7dcef3fd4f3cbab9e482ad4ce16ddeb052c83add7706236cdd96986d14842c36

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/09/2023, 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe
Size

344KB
MD5

27b114bbff31ed0e16d430d3dcdf08cd
SHA1

b326baab2a0b4eafdb468a00f5b5e745576d91ba
SHA256

7dcef3fd4f3cbab9e482ad4ce16ddeb052c83add7706236cdd96986d14842c36
SHA512

13279cbb1c3ce39cfbdb380ead25d4da05ac226e0203566c4de2476052b7ceaddf1e5e062c0721279e5099dd5fbe730b035412b9c842a71087e70d7a58dceae1
SSDEEP

3072:mEGh0owlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGKlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0379136E-E2AA-4852-87C5-0FF954D145BA}\stubpath = "C:\\Windows\\{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe"	{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}\stubpath = "C:\\Windows\\{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe"	{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{114DE422-21AB-446b-9B3E-A1A8DE551854}\stubpath = "C:\\Windows\\{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe"	{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{557C1FCA-D6EB-4501-B6B7-B14AC566DAAF}	{CFEC8561-5331-48e4-AB07-E4575F28C4E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{557C1FCA-D6EB-4501-B6B7-B14AC566DAAF}\stubpath = "C:\\Windows\\{557C1FCA-D6EB-4501-B6B7-B14AC566DAAF}.exe"	{CFEC8561-5331-48e4-AB07-E4575F28C4E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}	{D216108D-0740-437d-9154-2517C5B60909}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}\stubpath = "C:\\Windows\\{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe"	{D216108D-0740-437d-9154-2517C5B60909}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0379136E-E2AA-4852-87C5-0FF954D145BA}	{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}	{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5651CA4-80B6-4ec3-84B8-D71AA332047D}	{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E8A72CD-5F2E-4128-B65B-6862DD755CF5}\stubpath = "C:\\Windows\\{3E8A72CD-5F2E-4128-B65B-6862DD755CF5}.exe"	{557C1FCA-D6EB-4501-B6B7-B14AC566DAAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFEC8561-5331-48e4-AB07-E4575F28C4E5}\stubpath = "C:\\Windows\\{CFEC8561-5331-48e4-AB07-E4575F28C4E5}.exe"	{D5651CA4-80B6-4ec3-84B8-D71AA332047D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E8A72CD-5F2E-4128-B65B-6862DD755CF5}	{557C1FCA-D6EB-4501-B6B7-B14AC566DAAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}	{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5651CA4-80B6-4ec3-84B8-D71AA332047D}\stubpath = "C:\\Windows\\{D5651CA4-80B6-4ec3-84B8-D71AA332047D}.exe"	{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFEC8561-5331-48e4-AB07-E4575F28C4E5}	{D5651CA4-80B6-4ec3-84B8-D71AA332047D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}	{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{114DE422-21AB-446b-9B3E-A1A8DE551854}	{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}\stubpath = "C:\\Windows\\{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe"	{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D216108D-0740-437d-9154-2517C5B60909}	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D216108D-0740-437d-9154-2517C5B60909}\stubpath = "C:\\Windows\\{D216108D-0740-437d-9154-2517C5B60909}.exe"	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}\stubpath = "C:\\Windows\\{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe"	{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe

Deletes itself 1 IoCs

pid	Process
1528	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2464	{D216108D-0740-437d-9154-2517C5B60909}.exe
3000	{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe
2672	{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe
2696	{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe
2544	{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe
2536	{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe
2932	{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe
1608	{D5651CA4-80B6-4ec3-84B8-D71AA332047D}.exe
1756	{CFEC8561-5331-48e4-AB07-E4575F28C4E5}.exe
1996	{557C1FCA-D6EB-4501-B6B7-B14AC566DAAF}.exe
1932	{3E8A72CD-5F2E-4128-B65B-6862DD755CF5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe	{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe
File created	C:\Windows\{CFEC8561-5331-48e4-AB07-E4575F28C4E5}.exe	{D5651CA4-80B6-4ec3-84B8-D71AA332047D}.exe
File created	C:\Windows\{3E8A72CD-5F2E-4128-B65B-6862DD755CF5}.exe	{557C1FCA-D6EB-4501-B6B7-B14AC566DAAF}.exe
File created	C:\Windows\{D216108D-0740-437d-9154-2517C5B60909}.exe	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe
File created	C:\Windows\{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe	{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe
File created	C:\Windows\{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe	{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe
File created	C:\Windows\{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe	{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe
File created	C:\Windows\{D5651CA4-80B6-4ec3-84B8-D71AA332047D}.exe	{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe
File created	C:\Windows\{557C1FCA-D6EB-4501-B6B7-B14AC566DAAF}.exe	{CFEC8561-5331-48e4-AB07-E4575F28C4E5}.exe
File created	C:\Windows\{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe	{D216108D-0740-437d-9154-2517C5B60909}.exe
File created	C:\Windows\{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe	{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1944	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2464	{D216108D-0740-437d-9154-2517C5B60909}.exe
Token: SeIncBasePriorityPrivilege	3000	{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe
Token: SeIncBasePriorityPrivilege	2672	{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe
Token: SeIncBasePriorityPrivilege	2696	{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe
Token: SeIncBasePriorityPrivilege	2544	{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe
Token: SeIncBasePriorityPrivilege	2536	{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe
Token: SeIncBasePriorityPrivilege	2932	{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe
Token: SeIncBasePriorityPrivilege	1608	{D5651CA4-80B6-4ec3-84B8-D71AA332047D}.exe
Token: SeIncBasePriorityPrivilege	1756	{CFEC8561-5331-48e4-AB07-E4575F28C4E5}.exe
Token: SeIncBasePriorityPrivilege	1996	{557C1FCA-D6EB-4501-B6B7-B14AC566DAAF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2464	1944	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe	28
PID 1944 wrote to memory of 2464	1944	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe	28
PID 1944 wrote to memory of 2464	1944	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe	28
PID 1944 wrote to memory of 2464	1944	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe	28
PID 1944 wrote to memory of 1528	1944	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe	29
PID 1944 wrote to memory of 1528	1944	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe	29
PID 1944 wrote to memory of 1528	1944	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe	29
PID 1944 wrote to memory of 1528	1944	2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe	29
PID 2464 wrote to memory of 3000	2464	{D216108D-0740-437d-9154-2517C5B60909}.exe	30
PID 2464 wrote to memory of 3000	2464	{D216108D-0740-437d-9154-2517C5B60909}.exe	30
PID 2464 wrote to memory of 3000	2464	{D216108D-0740-437d-9154-2517C5B60909}.exe	30
PID 2464 wrote to memory of 3000	2464	{D216108D-0740-437d-9154-2517C5B60909}.exe	30
PID 2464 wrote to memory of 3032	2464	{D216108D-0740-437d-9154-2517C5B60909}.exe	31
PID 2464 wrote to memory of 3032	2464	{D216108D-0740-437d-9154-2517C5B60909}.exe	31
PID 2464 wrote to memory of 3032	2464	{D216108D-0740-437d-9154-2517C5B60909}.exe	31
PID 2464 wrote to memory of 3032	2464	{D216108D-0740-437d-9154-2517C5B60909}.exe	31
PID 3000 wrote to memory of 2672	3000	{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe	32
PID 3000 wrote to memory of 2672	3000	{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe	32
PID 3000 wrote to memory of 2672	3000	{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe	32
PID 3000 wrote to memory of 2672	3000	{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe	32
PID 3000 wrote to memory of 2756	3000	{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe	33
PID 3000 wrote to memory of 2756	3000	{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe	33
PID 3000 wrote to memory of 2756	3000	{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe	33
PID 3000 wrote to memory of 2756	3000	{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe	33
PID 2672 wrote to memory of 2696	2672	{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe	36
PID 2672 wrote to memory of 2696	2672	{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe	36
PID 2672 wrote to memory of 2696	2672	{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe	36
PID 2672 wrote to memory of 2696	2672	{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe	36
PID 2672 wrote to memory of 2408	2672	{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe	37
PID 2672 wrote to memory of 2408	2672	{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe	37
PID 2672 wrote to memory of 2408	2672	{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe	37
PID 2672 wrote to memory of 2408	2672	{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe	37
PID 2696 wrote to memory of 2544	2696	{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe	38
PID 2696 wrote to memory of 2544	2696	{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe	38
PID 2696 wrote to memory of 2544	2696	{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe	38
PID 2696 wrote to memory of 2544	2696	{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe	38
PID 2696 wrote to memory of 2568	2696	{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe	39
PID 2696 wrote to memory of 2568	2696	{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe	39
PID 2696 wrote to memory of 2568	2696	{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe	39
PID 2696 wrote to memory of 2568	2696	{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe	39
PID 2544 wrote to memory of 2536	2544	{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe	40
PID 2544 wrote to memory of 2536	2544	{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe	40
PID 2544 wrote to memory of 2536	2544	{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe	40
PID 2544 wrote to memory of 2536	2544	{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe	40
PID 2544 wrote to memory of 2592	2544	{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe	41
PID 2544 wrote to memory of 2592	2544	{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe	41
PID 2544 wrote to memory of 2592	2544	{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe	41
PID 2544 wrote to memory of 2592	2544	{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe	41
PID 2536 wrote to memory of 2932	2536	{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe	42
PID 2536 wrote to memory of 2932	2536	{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe	42
PID 2536 wrote to memory of 2932	2536	{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe	42
PID 2536 wrote to memory of 2932	2536	{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe	42
PID 2536 wrote to memory of 1664	2536	{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe	43
PID 2536 wrote to memory of 1664	2536	{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe	43
PID 2536 wrote to memory of 1664	2536	{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe	43
PID 2536 wrote to memory of 1664	2536	{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe	43
PID 2932 wrote to memory of 1608	2932	{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe	44
PID 2932 wrote to memory of 1608	2932	{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe	44
PID 2932 wrote to memory of 1608	2932	{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe	44
PID 2932 wrote to memory of 1608	2932	{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe	44
PID 2932 wrote to memory of 804	2932	{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe	45
PID 2932 wrote to memory of 804	2932	{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe	45
PID 2932 wrote to memory of 804	2932	{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe	45
PID 2932 wrote to memory of 804	2932	{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_27b114bbff31ed0e16d430d3dcdf08cd_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\{D216108D-0740-437d-9154-2517C5B60909}.exe
  C:\Windows\{D216108D-0740-437d-9154-2517C5B60909}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe
    C:\Windows\{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe
      C:\Windows\{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe
        
        C:\Windows\{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe
        
        C:\Windows\{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe
        
        C:\Windows\{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe
        
        C:\Windows\{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\{D5651CA4-80B6-4ec3-84B8-D71AA332047D}.exe
        
        C:\Windows\{D5651CA4-80B6-4ec3-84B8-D71AA332047D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\{CFEC8561-5331-48e4-AB07-E4575F28C4E5}.exe
        
        C:\Windows\{CFEC8561-5331-48e4-AB07-E4575F28C4E5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\{557C1FCA-D6EB-4501-B6B7-B14AC566DAAF}.exe
        
        C:\Windows\{557C1FCA-D6EB-4501-B6B7-B14AC566DAAF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\{3E8A72CD-5F2E-4128-B65B-6862DD755CF5}.exe
        
        C:\Windows\{3E8A72CD-5F2E-4128-B65B-6862DD755CF5}.exe
        12⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{557C1~1.EXE > nul
        12⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFEC8~1.EXE > nul
        11⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5651~1.EXE > nul
        10⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0EAD~1.EXE > nul
        9⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{114DE~1.EXE > nul
        8⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBD0E~1.EXE > nul
        7⤵
        
        PID:2592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03791~1.EXE > nul
        6⤵
        
        PID:2568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46E2F~1.EXE > nul
        5⤵
        
        PID:2408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FAF7D~1.EXE > nul
      4⤵
      PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D2161~1.EXE > nul
    3⤵
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe

Filesize
344KB

MD5
159b0f36162af4e3790c12950f3e6a0f

SHA1
1e1687d3ce06fc61c3972ca8db2471032d5a7f18

SHA256
9547aded997cf67f1fde5606828785f33dd1fbec17cec68773a089d7fe0c68be

SHA512
a59eb2c118df75caac4dc7626a98048245e4615f31abbee4637138fbf1042b9c7b9b455384a4c2a3d69d60ec9aea52ca44d91a0ed2c61574000450fc35a855df

Download Submit
C:\Windows\{0379136E-E2AA-4852-87C5-0FF954D145BA}.exe

Filesize
344KB

MD5
159b0f36162af4e3790c12950f3e6a0f

SHA1
1e1687d3ce06fc61c3972ca8db2471032d5a7f18

SHA256
9547aded997cf67f1fde5606828785f33dd1fbec17cec68773a089d7fe0c68be

SHA512
a59eb2c118df75caac4dc7626a98048245e4615f31abbee4637138fbf1042b9c7b9b455384a4c2a3d69d60ec9aea52ca44d91a0ed2c61574000450fc35a855df

Download Submit
C:\Windows\{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe

Filesize
344KB

MD5
83b41f6360844b8beb156dcd0640eb48

SHA1
2925e133ccb82466d22bf3ae41090dc984ca4811

SHA256
40d436d577185a64dc0a07efc6ccd7ef0c63af1f87896026aceaf99040b3f00b

SHA512
283f97ecfaa636e1522b7f4ec39eb2a099b3277d8441936d949e52f15b9d6c119780ec0a6cccc2cfa0c860d108a686d00e870e32daee99028e5f3580e9919837

Download Submit
C:\Windows\{114DE422-21AB-446b-9B3E-A1A8DE551854}.exe

Filesize
344KB

MD5
83b41f6360844b8beb156dcd0640eb48

SHA1
2925e133ccb82466d22bf3ae41090dc984ca4811

SHA256
40d436d577185a64dc0a07efc6ccd7ef0c63af1f87896026aceaf99040b3f00b

SHA512
283f97ecfaa636e1522b7f4ec39eb2a099b3277d8441936d949e52f15b9d6c119780ec0a6cccc2cfa0c860d108a686d00e870e32daee99028e5f3580e9919837

Download Submit
C:\Windows\{3E8A72CD-5F2E-4128-B65B-6862DD755CF5}.exe

Filesize
344KB

MD5
9c107fd0623f0c4addd424f4eaab6262

SHA1
5a37da552b5d3e7842836d05dfeb6265ad142097

SHA256
310fddb9c735dfe86f0a8f940f8716dd46892357e8090344f299181fbf102c9e

SHA512
ded827ba472484817a8f2f429ea5d3c41c0c0ff852f1fa87aff68eaaba9902214143a8830778fae9a12e09307a00b270a0e55f87784c8587743a44be90e04e57

Download Submit
C:\Windows\{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe

Filesize
344KB

MD5
05c84e748bcbba7736416fcaae023fc6

SHA1
2026b8b6599c629a002979477ae91f9c91ddbd0e

SHA256
4ef276ce1d5c994375db6a3a3540518bb053595d7a324ceaf2ef1d0a8f6e803f

SHA512
62c64b81b43d2f95ad800fccc8d282337326e13152cca13b3d4e51a302ca96295d105d7bf29e58e0ad9268e2519dd99169fc9af72918027ca7b30c3f3a71dde6

Download Submit
C:\Windows\{46E2F925-EC0C-4c4f-AEB6-DF9B488862C1}.exe

Filesize
344KB

MD5
05c84e748bcbba7736416fcaae023fc6

SHA1
2026b8b6599c629a002979477ae91f9c91ddbd0e

SHA256
4ef276ce1d5c994375db6a3a3540518bb053595d7a324ceaf2ef1d0a8f6e803f

SHA512
62c64b81b43d2f95ad800fccc8d282337326e13152cca13b3d4e51a302ca96295d105d7bf29e58e0ad9268e2519dd99169fc9af72918027ca7b30c3f3a71dde6

Download Submit
C:\Windows\{557C1FCA-D6EB-4501-B6B7-B14AC566DAAF}.exe

Filesize
344KB

MD5
fe78b57a39518fd61f493002c09016fb

SHA1
92d065f42bb949fe6f8543c7d3aeffdf7877fb71

SHA256
e22d4b9cad51569ca44cadf289d1b1b3c9b432af75cd3c2e38123be5dcdd981a

SHA512
0d6ac7ae045945335ab2c9ab0827e8769c1a7ca8c3676902a2e738bfb26cecda6c93b263befdb790efbaa9cd307ab7db0b2649343d216c308204de6b417d08b2

Download Submit
C:\Windows\{557C1FCA-D6EB-4501-B6B7-B14AC566DAAF}.exe

Filesize
344KB

MD5
fe78b57a39518fd61f493002c09016fb

SHA1
92d065f42bb949fe6f8543c7d3aeffdf7877fb71

SHA256
e22d4b9cad51569ca44cadf289d1b1b3c9b432af75cd3c2e38123be5dcdd981a

SHA512
0d6ac7ae045945335ab2c9ab0827e8769c1a7ca8c3676902a2e738bfb26cecda6c93b263befdb790efbaa9cd307ab7db0b2649343d216c308204de6b417d08b2

Download Submit
C:\Windows\{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe

Filesize
344KB

MD5
bf067474144732cf29ebf66e317798a8

SHA1
97a38b91ac6645a7ab3d770622a4936b8524a00e

SHA256
018c4efd83b737b31c0d31116854a5467cbd366370cbd1321b226f8a1234d420

SHA512
2e27ca2f65de1b3f89f5b1b4529500e9ad78a0ea75cb6e3cd927325d2a41eaf1990d3f74de8ef3ae9a145b81e43895637bdbd27ee84913b1ebb97ff9dd536056

Download Submit
C:\Windows\{B0EAD7E0-7604-44f3-80C8-6CD4A968AF05}.exe

Filesize
344KB

MD5
bf067474144732cf29ebf66e317798a8

SHA1
97a38b91ac6645a7ab3d770622a4936b8524a00e

SHA256
018c4efd83b737b31c0d31116854a5467cbd366370cbd1321b226f8a1234d420

SHA512
2e27ca2f65de1b3f89f5b1b4529500e9ad78a0ea75cb6e3cd927325d2a41eaf1990d3f74de8ef3ae9a145b81e43895637bdbd27ee84913b1ebb97ff9dd536056

Download Submit
C:\Windows\{CFEC8561-5331-48e4-AB07-E4575F28C4E5}.exe

Filesize
344KB

MD5
cca311e52af35d64bbe475d2b7d0d21a

SHA1
d4ea680253ac78a91f520b6b9dcac293d0d4534f

SHA256
03e12c6264ba962fd4335a77290771d3f4ca1326d84fe947efc1448defecc8e5

SHA512
ecb3a52f29f220f4a135b4e25e9ddf980fa8242f6650241864a43c78d343cffb44bf1c69286a1fd1df43849b85d337375eff7909fd999454f44df7010fadc3ae

Download Submit
C:\Windows\{CFEC8561-5331-48e4-AB07-E4575F28C4E5}.exe

Filesize
344KB

MD5
cca311e52af35d64bbe475d2b7d0d21a

SHA1
d4ea680253ac78a91f520b6b9dcac293d0d4534f

SHA256
03e12c6264ba962fd4335a77290771d3f4ca1326d84fe947efc1448defecc8e5

SHA512
ecb3a52f29f220f4a135b4e25e9ddf980fa8242f6650241864a43c78d343cffb44bf1c69286a1fd1df43849b85d337375eff7909fd999454f44df7010fadc3ae

Download Submit
C:\Windows\{D216108D-0740-437d-9154-2517C5B60909}.exe

Filesize
344KB

MD5
c5711458feda2cc482f8752e57adfbbd

SHA1
b5c22a1db28a3a5be93610fe1dacc5d7081d33db

SHA256
dcc9d0dcb94717789a32b8cd1a753f6d138a4b4f38b126dcbe07ba1bd79b7dd0

SHA512
38e6ade2e7a9ead7348fe216c2b5a5c2725a41c7587c45894e93103fbd40ad00415bd2235b3f2de987762709b559a95289a5e8e9dd45528f166eb935cd573310

Download Submit
C:\Windows\{D216108D-0740-437d-9154-2517C5B60909}.exe

Filesize
344KB

MD5
c5711458feda2cc482f8752e57adfbbd

SHA1
b5c22a1db28a3a5be93610fe1dacc5d7081d33db

SHA256
dcc9d0dcb94717789a32b8cd1a753f6d138a4b4f38b126dcbe07ba1bd79b7dd0

SHA512
38e6ade2e7a9ead7348fe216c2b5a5c2725a41c7587c45894e93103fbd40ad00415bd2235b3f2de987762709b559a95289a5e8e9dd45528f166eb935cd573310

Download Submit
C:\Windows\{D216108D-0740-437d-9154-2517C5B60909}.exe

Filesize
344KB

MD5
c5711458feda2cc482f8752e57adfbbd

SHA1
b5c22a1db28a3a5be93610fe1dacc5d7081d33db

SHA256
dcc9d0dcb94717789a32b8cd1a753f6d138a4b4f38b126dcbe07ba1bd79b7dd0

SHA512
38e6ade2e7a9ead7348fe216c2b5a5c2725a41c7587c45894e93103fbd40ad00415bd2235b3f2de987762709b559a95289a5e8e9dd45528f166eb935cd573310

Download Submit
C:\Windows\{D5651CA4-80B6-4ec3-84B8-D71AA332047D}.exe

Filesize
344KB

MD5
f866f2d38d0e686cae39fe1743195834

SHA1
3814e4ca815a9b5402eb0f0b6e4e1127baaab3fd

SHA256
22edb5eff587c97d0ab9fbe90e065c306bc189649cc76f7c565dc18ca79713a6

SHA512
18d748d0e340a495a087de9fec2a11044469207a5fb811ea8028dc82fc953078d82bd1e8b2f46881bfcfaa5b1ea6bb4b007621cf9fb077431763d29d9b230633

Download Submit
C:\Windows\{D5651CA4-80B6-4ec3-84B8-D71AA332047D}.exe

Filesize
344KB

MD5
f866f2d38d0e686cae39fe1743195834

SHA1
3814e4ca815a9b5402eb0f0b6e4e1127baaab3fd

SHA256
22edb5eff587c97d0ab9fbe90e065c306bc189649cc76f7c565dc18ca79713a6

SHA512
18d748d0e340a495a087de9fec2a11044469207a5fb811ea8028dc82fc953078d82bd1e8b2f46881bfcfaa5b1ea6bb4b007621cf9fb077431763d29d9b230633

Download Submit
C:\Windows\{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe

Filesize
344KB

MD5
2995cf55a17614ed831c90cd7f01d175

SHA1
482b0024681a4e80e4497a0431e3dddc9c7fbedb

SHA256
cb7bd80f68dd20acf17677d23ac307184c9565789ec156741b455c1a54957c79

SHA512
1e5208e8b8fcaad5005b8f18126c736f718a77d1299b54a0b0440fc5c73ff53ed5b8b1c8d780363ff7efd7920191ca25dab7fb6657a5cb86321ece7fe353be55

Download Submit
C:\Windows\{FAF7D282-FCD5-4352-AAC4-FE8C6B114B90}.exe

Filesize
344KB

MD5
2995cf55a17614ed831c90cd7f01d175

SHA1
482b0024681a4e80e4497a0431e3dddc9c7fbedb

SHA256
cb7bd80f68dd20acf17677d23ac307184c9565789ec156741b455c1a54957c79

SHA512
1e5208e8b8fcaad5005b8f18126c736f718a77d1299b54a0b0440fc5c73ff53ed5b8b1c8d780363ff7efd7920191ca25dab7fb6657a5cb86321ece7fe353be55

Download Submit
C:\Windows\{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe

Filesize
344KB

MD5
f61c47f5b12ddc00260a9e34f4a5f4cc

SHA1
93e5dae774c5cc703a6cae002dd31d8828acff97

SHA256
692613600f624ece29c3003ab13bc718b324025b453d29c65c3688f75abbd73e

SHA512
6781373664e5d2e8f1ae738fbd9a2fa8b797d141bbcde6cd1ff060ae419cd3e4d25b837d39598115bf4756516c8d995edd1aa8bf58561bb6254094974e956053

Download Submit
C:\Windows\{FBD0E4EC-13B3-46b3-AB10-F932A77ED9EE}.exe

Filesize
344KB

MD5
f61c47f5b12ddc00260a9e34f4a5f4cc

SHA1
93e5dae774c5cc703a6cae002dd31d8828acff97

SHA256
692613600f624ece29c3003ab13bc718b324025b453d29c65c3688f75abbd73e

SHA512
6781373664e5d2e8f1ae738fbd9a2fa8b797d141bbcde6cd1ff060ae419cd3e4d25b837d39598115bf4756516c8d995edd1aa8bf58561bb6254094974e956053

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads