ccf83cc0902faf459f2ea1d50ef6790f408014dab489f38603346458322a53cb

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
30/08/2023, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe
Size

192KB
MD5

edb8b3a91d60a8be436b90cc7a2ae624
SHA1

60eda678b72bb66778c9908b80a239fecd338699
SHA256

ccf83cc0902faf459f2ea1d50ef6790f408014dab489f38603346458322a53cb
SHA512

eda1f2d30f690fc536d3d96732e5e28e3886b6df632aedc9e8f14016e12fec52e9f3de00d2177597dffd8dc09cf1475c2b9cec5ed7411f8dc487b8d545227b9a
SSDEEP

1536:1EGh0oll15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oll1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DEF7D91-EEA2-4d7a-8AA6-2838EA8CAF25}\stubpath = "C:\\Windows\\{4DEF7D91-EEA2-4d7a-8AA6-2838EA8CAF25}.exe"	{B915ABCB-8AD2-4997-AB46-C15A09ABC6C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D332207A-266C-4a81-B159-233AB9BDA85E}	{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BE2F277-297E-4d6b-9AEE-E874A01B13A2}	{D332207A-266C-4a81-B159-233AB9BDA85E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBB0DBD2-9C2E-42d7-854B-E756B45C633C}	{7BE2F277-297E-4d6b-9AEE-E874A01B13A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B915ABCB-8AD2-4997-AB46-C15A09ABC6C4}	{FBB0DBD2-9C2E-42d7-854B-E756B45C633C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DEF7D91-EEA2-4d7a-8AA6-2838EA8CAF25}	{B915ABCB-8AD2-4997-AB46-C15A09ABC6C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CA065EC-193F-4392-B83B-F54D60A2F901}	{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CA065EC-193F-4392-B83B-F54D60A2F901}\stubpath = "C:\\Windows\\{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe"	{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D5520FB-F15B-45e7-871A-F8A702881F68}\stubpath = "C:\\Windows\\{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe"	{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B915ABCB-8AD2-4997-AB46-C15A09ABC6C4}\stubpath = "C:\\Windows\\{B915ABCB-8AD2-4997-AB46-C15A09ABC6C4}.exe"	{FBB0DBD2-9C2E-42d7-854B-E756B45C633C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}\stubpath = "C:\\Windows\\{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe"	{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50D1D459-C1D4-4d6f-9823-54A7A8450176}\stubpath = "C:\\Windows\\{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe"	{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D332207A-266C-4a81-B159-233AB9BDA85E}\stubpath = "C:\\Windows\\{D332207A-266C-4a81-B159-233AB9BDA85E}.exe"	{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}	{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D5520FB-F15B-45e7-871A-F8A702881F68}	{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}	{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBB0DBD2-9C2E-42d7-854B-E756B45C633C}\stubpath = "C:\\Windows\\{FBB0DBD2-9C2E-42d7-854B-E756B45C633C}.exe"	{7BE2F277-297E-4d6b-9AEE-E874A01B13A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}\stubpath = "C:\\Windows\\{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe"	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}\stubpath = "C:\\Windows\\{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe"	{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50D1D459-C1D4-4d6f-9823-54A7A8450176}	{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BE2F277-297E-4d6b-9AEE-E874A01B13A2}\stubpath = "C:\\Windows\\{7BE2F277-297E-4d6b-9AEE-E874A01B13A2}.exe"	{D332207A-266C-4a81-B159-233AB9BDA85E}.exe

Deletes itself 1 IoCs

pid	Process
2404	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2992	{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe
2848	{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe
1980	{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe
2472	{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe
2728	{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe
2388	{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe
528	{D332207A-266C-4a81-B159-233AB9BDA85E}.exe
1268	{7BE2F277-297E-4d6b-9AEE-E874A01B13A2}.exe
1652	{FBB0DBD2-9C2E-42d7-854B-E756B45C633C}.exe
1860	{B915ABCB-8AD2-4997-AB46-C15A09ABC6C4}.exe
2344	{4DEF7D91-EEA2-4d7a-8AA6-2838EA8CAF25}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe	{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe
File created	C:\Windows\{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe	{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe
File created	C:\Windows\{7BE2F277-297E-4d6b-9AEE-E874A01B13A2}.exe	{D332207A-266C-4a81-B159-233AB9BDA85E}.exe
File created	C:\Windows\{FBB0DBD2-9C2E-42d7-854B-E756B45C633C}.exe	{7BE2F277-297E-4d6b-9AEE-E874A01B13A2}.exe
File created	C:\Windows\{B915ABCB-8AD2-4997-AB46-C15A09ABC6C4}.exe	{FBB0DBD2-9C2E-42d7-854B-E756B45C633C}.exe
File created	C:\Windows\{4DEF7D91-EEA2-4d7a-8AA6-2838EA8CAF25}.exe	{B915ABCB-8AD2-4997-AB46-C15A09ABC6C4}.exe
File created	C:\Windows\{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe
File created	C:\Windows\{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe	{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe
File created	C:\Windows\{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe	{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe
File created	C:\Windows\{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe	{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe
File created	C:\Windows\{D332207A-266C-4a81-B159-233AB9BDA85E}.exe	{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2428	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2992	{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe
Token: SeIncBasePriorityPrivilege	2848	{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe
Token: SeIncBasePriorityPrivilege	1980	{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe
Token: SeIncBasePriorityPrivilege	2472	{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe
Token: SeIncBasePriorityPrivilege	2728	{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe
Token: SeIncBasePriorityPrivilege	2388	{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe
Token: SeIncBasePriorityPrivilege	528	{D332207A-266C-4a81-B159-233AB9BDA85E}.exe
Token: SeIncBasePriorityPrivilege	1268	{7BE2F277-297E-4d6b-9AEE-E874A01B13A2}.exe
Token: SeIncBasePriorityPrivilege	1652	{FBB0DBD2-9C2E-42d7-854B-E756B45C633C}.exe
Token: SeIncBasePriorityPrivilege	1860	{B915ABCB-8AD2-4997-AB46-C15A09ABC6C4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2992	2428	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe	28
PID 2428 wrote to memory of 2992	2428	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe	28
PID 2428 wrote to memory of 2992	2428	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe	28
PID 2428 wrote to memory of 2992	2428	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe	28
PID 2428 wrote to memory of 2404	2428	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe	29
PID 2428 wrote to memory of 2404	2428	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe	29
PID 2428 wrote to memory of 2404	2428	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe	29
PID 2428 wrote to memory of 2404	2428	edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe	29
PID 2992 wrote to memory of 2848	2992	{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe	30
PID 2992 wrote to memory of 2848	2992	{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe	30
PID 2992 wrote to memory of 2848	2992	{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe	30
PID 2992 wrote to memory of 2848	2992	{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe	30
PID 2992 wrote to memory of 2968	2992	{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe	31
PID 2992 wrote to memory of 2968	2992	{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe	31
PID 2992 wrote to memory of 2968	2992	{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe	31
PID 2992 wrote to memory of 2968	2992	{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe	31
PID 2848 wrote to memory of 1980	2848	{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe	34
PID 2848 wrote to memory of 1980	2848	{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe	34
PID 2848 wrote to memory of 1980	2848	{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe	34
PID 2848 wrote to memory of 1980	2848	{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe	34
PID 2848 wrote to memory of 1328	2848	{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe	35
PID 2848 wrote to memory of 1328	2848	{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe	35
PID 2848 wrote to memory of 1328	2848	{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe	35
PID 2848 wrote to memory of 1328	2848	{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe	35
PID 1980 wrote to memory of 2472	1980	{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe	36
PID 1980 wrote to memory of 2472	1980	{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe	36
PID 1980 wrote to memory of 2472	1980	{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe	36
PID 1980 wrote to memory of 2472	1980	{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe	36
PID 1980 wrote to memory of 2832	1980	{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe	37
PID 1980 wrote to memory of 2832	1980	{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe	37
PID 1980 wrote to memory of 2832	1980	{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe	37
PID 1980 wrote to memory of 2832	1980	{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe	37
PID 2472 wrote to memory of 2728	2472	{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe	38
PID 2472 wrote to memory of 2728	2472	{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe	38
PID 2472 wrote to memory of 2728	2472	{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe	38
PID 2472 wrote to memory of 2728	2472	{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe	38
PID 2472 wrote to memory of 2792	2472	{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe	39
PID 2472 wrote to memory of 2792	2472	{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe	39
PID 2472 wrote to memory of 2792	2472	{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe	39
PID 2472 wrote to memory of 2792	2472	{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe	39
PID 2728 wrote to memory of 2388	2728	{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe	40
PID 2728 wrote to memory of 2388	2728	{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe	40
PID 2728 wrote to memory of 2388	2728	{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe	40
PID 2728 wrote to memory of 2388	2728	{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe	40
PID 2728 wrote to memory of 2192	2728	{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe	41
PID 2728 wrote to memory of 2192	2728	{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe	41
PID 2728 wrote to memory of 2192	2728	{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe	41
PID 2728 wrote to memory of 2192	2728	{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe	41
PID 2388 wrote to memory of 528	2388	{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe	42
PID 2388 wrote to memory of 528	2388	{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe	42
PID 2388 wrote to memory of 528	2388	{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe	42
PID 2388 wrote to memory of 528	2388	{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe	42
PID 2388 wrote to memory of 800	2388	{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe	43
PID 2388 wrote to memory of 800	2388	{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe	43
PID 2388 wrote to memory of 800	2388	{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe	43
PID 2388 wrote to memory of 800	2388	{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe	43
PID 528 wrote to memory of 1268	528	{D332207A-266C-4a81-B159-233AB9BDA85E}.exe	44
PID 528 wrote to memory of 1268	528	{D332207A-266C-4a81-B159-233AB9BDA85E}.exe	44
PID 528 wrote to memory of 1268	528	{D332207A-266C-4a81-B159-233AB9BDA85E}.exe	44
PID 528 wrote to memory of 1268	528	{D332207A-266C-4a81-B159-233AB9BDA85E}.exe	44
PID 528 wrote to memory of 1632	528	{D332207A-266C-4a81-B159-233AB9BDA85E}.exe	45
PID 528 wrote to memory of 1632	528	{D332207A-266C-4a81-B159-233AB9BDA85E}.exe	45
PID 528 wrote to memory of 1632	528	{D332207A-266C-4a81-B159-233AB9BDA85E}.exe	45
PID 528 wrote to memory of 1632	528	{D332207A-266C-4a81-B159-233AB9BDA85E}.exe	45

C:\Users\Admin\AppData\Local\Temp\edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\edb8b3a91d60a8be436b90cc7a2ae624_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe
  C:\Windows\{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe
    C:\Windows\{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe
      C:\Windows\{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe
        
        C:\Windows\{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe
        
        C:\Windows\{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe
        
        C:\Windows\{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\{D332207A-266C-4a81-B159-233AB9BDA85E}.exe
        
        C:\Windows\{D332207A-266C-4a81-B159-233AB9BDA85E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\{7BE2F277-297E-4d6b-9AEE-E874A01B13A2}.exe
        
        C:\Windows\{7BE2F277-297E-4d6b-9AEE-E874A01B13A2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\{FBB0DBD2-9C2E-42d7-854B-E756B45C633C}.exe
        
        C:\Windows\{FBB0DBD2-9C2E-42d7-854B-E756B45C633C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\{B915ABCB-8AD2-4997-AB46-C15A09ABC6C4}.exe
        
        C:\Windows\{B915ABCB-8AD2-4997-AB46-C15A09ABC6C4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\{4DEF7D91-EEA2-4d7a-8AA6-2838EA8CAF25}.exe
        
        C:\Windows\{4DEF7D91-EEA2-4d7a-8AA6-2838EA8CAF25}.exe
        12⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B915A~1.EXE > nul
        12⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBB0D~1.EXE > nul
        11⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BE2F~1.EXE > nul
        10⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3322~1.EXE > nul
        9⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50D1D~1.EXE > nul
        8⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA9E9~1.EXE > nul
        7⤵
        
        PID:2192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D552~1.EXE > nul
        6⤵
        
        PID:2792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CA06~1.EXE > nul
        5⤵
        
        PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{99FEB~1.EXE > nul
      4⤵
      PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E4C87~1.EXE > nul
    3⤵
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EDB8B3~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe

Filesize
192KB

MD5
01866456198a68d8e25268afb28e1b01

SHA1
4bc1a9cf8d4baccd38fd90db14693be5f9dfabb6

SHA256
c3911f8dd5bec3a93c903a5f27cc3ff8e96e0a0652d5d20790cb009e9a96c999

SHA512
038a52e1b9b19c6b4328c608cd3b09d593832d03554d452da010f46895bcc583a41b4a70ac6417b1077a8cd23850b14d455354744cf43bd2dcd58798699a6fdf

Download Submit
C:\Windows\{0CA065EC-193F-4392-B83B-F54D60A2F901}.exe

Filesize
192KB

MD5
01866456198a68d8e25268afb28e1b01

SHA1
4bc1a9cf8d4baccd38fd90db14693be5f9dfabb6

SHA256
c3911f8dd5bec3a93c903a5f27cc3ff8e96e0a0652d5d20790cb009e9a96c999

SHA512
038a52e1b9b19c6b4328c608cd3b09d593832d03554d452da010f46895bcc583a41b4a70ac6417b1077a8cd23850b14d455354744cf43bd2dcd58798699a6fdf

Download Submit
C:\Windows\{4DEF7D91-EEA2-4d7a-8AA6-2838EA8CAF25}.exe

Filesize
192KB

MD5
c8b94362a46211074883d6f9e7430a03

SHA1
c41e5d018e375d5d9ffb5dbeb1a3ebe04115fbbb

SHA256
c10868797b8fbf68b544527da15c5df9f008ebe484719590a494a2016f49b374

SHA512
4cfc04d2b9abcb0f4d6b662fc15a3de55b5c7197e6d6f0fc1a4df8fa2c8d09e30f26e56b7d1ea44ea9b32dce6f9082b669262d6e5595aafa706012c9f2717af9

Download Submit
C:\Windows\{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe

Filesize
192KB

MD5
34cc10907c78ea80f4ce55fe208c6744

SHA1
a19a697845eb2fbf2d8c50d98fc3175919bf6106

SHA256
e5bc30d12060a373549fadf28ccae9f7c83182f0ea23740dd462c6a2d774a640

SHA512
2ed51f022002f9d3229aedccdf59e198040b0454263e44f56e277010a7d6de39c78681039136eca3d1f3794fdd0f91fa3f97f7bd912e6f5678ba399887848e38

Download Submit
C:\Windows\{50D1D459-C1D4-4d6f-9823-54A7A8450176}.exe

Filesize
192KB

MD5
34cc10907c78ea80f4ce55fe208c6744

SHA1
a19a697845eb2fbf2d8c50d98fc3175919bf6106

SHA256
e5bc30d12060a373549fadf28ccae9f7c83182f0ea23740dd462c6a2d774a640

SHA512
2ed51f022002f9d3229aedccdf59e198040b0454263e44f56e277010a7d6de39c78681039136eca3d1f3794fdd0f91fa3f97f7bd912e6f5678ba399887848e38

Download Submit
C:\Windows\{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe

Filesize
192KB

MD5
6bc37ea74ad4e5997593b31b7c41924c

SHA1
79c517c15f91c2a31e26449b651fbd952e6181d1

SHA256
39e28dc578b205d1f2f89d16f39bdffe1a0f63c1032fd8d273af441d483f4427

SHA512
2d5af485e1d3ad87a467634686267e345897a24c3c2bd3c36d6b235352c85cb19462d220ffffe1796f8e6240a37612036e1bd01c4a1552d76f719fd6f3e4d4f9

Download Submit
C:\Windows\{5D5520FB-F15B-45e7-871A-F8A702881F68}.exe

Filesize
192KB

MD5
6bc37ea74ad4e5997593b31b7c41924c

SHA1
79c517c15f91c2a31e26449b651fbd952e6181d1

SHA256
39e28dc578b205d1f2f89d16f39bdffe1a0f63c1032fd8d273af441d483f4427

SHA512
2d5af485e1d3ad87a467634686267e345897a24c3c2bd3c36d6b235352c85cb19462d220ffffe1796f8e6240a37612036e1bd01c4a1552d76f719fd6f3e4d4f9

Download Submit
C:\Windows\{7BE2F277-297E-4d6b-9AEE-E874A01B13A2}.exe

Filesize
192KB

MD5
9e3866de61efddc5c344571da9267cbb

SHA1
2354abc26c420189270ac6ccf2b4b81bb2c3ab2b

SHA256
a28828a2e4794011f9ccd080ad84a3afa8791006be6fbfe2cba01500de7e54b5

SHA512
d53178fd64e4a6a46b5c6fe2005eebe14a42d1efe7a38615c24f0d60ce141bfdf10ddfc227531cc77317e7e0930eb88d3a3ae52a033e9ca227e83fc194df640d

Download Submit
C:\Windows\{7BE2F277-297E-4d6b-9AEE-E874A01B13A2}.exe

Filesize
192KB

MD5
9e3866de61efddc5c344571da9267cbb

SHA1
2354abc26c420189270ac6ccf2b4b81bb2c3ab2b

SHA256
a28828a2e4794011f9ccd080ad84a3afa8791006be6fbfe2cba01500de7e54b5

SHA512
d53178fd64e4a6a46b5c6fe2005eebe14a42d1efe7a38615c24f0d60ce141bfdf10ddfc227531cc77317e7e0930eb88d3a3ae52a033e9ca227e83fc194df640d

Download Submit
C:\Windows\{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe

Filesize
192KB

MD5
bfcd32698fcb4e23255aa084d9cf46b3

SHA1
e0aca8d75321e9f9c072664425859692242bf840

SHA256
018e86b849244ade32a8b437e35519fabdd9e7728a81eb22646cb88d58588360

SHA512
9a5507b60c681b47139207c377afb13436c930225a78a8a71be7bc8a02dbc6abc7e44d058a060bea9d2eaeacdc9e969579fe31ed14903bebba097aee851f8d0a

Download Submit
C:\Windows\{99FEBE02-F049-4f0c-B45A-C2A63C05C84E}.exe

Filesize
192KB

MD5
bfcd32698fcb4e23255aa084d9cf46b3

SHA1
e0aca8d75321e9f9c072664425859692242bf840

SHA256
018e86b849244ade32a8b437e35519fabdd9e7728a81eb22646cb88d58588360

SHA512
9a5507b60c681b47139207c377afb13436c930225a78a8a71be7bc8a02dbc6abc7e44d058a060bea9d2eaeacdc9e969579fe31ed14903bebba097aee851f8d0a

Download Submit
C:\Windows\{B915ABCB-8AD2-4997-AB46-C15A09ABC6C4}.exe

Filesize
192KB

MD5
cd0b360fcbbe8a68dba122bc7803c1a2

SHA1
a716f6e77e38b9df9637951d95f68a142a7b8eb6

SHA256
5b611952874627042cfcd38008e1eabb9d8e8d2cc4ae1ca69fb8602eb81c1f2b

SHA512
b801a73c0b209d953d490cefb4d03531a06d490cb173bd31dd47d15e388d4a296d7c8eb7604a5140fb08afb9c0cc90fb2ecc29b4b94987863474e73dcdaac213

Download Submit
C:\Windows\{B915ABCB-8AD2-4997-AB46-C15A09ABC6C4}.exe

Filesize
192KB

MD5
cd0b360fcbbe8a68dba122bc7803c1a2

SHA1
a716f6e77e38b9df9637951d95f68a142a7b8eb6

SHA256
5b611952874627042cfcd38008e1eabb9d8e8d2cc4ae1ca69fb8602eb81c1f2b

SHA512
b801a73c0b209d953d490cefb4d03531a06d490cb173bd31dd47d15e388d4a296d7c8eb7604a5140fb08afb9c0cc90fb2ecc29b4b94987863474e73dcdaac213

Download Submit
C:\Windows\{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe

Filesize
192KB

MD5
fb72ae73fbe3ef0deba8d556a916cbcd

SHA1
35e1ee333286854c14d7b07b39a0f87a2c319cca

SHA256
0ebd9a5165bb501cb0b757dab95e64fd41aa41ac07010423640740e7bbe25b16

SHA512
c9c90d804111ef0d8d63b89feda24a878fb92780354c884d0ab213561a4b4813a0c3cd6e8267a7ec9d29630e240691f7e567abacbb26c90b88779cbe2af13893

Download Submit
C:\Windows\{BA9E91F7-F29C-4cbe-86F1-FC83542DB759}.exe

Filesize
192KB

MD5
fb72ae73fbe3ef0deba8d556a916cbcd

SHA1
35e1ee333286854c14d7b07b39a0f87a2c319cca

SHA256
0ebd9a5165bb501cb0b757dab95e64fd41aa41ac07010423640740e7bbe25b16

SHA512
c9c90d804111ef0d8d63b89feda24a878fb92780354c884d0ab213561a4b4813a0c3cd6e8267a7ec9d29630e240691f7e567abacbb26c90b88779cbe2af13893

Download Submit
C:\Windows\{D332207A-266C-4a81-B159-233AB9BDA85E}.exe

Filesize
192KB

MD5
a37206ecefd68a51b0a678e2003fd4d0

SHA1
dc4072d30a61cb8e5e3bd35ee79c91e0a6229b7b

SHA256
6b8a34249684276d493f0699a9e8e3f7b9106d2c66f21ccce01bc1ac6807f9f6

SHA512
0792d1c262f42695b87e8141cb2ba3c2e706e94a2bdf95d377198d0a53272ddea05408596fc3d4ea21e3c09edec29185c5483586d257c62f12e1e6675508a3cb

Download Submit
C:\Windows\{D332207A-266C-4a81-B159-233AB9BDA85E}.exe

Filesize
192KB

MD5
a37206ecefd68a51b0a678e2003fd4d0

SHA1
dc4072d30a61cb8e5e3bd35ee79c91e0a6229b7b

SHA256
6b8a34249684276d493f0699a9e8e3f7b9106d2c66f21ccce01bc1ac6807f9f6

SHA512
0792d1c262f42695b87e8141cb2ba3c2e706e94a2bdf95d377198d0a53272ddea05408596fc3d4ea21e3c09edec29185c5483586d257c62f12e1e6675508a3cb

Download Submit
C:\Windows\{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe

Filesize
192KB

MD5
33901b4fafdd21fa8846a070d767b7c6

SHA1
76128454132fce7ab35cb77fad8594b78d836d92

SHA256
7585750c4fec52bc3962dc0faddea4fb995db1ac096bdfceac030fcbad6ebe61

SHA512
571487cb4401a8e770bf2152c3b5f7fcd8d0f8f0ee1169f76d63b0d03bd139e52f72d48c39af7c61a51b24f3b3aa2698ef73d16b26ae92086152e446045e788d

Download Submit
C:\Windows\{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe

Filesize
192KB

MD5
33901b4fafdd21fa8846a070d767b7c6

SHA1
76128454132fce7ab35cb77fad8594b78d836d92

SHA256
7585750c4fec52bc3962dc0faddea4fb995db1ac096bdfceac030fcbad6ebe61

SHA512
571487cb4401a8e770bf2152c3b5f7fcd8d0f8f0ee1169f76d63b0d03bd139e52f72d48c39af7c61a51b24f3b3aa2698ef73d16b26ae92086152e446045e788d

Download Submit
C:\Windows\{E4C87BAD-2136-4bf4-93D5-4AE5899442EF}.exe

Filesize
192KB

MD5
33901b4fafdd21fa8846a070d767b7c6

SHA1
76128454132fce7ab35cb77fad8594b78d836d92

SHA256
7585750c4fec52bc3962dc0faddea4fb995db1ac096bdfceac030fcbad6ebe61

SHA512
571487cb4401a8e770bf2152c3b5f7fcd8d0f8f0ee1169f76d63b0d03bd139e52f72d48c39af7c61a51b24f3b3aa2698ef73d16b26ae92086152e446045e788d

Download Submit
C:\Windows\{FBB0DBD2-9C2E-42d7-854B-E756B45C633C}.exe

Filesize
192KB

MD5
a737b9790ef81420d5c8a279b4e31925

SHA1
5c54d20218b620ec3f6de792a72dd05d7d70626f

SHA256
9b4158297addf8d1fb07b56114715e812a55c081fbe3aeec92f9b3697d477c91

SHA512
b46342f5ff6bc8ea131f0cda3e17fbb3c413adcb6ebb5cc39c8be6415856f3271c952ff6046139f99968c46249decbb37b5573b28645dcc627ba69e7e79fd796

Download Submit
C:\Windows\{FBB0DBD2-9C2E-42d7-854B-E756B45C633C}.exe

Filesize
192KB

MD5
a737b9790ef81420d5c8a279b4e31925

SHA1
5c54d20218b620ec3f6de792a72dd05d7d70626f

SHA256
9b4158297addf8d1fb07b56114715e812a55c081fbe3aeec92f9b3697d477c91

SHA512
b46342f5ff6bc8ea131f0cda3e17fbb3c413adcb6ebb5cc39c8be6415856f3271c952ff6046139f99968c46249decbb37b5573b28645dcc627ba69e7e79fd796

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads