24df8c79ad2d7677ea36619f03c932561baa0d0b03510e903100ef6284bea433

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
28/08/2023, 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe
Size

380KB
MD5

bb3c9af958810ad697b39a6f2b7f4756
SHA1

c0053bcce07850a3dd881ac9a84cfa9856e67258
SHA256

24df8c79ad2d7677ea36619f03c932561baa0d0b03510e903100ef6284bea433
SHA512

61af8f961830a36ec5477c0b80986273d4a92e8c71ae1ba138cd05ff075211002f555b78429f53ccf0d20076e089d3535e8d9986f8b99822e345ed1823c7b908
SSDEEP

3072:mEGh0o6lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG0l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}	{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}	{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C47C3D0-BD8C-4485-B407-99C3DDB1E1E5}\stubpath = "C:\\Windows\\{0C47C3D0-BD8C-4485-B407-99C3DDB1E1E5}.exe"	{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98725AD1-EB70-41f0-9429-BCCD26ADD1FD}\stubpath = "C:\\Windows\\{98725AD1-EB70-41f0-9429-BCCD26ADD1FD}.exe"	{A643910E-A8F7-4b5c-9BFE-D424585D6AE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B3DB5DC-B096-4e0f-99C1-413FDF87F761}	{0C47C3D0-BD8C-4485-B407-99C3DDB1E1E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A643910E-A8F7-4b5c-9BFE-D424585D6AE2}	{7B3DB5DC-B096-4e0f-99C1-413FDF87F761}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A643910E-A8F7-4b5c-9BFE-D424585D6AE2}\stubpath = "C:\\Windows\\{A643910E-A8F7-4b5c-9BFE-D424585D6AE2}.exe"	{7B3DB5DC-B096-4e0f-99C1-413FDF87F761}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A01ED6F-08BD-4681-B5CD-8BF06D364206}\stubpath = "C:\\Windows\\{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe"	{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C588EC8-3E03-41fd-9778-F4430F644FF6}	{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}	{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}\stubpath = "C:\\Windows\\{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe"	{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98725AD1-EB70-41f0-9429-BCCD26ADD1FD}	{A643910E-A8F7-4b5c-9BFE-D424585D6AE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C588EC8-3E03-41fd-9778-F4430F644FF6}\stubpath = "C:\\Windows\\{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe"	{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}\stubpath = "C:\\Windows\\{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe"	{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}\stubpath = "C:\\Windows\\{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe"	{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C47C3D0-BD8C-4485-B407-99C3DDB1E1E5}	{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B3DB5DC-B096-4e0f-99C1-413FDF87F761}\stubpath = "C:\\Windows\\{7B3DB5DC-B096-4e0f-99C1-413FDF87F761}.exe"	{0C47C3D0-BD8C-4485-B407-99C3DDB1E1E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}\stubpath = "C:\\Windows\\{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe"	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}\stubpath = "C:\\Windows\\{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe"	{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A01ED6F-08BD-4681-B5CD-8BF06D364206}	{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}	{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe

Deletes itself 1 IoCs

pid	Process
2204	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1748	{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe
2952	{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe
2936	{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe
2988	{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe
2924	{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe
2716	{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe
2128	{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe
560	{0C47C3D0-BD8C-4485-B407-99C3DDB1E1E5}.exe
1532	{7B3DB5DC-B096-4e0f-99C1-413FDF87F761}.exe
1844	{A643910E-A8F7-4b5c-9BFE-D424585D6AE2}.exe
2280	{98725AD1-EB70-41f0-9429-BCCD26ADD1FD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe	{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe
File created	C:\Windows\{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe	{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe
File created	C:\Windows\{0C47C3D0-BD8C-4485-B407-99C3DDB1E1E5}.exe	{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe
File created	C:\Windows\{98725AD1-EB70-41f0-9429-BCCD26ADD1FD}.exe	{A643910E-A8F7-4b5c-9BFE-D424585D6AE2}.exe
File created	C:\Windows\{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe	{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe
File created	C:\Windows\{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe	{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe
File created	C:\Windows\{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe	{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe
File created	C:\Windows\{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe	{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe
File created	C:\Windows\{7B3DB5DC-B096-4e0f-99C1-413FDF87F761}.exe	{0C47C3D0-BD8C-4485-B407-99C3DDB1E1E5}.exe
File created	C:\Windows\{A643910E-A8F7-4b5c-9BFE-D424585D6AE2}.exe	{7B3DB5DC-B096-4e0f-99C1-413FDF87F761}.exe
File created	C:\Windows\{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2600	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1748	{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe
Token: SeIncBasePriorityPrivilege	2952	{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe
Token: SeIncBasePriorityPrivilege	2936	{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe
Token: SeIncBasePriorityPrivilege	2988	{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe
Token: SeIncBasePriorityPrivilege	2924	{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe
Token: SeIncBasePriorityPrivilege	2716	{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe
Token: SeIncBasePriorityPrivilege	2128	{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe
Token: SeIncBasePriorityPrivilege	560	{0C47C3D0-BD8C-4485-B407-99C3DDB1E1E5}.exe
Token: SeIncBasePriorityPrivilege	1532	{7B3DB5DC-B096-4e0f-99C1-413FDF87F761}.exe
Token: SeIncBasePriorityPrivilege	1844	{A643910E-A8F7-4b5c-9BFE-D424585D6AE2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 1748	2600	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe	28
PID 2600 wrote to memory of 1748	2600	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe	28
PID 2600 wrote to memory of 1748	2600	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe	28
PID 2600 wrote to memory of 1748	2600	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe	28
PID 2600 wrote to memory of 2204	2600	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe	29
PID 2600 wrote to memory of 2204	2600	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe	29
PID 2600 wrote to memory of 2204	2600	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe	29
PID 2600 wrote to memory of 2204	2600	bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe	29
PID 1748 wrote to memory of 2952	1748	{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe	32
PID 1748 wrote to memory of 2952	1748	{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe	32
PID 1748 wrote to memory of 2952	1748	{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe	32
PID 1748 wrote to memory of 2952	1748	{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe	32
PID 1748 wrote to memory of 2828	1748	{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe	33
PID 1748 wrote to memory of 2828	1748	{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe	33
PID 1748 wrote to memory of 2828	1748	{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe	33
PID 1748 wrote to memory of 2828	1748	{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe	33
PID 2952 wrote to memory of 2936	2952	{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe	35
PID 2952 wrote to memory of 2936	2952	{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe	35
PID 2952 wrote to memory of 2936	2952	{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe	35
PID 2952 wrote to memory of 2936	2952	{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe	35
PID 2952 wrote to memory of 2092	2952	{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe	34
PID 2952 wrote to memory of 2092	2952	{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe	34
PID 2952 wrote to memory of 2092	2952	{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe	34
PID 2952 wrote to memory of 2092	2952	{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe	34
PID 2936 wrote to memory of 2988	2936	{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe	37
PID 2936 wrote to memory of 2988	2936	{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe	37
PID 2936 wrote to memory of 2988	2936	{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe	37
PID 2936 wrote to memory of 2988	2936	{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe	37
PID 2936 wrote to memory of 2292	2936	{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe	36
PID 2936 wrote to memory of 2292	2936	{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe	36
PID 2936 wrote to memory of 2292	2936	{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe	36
PID 2936 wrote to memory of 2292	2936	{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe	36
PID 2988 wrote to memory of 2924	2988	{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe	39
PID 2988 wrote to memory of 2924	2988	{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe	39
PID 2988 wrote to memory of 2924	2988	{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe	39
PID 2988 wrote to memory of 2924	2988	{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe	39
PID 2988 wrote to memory of 2816	2988	{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe	38
PID 2988 wrote to memory of 2816	2988	{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe	38
PID 2988 wrote to memory of 2816	2988	{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe	38
PID 2988 wrote to memory of 2816	2988	{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe	38
PID 2924 wrote to memory of 2716	2924	{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe	41
PID 2924 wrote to memory of 2716	2924	{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe	41
PID 2924 wrote to memory of 2716	2924	{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe	41
PID 2924 wrote to memory of 2716	2924	{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe	41
PID 2924 wrote to memory of 2776	2924	{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe	40
PID 2924 wrote to memory of 2776	2924	{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe	40
PID 2924 wrote to memory of 2776	2924	{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe	40
PID 2924 wrote to memory of 2776	2924	{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe	40
PID 2716 wrote to memory of 2128	2716	{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe	43
PID 2716 wrote to memory of 2128	2716	{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe	43
PID 2716 wrote to memory of 2128	2716	{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe	43
PID 2716 wrote to memory of 2128	2716	{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe	43
PID 2716 wrote to memory of 2148	2716	{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe	42
PID 2716 wrote to memory of 2148	2716	{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe	42
PID 2716 wrote to memory of 2148	2716	{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe	42
PID 2716 wrote to memory of 2148	2716	{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe	42
PID 2128 wrote to memory of 560	2128	{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe	45
PID 2128 wrote to memory of 560	2128	{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe	45
PID 2128 wrote to memory of 560	2128	{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe	45
PID 2128 wrote to memory of 560	2128	{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe	45
PID 2128 wrote to memory of 1288	2128	{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe	44
PID 2128 wrote to memory of 1288	2128	{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe	44
PID 2128 wrote to memory of 1288	2128	{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe	44
PID 2128 wrote to memory of 1288	2128	{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe	44

C:\Users\Admin\AppData\Local\Temp\bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\bb3c9af958810ad697b39a6f2b7f4756_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe
  C:\Windows\{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe
    C:\Windows\{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DDEA8~1.EXE > nul
      4⤵
      PID:2092
  - - C:\Windows\{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe
      C:\Windows\{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A01E~1.EXE > nul
        5⤵
        
        PID:2292
    - - C:\Windows\{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe
        
        C:\Windows\{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C588~1.EXE > nul
        6⤵
        
        PID:2816
      - C:\Windows\{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe
        
        C:\Windows\{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCE90~1.EXE > nul
        7⤵
        
        PID:2776
        
        C:\Windows\{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe
        
        C:\Windows\{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD482~1.EXE > nul
        8⤵
        
        PID:2148
        
        C:\Windows\{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe
        
        C:\Windows\{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BE1B~1.EXE > nul
        9⤵
        
        PID:1288
        
        C:\Windows\{0C47C3D0-BD8C-4485-B407-99C3DDB1E1E5}.exe
        
        C:\Windows\{0C47C3D0-BD8C-4485-B407-99C3DDB1E1E5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C47C~1.EXE > nul
        10⤵
        
        PID:2044
        
        C:\Windows\{7B3DB5DC-B096-4e0f-99C1-413FDF87F761}.exe
        
        C:\Windows\{7B3DB5DC-B096-4e0f-99C1-413FDF87F761}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\{A643910E-A8F7-4b5c-9BFE-D424585D6AE2}.exe
        
        C:\Windows\{A643910E-A8F7-4b5c-9BFE-D424585D6AE2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\{98725AD1-EB70-41f0-9429-BCCD26ADD1FD}.exe
        
        C:\Windows\{98725AD1-EB70-41f0-9429-BCCD26ADD1FD}.exe
        12⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6439~1.EXE > nul
        12⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B3DB~1.EXE > nul
        11⤵
        
        PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5BBEC~1.EXE > nul
    3⤵
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BB3C9A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C47C3D0-BD8C-4485-B407-99C3DDB1E1E5}.exe

Filesize
380KB

MD5
aa7756c48f56deef4fc5048e443ff9a0

SHA1
686dc74a86d4abafdee255448c8581dbbe11366b

SHA256
234651c73b3f61b2516a49ad8dd7eecd7b5013ba02715828ed7568439666aa06

SHA512
e20651275e98923385d4dc414904bc136b34188ac9360a8b7d6548785ccb5ef9fe4e5077b8c90c8efd14321c14a7120c1ecb5b480629ed38430c45ddd9df9a76

Download Submit
C:\Windows\{0C47C3D0-BD8C-4485-B407-99C3DDB1E1E5}.exe

Filesize
380KB

MD5
aa7756c48f56deef4fc5048e443ff9a0

SHA1
686dc74a86d4abafdee255448c8581dbbe11366b

SHA256
234651c73b3f61b2516a49ad8dd7eecd7b5013ba02715828ed7568439666aa06

SHA512
e20651275e98923385d4dc414904bc136b34188ac9360a8b7d6548785ccb5ef9fe4e5077b8c90c8efd14321c14a7120c1ecb5b480629ed38430c45ddd9df9a76

Download Submit
C:\Windows\{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe

Filesize
380KB

MD5
7613474af55724852f08db5f3250feba

SHA1
5ff6e1f33760085fa81a9ca81dd4d306206c6550

SHA256
9c7b4b08a9829cfa08eff8982f94169d0d14459754d7de6e07097c16eb18d694

SHA512
f5cb499c79ec35e91c0675a21195949f56a7684269e1ff213561f249e8baa96a1500851de1de8f2e77c067d7c91e7090eaf7a11dad0e4dfffc6b9c1ccbc9981e

Download Submit
C:\Windows\{0C588EC8-3E03-41fd-9778-F4430F644FF6}.exe

Filesize
380KB

MD5
7613474af55724852f08db5f3250feba

SHA1
5ff6e1f33760085fa81a9ca81dd4d306206c6550

SHA256
9c7b4b08a9829cfa08eff8982f94169d0d14459754d7de6e07097c16eb18d694

SHA512
f5cb499c79ec35e91c0675a21195949f56a7684269e1ff213561f249e8baa96a1500851de1de8f2e77c067d7c91e7090eaf7a11dad0e4dfffc6b9c1ccbc9981e

Download Submit
C:\Windows\{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe

Filesize
380KB

MD5
aec20bbbc25e3aa5685987ddda899ff1

SHA1
0cb6021a7bc60211f1d9917989fd97c16c469421

SHA256
d8ef871603c028af468ea306385105650c4b0894acb9a57ef19f85c7757d702b

SHA512
8779b2c55adfa555188bc1f5fa1c5344cbef64537e541b0ee7ba8eda513fdbd15f63d7873a9e78cfcff6360c569243900f9ff49b617f47b259f6ae43ff48abca

Download Submit
C:\Windows\{5A01ED6F-08BD-4681-B5CD-8BF06D364206}.exe

Filesize
380KB

MD5
aec20bbbc25e3aa5685987ddda899ff1

SHA1
0cb6021a7bc60211f1d9917989fd97c16c469421

SHA256
d8ef871603c028af468ea306385105650c4b0894acb9a57ef19f85c7757d702b

SHA512
8779b2c55adfa555188bc1f5fa1c5344cbef64537e541b0ee7ba8eda513fdbd15f63d7873a9e78cfcff6360c569243900f9ff49b617f47b259f6ae43ff48abca

Download Submit
C:\Windows\{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe

Filesize
380KB

MD5
89ab45982f7a3e2705bc6690733daace

SHA1
5ff885427b19a2455c9d21e7e3fbe7130ddf7a19

SHA256
c04016ec34eb3485bdeb346c1bb4246ec2eaec0e366e0dd534f0a773878882b3

SHA512
045eb6a7d725329e4c5435a89d684a577db5b607f013fa36c15d565017140b438feb165ee9e28a159580e7032f6eca4c86a8986cac9e9ab0e703e77a6047f103

Download Submit
C:\Windows\{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe

Filesize
380KB

MD5
89ab45982f7a3e2705bc6690733daace

SHA1
5ff885427b19a2455c9d21e7e3fbe7130ddf7a19

SHA256
c04016ec34eb3485bdeb346c1bb4246ec2eaec0e366e0dd534f0a773878882b3

SHA512
045eb6a7d725329e4c5435a89d684a577db5b607f013fa36c15d565017140b438feb165ee9e28a159580e7032f6eca4c86a8986cac9e9ab0e703e77a6047f103

Download Submit
C:\Windows\{5BBEC5F2-DD14-479e-91F8-DAE043DA60C7}.exe

Filesize
380KB

MD5
89ab45982f7a3e2705bc6690733daace

SHA1
5ff885427b19a2455c9d21e7e3fbe7130ddf7a19

SHA256
c04016ec34eb3485bdeb346c1bb4246ec2eaec0e366e0dd534f0a773878882b3

SHA512
045eb6a7d725329e4c5435a89d684a577db5b607f013fa36c15d565017140b438feb165ee9e28a159580e7032f6eca4c86a8986cac9e9ab0e703e77a6047f103

Download Submit
C:\Windows\{7B3DB5DC-B096-4e0f-99C1-413FDF87F761}.exe

Filesize
380KB

MD5
84b8703c9f9f6b4401ed1cbe81be43df

SHA1
1c8f97868ef3db031b2dcc50c93bb17469e371ae

SHA256
52c70a411fd469014f8f3ca362e9b8af5a51a7415e51d74ec06ba98ca61f46a0

SHA512
179396afd1d174c96c5ef769e2fc32d1fd529970915eee64d5e40e2e4c128fcfc3e89f6e0ff65329ee85f037792acb7a54dfac03992ee44cbf80b0b2b373af4b

Download Submit
C:\Windows\{7B3DB5DC-B096-4e0f-99C1-413FDF87F761}.exe

Filesize
380KB

MD5
84b8703c9f9f6b4401ed1cbe81be43df

SHA1
1c8f97868ef3db031b2dcc50c93bb17469e371ae

SHA256
52c70a411fd469014f8f3ca362e9b8af5a51a7415e51d74ec06ba98ca61f46a0

SHA512
179396afd1d174c96c5ef769e2fc32d1fd529970915eee64d5e40e2e4c128fcfc3e89f6e0ff65329ee85f037792acb7a54dfac03992ee44cbf80b0b2b373af4b

Download Submit
C:\Windows\{98725AD1-EB70-41f0-9429-BCCD26ADD1FD}.exe

Filesize
380KB

MD5
92d56004856ebfdb0e98addcfc20d790

SHA1
8e481e075b2f85ef7f5f58e52c7c81b7042a0919

SHA256
04aa9360c361feaefa8afb57666a22556f6f65321d6f737b6b3fdfd8c7e169f7

SHA512
56aad137aa018ddc6d6d305ca97a7ace16178f8f88c80d75bd31231b9a2f8de802fc3e021acef943ac3721ffdd4955ab4ed222c44badaf45a4aef9ce8c6d4de9

Download Submit
C:\Windows\{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe

Filesize
380KB

MD5
9f052fb58d906f3a953ecf2ce942185b

SHA1
09982e6e60f4ccc624906b4349ece101002afacd

SHA256
ab28db8a4c095b28c874c3071fd721ed701a5d1f001b89d7ed47e55eb9d274d2

SHA512
b720640deb8aa3fee23b0aefd815139d39f43c7a56a91970a7a8d43c61682570892e565a4b7fe384759a0e0dfa63f667931e23454e67e8439524b8eb5636e873

Download Submit
C:\Windows\{9BE1B7EF-AEE1-4a40-8369-A54B57E680B6}.exe

Filesize
380KB

MD5
9f052fb58d906f3a953ecf2ce942185b

SHA1
09982e6e60f4ccc624906b4349ece101002afacd

SHA256
ab28db8a4c095b28c874c3071fd721ed701a5d1f001b89d7ed47e55eb9d274d2

SHA512
b720640deb8aa3fee23b0aefd815139d39f43c7a56a91970a7a8d43c61682570892e565a4b7fe384759a0e0dfa63f667931e23454e67e8439524b8eb5636e873

Download Submit
C:\Windows\{A643910E-A8F7-4b5c-9BFE-D424585D6AE2}.exe

Filesize
380KB

MD5
5b463b33959a64469afde848a7e4ba3c

SHA1
b65c2835dc9b22dabf289539699bb0e4759cf0ec

SHA256
1ab7a1a630618d23a3cfd5c652ebbc56829ed51497ecfdadc7257a55ae1c7721

SHA512
584eca69c60c3e03ea7b080b0e096bf659a661eb0a27baa4b598a6883f12bfcb9129f605d3e261fe57c626348a186ef49feaccc4d4d57ce82055095a56cfe3d0

Download Submit
C:\Windows\{A643910E-A8F7-4b5c-9BFE-D424585D6AE2}.exe

Filesize
380KB

MD5
5b463b33959a64469afde848a7e4ba3c

SHA1
b65c2835dc9b22dabf289539699bb0e4759cf0ec

SHA256
1ab7a1a630618d23a3cfd5c652ebbc56829ed51497ecfdadc7257a55ae1c7721

SHA512
584eca69c60c3e03ea7b080b0e096bf659a661eb0a27baa4b598a6883f12bfcb9129f605d3e261fe57c626348a186ef49feaccc4d4d57ce82055095a56cfe3d0

Download Submit
C:\Windows\{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe

Filesize
380KB

MD5
8bb8c3a4b44882bb8013dd40965670fd

SHA1
57d5a31b0d30efc614eb8f136c3afe58a713f50c

SHA256
ba3fb47552fa4797dad3fc299d6dcd29e49425c7fdc0809222e8087873641ffa

SHA512
cd314f66b82921dd6c1aa13171287a4b82a1dac042efb8a50a95e95dde2381d726ae9f9ba3410dabc47a8e8aaddccd24a822188831a42a9db6ca92f1d207ee8b

Download Submit
C:\Windows\{DD482B43-00C1-4ca7-82A1-0013D5D31B2E}.exe

Filesize
380KB

MD5
8bb8c3a4b44882bb8013dd40965670fd

SHA1
57d5a31b0d30efc614eb8f136c3afe58a713f50c

SHA256
ba3fb47552fa4797dad3fc299d6dcd29e49425c7fdc0809222e8087873641ffa

SHA512
cd314f66b82921dd6c1aa13171287a4b82a1dac042efb8a50a95e95dde2381d726ae9f9ba3410dabc47a8e8aaddccd24a822188831a42a9db6ca92f1d207ee8b

Download Submit
C:\Windows\{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe

Filesize
380KB

MD5
7d2b3de568a1b2afde433d690216674f

SHA1
4357bc99fdaf9d758cb6c795fdc8ac8143095491

SHA256
e4880024cfee7d185d756d629dc1d98884bf975fceeafac3c8f5f6814ce0b8da

SHA512
a470d4a864c7b5d6776d6153bfa3c05e710b67d488cd394420254be23e5501f588b9fa44209f8bdfdf14040330afb94dc109b7bc2487ea99373a43aae0b40454

Download Submit
C:\Windows\{DDEA881C-2AE2-44b7-A3C6-CC538C5B6370}.exe

Filesize
380KB

MD5
7d2b3de568a1b2afde433d690216674f

SHA1
4357bc99fdaf9d758cb6c795fdc8ac8143095491

SHA256
e4880024cfee7d185d756d629dc1d98884bf975fceeafac3c8f5f6814ce0b8da

SHA512
a470d4a864c7b5d6776d6153bfa3c05e710b67d488cd394420254be23e5501f588b9fa44209f8bdfdf14040330afb94dc109b7bc2487ea99373a43aae0b40454

Download Submit
C:\Windows\{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe

Filesize
380KB

MD5
dbf6eb3ca5addf55a1273ffbe2b76df0

SHA1
a4f8b77f65d498d36361836f3e6ab440eeeaea21

SHA256
1e44c5410139711496efd1576995cdfd12893e0614884189e7262fb240402f62

SHA512
b5833edf7cfa2b5e3f406b5d4129366a08b0891764f73482a1c6647cddd07b9cc21204abb103314477dc4242ee9de2537e0e196fe15efd1499ad8485bd7bc027

Download Submit
C:\Windows\{FCE90331-CE62-4c5b-AD83-516BDBB7EBBC}.exe

Filesize
380KB

MD5
dbf6eb3ca5addf55a1273ffbe2b76df0

SHA1
a4f8b77f65d498d36361836f3e6ab440eeeaea21

SHA256
1e44c5410139711496efd1576995cdfd12893e0614884189e7262fb240402f62

SHA512
b5833edf7cfa2b5e3f406b5d4129366a08b0891764f73482a1c6647cddd07b9cc21204abb103314477dc4242ee9de2537e0e196fe15efd1499ad8485bd7bc027

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads