0e4f5f5267176f3bf1304fb6e61826191544f3be03f130e041143f1cc55d736a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2023, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe
Size

168KB
MD5

7d1abdf04fa94d5bdb72126e0d61b4d2
SHA1

506fffb5f13b91c5787db9e76d3995469ad63d2a
SHA256

0e4f5f5267176f3bf1304fb6e61826191544f3be03f130e041143f1cc55d736a
SHA512

a44d5431b35a44c398f074d1c6d47c1e27ee230b0cf1010a0a28a1ff5a3948b439256f1fb5cb538b1c984d613c58c86a32b5f4805b700d35dfc488f09707631f
SSDEEP

1536:1EGh0oylq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oylqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A479BA9-7D8A-47af-8FE8-499BFFE78899}	{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A479BA9-7D8A-47af-8FE8-499BFFE78899}\stubpath = "C:\\Windows\\{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe"	{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B56474CD-05D0-499d-99F1-65336FCBC390}\stubpath = "C:\\Windows\\{B56474CD-05D0-499d-99F1-65336FCBC390}.exe"	{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}\stubpath = "C:\\Windows\\{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe"	{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C3129FB-0D71-421c-9866-14378754BCFD}\stubpath = "C:\\Windows\\{2C3129FB-0D71-421c-9866-14378754BCFD}.exe"	{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EADB7DD-FBB7-435a-B590-28237D250EC3}\stubpath = "C:\\Windows\\{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe"	{2C3129FB-0D71-421c-9866-14378754BCFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24891AB9-AE6E-4448-8E9D-7AA031235273}	{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24891AB9-AE6E-4448-8E9D-7AA031235273}\stubpath = "C:\\Windows\\{24891AB9-AE6E-4448-8E9D-7AA031235273}.exe"	{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE76179B-6AFD-4770-8169-E0C0651AC42D}\stubpath = "C:\\Windows\\{EE76179B-6AFD-4770-8169-E0C0651AC42D}.exe"	{24891AB9-AE6E-4448-8E9D-7AA031235273}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{701D14E1-1B22-43cf-8FBD-CD43686A051B}\stubpath = "C:\\Windows\\{701D14E1-1B22-43cf-8FBD-CD43686A051B}.exe"	{EE76179B-6AFD-4770-8169-E0C0651AC42D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}	{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}\stubpath = "C:\\Windows\\{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe"	{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC62EEA4-F3EA-468c-AD2D-65805374BECE}	{B56474CD-05D0-499d-99F1-65336FCBC390}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC62EEA4-F3EA-468c-AD2D-65805374BECE}\stubpath = "C:\\Windows\\{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe"	{B56474CD-05D0-499d-99F1-65336FCBC390}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}	{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C3129FB-0D71-421c-9866-14378754BCFD}	{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}	{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE76179B-6AFD-4770-8169-E0C0651AC42D}	{24891AB9-AE6E-4448-8E9D-7AA031235273}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}\stubpath = "C:\\Windows\\{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe"	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B56474CD-05D0-499d-99F1-65336FCBC390}	{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}\stubpath = "C:\\Windows\\{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe"	{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EADB7DD-FBB7-435a-B590-28237D250EC3}	{2C3129FB-0D71-421c-9866-14378754BCFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{701D14E1-1B22-43cf-8FBD-CD43686A051B}	{EE76179B-6AFD-4770-8169-E0C0651AC42D}.exe

Executes dropped EXE 12 IoCs

pid	Process
1196	{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe
4344	{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe
232	{B56474CD-05D0-499d-99F1-65336FCBC390}.exe
1060	{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe
4972	{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe
4272	{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe
5012	{2C3129FB-0D71-421c-9866-14378754BCFD}.exe
692	{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe
4716	{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe
556	{24891AB9-AE6E-4448-8E9D-7AA031235273}.exe
3076	{EE76179B-6AFD-4770-8169-E0C0651AC42D}.exe
564	{701D14E1-1B22-43cf-8FBD-CD43686A051B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe
File created	C:\Windows\{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe	{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe
File created	C:\Windows\{B56474CD-05D0-499d-99F1-65336FCBC390}.exe	{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe
File created	C:\Windows\{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe	{B56474CD-05D0-499d-99F1-65336FCBC390}.exe
File created	C:\Windows\{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe	{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe
File created	C:\Windows\{EE76179B-6AFD-4770-8169-E0C0651AC42D}.exe	{24891AB9-AE6E-4448-8E9D-7AA031235273}.exe
File created	C:\Windows\{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe	{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe
File created	C:\Windows\{2C3129FB-0D71-421c-9866-14378754BCFD}.exe	{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe
File created	C:\Windows\{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe	{2C3129FB-0D71-421c-9866-14378754BCFD}.exe
File created	C:\Windows\{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe	{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe
File created	C:\Windows\{24891AB9-AE6E-4448-8E9D-7AA031235273}.exe	{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe
File created	C:\Windows\{701D14E1-1B22-43cf-8FBD-CD43686A051B}.exe	{EE76179B-6AFD-4770-8169-E0C0651AC42D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1372	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1196	{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe
Token: SeIncBasePriorityPrivilege	4344	{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe
Token: SeIncBasePriorityPrivilege	232	{B56474CD-05D0-499d-99F1-65336FCBC390}.exe
Token: SeIncBasePriorityPrivilege	1060	{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe
Token: SeIncBasePriorityPrivilege	4972	{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe
Token: SeIncBasePriorityPrivilege	4272	{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe
Token: SeIncBasePriorityPrivilege	5012	{2C3129FB-0D71-421c-9866-14378754BCFD}.exe
Token: SeIncBasePriorityPrivilege	692	{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe
Token: SeIncBasePriorityPrivilege	4716	{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe
Token: SeIncBasePriorityPrivilege	556	{24891AB9-AE6E-4448-8E9D-7AA031235273}.exe
Token: SeIncBasePriorityPrivilege	3076	{EE76179B-6AFD-4770-8169-E0C0651AC42D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1196	1372	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe	91
PID 1372 wrote to memory of 1196	1372	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe	91
PID 1372 wrote to memory of 1196	1372	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe	91
PID 1372 wrote to memory of 560	1372	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe	92
PID 1372 wrote to memory of 560	1372	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe	92
PID 1372 wrote to memory of 560	1372	NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe	92
PID 1196 wrote to memory of 4344	1196	{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe	100
PID 1196 wrote to memory of 4344	1196	{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe	100
PID 1196 wrote to memory of 4344	1196	{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe	100
PID 1196 wrote to memory of 2208	1196	{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe	101
PID 1196 wrote to memory of 2208	1196	{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe	101
PID 1196 wrote to memory of 2208	1196	{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe	101
PID 4344 wrote to memory of 232	4344	{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe	104
PID 4344 wrote to memory of 232	4344	{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe	104
PID 4344 wrote to memory of 232	4344	{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe	104
PID 4344 wrote to memory of 3508	4344	{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe	105
PID 4344 wrote to memory of 3508	4344	{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe	105
PID 4344 wrote to memory of 3508	4344	{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe	105
PID 232 wrote to memory of 1060	232	{B56474CD-05D0-499d-99F1-65336FCBC390}.exe	106
PID 232 wrote to memory of 1060	232	{B56474CD-05D0-499d-99F1-65336FCBC390}.exe	106
PID 232 wrote to memory of 1060	232	{B56474CD-05D0-499d-99F1-65336FCBC390}.exe	106
PID 232 wrote to memory of 2188	232	{B56474CD-05D0-499d-99F1-65336FCBC390}.exe	107
PID 232 wrote to memory of 2188	232	{B56474CD-05D0-499d-99F1-65336FCBC390}.exe	107
PID 232 wrote to memory of 2188	232	{B56474CD-05D0-499d-99F1-65336FCBC390}.exe	107
PID 1060 wrote to memory of 4972	1060	{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe	108
PID 1060 wrote to memory of 4972	1060	{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe	108
PID 1060 wrote to memory of 4972	1060	{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe	108
PID 1060 wrote to memory of 3708	1060	{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe	109
PID 1060 wrote to memory of 3708	1060	{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe	109
PID 1060 wrote to memory of 3708	1060	{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe	109
PID 4972 wrote to memory of 4272	4972	{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe	111
PID 4972 wrote to memory of 4272	4972	{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe	111
PID 4972 wrote to memory of 4272	4972	{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe	111
PID 4972 wrote to memory of 1504	4972	{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe	112
PID 4972 wrote to memory of 1504	4972	{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe	112
PID 4972 wrote to memory of 1504	4972	{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe	112
PID 4272 wrote to memory of 5012	4272	{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe	113
PID 4272 wrote to memory of 5012	4272	{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe	113
PID 4272 wrote to memory of 5012	4272	{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe	113
PID 4272 wrote to memory of 1880	4272	{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe	114
PID 4272 wrote to memory of 1880	4272	{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe	114
PID 4272 wrote to memory of 1880	4272	{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe	114
PID 5012 wrote to memory of 692	5012	{2C3129FB-0D71-421c-9866-14378754BCFD}.exe	116
PID 5012 wrote to memory of 692	5012	{2C3129FB-0D71-421c-9866-14378754BCFD}.exe	116
PID 5012 wrote to memory of 692	5012	{2C3129FB-0D71-421c-9866-14378754BCFD}.exe	116
PID 5012 wrote to memory of 5092	5012	{2C3129FB-0D71-421c-9866-14378754BCFD}.exe	115
PID 5012 wrote to memory of 5092	5012	{2C3129FB-0D71-421c-9866-14378754BCFD}.exe	115
PID 5012 wrote to memory of 5092	5012	{2C3129FB-0D71-421c-9866-14378754BCFD}.exe	115
PID 692 wrote to memory of 4716	692	{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe	125
PID 692 wrote to memory of 4716	692	{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe	125
PID 692 wrote to memory of 4716	692	{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe	125
PID 692 wrote to memory of 4204	692	{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe	126
PID 692 wrote to memory of 4204	692	{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe	126
PID 692 wrote to memory of 4204	692	{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe	126
PID 4716 wrote to memory of 556	4716	{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe	127
PID 4716 wrote to memory of 556	4716	{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe	127
PID 4716 wrote to memory of 556	4716	{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe	127
PID 4716 wrote to memory of 4424	4716	{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe	128
PID 4716 wrote to memory of 4424	4716	{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe	128
PID 4716 wrote to memory of 4424	4716	{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe	128
PID 556 wrote to memory of 3076	556	{24891AB9-AE6E-4448-8E9D-7AA031235273}.exe	129
PID 556 wrote to memory of 3076	556	{24891AB9-AE6E-4448-8E9D-7AA031235273}.exe	129
PID 556 wrote to memory of 3076	556	{24891AB9-AE6E-4448-8E9D-7AA031235273}.exe	129
PID 556 wrote to memory of 464	556	{24891AB9-AE6E-4448-8E9D-7AA031235273}.exe	130

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-29_7d1abdf04fa94d5bdb72126e0d61b4d2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe
  C:\Windows\{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe
    C:\Windows\{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\{B56474CD-05D0-499d-99F1-65336FCBC390}.exe
      C:\Windows\{B56474CD-05D0-499d-99F1-65336FCBC390}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:232
    - - C:\Windows\{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe
        
        C:\Windows\{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
      - C:\Windows\{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe
        
        C:\Windows\{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe
        
        C:\Windows\{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\{2C3129FB-0D71-421c-9866-14378754BCFD}.exe
        
        C:\Windows\{2C3129FB-0D71-421c-9866-14378754BCFD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C312~1.EXE > nul
        9⤵
        
        PID:5092
        
        C:\Windows\{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe
        
        C:\Windows\{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe
        
        C:\Windows\{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\{24891AB9-AE6E-4448-8E9D-7AA031235273}.exe
        
        C:\Windows\{24891AB9-AE6E-4448-8E9D-7AA031235273}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\{EE76179B-6AFD-4770-8169-E0C0651AC42D}.exe
        
        C:\Windows\{EE76179B-6AFD-4770-8169-E0C0651AC42D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3076
        
        C:\Windows\{701D14E1-1B22-43cf-8FBD-CD43686A051B}.exe
        
        C:\Windows\{701D14E1-1B22-43cf-8FBD-CD43686A051B}.exe
        13⤵
        Executes dropped EXE
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE761~1.EXE > nul
        13⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24891~1.EXE > nul
        12⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30B34~1.EXE > nul
        11⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EADB~1.EXE > nul
        10⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1F83~1.EXE > nul
        8⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F54A2~1.EXE > nul
        7⤵
        
        PID:1504
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC62E~1.EXE > nul
        6⤵
        
        PID:3708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5647~1.EXE > nul
        5⤵
        
        PID:2188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9A479~1.EXE > nul
      4⤵
      PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D94E4~1.EXE > nul
    3⤵
    PID:2208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\NEAS20~1.EXE > nul
  2⤵
  PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{24891AB9-AE6E-4448-8E9D-7AA031235273}.exe

Filesize
168KB

MD5
114fa6db38491f88bb3e8d0b80c14ac6

SHA1
46c6c4c6b730d9af5ef43628d1072a9e61a39860

SHA256
287fbc98628cb03ee047749df6d050bf7fa764c001ae360462ca8c56ca6e8261

SHA512
dc54e96e0785709677ba62e2c71d20140a44950da930d25226080288c635ecc46be9bbc5588ced0cfaa64c38a53a25f385353568912f4574696b439116ed7c60

Download Submit
C:\Windows\{24891AB9-AE6E-4448-8E9D-7AA031235273}.exe

Filesize
168KB

MD5
114fa6db38491f88bb3e8d0b80c14ac6

SHA1
46c6c4c6b730d9af5ef43628d1072a9e61a39860

SHA256
287fbc98628cb03ee047749df6d050bf7fa764c001ae360462ca8c56ca6e8261

SHA512
dc54e96e0785709677ba62e2c71d20140a44950da930d25226080288c635ecc46be9bbc5588ced0cfaa64c38a53a25f385353568912f4574696b439116ed7c60

Download Submit
C:\Windows\{2C3129FB-0D71-421c-9866-14378754BCFD}.exe

Filesize
168KB

MD5
fc7c0c41428cdce56878a75f31848b63

SHA1
b00d54ff251d170cf53c8e724f06a82d17dfd889

SHA256
2f479fe7ced30014ddc9b652d2ae343d0338fc61e0b8511f898c7291b9d3aa17

SHA512
97a781e94942ea026f827a5d5f10dc18d8b82912b2e21063016104eb6d492e71189aa2de9990cf401f4e0c1f4fe5b5ec34e09ebeec7d0d683050cd9c944b9d2f

Download Submit
C:\Windows\{2C3129FB-0D71-421c-9866-14378754BCFD}.exe

Filesize
168KB

MD5
fc7c0c41428cdce56878a75f31848b63

SHA1
b00d54ff251d170cf53c8e724f06a82d17dfd889

SHA256
2f479fe7ced30014ddc9b652d2ae343d0338fc61e0b8511f898c7291b9d3aa17

SHA512
97a781e94942ea026f827a5d5f10dc18d8b82912b2e21063016104eb6d492e71189aa2de9990cf401f4e0c1f4fe5b5ec34e09ebeec7d0d683050cd9c944b9d2f

Download Submit
C:\Windows\{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe

Filesize
168KB

MD5
771588bcec368276d736ae018a121249

SHA1
ed5044127f5ca04d745a281164797355d8f9db99

SHA256
eba69f78142fd32af1d4cff13c09be4cf03ecfa185e055b6ed4c49ee192c4612

SHA512
06d83761da1e56be9e50af6d20869be7c10993d94f2b7d5eca5c99a9ba447cf17bbe8aefd9670e4de58a963ae4d0339e1a2366c8e1c95fd0ba4d5112f24622f2

Download Submit
C:\Windows\{30B34CE3-DD16-4ff8-B7A9-C55DE9E81BE8}.exe

Filesize
168KB

MD5
771588bcec368276d736ae018a121249

SHA1
ed5044127f5ca04d745a281164797355d8f9db99

SHA256
eba69f78142fd32af1d4cff13c09be4cf03ecfa185e055b6ed4c49ee192c4612

SHA512
06d83761da1e56be9e50af6d20869be7c10993d94f2b7d5eca5c99a9ba447cf17bbe8aefd9670e4de58a963ae4d0339e1a2366c8e1c95fd0ba4d5112f24622f2

Download Submit
C:\Windows\{701D14E1-1B22-43cf-8FBD-CD43686A051B}.exe

Filesize
168KB

MD5
b033fdd563a41aa366152946a139503f

SHA1
463d2d145d7b411ed4176b9f109b802de93d5b01

SHA256
a18dc52e2b463aad20e98ea13d389d74b86c84688449d37619b3524a4b023f25

SHA512
43871881935979d6cd7e4b14ad49803e491052572d65ffb06b28fb4ca1004652a236ed8aa37fb319a5c0ada96d8737c226f9b87de81f258ef13c7bf4c5317a5b

Download Submit
C:\Windows\{701D14E1-1B22-43cf-8FBD-CD43686A051B}.exe

Filesize
168KB

MD5
b033fdd563a41aa366152946a139503f

SHA1
463d2d145d7b411ed4176b9f109b802de93d5b01

SHA256
a18dc52e2b463aad20e98ea13d389d74b86c84688449d37619b3524a4b023f25

SHA512
43871881935979d6cd7e4b14ad49803e491052572d65ffb06b28fb4ca1004652a236ed8aa37fb319a5c0ada96d8737c226f9b87de81f258ef13c7bf4c5317a5b

Download Submit
C:\Windows\{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe

Filesize
168KB

MD5
ec2f34e69691be59b39f20aae91b330a

SHA1
04b47f2d0ae680364c4f4b85ae9c2f2dbb1af5d4

SHA256
a9a7a75588ff554ba724b2fc4920462b7c9a030f45b1fd5dae6963033b3aa612

SHA512
5fa904202079125e418e3c9fddbc6f5c96dcf4673018ab0ca48e196657429b3987e4601e361ae508efbe523d0350f8e3626f274ef47dd1e85abb32357b6f8637

Download Submit
C:\Windows\{9A479BA9-7D8A-47af-8FE8-499BFFE78899}.exe

Filesize
168KB

MD5
ec2f34e69691be59b39f20aae91b330a

SHA1
04b47f2d0ae680364c4f4b85ae9c2f2dbb1af5d4

SHA256
a9a7a75588ff554ba724b2fc4920462b7c9a030f45b1fd5dae6963033b3aa612

SHA512
5fa904202079125e418e3c9fddbc6f5c96dcf4673018ab0ca48e196657429b3987e4601e361ae508efbe523d0350f8e3626f274ef47dd1e85abb32357b6f8637

Download Submit
C:\Windows\{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe

Filesize
168KB

MD5
e349e63fbf360e16cfc7e5e8f76cc2d5

SHA1
759f8be7e8155d7e4756532490be3a27b192a5c9

SHA256
b6285e92693e6b0c34771982c4d188d1730252179fd3884065fe18f0efbb55bb

SHA512
494511ac64a07903c301e27bed17084111570074806e707de465a7ffa8b3b17dc7ea5f23aaf24bf2c3a6d4302b57bfb994730621fb704956283ff6f451c3991b

Download Submit
C:\Windows\{9EADB7DD-FBB7-435a-B590-28237D250EC3}.exe

Filesize
168KB

MD5
e349e63fbf360e16cfc7e5e8f76cc2d5

SHA1
759f8be7e8155d7e4756532490be3a27b192a5c9

SHA256
b6285e92693e6b0c34771982c4d188d1730252179fd3884065fe18f0efbb55bb

SHA512
494511ac64a07903c301e27bed17084111570074806e707de465a7ffa8b3b17dc7ea5f23aaf24bf2c3a6d4302b57bfb994730621fb704956283ff6f451c3991b

Download Submit
C:\Windows\{B56474CD-05D0-499d-99F1-65336FCBC390}.exe

Filesize
168KB

MD5
517f3505fc4465b9e1eea7db12f3a514

SHA1
75477bc7a750f18a744f55b5b905e442fdacb5be

SHA256
b2ac5c16bc1be08540045986f9f1a496aa7fecce09360301f70962e8a0751209

SHA512
6d7286b3b0a57a37a753fa835c03dcb2321c8d45437672291319f93899f86bdc6019a2de9a082198603e98b3cf745309fb07db955ad34c7d3dd19d31fa090419

Download Submit
C:\Windows\{B56474CD-05D0-499d-99F1-65336FCBC390}.exe

Filesize
168KB

MD5
517f3505fc4465b9e1eea7db12f3a514

SHA1
75477bc7a750f18a744f55b5b905e442fdacb5be

SHA256
b2ac5c16bc1be08540045986f9f1a496aa7fecce09360301f70962e8a0751209

SHA512
6d7286b3b0a57a37a753fa835c03dcb2321c8d45437672291319f93899f86bdc6019a2de9a082198603e98b3cf745309fb07db955ad34c7d3dd19d31fa090419

Download Submit
C:\Windows\{B56474CD-05D0-499d-99F1-65336FCBC390}.exe

Filesize
168KB

MD5
517f3505fc4465b9e1eea7db12f3a514

SHA1
75477bc7a750f18a744f55b5b905e442fdacb5be

SHA256
b2ac5c16bc1be08540045986f9f1a496aa7fecce09360301f70962e8a0751209

SHA512
6d7286b3b0a57a37a753fa835c03dcb2321c8d45437672291319f93899f86bdc6019a2de9a082198603e98b3cf745309fb07db955ad34c7d3dd19d31fa090419

Download Submit
C:\Windows\{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe

Filesize
168KB

MD5
62297f93cbb188a55b45a07c5c965e27

SHA1
eb845d5de6710aabdc5bf1fc444913cfe93d5cd4

SHA256
ef6b47db9a5196cd4b1567823115b26f7c1bba49fd7dea8c88cd6848c7bb4d38

SHA512
437e4afbd6162fe74421d3eb5f942e10ad6a37bf95f4b4c71af688a9808f1ad40cf784d7df0a40bc5f0bf76cb13a79663cba353f46f42f86d1c52d2081f1ab8c

Download Submit
C:\Windows\{C1F8349E-BF8A-43cd-8C03-09F8EA8FABCB}.exe

Filesize
168KB

MD5
62297f93cbb188a55b45a07c5c965e27

SHA1
eb845d5de6710aabdc5bf1fc444913cfe93d5cd4

SHA256
ef6b47db9a5196cd4b1567823115b26f7c1bba49fd7dea8c88cd6848c7bb4d38

SHA512
437e4afbd6162fe74421d3eb5f942e10ad6a37bf95f4b4c71af688a9808f1ad40cf784d7df0a40bc5f0bf76cb13a79663cba353f46f42f86d1c52d2081f1ab8c

Download Submit
C:\Windows\{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe

Filesize
168KB

MD5
d6918cea4b1fd2f457f3edf5a8b84e61

SHA1
5c4f982573ff50adc55888d86ac20f0f5b0f318e

SHA256
0c001bed54ff46a00593b0b18697d0ae30dbd2f11928a65373d34dd75f1930a9

SHA512
00788362731c9d4daebe145eabdce3e43bfcf090b1939e34c5165e0c6a1a67a68dffb6d89b27acb36ee460e20993d33d5d01e02b75e6a52d2906718dd714f0eb

Download Submit
C:\Windows\{CC62EEA4-F3EA-468c-AD2D-65805374BECE}.exe

Filesize
168KB

MD5
d6918cea4b1fd2f457f3edf5a8b84e61

SHA1
5c4f982573ff50adc55888d86ac20f0f5b0f318e

SHA256
0c001bed54ff46a00593b0b18697d0ae30dbd2f11928a65373d34dd75f1930a9

SHA512
00788362731c9d4daebe145eabdce3e43bfcf090b1939e34c5165e0c6a1a67a68dffb6d89b27acb36ee460e20993d33d5d01e02b75e6a52d2906718dd714f0eb

Download Submit
C:\Windows\{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe

Filesize
168KB

MD5
6f8f5170cf9f87028fa9a4d3213146be

SHA1
f0eeddf7e62f1b5de5d08f98cf13d150a7d37be4

SHA256
8f34dcb647004f24ee1d6e2af78e1b64352e6c65facd0e773380826cb3be34e7

SHA512
4ce236025b471da021386aaead9a39913e9f3660ce130d93e149380a86e583142975847bc5532f6fe76bf242e291c6c95ca0b62edaab3cc1780ced8b6f1dc342

Download Submit
C:\Windows\{D94E4C81-D2CB-4181-BD19-D969EAAE7E70}.exe

Filesize
168KB

MD5
6f8f5170cf9f87028fa9a4d3213146be

SHA1
f0eeddf7e62f1b5de5d08f98cf13d150a7d37be4

SHA256
8f34dcb647004f24ee1d6e2af78e1b64352e6c65facd0e773380826cb3be34e7

SHA512
4ce236025b471da021386aaead9a39913e9f3660ce130d93e149380a86e583142975847bc5532f6fe76bf242e291c6c95ca0b62edaab3cc1780ced8b6f1dc342

Download Submit
C:\Windows\{EE76179B-6AFD-4770-8169-E0C0651AC42D}.exe

Filesize
168KB

MD5
88f44b31f6950e09254e846d90df4d41

SHA1
bb2e062b4ab7fd1864ecb280e0edd89c66c3f6fc

SHA256
ebea51004a0d231d5455aec660b1be2b1a7619adfbf536bab12806183747398e

SHA512
df989142298cf4ad781d2aab5399fbc95aa55593e741c5b57c8ee4af8707570890afa6cee84a936da60778d7312ce89de06ed17090aee7eb57728ca36a76d69a

Download Submit
C:\Windows\{EE76179B-6AFD-4770-8169-E0C0651AC42D}.exe

Filesize
168KB

MD5
88f44b31f6950e09254e846d90df4d41

SHA1
bb2e062b4ab7fd1864ecb280e0edd89c66c3f6fc

SHA256
ebea51004a0d231d5455aec660b1be2b1a7619adfbf536bab12806183747398e

SHA512
df989142298cf4ad781d2aab5399fbc95aa55593e741c5b57c8ee4af8707570890afa6cee84a936da60778d7312ce89de06ed17090aee7eb57728ca36a76d69a

Download Submit
C:\Windows\{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe

Filesize
168KB

MD5
64affba15cbd18d7a85416cdd186bda9

SHA1
4c62799c2d1650473ea507d1d64aa8cb6286401f

SHA256
affbdb63d3f0e929e0c94ef5c37dfac81bd36370f146876865d7afcfea8e5f2a

SHA512
e88c433b07ecb05a5074e34bf795b3262de05339606dff952f5a7e372d39c9025e358c17ce9cc849fce9ef2b7d30ac8b7b4b07ec2b060c4c9fd37811b8dfb385

Download Submit
C:\Windows\{F54A2AF4-FEAC-4d7d-91ED-7C6EB6593464}.exe

Filesize
168KB

MD5
64affba15cbd18d7a85416cdd186bda9

SHA1
4c62799c2d1650473ea507d1d64aa8cb6286401f

SHA256
affbdb63d3f0e929e0c94ef5c37dfac81bd36370f146876865d7afcfea8e5f2a

SHA512
e88c433b07ecb05a5074e34bf795b3262de05339606dff952f5a7e372d39c9025e358c17ce9cc849fce9ef2b7d30ac8b7b4b07ec2b060c4c9fd37811b8dfb385

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads