1354354b7a80f3699a3057c0c9877b3436f82090a2aaf1863b33925a7c61efd6

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 17:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe
Size

180KB
MD5

89aea4141dfcf2c69587f2cc687ef622
SHA1

a04df1958066fca540aee86a1a26034c0db49894
SHA256

1354354b7a80f3699a3057c0c9877b3436f82090a2aaf1863b33925a7c61efd6
SHA512

5d083ad7149e86baf1bbc4157adcac813dfd444909c7d6cc586a63fedf30a2622e8571bd1894a5854dc84175897d74546f40df346605c37135b17dcd2427d815
SSDEEP

3072:jEGh0oslfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG2l5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0E34796-ACB4-4e99-9893-239D48ACBC5B}\stubpath = "C:\\Windows\\{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe"	{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6568335-C6CE-4de5-A97B-42E5D2E877B6}	{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81DE84BF-2C26-43ad-A0C0-D7CCAF6ECFFF}	{1E767D34-29E2-4e5d-8F33-4922E1091B49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E661DBDB-98D0-445d-8E2F-DFF53E2F63DF}	{81DE84BF-2C26-43ad-A0C0-D7CCAF6ECFFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}\stubpath = "C:\\Windows\\{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe"	{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{282B433A-C5E1-481c-9EC2-301F563A7182}\stubpath = "C:\\Windows\\{282B433A-C5E1-481c-9EC2-301F563A7182}.exe"	{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}\stubpath = "C:\\Windows\\{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe"	{282B433A-C5E1-481c-9EC2-301F563A7182}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}\stubpath = "C:\\Windows\\{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe"	{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C833CF-7DA0-4b35-85B7-22293DB42C51}	{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}\stubpath = "C:\\Windows\\{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe"	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}	{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{282B433A-C5E1-481c-9EC2-301F563A7182}	{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E767D34-29E2-4e5d-8F33-4922E1091B49}\stubpath = "C:\\Windows\\{1E767D34-29E2-4e5d-8F33-4922E1091B49}.exe"	{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81DE84BF-2C26-43ad-A0C0-D7CCAF6ECFFF}\stubpath = "C:\\Windows\\{81DE84BF-2C26-43ad-A0C0-D7CCAF6ECFFF}.exe"	{1E767D34-29E2-4e5d-8F33-4922E1091B49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95516CAE-C96E-4f1b-94A7-19191856D6BB}\stubpath = "C:\\Windows\\{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe"	{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}	{282B433A-C5E1-481c-9EC2-301F563A7182}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}	{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E767D34-29E2-4e5d-8F33-4922E1091B49}	{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E661DBDB-98D0-445d-8E2F-DFF53E2F63DF}\stubpath = "C:\\Windows\\{E661DBDB-98D0-445d-8E2F-DFF53E2F63DF}.exe"	{81DE84BF-2C26-43ad-A0C0-D7CCAF6ECFFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95516CAE-C96E-4f1b-94A7-19191856D6BB}	{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0E34796-ACB4-4e99-9893-239D48ACBC5B}	{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C833CF-7DA0-4b35-85B7-22293DB42C51}\stubpath = "C:\\Windows\\{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe"	{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6568335-C6CE-4de5-A97B-42E5D2E877B6}\stubpath = "C:\\Windows\\{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe"	{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe

Executes dropped EXE 12 IoCs

pid	Process
764	{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe
116	{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe
2572	{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe
2388	{282B433A-C5E1-481c-9EC2-301F563A7182}.exe
1868	{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe
2836	{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe
4348	{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe
3876	{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe
1492	{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe
3992	{1E767D34-29E2-4e5d-8F33-4922E1091B49}.exe
2552	{81DE84BF-2C26-43ad-A0C0-D7CCAF6ECFFF}.exe
4060	{E661DBDB-98D0-445d-8E2F-DFF53E2F63DF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe	{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe
File created	C:\Windows\{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe	{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe
File created	C:\Windows\{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe	{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe
File created	C:\Windows\{E661DBDB-98D0-445d-8E2F-DFF53E2F63DF}.exe	{81DE84BF-2C26-43ad-A0C0-D7CCAF6ECFFF}.exe
File created	C:\Windows\{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe	{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe
File created	C:\Windows\{282B433A-C5E1-481c-9EC2-301F563A7182}.exe	{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe
File created	C:\Windows\{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe	{282B433A-C5E1-481c-9EC2-301F563A7182}.exe
File created	C:\Windows\{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe	{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe
File created	C:\Windows\{1E767D34-29E2-4e5d-8F33-4922E1091B49}.exe	{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe
File created	C:\Windows\{81DE84BF-2C26-43ad-A0C0-D7CCAF6ECFFF}.exe	{1E767D34-29E2-4e5d-8F33-4922E1091B49}.exe
File created	C:\Windows\{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe
File created	C:\Windows\{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe	{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1096	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	764	{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe
Token: SeIncBasePriorityPrivilege	116	{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe
Token: SeIncBasePriorityPrivilege	2572	{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe
Token: SeIncBasePriorityPrivilege	2388	{282B433A-C5E1-481c-9EC2-301F563A7182}.exe
Token: SeIncBasePriorityPrivilege	1868	{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe
Token: SeIncBasePriorityPrivilege	2836	{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe
Token: SeIncBasePriorityPrivilege	4348	{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe
Token: SeIncBasePriorityPrivilege	3876	{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe
Token: SeIncBasePriorityPrivilege	1492	{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe
Token: SeIncBasePriorityPrivilege	3992	{1E767D34-29E2-4e5d-8F33-4922E1091B49}.exe
Token: SeIncBasePriorityPrivilege	2552	{81DE84BF-2C26-43ad-A0C0-D7CCAF6ECFFF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 764	1096	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe	90
PID 1096 wrote to memory of 764	1096	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe	90
PID 1096 wrote to memory of 764	1096	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe	90
PID 1096 wrote to memory of 3440	1096	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe	91
PID 1096 wrote to memory of 3440	1096	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe	91
PID 1096 wrote to memory of 3440	1096	NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe	91
PID 764 wrote to memory of 116	764	{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe	92
PID 764 wrote to memory of 116	764	{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe	92
PID 764 wrote to memory of 116	764	{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe	92
PID 764 wrote to memory of 4408	764	{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe	93
PID 764 wrote to memory of 4408	764	{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe	93
PID 764 wrote to memory of 4408	764	{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe	93
PID 116 wrote to memory of 2572	116	{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe	96
PID 116 wrote to memory of 2572	116	{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe	96
PID 116 wrote to memory of 2572	116	{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe	96
PID 116 wrote to memory of 3084	116	{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe	97
PID 116 wrote to memory of 3084	116	{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe	97
PID 116 wrote to memory of 3084	116	{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe	97
PID 2572 wrote to memory of 2388	2572	{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe	99
PID 2572 wrote to memory of 2388	2572	{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe	99
PID 2572 wrote to memory of 2388	2572	{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe	99
PID 2572 wrote to memory of 1144	2572	{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe	100
PID 2572 wrote to memory of 1144	2572	{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe	100
PID 2572 wrote to memory of 1144	2572	{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe	100
PID 2388 wrote to memory of 1868	2388	{282B433A-C5E1-481c-9EC2-301F563A7182}.exe	101
PID 2388 wrote to memory of 1868	2388	{282B433A-C5E1-481c-9EC2-301F563A7182}.exe	101
PID 2388 wrote to memory of 1868	2388	{282B433A-C5E1-481c-9EC2-301F563A7182}.exe	101
PID 2388 wrote to memory of 4964	2388	{282B433A-C5E1-481c-9EC2-301F563A7182}.exe	102
PID 2388 wrote to memory of 4964	2388	{282B433A-C5E1-481c-9EC2-301F563A7182}.exe	102
PID 2388 wrote to memory of 4964	2388	{282B433A-C5E1-481c-9EC2-301F563A7182}.exe	102
PID 1868 wrote to memory of 2836	1868	{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe	103
PID 1868 wrote to memory of 2836	1868	{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe	103
PID 1868 wrote to memory of 2836	1868	{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe	103
PID 1868 wrote to memory of 396	1868	{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe	104
PID 1868 wrote to memory of 396	1868	{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe	104
PID 1868 wrote to memory of 396	1868	{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe	104
PID 2836 wrote to memory of 4348	2836	{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe	105
PID 2836 wrote to memory of 4348	2836	{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe	105
PID 2836 wrote to memory of 4348	2836	{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe	105
PID 2836 wrote to memory of 4032	2836	{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe	106
PID 2836 wrote to memory of 4032	2836	{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe	106
PID 2836 wrote to memory of 4032	2836	{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe	106
PID 4348 wrote to memory of 3876	4348	{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe	107
PID 4348 wrote to memory of 3876	4348	{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe	107
PID 4348 wrote to memory of 3876	4348	{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe	107
PID 4348 wrote to memory of 2752	4348	{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe	108
PID 4348 wrote to memory of 2752	4348	{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe	108
PID 4348 wrote to memory of 2752	4348	{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe	108
PID 3876 wrote to memory of 1492	3876	{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe	109
PID 3876 wrote to memory of 1492	3876	{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe	109
PID 3876 wrote to memory of 1492	3876	{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe	109
PID 3876 wrote to memory of 4808	3876	{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe	110
PID 3876 wrote to memory of 4808	3876	{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe	110
PID 3876 wrote to memory of 4808	3876	{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe	110
PID 1492 wrote to memory of 3992	1492	{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe	111
PID 1492 wrote to memory of 3992	1492	{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe	111
PID 1492 wrote to memory of 3992	1492	{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe	111
PID 1492 wrote to memory of 4976	1492	{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe	112
PID 1492 wrote to memory of 4976	1492	{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe	112
PID 1492 wrote to memory of 4976	1492	{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe	112
PID 3992 wrote to memory of 2552	3992	{1E767D34-29E2-4e5d-8F33-4922E1091B49}.exe	113
PID 3992 wrote to memory of 2552	3992	{1E767D34-29E2-4e5d-8F33-4922E1091B49}.exe	113
PID 3992 wrote to memory of 2552	3992	{1E767D34-29E2-4e5d-8F33-4922E1091B49}.exe	113
PID 3992 wrote to memory of 5008	3992	{1E767D34-29E2-4e5d-8F33-4922E1091B49}.exe	114

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_89aea4141dfcf2c69587f2cc687ef622_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe
  C:\Windows\{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe
    C:\Windows\{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe
      C:\Windows\{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\{282B433A-C5E1-481c-9EC2-301F563A7182}.exe
        
        C:\Windows\{282B433A-C5E1-481c-9EC2-301F563A7182}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe
        
        C:\Windows\{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe
        
        C:\Windows\{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe
        
        C:\Windows\{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe
        
        C:\Windows\{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe
        
        C:\Windows\{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\{1E767D34-29E2-4e5d-8F33-4922E1091B49}.exe
        
        C:\Windows\{1E767D34-29E2-4e5d-8F33-4922E1091B49}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\{81DE84BF-2C26-43ad-A0C0-D7CCAF6ECFFF}.exe
        
        C:\Windows\{81DE84BF-2C26-43ad-A0C0-D7CCAF6ECFFF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\{E661DBDB-98D0-445d-8E2F-DFF53E2F63DF}.exe
        
        C:\Windows\{E661DBDB-98D0-445d-8E2F-DFF53E2F63DF}.exe
        13⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81DE8~1.EXE > nul
        13⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E767~1.EXE > nul
        12⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6568~1.EXE > nul
        11⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15C83~1.EXE > nul
        10⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0E34~1.EXE > nul
        9⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F1BE~1.EXE > nul
        8⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADC4B~1.EXE > nul
        7⤵
        
        PID:396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{282B4~1.EXE > nul
        6⤵
        
        PID:4964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A641C~1.EXE > nul
        5⤵
        
        PID:1144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{95516~1.EXE > nul
      4⤵
      PID:3084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1A0F2~1.EXE > nul
    3⤵
    PID:4408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe

Filesize
180KB

MD5
966620c5dc3606e0529d721f429e7df5

SHA1
fd97949c68f73bc25efb357e621bb3d2c2827173

SHA256
b1eeb6f1d698d03b1e89cf09c5fae84f0c2b0f04b71b22366ba84d528720c05c

SHA512
6afd1aadaedef819c4fe0f5affc3c8ce9aa187205e77633b59958eca69b60533a20f788c377e02262320fd1cb075bdd949250b6de15de3712377fe5514066795

Download Submit
C:\Windows\{15C833CF-7DA0-4b35-85B7-22293DB42C51}.exe

Filesize
180KB

MD5
966620c5dc3606e0529d721f429e7df5

SHA1
fd97949c68f73bc25efb357e621bb3d2c2827173

SHA256
b1eeb6f1d698d03b1e89cf09c5fae84f0c2b0f04b71b22366ba84d528720c05c

SHA512
6afd1aadaedef819c4fe0f5affc3c8ce9aa187205e77633b59958eca69b60533a20f788c377e02262320fd1cb075bdd949250b6de15de3712377fe5514066795

Download Submit
C:\Windows\{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe

Filesize
180KB

MD5
c9352e88aa73eb3ffb45a380cb1c8c60

SHA1
b5480bb859914f963d0e1ea908acb6c4db00952c

SHA256
813cdb2d7d521e86ce04bc07ca44f776aac94e6d81254cf36523cb653f4995ef

SHA512
499c8d79d4dbac060a3dda3cd5915f911ac776a5f272f1730c7dfc3a9e141f1c27f0b43f6e00da4d52995f7643cc669138a290eba5c25ede2c9527b38619ac2e

Download Submit
C:\Windows\{1A0F2CFA-1159-40d9-B08E-BE83013EF17C}.exe

Filesize
180KB

MD5
c9352e88aa73eb3ffb45a380cb1c8c60

SHA1
b5480bb859914f963d0e1ea908acb6c4db00952c

SHA256
813cdb2d7d521e86ce04bc07ca44f776aac94e6d81254cf36523cb653f4995ef

SHA512
499c8d79d4dbac060a3dda3cd5915f911ac776a5f272f1730c7dfc3a9e141f1c27f0b43f6e00da4d52995f7643cc669138a290eba5c25ede2c9527b38619ac2e

Download Submit
C:\Windows\{1E767D34-29E2-4e5d-8F33-4922E1091B49}.exe

Filesize
180KB

MD5
25a7d1f3f62a496d7d2c34f970ceea21

SHA1
b6398ffda5f90a4d76755e0abf267b7ec73ed18c

SHA256
e2db041a36c3ed38dda9cf3761f335aac17545874273dc3b9757ee676e3a16d3

SHA512
b0076b0a0dd97a7f11d249cba5d7b0605ad93f040083237cfa69f23807d15ddde521cdd085036b4820739f4f6983fdd00a42c81a45cba733834d7810ee5178b6

Download Submit
C:\Windows\{1E767D34-29E2-4e5d-8F33-4922E1091B49}.exe

Filesize
180KB

MD5
25a7d1f3f62a496d7d2c34f970ceea21

SHA1
b6398ffda5f90a4d76755e0abf267b7ec73ed18c

SHA256
e2db041a36c3ed38dda9cf3761f335aac17545874273dc3b9757ee676e3a16d3

SHA512
b0076b0a0dd97a7f11d249cba5d7b0605ad93f040083237cfa69f23807d15ddde521cdd085036b4820739f4f6983fdd00a42c81a45cba733834d7810ee5178b6

Download Submit
C:\Windows\{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe

Filesize
180KB

MD5
4fd4cd206a9769fbf927d3692dee2177

SHA1
8bcbe7249b8fcb35f3b0633a86a97892caf0b34f

SHA256
40d072ccced548ee3675aac0456a48ce8cbaa3680d0bf06deea41a31ab445127

SHA512
969c46c3b62b275ea91cd1567d2ee8552b9856c4b1493b78a499ad163a03e3d9e5665a20e0c835c78b8c0ebe2c150b0e0f32ede16ad94de52dc222fc9db42d56

Download Submit
C:\Windows\{1F1BEBAC-B13A-4c24-8F30-12063E009BDC}.exe

Filesize
180KB

MD5
4fd4cd206a9769fbf927d3692dee2177

SHA1
8bcbe7249b8fcb35f3b0633a86a97892caf0b34f

SHA256
40d072ccced548ee3675aac0456a48ce8cbaa3680d0bf06deea41a31ab445127

SHA512
969c46c3b62b275ea91cd1567d2ee8552b9856c4b1493b78a499ad163a03e3d9e5665a20e0c835c78b8c0ebe2c150b0e0f32ede16ad94de52dc222fc9db42d56

Download Submit
C:\Windows\{282B433A-C5E1-481c-9EC2-301F563A7182}.exe

Filesize
180KB

MD5
15f7a79fbb0a5b70bd8e450cd77a2a6a

SHA1
106cd78cd891259c55f940c1ac16af0a709b9856

SHA256
1d4205d048510ad91b9d6c133262bafd71cfc995770c6290c36a82afe314c62e

SHA512
d31188aa254787220924e85f18bb1312d72e7bfc32b0d64814ea49eba71a4a15180438c0167ef8107e195d51053818a759b795b53c0bf69225b81023d5345620

Download Submit
C:\Windows\{282B433A-C5E1-481c-9EC2-301F563A7182}.exe

Filesize
180KB

MD5
15f7a79fbb0a5b70bd8e450cd77a2a6a

SHA1
106cd78cd891259c55f940c1ac16af0a709b9856

SHA256
1d4205d048510ad91b9d6c133262bafd71cfc995770c6290c36a82afe314c62e

SHA512
d31188aa254787220924e85f18bb1312d72e7bfc32b0d64814ea49eba71a4a15180438c0167ef8107e195d51053818a759b795b53c0bf69225b81023d5345620

Download Submit
C:\Windows\{81DE84BF-2C26-43ad-A0C0-D7CCAF6ECFFF}.exe

Filesize
180KB

MD5
2a7c141c537b804228bfeafeeb5fae4b

SHA1
ac2e14151a7541fceaa27f54c87b16a5bf06bb13

SHA256
9b0e5712786dcb05126a38ce9e703fc7085d93d819ce271e374722d6bfb359df

SHA512
850eb1f1966a1a96a73b04ed77c910c86ec088f58e872e5898889ad87e7ab9c4a706bcdc6f9dd8a6b60cb6a25fa18a52b4d49f7fad9b467ea40dc2712a0b2033

Download Submit
C:\Windows\{81DE84BF-2C26-43ad-A0C0-D7CCAF6ECFFF}.exe

Filesize
180KB

MD5
2a7c141c537b804228bfeafeeb5fae4b

SHA1
ac2e14151a7541fceaa27f54c87b16a5bf06bb13

SHA256
9b0e5712786dcb05126a38ce9e703fc7085d93d819ce271e374722d6bfb359df

SHA512
850eb1f1966a1a96a73b04ed77c910c86ec088f58e872e5898889ad87e7ab9c4a706bcdc6f9dd8a6b60cb6a25fa18a52b4d49f7fad9b467ea40dc2712a0b2033

Download Submit
C:\Windows\{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe

Filesize
180KB

MD5
a2327ab990026246c65d0597d8ff3f47

SHA1
04cde7432d2e201b1aeb87cf8c73fb3082475ca7

SHA256
e3a26d3b51557bb9a9b84734c5536b488e17a266b25a22bb875542003786dfed

SHA512
d052edab80db6462ef24a819d5d1b038ccab8242a984e5246b0673a0ff8932b6b9861ef903330f17643979c42fc2391a1b8454b525daee1898adb5604d95e3b6

Download Submit
C:\Windows\{95516CAE-C96E-4f1b-94A7-19191856D6BB}.exe

Filesize
180KB

MD5
a2327ab990026246c65d0597d8ff3f47

SHA1
04cde7432d2e201b1aeb87cf8c73fb3082475ca7

SHA256
e3a26d3b51557bb9a9b84734c5536b488e17a266b25a22bb875542003786dfed

SHA512
d052edab80db6462ef24a819d5d1b038ccab8242a984e5246b0673a0ff8932b6b9861ef903330f17643979c42fc2391a1b8454b525daee1898adb5604d95e3b6

Download Submit
C:\Windows\{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe

Filesize
180KB

MD5
2e0df85cbf171d60314d185f2a674731

SHA1
e91a66edfd697ea272baa1e37978f7b507423a33

SHA256
2a955b075d8c4804db9afbdac53b27e9147656d2943524f7144be16f15672085

SHA512
066223a8f3ed42ecea0f2e4d71c2b9b24ddf34eb45bee7cd068783ba83e6feed45d781e08f57ffe183f66a7c4ec961966e6a1d41bc2d0b1a07fbdaf450229090

Download Submit
C:\Windows\{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe

Filesize
180KB

MD5
2e0df85cbf171d60314d185f2a674731

SHA1
e91a66edfd697ea272baa1e37978f7b507423a33

SHA256
2a955b075d8c4804db9afbdac53b27e9147656d2943524f7144be16f15672085

SHA512
066223a8f3ed42ecea0f2e4d71c2b9b24ddf34eb45bee7cd068783ba83e6feed45d781e08f57ffe183f66a7c4ec961966e6a1d41bc2d0b1a07fbdaf450229090

Download Submit
C:\Windows\{A641C1F1-822C-4e4d-8D0A-B6E03DC76BE3}.exe

Filesize
180KB

MD5
2e0df85cbf171d60314d185f2a674731

SHA1
e91a66edfd697ea272baa1e37978f7b507423a33

SHA256
2a955b075d8c4804db9afbdac53b27e9147656d2943524f7144be16f15672085

SHA512
066223a8f3ed42ecea0f2e4d71c2b9b24ddf34eb45bee7cd068783ba83e6feed45d781e08f57ffe183f66a7c4ec961966e6a1d41bc2d0b1a07fbdaf450229090

Download Submit
C:\Windows\{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe

Filesize
180KB

MD5
17e0a790a876d14b85c0b25b6f8f6022

SHA1
04c3608d511e2febe82245e9ca79250148b4ee10

SHA256
e3e1b06d9f596edac693b1528d8be8f8ec89c9d93dbbbf6967626384c1e38d0c

SHA512
38354705053b8e1c8b0ad6b03c8f6c13715a6092316b76baf83e887c14a42d740d454569228876843e8c18d250491ad6a11c7e4aa3ecbdb4ee6b9cdd943fe374

Download Submit
C:\Windows\{ADC4BE4D-DB58-4729-94FA-EC3D88D68A40}.exe

Filesize
180KB

MD5
17e0a790a876d14b85c0b25b6f8f6022

SHA1
04c3608d511e2febe82245e9ca79250148b4ee10

SHA256
e3e1b06d9f596edac693b1528d8be8f8ec89c9d93dbbbf6967626384c1e38d0c

SHA512
38354705053b8e1c8b0ad6b03c8f6c13715a6092316b76baf83e887c14a42d740d454569228876843e8c18d250491ad6a11c7e4aa3ecbdb4ee6b9cdd943fe374

Download Submit
C:\Windows\{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe

Filesize
180KB

MD5
254c780dbb25c935712cc9ee2f0852f7

SHA1
7b3035fb9b602ff73a074872e0e0071e08dd9a0a

SHA256
7bc7ea3e6e3130653a43438ac091fb62ce7013fea455e86e07990c4f12d2a6f3

SHA512
f507a792d0e3dfa295eb6f6acf5b6e446a779eefee76f148e447b4697f0d611d7f694d139a1123ddad74768377c1e045dd0ceccebe37fe09708a8f00ba2d3545

Download Submit
C:\Windows\{B6568335-C6CE-4de5-A97B-42E5D2E877B6}.exe

Filesize
180KB

MD5
254c780dbb25c935712cc9ee2f0852f7

SHA1
7b3035fb9b602ff73a074872e0e0071e08dd9a0a

SHA256
7bc7ea3e6e3130653a43438ac091fb62ce7013fea455e86e07990c4f12d2a6f3

SHA512
f507a792d0e3dfa295eb6f6acf5b6e446a779eefee76f148e447b4697f0d611d7f694d139a1123ddad74768377c1e045dd0ceccebe37fe09708a8f00ba2d3545

Download Submit
C:\Windows\{E661DBDB-98D0-445d-8E2F-DFF53E2F63DF}.exe

Filesize
180KB

MD5
5aa3c85560c7e7aa3dcc95fad43cb2b2

SHA1
7fcea69d49105d41109394cb2fa6885e961cc19e

SHA256
7807e5b27432ec43da0a45590af2d9bff673200e1e87322595256f8a1294c166

SHA512
30403f0ce7cb799487267b291d6a0b30b0c6060e8a0ff3e8d96f9a86947a0cbe6cfb62e3eb731a38e54f468d1e2517ae8b03e699675e1d2f23b511f686c58689

Download Submit
C:\Windows\{E661DBDB-98D0-445d-8E2F-DFF53E2F63DF}.exe

Filesize
180KB

MD5
5aa3c85560c7e7aa3dcc95fad43cb2b2

SHA1
7fcea69d49105d41109394cb2fa6885e961cc19e

SHA256
7807e5b27432ec43da0a45590af2d9bff673200e1e87322595256f8a1294c166

SHA512
30403f0ce7cb799487267b291d6a0b30b0c6060e8a0ff3e8d96f9a86947a0cbe6cfb62e3eb731a38e54f468d1e2517ae8b03e699675e1d2f23b511f686c58689

Download Submit
C:\Windows\{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe

Filesize
180KB

MD5
b97e7bbd231bc26ba336a86373fd39e3

SHA1
13d48e70ce8f46d189e476d1373d797d3c0799b5

SHA256
124e1923fdfe65e88b20f1f1355401d38b41f687b2a5e9bd02f27f50d2ff7ad8

SHA512
73eacb90ab0356aca3fe593bb3d084c064a51f857cb3b2ce20f97f3bba3c0568b4265740c498183cf4439c6724ac315776d9d33861b361629a8f4e1de1a59aa6

Download Submit
C:\Windows\{F0E34796-ACB4-4e99-9893-239D48ACBC5B}.exe

Filesize
180KB

MD5
b97e7bbd231bc26ba336a86373fd39e3

SHA1
13d48e70ce8f46d189e476d1373d797d3c0799b5

SHA256
124e1923fdfe65e88b20f1f1355401d38b41f687b2a5e9bd02f27f50d2ff7ad8

SHA512
73eacb90ab0356aca3fe593bb3d084c064a51f857cb3b2ce20f97f3bba3c0568b4265740c498183cf4439c6724ac315776d9d33861b361629a8f4e1de1a59aa6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads