bd9d441809fd2bcfc05f2510e08fc127508cac663313607495a9e1f157cb88d9

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
29/08/2023, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe
Size

168KB
MD5

d99e93b2b0ab3a94f080df015fdf8475
SHA1

b64e68e6491c320963a31e5dfd67ee130aa26704
SHA256

bd9d441809fd2bcfc05f2510e08fc127508cac663313607495a9e1f157cb88d9
SHA512

fee408c95b607137d3cbc767373d5b0e4c9ffa463fc47beace1f000e21b049bf81476970492509c96855dce7e3d19db0ac9955cdc4ef82f69793a7f496d79072
SSDEEP

1536:1EGh0oDlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oDlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A13FD95-A6B5-4837-8A53-E9B30819F655}	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D821735-F27F-4ec5-AE8D-179EED02B385}	{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD899A58-353F-47c5-A540-4B9243F2BE52}\stubpath = "C:\\Windows\\{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe"	{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}\stubpath = "C:\\Windows\\{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe"	{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4F591BA-3C8B-4eca-A33A-0761E3D80859}\stubpath = "C:\\Windows\\{D4F591BA-3C8B-4eca-A33A-0761E3D80859}.exe"	{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{240E18AF-DCA9-421c-9DDF-943CE19F614A}	{FA2B1649-C0F8-42f5-9F3E-0555E13C60B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{240E18AF-DCA9-421c-9DDF-943CE19F614A}\stubpath = "C:\\Windows\\{240E18AF-DCA9-421c-9DDF-943CE19F614A}.exe"	{FA2B1649-C0F8-42f5-9F3E-0555E13C60B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1507C40A-EF4D-44ac-83CA-89945302B58B}\stubpath = "C:\\Windows\\{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe"	{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D821735-F27F-4ec5-AE8D-179EED02B385}\stubpath = "C:\\Windows\\{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe"	{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD899A58-353F-47c5-A540-4B9243F2BE52}	{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6DB90B9-3A4D-4bdd-9D7D-1AB7889655D8}	{240E18AF-DCA9-421c-9DDF-943CE19F614A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6DB90B9-3A4D-4bdd-9D7D-1AB7889655D8}\stubpath = "C:\\Windows\\{C6DB90B9-3A4D-4bdd-9D7D-1AB7889655D8}.exe"	{240E18AF-DCA9-421c-9DDF-943CE19F614A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A13FD95-A6B5-4837-8A53-E9B30819F655}\stubpath = "C:\\Windows\\{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe"	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1507C40A-EF4D-44ac-83CA-89945302B58B}	{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4F591BA-3C8B-4eca-A33A-0761E3D80859}	{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}\stubpath = "C:\\Windows\\{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe"	{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}	{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA2B1649-C0F8-42f5-9F3E-0555E13C60B2}	{D4F591BA-3C8B-4eca-A33A-0761E3D80859}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA2B1649-C0F8-42f5-9F3E-0555E13C60B2}\stubpath = "C:\\Windows\\{FA2B1649-C0F8-42f5-9F3E-0555E13C60B2}.exe"	{D4F591BA-3C8B-4eca-A33A-0761E3D80859}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E891B034-89F1-49d9-9724-7E720BC1CA32}	{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E891B034-89F1-49d9-9724-7E720BC1CA32}\stubpath = "C:\\Windows\\{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe"	{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}	{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe

Deletes itself 1 IoCs

pid	Process
2580	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1640	{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe
2960	{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe
2400	{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe
2952	{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe
2944	{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe
2704	{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe
2308	{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe
1016	{D4F591BA-3C8B-4eca-A33A-0761E3D80859}.exe
1112	{FA2B1649-C0F8-42f5-9F3E-0555E13C60B2}.exe
824	{240E18AF-DCA9-421c-9DDF-943CE19F614A}.exe
2288	{C6DB90B9-3A4D-4bdd-9D7D-1AB7889655D8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe	{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe
File created	C:\Windows\{D4F591BA-3C8B-4eca-A33A-0761E3D80859}.exe	{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe
File created	C:\Windows\{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe	{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe
File created	C:\Windows\{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe	{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe
File created	C:\Windows\{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe	{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe
File created	C:\Windows\{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe	{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe
File created	C:\Windows\{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe	{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe
File created	C:\Windows\{FA2B1649-C0F8-42f5-9F3E-0555E13C60B2}.exe	{D4F591BA-3C8B-4eca-A33A-0761E3D80859}.exe
File created	C:\Windows\{240E18AF-DCA9-421c-9DDF-943CE19F614A}.exe	{FA2B1649-C0F8-42f5-9F3E-0555E13C60B2}.exe
File created	C:\Windows\{C6DB90B9-3A4D-4bdd-9D7D-1AB7889655D8}.exe	{240E18AF-DCA9-421c-9DDF-943CE19F614A}.exe
File created	C:\Windows\{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2476	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1640	{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe
Token: SeIncBasePriorityPrivilege	2960	{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe
Token: SeIncBasePriorityPrivilege	2400	{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe
Token: SeIncBasePriorityPrivilege	2952	{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe
Token: SeIncBasePriorityPrivilege	2944	{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe
Token: SeIncBasePriorityPrivilege	2704	{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe
Token: SeIncBasePriorityPrivilege	2308	{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe
Token: SeIncBasePriorityPrivilege	1016	{D4F591BA-3C8B-4eca-A33A-0761E3D80859}.exe
Token: SeIncBasePriorityPrivilege	1112	{FA2B1649-C0F8-42f5-9F3E-0555E13C60B2}.exe
Token: SeIncBasePriorityPrivilege	824	{240E18AF-DCA9-421c-9DDF-943CE19F614A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1640	2476	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe	28
PID 2476 wrote to memory of 1640	2476	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe	28
PID 2476 wrote to memory of 1640	2476	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe	28
PID 2476 wrote to memory of 1640	2476	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe	28
PID 2476 wrote to memory of 2580	2476	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe	29
PID 2476 wrote to memory of 2580	2476	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe	29
PID 2476 wrote to memory of 2580	2476	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe	29
PID 2476 wrote to memory of 2580	2476	d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe	29
PID 1640 wrote to memory of 2960	1640	{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe	32
PID 1640 wrote to memory of 2960	1640	{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe	32
PID 1640 wrote to memory of 2960	1640	{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe	32
PID 1640 wrote to memory of 2960	1640	{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe	32
PID 1640 wrote to memory of 2848	1640	{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe	33
PID 1640 wrote to memory of 2848	1640	{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe	33
PID 1640 wrote to memory of 2848	1640	{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe	33
PID 1640 wrote to memory of 2848	1640	{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe	33
PID 2960 wrote to memory of 2400	2960	{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe	34
PID 2960 wrote to memory of 2400	2960	{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe	34
PID 2960 wrote to memory of 2400	2960	{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe	34
PID 2960 wrote to memory of 2400	2960	{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe	34
PID 2960 wrote to memory of 2396	2960	{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe	35
PID 2960 wrote to memory of 2396	2960	{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe	35
PID 2960 wrote to memory of 2396	2960	{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe	35
PID 2960 wrote to memory of 2396	2960	{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe	35
PID 2400 wrote to memory of 2952	2400	{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe	36
PID 2400 wrote to memory of 2952	2400	{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe	36
PID 2400 wrote to memory of 2952	2400	{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe	36
PID 2400 wrote to memory of 2952	2400	{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe	36
PID 2400 wrote to memory of 1208	2400	{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe	37
PID 2400 wrote to memory of 1208	2400	{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe	37
PID 2400 wrote to memory of 1208	2400	{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe	37
PID 2400 wrote to memory of 1208	2400	{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe	37
PID 2952 wrote to memory of 2944	2952	{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe	38
PID 2952 wrote to memory of 2944	2952	{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe	38
PID 2952 wrote to memory of 2944	2952	{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe	38
PID 2952 wrote to memory of 2944	2952	{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe	38
PID 2952 wrote to memory of 2748	2952	{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe	39
PID 2952 wrote to memory of 2748	2952	{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe	39
PID 2952 wrote to memory of 2748	2952	{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe	39
PID 2952 wrote to memory of 2748	2952	{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe	39
PID 2944 wrote to memory of 2704	2944	{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe	40
PID 2944 wrote to memory of 2704	2944	{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe	40
PID 2944 wrote to memory of 2704	2944	{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe	40
PID 2944 wrote to memory of 2704	2944	{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe	40
PID 2944 wrote to memory of 1288	2944	{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe	41
PID 2944 wrote to memory of 1288	2944	{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe	41
PID 2944 wrote to memory of 1288	2944	{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe	41
PID 2944 wrote to memory of 1288	2944	{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe	41
PID 2704 wrote to memory of 2308	2704	{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe	42
PID 2704 wrote to memory of 2308	2704	{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe	42
PID 2704 wrote to memory of 2308	2704	{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe	42
PID 2704 wrote to memory of 2308	2704	{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe	42
PID 2704 wrote to memory of 328	2704	{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe	43
PID 2704 wrote to memory of 328	2704	{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe	43
PID 2704 wrote to memory of 328	2704	{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe	43
PID 2704 wrote to memory of 328	2704	{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe	43
PID 2308 wrote to memory of 1016	2308	{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe	44
PID 2308 wrote to memory of 1016	2308	{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe	44
PID 2308 wrote to memory of 1016	2308	{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe	44
PID 2308 wrote to memory of 1016	2308	{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe	44
PID 2308 wrote to memory of 580	2308	{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe	45
PID 2308 wrote to memory of 580	2308	{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe	45
PID 2308 wrote to memory of 580	2308	{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe	45
PID 2308 wrote to memory of 580	2308	{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe	45

C:\Users\Admin\AppData\Local\Temp\d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\d99e93b2b0ab3a94f080df015fdf8475_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe
  C:\Windows\{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe
    C:\Windows\{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe
      C:\Windows\{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe
        
        C:\Windows\{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe
        
        C:\Windows\{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe
        
        C:\Windows\{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe
        
        C:\Windows\{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\{D4F591BA-3C8B-4eca-A33A-0761E3D80859}.exe
        
        C:\Windows\{D4F591BA-3C8B-4eca-A33A-0761E3D80859}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\{FA2B1649-C0F8-42f5-9F3E-0555E13C60B2}.exe
        
        C:\Windows\{FA2B1649-C0F8-42f5-9F3E-0555E13C60B2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\{240E18AF-DCA9-421c-9DDF-943CE19F614A}.exe
        
        C:\Windows\{240E18AF-DCA9-421c-9DDF-943CE19F614A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
        
        C:\Windows\{C6DB90B9-3A4D-4bdd-9D7D-1AB7889655D8}.exe
        
        C:\Windows\{C6DB90B9-3A4D-4bdd-9D7D-1AB7889655D8}.exe
        12⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{240E1~1.EXE > nul
        12⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA2B1~1.EXE > nul
        11⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4F59~1.EXE > nul
        10⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C434F~1.EXE > nul
        9⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD899~1.EXE > nul
        8⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD638~1.EXE > nul
        7⤵
        
        PID:1288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E891B~1.EXE > nul
        6⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D821~1.EXE > nul
        5⤵
        
        PID:1208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1507C~1.EXE > nul
      4⤵
      PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9A13F~1.EXE > nul
    3⤵
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D99E93~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe

Filesize
168KB

MD5
7711ff5e99c05047704cbfd1a5cc484e

SHA1
02ae707c91f3d06772bf21223a3ff3912f28a817

SHA256
5871a5399fe294d2863bca3b8fc01ad6f0b0c22ca2e45aba5e2949f4db853e6c

SHA512
d6692cd7bff0d67d4d4614b6057af183a31e2966a4cf3df5c6c4c90a99c202658756425f683e93e30d952bcbd9a8c89cde8aa91645d8cf23f1f4524fdbcbbbc6

Download Submit
C:\Windows\{1507C40A-EF4D-44ac-83CA-89945302B58B}.exe

Filesize
168KB

MD5
7711ff5e99c05047704cbfd1a5cc484e

SHA1
02ae707c91f3d06772bf21223a3ff3912f28a817

SHA256
5871a5399fe294d2863bca3b8fc01ad6f0b0c22ca2e45aba5e2949f4db853e6c

SHA512
d6692cd7bff0d67d4d4614b6057af183a31e2966a4cf3df5c6c4c90a99c202658756425f683e93e30d952bcbd9a8c89cde8aa91645d8cf23f1f4524fdbcbbbc6

Download Submit
C:\Windows\{240E18AF-DCA9-421c-9DDF-943CE19F614A}.exe

Filesize
168KB

MD5
f0385d63161a94b0c522c4c6e7c74c72

SHA1
0fef27fa4cafb463325295858d6bf80a74cb3404

SHA256
a136a709705d6dc50d714d5906e37bb50f264f52ae01873dfaa748dcdd899c2f

SHA512
7126d8c4328a662c79cd788636c634bf88db7bc9dab445dc59e0832974f2edbdbdd9667e50e13b800017096d45dc4b598cd62955350a6cdf38f326a114c1cc3e

Download Submit
C:\Windows\{240E18AF-DCA9-421c-9DDF-943CE19F614A}.exe

Filesize
168KB

MD5
f0385d63161a94b0c522c4c6e7c74c72

SHA1
0fef27fa4cafb463325295858d6bf80a74cb3404

SHA256
a136a709705d6dc50d714d5906e37bb50f264f52ae01873dfaa748dcdd899c2f

SHA512
7126d8c4328a662c79cd788636c634bf88db7bc9dab445dc59e0832974f2edbdbdd9667e50e13b800017096d45dc4b598cd62955350a6cdf38f326a114c1cc3e

Download Submit
C:\Windows\{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe

Filesize
168KB

MD5
7608c3b991ec8feed54a00ea1485d61b

SHA1
3b6ca17ce025c5ec4bc5e31c505e837bde3fa260

SHA256
4f33cb707bd8f9a50d17dc7afbebf8a454c23c9b848c2b12b8bfa6c8be3fbf1b

SHA512
716a3f96ff8e739a509cbe95acf7f916bda34f74b2254bd6d0e2a35c9b4fac824724920f3eb1ef2a2d841ad5a9779d885d21875b635fdd10065ab7f57bac8e94

Download Submit
C:\Windows\{5D821735-F27F-4ec5-AE8D-179EED02B385}.exe

Filesize
168KB

MD5
7608c3b991ec8feed54a00ea1485d61b

SHA1
3b6ca17ce025c5ec4bc5e31c505e837bde3fa260

SHA256
4f33cb707bd8f9a50d17dc7afbebf8a454c23c9b848c2b12b8bfa6c8be3fbf1b

SHA512
716a3f96ff8e739a509cbe95acf7f916bda34f74b2254bd6d0e2a35c9b4fac824724920f3eb1ef2a2d841ad5a9779d885d21875b635fdd10065ab7f57bac8e94

Download Submit
C:\Windows\{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe

Filesize
168KB

MD5
3c2c437c8a056e5158ea4c673456d22c

SHA1
b3d404424c732d892c570567ca3a781fa6888511

SHA256
18ef4b6ede4aff2b7796e1102ad272b57c9e853d947a8176c2e234b2dfb6936d

SHA512
4adca252b242421ca6d86df4d646aa39e35e137836aaa03f7062418ce2bc43673466d8941233b55191930b25b9acd03a6ba859630567485c1a2198207a095797

Download Submit
C:\Windows\{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe

Filesize
168KB

MD5
3c2c437c8a056e5158ea4c673456d22c

SHA1
b3d404424c732d892c570567ca3a781fa6888511

SHA256
18ef4b6ede4aff2b7796e1102ad272b57c9e853d947a8176c2e234b2dfb6936d

SHA512
4adca252b242421ca6d86df4d646aa39e35e137836aaa03f7062418ce2bc43673466d8941233b55191930b25b9acd03a6ba859630567485c1a2198207a095797

Download Submit
C:\Windows\{9A13FD95-A6B5-4837-8A53-E9B30819F655}.exe

Filesize
168KB

MD5
3c2c437c8a056e5158ea4c673456d22c

SHA1
b3d404424c732d892c570567ca3a781fa6888511

SHA256
18ef4b6ede4aff2b7796e1102ad272b57c9e853d947a8176c2e234b2dfb6936d

SHA512
4adca252b242421ca6d86df4d646aa39e35e137836aaa03f7062418ce2bc43673466d8941233b55191930b25b9acd03a6ba859630567485c1a2198207a095797

Download Submit
C:\Windows\{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe

Filesize
168KB

MD5
1533e98a8b2e8c5feb3b90a1efdcdf7b

SHA1
c161d6dbbf8de120ff85e346953064f891e874ab

SHA256
02bd50e669f0930bbd53fbb2792ee60034a4b6700736072a9e14aa392c5ab5fe

SHA512
2d7246ae8b9ed3148834377021fedc3623e67477ec6b404debd8e499fb9a35a03611cfa52d636ec8fee7ea053fe3eb9d6ff62413c1b1e8a1230ab983ee9b13a6

Download Submit
C:\Windows\{C434FC90-3A61-4e47-8CB4-7EA3FE9FFC8C}.exe

Filesize
168KB

MD5
1533e98a8b2e8c5feb3b90a1efdcdf7b

SHA1
c161d6dbbf8de120ff85e346953064f891e874ab

SHA256
02bd50e669f0930bbd53fbb2792ee60034a4b6700736072a9e14aa392c5ab5fe

SHA512
2d7246ae8b9ed3148834377021fedc3623e67477ec6b404debd8e499fb9a35a03611cfa52d636ec8fee7ea053fe3eb9d6ff62413c1b1e8a1230ab983ee9b13a6

Download Submit
C:\Windows\{C6DB90B9-3A4D-4bdd-9D7D-1AB7889655D8}.exe

Filesize
168KB

MD5
2df78322c9d920c8fa4088b70cd1a900

SHA1
33ecd446cd11026f4d7f919d93a0e84105a71427

SHA256
058241d2ac79a718d47bcddd67f4a3c0d67a1df7ac7403938328f29c194ba726

SHA512
085f665da660d987ce7b4fc7712e3d58faa331b51f57751e66827269dbccc88bcc6827ca5ed248f23a48ea855f75f095700bc227a2a9f19a85be78cb2bdabdd9

Download Submit
C:\Windows\{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe

Filesize
168KB

MD5
0681b2ee30cacc98c5f5c80b21196ff0

SHA1
1ea7db3be61632e3b0a34fa0062e9cee6e2e05fc

SHA256
0c771d41499dbe52637c4ba6c450600a09380d3a40b8251d07a17415081f994e

SHA512
5f7c3e5243f8f97b2dd1d895406010442a776e2d6c9ff29d05835716a947424dd21dc8ec20c5220261bdb2ca6cfe21d0e10bb01577f8263f152c9a03b258268e

Download Submit
C:\Windows\{CD899A58-353F-47c5-A540-4B9243F2BE52}.exe

Filesize
168KB

MD5
0681b2ee30cacc98c5f5c80b21196ff0

SHA1
1ea7db3be61632e3b0a34fa0062e9cee6e2e05fc

SHA256
0c771d41499dbe52637c4ba6c450600a09380d3a40b8251d07a17415081f994e

SHA512
5f7c3e5243f8f97b2dd1d895406010442a776e2d6c9ff29d05835716a947424dd21dc8ec20c5220261bdb2ca6cfe21d0e10bb01577f8263f152c9a03b258268e

Download Submit
C:\Windows\{D4F591BA-3C8B-4eca-A33A-0761E3D80859}.exe

Filesize
168KB

MD5
1c4e9abcd9d24ce4730a5bcb662a597a

SHA1
e50e528a5190c77244671a31a926a76802c79d2e

SHA256
eb0af9ab6ef6bb08f5cffcb9f1812140fac3fd67423c45b9f0e6d08ebaf78658

SHA512
83dd285b3dd4f1423467e9fd9f7bbeff1b0c0eeedbf0575043fc73bf7be1769ea44f680e73c761d8d1679ea289a1d3d33bb5c7a2d76fcbe6524cd3fc0d07e381

Download Submit
C:\Windows\{D4F591BA-3C8B-4eca-A33A-0761E3D80859}.exe

Filesize
168KB

MD5
1c4e9abcd9d24ce4730a5bcb662a597a

SHA1
e50e528a5190c77244671a31a926a76802c79d2e

SHA256
eb0af9ab6ef6bb08f5cffcb9f1812140fac3fd67423c45b9f0e6d08ebaf78658

SHA512
83dd285b3dd4f1423467e9fd9f7bbeff1b0c0eeedbf0575043fc73bf7be1769ea44f680e73c761d8d1679ea289a1d3d33bb5c7a2d76fcbe6524cd3fc0d07e381

Download Submit
C:\Windows\{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe

Filesize
168KB

MD5
d61b0de404058e628b107b4bbf15f495

SHA1
3094f706ba1a87889254085d417cb287c658cb7d

SHA256
7ede1cd7d7a2be265aa653d7e95e81883bfb2813d96926f0fde5208d52b38e51

SHA512
b23f32124f81d93e28409c1d56625ba8e24954c5e6b40c1f5a10361d2d2aebf3958236e1a527928e416cc72514af572a5cf6a1782246b0c5acc3edeb3b5cfc0b

Download Submit
C:\Windows\{DD638365-5423-4d3b-BFB9-4BDA81F7EF53}.exe

Filesize
168KB

MD5
d61b0de404058e628b107b4bbf15f495

SHA1
3094f706ba1a87889254085d417cb287c658cb7d

SHA256
7ede1cd7d7a2be265aa653d7e95e81883bfb2813d96926f0fde5208d52b38e51

SHA512
b23f32124f81d93e28409c1d56625ba8e24954c5e6b40c1f5a10361d2d2aebf3958236e1a527928e416cc72514af572a5cf6a1782246b0c5acc3edeb3b5cfc0b

Download Submit
C:\Windows\{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe

Filesize
168KB

MD5
53af028c491dce67dc77fe6abebbaf9f

SHA1
a3dbebf491f3132ab3936c7bb828aa868563f6f2

SHA256
1e011effb0f13fc8b36c01aac98260b63ba0e2444febbf6a9b494fb8a6d82da3

SHA512
1e48e3873f35c1b8a2262bb294161bc3d8445e22600dc2374b9f2edfd23ee32434b252338576af52815bb5523e96296a25afe3ba491880d0e526707bcaede41f

Download Submit
C:\Windows\{E891B034-89F1-49d9-9724-7E720BC1CA32}.exe

Filesize
168KB

MD5
53af028c491dce67dc77fe6abebbaf9f

SHA1
a3dbebf491f3132ab3936c7bb828aa868563f6f2

SHA256
1e011effb0f13fc8b36c01aac98260b63ba0e2444febbf6a9b494fb8a6d82da3

SHA512
1e48e3873f35c1b8a2262bb294161bc3d8445e22600dc2374b9f2edfd23ee32434b252338576af52815bb5523e96296a25afe3ba491880d0e526707bcaede41f

Download Submit
C:\Windows\{FA2B1649-C0F8-42f5-9F3E-0555E13C60B2}.exe

Filesize
168KB

MD5
18932587a798537a715c510fbb6310d6

SHA1
b7e324705b7e5e7bf7f4064a60fcfeb59fe4d479

SHA256
d8f405f68e1318009e34153d1d74529555225250aca5798659cd79d2bbaa1ae1

SHA512
addeabe5d5a854d53e7724d30f762cfc899b47d881bf2bdf3f1c7a3b4db63510b8a79840c383e948af5bff4b5f9983b1c8a3a45a383c5716bc83e08eed88e777

Download Submit
C:\Windows\{FA2B1649-C0F8-42f5-9F3E-0555E13C60B2}.exe

Filesize
168KB

MD5
18932587a798537a715c510fbb6310d6

SHA1
b7e324705b7e5e7bf7f4064a60fcfeb59fe4d479

SHA256
d8f405f68e1318009e34153d1d74529555225250aca5798659cd79d2bbaa1ae1

SHA512
addeabe5d5a854d53e7724d30f762cfc899b47d881bf2bdf3f1c7a3b4db63510b8a79840c383e948af5bff4b5f9983b1c8a3a45a383c5716bc83e08eed88e777

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads