35e956347367c16452e62a78cd4727adcec5a3a2f9b55c7d50fb6e1c95677f49

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
06/11/2023, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe
Size

168KB
MD5

e4135739ecf0793970ab3b43497f591c
SHA1

809c0ca61247735186b6cf488a15d600453f6803
SHA256

35e956347367c16452e62a78cd4727adcec5a3a2f9b55c7d50fb6e1c95677f49
SHA512

b03cc13c1fe8f6bc2d132990b38ee03494a1c59bbfbfcdb17fefe43fb8ccb4b4eb8944d0d03b09e3ae0b66c3ca2f2a2c7f383c046ada46a59092c0ded7ed64d5
SSDEEP

1536:1EGh0oKli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oKliOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}	{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}	{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{766B14FE-6466-4fb6-8C0B-617077F23AF9}	{93F14860-8E5C-464f-90C4-789484157BEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2903B541-A449-4fe2-9533-90C03C885C5B}	{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBD39D39-47D8-4e52-B8A9-EF0A2687F5BB}	{FF07CE63-A4E7-488c-BC1B-8F17B3AA548B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{700B9D75-2C9F-4868-9739-33C9BDA604C3}	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93F14860-8E5C-464f-90C4-789484157BEF}\stubpath = "C:\\Windows\\{93F14860-8E5C-464f-90C4-789484157BEF}.exe"	{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}	{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2903B541-A449-4fe2-9533-90C03C885C5B}\stubpath = "C:\\Windows\\{2903B541-A449-4fe2-9533-90C03C885C5B}.exe"	{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF07CE63-A4E7-488c-BC1B-8F17B3AA548B}\stubpath = "C:\\Windows\\{FF07CE63-A4E7-488c-BC1B-8F17B3AA548B}.exe"	{2903B541-A449-4fe2-9533-90C03C885C5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBD39D39-47D8-4e52-B8A9-EF0A2687F5BB}\stubpath = "C:\\Windows\\{CBD39D39-47D8-4e52-B8A9-EF0A2687F5BB}.exe"	{FF07CE63-A4E7-488c-BC1B-8F17B3AA548B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}\stubpath = "C:\\Windows\\{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe"	{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A889D043-0AED-42f9-A3CF-5FE5A12459AD}	{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A889D043-0AED-42f9-A3CF-5FE5A12459AD}\stubpath = "C:\\Windows\\{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe"	{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}\stubpath = "C:\\Windows\\{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe"	{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{766B14FE-6466-4fb6-8C0B-617077F23AF9}\stubpath = "C:\\Windows\\{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe"	{93F14860-8E5C-464f-90C4-789484157BEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}\stubpath = "C:\\Windows\\{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe"	{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF07CE63-A4E7-488c-BC1B-8F17B3AA548B}	{2903B541-A449-4fe2-9533-90C03C885C5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5CDAF24-F297-4112-A140-6DD14AC8181C}	{CBD39D39-47D8-4e52-B8A9-EF0A2687F5BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{700B9D75-2C9F-4868-9739-33C9BDA604C3}\stubpath = "C:\\Windows\\{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe"	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5CDAF24-F297-4112-A140-6DD14AC8181C}\stubpath = "C:\\Windows\\{B5CDAF24-F297-4112-A140-6DD14AC8181C}.exe"	{CBD39D39-47D8-4e52-B8A9-EF0A2687F5BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93F14860-8E5C-464f-90C4-789484157BEF}	{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe

Deletes itself 1 IoCs

pid	Process
2580	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1532	{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe
2636	{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe
2864	{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe
2536	{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe
2560	{93F14860-8E5C-464f-90C4-789484157BEF}.exe
2040	{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe
2400	{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe
2868	{2903B541-A449-4fe2-9533-90C03C885C5B}.exe
596	{FF07CE63-A4E7-488c-BC1B-8F17B3AA548B}.exe
2752	{CBD39D39-47D8-4e52-B8A9-EF0A2687F5BB}.exe
1184	{B5CDAF24-F297-4112-A140-6DD14AC8181C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe
File created	C:\Windows\{93F14860-8E5C-464f-90C4-789484157BEF}.exe	{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe
File created	C:\Windows\{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe	{93F14860-8E5C-464f-90C4-789484157BEF}.exe
File created	C:\Windows\{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe	{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe
File created	C:\Windows\{2903B541-A449-4fe2-9533-90C03C885C5B}.exe	{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe
File created	C:\Windows\{FF07CE63-A4E7-488c-BC1B-8F17B3AA548B}.exe	{2903B541-A449-4fe2-9533-90C03C885C5B}.exe
File created	C:\Windows\{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe	{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe
File created	C:\Windows\{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe	{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe
File created	C:\Windows\{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe	{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe
File created	C:\Windows\{CBD39D39-47D8-4e52-B8A9-EF0A2687F5BB}.exe	{FF07CE63-A4E7-488c-BC1B-8F17B3AA548B}.exe
File created	C:\Windows\{B5CDAF24-F297-4112-A140-6DD14AC8181C}.exe	{CBD39D39-47D8-4e52-B8A9-EF0A2687F5BB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2188	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1532	{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe
Token: SeIncBasePriorityPrivilege	2636	{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe
Token: SeIncBasePriorityPrivilege	2864	{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe
Token: SeIncBasePriorityPrivilege	2536	{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe
Token: SeIncBasePriorityPrivilege	2560	{93F14860-8E5C-464f-90C4-789484157BEF}.exe
Token: SeIncBasePriorityPrivilege	2040	{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe
Token: SeIncBasePriorityPrivilege	2400	{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe
Token: SeIncBasePriorityPrivilege	2868	{2903B541-A449-4fe2-9533-90C03C885C5B}.exe
Token: SeIncBasePriorityPrivilege	596	{FF07CE63-A4E7-488c-BC1B-8F17B3AA548B}.exe
Token: SeIncBasePriorityPrivilege	2752	{CBD39D39-47D8-4e52-B8A9-EF0A2687F5BB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1532	2188	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe	28
PID 2188 wrote to memory of 1532	2188	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe	28
PID 2188 wrote to memory of 1532	2188	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe	28
PID 2188 wrote to memory of 1532	2188	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe	28
PID 2188 wrote to memory of 2580	2188	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe	29
PID 2188 wrote to memory of 2580	2188	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe	29
PID 2188 wrote to memory of 2580	2188	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe	29
PID 2188 wrote to memory of 2580	2188	NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe	29
PID 1532 wrote to memory of 2636	1532	{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe	30
PID 1532 wrote to memory of 2636	1532	{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe	30
PID 1532 wrote to memory of 2636	1532	{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe	30
PID 1532 wrote to memory of 2636	1532	{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe	30
PID 1532 wrote to memory of 2704	1532	{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe	31
PID 1532 wrote to memory of 2704	1532	{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe	31
PID 1532 wrote to memory of 2704	1532	{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe	31
PID 1532 wrote to memory of 2704	1532	{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe	31
PID 2636 wrote to memory of 2864	2636	{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe	34
PID 2636 wrote to memory of 2864	2636	{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe	34
PID 2636 wrote to memory of 2864	2636	{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe	34
PID 2636 wrote to memory of 2864	2636	{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe	34
PID 2636 wrote to memory of 2216	2636	{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe	35
PID 2636 wrote to memory of 2216	2636	{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe	35
PID 2636 wrote to memory of 2216	2636	{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe	35
PID 2636 wrote to memory of 2216	2636	{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe	35
PID 2864 wrote to memory of 2536	2864	{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe	36
PID 2864 wrote to memory of 2536	2864	{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe	36
PID 2864 wrote to memory of 2536	2864	{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe	36
PID 2864 wrote to memory of 2536	2864	{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe	36
PID 2864 wrote to memory of 2492	2864	{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe	37
PID 2864 wrote to memory of 2492	2864	{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe	37
PID 2864 wrote to memory of 2492	2864	{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe	37
PID 2864 wrote to memory of 2492	2864	{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe	37
PID 2536 wrote to memory of 2560	2536	{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe	38
PID 2536 wrote to memory of 2560	2536	{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe	38
PID 2536 wrote to memory of 2560	2536	{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe	38
PID 2536 wrote to memory of 2560	2536	{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe	38
PID 2536 wrote to memory of 3000	2536	{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe	39
PID 2536 wrote to memory of 3000	2536	{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe	39
PID 2536 wrote to memory of 3000	2536	{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe	39
PID 2536 wrote to memory of 3000	2536	{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe	39
PID 2560 wrote to memory of 2040	2560	{93F14860-8E5C-464f-90C4-789484157BEF}.exe	40
PID 2560 wrote to memory of 2040	2560	{93F14860-8E5C-464f-90C4-789484157BEF}.exe	40
PID 2560 wrote to memory of 2040	2560	{93F14860-8E5C-464f-90C4-789484157BEF}.exe	40
PID 2560 wrote to memory of 2040	2560	{93F14860-8E5C-464f-90C4-789484157BEF}.exe	40
PID 2560 wrote to memory of 2472	2560	{93F14860-8E5C-464f-90C4-789484157BEF}.exe	41
PID 2560 wrote to memory of 2472	2560	{93F14860-8E5C-464f-90C4-789484157BEF}.exe	41
PID 2560 wrote to memory of 2472	2560	{93F14860-8E5C-464f-90C4-789484157BEF}.exe	41
PID 2560 wrote to memory of 2472	2560	{93F14860-8E5C-464f-90C4-789484157BEF}.exe	41
PID 2040 wrote to memory of 2400	2040	{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe	42
PID 2040 wrote to memory of 2400	2040	{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe	42
PID 2040 wrote to memory of 2400	2040	{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe	42
PID 2040 wrote to memory of 2400	2040	{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe	42
PID 2040 wrote to memory of 2768	2040	{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe	43
PID 2040 wrote to memory of 2768	2040	{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe	43
PID 2040 wrote to memory of 2768	2040	{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe	43
PID 2040 wrote to memory of 2768	2040	{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe	43
PID 2400 wrote to memory of 2868	2400	{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe	44
PID 2400 wrote to memory of 2868	2400	{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe	44
PID 2400 wrote to memory of 2868	2400	{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe	44
PID 2400 wrote to memory of 2868	2400	{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe	44
PID 2400 wrote to memory of 2968	2400	{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe	45
PID 2400 wrote to memory of 2968	2400	{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe	45
PID 2400 wrote to memory of 2968	2400	{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe	45
PID 2400 wrote to memory of 2968	2400	{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-26_e4135739ecf0793970ab3b43497f591c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe
  C:\Windows\{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe
    C:\Windows\{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe
      C:\Windows\{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe
        
        C:\Windows\{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\{93F14860-8E5C-464f-90C4-789484157BEF}.exe
        
        C:\Windows\{93F14860-8E5C-464f-90C4-789484157BEF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe
        
        C:\Windows\{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe
        
        C:\Windows\{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\{2903B541-A449-4fe2-9533-90C03C885C5B}.exe
        
        C:\Windows\{2903B541-A449-4fe2-9533-90C03C885C5B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2903B~1.EXE > nul
        10⤵
        
        PID:268
        
        C:\Windows\{FF07CE63-A4E7-488c-BC1B-8F17B3AA548B}.exe
        
        C:\Windows\{FF07CE63-A4E7-488c-BC1B-8F17B3AA548B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
        
        C:\Windows\{CBD39D39-47D8-4e52-B8A9-EF0A2687F5BB}.exe
        
        C:\Windows\{CBD39D39-47D8-4e52-B8A9-EF0A2687F5BB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\{B5CDAF24-F297-4112-A140-6DD14AC8181C}.exe
        
        C:\Windows\{B5CDAF24-F297-4112-A140-6DD14AC8181C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBD39~1.EXE > nul
        12⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF07C~1.EXE > nul
        11⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{962FE~1.EXE > nul
        9⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{766B1~1.EXE > nul
        8⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93F14~1.EXE > nul
        7⤵
        
        PID:2472
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24E9C~1.EXE > nul
        6⤵
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5B9F~1.EXE > nul
        5⤵
        
        PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A889D~1.EXE > nul
      4⤵
      PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{700B9~1.EXE > nul
    3⤵
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe

Filesize
168KB

MD5
d96d578dcae5db4350535512d70f983a

SHA1
17b7e96f5a26cd99bbbf0adb9761c3dc6db092ee

SHA256
37d590e4dec8c8f4e55ffa1da6a424581f730160f4e5d4961d649031e12c6866

SHA512
80163da6b281b5b9aa12a3ff94ae80f8690f2b8f76fc4ad34dd27f8e4c0949de754190a9f4cb834a2feb17729ac6264c2f008d0106002eaeb275e3655c84811f

Download Submit
C:\Windows\{24E9CC42-BFD2-46bd-91C7-E50C3C1D27AF}.exe

Filesize
168KB

MD5
d96d578dcae5db4350535512d70f983a

SHA1
17b7e96f5a26cd99bbbf0adb9761c3dc6db092ee

SHA256
37d590e4dec8c8f4e55ffa1da6a424581f730160f4e5d4961d649031e12c6866

SHA512
80163da6b281b5b9aa12a3ff94ae80f8690f2b8f76fc4ad34dd27f8e4c0949de754190a9f4cb834a2feb17729ac6264c2f008d0106002eaeb275e3655c84811f

Download Submit
C:\Windows\{2903B541-A449-4fe2-9533-90C03C885C5B}.exe

Filesize
168KB

MD5
a827f860270e9dd02609eb96ead14250

SHA1
58817f08c49f95aab3aab451cb5b73cf663ed0d9

SHA256
c4e1008e31085ad14cbe200d08824b1819281ad78cb7f129fad0c9f59d55d250

SHA512
77f40669d9268d143fe7b33a171f80e26084a6d84bd9c7904504f22c8c59c0b2733efdd654048bdee6dbc90cd081db1b4d0769a679903cee691e38cb95e2fea5

Download Submit
C:\Windows\{2903B541-A449-4fe2-9533-90C03C885C5B}.exe

Filesize
168KB

MD5
a827f860270e9dd02609eb96ead14250

SHA1
58817f08c49f95aab3aab451cb5b73cf663ed0d9

SHA256
c4e1008e31085ad14cbe200d08824b1819281ad78cb7f129fad0c9f59d55d250

SHA512
77f40669d9268d143fe7b33a171f80e26084a6d84bd9c7904504f22c8c59c0b2733efdd654048bdee6dbc90cd081db1b4d0769a679903cee691e38cb95e2fea5

Download Submit
C:\Windows\{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe

Filesize
168KB

MD5
f1d7d1c8d8ac272f266519032eda5a67

SHA1
e829e562346a061106a1c3602868e6f67342f1df

SHA256
f9626af56d1b9e77a908b6203fd64cc53abfdbd324bdce5b0367ab7640f60155

SHA512
6e96946b0b76d71699222aeec36dd6df225524ef50545306b0b5d5920e067a0e71df655f449afc2164ebe9c0e78fec5f79eca596dc0c6edbd8944843b946adbd

Download Submit
C:\Windows\{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe

Filesize
168KB

MD5
f1d7d1c8d8ac272f266519032eda5a67

SHA1
e829e562346a061106a1c3602868e6f67342f1df

SHA256
f9626af56d1b9e77a908b6203fd64cc53abfdbd324bdce5b0367ab7640f60155

SHA512
6e96946b0b76d71699222aeec36dd6df225524ef50545306b0b5d5920e067a0e71df655f449afc2164ebe9c0e78fec5f79eca596dc0c6edbd8944843b946adbd

Download Submit
C:\Windows\{700B9D75-2C9F-4868-9739-33C9BDA604C3}.exe

Filesize
168KB

MD5
f1d7d1c8d8ac272f266519032eda5a67

SHA1
e829e562346a061106a1c3602868e6f67342f1df

SHA256
f9626af56d1b9e77a908b6203fd64cc53abfdbd324bdce5b0367ab7640f60155

SHA512
6e96946b0b76d71699222aeec36dd6df225524ef50545306b0b5d5920e067a0e71df655f449afc2164ebe9c0e78fec5f79eca596dc0c6edbd8944843b946adbd

Download Submit
C:\Windows\{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe

Filesize
168KB

MD5
b8d8da3c6fb38d5af3007e3a44b8ed6d

SHA1
d283fb16465addd84297e230b45b0fe1fe6652eb

SHA256
e96f50840545643863e90596b2977e0bbd64be2c1767d1ac9aca52befd0cf7a1

SHA512
a35ad8eb0a94d47c58cb6e0f57ec6247548ca139a24402fe4d7eafbb60394b06816a589b2596021a977e91978e42a0a5e03529d20645238ee1ac783481f2131d

Download Submit
C:\Windows\{766B14FE-6466-4fb6-8C0B-617077F23AF9}.exe

Filesize
168KB

MD5
b8d8da3c6fb38d5af3007e3a44b8ed6d

SHA1
d283fb16465addd84297e230b45b0fe1fe6652eb

SHA256
e96f50840545643863e90596b2977e0bbd64be2c1767d1ac9aca52befd0cf7a1

SHA512
a35ad8eb0a94d47c58cb6e0f57ec6247548ca139a24402fe4d7eafbb60394b06816a589b2596021a977e91978e42a0a5e03529d20645238ee1ac783481f2131d

Download Submit
C:\Windows\{93F14860-8E5C-464f-90C4-789484157BEF}.exe

Filesize
168KB

MD5
a1528964761a73e9fde4ee70ed26d439

SHA1
8ae3d7c6c34f68a59ab4db39cdc88b2105977795

SHA256
646177a267d5c8cc3b214bab1afa1f1e29590760137141639132cabd66c5dec1

SHA512
21595833cbbd49686c9afd817ba6ab5d2afe189a2dca14d31865acfd575911841cfe90c2b786bb340ec277afe76dafe3aec23975a06080739618cad14c540de3

Download Submit
C:\Windows\{93F14860-8E5C-464f-90C4-789484157BEF}.exe

Filesize
168KB

MD5
a1528964761a73e9fde4ee70ed26d439

SHA1
8ae3d7c6c34f68a59ab4db39cdc88b2105977795

SHA256
646177a267d5c8cc3b214bab1afa1f1e29590760137141639132cabd66c5dec1

SHA512
21595833cbbd49686c9afd817ba6ab5d2afe189a2dca14d31865acfd575911841cfe90c2b786bb340ec277afe76dafe3aec23975a06080739618cad14c540de3

Download Submit
C:\Windows\{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe

Filesize
168KB

MD5
bd9bdac5ff49d8f128e12ad5ce87eff9

SHA1
d1453e89b61449e41f135c7903007d57992402e6

SHA256
aca05294cab4645bc5fbbae1c4fd7e7f7dd4f1c192155877684aeca36848e4b4

SHA512
dcc064f52c4603c4cf0c5c0a7d71e5a2a8aa93f3749c8c056fcdd649e2a66cb28ba4128fbad691fb51ce56c7c2e079796e4cf689856f53069e05d3e0d59fea2e

Download Submit
C:\Windows\{962FE871-D4F7-47c8-BBE9-D5E6AAD5B915}.exe

Filesize
168KB

MD5
bd9bdac5ff49d8f128e12ad5ce87eff9

SHA1
d1453e89b61449e41f135c7903007d57992402e6

SHA256
aca05294cab4645bc5fbbae1c4fd7e7f7dd4f1c192155877684aeca36848e4b4

SHA512
dcc064f52c4603c4cf0c5c0a7d71e5a2a8aa93f3749c8c056fcdd649e2a66cb28ba4128fbad691fb51ce56c7c2e079796e4cf689856f53069e05d3e0d59fea2e

Download Submit
C:\Windows\{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe

Filesize
168KB

MD5
f91a947b6c56e7504d15289492d2baed

SHA1
9d8f933d67469aac2b4a88bdce24659f5e4dae74

SHA256
33d79d2031fdc7fa9b8866c2308a9911fdb8ab41dad3375a17cf1b46b99f16fd

SHA512
1ebe3b43b32e94906d9fa0c7691b2277d5d8db45cdba3e0a4567cdc878d116e9d237b8bff15bfe4e8e352f85bec155f2bfd4664945b2d8fb10b7774351608026

Download Submit
C:\Windows\{A889D043-0AED-42f9-A3CF-5FE5A12459AD}.exe

Filesize
168KB

MD5
f91a947b6c56e7504d15289492d2baed

SHA1
9d8f933d67469aac2b4a88bdce24659f5e4dae74

SHA256
33d79d2031fdc7fa9b8866c2308a9911fdb8ab41dad3375a17cf1b46b99f16fd

SHA512
1ebe3b43b32e94906d9fa0c7691b2277d5d8db45cdba3e0a4567cdc878d116e9d237b8bff15bfe4e8e352f85bec155f2bfd4664945b2d8fb10b7774351608026

Download Submit
C:\Windows\{B5CDAF24-F297-4112-A140-6DD14AC8181C}.exe

Filesize
168KB

MD5
e8973f960d8d94e3699ea3be92f5634b

SHA1
ffd95d528edb84250d6960d67cc5b24b469752f9

SHA256
914daa7c3a479a2372c64144c23bdc5b65ec2bf146391f446af2cc7d83525f74

SHA512
2c93da41de2024ed6d158c0bb4a278975264ca18d6ff0f71a0e5dbe73055dd112a35eb6ba970fe4651d670efa445d0035f13f159b23039c364c0bf7584e5f4d6

Download Submit
C:\Windows\{CBD39D39-47D8-4e52-B8A9-EF0A2687F5BB}.exe

Filesize
168KB

MD5
cfe19ab75d140fa73fc843ff1cced644

SHA1
fa1987bb5f236a66ccbb128b8d54f5867fbc5a76

SHA256
65a5485964640efa25b6c300db142bddd8f22331373fd933901a61250c356dd9

SHA512
5480e0878adbd3c87232321902c6791b7030d9789817f67738fbef410b6517235d275e6cc1ae4120ce10a7d230268455e5b563a6b9444ecc971cc4785f4504bf

Download Submit
C:\Windows\{CBD39D39-47D8-4e52-B8A9-EF0A2687F5BB}.exe

Filesize
168KB

MD5
cfe19ab75d140fa73fc843ff1cced644

SHA1
fa1987bb5f236a66ccbb128b8d54f5867fbc5a76

SHA256
65a5485964640efa25b6c300db142bddd8f22331373fd933901a61250c356dd9

SHA512
5480e0878adbd3c87232321902c6791b7030d9789817f67738fbef410b6517235d275e6cc1ae4120ce10a7d230268455e5b563a6b9444ecc971cc4785f4504bf

Download Submit
C:\Windows\{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe

Filesize
168KB

MD5
bd82d30f19cf0fa699a150e9ab7819bd

SHA1
c4c4bfcc100f89db82a46d44c8f2ddbeb75cbc59

SHA256
f3bb6e6cbf24dfcbff3a6c077ab332f315067874371bbd186e74ac165f3a9205

SHA512
20c8749b9f994f9ba2519a8270e46bc917152562c2c0aaaf43b66798fa90cc34e8094f028d2c5934d2c29a47822a8e341814889f7e810eda087b752d280e7742

Download Submit
C:\Windows\{D5B9FBBB-7667-4a3f-BB9E-4AAEDBC2D060}.exe

Filesize
168KB

MD5
bd82d30f19cf0fa699a150e9ab7819bd

SHA1
c4c4bfcc100f89db82a46d44c8f2ddbeb75cbc59

SHA256
f3bb6e6cbf24dfcbff3a6c077ab332f315067874371bbd186e74ac165f3a9205

SHA512
20c8749b9f994f9ba2519a8270e46bc917152562c2c0aaaf43b66798fa90cc34e8094f028d2c5934d2c29a47822a8e341814889f7e810eda087b752d280e7742

Download Submit
C:\Windows\{FF07CE63-A4E7-488c-BC1B-8F17B3AA548B}.exe

Filesize
168KB

MD5
9e918cf805a94e593d1f2871a48d23ca

SHA1
88ed9ae98890746298c14d3754bccb2a7f8ecf76

SHA256
5397528d61687f1e3f99d29ca4cd28d9b610d7f28e03ff28208f1e59593e89c9

SHA512
e1540021debcf0930d86be97bba36cabe6bbbf37b0382e7ed893cade1ec5597840a0d9f2ff88a20012abdc01e385da343531145f43149c0da89174c3d6248409

Download Submit
C:\Windows\{FF07CE63-A4E7-488c-BC1B-8F17B3AA548B}.exe

Filesize
168KB

MD5
9e918cf805a94e593d1f2871a48d23ca

SHA1
88ed9ae98890746298c14d3754bccb2a7f8ecf76

SHA256
5397528d61687f1e3f99d29ca4cd28d9b610d7f28e03ff28208f1e59593e89c9

SHA512
e1540021debcf0930d86be97bba36cabe6bbbf37b0382e7ed893cade1ec5597840a0d9f2ff88a20012abdc01e385da343531145f43149c0da89174c3d6248409

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads