2b22d8ec3d67af6f85acfce5ab6c5dde67ac34b69e60df3abdb48c98e7ec505b

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21/08/2023, 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe
Size

216KB
MD5

65c869d688b6cd1972b79cf52cb69e96
SHA1

b22b4c9b8e06cb7d7282b3ab7e8aa1ed102e9178
SHA256

2b22d8ec3d67af6f85acfce5ab6c5dde67ac34b69e60df3abdb48c98e7ec505b
SHA512

0dd47265c2c5ed4d001091205bc159b7f973afd698e899b9e770abf0321e78043ec0355588cdebf1b492daeb86c766478239dcfadab240397b8671a47d07bb58
SSDEEP

3072:jEGh0ovl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGdlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30FCCAD1-C952-4c39-A76B-3E68C172E947}\stubpath = "C:\\Windows\\{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe"	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}\stubpath = "C:\\Windows\\{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe"	{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF0C8888-21A0-4344-810D-A39527F37C1B}	{03812C4B-586D-47d8-B702-3C0248064B2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23D6E86D-33D0-4c05-80CE-9FDD2281E9F4}\stubpath = "C:\\Windows\\{23D6E86D-33D0-4c05-80CE-9FDD2281E9F4}.exe"	{5FC5A473-43A4-46d6-AE2F-D07737CF710F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E533E6E-76AF-4968-BDF0-124F67DAE14E}\stubpath = "C:\\Windows\\{5E533E6E-76AF-4968-BDF0-124F67DAE14E}.exe"	{23D6E86D-33D0-4c05-80CE-9FDD2281E9F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30FCCAD1-C952-4c39-A76B-3E68C172E947}	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}	{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}	{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF0C8888-21A0-4344-810D-A39527F37C1B}\stubpath = "C:\\Windows\\{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe"	{03812C4B-586D-47d8-B702-3C0248064B2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FC5A473-43A4-46d6-AE2F-D07737CF710F}\stubpath = "C:\\Windows\\{5FC5A473-43A4-46d6-AE2F-D07737CF710F}.exe"	{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23D6E86D-33D0-4c05-80CE-9FDD2281E9F4}	{5FC5A473-43A4-46d6-AE2F-D07737CF710F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03812C4B-586D-47d8-B702-3C0248064B2D}\stubpath = "C:\\Windows\\{03812C4B-586D-47d8-B702-3C0248064B2D}.exe"	{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FC5A473-43A4-46d6-AE2F-D07737CF710F}	{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{371D3B7E-3B13-4108-A76C-6AF7705FC01A}\stubpath = "C:\\Windows\\{371D3B7E-3B13-4108-A76C-6AF7705FC01A}.exe"	{5E533E6E-76AF-4968-BDF0-124F67DAE14E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}	{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}\stubpath = "C:\\Windows\\{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe"	{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}	{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}\stubpath = "C:\\Windows\\{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe"	{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}\stubpath = "C:\\Windows\\{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe"	{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03812C4B-586D-47d8-B702-3C0248064B2D}	{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E533E6E-76AF-4968-BDF0-124F67DAE14E}	{23D6E86D-33D0-4c05-80CE-9FDD2281E9F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{371D3B7E-3B13-4108-A76C-6AF7705FC01A}	{5E533E6E-76AF-4968-BDF0-124F67DAE14E}.exe

Deletes itself 1 IoCs

pid	Process
2560	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2304	{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe
1344	{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe
2804	{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe
2852	{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe
2704	{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe
2868	{03812C4B-586D-47d8-B702-3C0248064B2D}.exe
2812	{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe
2728	{5FC5A473-43A4-46d6-AE2F-D07737CF710F}.exe
2480	{23D6E86D-33D0-4c05-80CE-9FDD2281E9F4}.exe
1052	{5E533E6E-76AF-4968-BDF0-124F67DAE14E}.exe
1740	{371D3B7E-3B13-4108-A76C-6AF7705FC01A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5E533E6E-76AF-4968-BDF0-124F67DAE14E}.exe	{23D6E86D-33D0-4c05-80CE-9FDD2281E9F4}.exe
File created	C:\Windows\{371D3B7E-3B13-4108-A76C-6AF7705FC01A}.exe	{5E533E6E-76AF-4968-BDF0-124F67DAE14E}.exe
File created	C:\Windows\{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe
File created	C:\Windows\{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe	{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe
File created	C:\Windows\{03812C4B-586D-47d8-B702-3C0248064B2D}.exe	{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe
File created	C:\Windows\{23D6E86D-33D0-4c05-80CE-9FDD2281E9F4}.exe	{5FC5A473-43A4-46d6-AE2F-D07737CF710F}.exe
File created	C:\Windows\{5FC5A473-43A4-46d6-AE2F-D07737CF710F}.exe	{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe
File created	C:\Windows\{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe	{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe
File created	C:\Windows\{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe	{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe
File created	C:\Windows\{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe	{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe
File created	C:\Windows\{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe	{03812C4B-586D-47d8-B702-3C0248064B2D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2292	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2304	{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe
Token: SeIncBasePriorityPrivilege	1344	{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe
Token: SeIncBasePriorityPrivilege	2804	{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe
Token: SeIncBasePriorityPrivilege	2852	{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe
Token: SeIncBasePriorityPrivilege	2704	{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe
Token: SeIncBasePriorityPrivilege	2868	{03812C4B-586D-47d8-B702-3C0248064B2D}.exe
Token: SeIncBasePriorityPrivilege	2812	{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe
Token: SeIncBasePriorityPrivilege	2728	{5FC5A473-43A4-46d6-AE2F-D07737CF710F}.exe
Token: SeIncBasePriorityPrivilege	2480	{23D6E86D-33D0-4c05-80CE-9FDD2281E9F4}.exe
Token: SeIncBasePriorityPrivilege	1052	{5E533E6E-76AF-4968-BDF0-124F67DAE14E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2304	2292	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe	28
PID 2292 wrote to memory of 2304	2292	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe	28
PID 2292 wrote to memory of 2304	2292	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe	28
PID 2292 wrote to memory of 2304	2292	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe	28
PID 2292 wrote to memory of 2560	2292	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe	29
PID 2292 wrote to memory of 2560	2292	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe	29
PID 2292 wrote to memory of 2560	2292	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe	29
PID 2292 wrote to memory of 2560	2292	65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe	29
PID 2304 wrote to memory of 1344	2304	{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe	32
PID 2304 wrote to memory of 1344	2304	{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe	32
PID 2304 wrote to memory of 1344	2304	{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe	32
PID 2304 wrote to memory of 1344	2304	{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe	32
PID 2304 wrote to memory of 2452	2304	{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe	33
PID 2304 wrote to memory of 2452	2304	{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe	33
PID 2304 wrote to memory of 2452	2304	{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe	33
PID 2304 wrote to memory of 2452	2304	{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe	33
PID 1344 wrote to memory of 2804	1344	{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe	34
PID 1344 wrote to memory of 2804	1344	{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe	34
PID 1344 wrote to memory of 2804	1344	{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe	34
PID 1344 wrote to memory of 2804	1344	{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe	34
PID 1344 wrote to memory of 2980	1344	{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe	35
PID 1344 wrote to memory of 2980	1344	{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe	35
PID 1344 wrote to memory of 2980	1344	{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe	35
PID 1344 wrote to memory of 2980	1344	{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe	35
PID 2804 wrote to memory of 2852	2804	{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe	36
PID 2804 wrote to memory of 2852	2804	{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe	36
PID 2804 wrote to memory of 2852	2804	{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe	36
PID 2804 wrote to memory of 2852	2804	{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe	36
PID 2804 wrote to memory of 1648	2804	{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe	37
PID 2804 wrote to memory of 1648	2804	{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe	37
PID 2804 wrote to memory of 1648	2804	{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe	37
PID 2804 wrote to memory of 1648	2804	{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe	37
PID 2852 wrote to memory of 2704	2852	{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe	38
PID 2852 wrote to memory of 2704	2852	{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe	38
PID 2852 wrote to memory of 2704	2852	{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe	38
PID 2852 wrote to memory of 2704	2852	{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe	38
PID 2852 wrote to memory of 2860	2852	{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe	39
PID 2852 wrote to memory of 2860	2852	{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe	39
PID 2852 wrote to memory of 2860	2852	{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe	39
PID 2852 wrote to memory of 2860	2852	{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe	39
PID 2704 wrote to memory of 2868	2704	{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe	40
PID 2704 wrote to memory of 2868	2704	{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe	40
PID 2704 wrote to memory of 2868	2704	{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe	40
PID 2704 wrote to memory of 2868	2704	{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe	40
PID 2704 wrote to memory of 2720	2704	{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe	41
PID 2704 wrote to memory of 2720	2704	{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe	41
PID 2704 wrote to memory of 2720	2704	{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe	41
PID 2704 wrote to memory of 2720	2704	{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe	41
PID 2868 wrote to memory of 2812	2868	{03812C4B-586D-47d8-B702-3C0248064B2D}.exe	42
PID 2868 wrote to memory of 2812	2868	{03812C4B-586D-47d8-B702-3C0248064B2D}.exe	42
PID 2868 wrote to memory of 2812	2868	{03812C4B-586D-47d8-B702-3C0248064B2D}.exe	42
PID 2868 wrote to memory of 2812	2868	{03812C4B-586D-47d8-B702-3C0248064B2D}.exe	42
PID 2868 wrote to memory of 2692	2868	{03812C4B-586D-47d8-B702-3C0248064B2D}.exe	43
PID 2868 wrote to memory of 2692	2868	{03812C4B-586D-47d8-B702-3C0248064B2D}.exe	43
PID 2868 wrote to memory of 2692	2868	{03812C4B-586D-47d8-B702-3C0248064B2D}.exe	43
PID 2868 wrote to memory of 2692	2868	{03812C4B-586D-47d8-B702-3C0248064B2D}.exe	43
PID 2812 wrote to memory of 2728	2812	{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe	44
PID 2812 wrote to memory of 2728	2812	{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe	44
PID 2812 wrote to memory of 2728	2812	{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe	44
PID 2812 wrote to memory of 2728	2812	{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe	44
PID 2812 wrote to memory of 1732	2812	{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe	45
PID 2812 wrote to memory of 1732	2812	{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe	45
PID 2812 wrote to memory of 1732	2812	{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe	45
PID 2812 wrote to memory of 1732	2812	{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe	45

C:\Users\Admin\AppData\Local\Temp\65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\65c869d688b6cd1972b79cf52cb69e96_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe
  C:\Windows\{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe
    C:\Windows\{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe
      C:\Windows\{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe
        
        C:\Windows\{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe
        
        C:\Windows\{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{03812C4B-586D-47d8-B702-3C0248064B2D}.exe
        
        C:\Windows\{03812C4B-586D-47d8-B702-3C0248064B2D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe
        
        C:\Windows\{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\{5FC5A473-43A4-46d6-AE2F-D07737CF710F}.exe
        
        C:\Windows\{5FC5A473-43A4-46d6-AE2F-D07737CF710F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\{23D6E86D-33D0-4c05-80CE-9FDD2281E9F4}.exe
        
        C:\Windows\{23D6E86D-33D0-4c05-80CE-9FDD2281E9F4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23D6E~1.EXE > nul
        11⤵
        
        PID:2676
        
        C:\Windows\{5E533E6E-76AF-4968-BDF0-124F67DAE14E}.exe
        
        C:\Windows\{5E533E6E-76AF-4968-BDF0-124F67DAE14E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\{371D3B7E-3B13-4108-A76C-6AF7705FC01A}.exe
        
        C:\Windows\{371D3B7E-3B13-4108-A76C-6AF7705FC01A}.exe
        12⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E533~1.EXE > nul
        12⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FC5A~1.EXE > nul
        10⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF0C8~1.EXE > nul
        9⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03812~1.EXE > nul
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA6CF~1.EXE > nul
        7⤵
        
        PID:2720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F993B~1.EXE > nul
        6⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6B9A~1.EXE > nul
        5⤵
        
        PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D3804~1.EXE > nul
      4⤵
      PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{30FCC~1.EXE > nul
    3⤵
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\65C869~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03812C4B-586D-47d8-B702-3C0248064B2D}.exe

Filesize
216KB

MD5
763698725a5487b533426c315fec2c38

SHA1
5a617fc067b7e071027baf0a6e8b65f005d2dc81

SHA256
7ab43729be52ee1333bfd9dc983c231d49349b5424c2124ab40b32f9060bc994

SHA512
13f20ccb6e7b4fa0e1f149950e55499d60a8d18919c3df0659160a83d0c92b3a28488fbca1ab11bfd801d79501ae247905697e36d8588c47b212dff7476001fd

Download Submit
C:\Windows\{03812C4B-586D-47d8-B702-3C0248064B2D}.exe

Filesize
216KB

MD5
763698725a5487b533426c315fec2c38

SHA1
5a617fc067b7e071027baf0a6e8b65f005d2dc81

SHA256
7ab43729be52ee1333bfd9dc983c231d49349b5424c2124ab40b32f9060bc994

SHA512
13f20ccb6e7b4fa0e1f149950e55499d60a8d18919c3df0659160a83d0c92b3a28488fbca1ab11bfd801d79501ae247905697e36d8588c47b212dff7476001fd

Download Submit
C:\Windows\{23D6E86D-33D0-4c05-80CE-9FDD2281E9F4}.exe

Filesize
216KB

MD5
484165cdcd7201f8f03b8e5d13c0d444

SHA1
36907979394dc33395b2bb230b4597579614d9d5

SHA256
082218ea730e1e531a4467cc57502994cbb88c774b894d2e7260685e697c1747

SHA512
2e44bafa531de9585ed67bd081fd61b3362db6ca99b458143f8bd638a36d82f0d473c5b3b096d3e15e5057aa75ca5479aaeffd91ee95eb5363544e16e803cc6b

Download Submit
C:\Windows\{23D6E86D-33D0-4c05-80CE-9FDD2281E9F4}.exe

Filesize
216KB

MD5
484165cdcd7201f8f03b8e5d13c0d444

SHA1
36907979394dc33395b2bb230b4597579614d9d5

SHA256
082218ea730e1e531a4467cc57502994cbb88c774b894d2e7260685e697c1747

SHA512
2e44bafa531de9585ed67bd081fd61b3362db6ca99b458143f8bd638a36d82f0d473c5b3b096d3e15e5057aa75ca5479aaeffd91ee95eb5363544e16e803cc6b

Download Submit
C:\Windows\{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe

Filesize
216KB

MD5
92567b75f79ef52ca5a3619407a36602

SHA1
3f5a115bde2369f130d95039f4a430d4e9ef6b54

SHA256
35b4abbf408521d60635943328bd287965039e9d6e40b7b3cb197a70d0e8d744

SHA512
bf40a4b13d42faea59f677e19be43f96ffdcf7bc633a9767e2f617c1015d0615cb620ddd92d7ef970fa03947d19439593f96b405179fdc0015be8c05df72621c

Download Submit
C:\Windows\{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe

Filesize
216KB

MD5
92567b75f79ef52ca5a3619407a36602

SHA1
3f5a115bde2369f130d95039f4a430d4e9ef6b54

SHA256
35b4abbf408521d60635943328bd287965039e9d6e40b7b3cb197a70d0e8d744

SHA512
bf40a4b13d42faea59f677e19be43f96ffdcf7bc633a9767e2f617c1015d0615cb620ddd92d7ef970fa03947d19439593f96b405179fdc0015be8c05df72621c

Download Submit
C:\Windows\{30FCCAD1-C952-4c39-A76B-3E68C172E947}.exe

Filesize
216KB

MD5
92567b75f79ef52ca5a3619407a36602

SHA1
3f5a115bde2369f130d95039f4a430d4e9ef6b54

SHA256
35b4abbf408521d60635943328bd287965039e9d6e40b7b3cb197a70d0e8d744

SHA512
bf40a4b13d42faea59f677e19be43f96ffdcf7bc633a9767e2f617c1015d0615cb620ddd92d7ef970fa03947d19439593f96b405179fdc0015be8c05df72621c

Download Submit
C:\Windows\{371D3B7E-3B13-4108-A76C-6AF7705FC01A}.exe

Filesize
216KB

MD5
df2e6bf1483e667635680becd02c00ab

SHA1
b7be80b73ef0fdee05a086d4519aa885d3b55a4d

SHA256
04e3afadce43c1727f392700fe627d7d043b777ed99e26c57e08177cb80e3872

SHA512
178c11b7a2a0455e4169979496939f4e96c8293972d773ebbb8c3f6ae8a6d2c702d7cd33b6e6346c6166c21f98636b8c9c426fc47503f31b994e87dcc8329f44

Download Submit
C:\Windows\{5E533E6E-76AF-4968-BDF0-124F67DAE14E}.exe

Filesize
216KB

MD5
777cdf85c5c0b84f50576c3bb3f93bf7

SHA1
a3bff0777bcf7204881b9e781f89ddcb082d3d07

SHA256
3dd24663c11735c7758387654c84e4b546edf343a9362b9f0ae89d60d6601252

SHA512
91361c096ce8cf282c3582b557300fcd22a0e14fd0d6fcf61ff7d3f7041365d4f48826850c1daaf20f6d72b8bdb7f64a7c7588c719b0213ba15095eedb5db0cb

Download Submit
C:\Windows\{5E533E6E-76AF-4968-BDF0-124F67DAE14E}.exe

Filesize
216KB

MD5
777cdf85c5c0b84f50576c3bb3f93bf7

SHA1
a3bff0777bcf7204881b9e781f89ddcb082d3d07

SHA256
3dd24663c11735c7758387654c84e4b546edf343a9362b9f0ae89d60d6601252

SHA512
91361c096ce8cf282c3582b557300fcd22a0e14fd0d6fcf61ff7d3f7041365d4f48826850c1daaf20f6d72b8bdb7f64a7c7588c719b0213ba15095eedb5db0cb

Download Submit
C:\Windows\{5FC5A473-43A4-46d6-AE2F-D07737CF710F}.exe

Filesize
216KB

MD5
33bb658cb41d40e285d485618c1937aa

SHA1
52b507d5bfcb5b0575385a94fb7ef428cfa6cc34

SHA256
3f226dbaa95fe1cca4aeedc0659d9fa60426b5a22d1d06e6bbfba63e8f2c8f5a

SHA512
d38542bce98e6e26e9a1b1c610e096e1a58b043051421e49d2f8a974b757c6e2593a4e2270b2e951b5ff876b53fbf6d268a19864292d1f9d4d34b4474cff6f47

Download Submit
C:\Windows\{5FC5A473-43A4-46d6-AE2F-D07737CF710F}.exe

Filesize
216KB

MD5
33bb658cb41d40e285d485618c1937aa

SHA1
52b507d5bfcb5b0575385a94fb7ef428cfa6cc34

SHA256
3f226dbaa95fe1cca4aeedc0659d9fa60426b5a22d1d06e6bbfba63e8f2c8f5a

SHA512
d38542bce98e6e26e9a1b1c610e096e1a58b043051421e49d2f8a974b757c6e2593a4e2270b2e951b5ff876b53fbf6d268a19864292d1f9d4d34b4474cff6f47

Download Submit
C:\Windows\{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe

Filesize
216KB

MD5
c062cc16c1c8ed0fddc417bf5b688474

SHA1
12e7a37d0d391652042958887c67cf2d56c50594

SHA256
c8e8f74c61d9deb11a2e2d73348e1016a7c58fbf96c965cd51766a8417ab8ab4

SHA512
e02522c6f0143b00f49984f44f870685c344b9daa5d0714dbca8d7545ad4db5d00c7b03de98dbd84ea854b90fb3a142253e8c36e54444a2b0447995c350d9810

Download Submit
C:\Windows\{A6B9A961-0EA4-48c4-ABE6-6E1B76064336}.exe

Filesize
216KB

MD5
c062cc16c1c8ed0fddc417bf5b688474

SHA1
12e7a37d0d391652042958887c67cf2d56c50594

SHA256
c8e8f74c61d9deb11a2e2d73348e1016a7c58fbf96c965cd51766a8417ab8ab4

SHA512
e02522c6f0143b00f49984f44f870685c344b9daa5d0714dbca8d7545ad4db5d00c7b03de98dbd84ea854b90fb3a142253e8c36e54444a2b0447995c350d9810

Download Submit
C:\Windows\{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe

Filesize
216KB

MD5
13f2ca9f3d7c7c69eb8ad9accd031e8d

SHA1
eac4fbf75195165d7122de02c4263b17d10ac6f2

SHA256
64deba36fdac7b80134c966bb28dc2500c2e9c50940841108cee440b972ed699

SHA512
e55c597b35989b4f6dca1ccce5b5ab77c7650f6eb7eb2aeddf00da92cf604b615f969157a62a05a651abb13ddfa0447a2d08fd5ccf6e58415ac72c5f08cb72a6

Download Submit
C:\Windows\{BA6CFE7D-D019-47c7-9CDE-313CF2E68F13}.exe

Filesize
216KB

MD5
13f2ca9f3d7c7c69eb8ad9accd031e8d

SHA1
eac4fbf75195165d7122de02c4263b17d10ac6f2

SHA256
64deba36fdac7b80134c966bb28dc2500c2e9c50940841108cee440b972ed699

SHA512
e55c597b35989b4f6dca1ccce5b5ab77c7650f6eb7eb2aeddf00da92cf604b615f969157a62a05a651abb13ddfa0447a2d08fd5ccf6e58415ac72c5f08cb72a6

Download Submit
C:\Windows\{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe

Filesize
216KB

MD5
7d1fe818efbd0581d87d4570a7049961

SHA1
f1dd09ac0340f66e42752ca407e19c2032fe2906

SHA256
ef4fbae6710f5e37d61da64029ba08d4e97497c2060eeab1e3188b3db2eac15a

SHA512
38079679cc0937d91e4ff8382d8f47d44676909f8e4f704e390d11a8b271ecd5b65d859a450f7a5095395a05bb16ebf0c101aed9410b2268182a7933137ade17

Download Submit
C:\Windows\{CF0C8888-21A0-4344-810D-A39527F37C1B}.exe

Filesize
216KB

MD5
7d1fe818efbd0581d87d4570a7049961

SHA1
f1dd09ac0340f66e42752ca407e19c2032fe2906

SHA256
ef4fbae6710f5e37d61da64029ba08d4e97497c2060eeab1e3188b3db2eac15a

SHA512
38079679cc0937d91e4ff8382d8f47d44676909f8e4f704e390d11a8b271ecd5b65d859a450f7a5095395a05bb16ebf0c101aed9410b2268182a7933137ade17

Download Submit
C:\Windows\{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe

Filesize
216KB

MD5
50f57815c9c67f61db150adf8c1d5df6

SHA1
9a6f3a681d5be2a039c0e2a289d4b35b6ecce319

SHA256
b2fcfa6b8ae3574e2228e6b8cd2f47b984f6674bdedee77c49ef126658003e76

SHA512
1f84b531e9a7c1c895c4dc97e1cf09dd7c0bab8807b90e2f3e32a5ade41e4ce1a652567ff680216ac7b03dce95d29d733e1b8320930304462c904fe10c4ee551

Download Submit
C:\Windows\{D3804E2E-7F3E-4f10-BAA1-0874DE0E0A33}.exe

Filesize
216KB

MD5
50f57815c9c67f61db150adf8c1d5df6

SHA1
9a6f3a681d5be2a039c0e2a289d4b35b6ecce319

SHA256
b2fcfa6b8ae3574e2228e6b8cd2f47b984f6674bdedee77c49ef126658003e76

SHA512
1f84b531e9a7c1c895c4dc97e1cf09dd7c0bab8807b90e2f3e32a5ade41e4ce1a652567ff680216ac7b03dce95d29d733e1b8320930304462c904fe10c4ee551

Download Submit
C:\Windows\{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe

Filesize
216KB

MD5
fac772ff8bfb12721d014fc04fd91b03

SHA1
a393980de2e2301b5bdbdd3d1263eb161c7bdd17

SHA256
c16f53f8f453d91b74b94cf36bb5cfda7949cac8a32831c7e2f95d76405872c4

SHA512
e4ecd0852f6907f3aaeba0a7eac82124e5bf0213def93456b85f326e022c1bdf4bd302136483f363612fabd9a8d5d14d9391ea34213f14ceed744bf03e6acff6

Download Submit
C:\Windows\{F993B231-866D-4e50-8BEC-F9F9FEE0AA5A}.exe

Filesize
216KB

MD5
fac772ff8bfb12721d014fc04fd91b03

SHA1
a393980de2e2301b5bdbdd3d1263eb161c7bdd17

SHA256
c16f53f8f453d91b74b94cf36bb5cfda7949cac8a32831c7e2f95d76405872c4

SHA512
e4ecd0852f6907f3aaeba0a7eac82124e5bf0213def93456b85f326e022c1bdf4bd302136483f363612fabd9a8d5d14d9391ea34213f14ceed744bf03e6acff6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads