f39537a62d8a5d31a96cafda303e5a1a65579ee5e314b1c3e489d913f854edad

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27/08/2023, 16:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b2ccd1795978a4417be5235dd863233f_goldeneye_JC.exe
Size

372KB
MD5

b2ccd1795978a4417be5235dd863233f
SHA1

c3cf7b42e9563ccb6f5406903816b7d06f44bd6b
SHA256

f39537a62d8a5d31a96cafda303e5a1a65579ee5e314b1c3e489d913f854edad
SHA512

408ccec25bee5faed4e9eb8550984809f060b8e7b87dfc15c8c898be1efc476f8e9bec6d6dfe3a4a8c294a70fb1fd7a435f0d9ed54a0dff692634459144545c0
SSDEEP

3072:CEGh0oamlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGNl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F754AD98-FBDE-406d-963C-FA65D14A6DD6}	{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EB81E22-710C-47a6-8F6F-DE5131700183}	{C72E8FE3-FC2B-453a-922D-1CD9BF7E8051}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}\stubpath = "C:\\Windows\\{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe"	{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16E6DD61-F976-41ee-9FF7-6AD83710E541}	{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}	{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}	{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C72E8FE3-FC2B-453a-922D-1CD9BF7E8051}\stubpath = "C:\\Windows\\{C72E8FE3-FC2B-453a-922D-1CD9BF7E8051}.exe"	{17DBAFC6-C7D9-4e81-A4A3-0D42A8DAE75B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B76F3C84-BB13-47d3-930A-72F22F67F506}\stubpath = "C:\\Windows\\{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe"	{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F902DA3-0CB5-4c90-8C33-88716DED19E1}	{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F902DA3-0CB5-4c90-8C33-88716DED19E1}\stubpath = "C:\\Windows\\{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe"	{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F754AD98-FBDE-406d-963C-FA65D14A6DD6}\stubpath = "C:\\Windows\\{F754AD98-FBDE-406d-963C-FA65D14A6DD6}.exe"	{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17DBAFC6-C7D9-4e81-A4A3-0D42A8DAE75B}\stubpath = "C:\\Windows\\{17DBAFC6-C7D9-4e81-A4A3-0D42A8DAE75B}.exe"	{F754AD98-FBDE-406d-963C-FA65D14A6DD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}	{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B76F3C84-BB13-47d3-930A-72F22F67F506}	{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}\stubpath = "C:\\Windows\\{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe"	{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}\stubpath = "C:\\Windows\\{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe"	{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17DBAFC6-C7D9-4e81-A4A3-0D42A8DAE75B}	{F754AD98-FBDE-406d-963C-FA65D14A6DD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C72E8FE3-FC2B-453a-922D-1CD9BF7E8051}	{17DBAFC6-C7D9-4e81-A4A3-0D42A8DAE75B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EB81E22-710C-47a6-8F6F-DE5131700183}\stubpath = "C:\\Windows\\{7EB81E22-710C-47a6-8F6F-DE5131700183}.exe"	{C72E8FE3-FC2B-453a-922D-1CD9BF7E8051}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{188B8B5A-CEC4-45c5-BA79-844D31C7707A}	b2ccd1795978a4417be5235dd863233f_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{188B8B5A-CEC4-45c5-BA79-844D31C7707A}\stubpath = "C:\\Windows\\{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe"	b2ccd1795978a4417be5235dd863233f_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16E6DD61-F976-41ee-9FF7-6AD83710E541}\stubpath = "C:\\Windows\\{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe"	{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe

Deletes itself 1 IoCs

pid	Process
2600	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2628	{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe
1168	{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe
2828	{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe
2952	{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe
2096	{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe
2712	{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe
2856	{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe
2704	{F754AD98-FBDE-406d-963C-FA65D14A6DD6}.exe
2416	{17DBAFC6-C7D9-4e81-A4A3-0D42A8DAE75B}.exe
2664	{C72E8FE3-FC2B-453a-922D-1CD9BF7E8051}.exe
368	{7EB81E22-710C-47a6-8F6F-DE5131700183}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe	{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe
File created	C:\Windows\{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe	{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe
File created	C:\Windows\{F754AD98-FBDE-406d-963C-FA65D14A6DD6}.exe	{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe
File created	C:\Windows\{7EB81E22-710C-47a6-8F6F-DE5131700183}.exe	{C72E8FE3-FC2B-453a-922D-1CD9BF7E8051}.exe
File created	C:\Windows\{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe	b2ccd1795978a4417be5235dd863233f_goldeneye_JC.exe
File created	C:\Windows\{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe	{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe
File created	C:\Windows\{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe	{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe
File created	C:\Windows\{C72E8FE3-FC2B-453a-922D-1CD9BF7E8051}.exe	{17DBAFC6-C7D9-4e81-A4A3-0D42A8DAE75B}.exe
File created	C:\Windows\{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe	{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe
File created	C:\Windows\{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe	{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe
File created	C:\Windows\{17DBAFC6-C7D9-4e81-A4A3-0D42A8DAE75B}.exe	{F754AD98-FBDE-406d-963C-FA65D14A6DD6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1788	b2ccd1795978a4417be5235dd863233f_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2628	{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe
Token: SeIncBasePriorityPrivilege	1168	{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe
Token: SeIncBasePriorityPrivilege	2828	{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe
Token: SeIncBasePriorityPrivilege	2952	{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe
Token: SeIncBasePriorityPrivilege	2096	{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe
Token: SeIncBasePriorityPrivilege	2712	{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe
Token: SeIncBasePriorityPrivilege	2856	{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe
Token: SeIncBasePriorityPrivilege	2704	{F754AD98-FBDE-406d-963C-FA65D14A6DD6}.exe
Token: SeIncBasePriorityPrivilege	2416	{17DBAFC6-C7D9-4e81-A4A3-0D42A8DAE75B}.exe
Token: SeIncBasePriorityPrivilege	2664	{C72E8FE3-FC2B-453a-922D-1CD9BF7E8051}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2628	1788	b2ccd1795978a4417be5235dd863233f_goldeneye_JC.exe	28
PID 1788 wrote to memory of 2628	1788	b2ccd1795978a4417be5235dd863233f_goldeneye_JC.exe	28
PID 1788 wrote to memory of 2628	1788	b2ccd1795978a4417be5235dd863233f_goldeneye_JC.exe	28
PID 1788 wrote to memory of 2628	1788	b2ccd1795978a4417be5235dd863233f_goldeneye_JC.exe	28
PID 1788 wrote to memory of 2600	1788	b2ccd1795978a4417be5235dd863233f_goldeneye_JC.exe	29
PID 1788 wrote to memory of 2600	1788	b2ccd1795978a4417be5235dd863233f_goldeneye_JC.exe	29
PID 1788 wrote to memory of 2600	1788	b2ccd1795978a4417be5235dd863233f_goldeneye_JC.exe	29
PID 1788 wrote to memory of 2600	1788	b2ccd1795978a4417be5235dd863233f_goldeneye_JC.exe	29
PID 2628 wrote to memory of 1168	2628	{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe	32
PID 2628 wrote to memory of 1168	2628	{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe	32
PID 2628 wrote to memory of 1168	2628	{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe	32
PID 2628 wrote to memory of 1168	2628	{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe	32
PID 2628 wrote to memory of 1496	2628	{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe	33
PID 2628 wrote to memory of 1496	2628	{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe	33
PID 2628 wrote to memory of 1496	2628	{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe	33
PID 2628 wrote to memory of 1496	2628	{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe	33
PID 1168 wrote to memory of 2828	1168	{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe	35
PID 1168 wrote to memory of 2828	1168	{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe	35
PID 1168 wrote to memory of 2828	1168	{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe	35
PID 1168 wrote to memory of 2828	1168	{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe	35
PID 1168 wrote to memory of 2904	1168	{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe	34
PID 1168 wrote to memory of 2904	1168	{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe	34
PID 1168 wrote to memory of 2904	1168	{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe	34
PID 1168 wrote to memory of 2904	1168	{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe	34
PID 2828 wrote to memory of 2952	2828	{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe	36
PID 2828 wrote to memory of 2952	2828	{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe	36
PID 2828 wrote to memory of 2952	2828	{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe	36
PID 2828 wrote to memory of 2952	2828	{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe	36
PID 2828 wrote to memory of 2808	2828	{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe	37
PID 2828 wrote to memory of 2808	2828	{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe	37
PID 2828 wrote to memory of 2808	2828	{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe	37
PID 2828 wrote to memory of 2808	2828	{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe	37
PID 2952 wrote to memory of 2096	2952	{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe	38
PID 2952 wrote to memory of 2096	2952	{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe	38
PID 2952 wrote to memory of 2096	2952	{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe	38
PID 2952 wrote to memory of 2096	2952	{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe	38
PID 2952 wrote to memory of 2800	2952	{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe	39
PID 2952 wrote to memory of 2800	2952	{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe	39
PID 2952 wrote to memory of 2800	2952	{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe	39
PID 2952 wrote to memory of 2800	2952	{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe	39
PID 2096 wrote to memory of 2712	2096	{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe	41
PID 2096 wrote to memory of 2712	2096	{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe	41
PID 2096 wrote to memory of 2712	2096	{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe	41
PID 2096 wrote to memory of 2712	2096	{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe	41
PID 2096 wrote to memory of 2476	2096	{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe	40
PID 2096 wrote to memory of 2476	2096	{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe	40
PID 2096 wrote to memory of 2476	2096	{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe	40
PID 2096 wrote to memory of 2476	2096	{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe	40
PID 2712 wrote to memory of 2856	2712	{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe	43
PID 2712 wrote to memory of 2856	2712	{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe	43
PID 2712 wrote to memory of 2856	2712	{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe	43
PID 2712 wrote to memory of 2856	2712	{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe	43
PID 2712 wrote to memory of 2740	2712	{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe	42
PID 2712 wrote to memory of 2740	2712	{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe	42
PID 2712 wrote to memory of 2740	2712	{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe	42
PID 2712 wrote to memory of 2740	2712	{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe	42
PID 2856 wrote to memory of 2704	2856	{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe	45
PID 2856 wrote to memory of 2704	2856	{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe	45
PID 2856 wrote to memory of 2704	2856	{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe	45
PID 2856 wrote to memory of 2704	2856	{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe	45
PID 2856 wrote to memory of 2760	2856	{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe	44
PID 2856 wrote to memory of 2760	2856	{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe	44
PID 2856 wrote to memory of 2760	2856	{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe	44
PID 2856 wrote to memory of 2760	2856	{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe	44

C:\Users\Admin\AppData\Local\Temp\b2ccd1795978a4417be5235dd863233f_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\b2ccd1795978a4417be5235dd863233f_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe
  C:\Windows\{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe
    C:\Windows\{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5FF60~1.EXE > nul
      4⤵
      PID:2904
  - - C:\Windows\{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe
      C:\Windows\{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe
        
        C:\Windows\{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe
        
        C:\Windows\{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F902~1.EXE > nul
        7⤵
        
        PID:2476
        
        C:\Windows\{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe
        
        C:\Windows\{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1803~1.EXE > nul
        8⤵
        
        PID:2740
        
        C:\Windows\{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe
        
        C:\Windows\{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B72D1~1.EXE > nul
        9⤵
        
        PID:2760
        
        C:\Windows\{F754AD98-FBDE-406d-963C-FA65D14A6DD6}.exe
        
        C:\Windows\{F754AD98-FBDE-406d-963C-FA65D14A6DD6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\{17DBAFC6-C7D9-4e81-A4A3-0D42A8DAE75B}.exe
        
        C:\Windows\{17DBAFC6-C7D9-4e81-A4A3-0D42A8DAE75B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\{C72E8FE3-FC2B-453a-922D-1CD9BF7E8051}.exe
        
        C:\Windows\{C72E8FE3-FC2B-453a-922D-1CD9BF7E8051}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\{7EB81E22-710C-47a6-8F6F-DE5131700183}.exe
        
        C:\Windows\{7EB81E22-710C-47a6-8F6F-DE5131700183}.exe
        12⤵
        Executes dropped EXE
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C72E8~1.EXE > nul
        12⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17DBA~1.EXE > nul
        11⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F754A~1.EXE > nul
        10⤵
        
        PID:2064
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B76F3~1.EXE > nul
        6⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16E6D~1.EXE > nul
        5⤵
        
        PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{188B8~1.EXE > nul
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B2CCD1~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe

Filesize
372KB

MD5
2269e155ef815c822054e3aeb165623e

SHA1
f37a20c1b20ee5c5df0fe39ab2767f176058acaf

SHA256
bb417675f01126bdd99b7802b63f8ef12c12f64a993e05eccaad804de03089bc

SHA512
b76e2b5c5e194ca0ff5690342cc405a9b3a02314838249a444b549daf6bf497bcc4b589e438547882480d0c0c62e3c131233bc5351ef6e4be2ac90bb81fed867

Download Submit
C:\Windows\{16E6DD61-F976-41ee-9FF7-6AD83710E541}.exe

Filesize
372KB

MD5
2269e155ef815c822054e3aeb165623e

SHA1
f37a20c1b20ee5c5df0fe39ab2767f176058acaf

SHA256
bb417675f01126bdd99b7802b63f8ef12c12f64a993e05eccaad804de03089bc

SHA512
b76e2b5c5e194ca0ff5690342cc405a9b3a02314838249a444b549daf6bf497bcc4b589e438547882480d0c0c62e3c131233bc5351ef6e4be2ac90bb81fed867

Download Submit
C:\Windows\{17DBAFC6-C7D9-4e81-A4A3-0D42A8DAE75B}.exe

Filesize
372KB

MD5
6e834d66d751f22640fd4154224893cf

SHA1
e73772dc6174fdd31222091490a10b5be6f29d12

SHA256
8d3043066337bb8ba30f03b889c0b52f1b67915d1eec130f531c5a2916d65564

SHA512
a87e31c9b239b85ef334614aa5c979637c36878ef863345214ddbff4833b449e3d7baee932ceb4bae555670fc45bf70989aa268eb73ac04b5c61eb4985dcc9cf

Download Submit
C:\Windows\{17DBAFC6-C7D9-4e81-A4A3-0D42A8DAE75B}.exe

Filesize
372KB

MD5
6e834d66d751f22640fd4154224893cf

SHA1
e73772dc6174fdd31222091490a10b5be6f29d12

SHA256
8d3043066337bb8ba30f03b889c0b52f1b67915d1eec130f531c5a2916d65564

SHA512
a87e31c9b239b85ef334614aa5c979637c36878ef863345214ddbff4833b449e3d7baee932ceb4bae555670fc45bf70989aa268eb73ac04b5c61eb4985dcc9cf

Download Submit
C:\Windows\{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe

Filesize
372KB

MD5
a35946f379909484a43ae760e321b803

SHA1
9000c033585a9d9271ae217b0d3191a08fca5196

SHA256
22fe3af4fb72fc85ea2094d53153aae8d12de4a82ea41d4e175d20a18448fae8

SHA512
682cf4b9a63e247595efb9b6ed5728a57572de3180cf32d45dc3130a38e88e218b749a169482c5c7cdf16149d8659d0b06ae6f1fad5cdb192794d28a232b7fda

Download Submit
C:\Windows\{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe

Filesize
372KB

MD5
a35946f379909484a43ae760e321b803

SHA1
9000c033585a9d9271ae217b0d3191a08fca5196

SHA256
22fe3af4fb72fc85ea2094d53153aae8d12de4a82ea41d4e175d20a18448fae8

SHA512
682cf4b9a63e247595efb9b6ed5728a57572de3180cf32d45dc3130a38e88e218b749a169482c5c7cdf16149d8659d0b06ae6f1fad5cdb192794d28a232b7fda

Download Submit
C:\Windows\{188B8B5A-CEC4-45c5-BA79-844D31C7707A}.exe

Filesize
372KB

MD5
a35946f379909484a43ae760e321b803

SHA1
9000c033585a9d9271ae217b0d3191a08fca5196

SHA256
22fe3af4fb72fc85ea2094d53153aae8d12de4a82ea41d4e175d20a18448fae8

SHA512
682cf4b9a63e247595efb9b6ed5728a57572de3180cf32d45dc3130a38e88e218b749a169482c5c7cdf16149d8659d0b06ae6f1fad5cdb192794d28a232b7fda

Download Submit
C:\Windows\{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe

Filesize
372KB

MD5
124e1422299972dec1117db5adb53683

SHA1
cfde19181c355cf4eb8536db04ab03bbd4e4ecc8

SHA256
b507e12ec329d46c0e4e1421638431bc8cfe07fb534497b6fd9ab6ddcccb23ca

SHA512
55f05f0c20fe71ceeceab3c45e7ebdf607d6ac102f17bc5565ce30390082e21e0141339a07c3cdb0f049cfc2b2c75b3b0675ee55b477ac72ddfbc569d58e9565

Download Submit
C:\Windows\{2F902DA3-0CB5-4c90-8C33-88716DED19E1}.exe

Filesize
372KB

MD5
124e1422299972dec1117db5adb53683

SHA1
cfde19181c355cf4eb8536db04ab03bbd4e4ecc8

SHA256
b507e12ec329d46c0e4e1421638431bc8cfe07fb534497b6fd9ab6ddcccb23ca

SHA512
55f05f0c20fe71ceeceab3c45e7ebdf607d6ac102f17bc5565ce30390082e21e0141339a07c3cdb0f049cfc2b2c75b3b0675ee55b477ac72ddfbc569d58e9565

Download Submit
C:\Windows\{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe

Filesize
372KB

MD5
bebf6e862d2aef473c94fa0155c3f38a

SHA1
57a5eab9da62f8d30264ee352bedbc39be168e55

SHA256
06c09b4a38f112c7c8f010a4186b134286137180844750d92db8a10556738127

SHA512
22e549abc4e70e93ee06fc08aedc4e89288b29c654fd4b2c16fb9a86123bed2b580a5d5d3e575184951319bdc4ecab3cc2041aab1f3a73dc6e3e6ae04e388296

Download Submit
C:\Windows\{5FF60533-BBD1-4afd-92DE-1E36D6C3291A}.exe

Filesize
372KB

MD5
bebf6e862d2aef473c94fa0155c3f38a

SHA1
57a5eab9da62f8d30264ee352bedbc39be168e55

SHA256
06c09b4a38f112c7c8f010a4186b134286137180844750d92db8a10556738127

SHA512
22e549abc4e70e93ee06fc08aedc4e89288b29c654fd4b2c16fb9a86123bed2b580a5d5d3e575184951319bdc4ecab3cc2041aab1f3a73dc6e3e6ae04e388296

Download Submit
C:\Windows\{7EB81E22-710C-47a6-8F6F-DE5131700183}.exe

Filesize
372KB

MD5
ee00651843b8a35cded321bce3bebead

SHA1
4c8bb1c800401481dda2aadf4de80e90b47021a4

SHA256
3eaa881bb3f61c7b7c8a2b1b73fe5dd8e90953ce8354f3df46f8aa314d163514

SHA512
4c104ddce609600152ecdf2e1fc68eec5b6a1ade436d0e90ab4c30ce246c4865fd0dcba2f5fb35ed493977fcbb969367b2bc8fabccb7cf1067e4da8fd8b5ebbb

Download Submit
C:\Windows\{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe

Filesize
372KB

MD5
c85d35b06d89bfdaca0c282acee4fd42

SHA1
cc72742733dcbab36606a9bfb7b8ff7f93fbd2aa

SHA256
28896fcf4c11b53a6648066ca27cc5721ce30a7301d67d4e7850236bbdcae310

SHA512
a0811bc994353e90ad39671d0067a22dd25db318fc183626872ccc1d0601a44c8da1e65530a39c2a0e685a04577b51ae513a8983289ef1b0d133310881735c53

Download Submit
C:\Windows\{B1803F0D-2ABB-4542-9AEC-5331CCE7840D}.exe

Filesize
372KB

MD5
c85d35b06d89bfdaca0c282acee4fd42

SHA1
cc72742733dcbab36606a9bfb7b8ff7f93fbd2aa

SHA256
28896fcf4c11b53a6648066ca27cc5721ce30a7301d67d4e7850236bbdcae310

SHA512
a0811bc994353e90ad39671d0067a22dd25db318fc183626872ccc1d0601a44c8da1e65530a39c2a0e685a04577b51ae513a8983289ef1b0d133310881735c53

Download Submit
C:\Windows\{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe

Filesize
372KB

MD5
63102df90877dbb9774c0dbfcaa906f9

SHA1
00f4c94c13d54e9d74f8ce08cb279f5af08a7587

SHA256
89c33bc73a813309e38cf3bdad38c51d2064348ef197d6f133cf2a73dbbdaabb

SHA512
4833dc0878db95ebadb467b7d2c128f67f6134bd82b41ab44ba6857b57cd66db9e8a2d3896d7eb19ff4074374c2e36fdd70f9c641d896ed8326c5c9f2ec7f304

Download Submit
C:\Windows\{B72D1384-2AF2-491a-8BAF-6C5D25CE933B}.exe

Filesize
372KB

MD5
63102df90877dbb9774c0dbfcaa906f9

SHA1
00f4c94c13d54e9d74f8ce08cb279f5af08a7587

SHA256
89c33bc73a813309e38cf3bdad38c51d2064348ef197d6f133cf2a73dbbdaabb

SHA512
4833dc0878db95ebadb467b7d2c128f67f6134bd82b41ab44ba6857b57cd66db9e8a2d3896d7eb19ff4074374c2e36fdd70f9c641d896ed8326c5c9f2ec7f304

Download Submit
C:\Windows\{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe

Filesize
372KB

MD5
ce790d8e93f462716fc60498e7f84dd8

SHA1
ded53b2f63c06bc5e4806038359bc79854567249

SHA256
9651164ce7d66cb243e0c606377ed804b1d8da17dd7aa7abf37a338ef35a9ced

SHA512
00e096085bf90bc5884194ea3fac416093d478697535198058c31f47d83aadef9cddb6e83e4c39157aa338cacb99608e5bee7e96537bed484c5b9defe03b3c72

Download Submit
C:\Windows\{B76F3C84-BB13-47d3-930A-72F22F67F506}.exe

Filesize
372KB

MD5
ce790d8e93f462716fc60498e7f84dd8

SHA1
ded53b2f63c06bc5e4806038359bc79854567249

SHA256
9651164ce7d66cb243e0c606377ed804b1d8da17dd7aa7abf37a338ef35a9ced

SHA512
00e096085bf90bc5884194ea3fac416093d478697535198058c31f47d83aadef9cddb6e83e4c39157aa338cacb99608e5bee7e96537bed484c5b9defe03b3c72

Download Submit
C:\Windows\{C72E8FE3-FC2B-453a-922D-1CD9BF7E8051}.exe

Filesize
372KB

MD5
67e5817332d9bfb0d5f252575b927a7b

SHA1
285c75307a4e1140695f463844d05e776ebbdb42

SHA256
a6310c1703cf41557b10e8c73263cc736e49f05c838669b750867e63faf5eaaa

SHA512
04c86ae3d57ccfab8fb3ba0d048351085c7fa7664b44bdfddbc522fc3fb6ffe6fb8d544f4090286f21bd8b8d45356f6fbad88690372480e33500e21ac15b4026

Download Submit
C:\Windows\{C72E8FE3-FC2B-453a-922D-1CD9BF7E8051}.exe

Filesize
372KB

MD5
67e5817332d9bfb0d5f252575b927a7b

SHA1
285c75307a4e1140695f463844d05e776ebbdb42

SHA256
a6310c1703cf41557b10e8c73263cc736e49f05c838669b750867e63faf5eaaa

SHA512
04c86ae3d57ccfab8fb3ba0d048351085c7fa7664b44bdfddbc522fc3fb6ffe6fb8d544f4090286f21bd8b8d45356f6fbad88690372480e33500e21ac15b4026

Download Submit
C:\Windows\{F754AD98-FBDE-406d-963C-FA65D14A6DD6}.exe

Filesize
372KB

MD5
2973abb7d3d148bb55fef9cffcacd2f2

SHA1
a4b133795492edb1760e542b63444bd53cc0de0d

SHA256
a1b66f43c0d1878b88fdb3baa9563f619fabf1a3bf4f2e9c751a6b6a84b97ccc

SHA512
00940a641c9670756daa4c5b736b9c798ea37772be162fb3588dd3b1a8e4a5eb8edb39ed7eba8fa76caf103e76c957711ebc56af3e26cd948ce85d160ee6cc1f

Download Submit
C:\Windows\{F754AD98-FBDE-406d-963C-FA65D14A6DD6}.exe

Filesize
372KB

MD5
2973abb7d3d148bb55fef9cffcacd2f2

SHA1
a4b133795492edb1760e542b63444bd53cc0de0d

SHA256
a1b66f43c0d1878b88fdb3baa9563f619fabf1a3bf4f2e9c751a6b6a84b97ccc

SHA512
00940a641c9670756daa4c5b736b9c798ea37772be162fb3588dd3b1a8e4a5eb8edb39ed7eba8fa76caf103e76c957711ebc56af3e26cd948ce85d160ee6cc1f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads