014080ec0aa8b9776f7e8b0f5e4caa9e984aa02b4c730e38954686458bbdde6b

Analysis

max time kernel
176s
max time network
140s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17-08-2023 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe
Size

216KB
MD5

205d912b9f32d457b53dd36243cd1f40
SHA1

fbfff73d4a6de5a0b942f811e7b133ea7f2cd765
SHA256

014080ec0aa8b9776f7e8b0f5e4caa9e984aa02b4c730e38954686458bbdde6b
SHA512

6e28870cdc37e584bb7ef57242c90ed0cebb1df3f05ad18e50101436fcf658fab9786a47b7c22c3e05a538d2d99461ea63dc152560bcc22f0349084a3ee69abd
SSDEEP

3072:jEGh0ohl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGblEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA674676-AB38-41cb-A557-A209C2C4BD14}	{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}	{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}	{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F13AE097-F7BA-49d9-8708-64291FB75B4D}\stubpath = "C:\\Windows\\{F13AE097-F7BA-49d9-8708-64291FB75B4D}.exe"	{D11899A9-FAA0-4831-B730-9F7F430EB149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F959B46-FB81-4efa-AFB4-5A1ADAD846FD}	{59A2E852-3032-4102-97DB-A9F8FFFE79EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58269CD3-2538-44b0-9499-18A4F8E8760E}	{F13AE097-F7BA-49d9-8708-64291FB75B4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F959B46-FB81-4efa-AFB4-5A1ADAD846FD}\stubpath = "C:\\Windows\\{7F959B46-FB81-4efa-AFB4-5A1ADAD846FD}.exe"	{59A2E852-3032-4102-97DB-A9F8FFFE79EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}\stubpath = "C:\\Windows\\{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe"	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}\stubpath = "C:\\Windows\\{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe"	{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}\stubpath = "C:\\Windows\\{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe"	{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}\stubpath = "C:\\Windows\\{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe"	{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D11899A9-FAA0-4831-B730-9F7F430EB149}	{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D11899A9-FAA0-4831-B730-9F7F430EB149}\stubpath = "C:\\Windows\\{D11899A9-FAA0-4831-B730-9F7F430EB149}.exe"	{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59A2E852-3032-4102-97DB-A9F8FFFE79EF}\stubpath = "C:\\Windows\\{59A2E852-3032-4102-97DB-A9F8FFFE79EF}.exe"	{58269CD3-2538-44b0-9499-18A4F8E8760E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA674676-AB38-41cb-A557-A209C2C4BD14}\stubpath = "C:\\Windows\\{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe"	{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12A6768D-9500-493b-BA04-F3D553A1B9BF}	{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}\stubpath = "C:\\Windows\\{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe"	{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}	{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58269CD3-2538-44b0-9499-18A4F8E8760E}\stubpath = "C:\\Windows\\{58269CD3-2538-44b0-9499-18A4F8E8760E}.exe"	{F13AE097-F7BA-49d9-8708-64291FB75B4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12A6768D-9500-493b-BA04-F3D553A1B9BF}\stubpath = "C:\\Windows\\{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe"	{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}	{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F13AE097-F7BA-49d9-8708-64291FB75B4D}	{D11899A9-FAA0-4831-B730-9F7F430EB149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59A2E852-3032-4102-97DB-A9F8FFFE79EF}	{58269CD3-2538-44b0-9499-18A4F8E8760E}.exe

Deletes itself 1 IoCs

pid	Process
2520	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2960	{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe
2736	{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe
2708	{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe
2348	{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe
524	{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe
2696	{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe
1508	{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe
3056	{D11899A9-FAA0-4831-B730-9F7F430EB149}.exe
2544	{F13AE097-F7BA-49d9-8708-64291FB75B4D}.exe
1864	{58269CD3-2538-44b0-9499-18A4F8E8760E}.exe
2012	{59A2E852-3032-4102-97DB-A9F8FFFE79EF}.exe
1496	{7F959B46-FB81-4efa-AFB4-5A1ADAD846FD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe	{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe
File created	C:\Windows\{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe	{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe
File created	C:\Windows\{F13AE097-F7BA-49d9-8708-64291FB75B4D}.exe	{D11899A9-FAA0-4831-B730-9F7F430EB149}.exe
File created	C:\Windows\{7F959B46-FB81-4efa-AFB4-5A1ADAD846FD}.exe	{59A2E852-3032-4102-97DB-A9F8FFFE79EF}.exe
File created	C:\Windows\{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe	{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe
File created	C:\Windows\{D11899A9-FAA0-4831-B730-9F7F430EB149}.exe	{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe
File created	C:\Windows\{58269CD3-2538-44b0-9499-18A4F8E8760E}.exe	{F13AE097-F7BA-49d9-8708-64291FB75B4D}.exe
File created	C:\Windows\{59A2E852-3032-4102-97DB-A9F8FFFE79EF}.exe	{58269CD3-2538-44b0-9499-18A4F8E8760E}.exe
File created	C:\Windows\{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe
File created	C:\Windows\{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe	{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe
File created	C:\Windows\{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe	{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe
File created	C:\Windows\{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe	{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2836	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2960	{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe
Token: SeIncBasePriorityPrivilege	2736	{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe
Token: SeIncBasePriorityPrivilege	2708	{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe
Token: SeIncBasePriorityPrivilege	2348	{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe
Token: SeIncBasePriorityPrivilege	524	{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe
Token: SeIncBasePriorityPrivilege	2696	{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe
Token: SeIncBasePriorityPrivilege	1508	{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe
Token: SeIncBasePriorityPrivilege	3056	{D11899A9-FAA0-4831-B730-9F7F430EB149}.exe
Token: SeIncBasePriorityPrivilege	2544	{F13AE097-F7BA-49d9-8708-64291FB75B4D}.exe
Token: SeIncBasePriorityPrivilege	1864	{58269CD3-2538-44b0-9499-18A4F8E8760E}.exe
Token: SeIncBasePriorityPrivilege	2012	{59A2E852-3032-4102-97DB-A9F8FFFE79EF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2960	2836	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe	29
PID 2836 wrote to memory of 2960	2836	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe	29
PID 2836 wrote to memory of 2960	2836	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe	29
PID 2836 wrote to memory of 2960	2836	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe	29
PID 2836 wrote to memory of 2520	2836	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe	30
PID 2836 wrote to memory of 2520	2836	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe	30
PID 2836 wrote to memory of 2520	2836	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe	30
PID 2836 wrote to memory of 2520	2836	205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe	30
PID 2960 wrote to memory of 2736	2960	{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe	31
PID 2960 wrote to memory of 2736	2960	{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe	31
PID 2960 wrote to memory of 2736	2960	{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe	31
PID 2960 wrote to memory of 2736	2960	{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe	31
PID 2960 wrote to memory of 2824	2960	{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe	32
PID 2960 wrote to memory of 2824	2960	{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe	32
PID 2960 wrote to memory of 2824	2960	{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe	32
PID 2960 wrote to memory of 2824	2960	{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe	32
PID 2736 wrote to memory of 2708	2736	{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe	33
PID 2736 wrote to memory of 2708	2736	{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe	33
PID 2736 wrote to memory of 2708	2736	{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe	33
PID 2736 wrote to memory of 2708	2736	{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe	33
PID 2736 wrote to memory of 2776	2736	{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe	34
PID 2736 wrote to memory of 2776	2736	{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe	34
PID 2736 wrote to memory of 2776	2736	{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe	34
PID 2736 wrote to memory of 2776	2736	{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe	34
PID 2708 wrote to memory of 2348	2708	{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe	35
PID 2708 wrote to memory of 2348	2708	{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe	35
PID 2708 wrote to memory of 2348	2708	{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe	35
PID 2708 wrote to memory of 2348	2708	{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe	35
PID 2708 wrote to memory of 280	2708	{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe	36
PID 2708 wrote to memory of 280	2708	{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe	36
PID 2708 wrote to memory of 280	2708	{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe	36
PID 2708 wrote to memory of 280	2708	{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe	36
PID 2348 wrote to memory of 524	2348	{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe	37
PID 2348 wrote to memory of 524	2348	{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe	37
PID 2348 wrote to memory of 524	2348	{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe	37
PID 2348 wrote to memory of 524	2348	{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe	37
PID 2348 wrote to memory of 472	2348	{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe	38
PID 2348 wrote to memory of 472	2348	{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe	38
PID 2348 wrote to memory of 472	2348	{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe	38
PID 2348 wrote to memory of 472	2348	{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe	38
PID 524 wrote to memory of 2696	524	{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe	39
PID 524 wrote to memory of 2696	524	{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe	39
PID 524 wrote to memory of 2696	524	{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe	39
PID 524 wrote to memory of 2696	524	{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe	39
PID 524 wrote to memory of 2016	524	{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe	40
PID 524 wrote to memory of 2016	524	{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe	40
PID 524 wrote to memory of 2016	524	{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe	40
PID 524 wrote to memory of 2016	524	{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe	40
PID 2696 wrote to memory of 1508	2696	{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe	41
PID 2696 wrote to memory of 1508	2696	{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe	41
PID 2696 wrote to memory of 1508	2696	{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe	41
PID 2696 wrote to memory of 1508	2696	{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe	41
PID 2696 wrote to memory of 340	2696	{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe	42
PID 2696 wrote to memory of 340	2696	{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe	42
PID 2696 wrote to memory of 340	2696	{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe	42
PID 2696 wrote to memory of 340	2696	{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe	42
PID 1508 wrote to memory of 3056	1508	{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe	43
PID 1508 wrote to memory of 3056	1508	{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe	43
PID 1508 wrote to memory of 3056	1508	{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe	43
PID 1508 wrote to memory of 3056	1508	{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe	43
PID 1508 wrote to memory of 2372	1508	{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe	44
PID 1508 wrote to memory of 2372	1508	{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe	44
PID 1508 wrote to memory of 2372	1508	{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe	44
PID 1508 wrote to memory of 2372	1508	{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe	44

C:\Users\Admin\AppData\Local\Temp\205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\205d912b9f32d457b53dd36243cd1f40_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe
  C:\Windows\{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe
    C:\Windows\{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe
      C:\Windows\{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe
        
        C:\Windows\{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
      - C:\Windows\{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe
        
        C:\Windows\{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe
        
        C:\Windows\{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe
        
        C:\Windows\{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\{D11899A9-FAA0-4831-B730-9F7F430EB149}.exe
        
        C:\Windows\{D11899A9-FAA0-4831-B730-9F7F430EB149}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\{F13AE097-F7BA-49d9-8708-64291FB75B4D}.exe
        
        C:\Windows\{F13AE097-F7BA-49d9-8708-64291FB75B4D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\{58269CD3-2538-44b0-9499-18A4F8E8760E}.exe
        
        C:\Windows\{58269CD3-2538-44b0-9499-18A4F8E8760E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\{59A2E852-3032-4102-97DB-A9F8FFFE79EF}.exe
        
        C:\Windows\{59A2E852-3032-4102-97DB-A9F8FFFE79EF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\{7F959B46-FB81-4efa-AFB4-5A1ADAD846FD}.exe
        
        C:\Windows\{7F959B46-FB81-4efa-AFB4-5A1ADAD846FD}.exe
        13⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59A2E~1.EXE > nul
        13⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58269~1.EXE > nul
        12⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F13AE~1.EXE > nul
        11⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1189~1.EXE > nul
        10⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67679~1.EXE > nul
        9⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D6BD~1.EXE > nul
        8⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B5E6~1.EXE > nul
        7⤵
        
        PID:2016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BCA8~1.EXE > nul
        6⤵
        
        PID:472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12A67~1.EXE > nul
        5⤵
        
        PID:280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AA674~1.EXE > nul
      4⤵
      PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4DBC4~1.EXE > nul
    3⤵
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\205D91~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe

Filesize
216KB

MD5
2e331d106a9418a6dbf2956c85be7197

SHA1
2307444cb19a5604cd95470a49977380f70f08d5

SHA256
2671494e81342b451708ae04022e7004312beb279605ced217685be21a8afbe7

SHA512
43a95e1517e27a8004becaea4d770de5c7f8aa9f5c7b03fe35cd8e7fded756ce545c7f861317760a2879dae00e39003a299ad30004193ba8f74c33c6c1fc0fad

Download Submit
C:\Windows\{0BCA89A0-5BEA-47e1-818F-62A5F33DB5A2}.exe

Filesize
216KB

MD5
2e331d106a9418a6dbf2956c85be7197

SHA1
2307444cb19a5604cd95470a49977380f70f08d5

SHA256
2671494e81342b451708ae04022e7004312beb279605ced217685be21a8afbe7

SHA512
43a95e1517e27a8004becaea4d770de5c7f8aa9f5c7b03fe35cd8e7fded756ce545c7f861317760a2879dae00e39003a299ad30004193ba8f74c33c6c1fc0fad

Download Submit
C:\Windows\{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe

Filesize
216KB

MD5
21dd4077663acc23889e512b89777576

SHA1
daadc65a49034edf5e5d66fb01984acd77b601e1

SHA256
23d6b0d8ffc6b8fdb6c47c2cf88d96e7438d88d057b5b368c21e72e004ca15f2

SHA512
22e05f5c99df2cdb456a31b53cf3650af939ee15cbaae206852191926860ebed165f3d6a315545a34ffa7a330cf69c86614f9d979915198e95b12f098978bd3a

Download Submit
C:\Windows\{12A6768D-9500-493b-BA04-F3D553A1B9BF}.exe

Filesize
216KB

MD5
21dd4077663acc23889e512b89777576

SHA1
daadc65a49034edf5e5d66fb01984acd77b601e1

SHA256
23d6b0d8ffc6b8fdb6c47c2cf88d96e7438d88d057b5b368c21e72e004ca15f2

SHA512
22e05f5c99df2cdb456a31b53cf3650af939ee15cbaae206852191926860ebed165f3d6a315545a34ffa7a330cf69c86614f9d979915198e95b12f098978bd3a

Download Submit
C:\Windows\{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe

Filesize
216KB

MD5
6429df6db479c6db0ca97bad1e440870

SHA1
0f7c820c9898372fd1041d4c4331baf3ae6075a7

SHA256
5e8aba450b09c25f042dacfe37e7ecf66a6ea1347bf1839e7d7f97460aebe57c

SHA512
765d0850d6eeb378b58a449101801913edece29389c2a027e556ec0b6c1adf78386680f1eb94495339bc43d4e3adfe6ad33391beebe2c2f8e5dfab9d327b36a8

Download Submit
C:\Windows\{1D6BD2D8-739A-48fa-A10E-5D1B78D54B79}.exe

Filesize
216KB

MD5
6429df6db479c6db0ca97bad1e440870

SHA1
0f7c820c9898372fd1041d4c4331baf3ae6075a7

SHA256
5e8aba450b09c25f042dacfe37e7ecf66a6ea1347bf1839e7d7f97460aebe57c

SHA512
765d0850d6eeb378b58a449101801913edece29389c2a027e556ec0b6c1adf78386680f1eb94495339bc43d4e3adfe6ad33391beebe2c2f8e5dfab9d327b36a8

Download Submit
C:\Windows\{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe

Filesize
216KB

MD5
79f1eb7ee4f69ae407dbd25d6216340c

SHA1
72f7e525c95f380a616cf3a371fe86ee0afef7e7

SHA256
3ec26691889b92be531716fba46c43fedccaaec128d3da0b88af112971ee5f16

SHA512
81d0cf3112407fced436d0271d754d6079409137942dcc7b7567e204964546cb512540f76052b1d734d3a3a66f1076fb8ce72a5354b49faaba2f66f2c260f879

Download Submit
C:\Windows\{2B5E6FC7-20CC-4bce-A8C9-7BE36D2CF916}.exe

Filesize
216KB

MD5
79f1eb7ee4f69ae407dbd25d6216340c

SHA1
72f7e525c95f380a616cf3a371fe86ee0afef7e7

SHA256
3ec26691889b92be531716fba46c43fedccaaec128d3da0b88af112971ee5f16

SHA512
81d0cf3112407fced436d0271d754d6079409137942dcc7b7567e204964546cb512540f76052b1d734d3a3a66f1076fb8ce72a5354b49faaba2f66f2c260f879

Download Submit
C:\Windows\{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe

Filesize
216KB

MD5
fd44d251c08e937183faaafe17c900b1

SHA1
2057e91786879fcb54902affdf4e76eda57e6433

SHA256
a74d8e231918104c9079fc3a69acdd0b9dc37b533e62389b64aa30e0333f879f

SHA512
f9c905e0b8b84056fefd116f8dc819486739fb655847d8545d00a4773363fa8572509ad2246c58eab60e1bb8836c76f5878924584618888592ef46eeeedc9e6e

Download Submit
C:\Windows\{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe

Filesize
216KB

MD5
fd44d251c08e937183faaafe17c900b1

SHA1
2057e91786879fcb54902affdf4e76eda57e6433

SHA256
a74d8e231918104c9079fc3a69acdd0b9dc37b533e62389b64aa30e0333f879f

SHA512
f9c905e0b8b84056fefd116f8dc819486739fb655847d8545d00a4773363fa8572509ad2246c58eab60e1bb8836c76f5878924584618888592ef46eeeedc9e6e

Download Submit
C:\Windows\{4DBC412F-8EE2-4a37-BB4A-48CA890EED89}.exe

Filesize
216KB

MD5
fd44d251c08e937183faaafe17c900b1

SHA1
2057e91786879fcb54902affdf4e76eda57e6433

SHA256
a74d8e231918104c9079fc3a69acdd0b9dc37b533e62389b64aa30e0333f879f

SHA512
f9c905e0b8b84056fefd116f8dc819486739fb655847d8545d00a4773363fa8572509ad2246c58eab60e1bb8836c76f5878924584618888592ef46eeeedc9e6e

Download Submit
C:\Windows\{58269CD3-2538-44b0-9499-18A4F8E8760E}.exe

Filesize
216KB

MD5
cb5df8abe1bd680d1122f8134e22a97e

SHA1
5d5cc15cdff19e023709155c632cc63ed2a0c81c

SHA256
4d41414f4869ea4899909a7f757534525ff7ab3f56f1e4cc8df044ea47d2043d

SHA512
0074ae1749d826f8e0a549c5694fe8288c7d1856db20f07ee47bea9516d68903df1165fa657ee423fd15a4cf9cf88d0d70a5a929ca6855d459399a895fbe3589

Download Submit
C:\Windows\{58269CD3-2538-44b0-9499-18A4F8E8760E}.exe

Filesize
216KB

MD5
cb5df8abe1bd680d1122f8134e22a97e

SHA1
5d5cc15cdff19e023709155c632cc63ed2a0c81c

SHA256
4d41414f4869ea4899909a7f757534525ff7ab3f56f1e4cc8df044ea47d2043d

SHA512
0074ae1749d826f8e0a549c5694fe8288c7d1856db20f07ee47bea9516d68903df1165fa657ee423fd15a4cf9cf88d0d70a5a929ca6855d459399a895fbe3589

Download Submit
C:\Windows\{59A2E852-3032-4102-97DB-A9F8FFFE79EF}.exe

Filesize
216KB

MD5
d351ad5d5a075e39d7dd3b6c5c3c6b7e

SHA1
38f9b692ef4c47fa9f15a79d7bdac29bb398992d

SHA256
05f1d2fbd75d97e97bdefc4a0c7e16985a694c0a374d2b667bdaf287ff4273bb

SHA512
0200e54231d261b7b19e5587c32c4e753d835cb56b92c27641ef16b5c8a24910f7f7c4e113de642ebddc5fab08f6f23bc2afb65ca787d6262a22f25376506c06

Download Submit
C:\Windows\{59A2E852-3032-4102-97DB-A9F8FFFE79EF}.exe

Filesize
216KB

MD5
d351ad5d5a075e39d7dd3b6c5c3c6b7e

SHA1
38f9b692ef4c47fa9f15a79d7bdac29bb398992d

SHA256
05f1d2fbd75d97e97bdefc4a0c7e16985a694c0a374d2b667bdaf287ff4273bb

SHA512
0200e54231d261b7b19e5587c32c4e753d835cb56b92c27641ef16b5c8a24910f7f7c4e113de642ebddc5fab08f6f23bc2afb65ca787d6262a22f25376506c06

Download Submit
C:\Windows\{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe

Filesize
216KB

MD5
9817ee3ebf46ed52b8b91441efdd91fb

SHA1
ea6c79088b369cdcf32ed91733051268a3f62ba2

SHA256
afa147687e7252569b1bf9fea1a65f3022fdf4592cbd87f1b29217242e8ebe4e

SHA512
fcbd240951d0171d49ec2ee2ee05049e92c977c523621023ce1fd1914f733ee234c24b2550b2f66e65e2a989d498815d3c7fbba77fbb1a88301bd3986daaec12

Download Submit
C:\Windows\{67679CF8-7D43-47d7-B2AF-42AAD70C14F4}.exe

Filesize
216KB

MD5
9817ee3ebf46ed52b8b91441efdd91fb

SHA1
ea6c79088b369cdcf32ed91733051268a3f62ba2

SHA256
afa147687e7252569b1bf9fea1a65f3022fdf4592cbd87f1b29217242e8ebe4e

SHA512
fcbd240951d0171d49ec2ee2ee05049e92c977c523621023ce1fd1914f733ee234c24b2550b2f66e65e2a989d498815d3c7fbba77fbb1a88301bd3986daaec12

Download Submit
C:\Windows\{7F959B46-FB81-4efa-AFB4-5A1ADAD846FD}.exe

Filesize
216KB

MD5
16fe07d7eee7eddcd84caadcfe115049

SHA1
123276f04a0976ad1f209cc421d1bbc3211b64ad

SHA256
a8a137b34356a54e87a0e106e147187f33caacce0b41a0c38d7063439e1dbff0

SHA512
5d86da4169ed1882dc25a648dd22b3c7b90df2b15cda38ea87cddd592400d6aeba5d6dbc6d30c4210725aca427b1f2fd19a519df8726163498c8f183c4e9bdcd

Download Submit
C:\Windows\{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe

Filesize
216KB

MD5
c7446ce97dc464d25c3b5d1743e690c2

SHA1
55febd2501bbee768a0707bc3954758f01c78ccf

SHA256
3a8277f64a03e3fb620957634527d06eb59c75d1d8f4f41568b3c51dd1814126

SHA512
fb74770d6b01afa769926482eb40c260f362768c1794895e9941ba26e5033df7cfd50a2c8a50d75c3fefe6bf7d3b96dff9351a1be0ff038f363604e5e2778b7a

Download Submit
C:\Windows\{AA674676-AB38-41cb-A557-A209C2C4BD14}.exe

Filesize
216KB

MD5
c7446ce97dc464d25c3b5d1743e690c2

SHA1
55febd2501bbee768a0707bc3954758f01c78ccf

SHA256
3a8277f64a03e3fb620957634527d06eb59c75d1d8f4f41568b3c51dd1814126

SHA512
fb74770d6b01afa769926482eb40c260f362768c1794895e9941ba26e5033df7cfd50a2c8a50d75c3fefe6bf7d3b96dff9351a1be0ff038f363604e5e2778b7a

Download Submit
C:\Windows\{D11899A9-FAA0-4831-B730-9F7F430EB149}.exe

Filesize
216KB

MD5
264db810321846b206ba2d41d8283fa7

SHA1
6e9057885bb1e0a6578d9f92cf586e62708bfd63

SHA256
e1fa38312040f6011cd7f072a9b57939bcd61552a1d35a4c6d5c1e6039d5f0be

SHA512
84e269df09b028ce5e74feb3dfe4fb93acad3625f561a50cbb7241a671af3e9a3735132a9e082144460d25efbcc36c19866d3a7040522fb54bf56d1795640f50

Download Submit
C:\Windows\{D11899A9-FAA0-4831-B730-9F7F430EB149}.exe

Filesize
216KB

MD5
264db810321846b206ba2d41d8283fa7

SHA1
6e9057885bb1e0a6578d9f92cf586e62708bfd63

SHA256
e1fa38312040f6011cd7f072a9b57939bcd61552a1d35a4c6d5c1e6039d5f0be

SHA512
84e269df09b028ce5e74feb3dfe4fb93acad3625f561a50cbb7241a671af3e9a3735132a9e082144460d25efbcc36c19866d3a7040522fb54bf56d1795640f50

Download Submit
C:\Windows\{F13AE097-F7BA-49d9-8708-64291FB75B4D}.exe

Filesize
216KB

MD5
1018b50f9491fc016ac483d0a971d6fe

SHA1
a00e3336dbe70a7d7214d1e83ba8e063ec8e8265

SHA256
6171adc10101bc0082149028d516475727eaf4e49573efce093b9dc0fe54d487

SHA512
efeeed465f1a5e5837e6c4bb6577787b90fdc4ee2bca98e8825de78688f68a0156eb3bc0fcbb084f55886084cc1941694a9def8e49eec372c55494a013b35b62

Download Submit
C:\Windows\{F13AE097-F7BA-49d9-8708-64291FB75B4D}.exe

Filesize
216KB

MD5
1018b50f9491fc016ac483d0a971d6fe

SHA1
a00e3336dbe70a7d7214d1e83ba8e063ec8e8265

SHA256
6171adc10101bc0082149028d516475727eaf4e49573efce093b9dc0fe54d487

SHA512
efeeed465f1a5e5837e6c4bb6577787b90fdc4ee2bca98e8825de78688f68a0156eb3bc0fcbb084f55886084cc1941694a9def8e49eec372c55494a013b35b62

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads