45b8d42535eecdc7c9a56ee1278c0d99a67fe9ec793d3387e37c79d7f296921c

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27/08/2023, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad5e72c752bd82c6ac41f121f8be97ca_goldeneye_JC.exe
Size

408KB
MD5

ad5e72c752bd82c6ac41f121f8be97ca
SHA1

efb994deb0ffdc9ce406ecd442f860a9d74fddd5
SHA256

45b8d42535eecdc7c9a56ee1278c0d99a67fe9ec793d3387e37c79d7f296921c
SHA512

22d5c061b77ef9e477f15a8969261c0dfef8fe493cd925e6fbbba826c6a0c537b98ed1f51dda0647cf85bc2e9d78ee0eaa3df7e514defaed4ab1771d6859b208
SSDEEP

3072:CEGh0opl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGjldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}\stubpath = "C:\\Windows\\{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe"	{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67260893-7C77-4769-AAAB-DFC86BAD4B27}\stubpath = "C:\\Windows\\{67260893-7C77-4769-AAAB-DFC86BAD4B27}.exe"	{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CF047C9-77A2-4f82-BCE7-51687F0656F8}\stubpath = "C:\\Windows\\{1CF047C9-77A2-4f82-BCE7-51687F0656F8}.exe"	{635531EA-2469-40e5-B745-A71AB0A8D0D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00613B22-B37B-4f20-9160-2B60334DBD61}\stubpath = "C:\\Windows\\{00613B22-B37B-4f20-9160-2B60334DBD61}.exe"	{1CF047C9-77A2-4f82-BCE7-51687F0656F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}\stubpath = "C:\\Windows\\{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe"	{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1265E83A-0293-49a8-8A67-3D1C16BA2741}	{34678611-C74C-452b-9FBB-7A698BFDA237}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{522156A7-4E49-43f7-9E87-96E157EEBEA9}	{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}	{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{635531EA-2469-40e5-B745-A71AB0A8D0D7}	{67260893-7C77-4769-AAAB-DFC86BAD4B27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}	{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}	{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{522156A7-4E49-43f7-9E87-96E157EEBEA9}\stubpath = "C:\\Windows\\{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe"	{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1265E83A-0293-49a8-8A67-3D1C16BA2741}\stubpath = "C:\\Windows\\{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe"	{34678611-C74C-452b-9FBB-7A698BFDA237}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}\stubpath = "C:\\Windows\\{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe"	{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{635531EA-2469-40e5-B745-A71AB0A8D0D7}\stubpath = "C:\\Windows\\{635531EA-2469-40e5-B745-A71AB0A8D0D7}.exe"	{67260893-7C77-4769-AAAB-DFC86BAD4B27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00613B22-B37B-4f20-9160-2B60334DBD61}	{1CF047C9-77A2-4f82-BCE7-51687F0656F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}	ad5e72c752bd82c6ac41f121f8be97ca_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}\stubpath = "C:\\Windows\\{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe"	ad5e72c752bd82c6ac41f121f8be97ca_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34678611-C74C-452b-9FBB-7A698BFDA237}	{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34678611-C74C-452b-9FBB-7A698BFDA237}\stubpath = "C:\\Windows\\{34678611-C74C-452b-9FBB-7A698BFDA237}.exe"	{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67260893-7C77-4769-AAAB-DFC86BAD4B27}	{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CF047C9-77A2-4f82-BCE7-51687F0656F8}	{635531EA-2469-40e5-B745-A71AB0A8D0D7}.exe

Deletes itself 1 IoCs

pid	Process
2468	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1508	{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe
3068	{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe
2928	{34678611-C74C-452b-9FBB-7A698BFDA237}.exe
3052	{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe
2416	{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe
2296	{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe
2732	{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe
2460	{67260893-7C77-4769-AAAB-DFC86BAD4B27}.exe
1996	{635531EA-2469-40e5-B745-A71AB0A8D0D7}.exe
1932	{1CF047C9-77A2-4f82-BCE7-51687F0656F8}.exe
1628	{00613B22-B37B-4f20-9160-2B60334DBD61}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe	{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe
File created	C:\Windows\{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe	{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe
File created	C:\Windows\{635531EA-2469-40e5-B745-A71AB0A8D0D7}.exe	{67260893-7C77-4769-AAAB-DFC86BAD4B27}.exe
File created	C:\Windows\{00613B22-B37B-4f20-9160-2B60334DBD61}.exe	{1CF047C9-77A2-4f82-BCE7-51687F0656F8}.exe
File created	C:\Windows\{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe	ad5e72c752bd82c6ac41f121f8be97ca_goldeneye_JC.exe
File created	C:\Windows\{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe	{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe
File created	C:\Windows\{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe	{34678611-C74C-452b-9FBB-7A698BFDA237}.exe
File created	C:\Windows\{67260893-7C77-4769-AAAB-DFC86BAD4B27}.exe	{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe
File created	C:\Windows\{1CF047C9-77A2-4f82-BCE7-51687F0656F8}.exe	{635531EA-2469-40e5-B745-A71AB0A8D0D7}.exe
File created	C:\Windows\{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe	{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe
File created	C:\Windows\{34678611-C74C-452b-9FBB-7A698BFDA237}.exe	{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1080	ad5e72c752bd82c6ac41f121f8be97ca_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1508	{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe
Token: SeIncBasePriorityPrivilege	3068	{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe
Token: SeIncBasePriorityPrivilege	2928	{34678611-C74C-452b-9FBB-7A698BFDA237}.exe
Token: SeIncBasePriorityPrivilege	3052	{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe
Token: SeIncBasePriorityPrivilege	2416	{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe
Token: SeIncBasePriorityPrivilege	2296	{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe
Token: SeIncBasePriorityPrivilege	2732	{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe
Token: SeIncBasePriorityPrivilege	2460	{67260893-7C77-4769-AAAB-DFC86BAD4B27}.exe
Token: SeIncBasePriorityPrivilege	1996	{635531EA-2469-40e5-B745-A71AB0A8D0D7}.exe
Token: SeIncBasePriorityPrivilege	1932	{1CF047C9-77A2-4f82-BCE7-51687F0656F8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1508	1080	ad5e72c752bd82c6ac41f121f8be97ca_goldeneye_JC.exe	28
PID 1080 wrote to memory of 1508	1080	ad5e72c752bd82c6ac41f121f8be97ca_goldeneye_JC.exe	28
PID 1080 wrote to memory of 1508	1080	ad5e72c752bd82c6ac41f121f8be97ca_goldeneye_JC.exe	28
PID 1080 wrote to memory of 1508	1080	ad5e72c752bd82c6ac41f121f8be97ca_goldeneye_JC.exe	28
PID 1080 wrote to memory of 2468	1080	ad5e72c752bd82c6ac41f121f8be97ca_goldeneye_JC.exe	29
PID 1080 wrote to memory of 2468	1080	ad5e72c752bd82c6ac41f121f8be97ca_goldeneye_JC.exe	29
PID 1080 wrote to memory of 2468	1080	ad5e72c752bd82c6ac41f121f8be97ca_goldeneye_JC.exe	29
PID 1080 wrote to memory of 2468	1080	ad5e72c752bd82c6ac41f121f8be97ca_goldeneye_JC.exe	29
PID 1508 wrote to memory of 3068	1508	{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe	32
PID 1508 wrote to memory of 3068	1508	{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe	32
PID 1508 wrote to memory of 3068	1508	{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe	32
PID 1508 wrote to memory of 3068	1508	{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe	32
PID 1508 wrote to memory of 2444	1508	{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe	33
PID 1508 wrote to memory of 2444	1508	{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe	33
PID 1508 wrote to memory of 2444	1508	{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe	33
PID 1508 wrote to memory of 2444	1508	{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe	33
PID 3068 wrote to memory of 2928	3068	{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe	35
PID 3068 wrote to memory of 2928	3068	{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe	35
PID 3068 wrote to memory of 2928	3068	{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe	35
PID 3068 wrote to memory of 2928	3068	{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe	35
PID 3068 wrote to memory of 2976	3068	{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe	34
PID 3068 wrote to memory of 2976	3068	{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe	34
PID 3068 wrote to memory of 2976	3068	{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe	34
PID 3068 wrote to memory of 2976	3068	{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe	34
PID 2928 wrote to memory of 3052	2928	{34678611-C74C-452b-9FBB-7A698BFDA237}.exe	36
PID 2928 wrote to memory of 3052	2928	{34678611-C74C-452b-9FBB-7A698BFDA237}.exe	36
PID 2928 wrote to memory of 3052	2928	{34678611-C74C-452b-9FBB-7A698BFDA237}.exe	36
PID 2928 wrote to memory of 3052	2928	{34678611-C74C-452b-9FBB-7A698BFDA237}.exe	36
PID 2928 wrote to memory of 2992	2928	{34678611-C74C-452b-9FBB-7A698BFDA237}.exe	37
PID 2928 wrote to memory of 2992	2928	{34678611-C74C-452b-9FBB-7A698BFDA237}.exe	37
PID 2928 wrote to memory of 2992	2928	{34678611-C74C-452b-9FBB-7A698BFDA237}.exe	37
PID 2928 wrote to memory of 2992	2928	{34678611-C74C-452b-9FBB-7A698BFDA237}.exe	37
PID 3052 wrote to memory of 2416	3052	{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe	38
PID 3052 wrote to memory of 2416	3052	{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe	38
PID 3052 wrote to memory of 2416	3052	{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe	38
PID 3052 wrote to memory of 2416	3052	{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe	38
PID 3052 wrote to memory of 2872	3052	{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe	39
PID 3052 wrote to memory of 2872	3052	{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe	39
PID 3052 wrote to memory of 2872	3052	{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe	39
PID 3052 wrote to memory of 2872	3052	{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe	39
PID 2416 wrote to memory of 2296	2416	{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe	41
PID 2416 wrote to memory of 2296	2416	{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe	41
PID 2416 wrote to memory of 2296	2416	{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe	41
PID 2416 wrote to memory of 2296	2416	{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe	41
PID 2416 wrote to memory of 2428	2416	{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe	40
PID 2416 wrote to memory of 2428	2416	{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe	40
PID 2416 wrote to memory of 2428	2416	{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe	40
PID 2416 wrote to memory of 2428	2416	{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe	40
PID 2296 wrote to memory of 2732	2296	{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe	42
PID 2296 wrote to memory of 2732	2296	{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe	42
PID 2296 wrote to memory of 2732	2296	{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe	42
PID 2296 wrote to memory of 2732	2296	{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe	42
PID 2296 wrote to memory of 2832	2296	{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe	43
PID 2296 wrote to memory of 2832	2296	{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe	43
PID 2296 wrote to memory of 2832	2296	{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe	43
PID 2296 wrote to memory of 2832	2296	{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe	43
PID 2732 wrote to memory of 2460	2732	{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe	44
PID 2732 wrote to memory of 2460	2732	{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe	44
PID 2732 wrote to memory of 2460	2732	{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe	44
PID 2732 wrote to memory of 2460	2732	{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe	44
PID 2732 wrote to memory of 320	2732	{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe	45
PID 2732 wrote to memory of 320	2732	{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe	45
PID 2732 wrote to memory of 320	2732	{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe	45
PID 2732 wrote to memory of 320	2732	{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe	45

C:\Users\Admin\AppData\Local\Temp\ad5e72c752bd82c6ac41f121f8be97ca_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\ad5e72c752bd82c6ac41f121f8be97ca_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe
  C:\Windows\{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe
    C:\Windows\{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7A020~1.EXE > nul
      4⤵
      PID:2976
  - - C:\Windows\{34678611-C74C-452b-9FBB-7A698BFDA237}.exe
      C:\Windows\{34678611-C74C-452b-9FBB-7A698BFDA237}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe
        
        C:\Windows\{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe
        
        C:\Windows\{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B1D6~1.EXE > nul
        7⤵
        
        PID:2428
        
        C:\Windows\{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe
        
        C:\Windows\{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe
        
        C:\Windows\{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{67260893-7C77-4769-AAAB-DFC86BAD4B27}.exe
        
        C:\Windows\{67260893-7C77-4769-AAAB-DFC86BAD4B27}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\{635531EA-2469-40e5-B745-A71AB0A8D0D7}.exe
        
        C:\Windows\{635531EA-2469-40e5-B745-A71AB0A8D0D7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\{1CF047C9-77A2-4f82-BCE7-51687F0656F8}.exe
        
        C:\Windows\{1CF047C9-77A2-4f82-BCE7-51687F0656F8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\{00613B22-B37B-4f20-9160-2B60334DBD61}.exe
        
        C:\Windows\{00613B22-B37B-4f20-9160-2B60334DBD61}.exe
        12⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CF04~1.EXE > nul
        12⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63553~1.EXE > nul
        11⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67260~1.EXE > nul
        10⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9EDE~1.EXE > nul
        9⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52215~1.EXE > nul
        8⤵
        
        PID:2832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1265E~1.EXE > nul
        6⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34678~1.EXE > nul
        5⤵
        
        PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3039C~1.EXE > nul
    3⤵
    PID:2444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AD5E72~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00613B22-B37B-4f20-9160-2B60334DBD61}.exe

Filesize
408KB

MD5
f9fb20bfb85b65e2be9fd91be6510e26

SHA1
e75ce3f7514b73ebbecfc30b88a46a7867ad13cd

SHA256
ba5f08a62624a2883bb66d84c7d0b10997a6c064a0e5f7204c9470ed746fc382

SHA512
98c8f814af11075ffcfe425c362ddf004a71f3de7643273cab0a972f29ac2afff55c55abd9834b5e7efeca5ffd8f53b0a2ff6a978eb875e133513ba8ecf67326

Download Submit
C:\Windows\{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe

Filesize
408KB

MD5
c23eb9db75ac02e56ab047bc6e77cc59

SHA1
caa75baf484fd9a398556d2b4a930e341b09ff60

SHA256
344aabb735fbfbebcef0cfdb5c5e451414caef71ca267555432e16aec18c0cac

SHA512
31aee3c2adb3851ffd90d4fdbab4a75de1c3b2c21e78cce16f56f7f01c9e2543335691eb913330050a714f70941d09a08470a1f9a702706a44e4fa66e557d39c

Download Submit
C:\Windows\{1265E83A-0293-49a8-8A67-3D1C16BA2741}.exe

Filesize
408KB

MD5
c23eb9db75ac02e56ab047bc6e77cc59

SHA1
caa75baf484fd9a398556d2b4a930e341b09ff60

SHA256
344aabb735fbfbebcef0cfdb5c5e451414caef71ca267555432e16aec18c0cac

SHA512
31aee3c2adb3851ffd90d4fdbab4a75de1c3b2c21e78cce16f56f7f01c9e2543335691eb913330050a714f70941d09a08470a1f9a702706a44e4fa66e557d39c

Download Submit
C:\Windows\{1CF047C9-77A2-4f82-BCE7-51687F0656F8}.exe

Filesize
408KB

MD5
cbd6fd664c32838690aa5a887e34551a

SHA1
210a78b35b7021ba17817da2c236dcadf6fd4773

SHA256
06f9102bb80b2e425dbb60748bc4501b3b0f2fa8b0230c9ef16c2f2626c2fd5e

SHA512
9806bb06c9d423c5e69a0dd78f03cbb94bf679f60dd1b449f6e1f99b989ce93a9cd2757e685894d41308b9beb0fbc0330cd072510070ca67793f02af9286ad40

Download Submit
C:\Windows\{1CF047C9-77A2-4f82-BCE7-51687F0656F8}.exe

Filesize
408KB

MD5
cbd6fd664c32838690aa5a887e34551a

SHA1
210a78b35b7021ba17817da2c236dcadf6fd4773

SHA256
06f9102bb80b2e425dbb60748bc4501b3b0f2fa8b0230c9ef16c2f2626c2fd5e

SHA512
9806bb06c9d423c5e69a0dd78f03cbb94bf679f60dd1b449f6e1f99b989ce93a9cd2757e685894d41308b9beb0fbc0330cd072510070ca67793f02af9286ad40

Download Submit
C:\Windows\{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe

Filesize
408KB

MD5
84fde2e3f70ee398e4da5cffe62d3162

SHA1
8ef515ca2ad52bd2cfa37585196fb49c94219f6f

SHA256
3b75bcb01d5a552bfb8236fabecb1bac85d453e986c81c03e8e6b7f0bbd13b54

SHA512
043dcfc90d0e16e4925cb4292084d7e653c50b13b8af6331ee6b88db82e16793bac6786c1af6a7423c14dab70ef4313e792e216b9dda657963364625c3d426b3

Download Submit
C:\Windows\{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe

Filesize
408KB

MD5
84fde2e3f70ee398e4da5cffe62d3162

SHA1
8ef515ca2ad52bd2cfa37585196fb49c94219f6f

SHA256
3b75bcb01d5a552bfb8236fabecb1bac85d453e986c81c03e8e6b7f0bbd13b54

SHA512
043dcfc90d0e16e4925cb4292084d7e653c50b13b8af6331ee6b88db82e16793bac6786c1af6a7423c14dab70ef4313e792e216b9dda657963364625c3d426b3

Download Submit
C:\Windows\{3039C7F1-C3A4-42d7-90F5-FFCE7D7B3910}.exe

Filesize
408KB

MD5
84fde2e3f70ee398e4da5cffe62d3162

SHA1
8ef515ca2ad52bd2cfa37585196fb49c94219f6f

SHA256
3b75bcb01d5a552bfb8236fabecb1bac85d453e986c81c03e8e6b7f0bbd13b54

SHA512
043dcfc90d0e16e4925cb4292084d7e653c50b13b8af6331ee6b88db82e16793bac6786c1af6a7423c14dab70ef4313e792e216b9dda657963364625c3d426b3

Download Submit
C:\Windows\{34678611-C74C-452b-9FBB-7A698BFDA237}.exe

Filesize
408KB

MD5
7c9e804e9fb9448ac8674003d608b94f

SHA1
03fdcf26cf9305896cb21d95e438d8bf6ced8648

SHA256
e2c873ee14290d1543662b4dbec1ee1f798c2804d2a93e573eeaefd2e79831f4

SHA512
10da609cf1d875d775c4c6555318f4f8b4338a58a44cfcdf2e7232ea425997b83d42252fc213921f3b9690148385e0aa54a08434aeca88266f235e428570fb4f

Download Submit
C:\Windows\{34678611-C74C-452b-9FBB-7A698BFDA237}.exe

Filesize
408KB

MD5
7c9e804e9fb9448ac8674003d608b94f

SHA1
03fdcf26cf9305896cb21d95e438d8bf6ced8648

SHA256
e2c873ee14290d1543662b4dbec1ee1f798c2804d2a93e573eeaefd2e79831f4

SHA512
10da609cf1d875d775c4c6555318f4f8b4338a58a44cfcdf2e7232ea425997b83d42252fc213921f3b9690148385e0aa54a08434aeca88266f235e428570fb4f

Download Submit
C:\Windows\{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe

Filesize
408KB

MD5
c8d5b7cf7bfa5ff28cd203aad62eafd1

SHA1
1b36d9b84837bc0f9cdf1f2fa171568de49f2c36

SHA256
86b34ffe8fee289ceb54f832b14c01dcd3d781e1e60e38a8a83087975c8dde54

SHA512
a01867ce8897faf083d60100d47ceec2164822188a1c22d9f8138ab0af8b6462da3b1e454eb166e5d3f02571a802bcdc937de77f36a677d1be7009c1ce8c8559

Download Submit
C:\Windows\{4B1D6B97-6D43-47e6-AE7C-6C19FCBA7EF3}.exe

Filesize
408KB

MD5
c8d5b7cf7bfa5ff28cd203aad62eafd1

SHA1
1b36d9b84837bc0f9cdf1f2fa171568de49f2c36

SHA256
86b34ffe8fee289ceb54f832b14c01dcd3d781e1e60e38a8a83087975c8dde54

SHA512
a01867ce8897faf083d60100d47ceec2164822188a1c22d9f8138ab0af8b6462da3b1e454eb166e5d3f02571a802bcdc937de77f36a677d1be7009c1ce8c8559

Download Submit
C:\Windows\{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe

Filesize
408KB

MD5
3ab9a91dc445dc5313662dda6ce59a08

SHA1
e68e727f1fbaa317471be0eb4f16964218515faa

SHA256
4dccc570194b1fd2c9c3d7cd7473937ce8eae90ceda2dbe044ebb25904caf4f8

SHA512
7b78d85575417e4a3daf9a5e1be4604164460ea2a905cc588332573edef56fcfa82f1e07cf5d55bdf9fb82bfc40ba5c2007c86f642b6d232a51bafe262285a29

Download Submit
C:\Windows\{522156A7-4E49-43f7-9E87-96E157EEBEA9}.exe

Filesize
408KB

MD5
3ab9a91dc445dc5313662dda6ce59a08

SHA1
e68e727f1fbaa317471be0eb4f16964218515faa

SHA256
4dccc570194b1fd2c9c3d7cd7473937ce8eae90ceda2dbe044ebb25904caf4f8

SHA512
7b78d85575417e4a3daf9a5e1be4604164460ea2a905cc588332573edef56fcfa82f1e07cf5d55bdf9fb82bfc40ba5c2007c86f642b6d232a51bafe262285a29

Download Submit
C:\Windows\{635531EA-2469-40e5-B745-A71AB0A8D0D7}.exe

Filesize
408KB

MD5
f04d7d2069bc3ba6d42ab62259a70458

SHA1
678b854ae14283fc05409beae26fe720ccbd2223

SHA256
95bd69a20d1bc0c0edcee99dda48ef683d088cefbc08345a9fb48490e02e5b51

SHA512
90f9d0d488828cdffc244b7553a925e29d3b5676557e59bf68a5151cfcd03e22cfcfe40654f9ba03816da8bbf3dda7ead6126d1fefc6501db47d662ccdc86ce9

Download Submit
C:\Windows\{635531EA-2469-40e5-B745-A71AB0A8D0D7}.exe

Filesize
408KB

MD5
f04d7d2069bc3ba6d42ab62259a70458

SHA1
678b854ae14283fc05409beae26fe720ccbd2223

SHA256
95bd69a20d1bc0c0edcee99dda48ef683d088cefbc08345a9fb48490e02e5b51

SHA512
90f9d0d488828cdffc244b7553a925e29d3b5676557e59bf68a5151cfcd03e22cfcfe40654f9ba03816da8bbf3dda7ead6126d1fefc6501db47d662ccdc86ce9

Download Submit
C:\Windows\{67260893-7C77-4769-AAAB-DFC86BAD4B27}.exe

Filesize
408KB

MD5
0dd761c28a470c1a0b5f392c7d9f3a19

SHA1
56f314427667d71415b5a3be30040cc211f0b72d

SHA256
8a6a3ff5ccd767d3c57075abcebdfc4aa68c2e7fb4861e8bb3dd7fab4b21edc7

SHA512
1388adcae16f231e1ba041f3826842f074f546d19f44932c3f6476382424738b3197856e2553be90b8f00367bc3ce1ec1b3fdfdbade04038514b91b4627ea2a8

Download Submit
C:\Windows\{67260893-7C77-4769-AAAB-DFC86BAD4B27}.exe

Filesize
408KB

MD5
0dd761c28a470c1a0b5f392c7d9f3a19

SHA1
56f314427667d71415b5a3be30040cc211f0b72d

SHA256
8a6a3ff5ccd767d3c57075abcebdfc4aa68c2e7fb4861e8bb3dd7fab4b21edc7

SHA512
1388adcae16f231e1ba041f3826842f074f546d19f44932c3f6476382424738b3197856e2553be90b8f00367bc3ce1ec1b3fdfdbade04038514b91b4627ea2a8

Download Submit
C:\Windows\{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe

Filesize
408KB

MD5
309b9cfaa1492d28fbb5775d78458232

SHA1
bbce9c131c2df45c7368bf65dc18717af10b9668

SHA256
ed71a25a7b04de38b880981e0cbc1e294ae9919a96f315992620a63526fd8073

SHA512
6032ed81f416743a936bacc2b1cfb644d01b6b5164449d5e0c721aee2fe2ba82baa3ae59c55ae02e657931d667ed8fa06cbe465b5f43feeb27df04b6fb6aa618

Download Submit
C:\Windows\{7A0201F0-3DBC-4ce2-8398-7ABF43856D40}.exe

Filesize
408KB

MD5
309b9cfaa1492d28fbb5775d78458232

SHA1
bbce9c131c2df45c7368bf65dc18717af10b9668

SHA256
ed71a25a7b04de38b880981e0cbc1e294ae9919a96f315992620a63526fd8073

SHA512
6032ed81f416743a936bacc2b1cfb644d01b6b5164449d5e0c721aee2fe2ba82baa3ae59c55ae02e657931d667ed8fa06cbe465b5f43feeb27df04b6fb6aa618

Download Submit
C:\Windows\{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe

Filesize
408KB

MD5
8ee00105995a3b421a6cf3b7b24f3df0

SHA1
c3bd4db0175d4ba7729edcd19aa0b45d56f1b9ee

SHA256
1a0abe0ed3bc8288bf53dfd510cca7a03c408b44517989b0694d382eeda9e077

SHA512
8225187ba386201f9297d557ebeae3cdb6a9938d02ed0c971a3f6fca1be9c64cace28922268b7a99cd89edd4cadaf680c986f7551c3c56cba9e1702729c7e526

Download Submit
C:\Windows\{F9EDE021-9994-47c5-888D-C5F79ADBEB0A}.exe

Filesize
408KB

MD5
8ee00105995a3b421a6cf3b7b24f3df0

SHA1
c3bd4db0175d4ba7729edcd19aa0b45d56f1b9ee

SHA256
1a0abe0ed3bc8288bf53dfd510cca7a03c408b44517989b0694d382eeda9e077

SHA512
8225187ba386201f9297d557ebeae3cdb6a9938d02ed0c971a3f6fca1be9c64cace28922268b7a99cd89edd4cadaf680c986f7551c3c56cba9e1702729c7e526

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads