e54e7941fa3dcc0875f6566f7c3cc381ac47bd76e28eb1370f2760ba91340b6f

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27/08/2023, 18:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b9b89fcb08348239d00e0fc585336c77_goldeneye_JC.exe
Size

168KB
MD5

b9b89fcb08348239d00e0fc585336c77
SHA1

b6fc2f2e3699d20dd9759f0112f47ad34cb20671
SHA256

e54e7941fa3dcc0875f6566f7c3cc381ac47bd76e28eb1370f2760ba91340b6f
SHA512

e5c89953afd72a81586a585366c0deab6571e182dfa7ea49160e6efeb0f349d16bf2b1464375b055998e20a81c8fbb2635c69aaa6bdccf46ab14243f5f4fbeb0
SSDEEP

1536:1EGh0oOlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oOlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F497D062-51C4-48a3-8AA3-854EBE820642}\stubpath = "C:\\Windows\\{F497D062-51C4-48a3-8AA3-854EBE820642}.exe"	{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4941164-A1CE-4e11-BB05-63BC25205DB5}	{F497D062-51C4-48a3-8AA3-854EBE820642}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4941164-A1CE-4e11-BB05-63BC25205DB5}\stubpath = "C:\\Windows\\{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe"	{F497D062-51C4-48a3-8AA3-854EBE820642}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D480DA15-637F-4f82-ABC2-538B4BC2EB05}	{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DEF93C5-6696-42a9-BC3E-97CEE3A247D6}	{537B8652-796D-4eed-8453-78EBC80C517E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32AF0811-74D0-4a8e-8AB4-D520B01437C8}	b9b89fcb08348239d00e0fc585336c77_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}	{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B0030AE-F53A-455b-87B3-059FED459EA9}	{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}	{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}\stubpath = "C:\\Windows\\{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe"	{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBA78DC4-890B-4eda-A421-5E93DCE25ACD}	{2DEF93C5-6696-42a9-BC3E-97CEE3A247D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32AF0811-74D0-4a8e-8AB4-D520B01437C8}\stubpath = "C:\\Windows\\{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe"	b9b89fcb08348239d00e0fc585336c77_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}	{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}\stubpath = "C:\\Windows\\{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe"	{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{537B8652-796D-4eed-8453-78EBC80C517E}	{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{537B8652-796D-4eed-8453-78EBC80C517E}\stubpath = "C:\\Windows\\{537B8652-796D-4eed-8453-78EBC80C517E}.exe"	{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DEF93C5-6696-42a9-BC3E-97CEE3A247D6}\stubpath = "C:\\Windows\\{2DEF93C5-6696-42a9-BC3E-97CEE3A247D6}.exe"	{537B8652-796D-4eed-8453-78EBC80C517E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}\stubpath = "C:\\Windows\\{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe"	{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F497D062-51C4-48a3-8AA3-854EBE820642}	{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D480DA15-637F-4f82-ABC2-538B4BC2EB05}\stubpath = "C:\\Windows\\{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe"	{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B0030AE-F53A-455b-87B3-059FED459EA9}\stubpath = "C:\\Windows\\{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe"	{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}	{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}\stubpath = "C:\\Windows\\{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe"	{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBA78DC4-890B-4eda-A421-5E93DCE25ACD}\stubpath = "C:\\Windows\\{BBA78DC4-890B-4eda-A421-5E93DCE25ACD}.exe"	{2DEF93C5-6696-42a9-BC3E-97CEE3A247D6}.exe

Executes dropped EXE 12 IoCs

pid	Process
3868	{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe
4124	{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe
1148	{F497D062-51C4-48a3-8AA3-854EBE820642}.exe
4148	{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe
3628	{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe
1116	{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe
3732	{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe
2020	{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe
4332	{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe
3588	{537B8652-796D-4eed-8453-78EBC80C517E}.exe
2788	{2DEF93C5-6696-42a9-BC3E-97CEE3A247D6}.exe
2724	{BBA78DC4-890B-4eda-A421-5E93DCE25ACD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe	{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe
File created	C:\Windows\{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe	{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe
File created	C:\Windows\{537B8652-796D-4eed-8453-78EBC80C517E}.exe	{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe
File created	C:\Windows\{BBA78DC4-890B-4eda-A421-5E93DCE25ACD}.exe	{2DEF93C5-6696-42a9-BC3E-97CEE3A247D6}.exe
File created	C:\Windows\{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe	b9b89fcb08348239d00e0fc585336c77_goldeneye_JC.exe
File created	C:\Windows\{F497D062-51C4-48a3-8AA3-854EBE820642}.exe	{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe
File created	C:\Windows\{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe	{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe
File created	C:\Windows\{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe	{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe
File created	C:\Windows\{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe	{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe
File created	C:\Windows\{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe	{F497D062-51C4-48a3-8AA3-854EBE820642}.exe
File created	C:\Windows\{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe	{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe
File created	C:\Windows\{2DEF93C5-6696-42a9-BC3E-97CEE3A247D6}.exe	{537B8652-796D-4eed-8453-78EBC80C517E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1240	b9b89fcb08348239d00e0fc585336c77_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3868	{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe
Token: SeIncBasePriorityPrivilege	4124	{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe
Token: SeIncBasePriorityPrivilege	1148	{F497D062-51C4-48a3-8AA3-854EBE820642}.exe
Token: SeIncBasePriorityPrivilege	4148	{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe
Token: SeIncBasePriorityPrivilege	3628	{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe
Token: SeIncBasePriorityPrivilege	1116	{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe
Token: SeIncBasePriorityPrivilege	3732	{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe
Token: SeIncBasePriorityPrivilege	2020	{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe
Token: SeIncBasePriorityPrivilege	4332	{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe
Token: SeIncBasePriorityPrivilege	3588	{537B8652-796D-4eed-8453-78EBC80C517E}.exe
Token: SeIncBasePriorityPrivilege	2788	{2DEF93C5-6696-42a9-BC3E-97CEE3A247D6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 3868	1240	b9b89fcb08348239d00e0fc585336c77_goldeneye_JC.exe	90
PID 1240 wrote to memory of 3868	1240	b9b89fcb08348239d00e0fc585336c77_goldeneye_JC.exe	90
PID 1240 wrote to memory of 3868	1240	b9b89fcb08348239d00e0fc585336c77_goldeneye_JC.exe	90
PID 1240 wrote to memory of 3600	1240	b9b89fcb08348239d00e0fc585336c77_goldeneye_JC.exe	91
PID 1240 wrote to memory of 3600	1240	b9b89fcb08348239d00e0fc585336c77_goldeneye_JC.exe	91
PID 1240 wrote to memory of 3600	1240	b9b89fcb08348239d00e0fc585336c77_goldeneye_JC.exe	91
PID 3868 wrote to memory of 4124	3868	{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe	92
PID 3868 wrote to memory of 4124	3868	{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe	92
PID 3868 wrote to memory of 4124	3868	{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe	92
PID 3868 wrote to memory of 3736	3868	{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe	93
PID 3868 wrote to memory of 3736	3868	{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe	93
PID 3868 wrote to memory of 3736	3868	{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe	93
PID 4124 wrote to memory of 1148	4124	{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe	96
PID 4124 wrote to memory of 1148	4124	{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe	96
PID 4124 wrote to memory of 1148	4124	{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe	96
PID 4124 wrote to memory of 5028	4124	{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe	95
PID 4124 wrote to memory of 5028	4124	{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe	95
PID 4124 wrote to memory of 5028	4124	{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe	95
PID 1148 wrote to memory of 4148	1148	{F497D062-51C4-48a3-8AA3-854EBE820642}.exe	97
PID 1148 wrote to memory of 4148	1148	{F497D062-51C4-48a3-8AA3-854EBE820642}.exe	97
PID 1148 wrote to memory of 4148	1148	{F497D062-51C4-48a3-8AA3-854EBE820642}.exe	97
PID 1148 wrote to memory of 1040	1148	{F497D062-51C4-48a3-8AA3-854EBE820642}.exe	98
PID 1148 wrote to memory of 1040	1148	{F497D062-51C4-48a3-8AA3-854EBE820642}.exe	98
PID 1148 wrote to memory of 1040	1148	{F497D062-51C4-48a3-8AA3-854EBE820642}.exe	98
PID 4148 wrote to memory of 3628	4148	{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe	99
PID 4148 wrote to memory of 3628	4148	{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe	99
PID 4148 wrote to memory of 3628	4148	{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe	99
PID 4148 wrote to memory of 1260	4148	{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe	100
PID 4148 wrote to memory of 1260	4148	{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe	100
PID 4148 wrote to memory of 1260	4148	{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe	100
PID 3628 wrote to memory of 1116	3628	{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe	101
PID 3628 wrote to memory of 1116	3628	{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe	101
PID 3628 wrote to memory of 1116	3628	{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe	101
PID 3628 wrote to memory of 1300	3628	{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe	102
PID 3628 wrote to memory of 1300	3628	{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe	102
PID 3628 wrote to memory of 1300	3628	{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe	102
PID 1116 wrote to memory of 3732	1116	{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe	103
PID 1116 wrote to memory of 3732	1116	{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe	103
PID 1116 wrote to memory of 3732	1116	{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe	103
PID 1116 wrote to memory of 1528	1116	{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe	104
PID 1116 wrote to memory of 1528	1116	{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe	104
PID 1116 wrote to memory of 1528	1116	{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe	104
PID 3732 wrote to memory of 2020	3732	{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe	105
PID 3732 wrote to memory of 2020	3732	{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe	105
PID 3732 wrote to memory of 2020	3732	{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe	105
PID 3732 wrote to memory of 2228	3732	{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe	106
PID 3732 wrote to memory of 2228	3732	{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe	106
PID 3732 wrote to memory of 2228	3732	{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe	106
PID 2020 wrote to memory of 4332	2020	{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe	107
PID 2020 wrote to memory of 4332	2020	{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe	107
PID 2020 wrote to memory of 4332	2020	{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe	107
PID 2020 wrote to memory of 3740	2020	{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe	108
PID 2020 wrote to memory of 3740	2020	{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe	108
PID 2020 wrote to memory of 3740	2020	{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe	108
PID 4332 wrote to memory of 3588	4332	{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe	109
PID 4332 wrote to memory of 3588	4332	{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe	109
PID 4332 wrote to memory of 3588	4332	{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe	109
PID 4332 wrote to memory of 1480	4332	{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe	110
PID 4332 wrote to memory of 1480	4332	{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe	110
PID 4332 wrote to memory of 1480	4332	{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe	110
PID 3588 wrote to memory of 2788	3588	{537B8652-796D-4eed-8453-78EBC80C517E}.exe	111
PID 3588 wrote to memory of 2788	3588	{537B8652-796D-4eed-8453-78EBC80C517E}.exe	111
PID 3588 wrote to memory of 2788	3588	{537B8652-796D-4eed-8453-78EBC80C517E}.exe	111
PID 3588 wrote to memory of 3568	3588	{537B8652-796D-4eed-8453-78EBC80C517E}.exe	112

C:\Users\Admin\AppData\Local\Temp\b9b89fcb08348239d00e0fc585336c77_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\b9b89fcb08348239d00e0fc585336c77_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe
  C:\Windows\{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe
    C:\Windows\{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4C94D~1.EXE > nul
      4⤵
      PID:5028
  - - C:\Windows\{F497D062-51C4-48a3-8AA3-854EBE820642}.exe
      C:\Windows\{F497D062-51C4-48a3-8AA3-854EBE820642}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe
        
        C:\Windows\{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4148
      - C:\Windows\{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe
        
        C:\Windows\{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe
        
        C:\Windows\{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe
        
        C:\Windows\{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe
        
        C:\Windows\{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe
        
        C:\Windows\{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\{537B8652-796D-4eed-8453-78EBC80C517E}.exe
        
        C:\Windows\{537B8652-796D-4eed-8453-78EBC80C517E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\{2DEF93C5-6696-42a9-BC3E-97CEE3A247D6}.exe
        
        C:\Windows\{2DEF93C5-6696-42a9-BC3E-97CEE3A247D6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\{BBA78DC4-890B-4eda-A421-5E93DCE25ACD}.exe
        
        C:\Windows\{BBA78DC4-890B-4eda-A421-5E93DCE25ACD}.exe
        13⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DEF9~1.EXE > nul
        13⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{537B8~1.EXE > nul
        12⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8323C~1.EXE > nul
        11⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9960~1.EXE > nul
        10⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B003~1.EXE > nul
        9⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D480D~1.EXE > nul
        8⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0348F~1.EXE > nul
        7⤵
        
        PID:1300
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4941~1.EXE > nul
        6⤵
        
        PID:1260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F497D~1.EXE > nul
        5⤵
        
        PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{32AF0~1.EXE > nul
    3⤵
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B9B89F~1.EXE > nul
  2⤵
  PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe

Filesize
168KB

MD5
8efbd61689b1c9898057495e954a213c

SHA1
596b546804f4701425e3169bafe3a06c7aee9c02

SHA256
0dd3f6d2667d387b050902d952b19132dea07d2b1ca321389c73ade2be288b79

SHA512
c993cea334ef8142d438e26b9597b7993d04e82e4970857cfd6162887c2423c3c7dc5f26a2a36a8f88cd357752b764228c7e5d39281f576cf1677fa93aad82b3

Download Submit
C:\Windows\{0348FE62-DF0F-4b3c-9D66-A564707DAEF5}.exe

Filesize
168KB

MD5
8efbd61689b1c9898057495e954a213c

SHA1
596b546804f4701425e3169bafe3a06c7aee9c02

SHA256
0dd3f6d2667d387b050902d952b19132dea07d2b1ca321389c73ade2be288b79

SHA512
c993cea334ef8142d438e26b9597b7993d04e82e4970857cfd6162887c2423c3c7dc5f26a2a36a8f88cd357752b764228c7e5d39281f576cf1677fa93aad82b3

Download Submit
C:\Windows\{2DEF93C5-6696-42a9-BC3E-97CEE3A247D6}.exe

Filesize
168KB

MD5
a39876dd9154cd735a57f8ce84cb3ca3

SHA1
5ec0142ccaf52cb83cf1ef47623ae6e3c496e323

SHA256
2daae00eeea706c5f4df6bdc3410dd872306394c3b623426bc12db28d3eba008

SHA512
323cb25aafaecb6fb63e3108f5b667ff78c91d5587080dfc64613e8a6a6a8e0b874da7a58770f9e5d9d1cdd58a89c70f20d09912e28ed6a049488d9364ec81fc

Download Submit
C:\Windows\{2DEF93C5-6696-42a9-BC3E-97CEE3A247D6}.exe

Filesize
168KB

MD5
a39876dd9154cd735a57f8ce84cb3ca3

SHA1
5ec0142ccaf52cb83cf1ef47623ae6e3c496e323

SHA256
2daae00eeea706c5f4df6bdc3410dd872306394c3b623426bc12db28d3eba008

SHA512
323cb25aafaecb6fb63e3108f5b667ff78c91d5587080dfc64613e8a6a6a8e0b874da7a58770f9e5d9d1cdd58a89c70f20d09912e28ed6a049488d9364ec81fc

Download Submit
C:\Windows\{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe

Filesize
168KB

MD5
e244438925188f9aeff82bc6dc6ae353

SHA1
c4963a9534d53f057735d33457ea2ea480423432

SHA256
27f0af2e7435bb0969502bc403770f37a425f9f4e8a89c635429a227c61918d2

SHA512
310139fb3feccbd100369e4daa97a62f7fcdd6b8d68d4d84167fc127168e43a9aa3b63159e5d816459e6507d55a5697aadcc1d15ff051e6feccbec430c3fd29e

Download Submit
C:\Windows\{32AF0811-74D0-4a8e-8AB4-D520B01437C8}.exe

Filesize
168KB

MD5
e244438925188f9aeff82bc6dc6ae353

SHA1
c4963a9534d53f057735d33457ea2ea480423432

SHA256
27f0af2e7435bb0969502bc403770f37a425f9f4e8a89c635429a227c61918d2

SHA512
310139fb3feccbd100369e4daa97a62f7fcdd6b8d68d4d84167fc127168e43a9aa3b63159e5d816459e6507d55a5697aadcc1d15ff051e6feccbec430c3fd29e

Download Submit
C:\Windows\{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe

Filesize
168KB

MD5
adb4a6078bfd5666031202001deff445

SHA1
7734a59224e6d9b6a5cdd4e6f16c844c2e73a7d1

SHA256
178d6b00ae72fa4dca8bdedb5cf6a6a216fafdd7068a7e5519004f212e883730

SHA512
807df4bcff432447bb72a9d724ed8ba621665609638bc8db914a2ebfe64acde887b228674e9c30c80852ea6e8a4732b1c923d22bd9c9e35005109d1ce2f171d3

Download Submit
C:\Windows\{4C94D82B-3BA4-4b88-87AB-BE661DD1905C}.exe

Filesize
168KB

MD5
adb4a6078bfd5666031202001deff445

SHA1
7734a59224e6d9b6a5cdd4e6f16c844c2e73a7d1

SHA256
178d6b00ae72fa4dca8bdedb5cf6a6a216fafdd7068a7e5519004f212e883730

SHA512
807df4bcff432447bb72a9d724ed8ba621665609638bc8db914a2ebfe64acde887b228674e9c30c80852ea6e8a4732b1c923d22bd9c9e35005109d1ce2f171d3

Download Submit
C:\Windows\{537B8652-796D-4eed-8453-78EBC80C517E}.exe

Filesize
168KB

MD5
bc32e077c86cdf3dc547f2ecd1fe016a

SHA1
53bd7627c315b1484d086a685d7ddaf6a6297f05

SHA256
7e907e75f1209b4bd53b6c91f575578fcd65453f193965a5ef41c841cb00738b

SHA512
a9a57088bf7fa630ec040b1a33869f897a4b88082f4ec4258df875e8a46777c20e771cfb7a7b0064753687efc715bff9edaa0cdd33fee558ecd8683c335ba707

Download Submit
C:\Windows\{537B8652-796D-4eed-8453-78EBC80C517E}.exe

Filesize
168KB

MD5
bc32e077c86cdf3dc547f2ecd1fe016a

SHA1
53bd7627c315b1484d086a685d7ddaf6a6297f05

SHA256
7e907e75f1209b4bd53b6c91f575578fcd65453f193965a5ef41c841cb00738b

SHA512
a9a57088bf7fa630ec040b1a33869f897a4b88082f4ec4258df875e8a46777c20e771cfb7a7b0064753687efc715bff9edaa0cdd33fee558ecd8683c335ba707

Download Submit
C:\Windows\{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe

Filesize
168KB

MD5
4d1f254352f3adf26f0ea3281b3144ab

SHA1
28983bc2358c413f35407c3263f0ce7f6e5be1eb

SHA256
5a830422593c60aefdd79a01594d128fb0559fd36d01bfe0d48c385b1d69fb0e

SHA512
41282ca3ec7b2a3c6077695408a869f1dae5c606b68fe2f9450b0fbe3969fb0d89a2ccffa0a93cbdeba1fb5fd38dd0bcc12815a1a79c2428d1339b744d1c0a61

Download Submit
C:\Windows\{6B0030AE-F53A-455b-87B3-059FED459EA9}.exe

Filesize
168KB

MD5
4d1f254352f3adf26f0ea3281b3144ab

SHA1
28983bc2358c413f35407c3263f0ce7f6e5be1eb

SHA256
5a830422593c60aefdd79a01594d128fb0559fd36d01bfe0d48c385b1d69fb0e

SHA512
41282ca3ec7b2a3c6077695408a869f1dae5c606b68fe2f9450b0fbe3969fb0d89a2ccffa0a93cbdeba1fb5fd38dd0bcc12815a1a79c2428d1339b744d1c0a61

Download Submit
C:\Windows\{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe

Filesize
168KB

MD5
49c61488fef8e894f0fe74559f3baff9

SHA1
6f3da96cbbcc10795618744ffdf59b00b26999ea

SHA256
e27d3ba3a8bb96a8b061903b96d7ceac25a83e6b6f749bfac92e129f90e513ae

SHA512
56f0568d014fb6ec2e51269bc75e7c1cff17485e5daf080bed218c5dec6b49052163c4e3f8472df0562f750b3f3b62517a5895b09f7d7ad7397ca7c2530f6ea0

Download Submit
C:\Windows\{8323C0A2-9972-4516-99D4-3F4EF8CE4A5D}.exe

Filesize
168KB

MD5
49c61488fef8e894f0fe74559f3baff9

SHA1
6f3da96cbbcc10795618744ffdf59b00b26999ea

SHA256
e27d3ba3a8bb96a8b061903b96d7ceac25a83e6b6f749bfac92e129f90e513ae

SHA512
56f0568d014fb6ec2e51269bc75e7c1cff17485e5daf080bed218c5dec6b49052163c4e3f8472df0562f750b3f3b62517a5895b09f7d7ad7397ca7c2530f6ea0

Download Submit
C:\Windows\{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe

Filesize
168KB

MD5
6ffa2aaf9552f80ae47cd5bfb67a785d

SHA1
2ead673f45ef52d393dcbed99ce63bcb3fb97899

SHA256
ba76afab25327c31ae69e6ca11f14a4e784fb612c820c9f1312dcdaadc0eddd1

SHA512
ca89c6d88909f144bff46ef1268db6c54181a33245011fe13677974a92b6ba05debc774610f21dcdec20c3b12527360b1742d2959848f3df5544e313f502d740

Download Submit
C:\Windows\{A4941164-A1CE-4e11-BB05-63BC25205DB5}.exe

Filesize
168KB

MD5
6ffa2aaf9552f80ae47cd5bfb67a785d

SHA1
2ead673f45ef52d393dcbed99ce63bcb3fb97899

SHA256
ba76afab25327c31ae69e6ca11f14a4e784fb612c820c9f1312dcdaadc0eddd1

SHA512
ca89c6d88909f144bff46ef1268db6c54181a33245011fe13677974a92b6ba05debc774610f21dcdec20c3b12527360b1742d2959848f3df5544e313f502d740

Download Submit
C:\Windows\{BBA78DC4-890B-4eda-A421-5E93DCE25ACD}.exe

Filesize
168KB

MD5
bb9d9ed6a0e659e743e7727b51b97818

SHA1
8ed31cf4c5662d0690c22c303278801bb847fcfa

SHA256
a19788f22e65246647c1d488e2c232ae07d9aec8eb302cee303db154944c3a64

SHA512
574bef0c8e63014e11560141554a980432578158cc5f204c868f65822cadba3c2f8da016847e9689d1000625ec4979363a91d7382a39d5225be01e9cdf4f0133

Download Submit
C:\Windows\{BBA78DC4-890B-4eda-A421-5E93DCE25ACD}.exe

Filesize
168KB

MD5
bb9d9ed6a0e659e743e7727b51b97818

SHA1
8ed31cf4c5662d0690c22c303278801bb847fcfa

SHA256
a19788f22e65246647c1d488e2c232ae07d9aec8eb302cee303db154944c3a64

SHA512
574bef0c8e63014e11560141554a980432578158cc5f204c868f65822cadba3c2f8da016847e9689d1000625ec4979363a91d7382a39d5225be01e9cdf4f0133

Download Submit
C:\Windows\{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe

Filesize
168KB

MD5
3e1afd64d56fb48f1d79acf21b5b45e0

SHA1
1c6fd0f2ae1fcd72da35ba2a1d1a0b427671779b

SHA256
bb7a585827841eeabc5f5ace23c8aff145be03947609e0e4c962685f4692642b

SHA512
568c5a75533ced987d830badf600a39a2d4f9334b87455bc711b9d27f540da3ca20e7a99a9625fd296c5a6fdb109104074f0426502566de5291e0d185d961f17

Download Submit
C:\Windows\{D480DA15-637F-4f82-ABC2-538B4BC2EB05}.exe

Filesize
168KB

MD5
3e1afd64d56fb48f1d79acf21b5b45e0

SHA1
1c6fd0f2ae1fcd72da35ba2a1d1a0b427671779b

SHA256
bb7a585827841eeabc5f5ace23c8aff145be03947609e0e4c962685f4692642b

SHA512
568c5a75533ced987d830badf600a39a2d4f9334b87455bc711b9d27f540da3ca20e7a99a9625fd296c5a6fdb109104074f0426502566de5291e0d185d961f17

Download Submit
C:\Windows\{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe

Filesize
168KB

MD5
fbd8198a879a1863e0c2aa2e972b98f3

SHA1
5e34f26a49090e5f0d977147f3453b42d41142a4

SHA256
9e6f1ad91f43b14b300b3779d6ebabf58b6f366ebd10c065b83650494e0291ad

SHA512
f20ad5488fa17243649898a5aa606d13c14844041f2c5642f32e0bcd6b29a304a42a4c8c44bc831353212d59b1887b451a91a3f9742092a41c53ac07825fad9d

Download Submit
C:\Windows\{E99608ED-4973-47d5-A2C1-CD26E3B6A8DB}.exe

Filesize
168KB

MD5
fbd8198a879a1863e0c2aa2e972b98f3

SHA1
5e34f26a49090e5f0d977147f3453b42d41142a4

SHA256
9e6f1ad91f43b14b300b3779d6ebabf58b6f366ebd10c065b83650494e0291ad

SHA512
f20ad5488fa17243649898a5aa606d13c14844041f2c5642f32e0bcd6b29a304a42a4c8c44bc831353212d59b1887b451a91a3f9742092a41c53ac07825fad9d

Download Submit
C:\Windows\{F497D062-51C4-48a3-8AA3-854EBE820642}.exe

Filesize
168KB

MD5
b12037e7f97b535f1973f36907c6365d

SHA1
a2d417111ad714ae549674ae09479eacbd992eff

SHA256
f9220f32babf1ca8e7b071d85cb4cde62c537ec056183bf99f5b58f108c1a635

SHA512
7fed5db658c0a9f09699955ca35518dd841a72a1b7f5cf7a62988fab858c169efb349981db4e56d8b86fdc998431a80e57cd11916d5b9124d79766e48992d1d2

Download Submit
C:\Windows\{F497D062-51C4-48a3-8AA3-854EBE820642}.exe

Filesize
168KB

MD5
b12037e7f97b535f1973f36907c6365d

SHA1
a2d417111ad714ae549674ae09479eacbd992eff

SHA256
f9220f32babf1ca8e7b071d85cb4cde62c537ec056183bf99f5b58f108c1a635

SHA512
7fed5db658c0a9f09699955ca35518dd841a72a1b7f5cf7a62988fab858c169efb349981db4e56d8b86fdc998431a80e57cd11916d5b9124d79766e48992d1d2

Download Submit
C:\Windows\{F497D062-51C4-48a3-8AA3-854EBE820642}.exe

Filesize
168KB

MD5
b12037e7f97b535f1973f36907c6365d

SHA1
a2d417111ad714ae549674ae09479eacbd992eff

SHA256
f9220f32babf1ca8e7b071d85cb4cde62c537ec056183bf99f5b58f108c1a635

SHA512
7fed5db658c0a9f09699955ca35518dd841a72a1b7f5cf7a62988fab858c169efb349981db4e56d8b86fdc998431a80e57cd11916d5b9124d79766e48992d1d2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads