e0edb12f8049d29dd7f4236440d8e4d441c3d88db5580b3ca452c0cd86b7b2fc

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2023, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe
Size

180KB
MD5

a2b2562fe4da69f1a9d0564471abb379
SHA1

301b5c102d502c0a1e8deab1220a2d911586760b
SHA256

e0edb12f8049d29dd7f4236440d8e4d441c3d88db5580b3ca452c0cd86b7b2fc
SHA512

5446303b913264c3a148f646bedf8b0d0eb634e27e0a39f99382617784f0a6377731ef70ec2ee30508a356d25fa94c98afabbf4f5fc7619a3fb1e270a572bf81
SSDEEP

3072:jEGh0o2lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGQl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}\stubpath = "C:\\Windows\\{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe"	{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E241E27-402C-4b24-8005-2E3296EA9345}	{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{915175EF-1596-4a12-BBD0-467F82006711}\stubpath = "C:\\Windows\\{915175EF-1596-4a12-BBD0-467F82006711}.exe"	{3E241E27-402C-4b24-8005-2E3296EA9345}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F52AF956-9A7D-4f33-AD60-B4FC57642B18}\stubpath = "C:\\Windows\\{F52AF956-9A7D-4f33-AD60-B4FC57642B18}.exe"	{915175EF-1596-4a12-BBD0-467F82006711}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67F33F04-D7DB-4d75-839A-443012BB8DF1}\stubpath = "C:\\Windows\\{67F33F04-D7DB-4d75-839A-443012BB8DF1}.exe"	{88BD2A7F-3028-4b6e-A731-A1A32E4481A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97865511-6560-4067-A26D-4F03D3615712}\stubpath = "C:\\Windows\\{97865511-6560-4067-A26D-4F03D3615712}.exe"	{97398082-AB0E-4917-BC02-8FAA15A40873}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97865511-6560-4067-A26D-4F03D3615712}	{97398082-AB0E-4917-BC02-8FAA15A40873}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37F71177-5E3B-46c9-AD84-B2D966F57EA3}	{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}	{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97398082-AB0E-4917-BC02-8FAA15A40873}	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37F71177-5E3B-46c9-AD84-B2D966F57EA3}\stubpath = "C:\\Windows\\{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe"	{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{915175EF-1596-4a12-BBD0-467F82006711}	{3E241E27-402C-4b24-8005-2E3296EA9345}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97398082-AB0E-4917-BC02-8FAA15A40873}\stubpath = "C:\\Windows\\{97398082-AB0E-4917-BC02-8FAA15A40873}.exe"	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}\stubpath = "C:\\Windows\\{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe"	{97865511-6560-4067-A26D-4F03D3615712}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}	{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}\stubpath = "C:\\Windows\\{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe"	{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}	{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}\stubpath = "C:\\Windows\\{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe"	{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E241E27-402C-4b24-8005-2E3296EA9345}\stubpath = "C:\\Windows\\{3E241E27-402C-4b24-8005-2E3296EA9345}.exe"	{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F52AF956-9A7D-4f33-AD60-B4FC57642B18}	{915175EF-1596-4a12-BBD0-467F82006711}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}	{97865511-6560-4067-A26D-4F03D3615712}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88BD2A7F-3028-4b6e-A731-A1A32E4481A9}\stubpath = "C:\\Windows\\{88BD2A7F-3028-4b6e-A731-A1A32E4481A9}.exe"	{F52AF956-9A7D-4f33-AD60-B4FC57642B18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67F33F04-D7DB-4d75-839A-443012BB8DF1}	{88BD2A7F-3028-4b6e-A731-A1A32E4481A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88BD2A7F-3028-4b6e-A731-A1A32E4481A9}	{F52AF956-9A7D-4f33-AD60-B4FC57642B18}.exe

Executes dropped EXE 11 IoCs

pid	Process
1560	{97398082-AB0E-4917-BC02-8FAA15A40873}.exe
2036	{97865511-6560-4067-A26D-4F03D3615712}.exe
1992	{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe
4164	{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe
5112	{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe
4800	{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe
4440	{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe
4352	{3E241E27-402C-4b24-8005-2E3296EA9345}.exe
1076	{915175EF-1596-4a12-BBD0-467F82006711}.exe
1808	{F52AF956-9A7D-4f33-AD60-B4FC57642B18}.exe
4992	{88BD2A7F-3028-4b6e-A731-A1A32E4481A9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{97398082-AB0E-4917-BC02-8FAA15A40873}.exe	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe
File created	C:\Windows\{97865511-6560-4067-A26D-4F03D3615712}.exe	{97398082-AB0E-4917-BC02-8FAA15A40873}.exe
File created	C:\Windows\{915175EF-1596-4a12-BBD0-467F82006711}.exe	{3E241E27-402C-4b24-8005-2E3296EA9345}.exe
File created	C:\Windows\{F52AF956-9A7D-4f33-AD60-B4FC57642B18}.exe	{915175EF-1596-4a12-BBD0-467F82006711}.exe
File created	C:\Windows\{88BD2A7F-3028-4b6e-A731-A1A32E4481A9}.exe	{F52AF956-9A7D-4f33-AD60-B4FC57642B18}.exe
File created	C:\Windows\{3E241E27-402C-4b24-8005-2E3296EA9345}.exe	{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe
File created	C:\Windows\{67F33F04-D7DB-4d75-839A-443012BB8DF1}.exe	{88BD2A7F-3028-4b6e-A731-A1A32E4481A9}.exe
File created	C:\Windows\{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe	{97865511-6560-4067-A26D-4F03D3615712}.exe
File created	C:\Windows\{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe	{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe
File created	C:\Windows\{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe	{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe
File created	C:\Windows\{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe	{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe
File created	C:\Windows\{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe	{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3128	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1560	{97398082-AB0E-4917-BC02-8FAA15A40873}.exe
Token: SeIncBasePriorityPrivilege	2036	{97865511-6560-4067-A26D-4F03D3615712}.exe
Token: SeIncBasePriorityPrivilege	1992	{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe
Token: SeIncBasePriorityPrivilege	4164	{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe
Token: SeIncBasePriorityPrivilege	5112	{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe
Token: SeIncBasePriorityPrivilege	4800	{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe
Token: SeIncBasePriorityPrivilege	4440	{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe
Token: SeIncBasePriorityPrivilege	4352	{3E241E27-402C-4b24-8005-2E3296EA9345}.exe
Token: SeIncBasePriorityPrivilege	1076	{915175EF-1596-4a12-BBD0-467F82006711}.exe
Token: SeIncBasePriorityPrivilege	1808	{F52AF956-9A7D-4f33-AD60-B4FC57642B18}.exe
Token: SeIncBasePriorityPrivilege	4992	{88BD2A7F-3028-4b6e-A731-A1A32E4481A9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 1560	3128	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe	94
PID 3128 wrote to memory of 1560	3128	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe	94
PID 3128 wrote to memory of 1560	3128	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe	94
PID 3128 wrote to memory of 3968	3128	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe	95
PID 3128 wrote to memory of 3968	3128	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe	95
PID 3128 wrote to memory of 3968	3128	NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe	95
PID 1560 wrote to memory of 2036	1560	{97398082-AB0E-4917-BC02-8FAA15A40873}.exe	96
PID 1560 wrote to memory of 2036	1560	{97398082-AB0E-4917-BC02-8FAA15A40873}.exe	96
PID 1560 wrote to memory of 2036	1560	{97398082-AB0E-4917-BC02-8FAA15A40873}.exe	96
PID 1560 wrote to memory of 4944	1560	{97398082-AB0E-4917-BC02-8FAA15A40873}.exe	97
PID 1560 wrote to memory of 4944	1560	{97398082-AB0E-4917-BC02-8FAA15A40873}.exe	97
PID 1560 wrote to memory of 4944	1560	{97398082-AB0E-4917-BC02-8FAA15A40873}.exe	97
PID 2036 wrote to memory of 1992	2036	{97865511-6560-4067-A26D-4F03D3615712}.exe	102
PID 2036 wrote to memory of 1992	2036	{97865511-6560-4067-A26D-4F03D3615712}.exe	102
PID 2036 wrote to memory of 1992	2036	{97865511-6560-4067-A26D-4F03D3615712}.exe	102
PID 2036 wrote to memory of 2400	2036	{97865511-6560-4067-A26D-4F03D3615712}.exe	100
PID 2036 wrote to memory of 2400	2036	{97865511-6560-4067-A26D-4F03D3615712}.exe	100
PID 2036 wrote to memory of 2400	2036	{97865511-6560-4067-A26D-4F03D3615712}.exe	100
PID 1992 wrote to memory of 4164	1992	{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe	108
PID 1992 wrote to memory of 4164	1992	{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe	108
PID 1992 wrote to memory of 4164	1992	{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe	108
PID 1992 wrote to memory of 2068	1992	{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe	109
PID 1992 wrote to memory of 2068	1992	{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe	109
PID 1992 wrote to memory of 2068	1992	{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe	109
PID 4164 wrote to memory of 5112	4164	{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe	110
PID 4164 wrote to memory of 5112	4164	{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe	110
PID 4164 wrote to memory of 5112	4164	{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe	110
PID 4164 wrote to memory of 4336	4164	{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe	111
PID 4164 wrote to memory of 4336	4164	{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe	111
PID 4164 wrote to memory of 4336	4164	{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe	111
PID 5112 wrote to memory of 4800	5112	{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe	113
PID 5112 wrote to memory of 4800	5112	{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe	113
PID 5112 wrote to memory of 4800	5112	{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe	113
PID 5112 wrote to memory of 1560	5112	{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe	114
PID 5112 wrote to memory of 1560	5112	{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe	114
PID 5112 wrote to memory of 1560	5112	{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe	114
PID 4800 wrote to memory of 4440	4800	{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe	115
PID 4800 wrote to memory of 4440	4800	{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe	115
PID 4800 wrote to memory of 4440	4800	{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe	115
PID 4800 wrote to memory of 3956	4800	{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe	116
PID 4800 wrote to memory of 3956	4800	{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe	116
PID 4800 wrote to memory of 3956	4800	{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe	116
PID 4440 wrote to memory of 4352	4440	{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe	117
PID 4440 wrote to memory of 4352	4440	{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe	117
PID 4440 wrote to memory of 4352	4440	{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe	117
PID 4440 wrote to memory of 4636	4440	{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe	118
PID 4440 wrote to memory of 4636	4440	{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe	118
PID 4440 wrote to memory of 4636	4440	{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe	118
PID 4352 wrote to memory of 1076	4352	{3E241E27-402C-4b24-8005-2E3296EA9345}.exe	119
PID 4352 wrote to memory of 1076	4352	{3E241E27-402C-4b24-8005-2E3296EA9345}.exe	119
PID 4352 wrote to memory of 1076	4352	{3E241E27-402C-4b24-8005-2E3296EA9345}.exe	119
PID 4352 wrote to memory of 3144	4352	{3E241E27-402C-4b24-8005-2E3296EA9345}.exe	120
PID 4352 wrote to memory of 3144	4352	{3E241E27-402C-4b24-8005-2E3296EA9345}.exe	120
PID 4352 wrote to memory of 3144	4352	{3E241E27-402C-4b24-8005-2E3296EA9345}.exe	120
PID 1076 wrote to memory of 1808	1076	{915175EF-1596-4a12-BBD0-467F82006711}.exe	121
PID 1076 wrote to memory of 1808	1076	{915175EF-1596-4a12-BBD0-467F82006711}.exe	121
PID 1076 wrote to memory of 1808	1076	{915175EF-1596-4a12-BBD0-467F82006711}.exe	121
PID 1076 wrote to memory of 3012	1076	{915175EF-1596-4a12-BBD0-467F82006711}.exe	122
PID 1076 wrote to memory of 3012	1076	{915175EF-1596-4a12-BBD0-467F82006711}.exe	122
PID 1076 wrote to memory of 3012	1076	{915175EF-1596-4a12-BBD0-467F82006711}.exe	122
PID 1808 wrote to memory of 4992	1808	{F52AF956-9A7D-4f33-AD60-B4FC57642B18}.exe	123
PID 1808 wrote to memory of 4992	1808	{F52AF956-9A7D-4f33-AD60-B4FC57642B18}.exe	123
PID 1808 wrote to memory of 4992	1808	{F52AF956-9A7D-4f33-AD60-B4FC57642B18}.exe	123
PID 1808 wrote to memory of 4840	1808	{F52AF956-9A7D-4f33-AD60-B4FC57642B18}.exe	124

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_a2b2562fe4da69f1a9d0564471abb379_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\{97398082-AB0E-4917-BC02-8FAA15A40873}.exe
  C:\Windows\{97398082-AB0E-4917-BC02-8FAA15A40873}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\{97865511-6560-4067-A26D-4F03D3615712}.exe
    C:\Windows\{97865511-6560-4067-A26D-4F03D3615712}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{97865~1.EXE > nul
      4⤵
      PID:2400
  - - C:\Windows\{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe
      C:\Windows\{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe
        
        C:\Windows\{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4164
      - C:\Windows\{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe
        
        C:\Windows\{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe
        
        C:\Windows\{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe
        
        C:\Windows\{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\{3E241E27-402C-4b24-8005-2E3296EA9345}.exe
        
        C:\Windows\{3E241E27-402C-4b24-8005-2E3296EA9345}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\{915175EF-1596-4a12-BBD0-467F82006711}.exe
        
        C:\Windows\{915175EF-1596-4a12-BBD0-467F82006711}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\{F52AF956-9A7D-4f33-AD60-B4FC57642B18}.exe
        
        C:\Windows\{F52AF956-9A7D-4f33-AD60-B4FC57642B18}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{88BD2A7F-3028-4b6e-A731-A1A32E4481A9}.exe
        
        C:\Windows\{88BD2A7F-3028-4b6e-A731-A1A32E4481A9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
        
        C:\Windows\{67F33F04-D7DB-4d75-839A-443012BB8DF1}.exe
        
        C:\Windows\{67F33F04-D7DB-4d75-839A-443012BB8DF1}.exe
        13⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F52AF~1.EXE > nul
        12⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91517~1.EXE > nul
        11⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E241~1.EXE > nul
        10⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADCF0~1.EXE > nul
        9⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CC8A~1.EXE > nul
        8⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDDEA~1.EXE > nul
        7⤵
        
        PID:1560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37F71~1.EXE > nul
        6⤵
        
        PID:4336
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E972D~1.EXE > nul
        5⤵
        
        PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{97398~1.EXE > nul
    3⤵
    PID:4944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe

Filesize
180KB

MD5
411f7a3166c1268178554713dc371ec6

SHA1
b65e08ff1728c26a3a847407b9bf5352b09d8569

SHA256
73569a94d3937e4cac9062a8b013f453034d9583f604deca5eebe2cbfbc5b16e

SHA512
3ddfdef0e4a0e662273bd171f4e071b5297a1fa022ca87e278de2d139490b90beb2d95744a065489df41b763375d62469fd140a7537afb0d25553c7bf47a3c7d

Download Submit
C:\Windows\{37F71177-5E3B-46c9-AD84-B2D966F57EA3}.exe

Filesize
180KB

MD5
411f7a3166c1268178554713dc371ec6

SHA1
b65e08ff1728c26a3a847407b9bf5352b09d8569

SHA256
73569a94d3937e4cac9062a8b013f453034d9583f604deca5eebe2cbfbc5b16e

SHA512
3ddfdef0e4a0e662273bd171f4e071b5297a1fa022ca87e278de2d139490b90beb2d95744a065489df41b763375d62469fd140a7537afb0d25553c7bf47a3c7d

Download Submit
C:\Windows\{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe

Filesize
180KB

MD5
1b8855e74fcac2def7c454404bc97573

SHA1
8ce16e991bf6165906c21c96e453b920eaf066a2

SHA256
afbb51a78538db3c2fb40a3165e79e185418174adeeac8b47bfbbfca51c9edb7

SHA512
63ed93fde513ad52f0aae5de29d9dd987a74c34ba173e49317b2274eedf7a2607c07033604fcd0ac31ec34636425921655f53bb9346157156d3c1f730136a2c4

Download Submit
C:\Windows\{3CC8AFA7-0175-4a96-84D3-6D9013ABDD97}.exe

Filesize
180KB

MD5
1b8855e74fcac2def7c454404bc97573

SHA1
8ce16e991bf6165906c21c96e453b920eaf066a2

SHA256
afbb51a78538db3c2fb40a3165e79e185418174adeeac8b47bfbbfca51c9edb7

SHA512
63ed93fde513ad52f0aae5de29d9dd987a74c34ba173e49317b2274eedf7a2607c07033604fcd0ac31ec34636425921655f53bb9346157156d3c1f730136a2c4

Download Submit
C:\Windows\{3E241E27-402C-4b24-8005-2E3296EA9345}.exe

Filesize
180KB

MD5
f9bc94b0ba0cf7aa1b0198ce89342166

SHA1
34636a3dceea5d3df57bcdb7926f8d06f825af94

SHA256
c6b16e3fd53d1e1f971c6bb82eba4e3beaf02590655060fdb15fb48a5b44926c

SHA512
2eddee7dbf09ae89753961d1c65308c1a0497af28621823533ec7d0a4c38dfc8bba6e8aa3ce0dbecbfbe2040e992f01b1fbcf87994349ad570b4f93bd1972ad7

Download Submit
C:\Windows\{3E241E27-402C-4b24-8005-2E3296EA9345}.exe

Filesize
180KB

MD5
f9bc94b0ba0cf7aa1b0198ce89342166

SHA1
34636a3dceea5d3df57bcdb7926f8d06f825af94

SHA256
c6b16e3fd53d1e1f971c6bb82eba4e3beaf02590655060fdb15fb48a5b44926c

SHA512
2eddee7dbf09ae89753961d1c65308c1a0497af28621823533ec7d0a4c38dfc8bba6e8aa3ce0dbecbfbe2040e992f01b1fbcf87994349ad570b4f93bd1972ad7

Download Submit
C:\Windows\{88BD2A7F-3028-4b6e-A731-A1A32E4481A9}.exe

Filesize
180KB

MD5
238a381ee3d3cfbf39bde5510ebd34da

SHA1
aa909b35573a1f2cd77715671b2c9f4f0b9d258e

SHA256
77c88bcd88f29a6b2dd8d5de1bfba9702398462aaafab4a6c49fa672ab7d55b0

SHA512
74cb0194d8a20c7a0dfc9a13cf69e1c6cc6b4374325e3e1625025a329204135f67bfda3a1f071f566c16b34c3cc2a986a877c53788888c0552de55b84dcc6f8e

Download Submit
C:\Windows\{88BD2A7F-3028-4b6e-A731-A1A32E4481A9}.exe

Filesize
180KB

MD5
238a381ee3d3cfbf39bde5510ebd34da

SHA1
aa909b35573a1f2cd77715671b2c9f4f0b9d258e

SHA256
77c88bcd88f29a6b2dd8d5de1bfba9702398462aaafab4a6c49fa672ab7d55b0

SHA512
74cb0194d8a20c7a0dfc9a13cf69e1c6cc6b4374325e3e1625025a329204135f67bfda3a1f071f566c16b34c3cc2a986a877c53788888c0552de55b84dcc6f8e

Download Submit
C:\Windows\{915175EF-1596-4a12-BBD0-467F82006711}.exe

Filesize
180KB

MD5
1052c9283354a2c11f4465c642064b88

SHA1
dd1e71890ab8a9673f7184101f1a7fc540b67853

SHA256
79ad4b50fa9bbe433d0d81984dc7f08a8b8e40b2b115e105a7ed43ee6f3f5c3b

SHA512
a0b7f07f5321af7a067ce2d0c26781590262115c208ce7c1df655d5c283a7c3c0a60718de3eff07b593a1fac3a59718eae6b4a9cf7f620fbc22504ca2db42339

Download Submit
C:\Windows\{915175EF-1596-4a12-BBD0-467F82006711}.exe

Filesize
180KB

MD5
1052c9283354a2c11f4465c642064b88

SHA1
dd1e71890ab8a9673f7184101f1a7fc540b67853

SHA256
79ad4b50fa9bbe433d0d81984dc7f08a8b8e40b2b115e105a7ed43ee6f3f5c3b

SHA512
a0b7f07f5321af7a067ce2d0c26781590262115c208ce7c1df655d5c283a7c3c0a60718de3eff07b593a1fac3a59718eae6b4a9cf7f620fbc22504ca2db42339

Download Submit
C:\Windows\{97398082-AB0E-4917-BC02-8FAA15A40873}.exe

Filesize
180KB

MD5
022b3b0e985c0a4758b17c0f10ce85e3

SHA1
5ba624d2e3f50c705a688737cbbc050349c5d078

SHA256
5b8d04794e1036859d2855decc7630fa3b214547c34c42ae33fbe4ae3b6325fc

SHA512
51d44db32dd4363304f9a874619f7ce21499b0b3c41f470a4496ded76e4dd620ff7d2e91aace02dcdad71beacb1c8d4dda5e762cbf1b9bd3a86e002e96aef7f1

Download Submit
C:\Windows\{97398082-AB0E-4917-BC02-8FAA15A40873}.exe

Filesize
180KB

MD5
022b3b0e985c0a4758b17c0f10ce85e3

SHA1
5ba624d2e3f50c705a688737cbbc050349c5d078

SHA256
5b8d04794e1036859d2855decc7630fa3b214547c34c42ae33fbe4ae3b6325fc

SHA512
51d44db32dd4363304f9a874619f7ce21499b0b3c41f470a4496ded76e4dd620ff7d2e91aace02dcdad71beacb1c8d4dda5e762cbf1b9bd3a86e002e96aef7f1

Download Submit
C:\Windows\{97865511-6560-4067-A26D-4F03D3615712}.exe

Filesize
180KB

MD5
ea4a29c0438221a3a1b4c2619bc5a1b7

SHA1
a0e5fc783d7f2b8292d50f92b03f82041d86257e

SHA256
ae90a8492a900dc32c6fa4e3fe6b0a0b8e206725f73657f3df8c557eec92af9b

SHA512
f7c298edf26bf0b443a576d4fe1bbe8d8ca71ca30dbd38eb6daed4b61cd358f741b599ec2a3e33fbc2767c5b66adb921463a492c399dc9d54692c570136638e9

Download Submit
C:\Windows\{97865511-6560-4067-A26D-4F03D3615712}.exe

Filesize
180KB

MD5
ea4a29c0438221a3a1b4c2619bc5a1b7

SHA1
a0e5fc783d7f2b8292d50f92b03f82041d86257e

SHA256
ae90a8492a900dc32c6fa4e3fe6b0a0b8e206725f73657f3df8c557eec92af9b

SHA512
f7c298edf26bf0b443a576d4fe1bbe8d8ca71ca30dbd38eb6daed4b61cd358f741b599ec2a3e33fbc2767c5b66adb921463a492c399dc9d54692c570136638e9

Download Submit
C:\Windows\{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe

Filesize
180KB

MD5
7002c37d0c24245be0c7f0f5a1c917a0

SHA1
4fb4e6d792b168e3ff2cb7b4fc180b37e1e2d1d5

SHA256
ddfea5601222e7cd4ce72beafcebbe55ddd3ec673d03a42a502279242b28c76c

SHA512
9dcfc677cba2da38c4661fcd075360d25b642ec913fd23d714acdb05c45cb0229b279c10207e95f6c78d25634340db46de121826b535d385adfb81df7c34a4e8

Download Submit
C:\Windows\{ADCF0802-2723-498d-B6DE-C366A2C1EBC9}.exe

Filesize
180KB

MD5
7002c37d0c24245be0c7f0f5a1c917a0

SHA1
4fb4e6d792b168e3ff2cb7b4fc180b37e1e2d1d5

SHA256
ddfea5601222e7cd4ce72beafcebbe55ddd3ec673d03a42a502279242b28c76c

SHA512
9dcfc677cba2da38c4661fcd075360d25b642ec913fd23d714acdb05c45cb0229b279c10207e95f6c78d25634340db46de121826b535d385adfb81df7c34a4e8

Download Submit
C:\Windows\{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe

Filesize
180KB

MD5
d9d337ee4d76e3fa45238c1ce8af4b89

SHA1
da065b90aac9e943c94d110cba4449553adf3641

SHA256
b211fb79d9b0559b60755a1ba83cc0cf74ed7a5993a21409af9cba45b0dff9a7

SHA512
9b28c9c9d2e52ced576abe5c83dec9c9953817485674dcf30790d548b3a260aaeb42e443838e71d3fd4f42d4ef397cd68d21f8c36a6ccdf8ea166e3187925e6a

Download Submit
C:\Windows\{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe

Filesize
180KB

MD5
d9d337ee4d76e3fa45238c1ce8af4b89

SHA1
da065b90aac9e943c94d110cba4449553adf3641

SHA256
b211fb79d9b0559b60755a1ba83cc0cf74ed7a5993a21409af9cba45b0dff9a7

SHA512
9b28c9c9d2e52ced576abe5c83dec9c9953817485674dcf30790d548b3a260aaeb42e443838e71d3fd4f42d4ef397cd68d21f8c36a6ccdf8ea166e3187925e6a

Download Submit
C:\Windows\{E972D17C-66F8-4e7c-BB73-05F4B4109B9E}.exe

Filesize
180KB

MD5
d9d337ee4d76e3fa45238c1ce8af4b89

SHA1
da065b90aac9e943c94d110cba4449553adf3641

SHA256
b211fb79d9b0559b60755a1ba83cc0cf74ed7a5993a21409af9cba45b0dff9a7

SHA512
9b28c9c9d2e52ced576abe5c83dec9c9953817485674dcf30790d548b3a260aaeb42e443838e71d3fd4f42d4ef397cd68d21f8c36a6ccdf8ea166e3187925e6a

Download Submit
C:\Windows\{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe

Filesize
180KB

MD5
66d999371745f789235ed2eedc375186

SHA1
759dfd7264736922223fdf7f880218f75a63d980

SHA256
daed900569dcadd4aae656b85626052866e47f719d9bc610301e073142693828

SHA512
d71e50509553daa92840ebbd0f501f9c64d2581c107c7b93b2228cfce4485c6fab4b96f576e6e822aa6021fb2dbb37bb3e237622eb76fabc300b1cf2cee245a4

Download Submit
C:\Windows\{EDDEA2B5-0E19-4ca9-A4B3-B5175F05C58B}.exe

Filesize
180KB

MD5
66d999371745f789235ed2eedc375186

SHA1
759dfd7264736922223fdf7f880218f75a63d980

SHA256
daed900569dcadd4aae656b85626052866e47f719d9bc610301e073142693828

SHA512
d71e50509553daa92840ebbd0f501f9c64d2581c107c7b93b2228cfce4485c6fab4b96f576e6e822aa6021fb2dbb37bb3e237622eb76fabc300b1cf2cee245a4

Download Submit
C:\Windows\{F52AF956-9A7D-4f33-AD60-B4FC57642B18}.exe

Filesize
180KB

MD5
a68171108415a4a98229fec2709425bd

SHA1
6d77e19709dea2588490a9288cf35c6bc95e2859

SHA256
91add554fa74eb5ae6891ae7b0a96ce7dc9ac0232856e559a6af8269dc4203af

SHA512
76350d26ad87591bbd51af5283b975829b26c93e393160ff2964a77067b976f91a9f5d6ac48e2faa5b1ccdfcd5f472bbedf935cb2c2080356e1820cea42c0212

Download Submit
C:\Windows\{F52AF956-9A7D-4f33-AD60-B4FC57642B18}.exe

Filesize
180KB

MD5
a68171108415a4a98229fec2709425bd

SHA1
6d77e19709dea2588490a9288cf35c6bc95e2859

SHA256
91add554fa74eb5ae6891ae7b0a96ce7dc9ac0232856e559a6af8269dc4203af

SHA512
76350d26ad87591bbd51af5283b975829b26c93e393160ff2964a77067b976f91a9f5d6ac48e2faa5b1ccdfcd5f472bbedf935cb2c2080356e1820cea42c0212

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads