5baee6543677913858df40a3b072baf177d3730d86af39bb6eb4521fd5f9741e

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22/08/2023, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe
Size

408KB
MD5

66f8593370eb098a83db693a9b0cd144
SHA1

e2e28df949e36dec249c98b5cef8c6f1035954b3
SHA256

5baee6543677913858df40a3b072baf177d3730d86af39bb6eb4521fd5f9741e
SHA512

f72dd4f4aa28a3fa434b1ac2189b6d63be45ac633e5393efc15479ec612f6b2cff7952b6211ef9000d1a7b13091ae054671b88405bd203a7d38cfacde72ad9c5
SSDEEP

3072:CEGh0oUl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGKldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7373C792-72EA-4564-80AC-1B9286F82C84}\stubpath = "C:\\Windows\\{7373C792-72EA-4564-80AC-1B9286F82C84}.exe"	{354111D4-77D7-4942-ACE4-99B298A642F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA390513-188F-4a84-A038-01D5B7B8208E}	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}	{CA390513-188F-4a84-A038-01D5B7B8208E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}\stubpath = "C:\\Windows\\{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe"	{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2747450-ECB6-4bf8-854A-64EBF6F900B4}	{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DFEE2C5-85D8-4b44-AEAB-AAA0FBD67B79}	{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B3FAF72-C1C8-42ec-951D-FC264D5E6ABE}	{8DFEE2C5-85D8-4b44-AEAB-AAA0FBD67B79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7373C792-72EA-4564-80AC-1B9286F82C84}	{354111D4-77D7-4942-ACE4-99B298A642F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA390513-188F-4a84-A038-01D5B7B8208E}\stubpath = "C:\\Windows\\{CA390513-188F-4a84-A038-01D5B7B8208E}.exe"	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15FBE87F-F949-486d-ADD2-1F7446E9A269}	{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15FBE87F-F949-486d-ADD2-1F7446E9A269}\stubpath = "C:\\Windows\\{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe"	{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4E5166C-10D7-45a8-9D36-22E688C22104}	{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}	{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4E5166C-10D7-45a8-9D36-22E688C22104}\stubpath = "C:\\Windows\\{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe"	{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DFEE2C5-85D8-4b44-AEAB-AAA0FBD67B79}\stubpath = "C:\\Windows\\{8DFEE2C5-85D8-4b44-AEAB-AAA0FBD67B79}.exe"	{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{354111D4-77D7-4942-ACE4-99B298A642F9}\stubpath = "C:\\Windows\\{354111D4-77D7-4942-ACE4-99B298A642F9}.exe"	{9B3FAF72-C1C8-42ec-951D-FC264D5E6ABE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B3FAF72-C1C8-42ec-951D-FC264D5E6ABE}\stubpath = "C:\\Windows\\{9B3FAF72-C1C8-42ec-951D-FC264D5E6ABE}.exe"	{8DFEE2C5-85D8-4b44-AEAB-AAA0FBD67B79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{354111D4-77D7-4942-ACE4-99B298A642F9}	{9B3FAF72-C1C8-42ec-951D-FC264D5E6ABE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}\stubpath = "C:\\Windows\\{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe"	{CA390513-188F-4a84-A038-01D5B7B8208E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C2CE965-5E08-4cd8-8D16-388693D9D42C}	{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C2CE965-5E08-4cd8-8D16-388693D9D42C}\stubpath = "C:\\Windows\\{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe"	{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2747450-ECB6-4bf8-854A-64EBF6F900B4}\stubpath = "C:\\Windows\\{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe"	{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe

Deletes itself 1 IoCs

pid	Process
2900	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1612	{CA390513-188F-4a84-A038-01D5B7B8208E}.exe
2832	{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe
2980	{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe
2736	{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe
2708	{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe
2780	{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe
1524	{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe
1068	{8DFEE2C5-85D8-4b44-AEAB-AAA0FBD67B79}.exe
2688	{9B3FAF72-C1C8-42ec-951D-FC264D5E6ABE}.exe
3064	{354111D4-77D7-4942-ACE4-99B298A642F9}.exe
2380	{7373C792-72EA-4564-80AC-1B9286F82C84}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CA390513-188F-4a84-A038-01D5B7B8208E}.exe	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe
File created	C:\Windows\{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe	{CA390513-188F-4a84-A038-01D5B7B8208E}.exe
File created	C:\Windows\{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe	{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe
File created	C:\Windows\{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe	{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe
File created	C:\Windows\{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe	{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe
File created	C:\Windows\{9B3FAF72-C1C8-42ec-951D-FC264D5E6ABE}.exe	{8DFEE2C5-85D8-4b44-AEAB-AAA0FBD67B79}.exe
File created	C:\Windows\{7373C792-72EA-4564-80AC-1B9286F82C84}.exe	{354111D4-77D7-4942-ACE4-99B298A642F9}.exe
File created	C:\Windows\{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe	{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe
File created	C:\Windows\{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe	{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe
File created	C:\Windows\{8DFEE2C5-85D8-4b44-AEAB-AAA0FBD67B79}.exe	{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe
File created	C:\Windows\{354111D4-77D7-4942-ACE4-99B298A642F9}.exe	{9B3FAF72-C1C8-42ec-951D-FC264D5E6ABE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2456	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1612	{CA390513-188F-4a84-A038-01D5B7B8208E}.exe
Token: SeIncBasePriorityPrivilege	2832	{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe
Token: SeIncBasePriorityPrivilege	2980	{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe
Token: SeIncBasePriorityPrivilege	2736	{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe
Token: SeIncBasePriorityPrivilege	2708	{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe
Token: SeIncBasePriorityPrivilege	2780	{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe
Token: SeIncBasePriorityPrivilege	1524	{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe
Token: SeIncBasePriorityPrivilege	1068	{8DFEE2C5-85D8-4b44-AEAB-AAA0FBD67B79}.exe
Token: SeIncBasePriorityPrivilege	2688	{9B3FAF72-C1C8-42ec-951D-FC264D5E6ABE}.exe
Token: SeIncBasePriorityPrivilege	3064	{354111D4-77D7-4942-ACE4-99B298A642F9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1612	2456	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe	28
PID 2456 wrote to memory of 1612	2456	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe	28
PID 2456 wrote to memory of 1612	2456	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe	28
PID 2456 wrote to memory of 1612	2456	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe	28
PID 2456 wrote to memory of 2900	2456	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe	29
PID 2456 wrote to memory of 2900	2456	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe	29
PID 2456 wrote to memory of 2900	2456	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe	29
PID 2456 wrote to memory of 2900	2456	66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe	29
PID 1612 wrote to memory of 2832	1612	{CA390513-188F-4a84-A038-01D5B7B8208E}.exe	32
PID 1612 wrote to memory of 2832	1612	{CA390513-188F-4a84-A038-01D5B7B8208E}.exe	32
PID 1612 wrote to memory of 2832	1612	{CA390513-188F-4a84-A038-01D5B7B8208E}.exe	32
PID 1612 wrote to memory of 2832	1612	{CA390513-188F-4a84-A038-01D5B7B8208E}.exe	32
PID 1612 wrote to memory of 2992	1612	{CA390513-188F-4a84-A038-01D5B7B8208E}.exe	33
PID 1612 wrote to memory of 2992	1612	{CA390513-188F-4a84-A038-01D5B7B8208E}.exe	33
PID 1612 wrote to memory of 2992	1612	{CA390513-188F-4a84-A038-01D5B7B8208E}.exe	33
PID 1612 wrote to memory of 2992	1612	{CA390513-188F-4a84-A038-01D5B7B8208E}.exe	33
PID 2832 wrote to memory of 2980	2832	{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe	35
PID 2832 wrote to memory of 2980	2832	{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe	35
PID 2832 wrote to memory of 2980	2832	{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe	35
PID 2832 wrote to memory of 2980	2832	{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe	35
PID 2832 wrote to memory of 2876	2832	{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe	34
PID 2832 wrote to memory of 2876	2832	{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe	34
PID 2832 wrote to memory of 2876	2832	{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe	34
PID 2832 wrote to memory of 2876	2832	{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe	34
PID 2980 wrote to memory of 2736	2980	{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe	36
PID 2980 wrote to memory of 2736	2980	{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe	36
PID 2980 wrote to memory of 2736	2980	{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe	36
PID 2980 wrote to memory of 2736	2980	{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe	36
PID 2980 wrote to memory of 2872	2980	{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe	37
PID 2980 wrote to memory of 2872	2980	{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe	37
PID 2980 wrote to memory of 2872	2980	{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe	37
PID 2980 wrote to memory of 2872	2980	{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe	37
PID 2736 wrote to memory of 2708	2736	{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe	38
PID 2736 wrote to memory of 2708	2736	{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe	38
PID 2736 wrote to memory of 2708	2736	{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe	38
PID 2736 wrote to memory of 2708	2736	{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe	38
PID 2736 wrote to memory of 2752	2736	{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe	39
PID 2736 wrote to memory of 2752	2736	{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe	39
PID 2736 wrote to memory of 2752	2736	{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe	39
PID 2736 wrote to memory of 2752	2736	{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe	39
PID 2708 wrote to memory of 2780	2708	{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe	40
PID 2708 wrote to memory of 2780	2708	{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe	40
PID 2708 wrote to memory of 2780	2708	{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe	40
PID 2708 wrote to memory of 2780	2708	{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe	40
PID 2708 wrote to memory of 2444	2708	{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe	41
PID 2708 wrote to memory of 2444	2708	{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe	41
PID 2708 wrote to memory of 2444	2708	{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe	41
PID 2708 wrote to memory of 2444	2708	{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe	41
PID 2780 wrote to memory of 1524	2780	{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe	42
PID 2780 wrote to memory of 1524	2780	{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe	42
PID 2780 wrote to memory of 1524	2780	{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe	42
PID 2780 wrote to memory of 1524	2780	{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe	42
PID 2780 wrote to memory of 532	2780	{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe	43
PID 2780 wrote to memory of 532	2780	{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe	43
PID 2780 wrote to memory of 532	2780	{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe	43
PID 2780 wrote to memory of 532	2780	{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe	43
PID 1524 wrote to memory of 1068	1524	{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe	44
PID 1524 wrote to memory of 1068	1524	{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe	44
PID 1524 wrote to memory of 1068	1524	{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe	44
PID 1524 wrote to memory of 1068	1524	{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe	44
PID 1524 wrote to memory of 1488	1524	{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe	45
PID 1524 wrote to memory of 1488	1524	{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe	45
PID 1524 wrote to memory of 1488	1524	{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe	45
PID 1524 wrote to memory of 1488	1524	{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe	45

C:\Users\Admin\AppData\Local\Temp\66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\66f8593370eb098a83db693a9b0cd144_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\{CA390513-188F-4a84-A038-01D5B7B8208E}.exe
  C:\Windows\{CA390513-188F-4a84-A038-01D5B7B8208E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe
    C:\Windows\{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A1B4D~1.EXE > nul
      4⤵
      PID:2876
  - - C:\Windows\{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe
      C:\Windows\{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe
        
        C:\Windows\{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe
        
        C:\Windows\{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe
        
        C:\Windows\{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe
        
        C:\Windows\{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\{8DFEE2C5-85D8-4b44-AEAB-AAA0FBD67B79}.exe
        
        C:\Windows\{8DFEE2C5-85D8-4b44-AEAB-AAA0FBD67B79}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Windows\{9B3FAF72-C1C8-42ec-951D-FC264D5E6ABE}.exe
        
        C:\Windows\{9B3FAF72-C1C8-42ec-951D-FC264D5E6ABE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\{354111D4-77D7-4942-ACE4-99B298A642F9}.exe
        
        C:\Windows\{354111D4-77D7-4942-ACE4-99B298A642F9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\{7373C792-72EA-4564-80AC-1B9286F82C84}.exe
        
        C:\Windows\{7373C792-72EA-4564-80AC-1B9286F82C84}.exe
        12⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35411~1.EXE > nul
        12⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B3FA~1.EXE > nul
        11⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DFEE~1.EXE > nul
        10⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4E51~1.EXE > nul
        9⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2747~1.EXE > nul
        8⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B210~1.EXE > nul
        7⤵
        
        PID:2444
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15FBE~1.EXE > nul
        6⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C2CE~1.EXE > nul
        5⤵
        
        PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CA390~1.EXE > nul
    3⤵
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\66F859~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe

Filesize
408KB

MD5
5ed0f3c1f83b10e2e31235f7c2dcaa88

SHA1
0b72ab4c771573e9676981c896e079a64bd0b88b

SHA256
54b36c920f09453d54d7e818db6490eb091458e9d5875fc1c576c2bbcaf7699a

SHA512
49cb4db7eb68a2cc7e251eabb1d5eebe64b58c79d651439c1f035f7969cd1b9fa626dc5ccfcd2648075dadffc76650292f730f87e7194ff708e8f2f7c6a8c3a0

Download Submit
C:\Windows\{15FBE87F-F949-486d-ADD2-1F7446E9A269}.exe

Filesize
408KB

MD5
5ed0f3c1f83b10e2e31235f7c2dcaa88

SHA1
0b72ab4c771573e9676981c896e079a64bd0b88b

SHA256
54b36c920f09453d54d7e818db6490eb091458e9d5875fc1c576c2bbcaf7699a

SHA512
49cb4db7eb68a2cc7e251eabb1d5eebe64b58c79d651439c1f035f7969cd1b9fa626dc5ccfcd2648075dadffc76650292f730f87e7194ff708e8f2f7c6a8c3a0

Download Submit
C:\Windows\{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe

Filesize
408KB

MD5
c3b1fbf05c398ab5eb733ea26df6d2a3

SHA1
034b7615e1f527ff8b719e421d518458b712bf8b

SHA256
10eaf00a713e29834a4c82c9c1644e4d1930963ed6d9163f535eb49f01c57faf

SHA512
a9db98df15d8f6ed541a959fde90ff175dc76b3f81363d5fd5e4c689ccc0c9307b264453949cdc3a9bd49012882b19b9ea93ddb55db6683b955a4ee93e780bd3

Download Submit
C:\Windows\{1C2CE965-5E08-4cd8-8D16-388693D9D42C}.exe

Filesize
408KB

MD5
c3b1fbf05c398ab5eb733ea26df6d2a3

SHA1
034b7615e1f527ff8b719e421d518458b712bf8b

SHA256
10eaf00a713e29834a4c82c9c1644e4d1930963ed6d9163f535eb49f01c57faf

SHA512
a9db98df15d8f6ed541a959fde90ff175dc76b3f81363d5fd5e4c689ccc0c9307b264453949cdc3a9bd49012882b19b9ea93ddb55db6683b955a4ee93e780bd3

Download Submit
C:\Windows\{354111D4-77D7-4942-ACE4-99B298A642F9}.exe

Filesize
408KB

MD5
f21627fa9f705b1c421bb509feb2a8bd

SHA1
870340fef53aa4047bb1146e2a0736c0afa5901e

SHA256
5732d04fecd4b546e56bdf3ab8398653a0333f248d462881743787123a7888ac

SHA512
bb8783a6662ef6332363c429d5176a1b63cfd84063fc6712cbb0835cc197e049ae4cc67299b21eb0ff30ea0fb036341d9a8e67d11f4b54c1a2ec59f62d39c42e

Download Submit
C:\Windows\{354111D4-77D7-4942-ACE4-99B298A642F9}.exe

Filesize
408KB

MD5
f21627fa9f705b1c421bb509feb2a8bd

SHA1
870340fef53aa4047bb1146e2a0736c0afa5901e

SHA256
5732d04fecd4b546e56bdf3ab8398653a0333f248d462881743787123a7888ac

SHA512
bb8783a6662ef6332363c429d5176a1b63cfd84063fc6712cbb0835cc197e049ae4cc67299b21eb0ff30ea0fb036341d9a8e67d11f4b54c1a2ec59f62d39c42e

Download Submit
C:\Windows\{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe

Filesize
408KB

MD5
6df7a1efb0e30ca5ec4ffe9cb4d7bdb1

SHA1
f64142ca23ca2ed9d2b23d06a69154385a430267

SHA256
7f799221bdf2b457d96e9dca85d22ca267e87785bf3e6750058146f2963f8352

SHA512
8af7aa17688ca431297c284332862388c28b080768441712ff5faf327302cd4b811d84e53f9900404a4b4c1ed1cbdb0c4be47d415e859296788c623f939821ad

Download Submit
C:\Windows\{6B210BEC-CD55-472f-BE6C-4AC0F89965C8}.exe

Filesize
408KB

MD5
6df7a1efb0e30ca5ec4ffe9cb4d7bdb1

SHA1
f64142ca23ca2ed9d2b23d06a69154385a430267

SHA256
7f799221bdf2b457d96e9dca85d22ca267e87785bf3e6750058146f2963f8352

SHA512
8af7aa17688ca431297c284332862388c28b080768441712ff5faf327302cd4b811d84e53f9900404a4b4c1ed1cbdb0c4be47d415e859296788c623f939821ad

Download Submit
C:\Windows\{7373C792-72EA-4564-80AC-1B9286F82C84}.exe

Filesize
408KB

MD5
386e29c3713737dc488a33f99ac1cb5c

SHA1
fdd427d429f3a5436ef686d8efebb8c226b526ef

SHA256
21a32a3e0ddee92b1b9ebc4ad455b53150d2baaf03d0c3c35e2080eaa6794bd7

SHA512
28007b44e0bcb678847827f38e6def83664b19dee5546f3150ca03b8c30551076cc41164987c60584a0d369ee211b4f87186ff816465c6b90c8dd069f4b7643a

Download Submit
C:\Windows\{8DFEE2C5-85D8-4b44-AEAB-AAA0FBD67B79}.exe

Filesize
408KB

MD5
ba32e6f687fdb7694afeeaf561fa2ba4

SHA1
fcc664fbf18c8150e42f28766164a05bd0d4f3ae

SHA256
e85858b54ec065a1aa9ec4b9ed51b8bc1a8e5d7df37f0b9be5136b477b9c9f2c

SHA512
9f090874f2a67e1dd03a7403b90455f16d6c303e96ce0d482c618563b751144bc7c09d910b125af70e07fcdb204896e152375661689c3be0632559f2c03a5a11

Download Submit
C:\Windows\{8DFEE2C5-85D8-4b44-AEAB-AAA0FBD67B79}.exe

Filesize
408KB

MD5
ba32e6f687fdb7694afeeaf561fa2ba4

SHA1
fcc664fbf18c8150e42f28766164a05bd0d4f3ae

SHA256
e85858b54ec065a1aa9ec4b9ed51b8bc1a8e5d7df37f0b9be5136b477b9c9f2c

SHA512
9f090874f2a67e1dd03a7403b90455f16d6c303e96ce0d482c618563b751144bc7c09d910b125af70e07fcdb204896e152375661689c3be0632559f2c03a5a11

Download Submit
C:\Windows\{9B3FAF72-C1C8-42ec-951D-FC264D5E6ABE}.exe

Filesize
408KB

MD5
3da2530e14ce1cc7ae0b73c18be336f1

SHA1
718d5d63752cf79dc360a6c9d45c3792ea746068

SHA256
d1c427057dd2f02b0dd20d4efd115e72b5e74d2a85513e8aeff350fbb5d58938

SHA512
75ba05aebf55098bef52d5b98e01034e1da8ebb00e85f32c13885743d0bead98c5434988feda10d3f980d387440ea0a024ae336b1e9cc85accee204ee81f81b5

Download Submit
C:\Windows\{9B3FAF72-C1C8-42ec-951D-FC264D5E6ABE}.exe

Filesize
408KB

MD5
3da2530e14ce1cc7ae0b73c18be336f1

SHA1
718d5d63752cf79dc360a6c9d45c3792ea746068

SHA256
d1c427057dd2f02b0dd20d4efd115e72b5e74d2a85513e8aeff350fbb5d58938

SHA512
75ba05aebf55098bef52d5b98e01034e1da8ebb00e85f32c13885743d0bead98c5434988feda10d3f980d387440ea0a024ae336b1e9cc85accee204ee81f81b5

Download Submit
C:\Windows\{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe

Filesize
408KB

MD5
43da2d472350c590dbc378614d9703db

SHA1
d49f3651f276aabfca805d6c72091756173a1b50

SHA256
7effd3f7f9dc6f73342f3f4fa70db36e0e229cfb256e766266ac56adf248b39d

SHA512
b1880be638d91097a96d9d08843bbca0d6a8ac4950ebdeecb5f1277f51fb94a9b939b48ce775212d69cebfca16b62353b1ac23b27c3efd71f02e1ccc761646d4

Download Submit
C:\Windows\{A1B4DC30-9839-4941-88BA-C92E09EBE0D0}.exe

Filesize
408KB

MD5
43da2d472350c590dbc378614d9703db

SHA1
d49f3651f276aabfca805d6c72091756173a1b50

SHA256
7effd3f7f9dc6f73342f3f4fa70db36e0e229cfb256e766266ac56adf248b39d

SHA512
b1880be638d91097a96d9d08843bbca0d6a8ac4950ebdeecb5f1277f51fb94a9b939b48ce775212d69cebfca16b62353b1ac23b27c3efd71f02e1ccc761646d4

Download Submit
C:\Windows\{CA390513-188F-4a84-A038-01D5B7B8208E}.exe

Filesize
408KB

MD5
e550b1a98956cc3d37ea7de0f76aafaa

SHA1
7cfdc45f5458032df2e76f21ba2daabb0a6d8e06

SHA256
73dd7275544b23d7e146c85e064d439364ec7c5b23db0aabef9af488bb77e14f

SHA512
436ec07fad7846e1420ce7d276ef9119d5184a047cd68fb0491203451eeac1b20759dcdb99247872ed18ccff84dea835f54dc64868f97dae1f9cf51ac8a67824

Download Submit
C:\Windows\{CA390513-188F-4a84-A038-01D5B7B8208E}.exe

Filesize
408KB

MD5
e550b1a98956cc3d37ea7de0f76aafaa

SHA1
7cfdc45f5458032df2e76f21ba2daabb0a6d8e06

SHA256
73dd7275544b23d7e146c85e064d439364ec7c5b23db0aabef9af488bb77e14f

SHA512
436ec07fad7846e1420ce7d276ef9119d5184a047cd68fb0491203451eeac1b20759dcdb99247872ed18ccff84dea835f54dc64868f97dae1f9cf51ac8a67824

Download Submit
C:\Windows\{CA390513-188F-4a84-A038-01D5B7B8208E}.exe

Filesize
408KB

MD5
e550b1a98956cc3d37ea7de0f76aafaa

SHA1
7cfdc45f5458032df2e76f21ba2daabb0a6d8e06

SHA256
73dd7275544b23d7e146c85e064d439364ec7c5b23db0aabef9af488bb77e14f

SHA512
436ec07fad7846e1420ce7d276ef9119d5184a047cd68fb0491203451eeac1b20759dcdb99247872ed18ccff84dea835f54dc64868f97dae1f9cf51ac8a67824

Download Submit
C:\Windows\{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe

Filesize
408KB

MD5
9fb81f406162476bfa421eac93f60f12

SHA1
8f26f4a107c1097aab1cab9007242ea41a401747

SHA256
062705d2aa10569b8dbe2fc120323e7ec553e9e82be41adca4822e80f26a2502

SHA512
b0253c3713a06826c531d30808faea018ce9149ab38bad0e62416a66995e59df9ca936298fc0338dc4825ad281e2dfc1fc5c0d8492571894351764fd12203a90

Download Submit
C:\Windows\{E2747450-ECB6-4bf8-854A-64EBF6F900B4}.exe

Filesize
408KB

MD5
9fb81f406162476bfa421eac93f60f12

SHA1
8f26f4a107c1097aab1cab9007242ea41a401747

SHA256
062705d2aa10569b8dbe2fc120323e7ec553e9e82be41adca4822e80f26a2502

SHA512
b0253c3713a06826c531d30808faea018ce9149ab38bad0e62416a66995e59df9ca936298fc0338dc4825ad281e2dfc1fc5c0d8492571894351764fd12203a90

Download Submit
C:\Windows\{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe

Filesize
408KB

MD5
d78b6b0956686358dd5255abb0b013ea

SHA1
f51480d4570acb0592a25147f4be8d0a9e53873d

SHA256
8b8c4ef4909060ac9d16cdc6a11e06d3a2d7f2184bb2caee17239f2e9b9ebb1e

SHA512
338b0ce3fddd112eb5a197f8a2a443cf279ba6cc2567a5abf5aa56aead332c4b7645cd6eef7ba85aadd50ce3eb9715ec017fcd0295b143cfdd9eaa4f6beecb0a

Download Submit
C:\Windows\{F4E5166C-10D7-45a8-9D36-22E688C22104}.exe

Filesize
408KB

MD5
d78b6b0956686358dd5255abb0b013ea

SHA1
f51480d4570acb0592a25147f4be8d0a9e53873d

SHA256
8b8c4ef4909060ac9d16cdc6a11e06d3a2d7f2184bb2caee17239f2e9b9ebb1e

SHA512
338b0ce3fddd112eb5a197f8a2a443cf279ba6cc2567a5abf5aa56aead332c4b7645cd6eef7ba85aadd50ce3eb9715ec017fcd0295b143cfdd9eaa4f6beecb0a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads