c70f6bfe1ab21270b99bfe2e2b45d19961bd8815a1547f2af4f44fc181446699

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe
Size

380KB
MD5

f48e0cd81aa9dca2437067d8b4b14e83
SHA1

7baf4335782a0f95787eb9119353fecc527ab0ab
SHA256

c70f6bfe1ab21270b99bfe2e2b45d19961bd8815a1547f2af4f44fc181446699
SHA512

2eaac94e313bc3628de02a59405475b2668e0f8808cdac71589412cf08ab99f2b4761d45af9e9e438f34cd369a5922e6f32a91f9d1864a110e1bcde4571d87d8
SSDEEP

3072:mEGh0oslPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGal7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C15ACECB-3CE4-40df-99CB-F14E4B9F54DF}\stubpath = "C:\\Windows\\{C15ACECB-3CE4-40df-99CB-F14E4B9F54DF}.exe"	{03FA2599-B9D6-44ea-AEBF-A00A67D5E2EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0AF0884-E522-4036-AF4F-9C397C204A92}	{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0AF0884-E522-4036-AF4F-9C397C204A92}\stubpath = "C:\\Windows\\{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe"	{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7676A444-5A51-43f4-9A30-D1CE7625ACA4}\stubpath = "C:\\Windows\\{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe"	{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}	{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0A8754B-B7A6-48f7-8F8E-2E3E16A45F8A}\stubpath = "C:\\Windows\\{B0A8754B-B7A6-48f7-8F8E-2E3E16A45F8A}.exe"	{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{242C323D-EB53-4583-BB80-0EEE60789454}	{B0A8754B-B7A6-48f7-8F8E-2E3E16A45F8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57025CD0-7E12-4132-AB6E-2B6BDBAFA000}\stubpath = "C:\\Windows\\{57025CD0-7E12-4132-AB6E-2B6BDBAFA000}.exe"	{242C323D-EB53-4583-BB80-0EEE60789454}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{241B329F-20AD-4f86-B10E-51A8B4244B78}	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F562FF2B-3E3C-4e04-A143-200F844F6C22}	{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AD75C74-3812-4185-B856-706637081411}	{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0A8754B-B7A6-48f7-8F8E-2E3E16A45F8A}	{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57025CD0-7E12-4132-AB6E-2B6BDBAFA000}	{242C323D-EB53-4583-BB80-0EEE60789454}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03FA2599-B9D6-44ea-AEBF-A00A67D5E2EE}	{57025CD0-7E12-4132-AB6E-2B6BDBAFA000}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03FA2599-B9D6-44ea-AEBF-A00A67D5E2EE}\stubpath = "C:\\Windows\\{03FA2599-B9D6-44ea-AEBF-A00A67D5E2EE}.exe"	{57025CD0-7E12-4132-AB6E-2B6BDBAFA000}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{241B329F-20AD-4f86-B10E-51A8B4244B78}\stubpath = "C:\\Windows\\{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe"	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AD75C74-3812-4185-B856-706637081411}\stubpath = "C:\\Windows\\{8AD75C74-3812-4185-B856-706637081411}.exe"	{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5509B050-AB0F-415c-9B4F-2A568CC16CA6}\stubpath = "C:\\Windows\\{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe"	{8AD75C74-3812-4185-B856-706637081411}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7676A444-5A51-43f4-9A30-D1CE7625ACA4}	{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}\stubpath = "C:\\Windows\\{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe"	{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{242C323D-EB53-4583-BB80-0EEE60789454}\stubpath = "C:\\Windows\\{242C323D-EB53-4583-BB80-0EEE60789454}.exe"	{B0A8754B-B7A6-48f7-8F8E-2E3E16A45F8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C15ACECB-3CE4-40df-99CB-F14E4B9F54DF}	{03FA2599-B9D6-44ea-AEBF-A00A67D5E2EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F562FF2B-3E3C-4e04-A143-200F844F6C22}\stubpath = "C:\\Windows\\{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe"	{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5509B050-AB0F-415c-9B4F-2A568CC16CA6}	{8AD75C74-3812-4185-B856-706637081411}.exe

Deletes itself 1 IoCs

pid	Process
2596	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2140	{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe
2668	{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe
2076	{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe
2688	{8AD75C74-3812-4185-B856-706637081411}.exe
2652	{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe
2536	{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe
3000	{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe
572	{B0A8754B-B7A6-48f7-8F8E-2E3E16A45F8A}.exe
1416	{242C323D-EB53-4583-BB80-0EEE60789454}.exe
2796	{57025CD0-7E12-4132-AB6E-2B6BDBAFA000}.exe
1172	{03FA2599-B9D6-44ea-AEBF-A00A67D5E2EE}.exe
1976	{C15ACECB-3CE4-40df-99CB-F14E4B9F54DF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B0A8754B-B7A6-48f7-8F8E-2E3E16A45F8A}.exe	{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe
File created	C:\Windows\{C15ACECB-3CE4-40df-99CB-F14E4B9F54DF}.exe	{03FA2599-B9D6-44ea-AEBF-A00A67D5E2EE}.exe
File created	C:\Windows\{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe
File created	C:\Windows\{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe	{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe
File created	C:\Windows\{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe	{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe
File created	C:\Windows\{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe	{8AD75C74-3812-4185-B856-706637081411}.exe
File created	C:\Windows\{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe	{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe
File created	C:\Windows\{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe	{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe
File created	C:\Windows\{8AD75C74-3812-4185-B856-706637081411}.exe	{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe
File created	C:\Windows\{242C323D-EB53-4583-BB80-0EEE60789454}.exe	{B0A8754B-B7A6-48f7-8F8E-2E3E16A45F8A}.exe
File created	C:\Windows\{57025CD0-7E12-4132-AB6E-2B6BDBAFA000}.exe	{242C323D-EB53-4583-BB80-0EEE60789454}.exe
File created	C:\Windows\{03FA2599-B9D6-44ea-AEBF-A00A67D5E2EE}.exe	{57025CD0-7E12-4132-AB6E-2B6BDBAFA000}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1788	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2140	{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe
Token: SeIncBasePriorityPrivilege	2668	{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe
Token: SeIncBasePriorityPrivilege	2076	{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe
Token: SeIncBasePriorityPrivilege	2688	{8AD75C74-3812-4185-B856-706637081411}.exe
Token: SeIncBasePriorityPrivilege	2652	{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe
Token: SeIncBasePriorityPrivilege	2536	{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe
Token: SeIncBasePriorityPrivilege	3000	{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe
Token: SeIncBasePriorityPrivilege	572	{B0A8754B-B7A6-48f7-8F8E-2E3E16A45F8A}.exe
Token: SeIncBasePriorityPrivilege	1416	{242C323D-EB53-4583-BB80-0EEE60789454}.exe
Token: SeIncBasePriorityPrivilege	2796	{57025CD0-7E12-4132-AB6E-2B6BDBAFA000}.exe
Token: SeIncBasePriorityPrivilege	1172	{03FA2599-B9D6-44ea-AEBF-A00A67D5E2EE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2140	1788	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe	28
PID 1788 wrote to memory of 2140	1788	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe	28
PID 1788 wrote to memory of 2140	1788	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe	28
PID 1788 wrote to memory of 2140	1788	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe	28
PID 1788 wrote to memory of 2596	1788	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe	29
PID 1788 wrote to memory of 2596	1788	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe	29
PID 1788 wrote to memory of 2596	1788	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe	29
PID 1788 wrote to memory of 2596	1788	NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe	29
PID 2140 wrote to memory of 2668	2140	{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe	32
PID 2140 wrote to memory of 2668	2140	{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe	32
PID 2140 wrote to memory of 2668	2140	{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe	32
PID 2140 wrote to memory of 2668	2140	{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe	32
PID 2140 wrote to memory of 2640	2140	{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe	33
PID 2140 wrote to memory of 2640	2140	{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe	33
PID 2140 wrote to memory of 2640	2140	{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe	33
PID 2140 wrote to memory of 2640	2140	{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe	33
PID 2668 wrote to memory of 2076	2668	{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe	34
PID 2668 wrote to memory of 2076	2668	{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe	34
PID 2668 wrote to memory of 2076	2668	{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe	34
PID 2668 wrote to memory of 2076	2668	{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe	34
PID 2668 wrote to memory of 2676	2668	{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe	35
PID 2668 wrote to memory of 2676	2668	{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe	35
PID 2668 wrote to memory of 2676	2668	{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe	35
PID 2668 wrote to memory of 2676	2668	{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe	35
PID 2076 wrote to memory of 2688	2076	{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe	36
PID 2076 wrote to memory of 2688	2076	{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe	36
PID 2076 wrote to memory of 2688	2076	{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe	36
PID 2076 wrote to memory of 2688	2076	{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe	36
PID 2076 wrote to memory of 2828	2076	{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe	37
PID 2076 wrote to memory of 2828	2076	{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe	37
PID 2076 wrote to memory of 2828	2076	{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe	37
PID 2076 wrote to memory of 2828	2076	{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe	37
PID 2688 wrote to memory of 2652	2688	{8AD75C74-3812-4185-B856-706637081411}.exe	38
PID 2688 wrote to memory of 2652	2688	{8AD75C74-3812-4185-B856-706637081411}.exe	38
PID 2688 wrote to memory of 2652	2688	{8AD75C74-3812-4185-B856-706637081411}.exe	38
PID 2688 wrote to memory of 2652	2688	{8AD75C74-3812-4185-B856-706637081411}.exe	38
PID 2688 wrote to memory of 2760	2688	{8AD75C74-3812-4185-B856-706637081411}.exe	39
PID 2688 wrote to memory of 2760	2688	{8AD75C74-3812-4185-B856-706637081411}.exe	39
PID 2688 wrote to memory of 2760	2688	{8AD75C74-3812-4185-B856-706637081411}.exe	39
PID 2688 wrote to memory of 2760	2688	{8AD75C74-3812-4185-B856-706637081411}.exe	39
PID 2652 wrote to memory of 2536	2652	{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe	40
PID 2652 wrote to memory of 2536	2652	{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe	40
PID 2652 wrote to memory of 2536	2652	{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe	40
PID 2652 wrote to memory of 2536	2652	{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe	40
PID 2652 wrote to memory of 2588	2652	{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe	41
PID 2652 wrote to memory of 2588	2652	{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe	41
PID 2652 wrote to memory of 2588	2652	{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe	41
PID 2652 wrote to memory of 2588	2652	{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe	41
PID 2536 wrote to memory of 3000	2536	{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe	42
PID 2536 wrote to memory of 3000	2536	{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe	42
PID 2536 wrote to memory of 3000	2536	{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe	42
PID 2536 wrote to memory of 3000	2536	{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe	42
PID 2536 wrote to memory of 648	2536	{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe	43
PID 2536 wrote to memory of 648	2536	{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe	43
PID 2536 wrote to memory of 648	2536	{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe	43
PID 2536 wrote to memory of 648	2536	{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe	43
PID 3000 wrote to memory of 572	3000	{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe	44
PID 3000 wrote to memory of 572	3000	{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe	44
PID 3000 wrote to memory of 572	3000	{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe	44
PID 3000 wrote to memory of 572	3000	{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe	44
PID 3000 wrote to memory of 2032	3000	{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe	45
PID 3000 wrote to memory of 2032	3000	{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe	45
PID 3000 wrote to memory of 2032	3000	{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe	45
PID 3000 wrote to memory of 2032	3000	{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_f48e0cd81aa9dca2437067d8b4b14e83_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe
  C:\Windows\{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe
    C:\Windows\{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe
      C:\Windows\{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Windows\{8AD75C74-3812-4185-B856-706637081411}.exe
        
        C:\Windows\{8AD75C74-3812-4185-B856-706637081411}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe
        
        C:\Windows\{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe
        
        C:\Windows\{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe
        
        C:\Windows\{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{B0A8754B-B7A6-48f7-8F8E-2E3E16A45F8A}.exe
        
        C:\Windows\{B0A8754B-B7A6-48f7-8F8E-2E3E16A45F8A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\{242C323D-EB53-4583-BB80-0EEE60789454}.exe
        
        C:\Windows\{242C323D-EB53-4583-BB80-0EEE60789454}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Windows\{57025CD0-7E12-4132-AB6E-2B6BDBAFA000}.exe
        
        C:\Windows\{57025CD0-7E12-4132-AB6E-2B6BDBAFA000}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\{03FA2599-B9D6-44ea-AEBF-A00A67D5E2EE}.exe
        
        C:\Windows\{03FA2599-B9D6-44ea-AEBF-A00A67D5E2EE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
        
        C:\Windows\{C15ACECB-3CE4-40df-99CB-F14E4B9F54DF}.exe
        
        C:\Windows\{C15ACECB-3CE4-40df-99CB-F14E4B9F54DF}.exe
        13⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03FA2~1.EXE > nul
        13⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57025~1.EXE > nul
        12⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{242C3~1.EXE > nul
        11⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0A87~1.EXE > nul
        10⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC668~1.EXE > nul
        9⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7676A~1.EXE > nul
        8⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5509B~1.EXE > nul
        7⤵
        
        PID:2588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AD75~1.EXE > nul
        6⤵
        
        PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F562F~1.EXE > nul
        5⤵
        
        PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F0AF0~1.EXE > nul
      4⤵
      PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{241B3~1.EXE > nul
    3⤵
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03FA2599-B9D6-44ea-AEBF-A00A67D5E2EE}.exe

Filesize
380KB

MD5
931f063f3b66eacbb7d8fd68b5d8a0b3

SHA1
85ada1b298ebe2f1e48e0319633e55a4eb2d13a2

SHA256
8d931e3cb66c4f5c1cc38ca37a1e64cca8a2dbddcb25fdcfeed8c1d3e6909565

SHA512
5d264b8f2740b03ca8efa1957dc92b454e17219fd953e44477373bbe9c760ed7bea41e79142e38e7ba83f907468c7aa4fa9932e82683260acc1185a8dbbe3939

Download Submit
C:\Windows\{03FA2599-B9D6-44ea-AEBF-A00A67D5E2EE}.exe

Filesize
380KB

MD5
931f063f3b66eacbb7d8fd68b5d8a0b3

SHA1
85ada1b298ebe2f1e48e0319633e55a4eb2d13a2

SHA256
8d931e3cb66c4f5c1cc38ca37a1e64cca8a2dbddcb25fdcfeed8c1d3e6909565

SHA512
5d264b8f2740b03ca8efa1957dc92b454e17219fd953e44477373bbe9c760ed7bea41e79142e38e7ba83f907468c7aa4fa9932e82683260acc1185a8dbbe3939

Download Submit
C:\Windows\{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe

Filesize
380KB

MD5
db7390653914c763aee39c8751b4553f

SHA1
dedb105e7bf4997d92256fc914edcf3ef593f817

SHA256
e9db6ff4ea8de8c176a79eab402691d5797422057ee5bca7ce8ba578ddd0196e

SHA512
a4e6cd25e244e2fe7b3a074cab4143aa16707e23ad0d514c95677711386ec9f3b5975175c740a33ae467b69273c4bcc5592f394a08a0c915b31f9c3fdc261159

Download Submit
C:\Windows\{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe

Filesize
380KB

MD5
db7390653914c763aee39c8751b4553f

SHA1
dedb105e7bf4997d92256fc914edcf3ef593f817

SHA256
e9db6ff4ea8de8c176a79eab402691d5797422057ee5bca7ce8ba578ddd0196e

SHA512
a4e6cd25e244e2fe7b3a074cab4143aa16707e23ad0d514c95677711386ec9f3b5975175c740a33ae467b69273c4bcc5592f394a08a0c915b31f9c3fdc261159

Download Submit
C:\Windows\{241B329F-20AD-4f86-B10E-51A8B4244B78}.exe

Filesize
380KB

MD5
db7390653914c763aee39c8751b4553f

SHA1
dedb105e7bf4997d92256fc914edcf3ef593f817

SHA256
e9db6ff4ea8de8c176a79eab402691d5797422057ee5bca7ce8ba578ddd0196e

SHA512
a4e6cd25e244e2fe7b3a074cab4143aa16707e23ad0d514c95677711386ec9f3b5975175c740a33ae467b69273c4bcc5592f394a08a0c915b31f9c3fdc261159

Download Submit
C:\Windows\{242C323D-EB53-4583-BB80-0EEE60789454}.exe

Filesize
380KB

MD5
4ef2b32514a406c87fc928edeb4ddce2

SHA1
72506538215e825889f092da71b1f3b592e0389f

SHA256
ed69d816de6510bcff5b17d1037c4152a6b4a0433313c945602f7ff1f9519a89

SHA512
5c7f4729cf624fa686e4974b55da071a67e47e237edd24520bdcbead62397ff0a368691315d0ff725c5f845c9cdcd8dbbb6fa4f54d2e9ba2d0de053776f7672a

Download Submit
C:\Windows\{242C323D-EB53-4583-BB80-0EEE60789454}.exe

Filesize
380KB

MD5
4ef2b32514a406c87fc928edeb4ddce2

SHA1
72506538215e825889f092da71b1f3b592e0389f

SHA256
ed69d816de6510bcff5b17d1037c4152a6b4a0433313c945602f7ff1f9519a89

SHA512
5c7f4729cf624fa686e4974b55da071a67e47e237edd24520bdcbead62397ff0a368691315d0ff725c5f845c9cdcd8dbbb6fa4f54d2e9ba2d0de053776f7672a

Download Submit
C:\Windows\{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe

Filesize
380KB

MD5
67d2fd7d97f45cc5b82f50abee0ee2c1

SHA1
1b933dc185652caee4fa37332b31c462db3c7286

SHA256
b8b09848b207826fbc4f9eb73b2b6f9b3945ca1a9eb9d523fc007f9d75431bf9

SHA512
3c9279e8090adf33c6173375b0205279064b8e9c9f1dcfd81101533e86a27999173aa608c7fd075a72eacb76d5e862c3aca54373c3fb4e43f9988a4b6ad12725

Download Submit
C:\Windows\{5509B050-AB0F-415c-9B4F-2A568CC16CA6}.exe

Filesize
380KB

MD5
67d2fd7d97f45cc5b82f50abee0ee2c1

SHA1
1b933dc185652caee4fa37332b31c462db3c7286

SHA256
b8b09848b207826fbc4f9eb73b2b6f9b3945ca1a9eb9d523fc007f9d75431bf9

SHA512
3c9279e8090adf33c6173375b0205279064b8e9c9f1dcfd81101533e86a27999173aa608c7fd075a72eacb76d5e862c3aca54373c3fb4e43f9988a4b6ad12725

Download Submit
C:\Windows\{57025CD0-7E12-4132-AB6E-2B6BDBAFA000}.exe

Filesize
380KB

MD5
b571cca07f8a8f2c551137a7e57bec10

SHA1
4550d9ab8f0391e23ac9ed5631eb0bcfaa1de2d2

SHA256
f40c7112d09f979888b3d475036cf5d9df0d521ce325f0ba04445b9937e4773c

SHA512
be2037ebdc298fe19908426b8e2a56b113234b6c1d9c62f137a17e8f235416a8326d36fcf5eb15148168c1d76928a47fbfc15e147d814cd9263def2495a6bee7

Download Submit
C:\Windows\{57025CD0-7E12-4132-AB6E-2B6BDBAFA000}.exe

Filesize
380KB

MD5
b571cca07f8a8f2c551137a7e57bec10

SHA1
4550d9ab8f0391e23ac9ed5631eb0bcfaa1de2d2

SHA256
f40c7112d09f979888b3d475036cf5d9df0d521ce325f0ba04445b9937e4773c

SHA512
be2037ebdc298fe19908426b8e2a56b113234b6c1d9c62f137a17e8f235416a8326d36fcf5eb15148168c1d76928a47fbfc15e147d814cd9263def2495a6bee7

Download Submit
C:\Windows\{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe

Filesize
380KB

MD5
5b0c829fc0b5126b1b2c7f00501abd7a

SHA1
5f2ad5baf3ef51fcd5ac86cbfad41140d7eb99fc

SHA256
585f15a70fc4533a0bc78bd3c0e176a4f076b7efe18e2ad72b208698346b12e4

SHA512
31539e9674fbf23d903ea91b8a12added03224d2fbbf351ff49a6b4cec84dfeb083c7dfccf29b53af76d545676ea8868b3a1bebf5eb16702668a4f45c62261bf

Download Submit
C:\Windows\{7676A444-5A51-43f4-9A30-D1CE7625ACA4}.exe

Filesize
380KB

MD5
5b0c829fc0b5126b1b2c7f00501abd7a

SHA1
5f2ad5baf3ef51fcd5ac86cbfad41140d7eb99fc

SHA256
585f15a70fc4533a0bc78bd3c0e176a4f076b7efe18e2ad72b208698346b12e4

SHA512
31539e9674fbf23d903ea91b8a12added03224d2fbbf351ff49a6b4cec84dfeb083c7dfccf29b53af76d545676ea8868b3a1bebf5eb16702668a4f45c62261bf

Download Submit
C:\Windows\{8AD75C74-3812-4185-B856-706637081411}.exe

Filesize
380KB

MD5
b68ee34bbffd11bb073221ad855b1479

SHA1
26052a25b94946dabfb8d6b0f8f03cc839261c7e

SHA256
d030d4217ab4cf020ddb046958d3f238d459df4712e567ec40b031599690029b

SHA512
b46693c5fdefe9dd68fce7ada5c25311577fb7edba23eb9e1ba3df4c28b774edf060ff71710a37a300fb1c9790da5686fc7ed6b573bd05452d82cbec763c6ee7

Download Submit
C:\Windows\{8AD75C74-3812-4185-B856-706637081411}.exe

Filesize
380KB

MD5
b68ee34bbffd11bb073221ad855b1479

SHA1
26052a25b94946dabfb8d6b0f8f03cc839261c7e

SHA256
d030d4217ab4cf020ddb046958d3f238d459df4712e567ec40b031599690029b

SHA512
b46693c5fdefe9dd68fce7ada5c25311577fb7edba23eb9e1ba3df4c28b774edf060ff71710a37a300fb1c9790da5686fc7ed6b573bd05452d82cbec763c6ee7

Download Submit
C:\Windows\{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe

Filesize
380KB

MD5
8e8ea4f6c7369e5bc09443affed18833

SHA1
cc10ee2d342f0d9929ba01e2ee5865f02a6d7ebd

SHA256
e18546e3f06676878764e0053c23d5c4da74c0c7801c2c69362c5db1faced9b7

SHA512
9fbd12e8b74fe6ea373485609aaa2b90c7d43eb417e144e37d8980d0dcc749f7e6cf3fbfdf525cb045ae9cae1627b4390b0a59f73686740723fdca59afc6fbcd

Download Submit
C:\Windows\{AC6680CA-2DFF-47cf-B314-FFBDB5C27B6C}.exe

Filesize
380KB

MD5
8e8ea4f6c7369e5bc09443affed18833

SHA1
cc10ee2d342f0d9929ba01e2ee5865f02a6d7ebd

SHA256
e18546e3f06676878764e0053c23d5c4da74c0c7801c2c69362c5db1faced9b7

SHA512
9fbd12e8b74fe6ea373485609aaa2b90c7d43eb417e144e37d8980d0dcc749f7e6cf3fbfdf525cb045ae9cae1627b4390b0a59f73686740723fdca59afc6fbcd

Download Submit
C:\Windows\{B0A8754B-B7A6-48f7-8F8E-2E3E16A45F8A}.exe

Filesize
380KB

MD5
c1880b69233f46bdd113ef2aaf2a93a8

SHA1
7a9c5c1d65414d0f8050fe452143ac8cbf88e314

SHA256
3434a3ea4010d9cb9c492d77604fcc9623e5d4d7c1565afa6398945816fc58db

SHA512
0cbe36e7c1ffcc840ddf0813f636bec55e722f9dd5e8b86676b1ec6224c1037a5ec2356f30027a9a2c552598dc70b0de7507ed468a216edbb42b9c6069fcc782

Download Submit
C:\Windows\{B0A8754B-B7A6-48f7-8F8E-2E3E16A45F8A}.exe

Filesize
380KB

MD5
c1880b69233f46bdd113ef2aaf2a93a8

SHA1
7a9c5c1d65414d0f8050fe452143ac8cbf88e314

SHA256
3434a3ea4010d9cb9c492d77604fcc9623e5d4d7c1565afa6398945816fc58db

SHA512
0cbe36e7c1ffcc840ddf0813f636bec55e722f9dd5e8b86676b1ec6224c1037a5ec2356f30027a9a2c552598dc70b0de7507ed468a216edbb42b9c6069fcc782

Download Submit
C:\Windows\{C15ACECB-3CE4-40df-99CB-F14E4B9F54DF}.exe

Filesize
380KB

MD5
13dec17142c3b5ef2cd1b420ef90335e

SHA1
5ea818056342faf106d5b943f4d8b854058452e3

SHA256
7f938ec14cddcde9814440b6725f75cbf6be7447d981a78c202936507849a965

SHA512
f9e48894b560e17d241dab09432170cba3499d053929b239d91b9feceb6a390bbf702da2cd6b2a7f84317903efde82c4976afa8d614384f6f5c81e1560324924

Download Submit
C:\Windows\{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe

Filesize
380KB

MD5
49d772f8fbb69bc89b004932c2cfdcfb

SHA1
24d9dacb06fa63ef4b918823baf3206cb483a95b

SHA256
64d9e3e4720a1f8d771df2cfc7da517262c1f20f81b03a95290ab55b22e4dc89

SHA512
1f1ef8400abb5044a9384eb02bf11037bcab3d1a0a47613dbeb8bc33af6b554390bcc7c7eaef0166ede052ea3b2edc378be7631911739b20df6cf110520970f5

Download Submit
C:\Windows\{F0AF0884-E522-4036-AF4F-9C397C204A92}.exe

Filesize
380KB

MD5
49d772f8fbb69bc89b004932c2cfdcfb

SHA1
24d9dacb06fa63ef4b918823baf3206cb483a95b

SHA256
64d9e3e4720a1f8d771df2cfc7da517262c1f20f81b03a95290ab55b22e4dc89

SHA512
1f1ef8400abb5044a9384eb02bf11037bcab3d1a0a47613dbeb8bc33af6b554390bcc7c7eaef0166ede052ea3b2edc378be7631911739b20df6cf110520970f5

Download Submit
C:\Windows\{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe

Filesize
380KB

MD5
25658832fadb15732c25218419ea91ee

SHA1
92e830b68ecfad5199181ac68105e67042564f5d

SHA256
b40948c777b286f8f4441bc137aa7923bdaa800ca42da38ba487c0c4cf9fa3c9

SHA512
f2af5ff2eca5136d498117a2f7f7da7c2f3d5f2e425c9e7140e57010a40be5464fa2ce782a5f4ef68512a23ac7d59675ee04ea44e663ba0469c5cbfedda3e4fb

Download Submit
C:\Windows\{F562FF2B-3E3C-4e04-A143-200F844F6C22}.exe

Filesize
380KB

MD5
25658832fadb15732c25218419ea91ee

SHA1
92e830b68ecfad5199181ac68105e67042564f5d

SHA256
b40948c777b286f8f4441bc137aa7923bdaa800ca42da38ba487c0c4cf9fa3c9

SHA512
f2af5ff2eca5136d498117a2f7f7da7c2f3d5f2e425c9e7140e57010a40be5464fa2ce782a5f4ef68512a23ac7d59675ee04ea44e663ba0469c5cbfedda3e4fb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads