620a8381da401216e9d8e4c1fec37bffcffa8dd0576d7ecee97a52b56a5a04f8

Analysis

max time kernel
151s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2023 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe
Size

408KB
MD5

17842c8951a159c36adafd753a087ab4
SHA1

e49960ac8cbe0338a74e717485bbd6815066d2c7
SHA256

620a8381da401216e9d8e4c1fec37bffcffa8dd0576d7ecee97a52b56a5a04f8
SHA512

ac8346ee01db1cb5326663065f3d083e0e8336a5fbb96ad5db336d111018bab28d2867824c87fba8e51f65148538f9a147a86eadca06b83472faa157349b217e
SSDEEP

3072:CEGh0owl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGGldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}\stubpath = "C:\\Windows\\{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe"	{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5486798-DD8F-477e-9B96-6EA2E7C17089}	{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}\stubpath = "C:\\Windows\\{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}.exe"	{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A623A62E-E1C7-4b94-8FE9-92877314F9EC}	{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23E7C32A-7BA1-4f6a-85B2-F6B3C78DA774}	{A623A62E-E1C7-4b94-8FE9-92877314F9EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}\stubpath = "C:\\Windows\\{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe"	{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}	{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}	{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FED87F9-7C61-49a0-BB4A-3982260E9B65}	{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B689D567-7AFD-4c86-866A-4903DC0F3DF9}\stubpath = "C:\\Windows\\{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe"	{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}	{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23E7C32A-7BA1-4f6a-85B2-F6B3C78DA774}\stubpath = "C:\\Windows\\{23E7C32A-7BA1-4f6a-85B2-F6B3C78DA774}.exe"	{A623A62E-E1C7-4b94-8FE9-92877314F9EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20D114F9-F67F-4f2a-85F0-3A7644338752}	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}	{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}\stubpath = "C:\\Windows\\{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe"	{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B689D567-7AFD-4c86-866A-4903DC0F3DF9}	{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A623A62E-E1C7-4b94-8FE9-92877314F9EC}\stubpath = "C:\\Windows\\{A623A62E-E1C7-4b94-8FE9-92877314F9EC}.exe"	{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20D114F9-F67F-4f2a-85F0-3A7644338752}\stubpath = "C:\\Windows\\{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe"	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}	{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}	{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}\stubpath = "C:\\Windows\\{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe"	{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}\stubpath = "C:\\Windows\\{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe"	{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FED87F9-7C61-49a0-BB4A-3982260E9B65}\stubpath = "C:\\Windows\\{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe"	{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5486798-DD8F-477e-9B96-6EA2E7C17089}\stubpath = "C:\\Windows\\{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe"	{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe

Executes dropped EXE 12 IoCs

pid	Process
1652	{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe
4240	{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe
2548	{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe
1584	{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe
3996	{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe
2396	{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe
3448	{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe
2612	{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe
2412	{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe
3136	{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}.exe
5028	{A623A62E-E1C7-4b94-8FE9-92877314F9EC}.exe
3284	{23E7C32A-7BA1-4f6a-85B2-F6B3C78DA774}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}.exe	{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe
File created	C:\Windows\{A623A62E-E1C7-4b94-8FE9-92877314F9EC}.exe	{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}.exe
File created	C:\Windows\{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe
File created	C:\Windows\{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe	{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe
File created	C:\Windows\{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe	{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe
File created	C:\Windows\{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe	{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe
File created	C:\Windows\{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe	{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe
File created	C:\Windows\{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe	{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe
File created	C:\Windows\{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe	{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe
File created	C:\Windows\{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe	{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe
File created	C:\Windows\{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe	{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe
File created	C:\Windows\{23E7C32A-7BA1-4f6a-85B2-F6B3C78DA774}.exe	{A623A62E-E1C7-4b94-8FE9-92877314F9EC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4724	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1652	{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe
Token: SeIncBasePriorityPrivilege	4240	{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe
Token: SeIncBasePriorityPrivilege	2548	{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe
Token: SeIncBasePriorityPrivilege	1584	{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe
Token: SeIncBasePriorityPrivilege	3996	{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe
Token: SeIncBasePriorityPrivilege	2396	{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe
Token: SeIncBasePriorityPrivilege	3448	{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe
Token: SeIncBasePriorityPrivilege	2612	{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe
Token: SeIncBasePriorityPrivilege	2412	{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe
Token: SeIncBasePriorityPrivilege	3136	{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}.exe
Token: SeIncBasePriorityPrivilege	5028	{A623A62E-E1C7-4b94-8FE9-92877314F9EC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 1652	4724	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe	85
PID 4724 wrote to memory of 1652	4724	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe	85
PID 4724 wrote to memory of 1652	4724	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe	85
PID 4724 wrote to memory of 4036	4724	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe	86
PID 4724 wrote to memory of 4036	4724	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe	86
PID 4724 wrote to memory of 4036	4724	17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe	86
PID 1652 wrote to memory of 4240	1652	{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe	90
PID 1652 wrote to memory of 4240	1652	{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe	90
PID 1652 wrote to memory of 4240	1652	{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe	90
PID 1652 wrote to memory of 4264	1652	{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe	91
PID 1652 wrote to memory of 4264	1652	{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe	91
PID 1652 wrote to memory of 4264	1652	{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe	91
PID 4240 wrote to memory of 2548	4240	{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe	93
PID 4240 wrote to memory of 2548	4240	{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe	93
PID 4240 wrote to memory of 2548	4240	{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe	93
PID 4240 wrote to memory of 4896	4240	{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe	94
PID 4240 wrote to memory of 4896	4240	{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe	94
PID 4240 wrote to memory of 4896	4240	{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe	94
PID 2548 wrote to memory of 1584	2548	{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe	95
PID 2548 wrote to memory of 1584	2548	{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe	95
PID 2548 wrote to memory of 1584	2548	{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe	95
PID 2548 wrote to memory of 3940	2548	{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe	96
PID 2548 wrote to memory of 3940	2548	{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe	96
PID 2548 wrote to memory of 3940	2548	{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe	96
PID 1584 wrote to memory of 3996	1584	{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe	97
PID 1584 wrote to memory of 3996	1584	{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe	97
PID 1584 wrote to memory of 3996	1584	{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe	97
PID 1584 wrote to memory of 1816	1584	{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe	98
PID 1584 wrote to memory of 1816	1584	{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe	98
PID 1584 wrote to memory of 1816	1584	{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe	98
PID 3996 wrote to memory of 2396	3996	{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe	99
PID 3996 wrote to memory of 2396	3996	{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe	99
PID 3996 wrote to memory of 2396	3996	{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe	99
PID 3996 wrote to memory of 1684	3996	{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe	100
PID 3996 wrote to memory of 1684	3996	{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe	100
PID 3996 wrote to memory of 1684	3996	{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe	100
PID 2396 wrote to memory of 3448	2396	{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe	102
PID 2396 wrote to memory of 3448	2396	{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe	102
PID 2396 wrote to memory of 3448	2396	{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe	102
PID 2396 wrote to memory of 4120	2396	{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe	101
PID 2396 wrote to memory of 4120	2396	{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe	101
PID 2396 wrote to memory of 4120	2396	{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe	101
PID 3448 wrote to memory of 2612	3448	{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe	104
PID 3448 wrote to memory of 2612	3448	{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe	104
PID 3448 wrote to memory of 2612	3448	{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe	104
PID 3448 wrote to memory of 1940	3448	{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe	103
PID 3448 wrote to memory of 1940	3448	{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe	103
PID 3448 wrote to memory of 1940	3448	{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe	103
PID 2612 wrote to memory of 2412	2612	{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe	106
PID 2612 wrote to memory of 2412	2612	{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe	106
PID 2612 wrote to memory of 2412	2612	{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe	106
PID 2612 wrote to memory of 5072	2612	{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe	105
PID 2612 wrote to memory of 5072	2612	{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe	105
PID 2612 wrote to memory of 5072	2612	{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe	105
PID 2412 wrote to memory of 3136	2412	{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe	108
PID 2412 wrote to memory of 3136	2412	{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe	108
PID 2412 wrote to memory of 3136	2412	{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe	108
PID 2412 wrote to memory of 4280	2412	{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe	107
PID 2412 wrote to memory of 4280	2412	{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe	107
PID 2412 wrote to memory of 4280	2412	{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe	107
PID 3136 wrote to memory of 5028	3136	{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}.exe	109
PID 3136 wrote to memory of 5028	3136	{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}.exe	109
PID 3136 wrote to memory of 5028	3136	{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}.exe	109
PID 3136 wrote to memory of 1688	3136	{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}.exe	110

C:\Users\Admin\AppData\Local\Temp\17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\17842c8951a159c36adafd753a087ab4_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe
  C:\Windows\{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe
    C:\Windows\{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\Windows\{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe
      C:\Windows\{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe
        
        C:\Windows\{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Windows\{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe
        
        C:\Windows\{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe
        
        C:\Windows\{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FED8~1.EXE > nul
        8⤵
        
        PID:4120
        
        C:\Windows\{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe
        
        C:\Windows\{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5486~1.EXE > nul
        9⤵
        
        PID:1940
        
        C:\Windows\{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe
        
        C:\Windows\{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06B61~1.EXE > nul
        10⤵
        
        PID:5072
        
        C:\Windows\{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe
        
        C:\Windows\{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B689D~1.EXE > nul
        11⤵
        
        PID:4280
        
        C:\Windows\{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}.exe
        
        C:\Windows\{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\{A623A62E-E1C7-4b94-8FE9-92877314F9EC}.exe
        
        C:\Windows\{A623A62E-E1C7-4b94-8FE9-92877314F9EC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Windows\{23E7C32A-7BA1-4f6a-85B2-F6B3C78DA774}.exe
        
        C:\Windows\{23E7C32A-7BA1-4f6a-85B2-F6B3C78DA774}.exe
        13⤵
        Executes dropped EXE
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A623A~1.EXE > nul
        13⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73C5F~1.EXE > nul
        12⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A902~1.EXE > nul
        7⤵
        
        PID:1684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98CF3~1.EXE > nul
        6⤵
        
        PID:1816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84A0C~1.EXE > nul
        5⤵
        
        PID:3940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{653B7~1.EXE > nul
      4⤵
      PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{20D11~1.EXE > nul
    3⤵
    PID:4264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\17842C~1.EXE > nul
  2⤵
  PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe

Filesize
408KB

MD5
9107ff3c3964ac21beef2c1280c8f871

SHA1
fd3a1082b0c3bf151cb9227a83910de140dbaf97

SHA256
70b6c79144e1403790f7e747f2017dc41989959f11fa579d44aa8f7ee38604bb

SHA512
fb1894072887f7c73b002d76802f7d6021d881c946ab80bce2055426642a88ac9f9ed119610f24b346bcaa13ff712d30e7e54046c413def6f8d01ab2ad4e78d8

Download Submit
C:\Windows\{06B615AA-D178-4f69-A71C-BBC25DE2BE9B}.exe

Filesize
408KB

MD5
9107ff3c3964ac21beef2c1280c8f871

SHA1
fd3a1082b0c3bf151cb9227a83910de140dbaf97

SHA256
70b6c79144e1403790f7e747f2017dc41989959f11fa579d44aa8f7ee38604bb

SHA512
fb1894072887f7c73b002d76802f7d6021d881c946ab80bce2055426642a88ac9f9ed119610f24b346bcaa13ff712d30e7e54046c413def6f8d01ab2ad4e78d8

Download Submit
C:\Windows\{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe

Filesize
408KB

MD5
d8c7c98fab0210dd1c125e1b03ea203b

SHA1
04d9e934828145f898081924af3982959a29c1d0

SHA256
321645faee6abe4e882a92b6841a11a10300b3ca2b5324bfc9a767c1f56e8b66

SHA512
3c2ac5b22e13f64e604ba09989e4525462b19cc7ad5875db784f1421f014d517782ab937370d7538b6489b12a0363d04fb1a4d239279001bace3cc5fc08fe2fb

Download Submit
C:\Windows\{20D114F9-F67F-4f2a-85F0-3A7644338752}.exe

Filesize
408KB

MD5
d8c7c98fab0210dd1c125e1b03ea203b

SHA1
04d9e934828145f898081924af3982959a29c1d0

SHA256
321645faee6abe4e882a92b6841a11a10300b3ca2b5324bfc9a767c1f56e8b66

SHA512
3c2ac5b22e13f64e604ba09989e4525462b19cc7ad5875db784f1421f014d517782ab937370d7538b6489b12a0363d04fb1a4d239279001bace3cc5fc08fe2fb

Download Submit
C:\Windows\{23E7C32A-7BA1-4f6a-85B2-F6B3C78DA774}.exe

Filesize
408KB

MD5
eb9d246a22163726c838fe505f3845cd

SHA1
5aca4fa4e417a7cedfbb97af7547cd41893220f8

SHA256
063ae992327fda0d3cce755d62f54425dc1ea2cd4550771d6c255c74a4f45cbb

SHA512
37d476e13198070cc70df3b72dcb8c1d285f2fc6f88530728e8d529d1b40ead692ee1bd43f2fba7ae88958e889e90d6237b9ff6c0cc17cf8d7baccdaf1e9e7f5

Download Submit
C:\Windows\{23E7C32A-7BA1-4f6a-85B2-F6B3C78DA774}.exe

Filesize
408KB

MD5
eb9d246a22163726c838fe505f3845cd

SHA1
5aca4fa4e417a7cedfbb97af7547cd41893220f8

SHA256
063ae992327fda0d3cce755d62f54425dc1ea2cd4550771d6c255c74a4f45cbb

SHA512
37d476e13198070cc70df3b72dcb8c1d285f2fc6f88530728e8d529d1b40ead692ee1bd43f2fba7ae88958e889e90d6237b9ff6c0cc17cf8d7baccdaf1e9e7f5

Download Submit
C:\Windows\{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe

Filesize
408KB

MD5
570e1f80047cf3952eb7149acac7d25e

SHA1
efb7f2bec06c802ec55037c455200f58608030d6

SHA256
8173c1451cf84448ac44bae36380d15f83d88ccc5aca572b8f76a0180c4c2363

SHA512
e01c5fe8b1984953658dceb978dfe009c0b3bc279952b743d5e1da95d19d8a464b3534b1b46ea567d6f9f0e4ef008c04904d328675740af89904c1e3ffb94c24

Download Submit
C:\Windows\{4FED87F9-7C61-49a0-BB4A-3982260E9B65}.exe

Filesize
408KB

MD5
570e1f80047cf3952eb7149acac7d25e

SHA1
efb7f2bec06c802ec55037c455200f58608030d6

SHA256
8173c1451cf84448ac44bae36380d15f83d88ccc5aca572b8f76a0180c4c2363

SHA512
e01c5fe8b1984953658dceb978dfe009c0b3bc279952b743d5e1da95d19d8a464b3534b1b46ea567d6f9f0e4ef008c04904d328675740af89904c1e3ffb94c24

Download Submit
C:\Windows\{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe

Filesize
408KB

MD5
b202eb76a374014163bebbd4291a1ef9

SHA1
79fd2449475c291906bc05ebc459eff15a10c68f

SHA256
e44e9c71c5c0ccfcd0b829b8a826cb861eba7e40cd69d6467c0e8318e4357f72

SHA512
a46c625aa94799c3505a3254607888195d4bdb84e75cff9a820a6c79c643a20bf74cef8f5443c0495b34201747ce97b7abecd214e88db0f5fdf162ef4f890ab2

Download Submit
C:\Windows\{653B7F47-DE94-4bfe-BA78-4E31F3F43BA8}.exe

Filesize
408KB

MD5
b202eb76a374014163bebbd4291a1ef9

SHA1
79fd2449475c291906bc05ebc459eff15a10c68f

SHA256
e44e9c71c5c0ccfcd0b829b8a826cb861eba7e40cd69d6467c0e8318e4357f72

SHA512
a46c625aa94799c3505a3254607888195d4bdb84e75cff9a820a6c79c643a20bf74cef8f5443c0495b34201747ce97b7abecd214e88db0f5fdf162ef4f890ab2

Download Submit
C:\Windows\{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}.exe

Filesize
408KB

MD5
b96aaac273d967f2aaa0314e2921e024

SHA1
05737fa9f43e8b3b9db937a4c4d19a39be5c2450

SHA256
17187452843c60548022ebb107470708ee4f2812c3c00d62b395d86df55d3289

SHA512
ec2c64130999beb0ac401a7644cc8f5518ba099178c3f5290e7c5083cc2a908e0172fbd79390de9549995ba6fc57c7642958ee050acd4c36fa6914c73c326fc5

Download Submit
C:\Windows\{73C5F095-6DFA-4d57-8FB0-5163075E7EB1}.exe

Filesize
408KB

MD5
b96aaac273d967f2aaa0314e2921e024

SHA1
05737fa9f43e8b3b9db937a4c4d19a39be5c2450

SHA256
17187452843c60548022ebb107470708ee4f2812c3c00d62b395d86df55d3289

SHA512
ec2c64130999beb0ac401a7644cc8f5518ba099178c3f5290e7c5083cc2a908e0172fbd79390de9549995ba6fc57c7642958ee050acd4c36fa6914c73c326fc5

Download Submit
C:\Windows\{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe

Filesize
408KB

MD5
f22a20b103aac0f71fefe4b25131ea99

SHA1
9b814e520f6b0c4388c04201aaa4dc730a00260c

SHA256
ee4f308cd4b4b2113618724dda82f1d1f95e511489e8b17b44accd626d962a09

SHA512
e7a3e9079603e0d0ccd212b67337b8934bed07770ab8b2f9c5f0add88b03379c176ca69662922c4d7e6dab4467747caf5a50e1d8a52798f3e16aa3e8c27517a2

Download Submit
C:\Windows\{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe

Filesize
408KB

MD5
f22a20b103aac0f71fefe4b25131ea99

SHA1
9b814e520f6b0c4388c04201aaa4dc730a00260c

SHA256
ee4f308cd4b4b2113618724dda82f1d1f95e511489e8b17b44accd626d962a09

SHA512
e7a3e9079603e0d0ccd212b67337b8934bed07770ab8b2f9c5f0add88b03379c176ca69662922c4d7e6dab4467747caf5a50e1d8a52798f3e16aa3e8c27517a2

Download Submit
C:\Windows\{84A0C72A-FB77-4e89-A6F8-26FBDFD18E15}.exe

Filesize
408KB

MD5
f22a20b103aac0f71fefe4b25131ea99

SHA1
9b814e520f6b0c4388c04201aaa4dc730a00260c

SHA256
ee4f308cd4b4b2113618724dda82f1d1f95e511489e8b17b44accd626d962a09

SHA512
e7a3e9079603e0d0ccd212b67337b8934bed07770ab8b2f9c5f0add88b03379c176ca69662922c4d7e6dab4467747caf5a50e1d8a52798f3e16aa3e8c27517a2

Download Submit
C:\Windows\{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe

Filesize
408KB

MD5
db47e0f19c163d5e031f04bf550b7a02

SHA1
e46e4941e942736597265349bea56255d31d6417

SHA256
79c15d82e412271af9e990b769c9404d0c99dc04089bc62a0aeb856d547153d3

SHA512
6b6dc0644e8f04ff7353622703cfca38fd6538417fc3ca8ebcce6522079f63c1cd0950a2457952047ed6b5bdbbcc83678c8ea7e8ffa2ecf0f18ca22e202167d6

Download Submit
C:\Windows\{8A902E0D-4D42-4a5f-8C65-717F9C91C93F}.exe

Filesize
408KB

MD5
db47e0f19c163d5e031f04bf550b7a02

SHA1
e46e4941e942736597265349bea56255d31d6417

SHA256
79c15d82e412271af9e990b769c9404d0c99dc04089bc62a0aeb856d547153d3

SHA512
6b6dc0644e8f04ff7353622703cfca38fd6538417fc3ca8ebcce6522079f63c1cd0950a2457952047ed6b5bdbbcc83678c8ea7e8ffa2ecf0f18ca22e202167d6

Download Submit
C:\Windows\{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe

Filesize
408KB

MD5
f77262edc5efe88265f340a977ff6032

SHA1
93c79dfda682840f26cb99e39d13d9bd3eb7bba4

SHA256
474d7cf2356d64fb7b058d385da430a0aaf4c612e7e2f508c2bcce37e3e588b8

SHA512
31dc5731023874c856543ba093f526521bf45c5e8d62b11a6ee33a0830273b8c4ba00c5c9eb2085673b395c0b8574a2142d3325cb7db30dc1c8a385c5b4131a7

Download Submit
C:\Windows\{98CF3EDA-BF4C-4cb1-90FC-D1851E3B5DE6}.exe

Filesize
408KB

MD5
f77262edc5efe88265f340a977ff6032

SHA1
93c79dfda682840f26cb99e39d13d9bd3eb7bba4

SHA256
474d7cf2356d64fb7b058d385da430a0aaf4c612e7e2f508c2bcce37e3e588b8

SHA512
31dc5731023874c856543ba093f526521bf45c5e8d62b11a6ee33a0830273b8c4ba00c5c9eb2085673b395c0b8574a2142d3325cb7db30dc1c8a385c5b4131a7

Download Submit
C:\Windows\{A623A62E-E1C7-4b94-8FE9-92877314F9EC}.exe

Filesize
408KB

MD5
5f3a658622d2a845bba5d8e036931973

SHA1
64669f0ac9baab76752a84b00fbde4e01e04aff2

SHA256
629a223ffd3b3f710f8bf4ebee6433208a77588ffe68fc759a2b9ab9fc3c2667

SHA512
f6ebce24cf2c80f1b225e30c96929b518fa8a80431967755bb89ea858562ff229d4b18039fe3c4e6e054270bdcd28abc8b4bb5479f1d48c31dba72538efd4e2e

Download Submit
C:\Windows\{A623A62E-E1C7-4b94-8FE9-92877314F9EC}.exe

Filesize
408KB

MD5
5f3a658622d2a845bba5d8e036931973

SHA1
64669f0ac9baab76752a84b00fbde4e01e04aff2

SHA256
629a223ffd3b3f710f8bf4ebee6433208a77588ffe68fc759a2b9ab9fc3c2667

SHA512
f6ebce24cf2c80f1b225e30c96929b518fa8a80431967755bb89ea858562ff229d4b18039fe3c4e6e054270bdcd28abc8b4bb5479f1d48c31dba72538efd4e2e

Download Submit
C:\Windows\{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe

Filesize
408KB

MD5
b93cc1ae73277222374f97eb8a4ce0e2

SHA1
dfcd0033330b6c6a44bf2dc94341135f99a9bf20

SHA256
b5bb972df06d06373cf30f77d278663d46e8d07739b21da4e85c575075d2531a

SHA512
ade0227fa2cff471c6d65e9550a64cb98f7d3903762710d4d0090474b11caea08bab308fcaa29d0aea259d0e39f03086d1c5858d9869fe4d554bac360eb46777

Download Submit
C:\Windows\{B689D567-7AFD-4c86-866A-4903DC0F3DF9}.exe

Filesize
408KB

MD5
b93cc1ae73277222374f97eb8a4ce0e2

SHA1
dfcd0033330b6c6a44bf2dc94341135f99a9bf20

SHA256
b5bb972df06d06373cf30f77d278663d46e8d07739b21da4e85c575075d2531a

SHA512
ade0227fa2cff471c6d65e9550a64cb98f7d3903762710d4d0090474b11caea08bab308fcaa29d0aea259d0e39f03086d1c5858d9869fe4d554bac360eb46777

Download Submit
C:\Windows\{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe

Filesize
408KB

MD5
1ef0e8f61dc2ad8ca3d0a0a29359488f

SHA1
5b199c0bee455bf01fc6b759fc1e66fedfb14913

SHA256
a116648d4183439736c39577ad93afe17547641a0918becaa5c5e96ceb12d0d9

SHA512
8e623c799fd3db4a7496bb5e776340aba1cce1a631949c126d986e887caac7610dd8003e466d0026f6b13cdae3aebd48f046db8d360b92a9623454df418c0a82

Download Submit
C:\Windows\{C5486798-DD8F-477e-9B96-6EA2E7C17089}.exe

Filesize
408KB

MD5
1ef0e8f61dc2ad8ca3d0a0a29359488f

SHA1
5b199c0bee455bf01fc6b759fc1e66fedfb14913

SHA256
a116648d4183439736c39577ad93afe17547641a0918becaa5c5e96ceb12d0d9

SHA512
8e623c799fd3db4a7496bb5e776340aba1cce1a631949c126d986e887caac7610dd8003e466d0026f6b13cdae3aebd48f046db8d360b92a9623454df418c0a82

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads