91232345b2d8062a0fb23370e1c07d2db136b435444523c8a0ec897b28443ef6

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 15:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-28_96d1c58a844c6ab70e4adbbb3e93a4d9_goldeneye_JC.exe
Size

168KB
MD5

96d1c58a844c6ab70e4adbbb3e93a4d9
SHA1

816cf71ce12f3231ba1a5607c15690c11b64fdbe
SHA256

91232345b2d8062a0fb23370e1c07d2db136b435444523c8a0ec897b28443ef6
SHA512

16eab8facf3571a2a1b566cbcad9f13a90005edd781885ef4c7c1ee7137bdc751c1868db5a5db078276a607b52e912f5e4fee24d349cae20a2b3e505ea6f30c0
SSDEEP

1536:1EGh0oOlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oOlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}	{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8741C2C-9445-4111-B21E-1DA075511258}	{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D624BA6-8E0A-4ca8-9624-B361E949BD14}\stubpath = "C:\\Windows\\{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe"	{D8741C2C-9445-4111-B21E-1DA075511258}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47372DF9-FE63-4a30-A799-93DCB7FDEF38}	{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{067BE772-5B64-4dc5-923D-536789554912}\stubpath = "C:\\Windows\\{067BE772-5B64-4dc5-923D-536789554912}.exe"	{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93F364BE-4B91-4138-BEF5-3A904F273DB4}	{067BE772-5B64-4dc5-923D-536789554912}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{482E8B0C-C48C-4a60-8624-FF040D085CE4}	{93F364BE-4B91-4138-BEF5-3A904F273DB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A30B8EF-DCD3-4965-805F-74BACAFFB396}	NEAS.2023-09-28_96d1c58a844c6ab70e4adbbb3e93a4d9_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{482E8B0C-C48C-4a60-8624-FF040D085CE4}\stubpath = "C:\\Windows\\{482E8B0C-C48C-4a60-8624-FF040D085CE4}.exe"	{93F364BE-4B91-4138-BEF5-3A904F273DB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}\stubpath = "C:\\Windows\\{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe"	{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{900585CE-4A4E-4158-AC27-AEF30B36CA32}\stubpath = "C:\\Windows\\{900585CE-4A4E-4158-AC27-AEF30B36CA32}.exe"	{BA0C3FEB-33BC-4761-B2FD-B7398BD1DEC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58DAE04D-7835-4031-B9E7-8BE5C407444E}\stubpath = "C:\\Windows\\{58DAE04D-7835-4031-B9E7-8BE5C407444E}.exe"	{900585CE-4A4E-4158-AC27-AEF30B36CA32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}\stubpath = "C:\\Windows\\{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe"	{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA0C3FEB-33BC-4761-B2FD-B7398BD1DEC7}\stubpath = "C:\\Windows\\{BA0C3FEB-33BC-4761-B2FD-B7398BD1DEC7}.exe"	{482E8B0C-C48C-4a60-8624-FF040D085CE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8741C2C-9445-4111-B21E-1DA075511258}\stubpath = "C:\\Windows\\{D8741C2C-9445-4111-B21E-1DA075511258}.exe"	{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D624BA6-8E0A-4ca8-9624-B361E949BD14}	{D8741C2C-9445-4111-B21E-1DA075511258}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47372DF9-FE63-4a30-A799-93DCB7FDEF38}\stubpath = "C:\\Windows\\{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe"	{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}	{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{067BE772-5B64-4dc5-923D-536789554912}	{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93F364BE-4B91-4138-BEF5-3A904F273DB4}\stubpath = "C:\\Windows\\{93F364BE-4B91-4138-BEF5-3A904F273DB4}.exe"	{067BE772-5B64-4dc5-923D-536789554912}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA0C3FEB-33BC-4761-B2FD-B7398BD1DEC7}	{482E8B0C-C48C-4a60-8624-FF040D085CE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{900585CE-4A4E-4158-AC27-AEF30B36CA32}	{BA0C3FEB-33BC-4761-B2FD-B7398BD1DEC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A30B8EF-DCD3-4965-805F-74BACAFFB396}\stubpath = "C:\\Windows\\{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe"	NEAS.2023-09-28_96d1c58a844c6ab70e4adbbb3e93a4d9_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58DAE04D-7835-4031-B9E7-8BE5C407444E}	{900585CE-4A4E-4158-AC27-AEF30B36CA32}.exe

Deletes itself 1 IoCs

pid	Process
2204	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2476	{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe
2824	{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe
1824	{D8741C2C-9445-4111-B21E-1DA075511258}.exe
2572	{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe
3060	{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe
1884	{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe
268	{067BE772-5B64-4dc5-923D-536789554912}.exe
1652	{93F364BE-4B91-4138-BEF5-3A904F273DB4}.exe
2884	{482E8B0C-C48C-4a60-8624-FF040D085CE4}.exe
2848	{BA0C3FEB-33BC-4761-B2FD-B7398BD1DEC7}.exe
2956	{900585CE-4A4E-4158-AC27-AEF30B36CA32}.exe
1288	{58DAE04D-7835-4031-B9E7-8BE5C407444E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{482E8B0C-C48C-4a60-8624-FF040D085CE4}.exe	{93F364BE-4B91-4138-BEF5-3A904F273DB4}.exe
File created	C:\Windows\{900585CE-4A4E-4158-AC27-AEF30B36CA32}.exe	{BA0C3FEB-33BC-4761-B2FD-B7398BD1DEC7}.exe
File created	C:\Windows\{58DAE04D-7835-4031-B9E7-8BE5C407444E}.exe	{900585CE-4A4E-4158-AC27-AEF30B36CA32}.exe
File created	C:\Windows\{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe	NEAS.2023-09-28_96d1c58a844c6ab70e4adbbb3e93a4d9_goldeneye_JC.exe
File created	C:\Windows\{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe	{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe
File created	C:\Windows\{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe	{D8741C2C-9445-4111-B21E-1DA075511258}.exe
File created	C:\Windows\{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe	{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe
File created	C:\Windows\{067BE772-5B64-4dc5-923D-536789554912}.exe	{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe
File created	C:\Windows\{93F364BE-4B91-4138-BEF5-3A904F273DB4}.exe	{067BE772-5B64-4dc5-923D-536789554912}.exe
File created	C:\Windows\{BA0C3FEB-33BC-4761-B2FD-B7398BD1DEC7}.exe	{482E8B0C-C48C-4a60-8624-FF040D085CE4}.exe
File created	C:\Windows\{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe	{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe
File created	C:\Windows\{D8741C2C-9445-4111-B21E-1DA075511258}.exe	{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2136	NEAS.2023-09-28_96d1c58a844c6ab70e4adbbb3e93a4d9_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2476	{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe
Token: SeIncBasePriorityPrivilege	2824	{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe
Token: SeIncBasePriorityPrivilege	1824	{D8741C2C-9445-4111-B21E-1DA075511258}.exe
Token: SeIncBasePriorityPrivilege	2572	{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe
Token: SeIncBasePriorityPrivilege	3060	{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe
Token: SeIncBasePriorityPrivilege	1884	{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe
Token: SeIncBasePriorityPrivilege	268	{067BE772-5B64-4dc5-923D-536789554912}.exe
Token: SeIncBasePriorityPrivilege	1652	{93F364BE-4B91-4138-BEF5-3A904F273DB4}.exe
Token: SeIncBasePriorityPrivilege	2884	{482E8B0C-C48C-4a60-8624-FF040D085CE4}.exe
Token: SeIncBasePriorityPrivilege	2848	{BA0C3FEB-33BC-4761-B2FD-B7398BD1DEC7}.exe
Token: SeIncBasePriorityPrivilege	2956	{900585CE-4A4E-4158-AC27-AEF30B36CA32}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2476	2136	NEAS.2023-09-28_96d1c58a844c6ab70e4adbbb3e93a4d9_goldeneye_JC.exe	28
PID 2136 wrote to memory of 2476	2136	NEAS.2023-09-28_96d1c58a844c6ab70e4adbbb3e93a4d9_goldeneye_JC.exe	28
PID 2136 wrote to memory of 2476	2136	NEAS.2023-09-28_96d1c58a844c6ab70e4adbbb3e93a4d9_goldeneye_JC.exe	28
PID 2136 wrote to memory of 2476	2136	NEAS.2023-09-28_96d1c58a844c6ab70e4adbbb3e93a4d9_goldeneye_JC.exe	28
PID 2136 wrote to memory of 2204	2136	NEAS.2023-09-28_96d1c58a844c6ab70e4adbbb3e93a4d9_goldeneye_JC.exe	29
PID 2136 wrote to memory of 2204	2136	NEAS.2023-09-28_96d1c58a844c6ab70e4adbbb3e93a4d9_goldeneye_JC.exe	29
PID 2136 wrote to memory of 2204	2136	NEAS.2023-09-28_96d1c58a844c6ab70e4adbbb3e93a4d9_goldeneye_JC.exe	29
PID 2136 wrote to memory of 2204	2136	NEAS.2023-09-28_96d1c58a844c6ab70e4adbbb3e93a4d9_goldeneye_JC.exe	29
PID 2476 wrote to memory of 2824	2476	{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe	30
PID 2476 wrote to memory of 2824	2476	{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe	30
PID 2476 wrote to memory of 2824	2476	{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe	30
PID 2476 wrote to memory of 2824	2476	{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe	30
PID 2476 wrote to memory of 2864	2476	{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe	31
PID 2476 wrote to memory of 2864	2476	{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe	31
PID 2476 wrote to memory of 2864	2476	{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe	31
PID 2476 wrote to memory of 2864	2476	{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe	31
PID 2824 wrote to memory of 1824	2824	{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe	34
PID 2824 wrote to memory of 1824	2824	{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe	34
PID 2824 wrote to memory of 1824	2824	{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe	34
PID 2824 wrote to memory of 1824	2824	{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe	34
PID 2824 wrote to memory of 2692	2824	{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe	35
PID 2824 wrote to memory of 2692	2824	{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe	35
PID 2824 wrote to memory of 2692	2824	{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe	35
PID 2824 wrote to memory of 2692	2824	{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe	35
PID 1824 wrote to memory of 2572	1824	{D8741C2C-9445-4111-B21E-1DA075511258}.exe	36
PID 1824 wrote to memory of 2572	1824	{D8741C2C-9445-4111-B21E-1DA075511258}.exe	36
PID 1824 wrote to memory of 2572	1824	{D8741C2C-9445-4111-B21E-1DA075511258}.exe	36
PID 1824 wrote to memory of 2572	1824	{D8741C2C-9445-4111-B21E-1DA075511258}.exe	36
PID 1824 wrote to memory of 2636	1824	{D8741C2C-9445-4111-B21E-1DA075511258}.exe	37
PID 1824 wrote to memory of 2636	1824	{D8741C2C-9445-4111-B21E-1DA075511258}.exe	37
PID 1824 wrote to memory of 2636	1824	{D8741C2C-9445-4111-B21E-1DA075511258}.exe	37
PID 1824 wrote to memory of 2636	1824	{D8741C2C-9445-4111-B21E-1DA075511258}.exe	37
PID 2572 wrote to memory of 3060	2572	{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe	38
PID 2572 wrote to memory of 3060	2572	{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe	38
PID 2572 wrote to memory of 3060	2572	{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe	38
PID 2572 wrote to memory of 3060	2572	{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe	38
PID 2572 wrote to memory of 2056	2572	{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe	39
PID 2572 wrote to memory of 2056	2572	{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe	39
PID 2572 wrote to memory of 2056	2572	{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe	39
PID 2572 wrote to memory of 2056	2572	{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe	39
PID 3060 wrote to memory of 1884	3060	{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe	40
PID 3060 wrote to memory of 1884	3060	{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe	40
PID 3060 wrote to memory of 1884	3060	{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe	40
PID 3060 wrote to memory of 1884	3060	{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe	40
PID 3060 wrote to memory of 580	3060	{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe	41
PID 3060 wrote to memory of 580	3060	{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe	41
PID 3060 wrote to memory of 580	3060	{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe	41
PID 3060 wrote to memory of 580	3060	{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe	41
PID 1884 wrote to memory of 268	1884	{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe	42
PID 1884 wrote to memory of 268	1884	{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe	42
PID 1884 wrote to memory of 268	1884	{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe	42
PID 1884 wrote to memory of 268	1884	{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe	42
PID 1884 wrote to memory of 1276	1884	{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe	43
PID 1884 wrote to memory of 1276	1884	{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe	43
PID 1884 wrote to memory of 1276	1884	{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe	43
PID 1884 wrote to memory of 1276	1884	{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe	43
PID 268 wrote to memory of 1652	268	{067BE772-5B64-4dc5-923D-536789554912}.exe	44
PID 268 wrote to memory of 1652	268	{067BE772-5B64-4dc5-923D-536789554912}.exe	44
PID 268 wrote to memory of 1652	268	{067BE772-5B64-4dc5-923D-536789554912}.exe	44
PID 268 wrote to memory of 1652	268	{067BE772-5B64-4dc5-923D-536789554912}.exe	44
PID 268 wrote to memory of 2776	268	{067BE772-5B64-4dc5-923D-536789554912}.exe	45
PID 268 wrote to memory of 2776	268	{067BE772-5B64-4dc5-923D-536789554912}.exe	45
PID 268 wrote to memory of 2776	268	{067BE772-5B64-4dc5-923D-536789554912}.exe	45
PID 268 wrote to memory of 2776	268	{067BE772-5B64-4dc5-923D-536789554912}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-28_96d1c58a844c6ab70e4adbbb3e93a4d9_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-28_96d1c58a844c6ab70e4adbbb3e93a4d9_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe
  C:\Windows\{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe
    C:\Windows\{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\{D8741C2C-9445-4111-B21E-1DA075511258}.exe
      C:\Windows\{D8741C2C-9445-4111-B21E-1DA075511258}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Windows\{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe
        
        C:\Windows\{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe
        
        C:\Windows\{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe
        
        C:\Windows\{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\{067BE772-5B64-4dc5-923D-536789554912}.exe
        
        C:\Windows\{067BE772-5B64-4dc5-923D-536789554912}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\{93F364BE-4B91-4138-BEF5-3A904F273DB4}.exe
        
        C:\Windows\{93F364BE-4B91-4138-BEF5-3A904F273DB4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\{482E8B0C-C48C-4a60-8624-FF040D085CE4}.exe
        
        C:\Windows\{482E8B0C-C48C-4a60-8624-FF040D085CE4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\{BA0C3FEB-33BC-4761-B2FD-B7398BD1DEC7}.exe
        
        C:\Windows\{BA0C3FEB-33BC-4761-B2FD-B7398BD1DEC7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\{900585CE-4A4E-4158-AC27-AEF30B36CA32}.exe
        
        C:\Windows\{900585CE-4A4E-4158-AC27-AEF30B36CA32}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\{58DAE04D-7835-4031-B9E7-8BE5C407444E}.exe
        
        C:\Windows\{58DAE04D-7835-4031-B9E7-8BE5C407444E}.exe
        13⤵
        Executes dropped EXE
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90058~1.EXE > nul
        13⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA0C3~1.EXE > nul
        12⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{482E8~1.EXE > nul
        11⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93F36~1.EXE > nul
        10⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{067BE~1.EXE > nul
        9⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2CC4~1.EXE > nul
        8⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47372~1.EXE > nul
        7⤵
        
        PID:580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D624~1.EXE > nul
        6⤵
        
        PID:2056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8741~1.EXE > nul
        5⤵
        
        PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{66886~1.EXE > nul
      4⤵
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5A30B~1.EXE > nul
    3⤵
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{067BE772-5B64-4dc5-923D-536789554912}.exe

Filesize
168KB

MD5
e5af2be9ec71838d891def41246e22a0

SHA1
0a9d84ceee9966269b091383c6e59ffe86b18a0a

SHA256
7aca1e5c93780a9e384f4b38bfcdc57363b7a15bbde21d5c9d02037451695961

SHA512
4bb7e80969c2a1af1c09d7bd0ff02b54df8ece94d2b0c8140ba0cc229cc7edf66a09750cf1b48ee20d3e9212e9974eaff07ac8e8a5df2633c5ffb020d9953552

Download Submit
C:\Windows\{067BE772-5B64-4dc5-923D-536789554912}.exe

Filesize
168KB

MD5
e5af2be9ec71838d891def41246e22a0

SHA1
0a9d84ceee9966269b091383c6e59ffe86b18a0a

SHA256
7aca1e5c93780a9e384f4b38bfcdc57363b7a15bbde21d5c9d02037451695961

SHA512
4bb7e80969c2a1af1c09d7bd0ff02b54df8ece94d2b0c8140ba0cc229cc7edf66a09750cf1b48ee20d3e9212e9974eaff07ac8e8a5df2633c5ffb020d9953552

Download Submit
C:\Windows\{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe

Filesize
168KB

MD5
122113cf30fb505bb5959b088d72212e

SHA1
069c3423d323dcbb404479b1ef087cf2b8d9703e

SHA256
585660a2bd4d639f07358a3a1fbdded4252e3ba87fbaae0c9e2aa53783976aa4

SHA512
2fa3e1cff344778c45b44494d182cc7e10551f226e5eda2a149d5d2c44bd5120157af4fb214a9131535394ed5d1ed2902018bfac6075e60cdd88b75572643fdb

Download Submit
C:\Windows\{3D624BA6-8E0A-4ca8-9624-B361E949BD14}.exe

Filesize
168KB

MD5
122113cf30fb505bb5959b088d72212e

SHA1
069c3423d323dcbb404479b1ef087cf2b8d9703e

SHA256
585660a2bd4d639f07358a3a1fbdded4252e3ba87fbaae0c9e2aa53783976aa4

SHA512
2fa3e1cff344778c45b44494d182cc7e10551f226e5eda2a149d5d2c44bd5120157af4fb214a9131535394ed5d1ed2902018bfac6075e60cdd88b75572643fdb

Download Submit
C:\Windows\{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe

Filesize
168KB

MD5
907080e70d3ccfcd19ecaa2d7344f8ae

SHA1
38eea3d540a7f5ef63fd33eba296147d7554adf1

SHA256
c2a58f6b93144a2ba2e72df69dd013cc2ef240e5ee768896a1b15cac2cebceae

SHA512
c6b957a49824e7b0de796da2a53419372aae655b69dbc5c0d14b2363ed69553a0e333a708f318da24d6a1e17209aa310e551d04e710063ca6132054457ed14ef

Download Submit
C:\Windows\{47372DF9-FE63-4a30-A799-93DCB7FDEF38}.exe

Filesize
168KB

MD5
907080e70d3ccfcd19ecaa2d7344f8ae

SHA1
38eea3d540a7f5ef63fd33eba296147d7554adf1

SHA256
c2a58f6b93144a2ba2e72df69dd013cc2ef240e5ee768896a1b15cac2cebceae

SHA512
c6b957a49824e7b0de796da2a53419372aae655b69dbc5c0d14b2363ed69553a0e333a708f318da24d6a1e17209aa310e551d04e710063ca6132054457ed14ef

Download Submit
C:\Windows\{482E8B0C-C48C-4a60-8624-FF040D085CE4}.exe

Filesize
168KB

MD5
e73f8945e85cad2543f97c1407e4f31f

SHA1
0dbe539dd17db6f32f54268fd5db1d326094165a

SHA256
c23d5578b1621807b5070b66f6bfb6285095b8a7844d5f026b76b6df7b0b5799

SHA512
7fa91bd052557ba9023dee4dbce3091570c7fb99153dcf6a3d8be05458061e5c1ab3716ff2423a6047065b00ee460e08521b7a366042bb4d88daba6a6c705d7a

Download Submit
C:\Windows\{482E8B0C-C48C-4a60-8624-FF040D085CE4}.exe

Filesize
168KB

MD5
e73f8945e85cad2543f97c1407e4f31f

SHA1
0dbe539dd17db6f32f54268fd5db1d326094165a

SHA256
c23d5578b1621807b5070b66f6bfb6285095b8a7844d5f026b76b6df7b0b5799

SHA512
7fa91bd052557ba9023dee4dbce3091570c7fb99153dcf6a3d8be05458061e5c1ab3716ff2423a6047065b00ee460e08521b7a366042bb4d88daba6a6c705d7a

Download Submit
C:\Windows\{58DAE04D-7835-4031-B9E7-8BE5C407444E}.exe

Filesize
168KB

MD5
7ff3b6a376ef9c3a5aba42cafb475858

SHA1
a0c666e629aac605c1e15e86877d41d791404c19

SHA256
7cc145f7e77d525fe774e610e68cb3660eb66ba765602608abaf0b4e304c18f9

SHA512
6529ff523d137cdf90ff6b316ac731a8b96447a79c1f194e170fc759f8909ea826e870dc79134f7c00f1aa7a20f5117a1551c16a1795c5f7115f73b6cd647c1b

Download Submit
C:\Windows\{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe

Filesize
168KB

MD5
79124f37c33fbb514639f554959baba1

SHA1
9bf8cc5f3b955f51dc9895ca03ed087ab2199696

SHA256
41155a853b496a389e529a9e3a162bb8d20f4158a212196b00702c0b0b9f0a6a

SHA512
8690681358bdc2d27ce3847c07d5c5f52d7cdf7f243038366ce76ec239b48a36a959b9dc82230c5ff72ffd434a1e64cba1347d8567aba7dd3733572b69b2299e

Download Submit
C:\Windows\{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe

Filesize
168KB

MD5
79124f37c33fbb514639f554959baba1

SHA1
9bf8cc5f3b955f51dc9895ca03ed087ab2199696

SHA256
41155a853b496a389e529a9e3a162bb8d20f4158a212196b00702c0b0b9f0a6a

SHA512
8690681358bdc2d27ce3847c07d5c5f52d7cdf7f243038366ce76ec239b48a36a959b9dc82230c5ff72ffd434a1e64cba1347d8567aba7dd3733572b69b2299e

Download Submit
C:\Windows\{5A30B8EF-DCD3-4965-805F-74BACAFFB396}.exe

Filesize
168KB

MD5
79124f37c33fbb514639f554959baba1

SHA1
9bf8cc5f3b955f51dc9895ca03ed087ab2199696

SHA256
41155a853b496a389e529a9e3a162bb8d20f4158a212196b00702c0b0b9f0a6a

SHA512
8690681358bdc2d27ce3847c07d5c5f52d7cdf7f243038366ce76ec239b48a36a959b9dc82230c5ff72ffd434a1e64cba1347d8567aba7dd3733572b69b2299e

Download Submit
C:\Windows\{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe

Filesize
168KB

MD5
af175665a217d13eb215989115f8ab8f

SHA1
934662b4acaac42b47b9592c7d1ffa3594f2f8ae

SHA256
9ca88cf2ce04df1e440c162b42896575e10f5677121bc01b60c3d915253034eb

SHA512
7833006143b0941e9b1e21175a29ed03b0b5b7c6f088adf0a252c5c43cc1f2510ab0b4d24adeda138f4714b270a47e1fa7786829952c1d3513a7e55e2dc9ce1c

Download Submit
C:\Windows\{66886CFF-A21C-4e7c-8001-3EF767EB2E3F}.exe

Filesize
168KB

MD5
af175665a217d13eb215989115f8ab8f

SHA1
934662b4acaac42b47b9592c7d1ffa3594f2f8ae

SHA256
9ca88cf2ce04df1e440c162b42896575e10f5677121bc01b60c3d915253034eb

SHA512
7833006143b0941e9b1e21175a29ed03b0b5b7c6f088adf0a252c5c43cc1f2510ab0b4d24adeda138f4714b270a47e1fa7786829952c1d3513a7e55e2dc9ce1c

Download Submit
C:\Windows\{900585CE-4A4E-4158-AC27-AEF30B36CA32}.exe

Filesize
168KB

MD5
7c238ab3c4a51f4afb39eee2f29bdbfb

SHA1
39208e3b77446a368df59fa241970a62a2448f35

SHA256
6c74a5c63ba5f628e24b7b4134f11fea1386be591ebfd866edd818c6541fd5ea

SHA512
4d5c7f6334955dc4b29fc24741396751b304c93015c056d1a3b88aa065d28c8b851b54fa532b3ee926ad4c061b651eb9d890636d37f34f208ba3775b204e010d

Download Submit
C:\Windows\{900585CE-4A4E-4158-AC27-AEF30B36CA32}.exe

Filesize
168KB

MD5
7c238ab3c4a51f4afb39eee2f29bdbfb

SHA1
39208e3b77446a368df59fa241970a62a2448f35

SHA256
6c74a5c63ba5f628e24b7b4134f11fea1386be591ebfd866edd818c6541fd5ea

SHA512
4d5c7f6334955dc4b29fc24741396751b304c93015c056d1a3b88aa065d28c8b851b54fa532b3ee926ad4c061b651eb9d890636d37f34f208ba3775b204e010d

Download Submit
C:\Windows\{93F364BE-4B91-4138-BEF5-3A904F273DB4}.exe

Filesize
168KB

MD5
933c476dbe5795004b22562cff4e0e37

SHA1
7077eec2de500985b8e735f8a8cee4bd0ecc794a

SHA256
6b667000d9beb3b7450f7188568f988c3979e4dc1e7db066d6dd5963df4b10ae

SHA512
aad6f1d0bbc1c25d953686b05dce15a133764cabba4db76143d3c9a487ffb9a4c3242da1bc21418947607200fc11da4dd294d0891a71c6495347ec2d7af4fc90

Download Submit
C:\Windows\{93F364BE-4B91-4138-BEF5-3A904F273DB4}.exe

Filesize
168KB

MD5
933c476dbe5795004b22562cff4e0e37

SHA1
7077eec2de500985b8e735f8a8cee4bd0ecc794a

SHA256
6b667000d9beb3b7450f7188568f988c3979e4dc1e7db066d6dd5963df4b10ae

SHA512
aad6f1d0bbc1c25d953686b05dce15a133764cabba4db76143d3c9a487ffb9a4c3242da1bc21418947607200fc11da4dd294d0891a71c6495347ec2d7af4fc90

Download Submit
C:\Windows\{BA0C3FEB-33BC-4761-B2FD-B7398BD1DEC7}.exe

Filesize
168KB

MD5
a113aa85884f5d4a88ec584f0856b253

SHA1
67c134dd1253bd0357b9272006732a5805d4abb3

SHA256
8a944a4e850b0f27146796f6e022547547d042cd464ac3c40e6bb20c048dcf33

SHA512
b937451d4d326d0885cfa2b53d5994852d6d71619d49b020d3f91bcde02d81d27263325b229d7a588b3c0aea4c7cf10e55555d7a49dc6f2460575b5cacc500a5

Download Submit
C:\Windows\{BA0C3FEB-33BC-4761-B2FD-B7398BD1DEC7}.exe

Filesize
168KB

MD5
a113aa85884f5d4a88ec584f0856b253

SHA1
67c134dd1253bd0357b9272006732a5805d4abb3

SHA256
8a944a4e850b0f27146796f6e022547547d042cd464ac3c40e6bb20c048dcf33

SHA512
b937451d4d326d0885cfa2b53d5994852d6d71619d49b020d3f91bcde02d81d27263325b229d7a588b3c0aea4c7cf10e55555d7a49dc6f2460575b5cacc500a5

Download Submit
C:\Windows\{D8741C2C-9445-4111-B21E-1DA075511258}.exe

Filesize
168KB

MD5
972cc06f70fd4a92108ba76829e7c339

SHA1
9416616750304a39483114b8765c285365b49880

SHA256
ad46c2890beb1c9253302c30d9ac2ea957278ae9c676f8a39139780d27c85e1f

SHA512
8d98cec50eb29aa7b3989a8c9146cec69839d2047de09b9edf34cb843cd043d2fd935982f962e00ecae129dfe32c5c71f909ed6d8c5101eed56488ee11d095db

Download Submit
C:\Windows\{D8741C2C-9445-4111-B21E-1DA075511258}.exe

Filesize
168KB

MD5
972cc06f70fd4a92108ba76829e7c339

SHA1
9416616750304a39483114b8765c285365b49880

SHA256
ad46c2890beb1c9253302c30d9ac2ea957278ae9c676f8a39139780d27c85e1f

SHA512
8d98cec50eb29aa7b3989a8c9146cec69839d2047de09b9edf34cb843cd043d2fd935982f962e00ecae129dfe32c5c71f909ed6d8c5101eed56488ee11d095db

Download Submit
C:\Windows\{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe

Filesize
168KB

MD5
34faf2c613a9e1a95acbe22c2dff8afa

SHA1
8c0761244eaf1116d10a7020d2fc8577d34ba303

SHA256
e740089ea38a7e42813a92ef7a958b1297451e6997bfb40f19d604e518c7c546

SHA512
972f27af82976794615ab40ee40ef2b7def8588eb52cca3bf0f803151676b043454fdb704bdcf0378754403d4ed5361aa3fc70821625607f0385147b0d6f5a38

Download Submit
C:\Windows\{E2CC4342-FBA0-4d92-B0C8-B8C7E06E9BCD}.exe

Filesize
168KB

MD5
34faf2c613a9e1a95acbe22c2dff8afa

SHA1
8c0761244eaf1116d10a7020d2fc8577d34ba303

SHA256
e740089ea38a7e42813a92ef7a958b1297451e6997bfb40f19d604e518c7c546

SHA512
972f27af82976794615ab40ee40ef2b7def8588eb52cca3bf0f803151676b043454fdb704bdcf0378754403d4ed5361aa3fc70821625607f0385147b0d6f5a38

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads