a6ddb720e2096e9441fa1e6657ace7c1a3dd4496362d7aba51a85adb98d00262

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19/08/2023, 14:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

434701085cb18e57687009b54751fc5a_goldeneye_JC.exe
Size

216KB
MD5

434701085cb18e57687009b54751fc5a
SHA1

6468c71ba3604bc7cf255cd9857e9c2b1edaf5cd
SHA256

a6ddb720e2096e9441fa1e6657ace7c1a3dd4496362d7aba51a85adb98d00262
SHA512

55940f64f91ebb2d9d2dab08ec84b7f2e3e13d85ded55c77b08ee5bab8f28ae1dc00067fe0e30701136866773613e5ecedb05314559eda57cbe2f1b06cf7ae7f
SSDEEP

3072:jEGh0odl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG/lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}\stubpath = "C:\\Windows\\{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe"	{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77EE0D57-2C73-4200-BE4A-399311F2DD63}	{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}\stubpath = "C:\\Windows\\{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe"	{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{780A406E-ED96-4dcc-88DD-2810C657E2A4}	{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC58825B-7561-47e1-8F67-03E8ED6407EC}\stubpath = "C:\\Windows\\{FC58825B-7561-47e1-8F67-03E8ED6407EC}.exe"	{7A62FDE9-4337-483d-B9D3-BB384F7E11F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}\stubpath = "C:\\Windows\\{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe"	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{530BDD22-64B0-4174-9B75-E2060AD5B43E}\stubpath = "C:\\Windows\\{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe"	{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC58825B-7561-47e1-8F67-03E8ED6407EC}	{7A62FDE9-4337-483d-B9D3-BB384F7E11F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{530BDD22-64B0-4174-9B75-E2060AD5B43E}	{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A62FDE9-4337-483d-B9D3-BB384F7E11F4}	{A15B4834-21ED-45f4-82F3-283768503F03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77EE0D57-2C73-4200-BE4A-399311F2DD63}\stubpath = "C:\\Windows\\{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe"	{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}	{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}\stubpath = "C:\\Windows\\{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe"	{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A15B4834-21ED-45f4-82F3-283768503F03}\stubpath = "C:\\Windows\\{A15B4834-21ED-45f4-82F3-283768503F03}.exe"	{F9D9CA6F-802F-41d8-9616-840E2580027C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}	{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9D9CA6F-802F-41d8-9616-840E2580027C}	{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9D9CA6F-802F-41d8-9616-840E2580027C}\stubpath = "C:\\Windows\\{F9D9CA6F-802F-41d8-9616-840E2580027C}.exe"	{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A15B4834-21ED-45f4-82F3-283768503F03}	{F9D9CA6F-802F-41d8-9616-840E2580027C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A62FDE9-4337-483d-B9D3-BB384F7E11F4}\stubpath = "C:\\Windows\\{7A62FDE9-4337-483d-B9D3-BB384F7E11F4}.exe"	{A15B4834-21ED-45f4-82F3-283768503F03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}	{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{780A406E-ED96-4dcc-88DD-2810C657E2A4}\stubpath = "C:\\Windows\\{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe"	{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe

Deletes itself 1 IoCs

pid	Process
2236	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2576	{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe
2512	{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe
2420	{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe
2968	{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe
2808	{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe
2912	{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe
1692	{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe
2748	{F9D9CA6F-802F-41d8-9616-840E2580027C}.exe
2756	{A15B4834-21ED-45f4-82F3-283768503F03}.exe
2548	{7A62FDE9-4337-483d-B9D3-BB384F7E11F4}.exe
1928	{FC58825B-7561-47e1-8F67-03E8ED6407EC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe	{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe
File created	C:\Windows\{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe	{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe
File created	C:\Windows\{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe	{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe
File created	C:\Windows\{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe	{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe
File created	C:\Windows\{FC58825B-7561-47e1-8F67-03E8ED6407EC}.exe	{7A62FDE9-4337-483d-B9D3-BB384F7E11F4}.exe
File created	C:\Windows\{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe
File created	C:\Windows\{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe	{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe
File created	C:\Windows\{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe	{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe
File created	C:\Windows\{F9D9CA6F-802F-41d8-9616-840E2580027C}.exe	{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe
File created	C:\Windows\{A15B4834-21ED-45f4-82F3-283768503F03}.exe	{F9D9CA6F-802F-41d8-9616-840E2580027C}.exe
File created	C:\Windows\{7A62FDE9-4337-483d-B9D3-BB384F7E11F4}.exe	{A15B4834-21ED-45f4-82F3-283768503F03}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2540	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2576	{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe
Token: SeIncBasePriorityPrivilege	2512	{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe
Token: SeIncBasePriorityPrivilege	2420	{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe
Token: SeIncBasePriorityPrivilege	2968	{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe
Token: SeIncBasePriorityPrivilege	2808	{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe
Token: SeIncBasePriorityPrivilege	2912	{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe
Token: SeIncBasePriorityPrivilege	1692	{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe
Token: SeIncBasePriorityPrivilege	2748	{F9D9CA6F-802F-41d8-9616-840E2580027C}.exe
Token: SeIncBasePriorityPrivilege	2756	{A15B4834-21ED-45f4-82F3-283768503F03}.exe
Token: SeIncBasePriorityPrivilege	2548	{7A62FDE9-4337-483d-B9D3-BB384F7E11F4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2576	2540	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe	28
PID 2540 wrote to memory of 2576	2540	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe	28
PID 2540 wrote to memory of 2576	2540	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe	28
PID 2540 wrote to memory of 2576	2540	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe	28
PID 2540 wrote to memory of 2236	2540	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe	29
PID 2540 wrote to memory of 2236	2540	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe	29
PID 2540 wrote to memory of 2236	2540	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe	29
PID 2540 wrote to memory of 2236	2540	434701085cb18e57687009b54751fc5a_goldeneye_JC.exe	29
PID 2576 wrote to memory of 2512	2576	{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe	32
PID 2576 wrote to memory of 2512	2576	{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe	32
PID 2576 wrote to memory of 2512	2576	{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe	32
PID 2576 wrote to memory of 2512	2576	{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe	32
PID 2576 wrote to memory of 2892	2576	{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe	33
PID 2576 wrote to memory of 2892	2576	{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe	33
PID 2576 wrote to memory of 2892	2576	{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe	33
PID 2576 wrote to memory of 2892	2576	{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe	33
PID 2512 wrote to memory of 2420	2512	{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe	34
PID 2512 wrote to memory of 2420	2512	{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe	34
PID 2512 wrote to memory of 2420	2512	{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe	34
PID 2512 wrote to memory of 2420	2512	{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe	34
PID 2512 wrote to memory of 2852	2512	{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe	35
PID 2512 wrote to memory of 2852	2512	{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe	35
PID 2512 wrote to memory of 2852	2512	{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe	35
PID 2512 wrote to memory of 2852	2512	{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe	35
PID 2420 wrote to memory of 2968	2420	{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe	36
PID 2420 wrote to memory of 2968	2420	{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe	36
PID 2420 wrote to memory of 2968	2420	{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe	36
PID 2420 wrote to memory of 2968	2420	{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe	36
PID 2420 wrote to memory of 2856	2420	{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe	37
PID 2420 wrote to memory of 2856	2420	{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe	37
PID 2420 wrote to memory of 2856	2420	{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe	37
PID 2420 wrote to memory of 2856	2420	{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe	37
PID 2968 wrote to memory of 2808	2968	{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe	38
PID 2968 wrote to memory of 2808	2968	{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe	38
PID 2968 wrote to memory of 2808	2968	{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe	38
PID 2968 wrote to memory of 2808	2968	{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe	38
PID 2968 wrote to memory of 2904	2968	{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe	39
PID 2968 wrote to memory of 2904	2968	{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe	39
PID 2968 wrote to memory of 2904	2968	{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe	39
PID 2968 wrote to memory of 2904	2968	{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe	39
PID 2808 wrote to memory of 2912	2808	{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe	40
PID 2808 wrote to memory of 2912	2808	{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe	40
PID 2808 wrote to memory of 2912	2808	{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe	40
PID 2808 wrote to memory of 2912	2808	{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe	40
PID 2808 wrote to memory of 2740	2808	{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe	41
PID 2808 wrote to memory of 2740	2808	{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe	41
PID 2808 wrote to memory of 2740	2808	{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe	41
PID 2808 wrote to memory of 2740	2808	{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe	41
PID 2912 wrote to memory of 1692	2912	{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe	42
PID 2912 wrote to memory of 1692	2912	{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe	42
PID 2912 wrote to memory of 1692	2912	{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe	42
PID 2912 wrote to memory of 1692	2912	{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe	42
PID 2912 wrote to memory of 2876	2912	{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe	43
PID 2912 wrote to memory of 2876	2912	{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe	43
PID 2912 wrote to memory of 2876	2912	{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe	43
PID 2912 wrote to memory of 2876	2912	{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe	43
PID 1692 wrote to memory of 2748	1692	{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe	44
PID 1692 wrote to memory of 2748	1692	{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe	44
PID 1692 wrote to memory of 2748	1692	{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe	44
PID 1692 wrote to memory of 2748	1692	{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe	44
PID 1692 wrote to memory of 2700	1692	{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe	45
PID 1692 wrote to memory of 2700	1692	{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe	45
PID 1692 wrote to memory of 2700	1692	{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe	45
PID 1692 wrote to memory of 2700	1692	{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe	45

C:\Users\Admin\AppData\Local\Temp\434701085cb18e57687009b54751fc5a_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\434701085cb18e57687009b54751fc5a_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe
  C:\Windows\{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe
    C:\Windows\{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe
      C:\Windows\{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2420
    - - C:\Windows\{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe
        
        C:\Windows\{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe
        
        C:\Windows\{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe
        
        C:\Windows\{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe
        
        C:\Windows\{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\{F9D9CA6F-802F-41d8-9616-840E2580027C}.exe
        
        C:\Windows\{F9D9CA6F-802F-41d8-9616-840E2580027C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\{A15B4834-21ED-45f4-82F3-283768503F03}.exe
        
        C:\Windows\{A15B4834-21ED-45f4-82F3-283768503F03}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\{7A62FDE9-4337-483d-B9D3-BB384F7E11F4}.exe
        
        C:\Windows\{7A62FDE9-4337-483d-B9D3-BB384F7E11F4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A62F~1.EXE > nul
        12⤵
        
        PID:3056
        
        C:\Windows\{FC58825B-7561-47e1-8F67-03E8ED6407EC}.exe
        
        C:\Windows\{FC58825B-7561-47e1-8F67-03E8ED6407EC}.exe
        12⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A15B4~1.EXE > nul
        11⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9D9C~1.EXE > nul
        10⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{780A4~1.EXE > nul
        9⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2942~1.EXE > nul
        8⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{964D1~1.EXE > nul
        7⤵
        
        PID:2740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77EE0~1.EXE > nul
        6⤵
        
        PID:2904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{039CB~1.EXE > nul
        5⤵
        
        PID:2856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{530BD~1.EXE > nul
      4⤵
      PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0FB9A~1.EXE > nul
    3⤵
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\434701~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe

Filesize
216KB

MD5
05e7d44eb54bc1eaeff315c0ab8cdca6

SHA1
60b0c20e81e34bbfa31390ce7170886052be6153

SHA256
d12915adb9686687ad02848cf54784577c4a640d0f1fc389b601f3beff4d316a

SHA512
ae922a2a740e342312664ab31c3b5e418a866189e9cd23398f2552a1ca7ad49cd80d76856fd53508c5f7432f238ae20beb404083c49cc2fe3fc674972eca0a18

Download Submit
C:\Windows\{039CBD8C-FF80-4c88-80DE-7C67DF5A7C57}.exe

Filesize
216KB

MD5
05e7d44eb54bc1eaeff315c0ab8cdca6

SHA1
60b0c20e81e34bbfa31390ce7170886052be6153

SHA256
d12915adb9686687ad02848cf54784577c4a640d0f1fc389b601f3beff4d316a

SHA512
ae922a2a740e342312664ab31c3b5e418a866189e9cd23398f2552a1ca7ad49cd80d76856fd53508c5f7432f238ae20beb404083c49cc2fe3fc674972eca0a18

Download Submit
C:\Windows\{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe

Filesize
216KB

MD5
0c2ea6f6325c14e2f2b7d70576ed18eb

SHA1
6ec010b6f59ae171a797d6cb355b73f6b094e3a7

SHA256
8074b2ae3599dcb0e23c75669a8794140676ed5bc6ffe1104bba843e808c3328

SHA512
6274383e79a6b04c631f19bd6d0d8017ee4b6e72092d6e562ac6a72f0ee2a27333543403a1ed84b938769ec9826258ffddc4c78c1a54cdea022344213a9cd70f

Download Submit
C:\Windows\{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe

Filesize
216KB

MD5
0c2ea6f6325c14e2f2b7d70576ed18eb

SHA1
6ec010b6f59ae171a797d6cb355b73f6b094e3a7

SHA256
8074b2ae3599dcb0e23c75669a8794140676ed5bc6ffe1104bba843e808c3328

SHA512
6274383e79a6b04c631f19bd6d0d8017ee4b6e72092d6e562ac6a72f0ee2a27333543403a1ed84b938769ec9826258ffddc4c78c1a54cdea022344213a9cd70f

Download Submit
C:\Windows\{0FB9A016-5496-4d32-B5B8-BB566AEDBD25}.exe

Filesize
216KB

MD5
0c2ea6f6325c14e2f2b7d70576ed18eb

SHA1
6ec010b6f59ae171a797d6cb355b73f6b094e3a7

SHA256
8074b2ae3599dcb0e23c75669a8794140676ed5bc6ffe1104bba843e808c3328

SHA512
6274383e79a6b04c631f19bd6d0d8017ee4b6e72092d6e562ac6a72f0ee2a27333543403a1ed84b938769ec9826258ffddc4c78c1a54cdea022344213a9cd70f

Download Submit
C:\Windows\{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe

Filesize
216KB

MD5
7a67db9288e3840824c4d43c91de4b8c

SHA1
ba64b79fbdb4955a94c560aa613410dddf26f5e7

SHA256
a6e8ded65922a25fb2aa45477eacfacef26b029b98bb0ca1fddc8ef70c1f1ce3

SHA512
379ce713a1303bf99c5f52b176193331370f521cc8d40ff66d29284d51940286e49dc5931efe046ec3a515d81da0707d5471a92f12631369434e83bfd450f30d

Download Submit
C:\Windows\{530BDD22-64B0-4174-9B75-E2060AD5B43E}.exe

Filesize
216KB

MD5
7a67db9288e3840824c4d43c91de4b8c

SHA1
ba64b79fbdb4955a94c560aa613410dddf26f5e7

SHA256
a6e8ded65922a25fb2aa45477eacfacef26b029b98bb0ca1fddc8ef70c1f1ce3

SHA512
379ce713a1303bf99c5f52b176193331370f521cc8d40ff66d29284d51940286e49dc5931efe046ec3a515d81da0707d5471a92f12631369434e83bfd450f30d

Download Submit
C:\Windows\{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe

Filesize
216KB

MD5
1c3cd570585e9701fc02e504338a7195

SHA1
57592a29a1c8077d3eadd33344b60b988da752d1

SHA256
ccbab198380e9366defa4128513fceb00da6285c1df410ba581b9643e3fe6b5b

SHA512
412965994bcc442cb3f4e276a95ef05650aabc19d8118c90d852812d3c59bd2ea819347bc9a37630320ea0ea64d58fa8e4e880effd9dcbbfb36b70ac6a6e1ec9

Download Submit
C:\Windows\{77EE0D57-2C73-4200-BE4A-399311F2DD63}.exe

Filesize
216KB

MD5
1c3cd570585e9701fc02e504338a7195

SHA1
57592a29a1c8077d3eadd33344b60b988da752d1

SHA256
ccbab198380e9366defa4128513fceb00da6285c1df410ba581b9643e3fe6b5b

SHA512
412965994bcc442cb3f4e276a95ef05650aabc19d8118c90d852812d3c59bd2ea819347bc9a37630320ea0ea64d58fa8e4e880effd9dcbbfb36b70ac6a6e1ec9

Download Submit
C:\Windows\{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe

Filesize
216KB

MD5
1e08499c81b221082753c647026f409a

SHA1
2eab95f2bf7d9792c967db21d6a9802ffc93c50a

SHA256
f5c28cf5c503ae78a697d9ba679c3d9bcf15b6343ba74729fb5f14c48f5d5c11

SHA512
6c5000937307d2b7dc406cdff93d1ce5b17e422df9e3c24ba7eb69b39cb41ec4a5180ec6eea1e02815762a59ebdc0ff1637fe6eeac807df2be7117737b11a9d5

Download Submit
C:\Windows\{780A406E-ED96-4dcc-88DD-2810C657E2A4}.exe

Filesize
216KB

MD5
1e08499c81b221082753c647026f409a

SHA1
2eab95f2bf7d9792c967db21d6a9802ffc93c50a

SHA256
f5c28cf5c503ae78a697d9ba679c3d9bcf15b6343ba74729fb5f14c48f5d5c11

SHA512
6c5000937307d2b7dc406cdff93d1ce5b17e422df9e3c24ba7eb69b39cb41ec4a5180ec6eea1e02815762a59ebdc0ff1637fe6eeac807df2be7117737b11a9d5

Download Submit
C:\Windows\{7A62FDE9-4337-483d-B9D3-BB384F7E11F4}.exe

Filesize
216KB

MD5
50cc8a02569d0a6801a1fba9d0288ff0

SHA1
9f4fb0010c10cf04d0e5a2715d0f612290ecda59

SHA256
dcedaf69b2c08425bbf9d7884c1b0b9996df1775f98332ecfbdebd99ca0e6822

SHA512
7c8d16bf173d543b91dc28368fdf9045811b46f64852ac1ff907840572a6a11abd6c0515bfde38b9c2f1f9fdfc780735317e012de3e9b6c73cdfdee047a6dad4

Download Submit
C:\Windows\{7A62FDE9-4337-483d-B9D3-BB384F7E11F4}.exe

Filesize
216KB

MD5
50cc8a02569d0a6801a1fba9d0288ff0

SHA1
9f4fb0010c10cf04d0e5a2715d0f612290ecda59

SHA256
dcedaf69b2c08425bbf9d7884c1b0b9996df1775f98332ecfbdebd99ca0e6822

SHA512
7c8d16bf173d543b91dc28368fdf9045811b46f64852ac1ff907840572a6a11abd6c0515bfde38b9c2f1f9fdfc780735317e012de3e9b6c73cdfdee047a6dad4

Download Submit
C:\Windows\{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe

Filesize
216KB

MD5
010d33cc7bb3a71210cb70c8dde6cf4e

SHA1
1187e073e4f462d326774b797c1313ecf0a962ff

SHA256
cc9af8bb848d36e4f3c82d503a5626e917940b103845152d88150fae6ccf7c12

SHA512
38d85dd137ed74818614648f3461e89412727a7aad237838e34b499bc1d47f1a59941107c0ecc0bd6bba7792a63f8fdce88a34d5a882529a1ef26b162ea7d359

Download Submit
C:\Windows\{964D122D-C4E2-420e-9B03-F97A4CC5A8F6}.exe

Filesize
216KB

MD5
010d33cc7bb3a71210cb70c8dde6cf4e

SHA1
1187e073e4f462d326774b797c1313ecf0a962ff

SHA256
cc9af8bb848d36e4f3c82d503a5626e917940b103845152d88150fae6ccf7c12

SHA512
38d85dd137ed74818614648f3461e89412727a7aad237838e34b499bc1d47f1a59941107c0ecc0bd6bba7792a63f8fdce88a34d5a882529a1ef26b162ea7d359

Download Submit
C:\Windows\{A15B4834-21ED-45f4-82F3-283768503F03}.exe

Filesize
216KB

MD5
422689d2536a3988e02ad4aa0669911f

SHA1
d92c42a211b53800ab13aff8d0f69e4afac6e251

SHA256
37449affffd26e08a070e6053642d700dea606eae2bb2664c8858c47ae5e18fa

SHA512
510546fa2d31b17e36157ace2ddd4119f46dfd5682fbde82a8117f4d582fb9e7a67cde2ca5acb12d0662b3b17410c9980fcc39b96079feb9aa27833d3cb130cc

Download Submit
C:\Windows\{A15B4834-21ED-45f4-82F3-283768503F03}.exe

Filesize
216KB

MD5
422689d2536a3988e02ad4aa0669911f

SHA1
d92c42a211b53800ab13aff8d0f69e4afac6e251

SHA256
37449affffd26e08a070e6053642d700dea606eae2bb2664c8858c47ae5e18fa

SHA512
510546fa2d31b17e36157ace2ddd4119f46dfd5682fbde82a8117f4d582fb9e7a67cde2ca5acb12d0662b3b17410c9980fcc39b96079feb9aa27833d3cb130cc

Download Submit
C:\Windows\{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe

Filesize
216KB

MD5
fa3eab9fe6486a5d6fc5045653edefbe

SHA1
7dfb0433c9801fe240fce7aadd7ae04734db7e65

SHA256
c18305c13d5287d95fd740493aea3ca0358e38ad7b4f24ca3c18a9f0a76e6e78

SHA512
44f6bae508620f8a368d8c0b3e5fc7d227e523bb204f180716260ffe489dabca897388661042fc301dc44830177cb18d17f296de621fac0f8cda4caba3279043

Download Submit
C:\Windows\{D2942551-0DE5-41aa-AEE0-3E7FC37C4A60}.exe

Filesize
216KB

MD5
fa3eab9fe6486a5d6fc5045653edefbe

SHA1
7dfb0433c9801fe240fce7aadd7ae04734db7e65

SHA256
c18305c13d5287d95fd740493aea3ca0358e38ad7b4f24ca3c18a9f0a76e6e78

SHA512
44f6bae508620f8a368d8c0b3e5fc7d227e523bb204f180716260ffe489dabca897388661042fc301dc44830177cb18d17f296de621fac0f8cda4caba3279043

Download Submit
C:\Windows\{F9D9CA6F-802F-41d8-9616-840E2580027C}.exe

Filesize
216KB

MD5
c8d83d0ed1a3124975f374193689b841

SHA1
a935736d00177694bac4da52af2b7a37e4137b45

SHA256
be07a5f01e50c60f6d6906332395936d370f469880c0acc84ca9a5aa9da04904

SHA512
f4a451efabbc81ed6478a7e50a5d73f1ce548ddff5b66b7645f9e29fe52b17f287c85d64dfc6a089e43bc0f531b165309afb1e9a6bd7300cbae3656c2e1cf504

Download Submit
C:\Windows\{F9D9CA6F-802F-41d8-9616-840E2580027C}.exe

Filesize
216KB

MD5
c8d83d0ed1a3124975f374193689b841

SHA1
a935736d00177694bac4da52af2b7a37e4137b45

SHA256
be07a5f01e50c60f6d6906332395936d370f469880c0acc84ca9a5aa9da04904

SHA512
f4a451efabbc81ed6478a7e50a5d73f1ce548ddff5b66b7645f9e29fe52b17f287c85d64dfc6a089e43bc0f531b165309afb1e9a6bd7300cbae3656c2e1cf504

Download Submit
C:\Windows\{FC58825B-7561-47e1-8F67-03E8ED6407EC}.exe

Filesize
216KB

MD5
e6ddb93560a1df75cfe827624f7b0934

SHA1
f751044df3bdf86657b8279bfe62a4e36db29bd7

SHA256
2467d3e9ae5fa0065242506ecb487f7515378712d1eccc76ae7397752d1139c5

SHA512
187de56a82b4f36e24d248cc0a02456007bcd80564871fa3d34fef0052264ce48c35263b22500f314dc7fb5a44170aeae5b4fb0f510a22910ed35ccb5283f680

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads