e0c1bd10baf59fb97c16f72c2879adef8453713dfb838f48e694c25964daf5c6

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
30/08/2023, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe
Size

216KB
MD5

e513ec73a054108973e01df3687c50cb
SHA1

74ef34fafe9fad1b00a51c7ea3f238f114e19952
SHA256

e0c1bd10baf59fb97c16f72c2879adef8453713dfb838f48e694c25964daf5c6
SHA512

ccdf8c95ff3081ffbd430ac061086aeb4cd28f1431c68e37e38d8a6b70186f14b7db99d4c83ea9e77bf6179ba4c42e83ceadcb8e84c33014134aef92f6cb17f2
SSDEEP

3072:jEGh0onl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG1lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7AE26DD-8B15-42be-AF12-295EE2195541}\stubpath = "C:\\Windows\\{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe"	{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{808E443D-F269-4921-9100-C7A8862CD69C}\stubpath = "C:\\Windows\\{808E443D-F269-4921-9100-C7A8862CD69C}.exe"	{16315A0C-7861-40a5-8A48-898FC9A189F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2780397-B95C-45c7-B42B-04206B19A954}	{808E443D-F269-4921-9100-C7A8862CD69C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{837F028E-FAC1-460c-976A-688923094E7B}	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7AE26DD-8B15-42be-AF12-295EE2195541}	{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}\stubpath = "C:\\Windows\\{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe"	{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCBFBEAF-5683-447e-BF94-22473A6F0CFD}\stubpath = "C:\\Windows\\{CCBFBEAF-5683-447e-BF94-22473A6F0CFD}.exe"	{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16315A0C-7861-40a5-8A48-898FC9A189F3}\stubpath = "C:\\Windows\\{16315A0C-7861-40a5-8A48-898FC9A189F3}.exe"	{CCBFBEAF-5683-447e-BF94-22473A6F0CFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{808E443D-F269-4921-9100-C7A8862CD69C}	{16315A0C-7861-40a5-8A48-898FC9A189F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D37478A-C205-4510-92B7-F0E721E10ED1}	{D2780397-B95C-45c7-B42B-04206B19A954}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}	{837F028E-FAC1-460c-976A-688923094E7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}\stubpath = "C:\\Windows\\{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe"	{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}	{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}	{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}\stubpath = "C:\\Windows\\{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe"	{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F696DE6-2533-4a76-A43F-7494EF584CCA}\stubpath = "C:\\Windows\\{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe"	{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCBFBEAF-5683-447e-BF94-22473A6F0CFD}	{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16315A0C-7861-40a5-8A48-898FC9A189F3}	{CCBFBEAF-5683-447e-BF94-22473A6F0CFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}\stubpath = "C:\\Windows\\{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe"	{837F028E-FAC1-460c-976A-688923094E7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}	{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D37478A-C205-4510-92B7-F0E721E10ED1}\stubpath = "C:\\Windows\\{3D37478A-C205-4510-92B7-F0E721E10ED1}.exe"	{D2780397-B95C-45c7-B42B-04206B19A954}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2780397-B95C-45c7-B42B-04206B19A954}\stubpath = "C:\\Windows\\{D2780397-B95C-45c7-B42B-04206B19A954}.exe"	{808E443D-F269-4921-9100-C7A8862CD69C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{837F028E-FAC1-460c-976A-688923094E7B}\stubpath = "C:\\Windows\\{837F028E-FAC1-460c-976A-688923094E7B}.exe"	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F696DE6-2533-4a76-A43F-7494EF584CCA}	{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe

Deletes itself 1 IoCs

pid	Process
620	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2304	{837F028E-FAC1-460c-976A-688923094E7B}.exe
2860	{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe
2988	{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe
2708	{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe
2736	{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe
2764	{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe
2904	{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe
1088	{CCBFBEAF-5683-447e-BF94-22473A6F0CFD}.exe
2592	{16315A0C-7861-40a5-8A48-898FC9A189F3}.exe
2628	{808E443D-F269-4921-9100-C7A8862CD69C}.exe
1460	{D2780397-B95C-45c7-B42B-04206B19A954}.exe
1364	{3D37478A-C205-4510-92B7-F0E721E10ED1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{837F028E-FAC1-460c-976A-688923094E7B}.exe	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe
File created	C:\Windows\{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe	{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe
File created	C:\Windows\{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe	{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe
File created	C:\Windows\{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe	{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe
File created	C:\Windows\{CCBFBEAF-5683-447e-BF94-22473A6F0CFD}.exe	{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe
File created	C:\Windows\{D2780397-B95C-45c7-B42B-04206B19A954}.exe	{808E443D-F269-4921-9100-C7A8862CD69C}.exe
File created	C:\Windows\{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe	{837F028E-FAC1-460c-976A-688923094E7B}.exe
File created	C:\Windows\{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe	{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe
File created	C:\Windows\{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe	{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe
File created	C:\Windows\{16315A0C-7861-40a5-8A48-898FC9A189F3}.exe	{CCBFBEAF-5683-447e-BF94-22473A6F0CFD}.exe
File created	C:\Windows\{808E443D-F269-4921-9100-C7A8862CD69C}.exe	{16315A0C-7861-40a5-8A48-898FC9A189F3}.exe
File created	C:\Windows\{3D37478A-C205-4510-92B7-F0E721E10ED1}.exe	{D2780397-B95C-45c7-B42B-04206B19A954}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1740	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2304	{837F028E-FAC1-460c-976A-688923094E7B}.exe
Token: SeIncBasePriorityPrivilege	2860	{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe
Token: SeIncBasePriorityPrivilege	2988	{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe
Token: SeIncBasePriorityPrivilege	2708	{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe
Token: SeIncBasePriorityPrivilege	2736	{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe
Token: SeIncBasePriorityPrivilege	2764	{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe
Token: SeIncBasePriorityPrivilege	2904	{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe
Token: SeIncBasePriorityPrivilege	1088	{CCBFBEAF-5683-447e-BF94-22473A6F0CFD}.exe
Token: SeIncBasePriorityPrivilege	2592	{16315A0C-7861-40a5-8A48-898FC9A189F3}.exe
Token: SeIncBasePriorityPrivilege	2628	{808E443D-F269-4921-9100-C7A8862CD69C}.exe
Token: SeIncBasePriorityPrivilege	1460	{D2780397-B95C-45c7-B42B-04206B19A954}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2304	1740	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe	29
PID 1740 wrote to memory of 2304	1740	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe	29
PID 1740 wrote to memory of 2304	1740	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe	29
PID 1740 wrote to memory of 2304	1740	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe	29
PID 1740 wrote to memory of 620	1740	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe	30
PID 1740 wrote to memory of 620	1740	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe	30
PID 1740 wrote to memory of 620	1740	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe	30
PID 1740 wrote to memory of 620	1740	e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe	30
PID 2304 wrote to memory of 2860	2304	{837F028E-FAC1-460c-976A-688923094E7B}.exe	31
PID 2304 wrote to memory of 2860	2304	{837F028E-FAC1-460c-976A-688923094E7B}.exe	31
PID 2304 wrote to memory of 2860	2304	{837F028E-FAC1-460c-976A-688923094E7B}.exe	31
PID 2304 wrote to memory of 2860	2304	{837F028E-FAC1-460c-976A-688923094E7B}.exe	31
PID 2304 wrote to memory of 2664	2304	{837F028E-FAC1-460c-976A-688923094E7B}.exe	32
PID 2304 wrote to memory of 2664	2304	{837F028E-FAC1-460c-976A-688923094E7B}.exe	32
PID 2304 wrote to memory of 2664	2304	{837F028E-FAC1-460c-976A-688923094E7B}.exe	32
PID 2304 wrote to memory of 2664	2304	{837F028E-FAC1-460c-976A-688923094E7B}.exe	32
PID 2860 wrote to memory of 2988	2860	{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe	33
PID 2860 wrote to memory of 2988	2860	{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe	33
PID 2860 wrote to memory of 2988	2860	{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe	33
PID 2860 wrote to memory of 2988	2860	{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe	33
PID 2860 wrote to memory of 2996	2860	{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe	34
PID 2860 wrote to memory of 2996	2860	{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe	34
PID 2860 wrote to memory of 2996	2860	{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe	34
PID 2860 wrote to memory of 2996	2860	{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe	34
PID 2988 wrote to memory of 2708	2988	{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe	35
PID 2988 wrote to memory of 2708	2988	{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe	35
PID 2988 wrote to memory of 2708	2988	{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe	35
PID 2988 wrote to memory of 2708	2988	{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe	35
PID 2988 wrote to memory of 2796	2988	{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe	36
PID 2988 wrote to memory of 2796	2988	{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe	36
PID 2988 wrote to memory of 2796	2988	{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe	36
PID 2988 wrote to memory of 2796	2988	{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe	36
PID 2708 wrote to memory of 2736	2708	{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe	37
PID 2708 wrote to memory of 2736	2708	{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe	37
PID 2708 wrote to memory of 2736	2708	{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe	37
PID 2708 wrote to memory of 2736	2708	{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe	37
PID 2708 wrote to memory of 2344	2708	{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe	38
PID 2708 wrote to memory of 2344	2708	{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe	38
PID 2708 wrote to memory of 2344	2708	{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe	38
PID 2708 wrote to memory of 2344	2708	{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe	38
PID 2736 wrote to memory of 2764	2736	{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe	40
PID 2736 wrote to memory of 2764	2736	{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe	40
PID 2736 wrote to memory of 2764	2736	{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe	40
PID 2736 wrote to memory of 2764	2736	{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe	40
PID 2736 wrote to memory of 2740	2736	{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe	39
PID 2736 wrote to memory of 2740	2736	{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe	39
PID 2736 wrote to memory of 2740	2736	{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe	39
PID 2736 wrote to memory of 2740	2736	{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe	39
PID 2764 wrote to memory of 2904	2764	{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe	41
PID 2764 wrote to memory of 2904	2764	{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe	41
PID 2764 wrote to memory of 2904	2764	{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe	41
PID 2764 wrote to memory of 2904	2764	{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe	41
PID 2764 wrote to memory of 2412	2764	{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe	42
PID 2764 wrote to memory of 2412	2764	{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe	42
PID 2764 wrote to memory of 2412	2764	{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe	42
PID 2764 wrote to memory of 2412	2764	{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe	42
PID 2904 wrote to memory of 1088	2904	{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe	43
PID 2904 wrote to memory of 1088	2904	{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe	43
PID 2904 wrote to memory of 1088	2904	{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe	43
PID 2904 wrote to memory of 1088	2904	{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe	43
PID 2904 wrote to memory of 2632	2904	{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe	44
PID 2904 wrote to memory of 2632	2904	{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe	44
PID 2904 wrote to memory of 2632	2904	{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe	44
PID 2904 wrote to memory of 2632	2904	{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe	44

C:\Users\Admin\AppData\Local\Temp\e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e513ec73a054108973e01df3687c50cb_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\{837F028E-FAC1-460c-976A-688923094E7B}.exe
  C:\Windows\{837F028E-FAC1-460c-976A-688923094E7B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe
    C:\Windows\{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe
      C:\Windows\{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe
        
        C:\Windows\{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe
        
        C:\Windows\{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67B3B~1.EXE > nul
        7⤵
        
        PID:2740
        
        C:\Windows\{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe
        
        C:\Windows\{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe
        
        C:\Windows\{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{CCBFBEAF-5683-447e-BF94-22473A6F0CFD}.exe
        
        C:\Windows\{CCBFBEAF-5683-447e-BF94-22473A6F0CFD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCBFB~1.EXE > nul
        10⤵
        
        PID:2656
        
        C:\Windows\{16315A0C-7861-40a5-8A48-898FC9A189F3}.exe
        
        C:\Windows\{16315A0C-7861-40a5-8A48-898FC9A189F3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16315~1.EXE > nul
        11⤵
        
        PID:3052
        
        C:\Windows\{808E443D-F269-4921-9100-C7A8862CD69C}.exe
        
        C:\Windows\{808E443D-F269-4921-9100-C7A8862CD69C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\{D2780397-B95C-45c7-B42B-04206B19A954}.exe
        
        C:\Windows\{D2780397-B95C-45c7-B42B-04206B19A954}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\{3D37478A-C205-4510-92B7-F0E721E10ED1}.exe
        
        C:\Windows\{3D37478A-C205-4510-92B7-F0E721E10ED1}.exe
        13⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2780~1.EXE > nul
        13⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{808E4~1.EXE > nul
        12⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F696~1.EXE > nul
        9⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B85B~1.EXE > nul
        8⤵
        
        PID:2412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E1D8~1.EXE > nul
        6⤵
        
        PID:2344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7AE2~1.EXE > nul
        5⤵
        
        PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1C38B~1.EXE > nul
      4⤵
      PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{837F0~1.EXE > nul
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E513EC~1.EXE > nul
  2⤵
  - Deletes itself
  PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16315A0C-7861-40a5-8A48-898FC9A189F3}.exe

Filesize
216KB

MD5
58b7b9aebeab368d93933b7c529f615b

SHA1
2558019a1bbbf06b6b50e5350a213bfebeb29156

SHA256
4c5f058aaf38bcd95315eb33f9f7e04634cfc80787085e01265681ce5e80fad7

SHA512
c9f1152f2669c9c5f0273c041af8159f282ca1343433fef48d5a875d55ccd19583dfba0c29b7d5beadfc164c906b9f4d8386c1178e2d4d727a54ccd2ecf3236f

Download Submit
C:\Windows\{16315A0C-7861-40a5-8A48-898FC9A189F3}.exe

Filesize
216KB

MD5
58b7b9aebeab368d93933b7c529f615b

SHA1
2558019a1bbbf06b6b50e5350a213bfebeb29156

SHA256
4c5f058aaf38bcd95315eb33f9f7e04634cfc80787085e01265681ce5e80fad7

SHA512
c9f1152f2669c9c5f0273c041af8159f282ca1343433fef48d5a875d55ccd19583dfba0c29b7d5beadfc164c906b9f4d8386c1178e2d4d727a54ccd2ecf3236f

Download Submit
C:\Windows\{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe

Filesize
216KB

MD5
003c0e1461fc8f1ad060ec391dcf9766

SHA1
c3494ab5fe1bd28b587b4b663b25c17488477b43

SHA256
9944b365fcb9cf00f43cd3262a6b705f10cb4096cc80f3a8a38514b338ffa1c5

SHA512
af70eeb68a05dd41e0b35d3c269d749c4b2ba696d85edf0ea8310b889dbf2c28b01a3c17f32bd5669c39932f8475690ef988a1fe8d7ffd545266814c97f6b5fd

Download Submit
C:\Windows\{1C38B336-E6ED-4792-9B5F-B3C0FC4307D7}.exe

Filesize
216KB

MD5
003c0e1461fc8f1ad060ec391dcf9766

SHA1
c3494ab5fe1bd28b587b4b663b25c17488477b43

SHA256
9944b365fcb9cf00f43cd3262a6b705f10cb4096cc80f3a8a38514b338ffa1c5

SHA512
af70eeb68a05dd41e0b35d3c269d749c4b2ba696d85edf0ea8310b889dbf2c28b01a3c17f32bd5669c39932f8475690ef988a1fe8d7ffd545266814c97f6b5fd

Download Submit
C:\Windows\{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe

Filesize
216KB

MD5
f7b11c3eccfb7265856fb45cd8e76b73

SHA1
9bdee52ef0ca38c2384cb791a24e8a51ba51645b

SHA256
0ff30363df495bdd857850cddbbcacbef0f672705c575dbcbb10f01f87a76298

SHA512
f35bd9ba2b0873f43506bc2ce179e4c5685d823a7d54326cabdc4f567497345648e058aecede9d765dac1a41733bd975b0cc0ea1c669523c513aa64e7444571e

Download Submit
C:\Windows\{3B85B1E4-6702-47de-9D5B-4370BC51EC6D}.exe

Filesize
216KB

MD5
f7b11c3eccfb7265856fb45cd8e76b73

SHA1
9bdee52ef0ca38c2384cb791a24e8a51ba51645b

SHA256
0ff30363df495bdd857850cddbbcacbef0f672705c575dbcbb10f01f87a76298

SHA512
f35bd9ba2b0873f43506bc2ce179e4c5685d823a7d54326cabdc4f567497345648e058aecede9d765dac1a41733bd975b0cc0ea1c669523c513aa64e7444571e

Download Submit
C:\Windows\{3D37478A-C205-4510-92B7-F0E721E10ED1}.exe

Filesize
216KB

MD5
a59d6bcfb8bac6f69af3a85c46ab3ea1

SHA1
287edd2e416da1e966dd032baddccbbc4a554c3c

SHA256
98e2e20416cdceae426e9bb33cc5dbab6a96f034be291b61d2919f2b4dbca32c

SHA512
0ffac697bc85ecd98e5d113dacebf52727d43939912e314fd0cefb17feb609ec5617ad55ae6af8588ef1d4fc46520bfbd770f2ab4bd15021a82d881820d23462

Download Submit
C:\Windows\{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe

Filesize
216KB

MD5
208d45537b57778fa679f82819f084c6

SHA1
c40112f594422ad9490baf2eef9d860dbff6f237

SHA256
6ef72dcc0a383207d29fc4dc2ef746d9b5074316121ad0b44ef97a6f832479da

SHA512
4f1466f03974758a842a2b07112dc7b8ae9c882b97209fe4c9f7a95116e677d7312f0b08bd412edb8f0681e2de50280939c6efd51e1e88094293c5dca6209f73

Download Submit
C:\Windows\{67B3B8E3-0024-47f3-AB2A-D57C3E722B2B}.exe

Filesize
216KB

MD5
208d45537b57778fa679f82819f084c6

SHA1
c40112f594422ad9490baf2eef9d860dbff6f237

SHA256
6ef72dcc0a383207d29fc4dc2ef746d9b5074316121ad0b44ef97a6f832479da

SHA512
4f1466f03974758a842a2b07112dc7b8ae9c882b97209fe4c9f7a95116e677d7312f0b08bd412edb8f0681e2de50280939c6efd51e1e88094293c5dca6209f73

Download Submit
C:\Windows\{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe

Filesize
216KB

MD5
2e2ac64c1ad5c0874a720de5832c1659

SHA1
ce9e4efc0a4aead44fc7a63a6b75225c2496cfb1

SHA256
9ded6de8b9cf8739d2392cdfb3822c23d88509bb9f9456b953d23add65a5440a

SHA512
86a9c64173c7b95d4f6936a5a72c7fd45f75d7240b97645d6c59c668b2a5c51ec60db3117e5a99b0a0d0042cd874808615ae77aec61e7a995e9a231646a65658

Download Submit
C:\Windows\{7E1D8A5B-E1D7-4189-8DCF-F349DFC0852C}.exe

Filesize
216KB

MD5
2e2ac64c1ad5c0874a720de5832c1659

SHA1
ce9e4efc0a4aead44fc7a63a6b75225c2496cfb1

SHA256
9ded6de8b9cf8739d2392cdfb3822c23d88509bb9f9456b953d23add65a5440a

SHA512
86a9c64173c7b95d4f6936a5a72c7fd45f75d7240b97645d6c59c668b2a5c51ec60db3117e5a99b0a0d0042cd874808615ae77aec61e7a995e9a231646a65658

Download Submit
C:\Windows\{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe

Filesize
216KB

MD5
f1ecb0d28e7b33dd6ae9286e65f40048

SHA1
5f2317a64997f1c3fd66de99fe7910865aa32404

SHA256
9766b5c00c573d5a74be57d7cb169fcaa2f2a421cbb60e4a6e5be577a61d2a2c

SHA512
63766269453bc7c61390a855887e11479bfb4819fa1780a940bbee5265d4c64a2816dd6081d528e537cb02c9a51c5f97ff5876098f6012a895ffb8043d091efa

Download Submit
C:\Windows\{7F696DE6-2533-4a76-A43F-7494EF584CCA}.exe

Filesize
216KB

MD5
f1ecb0d28e7b33dd6ae9286e65f40048

SHA1
5f2317a64997f1c3fd66de99fe7910865aa32404

SHA256
9766b5c00c573d5a74be57d7cb169fcaa2f2a421cbb60e4a6e5be577a61d2a2c

SHA512
63766269453bc7c61390a855887e11479bfb4819fa1780a940bbee5265d4c64a2816dd6081d528e537cb02c9a51c5f97ff5876098f6012a895ffb8043d091efa

Download Submit
C:\Windows\{808E443D-F269-4921-9100-C7A8862CD69C}.exe

Filesize
216KB

MD5
19a2e5d6045eb880facd80ea108a82d1

SHA1
77b459d49d01bb7cb4c115c71fa645384b9edde6

SHA256
372408cb140a8d6176d43336b3446436f55453b3f1be7f466a99401154b41b45

SHA512
6188791f51d956fb43cd89d9d3767c29210b35afbd7895c95f91552852b2a59fa0f45793fa2defb5040e37f04f573a06f9294cfd77f848a01f647430a675a78b

Download Submit
C:\Windows\{808E443D-F269-4921-9100-C7A8862CD69C}.exe

Filesize
216KB

MD5
19a2e5d6045eb880facd80ea108a82d1

SHA1
77b459d49d01bb7cb4c115c71fa645384b9edde6

SHA256
372408cb140a8d6176d43336b3446436f55453b3f1be7f466a99401154b41b45

SHA512
6188791f51d956fb43cd89d9d3767c29210b35afbd7895c95f91552852b2a59fa0f45793fa2defb5040e37f04f573a06f9294cfd77f848a01f647430a675a78b

Download Submit
C:\Windows\{837F028E-FAC1-460c-976A-688923094E7B}.exe

Filesize
216KB

MD5
c3cbbb13aa30b27440cb94afcaee1ca3

SHA1
db87b87665e0d8e287c88b4e771ff9ab9a188f6a

SHA256
564ab8197655155c7400538ab09fa18f8d8ac2ad7ab3c199c625acc6ae8c4b24

SHA512
5f14d350fad94dd159731b7dcc5a65786d2dc188af1ca82de6937af46a7ec60ec8547b9b799b4328c4c98b07c32d2985b8bbe202e0aba268f6f9d4290b6987e7

Download Submit
C:\Windows\{837F028E-FAC1-460c-976A-688923094E7B}.exe

Filesize
216KB

MD5
c3cbbb13aa30b27440cb94afcaee1ca3

SHA1
db87b87665e0d8e287c88b4e771ff9ab9a188f6a

SHA256
564ab8197655155c7400538ab09fa18f8d8ac2ad7ab3c199c625acc6ae8c4b24

SHA512
5f14d350fad94dd159731b7dcc5a65786d2dc188af1ca82de6937af46a7ec60ec8547b9b799b4328c4c98b07c32d2985b8bbe202e0aba268f6f9d4290b6987e7

Download Submit
C:\Windows\{837F028E-FAC1-460c-976A-688923094E7B}.exe

Filesize
216KB

MD5
c3cbbb13aa30b27440cb94afcaee1ca3

SHA1
db87b87665e0d8e287c88b4e771ff9ab9a188f6a

SHA256
564ab8197655155c7400538ab09fa18f8d8ac2ad7ab3c199c625acc6ae8c4b24

SHA512
5f14d350fad94dd159731b7dcc5a65786d2dc188af1ca82de6937af46a7ec60ec8547b9b799b4328c4c98b07c32d2985b8bbe202e0aba268f6f9d4290b6987e7

Download Submit
C:\Windows\{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe

Filesize
216KB

MD5
a5ee3e7e96b350c9d7c35130feafcde6

SHA1
3f494769ba60740894b67a7b6f4d24892791fae4

SHA256
dce87f92d870b501e33bdaec4db393d84aab9a2d322fba544825d049967c49a1

SHA512
67129f2f920ff6a8a66134e0fc216bf03b4cbff7f5950130ef37e9698cbc0333d6946945f6ac5cdabff68bfcab0a1da07591e4c55e947447229aaf5bf4e041d2

Download Submit
C:\Windows\{A7AE26DD-8B15-42be-AF12-295EE2195541}.exe

Filesize
216KB

MD5
a5ee3e7e96b350c9d7c35130feafcde6

SHA1
3f494769ba60740894b67a7b6f4d24892791fae4

SHA256
dce87f92d870b501e33bdaec4db393d84aab9a2d322fba544825d049967c49a1

SHA512
67129f2f920ff6a8a66134e0fc216bf03b4cbff7f5950130ef37e9698cbc0333d6946945f6ac5cdabff68bfcab0a1da07591e4c55e947447229aaf5bf4e041d2

Download Submit
C:\Windows\{CCBFBEAF-5683-447e-BF94-22473A6F0CFD}.exe

Filesize
216KB

MD5
7e46422a922b9a1b67ec1f12a7d09a33

SHA1
f94a9ea9726301220e066a336775b64ba2d1a121

SHA256
9acf6eeaf5505b89646fec601e071e0991f566fb0f0684f6bba8547aaae06bc8

SHA512
050e2293ed26fa8cab04a88c9df914948c7e778319a2acb11b2328d12b24458a82f6495a1653e59165e4d57aed2fc4d306af3a90f38c97376c36aa70e6ed498f

Download Submit
C:\Windows\{CCBFBEAF-5683-447e-BF94-22473A6F0CFD}.exe

Filesize
216KB

MD5
7e46422a922b9a1b67ec1f12a7d09a33

SHA1
f94a9ea9726301220e066a336775b64ba2d1a121

SHA256
9acf6eeaf5505b89646fec601e071e0991f566fb0f0684f6bba8547aaae06bc8

SHA512
050e2293ed26fa8cab04a88c9df914948c7e778319a2acb11b2328d12b24458a82f6495a1653e59165e4d57aed2fc4d306af3a90f38c97376c36aa70e6ed498f

Download Submit
C:\Windows\{D2780397-B95C-45c7-B42B-04206B19A954}.exe

Filesize
216KB

MD5
8a3844353fb8c97b0549e05f743cbc10

SHA1
2d68eb83797cc966545a3b19326ed1e32fd51f50

SHA256
63a52de01de7fa2769207c9fec87c6f941ae925264c76ead72b410181a428972

SHA512
31f60a9237ff250a97d3525a5da19f07021dec2c7e0530ba213f656ea32c55fe94312b2bed900e2bf7c5ac2f501b9dc396936d7f78d760bf84718049a59cd541

Download Submit
C:\Windows\{D2780397-B95C-45c7-B42B-04206B19A954}.exe

Filesize
216KB

MD5
8a3844353fb8c97b0549e05f743cbc10

SHA1
2d68eb83797cc966545a3b19326ed1e32fd51f50

SHA256
63a52de01de7fa2769207c9fec87c6f941ae925264c76ead72b410181a428972

SHA512
31f60a9237ff250a97d3525a5da19f07021dec2c7e0530ba213f656ea32c55fe94312b2bed900e2bf7c5ac2f501b9dc396936d7f78d760bf84718049a59cd541

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads