93241cf333b19bc2872de58724359c9adcee84fffaacc67ea9eda6d5c7cac52b

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
06/11/2023, 19:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe
Size

408KB
MD5

73efc7b1182d52acddcb2d39510e4787
SHA1

7f8b1ca78758aeeae11c3ec1642b8ce560b33c52
SHA256

93241cf333b19bc2872de58724359c9adcee84fffaacc67ea9eda6d5c7cac52b
SHA512

368870ba3c6d3611b3d184d1c976a6da5919f2b26f4f236e733acd4bf4362c8a6b2243c210f8f925a63db684a77a415e0935f2833b90e8c1de05d961751bb720
SSDEEP

3072:CEGh0oSl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG8ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C1E7755-6544-4377-A444-AFB668C68849}	{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A431D3DB-50DF-49ed-A582-6987525DD0A6}	{DB59AE5B-865D-40bc-A4CE-9652361BE2FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A5DC9D4-578B-4171-A00E-3DAE1E888123}	{A431D3DB-50DF-49ed-A582-6987525DD0A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE4BA902-B350-43df-B1B7-B6DEE5C3C3ED}	{4A5DC9D4-578B-4171-A00E-3DAE1E888123}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}\stubpath = "C:\\Windows\\{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe"	{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C1E7755-6544-4377-A444-AFB668C68849}\stubpath = "C:\\Windows\\{7C1E7755-6544-4377-A444-AFB668C68849}.exe"	{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B256229-4F38-49ab-92BF-3136BDBDB9A6}\stubpath = "C:\\Windows\\{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe"	{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A431D3DB-50DF-49ed-A582-6987525DD0A6}\stubpath = "C:\\Windows\\{A431D3DB-50DF-49ed-A582-6987525DD0A6}.exe"	{DB59AE5B-865D-40bc-A4CE-9652361BE2FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A5DC9D4-578B-4171-A00E-3DAE1E888123}\stubpath = "C:\\Windows\\{4A5DC9D4-578B-4171-A00E-3DAE1E888123}.exe"	{A431D3DB-50DF-49ed-A582-6987525DD0A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68655AF3-471B-4e10-9C6C-FFF700E8E436}\stubpath = "C:\\Windows\\{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe"	{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}\stubpath = "C:\\Windows\\{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe"	{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB59AE5B-865D-40bc-A4CE-9652361BE2FF}	{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE4BA902-B350-43df-B1B7-B6DEE5C3C3ED}\stubpath = "C:\\Windows\\{EE4BA902-B350-43df-B1B7-B6DEE5C3C3ED}.exe"	{4A5DC9D4-578B-4171-A00E-3DAE1E888123}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}\stubpath = "C:\\Windows\\{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe"	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}	{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7CE8718-492B-4acd-ABFE-42366FFB350C}	{7C1E7755-6544-4377-A444-AFB668C68849}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7CE8718-492B-4acd-ABFE-42366FFB350C}\stubpath = "C:\\Windows\\{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe"	{7C1E7755-6544-4377-A444-AFB668C68849}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B256229-4F38-49ab-92BF-3136BDBDB9A6}	{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB59AE5B-865D-40bc-A4CE-9652361BE2FF}\stubpath = "C:\\Windows\\{DB59AE5B-865D-40bc-A4CE-9652361BE2FF}.exe"	{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68655AF3-471B-4e10-9C6C-FFF700E8E436}	{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}	{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe

Deletes itself 1 IoCs

pid	Process
2800	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1144	{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe
2668	{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe
2680	{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe
2548	{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe
2812	{7C1E7755-6544-4377-A444-AFB668C68849}.exe
2392	{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe
476	{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe
2316	{DB59AE5B-865D-40bc-A4CE-9652361BE2FF}.exe
2768	{A431D3DB-50DF-49ed-A582-6987525DD0A6}.exe
1536	{4A5DC9D4-578B-4171-A00E-3DAE1E888123}.exe
2780	{EE4BA902-B350-43df-B1B7-B6DEE5C3C3ED}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DB59AE5B-865D-40bc-A4CE-9652361BE2FF}.exe	{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe
File created	C:\Windows\{A431D3DB-50DF-49ed-A582-6987525DD0A6}.exe	{DB59AE5B-865D-40bc-A4CE-9652361BE2FF}.exe
File created	C:\Windows\{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe
File created	C:\Windows\{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe	{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe
File created	C:\Windows\{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe	{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe
File created	C:\Windows\{7C1E7755-6544-4377-A444-AFB668C68849}.exe	{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe
File created	C:\Windows\{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe	{7C1E7755-6544-4377-A444-AFB668C68849}.exe
File created	C:\Windows\{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe	{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe
File created	C:\Windows\{4A5DC9D4-578B-4171-A00E-3DAE1E888123}.exe	{A431D3DB-50DF-49ed-A582-6987525DD0A6}.exe
File created	C:\Windows\{EE4BA902-B350-43df-B1B7-B6DEE5C3C3ED}.exe	{4A5DC9D4-578B-4171-A00E-3DAE1E888123}.exe
File created	C:\Windows\{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe	{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2828	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1144	{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe
Token: SeIncBasePriorityPrivilege	2668	{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe
Token: SeIncBasePriorityPrivilege	2680	{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe
Token: SeIncBasePriorityPrivilege	2548	{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe
Token: SeIncBasePriorityPrivilege	2812	{7C1E7755-6544-4377-A444-AFB668C68849}.exe
Token: SeIncBasePriorityPrivilege	2392	{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe
Token: SeIncBasePriorityPrivilege	476	{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe
Token: SeIncBasePriorityPrivilege	2316	{DB59AE5B-865D-40bc-A4CE-9652361BE2FF}.exe
Token: SeIncBasePriorityPrivilege	2768	{A431D3DB-50DF-49ed-A582-6987525DD0A6}.exe
Token: SeIncBasePriorityPrivilege	1536	{4A5DC9D4-578B-4171-A00E-3DAE1E888123}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 1144	2828	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe	28
PID 2828 wrote to memory of 1144	2828	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe	28
PID 2828 wrote to memory of 1144	2828	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe	28
PID 2828 wrote to memory of 1144	2828	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe	28
PID 2828 wrote to memory of 2800	2828	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe	29
PID 2828 wrote to memory of 2800	2828	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe	29
PID 2828 wrote to memory of 2800	2828	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe	29
PID 2828 wrote to memory of 2800	2828	NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe	29
PID 1144 wrote to memory of 2668	1144	{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe	30
PID 1144 wrote to memory of 2668	1144	{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe	30
PID 1144 wrote to memory of 2668	1144	{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe	30
PID 1144 wrote to memory of 2668	1144	{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe	30
PID 1144 wrote to memory of 2960	1144	{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe	31
PID 1144 wrote to memory of 2960	1144	{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe	31
PID 1144 wrote to memory of 2960	1144	{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe	31
PID 1144 wrote to memory of 2960	1144	{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe	31
PID 2668 wrote to memory of 2680	2668	{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe	34
PID 2668 wrote to memory of 2680	2668	{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe	34
PID 2668 wrote to memory of 2680	2668	{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe	34
PID 2668 wrote to memory of 2680	2668	{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe	34
PID 2668 wrote to memory of 1660	2668	{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe	35
PID 2668 wrote to memory of 1660	2668	{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe	35
PID 2668 wrote to memory of 1660	2668	{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe	35
PID 2668 wrote to memory of 1660	2668	{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe	35
PID 2680 wrote to memory of 2548	2680	{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe	36
PID 2680 wrote to memory of 2548	2680	{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe	36
PID 2680 wrote to memory of 2548	2680	{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe	36
PID 2680 wrote to memory of 2548	2680	{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe	36
PID 2680 wrote to memory of 2636	2680	{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe	37
PID 2680 wrote to memory of 2636	2680	{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe	37
PID 2680 wrote to memory of 2636	2680	{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe	37
PID 2680 wrote to memory of 2636	2680	{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe	37
PID 2548 wrote to memory of 2812	2548	{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe	38
PID 2548 wrote to memory of 2812	2548	{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe	38
PID 2548 wrote to memory of 2812	2548	{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe	38
PID 2548 wrote to memory of 2812	2548	{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe	38
PID 2548 wrote to memory of 1716	2548	{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe	39
PID 2548 wrote to memory of 1716	2548	{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe	39
PID 2548 wrote to memory of 1716	2548	{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe	39
PID 2548 wrote to memory of 1716	2548	{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe	39
PID 2812 wrote to memory of 2392	2812	{7C1E7755-6544-4377-A444-AFB668C68849}.exe	40
PID 2812 wrote to memory of 2392	2812	{7C1E7755-6544-4377-A444-AFB668C68849}.exe	40
PID 2812 wrote to memory of 2392	2812	{7C1E7755-6544-4377-A444-AFB668C68849}.exe	40
PID 2812 wrote to memory of 2392	2812	{7C1E7755-6544-4377-A444-AFB668C68849}.exe	40
PID 2812 wrote to memory of 580	2812	{7C1E7755-6544-4377-A444-AFB668C68849}.exe	41
PID 2812 wrote to memory of 580	2812	{7C1E7755-6544-4377-A444-AFB668C68849}.exe	41
PID 2812 wrote to memory of 580	2812	{7C1E7755-6544-4377-A444-AFB668C68849}.exe	41
PID 2812 wrote to memory of 580	2812	{7C1E7755-6544-4377-A444-AFB668C68849}.exe	41
PID 2392 wrote to memory of 476	2392	{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe	43
PID 2392 wrote to memory of 476	2392	{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe	43
PID 2392 wrote to memory of 476	2392	{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe	43
PID 2392 wrote to memory of 476	2392	{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe	43
PID 2392 wrote to memory of 2900	2392	{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe	42
PID 2392 wrote to memory of 2900	2392	{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe	42
PID 2392 wrote to memory of 2900	2392	{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe	42
PID 2392 wrote to memory of 2900	2392	{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe	42
PID 476 wrote to memory of 2316	476	{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe	44
PID 476 wrote to memory of 2316	476	{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe	44
PID 476 wrote to memory of 2316	476	{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe	44
PID 476 wrote to memory of 2316	476	{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe	44
PID 476 wrote to memory of 2388	476	{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe	45
PID 476 wrote to memory of 2388	476	{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe	45
PID 476 wrote to memory of 2388	476	{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe	45
PID 476 wrote to memory of 2388	476	{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_73efc7b1182d52acddcb2d39510e4787_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe
  C:\Windows\{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe
    C:\Windows\{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe
      C:\Windows\{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe
        
        C:\Windows\{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\{7C1E7755-6544-4377-A444-AFB668C68849}.exe
        
        C:\Windows\{7C1E7755-6544-4377-A444-AFB668C68849}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe
        
        C:\Windows\{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7CE8~1.EXE > nul
        8⤵
        
        PID:2900
        
        C:\Windows\{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe
        
        C:\Windows\{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Windows\{DB59AE5B-865D-40bc-A4CE-9652361BE2FF}.exe
        
        C:\Windows\{DB59AE5B-865D-40bc-A4CE-9652361BE2FF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB59A~1.EXE > nul
        10⤵
        
        PID:2504
        
        C:\Windows\{A431D3DB-50DF-49ed-A582-6987525DD0A6}.exe
        
        C:\Windows\{A431D3DB-50DF-49ed-A582-6987525DD0A6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A431D~1.EXE > nul
        11⤵
        
        PID:1260
        
        C:\Windows\{4A5DC9D4-578B-4171-A00E-3DAE1E888123}.exe
        
        C:\Windows\{4A5DC9D4-578B-4171-A00E-3DAE1E888123}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\{EE4BA902-B350-43df-B1B7-B6DEE5C3C3ED}.exe
        
        C:\Windows\{EE4BA902-B350-43df-B1B7-B6DEE5C3C3ED}.exe
        12⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A5DC~1.EXE > nul
        12⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B256~1.EXE > nul
        9⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C1E7~1.EXE > nul
        7⤵
        
        PID:580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{927A3~1.EXE > nul
        6⤵
        
        PID:1716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E384~1.EXE > nul
        5⤵
        
        PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{68655~1.EXE > nul
      4⤵
      PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A22C9~1.EXE > nul
    3⤵
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe

Filesize
408KB

MD5
256969e717be74e19484b717c4808617

SHA1
b71d4e0ef00425a4399e43e9dfdf10e3e40ab741

SHA256
c00269d11ab38521f4393f234e057c549b4d5dfd2af79db18c67b99717e44cbb

SHA512
5b5b66cd34ad06ddf957ca9d2409ca9e435f029f93e0b3897ce4251ecf7a67da645bb476e7c1821072dcc1778b09bae6c203e8dde1f55a160e7c8f6e5f605745

Download Submit
C:\Windows\{2E384510-A2E0-4b54-B9B1-46AEE8F41A5D}.exe

Filesize
408KB

MD5
256969e717be74e19484b717c4808617

SHA1
b71d4e0ef00425a4399e43e9dfdf10e3e40ab741

SHA256
c00269d11ab38521f4393f234e057c549b4d5dfd2af79db18c67b99717e44cbb

SHA512
5b5b66cd34ad06ddf957ca9d2409ca9e435f029f93e0b3897ce4251ecf7a67da645bb476e7c1821072dcc1778b09bae6c203e8dde1f55a160e7c8f6e5f605745

Download Submit
C:\Windows\{4A5DC9D4-578B-4171-A00E-3DAE1E888123}.exe

Filesize
408KB

MD5
51a2f57fd8367f3bdc40cf86f20fcc2c

SHA1
92d67a5b2ef30a1775c12bf4842fd16c8990b9d4

SHA256
83c2544ddedcaf633ae6c1ca0312cfe87f7175f95bb07ea7293656b24137d046

SHA512
7183586298aa7e5ed214a89b60a9f4fee96e24a936aeb4414c588f83d12705ad6de24ae9d5b0151229a18df77625ce4f2eb55ba14cc0defef94b30cbc7fe57ee

Download Submit
C:\Windows\{4A5DC9D4-578B-4171-A00E-3DAE1E888123}.exe

Filesize
408KB

MD5
51a2f57fd8367f3bdc40cf86f20fcc2c

SHA1
92d67a5b2ef30a1775c12bf4842fd16c8990b9d4

SHA256
83c2544ddedcaf633ae6c1ca0312cfe87f7175f95bb07ea7293656b24137d046

SHA512
7183586298aa7e5ed214a89b60a9f4fee96e24a936aeb4414c588f83d12705ad6de24ae9d5b0151229a18df77625ce4f2eb55ba14cc0defef94b30cbc7fe57ee

Download Submit
C:\Windows\{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe

Filesize
408KB

MD5
154d37da1a75246967759a921209fdc1

SHA1
16900266e7373c28af7bad5b6139eda8a10e64cd

SHA256
0bd4b320cfbfed6c43a6b25471f03cf5d820e139e15411c95785d17ea234c38c

SHA512
114bfa4d150becdb49ad6d71ac0be4466d339fe9ddf67eaf7905a17cae91c674db5d4512b8955ea78d0633b6af7479fa758f7ae6058d2b525e3abf9dd4a134e4

Download Submit
C:\Windows\{4B256229-4F38-49ab-92BF-3136BDBDB9A6}.exe

Filesize
408KB

MD5
154d37da1a75246967759a921209fdc1

SHA1
16900266e7373c28af7bad5b6139eda8a10e64cd

SHA256
0bd4b320cfbfed6c43a6b25471f03cf5d820e139e15411c95785d17ea234c38c

SHA512
114bfa4d150becdb49ad6d71ac0be4466d339fe9ddf67eaf7905a17cae91c674db5d4512b8955ea78d0633b6af7479fa758f7ae6058d2b525e3abf9dd4a134e4

Download Submit
C:\Windows\{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe

Filesize
408KB

MD5
b72ffb39ed81b2ad9c57ae4ba1e7ca6c

SHA1
c4fdd555ffbf475fb359bda452b30fae80b13e4c

SHA256
58d7174fcafccc77c164112a80780fcc52a072953b1276dc6ab170c01b4b86b3

SHA512
a0889b748d6d459174ef874ebe5f83941fc93926776dd1f184917019119eb5ea0b4419064fb34b21b93c464d2891f0beabee515554d9d94152b99a8294ec07c1

Download Submit
C:\Windows\{68655AF3-471B-4e10-9C6C-FFF700E8E436}.exe

Filesize
408KB

MD5
b72ffb39ed81b2ad9c57ae4ba1e7ca6c

SHA1
c4fdd555ffbf475fb359bda452b30fae80b13e4c

SHA256
58d7174fcafccc77c164112a80780fcc52a072953b1276dc6ab170c01b4b86b3

SHA512
a0889b748d6d459174ef874ebe5f83941fc93926776dd1f184917019119eb5ea0b4419064fb34b21b93c464d2891f0beabee515554d9d94152b99a8294ec07c1

Download Submit
C:\Windows\{7C1E7755-6544-4377-A444-AFB668C68849}.exe

Filesize
408KB

MD5
9b06be24b465e331a1253cfceaced303

SHA1
c98161d2e66bf33522fe686892e93675667ac75b

SHA256
b77698dedcd3529df5f416a0b013b8f29c6b4561eaba76aa9bc9f7feee4132f3

SHA512
7b59cbcd3f1b12c0305681d004582c0fe0c9325d513c12b4bb7575b2b993ca8164e726badafc96f1337c2daa975c64490d977e548764caa891875f7d8dea1f4b

Download Submit
C:\Windows\{7C1E7755-6544-4377-A444-AFB668C68849}.exe

Filesize
408KB

MD5
9b06be24b465e331a1253cfceaced303

SHA1
c98161d2e66bf33522fe686892e93675667ac75b

SHA256
b77698dedcd3529df5f416a0b013b8f29c6b4561eaba76aa9bc9f7feee4132f3

SHA512
7b59cbcd3f1b12c0305681d004582c0fe0c9325d513c12b4bb7575b2b993ca8164e726badafc96f1337c2daa975c64490d977e548764caa891875f7d8dea1f4b

Download Submit
C:\Windows\{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe

Filesize
408KB

MD5
3662f619046bc532ec9e42f75d6c61f0

SHA1
40771672cb0666a9074d7efbcd0bb367656917a2

SHA256
817f2b248e836ff8403152b83d8b45b41e178476aa46d5bfccdb76c649d11368

SHA512
ff8a73c9257e21d9f44be8a66e9093ff6583d0428e1ba19eb9f1789ec833d13d6ad3d1fb579d6215c71ed43025319546f82e66c35819f9f544676646d942c54b

Download Submit
C:\Windows\{927A35EF-3AFA-4133-BCD5-AA0760F6D3E5}.exe

Filesize
408KB

MD5
3662f619046bc532ec9e42f75d6c61f0

SHA1
40771672cb0666a9074d7efbcd0bb367656917a2

SHA256
817f2b248e836ff8403152b83d8b45b41e178476aa46d5bfccdb76c649d11368

SHA512
ff8a73c9257e21d9f44be8a66e9093ff6583d0428e1ba19eb9f1789ec833d13d6ad3d1fb579d6215c71ed43025319546f82e66c35819f9f544676646d942c54b

Download Submit
C:\Windows\{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe

Filesize
408KB

MD5
975a9d16068dfb4009b758e56c61902c

SHA1
43a1ae574c8bbb42f2faadb44d697e6414094d2c

SHA256
30dee0cbe7a078529567d371fb86b2a8380504c91fbbf1d5f335c230e33c29b3

SHA512
dec0d3039cc1d6ef9c514236511da9f3f76e26b923588f86d7dcc70b771af3878c3fff3d0207a1994382889ce41defc514843fbf9235334780a20eebaa56f939

Download Submit
C:\Windows\{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe

Filesize
408KB

MD5
975a9d16068dfb4009b758e56c61902c

SHA1
43a1ae574c8bbb42f2faadb44d697e6414094d2c

SHA256
30dee0cbe7a078529567d371fb86b2a8380504c91fbbf1d5f335c230e33c29b3

SHA512
dec0d3039cc1d6ef9c514236511da9f3f76e26b923588f86d7dcc70b771af3878c3fff3d0207a1994382889ce41defc514843fbf9235334780a20eebaa56f939

Download Submit
C:\Windows\{A22C95CF-F45A-4b7a-8AF8-214ECB03A58C}.exe

Filesize
408KB

MD5
975a9d16068dfb4009b758e56c61902c

SHA1
43a1ae574c8bbb42f2faadb44d697e6414094d2c

SHA256
30dee0cbe7a078529567d371fb86b2a8380504c91fbbf1d5f335c230e33c29b3

SHA512
dec0d3039cc1d6ef9c514236511da9f3f76e26b923588f86d7dcc70b771af3878c3fff3d0207a1994382889ce41defc514843fbf9235334780a20eebaa56f939

Download Submit
C:\Windows\{A431D3DB-50DF-49ed-A582-6987525DD0A6}.exe

Filesize
408KB

MD5
9196a0318efd8c73a30fc60fa801a743

SHA1
474c577c8f13fb1d1f4523cfb82600ba2285aa65

SHA256
ccbd4b9c8540862862fd744c6f1a338bd330c32a577589255e6b33e9b619127a

SHA512
eef72b963c68bcabee438d5569c4b8b04735b35f59900b5026a16e1c09a4cfa994ebfb5fe8ffa37da6b31b1dfc09504cbc0e01978dc365735873e0dc7b7c328c

Download Submit
C:\Windows\{A431D3DB-50DF-49ed-A582-6987525DD0A6}.exe

Filesize
408KB

MD5
9196a0318efd8c73a30fc60fa801a743

SHA1
474c577c8f13fb1d1f4523cfb82600ba2285aa65

SHA256
ccbd4b9c8540862862fd744c6f1a338bd330c32a577589255e6b33e9b619127a

SHA512
eef72b963c68bcabee438d5569c4b8b04735b35f59900b5026a16e1c09a4cfa994ebfb5fe8ffa37da6b31b1dfc09504cbc0e01978dc365735873e0dc7b7c328c

Download Submit
C:\Windows\{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe

Filesize
408KB

MD5
402bcdf4260d315a5fdc56a65b64e715

SHA1
0bb094fe08b6d9829711042b90811672edd0f8ac

SHA256
24356b4994213726da66c9e717db65875b60e17e6c7cfea98e949229212bb940

SHA512
7b89f97b66681c99fbd4dae01be5f7c8b6ab2f1711aa0662f1f968a87577db6c6d9851dbfd58712a370074ad0e49f3b2a6bb5c77abf5563d4d06e1ef3795c248

Download Submit
C:\Windows\{A7CE8718-492B-4acd-ABFE-42366FFB350C}.exe

Filesize
408KB

MD5
402bcdf4260d315a5fdc56a65b64e715

SHA1
0bb094fe08b6d9829711042b90811672edd0f8ac

SHA256
24356b4994213726da66c9e717db65875b60e17e6c7cfea98e949229212bb940

SHA512
7b89f97b66681c99fbd4dae01be5f7c8b6ab2f1711aa0662f1f968a87577db6c6d9851dbfd58712a370074ad0e49f3b2a6bb5c77abf5563d4d06e1ef3795c248

Download Submit
C:\Windows\{DB59AE5B-865D-40bc-A4CE-9652361BE2FF}.exe

Filesize
408KB

MD5
38635abdc36fdb10a4d232284bb86646

SHA1
5d0ea0a85604b4b1db7c544636dab9cfbc4666b1

SHA256
845d0fdd089092a7b7aa20ce86cf71705d0a1098cebfae7c58a14a043c8af0e1

SHA512
0e7f31b55eb9104fb81c52a7abc1db2c6b1dbf47bd43c45a3c0c9b721a8df06c06b6d2c3e1ad2f3cf4408d1ef37e5beb76a623d2d1d967f5f92a46b33cf4b1e0

Download Submit
C:\Windows\{DB59AE5B-865D-40bc-A4CE-9652361BE2FF}.exe

Filesize
408KB

MD5
38635abdc36fdb10a4d232284bb86646

SHA1
5d0ea0a85604b4b1db7c544636dab9cfbc4666b1

SHA256
845d0fdd089092a7b7aa20ce86cf71705d0a1098cebfae7c58a14a043c8af0e1

SHA512
0e7f31b55eb9104fb81c52a7abc1db2c6b1dbf47bd43c45a3c0c9b721a8df06c06b6d2c3e1ad2f3cf4408d1ef37e5beb76a623d2d1d967f5f92a46b33cf4b1e0

Download Submit
C:\Windows\{EE4BA902-B350-43df-B1B7-B6DEE5C3C3ED}.exe

Filesize
408KB

MD5
bbcb5abda8f7f0f83458415853dbcdd4

SHA1
5db146c985654a2f70433172dbe1dd202ee62a75

SHA256
7175b0665a61ce211e7b1cff1bde1d74151554297673f4467a0680b06151b574

SHA512
6b138095a09907097990c7c8843c05468f7a7c5a84d926eac8e4aafcb4833c14fac994e218224d3507e08313bf28f85bf6d6c0968ffd4daa7f74227863c0affe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads