae66765441a85097544df07b833416621cf46094028873

Download Submit
C:\Windows\{E0256704-C1BE-4895-AFE6-8EE68939D045}.exe

Filesize
180KB

MD5
a249f37b00f87d3b40bfc3481af91354

SHA1
268985c61d3350d57bd287702f6a1f419eaaa063

SHA256
6d55b434ea94922c76f2c6c2468bfb815458d043ad63f0604ac77fb783016709

SHA512
9733145fe932773238b61de5f6cc8b3c42ffd25b0aa5cc283ab54478e567225670d7af42f19770d6f9ae66765441a85097544df07b833416621cf46094028873

Download Submit
C:\Windows\{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe

Filesize
180KB

MD5
27cd7dbb244e476f93a7e4a09c679b62

SHA1
6470b284f58bf77e4ac6fa1164fb32886a96702d

SHA256
73df0aa64f5edb965a600cb6f451f362172ef4ea49ed54c9c777ab0d863acd46

SHA512
1f3746ee8c7b3288ee2ca668c6ed3d73425f24498ec1cc179000d753b764c00f97a01f923be883d1d7abd80c2dc958e5b55bfae01a786d16e2d542ef88dd1c06

Download Submit
C:\Windows\{F2F1A60C-7616-47e2-8825-949A19D51DB1}.exe

Filesize
180KB

MD5
27cd7dbb244e476f93a7e4a09c679b62

SHA1
6470b284f58bf77e4ac6fa1164fb32886a96702d

SHA256
73df0aa64f5edb965a600cb6f451f362172ef4ea49ed54c9c777ab0d863acd46

SHA512
1f3746ee8c7b3288ee2ca668c6ed3d73425f24498ec1cc179000d753b764c00f97a01f923be883d1d7abd80c2dc958e5b55bfae01a786d16e2d542ef88dd1c06

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads