b461a8b55374c8d202501d4d898cf5eaf3b45c5249bcb0eb9c367dd6fe93df29

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
06/08/2023, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe
Size

168KB
MD5

ff29fab1b2ae1ab5030787c5644579db
SHA1

b57f74276b0bf1eed4c89ad78baeeeb6f424af1f
SHA256

b461a8b55374c8d202501d4d898cf5eaf3b45c5249bcb0eb9c367dd6fe93df29
SHA512

c3a630da08653cf0d70fb8059d80db28a17431e33a617af4ebc0ab2b2fea634373ed4790f1dcc5b46ba56b1d1d22e740c8605b8151c2e3accf21cd354d462721
SSDEEP

1536:1EGh0orlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0orlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58065C38-54DE-473f-BAF0-C5A2EDD3480B}	{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58065C38-54DE-473f-BAF0-C5A2EDD3480B}\stubpath = "C:\\Windows\\{58065C38-54DE-473f-BAF0-C5A2EDD3480B}.exe"	{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3AEC19C-C444-4f91-8CCC-A2EC301EE008}\stubpath = "C:\\Windows\\{A3AEC19C-C444-4f91-8CCC-A2EC301EE008}.exe"	{58065C38-54DE-473f-BAF0-C5A2EDD3480B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB0CC7C7-1219-4a3b-9402-8A8909E137A1}	{A3AEC19C-C444-4f91-8CCC-A2EC301EE008}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB0CC7C7-1219-4a3b-9402-8A8909E137A1}\stubpath = "C:\\Windows\\{AB0CC7C7-1219-4a3b-9402-8A8909E137A1}.exe"	{A3AEC19C-C444-4f91-8CCC-A2EC301EE008}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B312A42C-7095-46a5-AE01-6834841C0F79}	{AB0CC7C7-1219-4a3b-9402-8A8909E137A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{414D2910-77AD-430e-8AB3-04A60E0628FA}\stubpath = "C:\\Windows\\{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe"	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE202057-4FF8-48d6-A28A-035AA84A0029}	{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9038022D-1B47-4202-A665-F3E001D059B0}	{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62E66827-CBA5-4b12-B3BB-81950C83F806}	{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9038022D-1B47-4202-A665-F3E001D059B0}\stubpath = "C:\\Windows\\{9038022D-1B47-4202-A665-F3E001D059B0}.exe"	{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7A4F88C-F3E3-4086-AF50-570AE66216AE}	{9038022D-1B47-4202-A665-F3E001D059B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE202057-4FF8-48d6-A28A-035AA84A0029}\stubpath = "C:\\Windows\\{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe"	{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B312A42C-7095-46a5-AE01-6834841C0F79}\stubpath = "C:\\Windows\\{B312A42C-7095-46a5-AE01-6834841C0F79}.exe"	{AB0CC7C7-1219-4a3b-9402-8A8909E137A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{414D2910-77AD-430e-8AB3-04A60E0628FA}	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50A40B93-EA02-4201-8B2C-BB933B926BA7}	{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10EA5BF8-A18C-4471-9258-9EDE55007E18}\stubpath = "C:\\Windows\\{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe"	{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62E66827-CBA5-4b12-B3BB-81950C83F806}\stubpath = "C:\\Windows\\{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe"	{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7A4F88C-F3E3-4086-AF50-570AE66216AE}\stubpath = "C:\\Windows\\{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe"	{9038022D-1B47-4202-A665-F3E001D059B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3AEC19C-C444-4f91-8CCC-A2EC301EE008}	{58065C38-54DE-473f-BAF0-C5A2EDD3480B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50A40B93-EA02-4201-8B2C-BB933B926BA7}\stubpath = "C:\\Windows\\{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe"	{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10EA5BF8-A18C-4471-9258-9EDE55007E18}	{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe

Deletes itself 1 IoCs

pid	Process
2584	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1148	{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe
2808	{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe
2836	{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe
2684	{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe
2848	{9038022D-1B47-4202-A665-F3E001D059B0}.exe
2732	{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe
2744	{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe
2496	{58065C38-54DE-473f-BAF0-C5A2EDD3480B}.exe
268	{A3AEC19C-C444-4f91-8CCC-A2EC301EE008}.exe
1232	{AB0CC7C7-1219-4a3b-9402-8A8909E137A1}.exe
488	{B312A42C-7095-46a5-AE01-6834841C0F79}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe	{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe
File created	C:\Windows\{9038022D-1B47-4202-A665-F3E001D059B0}.exe	{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe
File created	C:\Windows\{58065C38-54DE-473f-BAF0-C5A2EDD3480B}.exe	{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe
File created	C:\Windows\{A3AEC19C-C444-4f91-8CCC-A2EC301EE008}.exe	{58065C38-54DE-473f-BAF0-C5A2EDD3480B}.exe
File created	C:\Windows\{AB0CC7C7-1219-4a3b-9402-8A8909E137A1}.exe	{A3AEC19C-C444-4f91-8CCC-A2EC301EE008}.exe
File created	C:\Windows\{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe	{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe
File created	C:\Windows\{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe	{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe
File created	C:\Windows\{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe	{9038022D-1B47-4202-A665-F3E001D059B0}.exe
File created	C:\Windows\{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe	{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe
File created	C:\Windows\{B312A42C-7095-46a5-AE01-6834841C0F79}.exe	{AB0CC7C7-1219-4a3b-9402-8A8909E137A1}.exe
File created	C:\Windows\{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2572	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1148	{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe
Token: SeIncBasePriorityPrivilege	2808	{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe
Token: SeIncBasePriorityPrivilege	2836	{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe
Token: SeIncBasePriorityPrivilege	2684	{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe
Token: SeIncBasePriorityPrivilege	2848	{9038022D-1B47-4202-A665-F3E001D059B0}.exe
Token: SeIncBasePriorityPrivilege	2732	{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe
Token: SeIncBasePriorityPrivilege	2744	{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe
Token: SeIncBasePriorityPrivilege	2496	{58065C38-54DE-473f-BAF0-C5A2EDD3480B}.exe
Token: SeIncBasePriorityPrivilege	268	{A3AEC19C-C444-4f91-8CCC-A2EC301EE008}.exe
Token: SeIncBasePriorityPrivilege	1232	{AB0CC7C7-1219-4a3b-9402-8A8909E137A1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 1148	2572	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe	28
PID 2572 wrote to memory of 1148	2572	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe	28
PID 2572 wrote to memory of 1148	2572	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe	28
PID 2572 wrote to memory of 1148	2572	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe	28
PID 2572 wrote to memory of 2584	2572	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe	29
PID 2572 wrote to memory of 2584	2572	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe	29
PID 2572 wrote to memory of 2584	2572	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe	29
PID 2572 wrote to memory of 2584	2572	2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe	29
PID 1148 wrote to memory of 2808	1148	{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe	32
PID 1148 wrote to memory of 2808	1148	{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe	32
PID 1148 wrote to memory of 2808	1148	{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe	32
PID 1148 wrote to memory of 2808	1148	{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe	32
PID 1148 wrote to memory of 2920	1148	{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe	33
PID 1148 wrote to memory of 2920	1148	{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe	33
PID 1148 wrote to memory of 2920	1148	{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe	33
PID 1148 wrote to memory of 2920	1148	{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe	33
PID 2808 wrote to memory of 2836	2808	{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe	34
PID 2808 wrote to memory of 2836	2808	{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe	34
PID 2808 wrote to memory of 2836	2808	{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe	34
PID 2808 wrote to memory of 2836	2808	{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe	34
PID 2808 wrote to memory of 2944	2808	{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe	35
PID 2808 wrote to memory of 2944	2808	{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe	35
PID 2808 wrote to memory of 2944	2808	{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe	35
PID 2808 wrote to memory of 2944	2808	{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe	35
PID 2836 wrote to memory of 2684	2836	{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe	36
PID 2836 wrote to memory of 2684	2836	{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe	36
PID 2836 wrote to memory of 2684	2836	{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe	36
PID 2836 wrote to memory of 2684	2836	{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe	36
PID 2836 wrote to memory of 2904	2836	{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe	37
PID 2836 wrote to memory of 2904	2836	{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe	37
PID 2836 wrote to memory of 2904	2836	{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe	37
PID 2836 wrote to memory of 2904	2836	{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe	37
PID 2684 wrote to memory of 2848	2684	{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe	38
PID 2684 wrote to memory of 2848	2684	{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe	38
PID 2684 wrote to memory of 2848	2684	{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe	38
PID 2684 wrote to memory of 2848	2684	{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe	38
PID 2684 wrote to memory of 2344	2684	{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe	39
PID 2684 wrote to memory of 2344	2684	{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe	39
PID 2684 wrote to memory of 2344	2684	{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe	39
PID 2684 wrote to memory of 2344	2684	{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe	39
PID 2848 wrote to memory of 2732	2848	{9038022D-1B47-4202-A665-F3E001D059B0}.exe	40
PID 2848 wrote to memory of 2732	2848	{9038022D-1B47-4202-A665-F3E001D059B0}.exe	40
PID 2848 wrote to memory of 2732	2848	{9038022D-1B47-4202-A665-F3E001D059B0}.exe	40
PID 2848 wrote to memory of 2732	2848	{9038022D-1B47-4202-A665-F3E001D059B0}.exe	40
PID 2848 wrote to memory of 2688	2848	{9038022D-1B47-4202-A665-F3E001D059B0}.exe	41
PID 2848 wrote to memory of 2688	2848	{9038022D-1B47-4202-A665-F3E001D059B0}.exe	41
PID 2848 wrote to memory of 2688	2848	{9038022D-1B47-4202-A665-F3E001D059B0}.exe	41
PID 2848 wrote to memory of 2688	2848	{9038022D-1B47-4202-A665-F3E001D059B0}.exe	41
PID 2732 wrote to memory of 2744	2732	{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe	42
PID 2732 wrote to memory of 2744	2732	{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe	42
PID 2732 wrote to memory of 2744	2732	{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe	42
PID 2732 wrote to memory of 2744	2732	{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe	42
PID 2732 wrote to memory of 2252	2732	{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe	43
PID 2732 wrote to memory of 2252	2732	{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe	43
PID 2732 wrote to memory of 2252	2732	{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe	43
PID 2732 wrote to memory of 2252	2732	{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe	43
PID 2744 wrote to memory of 2496	2744	{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe	44
PID 2744 wrote to memory of 2496	2744	{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe	44
PID 2744 wrote to memory of 2496	2744	{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe	44
PID 2744 wrote to memory of 2496	2744	{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe	44
PID 2744 wrote to memory of 576	2744	{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe	45
PID 2744 wrote to memory of 576	2744	{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe	45
PID 2744 wrote to memory of 576	2744	{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe	45
PID 2744 wrote to memory of 576	2744	{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-05_ff29fab1b2ae1ab5030787c5644579db_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe
  C:\Windows\{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe
    C:\Windows\{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe
      C:\Windows\{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe
        
        C:\Windows\{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Windows\{9038022D-1B47-4202-A665-F3E001D059B0}.exe
        
        C:\Windows\{9038022D-1B47-4202-A665-F3E001D059B0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe
        
        C:\Windows\{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe
        
        C:\Windows\{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{58065C38-54DE-473f-BAF0-C5A2EDD3480B}.exe
        
        C:\Windows\{58065C38-54DE-473f-BAF0-C5A2EDD3480B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\{A3AEC19C-C444-4f91-8CCC-A2EC301EE008}.exe
        
        C:\Windows\{A3AEC19C-C444-4f91-8CCC-A2EC301EE008}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\{AB0CC7C7-1219-4a3b-9402-8A8909E137A1}.exe
        
        C:\Windows\{AB0CC7C7-1219-4a3b-9402-8A8909E137A1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB0CC~1.EXE > nul
        12⤵
        
        PID:2864
        
        C:\Windows\{B312A42C-7095-46a5-AE01-6834841C0F79}.exe
        
        C:\Windows\{B312A42C-7095-46a5-AE01-6834841C0F79}.exe
        12⤵
        Executes dropped EXE
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3AEC~1.EXE > nul
        11⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58065~1.EXE > nul
        10⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE202~1.EXE > nul
        9⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7A4F~1.EXE > nul
        8⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90380~1.EXE > nul
        7⤵
        
        PID:2688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62E66~1.EXE > nul
        6⤵
        
        PID:2344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10EA5~1.EXE > nul
        5⤵
        
        PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{50A40~1.EXE > nul
      4⤵
      PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{414D2~1.EXE > nul
    3⤵
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe

Filesize
168KB

MD5
d7d37c3c9cd0f8e08279f0e039a4ba78

SHA1
1c83bb9ed292c5a539f1edfc3e82299aa11958ac

SHA256
9d9032dc3b1e0d2493cd4f5f4d4d861a6375c6b211fbbabede557565a7209b41

SHA512
0e06e6a1a2292d11efcd80d1ab1a8b07e3c14d612de3046791d09b672c456741a26e2ae225703d6857b27aafd92bc3a95533f610c2b85d51cc61daa558211ff0

Download Submit
C:\Windows\{10EA5BF8-A18C-4471-9258-9EDE55007E18}.exe

Filesize
168KB

MD5
d7d37c3c9cd0f8e08279f0e039a4ba78

SHA1
1c83bb9ed292c5a539f1edfc3e82299aa11958ac

SHA256
9d9032dc3b1e0d2493cd4f5f4d4d861a6375c6b211fbbabede557565a7209b41

SHA512
0e06e6a1a2292d11efcd80d1ab1a8b07e3c14d612de3046791d09b672c456741a26e2ae225703d6857b27aafd92bc3a95533f610c2b85d51cc61daa558211ff0

Download Submit
C:\Windows\{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe

Filesize
168KB

MD5
4221bf3f0bff613169fcf08b71fc0b62

SHA1
73c23b808e7abfa019b1766ab9b4405cbbc891f7

SHA256
483bc89f5223d0085f45c3e1720a839a6c027c3b50e786b5f97a98e92f4befd8

SHA512
3a3318c7983e4a3e662d0b46b4c2ac70ac34a97401772b960c323ad2062c98c3a2c0fa6b629c6231c4bd502e2455c83f0b1ec0bf60d7af5c9605532d90e7ee9f

Download Submit
C:\Windows\{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe

Filesize
168KB

MD5
4221bf3f0bff613169fcf08b71fc0b62

SHA1
73c23b808e7abfa019b1766ab9b4405cbbc891f7

SHA256
483bc89f5223d0085f45c3e1720a839a6c027c3b50e786b5f97a98e92f4befd8

SHA512
3a3318c7983e4a3e662d0b46b4c2ac70ac34a97401772b960c323ad2062c98c3a2c0fa6b629c6231c4bd502e2455c83f0b1ec0bf60d7af5c9605532d90e7ee9f

Download Submit
C:\Windows\{414D2910-77AD-430e-8AB3-04A60E0628FA}.exe

Filesize
168KB

MD5
4221bf3f0bff613169fcf08b71fc0b62

SHA1
73c23b808e7abfa019b1766ab9b4405cbbc891f7

SHA256
483bc89f5223d0085f45c3e1720a839a6c027c3b50e786b5f97a98e92f4befd8

SHA512
3a3318c7983e4a3e662d0b46b4c2ac70ac34a97401772b960c323ad2062c98c3a2c0fa6b629c6231c4bd502e2455c83f0b1ec0bf60d7af5c9605532d90e7ee9f

Download Submit
C:\Windows\{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe

Filesize
168KB

MD5
ae63e7a7ed2117ff5a66f3afd3496a9b

SHA1
d948f7876e5f4d955d4b94ca14937665ef82dfc2

SHA256
498f763c766a7e769d4b61b44b18060e757f7ca50caece98d6293e5f98a67b11

SHA512
e856a80e44284cdecf42e2d827cea76e882f785377b9124bd56c04007a542d17d26ef80a8ba84646ba7c2011acf367cda4f5992bd405e56b18b885c6c6cc11bc

Download Submit
C:\Windows\{50A40B93-EA02-4201-8B2C-BB933B926BA7}.exe

Filesize
168KB

MD5
ae63e7a7ed2117ff5a66f3afd3496a9b

SHA1
d948f7876e5f4d955d4b94ca14937665ef82dfc2

SHA256
498f763c766a7e769d4b61b44b18060e757f7ca50caece98d6293e5f98a67b11

SHA512
e856a80e44284cdecf42e2d827cea76e882f785377b9124bd56c04007a542d17d26ef80a8ba84646ba7c2011acf367cda4f5992bd405e56b18b885c6c6cc11bc

Download Submit
C:\Windows\{58065C38-54DE-473f-BAF0-C5A2EDD3480B}.exe

Filesize
168KB

MD5
0040d8995aa7a78695320cf851620ab6

SHA1
dd02ec5eb19eae43551ebf18a0af6bfb818e09ed

SHA256
bf2df0d23d958d1802f6ddee03ec27d8b784cacd84005f8d1a34a05384c91707

SHA512
32bda8246fa56af3403cdeebf47e8742425ff7c0d9dc7976f927fdf509376895eb6c1bf946a86819fbcef4f9d3fe92f158a093bc1c1dd5d5d50c73139d6d2b9a

Download Submit
C:\Windows\{58065C38-54DE-473f-BAF0-C5A2EDD3480B}.exe

Filesize
168KB

MD5
0040d8995aa7a78695320cf851620ab6

SHA1
dd02ec5eb19eae43551ebf18a0af6bfb818e09ed

SHA256
bf2df0d23d958d1802f6ddee03ec27d8b784cacd84005f8d1a34a05384c91707

SHA512
32bda8246fa56af3403cdeebf47e8742425ff7c0d9dc7976f927fdf509376895eb6c1bf946a86819fbcef4f9d3fe92f158a093bc1c1dd5d5d50c73139d6d2b9a

Download Submit
C:\Windows\{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe

Filesize
168KB

MD5
b6017cfc3a08a249116c45a4cdcd9bca

SHA1
dd9247acd291061fa54f1cb831de6cd6375a3a2f

SHA256
ee7a6bde8671bd4ca8a99c88ae5c6e1aa60183637c2b1263122fc9760674fb5d

SHA512
aa84d66ef223eb1e6f45ffd40552f43d0d5a5bdf7fdb9345d1fe9cc8dcc22f41e07090b5d072a0ffa0b2eb7def5e6c02b165c128f9ff99640d98c9e128fa0ae5

Download Submit
C:\Windows\{62E66827-CBA5-4b12-B3BB-81950C83F806}.exe

Filesize
168KB

MD5
b6017cfc3a08a249116c45a4cdcd9bca

SHA1
dd9247acd291061fa54f1cb831de6cd6375a3a2f

SHA256
ee7a6bde8671bd4ca8a99c88ae5c6e1aa60183637c2b1263122fc9760674fb5d

SHA512
aa84d66ef223eb1e6f45ffd40552f43d0d5a5bdf7fdb9345d1fe9cc8dcc22f41e07090b5d072a0ffa0b2eb7def5e6c02b165c128f9ff99640d98c9e128fa0ae5

Download Submit
C:\Windows\{9038022D-1B47-4202-A665-F3E001D059B0}.exe

Filesize
168KB

MD5
9af83c607617b4cf7ef3548278761319

SHA1
143aeb5c0449a900bac6b72391382409b87cc150

SHA256
268dd1d0f0340e2216dc97852354da087ff227759a90d6af76fbc2f94eddb3cb

SHA512
ab2928f0e45f7a24e75dbbf64663a20f260acab0a1653b556958ac1e49376852eb129f30397a6b791882a545ace6fc71ab4d93220dcb124dcee18e4cdffedfdc

Download Submit
C:\Windows\{9038022D-1B47-4202-A665-F3E001D059B0}.exe

Filesize
168KB

MD5
9af83c607617b4cf7ef3548278761319

SHA1
143aeb5c0449a900bac6b72391382409b87cc150

SHA256
268dd1d0f0340e2216dc97852354da087ff227759a90d6af76fbc2f94eddb3cb

SHA512
ab2928f0e45f7a24e75dbbf64663a20f260acab0a1653b556958ac1e49376852eb129f30397a6b791882a545ace6fc71ab4d93220dcb124dcee18e4cdffedfdc

Download Submit
C:\Windows\{A3AEC19C-C444-4f91-8CCC-A2EC301EE008}.exe

Filesize
168KB

MD5
4ceacb1b836c1f46159b06730530bfd8

SHA1
d97699325294945bb159c95e8bd32082e3270841

SHA256
e07d17da9d9f6b4e9b3b1c27d4bd89ebd88ad57169ce66957873360b4506dc5b

SHA512
bcd1a1fc56bddc4264c702b08a138d31aef9c7f869055b1549b03b8d40222584eba466db4f51cc7164f946b6a43866a310943503d3eedd3e5e4439cb564366ed

Download Submit
C:\Windows\{A3AEC19C-C444-4f91-8CCC-A2EC301EE008}.exe

Filesize
168KB

MD5
4ceacb1b836c1f46159b06730530bfd8

SHA1
d97699325294945bb159c95e8bd32082e3270841

SHA256
e07d17da9d9f6b4e9b3b1c27d4bd89ebd88ad57169ce66957873360b4506dc5b

SHA512
bcd1a1fc56bddc4264c702b08a138d31aef9c7f869055b1549b03b8d40222584eba466db4f51cc7164f946b6a43866a310943503d3eedd3e5e4439cb564366ed

Download Submit
C:\Windows\{AB0CC7C7-1219-4a3b-9402-8A8909E137A1}.exe

Filesize
168KB

MD5
369a95b126c8e532e4bce51f5c90b0af

SHA1
cfa3f9d290a9a7667a9214a0fb7e6b7c037a2216

SHA256
de7c1e8be1cecd86561ad6dbf19dcc47d7876513c9035e23abe650c981dbc9c3

SHA512
25136c01a280407a40e6d025e92e561ae72d32ffa6bc239dcb70516be6953cfb4ea03ec9c997d9bab9195c57c46e8f2469f25b91ea6940b2770af7e74da48cb0

Download Submit
C:\Windows\{AB0CC7C7-1219-4a3b-9402-8A8909E137A1}.exe

Filesize
168KB

MD5
369a95b126c8e532e4bce51f5c90b0af

SHA1
cfa3f9d290a9a7667a9214a0fb7e6b7c037a2216

SHA256
de7c1e8be1cecd86561ad6dbf19dcc47d7876513c9035e23abe650c981dbc9c3

SHA512
25136c01a280407a40e6d025e92e561ae72d32ffa6bc239dcb70516be6953cfb4ea03ec9c997d9bab9195c57c46e8f2469f25b91ea6940b2770af7e74da48cb0

Download Submit
C:\Windows\{B312A42C-7095-46a5-AE01-6834841C0F79}.exe

Filesize
168KB

MD5
8d30ba057cedf868c4e6142b9296b9c7

SHA1
7f542c5b8b3ece14c88d42049d58f7727b13e442

SHA256
1f818529f5917db48cee723dc15ed1600bf1604e306380358e2be82be7f52210

SHA512
c8f71cc37f2ddff562bb122397d353bf67fb01da2f7d9b9dc68d0cfb167aa70138c6a4a6a170d88cfa3a5171a0fa1b33e39b307bea11d8b0799c86489e80efdd

Download Submit
C:\Windows\{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe

Filesize
168KB

MD5
fc45080cb79e71be2f67d56d917611d4

SHA1
b6ea390386b4cbc1f515be9ce03648679db35c5d

SHA256
e1bef435edfada0b846fb8081d760a7133d854aeada5040dd599434927a3c817

SHA512
bb20092ecf89c5f3c25e68ef465f57fb01a54eb7096cbf3283b12d9c169764e93bc8ba6fcc312e1c92fea53ef2f133e29b83585860fe4e99dbbba9e79fbd6f37

Download Submit
C:\Windows\{BE202057-4FF8-48d6-A28A-035AA84A0029}.exe

Filesize
168KB

MD5
fc45080cb79e71be2f67d56d917611d4

SHA1
b6ea390386b4cbc1f515be9ce03648679db35c5d

SHA256
e1bef435edfada0b846fb8081d760a7133d854aeada5040dd599434927a3c817

SHA512
bb20092ecf89c5f3c25e68ef465f57fb01a54eb7096cbf3283b12d9c169764e93bc8ba6fcc312e1c92fea53ef2f133e29b83585860fe4e99dbbba9e79fbd6f37

Download Submit
C:\Windows\{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe

Filesize
168KB

MD5
a199c9a44ab1b2227c8708be0417be3f

SHA1
967cd18a3d5ed065ea95c5bc107d255e878bca7c

SHA256
0fb69796b5edb2bc0edf3584500ab6b3716797f0110d9708927de60524686f64

SHA512
96934127571e76c4e24c340cf09cd9391fc606112793cc280f2b099a65a6e104d053fc44fb9d40a76d16e4bd6a52ae133df38f9c34930716bfc02bfb2e3d932a

Download Submit
C:\Windows\{E7A4F88C-F3E3-4086-AF50-570AE66216AE}.exe

Filesize
168KB

MD5
a199c9a44ab1b2227c8708be0417be3f

SHA1
967cd18a3d5ed065ea95c5bc107d255e878bca7c

SHA256
0fb69796b5edb2bc0edf3584500ab6b3716797f0110d9708927de60524686f64

SHA512
96934127571e76c4e24c340cf09cd9391fc606112793cc280f2b099a65a6e104d053fc44fb9d40a76d16e4bd6a52ae133df38f9c34930716bfc02bfb2e3d932a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads