68df4e960d069175b6d658da810bc3363d35423f07322039782f15203dd8fa57

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe
Size

380KB
MD5

b67c2368c4ac0ad5f2c198aa01350a52
SHA1

2abf1dd1360ce8429fc419d3b3939ebed549d9d6
SHA256

68df4e960d069175b6d658da810bc3363d35423f07322039782f15203dd8fa57
SHA512

1da0db321a7c3ea5ab350aadcccffbaf0a18eac933063b5aa13265837365014388af6a09b02a6c4ce82b5331716b1e61bb4077c1be92d349d9e5e13c8b7bf21a
SSDEEP

3072:mEGh0oIlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG2l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{405B0A81-3018-47a1-BF21-0F35330593B6}	{5F7CA063-27AB-4696-BB6D-524B6AB8558C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{405B0A81-3018-47a1-BF21-0F35330593B6}\stubpath = "C:\\Windows\\{405B0A81-3018-47a1-BF21-0F35330593B6}.exe"	{5F7CA063-27AB-4696-BB6D-524B6AB8558C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEBA3318-0892-42aa-A405-FF7252155179}\stubpath = "C:\\Windows\\{FEBA3318-0892-42aa-A405-FF7252155179}.exe"	{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76687C20-2AA2-40b0-B33A-A891A11F8CFA}\stubpath = "C:\\Windows\\{76687C20-2AA2-40b0-B33A-A891A11F8CFA}.exe"	{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A717AEC-CBFD-4c26-8F5A-B2D131047305}	{FEBA3318-0892-42aa-A405-FF7252155179}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C05636A-1305-4263-84FF-0D0302C60E4E}\stubpath = "C:\\Windows\\{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe"	{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A91D4FBF-9ECE-4693-BAE3-54A993AEEA28}\stubpath = "C:\\Windows\\{A91D4FBF-9ECE-4693-BAE3-54A993AEEA28}.exe"	{76687C20-2AA2-40b0-B33A-A891A11F8CFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}\stubpath = "C:\\Windows\\{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe"	{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}\stubpath = "C:\\Windows\\{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe"	{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A91D4FBF-9ECE-4693-BAE3-54A993AEEA28}	{76687C20-2AA2-40b0-B33A-A891A11F8CFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}	{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}\stubpath = "C:\\Windows\\{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe"	{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}	{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}	{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C05636A-1305-4263-84FF-0D0302C60E4E}	{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76687C20-2AA2-40b0-B33A-A891A11F8CFA}	{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F7CA063-27AB-4696-BB6D-524B6AB8558C}	{A91D4FBF-9ECE-4693-BAE3-54A993AEEA28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F7CA063-27AB-4696-BB6D-524B6AB8558C}\stubpath = "C:\\Windows\\{5F7CA063-27AB-4696-BB6D-524B6AB8558C}.exe"	{A91D4FBF-9ECE-4693-BAE3-54A993AEEA28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}\stubpath = "C:\\Windows\\{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe"	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEBA3318-0892-42aa-A405-FF7252155179}	{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A717AEC-CBFD-4c26-8F5A-B2D131047305}\stubpath = "C:\\Windows\\{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe"	{FEBA3318-0892-42aa-A405-FF7252155179}.exe

Deletes itself 1 IoCs

pid	Process
2604	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3052	{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe
2588	{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe
2624	{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe
1568	{FEBA3318-0892-42aa-A405-FF7252155179}.exe
2556	{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe
1560	{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe
1564	{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe
1168	{76687C20-2AA2-40b0-B33A-A891A11F8CFA}.exe
2240	{A91D4FBF-9ECE-4693-BAE3-54A993AEEA28}.exe
536	{5F7CA063-27AB-4696-BB6D-524B6AB8558C}.exe
1780	{405B0A81-3018-47a1-BF21-0F35330593B6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{405B0A81-3018-47a1-BF21-0F35330593B6}.exe	{5F7CA063-27AB-4696-BB6D-524B6AB8558C}.exe
File created	C:\Windows\{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe
File created	C:\Windows\{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe	{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe
File created	C:\Windows\{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe	{FEBA3318-0892-42aa-A405-FF7252155179}.exe
File created	C:\Windows\{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe	{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe
File created	C:\Windows\{76687C20-2AA2-40b0-B33A-A891A11F8CFA}.exe	{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe
File created	C:\Windows\{5F7CA063-27AB-4696-BB6D-524B6AB8558C}.exe	{A91D4FBF-9ECE-4693-BAE3-54A993AEEA28}.exe
File created	C:\Windows\{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe	{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe
File created	C:\Windows\{FEBA3318-0892-42aa-A405-FF7252155179}.exe	{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe
File created	C:\Windows\{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe	{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe
File created	C:\Windows\{A91D4FBF-9ECE-4693-BAE3-54A993AEEA28}.exe	{76687C20-2AA2-40b0-B33A-A891A11F8CFA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1976	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3052	{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe
Token: SeIncBasePriorityPrivilege	2588	{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe
Token: SeIncBasePriorityPrivilege	2624	{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe
Token: SeIncBasePriorityPrivilege	1568	{FEBA3318-0892-42aa-A405-FF7252155179}.exe
Token: SeIncBasePriorityPrivilege	2556	{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe
Token: SeIncBasePriorityPrivilege	1560	{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe
Token: SeIncBasePriorityPrivilege	1564	{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe
Token: SeIncBasePriorityPrivilege	1168	{76687C20-2AA2-40b0-B33A-A891A11F8CFA}.exe
Token: SeIncBasePriorityPrivilege	2240	{A91D4FBF-9ECE-4693-BAE3-54A993AEEA28}.exe
Token: SeIncBasePriorityPrivilege	536	{5F7CA063-27AB-4696-BB6D-524B6AB8558C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 3052	1976	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe	28
PID 1976 wrote to memory of 3052	1976	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe	28
PID 1976 wrote to memory of 3052	1976	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe	28
PID 1976 wrote to memory of 3052	1976	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe	28
PID 1976 wrote to memory of 2604	1976	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe	29
PID 1976 wrote to memory of 2604	1976	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe	29
PID 1976 wrote to memory of 2604	1976	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe	29
PID 1976 wrote to memory of 2604	1976	20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe	29
PID 3052 wrote to memory of 2588	3052	{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe	30
PID 3052 wrote to memory of 2588	3052	{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe	30
PID 3052 wrote to memory of 2588	3052	{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe	30
PID 3052 wrote to memory of 2588	3052	{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe	30
PID 3052 wrote to memory of 2840	3052	{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe	31
PID 3052 wrote to memory of 2840	3052	{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe	31
PID 3052 wrote to memory of 2840	3052	{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe	31
PID 3052 wrote to memory of 2840	3052	{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe	31
PID 2588 wrote to memory of 2624	2588	{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe	32
PID 2588 wrote to memory of 2624	2588	{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe	32
PID 2588 wrote to memory of 2624	2588	{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe	32
PID 2588 wrote to memory of 2624	2588	{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe	32
PID 2588 wrote to memory of 2568	2588	{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe	33
PID 2588 wrote to memory of 2568	2588	{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe	33
PID 2588 wrote to memory of 2568	2588	{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe	33
PID 2588 wrote to memory of 2568	2588	{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe	33
PID 2624 wrote to memory of 1568	2624	{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe	36
PID 2624 wrote to memory of 1568	2624	{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe	36
PID 2624 wrote to memory of 1568	2624	{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe	36
PID 2624 wrote to memory of 1568	2624	{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe	36
PID 2624 wrote to memory of 2120	2624	{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe	37
PID 2624 wrote to memory of 2120	2624	{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe	37
PID 2624 wrote to memory of 2120	2624	{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe	37
PID 2624 wrote to memory of 2120	2624	{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe	37
PID 1568 wrote to memory of 2556	1568	{FEBA3318-0892-42aa-A405-FF7252155179}.exe	38
PID 1568 wrote to memory of 2556	1568	{FEBA3318-0892-42aa-A405-FF7252155179}.exe	38
PID 1568 wrote to memory of 2556	1568	{FEBA3318-0892-42aa-A405-FF7252155179}.exe	38
PID 1568 wrote to memory of 2556	1568	{FEBA3318-0892-42aa-A405-FF7252155179}.exe	38
PID 1568 wrote to memory of 2760	1568	{FEBA3318-0892-42aa-A405-FF7252155179}.exe	39
PID 1568 wrote to memory of 2760	1568	{FEBA3318-0892-42aa-A405-FF7252155179}.exe	39
PID 1568 wrote to memory of 2760	1568	{FEBA3318-0892-42aa-A405-FF7252155179}.exe	39
PID 1568 wrote to memory of 2760	1568	{FEBA3318-0892-42aa-A405-FF7252155179}.exe	39
PID 2556 wrote to memory of 1560	2556	{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe	40
PID 2556 wrote to memory of 1560	2556	{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe	40
PID 2556 wrote to memory of 1560	2556	{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe	40
PID 2556 wrote to memory of 1560	2556	{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe	40
PID 2556 wrote to memory of 1616	2556	{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe	41
PID 2556 wrote to memory of 1616	2556	{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe	41
PID 2556 wrote to memory of 1616	2556	{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe	41
PID 2556 wrote to memory of 1616	2556	{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe	41
PID 1560 wrote to memory of 1564	1560	{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe	42
PID 1560 wrote to memory of 1564	1560	{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe	42
PID 1560 wrote to memory of 1564	1560	{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe	42
PID 1560 wrote to memory of 1564	1560	{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe	42
PID 1560 wrote to memory of 1664	1560	{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe	43
PID 1560 wrote to memory of 1664	1560	{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe	43
PID 1560 wrote to memory of 1664	1560	{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe	43
PID 1560 wrote to memory of 1664	1560	{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe	43
PID 1564 wrote to memory of 1168	1564	{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe	44
PID 1564 wrote to memory of 1168	1564	{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe	44
PID 1564 wrote to memory of 1168	1564	{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe	44
PID 1564 wrote to memory of 1168	1564	{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe	44
PID 1564 wrote to memory of 2024	1564	{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe	45
PID 1564 wrote to memory of 2024	1564	{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe	45
PID 1564 wrote to memory of 2024	1564	{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe	45
PID 1564 wrote to memory of 2024	1564	{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe	45

C:\Users\Admin\AppData\Local\Temp\20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\20240520b67c2368c4ac0ad5f2c198aa01350a52goldeneye_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe
  C:\Windows\{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe
    C:\Windows\{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe
      C:\Windows\{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\{FEBA3318-0892-42aa-A405-FF7252155179}.exe
        
        C:\Windows\{FEBA3318-0892-42aa-A405-FF7252155179}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
      - C:\Windows\{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe
        
        C:\Windows\{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe
        
        C:\Windows\{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe
        
        C:\Windows\{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\{76687C20-2AA2-40b0-B33A-A891A11F8CFA}.exe
        
        C:\Windows\{76687C20-2AA2-40b0-B33A-A891A11F8CFA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\{A91D4FBF-9ECE-4693-BAE3-54A993AEEA28}.exe
        
        C:\Windows\{A91D4FBF-9ECE-4693-BAE3-54A993AEEA28}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\{5F7CA063-27AB-4696-BB6D-524B6AB8558C}.exe
        
        C:\Windows\{5F7CA063-27AB-4696-BB6D-524B6AB8558C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\{405B0A81-3018-47a1-BF21-0F35330593B6}.exe
        
        C:\Windows\{405B0A81-3018-47a1-BF21-0F35330593B6}.exe
        12⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F7CA~1.EXE > nul
        12⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A91D4~1.EXE > nul
        11⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76687~1.EXE > nul
        10⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C056~1.EXE > nul
        9⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF0E3~1.EXE > nul
        8⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A717~1.EXE > nul
        7⤵
        
        PID:1616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEBA3~1.EXE > nul
        6⤵
        
        PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2525B~1.EXE > nul
        5⤵
        
        PID:2120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{783D8~1.EXE > nul
      4⤵
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E8314~1.EXE > nul
    3⤵
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202405~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2525BBDB-3532-41bb-BD03-D1B5EA795FCE}.exe

Filesize
380KB

MD5
fc1cffbb1aa69d994c368d401ce21ae1

SHA1
d85d563abc6eb9062c15715852cc91b8885958de

SHA256
349f1eac4e18b74d6f91b41d5834da43f9a810858d7e5a55a761aef9f41e6634

SHA512
029972d8c4ef6d062cfafc260f6c1d79d913115ec36cf7fbf58c0e6210237bcad14e5afe1a7deeacda67555f75c48b914bdb7ee4061b3a5d127a637079f9894f

Download Submit
C:\Windows\{2C05636A-1305-4263-84FF-0D0302C60E4E}.exe

Filesize
380KB

MD5
12c94e9500a818400b94b97760564dbf

SHA1
435034d8325c4ae73696877cfd0fbfb6f52bf0e2

SHA256
cad7abee0ac2ad31a83fbe4ac0df15b7b74a3720faf2a453b8f1c5013ae1a494

SHA512
2d1a75d7114ab4b64a5cc886eef18bb8b4a41970977131a2e95519f2f1b65b1d7b6df77206241225f408393d7a8db14336b27bb269ad3469de9542e5c49c2b7c

Download Submit
C:\Windows\{405B0A81-3018-47a1-BF21-0F35330593B6}.exe

Filesize
380KB

MD5
7549b153ea97b268a4c34de81e4aee8c

SHA1
bbaa2e6ed120e0b69cbbd6e6f25242c3b643d0ec

SHA256
620bcb4d1b6131127e71abd66dd2b95789affb0172551ff49bffc47cb3545f64

SHA512
b70d737c5bf5af41437e06edf3df26cd3c834db618f910ec9545da7cf2d388b8c69ef6a64500bb778c54b0012ee973f713342e918a90ef63db577ec78d543c8e

Download Submit
C:\Windows\{5F7CA063-27AB-4696-BB6D-524B6AB8558C}.exe

Filesize
380KB

MD5
6f5845da81b1040f73ced49ab63b344c

SHA1
d92c402f05180bce4a847ca12fca0216eb073deb

SHA256
022ccb3e3b7c4c9fe3d010e25f945de506f67b03675439450aee5934812ac6a6

SHA512
fc50636c39446775c1aff6301fa27310cea10404b8219308e0168e61aee7e2c6cc1b0d7fc30145effb0fbacce5fc61f4b11bf272d19e017d580ac5d39b6270c0

Download Submit
C:\Windows\{6A717AEC-CBFD-4c26-8F5A-B2D131047305}.exe

Filesize
380KB

MD5
d701a280f53837bc4fc0e14d7323c89e

SHA1
22459676cbfcec167c679b5a4e3bcf9c7fb323f4

SHA256
cc3998750920e5de96eec8b37998d9c40ecc598708f24adc71371a20a74ea58d

SHA512
ed8767e32c57f5ff7022020bd01072d6e007effc21e16583f028aa4264e67b97dba1546085c46ae0fdcf55a491ac520e871889cecb1c55a46fe5703a8e1b652c

Download Submit
C:\Windows\{76687C20-2AA2-40b0-B33A-A891A11F8CFA}.exe

Filesize
380KB

MD5
f9d29041e33ef3a0f8d64ba5a45f95ee

SHA1
fba3a3666513c9712504dc8da0246aff27f39b18

SHA256
090adeccd679e8f695987410daea53a3764dcd5d196804374c3725742b8e332d

SHA512
77861ee51fa221d0fc280f93755c668830965b68a2ff0bd42c9c364e8405559b85adfa11d879703712c8e5d5b0aaf76b447496cd951886af5b81f06022ed1337

Download Submit
C:\Windows\{783D84D2-1160-4d70-BF9A-CAE483ACDAB7}.exe

Filesize
380KB

MD5
e7fd9c6f4e02118a4e5ca0bf7e55652c

SHA1
072dd16fe024c989399443c774dc76790e7860f2

SHA256
90b2c360d050a9f6d8d780c0e51e5e37d73b972a240fc61f73f672784fafdd83

SHA512
e14c122afecfe4efea7d366a4710b5545869f3ea362213da10bfe233aa25d9207372f8937a0410a2423a653498e5b9754c9b43377706ad7381c740427cc24ead

Download Submit
C:\Windows\{A91D4FBF-9ECE-4693-BAE3-54A993AEEA28}.exe

Filesize
380KB

MD5
c637fada1a4c4b82d1a7e2aeed828517

SHA1
7eca573ad2814f3c5ac2b5e605fa06924bcddbd9

SHA256
1d42a640659b14ba94c6f18348198f2d35fff7867dfd043cd03b7032f367c09c

SHA512
c617e9ef3000e9e016c62fbc4b77fd3e9832e1276c7ad838cfe6f55ed4692e2f65734fd882956321a154a34abf6c7f33e565e3d518ef0ade0f3e05f538bed23d

Download Submit
C:\Windows\{BF0E3C8A-06AE-497e-A49C-BB8E3A8CC6AE}.exe

Filesize
380KB

MD5
9575a655ac845db8d50f838ae7718be2

SHA1
cd8a30b803d7f2ae42aa412d58b22c49cd1fc5f8

SHA256
868ec2038945499ac7d3d05e8e90433e05550a6d5eec9320e7bd37e1c11abb30

SHA512
b7a7ed9f028c739eb7b3178897949cfe5dc7c9760011b28ab0f887c17621ed79cee9e0f68a984d0b5f28d8fb0dc342f8b7f1f8020859e8b9278f894a70069e20

Download Submit
C:\Windows\{E831434D-AA1B-4965-9A3E-A3B8D69B3ACD}.exe

Filesize
380KB

MD5
5f01ba4e27728c3a3e16766d9f21a1fc

SHA1
4ad45b11cf40f4d50795c23ce74067a28b394a42

SHA256
5ec9920d8677b03140bb1226da0fe68b76cb02cb4436a091460b989d983862b6

SHA512
d1faa5a82a6e33b44794fcb896cf4bc6f0bf882ec3a32c05aa9a1c495891af4bb86519f95bf2efacefbad8160be94a2e4fb213ec41fc25a2f8aaddc5ec544b29

Download Submit
C:\Windows\{FEBA3318-0892-42aa-A405-FF7252155179}.exe

Filesize
380KB

MD5
92e731f5184cc3cac5e86a81a6a1e810

SHA1
116f921672bfa3683f957f616f521b91ceca9c43

SHA256
0c43a74249966afe0133388f102d7bbe9dfcf505defda75768df66fca11de598

SHA512
66901d5fcfb3351ad4b96ae2c41eeb53679dfd7c47dd1d0da1413102d00dece84cb204f42ac70065698f43867db09a491d61162fa0ba561b6948c136f5cffb31

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads