989040eb18cc155aa768a52c6e1426fe2f906065349b3dbd0816ad695be17d16

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-05_ab621bbe559184a856cd7753204ea8e5_goldeneye_JC.exe
Size

408KB
MD5

ab621bbe559184a856cd7753204ea8e5
SHA1

fcc81626ba714525cf84dca3451804050d3e41a9
SHA256

989040eb18cc155aa768a52c6e1426fe2f906065349b3dbd0816ad695be17d16
SHA512

1b36681abcd93e5e1a286cd39775f41ce791b5fbf30a2019274ced068b774bc1fb48fc5d84c12234143cd94647aced1c24043ba86edde581136513e75a06447f
SSDEEP

3072:CEGh0o1l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG/ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDB88ADC-B3F9-4eea-A269-DCDCB582AEFF}	{6C341D58-46C0-487b-9D55-E865525248EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0952413-B3F4-42b3-8B19-B3E5BE252BF6}	{16B1AC2B-460F-495c-9FE2-98ABF4603448}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07877B91-D5EE-44ea-8794-A5EF2F2E1527}	NEAS.2023-09-05_ab621bbe559184a856cd7753204ea8e5_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}	{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}\stubpath = "C:\\Windows\\{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe"	{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C341D58-46C0-487b-9D55-E865525248EE}	{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C341D58-46C0-487b-9D55-E865525248EE}\stubpath = "C:\\Windows\\{6C341D58-46C0-487b-9D55-E865525248EE}.exe"	{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BAA25C2-EF1A-4c63-963C-3478EDD41ED7}	{BDB88ADC-B3F9-4eea-A269-DCDCB582AEFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}	{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}\stubpath = "C:\\Windows\\{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe"	{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7022C749-9638-427b-83D7-AACF0B069953}	{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7022C749-9638-427b-83D7-AACF0B069953}\stubpath = "C:\\Windows\\{7022C749-9638-427b-83D7-AACF0B069953}.exe"	{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F5D04DC-5437-42b9-A537-C8FE7772A964}\stubpath = "C:\\Windows\\{4F5D04DC-5437-42b9-A537-C8FE7772A964}.exe"	{E0952413-B3F4-42b3-8B19-B3E5BE252BF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDB88ADC-B3F9-4eea-A269-DCDCB582AEFF}\stubpath = "C:\\Windows\\{BDB88ADC-B3F9-4eea-A269-DCDCB582AEFF}.exe"	{6C341D58-46C0-487b-9D55-E865525248EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16B1AC2B-460F-495c-9FE2-98ABF4603448}\stubpath = "C:\\Windows\\{16B1AC2B-460F-495c-9FE2-98ABF4603448}.exe"	{8BAA25C2-EF1A-4c63-963C-3478EDD41ED7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0952413-B3F4-42b3-8B19-B3E5BE252BF6}\stubpath = "C:\\Windows\\{E0952413-B3F4-42b3-8B19-B3E5BE252BF6}.exe"	{16B1AC2B-460F-495c-9FE2-98ABF4603448}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F5D04DC-5437-42b9-A537-C8FE7772A964}	{E0952413-B3F4-42b3-8B19-B3E5BE252BF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}\stubpath = "C:\\Windows\\{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe"	{7022C749-9638-427b-83D7-AACF0B069953}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BAA25C2-EF1A-4c63-963C-3478EDD41ED7}\stubpath = "C:\\Windows\\{8BAA25C2-EF1A-4c63-963C-3478EDD41ED7}.exe"	{BDB88ADC-B3F9-4eea-A269-DCDCB582AEFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16B1AC2B-460F-495c-9FE2-98ABF4603448}	{8BAA25C2-EF1A-4c63-963C-3478EDD41ED7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07877B91-D5EE-44ea-8794-A5EF2F2E1527}\stubpath = "C:\\Windows\\{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe"	NEAS.2023-09-05_ab621bbe559184a856cd7753204ea8e5_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F8E0983-F297-4e47-A69B-B266CF04F824}	{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F8E0983-F297-4e47-A69B-B266CF04F824}\stubpath = "C:\\Windows\\{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe"	{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}	{7022C749-9638-427b-83D7-AACF0B069953}.exe

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2908	{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe
2628	{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe
2648	{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe
2624	{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe
2484	{7022C749-9638-427b-83D7-AACF0B069953}.exe
3000	{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe
2468	{6C341D58-46C0-487b-9D55-E865525248EE}.exe
2864	{BDB88ADC-B3F9-4eea-A269-DCDCB582AEFF}.exe
2396	{8BAA25C2-EF1A-4c63-963C-3478EDD41ED7}.exe
2892	{16B1AC2B-460F-495c-9FE2-98ABF4603448}.exe
320	{E0952413-B3F4-42b3-8B19-B3E5BE252BF6}.exe
1916	{4F5D04DC-5437-42b9-A537-C8FE7772A964}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6C341D58-46C0-487b-9D55-E865525248EE}.exe	{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe
File created	C:\Windows\{BDB88ADC-B3F9-4eea-A269-DCDCB582AEFF}.exe	{6C341D58-46C0-487b-9D55-E865525248EE}.exe
File created	C:\Windows\{8BAA25C2-EF1A-4c63-963C-3478EDD41ED7}.exe	{BDB88ADC-B3F9-4eea-A269-DCDCB582AEFF}.exe
File created	C:\Windows\{16B1AC2B-460F-495c-9FE2-98ABF4603448}.exe	{8BAA25C2-EF1A-4c63-963C-3478EDD41ED7}.exe
File created	C:\Windows\{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe	NEAS.2023-09-05_ab621bbe559184a856cd7753204ea8e5_goldeneye_JC.exe
File created	C:\Windows\{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe	{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe
File created	C:\Windows\{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe	{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe
File created	C:\Windows\{7022C749-9638-427b-83D7-AACF0B069953}.exe	{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe
File created	C:\Windows\{E0952413-B3F4-42b3-8B19-B3E5BE252BF6}.exe	{16B1AC2B-460F-495c-9FE2-98ABF4603448}.exe
File created	C:\Windows\{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe	{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe
File created	C:\Windows\{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe	{7022C749-9638-427b-83D7-AACF0B069953}.exe
File created	C:\Windows\{4F5D04DC-5437-42b9-A537-C8FE7772A964}.exe	{E0952413-B3F4-42b3-8B19-B3E5BE252BF6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2984	NEAS.2023-09-05_ab621bbe559184a856cd7753204ea8e5_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2908	{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe
Token: SeIncBasePriorityPrivilege	2628	{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe
Token: SeIncBasePriorityPrivilege	2648	{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe
Token: SeIncBasePriorityPrivilege	2624	{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe
Token: SeIncBasePriorityPrivilege	2484	{7022C749-9638-427b-83D7-AACF0B069953}.exe
Token: SeIncBasePriorityPrivilege	3000	{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe
Token: SeIncBasePriorityPrivilege	2468	{6C341D58-46C0-487b-9D55-E865525248EE}.exe
Token: SeIncBasePriorityPrivilege	2864	{BDB88ADC-B3F9-4eea-A269-DCDCB582AEFF}.exe
Token: SeIncBasePriorityPrivilege	2396	{8BAA25C2-EF1A-4c63-963C-3478EDD41ED7}.exe
Token: SeIncBasePriorityPrivilege	2892	{16B1AC2B-460F-495c-9FE2-98ABF4603448}.exe
Token: SeIncBasePriorityPrivilege	320	{E0952413-B3F4-42b3-8B19-B3E5BE252BF6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2908	2984	NEAS.2023-09-05_ab621bbe559184a856cd7753204ea8e5_goldeneye_JC.exe	28
PID 2984 wrote to memory of 2908	2984	NEAS.2023-09-05_ab621bbe559184a856cd7753204ea8e5_goldeneye_JC.exe	28
PID 2984 wrote to memory of 2908	2984	NEAS.2023-09-05_ab621bbe559184a856cd7753204ea8e5_goldeneye_JC.exe	28
PID 2984 wrote to memory of 2908	2984	NEAS.2023-09-05_ab621bbe559184a856cd7753204ea8e5_goldeneye_JC.exe	28
PID 2984 wrote to memory of 2708	2984	NEAS.2023-09-05_ab621bbe559184a856cd7753204ea8e5_goldeneye_JC.exe	29
PID 2984 wrote to memory of 2708	2984	NEAS.2023-09-05_ab621bbe559184a856cd7753204ea8e5_goldeneye_JC.exe	29
PID 2984 wrote to memory of 2708	2984	NEAS.2023-09-05_ab621bbe559184a856cd7753204ea8e5_goldeneye_JC.exe	29
PID 2984 wrote to memory of 2708	2984	NEAS.2023-09-05_ab621bbe559184a856cd7753204ea8e5_goldeneye_JC.exe	29
PID 2908 wrote to memory of 2628	2908	{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe	31
PID 2908 wrote to memory of 2628	2908	{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe	31
PID 2908 wrote to memory of 2628	2908	{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe	31
PID 2908 wrote to memory of 2628	2908	{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe	31
PID 2908 wrote to memory of 2692	2908	{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe	30
PID 2908 wrote to memory of 2692	2908	{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe	30
PID 2908 wrote to memory of 2692	2908	{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe	30
PID 2908 wrote to memory of 2692	2908	{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe	30
PID 2628 wrote to memory of 2648	2628	{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe	34
PID 2628 wrote to memory of 2648	2628	{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe	34
PID 2628 wrote to memory of 2648	2628	{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe	34
PID 2628 wrote to memory of 2648	2628	{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe	34
PID 2628 wrote to memory of 2904	2628	{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe	35
PID 2628 wrote to memory of 2904	2628	{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe	35
PID 2628 wrote to memory of 2904	2628	{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe	35
PID 2628 wrote to memory of 2904	2628	{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe	35
PID 2648 wrote to memory of 2624	2648	{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe	37
PID 2648 wrote to memory of 2624	2648	{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe	37
PID 2648 wrote to memory of 2624	2648	{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe	37
PID 2648 wrote to memory of 2624	2648	{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe	37
PID 2648 wrote to memory of 2544	2648	{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe	36
PID 2648 wrote to memory of 2544	2648	{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe	36
PID 2648 wrote to memory of 2544	2648	{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe	36
PID 2648 wrote to memory of 2544	2648	{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe	36
PID 2624 wrote to memory of 2484	2624	{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe	38
PID 2624 wrote to memory of 2484	2624	{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe	38
PID 2624 wrote to memory of 2484	2624	{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe	38
PID 2624 wrote to memory of 2484	2624	{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe	38
PID 2624 wrote to memory of 2540	2624	{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe	39
PID 2624 wrote to memory of 2540	2624	{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe	39
PID 2624 wrote to memory of 2540	2624	{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe	39
PID 2624 wrote to memory of 2540	2624	{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe	39
PID 2484 wrote to memory of 3000	2484	{7022C749-9638-427b-83D7-AACF0B069953}.exe	41
PID 2484 wrote to memory of 3000	2484	{7022C749-9638-427b-83D7-AACF0B069953}.exe	41
PID 2484 wrote to memory of 3000	2484	{7022C749-9638-427b-83D7-AACF0B069953}.exe	41
PID 2484 wrote to memory of 3000	2484	{7022C749-9638-427b-83D7-AACF0B069953}.exe	41
PID 2484 wrote to memory of 2252	2484	{7022C749-9638-427b-83D7-AACF0B069953}.exe	40
PID 2484 wrote to memory of 2252	2484	{7022C749-9638-427b-83D7-AACF0B069953}.exe	40
PID 2484 wrote to memory of 2252	2484	{7022C749-9638-427b-83D7-AACF0B069953}.exe	40
PID 2484 wrote to memory of 2252	2484	{7022C749-9638-427b-83D7-AACF0B069953}.exe	40
PID 3000 wrote to memory of 2468	3000	{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe	42
PID 3000 wrote to memory of 2468	3000	{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe	42
PID 3000 wrote to memory of 2468	3000	{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe	42
PID 3000 wrote to memory of 2468	3000	{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe	42
PID 3000 wrote to memory of 2836	3000	{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe	43
PID 3000 wrote to memory of 2836	3000	{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe	43
PID 3000 wrote to memory of 2836	3000	{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe	43
PID 3000 wrote to memory of 2836	3000	{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe	43
PID 2468 wrote to memory of 2864	2468	{6C341D58-46C0-487b-9D55-E865525248EE}.exe	44
PID 2468 wrote to memory of 2864	2468	{6C341D58-46C0-487b-9D55-E865525248EE}.exe	44
PID 2468 wrote to memory of 2864	2468	{6C341D58-46C0-487b-9D55-E865525248EE}.exe	44
PID 2468 wrote to memory of 2864	2468	{6C341D58-46C0-487b-9D55-E865525248EE}.exe	44
PID 2468 wrote to memory of 2884	2468	{6C341D58-46C0-487b-9D55-E865525248EE}.exe	45
PID 2468 wrote to memory of 2884	2468	{6C341D58-46C0-487b-9D55-E865525248EE}.exe	45
PID 2468 wrote to memory of 2884	2468	{6C341D58-46C0-487b-9D55-E865525248EE}.exe	45
PID 2468 wrote to memory of 2884	2468	{6C341D58-46C0-487b-9D55-E865525248EE}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_ab621bbe559184a856cd7753204ea8e5_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_ab621bbe559184a856cd7753204ea8e5_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe
  C:\Windows\{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{07877~1.EXE > nul
    3⤵
    PID:2692
- - C:\Windows\{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe
    C:\Windows\{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe
      C:\Windows\{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F8E0~1.EXE > nul
        5⤵
        
        PID:2544
    - - C:\Windows\{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe
        
        C:\Windows\{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\{7022C749-9638-427b-83D7-AACF0B069953}.exe
        
        C:\Windows\{7022C749-9638-427b-83D7-AACF0B069953}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7022C~1.EXE > nul
        7⤵
        
        PID:2252
        
        C:\Windows\{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe
        
        C:\Windows\{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{6C341D58-46C0-487b-9D55-E865525248EE}.exe
        
        C:\Windows\{6C341D58-46C0-487b-9D55-E865525248EE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\{BDB88ADC-B3F9-4eea-A269-DCDCB582AEFF}.exe
        
        C:\Windows\{BDB88ADC-B3F9-4eea-A269-DCDCB582AEFF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\{8BAA25C2-EF1A-4c63-963C-3478EDD41ED7}.exe
        
        C:\Windows\{8BAA25C2-EF1A-4c63-963C-3478EDD41ED7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\{16B1AC2B-460F-495c-9FE2-98ABF4603448}.exe
        
        C:\Windows\{16B1AC2B-460F-495c-9FE2-98ABF4603448}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16B1A~1.EXE > nul
        12⤵
        
        PID:760
        
        C:\Windows\{E0952413-B3F4-42b3-8B19-B3E5BE252BF6}.exe
        
        C:\Windows\{E0952413-B3F4-42b3-8B19-B3E5BE252BF6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
        
        C:\Windows\{4F5D04DC-5437-42b9-A537-C8FE7772A964}.exe
        
        C:\Windows\{4F5D04DC-5437-42b9-A537-C8FE7772A964}.exe
        13⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0952~1.EXE > nul
        13⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BAA2~1.EXE > nul
        11⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDB88~1.EXE > nul
        10⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C341~1.EXE > nul
        9⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F56A~1.EXE > nul
        8⤵
        
        PID:2836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FF6C~1.EXE > nul
        6⤵
        
        PID:2540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B652D~1.EXE > nul
      4⤵
      PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe

Filesize
408KB

MD5
383138969dad0389c427181e5856ab50

SHA1
42b66e49fa194a05b8fd53ee31ff47af08fd3f1e

SHA256
5b23042375df91045ca6076e553c2a34c0c4b8f055e7225e13a6437e4cd83190

SHA512
f867200a130090c96e55be1c79227bbf0d5f50e9a745c0a1c62f42872210aa2bbe200ae2e089629680beb1231a0a026f344a381e0bb3335f90601227793221f3

Download Submit
C:\Windows\{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe

Filesize
408KB

MD5
383138969dad0389c427181e5856ab50

SHA1
42b66e49fa194a05b8fd53ee31ff47af08fd3f1e

SHA256
5b23042375df91045ca6076e553c2a34c0c4b8f055e7225e13a6437e4cd83190

SHA512
f867200a130090c96e55be1c79227bbf0d5f50e9a745c0a1c62f42872210aa2bbe200ae2e089629680beb1231a0a026f344a381e0bb3335f90601227793221f3

Download Submit
C:\Windows\{07877B91-D5EE-44ea-8794-A5EF2F2E1527}.exe

Filesize
408KB

MD5
383138969dad0389c427181e5856ab50

SHA1
42b66e49fa194a05b8fd53ee31ff47af08fd3f1e

SHA256
5b23042375df91045ca6076e553c2a34c0c4b8f055e7225e13a6437e4cd83190

SHA512
f867200a130090c96e55be1c79227bbf0d5f50e9a745c0a1c62f42872210aa2bbe200ae2e089629680beb1231a0a026f344a381e0bb3335f90601227793221f3

Download Submit
C:\Windows\{16B1AC2B-460F-495c-9FE2-98ABF4603448}.exe

Filesize
408KB

MD5
b0f2ec229505aad6ff99e97aeb9a7ce5

SHA1
13e4b3f161cbc2d0fafab742543e9669be27e1ad

SHA256
42f9f561139077c6b1440f6e055027ffb6c72ea15f228db9b9f72d2b4f3b6ab4

SHA512
a746e058843f7b6607302e9e837bd7e3a055b3aabe61b036364c4c78af063b082622f5286e732ee27b2baf045ff46bd69b825baa909d4118147c37038b336a9f

Download Submit
C:\Windows\{16B1AC2B-460F-495c-9FE2-98ABF4603448}.exe

Filesize
408KB

MD5
b0f2ec229505aad6ff99e97aeb9a7ce5

SHA1
13e4b3f161cbc2d0fafab742543e9669be27e1ad

SHA256
42f9f561139077c6b1440f6e055027ffb6c72ea15f228db9b9f72d2b4f3b6ab4

SHA512
a746e058843f7b6607302e9e837bd7e3a055b3aabe61b036364c4c78af063b082622f5286e732ee27b2baf045ff46bd69b825baa909d4118147c37038b336a9f

Download Submit
C:\Windows\{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe

Filesize
408KB

MD5
cc86fd95091ff1296c24606162b91896

SHA1
57ac83d4fc0497d73619e5a44d09ec8c6ae60be4

SHA256
9e7d22a10f2646f95a686e01457469c4100c4874a8ec83c22be795f0359e9f00

SHA512
42abb462f9ab0b96cf79a44486615009fc9ae03b0a58b959341a01be339fae945e65bdbdae46be11c8d6a4fdabc13c0c7154081ecd94c347d10fafc9cc2a032c

Download Submit
C:\Windows\{2F56A8CC-53C6-4725-9BD8-BA7CF215E87F}.exe

Filesize
408KB

MD5
cc86fd95091ff1296c24606162b91896

SHA1
57ac83d4fc0497d73619e5a44d09ec8c6ae60be4

SHA256
9e7d22a10f2646f95a686e01457469c4100c4874a8ec83c22be795f0359e9f00

SHA512
42abb462f9ab0b96cf79a44486615009fc9ae03b0a58b959341a01be339fae945e65bdbdae46be11c8d6a4fdabc13c0c7154081ecd94c347d10fafc9cc2a032c

Download Submit
C:\Windows\{4F5D04DC-5437-42b9-A537-C8FE7772A964}.exe

Filesize
408KB

MD5
d83aa40a43a69fb06cffb7ba15670e3b

SHA1
d10a481ab90fda35f6b61af4f199cbf9443e3d4e

SHA256
eca9db77fdce1635fea9b512f6699dc916c88d2534e6d1d5ad62ce317057893a

SHA512
121447e25c5b203df8aadf3e3421aa10eee59c0625b92ee7b1aaefb5526530b0ee9c86a7e5cff4485e28503ed5756bdec76bde315926450ec5e1fe5a88cf95b7

Download Submit
C:\Windows\{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe

Filesize
408KB

MD5
f372bbd8b70085446ece049fb55da55e

SHA1
bcbe472191f3d3c06948bd7eb0c30cc0c15e69f4

SHA256
f4a1159e66d5b6b8a65153ff625da35b5b5d7da47ec1d13e122f469a7a831e53

SHA512
fddb6233880292c680d6a9f56308e4465824e17e15529a2c97e6f98b249776f16fbf7df3ed9f061941941bc7d3b0bc66a47af2738fd47be4f5df89ba0798f2ab

Download Submit
C:\Windows\{5F8E0983-F297-4e47-A69B-B266CF04F824}.exe

Filesize
408KB

MD5
f372bbd8b70085446ece049fb55da55e

SHA1
bcbe472191f3d3c06948bd7eb0c30cc0c15e69f4

SHA256
f4a1159e66d5b6b8a65153ff625da35b5b5d7da47ec1d13e122f469a7a831e53

SHA512
fddb6233880292c680d6a9f56308e4465824e17e15529a2c97e6f98b249776f16fbf7df3ed9f061941941bc7d3b0bc66a47af2738fd47be4f5df89ba0798f2ab

Download Submit
C:\Windows\{6C341D58-46C0-487b-9D55-E865525248EE}.exe

Filesize
408KB

MD5
19ec76c57bf7e52d9333797fb79df1d5

SHA1
174cc0b43b3cfb14a99b0e61562c620bb666cd4f

SHA256
5e601908a95a73af19ce0129c71efaa06f1a098b2f031a59b02ce1e68bfa1648

SHA512
04b2b81f1eb00f18993069d5deb071e2c4fa817c6307d83806d7031f92c7cd0d5fe019a15c98af370d9cea47938df842d379ef5dfe2832eb03aea7920c4a38aa

Download Submit
C:\Windows\{6C341D58-46C0-487b-9D55-E865525248EE}.exe

Filesize
408KB

MD5
19ec76c57bf7e52d9333797fb79df1d5

SHA1
174cc0b43b3cfb14a99b0e61562c620bb666cd4f

SHA256
5e601908a95a73af19ce0129c71efaa06f1a098b2f031a59b02ce1e68bfa1648

SHA512
04b2b81f1eb00f18993069d5deb071e2c4fa817c6307d83806d7031f92c7cd0d5fe019a15c98af370d9cea47938df842d379ef5dfe2832eb03aea7920c4a38aa

Download Submit
C:\Windows\{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe

Filesize
408KB

MD5
09b6b9fe4ad67fc941b63bc8410dbaa5

SHA1
960e9a4f139ffb9b5b3e15ebdee80878d69baf37

SHA256
e9131532bd4702350f4ab21b3e0920cda7c915a6f1b06bdc7c60761067c67601

SHA512
8c7b395b843cf83167ac6c2d2a2a7b26d113a66eaea79b3144b72fefc0a1d7da697abcf6d1ef272cbe4319477aee4214b0fe7a93feec6d612350ef74c2a35c83

Download Submit
C:\Windows\{6FF6C73A-6F5B-492f-A557-F9BC4797AF4C}.exe

Filesize
408KB

MD5
09b6b9fe4ad67fc941b63bc8410dbaa5

SHA1
960e9a4f139ffb9b5b3e15ebdee80878d69baf37

SHA256
e9131532bd4702350f4ab21b3e0920cda7c915a6f1b06bdc7c60761067c67601

SHA512
8c7b395b843cf83167ac6c2d2a2a7b26d113a66eaea79b3144b72fefc0a1d7da697abcf6d1ef272cbe4319477aee4214b0fe7a93feec6d612350ef74c2a35c83

Download Submit
C:\Windows\{7022C749-9638-427b-83D7-AACF0B069953}.exe

Filesize
408KB

MD5
117a736fbc4717bedaf123dd41999541

SHA1
41699e6eddd0d9aac86c1670ae5796c392d3c86d

SHA256
66bf2501304c1d1d9ad44dab6b1818bbb580df261bdcf8cf84bf9484030ad4df

SHA512
466d0a491e1ca1d300253996a74384c92e3c6050d7e8afa9338f85ceccc4a47dece06b7f9224ee9053cfc124add788f954398127310c8b78cf7d4071e81e68a8

Download Submit
C:\Windows\{7022C749-9638-427b-83D7-AACF0B069953}.exe

Filesize
408KB

MD5
117a736fbc4717bedaf123dd41999541

SHA1
41699e6eddd0d9aac86c1670ae5796c392d3c86d

SHA256
66bf2501304c1d1d9ad44dab6b1818bbb580df261bdcf8cf84bf9484030ad4df

SHA512
466d0a491e1ca1d300253996a74384c92e3c6050d7e8afa9338f85ceccc4a47dece06b7f9224ee9053cfc124add788f954398127310c8b78cf7d4071e81e68a8

Download Submit
C:\Windows\{8BAA25C2-EF1A-4c63-963C-3478EDD41ED7}.exe

Filesize
408KB

MD5
94c2cebe92213fc7382b54a3f0c3dc8e

SHA1
d1ac744bffcbaed7dde747f2324114b2ec79f22d

SHA256
78c6850fdbbb32117eb857ff8821b48ff6e5327600d99b04672f264f5a5891b9

SHA512
8477089e3e03921e8bf65cc6e515bd4902e13031a87c971270f32b83fbfae318c4d108992fc59e749f1538da147c283c1b28e7b461f34c6bdbefadd5c3a276f4

Download Submit
C:\Windows\{8BAA25C2-EF1A-4c63-963C-3478EDD41ED7}.exe

Filesize
408KB

MD5
94c2cebe92213fc7382b54a3f0c3dc8e

SHA1
d1ac744bffcbaed7dde747f2324114b2ec79f22d

SHA256
78c6850fdbbb32117eb857ff8821b48ff6e5327600d99b04672f264f5a5891b9

SHA512
8477089e3e03921e8bf65cc6e515bd4902e13031a87c971270f32b83fbfae318c4d108992fc59e749f1538da147c283c1b28e7b461f34c6bdbefadd5c3a276f4

Download Submit
C:\Windows\{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe

Filesize
408KB

MD5
7391a9c652ef2deca8b9bb1e4c5abe80

SHA1
3d6e8e8fdcd85019a4948780007318b5332f8c61

SHA256
673f6152b9034fd9b20e7d558f617facf65d9935210984c071538b0a63b5545d

SHA512
bf29c35b0b8c2331335b111315b9674ee3a79c842eff743e18c1a75907097429a4d4d250fc37d588422fcc28f768abc78ab7ad5230dc87a88ef440aa3e5b9b7f

Download Submit
C:\Windows\{B652DC47-EE60-41bf-B8DE-BDF9C538C4B0}.exe

Filesize
408KB

MD5
7391a9c652ef2deca8b9bb1e4c5abe80

SHA1
3d6e8e8fdcd85019a4948780007318b5332f8c61

SHA256
673f6152b9034fd9b20e7d558f617facf65d9935210984c071538b0a63b5545d

SHA512
bf29c35b0b8c2331335b111315b9674ee3a79c842eff743e18c1a75907097429a4d4d250fc37d588422fcc28f768abc78ab7ad5230dc87a88ef440aa3e5b9b7f

Download Submit
C:\Windows\{BDB88ADC-B3F9-4eea-A269-DCDCB582AEFF}.exe

Filesize
408KB

MD5
c7d629818c792cfa356e05479137737a

SHA1
154d6b5338c971ea789b953bd5afe67d9227c75d

SHA256
396162c194267daced117df49ee32443bd40664f2c121b84d8dd7ce61ff70ccc

SHA512
c5b818a4846231b6bfe9140e6ea616592b99811bae444ea3fbcfd734b847e5ca53bf0c169848ab9a0eea11c2cb33be75e15cfd9f9510dd9fa1e93e860253f692

Download Submit
C:\Windows\{BDB88ADC-B3F9-4eea-A269-DCDCB582AEFF}.exe

Filesize
408KB

MD5
c7d629818c792cfa356e05479137737a

SHA1
154d6b5338c971ea789b953bd5afe67d9227c75d

SHA256
396162c194267daced117df49ee32443bd40664f2c121b84d8dd7ce61ff70ccc

SHA512
c5b818a4846231b6bfe9140e6ea616592b99811bae444ea3fbcfd734b847e5ca53bf0c169848ab9a0eea11c2cb33be75e15cfd9f9510dd9fa1e93e860253f692

Download Submit
C:\Windows\{E0952413-B3F4-42b3-8B19-B3E5BE252BF6}.exe

Filesize
408KB

MD5
4e269588aa02ab6a5345b0131e8dd5de

SHA1
8f4a9e14382099b644b6b989557fe5e73409c4ce

SHA256
5d3efecd16fd42fbcd570eaa187f483702984d9441c9415aaee175e35e9c7ebc

SHA512
eb5c1be60c6d59d459e2a51fe3cdb3fa337542afb3402df7ea1c31db79ae705752a814cebef41362efe9b9b939ee83222cadb295f809cdfcd6eb2694fc37d8b0

Download Submit
C:\Windows\{E0952413-B3F4-42b3-8B19-B3E5BE252BF6}.exe

Filesize
408KB

MD5
4e269588aa02ab6a5345b0131e8dd5de

SHA1
8f4a9e14382099b644b6b989557fe5e73409c4ce

SHA256
5d3efecd16fd42fbcd570eaa187f483702984d9441c9415aaee175e35e9c7ebc

SHA512
eb5c1be60c6d59d459e2a51fe3cdb3fa337542afb3402df7ea1c31db79ae705752a814cebef41362efe9b9b939ee83222cadb295f809cdfcd6eb2694fc37d8b0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads