1bd47387160488c804c92bdb866e88bd18acb726d22b32f506992555cac74370

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/08/2023, 15:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2f53b4b78365f5acbb2cc12c3837cfa3_goldeneye_JC.exe
Size

216KB
MD5

2f53b4b78365f5acbb2cc12c3837cfa3
SHA1

a0f3e342c49f4a477c1ea3baa86e69d138ee03d2
SHA256

1bd47387160488c804c92bdb866e88bd18acb726d22b32f506992555cac74370
SHA512

8a8c1768fc50f3c2ce90b39fd410f0aee88e1ec4507655a113058e6310ae5b54471d6a380ef3ab88ecc2ce2532ef4a02a1868c118c81d23250917bcb4d706cd7
SSDEEP

3072:jEGh0oFl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG7lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66C60190-CD75-4375-A97B-D7EBDE06739B}	{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66C60190-CD75-4375-A97B-D7EBDE06739B}\stubpath = "C:\\Windows\\{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe"	{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{142EF391-BA17-4933-BAFA-886CF2D8B1F0}	{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{142EF391-BA17-4933-BAFA-886CF2D8B1F0}\stubpath = "C:\\Windows\\{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe"	{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57F78B40-C9ED-4285-8130-A2BCD117F6FE}	{739E0FA4-29D8-4e90-968F-50493BFBB782}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4174479-A376-43be-8AD9-DEBF1A5B7708}\stubpath = "C:\\Windows\\{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe"	{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}\stubpath = "C:\\Windows\\{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe"	{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}	{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A050647-8305-4b74-A2E5-7036135E5E4D}	{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57F78B40-C9ED-4285-8130-A2BCD117F6FE}\stubpath = "C:\\Windows\\{57F78B40-C9ED-4285-8130-A2BCD117F6FE}.exe"	{739E0FA4-29D8-4e90-968F-50493BFBB782}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4174479-A376-43be-8AD9-DEBF1A5B7708}	{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}\stubpath = "C:\\Windows\\{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe"	{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{739E0FA4-29D8-4e90-968F-50493BFBB782}	{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{739E0FA4-29D8-4e90-968F-50493BFBB782}\stubpath = "C:\\Windows\\{739E0FA4-29D8-4e90-968F-50493BFBB782}.exe"	{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BFD89D1-A202-428e-9ED5-374031CC63E9}\stubpath = "C:\\Windows\\{4BFD89D1-A202-428e-9ED5-374031CC63E9}.exe"	{57F78B40-C9ED-4285-8130-A2BCD117F6FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CA9B5F9-7907-41d9-B82F-9F431E822915}	{4BFD89D1-A202-428e-9ED5-374031CC63E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CA9B5F9-7907-41d9-B82F-9F431E822915}\stubpath = "C:\\Windows\\{3CA9B5F9-7907-41d9-B82F-9F431E822915}.exe"	{4BFD89D1-A202-428e-9ED5-374031CC63E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B42BC535-6686-4b33-AFEF-B8D76B2A9030}	2f53b4b78365f5acbb2cc12c3837cfa3_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B42BC535-6686-4b33-AFEF-B8D76B2A9030}\stubpath = "C:\\Windows\\{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe"	2f53b4b78365f5acbb2cc12c3837cfa3_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}	{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A050647-8305-4b74-A2E5-7036135E5E4D}\stubpath = "C:\\Windows\\{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe"	{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BFD89D1-A202-428e-9ED5-374031CC63E9}	{57F78B40-C9ED-4285-8130-A2BCD117F6FE}.exe

Deletes itself 1 IoCs

pid	Process
2628	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2636	{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe
2920	{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe
2448	{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe
2948	{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe
2764	{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe
2120	{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe
2456	{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe
804	{739E0FA4-29D8-4e90-968F-50493BFBB782}.exe
1484	{57F78B40-C9ED-4285-8130-A2BCD117F6FE}.exe
1684	{4BFD89D1-A202-428e-9ED5-374031CC63E9}.exe
2960	{3CA9B5F9-7907-41d9-B82F-9F431E822915}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe	{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe
File created	C:\Windows\{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe	{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe
File created	C:\Windows\{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe	{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe
File created	C:\Windows\{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe	{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe
File created	C:\Windows\{739E0FA4-29D8-4e90-968F-50493BFBB782}.exe	{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe
File created	C:\Windows\{3CA9B5F9-7907-41d9-B82F-9F431E822915}.exe	{4BFD89D1-A202-428e-9ED5-374031CC63E9}.exe
File created	C:\Windows\{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe	2f53b4b78365f5acbb2cc12c3837cfa3_goldeneye_JC.exe
File created	C:\Windows\{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe	{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe
File created	C:\Windows\{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe	{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe
File created	C:\Windows\{57F78B40-C9ED-4285-8130-A2BCD117F6FE}.exe	{739E0FA4-29D8-4e90-968F-50493BFBB782}.exe
File created	C:\Windows\{4BFD89D1-A202-428e-9ED5-374031CC63E9}.exe	{57F78B40-C9ED-4285-8130-A2BCD117F6FE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1368	2f53b4b78365f5acbb2cc12c3837cfa3_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2636	{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe
Token: SeIncBasePriorityPrivilege	2920	{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe
Token: SeIncBasePriorityPrivilege	2448	{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe
Token: SeIncBasePriorityPrivilege	2948	{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe
Token: SeIncBasePriorityPrivilege	2764	{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe
Token: SeIncBasePriorityPrivilege	2120	{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe
Token: SeIncBasePriorityPrivilege	2456	{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe
Token: SeIncBasePriorityPrivilege	804	{739E0FA4-29D8-4e90-968F-50493BFBB782}.exe
Token: SeIncBasePriorityPrivilege	1484	{57F78B40-C9ED-4285-8130-A2BCD117F6FE}.exe
Token: SeIncBasePriorityPrivilege	1684	{4BFD89D1-A202-428e-9ED5-374031CC63E9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2636	1368	2f53b4b78365f5acbb2cc12c3837cfa3_goldeneye_JC.exe	28
PID 1368 wrote to memory of 2636	1368	2f53b4b78365f5acbb2cc12c3837cfa3_goldeneye_JC.exe	28
PID 1368 wrote to memory of 2636	1368	2f53b4b78365f5acbb2cc12c3837cfa3_goldeneye_JC.exe	28
PID 1368 wrote to memory of 2636	1368	2f53b4b78365f5acbb2cc12c3837cfa3_goldeneye_JC.exe	28
PID 1368 wrote to memory of 2628	1368	2f53b4b78365f5acbb2cc12c3837cfa3_goldeneye_JC.exe	29
PID 1368 wrote to memory of 2628	1368	2f53b4b78365f5acbb2cc12c3837cfa3_goldeneye_JC.exe	29
PID 1368 wrote to memory of 2628	1368	2f53b4b78365f5acbb2cc12c3837cfa3_goldeneye_JC.exe	29
PID 1368 wrote to memory of 2628	1368	2f53b4b78365f5acbb2cc12c3837cfa3_goldeneye_JC.exe	29
PID 2636 wrote to memory of 2920	2636	{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe	32
PID 2636 wrote to memory of 2920	2636	{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe	32
PID 2636 wrote to memory of 2920	2636	{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe	32
PID 2636 wrote to memory of 2920	2636	{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe	32
PID 2636 wrote to memory of 2864	2636	{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe	33
PID 2636 wrote to memory of 2864	2636	{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe	33
PID 2636 wrote to memory of 2864	2636	{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe	33
PID 2636 wrote to memory of 2864	2636	{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe	33
PID 2920 wrote to memory of 2448	2920	{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe	34
PID 2920 wrote to memory of 2448	2920	{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe	34
PID 2920 wrote to memory of 2448	2920	{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe	34
PID 2920 wrote to memory of 2448	2920	{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe	34
PID 2920 wrote to memory of 2060	2920	{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe	35
PID 2920 wrote to memory of 2060	2920	{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe	35
PID 2920 wrote to memory of 2060	2920	{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe	35
PID 2920 wrote to memory of 2060	2920	{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe	35
PID 2448 wrote to memory of 2948	2448	{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe	37
PID 2448 wrote to memory of 2948	2448	{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe	37
PID 2448 wrote to memory of 2948	2448	{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe	37
PID 2448 wrote to memory of 2948	2448	{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe	37
PID 2448 wrote to memory of 2388	2448	{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe	36
PID 2448 wrote to memory of 2388	2448	{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe	36
PID 2448 wrote to memory of 2388	2448	{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe	36
PID 2448 wrote to memory of 2388	2448	{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe	36
PID 2948 wrote to memory of 2764	2948	{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe	38
PID 2948 wrote to memory of 2764	2948	{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe	38
PID 2948 wrote to memory of 2764	2948	{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe	38
PID 2948 wrote to memory of 2764	2948	{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe	38
PID 2948 wrote to memory of 2720	2948	{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe	39
PID 2948 wrote to memory of 2720	2948	{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe	39
PID 2948 wrote to memory of 2720	2948	{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe	39
PID 2948 wrote to memory of 2720	2948	{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe	39
PID 2764 wrote to memory of 2120	2764	{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe	41
PID 2764 wrote to memory of 2120	2764	{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe	41
PID 2764 wrote to memory of 2120	2764	{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe	41
PID 2764 wrote to memory of 2120	2764	{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe	41
PID 2764 wrote to memory of 2296	2764	{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe	40
PID 2764 wrote to memory of 2296	2764	{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe	40
PID 2764 wrote to memory of 2296	2764	{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe	40
PID 2764 wrote to memory of 2296	2764	{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe	40
PID 2120 wrote to memory of 2456	2120	{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe	43
PID 2120 wrote to memory of 2456	2120	{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe	43
PID 2120 wrote to memory of 2456	2120	{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe	43
PID 2120 wrote to memory of 2456	2120	{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe	43
PID 2120 wrote to memory of 2712	2120	{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe	42
PID 2120 wrote to memory of 2712	2120	{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe	42
PID 2120 wrote to memory of 2712	2120	{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe	42
PID 2120 wrote to memory of 2712	2120	{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe	42
PID 2456 wrote to memory of 804	2456	{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe	44
PID 2456 wrote to memory of 804	2456	{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe	44
PID 2456 wrote to memory of 804	2456	{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe	44
PID 2456 wrote to memory of 804	2456	{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe	44
PID 2456 wrote to memory of 1056	2456	{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe	45
PID 2456 wrote to memory of 1056	2456	{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe	45
PID 2456 wrote to memory of 1056	2456	{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe	45
PID 2456 wrote to memory of 1056	2456	{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2f53b4b78365f5acbb2cc12c3837cfa3_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2f53b4b78365f5acbb2cc12c3837cfa3_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe
  C:\Windows\{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe
    C:\Windows\{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe
      C:\Windows\{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{142EF~1.EXE > nul
        5⤵
        
        PID:2388
    - - C:\Windows\{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe
        
        C:\Windows\{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Windows\{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe
        
        C:\Windows\{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C71B2~1.EXE > nul
        7⤵
        
        PID:2296
        
        C:\Windows\{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe
        
        C:\Windows\{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24D6F~1.EXE > nul
        8⤵
        
        PID:2712
        
        C:\Windows\{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe
        
        C:\Windows\{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\{739E0FA4-29D8-4e90-968F-50493BFBB782}.exe
        
        C:\Windows\{739E0FA4-29D8-4e90-968F-50493BFBB782}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{739E0~1.EXE > nul
        10⤵
        
        PID:2692
        
        C:\Windows\{57F78B40-C9ED-4285-8130-A2BCD117F6FE}.exe
        
        C:\Windows\{57F78B40-C9ED-4285-8130-A2BCD117F6FE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\{4BFD89D1-A202-428e-9ED5-374031CC63E9}.exe
        
        C:\Windows\{4BFD89D1-A202-428e-9ED5-374031CC63E9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BFD8~1.EXE > nul
        12⤵
        
        PID:272
        
        C:\Windows\{3CA9B5F9-7907-41d9-B82F-9F431E822915}.exe
        
        C:\Windows\{3CA9B5F9-7907-41d9-B82F-9F431E822915}.exe
        12⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57F78~1.EXE > nul
        11⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A050~1.EXE > nul
        9⤵
        
        PID:1056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4174~1.EXE > nul
        6⤵
        
        PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{66C60~1.EXE > nul
      4⤵
      PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B42BC~1.EXE > nul
    3⤵
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2F53B4~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe

Filesize
216KB

MD5
4c15195af9e7a4c5b19f088fe27373e6

SHA1
0235949f3e9ed0e11ab706e2f106fad040edf185

SHA256
240db74a9a7993697a5b78555f5532740491086a099ddfcdd18c9010ae1fcc28

SHA512
05c43f6250955232669bbd07396aafe68e93fb191e44233bd67d9e7012b31191dd191a2bcbba1ae7b43354de50264888c0c68f445cbe87d0dc6102a279dfab49

Download Submit
C:\Windows\{142EF391-BA17-4933-BAFA-886CF2D8B1F0}.exe

Filesize
216KB

MD5
4c15195af9e7a4c5b19f088fe27373e6

SHA1
0235949f3e9ed0e11ab706e2f106fad040edf185

SHA256
240db74a9a7993697a5b78555f5532740491086a099ddfcdd18c9010ae1fcc28

SHA512
05c43f6250955232669bbd07396aafe68e93fb191e44233bd67d9e7012b31191dd191a2bcbba1ae7b43354de50264888c0c68f445cbe87d0dc6102a279dfab49

Download Submit
C:\Windows\{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe

Filesize
216KB

MD5
73a8d01ca0f1425593820f144fa3db1b

SHA1
7cdf2f70ec367b7f05bc2e3376c2f5e5ff3b790c

SHA256
ea643ee4202682c14be836c0514ba3935653df07ba068f0baa3ebe46fd9016db

SHA512
b0485b6de5c82e9e834b38cac637ee8f9bfb77f54d1465640515e597b4633395fe2ad48a28d950a7c8218be8504443044cda09479c7f6fc491ad81a585d48013

Download Submit
C:\Windows\{24D6FCF6-41D5-4e49-9651-2E8437AEEA61}.exe

Filesize
216KB

MD5
73a8d01ca0f1425593820f144fa3db1b

SHA1
7cdf2f70ec367b7f05bc2e3376c2f5e5ff3b790c

SHA256
ea643ee4202682c14be836c0514ba3935653df07ba068f0baa3ebe46fd9016db

SHA512
b0485b6de5c82e9e834b38cac637ee8f9bfb77f54d1465640515e597b4633395fe2ad48a28d950a7c8218be8504443044cda09479c7f6fc491ad81a585d48013

Download Submit
C:\Windows\{3CA9B5F9-7907-41d9-B82F-9F431E822915}.exe

Filesize
216KB

MD5
5ffd031827d96f2a69e81788281d7e11

SHA1
8ac9591441ff4028832f7cb0b16928a0c76d6b2f

SHA256
e18445f559b763b1780137e3eda64be566ddc89b892919c045d0b72cf66d36d5

SHA512
79e0341c3f483f131d183bd783c48c1e697cb5aea6c4399fd434f94e4a7416c985fdc3d176b9b7a356f149458b1c3495585ebdcde41bab0fa91f3c20452d9c9c

Download Submit
C:\Windows\{4BFD89D1-A202-428e-9ED5-374031CC63E9}.exe

Filesize
216KB

MD5
f43cc767e25d5c74147b61a85f67921f

SHA1
d3d053f105ce0dab74a483e53a8bea25960cf344

SHA256
ef0c655f0752e622dddef5018758ebf9a0aaaf19785a564375ba91b2fb800487

SHA512
091839ea226412f4a27030d5e8c1324d20dc9a2e8975d6c841ba924eb8b328ff644155b5455d992502e3760893265fd38140b9fdfe0e1e022e37e301e0c6f61f

Download Submit
C:\Windows\{4BFD89D1-A202-428e-9ED5-374031CC63E9}.exe

Filesize
216KB

MD5
f43cc767e25d5c74147b61a85f67921f

SHA1
d3d053f105ce0dab74a483e53a8bea25960cf344

SHA256
ef0c655f0752e622dddef5018758ebf9a0aaaf19785a564375ba91b2fb800487

SHA512
091839ea226412f4a27030d5e8c1324d20dc9a2e8975d6c841ba924eb8b328ff644155b5455d992502e3760893265fd38140b9fdfe0e1e022e37e301e0c6f61f

Download Submit
C:\Windows\{57F78B40-C9ED-4285-8130-A2BCD117F6FE}.exe

Filesize
216KB

MD5
d5cd9b957713c7949d1c7cbf88e83881

SHA1
bf0ba82fb75e96347aa2f26fd23fc3d95186e716

SHA256
f9e1dd6a386ec1c9da909f4934bb5ca64508cb9285f2950d5e8ca7a13aab4c9b

SHA512
d8c56eb1652b6d046143b2828b25b167851f6e6719042a911b66e17521eaedce442af69af8d141da5fa658ffad619ca379b31cd687973dfea7869b1b0934971b

Download Submit
C:\Windows\{57F78B40-C9ED-4285-8130-A2BCD117F6FE}.exe

Filesize
216KB

MD5
d5cd9b957713c7949d1c7cbf88e83881

SHA1
bf0ba82fb75e96347aa2f26fd23fc3d95186e716

SHA256
f9e1dd6a386ec1c9da909f4934bb5ca64508cb9285f2950d5e8ca7a13aab4c9b

SHA512
d8c56eb1652b6d046143b2828b25b167851f6e6719042a911b66e17521eaedce442af69af8d141da5fa658ffad619ca379b31cd687973dfea7869b1b0934971b

Download Submit
C:\Windows\{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe

Filesize
216KB

MD5
80051a232a34f75175ad149105a867ce

SHA1
d31ea7b65a6a78a0193b1961e051bb88b558cb7e

SHA256
39f15c53f35eeaf9ff8f023465559533231288e24ca5337bacb474fd193c3247

SHA512
29bcd6dbc62325ed214aada1286db750aa04e66b303cf34d1b1cbc7d79525bb8122986668542d5b5d105eb28bebda45e3f76ec6529e13fc8ea5585d223471f2a

Download Submit
C:\Windows\{66C60190-CD75-4375-A97B-D7EBDE06739B}.exe

Filesize
216KB

MD5
80051a232a34f75175ad149105a867ce

SHA1
d31ea7b65a6a78a0193b1961e051bb88b558cb7e

SHA256
39f15c53f35eeaf9ff8f023465559533231288e24ca5337bacb474fd193c3247

SHA512
29bcd6dbc62325ed214aada1286db750aa04e66b303cf34d1b1cbc7d79525bb8122986668542d5b5d105eb28bebda45e3f76ec6529e13fc8ea5585d223471f2a

Download Submit
C:\Windows\{739E0FA4-29D8-4e90-968F-50493BFBB782}.exe

Filesize
216KB

MD5
6e134430a03b95409160a2123e6ee188

SHA1
982f5842bb6fd75fe9716348a442ec85d662f798

SHA256
62c1aca2251bbf35531cb0e53c1a90ef4842f0449eb1ccbc42013a4f94262773

SHA512
1059ed4ce74315ecc2828f56afb346d05799d14c1cc4b229acbfd3f1f3601551a2d3104435029b25d0b1d88d50989cfa722c5e8e769912eba5fa21195d23e01d

Download Submit
C:\Windows\{739E0FA4-29D8-4e90-968F-50493BFBB782}.exe

Filesize
216KB

MD5
6e134430a03b95409160a2123e6ee188

SHA1
982f5842bb6fd75fe9716348a442ec85d662f798

SHA256
62c1aca2251bbf35531cb0e53c1a90ef4842f0449eb1ccbc42013a4f94262773

SHA512
1059ed4ce74315ecc2828f56afb346d05799d14c1cc4b229acbfd3f1f3601551a2d3104435029b25d0b1d88d50989cfa722c5e8e769912eba5fa21195d23e01d

Download Submit
C:\Windows\{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe

Filesize
216KB

MD5
a8ab7910ffe2d1898cffc4e3b13b2e64

SHA1
c9c88955901215cafd61ee40f1a97d05cb5eb843

SHA256
85f6afdd12cfa18891882107cf6107c033e2f79938857fb3b90b715e2b5504c3

SHA512
35112e4318c73eac7e62d3eec41ecec3bf1431a57f9936d85c04ee1153f2545b8ebc4312bd0ab9f54523019f5717a5d53f3bc93d86c7ffa49ee6c83812051392

Download Submit
C:\Windows\{8A050647-8305-4b74-A2E5-7036135E5E4D}.exe

Filesize
216KB

MD5
a8ab7910ffe2d1898cffc4e3b13b2e64

SHA1
c9c88955901215cafd61ee40f1a97d05cb5eb843

SHA256
85f6afdd12cfa18891882107cf6107c033e2f79938857fb3b90b715e2b5504c3

SHA512
35112e4318c73eac7e62d3eec41ecec3bf1431a57f9936d85c04ee1153f2545b8ebc4312bd0ab9f54523019f5717a5d53f3bc93d86c7ffa49ee6c83812051392

Download Submit
C:\Windows\{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe

Filesize
216KB

MD5
92fd1a7831ad5657e1ea3993f80b2b73

SHA1
84443345063f8ff40588413cdc43acecd1c8b6a6

SHA256
7ce0c807f0b767ff6f844eefd321abb49cd694520551251d914a9d8a8d6847c3

SHA512
391b5ff4c3663f8cb1a9c319a8300222d95240a94e629cfdbc4998b08b3780ae9cdced154fa2e07c433541cd93778e06d335ddcdbfaafa283e15190008b1bd9e

Download Submit
C:\Windows\{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe

Filesize
216KB

MD5
92fd1a7831ad5657e1ea3993f80b2b73

SHA1
84443345063f8ff40588413cdc43acecd1c8b6a6

SHA256
7ce0c807f0b767ff6f844eefd321abb49cd694520551251d914a9d8a8d6847c3

SHA512
391b5ff4c3663f8cb1a9c319a8300222d95240a94e629cfdbc4998b08b3780ae9cdced154fa2e07c433541cd93778e06d335ddcdbfaafa283e15190008b1bd9e

Download Submit
C:\Windows\{B42BC535-6686-4b33-AFEF-B8D76B2A9030}.exe

Filesize
216KB

MD5
92fd1a7831ad5657e1ea3993f80b2b73

SHA1
84443345063f8ff40588413cdc43acecd1c8b6a6

SHA256
7ce0c807f0b767ff6f844eefd321abb49cd694520551251d914a9d8a8d6847c3

SHA512
391b5ff4c3663f8cb1a9c319a8300222d95240a94e629cfdbc4998b08b3780ae9cdced154fa2e07c433541cd93778e06d335ddcdbfaafa283e15190008b1bd9e

Download Submit
C:\Windows\{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe

Filesize
216KB

MD5
cf3857f9b46ddc2736eaf7fde88f1626

SHA1
159f986e81a56c3d0a8ddec3aaed726ea88444d2

SHA256
2c001ccf1d7c7355fffff117551dfcf76ba970baa567ceed379fa506ac720a1b

SHA512
4132aedcfc0b1aa3a1755749ce8b8eb96a68218ade12667f9277339a740e0ea5e8e4b282fd883c2046c8f25641e16659013e9202363ee55e8654f71a658bd007

Download Submit
C:\Windows\{C71B2CE0-6981-4e31-AD9A-C0355E5D79E3}.exe

Filesize
216KB

MD5
cf3857f9b46ddc2736eaf7fde88f1626

SHA1
159f986e81a56c3d0a8ddec3aaed726ea88444d2

SHA256
2c001ccf1d7c7355fffff117551dfcf76ba970baa567ceed379fa506ac720a1b

SHA512
4132aedcfc0b1aa3a1755749ce8b8eb96a68218ade12667f9277339a740e0ea5e8e4b282fd883c2046c8f25641e16659013e9202363ee55e8654f71a658bd007

Download Submit
C:\Windows\{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe

Filesize
216KB

MD5
8d39bce4e8718148cc465acbc99492bb

SHA1
5852160552838c8d4d80e2e1a9ca776862d0d700

SHA256
ac92e930bf699169eb2f85a53cd2b841003a9e6b7df768a8130c2e1fb42d0d1f

SHA512
d2a911d922f560136e42132292ed211464d6a01df54641f317a9b63a2f1610488ac1f52a603440a68068ae629fac70ed26a307b7fb2806447c190e97da60b102

Download Submit
C:\Windows\{E4174479-A376-43be-8AD9-DEBF1A5B7708}.exe

Filesize
216KB

MD5
8d39bce4e8718148cc465acbc99492bb

SHA1
5852160552838c8d4d80e2e1a9ca776862d0d700

SHA256
ac92e930bf699169eb2f85a53cd2b841003a9e6b7df768a8130c2e1fb42d0d1f

SHA512
d2a911d922f560136e42132292ed211464d6a01df54641f317a9b63a2f1610488ac1f52a603440a68068ae629fac70ed26a307b7fb2806447c190e97da60b102

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads