a9e70626ad9eb370d7d96e5bfa7cfc89430e220e7e04f144b2f28b0f20286629

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19/08/2023, 12:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe
Size

380KB
MD5

3bd2c1b130b1eb1b68ef74b8910261d3
SHA1

61eccbe8077e768b313c05501d4228ced2ec533c
SHA256

a9e70626ad9eb370d7d96e5bfa7cfc89430e220e7e04f144b2f28b0f20286629
SHA512

35d78cd3d091322b605b9056718371eaa545d9e44fe61158a815849f54e9876a1dbd30d5b08f8c4c1c05fbc7ff1370a61e19ee2c3aa91926dd90d254aea0c18a
SSDEEP

3072:mEGh0oJlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG7l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}\stubpath = "C:\\Windows\\{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe"	{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}\stubpath = "C:\\Windows\\{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe"	{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D9F4218-648B-4f8b-84F6-1580CF7DDB34}	{25E2B775-DB4B-4f72-9D99-7891FABCAD29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4614E59E-F362-48a5-B71B-C1D000533A0A}	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}	{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B06482F-859E-4b07-B5A8-6682C23C5A4D}	{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B06482F-859E-4b07-B5A8-6682C23C5A4D}\stubpath = "C:\\Windows\\{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe"	{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{940D42DB-00D4-4962-A43D-DF3E4D40ECC4}	{591A55E6-A986-41ee-93BD-A605EBE94302}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{940D42DB-00D4-4962-A43D-DF3E4D40ECC4}\stubpath = "C:\\Windows\\{940D42DB-00D4-4962-A43D-DF3E4D40ECC4}.exe"	{591A55E6-A986-41ee-93BD-A605EBE94302}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D9F4218-648B-4f8b-84F6-1580CF7DDB34}\stubpath = "C:\\Windows\\{2D9F4218-648B-4f8b-84F6-1580CF7DDB34}.exe"	{25E2B775-DB4B-4f72-9D99-7891FABCAD29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}	{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}\stubpath = "C:\\Windows\\{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe"	{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{591A55E6-A986-41ee-93BD-A605EBE94302}	{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{591A55E6-A986-41ee-93BD-A605EBE94302}\stubpath = "C:\\Windows\\{591A55E6-A986-41ee-93BD-A605EBE94302}.exe"	{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4928D16-D6A1-49d0-B735-857863A8B40E}	{940D42DB-00D4-4962-A43D-DF3E4D40ECC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25E2B775-DB4B-4f72-9D99-7891FABCAD29}	{C4928D16-D6A1-49d0-B735-857863A8B40E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25E2B775-DB4B-4f72-9D99-7891FABCAD29}\stubpath = "C:\\Windows\\{25E2B775-DB4B-4f72-9D99-7891FABCAD29}.exe"	{C4928D16-D6A1-49d0-B735-857863A8B40E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4614E59E-F362-48a5-B71B-C1D000533A0A}\stubpath = "C:\\Windows\\{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe"	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}	{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4928D16-D6A1-49d0-B735-857863A8B40E}\stubpath = "C:\\Windows\\{C4928D16-D6A1-49d0-B735-857863A8B40E}.exe"	{940D42DB-00D4-4962-A43D-DF3E4D40ECC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}	{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}\stubpath = "C:\\Windows\\{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe"	{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe

Deletes itself 1 IoCs

pid	Process
1824	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1408	{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe
2840	{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe
2300	{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe
1140	{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe
2756	{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe
632	{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe
2956	{591A55E6-A986-41ee-93BD-A605EBE94302}.exe
912	{940D42DB-00D4-4962-A43D-DF3E4D40ECC4}.exe
1508	{C4928D16-D6A1-49d0-B735-857863A8B40E}.exe
2960	{25E2B775-DB4B-4f72-9D99-7891FABCAD29}.exe
1620	{2D9F4218-648B-4f8b-84F6-1580CF7DDB34}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{591A55E6-A986-41ee-93BD-A605EBE94302}.exe	{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe
File created	C:\Windows\{940D42DB-00D4-4962-A43D-DF3E4D40ECC4}.exe	{591A55E6-A986-41ee-93BD-A605EBE94302}.exe
File created	C:\Windows\{C4928D16-D6A1-49d0-B735-857863A8B40E}.exe	{940D42DB-00D4-4962-A43D-DF3E4D40ECC4}.exe
File created	C:\Windows\{25E2B775-DB4B-4f72-9D99-7891FABCAD29}.exe	{C4928D16-D6A1-49d0-B735-857863A8B40E}.exe
File created	C:\Windows\{2D9F4218-648B-4f8b-84F6-1580CF7DDB34}.exe	{25E2B775-DB4B-4f72-9D99-7891FABCAD29}.exe
File created	C:\Windows\{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe
File created	C:\Windows\{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe	{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe
File created	C:\Windows\{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe	{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe
File created	C:\Windows\{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe	{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe
File created	C:\Windows\{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe	{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe
File created	C:\Windows\{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe	{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2496	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1408	{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe
Token: SeIncBasePriorityPrivilege	2840	{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe
Token: SeIncBasePriorityPrivilege	2300	{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe
Token: SeIncBasePriorityPrivilege	1140	{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe
Token: SeIncBasePriorityPrivilege	2756	{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe
Token: SeIncBasePriorityPrivilege	632	{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe
Token: SeIncBasePriorityPrivilege	2956	{591A55E6-A986-41ee-93BD-A605EBE94302}.exe
Token: SeIncBasePriorityPrivilege	912	{940D42DB-00D4-4962-A43D-DF3E4D40ECC4}.exe
Token: SeIncBasePriorityPrivilege	1508	{C4928D16-D6A1-49d0-B735-857863A8B40E}.exe
Token: SeIncBasePriorityPrivilege	2960	{25E2B775-DB4B-4f72-9D99-7891FABCAD29}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 1408	2496	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe	28
PID 2496 wrote to memory of 1408	2496	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe	28
PID 2496 wrote to memory of 1408	2496	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe	28
PID 2496 wrote to memory of 1408	2496	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe	28
PID 2496 wrote to memory of 1824	2496	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe	29
PID 2496 wrote to memory of 1824	2496	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe	29
PID 2496 wrote to memory of 1824	2496	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe	29
PID 2496 wrote to memory of 1824	2496	3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe	29
PID 1408 wrote to memory of 2840	1408	{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe	30
PID 1408 wrote to memory of 2840	1408	{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe	30
PID 1408 wrote to memory of 2840	1408	{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe	30
PID 1408 wrote to memory of 2840	1408	{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe	30
PID 1408 wrote to memory of 2944	1408	{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe	31
PID 1408 wrote to memory of 2944	1408	{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe	31
PID 1408 wrote to memory of 2944	1408	{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe	31
PID 1408 wrote to memory of 2944	1408	{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe	31
PID 2840 wrote to memory of 2300	2840	{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe	34
PID 2840 wrote to memory of 2300	2840	{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe	34
PID 2840 wrote to memory of 2300	2840	{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe	34
PID 2840 wrote to memory of 2300	2840	{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe	34
PID 2840 wrote to memory of 2872	2840	{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe	35
PID 2840 wrote to memory of 2872	2840	{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe	35
PID 2840 wrote to memory of 2872	2840	{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe	35
PID 2840 wrote to memory of 2872	2840	{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe	35
PID 2300 wrote to memory of 1140	2300	{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe	36
PID 2300 wrote to memory of 1140	2300	{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe	36
PID 2300 wrote to memory of 1140	2300	{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe	36
PID 2300 wrote to memory of 1140	2300	{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe	36
PID 2300 wrote to memory of 2700	2300	{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe	37
PID 2300 wrote to memory of 2700	2300	{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe	37
PID 2300 wrote to memory of 2700	2300	{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe	37
PID 2300 wrote to memory of 2700	2300	{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe	37
PID 1140 wrote to memory of 2756	1140	{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe	38
PID 1140 wrote to memory of 2756	1140	{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe	38
PID 1140 wrote to memory of 2756	1140	{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe	38
PID 1140 wrote to memory of 2756	1140	{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe	38
PID 1140 wrote to memory of 2416	1140	{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe	39
PID 1140 wrote to memory of 2416	1140	{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe	39
PID 1140 wrote to memory of 2416	1140	{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe	39
PID 1140 wrote to memory of 2416	1140	{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe	39
PID 2756 wrote to memory of 632	2756	{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe	40
PID 2756 wrote to memory of 632	2756	{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe	40
PID 2756 wrote to memory of 632	2756	{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe	40
PID 2756 wrote to memory of 632	2756	{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe	40
PID 2756 wrote to memory of 2684	2756	{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe	41
PID 2756 wrote to memory of 2684	2756	{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe	41
PID 2756 wrote to memory of 2684	2756	{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe	41
PID 2756 wrote to memory of 2684	2756	{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe	41
PID 632 wrote to memory of 2956	632	{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe	42
PID 632 wrote to memory of 2956	632	{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe	42
PID 632 wrote to memory of 2956	632	{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe	42
PID 632 wrote to memory of 2956	632	{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe	42
PID 632 wrote to memory of 468	632	{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe	43
PID 632 wrote to memory of 468	632	{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe	43
PID 632 wrote to memory of 468	632	{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe	43
PID 632 wrote to memory of 468	632	{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe	43
PID 2956 wrote to memory of 912	2956	{591A55E6-A986-41ee-93BD-A605EBE94302}.exe	44
PID 2956 wrote to memory of 912	2956	{591A55E6-A986-41ee-93BD-A605EBE94302}.exe	44
PID 2956 wrote to memory of 912	2956	{591A55E6-A986-41ee-93BD-A605EBE94302}.exe	44
PID 2956 wrote to memory of 912	2956	{591A55E6-A986-41ee-93BD-A605EBE94302}.exe	44
PID 2956 wrote to memory of 1048	2956	{591A55E6-A986-41ee-93BD-A605EBE94302}.exe	45
PID 2956 wrote to memory of 1048	2956	{591A55E6-A986-41ee-93BD-A605EBE94302}.exe	45
PID 2956 wrote to memory of 1048	2956	{591A55E6-A986-41ee-93BD-A605EBE94302}.exe	45
PID 2956 wrote to memory of 1048	2956	{591A55E6-A986-41ee-93BD-A605EBE94302}.exe	45

C:\Users\Admin\AppData\Local\Temp\3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3bd2c1b130b1eb1b68ef74b8910261d3_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe
  C:\Windows\{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe
    C:\Windows\{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe
      C:\Windows\{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe
        
        C:\Windows\{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
      - C:\Windows\{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe
        
        C:\Windows\{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe
        
        C:\Windows\{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\{591A55E6-A986-41ee-93BD-A605EBE94302}.exe
        
        C:\Windows\{591A55E6-A986-41ee-93BD-A605EBE94302}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\{940D42DB-00D4-4962-A43D-DF3E4D40ECC4}.exe
        
        C:\Windows\{940D42DB-00D4-4962-A43D-DF3E4D40ECC4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\{C4928D16-D6A1-49d0-B735-857863A8B40E}.exe
        
        C:\Windows\{C4928D16-D6A1-49d0-B735-857863A8B40E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\{25E2B775-DB4B-4f72-9D99-7891FABCAD29}.exe
        
        C:\Windows\{25E2B775-DB4B-4f72-9D99-7891FABCAD29}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\{2D9F4218-648B-4f8b-84F6-1580CF7DDB34}.exe
        
        C:\Windows\{2D9F4218-648B-4f8b-84F6-1580CF7DDB34}.exe
        12⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25E2B~1.EXE > nul
        12⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4928~1.EXE > nul
        11⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{940D4~1.EXE > nul
        10⤵
        
        PID:272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{591A5~1.EXE > nul
        9⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B064~1.EXE > nul
        8⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25D5C~1.EXE > nul
        7⤵
        
        PID:2684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C93A7~1.EXE > nul
        6⤵
        
        PID:2416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D0C6~1.EXE > nul
        5⤵
        
        PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{92C3B~1.EXE > nul
      4⤵
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4614E~1.EXE > nul
    3⤵
    PID:2944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3BD2C1~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe

Filesize
380KB

MD5
215615285ef50369cf277a6d50a4141a

SHA1
57edb3118c6cfe0016a34b33ce467b7db3f4d729

SHA256
bba53807b433fc1dbe61f713f8401f22f248460bf8cade23063f205141160b90

SHA512
5eee130732da798ae2a2939298432122285b2ca7caacf4f5a340f089e37ecaf6127350bbc342a7827bfbed48d140a65e6559714523d6d8d8f16db499c8ffcc01

Download Submit
C:\Windows\{0B06482F-859E-4b07-B5A8-6682C23C5A4D}.exe

Filesize
380KB

MD5
215615285ef50369cf277a6d50a4141a

SHA1
57edb3118c6cfe0016a34b33ce467b7db3f4d729

SHA256
bba53807b433fc1dbe61f713f8401f22f248460bf8cade23063f205141160b90

SHA512
5eee130732da798ae2a2939298432122285b2ca7caacf4f5a340f089e37ecaf6127350bbc342a7827bfbed48d140a65e6559714523d6d8d8f16db499c8ffcc01

Download Submit
C:\Windows\{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe

Filesize
380KB

MD5
bfa781330d3761409d18cf7c1ea29087

SHA1
3b40f7cb7a48fd56719cb3f55e63079be91b0036

SHA256
8de01922beaaf376b1c7a5d68653cef09c959aaf0271195e8034bf18cc583510

SHA512
8484a6f883da934ec21b693c44159a26019d3ea896da38d76442b140aa76312d87570204285414cf7111fe1f56aff832fd781ac379ccc75af5fd78ead2cd3eb8

Download Submit
C:\Windows\{25D5C4EF-B8C1-4cb1-9845-5CF0C6819427}.exe

Filesize
380KB

MD5
bfa781330d3761409d18cf7c1ea29087

SHA1
3b40f7cb7a48fd56719cb3f55e63079be91b0036

SHA256
8de01922beaaf376b1c7a5d68653cef09c959aaf0271195e8034bf18cc583510

SHA512
8484a6f883da934ec21b693c44159a26019d3ea896da38d76442b140aa76312d87570204285414cf7111fe1f56aff832fd781ac379ccc75af5fd78ead2cd3eb8

Download Submit
C:\Windows\{25E2B775-DB4B-4f72-9D99-7891FABCAD29}.exe

Filesize
380KB

MD5
9883ba373247d91f820aef26fff541d8

SHA1
e39bc1f7a3b2068cc81aa0f7dba6ec5786c8825d

SHA256
65b5486268d41d38d2ce10da96a9a5ad76113e2c379d944dab70415e13e4c4e5

SHA512
2f1b49ebf4f8a87cc0b74c9ff4f10b6493e18c39e8f0a21b8d876484afbbda6fa9759c0b47028c46f4534ed00c38ba84a137493585680c2604eb80025b1aa0a1

Download Submit
C:\Windows\{25E2B775-DB4B-4f72-9D99-7891FABCAD29}.exe

Filesize
380KB

MD5
9883ba373247d91f820aef26fff541d8

SHA1
e39bc1f7a3b2068cc81aa0f7dba6ec5786c8825d

SHA256
65b5486268d41d38d2ce10da96a9a5ad76113e2c379d944dab70415e13e4c4e5

SHA512
2f1b49ebf4f8a87cc0b74c9ff4f10b6493e18c39e8f0a21b8d876484afbbda6fa9759c0b47028c46f4534ed00c38ba84a137493585680c2604eb80025b1aa0a1

Download Submit
C:\Windows\{2D9F4218-648B-4f8b-84F6-1580CF7DDB34}.exe

Filesize
380KB

MD5
e992571377a30496177c618ca3939df8

SHA1
a83e8273c4a8dc7dc1bc0d12cc2934abc6d71133

SHA256
48f0b42f0d12db6bdf6d24661f93df74d65f1eba727c5d244b5a70e5d68c3111

SHA512
be9e067de30f01128a2b54c500d45c0ba3dfa6d97de8d649e4db992704d91946b5311ea9e207e952c351a37bc0bba245ef92d087e1bb75eca80da8d6df4c9512

Download Submit
C:\Windows\{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe

Filesize
380KB

MD5
3e6381bf93cd305c196b74810e74d6b6

SHA1
78f447dbb249916d678666c34af549c9a985e8a2

SHA256
a095fb0490420be7747dcd06012d214d2558f8d784afa160038798a72f8dcec1

SHA512
f13ae7ecf62b9638de7ecd5f0779f104150868a62950b127b30e585f1b963889d66bbb0041e009e630a7995e28d815affd2a006721f7075123023f1f27e78db6

Download Submit
C:\Windows\{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe

Filesize
380KB

MD5
3e6381bf93cd305c196b74810e74d6b6

SHA1
78f447dbb249916d678666c34af549c9a985e8a2

SHA256
a095fb0490420be7747dcd06012d214d2558f8d784afa160038798a72f8dcec1

SHA512
f13ae7ecf62b9638de7ecd5f0779f104150868a62950b127b30e585f1b963889d66bbb0041e009e630a7995e28d815affd2a006721f7075123023f1f27e78db6

Download Submit
C:\Windows\{4614E59E-F362-48a5-B71B-C1D000533A0A}.exe

Filesize
380KB

MD5
3e6381bf93cd305c196b74810e74d6b6

SHA1
78f447dbb249916d678666c34af549c9a985e8a2

SHA256
a095fb0490420be7747dcd06012d214d2558f8d784afa160038798a72f8dcec1

SHA512
f13ae7ecf62b9638de7ecd5f0779f104150868a62950b127b30e585f1b963889d66bbb0041e009e630a7995e28d815affd2a006721f7075123023f1f27e78db6

Download Submit
C:\Windows\{591A55E6-A986-41ee-93BD-A605EBE94302}.exe

Filesize
380KB

MD5
aad0b360755dd404eb39fa09e06ae94f

SHA1
67c52c425f747703ab94fd98606a3f5b812a2fd9

SHA256
780c2292784a157d4e9c4530cc6356a0f0d0d67f72b95c5338aed59cd3faaf9c

SHA512
86b5a32bd896e380fb189fc7123170104f964adcbc0e390437add0638f7482ccdbfce883474a9e0276da0463729d4c3a03cfd4ed0394fec40ce5a1cab8a74e77

Download Submit
C:\Windows\{591A55E6-A986-41ee-93BD-A605EBE94302}.exe

Filesize
380KB

MD5
aad0b360755dd404eb39fa09e06ae94f

SHA1
67c52c425f747703ab94fd98606a3f5b812a2fd9

SHA256
780c2292784a157d4e9c4530cc6356a0f0d0d67f72b95c5338aed59cd3faaf9c

SHA512
86b5a32bd896e380fb189fc7123170104f964adcbc0e390437add0638f7482ccdbfce883474a9e0276da0463729d4c3a03cfd4ed0394fec40ce5a1cab8a74e77

Download Submit
C:\Windows\{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe

Filesize
380KB

MD5
afbee0ac332d838f9bb76d03db3b4dcd

SHA1
5c8eb31db955ff66d1d5a328a2c5cc43c0a1a227

SHA256
6778737e34add40480c57583efdb919b30dd05dc3cee0e0e779367b2d29bfd88

SHA512
e688961334dc54a06ab0f8bb079bd9d38f7fc18199a6d131d4f63aca5e88df2a4635bcece3317f34ba63435c13bc7932c648cca7be1fe516177d159036d2e674

Download Submit
C:\Windows\{6D0C6F74-59BE-4937-99A8-D19BF98EE4D5}.exe

Filesize
380KB

MD5
afbee0ac332d838f9bb76d03db3b4dcd

SHA1
5c8eb31db955ff66d1d5a328a2c5cc43c0a1a227

SHA256
6778737e34add40480c57583efdb919b30dd05dc3cee0e0e779367b2d29bfd88

SHA512
e688961334dc54a06ab0f8bb079bd9d38f7fc18199a6d131d4f63aca5e88df2a4635bcece3317f34ba63435c13bc7932c648cca7be1fe516177d159036d2e674

Download Submit
C:\Windows\{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe

Filesize
380KB

MD5
70e2a147d0ce7063b70dfe0fa958d65f

SHA1
10d89b0d3d1f1d0b02242a4d74f9e13ec3df4d41

SHA256
266b1c00c9366162b12fc04101f3c5282dab6391b2ec010443daba616d77ec56

SHA512
369ab1ebd2ff461547cc044461ba024d6b2e2af3c80cda65f4e356180a9b6794d88c1eba68b0a62c2d0e69de2bebd6fe1fc41e9b0ea8fbe2a0c8ced6e3ff1e26

Download Submit
C:\Windows\{92C3B0F0-D56B-4da8-B92E-C766D05BA0F9}.exe

Filesize
380KB

MD5
70e2a147d0ce7063b70dfe0fa958d65f

SHA1
10d89b0d3d1f1d0b02242a4d74f9e13ec3df4d41

SHA256
266b1c00c9366162b12fc04101f3c5282dab6391b2ec010443daba616d77ec56

SHA512
369ab1ebd2ff461547cc044461ba024d6b2e2af3c80cda65f4e356180a9b6794d88c1eba68b0a62c2d0e69de2bebd6fe1fc41e9b0ea8fbe2a0c8ced6e3ff1e26

Download Submit
C:\Windows\{940D42DB-00D4-4962-A43D-DF3E4D40ECC4}.exe

Filesize
380KB

MD5
7ff1f0b1640963b888657d9a90a52879

SHA1
07ebc58f0f6a5c1a54d497a30262c497c222a3c5

SHA256
77827abdc5b94132e7e1a7f7ad249ab8703394dfad17d719aae10a25d18d795d

SHA512
eb813334c58359eb133edff54f74ed10e025ddd6fc5f57569ec2d47070ffc2634917458ad40193f878f620a079350a9ff3e9d339d6c0cc7aec3bd3b0109f437a

Download Submit
C:\Windows\{940D42DB-00D4-4962-A43D-DF3E4D40ECC4}.exe

Filesize
380KB

MD5
7ff1f0b1640963b888657d9a90a52879

SHA1
07ebc58f0f6a5c1a54d497a30262c497c222a3c5

SHA256
77827abdc5b94132e7e1a7f7ad249ab8703394dfad17d719aae10a25d18d795d

SHA512
eb813334c58359eb133edff54f74ed10e025ddd6fc5f57569ec2d47070ffc2634917458ad40193f878f620a079350a9ff3e9d339d6c0cc7aec3bd3b0109f437a

Download Submit
C:\Windows\{C4928D16-D6A1-49d0-B735-857863A8B40E}.exe

Filesize
380KB

MD5
15bc686eb834c377753b9b77b2e7c76b

SHA1
581adbda83684afdb0cdb11b7ca7da03ac543163

SHA256
ad132296b5358639fbc436c76b5153beae71bc714cd1720cb936daebedececdf

SHA512
6f708bbea8965918c04627e04ee6fa6618807839827e9cc2c9e3869770df3125954a26e754a7fb6bb69328895ff37132dba34eebc45285bdd0a01f46126d862c

Download Submit
C:\Windows\{C4928D16-D6A1-49d0-B735-857863A8B40E}.exe

Filesize
380KB

MD5
15bc686eb834c377753b9b77b2e7c76b

SHA1
581adbda83684afdb0cdb11b7ca7da03ac543163

SHA256
ad132296b5358639fbc436c76b5153beae71bc714cd1720cb936daebedececdf

SHA512
6f708bbea8965918c04627e04ee6fa6618807839827e9cc2c9e3869770df3125954a26e754a7fb6bb69328895ff37132dba34eebc45285bdd0a01f46126d862c

Download Submit
C:\Windows\{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe

Filesize
380KB

MD5
0ff1a66acbcc04a3f25fa25c8c92cb0a

SHA1
c7ce757063f1ae0fe397c6eda375f8f7ae73d9da

SHA256
e649be224b5fb79a25417d8ea1b8d051a221d5ac91e00474eae467ca0bbad148

SHA512
45fa55417e29fe0e39c2085e53d9896c7961655d89e4fcb9e4291e12d5de5e6458e44816c118fac2821a032fdd83dd8805297c5eeffc688f0c4aaca1e8628c49

Download Submit
C:\Windows\{C93A72FB-A0E4-4bb2-8B5D-8C6EF5530DC2}.exe

Filesize
380KB

MD5
0ff1a66acbcc04a3f25fa25c8c92cb0a

SHA1
c7ce757063f1ae0fe397c6eda375f8f7ae73d9da

SHA256
e649be224b5fb79a25417d8ea1b8d051a221d5ac91e00474eae467ca0bbad148

SHA512
45fa55417e29fe0e39c2085e53d9896c7961655d89e4fcb9e4291e12d5de5e6458e44816c118fac2821a032fdd83dd8805297c5eeffc688f0c4aaca1e8628c49

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads