ebd80508ef73e48298b2c797407c1daf1fc964321a71a6319c9e9a7faae980be

Analysis

max time kernel
169s
max time network
140s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 15:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe
Size

380KB
MD5

725eb2ae7e39241349cc3a3828801505
SHA1

f062100e623e9011edf497cd42dcc290988ff080
SHA256

ebd80508ef73e48298b2c797407c1daf1fc964321a71a6319c9e9a7faae980be
SHA512

292cc3f675633ccadcfe3a1b759ef85dafa4b39d97be3b2299636d31232bfc873229f40379257680df4cdbb258883238e08c57de3863141f7eb947de864c85a4
SSDEEP

3072:mEGh0ohlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGfl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B270E63-C930-47d5-B856-3085E83F79DE}	{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF76D7DE-9B2A-4622-AD3A-11676B1F6369}\stubpath = "C:\\Windows\\{BF76D7DE-9B2A-4622-AD3A-11676B1F6369}.exe"	{17D90091-C34B-40d9-A40F-866E835720E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}	{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}	{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6A046E6-0090-488b-BBB4-DA44D3ADD8AD}	{DC79C45A-AA4F-4ccb-97F0-4B676C58A60A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17D90091-C34B-40d9-A40F-866E835720E1}	{A6A046E6-0090-488b-BBB4-DA44D3ADD8AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C986350-2C46-4b41-9DA8-B75D800E9368}\stubpath = "C:\\Windows\\{9C986350-2C46-4b41-9DA8-B75D800E9368}.exe"	{BF76D7DE-9B2A-4622-AD3A-11676B1F6369}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6071B3B-1437-4784-A8B5-F1BA5792A239}\stubpath = "C:\\Windows\\{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe"	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD636BB9-800B-4d06-AB4D-46303A36DE65}	{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E96BF64-5EFF-4010-977E-DF3644D37489}	{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}\stubpath = "C:\\Windows\\{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe"	{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}\stubpath = "C:\\Windows\\{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe"	{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6A046E6-0090-488b-BBB4-DA44D3ADD8AD}\stubpath = "C:\\Windows\\{A6A046E6-0090-488b-BBB4-DA44D3ADD8AD}.exe"	{DC79C45A-AA4F-4ccb-97F0-4B676C58A60A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17D90091-C34B-40d9-A40F-866E835720E1}\stubpath = "C:\\Windows\\{17D90091-C34B-40d9-A40F-866E835720E1}.exe"	{A6A046E6-0090-488b-BBB4-DA44D3ADD8AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF76D7DE-9B2A-4622-AD3A-11676B1F6369}	{17D90091-C34B-40d9-A40F-866E835720E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6071B3B-1437-4784-A8B5-F1BA5792A239}	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD636BB9-800B-4d06-AB4D-46303A36DE65}\stubpath = "C:\\Windows\\{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe"	{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}	{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C986350-2C46-4b41-9DA8-B75D800E9368}	{BF76D7DE-9B2A-4622-AD3A-11676B1F6369}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC79C45A-AA4F-4ccb-97F0-4B676C58A60A}	{6B270E63-C930-47d5-B856-3085E83F79DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC79C45A-AA4F-4ccb-97F0-4B676C58A60A}\stubpath = "C:\\Windows\\{DC79C45A-AA4F-4ccb-97F0-4B676C58A60A}.exe"	{6B270E63-C930-47d5-B856-3085E83F79DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E96BF64-5EFF-4010-977E-DF3644D37489}\stubpath = "C:\\Windows\\{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe"	{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}\stubpath = "C:\\Windows\\{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe"	{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B270E63-C930-47d5-B856-3085E83F79DE}\stubpath = "C:\\Windows\\{6B270E63-C930-47d5-B856-3085E83F79DE}.exe"	{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe

Deletes itself 1 IoCs

pid	Process
1640	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2748	{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe
2548	{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe
2624	{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe
2568	{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe
2820	{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe
528	{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe
324	{6B270E63-C930-47d5-B856-3085E83F79DE}.exe
2056	{DC79C45A-AA4F-4ccb-97F0-4B676C58A60A}.exe
1208	{A6A046E6-0090-488b-BBB4-DA44D3ADD8AD}.exe
2752	{17D90091-C34B-40d9-A40F-866E835720E1}.exe
760	{BF76D7DE-9B2A-4622-AD3A-11676B1F6369}.exe
1096	{9C986350-2C46-4b41-9DA8-B75D800E9368}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A6A046E6-0090-488b-BBB4-DA44D3ADD8AD}.exe	{DC79C45A-AA4F-4ccb-97F0-4B676C58A60A}.exe
File created	C:\Windows\{17D90091-C34B-40d9-A40F-866E835720E1}.exe	{A6A046E6-0090-488b-BBB4-DA44D3ADD8AD}.exe
File created	C:\Windows\{BF76D7DE-9B2A-4622-AD3A-11676B1F6369}.exe	{17D90091-C34B-40d9-A40F-866E835720E1}.exe
File created	C:\Windows\{9C986350-2C46-4b41-9DA8-B75D800E9368}.exe	{BF76D7DE-9B2A-4622-AD3A-11676B1F6369}.exe
File created	C:\Windows\{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe	{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe
File created	C:\Windows\{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe	{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe
File created	C:\Windows\{DC79C45A-AA4F-4ccb-97F0-4B676C58A60A}.exe	{6B270E63-C930-47d5-B856-3085E83F79DE}.exe
File created	C:\Windows\{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe	{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe
File created	C:\Windows\{6B270E63-C930-47d5-B856-3085E83F79DE}.exe	{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe
File created	C:\Windows\{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe
File created	C:\Windows\{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe	{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe
File created	C:\Windows\{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe	{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1352	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2748	{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe
Token: SeIncBasePriorityPrivilege	2548	{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe
Token: SeIncBasePriorityPrivilege	2624	{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe
Token: SeIncBasePriorityPrivilege	2568	{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe
Token: SeIncBasePriorityPrivilege	2820	{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe
Token: SeIncBasePriorityPrivilege	528	{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe
Token: SeIncBasePriorityPrivilege	324	{6B270E63-C930-47d5-B856-3085E83F79DE}.exe
Token: SeIncBasePriorityPrivilege	2056	{DC79C45A-AA4F-4ccb-97F0-4B676C58A60A}.exe
Token: SeIncBasePriorityPrivilege	1208	{A6A046E6-0090-488b-BBB4-DA44D3ADD8AD}.exe
Token: SeIncBasePriorityPrivilege	2752	{17D90091-C34B-40d9-A40F-866E835720E1}.exe
Token: SeIncBasePriorityPrivilege	760	{BF76D7DE-9B2A-4622-AD3A-11676B1F6369}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2748	1352	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe	29
PID 1352 wrote to memory of 2748	1352	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe	29
PID 1352 wrote to memory of 2748	1352	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe	29
PID 1352 wrote to memory of 2748	1352	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe	29
PID 1352 wrote to memory of 1640	1352	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe	30
PID 1352 wrote to memory of 1640	1352	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe	30
PID 1352 wrote to memory of 1640	1352	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe	30
PID 1352 wrote to memory of 1640	1352	NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe	30
PID 2748 wrote to memory of 2548	2748	{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe	31
PID 2748 wrote to memory of 2548	2748	{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe	31
PID 2748 wrote to memory of 2548	2748	{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe	31
PID 2748 wrote to memory of 2548	2748	{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe	31
PID 2748 wrote to memory of 2840	2748	{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe	32
PID 2748 wrote to memory of 2840	2748	{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe	32
PID 2748 wrote to memory of 2840	2748	{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe	32
PID 2748 wrote to memory of 2840	2748	{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe	32
PID 2548 wrote to memory of 2624	2548	{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe	34
PID 2548 wrote to memory of 2624	2548	{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe	34
PID 2548 wrote to memory of 2624	2548	{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe	34
PID 2548 wrote to memory of 2624	2548	{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe	34
PID 2548 wrote to memory of 2508	2548	{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe	33
PID 2548 wrote to memory of 2508	2548	{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe	33
PID 2548 wrote to memory of 2508	2548	{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe	33
PID 2548 wrote to memory of 2508	2548	{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe	33
PID 2624 wrote to memory of 2568	2624	{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe	36
PID 2624 wrote to memory of 2568	2624	{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe	36
PID 2624 wrote to memory of 2568	2624	{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe	36
PID 2624 wrote to memory of 2568	2624	{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe	36
PID 2624 wrote to memory of 1804	2624	{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe	35
PID 2624 wrote to memory of 1804	2624	{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe	35
PID 2624 wrote to memory of 1804	2624	{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe	35
PID 2624 wrote to memory of 1804	2624	{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe	35
PID 2568 wrote to memory of 2820	2568	{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe	38
PID 2568 wrote to memory of 2820	2568	{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe	38
PID 2568 wrote to memory of 2820	2568	{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe	38
PID 2568 wrote to memory of 2820	2568	{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe	38
PID 2568 wrote to memory of 3032	2568	{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe	37
PID 2568 wrote to memory of 3032	2568	{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe	37
PID 2568 wrote to memory of 3032	2568	{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe	37
PID 2568 wrote to memory of 3032	2568	{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe	37
PID 2820 wrote to memory of 528	2820	{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe	40
PID 2820 wrote to memory of 528	2820	{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe	40
PID 2820 wrote to memory of 528	2820	{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe	40
PID 2820 wrote to memory of 528	2820	{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe	40
PID 2820 wrote to memory of 584	2820	{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe	39
PID 2820 wrote to memory of 584	2820	{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe	39
PID 2820 wrote to memory of 584	2820	{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe	39
PID 2820 wrote to memory of 584	2820	{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe	39
PID 528 wrote to memory of 324	528	{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe	42
PID 528 wrote to memory of 324	528	{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe	42
PID 528 wrote to memory of 324	528	{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe	42
PID 528 wrote to memory of 324	528	{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe	42
PID 528 wrote to memory of 3036	528	{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe	41
PID 528 wrote to memory of 3036	528	{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe	41
PID 528 wrote to memory of 3036	528	{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe	41
PID 528 wrote to memory of 3036	528	{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe	41
PID 324 wrote to memory of 2056	324	{6B270E63-C930-47d5-B856-3085E83F79DE}.exe	44
PID 324 wrote to memory of 2056	324	{6B270E63-C930-47d5-B856-3085E83F79DE}.exe	44
PID 324 wrote to memory of 2056	324	{6B270E63-C930-47d5-B856-3085E83F79DE}.exe	44
PID 324 wrote to memory of 2056	324	{6B270E63-C930-47d5-B856-3085E83F79DE}.exe	44
PID 324 wrote to memory of 1632	324	{6B270E63-C930-47d5-B856-3085E83F79DE}.exe	43
PID 324 wrote to memory of 1632	324	{6B270E63-C930-47d5-B856-3085E83F79DE}.exe	43
PID 324 wrote to memory of 1632	324	{6B270E63-C930-47d5-B856-3085E83F79DE}.exe	43
PID 324 wrote to memory of 1632	324	{6B270E63-C930-47d5-B856-3085E83F79DE}.exe	43

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_725eb2ae7e39241349cc3a3828801505_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe
  C:\Windows\{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe
    C:\Windows\{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CD636~1.EXE > nul
      4⤵
      PID:2508
  - - C:\Windows\{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe
      C:\Windows\{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDE01~1.EXE > nul
        5⤵
        
        PID:1804
    - - C:\Windows\{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe
        
        C:\Windows\{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E96B~1.EXE > nul
        6⤵
        
        PID:3032
      - C:\Windows\{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe
        
        C:\Windows\{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ACD3~1.EXE > nul
        7⤵
        
        PID:584
        
        C:\Windows\{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe
        
        C:\Windows\{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D83B~1.EXE > nul
        8⤵
        
        PID:3036
        
        C:\Windows\{6B270E63-C930-47d5-B856-3085E83F79DE}.exe
        
        C:\Windows\{6B270E63-C930-47d5-B856-3085E83F79DE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B270~1.EXE > nul
        9⤵
        
        PID:1632
        
        C:\Windows\{DC79C45A-AA4F-4ccb-97F0-4B676C58A60A}.exe
        
        C:\Windows\{DC79C45A-AA4F-4ccb-97F0-4B676C58A60A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC79C~1.EXE > nul
        10⤵
        
        PID:1060
        
        C:\Windows\{A6A046E6-0090-488b-BBB4-DA44D3ADD8AD}.exe
        
        C:\Windows\{A6A046E6-0090-488b-BBB4-DA44D3ADD8AD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6A04~1.EXE > nul
        11⤵
        
        PID:1068
        
        C:\Windows\{17D90091-C34B-40d9-A40F-866E835720E1}.exe
        
        C:\Windows\{17D90091-C34B-40d9-A40F-866E835720E1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\{BF76D7DE-9B2A-4622-AD3A-11676B1F6369}.exe
        
        C:\Windows\{BF76D7DE-9B2A-4622-AD3A-11676B1F6369}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF76D~1.EXE > nul
        13⤵
        
        PID:1216
        
        C:\Windows\{9C986350-2C46-4b41-9DA8-B75D800E9368}.exe
        
        C:\Windows\{9C986350-2C46-4b41-9DA8-B75D800E9368}.exe
        13⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17D90~1.EXE > nul
        12⤵
        
        PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D6071~1.EXE > nul
    3⤵
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17D90091-C34B-40d9-A40F-866E835720E1}.exe

Filesize
380KB

MD5
c4f0affdd0618e36a8ce3832cc118a12

SHA1
6cc173637c0d22936af4a1c93023e91f3ed0dd64

SHA256
793e2b1943bf768e15fa101d61a202c4821e60903734c85564bff6ee643839aa

SHA512
6b990da44a427bf6676b30be3c77932e495db53ab0706808c3ca9a72aa6ca1eb76067b6714eb5583c1d8bb5b54887918024f9d7dc1648de9c0d9e39dc25b55a8

Download Submit
C:\Windows\{17D90091-C34B-40d9-A40F-866E835720E1}.exe

Filesize
380KB

MD5
c4f0affdd0618e36a8ce3832cc118a12

SHA1
6cc173637c0d22936af4a1c93023e91f3ed0dd64

SHA256
793e2b1943bf768e15fa101d61a202c4821e60903734c85564bff6ee643839aa

SHA512
6b990da44a427bf6676b30be3c77932e495db53ab0706808c3ca9a72aa6ca1eb76067b6714eb5583c1d8bb5b54887918024f9d7dc1648de9c0d9e39dc25b55a8

Download Submit
C:\Windows\{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe

Filesize
380KB

MD5
665ce0717ae552cf055b363585974c42

SHA1
b1ca723ab35fb39a41a47ea04bd4d526adf0c756

SHA256
e51c010b7df89ccf213ec056ba9a1719aba6b25cea62f10b346dea3599c9123f

SHA512
753ed65c21ae56221836156e348dc150c85a8f6a568b3b6eab56dc5769691503e4b1b63b10c34418d7ff094c172c166294ab66e78fefda00ce7d38ae0ef96170

Download Submit
C:\Windows\{2E96BF64-5EFF-4010-977E-DF3644D37489}.exe

Filesize
380KB

MD5
665ce0717ae552cf055b363585974c42

SHA1
b1ca723ab35fb39a41a47ea04bd4d526adf0c756

SHA256
e51c010b7df89ccf213ec056ba9a1719aba6b25cea62f10b346dea3599c9123f

SHA512
753ed65c21ae56221836156e348dc150c85a8f6a568b3b6eab56dc5769691503e4b1b63b10c34418d7ff094c172c166294ab66e78fefda00ce7d38ae0ef96170

Download Submit
C:\Windows\{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe

Filesize
380KB

MD5
b983fc1acb7d8868adbc35f760430a10

SHA1
7d6f50d188b922be9a02e02ebbdc76d9a3462920

SHA256
0bf8cd4aac760c2134d2c2dcacd0fc0d06c545e4c02033ce08c30e314e9bf06d

SHA512
d5b689faa9270b545735ae9240dfe5c3146e1e3a2c8bb3246b0a5b66f2b3f6055a81251a01a29e489cd89f6a216acb0f5727ac63905f1283088d6a982cda99a2

Download Submit
C:\Windows\{5D83BEAB-EC7D-4fcc-9439-5D4A3319BB90}.exe

Filesize
380KB

MD5
b983fc1acb7d8868adbc35f760430a10

SHA1
7d6f50d188b922be9a02e02ebbdc76d9a3462920

SHA256
0bf8cd4aac760c2134d2c2dcacd0fc0d06c545e4c02033ce08c30e314e9bf06d

SHA512
d5b689faa9270b545735ae9240dfe5c3146e1e3a2c8bb3246b0a5b66f2b3f6055a81251a01a29e489cd89f6a216acb0f5727ac63905f1283088d6a982cda99a2

Download Submit
C:\Windows\{6B270E63-C930-47d5-B856-3085E83F79DE}.exe

Filesize
380KB

MD5
dea1685e2bd1978cea5f5e4ba20201cf

SHA1
ddbdbaf23d80af574ecec0f61379b0196c2e90c7

SHA256
b8272bbac3d5ae6f211c88c485aaa81f7942202535c240a8f4e03291cd0e5aed

SHA512
75c3e27108664afaefc63bda9ebe03092294e332475c37ce1b6f259cb0438852e3851dc0b82b283cb0c44cbcce94151d9847eac74a9bd643d9f6e4455bbddec5

Download Submit
C:\Windows\{6B270E63-C930-47d5-B856-3085E83F79DE}.exe

Filesize
380KB

MD5
dea1685e2bd1978cea5f5e4ba20201cf

SHA1
ddbdbaf23d80af574ecec0f61379b0196c2e90c7

SHA256
b8272bbac3d5ae6f211c88c485aaa81f7942202535c240a8f4e03291cd0e5aed

SHA512
75c3e27108664afaefc63bda9ebe03092294e332475c37ce1b6f259cb0438852e3851dc0b82b283cb0c44cbcce94151d9847eac74a9bd643d9f6e4455bbddec5

Download Submit
C:\Windows\{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe

Filesize
380KB

MD5
69235efa86df03c1be9b6ab95c6d9b7d

SHA1
cd6156d3598ad05db9b15c12f60e7aa3a91183a4

SHA256
ab85cdb7943d2e1145ba4d3a4238c4c467535ab0a065ceb7c3622043c61d5869

SHA512
245bf84f6abd20d1c0b3800220039e7ece5c7bef26385af9f099d149b16e26ed3a8d21c75d5fe4e7f60784b8b6b0bed3809596d8d6db528d27a424a2e8406c52

Download Submit
C:\Windows\{7ACD3A72-CDA3-4f75-A862-DE26083A1F27}.exe

Filesize
380KB

MD5
69235efa86df03c1be9b6ab95c6d9b7d

SHA1
cd6156d3598ad05db9b15c12f60e7aa3a91183a4

SHA256
ab85cdb7943d2e1145ba4d3a4238c4c467535ab0a065ceb7c3622043c61d5869

SHA512
245bf84f6abd20d1c0b3800220039e7ece5c7bef26385af9f099d149b16e26ed3a8d21c75d5fe4e7f60784b8b6b0bed3809596d8d6db528d27a424a2e8406c52

Download Submit
C:\Windows\{9C986350-2C46-4b41-9DA8-B75D800E9368}.exe

Filesize
380KB

MD5
d7cfae0e1fa425573f7f713f3180c4a3

SHA1
6b9cbea4635d4e457def76477cce269c2654a76a

SHA256
7da62543a3dc95df2d7859a56aef8a05929a69fb8569a01e85aad3897409fb9a

SHA512
36361209a79ab6e39707ce48b8fe90f3bcef3f786a1128cf21b283a1c61c5d2f99c7cefb43ae95d921a0cba1642728475bd27170edeb9ff7424e2e93c6418a19

Download Submit
C:\Windows\{A6A046E6-0090-488b-BBB4-DA44D3ADD8AD}.exe

Filesize
380KB

MD5
a3a93d9e8a400290407a83aba767bf5b

SHA1
52fccbcdbe5defe79d1c1d5ad783f329e5bfd3fe

SHA256
0f04dbefb8e29f6af1bd09cc28c7146a98ccb878569d13f348ff2770461f6ac8

SHA512
f0c198de3a1477394a98c91d16823aeb6e197aed553d5e307e9f12c00b5eeb629da78b0f67c07973b7593373d7f4590e070c83c43ff010da41c9cab9a6b024ad

Download Submit
C:\Windows\{A6A046E6-0090-488b-BBB4-DA44D3ADD8AD}.exe

Filesize
380KB

MD5
a3a93d9e8a400290407a83aba767bf5b

SHA1
52fccbcdbe5defe79d1c1d5ad783f329e5bfd3fe

SHA256
0f04dbefb8e29f6af1bd09cc28c7146a98ccb878569d13f348ff2770461f6ac8

SHA512
f0c198de3a1477394a98c91d16823aeb6e197aed553d5e307e9f12c00b5eeb629da78b0f67c07973b7593373d7f4590e070c83c43ff010da41c9cab9a6b024ad

Download Submit
C:\Windows\{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe

Filesize
380KB

MD5
f72f3e91bf3f5618d40394af09d1c6cc

SHA1
e41c96aa6c57e337159a707b7f0419d68092a649

SHA256
76668e0180de4cfa3afc05c04ed2b24eb2276a099a8163962767241eeabc6144

SHA512
4282b9054efebf18d5d8f959f8e544653d5cdb65a3e8ac0db1151a3444046b6fd5904b5b3d04d82e0d02e7e5dad47dbbe4dc59aa129b9b5740f1cce1328b7966

Download Submit
C:\Windows\{BDE01EE0-57D1-4563-95AD-B9B11D2CC704}.exe

Filesize
380KB

MD5
f72f3e91bf3f5618d40394af09d1c6cc

SHA1
e41c96aa6c57e337159a707b7f0419d68092a649

SHA256
76668e0180de4cfa3afc05c04ed2b24eb2276a099a8163962767241eeabc6144

SHA512
4282b9054efebf18d5d8f959f8e544653d5cdb65a3e8ac0db1151a3444046b6fd5904b5b3d04d82e0d02e7e5dad47dbbe4dc59aa129b9b5740f1cce1328b7966

Download Submit
C:\Windows\{BF76D7DE-9B2A-4622-AD3A-11676B1F6369}.exe

Filesize
380KB

MD5
9d8a45422a545aecd6670a843c4037fa

SHA1
0bf9ca6f787aaf6b06d6e3125998540aeb32a359

SHA256
a1ba381f7632ea8108c75d4f44414da706db8ea2d167466f440fdeba797b76f6

SHA512
31ea1e7081376af71bd26b1ba2bb43917b549078d689366e39ba8441903a11f530e1c40423140635cf42ede2d25544887f2f4658cf3f82c7b57fdce85b047122

Download Submit
C:\Windows\{BF76D7DE-9B2A-4622-AD3A-11676B1F6369}.exe

Filesize
380KB

MD5
9d8a45422a545aecd6670a843c4037fa

SHA1
0bf9ca6f787aaf6b06d6e3125998540aeb32a359

SHA256
a1ba381f7632ea8108c75d4f44414da706db8ea2d167466f440fdeba797b76f6

SHA512
31ea1e7081376af71bd26b1ba2bb43917b549078d689366e39ba8441903a11f530e1c40423140635cf42ede2d25544887f2f4658cf3f82c7b57fdce85b047122

Download Submit
C:\Windows\{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe

Filesize
380KB

MD5
6524bff859d5c1a0f4d951b383b756e3

SHA1
90498716ed4c1a8b77ad0584ff9f4fa2b1192ca6

SHA256
39cc0e5212c4cf92ebfa63d8b0f4f8d7d8f77afaf254f03809331d70b7406267

SHA512
0135c2d48965538a7601ca80de93db4685319b123346d48a6039d6854ff4cc4b264003fcc5d2cdaab90024214bfb89dfcb3095e04d3545c75f61ed7a46a131b0

Download Submit
C:\Windows\{CD636BB9-800B-4d06-AB4D-46303A36DE65}.exe

Filesize
380KB

MD5
6524bff859d5c1a0f4d951b383b756e3

SHA1
90498716ed4c1a8b77ad0584ff9f4fa2b1192ca6

SHA256
39cc0e5212c4cf92ebfa63d8b0f4f8d7d8f77afaf254f03809331d70b7406267

SHA512
0135c2d48965538a7601ca80de93db4685319b123346d48a6039d6854ff4cc4b264003fcc5d2cdaab90024214bfb89dfcb3095e04d3545c75f61ed7a46a131b0

Download Submit
C:\Windows\{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe

Filesize
380KB

MD5
a057fdf93eba387584f8997236a44575

SHA1
2c680c058ae960323b778a6583278e5b1933f7e6

SHA256
d7c127638bcd7fe5b41a74f61591fd8a6be8451176ef8ba682a48bc1e0e1ba7a

SHA512
ed7041d68ad2634f415c1e4b3f07842e1b95ccf0cc3b226b0f7d3bf0ed712ed8dbad5dc6a16a7c11f8b4a6acc82113b1274528c672c2eebb78a385e05a6071ed

Download Submit
C:\Windows\{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe

Filesize
380KB

MD5
a057fdf93eba387584f8997236a44575

SHA1
2c680c058ae960323b778a6583278e5b1933f7e6

SHA256
d7c127638bcd7fe5b41a74f61591fd8a6be8451176ef8ba682a48bc1e0e1ba7a

SHA512
ed7041d68ad2634f415c1e4b3f07842e1b95ccf0cc3b226b0f7d3bf0ed712ed8dbad5dc6a16a7c11f8b4a6acc82113b1274528c672c2eebb78a385e05a6071ed

Download Submit
C:\Windows\{D6071B3B-1437-4784-A8B5-F1BA5792A239}.exe

Filesize
380KB

MD5
a057fdf93eba387584f8997236a44575

SHA1
2c680c058ae960323b778a6583278e5b1933f7e6

SHA256
d7c127638bcd7fe5b41a74f61591fd8a6be8451176ef8ba682a48bc1e0e1ba7a

SHA512
ed7041d68ad2634f415c1e4b3f07842e1b95ccf0cc3b226b0f7d3bf0ed712ed8dbad5dc6a16a7c11f8b4a6acc82113b1274528c672c2eebb78a385e05a6071ed

Download Submit
C:\Windows\{DC79C45A-AA4F-4ccb-97F0-4B676C58A60A}.exe

Filesize
380KB

MD5
1483d5701f0954857923bdce8c14d172

SHA1
e4187c1147f47257ca810c7e4332fff6526dcc17

SHA256
01d4aa683cb492ab88550d53a31757bc2456635d11b1a9ab6fd69cbdb28712dd

SHA512
00b13018b61fac394b4234093c32e9aa853c5f139e85a26c65ce3072f3abda72fd5a56c1399dfe4d3f5aea8867280dd22a6aea8cefdf817875399dfd464804c4

Download Submit
C:\Windows\{DC79C45A-AA4F-4ccb-97F0-4B676C58A60A}.exe

Filesize
380KB

MD5
1483d5701f0954857923bdce8c14d172

SHA1
e4187c1147f47257ca810c7e4332fff6526dcc17

SHA256
01d4aa683cb492ab88550d53a31757bc2456635d11b1a9ab6fd69cbdb28712dd

SHA512
00b13018b61fac394b4234093c32e9aa853c5f139e85a26c65ce3072f3abda72fd5a56c1399dfe4d3f5aea8867280dd22a6aea8cefdf817875399dfd464804c4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads