cc635754814853b9e9384506eede4b83919929bc3104a6793f74c6f04401cef1

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26-08-2023 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe
Size

408KB
MD5

a67bae0884cf06d43ea8c9cafb4715e3
SHA1

8e0e4f18feb020117f2597f20fbdd477bcda3fec
SHA256

cc635754814853b9e9384506eede4b83919929bc3104a6793f74c6f04401cef1
SHA512

de06ff599b372b94a2f86e964f1b62901ac457ef2784de9c7e095075cff1935d72517fe6ae348f4e1582c55571277c9d84ad60ffdd59ab997643f046ae55e447
SSDEEP

3072:CEGh0oxl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGXldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEE73E41-8D0C-4bde-859F-74420BC39376}\stubpath = "C:\\Windows\\{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe"	{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5D9F65B-8243-4ceb-865A-8DC4BECA5AC7}	{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58298EE4-F264-40d5-B8DB-23C60AE1FAB7}	{C5D9F65B-8243-4ceb-865A-8DC4BECA5AC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEE73E41-8D0C-4bde-859F-74420BC39376}	{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6522FDC2-77C5-4739-AE86-EECEE769EDC3}	{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}\stubpath = "C:\\Windows\\{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe"	{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5D9F65B-8243-4ceb-865A-8DC4BECA5AC7}\stubpath = "C:\\Windows\\{C5D9F65B-8243-4ceb-865A-8DC4BECA5AC7}.exe"	{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACBBD225-7425-4639-B740-58227D842907}\stubpath = "C:\\Windows\\{ACBBD225-7425-4639-B740-58227D842907}.exe"	{58298EE4-F264-40d5-B8DB-23C60AE1FAB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A04CAA22-C69E-4013-90A4-97FE95DC7EC7}\stubpath = "C:\\Windows\\{A04CAA22-C69E-4013-90A4-97FE95DC7EC7}.exe"	{ACBBD225-7425-4639-B740-58227D842907}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C42BCC1C-2603-435c-916F-1F865B3D2584}	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}	{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}	{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}	{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58298EE4-F264-40d5-B8DB-23C60AE1FAB7}\stubpath = "C:\\Windows\\{58298EE4-F264-40d5-B8DB-23C60AE1FAB7}.exe"	{C5D9F65B-8243-4ceb-865A-8DC4BECA5AC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACBBD225-7425-4639-B740-58227D842907}	{58298EE4-F264-40d5-B8DB-23C60AE1FAB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}	{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}\stubpath = "C:\\Windows\\{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe"	{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6522FDC2-77C5-4739-AE86-EECEE769EDC3}\stubpath = "C:\\Windows\\{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe"	{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}\stubpath = "C:\\Windows\\{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe"	{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}\stubpath = "C:\\Windows\\{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe"	{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A04CAA22-C69E-4013-90A4-97FE95DC7EC7}	{ACBBD225-7425-4639-B740-58227D842907}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C42BCC1C-2603-435c-916F-1F865B3D2584}\stubpath = "C:\\Windows\\{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe"	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe

Deletes itself 1 IoCs

pid	Process
2492	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1168	{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe
2904	{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe
2732	{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe
2868	{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe
2716	{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe
1584	{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe
592	{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe
1964	{C5D9F65B-8243-4ceb-865A-8DC4BECA5AC7}.exe
2980	{58298EE4-F264-40d5-B8DB-23C60AE1FAB7}.exe
2376	{ACBBD225-7425-4639-B740-58227D842907}.exe
2596	{A04CAA22-C69E-4013-90A4-97FE95DC7EC7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe	{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe
File created	C:\Windows\{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe	{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe
File created	C:\Windows\{58298EE4-F264-40d5-B8DB-23C60AE1FAB7}.exe	{C5D9F65B-8243-4ceb-865A-8DC4BECA5AC7}.exe
File created	C:\Windows\{ACBBD225-7425-4639-B740-58227D842907}.exe	{58298EE4-F264-40d5-B8DB-23C60AE1FAB7}.exe
File created	C:\Windows\{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe
File created	C:\Windows\{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe	{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe
File created	C:\Windows\{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe	{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe
File created	C:\Windows\{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe	{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe
File created	C:\Windows\{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe	{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe
File created	C:\Windows\{C5D9F65B-8243-4ceb-865A-8DC4BECA5AC7}.exe	{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe
File created	C:\Windows\{A04CAA22-C69E-4013-90A4-97FE95DC7EC7}.exe	{ACBBD225-7425-4639-B740-58227D842907}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	864	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1168	{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe
Token: SeIncBasePriorityPrivilege	2904	{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe
Token: SeIncBasePriorityPrivilege	2732	{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe
Token: SeIncBasePriorityPrivilege	2868	{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe
Token: SeIncBasePriorityPrivilege	2716	{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe
Token: SeIncBasePriorityPrivilege	1584	{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe
Token: SeIncBasePriorityPrivilege	592	{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe
Token: SeIncBasePriorityPrivilege	1964	{C5D9F65B-8243-4ceb-865A-8DC4BECA5AC7}.exe
Token: SeIncBasePriorityPrivilege	2980	{58298EE4-F264-40d5-B8DB-23C60AE1FAB7}.exe
Token: SeIncBasePriorityPrivilege	2376	{ACBBD225-7425-4639-B740-58227D842907}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1168	864	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe	28
PID 864 wrote to memory of 1168	864	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe	28
PID 864 wrote to memory of 1168	864	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe	28
PID 864 wrote to memory of 1168	864	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe	28
PID 864 wrote to memory of 2492	864	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe	29
PID 864 wrote to memory of 2492	864	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe	29
PID 864 wrote to memory of 2492	864	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe	29
PID 864 wrote to memory of 2492	864	a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe	29
PID 1168 wrote to memory of 2904	1168	{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe	32
PID 1168 wrote to memory of 2904	1168	{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe	32
PID 1168 wrote to memory of 2904	1168	{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe	32
PID 1168 wrote to memory of 2904	1168	{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe	32
PID 1168 wrote to memory of 2296	1168	{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe	33
PID 1168 wrote to memory of 2296	1168	{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe	33
PID 1168 wrote to memory of 2296	1168	{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe	33
PID 1168 wrote to memory of 2296	1168	{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe	33
PID 2904 wrote to memory of 2732	2904	{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe	35
PID 2904 wrote to memory of 2732	2904	{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe	35
PID 2904 wrote to memory of 2732	2904	{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe	35
PID 2904 wrote to memory of 2732	2904	{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe	35
PID 2904 wrote to memory of 2148	2904	{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe	34
PID 2904 wrote to memory of 2148	2904	{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe	34
PID 2904 wrote to memory of 2148	2904	{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe	34
PID 2904 wrote to memory of 2148	2904	{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe	34
PID 2732 wrote to memory of 2868	2732	{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe	37
PID 2732 wrote to memory of 2868	2732	{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe	37
PID 2732 wrote to memory of 2868	2732	{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe	37
PID 2732 wrote to memory of 2868	2732	{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe	37
PID 2732 wrote to memory of 2752	2732	{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe	36
PID 2732 wrote to memory of 2752	2732	{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe	36
PID 2732 wrote to memory of 2752	2732	{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe	36
PID 2732 wrote to memory of 2752	2732	{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe	36
PID 2868 wrote to memory of 2716	2868	{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe	39
PID 2868 wrote to memory of 2716	2868	{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe	39
PID 2868 wrote to memory of 2716	2868	{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe	39
PID 2868 wrote to memory of 2716	2868	{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe	39
PID 2868 wrote to memory of 2820	2868	{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe	38
PID 2868 wrote to memory of 2820	2868	{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe	38
PID 2868 wrote to memory of 2820	2868	{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe	38
PID 2868 wrote to memory of 2820	2868	{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe	38
PID 2716 wrote to memory of 1584	2716	{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe	40
PID 2716 wrote to memory of 1584	2716	{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe	40
PID 2716 wrote to memory of 1584	2716	{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe	40
PID 2716 wrote to memory of 1584	2716	{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe	40
PID 2716 wrote to memory of 2444	2716	{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe	41
PID 2716 wrote to memory of 2444	2716	{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe	41
PID 2716 wrote to memory of 2444	2716	{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe	41
PID 2716 wrote to memory of 2444	2716	{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe	41
PID 1584 wrote to memory of 592	1584	{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe	43
PID 1584 wrote to memory of 592	1584	{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe	43
PID 1584 wrote to memory of 592	1584	{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe	43
PID 1584 wrote to memory of 592	1584	{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe	43
PID 1584 wrote to memory of 1640	1584	{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe	42
PID 1584 wrote to memory of 1640	1584	{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe	42
PID 1584 wrote to memory of 1640	1584	{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe	42
PID 1584 wrote to memory of 1640	1584	{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe	42
PID 592 wrote to memory of 1964	592	{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe	45
PID 592 wrote to memory of 1964	592	{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe	45
PID 592 wrote to memory of 1964	592	{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe	45
PID 592 wrote to memory of 1964	592	{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe	45
PID 592 wrote to memory of 988	592	{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe	44
PID 592 wrote to memory of 988	592	{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe	44
PID 592 wrote to memory of 988	592	{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe	44
PID 592 wrote to memory of 988	592	{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe	44

C:\Users\Admin\AppData\Local\Temp\a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a67bae0884cf06d43ea8c9cafb4715e3_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe
  C:\Windows\{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe
    C:\Windows\{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E32CE~1.EXE > nul
      4⤵
      PID:2148
  - - C:\Windows\{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe
      C:\Windows\{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6522F~1.EXE > nul
        5⤵
        
        PID:2752
    - - C:\Windows\{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe
        
        C:\Windows\{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C76D0~1.EXE > nul
        6⤵
        
        PID:2820
      - C:\Windows\{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe
        
        C:\Windows\{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe
        
        C:\Windows\{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D881B~1.EXE > nul
        8⤵
        
        PID:1640
        
        C:\Windows\{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe
        
        C:\Windows\{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEE73~1.EXE > nul
        9⤵
        
        PID:988
        
        C:\Windows\{C5D9F65B-8243-4ceb-865A-8DC4BECA5AC7}.exe
        
        C:\Windows\{C5D9F65B-8243-4ceb-865A-8DC4BECA5AC7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\{58298EE4-F264-40d5-B8DB-23C60AE1FAB7}.exe
        
        C:\Windows\{58298EE4-F264-40d5-B8DB-23C60AE1FAB7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58298~1.EXE > nul
        11⤵
        
        PID:2360
        
        C:\Windows\{ACBBD225-7425-4639-B740-58227D842907}.exe
        
        C:\Windows\{ACBBD225-7425-4639-B740-58227D842907}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\{A04CAA22-C69E-4013-90A4-97FE95DC7EC7}.exe
        
        C:\Windows\{A04CAA22-C69E-4013-90A4-97FE95DC7EC7}.exe
        12⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACBBD~1.EXE > nul
        12⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5D9F~1.EXE > nul
        10⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F15A~1.EXE > nul
        7⤵
        
        PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C42BC~1.EXE > nul
    3⤵
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A67BAE~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{58298EE4-F264-40d5-B8DB-23C60AE1FAB7}.exe

Filesize
408KB

MD5
f068156bcddf6512c5b9d641c771a92b

SHA1
3cd3da788ac036e104d01b705f2c5e79104e84c6

SHA256
bd8f6bc11d20cfbd1867bcbe838697ab858146b8f94cf5c1fb1d0e8d7ec8a749

SHA512
c3d04eb026e929037fc084eeac7424cde9eb06b5a07363a0afcaba2db9bb39e7b533784d86d8ea67050781d8abe8d5ef21523564994088c7a7b80c0492cb74d2

Download Submit
C:\Windows\{58298EE4-F264-40d5-B8DB-23C60AE1FAB7}.exe

Filesize
408KB

MD5
f068156bcddf6512c5b9d641c771a92b

SHA1
3cd3da788ac036e104d01b705f2c5e79104e84c6

SHA256
bd8f6bc11d20cfbd1867bcbe838697ab858146b8f94cf5c1fb1d0e8d7ec8a749

SHA512
c3d04eb026e929037fc084eeac7424cde9eb06b5a07363a0afcaba2db9bb39e7b533784d86d8ea67050781d8abe8d5ef21523564994088c7a7b80c0492cb74d2

Download Submit
C:\Windows\{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe

Filesize
408KB

MD5
fef039b6522d6567b98207f01ebc0c44

SHA1
2be3e56dd958b3119cc61b14747883c1a0544508

SHA256
1082a5406be124b3839a12e18c98d281a3242307940e04f21cd6b1eb3da59b18

SHA512
308378aa76616922d942c7afb1a90519c7b30d4317f5c303900f3354d90b126e7e27567a6f18463bb1397431b799144fd3f7830cc4b4e672af418ecc44d64084

Download Submit
C:\Windows\{6522FDC2-77C5-4739-AE86-EECEE769EDC3}.exe

Filesize
408KB

MD5
fef039b6522d6567b98207f01ebc0c44

SHA1
2be3e56dd958b3119cc61b14747883c1a0544508

SHA256
1082a5406be124b3839a12e18c98d281a3242307940e04f21cd6b1eb3da59b18

SHA512
308378aa76616922d942c7afb1a90519c7b30d4317f5c303900f3354d90b126e7e27567a6f18463bb1397431b799144fd3f7830cc4b4e672af418ecc44d64084

Download Submit
C:\Windows\{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe

Filesize
408KB

MD5
fb49db463cf816aac87e0b34a0f0a276

SHA1
b4e367f764415ceedb84945e26ca01f2e777398a

SHA256
5d04e077951197d0e43753f76c119166e172fa492b22c09d2e8b5444d027206f

SHA512
29abcde6a215333db5418b5039f2869a37559b5353ae972f6b0b787f07e7e8f745acb96a90f62a37a0140eb984e298fbbecd7ffdbc5af68517d78a2c0e9d9c25

Download Submit
C:\Windows\{6F15AE0C-AF9C-4993-B30D-75097B0BCF47}.exe

Filesize
408KB

MD5
fb49db463cf816aac87e0b34a0f0a276

SHA1
b4e367f764415ceedb84945e26ca01f2e777398a

SHA256
5d04e077951197d0e43753f76c119166e172fa492b22c09d2e8b5444d027206f

SHA512
29abcde6a215333db5418b5039f2869a37559b5353ae972f6b0b787f07e7e8f745acb96a90f62a37a0140eb984e298fbbecd7ffdbc5af68517d78a2c0e9d9c25

Download Submit
C:\Windows\{A04CAA22-C69E-4013-90A4-97FE95DC7EC7}.exe

Filesize
408KB

MD5
2ac4157743872dc4361ffa7e0d9d8e1c

SHA1
2ecdbd671d2b794926ea18b5f3d00d22937e12d2

SHA256
a5773c8060aca4a64fb094477a654f225287c9366f3e55d396ac0ffd0b3b99f6

SHA512
9ef33cf22966ad2a8d61855d3649e335bfb0ae5ce95611c9532bb78b2dece8686fa0c5d124968a5abec4125855d06c2d00f5e4787f9dc74b44565e2bf1e12ecb

Download Submit
C:\Windows\{ACBBD225-7425-4639-B740-58227D842907}.exe

Filesize
408KB

MD5
1f47f2e86ecf2c7daef3d643b0dd234f

SHA1
056dbc4d009c2048e22c370fbda72746b5bcc6e2

SHA256
e5b87bd24f666582e7a5bb488b01b052b96a8999b328bc858fc18e385186754b

SHA512
f0a667dcb3a2fff5f71c7e2c2c4aeb0cb413a33e6937cb9db5536ba9f494b2c8543b4cfdad5466cd47ea2176d9398f5a8fa8e490e0d609762f1091345a3e6033

Download Submit
C:\Windows\{ACBBD225-7425-4639-B740-58227D842907}.exe

Filesize
408KB

MD5
1f47f2e86ecf2c7daef3d643b0dd234f

SHA1
056dbc4d009c2048e22c370fbda72746b5bcc6e2

SHA256
e5b87bd24f666582e7a5bb488b01b052b96a8999b328bc858fc18e385186754b

SHA512
f0a667dcb3a2fff5f71c7e2c2c4aeb0cb413a33e6937cb9db5536ba9f494b2c8543b4cfdad5466cd47ea2176d9398f5a8fa8e490e0d609762f1091345a3e6033

Download Submit
C:\Windows\{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe

Filesize
408KB

MD5
2d742ae8a9f5d3daceb11039f946cba7

SHA1
b07ec85d43e4e745b914e08bc3164db27a0ad437

SHA256
8b683183e7a2969763ad48870500ae785747f7a94d29a0c9aa5f554a74058fc9

SHA512
bb59bd9d42e50949b346cc5d8cfbcb16e110e0420c6357804da836d10803b96219927559d9a889570ac3a394fe10eaf26f2df14a40d45545168fd22bce6a6435

Download Submit
C:\Windows\{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe

Filesize
408KB

MD5
2d742ae8a9f5d3daceb11039f946cba7

SHA1
b07ec85d43e4e745b914e08bc3164db27a0ad437

SHA256
8b683183e7a2969763ad48870500ae785747f7a94d29a0c9aa5f554a74058fc9

SHA512
bb59bd9d42e50949b346cc5d8cfbcb16e110e0420c6357804da836d10803b96219927559d9a889570ac3a394fe10eaf26f2df14a40d45545168fd22bce6a6435

Download Submit
C:\Windows\{C42BCC1C-2603-435c-916F-1F865B3D2584}.exe

Filesize
408KB

MD5
2d742ae8a9f5d3daceb11039f946cba7

SHA1
b07ec85d43e4e745b914e08bc3164db27a0ad437

SHA256
8b683183e7a2969763ad48870500ae785747f7a94d29a0c9aa5f554a74058fc9

SHA512
bb59bd9d42e50949b346cc5d8cfbcb16e110e0420c6357804da836d10803b96219927559d9a889570ac3a394fe10eaf26f2df14a40d45545168fd22bce6a6435

Download Submit
C:\Windows\{C5D9F65B-8243-4ceb-865A-8DC4BECA5AC7}.exe

Filesize
408KB

MD5
649a4f70099094951aa3649eb9319855

SHA1
7cbb525361fae3e13ebf4ff6c5478aca66c883b4

SHA256
5eb93a9bb91a708894085fbfd4988cae198a2c070d11f790adfe37f6e3e65a49

SHA512
f466d8ad595beae73217508612e4a9fbcdd9228262ee8e8c44b1896e476a70df765bde40a80e7f497ae347412d7b48a95530ff3b858898c7e640f6f20d165040

Download Submit
C:\Windows\{C5D9F65B-8243-4ceb-865A-8DC4BECA5AC7}.exe

Filesize
408KB

MD5
649a4f70099094951aa3649eb9319855

SHA1
7cbb525361fae3e13ebf4ff6c5478aca66c883b4

SHA256
5eb93a9bb91a708894085fbfd4988cae198a2c070d11f790adfe37f6e3e65a49

SHA512
f466d8ad595beae73217508612e4a9fbcdd9228262ee8e8c44b1896e476a70df765bde40a80e7f497ae347412d7b48a95530ff3b858898c7e640f6f20d165040

Download Submit
C:\Windows\{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe

Filesize
408KB

MD5
3ec2580c9e031bbc7d5343f1eaf1c0fb

SHA1
246ec3c64fa3452f3656dba43b51c8a4317d5884

SHA256
b2af92b9c3b97a2df2ec94c483278ff1badfcdc44d6dcb3320c3cbaa707422c5

SHA512
fcc33f0b46e1da1805a696922be100808230d3984fe6bacbb711479f748acb2bc682b897921e68a2e8fe6fa082c857912409b0561e7980f0ebda86ecab0015cc

Download Submit
C:\Windows\{C76D0D73-B1ED-4b40-ADEA-52E9F6B2BC3F}.exe

Filesize
408KB

MD5
3ec2580c9e031bbc7d5343f1eaf1c0fb

SHA1
246ec3c64fa3452f3656dba43b51c8a4317d5884

SHA256
b2af92b9c3b97a2df2ec94c483278ff1badfcdc44d6dcb3320c3cbaa707422c5

SHA512
fcc33f0b46e1da1805a696922be100808230d3984fe6bacbb711479f748acb2bc682b897921e68a2e8fe6fa082c857912409b0561e7980f0ebda86ecab0015cc

Download Submit
C:\Windows\{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe

Filesize
408KB

MD5
f71ccd0804e3789ec25e7b642d54b2ec

SHA1
048ddb7ef29fe4e456250881518e9e76ff452cbd

SHA256
0758327c2add0dba75a7f951eebc03b7697e33c34e9d2b693c7563eba8e7b12c

SHA512
6a277a2b4948082759044489857d38a421fc9008b5225136f8cc62a0852e008b3abc439cd720728c4ff2b5537e019096c2f7330bf241498a2bd1eba21e300d3e

Download Submit
C:\Windows\{D881BE23-A52E-41aa-9AD8-1A42DC477D0B}.exe

Filesize
408KB

MD5
f71ccd0804e3789ec25e7b642d54b2ec

SHA1
048ddb7ef29fe4e456250881518e9e76ff452cbd

SHA256
0758327c2add0dba75a7f951eebc03b7697e33c34e9d2b693c7563eba8e7b12c

SHA512
6a277a2b4948082759044489857d38a421fc9008b5225136f8cc62a0852e008b3abc439cd720728c4ff2b5537e019096c2f7330bf241498a2bd1eba21e300d3e

Download Submit
C:\Windows\{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe

Filesize
408KB

MD5
d9ca6bd9aee499f357f06bab94c31b3f

SHA1
9ac8f0dccd10944f6288bbc4d07c2580ab56e294

SHA256
c841200c808b48de45997d7e1e35fcc78d290e83abc10b412aa916a892d7a5bc

SHA512
ae3b90eb0282035965747aad1297e6533f143c473c69c606c10c8a6671d7c0b9fc50c9fa46830ff761e03ffa29525ad255ce76ea25aba627e8873dcc8a56d299

Download Submit
C:\Windows\{E32CE1E5-F79E-4362-AAF0-8AF042FBD4A8}.exe

Filesize
408KB

MD5
d9ca6bd9aee499f357f06bab94c31b3f

SHA1
9ac8f0dccd10944f6288bbc4d07c2580ab56e294

SHA256
c841200c808b48de45997d7e1e35fcc78d290e83abc10b412aa916a892d7a5bc

SHA512
ae3b90eb0282035965747aad1297e6533f143c473c69c606c10c8a6671d7c0b9fc50c9fa46830ff761e03ffa29525ad255ce76ea25aba627e8873dcc8a56d299

Download Submit
C:\Windows\{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe

Filesize
408KB

MD5
0136ae38edf4f1873b5daa969cf1bac5

SHA1
c3a356a7e40fab0c86e43a73064d1e539da08840

SHA256
7d53b4462a092417c6b0b9ab6906b31ade0bb5664d0118b3a0f0751ac432843f

SHA512
db8f0e7319e2dae9ecd0e61bba481ac864c3c88a81f8f4cfc293aad641b09505351ca5464020339301ed13df8ea96ebc5fbc7f131aa7132e9930cddceaa6881f

Download Submit
C:\Windows\{EEE73E41-8D0C-4bde-859F-74420BC39376}.exe

Filesize
408KB

MD5
0136ae38edf4f1873b5daa969cf1bac5

SHA1
c3a356a7e40fab0c86e43a73064d1e539da08840

SHA256
7d53b4462a092417c6b0b9ab6906b31ade0bb5664d0118b3a0f0751ac432843f

SHA512
db8f0e7319e2dae9ecd0e61bba481ac864c3c88a81f8f4cfc293aad641b09505351ca5464020339301ed13df8ea96ebc5fbc7f131aa7132e9930cddceaa6881f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads