5da0cbe9379b128876bee526ded508a00a5a5110fcc3308ed3a439952e614f47

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
05-11-2023 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe
Size

380KB
MD5

5396539bc01bc2ce4b6595740997c0a1
SHA1

8db110a0c7c67ae47412e656dafac811b404458a
SHA256

5da0cbe9379b128876bee526ded508a00a5a5110fcc3308ed3a439952e614f47
SHA512

764a407880ba9e3747d2daef385b6734dd3cf750a907507f292dac4ccd9ce0f40c51f3c11ca1277b52c487090d1ba3fdaedf5292a943c19e4fb38065e8f523e4
SSDEEP

3072:mEGh0oUlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG+l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5BFD120-2A24-47a8-B2A8-9336525B8E99}	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E5BA167-EFF6-456f-92B0-7467D668FEBF}\stubpath = "C:\\Windows\\{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe"	{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B644EEDF-17B3-4d43-9A01-C555B28A7455}\stubpath = "C:\\Windows\\{B644EEDF-17B3-4d43-9A01-C555B28A7455}.exe"	{170BA3A7-53AA-4bdd-A18D-A3CB5A82C041}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6446BA1-48FA-4a5b-BFB3-58EF4926D71D}	{B644EEDF-17B3-4d43-9A01-C555B28A7455}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6446BA1-48FA-4a5b-BFB3-58EF4926D71D}\stubpath = "C:\\Windows\\{B6446BA1-48FA-4a5b-BFB3-58EF4926D71D}.exe"	{B644EEDF-17B3-4d43-9A01-C555B28A7455}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE1B9DB6-490F-423e-BF1D-77E6884A5951}\stubpath = "C:\\Windows\\{AE1B9DB6-490F-423e-BF1D-77E6884A5951}.exe"	{B6446BA1-48FA-4a5b-BFB3-58EF4926D71D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B644EEDF-17B3-4d43-9A01-C555B28A7455}	{170BA3A7-53AA-4bdd-A18D-A3CB5A82C041}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}	{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E5BA167-EFF6-456f-92B0-7467D668FEBF}	{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}	{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{698D1217-FB84-4932-B463-D27DCAB5311F}	{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54BE1CE0-6DC3-4145-B11D-17058C937489}	{698D1217-FB84-4932-B463-D27DCAB5311F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{170BA3A7-53AA-4bdd-A18D-A3CB5A82C041}	{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{170BA3A7-53AA-4bdd-A18D-A3CB5A82C041}\stubpath = "C:\\Windows\\{170BA3A7-53AA-4bdd-A18D-A3CB5A82C041}.exe"	{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}\stubpath = "C:\\Windows\\{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe"	{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B30959C-E419-4fa3-918B-A65D469EB6C5}\stubpath = "C:\\Windows\\{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe"	{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54BE1CE0-6DC3-4145-B11D-17058C937489}\stubpath = "C:\\Windows\\{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe"	{698D1217-FB84-4932-B463-D27DCAB5311F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5BFD120-2A24-47a8-B2A8-9336525B8E99}\stubpath = "C:\\Windows\\{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe"	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B30959C-E419-4fa3-918B-A65D469EB6C5}	{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}\stubpath = "C:\\Windows\\{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe"	{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{698D1217-FB84-4932-B463-D27DCAB5311F}\stubpath = "C:\\Windows\\{698D1217-FB84-4932-B463-D27DCAB5311F}.exe"	{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE1B9DB6-490F-423e-BF1D-77E6884A5951}	{B6446BA1-48FA-4a5b-BFB3-58EF4926D71D}.exe

Deletes itself 1 IoCs

pid	Process
2004	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2424	{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe
2704	{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe
2664	{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe
2672	{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe
2504	{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe
3060	{698D1217-FB84-4932-B463-D27DCAB5311F}.exe
1964	{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe
2884	{170BA3A7-53AA-4bdd-A18D-A3CB5A82C041}.exe
2440	{B644EEDF-17B3-4d43-9A01-C555B28A7455}.exe
1136	{B6446BA1-48FA-4a5b-BFB3-58EF4926D71D}.exe
620	{AE1B9DB6-490F-423e-BF1D-77E6884A5951}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{170BA3A7-53AA-4bdd-A18D-A3CB5A82C041}.exe	{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe
File created	C:\Windows\{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe	{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe
File created	C:\Windows\{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe	{698D1217-FB84-4932-B463-D27DCAB5311F}.exe
File created	C:\Windows\{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe	{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe
File created	C:\Windows\{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe	{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe
File created	C:\Windows\{698D1217-FB84-4932-B463-D27DCAB5311F}.exe	{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe
File created	C:\Windows\{B644EEDF-17B3-4d43-9A01-C555B28A7455}.exe	{170BA3A7-53AA-4bdd-A18D-A3CB5A82C041}.exe
File created	C:\Windows\{B6446BA1-48FA-4a5b-BFB3-58EF4926D71D}.exe	{B644EEDF-17B3-4d43-9A01-C555B28A7455}.exe
File created	C:\Windows\{AE1B9DB6-490F-423e-BF1D-77E6884A5951}.exe	{B6446BA1-48FA-4a5b-BFB3-58EF4926D71D}.exe
File created	C:\Windows\{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe
File created	C:\Windows\{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe	{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1712	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2424	{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe
Token: SeIncBasePriorityPrivilege	2704	{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe
Token: SeIncBasePriorityPrivilege	2664	{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe
Token: SeIncBasePriorityPrivilege	2672	{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe
Token: SeIncBasePriorityPrivilege	2504	{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe
Token: SeIncBasePriorityPrivilege	3060	{698D1217-FB84-4932-B463-D27DCAB5311F}.exe
Token: SeIncBasePriorityPrivilege	1964	{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe
Token: SeIncBasePriorityPrivilege	2884	{170BA3A7-53AA-4bdd-A18D-A3CB5A82C041}.exe
Token: SeIncBasePriorityPrivilege	2440	{B644EEDF-17B3-4d43-9A01-C555B28A7455}.exe
Token: SeIncBasePriorityPrivilege	1136	{B6446BA1-48FA-4a5b-BFB3-58EF4926D71D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2424	1712	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe	28
PID 1712 wrote to memory of 2424	1712	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe	28
PID 1712 wrote to memory of 2424	1712	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe	28
PID 1712 wrote to memory of 2424	1712	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe	28
PID 1712 wrote to memory of 2004	1712	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe	29
PID 1712 wrote to memory of 2004	1712	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe	29
PID 1712 wrote to memory of 2004	1712	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe	29
PID 1712 wrote to memory of 2004	1712	NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe	29
PID 2424 wrote to memory of 2704	2424	{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe	31
PID 2424 wrote to memory of 2704	2424	{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe	31
PID 2424 wrote to memory of 2704	2424	{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe	31
PID 2424 wrote to memory of 2704	2424	{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe	31
PID 2424 wrote to memory of 2744	2424	{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe	30
PID 2424 wrote to memory of 2744	2424	{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe	30
PID 2424 wrote to memory of 2744	2424	{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe	30
PID 2424 wrote to memory of 2744	2424	{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe	30
PID 2704 wrote to memory of 2664	2704	{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe	33
PID 2704 wrote to memory of 2664	2704	{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe	33
PID 2704 wrote to memory of 2664	2704	{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe	33
PID 2704 wrote to memory of 2664	2704	{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe	33
PID 2704 wrote to memory of 2924	2704	{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe	32
PID 2704 wrote to memory of 2924	2704	{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe	32
PID 2704 wrote to memory of 2924	2704	{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe	32
PID 2704 wrote to memory of 2924	2704	{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe	32
PID 2664 wrote to memory of 2672	2664	{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe	37
PID 2664 wrote to memory of 2672	2664	{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe	37
PID 2664 wrote to memory of 2672	2664	{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe	37
PID 2664 wrote to memory of 2672	2664	{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe	37
PID 2664 wrote to memory of 2220	2664	{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe	36
PID 2664 wrote to memory of 2220	2664	{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe	36
PID 2664 wrote to memory of 2220	2664	{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe	36
PID 2664 wrote to memory of 2220	2664	{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe	36
PID 2672 wrote to memory of 2504	2672	{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe	39
PID 2672 wrote to memory of 2504	2672	{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe	39
PID 2672 wrote to memory of 2504	2672	{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe	39
PID 2672 wrote to memory of 2504	2672	{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe	39
PID 2672 wrote to memory of 2572	2672	{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe	38
PID 2672 wrote to memory of 2572	2672	{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe	38
PID 2672 wrote to memory of 2572	2672	{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe	38
PID 2672 wrote to memory of 2572	2672	{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe	38
PID 2504 wrote to memory of 3060	2504	{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe	41
PID 2504 wrote to memory of 3060	2504	{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe	41
PID 2504 wrote to memory of 3060	2504	{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe	41
PID 2504 wrote to memory of 3060	2504	{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe	41
PID 2504 wrote to memory of 2388	2504	{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe	40
PID 2504 wrote to memory of 2388	2504	{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe	40
PID 2504 wrote to memory of 2388	2504	{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe	40
PID 2504 wrote to memory of 2388	2504	{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe	40
PID 3060 wrote to memory of 1964	3060	{698D1217-FB84-4932-B463-D27DCAB5311F}.exe	43
PID 3060 wrote to memory of 1964	3060	{698D1217-FB84-4932-B463-D27DCAB5311F}.exe	43
PID 3060 wrote to memory of 1964	3060	{698D1217-FB84-4932-B463-D27DCAB5311F}.exe	43
PID 3060 wrote to memory of 1964	3060	{698D1217-FB84-4932-B463-D27DCAB5311F}.exe	43
PID 3060 wrote to memory of 2848	3060	{698D1217-FB84-4932-B463-D27DCAB5311F}.exe	42
PID 3060 wrote to memory of 2848	3060	{698D1217-FB84-4932-B463-D27DCAB5311F}.exe	42
PID 3060 wrote to memory of 2848	3060	{698D1217-FB84-4932-B463-D27DCAB5311F}.exe	42
PID 3060 wrote to memory of 2848	3060	{698D1217-FB84-4932-B463-D27DCAB5311F}.exe	42
PID 1964 wrote to memory of 2884	1964	{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe	45
PID 1964 wrote to memory of 2884	1964	{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe	45
PID 1964 wrote to memory of 2884	1964	{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe	45
PID 1964 wrote to memory of 2884	1964	{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe	45
PID 1964 wrote to memory of 2980	1964	{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe	44
PID 1964 wrote to memory of 2980	1964	{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe	44
PID 1964 wrote to memory of 2980	1964	{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe	44
PID 1964 wrote to memory of 2980	1964	{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe	44

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-28_5396539bc01bc2ce4b6595740997c0a1_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe
  C:\Windows\{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F5BFD~1.EXE > nul
    3⤵
    PID:2744
- - C:\Windows\{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe
    C:\Windows\{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3B7E1~1.EXE > nul
      4⤵
      PID:2924
  - - C:\Windows\{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe
      C:\Windows\{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B309~1.EXE > nul
        5⤵
        
        PID:2220
    - - C:\Windows\{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe
        
        C:\Windows\{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E5BA~1.EXE > nul
        6⤵
        
        PID:2572
      - C:\Windows\{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe
        
        C:\Windows\{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C35CD~1.EXE > nul
        7⤵
        
        PID:2388
        
        C:\Windows\{698D1217-FB84-4932-B463-D27DCAB5311F}.exe
        
        C:\Windows\{698D1217-FB84-4932-B463-D27DCAB5311F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{698D1~1.EXE > nul
        8⤵
        
        PID:2848
        
        C:\Windows\{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe
        
        C:\Windows\{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54BE1~1.EXE > nul
        9⤵
        
        PID:2980
        
        C:\Windows\{170BA3A7-53AA-4bdd-A18D-A3CB5A82C041}.exe
        
        C:\Windows\{170BA3A7-53AA-4bdd-A18D-A3CB5A82C041}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{170BA~1.EXE > nul
        10⤵
        
        PID:3056
        
        C:\Windows\{B644EEDF-17B3-4d43-9A01-C555B28A7455}.exe
        
        C:\Windows\{B644EEDF-17B3-4d43-9A01-C555B28A7455}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B644E~1.EXE > nul
        11⤵
        
        PID:1520
        
        C:\Windows\{B6446BA1-48FA-4a5b-BFB3-58EF4926D71D}.exe
        
        C:\Windows\{B6446BA1-48FA-4a5b-BFB3-58EF4926D71D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6446~1.EXE > nul
        12⤵
        
        PID:2804
        
        C:\Windows\{AE1B9DB6-490F-423e-BF1D-77E6884A5951}.exe
        
        C:\Windows\{AE1B9DB6-490F-423e-BF1D-77E6884A5951}.exe
        12⤵
        Executes dropped EXE
        
        PID:620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{170BA3A7-53AA-4bdd-A18D-A3CB5A82C041}.exe

Filesize
380KB

MD5
2dd73b4d2bef8596d6e770628b89ba24

SHA1
9cd282936ef9d9a31a5c6682cd4f98079187b581

SHA256
2fa88b22b42c7f385f89324cc0d039038c0183c1d2393e60c2420a60c3466141

SHA512
f86b3e4b15fa1d646e3493398c445d808beae9205feba17dde22b46f0721b688d9a3c06eab8f83212a49d53e7a3e98bf52f676fb2b542ea82b68c7368da4536b

Download Submit
C:\Windows\{170BA3A7-53AA-4bdd-A18D-A3CB5A82C041}.exe

Filesize
380KB

MD5
2dd73b4d2bef8596d6e770628b89ba24

SHA1
9cd282936ef9d9a31a5c6682cd4f98079187b581

SHA256
2fa88b22b42c7f385f89324cc0d039038c0183c1d2393e60c2420a60c3466141

SHA512
f86b3e4b15fa1d646e3493398c445d808beae9205feba17dde22b46f0721b688d9a3c06eab8f83212a49d53e7a3e98bf52f676fb2b542ea82b68c7368da4536b

Download Submit
C:\Windows\{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe

Filesize
380KB

MD5
255140e1bbff9d2eeabb202f070db9a8

SHA1
12b1e4998469dd61c4c153c6d8eb0ab61d0fa43a

SHA256
a94f6b975bed8e3e5c9a04ed7c069136e207a1e050a427e2494c852d09b392ff

SHA512
5d09428a1fec7f24c5b706f5bd5f89f3ab96a478e4859494907bd112634d37a572af2790a2f3861242abc58f9f54c1b550038be9ae89c49643c090bb332317bf

Download Submit
C:\Windows\{3B7E1D2B-373F-44e6-82E1-FE37F23A9E67}.exe

Filesize
380KB

MD5
255140e1bbff9d2eeabb202f070db9a8

SHA1
12b1e4998469dd61c4c153c6d8eb0ab61d0fa43a

SHA256
a94f6b975bed8e3e5c9a04ed7c069136e207a1e050a427e2494c852d09b392ff

SHA512
5d09428a1fec7f24c5b706f5bd5f89f3ab96a478e4859494907bd112634d37a572af2790a2f3861242abc58f9f54c1b550038be9ae89c49643c090bb332317bf

Download Submit
C:\Windows\{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe

Filesize
380KB

MD5
303589a0085ccb6f81c87c76b62041a4

SHA1
feab164282f6e3a028c87d8495669af5cfa930b0

SHA256
1e2e9d7485a84e99a1e9ebe98130810e8f331a5be90d560551e56d002a0753e7

SHA512
228218094fea65e535337ec1d2896db4625c4fd5bb5a0485e6ddfb434f34c7ca04c6eb2112deaafca3f3e464fb4c31cb6a388dbec9cbc2c7ff3ef3318306e6a4

Download Submit
C:\Windows\{3E5BA167-EFF6-456f-92B0-7467D668FEBF}.exe

Filesize
380KB

MD5
303589a0085ccb6f81c87c76b62041a4

SHA1
feab164282f6e3a028c87d8495669af5cfa930b0

SHA256
1e2e9d7485a84e99a1e9ebe98130810e8f331a5be90d560551e56d002a0753e7

SHA512
228218094fea65e535337ec1d2896db4625c4fd5bb5a0485e6ddfb434f34c7ca04c6eb2112deaafca3f3e464fb4c31cb6a388dbec9cbc2c7ff3ef3318306e6a4

Download Submit
C:\Windows\{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe

Filesize
380KB

MD5
af07afc81edc783ec4e4cf8b23fab54a

SHA1
9490ef4742ec013b43f5adaf229e0ce72f62d941

SHA256
28596737071248006e0d7d13db5f7a594acd4f377a2f7df45dc7b35125cead2a

SHA512
71c41902f087744ac428bbe519d25d1c18f4b864c5a743d4edd216bc3b78324c93c7a02ad9430a05982270b819203be6591ee656de8c45368fe3bbee2dd9b525

Download Submit
C:\Windows\{54BE1CE0-6DC3-4145-B11D-17058C937489}.exe

Filesize
380KB

MD5
af07afc81edc783ec4e4cf8b23fab54a

SHA1
9490ef4742ec013b43f5adaf229e0ce72f62d941

SHA256
28596737071248006e0d7d13db5f7a594acd4f377a2f7df45dc7b35125cead2a

SHA512
71c41902f087744ac428bbe519d25d1c18f4b864c5a743d4edd216bc3b78324c93c7a02ad9430a05982270b819203be6591ee656de8c45368fe3bbee2dd9b525

Download Submit
C:\Windows\{698D1217-FB84-4932-B463-D27DCAB5311F}.exe

Filesize
380KB

MD5
8346fa90ae195669ca5ac52414fcff7e

SHA1
3672ba2343b53639a2c10545e89f0589e6fdd577

SHA256
6dea68c897af75624e7b7781a67f7567b885187d6be2b6bd8c920d1055fda9a6

SHA512
9c257b6511b832ab4c534efd80edab30c7281f26578827dafbc79b421f79a014a5e82d9baccaceb2273687d95c139c8a6e83c40935bdb765e89f957a5ee6ab3f

Download Submit
C:\Windows\{698D1217-FB84-4932-B463-D27DCAB5311F}.exe

Filesize
380KB

MD5
8346fa90ae195669ca5ac52414fcff7e

SHA1
3672ba2343b53639a2c10545e89f0589e6fdd577

SHA256
6dea68c897af75624e7b7781a67f7567b885187d6be2b6bd8c920d1055fda9a6

SHA512
9c257b6511b832ab4c534efd80edab30c7281f26578827dafbc79b421f79a014a5e82d9baccaceb2273687d95c139c8a6e83c40935bdb765e89f957a5ee6ab3f

Download Submit
C:\Windows\{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe

Filesize
380KB

MD5
4dcdeaa6824f8c6b4c071de490df6ad6

SHA1
f665c0ce8273a63f7f480347c2e95e751bbd997b

SHA256
f64503368f2f3ac0dfe2291382f6ce9afe0d9a2789a8a54b27085429d4a3dda9

SHA512
665c5fd3ab3dce31475eaac9e8676f51fc0161254858a61800918979c1a1bab16b9fe7c028e30e073e2e42e440ee4132078ad379b1a231026a02d0265fc679d6

Download Submit
C:\Windows\{8B30959C-E419-4fa3-918B-A65D469EB6C5}.exe

Filesize
380KB

MD5
4dcdeaa6824f8c6b4c071de490df6ad6

SHA1
f665c0ce8273a63f7f480347c2e95e751bbd997b

SHA256
f64503368f2f3ac0dfe2291382f6ce9afe0d9a2789a8a54b27085429d4a3dda9

SHA512
665c5fd3ab3dce31475eaac9e8676f51fc0161254858a61800918979c1a1bab16b9fe7c028e30e073e2e42e440ee4132078ad379b1a231026a02d0265fc679d6

Download Submit
C:\Windows\{AE1B9DB6-490F-423e-BF1D-77E6884A5951}.exe

Filesize
380KB

MD5
4e5629f68531a69a7f35372e5ac8250c

SHA1
9aa1698a202c95843edc92b497bf9cf3394c1001

SHA256
3aa36959a68ddaabd4a85b47fbe7776f720c70d6d70d389d8ef8465a902900e2

SHA512
582037a92dace5d73dd4a530ac69437b8dad46a1113d99f6ad7f9e56dddb6c548822c29d52dbd4344ae0ce9b204d3b801628c09a5323936bbaaed56ac549a4c0

Download Submit
C:\Windows\{B6446BA1-48FA-4a5b-BFB3-58EF4926D71D}.exe

Filesize
380KB

MD5
ba0846f64c7b55d2c9b299f87db17016

SHA1
34e3759221ddcb544eb33d558caa2922bb13c440

SHA256
7e8a8fe425fa2a1853a9977061fd4240473f41d297cb417e1fec7ef4bce788b4

SHA512
a9da2b3acd1d28cd9491e248fc3646aba8bf4e3552bc1c645ad8f0f3f528b6e91380190c97596fe23d718508e71f2290d90ba4427e61d0131f4d6cda636ffa1a

Download Submit
C:\Windows\{B6446BA1-48FA-4a5b-BFB3-58EF4926D71D}.exe

Filesize
380KB

MD5
ba0846f64c7b55d2c9b299f87db17016

SHA1
34e3759221ddcb544eb33d558caa2922bb13c440

SHA256
7e8a8fe425fa2a1853a9977061fd4240473f41d297cb417e1fec7ef4bce788b4

SHA512
a9da2b3acd1d28cd9491e248fc3646aba8bf4e3552bc1c645ad8f0f3f528b6e91380190c97596fe23d718508e71f2290d90ba4427e61d0131f4d6cda636ffa1a

Download Submit
C:\Windows\{B644EEDF-17B3-4d43-9A01-C555B28A7455}.exe

Filesize
380KB

MD5
e4b4324f1a4ac3873a27b14ba3388ce3

SHA1
9d2fdfc96a732e7ab4b2a7ea448239f578059920

SHA256
37f49c7e3f8b3b4f295e9b877e0553a694bd768e95a9874dce1bc3372090122d

SHA512
8e4d44903ce096b0e973a1359ff2f98855c09cc8d1142d007a4a3abebdb7a076af36f4ba9cca20a1e0252a1e430af41d89e89f377501eb035760f916dcbe43d6

Download Submit
C:\Windows\{B644EEDF-17B3-4d43-9A01-C555B28A7455}.exe

Filesize
380KB

MD5
e4b4324f1a4ac3873a27b14ba3388ce3

SHA1
9d2fdfc96a732e7ab4b2a7ea448239f578059920

SHA256
37f49c7e3f8b3b4f295e9b877e0553a694bd768e95a9874dce1bc3372090122d

SHA512
8e4d44903ce096b0e973a1359ff2f98855c09cc8d1142d007a4a3abebdb7a076af36f4ba9cca20a1e0252a1e430af41d89e89f377501eb035760f916dcbe43d6

Download Submit
C:\Windows\{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe

Filesize
380KB

MD5
a7ce81d63a6918dfc08c79fbd535a6e6

SHA1
6a19f41a6319def8fb57c1ef4ac7939b0ff4f6e3

SHA256
56f34ce2b6592c1881c12346fadb4576526117ce7297fa760134491028892ce8

SHA512
7ef355b861d04d4f829bb064c95b6fe6c64331d9dc5b08e206d44fa48b23c423506e2664efe9534b1804d7d58d0d82cd9fc432d1addf5bfb4a32dd884ecd107c

Download Submit
C:\Windows\{C35CDCB7-1A4D-4b6f-90E1-A6719B050256}.exe

Filesize
380KB

MD5
a7ce81d63a6918dfc08c79fbd535a6e6

SHA1
6a19f41a6319def8fb57c1ef4ac7939b0ff4f6e3

SHA256
56f34ce2b6592c1881c12346fadb4576526117ce7297fa760134491028892ce8

SHA512
7ef355b861d04d4f829bb064c95b6fe6c64331d9dc5b08e206d44fa48b23c423506e2664efe9534b1804d7d58d0d82cd9fc432d1addf5bfb4a32dd884ecd107c

Download Submit
C:\Windows\{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe

Filesize
380KB

MD5
b22e13f4e3b0bfbfabbc11f1ccf15af1

SHA1
8e5823ea93ac41631c8038903a8c12ec004b1f44

SHA256
f6e1606f404957a419694599c755aeece8525eb03774e1659c9b659c2614a557

SHA512
3ff155a93973b4db90f5c89dadb9e3051367a2cd67b46f18a2055b45fb155be3f55469cf6a80f6ab99a17380a7103c5243bb645034ceb8841b27dc6abfd891f1

Download Submit
C:\Windows\{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe

Filesize
380KB

MD5
b22e13f4e3b0bfbfabbc11f1ccf15af1

SHA1
8e5823ea93ac41631c8038903a8c12ec004b1f44

SHA256
f6e1606f404957a419694599c755aeece8525eb03774e1659c9b659c2614a557

SHA512
3ff155a93973b4db90f5c89dadb9e3051367a2cd67b46f18a2055b45fb155be3f55469cf6a80f6ab99a17380a7103c5243bb645034ceb8841b27dc6abfd891f1

Download Submit
C:\Windows\{F5BFD120-2A24-47a8-B2A8-9336525B8E99}.exe

Filesize
380KB

MD5
b22e13f4e3b0bfbfabbc11f1ccf15af1

SHA1
8e5823ea93ac41631c8038903a8c12ec004b1f44

SHA256
f6e1606f404957a419694599c755aeece8525eb03774e1659c9b659c2614a557

SHA512
3ff155a93973b4db90f5c89dadb9e3051367a2cd67b46f18a2055b45fb155be3f55469cf6a80f6ab99a17380a7103c5243bb645034ceb8841b27dc6abfd891f1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads