9835e11a382c7ab5b8b840d5b52e05f507c780a2e396c5a779f5eaf2e5c3c16c

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
29/08/2023, 15:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cf3fe50b0052ae574ac02c18badb57c5_goldeneye_JC.exe
Size

380KB
MD5

cf3fe50b0052ae574ac02c18badb57c5
SHA1

97143fc0dd170a78d58a53216afe025a4280cb58
SHA256

9835e11a382c7ab5b8b840d5b52e05f507c780a2e396c5a779f5eaf2e5c3c16c
SHA512

bec11216c63fccf66e9dc56ea5107d4e5755b980a41c7e1cdb9ea7cc978552eb4dcec7314b7582a42c996e25242a82fde9cd71e39caab49e477722795e8c136b
SSDEEP

3072:mEGh0oPlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGxl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD388FF5-BEF4-42ab-B3FA-4836FEBBE62E}	{9D834367-1C2D-44ff-8471-FBC4DF75F762}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97C709B8-36DD-46d9-9AA3-49904A558C0B}\stubpath = "C:\\Windows\\{97C709B8-36DD-46d9-9AA3-49904A558C0B}.exe"	{169B2B7C-EB12-4afa-B397-715CC8534F95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}\stubpath = "C:\\Windows\\{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe"	cf3fe50b0052ae574ac02c18badb57c5_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B540266-663F-4264-82BB-94391CEA0DBE}	{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C20ECE38-EB67-4021-8B90-928D40D4988A}\stubpath = "C:\\Windows\\{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe"	{6B540266-663F-4264-82BB-94391CEA0DBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85178A27-6EB0-403f-818D-520C99C404B7}	{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}	{85178A27-6EB0-403f-818D-520C99C404B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}	cf3fe50b0052ae574ac02c18badb57c5_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B540266-663F-4264-82BB-94391CEA0DBE}\stubpath = "C:\\Windows\\{6B540266-663F-4264-82BB-94391CEA0DBE}.exe"	{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85178A27-6EB0-403f-818D-520C99C404B7}\stubpath = "C:\\Windows\\{85178A27-6EB0-403f-818D-520C99C404B7}.exe"	{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD388FF5-BEF4-42ab-B3FA-4836FEBBE62E}\stubpath = "C:\\Windows\\{FD388FF5-BEF4-42ab-B3FA-4836FEBBE62E}.exe"	{9D834367-1C2D-44ff-8471-FBC4DF75F762}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97C709B8-36DD-46d9-9AA3-49904A558C0B}	{169B2B7C-EB12-4afa-B397-715CC8534F95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D834367-1C2D-44ff-8471-FBC4DF75F762}\stubpath = "C:\\Windows\\{9D834367-1C2D-44ff-8471-FBC4DF75F762}.exe"	{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C20ECE38-EB67-4021-8B90-928D40D4988A}	{6B540266-663F-4264-82BB-94391CEA0DBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}\stubpath = "C:\\Windows\\{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe"	{85178A27-6EB0-403f-818D-520C99C404B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}	{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}\stubpath = "C:\\Windows\\{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe"	{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F41B227-1E37-4c61-A1E5-FA66D3492A47}	{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F41B227-1E37-4c61-A1E5-FA66D3492A47}\stubpath = "C:\\Windows\\{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe"	{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D834367-1C2D-44ff-8471-FBC4DF75F762}	{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{169B2B7C-EB12-4afa-B397-715CC8534F95}	{FD388FF5-BEF4-42ab-B3FA-4836FEBBE62E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{169B2B7C-EB12-4afa-B397-715CC8534F95}\stubpath = "C:\\Windows\\{169B2B7C-EB12-4afa-B397-715CC8534F95}.exe"	{FD388FF5-BEF4-42ab-B3FA-4836FEBBE62E}.exe

Deletes itself 1 IoCs

pid	Process
2908	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2256	{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe
2844	{6B540266-663F-4264-82BB-94391CEA0DBE}.exe
2900	{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe
2572	{85178A27-6EB0-403f-818D-520C99C404B7}.exe
2716	{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe
2512	{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe
2584	{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe
1476	{9D834367-1C2D-44ff-8471-FBC4DF75F762}.exe
1104	{FD388FF5-BEF4-42ab-B3FA-4836FEBBE62E}.exe
3020	{169B2B7C-EB12-4afa-B397-715CC8534F95}.exe
1072	{97C709B8-36DD-46d9-9AA3-49904A558C0B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6B540266-663F-4264-82BB-94391CEA0DBE}.exe	{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe
File created	C:\Windows\{9D834367-1C2D-44ff-8471-FBC4DF75F762}.exe	{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe
File created	C:\Windows\{FD388FF5-BEF4-42ab-B3FA-4836FEBBE62E}.exe	{9D834367-1C2D-44ff-8471-FBC4DF75F762}.exe
File created	C:\Windows\{97C709B8-36DD-46d9-9AA3-49904A558C0B}.exe	{169B2B7C-EB12-4afa-B397-715CC8534F95}.exe
File created	C:\Windows\{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe	cf3fe50b0052ae574ac02c18badb57c5_goldeneye_JC.exe
File created	C:\Windows\{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe	{6B540266-663F-4264-82BB-94391CEA0DBE}.exe
File created	C:\Windows\{85178A27-6EB0-403f-818D-520C99C404B7}.exe	{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe
File created	C:\Windows\{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe	{85178A27-6EB0-403f-818D-520C99C404B7}.exe
File created	C:\Windows\{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe	{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe
File created	C:\Windows\{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe	{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe
File created	C:\Windows\{169B2B7C-EB12-4afa-B397-715CC8534F95}.exe	{FD388FF5-BEF4-42ab-B3FA-4836FEBBE62E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2372	cf3fe50b0052ae574ac02c18badb57c5_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2256	{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe
Token: SeIncBasePriorityPrivilege	2844	{6B540266-663F-4264-82BB-94391CEA0DBE}.exe
Token: SeIncBasePriorityPrivilege	2900	{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe
Token: SeIncBasePriorityPrivilege	2572	{85178A27-6EB0-403f-818D-520C99C404B7}.exe
Token: SeIncBasePriorityPrivilege	2716	{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe
Token: SeIncBasePriorityPrivilege	2512	{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe
Token: SeIncBasePriorityPrivilege	2584	{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe
Token: SeIncBasePriorityPrivilege	1476	{9D834367-1C2D-44ff-8471-FBC4DF75F762}.exe
Token: SeIncBasePriorityPrivilege	1104	{FD388FF5-BEF4-42ab-B3FA-4836FEBBE62E}.exe
Token: SeIncBasePriorityPrivilege	3020	{169B2B7C-EB12-4afa-B397-715CC8534F95}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2256	2372	cf3fe50b0052ae574ac02c18badb57c5_goldeneye_JC.exe	28
PID 2372 wrote to memory of 2256	2372	cf3fe50b0052ae574ac02c18badb57c5_goldeneye_JC.exe	28
PID 2372 wrote to memory of 2256	2372	cf3fe50b0052ae574ac02c18badb57c5_goldeneye_JC.exe	28
PID 2372 wrote to memory of 2256	2372	cf3fe50b0052ae574ac02c18badb57c5_goldeneye_JC.exe	28
PID 2372 wrote to memory of 2908	2372	cf3fe50b0052ae574ac02c18badb57c5_goldeneye_JC.exe	29
PID 2372 wrote to memory of 2908	2372	cf3fe50b0052ae574ac02c18badb57c5_goldeneye_JC.exe	29
PID 2372 wrote to memory of 2908	2372	cf3fe50b0052ae574ac02c18badb57c5_goldeneye_JC.exe	29
PID 2372 wrote to memory of 2908	2372	cf3fe50b0052ae574ac02c18badb57c5_goldeneye_JC.exe	29
PID 2256 wrote to memory of 2844	2256	{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe	32
PID 2256 wrote to memory of 2844	2256	{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe	32
PID 2256 wrote to memory of 2844	2256	{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe	32
PID 2256 wrote to memory of 2844	2256	{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe	32
PID 2256 wrote to memory of 2836	2256	{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe	33
PID 2256 wrote to memory of 2836	2256	{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe	33
PID 2256 wrote to memory of 2836	2256	{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe	33
PID 2256 wrote to memory of 2836	2256	{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe	33
PID 2844 wrote to memory of 2900	2844	{6B540266-663F-4264-82BB-94391CEA0DBE}.exe	34
PID 2844 wrote to memory of 2900	2844	{6B540266-663F-4264-82BB-94391CEA0DBE}.exe	34
PID 2844 wrote to memory of 2900	2844	{6B540266-663F-4264-82BB-94391CEA0DBE}.exe	34
PID 2844 wrote to memory of 2900	2844	{6B540266-663F-4264-82BB-94391CEA0DBE}.exe	34
PID 2844 wrote to memory of 2808	2844	{6B540266-663F-4264-82BB-94391CEA0DBE}.exe	35
PID 2844 wrote to memory of 2808	2844	{6B540266-663F-4264-82BB-94391CEA0DBE}.exe	35
PID 2844 wrote to memory of 2808	2844	{6B540266-663F-4264-82BB-94391CEA0DBE}.exe	35
PID 2844 wrote to memory of 2808	2844	{6B540266-663F-4264-82BB-94391CEA0DBE}.exe	35
PID 2900 wrote to memory of 2572	2900	{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe	36
PID 2900 wrote to memory of 2572	2900	{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe	36
PID 2900 wrote to memory of 2572	2900	{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe	36
PID 2900 wrote to memory of 2572	2900	{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe	36
PID 2900 wrote to memory of 2668	2900	{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe	37
PID 2900 wrote to memory of 2668	2900	{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe	37
PID 2900 wrote to memory of 2668	2900	{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe	37
PID 2900 wrote to memory of 2668	2900	{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe	37
PID 2572 wrote to memory of 2716	2572	{85178A27-6EB0-403f-818D-520C99C404B7}.exe	38
PID 2572 wrote to memory of 2716	2572	{85178A27-6EB0-403f-818D-520C99C404B7}.exe	38
PID 2572 wrote to memory of 2716	2572	{85178A27-6EB0-403f-818D-520C99C404B7}.exe	38
PID 2572 wrote to memory of 2716	2572	{85178A27-6EB0-403f-818D-520C99C404B7}.exe	38
PID 2572 wrote to memory of 2764	2572	{85178A27-6EB0-403f-818D-520C99C404B7}.exe	39
PID 2572 wrote to memory of 2764	2572	{85178A27-6EB0-403f-818D-520C99C404B7}.exe	39
PID 2572 wrote to memory of 2764	2572	{85178A27-6EB0-403f-818D-520C99C404B7}.exe	39
PID 2572 wrote to memory of 2764	2572	{85178A27-6EB0-403f-818D-520C99C404B7}.exe	39
PID 2716 wrote to memory of 2512	2716	{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe	40
PID 2716 wrote to memory of 2512	2716	{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe	40
PID 2716 wrote to memory of 2512	2716	{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe	40
PID 2716 wrote to memory of 2512	2716	{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe	40
PID 2716 wrote to memory of 2204	2716	{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe	41
PID 2716 wrote to memory of 2204	2716	{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe	41
PID 2716 wrote to memory of 2204	2716	{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe	41
PID 2716 wrote to memory of 2204	2716	{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe	41
PID 2512 wrote to memory of 2584	2512	{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe	42
PID 2512 wrote to memory of 2584	2512	{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe	42
PID 2512 wrote to memory of 2584	2512	{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe	42
PID 2512 wrote to memory of 2584	2512	{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe	42
PID 2512 wrote to memory of 1016	2512	{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe	43
PID 2512 wrote to memory of 1016	2512	{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe	43
PID 2512 wrote to memory of 1016	2512	{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe	43
PID 2512 wrote to memory of 1016	2512	{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe	43
PID 2584 wrote to memory of 1476	2584	{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe	45
PID 2584 wrote to memory of 1476	2584	{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe	45
PID 2584 wrote to memory of 1476	2584	{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe	45
PID 2584 wrote to memory of 1476	2584	{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe	45
PID 2584 wrote to memory of 2704	2584	{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe	44
PID 2584 wrote to memory of 2704	2584	{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe	44
PID 2584 wrote to memory of 2704	2584	{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe	44
PID 2584 wrote to memory of 2704	2584	{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe	44

C:\Users\Admin\AppData\Local\Temp\cf3fe50b0052ae574ac02c18badb57c5_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\cf3fe50b0052ae574ac02c18badb57c5_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe
  C:\Windows\{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\{6B540266-663F-4264-82BB-94391CEA0DBE}.exe
    C:\Windows\{6B540266-663F-4264-82BB-94391CEA0DBE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe
      C:\Windows\{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\{85178A27-6EB0-403f-818D-520C99C404B7}.exe
        
        C:\Windows\{85178A27-6EB0-403f-818D-520C99C404B7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe
        
        C:\Windows\{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe
        
        C:\Windows\{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe
        
        C:\Windows\{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F41B~1.EXE > nul
        9⤵
        
        PID:2704
        
        C:\Windows\{9D834367-1C2D-44ff-8471-FBC4DF75F762}.exe
        
        C:\Windows\{9D834367-1C2D-44ff-8471-FBC4DF75F762}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\{FD388FF5-BEF4-42ab-B3FA-4836FEBBE62E}.exe
        
        C:\Windows\{FD388FF5-BEF4-42ab-B3FA-4836FEBBE62E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\{169B2B7C-EB12-4afa-B397-715CC8534F95}.exe
        
        C:\Windows\{169B2B7C-EB12-4afa-B397-715CC8534F95}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\{97C709B8-36DD-46d9-9AA3-49904A558C0B}.exe
        
        C:\Windows\{97C709B8-36DD-46d9-9AA3-49904A558C0B}.exe
        12⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{169B2~1.EXE > nul
        12⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD388~1.EXE > nul
        11⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D834~1.EXE > nul
        10⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{238A3~1.EXE > nul
        8⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0343~1.EXE > nul
        7⤵
        
        PID:2204
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85178~1.EXE > nul
        6⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C20EC~1.EXE > nul
        5⤵
        
        PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6B540~1.EXE > nul
      4⤵
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9A985~1.EXE > nul
    3⤵
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CF3FE5~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{169B2B7C-EB12-4afa-B397-715CC8534F95}.exe

Filesize
380KB

MD5
1ca2b7c53bb165b6b5d599e8641dba85

SHA1
f9adc6681b4951518213601325170e7a7d8097f4

SHA256
fbb19ab1a8a143a4d8737bb2ddceddc8b87a6ed8bc4e6b5f2b8e47689bb7a6ae

SHA512
2fb1efa26ed8b5aa442effe5b9ba8eb12ba790d44e51615d97b67d7226a29488d860c34454aa62e2af86a1715656efcf8fd97941e79f2b1ade1fe6b11cfb548f

Download Submit
C:\Windows\{169B2B7C-EB12-4afa-B397-715CC8534F95}.exe

Filesize
380KB

MD5
1ca2b7c53bb165b6b5d599e8641dba85

SHA1
f9adc6681b4951518213601325170e7a7d8097f4

SHA256
fbb19ab1a8a143a4d8737bb2ddceddc8b87a6ed8bc4e6b5f2b8e47689bb7a6ae

SHA512
2fb1efa26ed8b5aa442effe5b9ba8eb12ba790d44e51615d97b67d7226a29488d860c34454aa62e2af86a1715656efcf8fd97941e79f2b1ade1fe6b11cfb548f

Download Submit
C:\Windows\{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe

Filesize
380KB

MD5
7b81c4bbaf37146e285eb1a097cb7abf

SHA1
ccc1627aa1fe112c7d21d9bdf516c6899fddeb87

SHA256
fec48499e4910c1aa201f8364c38b816a01c30dd041372f382946934a3d0524e

SHA512
1cc85babd25e3e93f2a42ba7a1697525aaf0c8b6f262b5bc02a7465a5d963c0d73533f2f0658b28d0df11e196a29f275acb2af73c981ef5f0829ed57518b9128

Download Submit
C:\Windows\{238A3B5B-3548-4cc4-9E00-7ACD5E69EB45}.exe

Filesize
380KB

MD5
7b81c4bbaf37146e285eb1a097cb7abf

SHA1
ccc1627aa1fe112c7d21d9bdf516c6899fddeb87

SHA256
fec48499e4910c1aa201f8364c38b816a01c30dd041372f382946934a3d0524e

SHA512
1cc85babd25e3e93f2a42ba7a1697525aaf0c8b6f262b5bc02a7465a5d963c0d73533f2f0658b28d0df11e196a29f275acb2af73c981ef5f0829ed57518b9128

Download Submit
C:\Windows\{6B540266-663F-4264-82BB-94391CEA0DBE}.exe

Filesize
380KB

MD5
5583fec5ff72fed7805d5ca9dda0d10c

SHA1
4c7263eaa2514d21c950f43ea4091efcf0630d32

SHA256
b2826094445d6e66737c55db6445805d79e7c7fab6bc847a7f81dff42b924e7d

SHA512
9ec5a9d5d8d50a5890650badc68ad431716f68d55b27ff6240fe2f69846bef8cd5eb5fbd564a8a3fc977c75e899e81d5a12ea5117ac2d488abad73991b64ca7d

Download Submit
C:\Windows\{6B540266-663F-4264-82BB-94391CEA0DBE}.exe

Filesize
380KB

MD5
5583fec5ff72fed7805d5ca9dda0d10c

SHA1
4c7263eaa2514d21c950f43ea4091efcf0630d32

SHA256
b2826094445d6e66737c55db6445805d79e7c7fab6bc847a7f81dff42b924e7d

SHA512
9ec5a9d5d8d50a5890650badc68ad431716f68d55b27ff6240fe2f69846bef8cd5eb5fbd564a8a3fc977c75e899e81d5a12ea5117ac2d488abad73991b64ca7d

Download Submit
C:\Windows\{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe

Filesize
380KB

MD5
222574532714740844c3146dde480e03

SHA1
a843b4b792fe56ecb09a6e235687fae82035c561

SHA256
ce14bcdeae3024824de0baa67f9d24e3ce13b9d884fef4b285cd673e6ca725f5

SHA512
3385aa3fbc44f7db873737d20462b4aad51f48fc99c088c6c5d89a743b82fe866ca2c2bbe4a8ac6dccb584c1a45efd6b3a93ee025e06567479f1751eccd162ad

Download Submit
C:\Windows\{7F41B227-1E37-4c61-A1E5-FA66D3492A47}.exe

Filesize
380KB

MD5
222574532714740844c3146dde480e03

SHA1
a843b4b792fe56ecb09a6e235687fae82035c561

SHA256
ce14bcdeae3024824de0baa67f9d24e3ce13b9d884fef4b285cd673e6ca725f5

SHA512
3385aa3fbc44f7db873737d20462b4aad51f48fc99c088c6c5d89a743b82fe866ca2c2bbe4a8ac6dccb584c1a45efd6b3a93ee025e06567479f1751eccd162ad

Download Submit
C:\Windows\{85178A27-6EB0-403f-818D-520C99C404B7}.exe

Filesize
380KB

MD5
c8bdc2d3e3c65a939558049e75b15f25

SHA1
7ea0367198b6df6d79f9dd785df086ab9800d1f4

SHA256
5fd591e70894303570a517f57055225dba82fb42c7c9f9d315d804cb1b90dc20

SHA512
7f17521586433553f43e3c64d2c9767a4fc1fb54f50f031ef7333d38298c0512509ca55adccc10ab8394b3a8179a5e827a6a2f594a06d1d09727fa2f760cab3c

Download Submit
C:\Windows\{85178A27-6EB0-403f-818D-520C99C404B7}.exe

Filesize
380KB

MD5
c8bdc2d3e3c65a939558049e75b15f25

SHA1
7ea0367198b6df6d79f9dd785df086ab9800d1f4

SHA256
5fd591e70894303570a517f57055225dba82fb42c7c9f9d315d804cb1b90dc20

SHA512
7f17521586433553f43e3c64d2c9767a4fc1fb54f50f031ef7333d38298c0512509ca55adccc10ab8394b3a8179a5e827a6a2f594a06d1d09727fa2f760cab3c

Download Submit
C:\Windows\{97C709B8-36DD-46d9-9AA3-49904A558C0B}.exe

Filesize
380KB

MD5
6ccf260bb280472d9720e71f3696ef59

SHA1
e501116e021ca4ed0abb7a4c6f9d5137083289a9

SHA256
e5ae608b68f1ce2181f372739546db1b77ae115e3257659b98edf4261ed51668

SHA512
1878c3570d4a0f86d19b4c280a2a1fe0d45e39314dc5e68d186517a2c93dd10b3fc679f9f8bd12d1920dc0eb3b3099bc8b05652a4489932369c2203606feece0

Download Submit
C:\Windows\{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe

Filesize
380KB

MD5
f74d8110bea7e0a80e6c2c045abe0e69

SHA1
01450e04f7c7f38d967b05b5af518f8a658b4e0d

SHA256
9af8d33c001f8ca923b7a61016a9ccdde544712e7e7cd42d3dff73e3bb7046c6

SHA512
7bf7cde17eb71abbc8506303b69e81aa99eff855323d02e35d68d84144f17d03004a34b55afdfd72ea4869135853cbe4e66b9ada29b9d6b9025d5ee283490236

Download Submit
C:\Windows\{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe

Filesize
380KB

MD5
f74d8110bea7e0a80e6c2c045abe0e69

SHA1
01450e04f7c7f38d967b05b5af518f8a658b4e0d

SHA256
9af8d33c001f8ca923b7a61016a9ccdde544712e7e7cd42d3dff73e3bb7046c6

SHA512
7bf7cde17eb71abbc8506303b69e81aa99eff855323d02e35d68d84144f17d03004a34b55afdfd72ea4869135853cbe4e66b9ada29b9d6b9025d5ee283490236

Download Submit
C:\Windows\{9A985C5F-DC4A-4ba9-8918-9BD44170A42A}.exe

Filesize
380KB

MD5
f74d8110bea7e0a80e6c2c045abe0e69

SHA1
01450e04f7c7f38d967b05b5af518f8a658b4e0d

SHA256
9af8d33c001f8ca923b7a61016a9ccdde544712e7e7cd42d3dff73e3bb7046c6

SHA512
7bf7cde17eb71abbc8506303b69e81aa99eff855323d02e35d68d84144f17d03004a34b55afdfd72ea4869135853cbe4e66b9ada29b9d6b9025d5ee283490236

Download Submit
C:\Windows\{9D834367-1C2D-44ff-8471-FBC4DF75F762}.exe

Filesize
380KB

MD5
c1e6b1eb71d6f569bfc97507f8598092

SHA1
d0cf66bdea2d880857f6c130e545031565f0bf31

SHA256
299e29a6451ac9a4f931d61ba306142fd4593dadc3dc9e26382cff9315a6f4b9

SHA512
1ba2b0e463a5f69e628b31ed4a60ddd5301e323149bf2a965b3c8d04648d59c0adeb6487d748172d09bd32bfdd9d4c55ad6c3cad06ce05465dae67263ff9273b

Download Submit
C:\Windows\{9D834367-1C2D-44ff-8471-FBC4DF75F762}.exe

Filesize
380KB

MD5
c1e6b1eb71d6f569bfc97507f8598092

SHA1
d0cf66bdea2d880857f6c130e545031565f0bf31

SHA256
299e29a6451ac9a4f931d61ba306142fd4593dadc3dc9e26382cff9315a6f4b9

SHA512
1ba2b0e463a5f69e628b31ed4a60ddd5301e323149bf2a965b3c8d04648d59c0adeb6487d748172d09bd32bfdd9d4c55ad6c3cad06ce05465dae67263ff9273b

Download Submit
C:\Windows\{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe

Filesize
380KB

MD5
9e4dd2b7a70fd30f23d3bde2df11831a

SHA1
0e24fdeea8890a4a06b666eb58f1a7f1ddf2ed95

SHA256
a2317b763464eb4cc0e17e0c638124be56734710a7b4f63fb9cf4de5cc42275f

SHA512
cc5c40b406f727f124f440eeaaee9358f80d6c38f8b3439c5560b76d1e34dc9d30e68aa3ddac8f2c71fd7e7c1006ae517f1290045b55dca99ac84f95cbe17729

Download Submit
C:\Windows\{C20ECE38-EB67-4021-8B90-928D40D4988A}.exe

Filesize
380KB

MD5
9e4dd2b7a70fd30f23d3bde2df11831a

SHA1
0e24fdeea8890a4a06b666eb58f1a7f1ddf2ed95

SHA256
a2317b763464eb4cc0e17e0c638124be56734710a7b4f63fb9cf4de5cc42275f

SHA512
cc5c40b406f727f124f440eeaaee9358f80d6c38f8b3439c5560b76d1e34dc9d30e68aa3ddac8f2c71fd7e7c1006ae517f1290045b55dca99ac84f95cbe17729

Download Submit
C:\Windows\{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe

Filesize
380KB

MD5
07513e2ad2faeae21c09a4d651be99a8

SHA1
335d6b3a278fc9edb3b1bbe4d62e73b281257dc5

SHA256
c4d4c145a3b1795dccaad39dcf57c035be043930a80204760d6b22f82e79d9ab

SHA512
b1280162ef0f224f2469491cbc593b4a25776d55112d4b771922146f14ea0e123efea588566b2445a54ba80bb4ccb7e1ee63eaca54eefe18893e9b86ec5aeefe

Download Submit
C:\Windows\{D0343A6A-B3B0-4e6b-B472-84E0E66B2F63}.exe

Filesize
380KB

MD5
07513e2ad2faeae21c09a4d651be99a8

SHA1
335d6b3a278fc9edb3b1bbe4d62e73b281257dc5

SHA256
c4d4c145a3b1795dccaad39dcf57c035be043930a80204760d6b22f82e79d9ab

SHA512
b1280162ef0f224f2469491cbc593b4a25776d55112d4b771922146f14ea0e123efea588566b2445a54ba80bb4ccb7e1ee63eaca54eefe18893e9b86ec5aeefe

Download Submit
C:\Windows\{FD388FF5-BEF4-42ab-B3FA-4836FEBBE62E}.exe

Filesize
380KB

MD5
5a8c80ee3f528aa27f9e12df6af467b7

SHA1
86fb31353547c28aa3dbda87ec5bbd4d1d0830a0

SHA256
8afb971288aa572841cb9963cd87e85edddb61a555896c4c57047a46d9f9ff7c

SHA512
e8b39166491bccdd4fd88feed46cb03ed2b9f575aecacd14e768d95b7e118b6d5de1cd3cfe336fac7f0c5d1e3425be41221cf52060882685833e592d45e28dfb

Download Submit
C:\Windows\{FD388FF5-BEF4-42ab-B3FA-4836FEBBE62E}.exe

Filesize
380KB

MD5
5a8c80ee3f528aa27f9e12df6af467b7

SHA1
86fb31353547c28aa3dbda87ec5bbd4d1d0830a0

SHA256
8afb971288aa572841cb9963cd87e85edddb61a555896c4c57047a46d9f9ff7c

SHA512
e8b39166491bccdd4fd88feed46cb03ed2b9f575aecacd14e768d95b7e118b6d5de1cd3cfe336fac7f0c5d1e3425be41221cf52060882685833e592d45e28dfb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads