fa3d49157af8789c15858aa4330148040316ec5fff11000f3e8c262c44dfe7c8

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
29/08/2023, 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe
Size

408KB
MD5

cc6fd83dcac9559938940a0a6f4124d4
SHA1

8108d8585fb8b403b1e6e9f05bce3a6a4034f0aa
SHA256

fa3d49157af8789c15858aa4330148040316ec5fff11000f3e8c262c44dfe7c8
SHA512

3e1f593764ac9a182c62ad552c41356b1f49fbe71a3a94cd344140d939a802435962a00e3e2130fd7bba481c726ce271dafbbd3b6f78044e8fed73a15659e956
SSDEEP

3072:CEGh0oIl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG6ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF9A1254-6A0A-4561-B030-5474650A452F}	{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09181435-5B31-4382-926E-B940645E3B2F}	{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E6ADA62-446F-4335-9E89-C85B340ED92D}\stubpath = "C:\\Windows\\{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe"	{09181435-5B31-4382-926E-B940645E3B2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF8F3176-668D-4d79-9773-55F50EDF79C7}\stubpath = "C:\\Windows\\{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe"	{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BBE55D6-E3E4-4b2a-BCF3-147391E55EB6}	{50F3D5CA-8625-4a83-B4C9-53419EA7689E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}\stubpath = "C:\\Windows\\{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe"	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07B25AA8-8153-43af-BE43-260B7E9BD9B3}	{AF9A1254-6A0A-4561-B030-5474650A452F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BBE55D6-E3E4-4b2a-BCF3-147391E55EB6}\stubpath = "C:\\Windows\\{3BBE55D6-E3E4-4b2a-BCF3-147391E55EB6}.exe"	{50F3D5CA-8625-4a83-B4C9-53419EA7689E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{071A6B33-5189-448a-94EA-B33E8613590C}	{3BBE55D6-E3E4-4b2a-BCF3-147391E55EB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{071A6B33-5189-448a-94EA-B33E8613590C}\stubpath = "C:\\Windows\\{071A6B33-5189-448a-94EA-B33E8613590C}.exe"	{3BBE55D6-E3E4-4b2a-BCF3-147391E55EB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07B25AA8-8153-43af-BE43-260B7E9BD9B3}\stubpath = "C:\\Windows\\{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe"	{AF9A1254-6A0A-4561-B030-5474650A452F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09181435-5B31-4382-926E-B940645E3B2F}\stubpath = "C:\\Windows\\{09181435-5B31-4382-926E-B940645E3B2F}.exe"	{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E6ADA62-446F-4335-9E89-C85B340ED92D}	{09181435-5B31-4382-926E-B940645E3B2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF8F3176-668D-4d79-9773-55F50EDF79C7}	{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50F3D5CA-8625-4a83-B4C9-53419EA7689E}	{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF9A1254-6A0A-4561-B030-5474650A452F}\stubpath = "C:\\Windows\\{AF9A1254-6A0A-4561-B030-5474650A452F}.exe"	{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF270088-FF3D-44cd-B06D-D03B436461CA}	{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF270088-FF3D-44cd-B06D-D03B436461CA}\stubpath = "C:\\Windows\\{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe"	{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50F3D5CA-8625-4a83-B4C9-53419EA7689E}\stubpath = "C:\\Windows\\{50F3D5CA-8625-4a83-B4C9-53419EA7689E}.exe"	{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5198E6B1-88EF-4ea7-9DF4-C8D3279F442A}	{071A6B33-5189-448a-94EA-B33E8613590C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5198E6B1-88EF-4ea7-9DF4-C8D3279F442A}\stubpath = "C:\\Windows\\{5198E6B1-88EF-4ea7-9DF4-C8D3279F442A}.exe"	{071A6B33-5189-448a-94EA-B33E8613590C}.exe

Deletes itself 1 IoCs

pid	Process
2068	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2188	{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe
2992	{AF9A1254-6A0A-4561-B030-5474650A452F}.exe
2972	{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe
2872	{09181435-5B31-4382-926E-B940645E3B2F}.exe
2724	{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe
2288	{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe
1192	{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe
1492	{50F3D5CA-8625-4a83-B4C9-53419EA7689E}.exe
108	{3BBE55D6-E3E4-4b2a-BCF3-147391E55EB6}.exe
2300	{071A6B33-5189-448a-94EA-B33E8613590C}.exe
2332	{5198E6B1-88EF-4ea7-9DF4-C8D3279F442A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{09181435-5B31-4382-926E-B940645E3B2F}.exe	{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe
File created	C:\Windows\{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe	{09181435-5B31-4382-926E-B940645E3B2F}.exe
File created	C:\Windows\{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe	{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe
File created	C:\Windows\{50F3D5CA-8625-4a83-B4C9-53419EA7689E}.exe	{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe
File created	C:\Windows\{5198E6B1-88EF-4ea7-9DF4-C8D3279F442A}.exe	{071A6B33-5189-448a-94EA-B33E8613590C}.exe
File created	C:\Windows\{AF9A1254-6A0A-4561-B030-5474650A452F}.exe	{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe
File created	C:\Windows\{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe	{AF9A1254-6A0A-4561-B030-5474650A452F}.exe
File created	C:\Windows\{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe	{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe
File created	C:\Windows\{3BBE55D6-E3E4-4b2a-BCF3-147391E55EB6}.exe	{50F3D5CA-8625-4a83-B4C9-53419EA7689E}.exe
File created	C:\Windows\{071A6B33-5189-448a-94EA-B33E8613590C}.exe	{3BBE55D6-E3E4-4b2a-BCF3-147391E55EB6}.exe
File created	C:\Windows\{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2256	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2188	{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe
Token: SeIncBasePriorityPrivilege	2992	{AF9A1254-6A0A-4561-B030-5474650A452F}.exe
Token: SeIncBasePriorityPrivilege	2972	{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe
Token: SeIncBasePriorityPrivilege	2872	{09181435-5B31-4382-926E-B940645E3B2F}.exe
Token: SeIncBasePriorityPrivilege	2724	{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe
Token: SeIncBasePriorityPrivilege	2288	{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe
Token: SeIncBasePriorityPrivilege	1192	{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe
Token: SeIncBasePriorityPrivilege	1492	{50F3D5CA-8625-4a83-B4C9-53419EA7689E}.exe
Token: SeIncBasePriorityPrivilege	108	{3BBE55D6-E3E4-4b2a-BCF3-147391E55EB6}.exe
Token: SeIncBasePriorityPrivilege	2300	{071A6B33-5189-448a-94EA-B33E8613590C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2188	2256	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe	28
PID 2256 wrote to memory of 2188	2256	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe	28
PID 2256 wrote to memory of 2188	2256	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe	28
PID 2256 wrote to memory of 2188	2256	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe	28
PID 2256 wrote to memory of 2068	2256	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe	29
PID 2256 wrote to memory of 2068	2256	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe	29
PID 2256 wrote to memory of 2068	2256	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe	29
PID 2256 wrote to memory of 2068	2256	cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe	29
PID 2188 wrote to memory of 2992	2188	{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe	32
PID 2188 wrote to memory of 2992	2188	{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe	32
PID 2188 wrote to memory of 2992	2188	{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe	32
PID 2188 wrote to memory of 2992	2188	{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe	32
PID 2188 wrote to memory of 2896	2188	{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe	33
PID 2188 wrote to memory of 2896	2188	{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe	33
PID 2188 wrote to memory of 2896	2188	{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe	33
PID 2188 wrote to memory of 2896	2188	{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe	33
PID 2992 wrote to memory of 2972	2992	{AF9A1254-6A0A-4561-B030-5474650A452F}.exe	34
PID 2992 wrote to memory of 2972	2992	{AF9A1254-6A0A-4561-B030-5474650A452F}.exe	34
PID 2992 wrote to memory of 2972	2992	{AF9A1254-6A0A-4561-B030-5474650A452F}.exe	34
PID 2992 wrote to memory of 2972	2992	{AF9A1254-6A0A-4561-B030-5474650A452F}.exe	34
PID 2992 wrote to memory of 2916	2992	{AF9A1254-6A0A-4561-B030-5474650A452F}.exe	35
PID 2992 wrote to memory of 2916	2992	{AF9A1254-6A0A-4561-B030-5474650A452F}.exe	35
PID 2992 wrote to memory of 2916	2992	{AF9A1254-6A0A-4561-B030-5474650A452F}.exe	35
PID 2992 wrote to memory of 2916	2992	{AF9A1254-6A0A-4561-B030-5474650A452F}.exe	35
PID 2972 wrote to memory of 2872	2972	{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe	36
PID 2972 wrote to memory of 2872	2972	{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe	36
PID 2972 wrote to memory of 2872	2972	{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe	36
PID 2972 wrote to memory of 2872	2972	{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe	36
PID 2972 wrote to memory of 2768	2972	{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe	37
PID 2972 wrote to memory of 2768	2972	{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe	37
PID 2972 wrote to memory of 2768	2972	{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe	37
PID 2972 wrote to memory of 2768	2972	{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe	37
PID 2872 wrote to memory of 2724	2872	{09181435-5B31-4382-926E-B940645E3B2F}.exe	38
PID 2872 wrote to memory of 2724	2872	{09181435-5B31-4382-926E-B940645E3B2F}.exe	38
PID 2872 wrote to memory of 2724	2872	{09181435-5B31-4382-926E-B940645E3B2F}.exe	38
PID 2872 wrote to memory of 2724	2872	{09181435-5B31-4382-926E-B940645E3B2F}.exe	38
PID 2872 wrote to memory of 2776	2872	{09181435-5B31-4382-926E-B940645E3B2F}.exe	39
PID 2872 wrote to memory of 2776	2872	{09181435-5B31-4382-926E-B940645E3B2F}.exe	39
PID 2872 wrote to memory of 2776	2872	{09181435-5B31-4382-926E-B940645E3B2F}.exe	39
PID 2872 wrote to memory of 2776	2872	{09181435-5B31-4382-926E-B940645E3B2F}.exe	39
PID 2724 wrote to memory of 2288	2724	{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe	40
PID 2724 wrote to memory of 2288	2724	{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe	40
PID 2724 wrote to memory of 2288	2724	{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe	40
PID 2724 wrote to memory of 2288	2724	{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe	40
PID 2724 wrote to memory of 2364	2724	{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe	41
PID 2724 wrote to memory of 2364	2724	{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe	41
PID 2724 wrote to memory of 2364	2724	{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe	41
PID 2724 wrote to memory of 2364	2724	{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe	41
PID 2288 wrote to memory of 1192	2288	{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe	42
PID 2288 wrote to memory of 1192	2288	{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe	42
PID 2288 wrote to memory of 1192	2288	{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe	42
PID 2288 wrote to memory of 1192	2288	{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe	42
PID 2288 wrote to memory of 1356	2288	{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe	43
PID 2288 wrote to memory of 1356	2288	{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe	43
PID 2288 wrote to memory of 1356	2288	{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe	43
PID 2288 wrote to memory of 1356	2288	{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe	43
PID 1192 wrote to memory of 1492	1192	{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe	44
PID 1192 wrote to memory of 1492	1192	{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe	44
PID 1192 wrote to memory of 1492	1192	{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe	44
PID 1192 wrote to memory of 1492	1192	{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe	44
PID 1192 wrote to memory of 2696	1192	{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe	45
PID 1192 wrote to memory of 2696	1192	{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe	45
PID 1192 wrote to memory of 2696	1192	{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe	45
PID 1192 wrote to memory of 2696	1192	{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe	45

C:\Users\Admin\AppData\Local\Temp\cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\cc6fd83dcac9559938940a0a6f4124d4_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe
  C:\Windows\{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\{AF9A1254-6A0A-4561-B030-5474650A452F}.exe
    C:\Windows\{AF9A1254-6A0A-4561-B030-5474650A452F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe
      C:\Windows\{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\{09181435-5B31-4382-926E-B940645E3B2F}.exe
        
        C:\Windows\{09181435-5B31-4382-926E-B940645E3B2F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
      - C:\Windows\{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe
        
        C:\Windows\{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe
        
        C:\Windows\{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe
        
        C:\Windows\{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\{50F3D5CA-8625-4a83-B4C9-53419EA7689E}.exe
        
        C:\Windows\{50F3D5CA-8625-4a83-B4C9-53419EA7689E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\{3BBE55D6-E3E4-4b2a-BCF3-147391E55EB6}.exe
        
        C:\Windows\{3BBE55D6-E3E4-4b2a-BCF3-147391E55EB6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
        
        C:\Windows\{071A6B33-5189-448a-94EA-B33E8613590C}.exe
        
        C:\Windows\{071A6B33-5189-448a-94EA-B33E8613590C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\{5198E6B1-88EF-4ea7-9DF4-C8D3279F442A}.exe
        
        C:\Windows\{5198E6B1-88EF-4ea7-9DF4-C8D3279F442A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{071A6~1.EXE > nul
        12⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BBE5~1.EXE > nul
        11⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50F3D~1.EXE > nul
        10⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF8F3~1.EXE > nul
        9⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF270~1.EXE > nul
        8⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E6AD~1.EXE > nul
        7⤵
        
        PID:2364
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09181~1.EXE > nul
        6⤵
        
        PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07B25~1.EXE > nul
        5⤵
        
        PID:2768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AF9A1~1.EXE > nul
      4⤵
      PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B4FDD~1.EXE > nul
    3⤵
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CC6FD8~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{071A6B33-5189-448a-94EA-B33E8613590C}.exe

Filesize
408KB

MD5
ddb9c83db6b6e5698ae6bd3b3aed1b82

SHA1
f04214521d12feb701e0a640e946a25b6657f02e

SHA256
8259ff6c8a6e3dbbe4bba5327fc206e94ad4d87e968937b93739ffb381bd6ae7

SHA512
73bf841c00e46dc0aa3d9de976ba3a5307d0a9bb86db183b38f8f17bd9642206dd6e96218ddb135a2fd301912702cfec1b090cc35a8924e24601350267bd3198

Download Submit
C:\Windows\{071A6B33-5189-448a-94EA-B33E8613590C}.exe

Filesize
408KB

MD5
ddb9c83db6b6e5698ae6bd3b3aed1b82

SHA1
f04214521d12feb701e0a640e946a25b6657f02e

SHA256
8259ff6c8a6e3dbbe4bba5327fc206e94ad4d87e968937b93739ffb381bd6ae7

SHA512
73bf841c00e46dc0aa3d9de976ba3a5307d0a9bb86db183b38f8f17bd9642206dd6e96218ddb135a2fd301912702cfec1b090cc35a8924e24601350267bd3198

Download Submit
C:\Windows\{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe

Filesize
408KB

MD5
5f64606860998f0b4d853d30e099b5ec

SHA1
608ad4ad39cc7892753d73f5085d550266a00cab

SHA256
a8ce4472c50335f79a36e9ab352037b990f37ada7b967c2762171b058c7a1885

SHA512
232265852d0989d32c68b1410cd44820c165d8f6fe7ce65806b0e8f38112630dd3db7eeec1949eb557a9f95640c554c439a940ff95ae1563704078c32c01a10d

Download Submit
C:\Windows\{07B25AA8-8153-43af-BE43-260B7E9BD9B3}.exe

Filesize
408KB

MD5
5f64606860998f0b4d853d30e099b5ec

SHA1
608ad4ad39cc7892753d73f5085d550266a00cab

SHA256
a8ce4472c50335f79a36e9ab352037b990f37ada7b967c2762171b058c7a1885

SHA512
232265852d0989d32c68b1410cd44820c165d8f6fe7ce65806b0e8f38112630dd3db7eeec1949eb557a9f95640c554c439a940ff95ae1563704078c32c01a10d

Download Submit
C:\Windows\{09181435-5B31-4382-926E-B940645E3B2F}.exe

Filesize
408KB

MD5
5ac3f45bde22ff72e379f6662003ef26

SHA1
922729b9939b30bc675e860c33f86f6e27616cc9

SHA256
9ffddf0b7e400c4b0150edb33529abfb3ba4656e3f1b37570393b466d8f44ac4

SHA512
79dbdac8947976fe425109875354d6b38425e8c9bf233b9473d9a058b4238d9c1c9c44912f5ff9fe6d1b2ec9e6dae862296439175fd9c631abc80abe40a09c7a

Download Submit
C:\Windows\{09181435-5B31-4382-926E-B940645E3B2F}.exe

Filesize
408KB

MD5
5ac3f45bde22ff72e379f6662003ef26

SHA1
922729b9939b30bc675e860c33f86f6e27616cc9

SHA256
9ffddf0b7e400c4b0150edb33529abfb3ba4656e3f1b37570393b466d8f44ac4

SHA512
79dbdac8947976fe425109875354d6b38425e8c9bf233b9473d9a058b4238d9c1c9c44912f5ff9fe6d1b2ec9e6dae862296439175fd9c631abc80abe40a09c7a

Download Submit
C:\Windows\{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe

Filesize
408KB

MD5
6a68e7f0f2f192ba92a63eed8c5b8efd

SHA1
1c090262b78758611e469590d8957240cdfcc967

SHA256
259adf26c2eadfb176d4331a46d1232721dbf2e0880161ff7bc28eafe0e9dd77

SHA512
049bccc437aa02bcc975f8fa6341c7e8330a8d684fbc6c70d8dd9f4a158616194de36a39694911cc8be263d8a1bf1774082cdeac1250ed4c395408e2260021f0

Download Submit
C:\Windows\{1E6ADA62-446F-4335-9E89-C85B340ED92D}.exe

Filesize
408KB

MD5
6a68e7f0f2f192ba92a63eed8c5b8efd

SHA1
1c090262b78758611e469590d8957240cdfcc967

SHA256
259adf26c2eadfb176d4331a46d1232721dbf2e0880161ff7bc28eafe0e9dd77

SHA512
049bccc437aa02bcc975f8fa6341c7e8330a8d684fbc6c70d8dd9f4a158616194de36a39694911cc8be263d8a1bf1774082cdeac1250ed4c395408e2260021f0

Download Submit
C:\Windows\{3BBE55D6-E3E4-4b2a-BCF3-147391E55EB6}.exe

Filesize
408KB

MD5
bd24b8e7a59165a5209e7365526ef19e

SHA1
14660f861d662d3e58ece35669ab3a6ee8221357

SHA256
ef71edd55277b8dca7e00ead3693b2347d232326ed00fce9979b1281f3f4760b

SHA512
89116f804df11701f938f59b16cad745bb9385b53eb97f5db08a1cd9bcb3f1b3d314b2423d70fbad5cadf360152adee481d03c798154a340b46e18424754d328

Download Submit
C:\Windows\{3BBE55D6-E3E4-4b2a-BCF3-147391E55EB6}.exe

Filesize
408KB

MD5
bd24b8e7a59165a5209e7365526ef19e

SHA1
14660f861d662d3e58ece35669ab3a6ee8221357

SHA256
ef71edd55277b8dca7e00ead3693b2347d232326ed00fce9979b1281f3f4760b

SHA512
89116f804df11701f938f59b16cad745bb9385b53eb97f5db08a1cd9bcb3f1b3d314b2423d70fbad5cadf360152adee481d03c798154a340b46e18424754d328

Download Submit
C:\Windows\{50F3D5CA-8625-4a83-B4C9-53419EA7689E}.exe

Filesize
408KB

MD5
3e849b152a4953b4e5fcb80c1306c4e0

SHA1
b18f9d19e3cd95b476ee7bfb0fb5c2d5812ada80

SHA256
544aa0818ab298dc523bd673b646fa1ea3176b9fd53b09ab1ce12e17789a3506

SHA512
5f0b5e27cd7d2d8acc0601240b35aeb04069fb6f4abd265d2eca04e18a6f8538420d95682dea94799f18f3c20ba4cbc361ea5a3786907e8f929712509b3efcc2

Download Submit
C:\Windows\{50F3D5CA-8625-4a83-B4C9-53419EA7689E}.exe

Filesize
408KB

MD5
3e849b152a4953b4e5fcb80c1306c4e0

SHA1
b18f9d19e3cd95b476ee7bfb0fb5c2d5812ada80

SHA256
544aa0818ab298dc523bd673b646fa1ea3176b9fd53b09ab1ce12e17789a3506

SHA512
5f0b5e27cd7d2d8acc0601240b35aeb04069fb6f4abd265d2eca04e18a6f8538420d95682dea94799f18f3c20ba4cbc361ea5a3786907e8f929712509b3efcc2

Download Submit
C:\Windows\{5198E6B1-88EF-4ea7-9DF4-C8D3279F442A}.exe

Filesize
408KB

MD5
1afdbf477c151e4e36769314d7b41eb1

SHA1
cd8e1390359d070e2c819ee3c86189ab2eae7997

SHA256
0533fb132e6a1f2d4c4d8f9bf3417b3065cead12582b8cf680efcfac545f9c13

SHA512
ea846f604527300ebe2959c4d694b2afdbdafad7304d883eec31c5541eb683d908111347c94085184bb4fb4fa11ef98b066bf7365995e7e35c7dbf3955afb9e2

Download Submit
C:\Windows\{AF9A1254-6A0A-4561-B030-5474650A452F}.exe

Filesize
408KB

MD5
74cee9be02fadcd1d37bc736e0d1467f

SHA1
9491af44d71f994256f817dab6949eba6c9e9fd7

SHA256
f01c9d667bfa3ca30bd86a11fb65d402a5ac6fe2bdb3547d8f788d5870bed24a

SHA512
33d39fdc46a0390a4880381aa01956cc9d787f4a5e1b1b3a097b250466d2713577bdbd4fe10d317c1d33a0b2d23e3e643c191adf39e1e1165e61d73ae16ba7aa

Download Submit
C:\Windows\{AF9A1254-6A0A-4561-B030-5474650A452F}.exe

Filesize
408KB

MD5
74cee9be02fadcd1d37bc736e0d1467f

SHA1
9491af44d71f994256f817dab6949eba6c9e9fd7

SHA256
f01c9d667bfa3ca30bd86a11fb65d402a5ac6fe2bdb3547d8f788d5870bed24a

SHA512
33d39fdc46a0390a4880381aa01956cc9d787f4a5e1b1b3a097b250466d2713577bdbd4fe10d317c1d33a0b2d23e3e643c191adf39e1e1165e61d73ae16ba7aa

Download Submit
C:\Windows\{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe

Filesize
408KB

MD5
d9e71754ac07519d04f97dd76f5bcafa

SHA1
dfc9abfda3c676eac3e3735ec1b40f83c8511155

SHA256
b6c23cd1058e511690eff643547fadcd8f804e689aa7c251bd7a671449509384

SHA512
50d3bf0c211be9f281204a328f462c9963b110901d5f0eccfab9c45a665cb93a4e78f07e2c4591de039e1d787dafcc2f46c2df69e334f15be581e3b6baea1617

Download Submit
C:\Windows\{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe

Filesize
408KB

MD5
d9e71754ac07519d04f97dd76f5bcafa

SHA1
dfc9abfda3c676eac3e3735ec1b40f83c8511155

SHA256
b6c23cd1058e511690eff643547fadcd8f804e689aa7c251bd7a671449509384

SHA512
50d3bf0c211be9f281204a328f462c9963b110901d5f0eccfab9c45a665cb93a4e78f07e2c4591de039e1d787dafcc2f46c2df69e334f15be581e3b6baea1617

Download Submit
C:\Windows\{B4FDD59F-F92A-4a5c-9F9C-58926965D8D9}.exe

Filesize
408KB

MD5
d9e71754ac07519d04f97dd76f5bcafa

SHA1
dfc9abfda3c676eac3e3735ec1b40f83c8511155

SHA256
b6c23cd1058e511690eff643547fadcd8f804e689aa7c251bd7a671449509384

SHA512
50d3bf0c211be9f281204a328f462c9963b110901d5f0eccfab9c45a665cb93a4e78f07e2c4591de039e1d787dafcc2f46c2df69e334f15be581e3b6baea1617

Download Submit
C:\Windows\{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe

Filesize
408KB

MD5
a7155c9fef05397e37e0402361c74430

SHA1
27e1a0f57497baf9e5920840a08452cc8375b0fd

SHA256
1ec791696dcbcd2b32347cba36dac400cf5b329adc367fcf8632d1bcc79b4c57

SHA512
397acda97bfbb9c2bd8690baf7b5e50e65c4e0291b76df06453e39383c9975502893bb0e945e3b7c88c67d44f2f6ddc4e7092f896dc29acf49da0b59f6080b6f

Download Submit
C:\Windows\{CF270088-FF3D-44cd-B06D-D03B436461CA}.exe

Filesize
408KB

MD5
a7155c9fef05397e37e0402361c74430

SHA1
27e1a0f57497baf9e5920840a08452cc8375b0fd

SHA256
1ec791696dcbcd2b32347cba36dac400cf5b329adc367fcf8632d1bcc79b4c57

SHA512
397acda97bfbb9c2bd8690baf7b5e50e65c4e0291b76df06453e39383c9975502893bb0e945e3b7c88c67d44f2f6ddc4e7092f896dc29acf49da0b59f6080b6f

Download Submit
C:\Windows\{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe

Filesize
408KB

MD5
41709fe9b2005aa40e340eafd42fe387

SHA1
34b4b24afd5624a5a9c0135c130ccff36b052152

SHA256
48ea83713681cf919e6a0b194e83a290c5563be322dc4b87bb8c2cca1b312a03

SHA512
cebd154ae0530e7dc91a082f3cb9a7ce0120e1d866ea41a45107c046f539f76df7998684cc5cf976c656a5b63f5b15519296ff32d81b96321684b41b41328f80

Download Submit
C:\Windows\{DF8F3176-668D-4d79-9773-55F50EDF79C7}.exe

Filesize
408KB

MD5
41709fe9b2005aa40e340eafd42fe387

SHA1
34b4b24afd5624a5a9c0135c130ccff36b052152

SHA256
48ea83713681cf919e6a0b194e83a290c5563be322dc4b87bb8c2cca1b312a03

SHA512
cebd154ae0530e7dc91a082f3cb9a7ce0120e1d866ea41a45107c046f539f76df7998684cc5cf976c656a5b63f5b15519296ff32d81b96321684b41b41328f80

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads