2edc6b0ec326b6292d06a3417b3973012c8d6a5e4ec68d0c69b6ed535feb9577

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe
Size

372KB
MD5

d8ab6304238628efee257e128b5ac649
SHA1

d7561440334f36def6469616a6556ed6db99625c
SHA256

2edc6b0ec326b6292d06a3417b3973012c8d6a5e4ec68d0c69b6ed535feb9577
SHA512

6d27ebbf130fb07aa37bca353b979f32f687e50de2002c073d86b4646b770133f03eb3a7f34cc868041cef24dc88d994bb6030fd9bf90720f13d3d24f20e1dda
SSDEEP

3072:CEGh0oylMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGQlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8961640-E0D5-432c-944F-17D7DCAEBF17}	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8961640-E0D5-432c-944F-17D7DCAEBF17}\stubpath = "C:\\Windows\\{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe"	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}	{CD60D311-909E-4322-BA99-1F7DB775D446}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C772919B-349E-4842-BD05-280CAC209A1F}	{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{044A3C6A-E0BF-4713-AA0D-29618BD83FEA}\stubpath = "C:\\Windows\\{044A3C6A-E0BF-4713-AA0D-29618BD83FEA}.exe"	{C772919B-349E-4842-BD05-280CAC209A1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7BE18DB-E2E8-4c2e-B31E-DF29A7EF7A1B}\stubpath = "C:\\Windows\\{A7BE18DB-E2E8-4c2e-B31E-DF29A7EF7A1B}.exe"	{D662AA03-07F6-42f7-8784-CFECB40C03DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}	{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03543480-4B23-4b68-835A-117306CC88D7}	{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03543480-4B23-4b68-835A-117306CC88D7}\stubpath = "C:\\Windows\\{03543480-4B23-4b68-835A-117306CC88D7}.exe"	{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD60D311-909E-4322-BA99-1F7DB775D446}\stubpath = "C:\\Windows\\{CD60D311-909E-4322-BA99-1F7DB775D446}.exe"	{C620E294-6DD6-425d-9F09-57A07F66E641}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}\stubpath = "C:\\Windows\\{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe"	{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C772919B-349E-4842-BD05-280CAC209A1F}\stubpath = "C:\\Windows\\{C772919B-349E-4842-BD05-280CAC209A1F}.exe"	{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D662AA03-07F6-42f7-8784-CFECB40C03DD}	{044A3C6A-E0BF-4713-AA0D-29618BD83FEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D662AA03-07F6-42f7-8784-CFECB40C03DD}\stubpath = "C:\\Windows\\{D662AA03-07F6-42f7-8784-CFECB40C03DD}.exe"	{044A3C6A-E0BF-4713-AA0D-29618BD83FEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82535418-2327-4c24-97C8-59DC94FC8989}	{A7BE18DB-E2E8-4c2e-B31E-DF29A7EF7A1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C620E294-6DD6-425d-9F09-57A07F66E641}	{03543480-4B23-4b68-835A-117306CC88D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C620E294-6DD6-425d-9F09-57A07F66E641}\stubpath = "C:\\Windows\\{C620E294-6DD6-425d-9F09-57A07F66E641}.exe"	{03543480-4B23-4b68-835A-117306CC88D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD60D311-909E-4322-BA99-1F7DB775D446}	{C620E294-6DD6-425d-9F09-57A07F66E641}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}\stubpath = "C:\\Windows\\{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe"	{CD60D311-909E-4322-BA99-1F7DB775D446}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{044A3C6A-E0BF-4713-AA0D-29618BD83FEA}	{C772919B-349E-4842-BD05-280CAC209A1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7BE18DB-E2E8-4c2e-B31E-DF29A7EF7A1B}	{D662AA03-07F6-42f7-8784-CFECB40C03DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82535418-2327-4c24-97C8-59DC94FC8989}\stubpath = "C:\\Windows\\{82535418-2327-4c24-97C8-59DC94FC8989}.exe"	{A7BE18DB-E2E8-4c2e-B31E-DF29A7EF7A1B}.exe

Deletes itself 1 IoCs

pid	Process
1876	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2120	{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe
1544	{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe
2136	{03543480-4B23-4b68-835A-117306CC88D7}.exe
2960	{C620E294-6DD6-425d-9F09-57A07F66E641}.exe
2668	{CD60D311-909E-4322-BA99-1F7DB775D446}.exe
2824	{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe
2820	{C772919B-349E-4842-BD05-280CAC209A1F}.exe
2460	{044A3C6A-E0BF-4713-AA0D-29618BD83FEA}.exe
2480	{D662AA03-07F6-42f7-8784-CFECB40C03DD}.exe
2904	{A7BE18DB-E2E8-4c2e-B31E-DF29A7EF7A1B}.exe
1648	{82535418-2327-4c24-97C8-59DC94FC8989}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CD60D311-909E-4322-BA99-1F7DB775D446}.exe	{C620E294-6DD6-425d-9F09-57A07F66E641}.exe
File created	C:\Windows\{D662AA03-07F6-42f7-8784-CFECB40C03DD}.exe	{044A3C6A-E0BF-4713-AA0D-29618BD83FEA}.exe
File created	C:\Windows\{A7BE18DB-E2E8-4c2e-B31E-DF29A7EF7A1B}.exe	{D662AA03-07F6-42f7-8784-CFECB40C03DD}.exe
File created	C:\Windows\{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe	{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe
File created	C:\Windows\{03543480-4B23-4b68-835A-117306CC88D7}.exe	{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe
File created	C:\Windows\{C620E294-6DD6-425d-9F09-57A07F66E641}.exe	{03543480-4B23-4b68-835A-117306CC88D7}.exe
File created	C:\Windows\{044A3C6A-E0BF-4713-AA0D-29618BD83FEA}.exe	{C772919B-349E-4842-BD05-280CAC209A1F}.exe
File created	C:\Windows\{82535418-2327-4c24-97C8-59DC94FC8989}.exe	{A7BE18DB-E2E8-4c2e-B31E-DF29A7EF7A1B}.exe
File created	C:\Windows\{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe
File created	C:\Windows\{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe	{CD60D311-909E-4322-BA99-1F7DB775D446}.exe
File created	C:\Windows\{C772919B-349E-4842-BD05-280CAC209A1F}.exe	{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1080	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2120	{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe
Token: SeIncBasePriorityPrivilege	1544	{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe
Token: SeIncBasePriorityPrivilege	2136	{03543480-4B23-4b68-835A-117306CC88D7}.exe
Token: SeIncBasePriorityPrivilege	2960	{C620E294-6DD6-425d-9F09-57A07F66E641}.exe
Token: SeIncBasePriorityPrivilege	2668	{CD60D311-909E-4322-BA99-1F7DB775D446}.exe
Token: SeIncBasePriorityPrivilege	2824	{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe
Token: SeIncBasePriorityPrivilege	2820	{C772919B-349E-4842-BD05-280CAC209A1F}.exe
Token: SeIncBasePriorityPrivilege	2460	{044A3C6A-E0BF-4713-AA0D-29618BD83FEA}.exe
Token: SeIncBasePriorityPrivilege	2480	{D662AA03-07F6-42f7-8784-CFECB40C03DD}.exe
Token: SeIncBasePriorityPrivilege	2904	{A7BE18DB-E2E8-4c2e-B31E-DF29A7EF7A1B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2120	1080	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe	28
PID 1080 wrote to memory of 2120	1080	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe	28
PID 1080 wrote to memory of 2120	1080	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe	28
PID 1080 wrote to memory of 2120	1080	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe	28
PID 1080 wrote to memory of 1876	1080	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe	29
PID 1080 wrote to memory of 1876	1080	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe	29
PID 1080 wrote to memory of 1876	1080	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe	29
PID 1080 wrote to memory of 1876	1080	NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe	29
PID 2120 wrote to memory of 1544	2120	{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe	32
PID 2120 wrote to memory of 1544	2120	{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe	32
PID 2120 wrote to memory of 1544	2120	{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe	32
PID 2120 wrote to memory of 1544	2120	{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe	32
PID 2120 wrote to memory of 2152	2120	{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe	33
PID 2120 wrote to memory of 2152	2120	{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe	33
PID 2120 wrote to memory of 2152	2120	{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe	33
PID 2120 wrote to memory of 2152	2120	{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe	33
PID 1544 wrote to memory of 2136	1544	{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe	34
PID 1544 wrote to memory of 2136	1544	{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe	34
PID 1544 wrote to memory of 2136	1544	{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe	34
PID 1544 wrote to memory of 2136	1544	{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe	34
PID 1544 wrote to memory of 2808	1544	{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe	35
PID 1544 wrote to memory of 2808	1544	{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe	35
PID 1544 wrote to memory of 2808	1544	{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe	35
PID 1544 wrote to memory of 2808	1544	{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe	35
PID 2136 wrote to memory of 2960	2136	{03543480-4B23-4b68-835A-117306CC88D7}.exe	36
PID 2136 wrote to memory of 2960	2136	{03543480-4B23-4b68-835A-117306CC88D7}.exe	36
PID 2136 wrote to memory of 2960	2136	{03543480-4B23-4b68-835A-117306CC88D7}.exe	36
PID 2136 wrote to memory of 2960	2136	{03543480-4B23-4b68-835A-117306CC88D7}.exe	36
PID 2136 wrote to memory of 2592	2136	{03543480-4B23-4b68-835A-117306CC88D7}.exe	37
PID 2136 wrote to memory of 2592	2136	{03543480-4B23-4b68-835A-117306CC88D7}.exe	37
PID 2136 wrote to memory of 2592	2136	{03543480-4B23-4b68-835A-117306CC88D7}.exe	37
PID 2136 wrote to memory of 2592	2136	{03543480-4B23-4b68-835A-117306CC88D7}.exe	37
PID 2960 wrote to memory of 2668	2960	{C620E294-6DD6-425d-9F09-57A07F66E641}.exe	39
PID 2960 wrote to memory of 2668	2960	{C620E294-6DD6-425d-9F09-57A07F66E641}.exe	39
PID 2960 wrote to memory of 2668	2960	{C620E294-6DD6-425d-9F09-57A07F66E641}.exe	39
PID 2960 wrote to memory of 2668	2960	{C620E294-6DD6-425d-9F09-57A07F66E641}.exe	39
PID 2960 wrote to memory of 2652	2960	{C620E294-6DD6-425d-9F09-57A07F66E641}.exe	38
PID 2960 wrote to memory of 2652	2960	{C620E294-6DD6-425d-9F09-57A07F66E641}.exe	38
PID 2960 wrote to memory of 2652	2960	{C620E294-6DD6-425d-9F09-57A07F66E641}.exe	38
PID 2960 wrote to memory of 2652	2960	{C620E294-6DD6-425d-9F09-57A07F66E641}.exe	38
PID 2668 wrote to memory of 2824	2668	{CD60D311-909E-4322-BA99-1F7DB775D446}.exe	40
PID 2668 wrote to memory of 2824	2668	{CD60D311-909E-4322-BA99-1F7DB775D446}.exe	40
PID 2668 wrote to memory of 2824	2668	{CD60D311-909E-4322-BA99-1F7DB775D446}.exe	40
PID 2668 wrote to memory of 2824	2668	{CD60D311-909E-4322-BA99-1F7DB775D446}.exe	40
PID 2668 wrote to memory of 2624	2668	{CD60D311-909E-4322-BA99-1F7DB775D446}.exe	41
PID 2668 wrote to memory of 2624	2668	{CD60D311-909E-4322-BA99-1F7DB775D446}.exe	41
PID 2668 wrote to memory of 2624	2668	{CD60D311-909E-4322-BA99-1F7DB775D446}.exe	41
PID 2668 wrote to memory of 2624	2668	{CD60D311-909E-4322-BA99-1F7DB775D446}.exe	41
PID 2824 wrote to memory of 2820	2824	{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe	42
PID 2824 wrote to memory of 2820	2824	{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe	42
PID 2824 wrote to memory of 2820	2824	{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe	42
PID 2824 wrote to memory of 2820	2824	{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe	42
PID 2824 wrote to memory of 2464	2824	{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe	43
PID 2824 wrote to memory of 2464	2824	{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe	43
PID 2824 wrote to memory of 2464	2824	{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe	43
PID 2824 wrote to memory of 2464	2824	{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe	43
PID 2820 wrote to memory of 2460	2820	{C772919B-349E-4842-BD05-280CAC209A1F}.exe	45
PID 2820 wrote to memory of 2460	2820	{C772919B-349E-4842-BD05-280CAC209A1F}.exe	45
PID 2820 wrote to memory of 2460	2820	{C772919B-349E-4842-BD05-280CAC209A1F}.exe	45
PID 2820 wrote to memory of 2460	2820	{C772919B-349E-4842-BD05-280CAC209A1F}.exe	45
PID 2820 wrote to memory of 2492	2820	{C772919B-349E-4842-BD05-280CAC209A1F}.exe	44
PID 2820 wrote to memory of 2492	2820	{C772919B-349E-4842-BD05-280CAC209A1F}.exe	44
PID 2820 wrote to memory of 2492	2820	{C772919B-349E-4842-BD05-280CAC209A1F}.exe	44
PID 2820 wrote to memory of 2492	2820	{C772919B-349E-4842-BD05-280CAC209A1F}.exe	44

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-28_d8ab6304238628efee257e128b5ac649_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe
  C:\Windows\{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe
    C:\Windows\{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\{03543480-4B23-4b68-835A-117306CC88D7}.exe
      C:\Windows\{03543480-4B23-4b68-835A-117306CC88D7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\{C620E294-6DD6-425d-9F09-57A07F66E641}.exe
        
        C:\Windows\{C620E294-6DD6-425d-9F09-57A07F66E641}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C620E~1.EXE > nul
        6⤵
        
        PID:2652
      - C:\Windows\{CD60D311-909E-4322-BA99-1F7DB775D446}.exe
        
        C:\Windows\{CD60D311-909E-4322-BA99-1F7DB775D446}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe
        
        C:\Windows\{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\{C772919B-349E-4842-BD05-280CAC209A1F}.exe
        
        C:\Windows\{C772919B-349E-4842-BD05-280CAC209A1F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7729~1.EXE > nul
        9⤵
        
        PID:2492
        
        C:\Windows\{044A3C6A-E0BF-4713-AA0D-29618BD83FEA}.exe
        
        C:\Windows\{044A3C6A-E0BF-4713-AA0D-29618BD83FEA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\{D662AA03-07F6-42f7-8784-CFECB40C03DD}.exe
        
        C:\Windows\{D662AA03-07F6-42f7-8784-CFECB40C03DD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D662A~1.EXE > nul
        11⤵
        
        PID:952
        
        C:\Windows\{A7BE18DB-E2E8-4c2e-B31E-DF29A7EF7A1B}.exe
        
        C:\Windows\{A7BE18DB-E2E8-4c2e-B31E-DF29A7EF7A1B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\{82535418-2327-4c24-97C8-59DC94FC8989}.exe
        
        C:\Windows\{82535418-2327-4c24-97C8-59DC94FC8989}.exe
        12⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7BE1~1.EXE > nul
        12⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{044A3~1.EXE > nul
        10⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFAEB~1.EXE > nul
        8⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD60D~1.EXE > nul
        7⤵
        
        PID:2624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03543~1.EXE > nul
        5⤵
        
        PID:2592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5F5A7~1.EXE > nul
      4⤵
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E8961~1.EXE > nul
    3⤵
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03543480-4B23-4b68-835A-117306CC88D7}.exe

Filesize
372KB

MD5
b4efe1bcb02d8b529b291c1be7f9d0a9

SHA1
6a3b91be878e73b5f888d334ec6f8cb70729f26a

SHA256
9ffc4f1fbb937621eef242623441d02bb9019de986432390ca8b5393da592622

SHA512
a754b25493e9bbdad564ad696460f99b7ffeb1be610df8ef4e97a9d1e8eb278e754af6b1d1780427cd893d728ff6f7b208ba3c7df5df2ea8808839e57e7509e3

Download Submit
C:\Windows\{03543480-4B23-4b68-835A-117306CC88D7}.exe

Filesize
372KB

MD5
b4efe1bcb02d8b529b291c1be7f9d0a9

SHA1
6a3b91be878e73b5f888d334ec6f8cb70729f26a

SHA256
9ffc4f1fbb937621eef242623441d02bb9019de986432390ca8b5393da592622

SHA512
a754b25493e9bbdad564ad696460f99b7ffeb1be610df8ef4e97a9d1e8eb278e754af6b1d1780427cd893d728ff6f7b208ba3c7df5df2ea8808839e57e7509e3

Download Submit
C:\Windows\{044A3C6A-E0BF-4713-AA0D-29618BD83FEA}.exe

Filesize
372KB

MD5
dd20df05c412a88ebc20dea0aa1e6602

SHA1
4fd1bf11a0e757416b68b84891a68d7dfaf7293f

SHA256
656eadcebd00f56bd467fb0a870b54da42aad5ea2cf74247e44a80efe8049263

SHA512
e82e0a503a7e1ad84fd0da3c09cd4dbd9c746df2e80e223153cc13c05032aecfa2a1093e751352977fa0e2d649ba1bcabc6048537a48939db888be38ba97fe9c

Download Submit
C:\Windows\{044A3C6A-E0BF-4713-AA0D-29618BD83FEA}.exe

Filesize
372KB

MD5
dd20df05c412a88ebc20dea0aa1e6602

SHA1
4fd1bf11a0e757416b68b84891a68d7dfaf7293f

SHA256
656eadcebd00f56bd467fb0a870b54da42aad5ea2cf74247e44a80efe8049263

SHA512
e82e0a503a7e1ad84fd0da3c09cd4dbd9c746df2e80e223153cc13c05032aecfa2a1093e751352977fa0e2d649ba1bcabc6048537a48939db888be38ba97fe9c

Download Submit
C:\Windows\{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe

Filesize
372KB

MD5
789f0debf5b2de37a102b8af4c19566c

SHA1
91d7e6c68125e2fa1c1a12373effee82640e2a87

SHA256
c9aa6797fba66823e38fea4834e6c81561be8632235b42b9f6f155dc9899c268

SHA512
19732619f02a086802809c4dc0f58eae887ebbac2aa17e32b7c45c6627aeedbf09ae89a07a93b15c23ff026132d790d9ae528a3c288fff6e90aa31d65215b6f4

Download Submit
C:\Windows\{5F5A7B51-4913-4f31-869A-EFC7C70AEED2}.exe

Filesize
372KB

MD5
789f0debf5b2de37a102b8af4c19566c

SHA1
91d7e6c68125e2fa1c1a12373effee82640e2a87

SHA256
c9aa6797fba66823e38fea4834e6c81561be8632235b42b9f6f155dc9899c268

SHA512
19732619f02a086802809c4dc0f58eae887ebbac2aa17e32b7c45c6627aeedbf09ae89a07a93b15c23ff026132d790d9ae528a3c288fff6e90aa31d65215b6f4

Download Submit
C:\Windows\{82535418-2327-4c24-97C8-59DC94FC8989}.exe

Filesize
372KB

MD5
5e5dca352b662c3ec35ce7c3739d45de

SHA1
0da798dbcb6a7a455d597ca03c2e32279892988a

SHA256
62f7d195a7fcd1213a43e4f955cbdbdd1a9edb362fe0cc865f304cd6f760a5c6

SHA512
345f0719f4a74a269e5f9af7791a39b2bac35498826f0a78c4cea32cea3b9945faeda7ab70c8e8bb8cde7034dab276888c47e13ebe5f3c213a1277986b996d75

Download Submit
C:\Windows\{A7BE18DB-E2E8-4c2e-B31E-DF29A7EF7A1B}.exe

Filesize
372KB

MD5
0e6f67a0a0dc2a32d4866adbaf1117d1

SHA1
be95da791a1377273210ae0e170da6ba1576428d

SHA256
9af598440915aa68c7f8f5b3a33b8322a8333b07afee9ec52ddee1e96e8b4f07

SHA512
50b30608a19afad030366d2c2de5315da40fce32021d361e70bc0828e7c4e6408537ba0fe6885b974b460e2fb9f704f26988c307d2ca3eb54e667c23f4bddb37

Download Submit
C:\Windows\{A7BE18DB-E2E8-4c2e-B31E-DF29A7EF7A1B}.exe

Filesize
372KB

MD5
0e6f67a0a0dc2a32d4866adbaf1117d1

SHA1
be95da791a1377273210ae0e170da6ba1576428d

SHA256
9af598440915aa68c7f8f5b3a33b8322a8333b07afee9ec52ddee1e96e8b4f07

SHA512
50b30608a19afad030366d2c2de5315da40fce32021d361e70bc0828e7c4e6408537ba0fe6885b974b460e2fb9f704f26988c307d2ca3eb54e667c23f4bddb37

Download Submit
C:\Windows\{C620E294-6DD6-425d-9F09-57A07F66E641}.exe

Filesize
372KB

MD5
5460faa4b340105aed7e1ed15c054e2c

SHA1
a87a34c42e950d2efb3c5c74bbc6e579163f96d8

SHA256
bfc255d0f8a145d9d8c33856cab690059a111adad61ed16d7b80f2e37d993116

SHA512
1edf26d15643ec4848126381a5abdd5faf72cb0bd4d25a5f8833cceec12318b3a1c4ad2da8a3feded9087ef302ad134b92edb296e37c9bd93e042d493d2ac2a6

Download Submit
C:\Windows\{C620E294-6DD6-425d-9F09-57A07F66E641}.exe

Filesize
372KB

MD5
5460faa4b340105aed7e1ed15c054e2c

SHA1
a87a34c42e950d2efb3c5c74bbc6e579163f96d8

SHA256
bfc255d0f8a145d9d8c33856cab690059a111adad61ed16d7b80f2e37d993116

SHA512
1edf26d15643ec4848126381a5abdd5faf72cb0bd4d25a5f8833cceec12318b3a1c4ad2da8a3feded9087ef302ad134b92edb296e37c9bd93e042d493d2ac2a6

Download Submit
C:\Windows\{C772919B-349E-4842-BD05-280CAC209A1F}.exe

Filesize
372KB

MD5
b27d5dc5fbe63fb48eeadea968dfa6d4

SHA1
939ac7969b5c626e3beaae55485f51bfb241fb35

SHA256
1330fb2b4e3ee910bfc3463bf673f3e92cce36379d2bca577bb9748506a21a2b

SHA512
ab8b9bc5555c357a67348db4688b10fecced6b5a31aff02eea45720953db633ef24c2722c52fb43db2b2a100300d5e12cac79803febc1ed92e3a4c89a97aa5f0

Download Submit
C:\Windows\{C772919B-349E-4842-BD05-280CAC209A1F}.exe

Filesize
372KB

MD5
b27d5dc5fbe63fb48eeadea968dfa6d4

SHA1
939ac7969b5c626e3beaae55485f51bfb241fb35

SHA256
1330fb2b4e3ee910bfc3463bf673f3e92cce36379d2bca577bb9748506a21a2b

SHA512
ab8b9bc5555c357a67348db4688b10fecced6b5a31aff02eea45720953db633ef24c2722c52fb43db2b2a100300d5e12cac79803febc1ed92e3a4c89a97aa5f0

Download Submit
C:\Windows\{CD60D311-909E-4322-BA99-1F7DB775D446}.exe

Filesize
372KB

MD5
c40b3ae11485e2bc48eaac67399a9fb4

SHA1
bad5da791dae5b6f184060cd33feb143e999d96f

SHA256
fe43ce6357b7a0d22f8e2a699f812d227abbd18e9b4ded5f0a53eabfd3cc4ad9

SHA512
5cfcfd385f07b79dc4a0375e5534d325d22a9da10a65f246f8c3dcd5529929b87031ed0fd383c5367156716810a13497b1eaf76d0fc0d07987fd96590004cf10

Download Submit
C:\Windows\{CD60D311-909E-4322-BA99-1F7DB775D446}.exe

Filesize
372KB

MD5
c40b3ae11485e2bc48eaac67399a9fb4

SHA1
bad5da791dae5b6f184060cd33feb143e999d96f

SHA256
fe43ce6357b7a0d22f8e2a699f812d227abbd18e9b4ded5f0a53eabfd3cc4ad9

SHA512
5cfcfd385f07b79dc4a0375e5534d325d22a9da10a65f246f8c3dcd5529929b87031ed0fd383c5367156716810a13497b1eaf76d0fc0d07987fd96590004cf10

Download Submit
C:\Windows\{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe

Filesize
372KB

MD5
98a5f118928d0db5514dea34311d6ff9

SHA1
b578a2ceeb658193134a13995c7b61833e2095de

SHA256
f6091bfa6ab7752de67a238a1e39928259d9e5aa4baa6c001e8261941f207f30

SHA512
1f5a17d0b0fb066fbce0294878b3b1bfa2208a4bfe46fc0f24b9a29355c83fd0d8eab2912b06668b8fd8867257d75c4c93991e5ac81dbebe1e95823ce65ace77

Download Submit
C:\Windows\{CFAEBC82-39AE-4a3a-861E-F79208BFBE5F}.exe

Filesize
372KB

MD5
98a5f118928d0db5514dea34311d6ff9

SHA1
b578a2ceeb658193134a13995c7b61833e2095de

SHA256
f6091bfa6ab7752de67a238a1e39928259d9e5aa4baa6c001e8261941f207f30

SHA512
1f5a17d0b0fb066fbce0294878b3b1bfa2208a4bfe46fc0f24b9a29355c83fd0d8eab2912b06668b8fd8867257d75c4c93991e5ac81dbebe1e95823ce65ace77

Download Submit
C:\Windows\{D662AA03-07F6-42f7-8784-CFECB40C03DD}.exe

Filesize
372KB

MD5
7bc12acd363762c933c72ad0ed38d5eb

SHA1
96013e53860078e90cea66fa7ba65fbb07dc9044

SHA256
0fca673a83ba6252b8882abecc2f170d9940540bf0b3b950d2c6a57641af0836

SHA512
6a9cae998207ec59c1023d3520437522521e33508b2797e79f0bcf5ba85eb6ac246f24e6b3cd90e423a044b31f2f9d440d4a3782c2d2b3e01e161b418fec5793

Download Submit
C:\Windows\{D662AA03-07F6-42f7-8784-CFECB40C03DD}.exe

Filesize
372KB

MD5
7bc12acd363762c933c72ad0ed38d5eb

SHA1
96013e53860078e90cea66fa7ba65fbb07dc9044

SHA256
0fca673a83ba6252b8882abecc2f170d9940540bf0b3b950d2c6a57641af0836

SHA512
6a9cae998207ec59c1023d3520437522521e33508b2797e79f0bcf5ba85eb6ac246f24e6b3cd90e423a044b31f2f9d440d4a3782c2d2b3e01e161b418fec5793

Download Submit
C:\Windows\{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe

Filesize
372KB

MD5
3a0265adc25e2ec3169dc404b1f03f8f

SHA1
148f3164ef0f29ce147ef56b17d0f89d22a30865

SHA256
ff9b859c5c27008f27a806775f4a3e34174c9207465772efc2371679e1273658

SHA512
483f5cb826eca8c9b94eec384723036d16d307f90b40dc46ec62d10edd959d8a4385ff5bb7bd199e15838c6f6fe56f221f5f086db4c7c4dc5eb6d5fcef616e68

Download Submit
C:\Windows\{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe

Filesize
372KB

MD5
3a0265adc25e2ec3169dc404b1f03f8f

SHA1
148f3164ef0f29ce147ef56b17d0f89d22a30865

SHA256
ff9b859c5c27008f27a806775f4a3e34174c9207465772efc2371679e1273658

SHA512
483f5cb826eca8c9b94eec384723036d16d307f90b40dc46ec62d10edd959d8a4385ff5bb7bd199e15838c6f6fe56f221f5f086db4c7c4dc5eb6d5fcef616e68

Download Submit
C:\Windows\{E8961640-E0D5-432c-944F-17D7DCAEBF17}.exe

Filesize
372KB

MD5
3a0265adc25e2ec3169dc404b1f03f8f

SHA1
148f3164ef0f29ce147ef56b17d0f89d22a30865

SHA256
ff9b859c5c27008f27a806775f4a3e34174c9207465772efc2371679e1273658

SHA512
483f5cb826eca8c9b94eec384723036d16d307f90b40dc46ec62d10edd959d8a4385ff5bb7bd199e15838c6f6fe56f221f5f086db4c7c4dc5eb6d5fcef616e68

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads