e0edb12f8049d29dd7f4236440d8e4d441c3d88db5580b3ca452c0cd86b7b2fc

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
06-11-2023 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe
Size

180KB
MD5

a2b2562fe4da69f1a9d0564471abb379
SHA1

301b5c102d502c0a1e8deab1220a2d911586760b
SHA256

e0edb12f8049d29dd7f4236440d8e4d441c3d88db5580b3ca452c0cd86b7b2fc
SHA512

5446303b913264c3a148f646bedf8b0d0eb634e27e0a39f99382617784f0a6377731ef70ec2ee30508a356d25fa94c98afabbf4f5fc7619a3fb1e270a572bf81
SSDEEP

3072:jEGh0o2lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGQl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}\stubpath = "C:\\Windows\\{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe"	{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25254AC6-41E7-48b0-BE60-D4253C534F3A}	{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25254AC6-41E7-48b0-BE60-D4253C534F3A}\stubpath = "C:\\Windows\\{25254AC6-41E7-48b0-BE60-D4253C534F3A}.exe"	{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{251C23C3-E513-421b-BE51-7758118293AF}	{25254AC6-41E7-48b0-BE60-D4253C534F3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C373404-92D6-4191-A277-C11F68D880CF}\stubpath = "C:\\Windows\\{0C373404-92D6-4191-A277-C11F68D880CF}.exe"	{251C23C3-E513-421b-BE51-7758118293AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2766621C-0E47-45e1-AED0-3B700E3A6676}\stubpath = "C:\\Windows\\{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe"	{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}	{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C373404-92D6-4191-A277-C11F68D880CF}	{251C23C3-E513-421b-BE51-7758118293AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2766621C-0E47-45e1-AED0-3B700E3A6676}	{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}\stubpath = "C:\\Windows\\{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe"	{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}	{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}	{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{251C23C3-E513-421b-BE51-7758118293AF}\stubpath = "C:\\Windows\\{251C23C3-E513-421b-BE51-7758118293AF}.exe"	{25254AC6-41E7-48b0-BE60-D4253C534F3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97194E6B-B691-4aba-8BE9-38BABE232E5F}	{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97194E6B-B691-4aba-8BE9-38BABE232E5F}\stubpath = "C:\\Windows\\{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe"	{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}\stubpath = "C:\\Windows\\{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe"	{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}\stubpath = "C:\\Windows\\{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe"	{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}	{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27565BEA-A3F2-40cd-9B47-436B9E12942C}	{0C373404-92D6-4191-A277-C11F68D880CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27565BEA-A3F2-40cd-9B47-436B9E12942C}\stubpath = "C:\\Windows\\{27565BEA-A3F2-40cd-9B47-436B9E12942C}.exe"	{0C373404-92D6-4191-A277-C11F68D880CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}\stubpath = "C:\\Windows\\{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe"	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2788	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2688	{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe
2648	{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe
2560	{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe
2568	{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe
2080	{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe
1548	{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe
2880	{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe
2884	{25254AC6-41E7-48b0-BE60-D4253C534F3A}.exe
1500	{251C23C3-E513-421b-BE51-7758118293AF}.exe
536	{0C373404-92D6-4191-A277-C11F68D880CF}.exe
1936	{27565BEA-A3F2-40cd-9B47-436B9E12942C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe	{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe
File created	C:\Windows\{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe	{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe
File created	C:\Windows\{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe	{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe
File created	C:\Windows\{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe	{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe
File created	C:\Windows\{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe
File created	C:\Windows\{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe	{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe
File created	C:\Windows\{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe	{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe
File created	C:\Windows\{25254AC6-41E7-48b0-BE60-D4253C534F3A}.exe	{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe
File created	C:\Windows\{251C23C3-E513-421b-BE51-7758118293AF}.exe	{25254AC6-41E7-48b0-BE60-D4253C534F3A}.exe
File created	C:\Windows\{0C373404-92D6-4191-A277-C11F68D880CF}.exe	{251C23C3-E513-421b-BE51-7758118293AF}.exe
File created	C:\Windows\{27565BEA-A3F2-40cd-9B47-436B9E12942C}.exe	{0C373404-92D6-4191-A277-C11F68D880CF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2136	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2688	{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe
Token: SeIncBasePriorityPrivilege	2648	{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe
Token: SeIncBasePriorityPrivilege	2560	{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe
Token: SeIncBasePriorityPrivilege	2568	{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe
Token: SeIncBasePriorityPrivilege	2080	{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe
Token: SeIncBasePriorityPrivilege	1548	{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe
Token: SeIncBasePriorityPrivilege	2880	{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe
Token: SeIncBasePriorityPrivilege	2884	{25254AC6-41E7-48b0-BE60-D4253C534F3A}.exe
Token: SeIncBasePriorityPrivilege	1500	{251C23C3-E513-421b-BE51-7758118293AF}.exe
Token: SeIncBasePriorityPrivilege	536	{0C373404-92D6-4191-A277-C11F68D880CF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2688	2136	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe	28
PID 2136 wrote to memory of 2688	2136	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe	28
PID 2136 wrote to memory of 2688	2136	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe	28
PID 2136 wrote to memory of 2688	2136	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe	28
PID 2136 wrote to memory of 2788	2136	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe	29
PID 2136 wrote to memory of 2788	2136	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe	29
PID 2136 wrote to memory of 2788	2136	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe	29
PID 2136 wrote to memory of 2788	2136	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe	29
PID 2688 wrote to memory of 2648	2688	{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe	30
PID 2688 wrote to memory of 2648	2688	{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe	30
PID 2688 wrote to memory of 2648	2688	{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe	30
PID 2688 wrote to memory of 2648	2688	{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe	30
PID 2688 wrote to memory of 2672	2688	{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe	31
PID 2688 wrote to memory of 2672	2688	{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe	31
PID 2688 wrote to memory of 2672	2688	{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe	31
PID 2688 wrote to memory of 2672	2688	{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe	31
PID 2648 wrote to memory of 2560	2648	{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe	33
PID 2648 wrote to memory of 2560	2648	{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe	33
PID 2648 wrote to memory of 2560	2648	{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe	33
PID 2648 wrote to memory of 2560	2648	{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe	33
PID 2648 wrote to memory of 2712	2648	{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe	35
PID 2648 wrote to memory of 2712	2648	{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe	35
PID 2648 wrote to memory of 2712	2648	{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe	35
PID 2648 wrote to memory of 2712	2648	{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe	35
PID 2560 wrote to memory of 2568	2560	{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe	36
PID 2560 wrote to memory of 2568	2560	{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe	36
PID 2560 wrote to memory of 2568	2560	{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe	36
PID 2560 wrote to memory of 2568	2560	{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe	36
PID 2560 wrote to memory of 3024	2560	{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe	37
PID 2560 wrote to memory of 3024	2560	{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe	37
PID 2560 wrote to memory of 3024	2560	{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe	37
PID 2560 wrote to memory of 3024	2560	{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe	37
PID 2568 wrote to memory of 2080	2568	{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe	38
PID 2568 wrote to memory of 2080	2568	{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe	38
PID 2568 wrote to memory of 2080	2568	{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe	38
PID 2568 wrote to memory of 2080	2568	{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe	38
PID 2568 wrote to memory of 3040	2568	{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe	39
PID 2568 wrote to memory of 3040	2568	{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe	39
PID 2568 wrote to memory of 3040	2568	{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe	39
PID 2568 wrote to memory of 3040	2568	{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe	39
PID 2080 wrote to memory of 1548	2080	{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe	40
PID 2080 wrote to memory of 1548	2080	{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe	40
PID 2080 wrote to memory of 1548	2080	{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe	40
PID 2080 wrote to memory of 1548	2080	{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe	40
PID 2080 wrote to memory of 2832	2080	{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe	41
PID 2080 wrote to memory of 2832	2080	{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe	41
PID 2080 wrote to memory of 2832	2080	{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe	41
PID 2080 wrote to memory of 2832	2080	{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe	41
PID 1548 wrote to memory of 2880	1548	{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe	42
PID 1548 wrote to memory of 2880	1548	{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe	42
PID 1548 wrote to memory of 2880	1548	{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe	42
PID 1548 wrote to memory of 2880	1548	{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe	42
PID 1548 wrote to memory of 2904	1548	{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe	43
PID 1548 wrote to memory of 2904	1548	{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe	43
PID 1548 wrote to memory of 2904	1548	{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe	43
PID 1548 wrote to memory of 2904	1548	{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe	43
PID 2880 wrote to memory of 2884	2880	{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe	44
PID 2880 wrote to memory of 2884	2880	{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe	44
PID 2880 wrote to memory of 2884	2880	{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe	44
PID 2880 wrote to memory of 2884	2880	{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe	44
PID 2880 wrote to memory of 2260	2880	{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe	45
PID 2880 wrote to memory of 2260	2880	{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe	45
PID 2880 wrote to memory of 2260	2880	{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe	45
PID 2880 wrote to memory of 2260	2880	{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe
  C:\Windows\{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe
    C:\Windows\{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe
      C:\Windows\{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe
        
        C:\Windows\{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe
        
        C:\Windows\{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe
        
        C:\Windows\{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe
        
        C:\Windows\{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\{25254AC6-41E7-48b0-BE60-D4253C534F3A}.exe
        
        C:\Windows\{25254AC6-41E7-48b0-BE60-D4253C534F3A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\{251C23C3-E513-421b-BE51-7758118293AF}.exe
        
        C:\Windows\{251C23C3-E513-421b-BE51-7758118293AF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\{0C373404-92D6-4191-A277-C11F68D880CF}.exe
        
        C:\Windows\{0C373404-92D6-4191-A277-C11F68D880CF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\{27565BEA-A3F2-40cd-9B47-436B9E12942C}.exe
        
        C:\Windows\{27565BEA-A3F2-40cd-9B47-436B9E12942C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C373~1.EXE > nul
        12⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{251C2~1.EXE > nul
        11⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25254~1.EXE > nul
        10⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A542A~1.EXE > nul
        9⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{139BF~1.EXE > nul
        8⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C22D~1.EXE > nul
        7⤵
        
        PID:2832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27666~1.EXE > nul
        6⤵
        
        PID:3040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F53C~1.EXE > nul
        5⤵
        
        PID:3024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{97194~1.EXE > nul
      4⤵
      PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8DD71~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe

Filesize
180KB

MD5
25632421e32a0f668d4872fc5e65e0d0

SHA1
80f4f66ef08a74a30ac472f7816cab1992454964

SHA256
8b6d98073555e84dcfb24bd9f93acf4bc7eebcaf55687cab9995039fc2b99a60

SHA512
d9fa72280578945af253762094c1ddb573d130b01b59d6f9331bcd05d603e87f524248055dd05c5459f9e37af989d7d1c81d6f69dd63878bf432b9a2b0a651b7

Download Submit
C:\Windows\{0C22D54F-DBC5-4f3e-9353-36F87F9AE6E3}.exe

Filesize
180KB

MD5
25632421e32a0f668d4872fc5e65e0d0

SHA1
80f4f66ef08a74a30ac472f7816cab1992454964

SHA256
8b6d98073555e84dcfb24bd9f93acf4bc7eebcaf55687cab9995039fc2b99a60

SHA512
d9fa72280578945af253762094c1ddb573d130b01b59d6f9331bcd05d603e87f524248055dd05c5459f9e37af989d7d1c81d6f69dd63878bf432b9a2b0a651b7

Download Submit
C:\Windows\{0C373404-92D6-4191-A277-C11F68D880CF}.exe

Filesize
180KB

MD5
3760e93492688f1d2366f4050b480bde

SHA1
8e43ee178474c6e8798b3bea55640d89ce821b22

SHA256
f72020b0505234d673e678178c901f897152c4f214a17d1d5d598edb6649fc4d

SHA512
2c01e6a592c6c86c4bcd23759b68d3f607a0ee2da8c22550ed67d9b62cdd61a3c68ae015453ead3d0f828ab50d4fcfa374bd6d37d8a168ff93f8e444b1dad388

Download Submit
C:\Windows\{0C373404-92D6-4191-A277-C11F68D880CF}.exe

Filesize
180KB

MD5
3760e93492688f1d2366f4050b480bde

SHA1
8e43ee178474c6e8798b3bea55640d89ce821b22

SHA256
f72020b0505234d673e678178c901f897152c4f214a17d1d5d598edb6649fc4d

SHA512
2c01e6a592c6c86c4bcd23759b68d3f607a0ee2da8c22550ed67d9b62cdd61a3c68ae015453ead3d0f828ab50d4fcfa374bd6d37d8a168ff93f8e444b1dad388

Download Submit
C:\Windows\{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe

Filesize
180KB

MD5
407d0e21950eae658af037f0829bb578

SHA1
68ffb98ed927fbe35dc28452c35829d58a7aa63c

SHA256
dc368da7cd43d0f15cd2bb288839cf8ea4929008fd16f423cfd55e3e1cb81b69

SHA512
d0c882e7c83c8f4077fc2256232ec8237c0f04310a6e45ba831d84df7323f57b579afadb81bcb0f58bac5c8141b43f3213189bb8ee6376ed39d417037b54ea8d

Download Submit
C:\Windows\{139BFEFC-94ED-45e1-BBF0-C0C0CFC78F42}.exe

Filesize
180KB

MD5
407d0e21950eae658af037f0829bb578

SHA1
68ffb98ed927fbe35dc28452c35829d58a7aa63c

SHA256
dc368da7cd43d0f15cd2bb288839cf8ea4929008fd16f423cfd55e3e1cb81b69

SHA512
d0c882e7c83c8f4077fc2256232ec8237c0f04310a6e45ba831d84df7323f57b579afadb81bcb0f58bac5c8141b43f3213189bb8ee6376ed39d417037b54ea8d

Download Submit
C:\Windows\{251C23C3-E513-421b-BE51-7758118293AF}.exe

Filesize
180KB

MD5
c0e113ddf8bb908408de72c229c4b905

SHA1
b7797f8811b47e9e89fcf9b8d2191c233554a2aa

SHA256
7298486fd3e6d35fce9289044e4c3a931d59b9573386fe28d9a30c4497900222

SHA512
6938c7b9e5f53f5351bd9e3eac6d605e57504dabf12202f6de30507c88d3689523b6d3b039c9cedba25d5a5faf26fe826876c338d78661d4cb8bdf9e32719734

Download Submit
C:\Windows\{251C23C3-E513-421b-BE51-7758118293AF}.exe

Filesize
180KB

MD5
c0e113ddf8bb908408de72c229c4b905

SHA1
b7797f8811b47e9e89fcf9b8d2191c233554a2aa

SHA256
7298486fd3e6d35fce9289044e4c3a931d59b9573386fe28d9a30c4497900222

SHA512
6938c7b9e5f53f5351bd9e3eac6d605e57504dabf12202f6de30507c88d3689523b6d3b039c9cedba25d5a5faf26fe826876c338d78661d4cb8bdf9e32719734

Download Submit
C:\Windows\{25254AC6-41E7-48b0-BE60-D4253C534F3A}.exe

Filesize
180KB

MD5
2ee430611ec2627acb26724170e2f9cd

SHA1
5aff533d6e13575a3c568f9b5370635d6cfd2ddc

SHA256
25d9f9e03479301baca7bfa63bfe411c558a129f8580cd5e5eb46ff6b9871b48

SHA512
cbe56acd88e8062b4a00f66b39a81732b7e139bc99c53f9c9166e5ab0b59b91cddcc2d563978a79d4d4f044c9efe3e725aa085e78f50845fe9c0f6c3d29060ea

Download Submit
C:\Windows\{25254AC6-41E7-48b0-BE60-D4253C534F3A}.exe

Filesize
180KB

MD5
2ee430611ec2627acb26724170e2f9cd

SHA1
5aff533d6e13575a3c568f9b5370635d6cfd2ddc

SHA256
25d9f9e03479301baca7bfa63bfe411c558a129f8580cd5e5eb46ff6b9871b48

SHA512
cbe56acd88e8062b4a00f66b39a81732b7e139bc99c53f9c9166e5ab0b59b91cddcc2d563978a79d4d4f044c9efe3e725aa085e78f50845fe9c0f6c3d29060ea

Download Submit
C:\Windows\{27565BEA-A3F2-40cd-9B47-436B9E12942C}.exe

Filesize
180KB

MD5
a46177d37f8ee9d52eff860b797f5160

SHA1
c0a3cb0c26aaee15d905b34f17eb2ed47f28a92e

SHA256
b0915b971876d9c91c3ab208a65209e57d5825b48277fa576b71fb8a8fd2e577

SHA512
a646c2734723dc881e3a9bddce1ab7f499e421d063fefe8fa8085a12bd2ca0b4700c3ebe08208dd421a28e68aa26553a3555c167984c68d05cf319ddc1afddf7

Download Submit
C:\Windows\{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe

Filesize
180KB

MD5
a4ec278c9ce94c6dff734ac7da8b5ea4

SHA1
a9a95639d2823bac82c33405ce5130141c9b49e0

SHA256
8121646593d8709432adb6e236266ce94abf8d7addfdf292d4daf1f32f3df073

SHA512
9e7193ac38e8a090982d098116ca23824522adb94e311beac701dc00149cf11b14e22455d48f1d2728b01875b1775fd7fadc81d4ee996ccd189e984496581d5c

Download Submit
C:\Windows\{2766621C-0E47-45e1-AED0-3B700E3A6676}.exe

Filesize
180KB

MD5
a4ec278c9ce94c6dff734ac7da8b5ea4

SHA1
a9a95639d2823bac82c33405ce5130141c9b49e0

SHA256
8121646593d8709432adb6e236266ce94abf8d7addfdf292d4daf1f32f3df073

SHA512
9e7193ac38e8a090982d098116ca23824522adb94e311beac701dc00149cf11b14e22455d48f1d2728b01875b1775fd7fadc81d4ee996ccd189e984496581d5c

Download Submit
C:\Windows\{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe

Filesize
180KB

MD5
61b026b4396779b19d607c50e4e6e96b

SHA1
314e14eaac81784ef012b42bb2cfeca764f723fd

SHA256
91b77c7c6ba722b4a03b678fedfd7f5ad2085f7b651b226e7ede5eb8cc4a09bb

SHA512
c68a228f191dd953068883167acf7fc4f5f48e9eab3523e28a6bc5cf2aa18d1382255249824e3aaeba17a9004e6adbdf59580d5a7fa00d5cc33e9f3966116901

Download Submit
C:\Windows\{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe

Filesize
180KB

MD5
61b026b4396779b19d607c50e4e6e96b

SHA1
314e14eaac81784ef012b42bb2cfeca764f723fd

SHA256
91b77c7c6ba722b4a03b678fedfd7f5ad2085f7b651b226e7ede5eb8cc4a09bb

SHA512
c68a228f191dd953068883167acf7fc4f5f48e9eab3523e28a6bc5cf2aa18d1382255249824e3aaeba17a9004e6adbdf59580d5a7fa00d5cc33e9f3966116901

Download Submit
C:\Windows\{8DD71F8A-BA09-49f3-8CA5-FD66BC40DA8F}.exe

Filesize
180KB

MD5
61b026b4396779b19d607c50e4e6e96b

SHA1
314e14eaac81784ef012b42bb2cfeca764f723fd

SHA256
91b77c7c6ba722b4a03b678fedfd7f5ad2085f7b651b226e7ede5eb8cc4a09bb

SHA512
c68a228f191dd953068883167acf7fc4f5f48e9eab3523e28a6bc5cf2aa18d1382255249824e3aaeba17a9004e6adbdf59580d5a7fa00d5cc33e9f3966116901

Download Submit
C:\Windows\{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe

Filesize
180KB

MD5
69c77e5ff1ae9a4514b255c57c066e19

SHA1
39ff0d090e072f00ba6eb2aeaabee9956811aeb5

SHA256
e9f28ea9fba4f550aef29a03d8e403e03b1114fe155df5d04c6d1e185cdc86b4

SHA512
790000a92076c3b446ad5966c6428e52e777fcb93ebeed071550a2656d9b09b3a5c7184afce84d6ee3379373300ca7f39544ee7a46a9fbe3f087c21ec9daa1b7

Download Submit
C:\Windows\{97194E6B-B691-4aba-8BE9-38BABE232E5F}.exe

Filesize
180KB

MD5
69c77e5ff1ae9a4514b255c57c066e19

SHA1
39ff0d090e072f00ba6eb2aeaabee9956811aeb5

SHA256
e9f28ea9fba4f550aef29a03d8e403e03b1114fe155df5d04c6d1e185cdc86b4

SHA512
790000a92076c3b446ad5966c6428e52e777fcb93ebeed071550a2656d9b09b3a5c7184afce84d6ee3379373300ca7f39544ee7a46a9fbe3f087c21ec9daa1b7

Download Submit
C:\Windows\{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe

Filesize
180KB

MD5
f5712a2881e96fea57e046087d6ea813

SHA1
85bbfb040f0d56303b6f34ead278bbf81da3c1cc

SHA256
1e6fe40bdfb165e1792fad82149d2e86d605ae692fe24881d93d0f78c2120c9d

SHA512
80add1b97c396150431da199fe3255de55082b62e086d1cf19390ca556be3b10930dd05d2c932eb3ef4a3ef8beb27c093afe0d9e0c8da5d97a1f9ecec7937448

Download Submit
C:\Windows\{9F53C2F4-B0DF-410f-B9F8-A1AB063093D3}.exe

Filesize
180KB

MD5
f5712a2881e96fea57e046087d6ea813

SHA1
85bbfb040f0d56303b6f34ead278bbf81da3c1cc

SHA256
1e6fe40bdfb165e1792fad82149d2e86d605ae692fe24881d93d0f78c2120c9d

SHA512
80add1b97c396150431da199fe3255de55082b62e086d1cf19390ca556be3b10930dd05d2c932eb3ef4a3ef8beb27c093afe0d9e0c8da5d97a1f9ecec7937448

Download Submit
C:\Windows\{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe

Filesize
180KB

MD5
254a36634ec7d30bce98490b2247a284

SHA1
0f273c47993736363fab32b2001f275c39420d46

SHA256
77e40265ccc1c1e4ceb99d0eb7742b6f2f78b782ca41eda85360c8c132359ed4

SHA512
6f08239b2b5d446c8b081e25e598a4699e156c014b6d140716f9833d44256942a52edfb79b98f329521db75b835d44b152cacd9bf915957b8eb0a8fa4fbd2534

Download Submit
C:\Windows\{A542A89A-1FD6-4e6a-A433-6B8116D5E1A3}.exe

Filesize
180KB

MD5
254a36634ec7d30bce98490b2247a284

SHA1
0f273c47993736363fab32b2001f275c39420d46

SHA256
77e40265ccc1c1e4ceb99d0eb7742b6f2f78b782ca41eda85360c8c132359ed4

SHA512
6f08239b2b5d446c8b081e25e598a4699e156c014b6d140716f9833d44256942a52edfb79b98f329521db75b835d44b152cacd9bf915957b8eb0a8fa4fbd2534

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads