6efc46860291a153140982c8c4aa098f5126e05178f461982f2bd17183a60e5e

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31/08/2023, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe
Size

408KB
MD5

fdbda32eaf9086a0cb7eea9682664395
SHA1

5b1a827f9a9396e67cb4afd0d36410eebe4770a5
SHA256

6efc46860291a153140982c8c4aa098f5126e05178f461982f2bd17183a60e5e
SHA512

86874256fb80b2f8f460f0d4cb3cb7e74d0da169fb42e808e11c1f79d51122d1f4e2fe412255df071ae4bd3f259fc215dd4d6f30eef14fafca63db21bbf83ec8
SSDEEP

3072:CEGh0o2l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGcldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}\stubpath = "C:\\Windows\\{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe"	{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}\stubpath = "C:\\Windows\\{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe"	{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEA60A8F-EE74-4903-A936-F3811B02D52B}\stubpath = "C:\\Windows\\{DEA60A8F-EE74-4903-A936-F3811B02D52B}.exe"	{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}	{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5652E33-51A3-46ba-8C8D-DC7297981520}	{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5652E33-51A3-46ba-8C8D-DC7297981520}\stubpath = "C:\\Windows\\{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe"	{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}	{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D97E0EEE-6076-41d6-B042-B080A9415C8D}	{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FF6EC96-E69F-4362-AB0A-513824EB629C}	{EFF800B8-35B1-47b3-849D-44FC5350A50C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}\stubpath = "C:\\Windows\\{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe"	{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}	{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D97E0EEE-6076-41d6-B042-B080A9415C8D}\stubpath = "C:\\Windows\\{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe"	{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A62AFC5E-D3F8-41d1-A037-39904DD41068}	{DEA60A8F-EE74-4903-A936-F3811B02D52B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFF800B8-35B1-47b3-849D-44FC5350A50C}	{A62AFC5E-D3F8-41d1-A037-39904DD41068}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFF800B8-35B1-47b3-849D-44FC5350A50C}\stubpath = "C:\\Windows\\{EFF800B8-35B1-47b3-849D-44FC5350A50C}.exe"	{A62AFC5E-D3F8-41d1-A037-39904DD41068}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FF6EC96-E69F-4362-AB0A-513824EB629C}\stubpath = "C:\\Windows\\{6FF6EC96-E69F-4362-AB0A-513824EB629C}.exe"	{EFF800B8-35B1-47b3-849D-44FC5350A50C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7014C871-6E57-462c-82E1-F7CB17E9E542}	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7014C871-6E57-462c-82E1-F7CB17E9E542}\stubpath = "C:\\Windows\\{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe"	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06C2C435-A55A-4695-8CFC-6FE75FE81A81}	{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06C2C435-A55A-4695-8CFC-6FE75FE81A81}\stubpath = "C:\\Windows\\{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe"	{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEA60A8F-EE74-4903-A936-F3811B02D52B}	{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A62AFC5E-D3F8-41d1-A037-39904DD41068}\stubpath = "C:\\Windows\\{A62AFC5E-D3F8-41d1-A037-39904DD41068}.exe"	{DEA60A8F-EE74-4903-A936-F3811B02D52B}.exe

Deletes itself 1 IoCs

pid	Process
1208	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2872	{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe
2876	{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe
2128	{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe
2852	{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe
2728	{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe
2152	{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe
108	{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe
1112	{DEA60A8F-EE74-4903-A936-F3811B02D52B}.exe
3004	{A62AFC5E-D3F8-41d1-A037-39904DD41068}.exe
2940	{EFF800B8-35B1-47b3-849D-44FC5350A50C}.exe
1084	{6FF6EC96-E69F-4362-AB0A-513824EB629C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe	{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe
File created	C:\Windows\{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe	{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe
File created	C:\Windows\{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe	{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe
File created	C:\Windows\{DEA60A8F-EE74-4903-A936-F3811B02D52B}.exe	{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe
File created	C:\Windows\{6FF6EC96-E69F-4362-AB0A-513824EB629C}.exe	{EFF800B8-35B1-47b3-849D-44FC5350A50C}.exe
File created	C:\Windows\{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe
File created	C:\Windows\{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe	{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe
File created	C:\Windows\{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe	{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe
File created	C:\Windows\{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe	{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe
File created	C:\Windows\{A62AFC5E-D3F8-41d1-A037-39904DD41068}.exe	{DEA60A8F-EE74-4903-A936-F3811B02D52B}.exe
File created	C:\Windows\{EFF800B8-35B1-47b3-849D-44FC5350A50C}.exe	{A62AFC5E-D3F8-41d1-A037-39904DD41068}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1996	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2872	{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe
Token: SeIncBasePriorityPrivilege	2876	{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe
Token: SeIncBasePriorityPrivilege	2128	{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe
Token: SeIncBasePriorityPrivilege	2852	{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe
Token: SeIncBasePriorityPrivilege	2728	{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe
Token: SeIncBasePriorityPrivilege	2152	{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe
Token: SeIncBasePriorityPrivilege	108	{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe
Token: SeIncBasePriorityPrivilege	1112	{DEA60A8F-EE74-4903-A936-F3811B02D52B}.exe
Token: SeIncBasePriorityPrivilege	3004	{A62AFC5E-D3F8-41d1-A037-39904DD41068}.exe
Token: SeIncBasePriorityPrivilege	2940	{EFF800B8-35B1-47b3-849D-44FC5350A50C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2872	1996	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe	28
PID 1996 wrote to memory of 2872	1996	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe	28
PID 1996 wrote to memory of 2872	1996	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe	28
PID 1996 wrote to memory of 2872	1996	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe	28
PID 1996 wrote to memory of 1208	1996	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe	29
PID 1996 wrote to memory of 1208	1996	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe	29
PID 1996 wrote to memory of 1208	1996	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe	29
PID 1996 wrote to memory of 1208	1996	fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe	29
PID 2872 wrote to memory of 2876	2872	{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe	32
PID 2872 wrote to memory of 2876	2872	{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe	32
PID 2872 wrote to memory of 2876	2872	{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe	32
PID 2872 wrote to memory of 2876	2872	{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe	32
PID 2872 wrote to memory of 3060	2872	{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe	33
PID 2872 wrote to memory of 3060	2872	{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe	33
PID 2872 wrote to memory of 3060	2872	{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe	33
PID 2872 wrote to memory of 3060	2872	{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe	33
PID 2876 wrote to memory of 2128	2876	{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe	34
PID 2876 wrote to memory of 2128	2876	{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe	34
PID 2876 wrote to memory of 2128	2876	{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe	34
PID 2876 wrote to memory of 2128	2876	{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe	34
PID 2876 wrote to memory of 3020	2876	{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe	35
PID 2876 wrote to memory of 3020	2876	{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe	35
PID 2876 wrote to memory of 3020	2876	{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe	35
PID 2876 wrote to memory of 3020	2876	{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe	35
PID 2128 wrote to memory of 2852	2128	{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe	36
PID 2128 wrote to memory of 2852	2128	{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe	36
PID 2128 wrote to memory of 2852	2128	{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe	36
PID 2128 wrote to memory of 2852	2128	{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe	36
PID 2128 wrote to memory of 2684	2128	{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe	37
PID 2128 wrote to memory of 2684	2128	{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe	37
PID 2128 wrote to memory of 2684	2128	{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe	37
PID 2128 wrote to memory of 2684	2128	{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe	37
PID 2852 wrote to memory of 2728	2852	{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe	38
PID 2852 wrote to memory of 2728	2852	{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe	38
PID 2852 wrote to memory of 2728	2852	{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe	38
PID 2852 wrote to memory of 2728	2852	{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe	38
PID 2852 wrote to memory of 2808	2852	{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe	39
PID 2852 wrote to memory of 2808	2852	{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe	39
PID 2852 wrote to memory of 2808	2852	{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe	39
PID 2852 wrote to memory of 2808	2852	{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe	39
PID 2728 wrote to memory of 2152	2728	{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe	40
PID 2728 wrote to memory of 2152	2728	{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe	40
PID 2728 wrote to memory of 2152	2728	{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe	40
PID 2728 wrote to memory of 2152	2728	{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe	40
PID 2728 wrote to memory of 1752	2728	{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe	41
PID 2728 wrote to memory of 1752	2728	{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe	41
PID 2728 wrote to memory of 1752	2728	{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe	41
PID 2728 wrote to memory of 1752	2728	{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe	41
PID 2152 wrote to memory of 108	2152	{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe	43
PID 2152 wrote to memory of 108	2152	{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe	43
PID 2152 wrote to memory of 108	2152	{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe	43
PID 2152 wrote to memory of 108	2152	{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe	43
PID 2152 wrote to memory of 608	2152	{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe	42
PID 2152 wrote to memory of 608	2152	{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe	42
PID 2152 wrote to memory of 608	2152	{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe	42
PID 2152 wrote to memory of 608	2152	{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe	42
PID 108 wrote to memory of 1112	108	{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe	44
PID 108 wrote to memory of 1112	108	{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe	44
PID 108 wrote to memory of 1112	108	{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe	44
PID 108 wrote to memory of 1112	108	{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe	44
PID 108 wrote to memory of 2028	108	{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe	45
PID 108 wrote to memory of 2028	108	{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe	45
PID 108 wrote to memory of 2028	108	{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe	45
PID 108 wrote to memory of 2028	108	{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe	45

C:\Users\Admin\AppData\Local\Temp\fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\fdbda32eaf9086a0cb7eea9682664395_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe
  C:\Windows\{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe
    C:\Windows\{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe
      C:\Windows\{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe
        
        C:\Windows\{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe
        
        C:\Windows\{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe
        
        C:\Windows\{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D97E0~1.EXE > nul
        8⤵
        
        PID:608
        
        C:\Windows\{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe
        
        C:\Windows\{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:108
        
        C:\Windows\{DEA60A8F-EE74-4903-A936-F3811B02D52B}.exe
        
        C:\Windows\{DEA60A8F-EE74-4903-A936-F3811B02D52B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\{A62AFC5E-D3F8-41d1-A037-39904DD41068}.exe
        
        C:\Windows\{A62AFC5E-D3F8-41d1-A037-39904DD41068}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\{EFF800B8-35B1-47b3-849D-44FC5350A50C}.exe
        
        C:\Windows\{EFF800B8-35B1-47b3-849D-44FC5350A50C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\{6FF6EC96-E69F-4362-AB0A-513824EB629C}.exe
        
        C:\Windows\{6FF6EC96-E69F-4362-AB0A-513824EB629C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFF80~1.EXE > nul
        12⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A62AF~1.EXE > nul
        11⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEA60~1.EXE > nul
        10⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06C2C~1.EXE > nul
        9⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71BE1~1.EXE > nul
        7⤵
        
        PID:1752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5652~1.EXE > nul
        6⤵
        
        PID:2808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5E9C~1.EXE > nul
        5⤵
        
        PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{62B75~1.EXE > nul
      4⤵
      PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7014C~1.EXE > nul
    3⤵
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FDBDA3~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe

Filesize
408KB

MD5
fad9e6f12e1be2b9f29020bdb7962265

SHA1
09aa8cad4f96104be7672724e30d6cad51315d5a

SHA256
b61c02f9826e5da34e3b6d073a459a86dbd6df1544161fe1a37f7558e1c24a6b

SHA512
2473cc1d49f050733ff61544d6ac1c45058448d7eb2d7975f37e60facc7a792399b738619a75739b337f3ebaacd96e6cc0e5e62f9cea893b4e8fc5d444ebf783

Download Submit
C:\Windows\{06C2C435-A55A-4695-8CFC-6FE75FE81A81}.exe

Filesize
408KB

MD5
fad9e6f12e1be2b9f29020bdb7962265

SHA1
09aa8cad4f96104be7672724e30d6cad51315d5a

SHA256
b61c02f9826e5da34e3b6d073a459a86dbd6df1544161fe1a37f7558e1c24a6b

SHA512
2473cc1d49f050733ff61544d6ac1c45058448d7eb2d7975f37e60facc7a792399b738619a75739b337f3ebaacd96e6cc0e5e62f9cea893b4e8fc5d444ebf783

Download Submit
C:\Windows\{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe

Filesize
408KB

MD5
21297091e438431a6d04ff1730cad8fc

SHA1
3a03f83b19c2684670703836c2600fbaf82a92c5

SHA256
f095dd7f839d0392db711d0edf76c1cc0deafcd7df4d6897a8f6f30e5f86a441

SHA512
26741955ebceac1f08ddeae4fa2db1c2b5b9956bfcc4c38ada9f04afdb8e537c2817671fa67b10da6029df539213688ad99c2e53b59081d89e6adebb2acf971d

Download Submit
C:\Windows\{62B7585E-E9AA-40e6-9D3D-3B046D125F5E}.exe

Filesize
408KB

MD5
21297091e438431a6d04ff1730cad8fc

SHA1
3a03f83b19c2684670703836c2600fbaf82a92c5

SHA256
f095dd7f839d0392db711d0edf76c1cc0deafcd7df4d6897a8f6f30e5f86a441

SHA512
26741955ebceac1f08ddeae4fa2db1c2b5b9956bfcc4c38ada9f04afdb8e537c2817671fa67b10da6029df539213688ad99c2e53b59081d89e6adebb2acf971d

Download Submit
C:\Windows\{6FF6EC96-E69F-4362-AB0A-513824EB629C}.exe

Filesize
408KB

MD5
7da5ba0aac558d8425f0666f983adba0

SHA1
e1b87ae965f15ba819b0380df86389c62e3e49c1

SHA256
577ac8ceb828b8a280e1728d6483d00f0847a84cfbc4d01321bdb23d3f8ea3d3

SHA512
70d329056bc505ac144b6de5755287408bc20caf16a4744141b374ce8f941b202773e08994859ba2656a1e99b6cadb4fe5b2897d4b13e7064b7e8605ccdc6a7a

Download Submit
C:\Windows\{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe

Filesize
408KB

MD5
08fedf792229e8b50dd71d4f191690db

SHA1
fc88e744488f1c61408a10f95b4279d0e6c41a1a

SHA256
0a3351adcf5b047db50be883541e874ae11b168b8c1f613dfdaad87b188dc91c

SHA512
36bed361d677c9605dfac4b5cc5fc851d0b23af839486b2306f2cf7d9bbd9da3f1f33d12edb37179054f702c45451cfa732cb6754b181fb845f387e9093cc5e0

Download Submit
C:\Windows\{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe

Filesize
408KB

MD5
08fedf792229e8b50dd71d4f191690db

SHA1
fc88e744488f1c61408a10f95b4279d0e6c41a1a

SHA256
0a3351adcf5b047db50be883541e874ae11b168b8c1f613dfdaad87b188dc91c

SHA512
36bed361d677c9605dfac4b5cc5fc851d0b23af839486b2306f2cf7d9bbd9da3f1f33d12edb37179054f702c45451cfa732cb6754b181fb845f387e9093cc5e0

Download Submit
C:\Windows\{7014C871-6E57-462c-82E1-F7CB17E9E542}.exe

Filesize
408KB

MD5
08fedf792229e8b50dd71d4f191690db

SHA1
fc88e744488f1c61408a10f95b4279d0e6c41a1a

SHA256
0a3351adcf5b047db50be883541e874ae11b168b8c1f613dfdaad87b188dc91c

SHA512
36bed361d677c9605dfac4b5cc5fc851d0b23af839486b2306f2cf7d9bbd9da3f1f33d12edb37179054f702c45451cfa732cb6754b181fb845f387e9093cc5e0

Download Submit
C:\Windows\{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe

Filesize
408KB

MD5
fe91484ed3a7f427dce7a4ec3f18464c

SHA1
a9f56da3c2d88f24e88bb326ea8786e0c7afe29e

SHA256
af7182f5cfbaeef0640cff4d2783d4d8be1f879e9c762374b0e2cffba09c2065

SHA512
60a8944d08a64ec3f5d88afff873b6ece53abb16191c9257b8e4c5acbb896b2f92b1eff392a0c323f6e591806d348de28d2c2dbce67c685583cf732f96a5b3e7

Download Submit
C:\Windows\{71BE18E7-6DE0-4db1-9B77-47EA87D5D3EC}.exe

Filesize
408KB

MD5
fe91484ed3a7f427dce7a4ec3f18464c

SHA1
a9f56da3c2d88f24e88bb326ea8786e0c7afe29e

SHA256
af7182f5cfbaeef0640cff4d2783d4d8be1f879e9c762374b0e2cffba09c2065

SHA512
60a8944d08a64ec3f5d88afff873b6ece53abb16191c9257b8e4c5acbb896b2f92b1eff392a0c323f6e591806d348de28d2c2dbce67c685583cf732f96a5b3e7

Download Submit
C:\Windows\{A62AFC5E-D3F8-41d1-A037-39904DD41068}.exe

Filesize
408KB

MD5
de0140a3f15e8d1f2f17781e0445d429

SHA1
1ec1f497689af03694275152cce246f51d771b60

SHA256
7f44361bcfdc1c0c4c90480bc6f54b7a548dd1ef4e38bdac39325e77bd8e2c53

SHA512
67fcdfa7d37872bcffbcb3a5e15a915822750048809b76788a2a1014347c3685acb720894dd1e19a4b95a9a63bea02b91f277361c20ab737df2121e3c978ecbb

Download Submit
C:\Windows\{A62AFC5E-D3F8-41d1-A037-39904DD41068}.exe

Filesize
408KB

MD5
de0140a3f15e8d1f2f17781e0445d429

SHA1
1ec1f497689af03694275152cce246f51d771b60

SHA256
7f44361bcfdc1c0c4c90480bc6f54b7a548dd1ef4e38bdac39325e77bd8e2c53

SHA512
67fcdfa7d37872bcffbcb3a5e15a915822750048809b76788a2a1014347c3685acb720894dd1e19a4b95a9a63bea02b91f277361c20ab737df2121e3c978ecbb

Download Submit
C:\Windows\{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe

Filesize
408KB

MD5
08bc276464995cf5fea46bd59b0a9ce5

SHA1
742439fd9a6e2c33dbc833cefa37bbe16c7030bd

SHA256
d3245f55288a4ea24b12e02b6add1c537c7fc7d7d38b352efc0eabdd22387eec

SHA512
75288c2e8d072804c2b9cdb4c18d4cfe427e50c1588e4e7863b81a51b792f87a0ad23b3a16ad0efd6879de5cf4032c41b742b596bbfba7f8fdb6d6be954d15ff

Download Submit
C:\Windows\{C5E9CCD3-2044-4fea-8BAB-1F5DD0BC8089}.exe

Filesize
408KB

MD5
08bc276464995cf5fea46bd59b0a9ce5

SHA1
742439fd9a6e2c33dbc833cefa37bbe16c7030bd

SHA256
d3245f55288a4ea24b12e02b6add1c537c7fc7d7d38b352efc0eabdd22387eec

SHA512
75288c2e8d072804c2b9cdb4c18d4cfe427e50c1588e4e7863b81a51b792f87a0ad23b3a16ad0efd6879de5cf4032c41b742b596bbfba7f8fdb6d6be954d15ff

Download Submit
C:\Windows\{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe

Filesize
408KB

MD5
11f30ba299c6b34acab427e86ee82797

SHA1
d7e70e6a64eae47f4de038d2cf93fbd09bf2d28d

SHA256
405a38972233a120ef939e971346a35476ac5648ab3c4ee0e2f54f9d1e9c8a93

SHA512
cf83eef032b7210e763d9a6df27d3b43a0e865e40f5038d664ad38aa4bb504fc178b9dae6f1cefbe21329eca5293b8b95a5cdd792c80757123391147bf50489b

Download Submit
C:\Windows\{D97E0EEE-6076-41d6-B042-B080A9415C8D}.exe

Filesize
408KB

MD5
11f30ba299c6b34acab427e86ee82797

SHA1
d7e70e6a64eae47f4de038d2cf93fbd09bf2d28d

SHA256
405a38972233a120ef939e971346a35476ac5648ab3c4ee0e2f54f9d1e9c8a93

SHA512
cf83eef032b7210e763d9a6df27d3b43a0e865e40f5038d664ad38aa4bb504fc178b9dae6f1cefbe21329eca5293b8b95a5cdd792c80757123391147bf50489b

Download Submit
C:\Windows\{DEA60A8F-EE74-4903-A936-F3811B02D52B}.exe

Filesize
408KB

MD5
3aad7ea1c7b9d9a5c33955b33682dfc0

SHA1
c72c21d282ba302111739780e2abb6c795c26896

SHA256
f094c7a93c4bf360027773a98ba17d30fc7bf395cb6473fb55a1cedfcb7d6ed1

SHA512
e9e7e5a191e00b272bd256e6822f8d2d5a5e5574bf0f8065470a37dc89299b1749ea25a2c7898ad71eca613d7eaf2fcc2dc9f7840c0a8458be946a7c4515a9f6

Download Submit
C:\Windows\{DEA60A8F-EE74-4903-A936-F3811B02D52B}.exe

Filesize
408KB

MD5
3aad7ea1c7b9d9a5c33955b33682dfc0

SHA1
c72c21d282ba302111739780e2abb6c795c26896

SHA256
f094c7a93c4bf360027773a98ba17d30fc7bf395cb6473fb55a1cedfcb7d6ed1

SHA512
e9e7e5a191e00b272bd256e6822f8d2d5a5e5574bf0f8065470a37dc89299b1749ea25a2c7898ad71eca613d7eaf2fcc2dc9f7840c0a8458be946a7c4515a9f6

Download Submit
C:\Windows\{EFF800B8-35B1-47b3-849D-44FC5350A50C}.exe

Filesize
408KB

MD5
0af361d64b524dfe4db3dff3b6a18627

SHA1
d2a8ae9fa00d11bace916762f1c1d0aa0b0ed6a8

SHA256
8c637f5f4dc3f02bf55658bdd980274f8153ab37128399dd74484282eaed9349

SHA512
5ccce7e8d177308539eee41495a15d3b49c0221713f3bf1fb16ddb3cc81f3e8094fb4bfe88590ea640930bed68c5390053b4bc5ab49c5eed38716d379bafbd34

Download Submit
C:\Windows\{EFF800B8-35B1-47b3-849D-44FC5350A50C}.exe

Filesize
408KB

MD5
0af361d64b524dfe4db3dff3b6a18627

SHA1
d2a8ae9fa00d11bace916762f1c1d0aa0b0ed6a8

SHA256
8c637f5f4dc3f02bf55658bdd980274f8153ab37128399dd74484282eaed9349

SHA512
5ccce7e8d177308539eee41495a15d3b49c0221713f3bf1fb16ddb3cc81f3e8094fb4bfe88590ea640930bed68c5390053b4bc5ab49c5eed38716d379bafbd34

Download Submit
C:\Windows\{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe

Filesize
408KB

MD5
b67eaf207f59d07bcf05ffb514533062

SHA1
1016df36b745bdf8fd2bf4c0a8718fb44dea5f7f

SHA256
7e115809c260fbddc0710df556b3f3bb2b526d5c6a9d881b2696ac9e4f863f39

SHA512
4103761ea40edbbaff65e98aedf1667adb249c37eeee0e6fb4873f8db7e39c6e4a36cd7fff15d8bc8f98a0e042d43660c262ec1ffb76322e752c83255fc7a102

Download Submit
C:\Windows\{F5652E33-51A3-46ba-8C8D-DC7297981520}.exe

Filesize
408KB

MD5
b67eaf207f59d07bcf05ffb514533062

SHA1
1016df36b745bdf8fd2bf4c0a8718fb44dea5f7f

SHA256
7e115809c260fbddc0710df556b3f3bb2b526d5c6a9d881b2696ac9e4f863f39

SHA512
4103761ea40edbbaff65e98aedf1667adb249c37eeee0e6fb4873f8db7e39c6e4a36cd7fff15d8bc8f98a0e042d43660c262ec1ffb76322e752c83255fc7a102

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads