6ec5028d625cf958de21696573756ff63fdc546e35342c9458ab99ea8aaff909

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21/08/2023, 18:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6575ae25999e48969e5b78952137a4ec_goldeneye_JC.exe
Size

408KB
MD5

6575ae25999e48969e5b78952137a4ec
SHA1

436db547c9c6a127845362f959e8d9686a7a2b25
SHA256

6ec5028d625cf958de21696573756ff63fdc546e35342c9458ab99ea8aaff909
SHA512

b37e66ea0a5a7a61f24ec24cff9fb5ca7e22abe13a852a062a0cffa5e0b7172c1a5267e93a503f8bd27babd2fbcd0eeb8cfff0cbee40e75aebd6418c86cfcba7
SSDEEP

3072:CEGh0oHl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGlldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{759A2F64-256C-4063-867D-70956DCD005F}\stubpath = "C:\\Windows\\{759A2F64-256C-4063-867D-70956DCD005F}.exe"	{AE953F94-32A5-449e-8F7A-DA8668ED1E91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88C963CC-B92F-47ea-887A-49A55B4BE7C4}\stubpath = "C:\\Windows\\{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe"	{1656826C-54DB-4715-867B-BC46B5128F72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}	{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}	{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C32F8699-4CE2-40ee-BF74-94E345370828}	{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{759A2F64-256C-4063-867D-70956DCD005F}	{AE953F94-32A5-449e-8F7A-DA8668ED1E91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FA27651-8D5E-4167-8B0D-627E20C6F061}	6575ae25999e48969e5b78952137a4ec_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88C963CC-B92F-47ea-887A-49A55B4BE7C4}	{1656826C-54DB-4715-867B-BC46B5128F72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{358AC987-6F7C-49be-8E23-0BFE09A9B87E}	{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{358AC987-6F7C-49be-8E23-0BFE09A9B87E}\stubpath = "C:\\Windows\\{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe"	{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EB81AAD-A116-4c5b-A322-266B2DE603D5}\stubpath = "C:\\Windows\\{9EB81AAD-A116-4c5b-A322-266B2DE603D5}.exe"	{759A2F64-256C-4063-867D-70956DCD005F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04369E5D-DB83-4e35-A4B3-35779FC528CD}	{9EB81AAD-A116-4c5b-A322-266B2DE603D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04369E5D-DB83-4e35-A4B3-35779FC528CD}\stubpath = "C:\\Windows\\{04369E5D-DB83-4e35-A4B3-35779FC528CD}.exe"	{9EB81AAD-A116-4c5b-A322-266B2DE603D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FA27651-8D5E-4167-8B0D-627E20C6F061}\stubpath = "C:\\Windows\\{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe"	6575ae25999e48969e5b78952137a4ec_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1656826C-54DB-4715-867B-BC46B5128F72}\stubpath = "C:\\Windows\\{1656826C-54DB-4715-867B-BC46B5128F72}.exe"	{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C32F8699-4CE2-40ee-BF74-94E345370828}\stubpath = "C:\\Windows\\{C32F8699-4CE2-40ee-BF74-94E345370828}.exe"	{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE953F94-32A5-449e-8F7A-DA8668ED1E91}	{C32F8699-4CE2-40ee-BF74-94E345370828}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EB81AAD-A116-4c5b-A322-266B2DE603D5}	{759A2F64-256C-4063-867D-70956DCD005F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1656826C-54DB-4715-867B-BC46B5128F72}	{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}\stubpath = "C:\\Windows\\{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe"	{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}\stubpath = "C:\\Windows\\{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe"	{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE953F94-32A5-449e-8F7A-DA8668ED1E91}\stubpath = "C:\\Windows\\{AE953F94-32A5-449e-8F7A-DA8668ED1E91}.exe"	{C32F8699-4CE2-40ee-BF74-94E345370828}.exe

Deletes itself 1 IoCs

pid	Process
1080	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2572	{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe
2952	{1656826C-54DB-4715-867B-BC46B5128F72}.exe
3016	{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe
2980	{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe
2404	{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe
2708	{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe
1824	{C32F8699-4CE2-40ee-BF74-94E345370828}.exe
768	{AE953F94-32A5-449e-8F7A-DA8668ED1E91}.exe
1360	{759A2F64-256C-4063-867D-70956DCD005F}.exe
1192	{9EB81AAD-A116-4c5b-A322-266B2DE603D5}.exe
2160	{04369E5D-DB83-4e35-A4B3-35779FC528CD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1656826C-54DB-4715-867B-BC46B5128F72}.exe	{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe
File created	C:\Windows\{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe	{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe
File created	C:\Windows\{C32F8699-4CE2-40ee-BF74-94E345370828}.exe	{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe
File created	C:\Windows\{759A2F64-256C-4063-867D-70956DCD005F}.exe	{AE953F94-32A5-449e-8F7A-DA8668ED1E91}.exe
File created	C:\Windows\{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe	6575ae25999e48969e5b78952137a4ec_goldeneye_JC.exe
File created	C:\Windows\{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe	{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe
File created	C:\Windows\{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe	{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe
File created	C:\Windows\{AE953F94-32A5-449e-8F7A-DA8668ED1E91}.exe	{C32F8699-4CE2-40ee-BF74-94E345370828}.exe
File created	C:\Windows\{9EB81AAD-A116-4c5b-A322-266B2DE603D5}.exe	{759A2F64-256C-4063-867D-70956DCD005F}.exe
File created	C:\Windows\{04369E5D-DB83-4e35-A4B3-35779FC528CD}.exe	{9EB81AAD-A116-4c5b-A322-266B2DE603D5}.exe
File created	C:\Windows\{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe	{1656826C-54DB-4715-867B-BC46B5128F72}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2464	6575ae25999e48969e5b78952137a4ec_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2572	{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe
Token: SeIncBasePriorityPrivilege	2952	{1656826C-54DB-4715-867B-BC46B5128F72}.exe
Token: SeIncBasePriorityPrivilege	3016	{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe
Token: SeIncBasePriorityPrivilege	2980	{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe
Token: SeIncBasePriorityPrivilege	2404	{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe
Token: SeIncBasePriorityPrivilege	2708	{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe
Token: SeIncBasePriorityPrivilege	1824	{C32F8699-4CE2-40ee-BF74-94E345370828}.exe
Token: SeIncBasePriorityPrivilege	768	{AE953F94-32A5-449e-8F7A-DA8668ED1E91}.exe
Token: SeIncBasePriorityPrivilege	1360	{759A2F64-256C-4063-867D-70956DCD005F}.exe
Token: SeIncBasePriorityPrivilege	1192	{9EB81AAD-A116-4c5b-A322-266B2DE603D5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2572	2464	6575ae25999e48969e5b78952137a4ec_goldeneye_JC.exe	28
PID 2464 wrote to memory of 2572	2464	6575ae25999e48969e5b78952137a4ec_goldeneye_JC.exe	28
PID 2464 wrote to memory of 2572	2464	6575ae25999e48969e5b78952137a4ec_goldeneye_JC.exe	28
PID 2464 wrote to memory of 2572	2464	6575ae25999e48969e5b78952137a4ec_goldeneye_JC.exe	28
PID 2464 wrote to memory of 1080	2464	6575ae25999e48969e5b78952137a4ec_goldeneye_JC.exe	29
PID 2464 wrote to memory of 1080	2464	6575ae25999e48969e5b78952137a4ec_goldeneye_JC.exe	29
PID 2464 wrote to memory of 1080	2464	6575ae25999e48969e5b78952137a4ec_goldeneye_JC.exe	29
PID 2464 wrote to memory of 1080	2464	6575ae25999e48969e5b78952137a4ec_goldeneye_JC.exe	29
PID 2572 wrote to memory of 2952	2572	{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe	32
PID 2572 wrote to memory of 2952	2572	{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe	32
PID 2572 wrote to memory of 2952	2572	{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe	32
PID 2572 wrote to memory of 2952	2572	{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe	32
PID 2572 wrote to memory of 2296	2572	{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe	33
PID 2572 wrote to memory of 2296	2572	{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe	33
PID 2572 wrote to memory of 2296	2572	{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe	33
PID 2572 wrote to memory of 2296	2572	{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe	33
PID 2952 wrote to memory of 3016	2952	{1656826C-54DB-4715-867B-BC46B5128F72}.exe	34
PID 2952 wrote to memory of 3016	2952	{1656826C-54DB-4715-867B-BC46B5128F72}.exe	34
PID 2952 wrote to memory of 3016	2952	{1656826C-54DB-4715-867B-BC46B5128F72}.exe	34
PID 2952 wrote to memory of 3016	2952	{1656826C-54DB-4715-867B-BC46B5128F72}.exe	34
PID 2952 wrote to memory of 2416	2952	{1656826C-54DB-4715-867B-BC46B5128F72}.exe	35
PID 2952 wrote to memory of 2416	2952	{1656826C-54DB-4715-867B-BC46B5128F72}.exe	35
PID 2952 wrote to memory of 2416	2952	{1656826C-54DB-4715-867B-BC46B5128F72}.exe	35
PID 2952 wrote to memory of 2416	2952	{1656826C-54DB-4715-867B-BC46B5128F72}.exe	35
PID 3016 wrote to memory of 2980	3016	{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe	36
PID 3016 wrote to memory of 2980	3016	{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe	36
PID 3016 wrote to memory of 2980	3016	{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe	36
PID 3016 wrote to memory of 2980	3016	{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe	36
PID 3016 wrote to memory of 1204	3016	{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe	37
PID 3016 wrote to memory of 1204	3016	{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe	37
PID 3016 wrote to memory of 1204	3016	{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe	37
PID 3016 wrote to memory of 1204	3016	{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe	37
PID 2980 wrote to memory of 2404	2980	{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe	38
PID 2980 wrote to memory of 2404	2980	{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe	38
PID 2980 wrote to memory of 2404	2980	{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe	38
PID 2980 wrote to memory of 2404	2980	{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe	38
PID 2980 wrote to memory of 2816	2980	{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe	39
PID 2980 wrote to memory of 2816	2980	{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe	39
PID 2980 wrote to memory of 2816	2980	{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe	39
PID 2980 wrote to memory of 2816	2980	{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe	39
PID 2404 wrote to memory of 2708	2404	{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe	40
PID 2404 wrote to memory of 2708	2404	{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe	40
PID 2404 wrote to memory of 2708	2404	{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe	40
PID 2404 wrote to memory of 2708	2404	{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe	40
PID 2404 wrote to memory of 2748	2404	{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe	41
PID 2404 wrote to memory of 2748	2404	{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe	41
PID 2404 wrote to memory of 2748	2404	{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe	41
PID 2404 wrote to memory of 2748	2404	{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe	41
PID 2708 wrote to memory of 1824	2708	{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe	42
PID 2708 wrote to memory of 1824	2708	{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe	42
PID 2708 wrote to memory of 1824	2708	{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe	42
PID 2708 wrote to memory of 1824	2708	{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe	42
PID 2708 wrote to memory of 1992	2708	{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe	43
PID 2708 wrote to memory of 1992	2708	{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe	43
PID 2708 wrote to memory of 1992	2708	{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe	43
PID 2708 wrote to memory of 1992	2708	{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe	43
PID 1824 wrote to memory of 768	1824	{C32F8699-4CE2-40ee-BF74-94E345370828}.exe	44
PID 1824 wrote to memory of 768	1824	{C32F8699-4CE2-40ee-BF74-94E345370828}.exe	44
PID 1824 wrote to memory of 768	1824	{C32F8699-4CE2-40ee-BF74-94E345370828}.exe	44
PID 1824 wrote to memory of 768	1824	{C32F8699-4CE2-40ee-BF74-94E345370828}.exe	44
PID 1824 wrote to memory of 984	1824	{C32F8699-4CE2-40ee-BF74-94E345370828}.exe	45
PID 1824 wrote to memory of 984	1824	{C32F8699-4CE2-40ee-BF74-94E345370828}.exe	45
PID 1824 wrote to memory of 984	1824	{C32F8699-4CE2-40ee-BF74-94E345370828}.exe	45
PID 1824 wrote to memory of 984	1824	{C32F8699-4CE2-40ee-BF74-94E345370828}.exe	45

C:\Users\Admin\AppData\Local\Temp\6575ae25999e48969e5b78952137a4ec_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6575ae25999e48969e5b78952137a4ec_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe
  C:\Windows\{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\{1656826C-54DB-4715-867B-BC46B5128F72}.exe
    C:\Windows\{1656826C-54DB-4715-867B-BC46B5128F72}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe
      C:\Windows\{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe
        
        C:\Windows\{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Windows\{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe
        
        C:\Windows\{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe
        
        C:\Windows\{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\{C32F8699-4CE2-40ee-BF74-94E345370828}.exe
        
        C:\Windows\{C32F8699-4CE2-40ee-BF74-94E345370828}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{AE953F94-32A5-449e-8F7A-DA8668ED1E91}.exe
        
        C:\Windows\{AE953F94-32A5-449e-8F7A-DA8668ED1E91}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\{759A2F64-256C-4063-867D-70956DCD005F}.exe
        
        C:\Windows\{759A2F64-256C-4063-867D-70956DCD005F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\{9EB81AAD-A116-4c5b-A322-266B2DE603D5}.exe
        
        C:\Windows\{9EB81AAD-A116-4c5b-A322-266B2DE603D5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\{04369E5D-DB83-4e35-A4B3-35779FC528CD}.exe
        
        C:\Windows\{04369E5D-DB83-4e35-A4B3-35779FC528CD}.exe
        12⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EB81~1.EXE > nul
        12⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{759A2~1.EXE > nul
        11⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE953~1.EXE > nul
        10⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C32F8~1.EXE > nul
        9⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C5AB~1.EXE > nul
        8⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{358AC~1.EXE > nul
        7⤵
        
        PID:2748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4005~1.EXE > nul
        6⤵
        
        PID:2816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88C96~1.EXE > nul
        5⤵
        
        PID:1204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{16568~1.EXE > nul
      4⤵
      PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3FA27~1.EXE > nul
    3⤵
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6575AE~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04369E5D-DB83-4e35-A4B3-35779FC528CD}.exe

Filesize
408KB

MD5
6544a455012d8e1bcad331e66b7babc7

SHA1
51efb1218198711a258e064042aee228cf577256

SHA256
7aa4c8f778e6b4448b6be9f749845fad11987a51b79b0ca0e6f51d21aa493615

SHA512
b7fcbaf793832608138d18f6edaf2deb89ed75d57aba5fdd842c25a39aaf009e49217c38ee111e885ed5d99439a96b7cf4396c5eb24206772266ddb2659c4f8a

Download Submit
C:\Windows\{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe

Filesize
408KB

MD5
9d0f7281a1ad97efa084d40bb065786f

SHA1
5bbf3417f38f9da5afeabeda1ade575d27e20530

SHA256
b6ec2dd0437bba2903e5d2da0a76df1b5151393d5ee3eb4ed817a62359fa987b

SHA512
9eeacd513cdd6ea87a1556e83af6f4c7f91dfe5400117e3b6b811c4c54033f18958def884894f8563ecfb12ffc28068bd62027a56cc0f226c1158b4a2b1e14cd

Download Submit
C:\Windows\{0C5AB0E5-8870-4727-9B84-4C8779CEE06B}.exe

Filesize
408KB

MD5
9d0f7281a1ad97efa084d40bb065786f

SHA1
5bbf3417f38f9da5afeabeda1ade575d27e20530

SHA256
b6ec2dd0437bba2903e5d2da0a76df1b5151393d5ee3eb4ed817a62359fa987b

SHA512
9eeacd513cdd6ea87a1556e83af6f4c7f91dfe5400117e3b6b811c4c54033f18958def884894f8563ecfb12ffc28068bd62027a56cc0f226c1158b4a2b1e14cd

Download Submit
C:\Windows\{1656826C-54DB-4715-867B-BC46B5128F72}.exe

Filesize
408KB

MD5
9937b70fbee01e29dd6907bacbe45369

SHA1
241e9b2f29c9ad521f91ee5107dc64dfc6c4da3a

SHA256
7cbb0147b9b5fcf46e6d6468d732bc96e46ad923ecb5a05a6bc2a9d81859fc0c

SHA512
7f4f07b21288a8fc5139ad89da010711804a6963a658bca7be82fe78687d1968ee8dbf1f927f573204bc1ced4ab66a53e68c371ead2cade4a5464cde715e5c06

Download Submit
C:\Windows\{1656826C-54DB-4715-867B-BC46B5128F72}.exe

Filesize
408KB

MD5
9937b70fbee01e29dd6907bacbe45369

SHA1
241e9b2f29c9ad521f91ee5107dc64dfc6c4da3a

SHA256
7cbb0147b9b5fcf46e6d6468d732bc96e46ad923ecb5a05a6bc2a9d81859fc0c

SHA512
7f4f07b21288a8fc5139ad89da010711804a6963a658bca7be82fe78687d1968ee8dbf1f927f573204bc1ced4ab66a53e68c371ead2cade4a5464cde715e5c06

Download Submit
C:\Windows\{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe

Filesize
408KB

MD5
4f6e3088f8432c68fa9fa7acba691644

SHA1
fda7893da82741bb04ea923da44ad32bac3975cb

SHA256
784cd90510d0c0fa25bb8b874d70cc213103f8bfb45b57e6d275c08048bd8ced

SHA512
c100aea4fd909e30583c29b8cced739d39073f0cb73dac9e02bca91af02d4387135382a71fecee2ffe7f4352ba7d8572fca7860f89e8bd4940c0770096093a7a

Download Submit
C:\Windows\{358AC987-6F7C-49be-8E23-0BFE09A9B87E}.exe

Filesize
408KB

MD5
4f6e3088f8432c68fa9fa7acba691644

SHA1
fda7893da82741bb04ea923da44ad32bac3975cb

SHA256
784cd90510d0c0fa25bb8b874d70cc213103f8bfb45b57e6d275c08048bd8ced

SHA512
c100aea4fd909e30583c29b8cced739d39073f0cb73dac9e02bca91af02d4387135382a71fecee2ffe7f4352ba7d8572fca7860f89e8bd4940c0770096093a7a

Download Submit
C:\Windows\{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe

Filesize
408KB

MD5
1797ce35726b87960cb36ab14d124aad

SHA1
94be9e8f8a363fc0998b07ac5809692df43c53d7

SHA256
b4b620f62fc05b1aebc961bdf191344c1fa5837dfe80b16597d1c599fc242717

SHA512
fed4f1850df07a7be754c3adb5aa1f37a832218ef6b5f98a2ba00304de3e1590e96f42f164e5eaef7ec3a0f16fc15bb6063867727c63e367706168b84d15335f

Download Submit
C:\Windows\{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe

Filesize
408KB

MD5
1797ce35726b87960cb36ab14d124aad

SHA1
94be9e8f8a363fc0998b07ac5809692df43c53d7

SHA256
b4b620f62fc05b1aebc961bdf191344c1fa5837dfe80b16597d1c599fc242717

SHA512
fed4f1850df07a7be754c3adb5aa1f37a832218ef6b5f98a2ba00304de3e1590e96f42f164e5eaef7ec3a0f16fc15bb6063867727c63e367706168b84d15335f

Download Submit
C:\Windows\{3FA27651-8D5E-4167-8B0D-627E20C6F061}.exe

Filesize
408KB

MD5
1797ce35726b87960cb36ab14d124aad

SHA1
94be9e8f8a363fc0998b07ac5809692df43c53d7

SHA256
b4b620f62fc05b1aebc961bdf191344c1fa5837dfe80b16597d1c599fc242717

SHA512
fed4f1850df07a7be754c3adb5aa1f37a832218ef6b5f98a2ba00304de3e1590e96f42f164e5eaef7ec3a0f16fc15bb6063867727c63e367706168b84d15335f

Download Submit
C:\Windows\{759A2F64-256C-4063-867D-70956DCD005F}.exe

Filesize
408KB

MD5
f79d5d584cb95b09e7873079830a96bf

SHA1
4f7fa492c8b976d4331d214742e00592f9a0c7a3

SHA256
0b9de1d2fee636d805095a87af21c57e2678d850c59a9940cc4dcebb95ac5cef

SHA512
5c81a7f6dc70dfb6fe06b149dff8e6d11f4f048b7ec738a630e9ad7b9d58ba0dc6a45456f39709161070c035747e001a8db2b39e2ba7efb21ae8dafa1a6a7cfa

Download Submit
C:\Windows\{759A2F64-256C-4063-867D-70956DCD005F}.exe

Filesize
408KB

MD5
f79d5d584cb95b09e7873079830a96bf

SHA1
4f7fa492c8b976d4331d214742e00592f9a0c7a3

SHA256
0b9de1d2fee636d805095a87af21c57e2678d850c59a9940cc4dcebb95ac5cef

SHA512
5c81a7f6dc70dfb6fe06b149dff8e6d11f4f048b7ec738a630e9ad7b9d58ba0dc6a45456f39709161070c035747e001a8db2b39e2ba7efb21ae8dafa1a6a7cfa

Download Submit
C:\Windows\{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe

Filesize
408KB

MD5
a51e32f748f25041a30d70a3978ddacf

SHA1
9239faf2182bb749cd6fc24f8844886dea774c41

SHA256
184b29a996f3c216b02441ce27cfaeb604ed089f58aa68b1939c4f6fb9537ebf

SHA512
bab85e89928f31af839cbc2fec27846a696240ab334842c51cb25311c8eda929bb1a89dc0faf0ba3359a111bebffb84c019134d7507aeb5007c115477c59a80a

Download Submit
C:\Windows\{88C963CC-B92F-47ea-887A-49A55B4BE7C4}.exe

Filesize
408KB

MD5
a51e32f748f25041a30d70a3978ddacf

SHA1
9239faf2182bb749cd6fc24f8844886dea774c41

SHA256
184b29a996f3c216b02441ce27cfaeb604ed089f58aa68b1939c4f6fb9537ebf

SHA512
bab85e89928f31af839cbc2fec27846a696240ab334842c51cb25311c8eda929bb1a89dc0faf0ba3359a111bebffb84c019134d7507aeb5007c115477c59a80a

Download Submit
C:\Windows\{9EB81AAD-A116-4c5b-A322-266B2DE603D5}.exe

Filesize
408KB

MD5
3801c316a7a51aa2768ed5fd82c77887

SHA1
bdc07ab80ad8be036d0455e369137f393e3feb47

SHA256
a74091db162292984553d89c5c4defd774f95eeb71ce62df799ee1eacb37a2c7

SHA512
3c9ec63ada99297ba59f2b245539a75576d4b8fb019b757378ab5061435d19803282e5ec33f93246807fe8197008651bedd084434923e40ddabc49d42593a235

Download Submit
C:\Windows\{9EB81AAD-A116-4c5b-A322-266B2DE603D5}.exe

Filesize
408KB

MD5
3801c316a7a51aa2768ed5fd82c77887

SHA1
bdc07ab80ad8be036d0455e369137f393e3feb47

SHA256
a74091db162292984553d89c5c4defd774f95eeb71ce62df799ee1eacb37a2c7

SHA512
3c9ec63ada99297ba59f2b245539a75576d4b8fb019b757378ab5061435d19803282e5ec33f93246807fe8197008651bedd084434923e40ddabc49d42593a235

Download Submit
C:\Windows\{AE953F94-32A5-449e-8F7A-DA8668ED1E91}.exe

Filesize
408KB

MD5
e0a1663e4034cc2495f2e4a88d946325

SHA1
c8c46dfab42bba68ad628c500ea56a5060415464

SHA256
68c5aa8e43a210858f1fe5ace271c1f9f3f8f221d47f59258652eda04da9f55b

SHA512
2726e6f975eefa0eb9a71a42d336f2728ffba3d2f5243c090de5932a0594d179ea6e9b29aa533fbdb48e61ef5372e4159884699bdd2b374567727d1457bec737

Download Submit
C:\Windows\{AE953F94-32A5-449e-8F7A-DA8668ED1E91}.exe

Filesize
408KB

MD5
e0a1663e4034cc2495f2e4a88d946325

SHA1
c8c46dfab42bba68ad628c500ea56a5060415464

SHA256
68c5aa8e43a210858f1fe5ace271c1f9f3f8f221d47f59258652eda04da9f55b

SHA512
2726e6f975eefa0eb9a71a42d336f2728ffba3d2f5243c090de5932a0594d179ea6e9b29aa533fbdb48e61ef5372e4159884699bdd2b374567727d1457bec737

Download Submit
C:\Windows\{C32F8699-4CE2-40ee-BF74-94E345370828}.exe

Filesize
408KB

MD5
6567839896f51565e4ba31c28c6fb6be

SHA1
834e03321ca0ab0e68efc1ba301ee9ae98348134

SHA256
b881272bb3e90ace899d5dd9c3006678f32516dd98ab821472fddc2824e688b4

SHA512
27a1fe54d96437cc58cdec95c794a697351ba0d76795451d980a0e754a6321bec0be7b97a263e30e79a1af881881a557ba684d417f1ebee75bfe0708f8ad5180

Download Submit
C:\Windows\{C32F8699-4CE2-40ee-BF74-94E345370828}.exe

Filesize
408KB

MD5
6567839896f51565e4ba31c28c6fb6be

SHA1
834e03321ca0ab0e68efc1ba301ee9ae98348134

SHA256
b881272bb3e90ace899d5dd9c3006678f32516dd98ab821472fddc2824e688b4

SHA512
27a1fe54d96437cc58cdec95c794a697351ba0d76795451d980a0e754a6321bec0be7b97a263e30e79a1af881881a557ba684d417f1ebee75bfe0708f8ad5180

Download Submit
C:\Windows\{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe

Filesize
408KB

MD5
ac6271c3ab39241249894d55a5830ff2

SHA1
8473d325af2bb95f71fb25949eebb38d0620e1ed

SHA256
8a52d00fbfafe1e26bd1ede98eb5b4f5f7fa9e91b233b2697be7e66d94001b9d

SHA512
767ebd481797008093d76cbe18b508e8b0bb3edd12e54e8e36bf08917701adf9149d65eb098e40c7ea2ed22e4cd6a5110bd6b4858b7f888f24b7e5a6f120a162

Download Submit
C:\Windows\{E4005C2D-EBD8-42fe-B5BE-3908E66A604A}.exe

Filesize
408KB

MD5
ac6271c3ab39241249894d55a5830ff2

SHA1
8473d325af2bb95f71fb25949eebb38d0620e1ed

SHA256
8a52d00fbfafe1e26bd1ede98eb5b4f5f7fa9e91b233b2697be7e66d94001b9d

SHA512
767ebd481797008093d76cbe18b508e8b0bb3edd12e54e8e36bf08917701adf9149d65eb098e40c7ea2ed22e4cd6a5110bd6b4858b7f888f24b7e5a6f120a162

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads