aace4ca0ebe96527fbb6960ee5ecc599788fa2787caedd124178b4c620894020

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2023, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39fe53a8fd5a24185de6f3d1cd889578_goldeneye_JC.exe
Size

168KB
MD5

39fe53a8fd5a24185de6f3d1cd889578
SHA1

8a79a186061690f75589ad9b922f6c51fe9c4cfc
SHA256

aace4ca0ebe96527fbb6960ee5ecc599788fa2787caedd124178b4c620894020
SHA512

0f7d6351ed63711b0c17e89d1ced8d5e46f9e0e7a99f7d63b5b58d0d045564431fa77c91564c32de90d12df95c9d30cc01d4c55c4ce6df415cb1aaaf64bd2e41
SSDEEP

1536:1EGh0owlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0owlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}	39fe53a8fd5a24185de6f3d1cd889578_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9BF29FD-72E0-4063-9620-20C129EBB0EF}	{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9BF29FD-72E0-4063-9620-20C129EBB0EF}\stubpath = "C:\\Windows\\{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe"	{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6C53692-35BF-4e40-9960-B4F167C25622}	{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}	{E6C53692-35BF-4e40-9960-B4F167C25622}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}	{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB559776-4480-4a85-ADC2-0EF5B8D99B74}	{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8010FF8E-D5FC-47ea-876E-1D0395A09A43}\stubpath = "C:\\Windows\\{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe"	{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}\stubpath = "C:\\Windows\\{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe"	{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6C53692-35BF-4e40-9960-B4F167C25622}\stubpath = "C:\\Windows\\{E6C53692-35BF-4e40-9960-B4F167C25622}.exe"	{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2972E96E-1642-4231-AA16-5A6369EF9664}\stubpath = "C:\\Windows\\{2972E96E-1642-4231-AA16-5A6369EF9664}.exe"	{DB559776-4480-4a85-ADC2-0EF5B8D99B74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4358AE3-BE50-4438-98D8-7654E266DA43}	{2972E96E-1642-4231-AA16-5A6369EF9664}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8010FF8E-D5FC-47ea-876E-1D0395A09A43}	{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}	{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}\stubpath = "C:\\Windows\\{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe"	{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DED43813-AA0B-424a-9F72-309FB2C096DA}	{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DED43813-AA0B-424a-9F72-309FB2C096DA}\stubpath = "C:\\Windows\\{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe"	{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}\stubpath = "C:\\Windows\\{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe"	{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2972E96E-1642-4231-AA16-5A6369EF9664}	{DB559776-4480-4a85-ADC2-0EF5B8D99B74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4358AE3-BE50-4438-98D8-7654E266DA43}\stubpath = "C:\\Windows\\{F4358AE3-BE50-4438-98D8-7654E266DA43}.exe"	{2972E96E-1642-4231-AA16-5A6369EF9664}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}\stubpath = "C:\\Windows\\{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe"	39fe53a8fd5a24185de6f3d1cd889578_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}	{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}\stubpath = "C:\\Windows\\{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe"	{E6C53692-35BF-4e40-9960-B4F167C25622}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB559776-4480-4a85-ADC2-0EF5B8D99B74}\stubpath = "C:\\Windows\\{DB559776-4480-4a85-ADC2-0EF5B8D99B74}.exe"	{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4112	{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe
3024	{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe
4900	{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe
912	{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe
4468	{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe
5048	{E6C53692-35BF-4e40-9960-B4F167C25622}.exe
3824	{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe
728	{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe
4320	{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe
1308	{DB559776-4480-4a85-ADC2-0EF5B8D99B74}.exe
2436	{2972E96E-1642-4231-AA16-5A6369EF9664}.exe
4080	{F4358AE3-BE50-4438-98D8-7654E266DA43}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DB559776-4480-4a85-ADC2-0EF5B8D99B74}.exe	{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe
File created	C:\Windows\{2972E96E-1642-4231-AA16-5A6369EF9664}.exe	{DB559776-4480-4a85-ADC2-0EF5B8D99B74}.exe
File created	C:\Windows\{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe	39fe53a8fd5a24185de6f3d1cd889578_goldeneye_JC.exe
File created	C:\Windows\{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe	{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe
File created	C:\Windows\{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe	{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe
File created	C:\Windows\{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe	{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe
File created	C:\Windows\{E6C53692-35BF-4e40-9960-B4F167C25622}.exe	{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe
File created	C:\Windows\{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe	{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe
File created	C:\Windows\{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe	{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe
File created	C:\Windows\{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe	{E6C53692-35BF-4e40-9960-B4F167C25622}.exe
File created	C:\Windows\{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe	{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe
File created	C:\Windows\{F4358AE3-BE50-4438-98D8-7654E266DA43}.exe	{2972E96E-1642-4231-AA16-5A6369EF9664}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2044	39fe53a8fd5a24185de6f3d1cd889578_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4112	{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe
Token: SeIncBasePriorityPrivilege	3024	{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe
Token: SeIncBasePriorityPrivilege	4900	{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe
Token: SeIncBasePriorityPrivilege	912	{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe
Token: SeIncBasePriorityPrivilege	4468	{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe
Token: SeIncBasePriorityPrivilege	5048	{E6C53692-35BF-4e40-9960-B4F167C25622}.exe
Token: SeIncBasePriorityPrivilege	3824	{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe
Token: SeIncBasePriorityPrivilege	728	{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe
Token: SeIncBasePriorityPrivilege	4320	{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe
Token: SeIncBasePriorityPrivilege	1308	{DB559776-4480-4a85-ADC2-0EF5B8D99B74}.exe
Token: SeIncBasePriorityPrivilege	2436	{2972E96E-1642-4231-AA16-5A6369EF9664}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 4112	2044	39fe53a8fd5a24185de6f3d1cd889578_goldeneye_JC.exe	90
PID 2044 wrote to memory of 4112	2044	39fe53a8fd5a24185de6f3d1cd889578_goldeneye_JC.exe	90
PID 2044 wrote to memory of 4112	2044	39fe53a8fd5a24185de6f3d1cd889578_goldeneye_JC.exe	90
PID 2044 wrote to memory of 3124	2044	39fe53a8fd5a24185de6f3d1cd889578_goldeneye_JC.exe	91
PID 2044 wrote to memory of 3124	2044	39fe53a8fd5a24185de6f3d1cd889578_goldeneye_JC.exe	91
PID 2044 wrote to memory of 3124	2044	39fe53a8fd5a24185de6f3d1cd889578_goldeneye_JC.exe	91
PID 4112 wrote to memory of 3024	4112	{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe	92
PID 4112 wrote to memory of 3024	4112	{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe	92
PID 4112 wrote to memory of 3024	4112	{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe	92
PID 4112 wrote to memory of 4488	4112	{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe	93
PID 4112 wrote to memory of 4488	4112	{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe	93
PID 4112 wrote to memory of 4488	4112	{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe	93
PID 3024 wrote to memory of 4900	3024	{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe	95
PID 3024 wrote to memory of 4900	3024	{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe	95
PID 3024 wrote to memory of 4900	3024	{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe	95
PID 3024 wrote to memory of 4704	3024	{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe	96
PID 3024 wrote to memory of 4704	3024	{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe	96
PID 3024 wrote to memory of 4704	3024	{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe	96
PID 4900 wrote to memory of 912	4900	{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe	97
PID 4900 wrote to memory of 912	4900	{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe	97
PID 4900 wrote to memory of 912	4900	{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe	97
PID 4900 wrote to memory of 3708	4900	{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe	98
PID 4900 wrote to memory of 3708	4900	{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe	98
PID 4900 wrote to memory of 3708	4900	{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe	98
PID 912 wrote to memory of 4468	912	{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe	100
PID 912 wrote to memory of 4468	912	{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe	100
PID 912 wrote to memory of 4468	912	{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe	100
PID 912 wrote to memory of 1972	912	{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe	99
PID 912 wrote to memory of 1972	912	{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe	99
PID 912 wrote to memory of 1972	912	{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe	99
PID 4468 wrote to memory of 5048	4468	{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe	101
PID 4468 wrote to memory of 5048	4468	{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe	101
PID 4468 wrote to memory of 5048	4468	{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe	101
PID 4468 wrote to memory of 1316	4468	{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe	102
PID 4468 wrote to memory of 1316	4468	{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe	102
PID 4468 wrote to memory of 1316	4468	{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe	102
PID 5048 wrote to memory of 3824	5048	{E6C53692-35BF-4e40-9960-B4F167C25622}.exe	103
PID 5048 wrote to memory of 3824	5048	{E6C53692-35BF-4e40-9960-B4F167C25622}.exe	103
PID 5048 wrote to memory of 3824	5048	{E6C53692-35BF-4e40-9960-B4F167C25622}.exe	103
PID 5048 wrote to memory of 4888	5048	{E6C53692-35BF-4e40-9960-B4F167C25622}.exe	104
PID 5048 wrote to memory of 4888	5048	{E6C53692-35BF-4e40-9960-B4F167C25622}.exe	104
PID 5048 wrote to memory of 4888	5048	{E6C53692-35BF-4e40-9960-B4F167C25622}.exe	104
PID 3824 wrote to memory of 728	3824	{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe	105
PID 3824 wrote to memory of 728	3824	{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe	105
PID 3824 wrote to memory of 728	3824	{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe	105
PID 3824 wrote to memory of 2596	3824	{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe	106
PID 3824 wrote to memory of 2596	3824	{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe	106
PID 3824 wrote to memory of 2596	3824	{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe	106
PID 728 wrote to memory of 4320	728	{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe	107
PID 728 wrote to memory of 4320	728	{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe	107
PID 728 wrote to memory of 4320	728	{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe	107
PID 728 wrote to memory of 1472	728	{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe	108
PID 728 wrote to memory of 1472	728	{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe	108
PID 728 wrote to memory of 1472	728	{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe	108
PID 4320 wrote to memory of 1308	4320	{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe	109
PID 4320 wrote to memory of 1308	4320	{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe	109
PID 4320 wrote to memory of 1308	4320	{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe	109
PID 4320 wrote to memory of 2924	4320	{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe	110
PID 4320 wrote to memory of 2924	4320	{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe	110
PID 4320 wrote to memory of 2924	4320	{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe	110
PID 1308 wrote to memory of 2436	1308	{DB559776-4480-4a85-ADC2-0EF5B8D99B74}.exe	111
PID 1308 wrote to memory of 2436	1308	{DB559776-4480-4a85-ADC2-0EF5B8D99B74}.exe	111
PID 1308 wrote to memory of 2436	1308	{DB559776-4480-4a85-ADC2-0EF5B8D99B74}.exe	111
PID 1308 wrote to memory of 908	1308	{DB559776-4480-4a85-ADC2-0EF5B8D99B74}.exe	112

C:\Users\Admin\AppData\Local\Temp\39fe53a8fd5a24185de6f3d1cd889578_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\39fe53a8fd5a24185de6f3d1cd889578_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe
  C:\Windows\{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe
    C:\Windows\{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe
      C:\Windows\{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Windows\{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe
        
        C:\Windows\{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F55AE~1.EXE > nul
        6⤵
        
        PID:1972
      - C:\Windows\{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe
        
        C:\Windows\{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\{E6C53692-35BF-4e40-9960-B4F167C25622}.exe
        
        C:\Windows\{E6C53692-35BF-4e40-9960-B4F167C25622}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe
        
        C:\Windows\{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe
        
        C:\Windows\{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe
        
        C:\Windows\{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\{DB559776-4480-4a85-ADC2-0EF5B8D99B74}.exe
        
        C:\Windows\{DB559776-4480-4a85-ADC2-0EF5B8D99B74}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\{2972E96E-1642-4231-AA16-5A6369EF9664}.exe
        
        C:\Windows\{2972E96E-1642-4231-AA16-5A6369EF9664}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\{F4358AE3-BE50-4438-98D8-7654E266DA43}.exe
        
        C:\Windows\{F4358AE3-BE50-4438-98D8-7654E266DA43}.exe
        13⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2972E~1.EXE > nul
        13⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB559~1.EXE > nul
        12⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDA0A~1.EXE > nul
        11⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DED43~1.EXE > nul
        10⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB1DE~1.EXE > nul
        9⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6C53~1.EXE > nul
        8⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9BF2~1.EXE > nul
        7⤵
        
        PID:1316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E526D~1.EXE > nul
        5⤵
        
        PID:3708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8010F~1.EXE > nul
      4⤵
      PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{35511~1.EXE > nul
    3⤵
    PID:4488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\39FE53~1.EXE > nul
  2⤵
  PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2972E96E-1642-4231-AA16-5A6369EF9664}.exe

Filesize
168KB

MD5
fcc7732ed6ca30391b0a3a455731b5c0

SHA1
917d0b3bc204a1448c4c894684a64591852767cb

SHA256
b50d90cdab2d2cc684c40306ce4c7f0582229e07ac93972a731d00d00fdc76df

SHA512
58dcb7f0c15f3588df2957989701c3a2d9637e5d774c809a059ce174112cf01cef6c806b5a0716ac31d912b4171e93459f10ab72bea912baf0ed6adab68f01b5

Download Submit
C:\Windows\{2972E96E-1642-4231-AA16-5A6369EF9664}.exe

Filesize
168KB

MD5
fcc7732ed6ca30391b0a3a455731b5c0

SHA1
917d0b3bc204a1448c4c894684a64591852767cb

SHA256
b50d90cdab2d2cc684c40306ce4c7f0582229e07ac93972a731d00d00fdc76df

SHA512
58dcb7f0c15f3588df2957989701c3a2d9637e5d774c809a059ce174112cf01cef6c806b5a0716ac31d912b4171e93459f10ab72bea912baf0ed6adab68f01b5

Download Submit
C:\Windows\{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe

Filesize
168KB

MD5
3bf44f5c5e0deccda422efe27ca87770

SHA1
b5bd4db30f3c8250c17f8ffaa857e9cfac51a97f

SHA256
b63692225761d58c07cdd6b89cf45cfbba91c9d63d6e6a2a754a1b93c00cc87d

SHA512
887d2b56f5fa55a8c0278bf12c4682fe3d3fba83a4604f101abc0221524620bfee30a58dc1bb99852d6815ac892c8c025e106cd67375377778782574005aaf93

Download Submit
C:\Windows\{35511F0B-0D56-4fad-8C7C-ECDA1B00ECA5}.exe

Filesize
168KB

MD5
3bf44f5c5e0deccda422efe27ca87770

SHA1
b5bd4db30f3c8250c17f8ffaa857e9cfac51a97f

SHA256
b63692225761d58c07cdd6b89cf45cfbba91c9d63d6e6a2a754a1b93c00cc87d

SHA512
887d2b56f5fa55a8c0278bf12c4682fe3d3fba83a4604f101abc0221524620bfee30a58dc1bb99852d6815ac892c8c025e106cd67375377778782574005aaf93

Download Submit
C:\Windows\{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe

Filesize
168KB

MD5
97f903bd801be2f349ca4e722356da37

SHA1
f1cf8de1b7777d6c0625af6d146617ad20f102c6

SHA256
8045e07e09085c671114aa1d96310673dc3e48879d15487d2a9433973ef2b507

SHA512
07409f0035bf30f1075ea323d299eb167f7bdd1f20b1f385c064b0b394a0c9e306680f1476361b1927f33ca7e376340ffd56f728c256486dba7025d43526d52b

Download Submit
C:\Windows\{8010FF8E-D5FC-47ea-876E-1D0395A09A43}.exe

Filesize
168KB

MD5
97f903bd801be2f349ca4e722356da37

SHA1
f1cf8de1b7777d6c0625af6d146617ad20f102c6

SHA256
8045e07e09085c671114aa1d96310673dc3e48879d15487d2a9433973ef2b507

SHA512
07409f0035bf30f1075ea323d299eb167f7bdd1f20b1f385c064b0b394a0c9e306680f1476361b1927f33ca7e376340ffd56f728c256486dba7025d43526d52b

Download Submit
C:\Windows\{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe

Filesize
168KB

MD5
d394a73aaadb824cb406461cc26564e3

SHA1
5339743cf95438aea034457f04863566b2f0a931

SHA256
9d3532d6cd55779d7e53a16a7067012136a89c1c2214da42409b48330fc27943

SHA512
479d15e951e54eb56255631c36a267fe04562afb673b9d78d2092cf48cc9c233a9d7a34fb2817b741a4411a0bc03b3ddbcea7028fd89acebe0486baeb5d57230

Download Submit
C:\Windows\{AB1DE97F-5A16-4aa8-BC9B-D63FA4D89BD8}.exe

Filesize
168KB

MD5
d394a73aaadb824cb406461cc26564e3

SHA1
5339743cf95438aea034457f04863566b2f0a931

SHA256
9d3532d6cd55779d7e53a16a7067012136a89c1c2214da42409b48330fc27943

SHA512
479d15e951e54eb56255631c36a267fe04562afb673b9d78d2092cf48cc9c233a9d7a34fb2817b741a4411a0bc03b3ddbcea7028fd89acebe0486baeb5d57230

Download Submit
C:\Windows\{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe

Filesize
168KB

MD5
d481041bb331f99a5e1b0ab4cfd73cef

SHA1
d2f72af8a43feb9b613345300ed5a9528b7a0b33

SHA256
eb8abdb3d4e618cd11b09cde79dd93b9e7f62d096f29d4c644b4e092e398e27a

SHA512
6a43446f744120eab0f09b453389a276e1f89b6e50dee97218eeeb647c9261d2172e920d10708d994092c05a95c601b6cbb30f0b657b2abe023d1bd7923ec06b

Download Submit
C:\Windows\{D9BF29FD-72E0-4063-9620-20C129EBB0EF}.exe

Filesize
168KB

MD5
d481041bb331f99a5e1b0ab4cfd73cef

SHA1
d2f72af8a43feb9b613345300ed5a9528b7a0b33

SHA256
eb8abdb3d4e618cd11b09cde79dd93b9e7f62d096f29d4c644b4e092e398e27a

SHA512
6a43446f744120eab0f09b453389a276e1f89b6e50dee97218eeeb647c9261d2172e920d10708d994092c05a95c601b6cbb30f0b657b2abe023d1bd7923ec06b

Download Submit
C:\Windows\{DB559776-4480-4a85-ADC2-0EF5B8D99B74}.exe

Filesize
168KB

MD5
74590a10d7eeb279931bc8086e79b4c0

SHA1
314c3447c73b115f9d2489e4a916a537b21d85b6

SHA256
b11bf6826a99ccd5bee5b40f042a864c008f63a197be5c0d00bf54d14068eeea

SHA512
686fa7b23a563c81a9b850ce7942abe1de70a64c23fd005394c856a77d2400867fdccdab1b036180d72edf3f83c624bcea92f79b804526b25192be48448d019d

Download Submit
C:\Windows\{DB559776-4480-4a85-ADC2-0EF5B8D99B74}.exe

Filesize
168KB

MD5
74590a10d7eeb279931bc8086e79b4c0

SHA1
314c3447c73b115f9d2489e4a916a537b21d85b6

SHA256
b11bf6826a99ccd5bee5b40f042a864c008f63a197be5c0d00bf54d14068eeea

SHA512
686fa7b23a563c81a9b850ce7942abe1de70a64c23fd005394c856a77d2400867fdccdab1b036180d72edf3f83c624bcea92f79b804526b25192be48448d019d

Download Submit
C:\Windows\{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe

Filesize
168KB

MD5
e155cc6bf8be3e3f43f820776b46376f

SHA1
a2c802a1e29fb376a6cbce9e1e1d89a4a91a7c09

SHA256
5ec8682413116c00064938627eddef3e05d452b96566cfed835339a365086262

SHA512
311d2fbfb01c200a258f447b0ac16f40f758bb2b35917d8abf62e01bee6ccf68451abdb44a17d937b641672deaf97724c649ae6ee4a14401ce556699ee891faf

Download Submit
C:\Windows\{DED43813-AA0B-424a-9F72-309FB2C096DA}.exe

Filesize
168KB

MD5
e155cc6bf8be3e3f43f820776b46376f

SHA1
a2c802a1e29fb376a6cbce9e1e1d89a4a91a7c09

SHA256
5ec8682413116c00064938627eddef3e05d452b96566cfed835339a365086262

SHA512
311d2fbfb01c200a258f447b0ac16f40f758bb2b35917d8abf62e01bee6ccf68451abdb44a17d937b641672deaf97724c649ae6ee4a14401ce556699ee891faf

Download Submit
C:\Windows\{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe

Filesize
168KB

MD5
267ec7e0ab6dafe99a3d88ad1a09f269

SHA1
0dc9c2d2ecdd2baf76e33f234a335c822002021f

SHA256
3bb11dcc2a996e5b0c8068296abf0580e7839f7cb0a4e6b84f2608efc40e07e4

SHA512
de63cd816594c893670cd538cac3e63da9fbb19d31e678b5c93bae1723ec1c5fa907a64a621e62ad024413eadf7e38b390d968d1647d3dc71ba85340a0e3b8da

Download Submit
C:\Windows\{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe

Filesize
168KB

MD5
267ec7e0ab6dafe99a3d88ad1a09f269

SHA1
0dc9c2d2ecdd2baf76e33f234a335c822002021f

SHA256
3bb11dcc2a996e5b0c8068296abf0580e7839f7cb0a4e6b84f2608efc40e07e4

SHA512
de63cd816594c893670cd538cac3e63da9fbb19d31e678b5c93bae1723ec1c5fa907a64a621e62ad024413eadf7e38b390d968d1647d3dc71ba85340a0e3b8da

Download Submit
C:\Windows\{E526DC7D-FD7B-46b2-9D40-2DDB7F7D7912}.exe

Filesize
168KB

MD5
267ec7e0ab6dafe99a3d88ad1a09f269

SHA1
0dc9c2d2ecdd2baf76e33f234a335c822002021f

SHA256
3bb11dcc2a996e5b0c8068296abf0580e7839f7cb0a4e6b84f2608efc40e07e4

SHA512
de63cd816594c893670cd538cac3e63da9fbb19d31e678b5c93bae1723ec1c5fa907a64a621e62ad024413eadf7e38b390d968d1647d3dc71ba85340a0e3b8da

Download Submit
C:\Windows\{E6C53692-35BF-4e40-9960-B4F167C25622}.exe

Filesize
168KB

MD5
1d68ca7f6d626e7c19bbb24f73c9b3b5

SHA1
daaf6b828bb684ee9174d6930bfef15b6f15be63

SHA256
bdb713430ada4b11c538ec441313962f102f718ecefa284c797518edb65cdb19

SHA512
b2ab48a8cd239818d919d418f0f7bee037f2399446abeee0de730a365b06eb9c1fbdcbba9ca637ea7dfb8fc206a144f4874d943ff6036c50d1721dde0a79c062

Download Submit
C:\Windows\{E6C53692-35BF-4e40-9960-B4F167C25622}.exe

Filesize
168KB

MD5
1d68ca7f6d626e7c19bbb24f73c9b3b5

SHA1
daaf6b828bb684ee9174d6930bfef15b6f15be63

SHA256
bdb713430ada4b11c538ec441313962f102f718ecefa284c797518edb65cdb19

SHA512
b2ab48a8cd239818d919d418f0f7bee037f2399446abeee0de730a365b06eb9c1fbdcbba9ca637ea7dfb8fc206a144f4874d943ff6036c50d1721dde0a79c062

Download Submit
C:\Windows\{F4358AE3-BE50-4438-98D8-7654E266DA43}.exe

Filesize
168KB

MD5
e6303685d7caeece4e27604e08e654c8

SHA1
14821221161ad682178b9fcaa7c2eb977a5838d0

SHA256
4e827da3f13916b65b913dbf0ce1a3e75b1dbead100f6ed8cd81204c44d0b211

SHA512
ceef499c9fbaf0382c9968ff567bfe4ae0444c1327b69a714c4bae1ddc848394687f63dd540a1fe64b1efc73fae4339f07795062a50f7744c45306e5316309e8

Download Submit
C:\Windows\{F4358AE3-BE50-4438-98D8-7654E266DA43}.exe

Filesize
168KB

MD5
e6303685d7caeece4e27604e08e654c8

SHA1
14821221161ad682178b9fcaa7c2eb977a5838d0

SHA256
4e827da3f13916b65b913dbf0ce1a3e75b1dbead100f6ed8cd81204c44d0b211

SHA512
ceef499c9fbaf0382c9968ff567bfe4ae0444c1327b69a714c4bae1ddc848394687f63dd540a1fe64b1efc73fae4339f07795062a50f7744c45306e5316309e8

Download Submit
C:\Windows\{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe

Filesize
168KB

MD5
580f8b7051c39732be6609b93499fb03

SHA1
52747cbf1de8705b9d7cf654d78eb0d68aa0203c

SHA256
892651cc7ef348870251b0f21cecdd049c2da38e7be12da9e905e512d0aeceef

SHA512
cf32329bd1234ca2e988e4fe82baebc5d1407446cf35cf9476e643ae799e972dd7035af9a6f37795ace1c22a687692e033a7f4407ccd5beb6116d70a91103f3a

Download Submit
C:\Windows\{F55AE84A-7DD6-4ff2-A3CC-71A7B36EFAEE}.exe

Filesize
168KB

MD5
580f8b7051c39732be6609b93499fb03

SHA1
52747cbf1de8705b9d7cf654d78eb0d68aa0203c

SHA256
892651cc7ef348870251b0f21cecdd049c2da38e7be12da9e905e512d0aeceef

SHA512
cf32329bd1234ca2e988e4fe82baebc5d1407446cf35cf9476e643ae799e972dd7035af9a6f37795ace1c22a687692e033a7f4407ccd5beb6116d70a91103f3a

Download Submit
C:\Windows\{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe

Filesize
168KB

MD5
1be086992b3d7ed5269cf8fc13cffa65

SHA1
2139510c1e4279ef95c44b1392288376e96a3833

SHA256
492505d33d345d042d0af9a2adfa9a06c981a19467373eaa812b465779796d54

SHA512
70b5f56c548284a61e64375938a7d032e08eb1430cb9d4b51813427a7cc9e68eda4a0f7205149445e3d367b33b32504406d027c9f23c0c81c5501733db29c51b

Download Submit
C:\Windows\{FDA0ADCD-01DF-4f5c-A030-8271C7140C9E}.exe

Filesize
168KB

MD5
1be086992b3d7ed5269cf8fc13cffa65

SHA1
2139510c1e4279ef95c44b1392288376e96a3833

SHA256
492505d33d345d042d0af9a2adfa9a06c981a19467373eaa812b465779796d54

SHA512
70b5f56c548284a61e64375938a7d032e08eb1430cb9d4b51813427a7cc9e68eda4a0f7205149445e3d367b33b32504406d027c9f23c0c81c5501733db29c51b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads