62cb4ea3c8937e54ff8b33294e6e4f17625263712bac36d6497195aeffc11f13

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
06/11/2023, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-25_91f00239143da54e5ce6f99dddfb8933_goldeneye.exe
Size

408KB
MD5

91f00239143da54e5ce6f99dddfb8933
SHA1

92e85c819bb2b71d5411c9cd442ec7f02a5bece5
SHA256

62cb4ea3c8937e54ff8b33294e6e4f17625263712bac36d6497195aeffc11f13
SHA512

762f93a938e25e604f0d4d1d8b9a835acaaa44dd1a1b420e12447c128a29259209ba4834f0d8cb41d5072a14a430a98fd27268d8a885706e948abd19764bff44
SSDEEP

3072:CEGh0oGl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGEldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A692CE-3E87-4e19-A844-B862491F9067}	{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A692CE-3E87-4e19-A844-B862491F9067}\stubpath = "C:\\Windows\\{71A692CE-3E87-4e19-A844-B862491F9067}.exe"	{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B47B2CB1-358D-4acf-87CE-0E784D940ABE}\stubpath = "C:\\Windows\\{B47B2CB1-358D-4acf-87CE-0E784D940ABE}.exe"	{80700A82-F308-4812-A366-C8C6629B2B5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A53D98B-3196-498b-AA14-3675BBED4618}	{B47B2CB1-358D-4acf-87CE-0E784D940ABE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A53D98B-3196-498b-AA14-3675BBED4618}\stubpath = "C:\\Windows\\{4A53D98B-3196-498b-AA14-3675BBED4618}.exe"	{B47B2CB1-358D-4acf-87CE-0E784D940ABE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD547667-6B96-461b-9CA7-9659D7E3EEF1}	{4A53D98B-3196-498b-AA14-3675BBED4618}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE6AD960-D94B-4a2d-874C-4B652F2A8041}	NEAS.2023-09-25_91f00239143da54e5ce6f99dddfb8933_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D780103-DD33-4568-8905-B741932B24B7}	{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}	{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}\stubpath = "C:\\Windows\\{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe"	{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}	{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D780103-DD33-4568-8905-B741932B24B7}\stubpath = "C:\\Windows\\{5D780103-DD33-4568-8905-B741932B24B7}.exe"	{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81AAC4FC-1A91-4e17-B512-52F30361715A}\stubpath = "C:\\Windows\\{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe"	{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80700A82-F308-4812-A366-C8C6629B2B5E}	{71A692CE-3E87-4e19-A844-B862491F9067}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD547667-6B96-461b-9CA7-9659D7E3EEF1}\stubpath = "C:\\Windows\\{BD547667-6B96-461b-9CA7-9659D7E3EEF1}.exe"	{4A53D98B-3196-498b-AA14-3675BBED4618}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE6AD960-D94B-4a2d-874C-4B652F2A8041}\stubpath = "C:\\Windows\\{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe"	NEAS.2023-09-25_91f00239143da54e5ce6f99dddfb8933_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41E084D4-338C-4068-9BD8-4BFFE00C4680}\stubpath = "C:\\Windows\\{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe"	{5D780103-DD33-4568-8905-B741932B24B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}\stubpath = "C:\\Windows\\{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe"	{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80700A82-F308-4812-A366-C8C6629B2B5E}\stubpath = "C:\\Windows\\{80700A82-F308-4812-A366-C8C6629B2B5E}.exe"	{71A692CE-3E87-4e19-A844-B862491F9067}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B47B2CB1-358D-4acf-87CE-0E784D940ABE}	{80700A82-F308-4812-A366-C8C6629B2B5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41E084D4-338C-4068-9BD8-4BFFE00C4680}	{5D780103-DD33-4568-8905-B741932B24B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81AAC4FC-1A91-4e17-B512-52F30361715A}	{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe

Deletes itself 1 IoCs

pid	Process
2976	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1744	{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe
3036	{5D780103-DD33-4568-8905-B741932B24B7}.exe
2228	{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe
2764	{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe
2904	{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe
2752	{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe
1704	{71A692CE-3E87-4e19-A844-B862491F9067}.exe
3004	{80700A82-F308-4812-A366-C8C6629B2B5E}.exe
2864	{B47B2CB1-358D-4acf-87CE-0E784D940ABE}.exe
1872	{4A53D98B-3196-498b-AA14-3675BBED4618}.exe
1520	{BD547667-6B96-461b-9CA7-9659D7E3EEF1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe	{5D780103-DD33-4568-8905-B741932B24B7}.exe
File created	C:\Windows\{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe	{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe
File created	C:\Windows\{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe	{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe
File created	C:\Windows\{B47B2CB1-358D-4acf-87CE-0E784D940ABE}.exe	{80700A82-F308-4812-A366-C8C6629B2B5E}.exe
File created	C:\Windows\{4A53D98B-3196-498b-AA14-3675BBED4618}.exe	{B47B2CB1-358D-4acf-87CE-0E784D940ABE}.exe
File created	C:\Windows\{BD547667-6B96-461b-9CA7-9659D7E3EEF1}.exe	{4A53D98B-3196-498b-AA14-3675BBED4618}.exe
File created	C:\Windows\{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe	NEAS.2023-09-25_91f00239143da54e5ce6f99dddfb8933_goldeneye.exe
File created	C:\Windows\{5D780103-DD33-4568-8905-B741932B24B7}.exe	{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe
File created	C:\Windows\{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe	{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe
File created	C:\Windows\{71A692CE-3E87-4e19-A844-B862491F9067}.exe	{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe
File created	C:\Windows\{80700A82-F308-4812-A366-C8C6629B2B5E}.exe	{71A692CE-3E87-4e19-A844-B862491F9067}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1676	NEAS.2023-09-25_91f00239143da54e5ce6f99dddfb8933_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1744	{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe
Token: SeIncBasePriorityPrivilege	3036	{5D780103-DD33-4568-8905-B741932B24B7}.exe
Token: SeIncBasePriorityPrivilege	2228	{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe
Token: SeIncBasePriorityPrivilege	2764	{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe
Token: SeIncBasePriorityPrivilege	2904	{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe
Token: SeIncBasePriorityPrivilege	2752	{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe
Token: SeIncBasePriorityPrivilege	1704	{71A692CE-3E87-4e19-A844-B862491F9067}.exe
Token: SeIncBasePriorityPrivilege	3004	{80700A82-F308-4812-A366-C8C6629B2B5E}.exe
Token: SeIncBasePriorityPrivilege	2864	{B47B2CB1-358D-4acf-87CE-0E784D940ABE}.exe
Token: SeIncBasePriorityPrivilege	1872	{4A53D98B-3196-498b-AA14-3675BBED4618}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1744	1676	NEAS.2023-09-25_91f00239143da54e5ce6f99dddfb8933_goldeneye.exe	28
PID 1676 wrote to memory of 1744	1676	NEAS.2023-09-25_91f00239143da54e5ce6f99dddfb8933_goldeneye.exe	28
PID 1676 wrote to memory of 1744	1676	NEAS.2023-09-25_91f00239143da54e5ce6f99dddfb8933_goldeneye.exe	28
PID 1676 wrote to memory of 1744	1676	NEAS.2023-09-25_91f00239143da54e5ce6f99dddfb8933_goldeneye.exe	28
PID 1676 wrote to memory of 2976	1676	NEAS.2023-09-25_91f00239143da54e5ce6f99dddfb8933_goldeneye.exe	29
PID 1676 wrote to memory of 2976	1676	NEAS.2023-09-25_91f00239143da54e5ce6f99dddfb8933_goldeneye.exe	29
PID 1676 wrote to memory of 2976	1676	NEAS.2023-09-25_91f00239143da54e5ce6f99dddfb8933_goldeneye.exe	29
PID 1676 wrote to memory of 2976	1676	NEAS.2023-09-25_91f00239143da54e5ce6f99dddfb8933_goldeneye.exe	29
PID 1744 wrote to memory of 3036	1744	{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe	30
PID 1744 wrote to memory of 3036	1744	{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe	30
PID 1744 wrote to memory of 3036	1744	{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe	30
PID 1744 wrote to memory of 3036	1744	{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe	30
PID 1744 wrote to memory of 2908	1744	{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe	31
PID 1744 wrote to memory of 2908	1744	{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe	31
PID 1744 wrote to memory of 2908	1744	{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe	31
PID 1744 wrote to memory of 2908	1744	{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe	31
PID 3036 wrote to memory of 2228	3036	{5D780103-DD33-4568-8905-B741932B24B7}.exe	33
PID 3036 wrote to memory of 2228	3036	{5D780103-DD33-4568-8905-B741932B24B7}.exe	33
PID 3036 wrote to memory of 2228	3036	{5D780103-DD33-4568-8905-B741932B24B7}.exe	33
PID 3036 wrote to memory of 2228	3036	{5D780103-DD33-4568-8905-B741932B24B7}.exe	33
PID 3036 wrote to memory of 2604	3036	{5D780103-DD33-4568-8905-B741932B24B7}.exe	32
PID 3036 wrote to memory of 2604	3036	{5D780103-DD33-4568-8905-B741932B24B7}.exe	32
PID 3036 wrote to memory of 2604	3036	{5D780103-DD33-4568-8905-B741932B24B7}.exe	32
PID 3036 wrote to memory of 2604	3036	{5D780103-DD33-4568-8905-B741932B24B7}.exe	32
PID 2228 wrote to memory of 2764	2228	{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe	37
PID 2228 wrote to memory of 2764	2228	{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe	37
PID 2228 wrote to memory of 2764	2228	{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe	37
PID 2228 wrote to memory of 2764	2228	{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe	37
PID 2228 wrote to memory of 2920	2228	{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe	36
PID 2228 wrote to memory of 2920	2228	{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe	36
PID 2228 wrote to memory of 2920	2228	{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe	36
PID 2228 wrote to memory of 2920	2228	{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe	36
PID 2764 wrote to memory of 2904	2764	{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe	39
PID 2764 wrote to memory of 2904	2764	{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe	39
PID 2764 wrote to memory of 2904	2764	{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe	39
PID 2764 wrote to memory of 2904	2764	{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe	39
PID 2764 wrote to memory of 2612	2764	{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe	38
PID 2764 wrote to memory of 2612	2764	{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe	38
PID 2764 wrote to memory of 2612	2764	{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe	38
PID 2764 wrote to memory of 2612	2764	{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe	38
PID 2904 wrote to memory of 2752	2904	{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe	41
PID 2904 wrote to memory of 2752	2904	{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe	41
PID 2904 wrote to memory of 2752	2904	{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe	41
PID 2904 wrote to memory of 2752	2904	{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe	41
PID 2904 wrote to memory of 2496	2904	{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe	40
PID 2904 wrote to memory of 2496	2904	{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe	40
PID 2904 wrote to memory of 2496	2904	{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe	40
PID 2904 wrote to memory of 2496	2904	{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe	40
PID 2752 wrote to memory of 1704	2752	{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe	42
PID 2752 wrote to memory of 1704	2752	{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe	42
PID 2752 wrote to memory of 1704	2752	{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe	42
PID 2752 wrote to memory of 1704	2752	{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe	42
PID 2752 wrote to memory of 3000	2752	{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe	43
PID 2752 wrote to memory of 3000	2752	{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe	43
PID 2752 wrote to memory of 3000	2752	{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe	43
PID 2752 wrote to memory of 3000	2752	{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe	43
PID 1704 wrote to memory of 3004	1704	{71A692CE-3E87-4e19-A844-B862491F9067}.exe	45
PID 1704 wrote to memory of 3004	1704	{71A692CE-3E87-4e19-A844-B862491F9067}.exe	45
PID 1704 wrote to memory of 3004	1704	{71A692CE-3E87-4e19-A844-B862491F9067}.exe	45
PID 1704 wrote to memory of 3004	1704	{71A692CE-3E87-4e19-A844-B862491F9067}.exe	45
PID 1704 wrote to memory of 2032	1704	{71A692CE-3E87-4e19-A844-B862491F9067}.exe	44
PID 1704 wrote to memory of 2032	1704	{71A692CE-3E87-4e19-A844-B862491F9067}.exe	44
PID 1704 wrote to memory of 2032	1704	{71A692CE-3E87-4e19-A844-B862491F9067}.exe	44
PID 1704 wrote to memory of 2032	1704	{71A692CE-3E87-4e19-A844-B862491F9067}.exe	44

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-25_91f00239143da54e5ce6f99dddfb8933_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-25_91f00239143da54e5ce6f99dddfb8933_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe
  C:\Windows\{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\{5D780103-DD33-4568-8905-B741932B24B7}.exe
    C:\Windows\{5D780103-DD33-4568-8905-B741932B24B7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5D780~1.EXE > nul
      4⤵
      PID:2604
  - - C:\Windows\{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe
      C:\Windows\{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41E08~1.EXE > nul
        5⤵
        
        PID:2920
    - - C:\Windows\{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe
        
        C:\Windows\{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81AAC~1.EXE > nul
        6⤵
        
        PID:2612
      - C:\Windows\{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe
        
        C:\Windows\{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0252C~1.EXE > nul
        7⤵
        
        PID:2496
        
        C:\Windows\{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe
        
        C:\Windows\{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{71A692CE-3E87-4e19-A844-B862491F9067}.exe
        
        C:\Windows\{71A692CE-3E87-4e19-A844-B862491F9067}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71A69~1.EXE > nul
        9⤵
        
        PID:2032
        
        C:\Windows\{80700A82-F308-4812-A366-C8C6629B2B5E}.exe
        
        C:\Windows\{80700A82-F308-4812-A366-C8C6629B2B5E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80700~1.EXE > nul
        10⤵
        
        PID:2680
        
        C:\Windows\{B47B2CB1-358D-4acf-87CE-0E784D940ABE}.exe
        
        C:\Windows\{B47B2CB1-358D-4acf-87CE-0E784D940ABE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B47B2~1.EXE > nul
        11⤵
        
        PID:1340
        
        C:\Windows\{4A53D98B-3196-498b-AA14-3675BBED4618}.exe
        
        C:\Windows\{4A53D98B-3196-498b-AA14-3675BBED4618}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A53D~1.EXE > nul
        12⤵
        
        PID:1876
        
        C:\Windows\{BD547667-6B96-461b-9CA7-9659D7E3EEF1}.exe
        
        C:\Windows\{BD547667-6B96-461b-9CA7-9659D7E3EEF1}.exe
        12⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E67B~1.EXE > nul
        8⤵
        
        PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CE6AD~1.EXE > nul
    3⤵
    PID:2908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe

Filesize
408KB

MD5
a1ad5f41d28695323afe4bbe6ad768e2

SHA1
0c5b50317a12b95841554fc7249276b8b32f8cbf

SHA256
f1be0dbd09a0ce86ae900946a585a5bf889b9124f7863c72527f31306f075a44

SHA512
f6ee6da996c9c327f1c2ecc43cb158fe9f298e653f3cc1d792efd3ec50b90da361dd42280c22221a49acdc1ba167af4f5427a7b918a48295c91bf8b06c1c9b61

Download Submit
C:\Windows\{0252C4EF-4844-46e2-B9EE-5E5C37CB6DA8}.exe

Filesize
408KB

MD5
a1ad5f41d28695323afe4bbe6ad768e2

SHA1
0c5b50317a12b95841554fc7249276b8b32f8cbf

SHA256
f1be0dbd09a0ce86ae900946a585a5bf889b9124f7863c72527f31306f075a44

SHA512
f6ee6da996c9c327f1c2ecc43cb158fe9f298e653f3cc1d792efd3ec50b90da361dd42280c22221a49acdc1ba167af4f5427a7b918a48295c91bf8b06c1c9b61

Download Submit
C:\Windows\{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe

Filesize
408KB

MD5
e2c6d451e2b8dcaf2cf2c105b6fdfb5b

SHA1
c18ea0714f22c4b091fde78d3cfc0a771333b1d2

SHA256
072950551368178707a3525d4ce595aa1fed8a9be3d497044ee888bd758d41a5

SHA512
d31b41bd3ea6a554d0259ab4850553e48b60e62e40b2983d7b0ca1d8d55c3bbcb9819a6dd914df20afa846ed92d82d5fc6e2bb94ea4297a8ed36e315ce2d8889

Download Submit
C:\Windows\{41E084D4-338C-4068-9BD8-4BFFE00C4680}.exe

Filesize
408KB

MD5
e2c6d451e2b8dcaf2cf2c105b6fdfb5b

SHA1
c18ea0714f22c4b091fde78d3cfc0a771333b1d2

SHA256
072950551368178707a3525d4ce595aa1fed8a9be3d497044ee888bd758d41a5

SHA512
d31b41bd3ea6a554d0259ab4850553e48b60e62e40b2983d7b0ca1d8d55c3bbcb9819a6dd914df20afa846ed92d82d5fc6e2bb94ea4297a8ed36e315ce2d8889

Download Submit
C:\Windows\{4A53D98B-3196-498b-AA14-3675BBED4618}.exe

Filesize
408KB

MD5
97a69f791c8a871387fdcd7313c1cde8

SHA1
5a8e6a51bd75198273ab9b685c6a2cd25a0ccb5d

SHA256
9f32e69c231ddb08ff36ee16512f4e34662495c11c7ff09387c593d3dae99614

SHA512
3a94ca5cd3c68f5eb43f3397e1ebb018fc40ae52ad5757100f57aff22be3fe66e8422a78bb37fbb6da65335b4b9c87f84d74347e00456413f78bcec39d1eca0f

Download Submit
C:\Windows\{4A53D98B-3196-498b-AA14-3675BBED4618}.exe

Filesize
408KB

MD5
97a69f791c8a871387fdcd7313c1cde8

SHA1
5a8e6a51bd75198273ab9b685c6a2cd25a0ccb5d

SHA256
9f32e69c231ddb08ff36ee16512f4e34662495c11c7ff09387c593d3dae99614

SHA512
3a94ca5cd3c68f5eb43f3397e1ebb018fc40ae52ad5757100f57aff22be3fe66e8422a78bb37fbb6da65335b4b9c87f84d74347e00456413f78bcec39d1eca0f

Download Submit
C:\Windows\{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe

Filesize
408KB

MD5
129133ebe41b5f999ee66a2bcf5c8e85

SHA1
75adbc708a46da6a92a531f0ba7b77c225e7e32e

SHA256
8f0b596fdaf86d99860e55ecdcb3a0de23fd76a3b128e722f84bf8e381c11339

SHA512
5acd59d0fb164c9dd27493d162dd1fa6b2ae65beaa1ac292a0b5fff7dd417cf03a3b34148ffb91ba85cee74e33925771d9750243fad62a4b2ee46d7f827e86f0

Download Submit
C:\Windows\{4E67BFE6-F68C-4b99-8CB2-E58C3E0C894F}.exe

Filesize
408KB

MD5
129133ebe41b5f999ee66a2bcf5c8e85

SHA1
75adbc708a46da6a92a531f0ba7b77c225e7e32e

SHA256
8f0b596fdaf86d99860e55ecdcb3a0de23fd76a3b128e722f84bf8e381c11339

SHA512
5acd59d0fb164c9dd27493d162dd1fa6b2ae65beaa1ac292a0b5fff7dd417cf03a3b34148ffb91ba85cee74e33925771d9750243fad62a4b2ee46d7f827e86f0

Download Submit
C:\Windows\{5D780103-DD33-4568-8905-B741932B24B7}.exe

Filesize
408KB

MD5
abf0243aab9010c0ba7e22b8f7ca3cd2

SHA1
ab3b01c074e52d26cc035c9769e0fddc00d7abb8

SHA256
9fdb497a6104ba0a63140eec04df48244862f88933858a761f788b3df568891f

SHA512
ec0b9939e6f55c20facf6ca2a623bbdb186d41de512bb5a771d151d0ebc6a1157b252c7f1e6f565389c2acffd8d50012567b7317f5db28f8b1b8f7a890539023

Download Submit
C:\Windows\{5D780103-DD33-4568-8905-B741932B24B7}.exe

Filesize
408KB

MD5
abf0243aab9010c0ba7e22b8f7ca3cd2

SHA1
ab3b01c074e52d26cc035c9769e0fddc00d7abb8

SHA256
9fdb497a6104ba0a63140eec04df48244862f88933858a761f788b3df568891f

SHA512
ec0b9939e6f55c20facf6ca2a623bbdb186d41de512bb5a771d151d0ebc6a1157b252c7f1e6f565389c2acffd8d50012567b7317f5db28f8b1b8f7a890539023

Download Submit
C:\Windows\{71A692CE-3E87-4e19-A844-B862491F9067}.exe

Filesize
408KB

MD5
25e29e93c043d66051fce702a2d431f2

SHA1
ccde6e24e789e9543bb95b00fb9ad035ab1a4994

SHA256
b36ef2d73b5c4caf75766af62238b1e472bdee26e6f4cadfa63cc6540ee77ea1

SHA512
f74719bb00f2f3d87fb282a168ad2590a01543bccc43c8de399812b1cbfcea465673c70b54da16c422457541567dfb0dcbb1e69d06662b717b5c1e5d2cc26d80

Download Submit
C:\Windows\{71A692CE-3E87-4e19-A844-B862491F9067}.exe

Filesize
408KB

MD5
25e29e93c043d66051fce702a2d431f2

SHA1
ccde6e24e789e9543bb95b00fb9ad035ab1a4994

SHA256
b36ef2d73b5c4caf75766af62238b1e472bdee26e6f4cadfa63cc6540ee77ea1

SHA512
f74719bb00f2f3d87fb282a168ad2590a01543bccc43c8de399812b1cbfcea465673c70b54da16c422457541567dfb0dcbb1e69d06662b717b5c1e5d2cc26d80

Download Submit
C:\Windows\{80700A82-F308-4812-A366-C8C6629B2B5E}.exe

Filesize
408KB

MD5
8555745a08621ae16c3b181ec9db1a36

SHA1
6870f9b3f47dc13b45bb7748f4376e0e346f68a4

SHA256
29588628b85ca38725d791410ed01cc2529a0783675763b9afab8f8f2bf50b00

SHA512
05839e61a1ec3950f17dcfa404948cd9abb46068936a9ac34c31c92d8c736896c29c282239e1378f183b2707dd2e3528163eaf9fb5bb3a18cbb192f15478ecc0

Download Submit
C:\Windows\{80700A82-F308-4812-A366-C8C6629B2B5E}.exe

Filesize
408KB

MD5
8555745a08621ae16c3b181ec9db1a36

SHA1
6870f9b3f47dc13b45bb7748f4376e0e346f68a4

SHA256
29588628b85ca38725d791410ed01cc2529a0783675763b9afab8f8f2bf50b00

SHA512
05839e61a1ec3950f17dcfa404948cd9abb46068936a9ac34c31c92d8c736896c29c282239e1378f183b2707dd2e3528163eaf9fb5bb3a18cbb192f15478ecc0

Download Submit
C:\Windows\{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe

Filesize
408KB

MD5
a937602e7f1eeff431565766a644cdc9

SHA1
8fd4d1fe58dee56384caefb9d8194f7cd9028133

SHA256
dad4b20b9a5a3f5b4a96a87e4d8c3539181e0a4313185c92a2c0abdfc0547de2

SHA512
35bf61beee62ec2c729318de10739ecbfeebd8494d7746ca5d6ad94cdc54990c26e2c27b6ce8deaedc0d7c975d811bbd7fd96c26ec9b841391005c7d24283f81

Download Submit
C:\Windows\{81AAC4FC-1A91-4e17-B512-52F30361715A}.exe

Filesize
408KB

MD5
a937602e7f1eeff431565766a644cdc9

SHA1
8fd4d1fe58dee56384caefb9d8194f7cd9028133

SHA256
dad4b20b9a5a3f5b4a96a87e4d8c3539181e0a4313185c92a2c0abdfc0547de2

SHA512
35bf61beee62ec2c729318de10739ecbfeebd8494d7746ca5d6ad94cdc54990c26e2c27b6ce8deaedc0d7c975d811bbd7fd96c26ec9b841391005c7d24283f81

Download Submit
C:\Windows\{B47B2CB1-358D-4acf-87CE-0E784D940ABE}.exe

Filesize
408KB

MD5
703f421dc048e8493b14bbe22bb5ac9b

SHA1
c6cca55e4584ceafb3df1f2e889a2fa7a04fdedc

SHA256
2d1a1cb76d3170021699f5e5d47c7e42cdac62dffdd7402f996387ee3d2c9646

SHA512
577e768737c95bd9cd6dc6bcc8310a687030b9ec270519b1a7c58475934e282e5ad2dc58985294c7a7d03fa123082eecfd220ce3ee52dacc670673ebc66542f3

Download Submit
C:\Windows\{B47B2CB1-358D-4acf-87CE-0E784D940ABE}.exe

Filesize
408KB

MD5
703f421dc048e8493b14bbe22bb5ac9b

SHA1
c6cca55e4584ceafb3df1f2e889a2fa7a04fdedc

SHA256
2d1a1cb76d3170021699f5e5d47c7e42cdac62dffdd7402f996387ee3d2c9646

SHA512
577e768737c95bd9cd6dc6bcc8310a687030b9ec270519b1a7c58475934e282e5ad2dc58985294c7a7d03fa123082eecfd220ce3ee52dacc670673ebc66542f3

Download Submit
C:\Windows\{BD547667-6B96-461b-9CA7-9659D7E3EEF1}.exe

Filesize
408KB

MD5
24e143d3e0419cc10aea97a69bb152e8

SHA1
362ea68abfee7c624114f4236fda34f133bf7b20

SHA256
f1e6f96c90573a542df0a3f293a5f5f74b1036c408edcdf5dc6b4738fd191e6d

SHA512
3e299de0c7004ea50925f7aa880f5606d46ffa22b3caead91371b7be6d86ffa0c6a2019493e5514813d2db5dec19debcde7e0ef7f0e329c0ce72e91ce8aa7cc3

Download Submit
C:\Windows\{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe

Filesize
408KB

MD5
ac1dec249a602b8b0776d350e5a25303

SHA1
d9a48589ff5f57e3832f088629071f75124a14e7

SHA256
797d9f58d304edb2a732fc362f6b3123dfb2b7c8785965e1169f26c2823698b2

SHA512
3e25d1cda00125e0bd3a509c344e37f17a255df629ff2e25064be1b640f5e18c00272c854c3c6caa0ab0c7c003871be648e0ee50e4aae7fe6825365c3f346706

Download Submit
C:\Windows\{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe

Filesize
408KB

MD5
ac1dec249a602b8b0776d350e5a25303

SHA1
d9a48589ff5f57e3832f088629071f75124a14e7

SHA256
797d9f58d304edb2a732fc362f6b3123dfb2b7c8785965e1169f26c2823698b2

SHA512
3e25d1cda00125e0bd3a509c344e37f17a255df629ff2e25064be1b640f5e18c00272c854c3c6caa0ab0c7c003871be648e0ee50e4aae7fe6825365c3f346706

Download Submit
C:\Windows\{CE6AD960-D94B-4a2d-874C-4B652F2A8041}.exe

Filesize
408KB

MD5
ac1dec249a602b8b0776d350e5a25303

SHA1
d9a48589ff5f57e3832f088629071f75124a14e7

SHA256
797d9f58d304edb2a732fc362f6b3123dfb2b7c8785965e1169f26c2823698b2

SHA512
3e25d1cda00125e0bd3a509c344e37f17a255df629ff2e25064be1b640f5e18c00272c854c3c6caa0ab0c7c003871be648e0ee50e4aae7fe6825365c3f346706

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads