844906e4e94df3e2350274116ef1c84b205212bf21d617c2f7631870931e3519

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
06/11/2023, 20:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-27_4afa3a61db7bca21a58eb1a8f68e4226_goldeneye.exe
Size

180KB
MD5

4afa3a61db7bca21a58eb1a8f68e4226
SHA1

2118305b56efeff45ea36176aa9e578ea5174d15
SHA256

844906e4e94df3e2350274116ef1c84b205212bf21d617c2f7631870931e3519
SHA512

32278016e236d2abb7e6313b4b9e69fe887cc9f57ec6c8570f24f653779573abe04a3808758f2e23f825aabb88bf1b982fa1cad8c97ad1dfded360a6bde3ee58
SSDEEP

3072:jEGh0oOlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGMl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F47CED7-BAFE-4034-AD45-878F03B2027A}	{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}	{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C99291DE-5491-4056-9577-6CE537468B67}	{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C99291DE-5491-4056-9577-6CE537468B67}\stubpath = "C:\\Windows\\{C99291DE-5491-4056-9577-6CE537468B67}.exe"	{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C73AB67-F988-4b58-A342-F68C1D9A2E61}	{C99291DE-5491-4056-9577-6CE537468B67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{548D8F6D-FE85-4922-AE48-628C29E4C6DE}	{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}	NEAS.2023-09-27_4afa3a61db7bca21a58eb1a8f68e4226_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}	{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C75A438C-0FAD-4ce6-80AC-2EA18C9C905A}\stubpath = "C:\\Windows\\{C75A438C-0FAD-4ce6-80AC-2EA18C9C905A}.exe"	{BCBCE7CB-101A-4e9f-AABE-2B8829396DA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CBA82F8-1FA1-4085-A0E4-DAE830133A93}\stubpath = "C:\\Windows\\{2CBA82F8-1FA1-4085-A0E4-DAE830133A93}.exe"	{C75A438C-0FAD-4ce6-80AC-2EA18C9C905A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12F4E001-C69E-4818-83EC-7896F4FEE862}\stubpath = "C:\\Windows\\{12F4E001-C69E-4818-83EC-7896F4FEE862}.exe"	{2CBA82F8-1FA1-4085-A0E4-DAE830133A93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{548D8F6D-FE85-4922-AE48-628C29E4C6DE}\stubpath = "C:\\Windows\\{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe"	{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C75A438C-0FAD-4ce6-80AC-2EA18C9C905A}	{BCBCE7CB-101A-4e9f-AABE-2B8829396DA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}\stubpath = "C:\\Windows\\{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe"	{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C73AB67-F988-4b58-A342-F68C1D9A2E61}\stubpath = "C:\\Windows\\{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe"	{C99291DE-5491-4056-9577-6CE537468B67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CBA82F8-1FA1-4085-A0E4-DAE830133A93}	{C75A438C-0FAD-4ce6-80AC-2EA18C9C905A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12F4E001-C69E-4818-83EC-7896F4FEE862}	{2CBA82F8-1FA1-4085-A0E4-DAE830133A93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}\stubpath = "C:\\Windows\\{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe"	NEAS.2023-09-27_4afa3a61db7bca21a58eb1a8f68e4226_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}\stubpath = "C:\\Windows\\{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe"	{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCBCE7CB-101A-4e9f-AABE-2B8829396DA7}\stubpath = "C:\\Windows\\{BCBCE7CB-101A-4e9f-AABE-2B8829396DA7}.exe"	{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F47CED7-BAFE-4034-AD45-878F03B2027A}\stubpath = "C:\\Windows\\{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe"	{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCBCE7CB-101A-4e9f-AABE-2B8829396DA7}	{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe

Deletes itself 1 IoCs

pid	Process
2388	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2212	{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe
1076	{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe
2144	{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe
2504	{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe
2816	{C99291DE-5491-4056-9577-6CE537468B67}.exe
2756	{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe
2568	{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe
1204	{BCBCE7CB-101A-4e9f-AABE-2B8829396DA7}.exe
2788	{C75A438C-0FAD-4ce6-80AC-2EA18C9C905A}.exe
2000	{2CBA82F8-1FA1-4085-A0E4-DAE830133A93}.exe
2016	{12F4E001-C69E-4818-83EC-7896F4FEE862}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe	{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe
File created	C:\Windows\{BCBCE7CB-101A-4e9f-AABE-2B8829396DA7}.exe	{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe
File created	C:\Windows\{2CBA82F8-1FA1-4085-A0E4-DAE830133A93}.exe	{C75A438C-0FAD-4ce6-80AC-2EA18C9C905A}.exe
File created	C:\Windows\{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe	NEAS.2023-09-27_4afa3a61db7bca21a58eb1a8f68e4226_goldeneye.exe
File created	C:\Windows\{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe	{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe
File created	C:\Windows\{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe	{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe
File created	C:\Windows\{C99291DE-5491-4056-9577-6CE537468B67}.exe	{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe
File created	C:\Windows\{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe	{C99291DE-5491-4056-9577-6CE537468B67}.exe
File created	C:\Windows\{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe	{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe
File created	C:\Windows\{C75A438C-0FAD-4ce6-80AC-2EA18C9C905A}.exe	{BCBCE7CB-101A-4e9f-AABE-2B8829396DA7}.exe
File created	C:\Windows\{12F4E001-C69E-4818-83EC-7896F4FEE862}.exe	{2CBA82F8-1FA1-4085-A0E4-DAE830133A93}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2944	NEAS.2023-09-27_4afa3a61db7bca21a58eb1a8f68e4226_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2212	{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe
Token: SeIncBasePriorityPrivilege	1076	{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe
Token: SeIncBasePriorityPrivilege	2144	{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe
Token: SeIncBasePriorityPrivilege	2504	{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe
Token: SeIncBasePriorityPrivilege	2816	{C99291DE-5491-4056-9577-6CE537468B67}.exe
Token: SeIncBasePriorityPrivilege	2756	{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe
Token: SeIncBasePriorityPrivilege	2568	{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe
Token: SeIncBasePriorityPrivilege	1204	{BCBCE7CB-101A-4e9f-AABE-2B8829396DA7}.exe
Token: SeIncBasePriorityPrivilege	2788	{C75A438C-0FAD-4ce6-80AC-2EA18C9C905A}.exe
Token: SeIncBasePriorityPrivilege	2000	{2CBA82F8-1FA1-4085-A0E4-DAE830133A93}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2212	2944	NEAS.2023-09-27_4afa3a61db7bca21a58eb1a8f68e4226_goldeneye.exe	28
PID 2944 wrote to memory of 2212	2944	NEAS.2023-09-27_4afa3a61db7bca21a58eb1a8f68e4226_goldeneye.exe	28
PID 2944 wrote to memory of 2212	2944	NEAS.2023-09-27_4afa3a61db7bca21a58eb1a8f68e4226_goldeneye.exe	28
PID 2944 wrote to memory of 2212	2944	NEAS.2023-09-27_4afa3a61db7bca21a58eb1a8f68e4226_goldeneye.exe	28
PID 2944 wrote to memory of 2388	2944	NEAS.2023-09-27_4afa3a61db7bca21a58eb1a8f68e4226_goldeneye.exe	29
PID 2944 wrote to memory of 2388	2944	NEAS.2023-09-27_4afa3a61db7bca21a58eb1a8f68e4226_goldeneye.exe	29
PID 2944 wrote to memory of 2388	2944	NEAS.2023-09-27_4afa3a61db7bca21a58eb1a8f68e4226_goldeneye.exe	29
PID 2944 wrote to memory of 2388	2944	NEAS.2023-09-27_4afa3a61db7bca21a58eb1a8f68e4226_goldeneye.exe	29
PID 2212 wrote to memory of 1076	2212	{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe	30
PID 2212 wrote to memory of 1076	2212	{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe	30
PID 2212 wrote to memory of 1076	2212	{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe	30
PID 2212 wrote to memory of 1076	2212	{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe	30
PID 2212 wrote to memory of 2588	2212	{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe	31
PID 2212 wrote to memory of 2588	2212	{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe	31
PID 2212 wrote to memory of 2588	2212	{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe	31
PID 2212 wrote to memory of 2588	2212	{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe	31
PID 1076 wrote to memory of 2144	1076	{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe	32
PID 1076 wrote to memory of 2144	1076	{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe	32
PID 1076 wrote to memory of 2144	1076	{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe	32
PID 1076 wrote to memory of 2144	1076	{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe	32
PID 1076 wrote to memory of 2644	1076	{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe	33
PID 1076 wrote to memory of 2644	1076	{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe	33
PID 1076 wrote to memory of 2644	1076	{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe	33
PID 1076 wrote to memory of 2644	1076	{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe	33
PID 2144 wrote to memory of 2504	2144	{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe	36
PID 2144 wrote to memory of 2504	2144	{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe	36
PID 2144 wrote to memory of 2504	2144	{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe	36
PID 2144 wrote to memory of 2504	2144	{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe	36
PID 2144 wrote to memory of 2656	2144	{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe	37
PID 2144 wrote to memory of 2656	2144	{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe	37
PID 2144 wrote to memory of 2656	2144	{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe	37
PID 2144 wrote to memory of 2656	2144	{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe	37
PID 2504 wrote to memory of 2816	2504	{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe	38
PID 2504 wrote to memory of 2816	2504	{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe	38
PID 2504 wrote to memory of 2816	2504	{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe	38
PID 2504 wrote to memory of 2816	2504	{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe	38
PID 2504 wrote to memory of 2632	2504	{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe	39
PID 2504 wrote to memory of 2632	2504	{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe	39
PID 2504 wrote to memory of 2632	2504	{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe	39
PID 2504 wrote to memory of 2632	2504	{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe	39
PID 2816 wrote to memory of 2756	2816	{C99291DE-5491-4056-9577-6CE537468B67}.exe	40
PID 2816 wrote to memory of 2756	2816	{C99291DE-5491-4056-9577-6CE537468B67}.exe	40
PID 2816 wrote to memory of 2756	2816	{C99291DE-5491-4056-9577-6CE537468B67}.exe	40
PID 2816 wrote to memory of 2756	2816	{C99291DE-5491-4056-9577-6CE537468B67}.exe	40
PID 2816 wrote to memory of 2492	2816	{C99291DE-5491-4056-9577-6CE537468B67}.exe	41
PID 2816 wrote to memory of 2492	2816	{C99291DE-5491-4056-9577-6CE537468B67}.exe	41
PID 2816 wrote to memory of 2492	2816	{C99291DE-5491-4056-9577-6CE537468B67}.exe	41
PID 2816 wrote to memory of 2492	2816	{C99291DE-5491-4056-9577-6CE537468B67}.exe	41
PID 2756 wrote to memory of 2568	2756	{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe	42
PID 2756 wrote to memory of 2568	2756	{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe	42
PID 2756 wrote to memory of 2568	2756	{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe	42
PID 2756 wrote to memory of 2568	2756	{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe	42
PID 2756 wrote to memory of 2984	2756	{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe	43
PID 2756 wrote to memory of 2984	2756	{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe	43
PID 2756 wrote to memory of 2984	2756	{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe	43
PID 2756 wrote to memory of 2984	2756	{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe	43
PID 2568 wrote to memory of 1204	2568	{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe	44
PID 2568 wrote to memory of 1204	2568	{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe	44
PID 2568 wrote to memory of 1204	2568	{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe	44
PID 2568 wrote to memory of 1204	2568	{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe	44
PID 2568 wrote to memory of 1784	2568	{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe	45
PID 2568 wrote to memory of 1784	2568	{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe	45
PID 2568 wrote to memory of 1784	2568	{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe	45
PID 2568 wrote to memory of 1784	2568	{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_4afa3a61db7bca21a58eb1a8f68e4226_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-27_4afa3a61db7bca21a58eb1a8f68e4226_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe
  C:\Windows\{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe
    C:\Windows\{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe
      C:\Windows\{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe
        
        C:\Windows\{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\{C99291DE-5491-4056-9577-6CE537468B67}.exe
        
        C:\Windows\{C99291DE-5491-4056-9577-6CE537468B67}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe
        
        C:\Windows\{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe
        
        C:\Windows\{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\{BCBCE7CB-101A-4e9f-AABE-2B8829396DA7}.exe
        
        C:\Windows\{BCBCE7CB-101A-4e9f-AABE-2B8829396DA7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\{C75A438C-0FAD-4ce6-80AC-2EA18C9C905A}.exe
        
        C:\Windows\{C75A438C-0FAD-4ce6-80AC-2EA18C9C905A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\{2CBA82F8-1FA1-4085-A0E4-DAE830133A93}.exe
        
        C:\Windows\{2CBA82F8-1FA1-4085-A0E4-DAE830133A93}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\{12F4E001-C69E-4818-83EC-7896F4FEE862}.exe
        
        C:\Windows\{12F4E001-C69E-4818-83EC-7896F4FEE862}.exe
        12⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CBA8~1.EXE > nul
        12⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C75A4~1.EXE > nul
        11⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCBCE~1.EXE > nul
        10⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{548D8~1.EXE > nul
        9⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C73A~1.EXE > nul
        8⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9929~1.EXE > nul
        7⤵
        
        PID:2492
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{986D6~1.EXE > nul
        6⤵
        
        PID:2632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F47C~1.EXE > nul
        5⤵
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9C884~1.EXE > nul
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AFA94~1.EXE > nul
    3⤵
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12F4E001-C69E-4818-83EC-7896F4FEE862}.exe

Filesize
180KB

MD5
8be998b3aac99a7fd15270b6686b78cf

SHA1
1a7103e10326998355ba3e42ba0a48582864050b

SHA256
e2f6d89fa789a8f9112e7994313699ed9ffb0e92389f3c09f6963dee45b4a5c6

SHA512
054dad9f5e50af589a5c3307e5a5ac36d96b7f6cd0c27cc5d893718d5b7745f0df2ff38f397b1c7adf8dd7e4dd2c79d53569a032008210af2290f7c38d6db990

Download Submit
C:\Windows\{2CBA82F8-1FA1-4085-A0E4-DAE830133A93}.exe

Filesize
180KB

MD5
857e4e633e445e6e70b57379f04f0ad5

SHA1
e6674c8a225180b5299f3314cf5bd8a2ec348df6

SHA256
58bfead62a38f74f61d9bedc908b1727fbf69bb55287d5d5b324031d6d158124

SHA512
1cb3f43ed083ed49f5036983437de1730628fd09f352106ee8af65ec3ab9d277c1e432ed570257a2913b7e2f190e7a44025b4a878ec0258eac060a98496955bf

Download Submit
C:\Windows\{2CBA82F8-1FA1-4085-A0E4-DAE830133A93}.exe

Filesize
180KB

MD5
857e4e633e445e6e70b57379f04f0ad5

SHA1
e6674c8a225180b5299f3314cf5bd8a2ec348df6

SHA256
58bfead62a38f74f61d9bedc908b1727fbf69bb55287d5d5b324031d6d158124

SHA512
1cb3f43ed083ed49f5036983437de1730628fd09f352106ee8af65ec3ab9d277c1e432ed570257a2913b7e2f190e7a44025b4a878ec0258eac060a98496955bf

Download Submit
C:\Windows\{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe

Filesize
180KB

MD5
d5ed6a4bb597a11b5ee2fc656515191c

SHA1
ba60f0a1e21d2626c9bec38cf5682141633dd68c

SHA256
4718b652b19e46eca3ab2c42556ef49b221f2667069b1727b0eb5096f16dad86

SHA512
4e25cbee4a711633ab5c7faa23b4d36335ebb4f296fa319ac8114b61ea0d1a85b4b4530587242fa6049bd7b326cbcc628c8fe26c44a1248dd36a834f002e0b52

Download Submit
C:\Windows\{548D8F6D-FE85-4922-AE48-628C29E4C6DE}.exe

Filesize
180KB

MD5
d5ed6a4bb597a11b5ee2fc656515191c

SHA1
ba60f0a1e21d2626c9bec38cf5682141633dd68c

SHA256
4718b652b19e46eca3ab2c42556ef49b221f2667069b1727b0eb5096f16dad86

SHA512
4e25cbee4a711633ab5c7faa23b4d36335ebb4f296fa319ac8114b61ea0d1a85b4b4530587242fa6049bd7b326cbcc628c8fe26c44a1248dd36a834f002e0b52

Download Submit
C:\Windows\{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe

Filesize
180KB

MD5
ce9d8145fb22ebfc5730d288b7839f48

SHA1
ff9608f8c3f75fdc304fa55547a9eed67fa8f255

SHA256
7208546d40d8b390df4bbebecdedc0c50e0179791450bcdf455ac1096e81ff03

SHA512
9cdce876b982ef4818c4e77dcee77724bb67e077bca32d33357c49e495408128c9ebb3507ef1c76d1b71dbcce5a28cd1e33654db66935299c93228348c853e38

Download Submit
C:\Windows\{5C73AB67-F988-4b58-A342-F68C1D9A2E61}.exe

Filesize
180KB

MD5
ce9d8145fb22ebfc5730d288b7839f48

SHA1
ff9608f8c3f75fdc304fa55547a9eed67fa8f255

SHA256
7208546d40d8b390df4bbebecdedc0c50e0179791450bcdf455ac1096e81ff03

SHA512
9cdce876b982ef4818c4e77dcee77724bb67e077bca32d33357c49e495408128c9ebb3507ef1c76d1b71dbcce5a28cd1e33654db66935299c93228348c853e38

Download Submit
C:\Windows\{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe

Filesize
180KB

MD5
5537f7be1f448d0ec8e8adddd75ce700

SHA1
ada51337b8c93f553f2e85b68c3d7b9c24a176d9

SHA256
42426ae88b994931e970172ee64aa4ca9532ea62010a70d58f1e561fbaf14893

SHA512
ed940d1679f7381bca6e88852a8ab472a8a9a3f3f09a8cbb56fac4857e00c8ec8dac3620dfc70fdba8a646aadcb26d7930a615c4d365ded9f247fd2a15e1cfdd

Download Submit
C:\Windows\{7F47CED7-BAFE-4034-AD45-878F03B2027A}.exe

Filesize
180KB

MD5
5537f7be1f448d0ec8e8adddd75ce700

SHA1
ada51337b8c93f553f2e85b68c3d7b9c24a176d9

SHA256
42426ae88b994931e970172ee64aa4ca9532ea62010a70d58f1e561fbaf14893

SHA512
ed940d1679f7381bca6e88852a8ab472a8a9a3f3f09a8cbb56fac4857e00c8ec8dac3620dfc70fdba8a646aadcb26d7930a615c4d365ded9f247fd2a15e1cfdd

Download Submit
C:\Windows\{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe

Filesize
180KB

MD5
75e18ff46ff66e8ce396b291ab332fe5

SHA1
4a1b71f3fab91676e47c9289fc640a6c35e18939

SHA256
ce6e078c66977ef9e9d5edbd7c874bf67fa8073fa0fbb8e1893e6e940ba693da

SHA512
b0350a3dec342c0421b822f9601ca3a81a3af03dd555ff95576c689fca72be0dae2e816adbcadb48003764141f14fd83ab62085a60def864a8a6868226f48331

Download Submit
C:\Windows\{986D625D-FB58-4dfe-AEDE-F2B1CF1DE5AC}.exe

Filesize
180KB

MD5
75e18ff46ff66e8ce396b291ab332fe5

SHA1
4a1b71f3fab91676e47c9289fc640a6c35e18939

SHA256
ce6e078c66977ef9e9d5edbd7c874bf67fa8073fa0fbb8e1893e6e940ba693da

SHA512
b0350a3dec342c0421b822f9601ca3a81a3af03dd555ff95576c689fca72be0dae2e816adbcadb48003764141f14fd83ab62085a60def864a8a6868226f48331

Download Submit
C:\Windows\{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe

Filesize
180KB

MD5
b34d5e5f136e3aeaf3cc1c65195b6ac8

SHA1
d4db65cc84b4c4ed5f4dba2275bbb8c6e26c3666

SHA256
c830040577b16187f1ffb1f3db54e50ff005ba150bb7052bba877d76f3e216c1

SHA512
d641c9365e959aec01198c23b9af35fae880e24b9c3256deaf7c96ceb28a20c2d0fc428a29b5d86e1fe23063009e632133e36263e385aeed241d6f853956a5f6

Download Submit
C:\Windows\{9C884FCA-A9E8-440b-8D8B-F71227A0FC90}.exe

Filesize
180KB

MD5
b34d5e5f136e3aeaf3cc1c65195b6ac8

SHA1
d4db65cc84b4c4ed5f4dba2275bbb8c6e26c3666

SHA256
c830040577b16187f1ffb1f3db54e50ff005ba150bb7052bba877d76f3e216c1

SHA512
d641c9365e959aec01198c23b9af35fae880e24b9c3256deaf7c96ceb28a20c2d0fc428a29b5d86e1fe23063009e632133e36263e385aeed241d6f853956a5f6

Download Submit
C:\Windows\{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe

Filesize
180KB

MD5
d3605f57a6cf1ef4acee42c94fade4a7

SHA1
cb184f07520cee47476af36acbffb5ffda105060

SHA256
1388d74b04dcd43b7a3aef050a8454c3ef68e8885d338f703ae5a45e7083cbc6

SHA512
0a34e229c6e89500e732fab8c40c69d49535194ad39224ec16b652102ce8e8fb0e1ebdd1b09fecc45b31087647b0c3b2808c65606f584aa0d615731ffd0c2618

Download Submit
C:\Windows\{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe

Filesize
180KB

MD5
d3605f57a6cf1ef4acee42c94fade4a7

SHA1
cb184f07520cee47476af36acbffb5ffda105060

SHA256
1388d74b04dcd43b7a3aef050a8454c3ef68e8885d338f703ae5a45e7083cbc6

SHA512
0a34e229c6e89500e732fab8c40c69d49535194ad39224ec16b652102ce8e8fb0e1ebdd1b09fecc45b31087647b0c3b2808c65606f584aa0d615731ffd0c2618

Download Submit
C:\Windows\{AFA941A2-98CB-4ec3-A2C1-DB14C9DCBE2E}.exe

Filesize
180KB

MD5
d3605f57a6cf1ef4acee42c94fade4a7

SHA1
cb184f07520cee47476af36acbffb5ffda105060

SHA256
1388d74b04dcd43b7a3aef050a8454c3ef68e8885d338f703ae5a45e7083cbc6

SHA512
0a34e229c6e89500e732fab8c40c69d49535194ad39224ec16b652102ce8e8fb0e1ebdd1b09fecc45b31087647b0c3b2808c65606f584aa0d615731ffd0c2618

Download Submit
C:\Windows\{BCBCE7CB-101A-4e9f-AABE-2B8829396DA7}.exe

Filesize
180KB

MD5
5b10af8dc3308f1a339c318426e569b9

SHA1
9187859ae9275e91d48d3bdb8ecabaabad806f72

SHA256
628bf4a876e5a6300e1675b6c1d8627cb706f207e5f4560ffbacfb3bc7f9b899

SHA512
8d1f0bbd3033122197e1dbcb6f5b4e866725de34a93a92d63216ed9260c8a3352268450c0a2e0a9b295a7785422f751653f6d14fa52a2e1cbf1eaac5127269ca

Download Submit
C:\Windows\{BCBCE7CB-101A-4e9f-AABE-2B8829396DA7}.exe

Filesize
180KB

MD5
5b10af8dc3308f1a339c318426e569b9

SHA1
9187859ae9275e91d48d3bdb8ecabaabad806f72

SHA256
628bf4a876e5a6300e1675b6c1d8627cb706f207e5f4560ffbacfb3bc7f9b899

SHA512
8d1f0bbd3033122197e1dbcb6f5b4e866725de34a93a92d63216ed9260c8a3352268450c0a2e0a9b295a7785422f751653f6d14fa52a2e1cbf1eaac5127269ca

Download Submit
C:\Windows\{C75A438C-0FAD-4ce6-80AC-2EA18C9C905A}.exe

Filesize
180KB

MD5
135a197d6cfbaa97abebccb41df75b1e

SHA1
3fd5ef1e4aee851f46d4ed7d29e4b1be6b4a32a9

SHA256
70de057b67575a329bf5bd20d61c0c5751fa4410efa0a23da59537f5da20a20b

SHA512
691cf14ed0ecb0c78524947eb18fb844a203812904b6a0cdbe1613f8042bc3435143234ba27ad03ed38d1ac02c67117cab4fb8b59d47bc0f5558a8a3512eab3a

Download Submit
C:\Windows\{C75A438C-0FAD-4ce6-80AC-2EA18C9C905A}.exe

Filesize
180KB

MD5
135a197d6cfbaa97abebccb41df75b1e

SHA1
3fd5ef1e4aee851f46d4ed7d29e4b1be6b4a32a9

SHA256
70de057b67575a329bf5bd20d61c0c5751fa4410efa0a23da59537f5da20a20b

SHA512
691cf14ed0ecb0c78524947eb18fb844a203812904b6a0cdbe1613f8042bc3435143234ba27ad03ed38d1ac02c67117cab4fb8b59d47bc0f5558a8a3512eab3a

Download Submit
C:\Windows\{C99291DE-5491-4056-9577-6CE537468B67}.exe

Filesize
180KB

MD5
755ad6504fe67241ab1770a616f02251

SHA1
a0f04d7abf7657f42de655d584e4e01bcb338f0c

SHA256
e791f93abadab05dcbeb15d54998ca28d5acb352497b5bedb7c1253aab95c67f

SHA512
3aebcdbeff8bb04a039a324382b144e9dddbf966cedf29798728decc723bc9e60cc9f7ee61e5e2d8963effad8dba31a7895eea7a46ccd138b7453eaa01122193

Download Submit
C:\Windows\{C99291DE-5491-4056-9577-6CE537468B67}.exe

Filesize
180KB

MD5
755ad6504fe67241ab1770a616f02251

SHA1
a0f04d7abf7657f42de655d584e4e01bcb338f0c

SHA256
e791f93abadab05dcbeb15d54998ca28d5acb352497b5bedb7c1253aab95c67f

SHA512
3aebcdbeff8bb04a039a324382b144e9dddbf966cedf29798728decc723bc9e60cc9f7ee61e5e2d8963effad8dba31a7895eea7a46ccd138b7453eaa01122193

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads