598e06417db3ddf61f1046dd109ba618f67e9af2b89005147ca074ab1dd8a551

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240520236bbd686a95a43c1121d7a749b4cdccgoldeneye_NeikiAnalytics.exe
Size

380KB
MD5

236bbd686a95a43c1121d7a749b4cdcc
SHA1

8c518773cfd4d14c88533b14f0257782b1f8bcc1
SHA256

598e06417db3ddf61f1046dd109ba618f67e9af2b89005147ca074ab1dd8a551
SHA512

32c91e65d95cf9ac9c04a54c6cc2a135b473481e99859cdd33b9b8d442bd469628e6b86b25e2ecdef983779ebbb428e94fa2c8c86dc0d51770ae8a998980b8e0
SSDEEP

3072:mEGh0oklPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGGl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7264E848-C96F-4d72-9EB9-AC809DC751E6}\stubpath = "C:\\Windows\\{7264E848-C96F-4d72-9EB9-AC809DC751E6}.exe"	{9E906A20-99DD-479a-B681-53E0F02DFD4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}\stubpath = "C:\\Windows\\{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}.exe"	{7264E848-C96F-4d72-9EB9-AC809DC751E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{975A69D2-809F-47e0-BC4D-C59748B400E5}\stubpath = "C:\\Windows\\{975A69D2-809F-47e0-BC4D-C59748B400E5}.exe"	{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F4080C8-E866-4e49-A4A0-9A6BE407A645}\stubpath = "C:\\Windows\\{1F4080C8-E866-4e49-A4A0-9A6BE407A645}.exe"	{EEA73F36-AD6B-446d-9518-8D8600C5578C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E906A20-99DD-479a-B681-53E0F02DFD4A}\stubpath = "C:\\Windows\\{9E906A20-99DD-479a-B681-53E0F02DFD4A}.exe"	{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}	{9B029B9F-814E-4b1e-95E7-A624DCCBF297}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}\stubpath = "C:\\Windows\\{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}.exe"	{9B029B9F-814E-4b1e-95E7-A624DCCBF297}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEA73F36-AD6B-446d-9518-8D8600C5578C}\stubpath = "C:\\Windows\\{EEA73F36-AD6B-446d-9518-8D8600C5578C}.exe"	{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}	{1F4080C8-E866-4e49-A4A0-9A6BE407A645}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7264E848-C96F-4d72-9EB9-AC809DC751E6}	{9E906A20-99DD-479a-B681-53E0F02DFD4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}\stubpath = "C:\\Windows\\{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}.exe"	20240520236bbd686a95a43c1121d7a749b4cdccgoldeneye_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B029B9F-814E-4b1e-95E7-A624DCCBF297}	{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}\stubpath = "C:\\Windows\\{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}.exe"	{1F4080C8-E866-4e49-A4A0-9A6BE407A645}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{519DB727-9C45-4e46-B72E-767F6CAC640A}	{57005FCD-6175-4cbb-8530-3585B7C39C1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B029B9F-814E-4b1e-95E7-A624DCCBF297}\stubpath = "C:\\Windows\\{9B029B9F-814E-4b1e-95E7-A624DCCBF297}.exe"	{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEA73F36-AD6B-446d-9518-8D8600C5578C}	{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E906A20-99DD-479a-B681-53E0F02DFD4A}	{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}	{7264E848-C96F-4d72-9EB9-AC809DC751E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{975A69D2-809F-47e0-BC4D-C59748B400E5}	{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57005FCD-6175-4cbb-8530-3585B7C39C1C}	{975A69D2-809F-47e0-BC4D-C59748B400E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57005FCD-6175-4cbb-8530-3585B7C39C1C}\stubpath = "C:\\Windows\\{57005FCD-6175-4cbb-8530-3585B7C39C1C}.exe"	{975A69D2-809F-47e0-BC4D-C59748B400E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{519DB727-9C45-4e46-B72E-767F6CAC640A}\stubpath = "C:\\Windows\\{519DB727-9C45-4e46-B72E-767F6CAC640A}.exe"	{57005FCD-6175-4cbb-8530-3585B7C39C1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}	20240520236bbd686a95a43c1121d7a749b4cdccgoldeneye_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F4080C8-E866-4e49-A4A0-9A6BE407A645}	{EEA73F36-AD6B-446d-9518-8D8600C5578C}.exe

Executes dropped EXE 12 IoCs

pid	Process
5000	{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}.exe
3276	{9B029B9F-814E-4b1e-95E7-A624DCCBF297}.exe
2444	{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}.exe
1852	{EEA73F36-AD6B-446d-9518-8D8600C5578C}.exe
2436	{1F4080C8-E866-4e49-A4A0-9A6BE407A645}.exe
3944	{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}.exe
4640	{9E906A20-99DD-479a-B681-53E0F02DFD4A}.exe
4572	{7264E848-C96F-4d72-9EB9-AC809DC751E6}.exe
2664	{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}.exe
1400	{975A69D2-809F-47e0-BC4D-C59748B400E5}.exe
4028	{57005FCD-6175-4cbb-8530-3585B7C39C1C}.exe
5084	{519DB727-9C45-4e46-B72E-767F6CAC640A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9E906A20-99DD-479a-B681-53E0F02DFD4A}.exe	{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}.exe
File created	C:\Windows\{7264E848-C96F-4d72-9EB9-AC809DC751E6}.exe	{9E906A20-99DD-479a-B681-53E0F02DFD4A}.exe
File created	C:\Windows\{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}.exe	{7264E848-C96F-4d72-9EB9-AC809DC751E6}.exe
File created	C:\Windows\{975A69D2-809F-47e0-BC4D-C59748B400E5}.exe	{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}.exe
File created	C:\Windows\{9B029B9F-814E-4b1e-95E7-A624DCCBF297}.exe	{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}.exe
File created	C:\Windows\{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}.exe	{9B029B9F-814E-4b1e-95E7-A624DCCBF297}.exe
File created	C:\Windows\{1F4080C8-E866-4e49-A4A0-9A6BE407A645}.exe	{EEA73F36-AD6B-446d-9518-8D8600C5578C}.exe
File created	C:\Windows\{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}.exe	{1F4080C8-E866-4e49-A4A0-9A6BE407A645}.exe
File created	C:\Windows\{519DB727-9C45-4e46-B72E-767F6CAC640A}.exe	{57005FCD-6175-4cbb-8530-3585B7C39C1C}.exe
File created	C:\Windows\{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}.exe	20240520236bbd686a95a43c1121d7a749b4cdccgoldeneye_NeikiAnalytics.exe
File created	C:\Windows\{EEA73F36-AD6B-446d-9518-8D8600C5578C}.exe	{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}.exe
File created	C:\Windows\{57005FCD-6175-4cbb-8530-3585B7C39C1C}.exe	{975A69D2-809F-47e0-BC4D-C59748B400E5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2156	20240520236bbd686a95a43c1121d7a749b4cdccgoldeneye_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	5000	{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}.exe
Token: SeIncBasePriorityPrivilege	3276	{9B029B9F-814E-4b1e-95E7-A624DCCBF297}.exe
Token: SeIncBasePriorityPrivilege	2444	{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}.exe
Token: SeIncBasePriorityPrivilege	1852	{EEA73F36-AD6B-446d-9518-8D8600C5578C}.exe
Token: SeIncBasePriorityPrivilege	2436	{1F4080C8-E866-4e49-A4A0-9A6BE407A645}.exe
Token: SeIncBasePriorityPrivilege	3944	{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}.exe
Token: SeIncBasePriorityPrivilege	4640	{9E906A20-99DD-479a-B681-53E0F02DFD4A}.exe
Token: SeIncBasePriorityPrivilege	4572	{7264E848-C96F-4d72-9EB9-AC809DC751E6}.exe
Token: SeIncBasePriorityPrivilege	2664	{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}.exe
Token: SeIncBasePriorityPrivilege	1400	{975A69D2-809F-47e0-BC4D-C59748B400E5}.exe
Token: SeIncBasePriorityPrivilege	4028	{57005FCD-6175-4cbb-8530-3585B7C39C1C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 5000	2156	20240520236bbd686a95a43c1121d7a749b4cdccgoldeneye_NeikiAnalytics.exe	94
PID 2156 wrote to memory of 5000	2156	20240520236bbd686a95a43c1121d7a749b4cdccgoldeneye_NeikiAnalytics.exe	94
PID 2156 wrote to memory of 5000	2156	20240520236bbd686a95a43c1121d7a749b4cdccgoldeneye_NeikiAnalytics.exe	94
PID 2156 wrote to memory of 3352	2156	20240520236bbd686a95a43c1121d7a749b4cdccgoldeneye_NeikiAnalytics.exe	95
PID 2156 wrote to memory of 3352	2156	20240520236bbd686a95a43c1121d7a749b4cdccgoldeneye_NeikiAnalytics.exe	95
PID 2156 wrote to memory of 3352	2156	20240520236bbd686a95a43c1121d7a749b4cdccgoldeneye_NeikiAnalytics.exe	95
PID 5000 wrote to memory of 3276	5000	{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}.exe	98
PID 5000 wrote to memory of 3276	5000	{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}.exe	98
PID 5000 wrote to memory of 3276	5000	{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}.exe	98
PID 5000 wrote to memory of 736	5000	{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}.exe	99
PID 5000 wrote to memory of 736	5000	{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}.exe	99
PID 5000 wrote to memory of 736	5000	{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}.exe	99
PID 3276 wrote to memory of 2444	3276	{9B029B9F-814E-4b1e-95E7-A624DCCBF297}.exe	101
PID 3276 wrote to memory of 2444	3276	{9B029B9F-814E-4b1e-95E7-A624DCCBF297}.exe	101
PID 3276 wrote to memory of 2444	3276	{9B029B9F-814E-4b1e-95E7-A624DCCBF297}.exe	101
PID 3276 wrote to memory of 372	3276	{9B029B9F-814E-4b1e-95E7-A624DCCBF297}.exe	102
PID 3276 wrote to memory of 372	3276	{9B029B9F-814E-4b1e-95E7-A624DCCBF297}.exe	102
PID 3276 wrote to memory of 372	3276	{9B029B9F-814E-4b1e-95E7-A624DCCBF297}.exe	102
PID 2444 wrote to memory of 1852	2444	{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}.exe	104
PID 2444 wrote to memory of 1852	2444	{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}.exe	104
PID 2444 wrote to memory of 1852	2444	{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}.exe	104
PID 2444 wrote to memory of 3832	2444	{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}.exe	105
PID 2444 wrote to memory of 3832	2444	{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}.exe	105
PID 2444 wrote to memory of 3832	2444	{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}.exe	105
PID 1852 wrote to memory of 2436	1852	{EEA73F36-AD6B-446d-9518-8D8600C5578C}.exe	106
PID 1852 wrote to memory of 2436	1852	{EEA73F36-AD6B-446d-9518-8D8600C5578C}.exe	106
PID 1852 wrote to memory of 2436	1852	{EEA73F36-AD6B-446d-9518-8D8600C5578C}.exe	106
PID 1852 wrote to memory of 3544	1852	{EEA73F36-AD6B-446d-9518-8D8600C5578C}.exe	107
PID 1852 wrote to memory of 3544	1852	{EEA73F36-AD6B-446d-9518-8D8600C5578C}.exe	107
PID 1852 wrote to memory of 3544	1852	{EEA73F36-AD6B-446d-9518-8D8600C5578C}.exe	107
PID 2436 wrote to memory of 3944	2436	{1F4080C8-E866-4e49-A4A0-9A6BE407A645}.exe	109
PID 2436 wrote to memory of 3944	2436	{1F4080C8-E866-4e49-A4A0-9A6BE407A645}.exe	109
PID 2436 wrote to memory of 3944	2436	{1F4080C8-E866-4e49-A4A0-9A6BE407A645}.exe	109
PID 2436 wrote to memory of 4592	2436	{1F4080C8-E866-4e49-A4A0-9A6BE407A645}.exe	110
PID 2436 wrote to memory of 4592	2436	{1F4080C8-E866-4e49-A4A0-9A6BE407A645}.exe	110
PID 2436 wrote to memory of 4592	2436	{1F4080C8-E866-4e49-A4A0-9A6BE407A645}.exe	110
PID 3944 wrote to memory of 4640	3944	{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}.exe	111
PID 3944 wrote to memory of 4640	3944	{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}.exe	111
PID 3944 wrote to memory of 4640	3944	{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}.exe	111
PID 3944 wrote to memory of 4296	3944	{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}.exe	112
PID 3944 wrote to memory of 4296	3944	{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}.exe	112
PID 3944 wrote to memory of 4296	3944	{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}.exe	112
PID 4640 wrote to memory of 4572	4640	{9E906A20-99DD-479a-B681-53E0F02DFD4A}.exe	113
PID 4640 wrote to memory of 4572	4640	{9E906A20-99DD-479a-B681-53E0F02DFD4A}.exe	113
PID 4640 wrote to memory of 4572	4640	{9E906A20-99DD-479a-B681-53E0F02DFD4A}.exe	113
PID 4640 wrote to memory of 3352	4640	{9E906A20-99DD-479a-B681-53E0F02DFD4A}.exe	114
PID 4640 wrote to memory of 3352	4640	{9E906A20-99DD-479a-B681-53E0F02DFD4A}.exe	114
PID 4640 wrote to memory of 3352	4640	{9E906A20-99DD-479a-B681-53E0F02DFD4A}.exe	114
PID 4572 wrote to memory of 2664	4572	{7264E848-C96F-4d72-9EB9-AC809DC751E6}.exe	121
PID 4572 wrote to memory of 2664	4572	{7264E848-C96F-4d72-9EB9-AC809DC751E6}.exe	121
PID 4572 wrote to memory of 2664	4572	{7264E848-C96F-4d72-9EB9-AC809DC751E6}.exe	121
PID 4572 wrote to memory of 3068	4572	{7264E848-C96F-4d72-9EB9-AC809DC751E6}.exe	122
PID 4572 wrote to memory of 3068	4572	{7264E848-C96F-4d72-9EB9-AC809DC751E6}.exe	122
PID 4572 wrote to memory of 3068	4572	{7264E848-C96F-4d72-9EB9-AC809DC751E6}.exe	122
PID 2664 wrote to memory of 1400	2664	{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}.exe	123
PID 2664 wrote to memory of 1400	2664	{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}.exe	123
PID 2664 wrote to memory of 1400	2664	{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}.exe	123
PID 2664 wrote to memory of 3644	2664	{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}.exe	124
PID 2664 wrote to memory of 3644	2664	{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}.exe	124
PID 2664 wrote to memory of 3644	2664	{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}.exe	124
PID 1400 wrote to memory of 4028	1400	{975A69D2-809F-47e0-BC4D-C59748B400E5}.exe	125
PID 1400 wrote to memory of 4028	1400	{975A69D2-809F-47e0-BC4D-C59748B400E5}.exe	125
PID 1400 wrote to memory of 4028	1400	{975A69D2-809F-47e0-BC4D-C59748B400E5}.exe	125
PID 1400 wrote to memory of 3128	1400	{975A69D2-809F-47e0-BC4D-C59748B400E5}.exe	126

C:\Users\Admin\AppData\Local\Temp\20240520236bbd686a95a43c1121d7a749b4cdccgoldeneye_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\20240520236bbd686a95a43c1121d7a749b4cdccgoldeneye_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}.exe
  C:\Windows\{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\{9B029B9F-814E-4b1e-95E7-A624DCCBF297}.exe
    C:\Windows\{9B029B9F-814E-4b1e-95E7-A624DCCBF297}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Windows\{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}.exe
      C:\Windows\{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\{EEA73F36-AD6B-446d-9518-8D8600C5578C}.exe
        
        C:\Windows\{EEA73F36-AD6B-446d-9518-8D8600C5578C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Windows\{1F4080C8-E866-4e49-A4A0-9A6BE407A645}.exe
        
        C:\Windows\{1F4080C8-E866-4e49-A4A0-9A6BE407A645}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}.exe
        
        C:\Windows\{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\{9E906A20-99DD-479a-B681-53E0F02DFD4A}.exe
        
        C:\Windows\{9E906A20-99DD-479a-B681-53E0F02DFD4A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\{7264E848-C96F-4d72-9EB9-AC809DC751E6}.exe
        
        C:\Windows\{7264E848-C96F-4d72-9EB9-AC809DC751E6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}.exe
        
        C:\Windows\{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{975A69D2-809F-47e0-BC4D-C59748B400E5}.exe
        
        C:\Windows\{975A69D2-809F-47e0-BC4D-C59748B400E5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\{57005FCD-6175-4cbb-8530-3585B7C39C1C}.exe
        
        C:\Windows\{57005FCD-6175-4cbb-8530-3585B7C39C1C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
        
        C:\Windows\{519DB727-9C45-4e46-B72E-767F6CAC640A}.exe
        
        C:\Windows\{519DB727-9C45-4e46-B72E-767F6CAC640A}.exe
        13⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57005~1.EXE > nul
        13⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{975A6~1.EXE > nul
        12⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF8EC~1.EXE > nul
        11⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7264E~1.EXE > nul
        10⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E906~1.EXE > nul
        9⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7628~1.EXE > nul
        8⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F408~1.EXE > nul
        7⤵
        
        PID:4592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEA73~1.EXE > nul
        6⤵
        
        PID:3544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC5B6~1.EXE > nul
        5⤵
        
        PID:3832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9B029~1.EXE > nul
      4⤵
      PID:372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7B47B~1.EXE > nul
    3⤵
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202405~1.EXE > nul
  2⤵
  PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F4080C8-E866-4e49-A4A0-9A6BE407A645}.exe

Filesize
380KB

MD5
81830d3aea12813860b15f978f41d11f

SHA1
f539ffc8eef37fbdf9ba234750d236adc1a27fd3

SHA256
031d376335d3a72c53430386624ccf82303bfedb41f5493fc60d2a2daff8fbb7

SHA512
f731aa53dd7f931e079c6496d092308e3e7825b2f251819b22530109d8b6aadc2d9765ca7b0a06217cda7c80d70d7114591744dd6402b5c5a01ee06dfad43000

Download Submit
C:\Windows\{519DB727-9C45-4e46-B72E-767F6CAC640A}.exe

Filesize
380KB

MD5
71b3decf887122cad464d9a07077b7b5

SHA1
6e539cb99ef1ae32b77e139918c90e561ddb6319

SHA256
7bfd7820054f68d8809880fef011ad74d5fcb9b3fb1cb512ec6078eeb43aa7f6

SHA512
4b8f1ccda922515eeceaced8d8ceab7cb40feaba43322e74dfc40d8c7d3b4f51a219e5c32b7f137c6d20f446c30b06620a14db5fdbfdff1dce009f8fcce3414f

Download Submit
C:\Windows\{57005FCD-6175-4cbb-8530-3585B7C39C1C}.exe

Filesize
380KB

MD5
1bacfc0d0f95b99e20cdfad675ccd925

SHA1
91910040d002bc781a8a1f51c75cc91f4b8fa57d

SHA256
d3d8678cbbac9defa4800b1c1895cad2213748a07645e24bc4e942aa170f0a81

SHA512
487f5f99d23d2074b67d7fce12b911feae000f91ea81b3b67b61a81e6240349e5edbd9f6707370484ecef09a8ebf5aa2bf744cc2f122b21c5d61f110f5d264bd

Download Submit
C:\Windows\{7264E848-C96F-4d72-9EB9-AC809DC751E6}.exe

Filesize
380KB

MD5
49dd929bde171b6b4470aac2c20b767d

SHA1
9d84824b03743a85ab7799a92d6f450975526f00

SHA256
0fbd382115bcb24c2a2dacca05f723343b576fbfcfbe7f27b4a9091f234b4bce

SHA512
e25c2fa45f829159e60cba01b0e8bb669b24dd1fdc6015e500d33fb7c76de54d50a0ed94d0990ac129c51db9fb12fa0ae3d60db648cf4b30983d24fe690c39a4

Download Submit
C:\Windows\{7B47B3FD-F9DA-4b6e-94E1-D8A9B1E1111C}.exe

Filesize
380KB

MD5
1bbd44cb6b6df79aba98704d6597fdc9

SHA1
6e255a899be133deaa89741dad7b6974efbf95bd

SHA256
e95796578c17a490fb0f9e36bad5b2d21c7154b2d13a87a0289e2158d0b5064e

SHA512
ec78e7ab26a7f8825d9eec5fbb7d2c24cdce339816183ba40740bf6084868cb48d2d749f2da95beb35ab0db3d81cd2ec8db5b11084acba5a2b69b4ce998e25ee

Download Submit
C:\Windows\{975A69D2-809F-47e0-BC4D-C59748B400E5}.exe

Filesize
380KB

MD5
0d67edeb8159bef931d82ac865482420

SHA1
020b9003db84c3c6b0fce4279b1055e5fb3fdf86

SHA256
2131d1484989f29c7f67b0a545a1e5187b4c8777cd5e24bf6a4cb80dac0afe13

SHA512
d359503a02874e127910fd0d9eae0ce96a61128d627e4af82ae3182a10de1aeb94de134cf4617d37be9f3f316e92f5e3db60e15f10f202f3b24518c45f8f6f22

Download Submit
C:\Windows\{9B029B9F-814E-4b1e-95E7-A624DCCBF297}.exe

Filesize
380KB

MD5
5a88adffd4769f277da0948b4ec47acd

SHA1
d8f763f3746955de42c34a06ee4ba48607e99314

SHA256
e71dfe938aadd329843de0ebd893ef9d1cfa3da0783ef973119a40b7eb1c5c88

SHA512
7470a6fb33da465a0a7a1e30f1c98e6927d0e38ee217760136de991aed6287bca62e382ad83be17510b27573fe4b1474054e785b9fae91186684821a9a935799

Download Submit
C:\Windows\{9E906A20-99DD-479a-B681-53E0F02DFD4A}.exe

Filesize
380KB

MD5
60e281bbe6790cd3a0e85f337d72fe74

SHA1
97862e56698e7e2b12789e611a9fd6a7e8eced36

SHA256
2e4c0e75e24be6f20bccccd6b3922f7a36bd5a492f948aa1f5133166168effa4

SHA512
9f67604632711e30d316bc41a4bd8adaad3e96d0f94fbe727544b7f15dc636a47c40644a45b7afd6624aeae45c0ca42c1623c939b1337c0567e541532766b314

Download Submit
C:\Windows\{A7628DE6-3307-4d2f-A5CE-F330E2EAA0AD}.exe

Filesize
380KB

MD5
4396fd86ed259a90679b1c6e59253188

SHA1
b0bf78f1271c1cc8efffd332c6833d2cda4723d0

SHA256
7b476379b4874d9fa351f05de8a4392de1746a6b96cda20a1e34a052485fe969

SHA512
0e7b6d4de69624cb0d46cd28b1b66d0f72a376e60f4a8e9f33ea5a72cbcb0347f63289a7900821871dacc1aee677ee20b574292eeeb883e5c56d9aff7ad4a4d0

Download Submit
C:\Windows\{CF8EC5FD-97BB-4b82-BE4D-0E9F00EA66E8}.exe

Filesize
380KB

MD5
54ea71e50a25728cda51ec2fc2570f54

SHA1
d79554826844f03e24536c6b97ae700e27850868

SHA256
1207b2942da99dc41035dfdd14669902f67ba0f493c030fad4e345f7214a7d27

SHA512
d8ec1dd515499e97995a807e09b7a62184518d2c614b0ce280ec09edd46a67fb355580142d5609963679b1b131f0cfa429a865af808a9adfbc83ca91ec1e22ac

Download Submit
C:\Windows\{EEA73F36-AD6B-446d-9518-8D8600C5578C}.exe

Filesize
380KB

MD5
ad491dc54a8938d56e59fc8a3b276c95

SHA1
18a70b5cb9aa12b1b29d28f1dfdb79e04e9eb895

SHA256
64af4591bfdb8f2f4cf197a13271685d3488725043e08faa95e063a42ad6a4f6

SHA512
77b976ec2d546e821da6167adc7550397fdbcca2f321ac6f397db2b0100956642d8af9d0db9c6bd431f44f7c6614f1658c4713715afcdaf5f4059a576f4ac7ae

Download Submit
C:\Windows\{FC5B6105-01DA-493e-8AD7-234ED8BAD28A}.exe

Filesize
380KB

MD5
117091932d2148117f6b23ee06552889

SHA1
0165baa4a4a18ed20c24d624874961a146f98a4e

SHA256
5796e1df45b74c2c5de8dcef371ef4010ccf756b375133a8db83a757fcae319d

SHA512
1bf8b7c393d2e5caa42f51c6d45cfba3a1f5de70fed7e1c1264221df9aff03dcb604f410c5a5a7a753af82ed5681f51f5fcf5504eb2c6ffc9af13a2cb034c1bb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads