a34e69d45ebc6d6c911d3abf6f6d90fb9088fc4c4256bcd60d817722decb02ce

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19-08-2023 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe
Size

372KB
MD5

4469d6d1558a553420db4e4511c7c968
SHA1

86f8c94dc9733b69aa52ac22508a265ec9c4e71e
SHA256

a34e69d45ebc6d6c911d3abf6f6d90fb9088fc4c4256bcd60d817722decb02ce
SHA512

72f02b5b8228098c7d6d01017f0b93dff6c55ccecd22f7369a6fff7332a9cf984ed18a798380061a5a0eeb38d7c5e112756635c7d0b013433f2d81e38a24413c
SSDEEP

3072:CEGh0odmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGCl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}\stubpath = "C:\\Windows\\{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe"	{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{808EC74E-FBB5-4769-9C70-4727478ECAE4}\stubpath = "C:\\Windows\\{808EC74E-FBB5-4769-9C70-4727478ECAE4}.exe"	{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C073821D-8C69-46c9-AB9E-F2F7D0FA0625}	{0C4A0FCC-3C4C-4f1e-9713-660087F3E66E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02636851-A22C-4e81-B7EA-E252CAA42EF0}\stubpath = "C:\\Windows\\{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe"	{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36487C75-08B8-4795-A964-662D47899592}	{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36487C75-08B8-4795-A964-662D47899592}\stubpath = "C:\\Windows\\{36487C75-08B8-4795-A964-662D47899592}.exe"	{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}\stubpath = "C:\\Windows\\{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe"	{C238E453-C06A-41b4-B172-3C1B339271AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37993C5F-F917-4649-BAC2-B74B641D9D0A}	{C073821D-8C69-46c9-AB9E-F2F7D0FA0625}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}\stubpath = "C:\\Windows\\{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe"	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23B9DAEB-8294-49db-8D09-C6E52322DF72}	{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C238E453-C06A-41b4-B172-3C1B339271AB}\stubpath = "C:\\Windows\\{C238E453-C06A-41b4-B172-3C1B339271AB}.exe"	{36487C75-08B8-4795-A964-662D47899592}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37993C5F-F917-4649-BAC2-B74B641D9D0A}\stubpath = "C:\\Windows\\{37993C5F-F917-4649-BAC2-B74B641D9D0A}.exe"	{C073821D-8C69-46c9-AB9E-F2F7D0FA0625}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02636851-A22C-4e81-B7EA-E252CAA42EF0}	{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C238E453-C06A-41b4-B172-3C1B339271AB}	{36487C75-08B8-4795-A964-662D47899592}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}	{C238E453-C06A-41b4-B172-3C1B339271AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}	{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{808EC74E-FBB5-4769-9C70-4727478ECAE4}	{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C4A0FCC-3C4C-4f1e-9713-660087F3E66E}	{808EC74E-FBB5-4769-9C70-4727478ECAE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C4A0FCC-3C4C-4f1e-9713-660087F3E66E}\stubpath = "C:\\Windows\\{0C4A0FCC-3C4C-4f1e-9713-660087F3E66E}.exe"	{808EC74E-FBB5-4769-9C70-4727478ECAE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C073821D-8C69-46c9-AB9E-F2F7D0FA0625}\stubpath = "C:\\Windows\\{C073821D-8C69-46c9-AB9E-F2F7D0FA0625}.exe"	{0C4A0FCC-3C4C-4f1e-9713-660087F3E66E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23B9DAEB-8294-49db-8D09-C6E52322DF72}\stubpath = "C:\\Windows\\{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe"	{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe

Deletes itself 1 IoCs

pid	Process
1544	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2496	{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe
2920	{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe
2868	{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe
2444	{36487C75-08B8-4795-A964-662D47899592}.exe
2708	{C238E453-C06A-41b4-B172-3C1B339271AB}.exe
1984	{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe
1092	{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe
764	{808EC74E-FBB5-4769-9C70-4727478ECAE4}.exe
2168	{0C4A0FCC-3C4C-4f1e-9713-660087F3E66E}.exe
2308	{C073821D-8C69-46c9-AB9E-F2F7D0FA0625}.exe
2088	{37993C5F-F917-4649-BAC2-B74B641D9D0A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0C4A0FCC-3C4C-4f1e-9713-660087F3E66E}.exe	{808EC74E-FBB5-4769-9C70-4727478ECAE4}.exe
File created	C:\Windows\{C073821D-8C69-46c9-AB9E-F2F7D0FA0625}.exe	{0C4A0FCC-3C4C-4f1e-9713-660087F3E66E}.exe
File created	C:\Windows\{36487C75-08B8-4795-A964-662D47899592}.exe	{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe
File created	C:\Windows\{808EC74E-FBB5-4769-9C70-4727478ECAE4}.exe	{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe
File created	C:\Windows\{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe	{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe
File created	C:\Windows\{C238E453-C06A-41b4-B172-3C1B339271AB}.exe	{36487C75-08B8-4795-A964-662D47899592}.exe
File created	C:\Windows\{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe	{C238E453-C06A-41b4-B172-3C1B339271AB}.exe
File created	C:\Windows\{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe	{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe
File created	C:\Windows\{37993C5F-F917-4649-BAC2-B74B641D9D0A}.exe	{C073821D-8C69-46c9-AB9E-F2F7D0FA0625}.exe
File created	C:\Windows\{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe
File created	C:\Windows\{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe	{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2528	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2496	{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe
Token: SeIncBasePriorityPrivilege	2920	{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe
Token: SeIncBasePriorityPrivilege	2868	{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe
Token: SeIncBasePriorityPrivilege	2444	{36487C75-08B8-4795-A964-662D47899592}.exe
Token: SeIncBasePriorityPrivilege	2708	{C238E453-C06A-41b4-B172-3C1B339271AB}.exe
Token: SeIncBasePriorityPrivilege	1984	{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe
Token: SeIncBasePriorityPrivilege	1092	{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe
Token: SeIncBasePriorityPrivilege	764	{808EC74E-FBB5-4769-9C70-4727478ECAE4}.exe
Token: SeIncBasePriorityPrivilege	2168	{0C4A0FCC-3C4C-4f1e-9713-660087F3E66E}.exe
Token: SeIncBasePriorityPrivilege	2308	{C073821D-8C69-46c9-AB9E-F2F7D0FA0625}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2496	2528	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe	28
PID 2528 wrote to memory of 2496	2528	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe	28
PID 2528 wrote to memory of 2496	2528	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe	28
PID 2528 wrote to memory of 2496	2528	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe	28
PID 2528 wrote to memory of 1544	2528	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe	29
PID 2528 wrote to memory of 1544	2528	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe	29
PID 2528 wrote to memory of 1544	2528	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe	29
PID 2528 wrote to memory of 1544	2528	4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe	29
PID 2496 wrote to memory of 2920	2496	{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe	32
PID 2496 wrote to memory of 2920	2496	{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe	32
PID 2496 wrote to memory of 2920	2496	{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe	32
PID 2496 wrote to memory of 2920	2496	{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe	32
PID 2496 wrote to memory of 2932	2496	{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe	33
PID 2496 wrote to memory of 2932	2496	{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe	33
PID 2496 wrote to memory of 2932	2496	{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe	33
PID 2496 wrote to memory of 2932	2496	{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe	33
PID 2920 wrote to memory of 2868	2920	{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe	34
PID 2920 wrote to memory of 2868	2920	{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe	34
PID 2920 wrote to memory of 2868	2920	{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe	34
PID 2920 wrote to memory of 2868	2920	{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe	34
PID 2920 wrote to memory of 3032	2920	{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe	35
PID 2920 wrote to memory of 3032	2920	{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe	35
PID 2920 wrote to memory of 3032	2920	{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe	35
PID 2920 wrote to memory of 3032	2920	{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe	35
PID 2868 wrote to memory of 2444	2868	{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe	36
PID 2868 wrote to memory of 2444	2868	{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe	36
PID 2868 wrote to memory of 2444	2868	{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe	36
PID 2868 wrote to memory of 2444	2868	{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe	36
PID 2868 wrote to memory of 2820	2868	{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe	37
PID 2868 wrote to memory of 2820	2868	{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe	37
PID 2868 wrote to memory of 2820	2868	{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe	37
PID 2868 wrote to memory of 2820	2868	{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe	37
PID 2444 wrote to memory of 2708	2444	{36487C75-08B8-4795-A964-662D47899592}.exe	38
PID 2444 wrote to memory of 2708	2444	{36487C75-08B8-4795-A964-662D47899592}.exe	38
PID 2444 wrote to memory of 2708	2444	{36487C75-08B8-4795-A964-662D47899592}.exe	38
PID 2444 wrote to memory of 2708	2444	{36487C75-08B8-4795-A964-662D47899592}.exe	38
PID 2444 wrote to memory of 2764	2444	{36487C75-08B8-4795-A964-662D47899592}.exe	39
PID 2444 wrote to memory of 2764	2444	{36487C75-08B8-4795-A964-662D47899592}.exe	39
PID 2444 wrote to memory of 2764	2444	{36487C75-08B8-4795-A964-662D47899592}.exe	39
PID 2444 wrote to memory of 2764	2444	{36487C75-08B8-4795-A964-662D47899592}.exe	39
PID 2708 wrote to memory of 1984	2708	{C238E453-C06A-41b4-B172-3C1B339271AB}.exe	40
PID 2708 wrote to memory of 1984	2708	{C238E453-C06A-41b4-B172-3C1B339271AB}.exe	40
PID 2708 wrote to memory of 1984	2708	{C238E453-C06A-41b4-B172-3C1B339271AB}.exe	40
PID 2708 wrote to memory of 1984	2708	{C238E453-C06A-41b4-B172-3C1B339271AB}.exe	40
PID 2708 wrote to memory of 2976	2708	{C238E453-C06A-41b4-B172-3C1B339271AB}.exe	41
PID 2708 wrote to memory of 2976	2708	{C238E453-C06A-41b4-B172-3C1B339271AB}.exe	41
PID 2708 wrote to memory of 2976	2708	{C238E453-C06A-41b4-B172-3C1B339271AB}.exe	41
PID 2708 wrote to memory of 2976	2708	{C238E453-C06A-41b4-B172-3C1B339271AB}.exe	41
PID 1984 wrote to memory of 1092	1984	{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe	42
PID 1984 wrote to memory of 1092	1984	{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe	42
PID 1984 wrote to memory of 1092	1984	{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe	42
PID 1984 wrote to memory of 1092	1984	{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe	42
PID 1984 wrote to memory of 1296	1984	{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe	43
PID 1984 wrote to memory of 1296	1984	{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe	43
PID 1984 wrote to memory of 1296	1984	{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe	43
PID 1984 wrote to memory of 1296	1984	{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe	43
PID 1092 wrote to memory of 764	1092	{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe	44
PID 1092 wrote to memory of 764	1092	{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe	44
PID 1092 wrote to memory of 764	1092	{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe	44
PID 1092 wrote to memory of 764	1092	{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe	44
PID 1092 wrote to memory of 1128	1092	{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe	45
PID 1092 wrote to memory of 1128	1092	{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe	45
PID 1092 wrote to memory of 1128	1092	{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe	45
PID 1092 wrote to memory of 1128	1092	{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe	45

C:\Users\Admin\AppData\Local\Temp\4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\4469d6d1558a553420db4e4511c7c968_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe
  C:\Windows\{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe
    C:\Windows\{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe
      C:\Windows\{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\{36487C75-08B8-4795-A964-662D47899592}.exe
        
        C:\Windows\{36487C75-08B8-4795-A964-662D47899592}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\{C238E453-C06A-41b4-B172-3C1B339271AB}.exe
        
        C:\Windows\{C238E453-C06A-41b4-B172-3C1B339271AB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe
        
        C:\Windows\{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe
        
        C:\Windows\{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\{808EC74E-FBB5-4769-9C70-4727478ECAE4}.exe
        
        C:\Windows\{808EC74E-FBB5-4769-9C70-4727478ECAE4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\{0C4A0FCC-3C4C-4f1e-9713-660087F3E66E}.exe
        
        C:\Windows\{0C4A0FCC-3C4C-4f1e-9713-660087F3E66E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\{C073821D-8C69-46c9-AB9E-F2F7D0FA0625}.exe
        
        C:\Windows\{C073821D-8C69-46c9-AB9E-F2F7D0FA0625}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\{37993C5F-F917-4649-BAC2-B74B641D9D0A}.exe
        
        C:\Windows\{37993C5F-F917-4649-BAC2-B74B641D9D0A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0738~1.EXE > nul
        12⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C4A0~1.EXE > nul
        11⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{808EC~1.EXE > nul
        10⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8C35~1.EXE > nul
        9⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD297~1.EXE > nul
        8⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C238E~1.EXE > nul
        7⤵
        
        PID:2976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36487~1.EXE > nul
        6⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23B9D~1.EXE > nul
        5⤵
        
        PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{02636~1.EXE > nul
      4⤵
      PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7CAA1~1.EXE > nul
    3⤵
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4469D6~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe

Filesize
372KB

MD5
502996cb7cac74c99e0c93ab69960162

SHA1
327b83ee2084ac1d9e808a1279d0d17181cfa1a1

SHA256
75ff30510cdebb82d6309a26042c0d5a74e7e4140d4e298ed4659305a3957668

SHA512
6fe19266c76f40f12a1f443347792ce358c89a72ee6ac1ea25f285e45c4e59322c11f90bf2b42c1ba4fdf719b5148880e2ba7e96794074a521c84fff4e9bb817

Download Submit
C:\Windows\{02636851-A22C-4e81-B7EA-E252CAA42EF0}.exe

Filesize
372KB

MD5
502996cb7cac74c99e0c93ab69960162

SHA1
327b83ee2084ac1d9e808a1279d0d17181cfa1a1

SHA256
75ff30510cdebb82d6309a26042c0d5a74e7e4140d4e298ed4659305a3957668

SHA512
6fe19266c76f40f12a1f443347792ce358c89a72ee6ac1ea25f285e45c4e59322c11f90bf2b42c1ba4fdf719b5148880e2ba7e96794074a521c84fff4e9bb817

Download Submit
C:\Windows\{0C4A0FCC-3C4C-4f1e-9713-660087F3E66E}.exe

Filesize
372KB

MD5
ffe12784c17ac47c175ac782915e2ef0

SHA1
f468ceb8bd0c6180bb02835865b4734fd903c05d

SHA256
6252e1f934147542310542204882560424abd375281ac0b343b256a1f62d78cc

SHA512
c7809b19efd059cd894e17ca4ca1d7d4ddb891deb82666a4118144c300f791b75f0376ad056797e99fd7b5ff3dd539400ab36cd58245b9001f963965cdafa978

Download Submit
C:\Windows\{0C4A0FCC-3C4C-4f1e-9713-660087F3E66E}.exe

Filesize
372KB

MD5
ffe12784c17ac47c175ac782915e2ef0

SHA1
f468ceb8bd0c6180bb02835865b4734fd903c05d

SHA256
6252e1f934147542310542204882560424abd375281ac0b343b256a1f62d78cc

SHA512
c7809b19efd059cd894e17ca4ca1d7d4ddb891deb82666a4118144c300f791b75f0376ad056797e99fd7b5ff3dd539400ab36cd58245b9001f963965cdafa978

Download Submit
C:\Windows\{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe

Filesize
372KB

MD5
cf960fecfc6c4adffc923a32127c7003

SHA1
66c8a3baa5cc2aa7a19e6285e3c8a9ae86e0590a

SHA256
3f5338c176d40e421c4fddab500ad32e7e6afea027043c1b7ee8ec974a0288cb

SHA512
ca6abf91c79c313e77823b469a95c5fc5d6c5a28660af906cacd82a10fb5d1afb495855905f23715f74beff76df0b306816e041c5c955a7a54a8094c42152e3e

Download Submit
C:\Windows\{23B9DAEB-8294-49db-8D09-C6E52322DF72}.exe

Filesize
372KB

MD5
cf960fecfc6c4adffc923a32127c7003

SHA1
66c8a3baa5cc2aa7a19e6285e3c8a9ae86e0590a

SHA256
3f5338c176d40e421c4fddab500ad32e7e6afea027043c1b7ee8ec974a0288cb

SHA512
ca6abf91c79c313e77823b469a95c5fc5d6c5a28660af906cacd82a10fb5d1afb495855905f23715f74beff76df0b306816e041c5c955a7a54a8094c42152e3e

Download Submit
C:\Windows\{36487C75-08B8-4795-A964-662D47899592}.exe

Filesize
372KB

MD5
08cd9db35a67560708ec060bc5f00091

SHA1
0e676766e5e3afd35dd86ea3297f42e05447ef10

SHA256
84d081a8483767ca2dd1a8df11bbea06691b0c1b50b58c4d6a385591df44201d

SHA512
c13641e3c98ad6a8ed0f11b86d7bfd7695b5d6c64cad5f09d903d011105d5a969fc19ec6af1324a7489e35cfc0ef182cf217e47ebeb0727b1d7fa04f4ef83a9d

Download Submit
C:\Windows\{36487C75-08B8-4795-A964-662D47899592}.exe

Filesize
372KB

MD5
08cd9db35a67560708ec060bc5f00091

SHA1
0e676766e5e3afd35dd86ea3297f42e05447ef10

SHA256
84d081a8483767ca2dd1a8df11bbea06691b0c1b50b58c4d6a385591df44201d

SHA512
c13641e3c98ad6a8ed0f11b86d7bfd7695b5d6c64cad5f09d903d011105d5a969fc19ec6af1324a7489e35cfc0ef182cf217e47ebeb0727b1d7fa04f4ef83a9d

Download Submit
C:\Windows\{37993C5F-F917-4649-BAC2-B74B641D9D0A}.exe

Filesize
372KB

MD5
f6657ed2ce3a075056afd38dd10a73d4

SHA1
35d1f134a9b5ed475e09462e092e17dea4dfc788

SHA256
2fb6ce772c123f4711d09701ff5cbb464cc9f4b0a6a585dbef363add5710ca98

SHA512
70823404e9e57d94d6895bef603919a6bca33be301d8a9a910f7eeaa82d8a0fc7aa10f807c41c2c825ca6a75dfb7d0a53cce6801d074397964e87f914ecf250d

Download Submit
C:\Windows\{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe

Filesize
372KB

MD5
9ec7d85dfdc2928fd90c41a2f1a1d4b0

SHA1
6253877759edc34a52b073976d6fc66ebc8b0714

SHA256
1992ac2b4e6359180145e4d2c06b71a79ed8a6c8a1dc71e6fc296d52d161fcfe

SHA512
4950f5deea759af50d7eb0828056eb78f9b2a71b3fe3e249385a5fd5c36e82176032d03f4831be4fe0db8a76972a395a99ce0e22755ba295070e1ba91f1ee557

Download Submit
C:\Windows\{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe

Filesize
372KB

MD5
9ec7d85dfdc2928fd90c41a2f1a1d4b0

SHA1
6253877759edc34a52b073976d6fc66ebc8b0714

SHA256
1992ac2b4e6359180145e4d2c06b71a79ed8a6c8a1dc71e6fc296d52d161fcfe

SHA512
4950f5deea759af50d7eb0828056eb78f9b2a71b3fe3e249385a5fd5c36e82176032d03f4831be4fe0db8a76972a395a99ce0e22755ba295070e1ba91f1ee557

Download Submit
C:\Windows\{7CAA109C-20E3-4e63-ABBE-32B96E3C782F}.exe

Filesize
372KB

MD5
9ec7d85dfdc2928fd90c41a2f1a1d4b0

SHA1
6253877759edc34a52b073976d6fc66ebc8b0714

SHA256
1992ac2b4e6359180145e4d2c06b71a79ed8a6c8a1dc71e6fc296d52d161fcfe

SHA512
4950f5deea759af50d7eb0828056eb78f9b2a71b3fe3e249385a5fd5c36e82176032d03f4831be4fe0db8a76972a395a99ce0e22755ba295070e1ba91f1ee557

Download Submit
C:\Windows\{808EC74E-FBB5-4769-9C70-4727478ECAE4}.exe

Filesize
372KB

MD5
8f11eb516452220c2955cab201dc05a2

SHA1
e45129590d139abffa40c1feade75d9c620d3067

SHA256
fe5f4246c1cc12581c6ea35c92e8f1ce705976cc5241c03ce8ef2a29d6aa94e3

SHA512
34fbba85b2955859d2a50798c443735a0da75b16f0b01e90a6e7901e812805397ce4f39f5594bace14147bfae5f4c9d8edf96b0758c8bd5b2c5c1bfb2eebae50

Download Submit
C:\Windows\{808EC74E-FBB5-4769-9C70-4727478ECAE4}.exe

Filesize
372KB

MD5
8f11eb516452220c2955cab201dc05a2

SHA1
e45129590d139abffa40c1feade75d9c620d3067

SHA256
fe5f4246c1cc12581c6ea35c92e8f1ce705976cc5241c03ce8ef2a29d6aa94e3

SHA512
34fbba85b2955859d2a50798c443735a0da75b16f0b01e90a6e7901e812805397ce4f39f5594bace14147bfae5f4c9d8edf96b0758c8bd5b2c5c1bfb2eebae50

Download Submit
C:\Windows\{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe

Filesize
372KB

MD5
57a15649e10a76875c60aef412a7d7db

SHA1
2b33eec6d16d51c51b9900799c4ab8f9d73d1115

SHA256
bd47a26d75b534f4439f8698543d56cce7b256d99074d7bde917ff904c9831cf

SHA512
7230b4250ccf71a8f9e61906788e68b04f889ba88eb053304ecf7df4761a6c4e5ce203247a6024946c8891353113efdbbfc909f46dc31928afb307abb0658ab0

Download Submit
C:\Windows\{AD297EF3-C09F-4f6e-B996-A6DE4ADD32AB}.exe

Filesize
372KB

MD5
57a15649e10a76875c60aef412a7d7db

SHA1
2b33eec6d16d51c51b9900799c4ab8f9d73d1115

SHA256
bd47a26d75b534f4439f8698543d56cce7b256d99074d7bde917ff904c9831cf

SHA512
7230b4250ccf71a8f9e61906788e68b04f889ba88eb053304ecf7df4761a6c4e5ce203247a6024946c8891353113efdbbfc909f46dc31928afb307abb0658ab0

Download Submit
C:\Windows\{C073821D-8C69-46c9-AB9E-F2F7D0FA0625}.exe

Filesize
372KB

MD5
9a722e3f76daf89b86c14ad6d0aee315

SHA1
c2fcb06cfa7d09ed7d379f97a71461430a69b4da

SHA256
e2325b23ba6bb0d0008f2fbb3f31e2da90d8c203e4644eb88fcb54dbdc193606

SHA512
0c95eb1f8fc58c23c9f616dc6174eb6ae5970dc814b2eded0162aaa59aee2cb1be009d3dc4a7a98080eb7d9051103b7d219c9893e3e4c66f2b5db7032c6059d4

Download Submit
C:\Windows\{C073821D-8C69-46c9-AB9E-F2F7D0FA0625}.exe

Filesize
372KB

MD5
9a722e3f76daf89b86c14ad6d0aee315

SHA1
c2fcb06cfa7d09ed7d379f97a71461430a69b4da

SHA256
e2325b23ba6bb0d0008f2fbb3f31e2da90d8c203e4644eb88fcb54dbdc193606

SHA512
0c95eb1f8fc58c23c9f616dc6174eb6ae5970dc814b2eded0162aaa59aee2cb1be009d3dc4a7a98080eb7d9051103b7d219c9893e3e4c66f2b5db7032c6059d4

Download Submit
C:\Windows\{C238E453-C06A-41b4-B172-3C1B339271AB}.exe

Filesize
372KB

MD5
ca4aa04d0c78d2b1327faa3628d469c8

SHA1
cbf8a407c713159d00523ecd0628fd9c64d68dd3

SHA256
469b0164cdb0988d394d3299f0c4eb0e04fa148b9605af6c0f510925a486e0ac

SHA512
dfa7c97a9c5425e2a834372f5b8c6d5f37010c65a35972561911ec482b3ef77c8c0c358ee528be9f8ddbc70c7104c4195d6d35ca84144bdaee48311ec54f7a13

Download Submit
C:\Windows\{C238E453-C06A-41b4-B172-3C1B339271AB}.exe

Filesize
372KB

MD5
ca4aa04d0c78d2b1327faa3628d469c8

SHA1
cbf8a407c713159d00523ecd0628fd9c64d68dd3

SHA256
469b0164cdb0988d394d3299f0c4eb0e04fa148b9605af6c0f510925a486e0ac

SHA512
dfa7c97a9c5425e2a834372f5b8c6d5f37010c65a35972561911ec482b3ef77c8c0c358ee528be9f8ddbc70c7104c4195d6d35ca84144bdaee48311ec54f7a13

Download Submit
C:\Windows\{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe

Filesize
372KB

MD5
840bef19dc124423531cb049c42d68cd

SHA1
cc7e4c05fe7650c71a492f17063b35d855fc27ca

SHA256
a6681c6b28f8cd2d87970522ef268f4fb8640f9ac5c92bb7c0ab2a7fc04d93a9

SHA512
f1cbf6b81efce0f57e5c28d0d91cac699f328793dde1cebcc1b7c6c60c685e4da6156e8921c83e94d22f035d333b818fc4a4ac9c183274e0877b5bfd41dee763

Download Submit
C:\Windows\{E8C35AE9-8EF1-469c-B24A-35DF8EA01629}.exe

Filesize
372KB

MD5
840bef19dc124423531cb049c42d68cd

SHA1
cc7e4c05fe7650c71a492f17063b35d855fc27ca

SHA256
a6681c6b28f8cd2d87970522ef268f4fb8640f9ac5c92bb7c0ab2a7fc04d93a9

SHA512
f1cbf6b81efce0f57e5c28d0d91cac699f328793dde1cebcc1b7c6c60c685e4da6156e8921c83e94d22f035d333b818fc4a4ac9c183274e0877b5bfd41dee763

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads