c12004646af549b1719a27a727b4575a43f99268d23cb7bd95da2e166689c463

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/09/2023, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe
Size

168KB
MD5

830b6271b3c5fc54beb5ec2016863bd1
SHA1

600c19f2fda91ebda4d0f30dc104f791d1afce52
SHA256

c12004646af549b1719a27a727b4575a43f99268d23cb7bd95da2e166689c463
SHA512

38791b5598ce1db48e53f2cb1cb51a7199c636942265d3870ca90ba9528dd631188034d2df2dda8716f32f0d63690215d435e73bc81f00329239c36bb86f7148
SSDEEP

1536:1EGh0oPlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oPlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21E09B2E-8809-4277-8ED4-B9F6C63D8512}	{4B5993AA-3300-44d2-8F6C-13955C0F9FD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BF2CC0C-9B82-43d5-AE2E-6C579FC07AC2}	{21E09B2E-8809-4277-8ED4-B9F6C63D8512}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BF2CC0C-9B82-43d5-AE2E-6C579FC07AC2}\stubpath = "C:\\Windows\\{9BF2CC0C-9B82-43d5-AE2E-6C579FC07AC2}.exe"	{21E09B2E-8809-4277-8ED4-B9F6C63D8512}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2742386D-F87F-4bb3-9F2C-BFBCB1300D87}\stubpath = "C:\\Windows\\{2742386D-F87F-4bb3-9F2C-BFBCB1300D87}.exe"	{9BF2CC0C-9B82-43d5-AE2E-6C579FC07AC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A946213D-EC25-418b-AC6D-B2E39C4CA313}	{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B5993AA-3300-44d2-8F6C-13955C0F9FD7}	{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60BEFA81-3B9F-4061-BD95-C1976951F67E}	{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B5993AA-3300-44d2-8F6C-13955C0F9FD7}\stubpath = "C:\\Windows\\{4B5993AA-3300-44d2-8F6C-13955C0F9FD7}.exe"	{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ECDFA17-F59C-4793-AB58-850F66E26DE8}	{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{674555B2-EB46-4d0c-BE70-4CBDA243EE61}	{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{674555B2-EB46-4d0c-BE70-4CBDA243EE61}\stubpath = "C:\\Windows\\{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe"	{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}\stubpath = "C:\\Windows\\{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe"	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A946213D-EC25-418b-AC6D-B2E39C4CA313}\stubpath = "C:\\Windows\\{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe"	{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ECDFA17-F59C-4793-AB58-850F66E26DE8}\stubpath = "C:\\Windows\\{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe"	{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60BEFA81-3B9F-4061-BD95-C1976951F67E}\stubpath = "C:\\Windows\\{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe"	{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}	{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}\stubpath = "C:\\Windows\\{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe"	{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21E09B2E-8809-4277-8ED4-B9F6C63D8512}\stubpath = "C:\\Windows\\{21E09B2E-8809-4277-8ED4-B9F6C63D8512}.exe"	{4B5993AA-3300-44d2-8F6C-13955C0F9FD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2742386D-F87F-4bb3-9F2C-BFBCB1300D87}	{9BF2CC0C-9B82-43d5-AE2E-6C579FC07AC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}	{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}\stubpath = "C:\\Windows\\{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe"	{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe

Deletes itself 1 IoCs

pid	Process
2392	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2192	{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe
2760	{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe
2648	{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe
2732	{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe
2588	{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe
2420	{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe
2512	{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe
2928	{4B5993AA-3300-44d2-8F6C-13955C0F9FD7}.exe
2780	{21E09B2E-8809-4277-8ED4-B9F6C63D8512}.exe
1312	{9BF2CC0C-9B82-43d5-AE2E-6C579FC07AC2}.exe
2720	{2742386D-F87F-4bb3-9F2C-BFBCB1300D87}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe	{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe
File created	C:\Windows\{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe	{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe
File created	C:\Windows\{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe	{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe
File created	C:\Windows\{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe	{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe
File created	C:\Windows\{4B5993AA-3300-44d2-8F6C-13955C0F9FD7}.exe	{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe
File created	C:\Windows\{21E09B2E-8809-4277-8ED4-B9F6C63D8512}.exe	{4B5993AA-3300-44d2-8F6C-13955C0F9FD7}.exe
File created	C:\Windows\{9BF2CC0C-9B82-43d5-AE2E-6C579FC07AC2}.exe	{21E09B2E-8809-4277-8ED4-B9F6C63D8512}.exe
File created	C:\Windows\{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe
File created	C:\Windows\{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe	{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe
File created	C:\Windows\{2742386D-F87F-4bb3-9F2C-BFBCB1300D87}.exe	{9BF2CC0C-9B82-43d5-AE2E-6C579FC07AC2}.exe
File created	C:\Windows\{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe	{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1824	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2192	{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe
Token: SeIncBasePriorityPrivilege	2760	{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe
Token: SeIncBasePriorityPrivilege	2648	{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe
Token: SeIncBasePriorityPrivilege	2732	{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe
Token: SeIncBasePriorityPrivilege	2588	{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe
Token: SeIncBasePriorityPrivilege	2420	{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe
Token: SeIncBasePriorityPrivilege	2512	{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe
Token: SeIncBasePriorityPrivilege	2928	{4B5993AA-3300-44d2-8F6C-13955C0F9FD7}.exe
Token: SeIncBasePriorityPrivilege	2780	{21E09B2E-8809-4277-8ED4-B9F6C63D8512}.exe
Token: SeIncBasePriorityPrivilege	1312	{9BF2CC0C-9B82-43d5-AE2E-6C579FC07AC2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2192	1824	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe	28
PID 1824 wrote to memory of 2192	1824	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe	28
PID 1824 wrote to memory of 2192	1824	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe	28
PID 1824 wrote to memory of 2192	1824	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe	28
PID 1824 wrote to memory of 2392	1824	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe	29
PID 1824 wrote to memory of 2392	1824	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe	29
PID 1824 wrote to memory of 2392	1824	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe	29
PID 1824 wrote to memory of 2392	1824	2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe	29
PID 2192 wrote to memory of 2760	2192	{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe	30
PID 2192 wrote to memory of 2760	2192	{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe	30
PID 2192 wrote to memory of 2760	2192	{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe	30
PID 2192 wrote to memory of 2760	2192	{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe	30
PID 2192 wrote to memory of 2696	2192	{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe	31
PID 2192 wrote to memory of 2696	2192	{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe	31
PID 2192 wrote to memory of 2696	2192	{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe	31
PID 2192 wrote to memory of 2696	2192	{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe	31
PID 2760 wrote to memory of 2648	2760	{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe	32
PID 2760 wrote to memory of 2648	2760	{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe	32
PID 2760 wrote to memory of 2648	2760	{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe	32
PID 2760 wrote to memory of 2648	2760	{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe	32
PID 2760 wrote to memory of 2840	2760	{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe	33
PID 2760 wrote to memory of 2840	2760	{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe	33
PID 2760 wrote to memory of 2840	2760	{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe	33
PID 2760 wrote to memory of 2840	2760	{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe	33
PID 2648 wrote to memory of 2732	2648	{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe	36
PID 2648 wrote to memory of 2732	2648	{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe	36
PID 2648 wrote to memory of 2732	2648	{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe	36
PID 2648 wrote to memory of 2732	2648	{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe	36
PID 2648 wrote to memory of 2540	2648	{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe	37
PID 2648 wrote to memory of 2540	2648	{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe	37
PID 2648 wrote to memory of 2540	2648	{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe	37
PID 2648 wrote to memory of 2540	2648	{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe	37
PID 2732 wrote to memory of 2588	2732	{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe	38
PID 2732 wrote to memory of 2588	2732	{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe	38
PID 2732 wrote to memory of 2588	2732	{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe	38
PID 2732 wrote to memory of 2588	2732	{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe	38
PID 2732 wrote to memory of 2520	2732	{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe	39
PID 2732 wrote to memory of 2520	2732	{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe	39
PID 2732 wrote to memory of 2520	2732	{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe	39
PID 2732 wrote to memory of 2520	2732	{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe	39
PID 2588 wrote to memory of 2420	2588	{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe	41
PID 2588 wrote to memory of 2420	2588	{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe	41
PID 2588 wrote to memory of 2420	2588	{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe	41
PID 2588 wrote to memory of 2420	2588	{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe	41
PID 2588 wrote to memory of 2528	2588	{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe	40
PID 2588 wrote to memory of 2528	2588	{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe	40
PID 2588 wrote to memory of 2528	2588	{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe	40
PID 2588 wrote to memory of 2528	2588	{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe	40
PID 2420 wrote to memory of 2512	2420	{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe	43
PID 2420 wrote to memory of 2512	2420	{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe	43
PID 2420 wrote to memory of 2512	2420	{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe	43
PID 2420 wrote to memory of 2512	2420	{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe	43
PID 2420 wrote to memory of 2876	2420	{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe	42
PID 2420 wrote to memory of 2876	2420	{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe	42
PID 2420 wrote to memory of 2876	2420	{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe	42
PID 2420 wrote to memory of 2876	2420	{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe	42
PID 2512 wrote to memory of 2928	2512	{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe	45
PID 2512 wrote to memory of 2928	2512	{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe	45
PID 2512 wrote to memory of 2928	2512	{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe	45
PID 2512 wrote to memory of 2928	2512	{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe	45
PID 2512 wrote to memory of 2964	2512	{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe	44
PID 2512 wrote to memory of 2964	2512	{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe	44
PID 2512 wrote to memory of 2964	2512	{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe	44
PID 2512 wrote to memory of 2964	2512	{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe	44

C:\Users\Admin\AppData\Local\Temp\2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_830b6271b3c5fc54beb5ec2016863bd1_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe
  C:\Windows\{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe
    C:\Windows\{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe
      C:\Windows\{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe
        
        C:\Windows\{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe
        
        C:\Windows\{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F21BD~1.EXE > nul
        7⤵
        
        PID:2528
        
        C:\Windows\{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe
        
        C:\Windows\{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9462~1.EXE > nul
        8⤵
        
        PID:2876
        
        C:\Windows\{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe
        
        C:\Windows\{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67455~1.EXE > nul
        9⤵
        
        PID:2964
        
        C:\Windows\{4B5993AA-3300-44d2-8F6C-13955C0F9FD7}.exe
        
        C:\Windows\{4B5993AA-3300-44d2-8F6C-13955C0F9FD7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\{21E09B2E-8809-4277-8ED4-B9F6C63D8512}.exe
        
        C:\Windows\{21E09B2E-8809-4277-8ED4-B9F6C63D8512}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21E09~1.EXE > nul
        11⤵
        
        PID:320
        
        C:\Windows\{9BF2CC0C-9B82-43d5-AE2E-6C579FC07AC2}.exe
        
        C:\Windows\{9BF2CC0C-9B82-43d5-AE2E-6C579FC07AC2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BF2C~1.EXE > nul
        12⤵
        
        PID:1972
        
        C:\Windows\{2742386D-F87F-4bb3-9F2C-BFBCB1300D87}.exe
        
        C:\Windows\{2742386D-F87F-4bb3-9F2C-BFBCB1300D87}.exe
        12⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B599~1.EXE > nul
        10⤵
        
        PID:2852
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60BEF~1.EXE > nul
        6⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1ECDF~1.EXE > nul
        5⤵
        
        PID:2540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{811E9~1.EXE > nul
      4⤵
      PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7656C~1.EXE > nul
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe

Filesize
168KB

MD5
9cbb89969f7ab260537423fd30f093d9

SHA1
81876f23af2d58162a0bfb3e7893bb7a2f390f51

SHA256
3627315ce9c5816b98760a7655b0af590ff79f41a1dc775bd70e04d9a1016b86

SHA512
9373ec6ff82b05313db07947a5d927fe4c35c8f470e57a6087a398015c20c6506a8bb05884575264bc03b9b28513a489bac82b6d2e56afd682192b8992768c1a

Download Submit
C:\Windows\{1ECDFA17-F59C-4793-AB58-850F66E26DE8}.exe

Filesize
168KB

MD5
9cbb89969f7ab260537423fd30f093d9

SHA1
81876f23af2d58162a0bfb3e7893bb7a2f390f51

SHA256
3627315ce9c5816b98760a7655b0af590ff79f41a1dc775bd70e04d9a1016b86

SHA512
9373ec6ff82b05313db07947a5d927fe4c35c8f470e57a6087a398015c20c6506a8bb05884575264bc03b9b28513a489bac82b6d2e56afd682192b8992768c1a

Download Submit
C:\Windows\{21E09B2E-8809-4277-8ED4-B9F6C63D8512}.exe

Filesize
168KB

MD5
502ce8b70ee937e6e2a6dab762f82989

SHA1
69477d0e55e981c9771815b92a15bfdce2dc7a41

SHA256
8b661153b1cfb54d9ecb9a0b5144ed182d969e4f75847468b619832c6ab7c1a4

SHA512
6dc6c41776881992feecab4857cc8be73b68831dbe85bd3bcdbe36b364f1f32bb88deaa80c4a1954c89e397fb93df3c3cd5a59111effeb49a07c84b506eab76c

Download Submit
C:\Windows\{21E09B2E-8809-4277-8ED4-B9F6C63D8512}.exe

Filesize
168KB

MD5
502ce8b70ee937e6e2a6dab762f82989

SHA1
69477d0e55e981c9771815b92a15bfdce2dc7a41

SHA256
8b661153b1cfb54d9ecb9a0b5144ed182d969e4f75847468b619832c6ab7c1a4

SHA512
6dc6c41776881992feecab4857cc8be73b68831dbe85bd3bcdbe36b364f1f32bb88deaa80c4a1954c89e397fb93df3c3cd5a59111effeb49a07c84b506eab76c

Download Submit
C:\Windows\{2742386D-F87F-4bb3-9F2C-BFBCB1300D87}.exe

Filesize
168KB

MD5
010681883a5af652ba4a0b5a23490dcb

SHA1
4a7fc30bddf7350f20bfcd2225cae9d643bcc79e

SHA256
367a54b53821c003f8e79d7924150abbea61604f8362dec0810dc5924defa3e9

SHA512
f68c62f3895ec36dc55e51cfd16a8971baffdf1660cd055b02b550a6e8fc24259c2de21700e02b31bb6eb1c9e6c6b4f8f1701c24a49b064f113f9555130d4e18

Download Submit
C:\Windows\{4B5993AA-3300-44d2-8F6C-13955C0F9FD7}.exe

Filesize
168KB

MD5
57ed1bcd040c87740b851dafcb09f83d

SHA1
ee0e3f5ca8272c2fce33c6bb86b0527cf92c7bdc

SHA256
81ad1f462350e22df88f8f0bc34d6f252cfc9c1cd13ee0ca668e0d0fc637987c

SHA512
2167565c16398171c019e5552dc5f110fb550a50504f3cfef3f0f392a288609a73d4b816d21b5dddf948834d996bba9dfeb62644acfe1b0fccc244598d60ee13

Download Submit
C:\Windows\{4B5993AA-3300-44d2-8F6C-13955C0F9FD7}.exe

Filesize
168KB

MD5
57ed1bcd040c87740b851dafcb09f83d

SHA1
ee0e3f5ca8272c2fce33c6bb86b0527cf92c7bdc

SHA256
81ad1f462350e22df88f8f0bc34d6f252cfc9c1cd13ee0ca668e0d0fc637987c

SHA512
2167565c16398171c019e5552dc5f110fb550a50504f3cfef3f0f392a288609a73d4b816d21b5dddf948834d996bba9dfeb62644acfe1b0fccc244598d60ee13

Download Submit
C:\Windows\{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe

Filesize
168KB

MD5
a1787e2fbd3c13482d757479fb7feabd

SHA1
dd8363f40f93954365cc385e0e0ad9c95b192066

SHA256
e34276e6e8a4c8b4c4a60a120e01691208b270080fd8422d117573b13905d719

SHA512
82453d09bebaa1cebcc3630cc32feadc31bc705fcfce4b132b75a5fb54181495612477d372bc80e72e951ad631acaedac06836738d15c707f4630f2aa47c06af

Download Submit
C:\Windows\{60BEFA81-3B9F-4061-BD95-C1976951F67E}.exe

Filesize
168KB

MD5
a1787e2fbd3c13482d757479fb7feabd

SHA1
dd8363f40f93954365cc385e0e0ad9c95b192066

SHA256
e34276e6e8a4c8b4c4a60a120e01691208b270080fd8422d117573b13905d719

SHA512
82453d09bebaa1cebcc3630cc32feadc31bc705fcfce4b132b75a5fb54181495612477d372bc80e72e951ad631acaedac06836738d15c707f4630f2aa47c06af

Download Submit
C:\Windows\{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe

Filesize
168KB

MD5
2f2c0b9d3cb852d6fc7587d17550cc16

SHA1
d13848bd1a322fd67e72b727ee83455501a75c32

SHA256
2fcbc1eb95d53d119e8b94b5a3ee6f904a7ce8cc2e32e802628354f0ee836558

SHA512
c688e3991ce2c6f69bfcb6ff1631e07afe105bb639f630b7d49bdd3d7774a177ec324ef837a77ab8cd92d2aed2c549ace79e8167cfbc7f088a78a5468faef99e

Download Submit
C:\Windows\{674555B2-EB46-4d0c-BE70-4CBDA243EE61}.exe

Filesize
168KB

MD5
2f2c0b9d3cb852d6fc7587d17550cc16

SHA1
d13848bd1a322fd67e72b727ee83455501a75c32

SHA256
2fcbc1eb95d53d119e8b94b5a3ee6f904a7ce8cc2e32e802628354f0ee836558

SHA512
c688e3991ce2c6f69bfcb6ff1631e07afe105bb639f630b7d49bdd3d7774a177ec324ef837a77ab8cd92d2aed2c549ace79e8167cfbc7f088a78a5468faef99e

Download Submit
C:\Windows\{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe

Filesize
168KB

MD5
5b4fcf0bda1d6f201a69bc7ad07cb13a

SHA1
c31136cafb455444f6465caabf79f406260e9833

SHA256
c7b0a00af592cb0b404bb793e79bb7a316452593f856f6eb017a7cccf6912a3d

SHA512
34a602c119eaa54dcee09feb35384aec8081436e4da5aa5f04c7e55fd96fc47c3c29bf1e660355613ad15437e23b9faf66a46d647ea44f29b5ac654f60c99a57

Download Submit
C:\Windows\{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe

Filesize
168KB

MD5
5b4fcf0bda1d6f201a69bc7ad07cb13a

SHA1
c31136cafb455444f6465caabf79f406260e9833

SHA256
c7b0a00af592cb0b404bb793e79bb7a316452593f856f6eb017a7cccf6912a3d

SHA512
34a602c119eaa54dcee09feb35384aec8081436e4da5aa5f04c7e55fd96fc47c3c29bf1e660355613ad15437e23b9faf66a46d647ea44f29b5ac654f60c99a57

Download Submit
C:\Windows\{7656CBE2-7599-45a4-A0A8-0F62E6F42E26}.exe

Filesize
168KB

MD5
5b4fcf0bda1d6f201a69bc7ad07cb13a

SHA1
c31136cafb455444f6465caabf79f406260e9833

SHA256
c7b0a00af592cb0b404bb793e79bb7a316452593f856f6eb017a7cccf6912a3d

SHA512
34a602c119eaa54dcee09feb35384aec8081436e4da5aa5f04c7e55fd96fc47c3c29bf1e660355613ad15437e23b9faf66a46d647ea44f29b5ac654f60c99a57

Download Submit
C:\Windows\{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe

Filesize
168KB

MD5
0ac3a1ec83487f5c38730bbe5e48f0dd

SHA1
f48473d34945d779ab097c85f3282e244b907279

SHA256
1ddf2b90c5b12d3d98316785a5f9ec3c3ef7627984aa6bc88d859b44f28f5aef

SHA512
336ee83c0d1bed643f3e1ac1595a95cc385ba8eb7a9d3c9e2116a070814a73c8bd57024eb10ac15c3959e7cac62c7096f7bf0a20353d0fd2843763647dca254a

Download Submit
C:\Windows\{811E9199-4D17-47dc-BF6B-7E6CAAAC8168}.exe

Filesize
168KB

MD5
0ac3a1ec83487f5c38730bbe5e48f0dd

SHA1
f48473d34945d779ab097c85f3282e244b907279

SHA256
1ddf2b90c5b12d3d98316785a5f9ec3c3ef7627984aa6bc88d859b44f28f5aef

SHA512
336ee83c0d1bed643f3e1ac1595a95cc385ba8eb7a9d3c9e2116a070814a73c8bd57024eb10ac15c3959e7cac62c7096f7bf0a20353d0fd2843763647dca254a

Download Submit
C:\Windows\{9BF2CC0C-9B82-43d5-AE2E-6C579FC07AC2}.exe

Filesize
168KB

MD5
93dc3afe5c47c73c8620d34eba31eea7

SHA1
26cc99aec2322eb3b90e0cfbe54704dd9f92e36a

SHA256
6e9790dec9b11ec8bed9a7ab83ce8db99bb369d461d599950eec411d669ced01

SHA512
135a7a47cf6c3773500657e07e2f141664b9b20c86101d585d838627f3041a0ebf237f501b6d195e4373e87b416b0a01276d1d04faa6ea21aaf1a27c27027660

Download Submit
C:\Windows\{9BF2CC0C-9B82-43d5-AE2E-6C579FC07AC2}.exe

Filesize
168KB

MD5
93dc3afe5c47c73c8620d34eba31eea7

SHA1
26cc99aec2322eb3b90e0cfbe54704dd9f92e36a

SHA256
6e9790dec9b11ec8bed9a7ab83ce8db99bb369d461d599950eec411d669ced01

SHA512
135a7a47cf6c3773500657e07e2f141664b9b20c86101d585d838627f3041a0ebf237f501b6d195e4373e87b416b0a01276d1d04faa6ea21aaf1a27c27027660

Download Submit
C:\Windows\{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe

Filesize
168KB

MD5
1f5c56db3461c2bfdbf0f2c01ea2ddb6

SHA1
bd39763aab91f659759b57fd8d0c1734f9e75db6

SHA256
48c227414116e257f1511c938351e1812e52484941646b4709d4605522d623e3

SHA512
7934617bad0dd493c92be08fbec5c9275f4fc226cf493ff6d6064d407df874a75bab8c046b4c95dbcd9c2ab9ea213a42b3241c5cf1b556d76a52c666426fb435

Download Submit
C:\Windows\{A946213D-EC25-418b-AC6D-B2E39C4CA313}.exe

Filesize
168KB

MD5
1f5c56db3461c2bfdbf0f2c01ea2ddb6

SHA1
bd39763aab91f659759b57fd8d0c1734f9e75db6

SHA256
48c227414116e257f1511c938351e1812e52484941646b4709d4605522d623e3

SHA512
7934617bad0dd493c92be08fbec5c9275f4fc226cf493ff6d6064d407df874a75bab8c046b4c95dbcd9c2ab9ea213a42b3241c5cf1b556d76a52c666426fb435

Download Submit
C:\Windows\{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe

Filesize
168KB

MD5
99f9ee2164a6a7eabc30027a04b4b61c

SHA1
851d90b70deccbfc006bbfd7736609068e4615fb

SHA256
a136bf2c43a14d035f6696ae22fc01b66d8d9951352c76b0f1184b00375bb89f

SHA512
83cb1e2ab813520080e41c9fbc499aec89c1d2e4c484114bd74d14580a4dff569b40c831193f68d1f18a41c4a1baaf02d8e90b6ca0b52ce9bf2c7834b202e9dc

Download Submit
C:\Windows\{F21BDE7C-BC72-4b98-9EE7-27D0121ED3C4}.exe

Filesize
168KB

MD5
99f9ee2164a6a7eabc30027a04b4b61c

SHA1
851d90b70deccbfc006bbfd7736609068e4615fb

SHA256
a136bf2c43a14d035f6696ae22fc01b66d8d9951352c76b0f1184b00375bb89f

SHA512
83cb1e2ab813520080e41c9fbc499aec89c1d2e4c484114bd74d14580a4dff569b40c831193f68d1f18a41c4a1baaf02d8e90b6ca0b52ce9bf2c7834b202e9dc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads