9f44b4f6405f15a84fc59f6fbf2a86d5ba491e577cc15910278a872975f4ad41

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2023, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe
Size

216KB
MD5

76a40e7c7a1f662607746d677f4c06c0
SHA1

97d54fce0c560efc6f6299606ecdd6c31e155643
SHA256

9f44b4f6405f15a84fc59f6fbf2a86d5ba491e577cc15910278a872975f4ad41
SHA512

5c9218baf666032f54ab80938acfa89d39e5a4549ea90141986249279f9618e6b4e1869a49d606b914166fbb1aee0c27eadc906b02057ed8b1299ae0a5799097
SSDEEP

3072:jEGh0oil+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGQlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}	{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}	{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CD33447-3AE1-4aea-AA9C-9A13103206FC}\stubpath = "C:\\Windows\\{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe"	{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{979F601F-9A97-455b-84C1-5FE91E657673}	{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AC72153-8BA9-4b89-896C-7FA8FDC31517}\stubpath = "C:\\Windows\\{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe"	{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D98840A-5A7D-4b84-A34B-0D899170F7B4}\stubpath = "C:\\Windows\\{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe"	{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}	{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{979F601F-9A97-455b-84C1-5FE91E657673}\stubpath = "C:\\Windows\\{979F601F-9A97-455b-84C1-5FE91E657673}.exe"	{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CD33447-3AE1-4aea-AA9C-9A13103206FC}	{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}	{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}\stubpath = "C:\\Windows\\{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe"	{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D4A5380-7D45-4a31-85F2-EF281112D9DD}\stubpath = "C:\\Windows\\{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe"	{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}	{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}\stubpath = "C:\\Windows\\{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}.exe"	{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B65EE62E-C2B4-4f9a-AB80-59EDCE894DE2}\stubpath = "C:\\Windows\\{B65EE62E-C2B4-4f9a-AB80-59EDCE894DE2}.exe"	{979F601F-9A97-455b-84C1-5FE91E657673}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}\stubpath = "C:\\Windows\\{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe"	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}\stubpath = "C:\\Windows\\{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe"	{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D4A5380-7D45-4a31-85F2-EF281112D9DD}	{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AC72153-8BA9-4b89-896C-7FA8FDC31517}	{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}\stubpath = "C:\\Windows\\{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe"	{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D98840A-5A7D-4b84-A34B-0D899170F7B4}	{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B65EE62E-C2B4-4f9a-AB80-59EDCE894DE2}	{979F601F-9A97-455b-84C1-5FE91E657673}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}\stubpath = "C:\\Windows\\{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe"	{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe

Executes dropped EXE 12 IoCs

pid	Process
5096	{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe
4340	{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe
2128	{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe
4540	{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe
2524	{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe
2132	{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe
2372	{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe
996	{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe
3688	{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe
912	{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}.exe
1764	{979F601F-9A97-455b-84C1-5FE91E657673}.exe
688	{B65EE62E-C2B4-4f9a-AB80-59EDCE894DE2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B65EE62E-C2B4-4f9a-AB80-59EDCE894DE2}.exe	{979F601F-9A97-455b-84C1-5FE91E657673}.exe
File created	C:\Windows\{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe	{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe
File created	C:\Windows\{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe	{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe
File created	C:\Windows\{979F601F-9A97-455b-84C1-5FE91E657673}.exe	{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}.exe
File created	C:\Windows\{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe	{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe
File created	C:\Windows\{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe	{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe
File created	C:\Windows\{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe	{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe
File created	C:\Windows\{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe	{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe
File created	C:\Windows\{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}.exe	{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe
File created	C:\Windows\{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe
File created	C:\Windows\{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe	{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe
File created	C:\Windows\{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe	{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	448	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	5096	{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe
Token: SeIncBasePriorityPrivilege	4340	{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe
Token: SeIncBasePriorityPrivilege	2128	{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe
Token: SeIncBasePriorityPrivilege	4540	{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe
Token: SeIncBasePriorityPrivilege	2524	{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe
Token: SeIncBasePriorityPrivilege	2132	{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe
Token: SeIncBasePriorityPrivilege	2372	{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe
Token: SeIncBasePriorityPrivilege	996	{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe
Token: SeIncBasePriorityPrivilege	3688	{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe
Token: SeIncBasePriorityPrivilege	912	{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}.exe
Token: SeIncBasePriorityPrivilege	1764	{979F601F-9A97-455b-84C1-5FE91E657673}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 5096	448	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe	91
PID 448 wrote to memory of 5096	448	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe	91
PID 448 wrote to memory of 5096	448	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe	91
PID 448 wrote to memory of 4376	448	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe	92
PID 448 wrote to memory of 4376	448	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe	92
PID 448 wrote to memory of 4376	448	76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe	92
PID 5096 wrote to memory of 4340	5096	{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe	93
PID 5096 wrote to memory of 4340	5096	{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe	93
PID 5096 wrote to memory of 4340	5096	{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe	93
PID 5096 wrote to memory of 4124	5096	{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe	94
PID 5096 wrote to memory of 4124	5096	{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe	94
PID 5096 wrote to memory of 4124	5096	{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe	94
PID 4340 wrote to memory of 2128	4340	{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe	97
PID 4340 wrote to memory of 2128	4340	{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe	97
PID 4340 wrote to memory of 2128	4340	{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe	97
PID 4340 wrote to memory of 1148	4340	{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe	96
PID 4340 wrote to memory of 1148	4340	{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe	96
PID 4340 wrote to memory of 1148	4340	{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe	96
PID 2128 wrote to memory of 4540	2128	{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe	98
PID 2128 wrote to memory of 4540	2128	{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe	98
PID 2128 wrote to memory of 4540	2128	{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe	98
PID 2128 wrote to memory of 3788	2128	{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe	99
PID 2128 wrote to memory of 3788	2128	{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe	99
PID 2128 wrote to memory of 3788	2128	{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe	99
PID 4540 wrote to memory of 2524	4540	{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe	100
PID 4540 wrote to memory of 2524	4540	{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe	100
PID 4540 wrote to memory of 2524	4540	{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe	100
PID 4540 wrote to memory of 2720	4540	{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe	101
PID 4540 wrote to memory of 2720	4540	{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe	101
PID 4540 wrote to memory of 2720	4540	{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe	101
PID 2524 wrote to memory of 2132	2524	{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe	103
PID 2524 wrote to memory of 2132	2524	{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe	103
PID 2524 wrote to memory of 2132	2524	{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe	103
PID 2524 wrote to memory of 4524	2524	{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe	102
PID 2524 wrote to memory of 4524	2524	{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe	102
PID 2524 wrote to memory of 4524	2524	{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe	102
PID 2132 wrote to memory of 2372	2132	{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe	104
PID 2132 wrote to memory of 2372	2132	{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe	104
PID 2132 wrote to memory of 2372	2132	{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe	104
PID 2132 wrote to memory of 4028	2132	{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe	105
PID 2132 wrote to memory of 4028	2132	{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe	105
PID 2132 wrote to memory of 4028	2132	{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe	105
PID 2372 wrote to memory of 996	2372	{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe	106
PID 2372 wrote to memory of 996	2372	{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe	106
PID 2372 wrote to memory of 996	2372	{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe	106
PID 2372 wrote to memory of 3380	2372	{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe	107
PID 2372 wrote to memory of 3380	2372	{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe	107
PID 2372 wrote to memory of 3380	2372	{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe	107
PID 996 wrote to memory of 3688	996	{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe	109
PID 996 wrote to memory of 3688	996	{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe	109
PID 996 wrote to memory of 3688	996	{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe	109
PID 996 wrote to memory of 1664	996	{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe	108
PID 996 wrote to memory of 1664	996	{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe	108
PID 996 wrote to memory of 1664	996	{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe	108
PID 3688 wrote to memory of 912	3688	{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe	110
PID 3688 wrote to memory of 912	3688	{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe	110
PID 3688 wrote to memory of 912	3688	{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe	110
PID 3688 wrote to memory of 2208	3688	{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe	111
PID 3688 wrote to memory of 2208	3688	{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe	111
PID 3688 wrote to memory of 2208	3688	{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe	111
PID 912 wrote to memory of 1764	912	{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}.exe	112
PID 912 wrote to memory of 1764	912	{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}.exe	112
PID 912 wrote to memory of 1764	912	{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}.exe	112
PID 912 wrote to memory of 2788	912	{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}.exe	113

C:\Users\Admin\AppData\Local\Temp\76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\76a40e7c7a1f662607746d677f4c06c0_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe
  C:\Windows\{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe
    C:\Windows\{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A39B7~1.EXE > nul
      4⤵
      PID:1148
  - - C:\Windows\{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe
      C:\Windows\{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe
        
        C:\Windows\{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
      - C:\Windows\{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe
        
        C:\Windows\{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D4A5~1.EXE > nul
        7⤵
        
        PID:4524
        
        C:\Windows\{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe
        
        C:\Windows\{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe
        
        C:\Windows\{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe
        
        C:\Windows\{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A23F~1.EXE > nul
        10⤵
        
        PID:1664
        
        C:\Windows\{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe
        
        C:\Windows\{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}.exe
        
        C:\Windows\{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\{979F601F-9A97-455b-84C1-5FE91E657673}.exe
        
        C:\Windows\{979F601F-9A97-455b-84C1-5FE91E657673}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\{B65EE62E-C2B4-4f9a-AB80-59EDCE894DE2}.exe
        
        C:\Windows\{B65EE62E-C2B4-4f9a-AB80-59EDCE894DE2}.exe
        13⤵
        Executes dropped EXE
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{979F6~1.EXE > nul
        13⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01D58~1.EXE > nul
        12⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D988~1.EXE > nul
        11⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AC72~1.EXE > nul
        9⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CD33~1.EXE > nul
        8⤵
        
        PID:4028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2EA1~1.EXE > nul
        6⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{374DA~1.EXE > nul
        5⤵
        
        PID:3788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E1E75~1.EXE > nul
    3⤵
    PID:4124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\76A40E~1.EXE > nul
  2⤵
  PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}.exe

Filesize
216KB

MD5
331511c0e92c3b9788c54977d580bcd8

SHA1
d6c466afaaa8216e96d68500c433115ef6072e80

SHA256
7197968010c56dcf6332c1b86c219ff30dde9b0a2e62c930764963a09e40d29d

SHA512
bae8d6066add4b3efb53f5385a93a863e8cae30e7a1155103edf9443a9ccc5b61613b3330ef9de68154cb8388551f310c475830a650d8df475f28f1fc04dd817

Download Submit
C:\Windows\{01D58B9E-2E7A-40a3-BC3A-8A63B200868D}.exe

Filesize
216KB

MD5
331511c0e92c3b9788c54977d580bcd8

SHA1
d6c466afaaa8216e96d68500c433115ef6072e80

SHA256
7197968010c56dcf6332c1b86c219ff30dde9b0a2e62c930764963a09e40d29d

SHA512
bae8d6066add4b3efb53f5385a93a863e8cae30e7a1155103edf9443a9ccc5b61613b3330ef9de68154cb8388551f310c475830a650d8df475f28f1fc04dd817

Download Submit
C:\Windows\{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe

Filesize
216KB

MD5
67e3a5d00d16c35fec45a543de5d5cf3

SHA1
4840c084f69d82636d7c818742cbc815160e2461

SHA256
f4b2786b543e76a9832b0fbf92aeb65d7a0f9e9325ad534862d2b2ecf6e1cd88

SHA512
db5852eaa9e9323620e2513fc05016ca5073f2b0acfea04c9ab5caa8056d38aa333e961de94f1dba629c645b39ebbab8b5d906ca1e38b6cd1a9091f96385e62b

Download Submit
C:\Windows\{2AC72153-8BA9-4b89-896C-7FA8FDC31517}.exe

Filesize
216KB

MD5
67e3a5d00d16c35fec45a543de5d5cf3

SHA1
4840c084f69d82636d7c818742cbc815160e2461

SHA256
f4b2786b543e76a9832b0fbf92aeb65d7a0f9e9325ad534862d2b2ecf6e1cd88

SHA512
db5852eaa9e9323620e2513fc05016ca5073f2b0acfea04c9ab5caa8056d38aa333e961de94f1dba629c645b39ebbab8b5d906ca1e38b6cd1a9091f96385e62b

Download Submit
C:\Windows\{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe

Filesize
216KB

MD5
7ccb684a0c38a642c8ce909c1edc8d85

SHA1
a65a8d09498c77a522a03704970ae68302e76134

SHA256
8f498b72bd48d74f049deb707323081021ddd69d0d22031229d0125aea236da0

SHA512
a0f83116f53ff067ee7eb77082793a95a2e75a00e9f47f880180e8ce8ae1e40dc3a3b97760ed57a115462d86cf61d6d110c9cf3bc1e5c6961e558cbd82be443b

Download Submit
C:\Windows\{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe

Filesize
216KB

MD5
7ccb684a0c38a642c8ce909c1edc8d85

SHA1
a65a8d09498c77a522a03704970ae68302e76134

SHA256
8f498b72bd48d74f049deb707323081021ddd69d0d22031229d0125aea236da0

SHA512
a0f83116f53ff067ee7eb77082793a95a2e75a00e9f47f880180e8ce8ae1e40dc3a3b97760ed57a115462d86cf61d6d110c9cf3bc1e5c6961e558cbd82be443b

Download Submit
C:\Windows\{374DA0B9-990A-4ce0-9ADC-1D7833B99E05}.exe

Filesize
216KB

MD5
7ccb684a0c38a642c8ce909c1edc8d85

SHA1
a65a8d09498c77a522a03704970ae68302e76134

SHA256
8f498b72bd48d74f049deb707323081021ddd69d0d22031229d0125aea236da0

SHA512
a0f83116f53ff067ee7eb77082793a95a2e75a00e9f47f880180e8ce8ae1e40dc3a3b97760ed57a115462d86cf61d6d110c9cf3bc1e5c6961e558cbd82be443b

Download Submit
C:\Windows\{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe

Filesize
216KB

MD5
dd50a467a07e5f1fb9c3281c1bb7d6d7

SHA1
48aed7f3492b1125ce079ad7d18448e053a1bddd

SHA256
2bc869e12bace6982fc5a8bd7a203c0bd6c127dbc5408f47fdb1f24b78470b6a

SHA512
90942966ed0585a7a28068882f278d0044e6ed8192edfd99c9c058792396dc7c9b6fb5e9cfbf0b6fab347df53c09ba5ffb01e51b647408e6074d371c143209ce

Download Submit
C:\Windows\{6D98840A-5A7D-4b84-A34B-0D899170F7B4}.exe

Filesize
216KB

MD5
dd50a467a07e5f1fb9c3281c1bb7d6d7

SHA1
48aed7f3492b1125ce079ad7d18448e053a1bddd

SHA256
2bc869e12bace6982fc5a8bd7a203c0bd6c127dbc5408f47fdb1f24b78470b6a

SHA512
90942966ed0585a7a28068882f278d0044e6ed8192edfd99c9c058792396dc7c9b6fb5e9cfbf0b6fab347df53c09ba5ffb01e51b647408e6074d371c143209ce

Download Submit
C:\Windows\{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe

Filesize
216KB

MD5
8cfbe9002ecffd61940042797e3fa760

SHA1
4b8c6ac99eb1402a687684e827568fef2a01a57e

SHA256
e52952fb7d7db8dc55f4af5596e122ab0ddbf8235f26e64e98e8ceda03211ba7

SHA512
0d2522ad3c932e5c3d7cddf1b11175b4842fdf03a94f9caf70a91f03bf29b291e1a2502f701e5a458dbedf3cf6b46bd9fcf32fa9ade71c70024335c168a6e42b

Download Submit
C:\Windows\{7A23F59F-5538-4b7e-9F03-CCF9F1D42012}.exe

Filesize
216KB

MD5
8cfbe9002ecffd61940042797e3fa760

SHA1
4b8c6ac99eb1402a687684e827568fef2a01a57e

SHA256
e52952fb7d7db8dc55f4af5596e122ab0ddbf8235f26e64e98e8ceda03211ba7

SHA512
0d2522ad3c932e5c3d7cddf1b11175b4842fdf03a94f9caf70a91f03bf29b291e1a2502f701e5a458dbedf3cf6b46bd9fcf32fa9ade71c70024335c168a6e42b

Download Submit
C:\Windows\{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe

Filesize
216KB

MD5
7c73909e887d5518816e73b4bc8582fb

SHA1
f5b24f6fc9095d5475332fd8495a7e778297e759

SHA256
133887271bf9167857f35adec58502d3556be8506e11c2612c16dc4dde37c628

SHA512
6c2b6b6b699c4286f99cfece2bcdefece44b89c9f693ea1135a471d0121b67b704075252a893fdd66128799180f6d61dfdb8b361ee4fa8d372a90fd547f72363

Download Submit
C:\Windows\{7CD33447-3AE1-4aea-AA9C-9A13103206FC}.exe

Filesize
216KB

MD5
7c73909e887d5518816e73b4bc8582fb

SHA1
f5b24f6fc9095d5475332fd8495a7e778297e759

SHA256
133887271bf9167857f35adec58502d3556be8506e11c2612c16dc4dde37c628

SHA512
6c2b6b6b699c4286f99cfece2bcdefece44b89c9f693ea1135a471d0121b67b704075252a893fdd66128799180f6d61dfdb8b361ee4fa8d372a90fd547f72363

Download Submit
C:\Windows\{979F601F-9A97-455b-84C1-5FE91E657673}.exe

Filesize
216KB

MD5
abb6a202916219d14cf746d0e37e333c

SHA1
f36c980fe43a207ef404cfa15ca06205709dce2f

SHA256
9761bbe3ae8455e847d4b8277d5382c5356dc2b727a91ec11355b0130881b370

SHA512
19ad04d8cebe6cb47771948ff9f4921faf7522be5c2f25e82eab1e1a368db1f310e444a13332e439919b802ff5b91ad7ffa80b13f8a14e801cfcd2787476a0e0

Download Submit
C:\Windows\{979F601F-9A97-455b-84C1-5FE91E657673}.exe

Filesize
216KB

MD5
abb6a202916219d14cf746d0e37e333c

SHA1
f36c980fe43a207ef404cfa15ca06205709dce2f

SHA256
9761bbe3ae8455e847d4b8277d5382c5356dc2b727a91ec11355b0130881b370

SHA512
19ad04d8cebe6cb47771948ff9f4921faf7522be5c2f25e82eab1e1a368db1f310e444a13332e439919b802ff5b91ad7ffa80b13f8a14e801cfcd2787476a0e0

Download Submit
C:\Windows\{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe

Filesize
216KB

MD5
c23e64b76287d146dfdc9ab8067c9bd6

SHA1
4a8213ad480c81aa71f248e819fc636f3c250b4c

SHA256
49db979565953886c073e0ccd0507fec43b1f8543295df5692fc5bdf3e111b52

SHA512
04f31ced6ebb93920f76d92c3bb46e6c802ea9af28b22f0d5c310d556b0db08aac599c250093c464b46bb01a089dd1bcfda4b09048f9b0d01701eadfa9480f85

Download Submit
C:\Windows\{9D4A5380-7D45-4a31-85F2-EF281112D9DD}.exe

Filesize
216KB

MD5
c23e64b76287d146dfdc9ab8067c9bd6

SHA1
4a8213ad480c81aa71f248e819fc636f3c250b4c

SHA256
49db979565953886c073e0ccd0507fec43b1f8543295df5692fc5bdf3e111b52

SHA512
04f31ced6ebb93920f76d92c3bb46e6c802ea9af28b22f0d5c310d556b0db08aac599c250093c464b46bb01a089dd1bcfda4b09048f9b0d01701eadfa9480f85

Download Submit
C:\Windows\{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe

Filesize
216KB

MD5
f8e0cc8871cac512fa40e03a5d0e494f

SHA1
dee57f27c80abcf4146ce9ce7a4bdf293524ab80

SHA256
902bdf26671e5bc739f51ac73e35c87de2f7076d8960d25fc70905befa535e63

SHA512
953d15f3606b153b1285b67ec9f1f333d343e1d6e02405408e070eb699c79025c5212881ac56ac17c40661018b3d1394489b5b94559b7c6c127e9c36c06b6e62

Download Submit
C:\Windows\{A39B7FB6-3F8C-4dcf-9E4A-146170819A3F}.exe

Filesize
216KB

MD5
f8e0cc8871cac512fa40e03a5d0e494f

SHA1
dee57f27c80abcf4146ce9ce7a4bdf293524ab80

SHA256
902bdf26671e5bc739f51ac73e35c87de2f7076d8960d25fc70905befa535e63

SHA512
953d15f3606b153b1285b67ec9f1f333d343e1d6e02405408e070eb699c79025c5212881ac56ac17c40661018b3d1394489b5b94559b7c6c127e9c36c06b6e62

Download Submit
C:\Windows\{B65EE62E-C2B4-4f9a-AB80-59EDCE894DE2}.exe

Filesize
216KB

MD5
eec8be2014f4eb007934b7d7c593fb50

SHA1
75161cace616f0da5c39d8828387a376d85c0398

SHA256
26d35d0a15c8e0a4687ff9b2b6e7cec58fad43556e142f5d416425fde74886b5

SHA512
017931abab1d4d6baf5587a477780964d597677b6e8e5cdc7d8c1cf083372ef925e6a925d6eef69ee6e7fd9d782f5ec6408c0e99e96865a33ddd2d93d3f42ec6

Download Submit
C:\Windows\{B65EE62E-C2B4-4f9a-AB80-59EDCE894DE2}.exe

Filesize
216KB

MD5
eec8be2014f4eb007934b7d7c593fb50

SHA1
75161cace616f0da5c39d8828387a376d85c0398

SHA256
26d35d0a15c8e0a4687ff9b2b6e7cec58fad43556e142f5d416425fde74886b5

SHA512
017931abab1d4d6baf5587a477780964d597677b6e8e5cdc7d8c1cf083372ef925e6a925d6eef69ee6e7fd9d782f5ec6408c0e99e96865a33ddd2d93d3f42ec6

Download Submit
C:\Windows\{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe

Filesize
216KB

MD5
e9e09d5c0bcab05d4d09164a4efcf3af

SHA1
65671a64252e39facd248a7e87ba861073f05a38

SHA256
39757ae00003932f4bb78b74cb185f49546e177631819ffe702504c7332aedcf

SHA512
558b45e0af31c5c4acf1006861521eda07db60cf35188be689e6ea453d4aa7aec81cec0b0fea79ac2b16fbc83605ac25cb06c42a9a6e64d1588d5b257915492e

Download Submit
C:\Windows\{D2EA185A-588B-4d1f-A723-6C0DA9809CB2}.exe

Filesize
216KB

MD5
e9e09d5c0bcab05d4d09164a4efcf3af

SHA1
65671a64252e39facd248a7e87ba861073f05a38

SHA256
39757ae00003932f4bb78b74cb185f49546e177631819ffe702504c7332aedcf

SHA512
558b45e0af31c5c4acf1006861521eda07db60cf35188be689e6ea453d4aa7aec81cec0b0fea79ac2b16fbc83605ac25cb06c42a9a6e64d1588d5b257915492e

Download Submit
C:\Windows\{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe

Filesize
216KB

MD5
e822b2637b132098af436cd9dd0212c1

SHA1
f4bc33106b4c023df09845f8b2181ef3e76ffe21

SHA256
e1b231af7bcb205655af6b322632b6f20232fc1558511d7b174afbcdac96778a

SHA512
acad902a378e4fd8d0f5628132897693772eb621b7d6758259c281d1a05debb83df1f47d67e47931bd7a3a66d597f71d5810e8c3d10548805d5c1d03530bc61d

Download Submit
C:\Windows\{E1E75B96-EEF1-4dd6-A3DA-F8F7FB54F9CF}.exe

Filesize
216KB

MD5
e822b2637b132098af436cd9dd0212c1

SHA1
f4bc33106b4c023df09845f8b2181ef3e76ffe21

SHA256
e1b231af7bcb205655af6b322632b6f20232fc1558511d7b174afbcdac96778a

SHA512
acad902a378e4fd8d0f5628132897693772eb621b7d6758259c281d1a05debb83df1f47d67e47931bd7a3a66d597f71d5810e8c3d10548805d5c1d03530bc61d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads