0e4f5f5267176f3bf1304fb6e61826191544f3be03f130e041143f1cc55d736a

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
06-11-2023 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe
Size

168KB
MD5

7d1abdf04fa94d5bdb72126e0d61b4d2
SHA1

506fffb5f13b91c5787db9e76d3995469ad63d2a
SHA256

0e4f5f5267176f3bf1304fb6e61826191544f3be03f130e041143f1cc55d736a
SHA512

a44d5431b35a44c398f074d1c6d47c1e27ee230b0cf1010a0a28a1ff5a3948b439256f1fb5cb538b1c984d613c58c86a32b5f4805b700d35dfc488f09707631f
SSDEEP

1536:1EGh0oylq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oylqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAAE5059-5F3A-431f-92E3-D388F942F506}	{8DDCF7F6-361D-42db-A733-A3FF3E0973E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3CB91B3-62AA-4fc7-A278-86A3139043C8}\stubpath = "C:\\Windows\\{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe"	{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B59F11C6-DC96-41b3-8142-00CB5246F77F}\stubpath = "C:\\Windows\\{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe"	{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}\stubpath = "C:\\Windows\\{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe"	{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A3AB33D-8466-47a0-BB01-08A8A1160204}\stubpath = "C:\\Windows\\{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe"	{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5792C62E-8FBB-4096-9A06-CA82185DDBAB}\stubpath = "C:\\Windows\\{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe"	{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{471305E5-9322-4169-B1BD-18087593D51B}	{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{471305E5-9322-4169-B1BD-18087593D51B}\stubpath = "C:\\Windows\\{471305E5-9322-4169-B1BD-18087593D51B}.exe"	{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DDCF7F6-361D-42db-A733-A3FF3E0973E1}\stubpath = "C:\\Windows\\{8DDCF7F6-361D-42db-A733-A3FF3E0973E1}.exe"	{471305E5-9322-4169-B1BD-18087593D51B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}\stubpath = "C:\\Windows\\{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe"	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4A1D025-03BB-4bca-BDB3-139A927F2581}	{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4A1D025-03BB-4bca-BDB3-139A927F2581}\stubpath = "C:\\Windows\\{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe"	{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4A5F61B-3DDF-4c73-800D-53416A6049AD}	{DAAE5059-5F3A-431f-92E3-D388F942F506}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B59F11C6-DC96-41b3-8142-00CB5246F77F}	{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A3AB33D-8466-47a0-BB01-08A8A1160204}	{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5792C62E-8FBB-4096-9A06-CA82185DDBAB}	{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DDCF7F6-361D-42db-A733-A3FF3E0973E1}	{471305E5-9322-4169-B1BD-18087593D51B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAAE5059-5F3A-431f-92E3-D388F942F506}\stubpath = "C:\\Windows\\{DAAE5059-5F3A-431f-92E3-D388F942F506}.exe"	{8DDCF7F6-361D-42db-A733-A3FF3E0973E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4A5F61B-3DDF-4c73-800D-53416A6049AD}\stubpath = "C:\\Windows\\{D4A5F61B-3DDF-4c73-800D-53416A6049AD}.exe"	{DAAE5059-5F3A-431f-92E3-D388F942F506}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3CB91B3-62AA-4fc7-A278-86A3139043C8}	{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}	{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe

Deletes itself 1 IoCs

pid	Process
2192	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1700	{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe
2840	{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe
2868	{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe
2648	{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe
2624	{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe
2644	{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe
1616	{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe
2804	{471305E5-9322-4169-B1BD-18087593D51B}.exe
1832	{8DDCF7F6-361D-42db-A733-A3FF3E0973E1}.exe
1284	{DAAE5059-5F3A-431f-92E3-D388F942F506}.exe
2256	{D4A5F61B-3DDF-4c73-800D-53416A6049AD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe	{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe
File created	C:\Windows\{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe	{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe
File created	C:\Windows\{DAAE5059-5F3A-431f-92E3-D388F942F506}.exe	{8DDCF7F6-361D-42db-A733-A3FF3E0973E1}.exe
File created	C:\Windows\{D4A5F61B-3DDF-4c73-800D-53416A6049AD}.exe	{DAAE5059-5F3A-431f-92E3-D388F942F506}.exe
File created	C:\Windows\{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe	{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe
File created	C:\Windows\{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe	{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe
File created	C:\Windows\{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe	{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe
File created	C:\Windows\{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe	{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe
File created	C:\Windows\{471305E5-9322-4169-B1BD-18087593D51B}.exe	{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe
File created	C:\Windows\{8DDCF7F6-361D-42db-A733-A3FF3E0973E1}.exe	{471305E5-9322-4169-B1BD-18087593D51B}.exe
File created	C:\Windows\{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	288	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1700	{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe
Token: SeIncBasePriorityPrivilege	2840	{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe
Token: SeIncBasePriorityPrivilege	2868	{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe
Token: SeIncBasePriorityPrivilege	2648	{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe
Token: SeIncBasePriorityPrivilege	2624	{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe
Token: SeIncBasePriorityPrivilege	2644	{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe
Token: SeIncBasePriorityPrivilege	1616	{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe
Token: SeIncBasePriorityPrivilege	2804	{471305E5-9322-4169-B1BD-18087593D51B}.exe
Token: SeIncBasePriorityPrivilege	1832	{8DDCF7F6-361D-42db-A733-A3FF3E0973E1}.exe
Token: SeIncBasePriorityPrivilege	1284	{DAAE5059-5F3A-431f-92E3-D388F942F506}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 1700	288	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe	28
PID 288 wrote to memory of 1700	288	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe	28
PID 288 wrote to memory of 1700	288	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe	28
PID 288 wrote to memory of 1700	288	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe	28
PID 288 wrote to memory of 2192	288	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe	29
PID 288 wrote to memory of 2192	288	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe	29
PID 288 wrote to memory of 2192	288	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe	29
PID 288 wrote to memory of 2192	288	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe	29
PID 1700 wrote to memory of 2840	1700	{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe	30
PID 1700 wrote to memory of 2840	1700	{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe	30
PID 1700 wrote to memory of 2840	1700	{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe	30
PID 1700 wrote to memory of 2840	1700	{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe	30
PID 1700 wrote to memory of 2836	1700	{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe	31
PID 1700 wrote to memory of 2836	1700	{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe	31
PID 1700 wrote to memory of 2836	1700	{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe	31
PID 1700 wrote to memory of 2836	1700	{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe	31
PID 2840 wrote to memory of 2868	2840	{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe	32
PID 2840 wrote to memory of 2868	2840	{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe	32
PID 2840 wrote to memory of 2868	2840	{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe	32
PID 2840 wrote to memory of 2868	2840	{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe	32
PID 2840 wrote to memory of 2872	2840	{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe	33
PID 2840 wrote to memory of 2872	2840	{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe	33
PID 2840 wrote to memory of 2872	2840	{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe	33
PID 2840 wrote to memory of 2872	2840	{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe	33
PID 2868 wrote to memory of 2648	2868	{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe	36
PID 2868 wrote to memory of 2648	2868	{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe	36
PID 2868 wrote to memory of 2648	2868	{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe	36
PID 2868 wrote to memory of 2648	2868	{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe	36
PID 2868 wrote to memory of 2596	2868	{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe	37
PID 2868 wrote to memory of 2596	2868	{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe	37
PID 2868 wrote to memory of 2596	2868	{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe	37
PID 2868 wrote to memory of 2596	2868	{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe	37
PID 2648 wrote to memory of 2624	2648	{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe	38
PID 2648 wrote to memory of 2624	2648	{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe	38
PID 2648 wrote to memory of 2624	2648	{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe	38
PID 2648 wrote to memory of 2624	2648	{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe	38
PID 2648 wrote to memory of 2716	2648	{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe	39
PID 2648 wrote to memory of 2716	2648	{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe	39
PID 2648 wrote to memory of 2716	2648	{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe	39
PID 2648 wrote to memory of 2716	2648	{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe	39
PID 2624 wrote to memory of 2644	2624	{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe	40
PID 2624 wrote to memory of 2644	2624	{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe	40
PID 2624 wrote to memory of 2644	2624	{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe	40
PID 2624 wrote to memory of 2644	2624	{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe	40
PID 2624 wrote to memory of 2576	2624	{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe	41
PID 2624 wrote to memory of 2576	2624	{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe	41
PID 2624 wrote to memory of 2576	2624	{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe	41
PID 2624 wrote to memory of 2576	2624	{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe	41
PID 2644 wrote to memory of 1616	2644	{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe	42
PID 2644 wrote to memory of 1616	2644	{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe	42
PID 2644 wrote to memory of 1616	2644	{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe	42
PID 2644 wrote to memory of 1616	2644	{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe	42
PID 2644 wrote to memory of 2664	2644	{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe	43
PID 2644 wrote to memory of 2664	2644	{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe	43
PID 2644 wrote to memory of 2664	2644	{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe	43
PID 2644 wrote to memory of 2664	2644	{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe	43
PID 1616 wrote to memory of 2804	1616	{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe	44
PID 1616 wrote to memory of 2804	1616	{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe	44
PID 1616 wrote to memory of 2804	1616	{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe	44
PID 1616 wrote to memory of 2804	1616	{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe	44
PID 1616 wrote to memory of 2772	1616	{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe	45
PID 1616 wrote to memory of 2772	1616	{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe	45
PID 1616 wrote to memory of 2772	1616	{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe	45
PID 1616 wrote to memory of 2772	1616	{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe	45

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:288
- C:\Windows\{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe
  C:\Windows\{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe
    C:\Windows\{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe
      C:\Windows\{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe
        
        C:\Windows\{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe
        
        C:\Windows\{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe
        
        C:\Windows\{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe
        
        C:\Windows\{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{471305E5-9322-4169-B1BD-18087593D51B}.exe
        
        C:\Windows\{471305E5-9322-4169-B1BD-18087593D51B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\{8DDCF7F6-361D-42db-A733-A3FF3E0973E1}.exe
        
        C:\Windows\{8DDCF7F6-361D-42db-A733-A3FF3E0973E1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\{DAAE5059-5F3A-431f-92E3-D388F942F506}.exe
        
        C:\Windows\{DAAE5059-5F3A-431f-92E3-D388F942F506}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\{D4A5F61B-3DDF-4c73-800D-53416A6049AD}.exe
        
        C:\Windows\{D4A5F61B-3DDF-4c73-800D-53416A6049AD}.exe
        12⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAAE5~1.EXE > nul
        12⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DDCF~1.EXE > nul
        11⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47130~1.EXE > nul
        10⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4A1D~1.EXE > nul
        9⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5792C~1.EXE > nul
        8⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A3AB~1.EXE > nul
        7⤵
        
        PID:2576
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C05CF~1.EXE > nul
        6⤵
        
        PID:2716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B59F1~1.EXE > nul
        5⤵
        
        PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A3CB9~1.EXE > nul
      4⤵
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{479C5~1.EXE > nul
    3⤵
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe

Filesize
168KB

MD5
bab5cd4f64b62417fa6d5956d78be293

SHA1
9e0b42b3dd23560eedc2ee811285a37a03391df1

SHA256
cd6cc844eb5eb2f81e67739ae37f43c6d7ae56125cca576ef1bae7fbe682a4e9

SHA512
e006e5d487483f3ea38f949f9f9ce86bf123b9465a8dee71b9cf277d8a8290ce5cebcc8e3d154e0540baa26064e276ac2d695cf35bc9b31621ff4136de425cd6

Download Submit
C:\Windows\{3A3AB33D-8466-47a0-BB01-08A8A1160204}.exe

Filesize
168KB

MD5
bab5cd4f64b62417fa6d5956d78be293

SHA1
9e0b42b3dd23560eedc2ee811285a37a03391df1

SHA256
cd6cc844eb5eb2f81e67739ae37f43c6d7ae56125cca576ef1bae7fbe682a4e9

SHA512
e006e5d487483f3ea38f949f9f9ce86bf123b9465a8dee71b9cf277d8a8290ce5cebcc8e3d154e0540baa26064e276ac2d695cf35bc9b31621ff4136de425cd6

Download Submit
C:\Windows\{471305E5-9322-4169-B1BD-18087593D51B}.exe

Filesize
168KB

MD5
b0ef14354db705a609b8dd4d172f6500

SHA1
fe66bed6a44a8987f6309a3d6d4b753924023f12

SHA256
2bed321ebd6b8d09fc616b5baeb99d552496d97c2bd36096d4629055d25f7af3

SHA512
d4e231034276a45f5ebf5d17bd2e350badc70f9b663ba7ebdfdd5c2aee5ae64e0ae64536ca54e9950e05211203093adf760ed79cb98a3e7db50aa3ecedcc7653

Download Submit
C:\Windows\{471305E5-9322-4169-B1BD-18087593D51B}.exe

Filesize
168KB

MD5
b0ef14354db705a609b8dd4d172f6500

SHA1
fe66bed6a44a8987f6309a3d6d4b753924023f12

SHA256
2bed321ebd6b8d09fc616b5baeb99d552496d97c2bd36096d4629055d25f7af3

SHA512
d4e231034276a45f5ebf5d17bd2e350badc70f9b663ba7ebdfdd5c2aee5ae64e0ae64536ca54e9950e05211203093adf760ed79cb98a3e7db50aa3ecedcc7653

Download Submit
C:\Windows\{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe

Filesize
168KB

MD5
d5901ef4bab202bbe08ec0328b680bb5

SHA1
373804325af97e41593fef0ace330fb97250e060

SHA256
27660ffabe470911f593c9ff0ac0ac3e41208132e93bce3e3eb508e74ac86a82

SHA512
425469043b0e4cb4088999bd2c1bf8cc13b734ead4135c4751661efca97e15da97b5c0de91db40d41ceee241cecbd07358cd623a292054d6ffa0874d0d14c0d7

Download Submit
C:\Windows\{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe

Filesize
168KB

MD5
d5901ef4bab202bbe08ec0328b680bb5

SHA1
373804325af97e41593fef0ace330fb97250e060

SHA256
27660ffabe470911f593c9ff0ac0ac3e41208132e93bce3e3eb508e74ac86a82

SHA512
425469043b0e4cb4088999bd2c1bf8cc13b734ead4135c4751661efca97e15da97b5c0de91db40d41ceee241cecbd07358cd623a292054d6ffa0874d0d14c0d7

Download Submit
C:\Windows\{479C5CBE-A7A6-4488-A6A5-C1F51E279F74}.exe

Filesize
168KB

MD5
d5901ef4bab202bbe08ec0328b680bb5

SHA1
373804325af97e41593fef0ace330fb97250e060

SHA256
27660ffabe470911f593c9ff0ac0ac3e41208132e93bce3e3eb508e74ac86a82

SHA512
425469043b0e4cb4088999bd2c1bf8cc13b734ead4135c4751661efca97e15da97b5c0de91db40d41ceee241cecbd07358cd623a292054d6ffa0874d0d14c0d7

Download Submit
C:\Windows\{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe

Filesize
168KB

MD5
f42b8ea16f9d843adcbfb5d31a5fb095

SHA1
a03ebd9ff362f09807d70e3b2edc0de65e9d6e6c

SHA256
092641042f12bbbc64cfb12aed09407b430e554cf40d87b84cd2ae6f1d38da13

SHA512
f3eb6936e3205d001cde7989eff8d094dbcdf0b401e6f9db075ec22b3bfae322155c6e37cda946f819ae6ec31652b6f0c56efd2d4a374fa24886fa2163654642

Download Submit
C:\Windows\{5792C62E-8FBB-4096-9A06-CA82185DDBAB}.exe

Filesize
168KB

MD5
f42b8ea16f9d843adcbfb5d31a5fb095

SHA1
a03ebd9ff362f09807d70e3b2edc0de65e9d6e6c

SHA256
092641042f12bbbc64cfb12aed09407b430e554cf40d87b84cd2ae6f1d38da13

SHA512
f3eb6936e3205d001cde7989eff8d094dbcdf0b401e6f9db075ec22b3bfae322155c6e37cda946f819ae6ec31652b6f0c56efd2d4a374fa24886fa2163654642

Download Submit
C:\Windows\{8DDCF7F6-361D-42db-A733-A3FF3E0973E1}.exe

Filesize
168KB

MD5
1639ff68fe2f59c9c16942159782a512

SHA1
39544906ae8463de5531384e117a2ee87f814590

SHA256
150f721936c653f766c980da156297930b633706dc43583896ff7882b9710c0c

SHA512
0a34b5e30223ed80521fe94136d20b39621938637a016be611dd3f1704ce5a97bf4079c3a92cd40da39c93e989e9da2a6a720e0d6f9197fea875ee1c895767af

Download Submit
C:\Windows\{8DDCF7F6-361D-42db-A733-A3FF3E0973E1}.exe

Filesize
168KB

MD5
1639ff68fe2f59c9c16942159782a512

SHA1
39544906ae8463de5531384e117a2ee87f814590

SHA256
150f721936c653f766c980da156297930b633706dc43583896ff7882b9710c0c

SHA512
0a34b5e30223ed80521fe94136d20b39621938637a016be611dd3f1704ce5a97bf4079c3a92cd40da39c93e989e9da2a6a720e0d6f9197fea875ee1c895767af

Download Submit
C:\Windows\{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe

Filesize
168KB

MD5
ecde47476e84b526b04f69115fc69223

SHA1
b5b8280d475c3e69ef35f860247acdbcee288ac1

SHA256
ad09769056df9d4cfb513ed065b02970d2d5130705463b787326a89b66373bdc

SHA512
280d8a458664473b2bfb6309d3ac2f160ace360267f794996b57cd865bc90ea9cafb58b3435016393991493533753d96764b185ca6c65c605cb0d346e2e7c1a5

Download Submit
C:\Windows\{A3CB91B3-62AA-4fc7-A278-86A3139043C8}.exe

Filesize
168KB

MD5
ecde47476e84b526b04f69115fc69223

SHA1
b5b8280d475c3e69ef35f860247acdbcee288ac1

SHA256
ad09769056df9d4cfb513ed065b02970d2d5130705463b787326a89b66373bdc

SHA512
280d8a458664473b2bfb6309d3ac2f160ace360267f794996b57cd865bc90ea9cafb58b3435016393991493533753d96764b185ca6c65c605cb0d346e2e7c1a5

Download Submit
C:\Windows\{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe

Filesize
168KB

MD5
d9909c7bd553e1c2a7dd72a7c444576d

SHA1
3521ba75542f3c71a7ee9818d2e585ec91c6eeda

SHA256
464da2060b989e72a436613e6cb345b08c458868f8c8e85447b480f44b28b172

SHA512
cbd3864542375246097f1347e5c9ffc80278eaaee7654190f13c6194912866d640edf1221b25aab732b6f26a09f17becfa0fe05c20c1e0af66ef05673edb8a31

Download Submit
C:\Windows\{B59F11C6-DC96-41b3-8142-00CB5246F77F}.exe

Filesize
168KB

MD5
d9909c7bd553e1c2a7dd72a7c444576d

SHA1
3521ba75542f3c71a7ee9818d2e585ec91c6eeda

SHA256
464da2060b989e72a436613e6cb345b08c458868f8c8e85447b480f44b28b172

SHA512
cbd3864542375246097f1347e5c9ffc80278eaaee7654190f13c6194912866d640edf1221b25aab732b6f26a09f17becfa0fe05c20c1e0af66ef05673edb8a31

Download Submit
C:\Windows\{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe

Filesize
168KB

MD5
3799322e402fd47604da8a0b271105a6

SHA1
dd4049ed8570f4d658f2a3ddd9837efd61de32f8

SHA256
574871d748d0900173b05ee49252ca83d73fabcbe68c0c34425087442d5d0445

SHA512
497855fceb19cccaf854d4b5cc4b83ea5d687841c913f2d8cbfcbf0ad436d5be41ffcde2b0aeb116a780cc26807b9739d59ec84ba6241c597895634c25dcbba2

Download Submit
C:\Windows\{C05CF13B-FAE9-419c-A768-0D65F5D9BFCD}.exe

Filesize
168KB

MD5
3799322e402fd47604da8a0b271105a6

SHA1
dd4049ed8570f4d658f2a3ddd9837efd61de32f8

SHA256
574871d748d0900173b05ee49252ca83d73fabcbe68c0c34425087442d5d0445

SHA512
497855fceb19cccaf854d4b5cc4b83ea5d687841c913f2d8cbfcbf0ad436d5be41ffcde2b0aeb116a780cc26807b9739d59ec84ba6241c597895634c25dcbba2

Download Submit
C:\Windows\{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe

Filesize
168KB

MD5
9cb856cc9f02878bbdc62cf78a4711dd

SHA1
eb154e8f6c39c0c712e1e3464fe350b278a525df

SHA256
9551fb6448005394978c5c62cd2b9b17f01068995498eea7f7a10f1590bed650

SHA512
f05bf297d7aecbf067208c690929022a31ae0fd6ffafd06f10ef3c0430e58586435d752a7812b3a276568b6ea71bc768b1e5d68320a36142f4b13b1288773d5c

Download Submit
C:\Windows\{D4A1D025-03BB-4bca-BDB3-139A927F2581}.exe

Filesize
168KB

MD5
9cb856cc9f02878bbdc62cf78a4711dd

SHA1
eb154e8f6c39c0c712e1e3464fe350b278a525df

SHA256
9551fb6448005394978c5c62cd2b9b17f01068995498eea7f7a10f1590bed650

SHA512
f05bf297d7aecbf067208c690929022a31ae0fd6ffafd06f10ef3c0430e58586435d752a7812b3a276568b6ea71bc768b1e5d68320a36142f4b13b1288773d5c

Download Submit
C:\Windows\{D4A5F61B-3DDF-4c73-800D-53416A6049AD}.exe

Filesize
168KB

MD5
7e77a2be0e8924e209cd8017d97c284d

SHA1
5f32f9d9450de8aa674c4942fb0e759c9b1d2c06

SHA256
cc7ebc25b34d0cc1b0e41fd0660313074cf95cc5e610289c2234a88335ac24a1

SHA512
240fc744df01e794775dfb2b101970cddd831e7cb19e402e96d54c5ced21cb85b0c15d34c1173ca1a0b197ec51cc2441358b9953901d3d53dde9e5acfd962ee7

Download Submit
C:\Windows\{DAAE5059-5F3A-431f-92E3-D388F942F506}.exe

Filesize
168KB

MD5
a7864a685d7dc45ba74eaf264e3ab35c

SHA1
59e87cbce4d85698027d04d865c3d00eef9e16c4

SHA256
7f9b9012ca93d50d9ae0c76113b0516da1f2319e211653a99fcf49f210c4946f

SHA512
38181d7e87467013763bfac043e3d0ff1218c1d9373965cb11453baabbc0ffe95a090eb3496ec3fa94e3f1040e7cb7a7010b897101db515975b9694a437ede20

Download Submit
C:\Windows\{DAAE5059-5F3A-431f-92E3-D388F942F506}.exe

Filesize
168KB

MD5
a7864a685d7dc45ba74eaf264e3ab35c

SHA1
59e87cbce4d85698027d04d865c3d00eef9e16c4

SHA256
7f9b9012ca93d50d9ae0c76113b0516da1f2319e211653a99fcf49f210c4946f

SHA512
38181d7e87467013763bfac043e3d0ff1218c1d9373965cb11453baabbc0ffe95a090eb3496ec3fa94e3f1040e7cb7a7010b897101db515975b9694a437ede20

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads