7f32027e3dc235d8744d27a9017f339bb902666bb63b6ae725f07517a9fc5382

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23/08/2023, 17:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7d4804cb5c93582a3d6a16256357a86a_goldeneye_JC.exe
Size

168KB
MD5

7d4804cb5c93582a3d6a16256357a86a
SHA1

477f7e5c9f84bca3c279acfbc6de3aeeee1b0160
SHA256

7f32027e3dc235d8744d27a9017f339bb902666bb63b6ae725f07517a9fc5382
SHA512

aac9a07203ddccd9ba11a0bdb93f9101314c72d4aaf1db372cb13619c436d16fdd3492c2525271c360b4537a4b19262fd9213d6a340d4bd6525d4da4660d3e85
SSDEEP

1536:1EGh0otlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0otlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}\stubpath = "C:\\Windows\\{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe"	{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB01E1D3-46A3-499c-9BBA-92A6913E9228}\stubpath = "C:\\Windows\\{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe"	{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE727377-4D4D-42d7-B084-6B1C922D5E6E}	{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EDAB34C-F4AE-44e6-9CC6-5DCAC3FBA355}	{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EDAB34C-F4AE-44e6-9CC6-5DCAC3FBA355}\stubpath = "C:\\Windows\\{6EDAB34C-F4AE-44e6-9CC6-5DCAC3FBA355}.exe"	{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCABC5DF-D197-4bd8-95DD-8EEF9312B8C6}	{6EDAB34C-F4AE-44e6-9CC6-5DCAC3FBA355}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DCA2E29-6EC6-4baa-ADD2-CFBCEDAF3632}\stubpath = "C:\\Windows\\{5DCA2E29-6EC6-4baa-ADD2-CFBCEDAF3632}.exe"	{FCABC5DF-D197-4bd8-95DD-8EEF9312B8C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}	{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}\stubpath = "C:\\Windows\\{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe"	{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE727377-4D4D-42d7-B084-6B1C922D5E6E}\stubpath = "C:\\Windows\\{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe"	{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCABC5DF-D197-4bd8-95DD-8EEF9312B8C6}\stubpath = "C:\\Windows\\{FCABC5DF-D197-4bd8-95DD-8EEF9312B8C6}.exe"	{6EDAB34C-F4AE-44e6-9CC6-5DCAC3FBA355}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DCA2E29-6EC6-4baa-ADD2-CFBCEDAF3632}	{FCABC5DF-D197-4bd8-95DD-8EEF9312B8C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A9A2FD8-89D8-4453-99E5-BD76B459F9F0}\stubpath = "C:\\Windows\\{6A9A2FD8-89D8-4453-99E5-BD76B459F9F0}.exe"	{5DCA2E29-6EC6-4baa-ADD2-CFBCEDAF3632}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}	{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}\stubpath = "C:\\Windows\\{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe"	{641B6A3A-710F-4924-9045-13181C9DC26D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB01E1D3-46A3-499c-9BBA-92A6913E9228}	{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{641B6A3A-710F-4924-9045-13181C9DC26D}\stubpath = "C:\\Windows\\{641B6A3A-710F-4924-9045-13181C9DC26D}.exe"	7d4804cb5c93582a3d6a16256357a86a_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}	{641B6A3A-710F-4924-9045-13181C9DC26D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}	{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}\stubpath = "C:\\Windows\\{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe"	{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A9A2FD8-89D8-4453-99E5-BD76B459F9F0}	{5DCA2E29-6EC6-4baa-ADD2-CFBCEDAF3632}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{641B6A3A-710F-4924-9045-13181C9DC26D}	7d4804cb5c93582a3d6a16256357a86a_goldeneye_JC.exe

Deletes itself 1 IoCs

pid	Process
2008	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2540	{641B6A3A-710F-4924-9045-13181C9DC26D}.exe
1108	{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe
2828	{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe
2952	{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe
2928	{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe
2712	{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe
2856	{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe
2704	{6EDAB34C-F4AE-44e6-9CC6-5DCAC3FBA355}.exe
2416	{FCABC5DF-D197-4bd8-95DD-8EEF9312B8C6}.exe
2664	{5DCA2E29-6EC6-4baa-ADD2-CFBCEDAF3632}.exe
368	{6A9A2FD8-89D8-4453-99E5-BD76B459F9F0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6EDAB34C-F4AE-44e6-9CC6-5DCAC3FBA355}.exe	{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe
File created	C:\Windows\{5DCA2E29-6EC6-4baa-ADD2-CFBCEDAF3632}.exe	{FCABC5DF-D197-4bd8-95DD-8EEF9312B8C6}.exe
File created	C:\Windows\{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe	{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe
File created	C:\Windows\{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe	{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe
File created	C:\Windows\{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe	{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe
File created	C:\Windows\{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe	{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe
File created	C:\Windows\{FCABC5DF-D197-4bd8-95DD-8EEF9312B8C6}.exe	{6EDAB34C-F4AE-44e6-9CC6-5DCAC3FBA355}.exe
File created	C:\Windows\{6A9A2FD8-89D8-4453-99E5-BD76B459F9F0}.exe	{5DCA2E29-6EC6-4baa-ADD2-CFBCEDAF3632}.exe
File created	C:\Windows\{641B6A3A-710F-4924-9045-13181C9DC26D}.exe	7d4804cb5c93582a3d6a16256357a86a_goldeneye_JC.exe
File created	C:\Windows\{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe	{641B6A3A-710F-4924-9045-13181C9DC26D}.exe
File created	C:\Windows\{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe	{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1472	7d4804cb5c93582a3d6a16256357a86a_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2540	{641B6A3A-710F-4924-9045-13181C9DC26D}.exe
Token: SeIncBasePriorityPrivilege	1108	{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe
Token: SeIncBasePriorityPrivilege	2828	{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe
Token: SeIncBasePriorityPrivilege	2952	{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe
Token: SeIncBasePriorityPrivilege	2928	{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe
Token: SeIncBasePriorityPrivilege	2712	{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe
Token: SeIncBasePriorityPrivilege	2856	{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe
Token: SeIncBasePriorityPrivilege	2704	{6EDAB34C-F4AE-44e6-9CC6-5DCAC3FBA355}.exe
Token: SeIncBasePriorityPrivilege	2416	{FCABC5DF-D197-4bd8-95DD-8EEF9312B8C6}.exe
Token: SeIncBasePriorityPrivilege	2664	{5DCA2E29-6EC6-4baa-ADD2-CFBCEDAF3632}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 2540	1472	7d4804cb5c93582a3d6a16256357a86a_goldeneye_JC.exe	28
PID 1472 wrote to memory of 2540	1472	7d4804cb5c93582a3d6a16256357a86a_goldeneye_JC.exe	28
PID 1472 wrote to memory of 2540	1472	7d4804cb5c93582a3d6a16256357a86a_goldeneye_JC.exe	28
PID 1472 wrote to memory of 2540	1472	7d4804cb5c93582a3d6a16256357a86a_goldeneye_JC.exe	28
PID 1472 wrote to memory of 2008	1472	7d4804cb5c93582a3d6a16256357a86a_goldeneye_JC.exe	29
PID 1472 wrote to memory of 2008	1472	7d4804cb5c93582a3d6a16256357a86a_goldeneye_JC.exe	29
PID 1472 wrote to memory of 2008	1472	7d4804cb5c93582a3d6a16256357a86a_goldeneye_JC.exe	29
PID 1472 wrote to memory of 2008	1472	7d4804cb5c93582a3d6a16256357a86a_goldeneye_JC.exe	29
PID 2540 wrote to memory of 1108	2540	{641B6A3A-710F-4924-9045-13181C9DC26D}.exe	32
PID 2540 wrote to memory of 1108	2540	{641B6A3A-710F-4924-9045-13181C9DC26D}.exe	32
PID 2540 wrote to memory of 1108	2540	{641B6A3A-710F-4924-9045-13181C9DC26D}.exe	32
PID 2540 wrote to memory of 1108	2540	{641B6A3A-710F-4924-9045-13181C9DC26D}.exe	32
PID 2540 wrote to memory of 1484	2540	{641B6A3A-710F-4924-9045-13181C9DC26D}.exe	33
PID 2540 wrote to memory of 1484	2540	{641B6A3A-710F-4924-9045-13181C9DC26D}.exe	33
PID 2540 wrote to memory of 1484	2540	{641B6A3A-710F-4924-9045-13181C9DC26D}.exe	33
PID 2540 wrote to memory of 1484	2540	{641B6A3A-710F-4924-9045-13181C9DC26D}.exe	33
PID 1108 wrote to memory of 2828	1108	{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe	35
PID 1108 wrote to memory of 2828	1108	{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe	35
PID 1108 wrote to memory of 2828	1108	{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe	35
PID 1108 wrote to memory of 2828	1108	{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe	35
PID 1108 wrote to memory of 2904	1108	{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe	34
PID 1108 wrote to memory of 2904	1108	{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe	34
PID 1108 wrote to memory of 2904	1108	{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe	34
PID 1108 wrote to memory of 2904	1108	{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe	34
PID 2828 wrote to memory of 2952	2828	{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe	36
PID 2828 wrote to memory of 2952	2828	{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe	36
PID 2828 wrote to memory of 2952	2828	{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe	36
PID 2828 wrote to memory of 2952	2828	{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe	36
PID 2828 wrote to memory of 2808	2828	{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe	37
PID 2828 wrote to memory of 2808	2828	{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe	37
PID 2828 wrote to memory of 2808	2828	{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe	37
PID 2828 wrote to memory of 2808	2828	{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe	37
PID 2952 wrote to memory of 2928	2952	{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe	38
PID 2952 wrote to memory of 2928	2952	{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe	38
PID 2952 wrote to memory of 2928	2952	{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe	38
PID 2952 wrote to memory of 2928	2952	{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe	38
PID 2952 wrote to memory of 2844	2952	{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe	39
PID 2952 wrote to memory of 2844	2952	{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe	39
PID 2952 wrote to memory of 2844	2952	{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe	39
PID 2952 wrote to memory of 2844	2952	{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe	39
PID 2928 wrote to memory of 2712	2928	{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe	40
PID 2928 wrote to memory of 2712	2928	{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe	40
PID 2928 wrote to memory of 2712	2928	{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe	40
PID 2928 wrote to memory of 2712	2928	{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe	40
PID 2928 wrote to memory of 2476	2928	{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe	41
PID 2928 wrote to memory of 2476	2928	{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe	41
PID 2928 wrote to memory of 2476	2928	{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe	41
PID 2928 wrote to memory of 2476	2928	{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe	41
PID 2712 wrote to memory of 2856	2712	{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe	42
PID 2712 wrote to memory of 2856	2712	{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe	42
PID 2712 wrote to memory of 2856	2712	{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe	42
PID 2712 wrote to memory of 2856	2712	{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe	42
PID 2712 wrote to memory of 2740	2712	{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe	43
PID 2712 wrote to memory of 2740	2712	{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe	43
PID 2712 wrote to memory of 2740	2712	{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe	43
PID 2712 wrote to memory of 2740	2712	{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe	43
PID 2856 wrote to memory of 2704	2856	{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe	44
PID 2856 wrote to memory of 2704	2856	{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe	44
PID 2856 wrote to memory of 2704	2856	{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe	44
PID 2856 wrote to memory of 2704	2856	{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe	44
PID 2856 wrote to memory of 2760	2856	{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe	45
PID 2856 wrote to memory of 2760	2856	{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe	45
PID 2856 wrote to memory of 2760	2856	{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe	45
PID 2856 wrote to memory of 2760	2856	{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe	45

C:\Users\Admin\AppData\Local\Temp\7d4804cb5c93582a3d6a16256357a86a_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\7d4804cb5c93582a3d6a16256357a86a_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\{641B6A3A-710F-4924-9045-13181C9DC26D}.exe
  C:\Windows\{641B6A3A-710F-4924-9045-13181C9DC26D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe
    C:\Windows\{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FC0C0~1.EXE > nul
      4⤵
      PID:2904
  - - C:\Windows\{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe
      C:\Windows\{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe
        
        C:\Windows\{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe
        
        C:\Windows\{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe
        
        C:\Windows\{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe
        
        C:\Windows\{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{6EDAB34C-F4AE-44e6-9CC6-5DCAC3FBA355}.exe
        
        C:\Windows\{6EDAB34C-F4AE-44e6-9CC6-5DCAC3FBA355}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\{FCABC5DF-D197-4bd8-95DD-8EEF9312B8C6}.exe
        
        C:\Windows\{FCABC5DF-D197-4bd8-95DD-8EEF9312B8C6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCABC~1.EXE > nul
        11⤵
        
        PID:572
        
        C:\Windows\{5DCA2E29-6EC6-4baa-ADD2-CFBCEDAF3632}.exe
        
        C:\Windows\{5DCA2E29-6EC6-4baa-ADD2-CFBCEDAF3632}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DCA2~1.EXE > nul
        12⤵
        
        PID:3012
        
        C:\Windows\{6A9A2FD8-89D8-4453-99E5-BD76B459F9F0}.exe
        
        C:\Windows\{6A9A2FD8-89D8-4453-99E5-BD76B459F9F0}.exe
        12⤵
        Executes dropped EXE
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EDAB~1.EXE > nul
        10⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DA6D~1.EXE > nul
        9⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE727~1.EXE > nul
        8⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB01E~1.EXE > nul
        7⤵
        
        PID:2476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EDFD~1.EXE > nul
        6⤵
        
        PID:2844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA16A~1.EXE > nul
        5⤵
        
        PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{641B6~1.EXE > nul
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7D4804~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe

Filesize
168KB

MD5
defb17b0021f525a84942354285858d6

SHA1
7a766fa3bf2fb0d6b1ef9823f78785dfada582f7

SHA256
3977dd90f4efe37c0ed8356a2182e3d3434fe82284144cef3243c35fd5d00a93

SHA512
b41e1f06d372edab5babbd7d4af2f2dfa995aab6da5d79a5b3cb3443273f18a5b1d2df0f76e7f26b6a102c47af4fa741e2dccd9f2a960aad61eca1c2b98d3b56

Download Submit
C:\Windows\{3DA6D0F1-C35C-43fd-8552-975EC000F8CC}.exe

Filesize
168KB

MD5
defb17b0021f525a84942354285858d6

SHA1
7a766fa3bf2fb0d6b1ef9823f78785dfada582f7

SHA256
3977dd90f4efe37c0ed8356a2182e3d3434fe82284144cef3243c35fd5d00a93

SHA512
b41e1f06d372edab5babbd7d4af2f2dfa995aab6da5d79a5b3cb3443273f18a5b1d2df0f76e7f26b6a102c47af4fa741e2dccd9f2a960aad61eca1c2b98d3b56

Download Submit
C:\Windows\{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe

Filesize
168KB

MD5
50bc21288d89c4cc9c7d3052cdb613ad

SHA1
8d6ea738e50cc680ba0a51bb2b1f6a0080dc4c41

SHA256
5510d53b8251e1e59a8c4ac15b353148b3b61b97055615ef933edf8a54c8c260

SHA512
a60c8a32b9caf174ef556147270af9a8d0666bb9fe20ee5cbb26673ac5b072c7bc3e1307268e4342df4e5c0678384ea1bff18126554e6aa0fd7562f1b6980026

Download Submit
C:\Windows\{3EDFDE95-2F77-4557-9C1C-5FFDCA01F62C}.exe

Filesize
168KB

MD5
50bc21288d89c4cc9c7d3052cdb613ad

SHA1
8d6ea738e50cc680ba0a51bb2b1f6a0080dc4c41

SHA256
5510d53b8251e1e59a8c4ac15b353148b3b61b97055615ef933edf8a54c8c260

SHA512
a60c8a32b9caf174ef556147270af9a8d0666bb9fe20ee5cbb26673ac5b072c7bc3e1307268e4342df4e5c0678384ea1bff18126554e6aa0fd7562f1b6980026

Download Submit
C:\Windows\{5DCA2E29-6EC6-4baa-ADD2-CFBCEDAF3632}.exe

Filesize
168KB

MD5
d72dd0b016c5ca8b57cc762e2c1e0784

SHA1
775bce665536bc6cacf4215c2750139aa2850a5f

SHA256
0dde225a3e22545fbd224ff223f7ea0b0a3c4fce6aecf8cd30c7cf158f586209

SHA512
08009d2ae82f3a2b1998903e96e56a202b807fad45a894045488dc5faddaf1b59bb296c52dfafc1af3d11f85812e7d362b5cabb918dd995c5848192a32d57fbb

Download Submit
C:\Windows\{5DCA2E29-6EC6-4baa-ADD2-CFBCEDAF3632}.exe

Filesize
168KB

MD5
d72dd0b016c5ca8b57cc762e2c1e0784

SHA1
775bce665536bc6cacf4215c2750139aa2850a5f

SHA256
0dde225a3e22545fbd224ff223f7ea0b0a3c4fce6aecf8cd30c7cf158f586209

SHA512
08009d2ae82f3a2b1998903e96e56a202b807fad45a894045488dc5faddaf1b59bb296c52dfafc1af3d11f85812e7d362b5cabb918dd995c5848192a32d57fbb

Download Submit
C:\Windows\{641B6A3A-710F-4924-9045-13181C9DC26D}.exe

Filesize
168KB

MD5
3b9130248cc7bc772bab01db387de4ed

SHA1
e9cc1b23fcbc2ab9447ad38ce9a2837c13968245

SHA256
fd92d4c23bb3b6b09d38bdeb4a533ee84223e17e67b40d6c37e6720d983d88df

SHA512
c66955f738f727845c00777c98ad428bcb362c22107ba36fee8618d4d72fde8bfcd2fd77f2f86e55a2636c02cd5f24e2b81321804efb4149327f92294399842d

Download Submit
C:\Windows\{641B6A3A-710F-4924-9045-13181C9DC26D}.exe

Filesize
168KB

MD5
3b9130248cc7bc772bab01db387de4ed

SHA1
e9cc1b23fcbc2ab9447ad38ce9a2837c13968245

SHA256
fd92d4c23bb3b6b09d38bdeb4a533ee84223e17e67b40d6c37e6720d983d88df

SHA512
c66955f738f727845c00777c98ad428bcb362c22107ba36fee8618d4d72fde8bfcd2fd77f2f86e55a2636c02cd5f24e2b81321804efb4149327f92294399842d

Download Submit
C:\Windows\{641B6A3A-710F-4924-9045-13181C9DC26D}.exe

Filesize
168KB

MD5
3b9130248cc7bc772bab01db387de4ed

SHA1
e9cc1b23fcbc2ab9447ad38ce9a2837c13968245

SHA256
fd92d4c23bb3b6b09d38bdeb4a533ee84223e17e67b40d6c37e6720d983d88df

SHA512
c66955f738f727845c00777c98ad428bcb362c22107ba36fee8618d4d72fde8bfcd2fd77f2f86e55a2636c02cd5f24e2b81321804efb4149327f92294399842d

Download Submit
C:\Windows\{6A9A2FD8-89D8-4453-99E5-BD76B459F9F0}.exe

Filesize
168KB

MD5
7a6171a58e932fb96029ece750209065

SHA1
e39cd07150ce06181f01ae602fe0043cad75f0ae

SHA256
390bb5c6fb1a029023612745c3b2aa1131b74f479153b8d9dd5d6146303a531f

SHA512
a78c3f2e2bb3f44a28d1dc5d66d9446a843038241f1a07aa8707c2c79284dce25642fca846fccbc5f4cd6fa7b1599cfbf038a942d2fc15a8eb7f9b9007fc4c4e

Download Submit
C:\Windows\{6EDAB34C-F4AE-44e6-9CC6-5DCAC3FBA355}.exe

Filesize
168KB

MD5
436b8a09c1238f16065f87ef907dacad

SHA1
85987f32dbabcc08fb0e1f81dfdd6737ac74a00c

SHA256
c66ca652ea086aa2cde6e89f88c97b39d83fc48f54e0a32d0d5ff04cf40478e4

SHA512
212b69106d54c2e76325cbef0b97ac2e7e72f256d9718924cb72e08f649bff0da6da3303caffb47ab6bd66e5f615513f0f551cce72427198bd444e4ecf07d679

Download Submit
C:\Windows\{6EDAB34C-F4AE-44e6-9CC6-5DCAC3FBA355}.exe

Filesize
168KB

MD5
436b8a09c1238f16065f87ef907dacad

SHA1
85987f32dbabcc08fb0e1f81dfdd6737ac74a00c

SHA256
c66ca652ea086aa2cde6e89f88c97b39d83fc48f54e0a32d0d5ff04cf40478e4

SHA512
212b69106d54c2e76325cbef0b97ac2e7e72f256d9718924cb72e08f649bff0da6da3303caffb47ab6bd66e5f615513f0f551cce72427198bd444e4ecf07d679

Download Submit
C:\Windows\{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe

Filesize
168KB

MD5
b335e15cf469e4486438ea698ee884e6

SHA1
bf8471f8cecc4aa918b4f84abf07cad786ae733e

SHA256
663826008568b4fc45562ff7a4f54bd9a20e3a8d638854c9b35c35d3c1912190

SHA512
ba098a9d4c768e1be88ad7e3349b39900dd2c4040cb6de0cb6ecfbe38bff156e757819196faae924edcf6cc842038a58f6bce3f550ddfc4af413f268f78628c4

Download Submit
C:\Windows\{DA16A06E-4D08-43e9-9BCA-2FF27755DEE6}.exe

Filesize
168KB

MD5
b335e15cf469e4486438ea698ee884e6

SHA1
bf8471f8cecc4aa918b4f84abf07cad786ae733e

SHA256
663826008568b4fc45562ff7a4f54bd9a20e3a8d638854c9b35c35d3c1912190

SHA512
ba098a9d4c768e1be88ad7e3349b39900dd2c4040cb6de0cb6ecfbe38bff156e757819196faae924edcf6cc842038a58f6bce3f550ddfc4af413f268f78628c4

Download Submit
C:\Windows\{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe

Filesize
168KB

MD5
c9f46e532d3db73c2b30dd8519c0303a

SHA1
02d3e9511e0e5d66a9373a1c26c244c436ab42ec

SHA256
4d5d88b243740b6fe11eda529f274278089633a652d968510bd42459c2f5a4f5

SHA512
b4d4bc4cfe03d3cf18a22deb3d97acfc57e3ac9d2f9e0bbc98f039a0710a68001ce68c7c10f1de43b4c23cef23234c1da7f515b67efb553b97c53419d9145aad

Download Submit
C:\Windows\{DB01E1D3-46A3-499c-9BBA-92A6913E9228}.exe

Filesize
168KB

MD5
c9f46e532d3db73c2b30dd8519c0303a

SHA1
02d3e9511e0e5d66a9373a1c26c244c436ab42ec

SHA256
4d5d88b243740b6fe11eda529f274278089633a652d968510bd42459c2f5a4f5

SHA512
b4d4bc4cfe03d3cf18a22deb3d97acfc57e3ac9d2f9e0bbc98f039a0710a68001ce68c7c10f1de43b4c23cef23234c1da7f515b67efb553b97c53419d9145aad

Download Submit
C:\Windows\{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe

Filesize
168KB

MD5
006778deffdc6fd13f3613753ff8252b

SHA1
d7a6cb94b8a473c6cc8b080d28ef186b2ece64fd

SHA256
f605829ef9692adced908808055efde288fe5324ad1ae6623ae2141e0705088e

SHA512
934c27857594b6d28841db2383c7f19bc5be3c84bb462bdc63b422930ae619404e3192aaed23548405fbfe3580e84d4297b0977caa7582b922a77e0df9ff4c87

Download Submit
C:\Windows\{EE727377-4D4D-42d7-B084-6B1C922D5E6E}.exe

Filesize
168KB

MD5
006778deffdc6fd13f3613753ff8252b

SHA1
d7a6cb94b8a473c6cc8b080d28ef186b2ece64fd

SHA256
f605829ef9692adced908808055efde288fe5324ad1ae6623ae2141e0705088e

SHA512
934c27857594b6d28841db2383c7f19bc5be3c84bb462bdc63b422930ae619404e3192aaed23548405fbfe3580e84d4297b0977caa7582b922a77e0df9ff4c87

Download Submit
C:\Windows\{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe

Filesize
168KB

MD5
1b7a52ae4884fa8502884208c73454fe

SHA1
08ab926f8bc412aca02df66dad9744d09b953a6b

SHA256
2a2e77e5ccacdd566c59e7007989d152229a0fa629d3d0e8c0b31c0afff84981

SHA512
b76ebd9c4a629e5d3e5c878d1ccf61a06306a1576545a817af2d844b7ef2a0a0f22b462546af1f9cfc68354b045741c479efb59bad350fce3f1141e10aa90ac6

Download Submit
C:\Windows\{FC0C0D7B-095A-45ba-9E5F-446AED63CDED}.exe

Filesize
168KB

MD5
1b7a52ae4884fa8502884208c73454fe

SHA1
08ab926f8bc412aca02df66dad9744d09b953a6b

SHA256
2a2e77e5ccacdd566c59e7007989d152229a0fa629d3d0e8c0b31c0afff84981

SHA512
b76ebd9c4a629e5d3e5c878d1ccf61a06306a1576545a817af2d844b7ef2a0a0f22b462546af1f9cfc68354b045741c479efb59bad350fce3f1141e10aa90ac6

Download Submit
C:\Windows\{FCABC5DF-D197-4bd8-95DD-8EEF9312B8C6}.exe

Filesize
168KB

MD5
e38be0b1523f6ae9ef06a1c8754c1ad5

SHA1
600315190fc6ffd6203a10ba33cf0006bcc2f459

SHA256
036b5faf16cc95547aa8ce2a69871b38d51fe2f4fccb07d259abb00b246c8895

SHA512
fffc80ab20dd54bc61124c64501e0c03355fe5f882e6e9db6677a2ff6db5e9e9ea965344fcb8bf18d589f4dd1764a5d3a6ea3c24993d6c75ffdf311a4c8d3b57

Download Submit
C:\Windows\{FCABC5DF-D197-4bd8-95DD-8EEF9312B8C6}.exe

Filesize
168KB

MD5
e38be0b1523f6ae9ef06a1c8754c1ad5

SHA1
600315190fc6ffd6203a10ba33cf0006bcc2f459

SHA256
036b5faf16cc95547aa8ce2a69871b38d51fe2f4fccb07d259abb00b246c8895

SHA512
fffc80ab20dd54bc61124c64501e0c03355fe5f882e6e9db6677a2ff6db5e9e9ea965344fcb8bf18d589f4dd1764a5d3a6ea3c24993d6c75ffdf311a4c8d3b57

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads