de74c607e9c375a2d390907eb9876ceb2fcb3db3cde0f3fd61d768a9258f05c0

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe
Size

216KB
MD5

fcc9ae0536f3d780277b4f3c3cf37a0e
SHA1

9f09981c2b184f2770d54a36f55aed3144557b69
SHA256

de74c607e9c375a2d390907eb9876ceb2fcb3db3cde0f3fd61d768a9258f05c0
SHA512

bea4fa73c80cfc57f19045f3242aad293b9a5b5330c79b5e0e5b21c8fc9a09c1e1b1345f32936fa0158a3bfb20fdd02d98f297edb8722b4636b5c4101f2153f6
SSDEEP

3072:jEGh0oUl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGqlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6118561B-E251-4e60-96B3-B56F4D7EE7E8}	{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}	{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{184B9C14-BFF1-467d-BE11-36B414CA9ACE}	{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D039E1BF-BB80-4e14-A112-5B1F93865FB5}\stubpath = "C:\\Windows\\{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe"	{0D509D33-A1C5-473b-A005-A5278758C46B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29BBF575-CB9C-4517-9E02-74F79C20741B}	{0163B837-81FD-4a7a-AE80-E36A314CEA5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}\stubpath = "C:\\Windows\\{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe"	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{184B9C14-BFF1-467d-BE11-36B414CA9ACE}\stubpath = "C:\\Windows\\{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe"	{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D509D33-A1C5-473b-A005-A5278758C46B}\stubpath = "C:\\Windows\\{0D509D33-A1C5-473b-A005-A5278758C46B}.exe"	{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}	{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0163B837-81FD-4a7a-AE80-E36A314CEA5F}	{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29BBF575-CB9C-4517-9E02-74F79C20741B}\stubpath = "C:\\Windows\\{29BBF575-CB9C-4517-9E02-74F79C20741B}.exe"	{0163B837-81FD-4a7a-AE80-E36A314CEA5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}	{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}\stubpath = "C:\\Windows\\{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe"	{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}	{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}\stubpath = "C:\\Windows\\{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe"	{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D039E1BF-BB80-4e14-A112-5B1F93865FB5}	{0D509D33-A1C5-473b-A005-A5278758C46B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0163B837-81FD-4a7a-AE80-E36A314CEA5F}\stubpath = "C:\\Windows\\{0163B837-81FD-4a7a-AE80-E36A314CEA5F}.exe"	{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32E8EE15-5E9C-411d-9CF2-DB6C3B10C5F2}	{29BBF575-CB9C-4517-9E02-74F79C20741B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32E8EE15-5E9C-411d-9CF2-DB6C3B10C5F2}\stubpath = "C:\\Windows\\{32E8EE15-5E9C-411d-9CF2-DB6C3B10C5F2}.exe"	{29BBF575-CB9C-4517-9E02-74F79C20741B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}\stubpath = "C:\\Windows\\{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe"	{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6118561B-E251-4e60-96B3-B56F4D7EE7E8}\stubpath = "C:\\Windows\\{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe"	{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D509D33-A1C5-473b-A005-A5278758C46B}	{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}\stubpath = "C:\\Windows\\{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe"	{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe

Executes dropped EXE 12 IoCs

pid	Process
2384	{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe
4132	{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe
3732	{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe
1728	{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe
2192	{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe
4128	{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe
3520	{0D509D33-A1C5-473b-A005-A5278758C46B}.exe
1760	{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe
4672	{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe
3784	{0163B837-81FD-4a7a-AE80-E36A314CEA5F}.exe
3844	{29BBF575-CB9C-4517-9E02-74F79C20741B}.exe
3228	{32E8EE15-5E9C-411d-9CF2-DB6C3B10C5F2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe	{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe
File created	C:\Windows\{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe	{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe
File created	C:\Windows\{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe	{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe
File created	C:\Windows\{0D509D33-A1C5-473b-A005-A5278758C46B}.exe	{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe
File created	C:\Windows\{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe	{0D509D33-A1C5-473b-A005-A5278758C46B}.exe
File created	C:\Windows\{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe	{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe
File created	C:\Windows\{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe
File created	C:\Windows\{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe	{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe
File created	C:\Windows\{32E8EE15-5E9C-411d-9CF2-DB6C3B10C5F2}.exe	{29BBF575-CB9C-4517-9E02-74F79C20741B}.exe
File created	C:\Windows\{0163B837-81FD-4a7a-AE80-E36A314CEA5F}.exe	{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe
File created	C:\Windows\{29BBF575-CB9C-4517-9E02-74F79C20741B}.exe	{0163B837-81FD-4a7a-AE80-E36A314CEA5F}.exe
File created	C:\Windows\{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe	{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1764	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2384	{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe
Token: SeIncBasePriorityPrivilege	4132	{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe
Token: SeIncBasePriorityPrivilege	3732	{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe
Token: SeIncBasePriorityPrivilege	1728	{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe
Token: SeIncBasePriorityPrivilege	2192	{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe
Token: SeIncBasePriorityPrivilege	4128	{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe
Token: SeIncBasePriorityPrivilege	3520	{0D509D33-A1C5-473b-A005-A5278758C46B}.exe
Token: SeIncBasePriorityPrivilege	1760	{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe
Token: SeIncBasePriorityPrivilege	4672	{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe
Token: SeIncBasePriorityPrivilege	3784	{0163B837-81FD-4a7a-AE80-E36A314CEA5F}.exe
Token: SeIncBasePriorityPrivilege	3844	{29BBF575-CB9C-4517-9E02-74F79C20741B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2384	1764	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe	89
PID 1764 wrote to memory of 2384	1764	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe	89
PID 1764 wrote to memory of 2384	1764	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe	89
PID 1764 wrote to memory of 3996	1764	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe	90
PID 1764 wrote to memory of 3996	1764	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe	90
PID 1764 wrote to memory of 3996	1764	fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe	90
PID 2384 wrote to memory of 4132	2384	{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe	91
PID 2384 wrote to memory of 4132	2384	{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe	91
PID 2384 wrote to memory of 4132	2384	{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe	91
PID 2384 wrote to memory of 2220	2384	{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe	92
PID 2384 wrote to memory of 2220	2384	{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe	92
PID 2384 wrote to memory of 2220	2384	{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe	92
PID 4132 wrote to memory of 3732	4132	{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe	95
PID 4132 wrote to memory of 3732	4132	{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe	95
PID 4132 wrote to memory of 3732	4132	{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe	95
PID 4132 wrote to memory of 1340	4132	{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe	94
PID 4132 wrote to memory of 1340	4132	{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe	94
PID 4132 wrote to memory of 1340	4132	{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe	94
PID 3732 wrote to memory of 1728	3732	{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe	96
PID 3732 wrote to memory of 1728	3732	{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe	96
PID 3732 wrote to memory of 1728	3732	{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe	96
PID 3732 wrote to memory of 712	3732	{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe	97
PID 3732 wrote to memory of 712	3732	{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe	97
PID 3732 wrote to memory of 712	3732	{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe	97
PID 1728 wrote to memory of 2192	1728	{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe	98
PID 1728 wrote to memory of 2192	1728	{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe	98
PID 1728 wrote to memory of 2192	1728	{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe	98
PID 1728 wrote to memory of 4600	1728	{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe	99
PID 1728 wrote to memory of 4600	1728	{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe	99
PID 1728 wrote to memory of 4600	1728	{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe	99
PID 2192 wrote to memory of 4128	2192	{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe	100
PID 2192 wrote to memory of 4128	2192	{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe	100
PID 2192 wrote to memory of 4128	2192	{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe	100
PID 2192 wrote to memory of 3128	2192	{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe	101
PID 2192 wrote to memory of 3128	2192	{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe	101
PID 2192 wrote to memory of 3128	2192	{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe	101
PID 4128 wrote to memory of 3520	4128	{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe	102
PID 4128 wrote to memory of 3520	4128	{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe	102
PID 4128 wrote to memory of 3520	4128	{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe	102
PID 4128 wrote to memory of 412	4128	{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe	103
PID 4128 wrote to memory of 412	4128	{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe	103
PID 4128 wrote to memory of 412	4128	{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe	103
PID 3520 wrote to memory of 1760	3520	{0D509D33-A1C5-473b-A005-A5278758C46B}.exe	104
PID 3520 wrote to memory of 1760	3520	{0D509D33-A1C5-473b-A005-A5278758C46B}.exe	104
PID 3520 wrote to memory of 1760	3520	{0D509D33-A1C5-473b-A005-A5278758C46B}.exe	104
PID 3520 wrote to memory of 2240	3520	{0D509D33-A1C5-473b-A005-A5278758C46B}.exe	105
PID 3520 wrote to memory of 2240	3520	{0D509D33-A1C5-473b-A005-A5278758C46B}.exe	105
PID 3520 wrote to memory of 2240	3520	{0D509D33-A1C5-473b-A005-A5278758C46B}.exe	105
PID 1760 wrote to memory of 4672	1760	{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe	106
PID 1760 wrote to memory of 4672	1760	{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe	106
PID 1760 wrote to memory of 4672	1760	{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe	106
PID 1760 wrote to memory of 1556	1760	{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe	107
PID 1760 wrote to memory of 1556	1760	{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe	107
PID 1760 wrote to memory of 1556	1760	{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe	107
PID 4672 wrote to memory of 3784	4672	{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe	108
PID 4672 wrote to memory of 3784	4672	{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe	108
PID 4672 wrote to memory of 3784	4672	{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe	108
PID 4672 wrote to memory of 4112	4672	{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe	109
PID 4672 wrote to memory of 4112	4672	{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe	109
PID 4672 wrote to memory of 4112	4672	{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe	109
PID 3784 wrote to memory of 3844	3784	{0163B837-81FD-4a7a-AE80-E36A314CEA5F}.exe	110
PID 3784 wrote to memory of 3844	3784	{0163B837-81FD-4a7a-AE80-E36A314CEA5F}.exe	110
PID 3784 wrote to memory of 3844	3784	{0163B837-81FD-4a7a-AE80-E36A314CEA5F}.exe	110
PID 3784 wrote to memory of 3800	3784	{0163B837-81FD-4a7a-AE80-E36A314CEA5F}.exe	111

C:\Users\Admin\AppData\Local\Temp\fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\fcc9ae0536f3d780277b4f3c3cf37a0e_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe
  C:\Windows\{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe
    C:\Windows\{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C03EA~1.EXE > nul
      4⤵
      PID:1340
  - - C:\Windows\{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe
      C:\Windows\{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3732
    - - C:\Windows\{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe
        
        C:\Windows\{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
      - C:\Windows\{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe
        
        C:\Windows\{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe
        
        C:\Windows\{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\{0D509D33-A1C5-473b-A005-A5278758C46B}.exe
        
        C:\Windows\{0D509D33-A1C5-473b-A005-A5278758C46B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe
        
        C:\Windows\{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe
        
        C:\Windows\{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\{0163B837-81FD-4a7a-AE80-E36A314CEA5F}.exe
        
        C:\Windows\{0163B837-81FD-4a7a-AE80-E36A314CEA5F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\{29BBF575-CB9C-4517-9E02-74F79C20741B}.exe
        
        C:\Windows\{29BBF575-CB9C-4517-9E02-74F79C20741B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3844
        
        C:\Windows\{32E8EE15-5E9C-411d-9CF2-DB6C3B10C5F2}.exe
        
        C:\Windows\{32E8EE15-5E9C-411d-9CF2-DB6C3B10C5F2}.exe
        13⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29BBF~1.EXE > nul
        13⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0163B~1.EXE > nul
        12⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EAD8~1.EXE > nul
        11⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D039E~1.EXE > nul
        10⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D509~1.EXE > nul
        9⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{184B9~1.EXE > nul
        8⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F6AC~1.EXE > nul
        7⤵
        
        PID:3128
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61185~1.EXE > nul
        6⤵
        
        PID:4600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1419F~1.EXE > nul
        5⤵
        
        PID:712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7A4FA~1.EXE > nul
    3⤵
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FCC9AE~1.EXE > nul
  2⤵
  PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0163B837-81FD-4a7a-AE80-E36A314CEA5F}.exe

Filesize
216KB

MD5
89883a1a6c92a4fd6495ca633869fe8a

SHA1
0bb6e2bf512e42cb5e4b111680af009bc8024db2

SHA256
7276be29541bbb6d8198ee8291828218d0fa02112404b81ca409a117bddd4c6f

SHA512
c3a36c6630a0a10436448bbbda28ba55ef69273a9bade60866e6d70fc53f1f218cd6fa16dba4af69267f6e5cb3ed15ff3b837ae1dab44e2517b5b8d9a70ea334

Download Submit
C:\Windows\{0163B837-81FD-4a7a-AE80-E36A314CEA5F}.exe

Filesize
216KB

MD5
89883a1a6c92a4fd6495ca633869fe8a

SHA1
0bb6e2bf512e42cb5e4b111680af009bc8024db2

SHA256
7276be29541bbb6d8198ee8291828218d0fa02112404b81ca409a117bddd4c6f

SHA512
c3a36c6630a0a10436448bbbda28ba55ef69273a9bade60866e6d70fc53f1f218cd6fa16dba4af69267f6e5cb3ed15ff3b837ae1dab44e2517b5b8d9a70ea334

Download Submit
C:\Windows\{0D509D33-A1C5-473b-A005-A5278758C46B}.exe

Filesize
216KB

MD5
c5d36b2b861ba86c6a587ac29a7fa4b8

SHA1
4cb5e642543cfb5216499693ed7e4ecbf121158e

SHA256
393f5b313d0463ec8ebc34ad7ffb74b78d8ad660b311db7a6af4750caabd8016

SHA512
bf9730eb2afc39b009e6cb3cb9b913b57fd72545f723b2bd56100713f7376d3a522532a659d4b65c9b235196e05aa0958fa6424e55dd8c5d6aca523c50e559e2

Download Submit
C:\Windows\{0D509D33-A1C5-473b-A005-A5278758C46B}.exe

Filesize
216KB

MD5
c5d36b2b861ba86c6a587ac29a7fa4b8

SHA1
4cb5e642543cfb5216499693ed7e4ecbf121158e

SHA256
393f5b313d0463ec8ebc34ad7ffb74b78d8ad660b311db7a6af4750caabd8016

SHA512
bf9730eb2afc39b009e6cb3cb9b913b57fd72545f723b2bd56100713f7376d3a522532a659d4b65c9b235196e05aa0958fa6424e55dd8c5d6aca523c50e559e2

Download Submit
C:\Windows\{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe

Filesize
216KB

MD5
fe9f17c7128cc8ede44e694393b7639b

SHA1
9ea9c5539c73e8203b42ab12a068d439732cb125

SHA256
6d3a4e61703e9183ff74955c41a1e0419e48d575061b2e0697e5987e9e667470

SHA512
e0ae827944cd4178c4304a6b47eab5d54bf4fd3b8860594b3901f3140c292e42e6a12cbdd49c9e8870e9c26227f94da99da15366d50e02cfd44f607e9b6229d6

Download Submit
C:\Windows\{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe

Filesize
216KB

MD5
fe9f17c7128cc8ede44e694393b7639b

SHA1
9ea9c5539c73e8203b42ab12a068d439732cb125

SHA256
6d3a4e61703e9183ff74955c41a1e0419e48d575061b2e0697e5987e9e667470

SHA512
e0ae827944cd4178c4304a6b47eab5d54bf4fd3b8860594b3901f3140c292e42e6a12cbdd49c9e8870e9c26227f94da99da15366d50e02cfd44f607e9b6229d6

Download Submit
C:\Windows\{1419FAB7-95B2-4f36-8E49-C614D68E1A9B}.exe

Filesize
216KB

MD5
fe9f17c7128cc8ede44e694393b7639b

SHA1
9ea9c5539c73e8203b42ab12a068d439732cb125

SHA256
6d3a4e61703e9183ff74955c41a1e0419e48d575061b2e0697e5987e9e667470

SHA512
e0ae827944cd4178c4304a6b47eab5d54bf4fd3b8860594b3901f3140c292e42e6a12cbdd49c9e8870e9c26227f94da99da15366d50e02cfd44f607e9b6229d6

Download Submit
C:\Windows\{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe

Filesize
216KB

MD5
154e08f70eac14a34fd8475d903c623d

SHA1
41f17c992be5f92873dce4ecdf0ead49b1c91d03

SHA256
7beb204a462ce35a18d38cdeee6e7661503387219e8eb32a339810d11b715120

SHA512
fa47ce3b6a78af7aae3ee9c7e88ae4b7b201bcfc68c25fb11230a17855c3274fc424ec02fb7215a0a13a78007d961244c2daba341c0e65026700a5dc9c7e7745

Download Submit
C:\Windows\{184B9C14-BFF1-467d-BE11-36B414CA9ACE}.exe

Filesize
216KB

MD5
154e08f70eac14a34fd8475d903c623d

SHA1
41f17c992be5f92873dce4ecdf0ead49b1c91d03

SHA256
7beb204a462ce35a18d38cdeee6e7661503387219e8eb32a339810d11b715120

SHA512
fa47ce3b6a78af7aae3ee9c7e88ae4b7b201bcfc68c25fb11230a17855c3274fc424ec02fb7215a0a13a78007d961244c2daba341c0e65026700a5dc9c7e7745

Download Submit
C:\Windows\{29BBF575-CB9C-4517-9E02-74F79C20741B}.exe

Filesize
216KB

MD5
f12186d50e06b343282b8a2f03b04fe9

SHA1
f8689098b9cfb57b89022e125782933c8587a904

SHA256
bac95f8e276e95ed0bb049b3f6ce4af6a89c3b69c6da7aa7c91dc92da135805c

SHA512
dba0d0256ac2d3567bb42e25e3ad6f0d15c55d22d27b473d4b8670894e1bcf892516fa3cdf3c3b19b6e754bb09a9a7dfa96349140887b9e3007b11a97373d608

Download Submit
C:\Windows\{29BBF575-CB9C-4517-9E02-74F79C20741B}.exe

Filesize
216KB

MD5
f12186d50e06b343282b8a2f03b04fe9

SHA1
f8689098b9cfb57b89022e125782933c8587a904

SHA256
bac95f8e276e95ed0bb049b3f6ce4af6a89c3b69c6da7aa7c91dc92da135805c

SHA512
dba0d0256ac2d3567bb42e25e3ad6f0d15c55d22d27b473d4b8670894e1bcf892516fa3cdf3c3b19b6e754bb09a9a7dfa96349140887b9e3007b11a97373d608

Download Submit
C:\Windows\{32E8EE15-5E9C-411d-9CF2-DB6C3B10C5F2}.exe

Filesize
216KB

MD5
4b351ae12c6ee25741dc3f89d78df0b6

SHA1
e9a3f70cde7fff513b1a252326966aff2f420597

SHA256
63afcce7b7d3e5c5a6ad5e8033ea518b73154a1d34c2716b3e3f812b21ed9eb2

SHA512
61b9d9a638dfd9d0ac8558c0cd65afbc80f5941f44a92f5753ccd6aa47798b74b3a3600f73835af311841a3939cb6036f5aeb577ce7d7528c561dffcedc9e756

Download Submit
C:\Windows\{32E8EE15-5E9C-411d-9CF2-DB6C3B10C5F2}.exe

Filesize
216KB

MD5
4b351ae12c6ee25741dc3f89d78df0b6

SHA1
e9a3f70cde7fff513b1a252326966aff2f420597

SHA256
63afcce7b7d3e5c5a6ad5e8033ea518b73154a1d34c2716b3e3f812b21ed9eb2

SHA512
61b9d9a638dfd9d0ac8558c0cd65afbc80f5941f44a92f5753ccd6aa47798b74b3a3600f73835af311841a3939cb6036f5aeb577ce7d7528c561dffcedc9e756

Download Submit
C:\Windows\{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe

Filesize
216KB

MD5
d1b29fcfc9a72a77744350767d1826cf

SHA1
9a50835858f1ae3c62bee9b8b6bcb222f356f97a

SHA256
02a984528b70b1294c4faf1be220dfdb7c21cc4b6349fc15ada695fcd330c038

SHA512
c1a1b54f5e945fb3d6b12730079f45739e3ffef2e6595fe1a589550c6138002a9c2e51146aa446a523848ed7cf36421df510b3caf16a86b155cda4dfbc913da5

Download Submit
C:\Windows\{5F6ACB3E-552B-4fc9-B7E9-DF831D89EACA}.exe

Filesize
216KB

MD5
d1b29fcfc9a72a77744350767d1826cf

SHA1
9a50835858f1ae3c62bee9b8b6bcb222f356f97a

SHA256
02a984528b70b1294c4faf1be220dfdb7c21cc4b6349fc15ada695fcd330c038

SHA512
c1a1b54f5e945fb3d6b12730079f45739e3ffef2e6595fe1a589550c6138002a9c2e51146aa446a523848ed7cf36421df510b3caf16a86b155cda4dfbc913da5

Download Submit
C:\Windows\{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe

Filesize
216KB

MD5
18a24af8af16399d147a0d74f50c9bbc

SHA1
a6cbc689db4f49a24785e69812b523d853dc41a4

SHA256
ff22089f4e458b76fb7277704db70cf0ca745eaf5c0be57801979b87eda028bf

SHA512
70eb7f86c7bc2a848c86e936fc198ba0f62156064e635c8256b9fafef3c4a7e272e7c37c6a9207afe42bb2b7700f7d4f5db09aaaf9a4d69c0ef45b1e0b8c6e91

Download Submit
C:\Windows\{6118561B-E251-4e60-96B3-B56F4D7EE7E8}.exe

Filesize
216KB

MD5
18a24af8af16399d147a0d74f50c9bbc

SHA1
a6cbc689db4f49a24785e69812b523d853dc41a4

SHA256
ff22089f4e458b76fb7277704db70cf0ca745eaf5c0be57801979b87eda028bf

SHA512
70eb7f86c7bc2a848c86e936fc198ba0f62156064e635c8256b9fafef3c4a7e272e7c37c6a9207afe42bb2b7700f7d4f5db09aaaf9a4d69c0ef45b1e0b8c6e91

Download Submit
C:\Windows\{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe

Filesize
216KB

MD5
c2b156cde545aa421696c8723c2618e2

SHA1
fcec4ea322419dffebcf13a9bd01659600a56081

SHA256
cbdbb85d40737d43648cb8be7d9367d30fe4cc22eab32e6babea61d6d13eb948

SHA512
fbc773f2f250704c27962bc67dedfa9ceec99186ed8cbbb281b30c93dd7c848477875842100ef3be829ebbc81ad0849c8a320e461be1ccd8ed467d332e3f498e

Download Submit
C:\Windows\{7A4FA716-9B1B-4f48-BD45-F31A5D20C9FF}.exe

Filesize
216KB

MD5
c2b156cde545aa421696c8723c2618e2

SHA1
fcec4ea322419dffebcf13a9bd01659600a56081

SHA256
cbdbb85d40737d43648cb8be7d9367d30fe4cc22eab32e6babea61d6d13eb948

SHA512
fbc773f2f250704c27962bc67dedfa9ceec99186ed8cbbb281b30c93dd7c848477875842100ef3be829ebbc81ad0849c8a320e461be1ccd8ed467d332e3f498e

Download Submit
C:\Windows\{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe

Filesize
216KB

MD5
6598abed2a25bd12aa9a49832f80d95e

SHA1
cf19c6f52dc7e2f673fab91de8efef066f372bae

SHA256
93a2dda5f53f01b55b5bd353eac0b1514f66077860adfe964a8ae11eb3144a3f

SHA512
9fce9e7b80f6a13ee5fec332cb79d9d77e4db5046bfa16bfd50ab20b3fe7abfbd0036d62b9479e7949b62669f5d4fdd97e60ee656d0e4bfbcdb119e00fe9d0a0

Download Submit
C:\Windows\{9EAD878B-8DA1-48e1-9913-9A70C8DFDEDF}.exe

Filesize
216KB

MD5
6598abed2a25bd12aa9a49832f80d95e

SHA1
cf19c6f52dc7e2f673fab91de8efef066f372bae

SHA256
93a2dda5f53f01b55b5bd353eac0b1514f66077860adfe964a8ae11eb3144a3f

SHA512
9fce9e7b80f6a13ee5fec332cb79d9d77e4db5046bfa16bfd50ab20b3fe7abfbd0036d62b9479e7949b62669f5d4fdd97e60ee656d0e4bfbcdb119e00fe9d0a0

Download Submit
C:\Windows\{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe

Filesize
216KB

MD5
c08acec2d67f5ee0a1b84e2bcf89a3d6

SHA1
e39adac5b8ed8422583892087298dfda0d875f79

SHA256
174bd6bac857ecfdacd65686510d766bc685d768bae2eb58f743a55592136cf5

SHA512
74e74ca7a1dd5148747cb525f4dae1824a28247ed1795e478dd37b1e6524a34e90620fe17a6b12afd191976ea95bbaf8094c8b5b2a37c8a64341cd55efe8b7e1

Download Submit
C:\Windows\{C03EAE7F-E324-4bbb-B1FF-9DE1C16CD2E2}.exe

Filesize
216KB

MD5
c08acec2d67f5ee0a1b84e2bcf89a3d6

SHA1
e39adac5b8ed8422583892087298dfda0d875f79

SHA256
174bd6bac857ecfdacd65686510d766bc685d768bae2eb58f743a55592136cf5

SHA512
74e74ca7a1dd5148747cb525f4dae1824a28247ed1795e478dd37b1e6524a34e90620fe17a6b12afd191976ea95bbaf8094c8b5b2a37c8a64341cd55efe8b7e1

Download Submit
C:\Windows\{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe

Filesize
216KB

MD5
bf912ad2bb9dff42cbd37a1273effa3a

SHA1
4dc2645fbb75e0c5564b1f504358146099cf9f4f

SHA256
233e3556566a81f098bd558ce0fd76f461d7f13aebd8006f1c0f684b4e7a52d1

SHA512
f90319f6127e7d858d3dc897c8f0585e5ddd0ac89e9407dfbd406544ac897ff728bc6de123ab4ed8471afc2c96dcd40edf3b226954fece779bdb9907f762324a

Download Submit
C:\Windows\{D039E1BF-BB80-4e14-A112-5B1F93865FB5}.exe

Filesize
216KB

MD5
bf912ad2bb9dff42cbd37a1273effa3a

SHA1
4dc2645fbb75e0c5564b1f504358146099cf9f4f

SHA256
233e3556566a81f098bd558ce0fd76f461d7f13aebd8006f1c0f684b4e7a52d1

SHA512
f90319f6127e7d858d3dc897c8f0585e5ddd0ac89e9407dfbd406544ac897ff728bc6de123ab4ed8471afc2c96dcd40edf3b226954fece779bdb9907f762324a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads