de74c607e9c375a2d390907eb9876ceb2fcb3db3cde0f3fd61d768a9258f05c0

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31-08-2023 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe
Size

216KB
MD5

fcc9ae0536f3d780277b4f3c3cf37a0e
SHA1

9f09981c2b184f2770d54a36f55aed3144557b69
SHA256

de74c607e9c375a2d390907eb9876ceb2fcb3db3cde0f3fd61d768a9258f05c0
SHA512

bea4fa73c80cfc57f19045f3242aad293b9a5b5330c79b5e0e5b21c8fc9a09c1e1b1345f32936fa0158a3bfb20fdd02d98f297edb8722b4636b5c4101f2153f6
SSDEEP

3072:jEGh0oUl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGqlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FA82BA8-C485-4c7d-9972-E79C22C24CFD}	{03793AA2-7ECD-438f-A318-DC95AC31C486}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03793AA2-7ECD-438f-A318-DC95AC31C486}	{BBB379FA-E986-4aac-B215-1F8B134E7C95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03793AA2-7ECD-438f-A318-DC95AC31C486}\stubpath = "C:\\Windows\\{03793AA2-7ECD-438f-A318-DC95AC31C486}.exe"	{BBB379FA-E986-4aac-B215-1F8B134E7C95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3133621-DB40-4015-9C4D-95A91C46F7DE}\stubpath = "C:\\Windows\\{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe"	{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{940102F0-1EE2-4235-8838-66D87DDE9BA4}\stubpath = "C:\\Windows\\{940102F0-1EE2-4235-8838-66D87DDE9BA4}.exe"	{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBB379FA-E986-4aac-B215-1F8B134E7C95}\stubpath = "C:\\Windows\\{BBB379FA-E986-4aac-B215-1F8B134E7C95}.exe"	{940102F0-1EE2-4235-8838-66D87DDE9BA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8004AD55-603F-4ef9-B755-071E0F58D3AC}\stubpath = "C:\\Windows\\{8004AD55-603F-4ef9-B755-071E0F58D3AC}.exe"	{5FA82BA8-C485-4c7d-9972-E79C22C24CFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{037FE855-B3E2-457d-8200-58ADA038A6BB}\stubpath = "C:\\Windows\\{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe"	{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3133621-DB40-4015-9C4D-95A91C46F7DE}	{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0236D1C-70BE-437f-AF87-68D2634EFB62}	{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0236D1C-70BE-437f-AF87-68D2634EFB62}\stubpath = "C:\\Windows\\{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe"	{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}	{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}\stubpath = "C:\\Windows\\{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe"	{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{940102F0-1EE2-4235-8838-66D87DDE9BA4}	{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8004AD55-603F-4ef9-B755-071E0F58D3AC}	{5FA82BA8-C485-4c7d-9972-E79C22C24CFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}\stubpath = "C:\\Windows\\{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe"	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{037FE855-B3E2-457d-8200-58ADA038A6BB}	{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{281AABC7-930D-4671-AC48-DB1E1917C17E}\stubpath = "C:\\Windows\\{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe"	{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}	{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}\stubpath = "C:\\Windows\\{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe"	{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBB379FA-E986-4aac-B215-1F8B134E7C95}	{940102F0-1EE2-4235-8838-66D87DDE9BA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FA82BA8-C485-4c7d-9972-E79C22C24CFD}\stubpath = "C:\\Windows\\{5FA82BA8-C485-4c7d-9972-E79C22C24CFD}.exe"	{03793AA2-7ECD-438f-A318-DC95AC31C486}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{281AABC7-930D-4671-AC48-DB1E1917C17E}	{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe

Deletes itself 1 IoCs

pid	Process
2208	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2564	{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe
2628	{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe
548	{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe
2548	{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe
2908	{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe
2160	{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe
2476	{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe
944	{940102F0-1EE2-4235-8838-66D87DDE9BA4}.exe
2676	{BBB379FA-E986-4aac-B215-1F8B134E7C95}.exe
2796	{03793AA2-7ECD-438f-A318-DC95AC31C486}.exe
2344	{5FA82BA8-C485-4c7d-9972-E79C22C24CFD}.exe
1588	{8004AD55-603F-4ef9-B755-071E0F58D3AC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe	{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe
File created	C:\Windows\{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe	{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe
File created	C:\Windows\{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe	{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe
File created	C:\Windows\{8004AD55-603F-4ef9-B755-071E0F58D3AC}.exe	{5FA82BA8-C485-4c7d-9972-E79C22C24CFD}.exe
File created	C:\Windows\{BBB379FA-E986-4aac-B215-1F8B134E7C95}.exe	{940102F0-1EE2-4235-8838-66D87DDE9BA4}.exe
File created	C:\Windows\{03793AA2-7ECD-438f-A318-DC95AC31C486}.exe	{BBB379FA-E986-4aac-B215-1F8B134E7C95}.exe
File created	C:\Windows\{5FA82BA8-C485-4c7d-9972-E79C22C24CFD}.exe	{03793AA2-7ECD-438f-A318-DC95AC31C486}.exe
File created	C:\Windows\{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe
File created	C:\Windows\{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe	{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe
File created	C:\Windows\{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe	{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe
File created	C:\Windows\{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe	{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe
File created	C:\Windows\{940102F0-1EE2-4235-8838-66D87DDE9BA4}.exe	{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2224	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2564	{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe
Token: SeIncBasePriorityPrivilege	2628	{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe
Token: SeIncBasePriorityPrivilege	548	{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe
Token: SeIncBasePriorityPrivilege	2548	{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe
Token: SeIncBasePriorityPrivilege	2908	{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe
Token: SeIncBasePriorityPrivilege	2160	{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe
Token: SeIncBasePriorityPrivilege	2476	{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe
Token: SeIncBasePriorityPrivilege	944	{940102F0-1EE2-4235-8838-66D87DDE9BA4}.exe
Token: SeIncBasePriorityPrivilege	2676	{BBB379FA-E986-4aac-B215-1F8B134E7C95}.exe
Token: SeIncBasePriorityPrivilege	2796	{03793AA2-7ECD-438f-A318-DC95AC31C486}.exe
Token: SeIncBasePriorityPrivilege	2344	{5FA82BA8-C485-4c7d-9972-E79C22C24CFD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2564	2224	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe	30
PID 2224 wrote to memory of 2564	2224	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe	30
PID 2224 wrote to memory of 2564	2224	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe	30
PID 2224 wrote to memory of 2564	2224	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe	30
PID 2224 wrote to memory of 2208	2224	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe	31
PID 2224 wrote to memory of 2208	2224	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe	31
PID 2224 wrote to memory of 2208	2224	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe	31
PID 2224 wrote to memory of 2208	2224	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe	31
PID 2564 wrote to memory of 2628	2564	{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe	32
PID 2564 wrote to memory of 2628	2564	{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe	32
PID 2564 wrote to memory of 2628	2564	{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe	32
PID 2564 wrote to memory of 2628	2564	{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe	32
PID 2564 wrote to memory of 2436	2564	{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe	33
PID 2564 wrote to memory of 2436	2564	{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe	33
PID 2564 wrote to memory of 2436	2564	{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe	33
PID 2564 wrote to memory of 2436	2564	{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe	33
PID 2628 wrote to memory of 548	2628	{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe	34
PID 2628 wrote to memory of 548	2628	{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe	34
PID 2628 wrote to memory of 548	2628	{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe	34
PID 2628 wrote to memory of 548	2628	{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe	34
PID 2628 wrote to memory of 2400	2628	{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe	35
PID 2628 wrote to memory of 2400	2628	{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe	35
PID 2628 wrote to memory of 2400	2628	{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe	35
PID 2628 wrote to memory of 2400	2628	{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe	35
PID 548 wrote to memory of 2548	548	{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe	36
PID 548 wrote to memory of 2548	548	{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe	36
PID 548 wrote to memory of 2548	548	{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe	36
PID 548 wrote to memory of 2548	548	{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe	36
PID 548 wrote to memory of 2416	548	{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe	37
PID 548 wrote to memory of 2416	548	{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe	37
PID 548 wrote to memory of 2416	548	{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe	37
PID 548 wrote to memory of 2416	548	{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe	37
PID 2548 wrote to memory of 2908	2548	{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe	38
PID 2548 wrote to memory of 2908	2548	{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe	38
PID 2548 wrote to memory of 2908	2548	{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe	38
PID 2548 wrote to memory of 2908	2548	{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe	38
PID 2548 wrote to memory of 3000	2548	{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe	39
PID 2548 wrote to memory of 3000	2548	{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe	39
PID 2548 wrote to memory of 3000	2548	{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe	39
PID 2548 wrote to memory of 3000	2548	{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe	39
PID 2908 wrote to memory of 2160	2908	{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe	40
PID 2908 wrote to memory of 2160	2908	{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe	40
PID 2908 wrote to memory of 2160	2908	{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe	40
PID 2908 wrote to memory of 2160	2908	{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe	40
PID 2908 wrote to memory of 2964	2908	{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe	41
PID 2908 wrote to memory of 2964	2908	{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe	41
PID 2908 wrote to memory of 2964	2908	{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe	41
PID 2908 wrote to memory of 2964	2908	{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe	41
PID 2160 wrote to memory of 2476	2160	{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe	42
PID 2160 wrote to memory of 2476	2160	{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe	42
PID 2160 wrote to memory of 2476	2160	{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe	42
PID 2160 wrote to memory of 2476	2160	{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe	42
PID 2160 wrote to memory of 2872	2160	{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe	43
PID 2160 wrote to memory of 2872	2160	{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe	43
PID 2160 wrote to memory of 2872	2160	{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe	43
PID 2160 wrote to memory of 2872	2160	{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe	43
PID 2476 wrote to memory of 944	2476	{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe	45
PID 2476 wrote to memory of 944	2476	{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe	45
PID 2476 wrote to memory of 944	2476	{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe	45
PID 2476 wrote to memory of 944	2476	{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe	45
PID 2476 wrote to memory of 2392	2476	{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe	44
PID 2476 wrote to memory of 2392	2476	{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe	44
PID 2476 wrote to memory of 2392	2476	{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe	44
PID 2476 wrote to memory of 2392	2476	{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe	44

C:\Users\Admin\AppData\Local\Temp\fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe
  C:\Windows\{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe
    C:\Windows\{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe
      C:\Windows\{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:548
    - - C:\Windows\{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe
        
        C:\Windows\{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe
        
        C:\Windows\{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe
        
        C:\Windows\{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe
        
        C:\Windows\{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C1BE~1.EXE > nul
        9⤵
        
        PID:2392
        
        C:\Windows\{940102F0-1EE2-4235-8838-66D87DDE9BA4}.exe
        
        C:\Windows\{940102F0-1EE2-4235-8838-66D87DDE9BA4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94010~1.EXE > nul
        10⤵
        
        PID:2756
        
        C:\Windows\{BBB379FA-E986-4aac-B215-1F8B134E7C95}.exe
        
        C:\Windows\{BBB379FA-E986-4aac-B215-1F8B134E7C95}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\{03793AA2-7ECD-438f-A318-DC95AC31C486}.exe
        
        C:\Windows\{03793AA2-7ECD-438f-A318-DC95AC31C486}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\{5FA82BA8-C485-4c7d-9972-E79C22C24CFD}.exe
        
        C:\Windows\{5FA82BA8-C485-4c7d-9972-E79C22C24CFD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FA82~1.EXE > nul
        13⤵
        
        PID:2556
        
        C:\Windows\{8004AD55-603F-4ef9-B755-071E0F58D3AC}.exe
        
        C:\Windows\{8004AD55-603F-4ef9-B755-071E0F58D3AC}.exe
        13⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03793~1.EXE > nul
        12⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBB37~1.EXE > nul
        11⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3133~1.EXE > nul
        8⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08D67~1.EXE > nul
        7⤵
        
        PID:2964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{281AA~1.EXE > nul
        6⤵
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0236~1.EXE > nul
        5⤵
        
        PID:2416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{037FE~1.EXE > nul
      4⤵
      PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8C0BD~1.EXE > nul
    3⤵
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FCC9AE~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03793AA2-7ECD-438f-A318-DC95AC31C486}.exe

Filesize
216KB

MD5
8ec8be75a30000421c57c1541c1008ce

SHA1
f2d3edf94c2057f69d9910c2c59a5b8bc28f7904

SHA256
b09e9207c7dfc683a1ece6518cd991b7263050ac37a29e6a05fadde317db7e04

SHA512
cd08c0f1a4c71e80592024ec00860df3c8219d1f43499ebf5bcfe8a25470f1e29142aca798273512e54909c442516241e2bef2256a92712cf7cf5e94d4ddea0c

Download Submit
C:\Windows\{03793AA2-7ECD-438f-A318-DC95AC31C486}.exe

Filesize
216KB

MD5
8ec8be75a30000421c57c1541c1008ce

SHA1
f2d3edf94c2057f69d9910c2c59a5b8bc28f7904

SHA256
b09e9207c7dfc683a1ece6518cd991b7263050ac37a29e6a05fadde317db7e04

SHA512
cd08c0f1a4c71e80592024ec00860df3c8219d1f43499ebf5bcfe8a25470f1e29142aca798273512e54909c442516241e2bef2256a92712cf7cf5e94d4ddea0c

Download Submit
C:\Windows\{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe

Filesize
216KB

MD5
36532c70b7d66a6f9669513fb36ad91c

SHA1
525f34859e7423755fe32f9291410df92f538085

SHA256
c87fae5e9b45830f100b1a02cfc1f1bc2cdf31868b7ae8c81786325fd977be07

SHA512
5eca173c0b5cc90584476ba09c9474b45b1966f7e7a42fe4691a6d6d9f604ff8a4661891fb92ece08568c20f033ee4767db2d997baf9e004b00abb72ff5198ff

Download Submit
C:\Windows\{037FE855-B3E2-457d-8200-58ADA038A6BB}.exe

Filesize
216KB

MD5
36532c70b7d66a6f9669513fb36ad91c

SHA1
525f34859e7423755fe32f9291410df92f538085

SHA256
c87fae5e9b45830f100b1a02cfc1f1bc2cdf31868b7ae8c81786325fd977be07

SHA512
5eca173c0b5cc90584476ba09c9474b45b1966f7e7a42fe4691a6d6d9f604ff8a4661891fb92ece08568c20f033ee4767db2d997baf9e004b00abb72ff5198ff

Download Submit
C:\Windows\{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe

Filesize
216KB

MD5
4fd4bd1e42d2760714dd7abae811021a

SHA1
14b94e89caa1b348b729de0ae820912dd8922c02

SHA256
fd7d8aa75e2f0aca273da8793e20b5877a93864b83dc65462eb4a261d29c9d23

SHA512
230470520ecf83a2612907af08b30336dc04879499987c6612ae8d0cb669c0a09bd4b79212deada9e3e7b234cebebdac281be51b0638daa42027b208d8a77464

Download Submit
C:\Windows\{08D67A39-37A0-42c4-AAF4-9C849FC13AA8}.exe

Filesize
216KB

MD5
4fd4bd1e42d2760714dd7abae811021a

SHA1
14b94e89caa1b348b729de0ae820912dd8922c02

SHA256
fd7d8aa75e2f0aca273da8793e20b5877a93864b83dc65462eb4a261d29c9d23

SHA512
230470520ecf83a2612907af08b30336dc04879499987c6612ae8d0cb669c0a09bd4b79212deada9e3e7b234cebebdac281be51b0638daa42027b208d8a77464

Download Submit
C:\Windows\{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe

Filesize
216KB

MD5
1268c04e336b1640f82a0c9a72895c18

SHA1
ccb4002ff28338bab0ab0e2b9d9ab6014f5f3b1f

SHA256
be36bbb93614b46218ce6f7db26dcb3075035842833e920e1b69e911f493e24a

SHA512
d3dc30e6aa764a10aea895e02b108c2f5d9ed963ed3c6673928184116d57aedd2d2f0d26a6144b6830db29f9edd89a6400b20c8b5fa3beab15dba96f4b7a9be9

Download Submit
C:\Windows\{281AABC7-930D-4671-AC48-DB1E1917C17E}.exe

Filesize
216KB

MD5
1268c04e336b1640f82a0c9a72895c18

SHA1
ccb4002ff28338bab0ab0e2b9d9ab6014f5f3b1f

SHA256
be36bbb93614b46218ce6f7db26dcb3075035842833e920e1b69e911f493e24a

SHA512
d3dc30e6aa764a10aea895e02b108c2f5d9ed963ed3c6673928184116d57aedd2d2f0d26a6144b6830db29f9edd89a6400b20c8b5fa3beab15dba96f4b7a9be9

Download Submit
C:\Windows\{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe

Filesize
216KB

MD5
1e394078cd177815fde6e4450aea5ba3

SHA1
75f9fd227040f421d198ad49e3a99db5b43da676

SHA256
c096fd86c1d81747c87529f31ad8355cd9e553a0ec2e8ae022d7ebeb793dd0cd

SHA512
4a79500dbd4548ed23f6fed0069b284cddb9ea85a022b7c0db42b686584732ce2b7d95120d018ff61fe2a215ab285e8d848f904be6253155aac8c9be69b814d1

Download Submit
C:\Windows\{5C1BE1DB-1CBB-4a27-945A-C3DB13EFDEE3}.exe

Filesize
216KB

MD5
1e394078cd177815fde6e4450aea5ba3

SHA1
75f9fd227040f421d198ad49e3a99db5b43da676

SHA256
c096fd86c1d81747c87529f31ad8355cd9e553a0ec2e8ae022d7ebeb793dd0cd

SHA512
4a79500dbd4548ed23f6fed0069b284cddb9ea85a022b7c0db42b686584732ce2b7d95120d018ff61fe2a215ab285e8d848f904be6253155aac8c9be69b814d1

Download Submit
C:\Windows\{5FA82BA8-C485-4c7d-9972-E79C22C24CFD}.exe

Filesize
216KB

MD5
05c4912fbac7d0023ffc1e54a01da87a

SHA1
3a9403a472a714bcac8475ba25fde96ff1b2d859

SHA256
056817ddf7010e6ec1cfd615995c53a1502550eb3d1351e95e8c0f4b8d549a38

SHA512
1e53a38ce6dd125089384e1af52eb2f57c71881bfaa7ca8aabd97100eb76553324f3cdeb9bb1b1a23d44d3f14701cbd3a465ffb59e4403ffa32a67632c362b08

Download Submit
C:\Windows\{5FA82BA8-C485-4c7d-9972-E79C22C24CFD}.exe

Filesize
216KB

MD5
05c4912fbac7d0023ffc1e54a01da87a

SHA1
3a9403a472a714bcac8475ba25fde96ff1b2d859

SHA256
056817ddf7010e6ec1cfd615995c53a1502550eb3d1351e95e8c0f4b8d549a38

SHA512
1e53a38ce6dd125089384e1af52eb2f57c71881bfaa7ca8aabd97100eb76553324f3cdeb9bb1b1a23d44d3f14701cbd3a465ffb59e4403ffa32a67632c362b08

Download Submit
C:\Windows\{8004AD55-603F-4ef9-B755-071E0F58D3AC}.exe

Filesize
216KB

MD5
32445ac3b3ee6671c332e4a5e46bc7f4

SHA1
8105c4923d2bbb7a6da8c205e087f03379775ee5

SHA256
499c64dd8386d37b41ec11f5872d7761b541138b84f276ad058460e1c2fc999a

SHA512
9be491c26e88749b73d7f7a6d062c6f073cfe8f078b034a3e49b30f75aca2eeaa6d26518105f3f6582dafa336401b0c5f79ed578ea6e3522bc237f556d58cf4b

Download Submit
C:\Windows\{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe

Filesize
216KB

MD5
5c63746c8c89a09ed7b127b91e8b53e0

SHA1
f72a348c3e4bd57ac3ff217e89de6d36862a1155

SHA256
60b58b59290ef51fa7acffac7faa96d2b3fd5e6ef6dceea46fa195c2fe52a0a1

SHA512
4fd6ed3951a725309ca1a6009e46d380606f87ebcac8a286652954a4a9a942657c4774770add2bfc2fc1ff4ba9eb996c3404c973f3e521aaf40899b8372c0938

Download Submit
C:\Windows\{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe

Filesize
216KB

MD5
5c63746c8c89a09ed7b127b91e8b53e0

SHA1
f72a348c3e4bd57ac3ff217e89de6d36862a1155

SHA256
60b58b59290ef51fa7acffac7faa96d2b3fd5e6ef6dceea46fa195c2fe52a0a1

SHA512
4fd6ed3951a725309ca1a6009e46d380606f87ebcac8a286652954a4a9a942657c4774770add2bfc2fc1ff4ba9eb996c3404c973f3e521aaf40899b8372c0938

Download Submit
C:\Windows\{8C0BDD73-0E22-4acf-98B8-AE4E6733A25E}.exe

Filesize
216KB

MD5
5c63746c8c89a09ed7b127b91e8b53e0

SHA1
f72a348c3e4bd57ac3ff217e89de6d36862a1155

SHA256
60b58b59290ef51fa7acffac7faa96d2b3fd5e6ef6dceea46fa195c2fe52a0a1

SHA512
4fd6ed3951a725309ca1a6009e46d380606f87ebcac8a286652954a4a9a942657c4774770add2bfc2fc1ff4ba9eb996c3404c973f3e521aaf40899b8372c0938

Download Submit
C:\Windows\{940102F0-1EE2-4235-8838-66D87DDE9BA4}.exe

Filesize
216KB

MD5
33f6f5df64ef128ad93b25a412b26db9

SHA1
5e1e00bc58dd4b22564a4cef88ebb273cf003f9c

SHA256
07976c12a2000675a52e9b4ecb85afaf5448467f2da1ce1027e5046a8343f668

SHA512
0f7769d62b718225e5cd2c7344bca047315e9d15e2cb6574b14e18f548840cd14cc85d4d44ef17c1f0f035d9fa4b9ca1f5609d488ddd2cdaa6621f91064b776c

Download Submit
C:\Windows\{940102F0-1EE2-4235-8838-66D87DDE9BA4}.exe

Filesize
216KB

MD5
33f6f5df64ef128ad93b25a412b26db9

SHA1
5e1e00bc58dd4b22564a4cef88ebb273cf003f9c

SHA256
07976c12a2000675a52e9b4ecb85afaf5448467f2da1ce1027e5046a8343f668

SHA512
0f7769d62b718225e5cd2c7344bca047315e9d15e2cb6574b14e18f548840cd14cc85d4d44ef17c1f0f035d9fa4b9ca1f5609d488ddd2cdaa6621f91064b776c

Download Submit
C:\Windows\{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe

Filesize
216KB

MD5
308f3f0e4b1664b254d00c899ac6f21b

SHA1
fa8d709bb27625a1d396c607108c43fc21ec3f95

SHA256
340125f39eb036729f1a80a5b8235badc1f307536e0633c5b4da71f3a883a80e

SHA512
e1d9179ea36ae1d46611e344cdc030279aad6b6403863ebd72c777e81a06e6898fe1475b7de76dac4f2de185ff02d860daefefda278624f8a84c2218f2f00e33

Download Submit
C:\Windows\{A0236D1C-70BE-437f-AF87-68D2634EFB62}.exe

Filesize
216KB

MD5
308f3f0e4b1664b254d00c899ac6f21b

SHA1
fa8d709bb27625a1d396c607108c43fc21ec3f95

SHA256
340125f39eb036729f1a80a5b8235badc1f307536e0633c5b4da71f3a883a80e

SHA512
e1d9179ea36ae1d46611e344cdc030279aad6b6403863ebd72c777e81a06e6898fe1475b7de76dac4f2de185ff02d860daefefda278624f8a84c2218f2f00e33

Download Submit
C:\Windows\{BBB379FA-E986-4aac-B215-1F8B134E7C95}.exe

Filesize
216KB

MD5
350a4e4b72a5f03b8a974fd466b7b698

SHA1
c88bd46a1796b75a9cf063e5ea0be84fa6570734

SHA256
a7f41a2534179f9ac7ee589be37479ff89f29d9e689e06cfba1beb3b237a1771

SHA512
e5d106c39700ed52b66245fb98361348ef44e96a75f3a9e70e00be7b3f23bf3dd2177b3581fb744575f157787eb2f1fff7600133ed20c5d6328dbd00bc4ec7c3

Download Submit
C:\Windows\{BBB379FA-E986-4aac-B215-1F8B134E7C95}.exe

Filesize
216KB

MD5
350a4e4b72a5f03b8a974fd466b7b698

SHA1
c88bd46a1796b75a9cf063e5ea0be84fa6570734

SHA256
a7f41a2534179f9ac7ee589be37479ff89f29d9e689e06cfba1beb3b237a1771

SHA512
e5d106c39700ed52b66245fb98361348ef44e96a75f3a9e70e00be7b3f23bf3dd2177b3581fb744575f157787eb2f1fff7600133ed20c5d6328dbd00bc4ec7c3

Download Submit
C:\Windows\{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe

Filesize
216KB

MD5
469ca068fb1e3c7bab533621a8aa55a7

SHA1
fdc759f19a354948cc56abe7b0c8593e1e2e32a8

SHA256
d0262182dbe629f3e0a647be89e89c0ab11f84462a6dae36383cdd666416a4a3

SHA512
c7e2462fb97d0229ace36d5fde0e8421cdedf8717857ad76ce9c8596b6bbb24ef30eaff6c1f40c6b6b4063c846ddc5c9577b4e68109f525602232d77a3ec213b

Download Submit
C:\Windows\{D3133621-DB40-4015-9C4D-95A91C46F7DE}.exe

Filesize
216KB

MD5
469ca068fb1e3c7bab533621a8aa55a7

SHA1
fdc759f19a354948cc56abe7b0c8593e1e2e32a8

SHA256
d0262182dbe629f3e0a647be89e89c0ab11f84462a6dae36383cdd666416a4a3

SHA512
c7e2462fb97d0229ace36d5fde0e8421cdedf8717857ad76ce9c8596b6bbb24ef30eaff6c1f40c6b6b4063c846ddc5c9577b4e68109f525602232d77a3ec213b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads