6c207349c2fd03218a0277cb02fee5327747ac62ae61b9814d7238d19cee6842

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25/08/2023, 15:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9a372e501f53d7b9b8970919c01894ec_goldeneye_JC.exe
Size

408KB
MD5

9a372e501f53d7b9b8970919c01894ec
SHA1

d286ed9eb8970853a57f776990f386c852b76392
SHA256

6c207349c2fd03218a0277cb02fee5327747ac62ae61b9814d7238d19cee6842
SHA512

b6623f6de3f13a895c5f0a3f1aba75f555a27e5ec91ea6a67c87a9a937c4af38a9d2f17000a697756c3a1ae85c026182014a37074fbc7069deff97c5eb74df92
SSDEEP

3072:CEGh0o+l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGcldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}\stubpath = "C:\\Windows\\{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe"	{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01684B06-A08F-4b47-8325-6163BBEB63CB}\stubpath = "C:\\Windows\\{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe"	{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBBB8A41-2F05-4a3c-A8FE-BF7B30B7C5EB}\stubpath = "C:\\Windows\\{EBBB8A41-2F05-4a3c-A8FE-BF7B30B7C5EB}.exe"	{8C5F280C-8DEA-4b65-AE51-DF313E8F1F04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF1E6EE5-9C76-4dcc-B023-F862BBA9A21A}	{14E4BD38-F531-4c67-B9DC-9DDC6527C7B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA9E6817-AFB1-41d7-AF0F-9161195035AA}	{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA5AADD5-A259-409e-A71E-9C234E16997E}	{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA5AADD5-A259-409e-A71E-9C234E16997E}\stubpath = "C:\\Windows\\{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe"	{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBBB8A41-2F05-4a3c-A8FE-BF7B30B7C5EB}	{8C5F280C-8DEA-4b65-AE51-DF313E8F1F04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14E4BD38-F531-4c67-B9DC-9DDC6527C7B2}	{EBBB8A41-2F05-4a3c-A8FE-BF7B30B7C5EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14E4BD38-F531-4c67-B9DC-9DDC6527C7B2}\stubpath = "C:\\Windows\\{14E4BD38-F531-4c67-B9DC-9DDC6527C7B2}.exe"	{EBBB8A41-2F05-4a3c-A8FE-BF7B30B7C5EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}	{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}\stubpath = "C:\\Windows\\{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe"	{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}	{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}\stubpath = "C:\\Windows\\{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe"	{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C5F280C-8DEA-4b65-AE51-DF313E8F1F04}\stubpath = "C:\\Windows\\{8C5F280C-8DEA-4b65-AE51-DF313E8F1F04}.exe"	{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF1E6EE5-9C76-4dcc-B023-F862BBA9A21A}\stubpath = "C:\\Windows\\{EF1E6EE5-9C76-4dcc-B023-F862BBA9A21A}.exe"	{14E4BD38-F531-4c67-B9DC-9DDC6527C7B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}	9a372e501f53d7b9b8970919c01894ec_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}\stubpath = "C:\\Windows\\{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe"	9a372e501f53d7b9b8970919c01894ec_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA9E6817-AFB1-41d7-AF0F-9161195035AA}\stubpath = "C:\\Windows\\{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe"	{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}	{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01684B06-A08F-4b47-8325-6163BBEB63CB}	{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C5F280C-8DEA-4b65-AE51-DF313E8F1F04}	{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe

Deletes itself 1 IoCs

pid	Process
2584	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2460	{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe
2536	{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe
2308	{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe
2772	{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe
2892	{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe
2804	{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe
1044	{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe
1664	{8C5F280C-8DEA-4b65-AE51-DF313E8F1F04}.exe
2792	{EBBB8A41-2F05-4a3c-A8FE-BF7B30B7C5EB}.exe
2272	{14E4BD38-F531-4c67-B9DC-9DDC6527C7B2}.exe
2664	{EF1E6EE5-9C76-4dcc-B023-F862BBA9A21A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe	{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe
File created	C:\Windows\{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe	{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe
File created	C:\Windows\{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe	{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe
File created	C:\Windows\{8C5F280C-8DEA-4b65-AE51-DF313E8F1F04}.exe	{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe
File created	C:\Windows\{EF1E6EE5-9C76-4dcc-B023-F862BBA9A21A}.exe	{14E4BD38-F531-4c67-B9DC-9DDC6527C7B2}.exe
File created	C:\Windows\{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe	{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe
File created	C:\Windows\{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe	{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe
File created	C:\Windows\{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe	{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe
File created	C:\Windows\{EBBB8A41-2F05-4a3c-A8FE-BF7B30B7C5EB}.exe	{8C5F280C-8DEA-4b65-AE51-DF313E8F1F04}.exe
File created	C:\Windows\{14E4BD38-F531-4c67-B9DC-9DDC6527C7B2}.exe	{EBBB8A41-2F05-4a3c-A8FE-BF7B30B7C5EB}.exe
File created	C:\Windows\{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe	9a372e501f53d7b9b8970919c01894ec_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1732	9a372e501f53d7b9b8970919c01894ec_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2460	{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe
Token: SeIncBasePriorityPrivilege	2536	{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe
Token: SeIncBasePriorityPrivilege	2308	{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe
Token: SeIncBasePriorityPrivilege	2772	{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe
Token: SeIncBasePriorityPrivilege	2892	{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe
Token: SeIncBasePriorityPrivilege	2804	{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe
Token: SeIncBasePriorityPrivilege	1044	{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe
Token: SeIncBasePriorityPrivilege	1664	{8C5F280C-8DEA-4b65-AE51-DF313E8F1F04}.exe
Token: SeIncBasePriorityPrivilege	2792	{EBBB8A41-2F05-4a3c-A8FE-BF7B30B7C5EB}.exe
Token: SeIncBasePriorityPrivilege	2272	{14E4BD38-F531-4c67-B9DC-9DDC6527C7B2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2460	1732	9a372e501f53d7b9b8970919c01894ec_goldeneye_JC.exe	30
PID 1732 wrote to memory of 2460	1732	9a372e501f53d7b9b8970919c01894ec_goldeneye_JC.exe	30
PID 1732 wrote to memory of 2460	1732	9a372e501f53d7b9b8970919c01894ec_goldeneye_JC.exe	30
PID 1732 wrote to memory of 2460	1732	9a372e501f53d7b9b8970919c01894ec_goldeneye_JC.exe	30
PID 1732 wrote to memory of 2584	1732	9a372e501f53d7b9b8970919c01894ec_goldeneye_JC.exe	31
PID 1732 wrote to memory of 2584	1732	9a372e501f53d7b9b8970919c01894ec_goldeneye_JC.exe	31
PID 1732 wrote to memory of 2584	1732	9a372e501f53d7b9b8970919c01894ec_goldeneye_JC.exe	31
PID 1732 wrote to memory of 2584	1732	9a372e501f53d7b9b8970919c01894ec_goldeneye_JC.exe	31
PID 2460 wrote to memory of 2536	2460	{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe	32
PID 2460 wrote to memory of 2536	2460	{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe	32
PID 2460 wrote to memory of 2536	2460	{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe	32
PID 2460 wrote to memory of 2536	2460	{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe	32
PID 2460 wrote to memory of 1648	2460	{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe	33
PID 2460 wrote to memory of 1648	2460	{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe	33
PID 2460 wrote to memory of 1648	2460	{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe	33
PID 2460 wrote to memory of 1648	2460	{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe	33
PID 2536 wrote to memory of 2308	2536	{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe	35
PID 2536 wrote to memory of 2308	2536	{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe	35
PID 2536 wrote to memory of 2308	2536	{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe	35
PID 2536 wrote to memory of 2308	2536	{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe	35
PID 2536 wrote to memory of 2932	2536	{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe	34
PID 2536 wrote to memory of 2932	2536	{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe	34
PID 2536 wrote to memory of 2932	2536	{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe	34
PID 2536 wrote to memory of 2932	2536	{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe	34
PID 2308 wrote to memory of 2772	2308	{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe	36
PID 2308 wrote to memory of 2772	2308	{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe	36
PID 2308 wrote to memory of 2772	2308	{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe	36
PID 2308 wrote to memory of 2772	2308	{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe	36
PID 2308 wrote to memory of 2392	2308	{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe	37
PID 2308 wrote to memory of 2392	2308	{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe	37
PID 2308 wrote to memory of 2392	2308	{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe	37
PID 2308 wrote to memory of 2392	2308	{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe	37
PID 2772 wrote to memory of 2892	2772	{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe	39
PID 2772 wrote to memory of 2892	2772	{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe	39
PID 2772 wrote to memory of 2892	2772	{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe	39
PID 2772 wrote to memory of 2892	2772	{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe	39
PID 2772 wrote to memory of 2908	2772	{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe	38
PID 2772 wrote to memory of 2908	2772	{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe	38
PID 2772 wrote to memory of 2908	2772	{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe	38
PID 2772 wrote to memory of 2908	2772	{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe	38
PID 2892 wrote to memory of 2804	2892	{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe	40
PID 2892 wrote to memory of 2804	2892	{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe	40
PID 2892 wrote to memory of 2804	2892	{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe	40
PID 2892 wrote to memory of 2804	2892	{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe	40
PID 2892 wrote to memory of 2944	2892	{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe	41
PID 2892 wrote to memory of 2944	2892	{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe	41
PID 2892 wrote to memory of 2944	2892	{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe	41
PID 2892 wrote to memory of 2944	2892	{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe	41
PID 2804 wrote to memory of 1044	2804	{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe	43
PID 2804 wrote to memory of 1044	2804	{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe	43
PID 2804 wrote to memory of 1044	2804	{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe	43
PID 2804 wrote to memory of 1044	2804	{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe	43
PID 2804 wrote to memory of 2796	2804	{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe	42
PID 2804 wrote to memory of 2796	2804	{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe	42
PID 2804 wrote to memory of 2796	2804	{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe	42
PID 2804 wrote to memory of 2796	2804	{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe	42
PID 1044 wrote to memory of 1664	1044	{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe	45
PID 1044 wrote to memory of 1664	1044	{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe	45
PID 1044 wrote to memory of 1664	1044	{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe	45
PID 1044 wrote to memory of 1664	1044	{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe	45
PID 1044 wrote to memory of 2356	1044	{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe	44
PID 1044 wrote to memory of 2356	1044	{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe	44
PID 1044 wrote to memory of 2356	1044	{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe	44
PID 1044 wrote to memory of 2356	1044	{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe	44

C:\Users\Admin\AppData\Local\Temp\9a372e501f53d7b9b8970919c01894ec_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9a372e501f53d7b9b8970919c01894ec_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe
  C:\Windows\{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe
    C:\Windows\{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AA9E6~1.EXE > nul
      4⤵
      PID:2932
  - - C:\Windows\{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe
      C:\Windows\{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Windows\{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe
        
        C:\Windows\{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2685B~1.EXE > nul
        6⤵
        
        PID:2908
      - C:\Windows\{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe
        
        C:\Windows\{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe
        
        C:\Windows\{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDA2F~1.EXE > nul
        8⤵
        
        PID:2796
        
        C:\Windows\{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe
        
        C:\Windows\{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01684~1.EXE > nul
        9⤵
        
        PID:2356
        
        C:\Windows\{8C5F280C-8DEA-4b65-AE51-DF313E8F1F04}.exe
        
        C:\Windows\{8C5F280C-8DEA-4b65-AE51-DF313E8F1F04}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C5F2~1.EXE > nul
        10⤵
        
        PID:2676
        
        C:\Windows\{EBBB8A41-2F05-4a3c-A8FE-BF7B30B7C5EB}.exe
        
        C:\Windows\{EBBB8A41-2F05-4a3c-A8FE-BF7B30B7C5EB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\{14E4BD38-F531-4c67-B9DC-9DDC6527C7B2}.exe
        
        C:\Windows\{14E4BD38-F531-4c67-B9DC-9DDC6527C7B2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\{EF1E6EE5-9C76-4dcc-B023-F862BBA9A21A}.exe
        
        C:\Windows\{EF1E6EE5-9C76-4dcc-B023-F862BBA9A21A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14E4B~1.EXE > nul
        12⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBBB8~1.EXE > nul
        11⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA5AA~1.EXE > nul
        7⤵
        
        PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C3B6~1.EXE > nul
        5⤵
        
        PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F0F96~1.EXE > nul
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9A372E~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe

Filesize
408KB

MD5
6a965d595152ef4218edc181fb9eedac

SHA1
76ab54290f5d109634e841c071358e146e6a804a

SHA256
cc3d658cac56c1538e186ad129afdd6caa268be7b14ab27a800f1b329c163bbc

SHA512
e9f3d6981749b92bcefaca0fabb026b5e7e7c595665b563f30dabe9855ac0a4ff4108e9c5dcb75cde9ac7a6102f8be546bbdbb1e3c3524e6aca0949da3486d8a

Download Submit
C:\Windows\{01684B06-A08F-4b47-8325-6163BBEB63CB}.exe

Filesize
408KB

MD5
6a965d595152ef4218edc181fb9eedac

SHA1
76ab54290f5d109634e841c071358e146e6a804a

SHA256
cc3d658cac56c1538e186ad129afdd6caa268be7b14ab27a800f1b329c163bbc

SHA512
e9f3d6981749b92bcefaca0fabb026b5e7e7c595665b563f30dabe9855ac0a4ff4108e9c5dcb75cde9ac7a6102f8be546bbdbb1e3c3524e6aca0949da3486d8a

Download Submit
C:\Windows\{14E4BD38-F531-4c67-B9DC-9DDC6527C7B2}.exe

Filesize
408KB

MD5
bcfc2b8c5cf4964758c1951a539eee84

SHA1
70d844a793d7a5777dc3c65f298a61ef6fb2c633

SHA256
e539420c3c7395c40d5872c2246bc764b8e9a98708beda2d4cc32d25b8ffbe66

SHA512
1fa9518583680cdefa46464d2bbf12fd2262cee1f502ef6792fc448f2f53ef15633725208a8c24fbe311440035e998c38f47055f612dab3fd85377eca0f74ba0

Download Submit
C:\Windows\{14E4BD38-F531-4c67-B9DC-9DDC6527C7B2}.exe

Filesize
408KB

MD5
bcfc2b8c5cf4964758c1951a539eee84

SHA1
70d844a793d7a5777dc3c65f298a61ef6fb2c633

SHA256
e539420c3c7395c40d5872c2246bc764b8e9a98708beda2d4cc32d25b8ffbe66

SHA512
1fa9518583680cdefa46464d2bbf12fd2262cee1f502ef6792fc448f2f53ef15633725208a8c24fbe311440035e998c38f47055f612dab3fd85377eca0f74ba0

Download Submit
C:\Windows\{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe

Filesize
408KB

MD5
06226135d9bb2a5b3d7f10b9003b445b

SHA1
f48bc27db53cd0bd13dbf185f47c9101e9f4d5ef

SHA256
76a0ee302dc16d538fe6599feda09567c7053155e486ec30a4e06c9f424d6e06

SHA512
e0893994140ffa8cf65e2b373251ca3671cc1c8822233465f755180246e67ae7d61d2a0e7a7d8779d2c40e7b713a0cc08ffd4418502981a01366d9be83862338

Download Submit
C:\Windows\{2685BC3F-0E56-4e7e-AA3F-F6134F5BB014}.exe

Filesize
408KB

MD5
06226135d9bb2a5b3d7f10b9003b445b

SHA1
f48bc27db53cd0bd13dbf185f47c9101e9f4d5ef

SHA256
76a0ee302dc16d538fe6599feda09567c7053155e486ec30a4e06c9f424d6e06

SHA512
e0893994140ffa8cf65e2b373251ca3671cc1c8822233465f755180246e67ae7d61d2a0e7a7d8779d2c40e7b713a0cc08ffd4418502981a01366d9be83862338

Download Submit
C:\Windows\{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe

Filesize
408KB

MD5
8c57d26fae8abd5693b289c96bd7264b

SHA1
826cdedc743a657f494f5ad2aa3d158aa09a0b83

SHA256
a25c9babe94fe606419db164eb7121b66a8ba1ea1c044dc17692505c62fb4d57

SHA512
89be9137024c8b352a60780aa476de134e8a2ee2c9c0d7812c4e609e9b5da5b8ede09b2c9cf0676e73c82b915ea86a4b44ae10f633d2d02925c79d15f8ffcf32

Download Submit
C:\Windows\{2C3B6E0B-26C1-4b77-AADD-77A0312BA2A2}.exe

Filesize
408KB

MD5
8c57d26fae8abd5693b289c96bd7264b

SHA1
826cdedc743a657f494f5ad2aa3d158aa09a0b83

SHA256
a25c9babe94fe606419db164eb7121b66a8ba1ea1c044dc17692505c62fb4d57

SHA512
89be9137024c8b352a60780aa476de134e8a2ee2c9c0d7812c4e609e9b5da5b8ede09b2c9cf0676e73c82b915ea86a4b44ae10f633d2d02925c79d15f8ffcf32

Download Submit
C:\Windows\{8C5F280C-8DEA-4b65-AE51-DF313E8F1F04}.exe

Filesize
408KB

MD5
456a72b7e10809ad1f9615eb5593dee7

SHA1
225645ca5e18c7311f8a370b1b92129efa7c8649

SHA256
8fefcf80c110b2f5abd66aebf1f4f35da8a26cbafaff33ecb85f19408b4cc31b

SHA512
d78c3d1c41d5bf9faded4304f9ee4c605dae73fba7eb5347d017e1ef7f6cb5daafba642913d5c56da511e9ab1b9c3fff7fae5088503fbe045f62fbb6f133c2d7

Download Submit
C:\Windows\{8C5F280C-8DEA-4b65-AE51-DF313E8F1F04}.exe

Filesize
408KB

MD5
456a72b7e10809ad1f9615eb5593dee7

SHA1
225645ca5e18c7311f8a370b1b92129efa7c8649

SHA256
8fefcf80c110b2f5abd66aebf1f4f35da8a26cbafaff33ecb85f19408b4cc31b

SHA512
d78c3d1c41d5bf9faded4304f9ee4c605dae73fba7eb5347d017e1ef7f6cb5daafba642913d5c56da511e9ab1b9c3fff7fae5088503fbe045f62fbb6f133c2d7

Download Submit
C:\Windows\{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe

Filesize
408KB

MD5
b357ef02853714e008edea1be81bb5a8

SHA1
14cea4de0a3aca85815e373c3a0c0908a48d9f60

SHA256
96399ca73719c81fc58ca231196b6a7badad3d84174528c0eaa9a8ae9909fe34

SHA512
e985de6559d3a4938a39eef5315739b53f1fcc29052d595c616ae3eb5797ca870ccc3644008afefe97c2c611002ab39f36e8d70170a7cb34387600d1e244bd20

Download Submit
C:\Windows\{AA9E6817-AFB1-41d7-AF0F-9161195035AA}.exe

Filesize
408KB

MD5
b357ef02853714e008edea1be81bb5a8

SHA1
14cea4de0a3aca85815e373c3a0c0908a48d9f60

SHA256
96399ca73719c81fc58ca231196b6a7badad3d84174528c0eaa9a8ae9909fe34

SHA512
e985de6559d3a4938a39eef5315739b53f1fcc29052d595c616ae3eb5797ca870ccc3644008afefe97c2c611002ab39f36e8d70170a7cb34387600d1e244bd20

Download Submit
C:\Windows\{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe

Filesize
408KB

MD5
f12a06fed6215bba4afbcf8a11a8f19c

SHA1
c4808e3bf723ff01d0aa4768cbdb9e293dc6a853

SHA256
37330339ff5d6f21b72dd8a042994bf338f063a7944f0485e6d818953c1c5e03

SHA512
59ed0f5edd1fca7f7c4549574f51c5f8d19756b3bf6d35ef31adaf61c4954b562892d89e0ccafec536bbf78d89375761d0b61c10d2f5beaf0f5d97364638fca3

Download Submit
C:\Windows\{CDA2F36C-17F9-419c-964E-FADC7CB51C8E}.exe

Filesize
408KB

MD5
f12a06fed6215bba4afbcf8a11a8f19c

SHA1
c4808e3bf723ff01d0aa4768cbdb9e293dc6a853

SHA256
37330339ff5d6f21b72dd8a042994bf338f063a7944f0485e6d818953c1c5e03

SHA512
59ed0f5edd1fca7f7c4549574f51c5f8d19756b3bf6d35ef31adaf61c4954b562892d89e0ccafec536bbf78d89375761d0b61c10d2f5beaf0f5d97364638fca3

Download Submit
C:\Windows\{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe

Filesize
408KB

MD5
d4180366e2b1ee3e780650a89316e260

SHA1
bc28353da10e15b82727a9d7aa40f895cf13c03b

SHA256
c1e27be1d7507839234aae9b44e900d7c883e3ce830931a5857d791a3369465e

SHA512
eead937a28f01c1b00c7c376388a37967aa0b36c4fd6a060722da8d84161817e221f431daa5c38f1b5e4e41cfa28799520b50dde3a9f5fd818450acfe68de5d5

Download Submit
C:\Windows\{DA5AADD5-A259-409e-A71E-9C234E16997E}.exe

Filesize
408KB

MD5
d4180366e2b1ee3e780650a89316e260

SHA1
bc28353da10e15b82727a9d7aa40f895cf13c03b

SHA256
c1e27be1d7507839234aae9b44e900d7c883e3ce830931a5857d791a3369465e

SHA512
eead937a28f01c1b00c7c376388a37967aa0b36c4fd6a060722da8d84161817e221f431daa5c38f1b5e4e41cfa28799520b50dde3a9f5fd818450acfe68de5d5

Download Submit
C:\Windows\{EBBB8A41-2F05-4a3c-A8FE-BF7B30B7C5EB}.exe

Filesize
408KB

MD5
1cb2debdbdb84add85f26ecc2fa809e3

SHA1
b168e162576927e4217ec1b7b36c043d29b74f45

SHA256
03c7fe1cc1758ac6df98dd109193af87769868c0941cde62b380a3c099c29abb

SHA512
2597a65d69f8957d4a63aab1b23e53ba201c5fb994d52b770cd858ff2ac7f731f4adfcd0439d4a639d6e2b3cc5695d8adfacd31fbba0f3fb8ad237758a299ffa

Download Submit
C:\Windows\{EBBB8A41-2F05-4a3c-A8FE-BF7B30B7C5EB}.exe

Filesize
408KB

MD5
1cb2debdbdb84add85f26ecc2fa809e3

SHA1
b168e162576927e4217ec1b7b36c043d29b74f45

SHA256
03c7fe1cc1758ac6df98dd109193af87769868c0941cde62b380a3c099c29abb

SHA512
2597a65d69f8957d4a63aab1b23e53ba201c5fb994d52b770cd858ff2ac7f731f4adfcd0439d4a639d6e2b3cc5695d8adfacd31fbba0f3fb8ad237758a299ffa

Download Submit
C:\Windows\{EF1E6EE5-9C76-4dcc-B023-F862BBA9A21A}.exe

Filesize
408KB

MD5
9462e45acf022a35bfa6c68b20f07ab0

SHA1
e1b375afec14da655895d3afba42a1523778905d

SHA256
9293e89fe676278ec0270f21c607009888b65db87986880a1ffa794d9cdabebc

SHA512
ce5c306b7611db1830b571c8c7d2fe7ca940026f991ed1bc11df85b7150fce1ab0d11dd57d0f0692092857cb704c69ead45f386834936555e4721a31db19448b

Download Submit
C:\Windows\{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe

Filesize
408KB

MD5
6eeb5fd72c3f04e140c089f6c7f4736f

SHA1
d32d16a8ae070d7ab0bf2a1451eea58d84c2692a

SHA256
45ae0c200854200ea5242916cdf5339591d8f7402d0d114111eb19fff08174eb

SHA512
2b49f0d4c637220849861de4c61150a34ebae6295ea94a99f9bc2d3a06137f3f142e6ccb9302ee14ed18df626039f01fa7e479e8e27c0cd792137f38f87bf320

Download Submit
C:\Windows\{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe

Filesize
408KB

MD5
6eeb5fd72c3f04e140c089f6c7f4736f

SHA1
d32d16a8ae070d7ab0bf2a1451eea58d84c2692a

SHA256
45ae0c200854200ea5242916cdf5339591d8f7402d0d114111eb19fff08174eb

SHA512
2b49f0d4c637220849861de4c61150a34ebae6295ea94a99f9bc2d3a06137f3f142e6ccb9302ee14ed18df626039f01fa7e479e8e27c0cd792137f38f87bf320

Download Submit
C:\Windows\{F0F96FA9-57F0-4bf0-AA98-C7ABC912D774}.exe

Filesize
408KB

MD5
6eeb5fd72c3f04e140c089f6c7f4736f

SHA1
d32d16a8ae070d7ab0bf2a1451eea58d84c2692a

SHA256
45ae0c200854200ea5242916cdf5339591d8f7402d0d114111eb19fff08174eb

SHA512
2b49f0d4c637220849861de4c61150a34ebae6295ea94a99f9bc2d3a06137f3f142e6ccb9302ee14ed18df626039f01fa7e479e8e27c0cd792137f38f87bf320

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads