9f44b4f6405f15a84fc59f6fbf2a86d5ba491e577cc15910278a872975f4ad41

Analysis

max time kernel
151s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23/08/2023, 16:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe
Size

216KB
MD5

76a40e7c7a1f662607746d677f4c06c0
SHA1

97d54fce0c560efc6f6299606ecdd6c31e155643
SHA256

9f44b4f6405f15a84fc59f6fbf2a86d5ba491e577cc15910278a872975f4ad41
SHA512

5c9218baf666032f54ab80938acfa89d39e5a4549ea90141986249279f9618e6b4e1869a49d606b914166fbb1aee0c27eadc906b02057ed8b1299ae0a5799097
SSDEEP

3072:jEGh0oil+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGQlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C989DA5-5CF1-446d-B64C-1B996BB82F80}	{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C989DA5-5CF1-446d-B64C-1B996BB82F80}\stubpath = "C:\\Windows\\{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe"	{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}	{C634962C-5006-48f6-96FC-1F3000051BEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32F144B4-BA02-40d4-8C05-7AAEB9AB3754}	{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1931F8A-3C68-493a-A0C6-A98D549930D7}\stubpath = "C:\\Windows\\{C1931F8A-3C68-493a-A0C6-A98D549930D7}.exe"	{32F144B4-BA02-40d4-8C05-7AAEB9AB3754}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}\stubpath = "C:\\Windows\\{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe"	{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C634962C-5006-48f6-96FC-1F3000051BEB}\stubpath = "C:\\Windows\\{C634962C-5006-48f6-96FC-1F3000051BEB}.exe"	{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F1DA7BC-7442-49bc-9447-AA68BBC9334D}	{C1931F8A-3C68-493a-A0C6-A98D549930D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1931F8A-3C68-493a-A0C6-A98D549930D7}	{32F144B4-BA02-40d4-8C05-7AAEB9AB3754}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1E55D52-A9BD-467f-9907-C82D26EF9D04}	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1E55D52-A9BD-467f-9907-C82D26EF9D04}\stubpath = "C:\\Windows\\{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe"	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}\stubpath = "C:\\Windows\\{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe"	{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}	{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}	{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}\stubpath = "C:\\Windows\\{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe"	{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32F144B4-BA02-40d4-8C05-7AAEB9AB3754}\stubpath = "C:\\Windows\\{32F144B4-BA02-40d4-8C05-7AAEB9AB3754}.exe"	{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F1DA7BC-7442-49bc-9447-AA68BBC9334D}\stubpath = "C:\\Windows\\{7F1DA7BC-7442-49bc-9447-AA68BBC9334D}.exe"	{C1931F8A-3C68-493a-A0C6-A98D549930D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD281996-0BEF-4d34-963E-E97431891ED1}	{7F1DA7BC-7442-49bc-9447-AA68BBC9334D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD281996-0BEF-4d34-963E-E97431891ED1}\stubpath = "C:\\Windows\\{CD281996-0BEF-4d34-963E-E97431891ED1}.exe"	{7F1DA7BC-7442-49bc-9447-AA68BBC9334D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D901F3A-8B1A-47cb-9ADB-8C9EA7C8A24A}\stubpath = "C:\\Windows\\{2D901F3A-8B1A-47cb-9ADB-8C9EA7C8A24A}.exe"	{CD281996-0BEF-4d34-963E-E97431891ED1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}	{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C634962C-5006-48f6-96FC-1F3000051BEB}	{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}\stubpath = "C:\\Windows\\{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe"	{C634962C-5006-48f6-96FC-1F3000051BEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D901F3A-8B1A-47cb-9ADB-8C9EA7C8A24A}	{CD281996-0BEF-4d34-963E-E97431891ED1}.exe

Deletes itself 1 IoCs

pid	Process
768	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
1904	{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe
2660	{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe
2924	{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe
2760	{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe
2776	{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe
2792	{C634962C-5006-48f6-96FC-1F3000051BEB}.exe
2544	{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe
564	{32F144B4-BA02-40d4-8C05-7AAEB9AB3754}.exe
1760	{C1931F8A-3C68-493a-A0C6-A98D549930D7}.exe
2916	{7F1DA7BC-7442-49bc-9447-AA68BBC9334D}.exe
2224	{CD281996-0BEF-4d34-963E-E97431891ED1}.exe
2032	{2D901F3A-8B1A-47cb-9ADB-8C9EA7C8A24A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe	{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe
File created	C:\Windows\{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe	{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe
File created	C:\Windows\{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe	{C634962C-5006-48f6-96FC-1F3000051BEB}.exe
File created	C:\Windows\{CD281996-0BEF-4d34-963E-E97431891ED1}.exe	{7F1DA7BC-7442-49bc-9447-AA68BBC9334D}.exe
File created	C:\Windows\{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe
File created	C:\Windows\{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe	{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe
File created	C:\Windows\{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe	{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe
File created	C:\Windows\{C634962C-5006-48f6-96FC-1F3000051BEB}.exe	{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe
File created	C:\Windows\{32F144B4-BA02-40d4-8C05-7AAEB9AB3754}.exe	{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe
File created	C:\Windows\{C1931F8A-3C68-493a-A0C6-A98D549930D7}.exe	{32F144B4-BA02-40d4-8C05-7AAEB9AB3754}.exe
File created	C:\Windows\{7F1DA7BC-7442-49bc-9447-AA68BBC9334D}.exe	{C1931F8A-3C68-493a-A0C6-A98D549930D7}.exe
File created	C:\Windows\{2D901F3A-8B1A-47cb-9ADB-8C9EA7C8A24A}.exe	{CD281996-0BEF-4d34-963E-E97431891ED1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2232	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1904	{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe
Token: SeIncBasePriorityPrivilege	2660	{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe
Token: SeIncBasePriorityPrivilege	2924	{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe
Token: SeIncBasePriorityPrivilege	2760	{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe
Token: SeIncBasePriorityPrivilege	2776	{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe
Token: SeIncBasePriorityPrivilege	2792	{C634962C-5006-48f6-96FC-1F3000051BEB}.exe
Token: SeIncBasePriorityPrivilege	2544	{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe
Token: SeIncBasePriorityPrivilege	564	{32F144B4-BA02-40d4-8C05-7AAEB9AB3754}.exe
Token: SeIncBasePriorityPrivilege	1760	{C1931F8A-3C68-493a-A0C6-A98D549930D7}.exe
Token: SeIncBasePriorityPrivilege	2916	{7F1DA7BC-7442-49bc-9447-AA68BBC9334D}.exe
Token: SeIncBasePriorityPrivilege	2224	{CD281996-0BEF-4d34-963E-E97431891ED1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1904	2232	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe	28
PID 2232 wrote to memory of 1904	2232	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe	28
PID 2232 wrote to memory of 1904	2232	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe	28
PID 2232 wrote to memory of 1904	2232	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe	28
PID 2232 wrote to memory of 768	2232	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe	29
PID 2232 wrote to memory of 768	2232	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe	29
PID 2232 wrote to memory of 768	2232	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe	29
PID 2232 wrote to memory of 768	2232	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe	29
PID 1904 wrote to memory of 2660	1904	{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe	32
PID 1904 wrote to memory of 2660	1904	{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe	32
PID 1904 wrote to memory of 2660	1904	{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe	32
PID 1904 wrote to memory of 2660	1904	{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe	32
PID 1904 wrote to memory of 2476	1904	{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe	33
PID 1904 wrote to memory of 2476	1904	{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe	33
PID 1904 wrote to memory of 2476	1904	{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe	33
PID 1904 wrote to memory of 2476	1904	{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe	33
PID 2660 wrote to memory of 2924	2660	{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe	34
PID 2660 wrote to memory of 2924	2660	{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe	34
PID 2660 wrote to memory of 2924	2660	{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe	34
PID 2660 wrote to memory of 2924	2660	{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe	34
PID 2660 wrote to memory of 2748	2660	{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe	35
PID 2660 wrote to memory of 2748	2660	{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe	35
PID 2660 wrote to memory of 2748	2660	{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe	35
PID 2660 wrote to memory of 2748	2660	{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe	35
PID 2924 wrote to memory of 2760	2924	{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe	36
PID 2924 wrote to memory of 2760	2924	{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe	36
PID 2924 wrote to memory of 2760	2924	{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe	36
PID 2924 wrote to memory of 2760	2924	{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe	36
PID 2924 wrote to memory of 2912	2924	{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe	37
PID 2924 wrote to memory of 2912	2924	{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe	37
PID 2924 wrote to memory of 2912	2924	{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe	37
PID 2924 wrote to memory of 2912	2924	{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe	37
PID 2760 wrote to memory of 2776	2760	{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe	38
PID 2760 wrote to memory of 2776	2760	{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe	38
PID 2760 wrote to memory of 2776	2760	{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe	38
PID 2760 wrote to memory of 2776	2760	{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe	38
PID 2760 wrote to memory of 2736	2760	{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe	39
PID 2760 wrote to memory of 2736	2760	{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe	39
PID 2760 wrote to memory of 2736	2760	{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe	39
PID 2760 wrote to memory of 2736	2760	{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe	39
PID 2776 wrote to memory of 2792	2776	{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe	40
PID 2776 wrote to memory of 2792	2776	{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe	40
PID 2776 wrote to memory of 2792	2776	{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe	40
PID 2776 wrote to memory of 2792	2776	{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe	40
PID 2776 wrote to memory of 2148	2776	{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe	41
PID 2776 wrote to memory of 2148	2776	{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe	41
PID 2776 wrote to memory of 2148	2776	{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe	41
PID 2776 wrote to memory of 2148	2776	{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe	41
PID 2792 wrote to memory of 2544	2792	{C634962C-5006-48f6-96FC-1F3000051BEB}.exe	42
PID 2792 wrote to memory of 2544	2792	{C634962C-5006-48f6-96FC-1F3000051BEB}.exe	42
PID 2792 wrote to memory of 2544	2792	{C634962C-5006-48f6-96FC-1F3000051BEB}.exe	42
PID 2792 wrote to memory of 2544	2792	{C634962C-5006-48f6-96FC-1F3000051BEB}.exe	42
PID 2792 wrote to memory of 748	2792	{C634962C-5006-48f6-96FC-1F3000051BEB}.exe	43
PID 2792 wrote to memory of 748	2792	{C634962C-5006-48f6-96FC-1F3000051BEB}.exe	43
PID 2792 wrote to memory of 748	2792	{C634962C-5006-48f6-96FC-1F3000051BEB}.exe	43
PID 2792 wrote to memory of 748	2792	{C634962C-5006-48f6-96FC-1F3000051BEB}.exe	43
PID 2544 wrote to memory of 564	2544	{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe	44
PID 2544 wrote to memory of 564	2544	{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe	44
PID 2544 wrote to memory of 564	2544	{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe	44
PID 2544 wrote to memory of 564	2544	{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe	44
PID 2544 wrote to memory of 1688	2544	{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe	45
PID 2544 wrote to memory of 1688	2544	{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe	45
PID 2544 wrote to memory of 1688	2544	{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe	45
PID 2544 wrote to memory of 1688	2544	{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe	45

C:\Users\Admin\AppData\Local\Temp\76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe
  C:\Windows\{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe
    C:\Windows\{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe
      C:\Windows\{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe
        
        C:\Windows\{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Windows\{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe
        
        C:\Windows\{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{C634962C-5006-48f6-96FC-1F3000051BEB}.exe
        
        C:\Windows\{C634962C-5006-48f6-96FC-1F3000051BEB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe
        
        C:\Windows\{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\{32F144B4-BA02-40d4-8C05-7AAEB9AB3754}.exe
        
        C:\Windows\{32F144B4-BA02-40d4-8C05-7AAEB9AB3754}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\{C1931F8A-3C68-493a-A0C6-A98D549930D7}.exe
        
        C:\Windows\{C1931F8A-3C68-493a-A0C6-A98D549930D7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\{7F1DA7BC-7442-49bc-9447-AA68BBC9334D}.exe
        
        C:\Windows\{7F1DA7BC-7442-49bc-9447-AA68BBC9334D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\{CD281996-0BEF-4d34-963E-E97431891ED1}.exe
        
        C:\Windows\{CD281996-0BEF-4d34-963E-E97431891ED1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\{2D901F3A-8B1A-47cb-9ADB-8C9EA7C8A24A}.exe
        
        C:\Windows\{2D901F3A-8B1A-47cb-9ADB-8C9EA7C8A24A}.exe
        13⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD281~1.EXE > nul
        13⤵
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F1DA~1.EXE > nul
        12⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1931~1.EXE > nul
        11⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32F14~1.EXE > nul
        10⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CD2B~1.EXE > nul
        9⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6349~1.EXE > nul
        8⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8277E~1.EXE > nul
        7⤵
        
        PID:2148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44B46~1.EXE > nul
        6⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C989~1.EXE > nul
        5⤵
        
        PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1840D~1.EXE > nul
      4⤵
      PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A1E55~1.EXE > nul
    3⤵
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\76A40E~1.EXE > nul
  2⤵
  - Deletes itself
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe

Filesize
216KB

MD5
f4662e9117aa725985c60e8e0c565bd4

SHA1
70e5a52ce2e85e6b2d68aed9218d05a2bf5abe3c

SHA256
ac18063dc6ee676125870880eea5a4df44dd54b63155e5580715c494a928a4ab

SHA512
87428d0d9dbbfb7b40e8962e84223864d062d3a5a582be2af407217da892b41f29e81aefcbe62e520762cb26cae55be77ebaec44b29b87e7a1273ea79f31a8ed

Download Submit
C:\Windows\{1840D685-AE16-42fe-8F56-BC7EE66AC2C4}.exe

Filesize
216KB

MD5
f4662e9117aa725985c60e8e0c565bd4

SHA1
70e5a52ce2e85e6b2d68aed9218d05a2bf5abe3c

SHA256
ac18063dc6ee676125870880eea5a4df44dd54b63155e5580715c494a928a4ab

SHA512
87428d0d9dbbfb7b40e8962e84223864d062d3a5a582be2af407217da892b41f29e81aefcbe62e520762cb26cae55be77ebaec44b29b87e7a1273ea79f31a8ed

Download Submit
C:\Windows\{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe

Filesize
216KB

MD5
c0f740e3142e1ef5345c05d1d1a6d024

SHA1
d1b6f885194e8711acb207b748ca92d4b4fd49c6

SHA256
5add59aeafd0cd09b77ffa610d7678a839232d002f3045169c002a3c4d535fe8

SHA512
b688f75d32be4bee523d6eef99017007c2c763b73248d26217fb313d441fc395fa96a043ea52af01e2f16c776c38b1736d7ca91cd8f0e99ec646880af76c3eff

Download Submit
C:\Windows\{1CD2B97D-9A08-4a22-B3E5-BE92BF3C753A}.exe

Filesize
216KB

MD5
c0f740e3142e1ef5345c05d1d1a6d024

SHA1
d1b6f885194e8711acb207b748ca92d4b4fd49c6

SHA256
5add59aeafd0cd09b77ffa610d7678a839232d002f3045169c002a3c4d535fe8

SHA512
b688f75d32be4bee523d6eef99017007c2c763b73248d26217fb313d441fc395fa96a043ea52af01e2f16c776c38b1736d7ca91cd8f0e99ec646880af76c3eff

Download Submit
C:\Windows\{2D901F3A-8B1A-47cb-9ADB-8C9EA7C8A24A}.exe

Filesize
216KB

MD5
1996f288fbf2a48786eb20fc7dfd0a2b

SHA1
a7798dcd28780561ff3fa051856149f28a90259a

SHA256
e8918d90ea180d7b956de1d9ad96f2b8d2353b9b19e6cffbed6729b3759c890f

SHA512
ade538475ad116dff4f5f4ed99a620fa2070d0852535d394b98ec92207ec68d0618afa3179ca030310be42196692fbbb8f92d38cfac8388020df18a5683f16a7

Download Submit
C:\Windows\{32F144B4-BA02-40d4-8C05-7AAEB9AB3754}.exe

Filesize
216KB

MD5
1650e1790f16ec804e5e2fca3282407c

SHA1
b26ff4daf024db4f164870e8346758033bfa0e72

SHA256
df0b3c5f886206fe59ed71565c86341a247e357107d60ebd1d68b1d3f28d6947

SHA512
3dee860e9f5aab4e82d53deecfe82f0c063a9d71eefb53038cb7a4b82a1edbff20a50f46a9349e9b0d42325f2906a3d3fb53fcb6f90a5b3b90e7a61e4d209093

Download Submit
C:\Windows\{32F144B4-BA02-40d4-8C05-7AAEB9AB3754}.exe

Filesize
216KB

MD5
1650e1790f16ec804e5e2fca3282407c

SHA1
b26ff4daf024db4f164870e8346758033bfa0e72

SHA256
df0b3c5f886206fe59ed71565c86341a247e357107d60ebd1d68b1d3f28d6947

SHA512
3dee860e9f5aab4e82d53deecfe82f0c063a9d71eefb53038cb7a4b82a1edbff20a50f46a9349e9b0d42325f2906a3d3fb53fcb6f90a5b3b90e7a61e4d209093

Download Submit
C:\Windows\{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe

Filesize
216KB

MD5
d46702af2c042cfdcd859befd0bfca87

SHA1
cb71681570de867b3021c386319adc503279f440

SHA256
f0234f5c3ba272faf4e5348ee57bda3e57dd8d8655d68bc1d28cba5109c552ca

SHA512
30a591ea38b3fb0d64ea0534987dded70ad79bfe5ff198627fb409ddffe8ba31a23e7e51dea43ea6f62e5efa2c989044f325c651d2b9383c3acc625d9c9f0fbf

Download Submit
C:\Windows\{44B46868-4FCA-4f43-AFD5-E60C6B70D9A0}.exe

Filesize
216KB

MD5
d46702af2c042cfdcd859befd0bfca87

SHA1
cb71681570de867b3021c386319adc503279f440

SHA256
f0234f5c3ba272faf4e5348ee57bda3e57dd8d8655d68bc1d28cba5109c552ca

SHA512
30a591ea38b3fb0d64ea0534987dded70ad79bfe5ff198627fb409ddffe8ba31a23e7e51dea43ea6f62e5efa2c989044f325c651d2b9383c3acc625d9c9f0fbf

Download Submit
C:\Windows\{7F1DA7BC-7442-49bc-9447-AA68BBC9334D}.exe

Filesize
216KB

MD5
06b51044c68eabd41ddeceb8960c2e17

SHA1
3b5139f962059b5eac052e2ef390214bca62db6b

SHA256
6a2a53a225a647915a658a6611c45bf90f1037501dc4719c0bb3fad79882f866

SHA512
1a83f0774f1e68627b9c8e4ceeecebba39336746468872363c2efa8f0d8c36c66de93f8ba47f18fff23604011cdc5f7775d922a7027cc249c1aeb0a16885886b

Download Submit
C:\Windows\{7F1DA7BC-7442-49bc-9447-AA68BBC9334D}.exe

Filesize
216KB

MD5
06b51044c68eabd41ddeceb8960c2e17

SHA1
3b5139f962059b5eac052e2ef390214bca62db6b

SHA256
6a2a53a225a647915a658a6611c45bf90f1037501dc4719c0bb3fad79882f866

SHA512
1a83f0774f1e68627b9c8e4ceeecebba39336746468872363c2efa8f0d8c36c66de93f8ba47f18fff23604011cdc5f7775d922a7027cc249c1aeb0a16885886b

Download Submit
C:\Windows\{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe

Filesize
216KB

MD5
439bece4a02eb4f97a864a9cad4e65b7

SHA1
b03da747490e358d5dc99c76bce96f04591edfa3

SHA256
860bb0d4545f2e6fa6df51c60c7c589fa95ca4230f813412e4387c329a9d9608

SHA512
1f076e0b4555eea9a3ba9ed2aa576ff473c7808549b77aa87d707b9939dd530ee0e98c6f2c791e3de005a3cb31c04d125d5fa849591438d54c191ed7d9a35ab1

Download Submit
C:\Windows\{8277EB4E-C417-4307-8E48-4F0CDDF9EF7D}.exe

Filesize
216KB

MD5
439bece4a02eb4f97a864a9cad4e65b7

SHA1
b03da747490e358d5dc99c76bce96f04591edfa3

SHA256
860bb0d4545f2e6fa6df51c60c7c589fa95ca4230f813412e4387c329a9d9608

SHA512
1f076e0b4555eea9a3ba9ed2aa576ff473c7808549b77aa87d707b9939dd530ee0e98c6f2c791e3de005a3cb31c04d125d5fa849591438d54c191ed7d9a35ab1

Download Submit
C:\Windows\{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe

Filesize
216KB

MD5
bd1278bc56f035b61b081601049bde2a

SHA1
3e91c81bf8182cdcbe8a29614147ef9cacffe9af

SHA256
9894e1fc33796ee3eb8ae9e4652b038f9aebc565c4ade8c59cabd087b0012bc3

SHA512
bf3d3543fa6445d14c68ea95627c416ab1345aba4263f82955adad62f8c069355b8eece4d187de9167a97991247da66d64f8b9fc1ba50d889310be566feda145

Download Submit
C:\Windows\{9C989DA5-5CF1-446d-B64C-1B996BB82F80}.exe

Filesize
216KB

MD5
bd1278bc56f035b61b081601049bde2a

SHA1
3e91c81bf8182cdcbe8a29614147ef9cacffe9af

SHA256
9894e1fc33796ee3eb8ae9e4652b038f9aebc565c4ade8c59cabd087b0012bc3

SHA512
bf3d3543fa6445d14c68ea95627c416ab1345aba4263f82955adad62f8c069355b8eece4d187de9167a97991247da66d64f8b9fc1ba50d889310be566feda145

Download Submit
C:\Windows\{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe

Filesize
216KB

MD5
8fa237dfb401cbc8a54a6d25fa14c2a9

SHA1
7466ce779b7ba7d02ce7a5bf19c4e9b8de62464f

SHA256
bbc3b60a1f155c2267fb103353ddfdfb1b9bab5232f971f1a5ea3fbbb58e022a

SHA512
9b2ed862f6287363960c73d1b5f88c0c7a673fb8a718e54c8f063cf077a5ff251857146e1c039deaaf8aea4360517714d12c1fb17f209f4adcc653a465bb42d7

Download Submit
C:\Windows\{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe

Filesize
216KB

MD5
8fa237dfb401cbc8a54a6d25fa14c2a9

SHA1
7466ce779b7ba7d02ce7a5bf19c4e9b8de62464f

SHA256
bbc3b60a1f155c2267fb103353ddfdfb1b9bab5232f971f1a5ea3fbbb58e022a

SHA512
9b2ed862f6287363960c73d1b5f88c0c7a673fb8a718e54c8f063cf077a5ff251857146e1c039deaaf8aea4360517714d12c1fb17f209f4adcc653a465bb42d7

Download Submit
C:\Windows\{A1E55D52-A9BD-467f-9907-C82D26EF9D04}.exe

Filesize
216KB

MD5
8fa237dfb401cbc8a54a6d25fa14c2a9

SHA1
7466ce779b7ba7d02ce7a5bf19c4e9b8de62464f

SHA256
bbc3b60a1f155c2267fb103353ddfdfb1b9bab5232f971f1a5ea3fbbb58e022a

SHA512
9b2ed862f6287363960c73d1b5f88c0c7a673fb8a718e54c8f063cf077a5ff251857146e1c039deaaf8aea4360517714d12c1fb17f209f4adcc653a465bb42d7

Download Submit
C:\Windows\{C1931F8A-3C68-493a-A0C6-A98D549930D7}.exe

Filesize
216KB

MD5
e777c53707c2e94223a600986d87f9e6

SHA1
1001bad731f4ec90f1367a96d0746b4d02ee7c8a

SHA256
61a89142a32145fb6879c3a39bfe37e9de8cf465b5d4ef02f3d8362f19fd26cc

SHA512
7acef75136f399aeec62cf6069f5929f76140e41cb657aeb96b4d4f376292ac594a0533aea1ed58e21128bf90997c6de316aec2e8500829c9362a617c46aa04d

Download Submit
C:\Windows\{C1931F8A-3C68-493a-A0C6-A98D549930D7}.exe

Filesize
216KB

MD5
e777c53707c2e94223a600986d87f9e6

SHA1
1001bad731f4ec90f1367a96d0746b4d02ee7c8a

SHA256
61a89142a32145fb6879c3a39bfe37e9de8cf465b5d4ef02f3d8362f19fd26cc

SHA512
7acef75136f399aeec62cf6069f5929f76140e41cb657aeb96b4d4f376292ac594a0533aea1ed58e21128bf90997c6de316aec2e8500829c9362a617c46aa04d

Download Submit
C:\Windows\{C634962C-5006-48f6-96FC-1F3000051BEB}.exe

Filesize
216KB

MD5
7e20a8ec83eacaa1473883ca75539851

SHA1
efa266ff3b77ce3cc58965ee890f44c461ccb4d1

SHA256
3bde464a0b928720bf7bdd68e51796110b07a8daefc8fd8d5ed153532ce09d9f

SHA512
a0480f46b8bb8bace26612310fd7c81ab54afd62f82c5cca754344a08e32266d5353fbd8f43997ea0e3b775fa61e858e0fcf436d36ed56497bef95b38ab2f9a2

Download Submit
C:\Windows\{C634962C-5006-48f6-96FC-1F3000051BEB}.exe

Filesize
216KB

MD5
7e20a8ec83eacaa1473883ca75539851

SHA1
efa266ff3b77ce3cc58965ee890f44c461ccb4d1

SHA256
3bde464a0b928720bf7bdd68e51796110b07a8daefc8fd8d5ed153532ce09d9f

SHA512
a0480f46b8bb8bace26612310fd7c81ab54afd62f82c5cca754344a08e32266d5353fbd8f43997ea0e3b775fa61e858e0fcf436d36ed56497bef95b38ab2f9a2

Download Submit
C:\Windows\{CD281996-0BEF-4d34-963E-E97431891ED1}.exe

Filesize
216KB

MD5
9f3746fca07595f3d460971b6648ed40

SHA1
2f0d3ef32efca353d51b3bdc79f1d1f75d78c556

SHA256
d0943061d8f2ec55452ec258e49d63e423d5eb17ca1c8bc4508e01740d6f6b06

SHA512
004051d28373aa6af72f67a4192c3c43a22137209cb6af304c08b37c81416035fcfe0570e2fda3535c3145a55124b6cc425a862c78ceadccb24f5f0bcbcd44e3

Download Submit
C:\Windows\{CD281996-0BEF-4d34-963E-E97431891ED1}.exe

Filesize
216KB

MD5
9f3746fca07595f3d460971b6648ed40

SHA1
2f0d3ef32efca353d51b3bdc79f1d1f75d78c556

SHA256
d0943061d8f2ec55452ec258e49d63e423d5eb17ca1c8bc4508e01740d6f6b06

SHA512
004051d28373aa6af72f67a4192c3c43a22137209cb6af304c08b37c81416035fcfe0570e2fda3535c3145a55124b6cc425a862c78ceadccb24f5f0bcbcd44e3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads