c3ad7ee7c2fd895a5fcd4c38b9e4802e00fb4c15e7b92033a1e9c4234102f487

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
29/08/2023, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe
Size

372KB
MD5

d2c54e9755d4fdae6f35918df0e35813
SHA1

268045d0e67b83f1f839c1143027c8986862946f
SHA256

c3ad7ee7c2fd895a5fcd4c38b9e4802e00fb4c15e7b92033a1e9c4234102f487
SHA512

abd613648f798291e95979dc5957b16ac0e82c204ed7d9d1e57813166d0fcffe1aa79f164926971aed0dc7ad7b45d572c81e9a0bc83497192128935b78bb00a8
SSDEEP

3072:CEGh0oQmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGLl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EBF0F4A-98DA-4ae0-B840-0A74FD894E58}\stubpath = "C:\\Windows\\{8EBF0F4A-98DA-4ae0-B840-0A74FD894E58}.exe"	{684C4FB4-91AA-4d2c-9816-005E05C2BB2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}	{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}\stubpath = "C:\\Windows\\{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe"	{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{041DD6B6-5D30-4ea1-8831-2B498DFA2609}	{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{041DD6B6-5D30-4ea1-8831-2B498DFA2609}\stubpath = "C:\\Windows\\{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe"	{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{684C4FB4-91AA-4d2c-9816-005E05C2BB2F}	{F146404E-FE4F-4453-BD07-F9EF6BF6C1D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{583C2037-66FB-440c-A876-F71E5A464FD0}\stubpath = "C:\\Windows\\{583C2037-66FB-440c-A876-F71E5A464FD0}.exe"	{8078C001-306E-402b-83C9-06C094FA3AA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{684C4FB4-91AA-4d2c-9816-005E05C2BB2F}\stubpath = "C:\\Windows\\{684C4FB4-91AA-4d2c-9816-005E05C2BB2F}.exe"	{F146404E-FE4F-4453-BD07-F9EF6BF6C1D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EBF0F4A-98DA-4ae0-B840-0A74FD894E58}	{684C4FB4-91AA-4d2c-9816-005E05C2BB2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2256D10E-D1B0-439b-B7AB-1214E448AAB5}	{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C23C606-65E3-4fb7-B088-4BAF78338188}	{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C23C606-65E3-4fb7-B088-4BAF78338188}\stubpath = "C:\\Windows\\{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe"	{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD93D66C-6E7B-4d6b-9C92-DEF306637748}	{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8078C001-306E-402b-83C9-06C094FA3AA6}	{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}\stubpath = "C:\\Windows\\{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe"	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{583C2037-66FB-440c-A876-F71E5A464FD0}	{8078C001-306E-402b-83C9-06C094FA3AA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146404E-FE4F-4453-BD07-F9EF6BF6C1D0}\stubpath = "C:\\Windows\\{F146404E-FE4F-4453-BD07-F9EF6BF6C1D0}.exe"	{583C2037-66FB-440c-A876-F71E5A464FD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2256D10E-D1B0-439b-B7AB-1214E448AAB5}\stubpath = "C:\\Windows\\{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe"	{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD93D66C-6E7B-4d6b-9C92-DEF306637748}\stubpath = "C:\\Windows\\{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe"	{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8078C001-306E-402b-83C9-06C094FA3AA6}\stubpath = "C:\\Windows\\{8078C001-306E-402b-83C9-06C094FA3AA6}.exe"	{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146404E-FE4F-4453-BD07-F9EF6BF6C1D0}	{583C2037-66FB-440c-A876-F71E5A464FD0}.exe

Deletes itself 1 IoCs

pid	Process
2840	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2508	{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe
2956	{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe
2928	{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe
2732	{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe
2868	{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe
2716	{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe
2312	{8078C001-306E-402b-83C9-06C094FA3AA6}.exe
1292	{583C2037-66FB-440c-A876-F71E5A464FD0}.exe
2680	{F146404E-FE4F-4453-BD07-F9EF6BF6C1D0}.exe
3048	{684C4FB4-91AA-4d2c-9816-005E05C2BB2F}.exe
1444	{8EBF0F4A-98DA-4ae0-B840-0A74FD894E58}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{684C4FB4-91AA-4d2c-9816-005E05C2BB2F}.exe	{F146404E-FE4F-4453-BD07-F9EF6BF6C1D0}.exe
File created	C:\Windows\{8EBF0F4A-98DA-4ae0-B840-0A74FD894E58}.exe	{684C4FB4-91AA-4d2c-9816-005E05C2BB2F}.exe
File created	C:\Windows\{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe
File created	C:\Windows\{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe	{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe
File created	C:\Windows\{8078C001-306E-402b-83C9-06C094FA3AA6}.exe	{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe
File created	C:\Windows\{583C2037-66FB-440c-A876-F71E5A464FD0}.exe	{8078C001-306E-402b-83C9-06C094FA3AA6}.exe
File created	C:\Windows\{F146404E-FE4F-4453-BD07-F9EF6BF6C1D0}.exe	{583C2037-66FB-440c-A876-F71E5A464FD0}.exe
File created	C:\Windows\{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe	{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe
File created	C:\Windows\{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe	{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe
File created	C:\Windows\{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe	{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe
File created	C:\Windows\{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe	{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1796	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2508	{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe
Token: SeIncBasePriorityPrivilege	2956	{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe
Token: SeIncBasePriorityPrivilege	2928	{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe
Token: SeIncBasePriorityPrivilege	2732	{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe
Token: SeIncBasePriorityPrivilege	2868	{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe
Token: SeIncBasePriorityPrivilege	2716	{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe
Token: SeIncBasePriorityPrivilege	2312	{8078C001-306E-402b-83C9-06C094FA3AA6}.exe
Token: SeIncBasePriorityPrivilege	1292	{583C2037-66FB-440c-A876-F71E5A464FD0}.exe
Token: SeIncBasePriorityPrivilege	2680	{F146404E-FE4F-4453-BD07-F9EF6BF6C1D0}.exe
Token: SeIncBasePriorityPrivilege	3048	{684C4FB4-91AA-4d2c-9816-005E05C2BB2F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2508	1796	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe	30
PID 1796 wrote to memory of 2508	1796	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe	30
PID 1796 wrote to memory of 2508	1796	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe	30
PID 1796 wrote to memory of 2508	1796	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe	30
PID 1796 wrote to memory of 2840	1796	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe	31
PID 1796 wrote to memory of 2840	1796	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe	31
PID 1796 wrote to memory of 2840	1796	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe	31
PID 1796 wrote to memory of 2840	1796	d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe	31
PID 2508 wrote to memory of 2956	2508	{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe	32
PID 2508 wrote to memory of 2956	2508	{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe	32
PID 2508 wrote to memory of 2956	2508	{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe	32
PID 2508 wrote to memory of 2956	2508	{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe	32
PID 2508 wrote to memory of 1684	2508	{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe	33
PID 2508 wrote to memory of 1684	2508	{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe	33
PID 2508 wrote to memory of 1684	2508	{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe	33
PID 2508 wrote to memory of 1684	2508	{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe	33
PID 2956 wrote to memory of 2928	2956	{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe	35
PID 2956 wrote to memory of 2928	2956	{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe	35
PID 2956 wrote to memory of 2928	2956	{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe	35
PID 2956 wrote to memory of 2928	2956	{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe	35
PID 2956 wrote to memory of 2124	2956	{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe	34
PID 2956 wrote to memory of 2124	2956	{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe	34
PID 2956 wrote to memory of 2124	2956	{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe	34
PID 2956 wrote to memory of 2124	2956	{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe	34
PID 2928 wrote to memory of 2732	2928	{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe	37
PID 2928 wrote to memory of 2732	2928	{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe	37
PID 2928 wrote to memory of 2732	2928	{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe	37
PID 2928 wrote to memory of 2732	2928	{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe	37
PID 2928 wrote to memory of 3064	2928	{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe	36
PID 2928 wrote to memory of 3064	2928	{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe	36
PID 2928 wrote to memory of 3064	2928	{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe	36
PID 2928 wrote to memory of 3064	2928	{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe	36
PID 2732 wrote to memory of 2868	2732	{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe	39
PID 2732 wrote to memory of 2868	2732	{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe	39
PID 2732 wrote to memory of 2868	2732	{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe	39
PID 2732 wrote to memory of 2868	2732	{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe	39
PID 2732 wrote to memory of 2572	2732	{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe	38
PID 2732 wrote to memory of 2572	2732	{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe	38
PID 2732 wrote to memory of 2572	2732	{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe	38
PID 2732 wrote to memory of 2572	2732	{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe	38
PID 2868 wrote to memory of 2716	2868	{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe	40
PID 2868 wrote to memory of 2716	2868	{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe	40
PID 2868 wrote to memory of 2716	2868	{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe	40
PID 2868 wrote to memory of 2716	2868	{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe	40
PID 2868 wrote to memory of 2768	2868	{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe	41
PID 2868 wrote to memory of 2768	2868	{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe	41
PID 2868 wrote to memory of 2768	2868	{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe	41
PID 2868 wrote to memory of 2768	2868	{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe	41
PID 2716 wrote to memory of 2312	2716	{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe	42
PID 2716 wrote to memory of 2312	2716	{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe	42
PID 2716 wrote to memory of 2312	2716	{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe	42
PID 2716 wrote to memory of 2312	2716	{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe	42
PID 2716 wrote to memory of 2432	2716	{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe	43
PID 2716 wrote to memory of 2432	2716	{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe	43
PID 2716 wrote to memory of 2432	2716	{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe	43
PID 2716 wrote to memory of 2432	2716	{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe	43
PID 2312 wrote to memory of 1292	2312	{8078C001-306E-402b-83C9-06C094FA3AA6}.exe	45
PID 2312 wrote to memory of 1292	2312	{8078C001-306E-402b-83C9-06C094FA3AA6}.exe	45
PID 2312 wrote to memory of 1292	2312	{8078C001-306E-402b-83C9-06C094FA3AA6}.exe	45
PID 2312 wrote to memory of 1292	2312	{8078C001-306E-402b-83C9-06C094FA3AA6}.exe	45
PID 2312 wrote to memory of 1456	2312	{8078C001-306E-402b-83C9-06C094FA3AA6}.exe	44
PID 2312 wrote to memory of 1456	2312	{8078C001-306E-402b-83C9-06C094FA3AA6}.exe	44
PID 2312 wrote to memory of 1456	2312	{8078C001-306E-402b-83C9-06C094FA3AA6}.exe	44
PID 2312 wrote to memory of 1456	2312	{8078C001-306E-402b-83C9-06C094FA3AA6}.exe	44

C:\Users\Admin\AppData\Local\Temp\d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\d2c54e9755d4fdae6f35918df0e35813_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe
  C:\Windows\{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe
    C:\Windows\{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F85A7~1.EXE > nul
      4⤵
      PID:2124
  - - C:\Windows\{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe
      C:\Windows\{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2256D~1.EXE > nul
        5⤵
        
        PID:3064
    - - C:\Windows\{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe
        
        C:\Windows\{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C23C~1.EXE > nul
        6⤵
        
        PID:2572
      - C:\Windows\{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe
        
        C:\Windows\{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe
        
        C:\Windows\{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{8078C001-306E-402b-83C9-06C094FA3AA6}.exe
        
        C:\Windows\{8078C001-306E-402b-83C9-06C094FA3AA6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8078C~1.EXE > nul
        9⤵
        
        PID:1456
        
        C:\Windows\{583C2037-66FB-440c-A876-F71E5A464FD0}.exe
        
        C:\Windows\{583C2037-66FB-440c-A876-F71E5A464FD0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{583C2~1.EXE > nul
        10⤵
        
        PID:2028
        
        C:\Windows\{F146404E-FE4F-4453-BD07-F9EF6BF6C1D0}.exe
        
        C:\Windows\{F146404E-FE4F-4453-BD07-F9EF6BF6C1D0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1464~1.EXE > nul
        11⤵
        
        PID:3008
        
        C:\Windows\{684C4FB4-91AA-4d2c-9816-005E05C2BB2F}.exe
        
        C:\Windows\{684C4FB4-91AA-4d2c-9816-005E05C2BB2F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{684C4~1.EXE > nul
        12⤵
        
        PID:2256
        
        C:\Windows\{8EBF0F4A-98DA-4ae0-B840-0A74FD894E58}.exe
        
        C:\Windows\{8EBF0F4A-98DA-4ae0-B840-0A74FD894E58}.exe
        12⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{041DD~1.EXE > nul
        8⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD93D~1.EXE > nul
        7⤵
        
        PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3902E~1.EXE > nul
    3⤵
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D2C54E~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe

Filesize
372KB

MD5
18a114c3d24bdf739cae1f42a2216ee1

SHA1
285d71a9f509c93d35354b390bb2b99a7bb40c55

SHA256
e00cc92bb478f7086d3e735ea5b7d409a0d702b776040c636114d17c22647109

SHA512
65b934fd74ab431b710ee8050e2ded2cdf462132c58524e63c9f7acabbce89305edad91dd623b862cb3cec68385385b6f27e492bcdefab888144afe3414c60db

Download Submit
C:\Windows\{041DD6B6-5D30-4ea1-8831-2B498DFA2609}.exe

Filesize
372KB

MD5
18a114c3d24bdf739cae1f42a2216ee1

SHA1
285d71a9f509c93d35354b390bb2b99a7bb40c55

SHA256
e00cc92bb478f7086d3e735ea5b7d409a0d702b776040c636114d17c22647109

SHA512
65b934fd74ab431b710ee8050e2ded2cdf462132c58524e63c9f7acabbce89305edad91dd623b862cb3cec68385385b6f27e492bcdefab888144afe3414c60db

Download Submit
C:\Windows\{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe

Filesize
372KB

MD5
8e4797314652147cab02a32ff21dda6a

SHA1
9c018c4da82ca3450bfd969f67034db34c6f297f

SHA256
89a913e90136f3550025eb369d306f53bfbbfef889db9ddc7d4fb08941753368

SHA512
eb60f54a54a04f133e09454d695255515e7d8f82a44d211d8426093c45a685736b7acf8243097810b81330e4057e9971bfb5e19a3718d7a66a767a1f6696915c

Download Submit
C:\Windows\{2256D10E-D1B0-439b-B7AB-1214E448AAB5}.exe

Filesize
372KB

MD5
8e4797314652147cab02a32ff21dda6a

SHA1
9c018c4da82ca3450bfd969f67034db34c6f297f

SHA256
89a913e90136f3550025eb369d306f53bfbbfef889db9ddc7d4fb08941753368

SHA512
eb60f54a54a04f133e09454d695255515e7d8f82a44d211d8426093c45a685736b7acf8243097810b81330e4057e9971bfb5e19a3718d7a66a767a1f6696915c

Download Submit
C:\Windows\{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe

Filesize
372KB

MD5
333b16060c5eb034d24b6c9bf25dc322

SHA1
0a310c64be1c7cc3da9cde2f52f914b247242b74

SHA256
422ffa0bfbd6d14708922d4dcf5644308a16c08a0812609014668f4c65a7f9aa

SHA512
1bf70571c32cd87f5dd8407ad0db7957b277650af42c56b640cff94db1c5566c446390a0ba99604802f295cb82d6adca12da7b66a391caf07bf5a2a9b6df9014

Download Submit
C:\Windows\{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe

Filesize
372KB

MD5
333b16060c5eb034d24b6c9bf25dc322

SHA1
0a310c64be1c7cc3da9cde2f52f914b247242b74

SHA256
422ffa0bfbd6d14708922d4dcf5644308a16c08a0812609014668f4c65a7f9aa

SHA512
1bf70571c32cd87f5dd8407ad0db7957b277650af42c56b640cff94db1c5566c446390a0ba99604802f295cb82d6adca12da7b66a391caf07bf5a2a9b6df9014

Download Submit
C:\Windows\{3902E0E3-A5F4-4c7c-81D4-27FFDE3969CC}.exe

Filesize
372KB

MD5
333b16060c5eb034d24b6c9bf25dc322

SHA1
0a310c64be1c7cc3da9cde2f52f914b247242b74

SHA256
422ffa0bfbd6d14708922d4dcf5644308a16c08a0812609014668f4c65a7f9aa

SHA512
1bf70571c32cd87f5dd8407ad0db7957b277650af42c56b640cff94db1c5566c446390a0ba99604802f295cb82d6adca12da7b66a391caf07bf5a2a9b6df9014

Download Submit
C:\Windows\{583C2037-66FB-440c-A876-F71E5A464FD0}.exe

Filesize
372KB

MD5
aeaee18df426dac30400ceac2ace5771

SHA1
aca653b882113ff71818461bf587cb0cc1ed0f2e

SHA256
0128acd135a0e36d26650f13a552070b4d8a114cdb85f3fef80238a7704475a1

SHA512
e12042a0a0ddc1c35756b81157cf85d36b48266fd412ec85e5edf44cb72f83e206813b0c7f170a828d685fd7c80d5a3fd710435b182f358ae5c20321b9ca2f3c

Download Submit
C:\Windows\{583C2037-66FB-440c-A876-F71E5A464FD0}.exe

Filesize
372KB

MD5
aeaee18df426dac30400ceac2ace5771

SHA1
aca653b882113ff71818461bf587cb0cc1ed0f2e

SHA256
0128acd135a0e36d26650f13a552070b4d8a114cdb85f3fef80238a7704475a1

SHA512
e12042a0a0ddc1c35756b81157cf85d36b48266fd412ec85e5edf44cb72f83e206813b0c7f170a828d685fd7c80d5a3fd710435b182f358ae5c20321b9ca2f3c

Download Submit
C:\Windows\{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe

Filesize
372KB

MD5
7c3e09e3a85b334dd2a219008edcdd8f

SHA1
ff76e0d7f3fe9066a60c4855933dddd4a8557d82

SHA256
08f3e7f3a11962bdcda639dcc73f3c22b25d040ea00eb07d8a4571957ededc41

SHA512
4c2ab53aee9903035ca820969f04b949d090827f78ffc23d9227509739807789d9ba6e833b7969b811b10be1470819e2ce704568de67f3edd43510942b045dc5

Download Submit
C:\Windows\{5C23C606-65E3-4fb7-B088-4BAF78338188}.exe

Filesize
372KB

MD5
7c3e09e3a85b334dd2a219008edcdd8f

SHA1
ff76e0d7f3fe9066a60c4855933dddd4a8557d82

SHA256
08f3e7f3a11962bdcda639dcc73f3c22b25d040ea00eb07d8a4571957ededc41

SHA512
4c2ab53aee9903035ca820969f04b949d090827f78ffc23d9227509739807789d9ba6e833b7969b811b10be1470819e2ce704568de67f3edd43510942b045dc5

Download Submit
C:\Windows\{684C4FB4-91AA-4d2c-9816-005E05C2BB2F}.exe

Filesize
372KB

MD5
aa13b8534c0de53b97a5ae7ce3eeb250

SHA1
e13ca6cadcda6f46499437cb2c9b51cc2a84d02e

SHA256
b7cab649fe1979a2f7ac09010fed336d29a72ab7945e10f0b55febe30182f46c

SHA512
881402f135a84d1b2509abb956602019af0006b6b6ab0ebc205b5b52fe3444796f8bdb0e3a01c23b3799b9ea809d9805f6c3396f66f15d273751629f74586fe3

Download Submit
C:\Windows\{684C4FB4-91AA-4d2c-9816-005E05C2BB2F}.exe

Filesize
372KB

MD5
aa13b8534c0de53b97a5ae7ce3eeb250

SHA1
e13ca6cadcda6f46499437cb2c9b51cc2a84d02e

SHA256
b7cab649fe1979a2f7ac09010fed336d29a72ab7945e10f0b55febe30182f46c

SHA512
881402f135a84d1b2509abb956602019af0006b6b6ab0ebc205b5b52fe3444796f8bdb0e3a01c23b3799b9ea809d9805f6c3396f66f15d273751629f74586fe3

Download Submit
C:\Windows\{8078C001-306E-402b-83C9-06C094FA3AA6}.exe

Filesize
372KB

MD5
a761048665b91b4081bc6025d95c6a13

SHA1
395b5606cfe273533cf85bdfe5ac5b8715b89431

SHA256
c0cd47928e29706a879e4fccc016e6e2c53b86669c6c9804a7698c7399c262d1

SHA512
ee1ae10238a73d5cc788b18ff0be7ea5d2764c6d9fe1db9c516abdf3824c72d89de3b0b1be53d37795c63bf95d94356ce4f7d8fd33241031c89a371c128b41c7

Download Submit
C:\Windows\{8078C001-306E-402b-83C9-06C094FA3AA6}.exe

Filesize
372KB

MD5
a761048665b91b4081bc6025d95c6a13

SHA1
395b5606cfe273533cf85bdfe5ac5b8715b89431

SHA256
c0cd47928e29706a879e4fccc016e6e2c53b86669c6c9804a7698c7399c262d1

SHA512
ee1ae10238a73d5cc788b18ff0be7ea5d2764c6d9fe1db9c516abdf3824c72d89de3b0b1be53d37795c63bf95d94356ce4f7d8fd33241031c89a371c128b41c7

Download Submit
C:\Windows\{8EBF0F4A-98DA-4ae0-B840-0A74FD894E58}.exe

Filesize
372KB

MD5
ae174c93f1676802efc41effd67d42f4

SHA1
54c7045c02adc2e9cf325ac1f8bb2b808bf367f8

SHA256
2b7c934fb6bd6afb5fc73708e7b74952c10e39c2f4c3a357d37183491091d4ad

SHA512
9ab6d3e661e0b92bc003435c5905048f7bd58761cfe958fe31cb0530cdea76462c293f547e71f38a749c233f155bfbef9eeb451a3cf5fb162d199c1fcb918b73

Download Submit
C:\Windows\{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe

Filesize
372KB

MD5
319b7223225e3cbe76ad9fc0ac1fc2b4

SHA1
753adf0de36454fe096762119f09e97317cd57be

SHA256
3720da5aded6c39fa8ef187222e73823c88b78ca90586a9e030484908cbc079d

SHA512
9104cfe217a2dd714b00ae9a9683bbdac9f060ee42e2770f0a24828064c6e3302812133983b6f66d7fcb85d7c9477df9c77f14acc212fdfaa0f4ca960d7b6b66

Download Submit
C:\Windows\{BD93D66C-6E7B-4d6b-9C92-DEF306637748}.exe

Filesize
372KB

MD5
319b7223225e3cbe76ad9fc0ac1fc2b4

SHA1
753adf0de36454fe096762119f09e97317cd57be

SHA256
3720da5aded6c39fa8ef187222e73823c88b78ca90586a9e030484908cbc079d

SHA512
9104cfe217a2dd714b00ae9a9683bbdac9f060ee42e2770f0a24828064c6e3302812133983b6f66d7fcb85d7c9477df9c77f14acc212fdfaa0f4ca960d7b6b66

Download Submit
C:\Windows\{F146404E-FE4F-4453-BD07-F9EF6BF6C1D0}.exe

Filesize
372KB

MD5
e3e84088d3a2100dbf23b779ce6838ef

SHA1
980c8aa9f7cb81cc7b41f7ea849878e3b2385494

SHA256
677f89714385b513e5ade58debc51cc735da0f2a2df41d18de6894cf531fbb51

SHA512
535dc90bc4fe2b1084f6f93d322ed2573e4ec65ab25aa0f8a14cb97987000ac831ef7811bf31c8004912fd7bd99326256e0ece888d3eaeaa13335a6ae752f08b

Download Submit
C:\Windows\{F146404E-FE4F-4453-BD07-F9EF6BF6C1D0}.exe

Filesize
372KB

MD5
e3e84088d3a2100dbf23b779ce6838ef

SHA1
980c8aa9f7cb81cc7b41f7ea849878e3b2385494

SHA256
677f89714385b513e5ade58debc51cc735da0f2a2df41d18de6894cf531fbb51

SHA512
535dc90bc4fe2b1084f6f93d322ed2573e4ec65ab25aa0f8a14cb97987000ac831ef7811bf31c8004912fd7bd99326256e0ece888d3eaeaa13335a6ae752f08b

Download Submit
C:\Windows\{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe

Filesize
372KB

MD5
fe473bcb43719d91af68852c0026050a

SHA1
f25efd7192faa62ed57de9d1b4768a692ba64401

SHA256
cd2fab78629456c23d5a8b7ac4ed7459c61adcc68f4dfa932843613f5f41811c

SHA512
7220deb70996267f4e111d264ab105ccccc5bec46ed9a140eb46e26657b5505929e83c7f26e19488ab0239b4a3377acd86814207341b570e54c0caf7e822caae

Download Submit
C:\Windows\{F85A7F4C-B433-4b03-A862-4E5FAA7E4F84}.exe

Filesize
372KB

MD5
fe473bcb43719d91af68852c0026050a

SHA1
f25efd7192faa62ed57de9d1b4768a692ba64401

SHA256
cd2fab78629456c23d5a8b7ac4ed7459c61adcc68f4dfa932843613f5f41811c

SHA512
7220deb70996267f4e111d264ab105ccccc5bec46ed9a140eb46e26657b5505929e83c7f26e19488ab0239b4a3377acd86814207341b570e54c0caf7e822caae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads