41e5ac9936fb77ca125b226e9d08cca6e200e6aba1a0b296d8b463bc652c407a

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/09/2023, 15:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_19d96b40e5aec8a9db5a0ba86f7e5569_goldeneye_JC.exe
Size

192KB
MD5

19d96b40e5aec8a9db5a0ba86f7e5569
SHA1

ace117911a9f999652ec20fcc1b153fe5a887ee5
SHA256

41e5ac9936fb77ca125b226e9d08cca6e200e6aba1a0b296d8b463bc652c407a
SHA512

03c5109adfdc19ac1d4a283b89e00fc6a8a939635c2c104dab2c13743c462d34d11c6b8150e107e4b4b8eee23fa4f0ad5cc6f2c83d671dcaf7bb3f036275b697
SSDEEP

1536:1EGh0oFLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0opl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EFD5D46-1B73-4315-A44D-A0A9665B82FD}	{313AD82F-F276-4562-97C2-24135A67BE95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AA9F32E-35F0-417a-93C8-0E56D62279B0}\stubpath = "C:\\Windows\\{5AA9F32E-35F0-417a-93C8-0E56D62279B0}.exe"	{1A9DCE02-9FD0-442f-B758-6AC7D219FD96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34282C8B-228A-464f-B04D-520D290E2ED8}	{5AA9F32E-35F0-417a-93C8-0E56D62279B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}\stubpath = "C:\\Windows\\{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe"	2023-08-22_19d96b40e5aec8a9db5a0ba86f7e5569_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5644283D-040B-4eee-B153-71BFFF87C505}\stubpath = "C:\\Windows\\{5644283D-040B-4eee-B153-71BFFF87C505}.exe"	{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}	{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{628897BD-1B1C-44f7-B523-C1B293EF953E}	{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{628897BD-1B1C-44f7-B523-C1B293EF953E}\stubpath = "C:\\Windows\\{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe"	{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C885838-93AF-4536-8EAC-A5AA8C26C10E}	{5644283D-040B-4eee-B153-71BFFF87C505}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{313AD82F-F276-4562-97C2-24135A67BE95}	{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EFD5D46-1B73-4315-A44D-A0A9665B82FD}\stubpath = "C:\\Windows\\{3EFD5D46-1B73-4315-A44D-A0A9665B82FD}.exe"	{313AD82F-F276-4562-97C2-24135A67BE95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A9DCE02-9FD0-442f-B758-6AC7D219FD96}\stubpath = "C:\\Windows\\{1A9DCE02-9FD0-442f-B758-6AC7D219FD96}.exe"	{3EFD5D46-1B73-4315-A44D-A0A9665B82FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C885838-93AF-4536-8EAC-A5AA8C26C10E}\stubpath = "C:\\Windows\\{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe"	{5644283D-040B-4eee-B153-71BFFF87C505}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC2C8E94-F553-4d55-9F19-4EEB493DF617}	{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC2C8E94-F553-4d55-9F19-4EEB493DF617}\stubpath = "C:\\Windows\\{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe"	{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{313AD82F-F276-4562-97C2-24135A67BE95}\stubpath = "C:\\Windows\\{313AD82F-F276-4562-97C2-24135A67BE95}.exe"	{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AA9F32E-35F0-417a-93C8-0E56D62279B0}	{1A9DCE02-9FD0-442f-B758-6AC7D219FD96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}	2023-08-22_19d96b40e5aec8a9db5a0ba86f7e5569_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5644283D-040B-4eee-B153-71BFFF87C505}	{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}\stubpath = "C:\\Windows\\{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe"	{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A9DCE02-9FD0-442f-B758-6AC7D219FD96}	{3EFD5D46-1B73-4315-A44D-A0A9665B82FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34282C8B-228A-464f-B04D-520D290E2ED8}\stubpath = "C:\\Windows\\{34282C8B-228A-464f-B04D-520D290E2ED8}.exe"	{5AA9F32E-35F0-417a-93C8-0E56D62279B0}.exe

Deletes itself 1 IoCs

pid	Process
2096	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2224	{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe
2628	{5644283D-040B-4eee-B153-71BFFF87C505}.exe
2744	{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe
2556	{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe
2576	{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe
2588	{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe
848	{313AD82F-F276-4562-97C2-24135A67BE95}.exe
2912	{3EFD5D46-1B73-4315-A44D-A0A9665B82FD}.exe
1628	{1A9DCE02-9FD0-442f-B758-6AC7D219FD96}.exe
1072	{5AA9F32E-35F0-417a-93C8-0E56D62279B0}.exe
1596	{34282C8B-228A-464f-B04D-520D290E2ED8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3EFD5D46-1B73-4315-A44D-A0A9665B82FD}.exe	{313AD82F-F276-4562-97C2-24135A67BE95}.exe
File created	C:\Windows\{5AA9F32E-35F0-417a-93C8-0E56D62279B0}.exe	{1A9DCE02-9FD0-442f-B758-6AC7D219FD96}.exe
File created	C:\Windows\{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe	2023-08-22_19d96b40e5aec8a9db5a0ba86f7e5569_goldeneye_JC.exe
File created	C:\Windows\{5644283D-040B-4eee-B153-71BFFF87C505}.exe	{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe
File created	C:\Windows\{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe	{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe
File created	C:\Windows\{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe	{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe
File created	C:\Windows\{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe	{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe
File created	C:\Windows\{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe	{5644283D-040B-4eee-B153-71BFFF87C505}.exe
File created	C:\Windows\{313AD82F-F276-4562-97C2-24135A67BE95}.exe	{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe
File created	C:\Windows\{1A9DCE02-9FD0-442f-B758-6AC7D219FD96}.exe	{3EFD5D46-1B73-4315-A44D-A0A9665B82FD}.exe
File created	C:\Windows\{34282C8B-228A-464f-B04D-520D290E2ED8}.exe	{5AA9F32E-35F0-417a-93C8-0E56D62279B0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2204	2023-08-22_19d96b40e5aec8a9db5a0ba86f7e5569_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2224	{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe
Token: SeIncBasePriorityPrivilege	2628	{5644283D-040B-4eee-B153-71BFFF87C505}.exe
Token: SeIncBasePriorityPrivilege	2744	{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe
Token: SeIncBasePriorityPrivilege	2556	{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe
Token: SeIncBasePriorityPrivilege	2576	{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe
Token: SeIncBasePriorityPrivilege	2588	{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe
Token: SeIncBasePriorityPrivilege	848	{313AD82F-F276-4562-97C2-24135A67BE95}.exe
Token: SeIncBasePriorityPrivilege	2912	{3EFD5D46-1B73-4315-A44D-A0A9665B82FD}.exe
Token: SeIncBasePriorityPrivilege	1628	{1A9DCE02-9FD0-442f-B758-6AC7D219FD96}.exe
Token: SeIncBasePriorityPrivilege	1072	{5AA9F32E-35F0-417a-93C8-0E56D62279B0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2224	2204	2023-08-22_19d96b40e5aec8a9db5a0ba86f7e5569_goldeneye_JC.exe	28
PID 2204 wrote to memory of 2224	2204	2023-08-22_19d96b40e5aec8a9db5a0ba86f7e5569_goldeneye_JC.exe	28
PID 2204 wrote to memory of 2224	2204	2023-08-22_19d96b40e5aec8a9db5a0ba86f7e5569_goldeneye_JC.exe	28
PID 2204 wrote to memory of 2224	2204	2023-08-22_19d96b40e5aec8a9db5a0ba86f7e5569_goldeneye_JC.exe	28
PID 2204 wrote to memory of 2096	2204	2023-08-22_19d96b40e5aec8a9db5a0ba86f7e5569_goldeneye_JC.exe	29
PID 2204 wrote to memory of 2096	2204	2023-08-22_19d96b40e5aec8a9db5a0ba86f7e5569_goldeneye_JC.exe	29
PID 2204 wrote to memory of 2096	2204	2023-08-22_19d96b40e5aec8a9db5a0ba86f7e5569_goldeneye_JC.exe	29
PID 2204 wrote to memory of 2096	2204	2023-08-22_19d96b40e5aec8a9db5a0ba86f7e5569_goldeneye_JC.exe	29
PID 2224 wrote to memory of 2628	2224	{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe	30
PID 2224 wrote to memory of 2628	2224	{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe	30
PID 2224 wrote to memory of 2628	2224	{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe	30
PID 2224 wrote to memory of 2628	2224	{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe	30
PID 2224 wrote to memory of 2720	2224	{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe	31
PID 2224 wrote to memory of 2720	2224	{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe	31
PID 2224 wrote to memory of 2720	2224	{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe	31
PID 2224 wrote to memory of 2720	2224	{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe	31
PID 2628 wrote to memory of 2744	2628	{5644283D-040B-4eee-B153-71BFFF87C505}.exe	32
PID 2628 wrote to memory of 2744	2628	{5644283D-040B-4eee-B153-71BFFF87C505}.exe	32
PID 2628 wrote to memory of 2744	2628	{5644283D-040B-4eee-B153-71BFFF87C505}.exe	32
PID 2628 wrote to memory of 2744	2628	{5644283D-040B-4eee-B153-71BFFF87C505}.exe	32
PID 2628 wrote to memory of 2680	2628	{5644283D-040B-4eee-B153-71BFFF87C505}.exe	33
PID 2628 wrote to memory of 2680	2628	{5644283D-040B-4eee-B153-71BFFF87C505}.exe	33
PID 2628 wrote to memory of 2680	2628	{5644283D-040B-4eee-B153-71BFFF87C505}.exe	33
PID 2628 wrote to memory of 2680	2628	{5644283D-040B-4eee-B153-71BFFF87C505}.exe	33
PID 2744 wrote to memory of 2556	2744	{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe	36
PID 2744 wrote to memory of 2556	2744	{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe	36
PID 2744 wrote to memory of 2556	2744	{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe	36
PID 2744 wrote to memory of 2556	2744	{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe	36
PID 2744 wrote to memory of 2900	2744	{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe	37
PID 2744 wrote to memory of 2900	2744	{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe	37
PID 2744 wrote to memory of 2900	2744	{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe	37
PID 2744 wrote to memory of 2900	2744	{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe	37
PID 2556 wrote to memory of 2576	2556	{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe	38
PID 2556 wrote to memory of 2576	2556	{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe	38
PID 2556 wrote to memory of 2576	2556	{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe	38
PID 2556 wrote to memory of 2576	2556	{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe	38
PID 2556 wrote to memory of 2532	2556	{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe	39
PID 2556 wrote to memory of 2532	2556	{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe	39
PID 2556 wrote to memory of 2532	2556	{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe	39
PID 2556 wrote to memory of 2532	2556	{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe	39
PID 2576 wrote to memory of 2588	2576	{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe	40
PID 2576 wrote to memory of 2588	2576	{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe	40
PID 2576 wrote to memory of 2588	2576	{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe	40
PID 2576 wrote to memory of 2588	2576	{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe	40
PID 2576 wrote to memory of 3024	2576	{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe	41
PID 2576 wrote to memory of 3024	2576	{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe	41
PID 2576 wrote to memory of 3024	2576	{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe	41
PID 2576 wrote to memory of 3024	2576	{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe	41
PID 2588 wrote to memory of 848	2588	{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe	42
PID 2588 wrote to memory of 848	2588	{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe	42
PID 2588 wrote to memory of 848	2588	{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe	42
PID 2588 wrote to memory of 848	2588	{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe	42
PID 2588 wrote to memory of 2408	2588	{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe	43
PID 2588 wrote to memory of 2408	2588	{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe	43
PID 2588 wrote to memory of 2408	2588	{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe	43
PID 2588 wrote to memory of 2408	2588	{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe	43
PID 848 wrote to memory of 2912	848	{313AD82F-F276-4562-97C2-24135A67BE95}.exe	45
PID 848 wrote to memory of 2912	848	{313AD82F-F276-4562-97C2-24135A67BE95}.exe	45
PID 848 wrote to memory of 2912	848	{313AD82F-F276-4562-97C2-24135A67BE95}.exe	45
PID 848 wrote to memory of 2912	848	{313AD82F-F276-4562-97C2-24135A67BE95}.exe	45
PID 848 wrote to memory of 3052	848	{313AD82F-F276-4562-97C2-24135A67BE95}.exe	44
PID 848 wrote to memory of 3052	848	{313AD82F-F276-4562-97C2-24135A67BE95}.exe	44
PID 848 wrote to memory of 3052	848	{313AD82F-F276-4562-97C2-24135A67BE95}.exe	44
PID 848 wrote to memory of 3052	848	{313AD82F-F276-4562-97C2-24135A67BE95}.exe	44

C:\Users\Admin\AppData\Local\Temp\2023-08-22_19d96b40e5aec8a9db5a0ba86f7e5569_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_19d96b40e5aec8a9db5a0ba86f7e5569_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe
  C:\Windows\{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\{5644283D-040B-4eee-B153-71BFFF87C505}.exe
    C:\Windows\{5644283D-040B-4eee-B153-71BFFF87C505}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe
      C:\Windows\{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe
        
        C:\Windows\{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe
        
        C:\Windows\{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe
        
        C:\Windows\{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\{313AD82F-F276-4562-97C2-24135A67BE95}.exe
        
        C:\Windows\{313AD82F-F276-4562-97C2-24135A67BE95}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{313AD~1.EXE > nul
        9⤵
        
        PID:3052
        
        C:\Windows\{3EFD5D46-1B73-4315-A44D-A0A9665B82FD}.exe
        
        C:\Windows\{3EFD5D46-1B73-4315-A44D-A0A9665B82FD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EFD5~1.EXE > nul
        10⤵
        
        PID:1888
        
        C:\Windows\{1A9DCE02-9FD0-442f-B758-6AC7D219FD96}.exe
        
        C:\Windows\{1A9DCE02-9FD0-442f-B758-6AC7D219FD96}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\{5AA9F32E-35F0-417a-93C8-0E56D62279B0}.exe
        
        C:\Windows\{5AA9F32E-35F0-417a-93C8-0E56D62279B0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AA9F~1.EXE > nul
        12⤵
        
        PID:1096
        
        C:\Windows\{34282C8B-228A-464f-B04D-520D290E2ED8}.exe
        
        C:\Windows\{34282C8B-228A-464f-B04D-520D290E2ED8}.exe
        12⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A9DC~1.EXE > nul
        11⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62889~1.EXE > nul
        8⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC2C8~1.EXE > nul
        7⤵
        
        PID:3024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3C49~1.EXE > nul
        6⤵
        
        PID:2532
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C885~1.EXE > nul
        5⤵
        
        PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{56442~1.EXE > nul
      4⤵
      PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ABB84~1.EXE > nul
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A9DCE02-9FD0-442f-B758-6AC7D219FD96}.exe

Filesize
192KB

MD5
58b84b42f95c7f355d24d97bfd97a14f

SHA1
f51dfd61fe9f1c32fad3ca338fbe255a6edba87c

SHA256
f83373ddeea4e51be2224ca2e2203bf2afcabb55704340e70e50eadd86c57562

SHA512
4ec467eaf7bf4c95c8fa856d221e806ddc731b02708d5a42a86a2f51258f6ed7aea1f9b65030c4a1257588d07cd6bff1204be7955433a8d280032e9f6182af2b

Download Submit
C:\Windows\{1A9DCE02-9FD0-442f-B758-6AC7D219FD96}.exe

Filesize
192KB

MD5
58b84b42f95c7f355d24d97bfd97a14f

SHA1
f51dfd61fe9f1c32fad3ca338fbe255a6edba87c

SHA256
f83373ddeea4e51be2224ca2e2203bf2afcabb55704340e70e50eadd86c57562

SHA512
4ec467eaf7bf4c95c8fa856d221e806ddc731b02708d5a42a86a2f51258f6ed7aea1f9b65030c4a1257588d07cd6bff1204be7955433a8d280032e9f6182af2b

Download Submit
C:\Windows\{313AD82F-F276-4562-97C2-24135A67BE95}.exe

Filesize
192KB

MD5
cf04cf046417ebed33f2b2a05a38a21e

SHA1
2450286d88d783cb8cd66436a351fa000801d519

SHA256
2162ad977ec9c08029613cc08e6e06d6be33d4cbbc85eb7164ab69f6688637be

SHA512
948b499f41efb6a35b49340376cb3b22f751378d69652e82b0a30dc6fda9be339c418cb5a817dde22d56523ab7cef004d7ea7e3177016729915cc741edcdf9e1

Download Submit
C:\Windows\{313AD82F-F276-4562-97C2-24135A67BE95}.exe

Filesize
192KB

MD5
cf04cf046417ebed33f2b2a05a38a21e

SHA1
2450286d88d783cb8cd66436a351fa000801d519

SHA256
2162ad977ec9c08029613cc08e6e06d6be33d4cbbc85eb7164ab69f6688637be

SHA512
948b499f41efb6a35b49340376cb3b22f751378d69652e82b0a30dc6fda9be339c418cb5a817dde22d56523ab7cef004d7ea7e3177016729915cc741edcdf9e1

Download Submit
C:\Windows\{34282C8B-228A-464f-B04D-520D290E2ED8}.exe

Filesize
192KB

MD5
c3d23b05ed24648846568f6aba34bcc5

SHA1
1e09672d9c1bd64d2ef01b4382211a9af00cf1f6

SHA256
b42875f2786193a42c579994c840559cd3d17b441b370d649f4c9c4b59c50b13

SHA512
35bf937af71c42af092bc0e05b012a13263697bc3577d6f8109fd78617b0635678b29df065cac17a5ff91de91782559117c2d43b43bca1bc11f279863bd1b6cd

Download Submit
C:\Windows\{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe

Filesize
192KB

MD5
363ec9f9f7db304c6bfbccbae36f1734

SHA1
c95b2fa8a4ab2681f406067eec134c0b22593fc3

SHA256
e795af7dbc9319d3c48e615497c0dfef072a9e7053104dc61814a7ec45f8461d

SHA512
c83871f84d9b09c800f905083fa7c84da31cda61ba1c07eaa5d73bb5bfab4ddab9b8b77f3ff9916e08d91f2ad7cda61f0cae19c6f93c76fd5c50485beb522a27

Download Submit
C:\Windows\{3C885838-93AF-4536-8EAC-A5AA8C26C10E}.exe

Filesize
192KB

MD5
363ec9f9f7db304c6bfbccbae36f1734

SHA1
c95b2fa8a4ab2681f406067eec134c0b22593fc3

SHA256
e795af7dbc9319d3c48e615497c0dfef072a9e7053104dc61814a7ec45f8461d

SHA512
c83871f84d9b09c800f905083fa7c84da31cda61ba1c07eaa5d73bb5bfab4ddab9b8b77f3ff9916e08d91f2ad7cda61f0cae19c6f93c76fd5c50485beb522a27

Download Submit
C:\Windows\{3EFD5D46-1B73-4315-A44D-A0A9665B82FD}.exe

Filesize
192KB

MD5
df2856c1b34f081fccf7ca20f1038d84

SHA1
9e82c3111a77ab6ee31c54c5fa3f369c8d55b8b9

SHA256
ba219d353e11055ce8f5a6799aebcf104553d1f4c7152a0df8411f0008940a64

SHA512
ccb68e952af37c2097b1cb41eb673de183d5ec2667fb2b10d45ad261c68234de2865c6e01d1de84c55fb6582fec353aed621dfe700ccb674834bae330e76aecd

Download Submit
C:\Windows\{3EFD5D46-1B73-4315-A44D-A0A9665B82FD}.exe

Filesize
192KB

MD5
df2856c1b34f081fccf7ca20f1038d84

SHA1
9e82c3111a77ab6ee31c54c5fa3f369c8d55b8b9

SHA256
ba219d353e11055ce8f5a6799aebcf104553d1f4c7152a0df8411f0008940a64

SHA512
ccb68e952af37c2097b1cb41eb673de183d5ec2667fb2b10d45ad261c68234de2865c6e01d1de84c55fb6582fec353aed621dfe700ccb674834bae330e76aecd

Download Submit
C:\Windows\{5644283D-040B-4eee-B153-71BFFF87C505}.exe

Filesize
192KB

MD5
18c4175791d0a80d47a10b92d724a257

SHA1
d186463d493bdff0447b2e22ff375c6f0a2e2386

SHA256
c3aa4393738c681b58a386da028029fff5bb25dcf97136d2382ab3ef73077860

SHA512
1e88aa20cd61dbf6068d654877436b04c67bd7c449b0df749e7806f6aecc1169be775ffef6d7b626d1f0d3c33c8b20038917e929673d6123f6fa37db9c34b8ae

Download Submit
C:\Windows\{5644283D-040B-4eee-B153-71BFFF87C505}.exe

Filesize
192KB

MD5
18c4175791d0a80d47a10b92d724a257

SHA1
d186463d493bdff0447b2e22ff375c6f0a2e2386

SHA256
c3aa4393738c681b58a386da028029fff5bb25dcf97136d2382ab3ef73077860

SHA512
1e88aa20cd61dbf6068d654877436b04c67bd7c449b0df749e7806f6aecc1169be775ffef6d7b626d1f0d3c33c8b20038917e929673d6123f6fa37db9c34b8ae

Download Submit
C:\Windows\{5AA9F32E-35F0-417a-93C8-0E56D62279B0}.exe

Filesize
192KB

MD5
331098b6f7c576007b7132fd2912c331

SHA1
ed436f7c83f0a02bce0273940f9a25c8085aee93

SHA256
1b0781ef38111231963cac376c54678444f303d937e18c5ac2acf3f56e1839d9

SHA512
51c9833b36710f916efe66ecd47751a4c4a966a478dc046e8a0f484794726f79fbab94de349ffdc4ff9033345fc6e986770ec9f5542bd79c7c607a41dad2fe65

Download Submit
C:\Windows\{5AA9F32E-35F0-417a-93C8-0E56D62279B0}.exe

Filesize
192KB

MD5
331098b6f7c576007b7132fd2912c331

SHA1
ed436f7c83f0a02bce0273940f9a25c8085aee93

SHA256
1b0781ef38111231963cac376c54678444f303d937e18c5ac2acf3f56e1839d9

SHA512
51c9833b36710f916efe66ecd47751a4c4a966a478dc046e8a0f484794726f79fbab94de349ffdc4ff9033345fc6e986770ec9f5542bd79c7c607a41dad2fe65

Download Submit
C:\Windows\{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe

Filesize
192KB

MD5
bb2837fc0866e850d70c574f7ef77398

SHA1
47a12c84e544905e251fce518d16edf79c496f13

SHA256
90980274644c92a712e7dbac87e39442ee784d151722d267aee080e4eaee2e40

SHA512
9e67cf51f271b5a6bfffc4227b8e6724457483472dba76fb2c45ce12f8c750d9313d0775f69b503e14ce32a18800c1d2b8fd6b7a4768660d7d203a008171e8cb

Download Submit
C:\Windows\{628897BD-1B1C-44f7-B523-C1B293EF953E}.exe

Filesize
192KB

MD5
bb2837fc0866e850d70c574f7ef77398

SHA1
47a12c84e544905e251fce518d16edf79c496f13

SHA256
90980274644c92a712e7dbac87e39442ee784d151722d267aee080e4eaee2e40

SHA512
9e67cf51f271b5a6bfffc4227b8e6724457483472dba76fb2c45ce12f8c750d9313d0775f69b503e14ce32a18800c1d2b8fd6b7a4768660d7d203a008171e8cb

Download Submit
C:\Windows\{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe

Filesize
192KB

MD5
70383b4df94681a9a6d5b00a8c3939d8

SHA1
4a61c933c966c0a7445a96b15485e866ed515785

SHA256
9425a583b2d1270d59938f0e177804091c6eccbcd02e12b96a067981f57b725e

SHA512
73bc7afb5ff47d5b09818e69b053f86df4fb72339e15a1e0c26f293a1952782a107ff8d2dfaf45bbced68359b182cc6ad92e44bc7086f0f8228c6bbd405e6f9d

Download Submit
C:\Windows\{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe

Filesize
192KB

MD5
70383b4df94681a9a6d5b00a8c3939d8

SHA1
4a61c933c966c0a7445a96b15485e866ed515785

SHA256
9425a583b2d1270d59938f0e177804091c6eccbcd02e12b96a067981f57b725e

SHA512
73bc7afb5ff47d5b09818e69b053f86df4fb72339e15a1e0c26f293a1952782a107ff8d2dfaf45bbced68359b182cc6ad92e44bc7086f0f8228c6bbd405e6f9d

Download Submit
C:\Windows\{ABB84D4B-982C-4282-BD20-F6F76DA4F1ED}.exe

Filesize
192KB

MD5
70383b4df94681a9a6d5b00a8c3939d8

SHA1
4a61c933c966c0a7445a96b15485e866ed515785

SHA256
9425a583b2d1270d59938f0e177804091c6eccbcd02e12b96a067981f57b725e

SHA512
73bc7afb5ff47d5b09818e69b053f86df4fb72339e15a1e0c26f293a1952782a107ff8d2dfaf45bbced68359b182cc6ad92e44bc7086f0f8228c6bbd405e6f9d

Download Submit
C:\Windows\{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe

Filesize
192KB

MD5
d1cf1b4ac1b8b1f909babb0cf50f33e1

SHA1
b2fad9ed07ee5cc6ae7b2bd3e10b4d526529286b

SHA256
f6bc671a71d68b6088f2b429b4abfe3dcf99cf480d5297aedb762f783498fcef

SHA512
6195a27d49918afa4aeb2d61d9be5255c18cb8656701ac00200e0b113b3fdaf7e18a19617d17c9441c8f02e8f086abb271f8149cf1a95b837ba059beedf65b5a

Download Submit
C:\Windows\{DC2C8E94-F553-4d55-9F19-4EEB493DF617}.exe

Filesize
192KB

MD5
d1cf1b4ac1b8b1f909babb0cf50f33e1

SHA1
b2fad9ed07ee5cc6ae7b2bd3e10b4d526529286b

SHA256
f6bc671a71d68b6088f2b429b4abfe3dcf99cf480d5297aedb762f783498fcef

SHA512
6195a27d49918afa4aeb2d61d9be5255c18cb8656701ac00200e0b113b3fdaf7e18a19617d17c9441c8f02e8f086abb271f8149cf1a95b837ba059beedf65b5a

Download Submit
C:\Windows\{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe

Filesize
192KB

MD5
543aab72fe009870396165ac07e07f14

SHA1
ba0cc3e6ed7b1b47438e825c1ac2c15050b3a1c3

SHA256
2639b567059df87b5616e2baa2f7ffabb6ba049a2ed383a025ac4c7cab1cf160

SHA512
4ac4cd0d7ede25cd06feaa49dc8f095c7511ebebc8b2f7ad42341d8e8c001657c88c74feaa0fdbb842bc5cd8507f158d491df199fd4bd7d7597faf4f06a28e74

Download Submit
C:\Windows\{E3C491D2-E80F-4f3a-AEAD-0B14C9EA5CD6}.exe

Filesize
192KB

MD5
543aab72fe009870396165ac07e07f14

SHA1
ba0cc3e6ed7b1b47438e825c1ac2c15050b3a1c3

SHA256
2639b567059df87b5616e2baa2f7ffabb6ba049a2ed383a025ac4c7cab1cf160

SHA512
4ac4cd0d7ede25cd06feaa49dc8f095c7511ebebc8b2f7ad42341d8e8c001657c88c74feaa0fdbb842bc5cd8507f158d491df199fd4bd7d7597faf4f06a28e74

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads