242cb6f91ebde413682271a2391efd8a06bd7b6734685f65b5c89b0448265c98

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02-09-2023 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe
Size

204KB
MD5

6a39fb81aff4d385b397cef69bc1b97a
SHA1

20d7c6e223534e5dca4955a85ac362971f876ad0
SHA256

242cb6f91ebde413682271a2391efd8a06bd7b6734685f65b5c89b0448265c98
SHA512

3c1dc97d3bd4e89688110b29882830f2eb407407ad3fb1a490df6ae2860f202d85331186bef55360d047470f97e5e248402485f347edf94820656e703aeaa181
SSDEEP

1536:1EGh0oILl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oUl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}	{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}\stubpath = "C:\\Windows\\{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe"	{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9460E453-BE27-4c80-9D13-3D35171181F7}\stubpath = "C:\\Windows\\{9460E453-BE27-4c80-9D13-3D35171181F7}.exe"	{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3945A18C-28A1-48e5-A781-33D07280846A}\stubpath = "C:\\Windows\\{3945A18C-28A1-48e5-A781-33D07280846A}.exe"	{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{546E64B3-6BE5-4d8c-B105-53A0F873DB01}	{3945A18C-28A1-48e5-A781-33D07280846A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9460E453-BE27-4c80-9D13-3D35171181F7}	{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}	{9460E453-BE27-4c80-9D13-3D35171181F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{013280FA-59B4-4dc0-B86C-1EA9E446F119}\stubpath = "C:\\Windows\\{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe"	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04BBC144-BAB1-48d3-BC02-1D549A74662D}	{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04BBC144-BAB1-48d3-BC02-1D549A74662D}\stubpath = "C:\\Windows\\{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe"	{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3945A18C-28A1-48e5-A781-33D07280846A}	{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A89ABFB9-E479-4bd1-A423-8F99B602DC17}\stubpath = "C:\\Windows\\{A89ABFB9-E479-4bd1-A423-8F99B602DC17}.exe"	{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9A96A12-E2A8-48f2-B670-F47AAEE5B07A}	{A89ABFB9-E479-4bd1-A423-8F99B602DC17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CF01268-291F-46d4-BD51-748AAADFBE75}\stubpath = "C:\\Windows\\{6CF01268-291F-46d4-BD51-748AAADFBE75}.exe"	{C9A96A12-E2A8-48f2-B670-F47AAEE5B07A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{458614E6-50C5-41d6-B249-812C115ADE02}\stubpath = "C:\\Windows\\{458614E6-50C5-41d6-B249-812C115ADE02}.exe"	{6CF01268-291F-46d4-BD51-748AAADFBE75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A89ABFB9-E479-4bd1-A423-8F99B602DC17}	{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9A96A12-E2A8-48f2-B670-F47AAEE5B07A}\stubpath = "C:\\Windows\\{C9A96A12-E2A8-48f2-B670-F47AAEE5B07A}.exe"	{A89ABFB9-E479-4bd1-A423-8F99B602DC17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CF01268-291F-46d4-BD51-748AAADFBE75}	{C9A96A12-E2A8-48f2-B670-F47AAEE5B07A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{013280FA-59B4-4dc0-B86C-1EA9E446F119}	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{546E64B3-6BE5-4d8c-B105-53A0F873DB01}\stubpath = "C:\\Windows\\{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe"	{3945A18C-28A1-48e5-A781-33D07280846A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}\stubpath = "C:\\Windows\\{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe"	{9460E453-BE27-4c80-9D13-3D35171181F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{458614E6-50C5-41d6-B249-812C115ADE02}	{6CF01268-291F-46d4-BD51-748AAADFBE75}.exe

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2172	{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe
2604	{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe
2760	{3945A18C-28A1-48e5-A781-33D07280846A}.exe
2520	{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe
2768	{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe
2568	{9460E453-BE27-4c80-9D13-3D35171181F7}.exe
2148	{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe
2816	{A89ABFB9-E479-4bd1-A423-8F99B602DC17}.exe
2996	{C9A96A12-E2A8-48f2-B670-F47AAEE5B07A}.exe
108	{6CF01268-291F-46d4-BD51-748AAADFBE75}.exe
2012	{458614E6-50C5-41d6-B249-812C115ADE02}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C9A96A12-E2A8-48f2-B670-F47AAEE5B07A}.exe	{A89ABFB9-E479-4bd1-A423-8F99B602DC17}.exe
File created	C:\Windows\{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe
File created	C:\Windows\{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe	{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe
File created	C:\Windows\{3945A18C-28A1-48e5-A781-33D07280846A}.exe	{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe
File created	C:\Windows\{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe	{3945A18C-28A1-48e5-A781-33D07280846A}.exe
File created	C:\Windows\{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe	{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe
File created	C:\Windows\{9460E453-BE27-4c80-9D13-3D35171181F7}.exe	{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe
File created	C:\Windows\{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe	{9460E453-BE27-4c80-9D13-3D35171181F7}.exe
File created	C:\Windows\{A89ABFB9-E479-4bd1-A423-8F99B602DC17}.exe	{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe
File created	C:\Windows\{6CF01268-291F-46d4-BD51-748AAADFBE75}.exe	{C9A96A12-E2A8-48f2-B670-F47AAEE5B07A}.exe
File created	C:\Windows\{458614E6-50C5-41d6-B249-812C115ADE02}.exe	{6CF01268-291F-46d4-BD51-748AAADFBE75}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2128	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2172	{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe
Token: SeIncBasePriorityPrivilege	2604	{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe
Token: SeIncBasePriorityPrivilege	2760	{3945A18C-28A1-48e5-A781-33D07280846A}.exe
Token: SeIncBasePriorityPrivilege	2520	{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe
Token: SeIncBasePriorityPrivilege	2768	{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe
Token: SeIncBasePriorityPrivilege	2568	{9460E453-BE27-4c80-9D13-3D35171181F7}.exe
Token: SeIncBasePriorityPrivilege	2148	{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe
Token: SeIncBasePriorityPrivilege	2816	{A89ABFB9-E479-4bd1-A423-8F99B602DC17}.exe
Token: SeIncBasePriorityPrivilege	2996	{C9A96A12-E2A8-48f2-B670-F47AAEE5B07A}.exe
Token: SeIncBasePriorityPrivilege	108	{6CF01268-291F-46d4-BD51-748AAADFBE75}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2172	2128	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe	28
PID 2128 wrote to memory of 2172	2128	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe	28
PID 2128 wrote to memory of 2172	2128	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe	28
PID 2128 wrote to memory of 2172	2128	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe	28
PID 2128 wrote to memory of 2796	2128	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe	29
PID 2128 wrote to memory of 2796	2128	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe	29
PID 2128 wrote to memory of 2796	2128	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe	29
PID 2128 wrote to memory of 2796	2128	2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe	29
PID 2172 wrote to memory of 2604	2172	{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe	30
PID 2172 wrote to memory of 2604	2172	{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe	30
PID 2172 wrote to memory of 2604	2172	{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe	30
PID 2172 wrote to memory of 2604	2172	{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe	30
PID 2172 wrote to memory of 2736	2172	{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe	31
PID 2172 wrote to memory of 2736	2172	{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe	31
PID 2172 wrote to memory of 2736	2172	{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe	31
PID 2172 wrote to memory of 2736	2172	{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe	31
PID 2604 wrote to memory of 2760	2604	{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe	33
PID 2604 wrote to memory of 2760	2604	{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe	33
PID 2604 wrote to memory of 2760	2604	{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe	33
PID 2604 wrote to memory of 2760	2604	{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe	33
PID 2604 wrote to memory of 2652	2604	{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe	32
PID 2604 wrote to memory of 2652	2604	{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe	32
PID 2604 wrote to memory of 2652	2604	{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe	32
PID 2604 wrote to memory of 2652	2604	{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe	32
PID 2760 wrote to memory of 2520	2760	{3945A18C-28A1-48e5-A781-33D07280846A}.exe	36
PID 2760 wrote to memory of 2520	2760	{3945A18C-28A1-48e5-A781-33D07280846A}.exe	36
PID 2760 wrote to memory of 2520	2760	{3945A18C-28A1-48e5-A781-33D07280846A}.exe	36
PID 2760 wrote to memory of 2520	2760	{3945A18C-28A1-48e5-A781-33D07280846A}.exe	36
PID 2760 wrote to memory of 2632	2760	{3945A18C-28A1-48e5-A781-33D07280846A}.exe	37
PID 2760 wrote to memory of 2632	2760	{3945A18C-28A1-48e5-A781-33D07280846A}.exe	37
PID 2760 wrote to memory of 2632	2760	{3945A18C-28A1-48e5-A781-33D07280846A}.exe	37
PID 2760 wrote to memory of 2632	2760	{3945A18C-28A1-48e5-A781-33D07280846A}.exe	37
PID 2520 wrote to memory of 2768	2520	{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe	38
PID 2520 wrote to memory of 2768	2520	{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe	38
PID 2520 wrote to memory of 2768	2520	{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe	38
PID 2520 wrote to memory of 2768	2520	{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe	38
PID 2520 wrote to memory of 2512	2520	{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe	39
PID 2520 wrote to memory of 2512	2520	{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe	39
PID 2520 wrote to memory of 2512	2520	{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe	39
PID 2520 wrote to memory of 2512	2520	{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe	39
PID 2768 wrote to memory of 2568	2768	{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe	41
PID 2768 wrote to memory of 2568	2768	{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe	41
PID 2768 wrote to memory of 2568	2768	{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe	41
PID 2768 wrote to memory of 2568	2768	{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe	41
PID 2768 wrote to memory of 3028	2768	{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe	40
PID 2768 wrote to memory of 3028	2768	{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe	40
PID 2768 wrote to memory of 3028	2768	{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe	40
PID 2768 wrote to memory of 3028	2768	{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe	40
PID 2568 wrote to memory of 2148	2568	{9460E453-BE27-4c80-9D13-3D35171181F7}.exe	43
PID 2568 wrote to memory of 2148	2568	{9460E453-BE27-4c80-9D13-3D35171181F7}.exe	43
PID 2568 wrote to memory of 2148	2568	{9460E453-BE27-4c80-9D13-3D35171181F7}.exe	43
PID 2568 wrote to memory of 2148	2568	{9460E453-BE27-4c80-9D13-3D35171181F7}.exe	43
PID 2568 wrote to memory of 1992	2568	{9460E453-BE27-4c80-9D13-3D35171181F7}.exe	42
PID 2568 wrote to memory of 1992	2568	{9460E453-BE27-4c80-9D13-3D35171181F7}.exe	42
PID 2568 wrote to memory of 1992	2568	{9460E453-BE27-4c80-9D13-3D35171181F7}.exe	42
PID 2568 wrote to memory of 1992	2568	{9460E453-BE27-4c80-9D13-3D35171181F7}.exe	42
PID 2148 wrote to memory of 2816	2148	{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe	44
PID 2148 wrote to memory of 2816	2148	{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe	44
PID 2148 wrote to memory of 2816	2148	{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe	44
PID 2148 wrote to memory of 2816	2148	{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe	44
PID 2148 wrote to memory of 2844	2148	{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe	45
PID 2148 wrote to memory of 2844	2148	{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe	45
PID 2148 wrote to memory of 2844	2148	{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe	45
PID 2148 wrote to memory of 2844	2148	{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_6a39fb81aff4d385b397cef69bc1b97a_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe
  C:\Windows\{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe
    C:\Windows\{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{04BBC~1.EXE > nul
      4⤵
      PID:2652
  - - C:\Windows\{3945A18C-28A1-48e5-A781-33D07280846A}.exe
      C:\Windows\{3945A18C-28A1-48e5-A781-33D07280846A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe
        
        C:\Windows\{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe
        
        C:\Windows\{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB22B~1.EXE > nul
        7⤵
        
        PID:3028
        
        C:\Windows\{9460E453-BE27-4c80-9D13-3D35171181F7}.exe
        
        C:\Windows\{9460E453-BE27-4c80-9D13-3D35171181F7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9460E~1.EXE > nul
        8⤵
        
        PID:1992
        
        C:\Windows\{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe
        
        C:\Windows\{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\{A89ABFB9-E479-4bd1-A423-8F99B602DC17}.exe
        
        C:\Windows\{A89ABFB9-E479-4bd1-A423-8F99B602DC17}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\{C9A96A12-E2A8-48f2-B670-F47AAEE5B07A}.exe
        
        C:\Windows\{C9A96A12-E2A8-48f2-B670-F47AAEE5B07A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\{6CF01268-291F-46d4-BD51-748AAADFBE75}.exe
        
        C:\Windows\{6CF01268-291F-46d4-BD51-748AAADFBE75}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
        
        C:\Windows\{458614E6-50C5-41d6-B249-812C115ADE02}.exe
        
        C:\Windows\{458614E6-50C5-41d6-B249-812C115ADE02}.exe
        12⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CF01~1.EXE > nul
        12⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9A96~1.EXE > nul
        11⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A89AB~1.EXE > nul
        10⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79DFD~1.EXE > nul
        9⤵
        
        PID:2844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{546E6~1.EXE > nul
        6⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3945A~1.EXE > nul
        5⤵
        
        PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{01328~1.EXE > nul
    3⤵
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe

Filesize
204KB

MD5
d117759dacff2472f84f5aba85e7aaf0

SHA1
3ad4cdc90c6cf46cb2c1d1822427e6a60eac4249

SHA256
4750939c6d6d41dbd6cc9b7d8d977f9921780ad0b620d6da6b5135c9e986066b

SHA512
b5c4568cfde7726181c3595a1aaf8985526dabad73d4ca80efbe757935e7d6803e04d055b56bef7b674eafa93cf0e126986c837756d6a070c5ba36b6cc62b52c

Download Submit
C:\Windows\{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe

Filesize
204KB

MD5
d117759dacff2472f84f5aba85e7aaf0

SHA1
3ad4cdc90c6cf46cb2c1d1822427e6a60eac4249

SHA256
4750939c6d6d41dbd6cc9b7d8d977f9921780ad0b620d6da6b5135c9e986066b

SHA512
b5c4568cfde7726181c3595a1aaf8985526dabad73d4ca80efbe757935e7d6803e04d055b56bef7b674eafa93cf0e126986c837756d6a070c5ba36b6cc62b52c

Download Submit
C:\Windows\{013280FA-59B4-4dc0-B86C-1EA9E446F119}.exe

Filesize
204KB

MD5
d117759dacff2472f84f5aba85e7aaf0

SHA1
3ad4cdc90c6cf46cb2c1d1822427e6a60eac4249

SHA256
4750939c6d6d41dbd6cc9b7d8d977f9921780ad0b620d6da6b5135c9e986066b

SHA512
b5c4568cfde7726181c3595a1aaf8985526dabad73d4ca80efbe757935e7d6803e04d055b56bef7b674eafa93cf0e126986c837756d6a070c5ba36b6cc62b52c

Download Submit
C:\Windows\{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe

Filesize
204KB

MD5
d97e3b2397b451fe3c8fcf3589cdf174

SHA1
1a6486b1bd7fa5530360feb9f51c0a2a77452bf7

SHA256
156184ec1339720a4e78212cee713fd30070e8366967288c48147610630352b0

SHA512
648cabf0b38309e5ba878bf4553bc0cc4aebc8f810f909aab0fe3a8224a6b5c3eded10313b3aad7b25e9f73f1ce9695324ac62b3ec212f35ed0d49038286ff7a

Download Submit
C:\Windows\{04BBC144-BAB1-48d3-BC02-1D549A74662D}.exe

Filesize
204KB

MD5
d97e3b2397b451fe3c8fcf3589cdf174

SHA1
1a6486b1bd7fa5530360feb9f51c0a2a77452bf7

SHA256
156184ec1339720a4e78212cee713fd30070e8366967288c48147610630352b0

SHA512
648cabf0b38309e5ba878bf4553bc0cc4aebc8f810f909aab0fe3a8224a6b5c3eded10313b3aad7b25e9f73f1ce9695324ac62b3ec212f35ed0d49038286ff7a

Download Submit
C:\Windows\{3945A18C-28A1-48e5-A781-33D07280846A}.exe

Filesize
204KB

MD5
72beee9d1bc1854dd51d28478e437013

SHA1
3dda38c126c11c6e3505986e63b284a315717d01

SHA256
db69493476dc9bb4590b470a62d9df0457ce576cf87f2659e7fb3061fb072864

SHA512
4622aaca7b9ff39cc164d83e065ea202e34f4d54c282287e08a5450b72232a52f6627ce088c2855a17c571db04d25f8dd823ad0ed17bc8b20e4d6d37026b83a5

Download Submit
C:\Windows\{3945A18C-28A1-48e5-A781-33D07280846A}.exe

Filesize
204KB

MD5
72beee9d1bc1854dd51d28478e437013

SHA1
3dda38c126c11c6e3505986e63b284a315717d01

SHA256
db69493476dc9bb4590b470a62d9df0457ce576cf87f2659e7fb3061fb072864

SHA512
4622aaca7b9ff39cc164d83e065ea202e34f4d54c282287e08a5450b72232a52f6627ce088c2855a17c571db04d25f8dd823ad0ed17bc8b20e4d6d37026b83a5

Download Submit
C:\Windows\{458614E6-50C5-41d6-B249-812C115ADE02}.exe

Filesize
204KB

MD5
01d0a6e7e9bab94c868e40a965314d8e

SHA1
b6433ba7d5e477c80f489e7d16d7157a2e201a36

SHA256
29f531cd0b147dc6f667ff442230cc0dce0bb48d0623e8d800f5e209a6dbc162

SHA512
5b371511b7535914b4d35cc47827fc976d8e49b775b2ea448c3b3f7147cab529b606203cec305a95b2cd1b68fabccec9d8e863218050c37aab5e3d6231c4d8bc

Download Submit
C:\Windows\{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe

Filesize
204KB

MD5
89f5928657005203880fa83b1e178b37

SHA1
4623a812b8579feec081b19bfeb317b0c4c97453

SHA256
1948bc34d8d8fb2d77af8b7466ea355f9de114509083116ebac9a7c0337e277c

SHA512
4804e8964ecc9d1f0d5898810d3e470435fede7c286785cdc694a9b06b06f42302bb930a716164c9173d0ac324d3caef5c8ca54fdf4f3f0e77ce527a5758e926

Download Submit
C:\Windows\{546E64B3-6BE5-4d8c-B105-53A0F873DB01}.exe

Filesize
204KB

MD5
89f5928657005203880fa83b1e178b37

SHA1
4623a812b8579feec081b19bfeb317b0c4c97453

SHA256
1948bc34d8d8fb2d77af8b7466ea355f9de114509083116ebac9a7c0337e277c

SHA512
4804e8964ecc9d1f0d5898810d3e470435fede7c286785cdc694a9b06b06f42302bb930a716164c9173d0ac324d3caef5c8ca54fdf4f3f0e77ce527a5758e926

Download Submit
C:\Windows\{6CF01268-291F-46d4-BD51-748AAADFBE75}.exe

Filesize
204KB

MD5
4bd1a89ca147bae8353c011d216da057

SHA1
4a9a67bdae61be0a0039b815e573dc7e17da1d69

SHA256
3b1981a4aa270a934ddc63da17583cd72e58ea463b3d4e4c839afed402c32d3b

SHA512
356ceac72f0b4965c9bd0fca07115a4522f7d6a59e36bb78cd7c73bd22c9c9590e6a17b0fb3c64887ad013bf650660297df8a2201d5c665ea5683e1dc18ab1be

Download Submit
C:\Windows\{6CF01268-291F-46d4-BD51-748AAADFBE75}.exe

Filesize
204KB

MD5
4bd1a89ca147bae8353c011d216da057

SHA1
4a9a67bdae61be0a0039b815e573dc7e17da1d69

SHA256
3b1981a4aa270a934ddc63da17583cd72e58ea463b3d4e4c839afed402c32d3b

SHA512
356ceac72f0b4965c9bd0fca07115a4522f7d6a59e36bb78cd7c73bd22c9c9590e6a17b0fb3c64887ad013bf650660297df8a2201d5c665ea5683e1dc18ab1be

Download Submit
C:\Windows\{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe

Filesize
204KB

MD5
d687951db4ca764bd62c77c0c29afb99

SHA1
f021ff07c7708af8d5a9cc783db5be058302b6cf

SHA256
c7230b4e6f501e173cd2634eeb09956c9cb3c89e0cf618dc1e6d99e3a8366857

SHA512
b513dc387955350b7b33669b20d6943335d13c0194e4587cc2e78a16d5582b83e31576878cf47061c8a2114dcbf5759a4ebbc79fed9c0a4988e7a2edfc9deef1

Download Submit
C:\Windows\{79DFD9A0-ECA7-4fb0-96A1-51CC77DE7962}.exe

Filesize
204KB

MD5
d687951db4ca764bd62c77c0c29afb99

SHA1
f021ff07c7708af8d5a9cc783db5be058302b6cf

SHA256
c7230b4e6f501e173cd2634eeb09956c9cb3c89e0cf618dc1e6d99e3a8366857

SHA512
b513dc387955350b7b33669b20d6943335d13c0194e4587cc2e78a16d5582b83e31576878cf47061c8a2114dcbf5759a4ebbc79fed9c0a4988e7a2edfc9deef1

Download Submit
C:\Windows\{9460E453-BE27-4c80-9D13-3D35171181F7}.exe

Filesize
204KB

MD5
b1a553ac861613e0dd954675f3f5743a

SHA1
b1eeaf29825dd31f4acfa898fe2846c1b8c9b848

SHA256
4ca7cfd87fcded526d1e3d30894c61c8e502425617906ce333f3985b5503692f

SHA512
df68096483940e1604770916fed296ead902d1d9c2bd2418b0bf1bb576d841116572272d6923e5877e119b6f3397b431031c6c98f2e7b0670de244d7e0879499

Download Submit
C:\Windows\{9460E453-BE27-4c80-9D13-3D35171181F7}.exe

Filesize
204KB

MD5
b1a553ac861613e0dd954675f3f5743a

SHA1
b1eeaf29825dd31f4acfa898fe2846c1b8c9b848

SHA256
4ca7cfd87fcded526d1e3d30894c61c8e502425617906ce333f3985b5503692f

SHA512
df68096483940e1604770916fed296ead902d1d9c2bd2418b0bf1bb576d841116572272d6923e5877e119b6f3397b431031c6c98f2e7b0670de244d7e0879499

Download Submit
C:\Windows\{A89ABFB9-E479-4bd1-A423-8F99B602DC17}.exe

Filesize
204KB

MD5
755295f2856c25e2aab0534634983639

SHA1
1117948720a407cb9e96aeaafae8bf8cd2a45eb6

SHA256
3de55a48259dd954335cd46458f9a50393e88b335878a800a3df433bd661f0e0

SHA512
1ad5c2a6365ea2646c82feae918e22e06fdf6f2b98357461915e310a58b48bf5463fc7610eeed84f4e1f96a349374eb77d3fc6be8336af317988d162087a8f49

Download Submit
C:\Windows\{A89ABFB9-E479-4bd1-A423-8F99B602DC17}.exe

Filesize
204KB

MD5
755295f2856c25e2aab0534634983639

SHA1
1117948720a407cb9e96aeaafae8bf8cd2a45eb6

SHA256
3de55a48259dd954335cd46458f9a50393e88b335878a800a3df433bd661f0e0

SHA512
1ad5c2a6365ea2646c82feae918e22e06fdf6f2b98357461915e310a58b48bf5463fc7610eeed84f4e1f96a349374eb77d3fc6be8336af317988d162087a8f49

Download Submit
C:\Windows\{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe

Filesize
204KB

MD5
2b358b8339fa7b834218c7ff5e747fdc

SHA1
3ecd1b8ab796f8de118055b76087cdfe2e48babf

SHA256
b64e943ac870c8738b3481bade02ed3de3e25214bfc72023fda551a75f57bc53

SHA512
191a2686042cd5185b67ef4da75263dcc752c84514fc00c89fddf9db0bf5da3bb885af370ce107f3b6d6124abc97ae85c487ff77d39a484d7175e3a0faee8b48

Download Submit
C:\Windows\{AB22BCCD-7FE5-4170-A459-9C4BB53ABE3A}.exe

Filesize
204KB

MD5
2b358b8339fa7b834218c7ff5e747fdc

SHA1
3ecd1b8ab796f8de118055b76087cdfe2e48babf

SHA256
b64e943ac870c8738b3481bade02ed3de3e25214bfc72023fda551a75f57bc53

SHA512
191a2686042cd5185b67ef4da75263dcc752c84514fc00c89fddf9db0bf5da3bb885af370ce107f3b6d6124abc97ae85c487ff77d39a484d7175e3a0faee8b48

Download Submit
C:\Windows\{C9A96A12-E2A8-48f2-B670-F47AAEE5B07A}.exe

Filesize
204KB

MD5
a8c8a6c0aea8df5feae80bbb23ed7c10

SHA1
e58e07a4d0fe691fb1fd6a74f37f5234c5634a71

SHA256
b029e9bc358c71d6708503e284943b778bc3e8999eb336d4d308a47690cb4e6f

SHA512
886bce2342a6a2fc9f2d28a7300f8acfec9beef78822798fa1e134e3dddedbb44a1ef6e351ed306d94647c117410aa65afc66ce25063315bff1462a1da32a738

Download Submit
C:\Windows\{C9A96A12-E2A8-48f2-B670-F47AAEE5B07A}.exe

Filesize
204KB

MD5
a8c8a6c0aea8df5feae80bbb23ed7c10

SHA1
e58e07a4d0fe691fb1fd6a74f37f5234c5634a71

SHA256
b029e9bc358c71d6708503e284943b778bc3e8999eb336d4d308a47690cb4e6f

SHA512
886bce2342a6a2fc9f2d28a7300f8acfec9beef78822798fa1e134e3dddedbb44a1ef6e351ed306d94647c117410aa65afc66ce25063315bff1462a1da32a738

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads