0184dceec8ff786009c1a7dee97166c117efbb68055d3c5e2e7c9620d5329db8

Analysis

max time kernel
151s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/09/2023, 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe
Size

204KB
MD5

ebfbaeb76ed3c7295e435d66601537c1
SHA1

4b2f7b11aab22259f99c7a0988598a0e54604f51
SHA256

0184dceec8ff786009c1a7dee97166c117efbb68055d3c5e2e7c9620d5329db8
SHA512

7e7fa766fcd7da0fc25f7a513e17bf9496e6de8298218b2f4487b8037872ae5f182bfaa9bfbfe85c80ab6e41acba381a69788150277009e168a1a6e8d91ed477
SSDEEP

1536:1EGh0oPl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oPl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}	{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E555BD-B89A-4644-8B2F-D6254CA36B05}\stubpath = "C:\\Windows\\{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe"	{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74127BCD-0132-497f-9295-400B17FA852E}	{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D06958E6-3D3F-4d2b-B3D0-16C536E5CABF}\stubpath = "C:\\Windows\\{D06958E6-3D3F-4d2b-B3D0-16C536E5CABF}.exe"	{74127BCD-0132-497f-9295-400B17FA852E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5A00529-B20D-4af1-8BF6-EBB2D6186901}\stubpath = "C:\\Windows\\{D5A00529-B20D-4af1-8BF6-EBB2D6186901}.exe"	{9B9A04BF-5A93-49b0-AEB0-6650F75E2082}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F44C4CCC-774B-4062-AD57-E6DA03B35365}	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F44C4CCC-774B-4062-AD57-E6DA03B35365}\stubpath = "C:\\Windows\\{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe"	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42BB43F2-34B5-413c-870D-C177FE878FFE}	{D057062B-879E-42cd-8916-E1103EC20443}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1950011-F7C5-48dd-83F8-66F9EA4A9896}\stubpath = "C:\\Windows\\{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe"	{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D15C7B79-7009-4408-9656-16576A2DD80E}\stubpath = "C:\\Windows\\{D15C7B79-7009-4408-9656-16576A2DD80E}.exe"	{D06958E6-3D3F-4d2b-B3D0-16C536E5CABF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B9A04BF-5A93-49b0-AEB0-6650F75E2082}	{D15C7B79-7009-4408-9656-16576A2DD80E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5A00529-B20D-4af1-8BF6-EBB2D6186901}	{9B9A04BF-5A93-49b0-AEB0-6650F75E2082}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FB12291-2230-4b3e-B195-97D24B5AB145}\stubpath = "C:\\Windows\\{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe"	{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D057062B-879E-42cd-8916-E1103EC20443}\stubpath = "C:\\Windows\\{D057062B-879E-42cd-8916-E1103EC20443}.exe"	{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D057062B-879E-42cd-8916-E1103EC20443}	{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42BB43F2-34B5-413c-870D-C177FE878FFE}\stubpath = "C:\\Windows\\{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe"	{D057062B-879E-42cd-8916-E1103EC20443}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D06958E6-3D3F-4d2b-B3D0-16C536E5CABF}	{74127BCD-0132-497f-9295-400B17FA852E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D15C7B79-7009-4408-9656-16576A2DD80E}	{D06958E6-3D3F-4d2b-B3D0-16C536E5CABF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B9A04BF-5A93-49b0-AEB0-6650F75E2082}\stubpath = "C:\\Windows\\{9B9A04BF-5A93-49b0-AEB0-6650F75E2082}.exe"	{D15C7B79-7009-4408-9656-16576A2DD80E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E555BD-B89A-4644-8B2F-D6254CA36B05}	{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FB12291-2230-4b3e-B195-97D24B5AB145}	{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74127BCD-0132-497f-9295-400B17FA852E}\stubpath = "C:\\Windows\\{74127BCD-0132-497f-9295-400B17FA852E}.exe"	{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}\stubpath = "C:\\Windows\\{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe"	{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1950011-F7C5-48dd-83F8-66F9EA4A9896}	{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe

Deletes itself 1 IoCs

pid	Process
2680	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2232	{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe
2636	{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe
2796	{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe
2792	{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe
2488	{D057062B-879E-42cd-8916-E1103EC20443}.exe
3056	{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe
3064	{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe
2856	{74127BCD-0132-497f-9295-400B17FA852E}.exe
2900	{D06958E6-3D3F-4d2b-B3D0-16C536E5CABF}.exe
2740	{D15C7B79-7009-4408-9656-16576A2DD80E}.exe
1652	{9B9A04BF-5A93-49b0-AEB0-6650F75E2082}.exe
1444	{D5A00529-B20D-4af1-8BF6-EBB2D6186901}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D057062B-879E-42cd-8916-E1103EC20443}.exe	{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe
File created	C:\Windows\{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe	{D057062B-879E-42cd-8916-E1103EC20443}.exe
File created	C:\Windows\{D06958E6-3D3F-4d2b-B3D0-16C536E5CABF}.exe	{74127BCD-0132-497f-9295-400B17FA852E}.exe
File created	C:\Windows\{D15C7B79-7009-4408-9656-16576A2DD80E}.exe	{D06958E6-3D3F-4d2b-B3D0-16C536E5CABF}.exe
File created	C:\Windows\{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe	{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe
File created	C:\Windows\{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe	{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe
File created	C:\Windows\{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe	{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe
File created	C:\Windows\{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe	{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe
File created	C:\Windows\{74127BCD-0132-497f-9295-400B17FA852E}.exe	{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe
File created	C:\Windows\{9B9A04BF-5A93-49b0-AEB0-6650F75E2082}.exe	{D15C7B79-7009-4408-9656-16576A2DD80E}.exe
File created	C:\Windows\{D5A00529-B20D-4af1-8BF6-EBB2D6186901}.exe	{9B9A04BF-5A93-49b0-AEB0-6650F75E2082}.exe
File created	C:\Windows\{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2200	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2232	{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe
Token: SeIncBasePriorityPrivilege	2636	{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe
Token: SeIncBasePriorityPrivilege	2796	{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe
Token: SeIncBasePriorityPrivilege	2792	{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe
Token: SeIncBasePriorityPrivilege	2488	{D057062B-879E-42cd-8916-E1103EC20443}.exe
Token: SeIncBasePriorityPrivilege	3056	{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe
Token: SeIncBasePriorityPrivilege	3064	{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe
Token: SeIncBasePriorityPrivilege	2856	{74127BCD-0132-497f-9295-400B17FA852E}.exe
Token: SeIncBasePriorityPrivilege	2900	{D06958E6-3D3F-4d2b-B3D0-16C536E5CABF}.exe
Token: SeIncBasePriorityPrivilege	2740	{D15C7B79-7009-4408-9656-16576A2DD80E}.exe
Token: SeIncBasePriorityPrivilege	1652	{9B9A04BF-5A93-49b0-AEB0-6650F75E2082}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2232	2200	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe	28
PID 2200 wrote to memory of 2232	2200	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe	28
PID 2200 wrote to memory of 2232	2200	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe	28
PID 2200 wrote to memory of 2232	2200	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe	28
PID 2200 wrote to memory of 2680	2200	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe	29
PID 2200 wrote to memory of 2680	2200	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe	29
PID 2200 wrote to memory of 2680	2200	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe	29
PID 2200 wrote to memory of 2680	2200	2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe	29
PID 2232 wrote to memory of 2636	2232	{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe	30
PID 2232 wrote to memory of 2636	2232	{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe	30
PID 2232 wrote to memory of 2636	2232	{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe	30
PID 2232 wrote to memory of 2636	2232	{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe	30
PID 2232 wrote to memory of 2700	2232	{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe	31
PID 2232 wrote to memory of 2700	2232	{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe	31
PID 2232 wrote to memory of 2700	2232	{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe	31
PID 2232 wrote to memory of 2700	2232	{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe	31
PID 2636 wrote to memory of 2796	2636	{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe	35
PID 2636 wrote to memory of 2796	2636	{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe	35
PID 2636 wrote to memory of 2796	2636	{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe	35
PID 2636 wrote to memory of 2796	2636	{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe	35
PID 2636 wrote to memory of 1180	2636	{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe	34
PID 2636 wrote to memory of 1180	2636	{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe	34
PID 2636 wrote to memory of 1180	2636	{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe	34
PID 2636 wrote to memory of 1180	2636	{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe	34
PID 2796 wrote to memory of 2792	2796	{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe	37
PID 2796 wrote to memory of 2792	2796	{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe	37
PID 2796 wrote to memory of 2792	2796	{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe	37
PID 2796 wrote to memory of 2792	2796	{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe	37
PID 2796 wrote to memory of 2712	2796	{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe	36
PID 2796 wrote to memory of 2712	2796	{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe	36
PID 2796 wrote to memory of 2712	2796	{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe	36
PID 2796 wrote to memory of 2712	2796	{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe	36
PID 2792 wrote to memory of 2488	2792	{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe	39
PID 2792 wrote to memory of 2488	2792	{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe	39
PID 2792 wrote to memory of 2488	2792	{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe	39
PID 2792 wrote to memory of 2488	2792	{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe	39
PID 2792 wrote to memory of 2544	2792	{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe	38
PID 2792 wrote to memory of 2544	2792	{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe	38
PID 2792 wrote to memory of 2544	2792	{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe	38
PID 2792 wrote to memory of 2544	2792	{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe	38
PID 2488 wrote to memory of 3056	2488	{D057062B-879E-42cd-8916-E1103EC20443}.exe	40
PID 2488 wrote to memory of 3056	2488	{D057062B-879E-42cd-8916-E1103EC20443}.exe	40
PID 2488 wrote to memory of 3056	2488	{D057062B-879E-42cd-8916-E1103EC20443}.exe	40
PID 2488 wrote to memory of 3056	2488	{D057062B-879E-42cd-8916-E1103EC20443}.exe	40
PID 2488 wrote to memory of 2356	2488	{D057062B-879E-42cd-8916-E1103EC20443}.exe	41
PID 2488 wrote to memory of 2356	2488	{D057062B-879E-42cd-8916-E1103EC20443}.exe	41
PID 2488 wrote to memory of 2356	2488	{D057062B-879E-42cd-8916-E1103EC20443}.exe	41
PID 2488 wrote to memory of 2356	2488	{D057062B-879E-42cd-8916-E1103EC20443}.exe	41
PID 3056 wrote to memory of 3064	3056	{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe	43
PID 3056 wrote to memory of 3064	3056	{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe	43
PID 3056 wrote to memory of 3064	3056	{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe	43
PID 3056 wrote to memory of 3064	3056	{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe	43
PID 3056 wrote to memory of 2384	3056	{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe	42
PID 3056 wrote to memory of 2384	3056	{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe	42
PID 3056 wrote to memory of 2384	3056	{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe	42
PID 3056 wrote to memory of 2384	3056	{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe	42
PID 3064 wrote to memory of 2856	3064	{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe	45
PID 3064 wrote to memory of 2856	3064	{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe	45
PID 3064 wrote to memory of 2856	3064	{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe	45
PID 3064 wrote to memory of 2856	3064	{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe	45
PID 3064 wrote to memory of 2828	3064	{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe	44
PID 3064 wrote to memory of 2828	3064	{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe	44
PID 3064 wrote to memory of 2828	3064	{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe	44
PID 3064 wrote to memory of 2828	3064	{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe	44

C:\Users\Admin\AppData\Local\Temp\2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_ebfbaeb76ed3c7295e435d66601537c1_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe
  C:\Windows\{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe
    C:\Windows\{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{553FE~1.EXE > nul
      4⤵
      PID:1180
  - - C:\Windows\{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe
      C:\Windows\{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76E55~1.EXE > nul
        5⤵
        
        PID:2712
    - - C:\Windows\{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe
        
        C:\Windows\{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FB12~1.EXE > nul
        6⤵
        
        PID:2544
      - C:\Windows\{D057062B-879E-42cd-8916-E1103EC20443}.exe
        
        C:\Windows\{D057062B-879E-42cd-8916-E1103EC20443}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe
        
        C:\Windows\{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42BB4~1.EXE > nul
        8⤵
        
        PID:2384
        
        C:\Windows\{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe
        
        C:\Windows\{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1950~1.EXE > nul
        9⤵
        
        PID:2828
        
        C:\Windows\{74127BCD-0132-497f-9295-400B17FA852E}.exe
        
        C:\Windows\{74127BCD-0132-497f-9295-400B17FA852E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74127~1.EXE > nul
        10⤵
        
        PID:1556
        
        C:\Windows\{D06958E6-3D3F-4d2b-B3D0-16C536E5CABF}.exe
        
        C:\Windows\{D06958E6-3D3F-4d2b-B3D0-16C536E5CABF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\{D15C7B79-7009-4408-9656-16576A2DD80E}.exe
        
        C:\Windows\{D15C7B79-7009-4408-9656-16576A2DD80E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D15C7~1.EXE > nul
        12⤵
        
        PID:1504
        
        C:\Windows\{9B9A04BF-5A93-49b0-AEB0-6650F75E2082}.exe
        
        C:\Windows\{9B9A04BF-5A93-49b0-AEB0-6650F75E2082}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\{D5A00529-B20D-4af1-8BF6-EBB2D6186901}.exe
        
        C:\Windows\{D5A00529-B20D-4af1-8BF6-EBB2D6186901}.exe
        13⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B9A0~1.EXE > nul
        13⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0695~1.EXE > nul
        11⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0570~1.EXE > nul
        7⤵
        
        PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F44C4~1.EXE > nul
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe

Filesize
204KB

MD5
1c1903cd110ed3bd35bef4ea82d1d171

SHA1
1bf99c13b6ad2240130da2e3939c073939a766b9

SHA256
3cddbd67661cc15028f257c1bd862b6c488e12de4e6246fc2dd66c157fad30be

SHA512
925f398c5617b2fbc27dd4b2bef5320cd48109f740b2a2562a617976e561528f906ef9ca82d47c52726b056bb726373bb307cb956d8cde1465aa3a1814f1e772

Download Submit
C:\Windows\{42BB43F2-34B5-413c-870D-C177FE878FFE}.exe

Filesize
204KB

MD5
1c1903cd110ed3bd35bef4ea82d1d171

SHA1
1bf99c13b6ad2240130da2e3939c073939a766b9

SHA256
3cddbd67661cc15028f257c1bd862b6c488e12de4e6246fc2dd66c157fad30be

SHA512
925f398c5617b2fbc27dd4b2bef5320cd48109f740b2a2562a617976e561528f906ef9ca82d47c52726b056bb726373bb307cb956d8cde1465aa3a1814f1e772

Download Submit
C:\Windows\{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe

Filesize
204KB

MD5
5b0221169f9f54e7b5b36e91306c23b4

SHA1
e7deedbb7d8bd9ef974c69b64ba616f07094fad4

SHA256
6595a794a0599c6872ecd946771899e5bb34ea07b9fad3914ec56cf8452ccf98

SHA512
34a67e57a6ee12fe5c86bfb130e2286d7f36f80ac7565ded657d6d6c66c9c4d56d8a137f92e7ae72beda868b068bd5f900eb15a594ace9294a889523a2680622

Download Submit
C:\Windows\{553FEA5A-8C1E-4b2a-BCC6-57BAE7A3E3E6}.exe

Filesize
204KB

MD5
5b0221169f9f54e7b5b36e91306c23b4

SHA1
e7deedbb7d8bd9ef974c69b64ba616f07094fad4

SHA256
6595a794a0599c6872ecd946771899e5bb34ea07b9fad3914ec56cf8452ccf98

SHA512
34a67e57a6ee12fe5c86bfb130e2286d7f36f80ac7565ded657d6d6c66c9c4d56d8a137f92e7ae72beda868b068bd5f900eb15a594ace9294a889523a2680622

Download Submit
C:\Windows\{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe

Filesize
204KB

MD5
14b11559064350bf032105854785add0

SHA1
282053c034e41a462a12d3723b9e084932747915

SHA256
d7c2cdfd2dd20d0031a5920576688161e03c43dc2726ed86046b2f8c55fac0a4

SHA512
0299505d100aa8bc8c3c9aa0fab8ea91c135f16fa1b6481d25b2335ae1bb953c340c4906df6b9e9ab69b89d7bb99a18ef91e6c00fb408aa52c73ca494d69179b

Download Submit
C:\Windows\{6FB12291-2230-4b3e-B195-97D24B5AB145}.exe

Filesize
204KB

MD5
14b11559064350bf032105854785add0

SHA1
282053c034e41a462a12d3723b9e084932747915

SHA256
d7c2cdfd2dd20d0031a5920576688161e03c43dc2726ed86046b2f8c55fac0a4

SHA512
0299505d100aa8bc8c3c9aa0fab8ea91c135f16fa1b6481d25b2335ae1bb953c340c4906df6b9e9ab69b89d7bb99a18ef91e6c00fb408aa52c73ca494d69179b

Download Submit
C:\Windows\{74127BCD-0132-497f-9295-400B17FA852E}.exe

Filesize
204KB

MD5
dc77b2ecffd68b6c0596e6e906f9d02f

SHA1
816cfc886e3b87822cb7c7b8ce8265d76acef0cc

SHA256
8162b3253400abdbec5b941dbf0441fadbe05e78505ca8cb480a7a75fa64f8e1

SHA512
3597ad670a6cbc6315cb520912b510ffcbc2d525f5e359a1243d294c8f62c62e257b3d31b44643abfac5c3b2902b253c4f23715deab16e07284acfbaf4e9b262

Download Submit
C:\Windows\{74127BCD-0132-497f-9295-400B17FA852E}.exe

Filesize
204KB

MD5
dc77b2ecffd68b6c0596e6e906f9d02f

SHA1
816cfc886e3b87822cb7c7b8ce8265d76acef0cc

SHA256
8162b3253400abdbec5b941dbf0441fadbe05e78505ca8cb480a7a75fa64f8e1

SHA512
3597ad670a6cbc6315cb520912b510ffcbc2d525f5e359a1243d294c8f62c62e257b3d31b44643abfac5c3b2902b253c4f23715deab16e07284acfbaf4e9b262

Download Submit
C:\Windows\{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe

Filesize
204KB

MD5
de2d81d6fefdb37913d37bc212bc69a7

SHA1
8a62fe5f8df6bb7aeef36397afb7dbc1166568d0

SHA256
af8bc8df8d3e2e9ffe3dfc11c0faac43f03b007875524cee698f044a767ff118

SHA512
b012cacff7827f896bb84d3c334e3d9e9a29e77253cda8fec61b06fa43746090e5ee7b07484d66011498959638834de5635e3100f69b5051a0b92281a17c12fb

Download Submit
C:\Windows\{76E555BD-B89A-4644-8B2F-D6254CA36B05}.exe

Filesize
204KB

MD5
de2d81d6fefdb37913d37bc212bc69a7

SHA1
8a62fe5f8df6bb7aeef36397afb7dbc1166568d0

SHA256
af8bc8df8d3e2e9ffe3dfc11c0faac43f03b007875524cee698f044a767ff118

SHA512
b012cacff7827f896bb84d3c334e3d9e9a29e77253cda8fec61b06fa43746090e5ee7b07484d66011498959638834de5635e3100f69b5051a0b92281a17c12fb

Download Submit
C:\Windows\{9B9A04BF-5A93-49b0-AEB0-6650F75E2082}.exe

Filesize
204KB

MD5
540fb5169e63ba39416761f0a4f1a994

SHA1
0faade605ec2b3c60134bd7e60434755e1bffbfd

SHA256
16aecc765555de7bc64d843c8cefe4d461d3807c45dcc2755a6ff81d50ce51ea

SHA512
1d79fab6c0c4d1d7b85735ff8c0fe64e1fbe6614fb4779429c351b4ec1f31945f0a718eacdacec5149cff5a830dd21a4e0ca54bd7b60919c3fd8fc6acc9493d2

Download Submit
C:\Windows\{9B9A04BF-5A93-49b0-AEB0-6650F75E2082}.exe

Filesize
204KB

MD5
540fb5169e63ba39416761f0a4f1a994

SHA1
0faade605ec2b3c60134bd7e60434755e1bffbfd

SHA256
16aecc765555de7bc64d843c8cefe4d461d3807c45dcc2755a6ff81d50ce51ea

SHA512
1d79fab6c0c4d1d7b85735ff8c0fe64e1fbe6614fb4779429c351b4ec1f31945f0a718eacdacec5149cff5a830dd21a4e0ca54bd7b60919c3fd8fc6acc9493d2

Download Submit
C:\Windows\{D057062B-879E-42cd-8916-E1103EC20443}.exe

Filesize
204KB

MD5
74e453cc0d0bbb0e2e5252a12ca1e1f6

SHA1
8a959b6065fa65c41cd8dab495fa2bf0c5e39e57

SHA256
8c00a22d3a9b973cb6115309b272ecff3cab0691fff68414e1d7be3ea1d42d28

SHA512
3880c557d82136ccd6fcf86f678de21d265b61118de67d57a3cdd6dc501110dd62eb245b87604df5ef1f4593a33ac2ff988d2107137bc0c800c1d2b2e557cf94

Download Submit
C:\Windows\{D057062B-879E-42cd-8916-E1103EC20443}.exe

Filesize
204KB

MD5
74e453cc0d0bbb0e2e5252a12ca1e1f6

SHA1
8a959b6065fa65c41cd8dab495fa2bf0c5e39e57

SHA256
8c00a22d3a9b973cb6115309b272ecff3cab0691fff68414e1d7be3ea1d42d28

SHA512
3880c557d82136ccd6fcf86f678de21d265b61118de67d57a3cdd6dc501110dd62eb245b87604df5ef1f4593a33ac2ff988d2107137bc0c800c1d2b2e557cf94

Download Submit
C:\Windows\{D06958E6-3D3F-4d2b-B3D0-16C536E5CABF}.exe

Filesize
204KB

MD5
fb9d48c75fe5bfd7d0aad78075a2ee5d

SHA1
153ae342180e8ef0afedc5116460dc3a779069da

SHA256
a0d674fc6f4ba6a2ab076c0b00f6f9292e5821fcda30b90c947ee01893e0cc5c

SHA512
06e8dfefbcae39ddc1d13ac44351329e35eb41ccaebe48b5a1fb547c94bace7e10ace9b42d13e813d776328ff1d49b6514924ba288322b8bfacaa1ccd6a949fb

Download Submit
C:\Windows\{D06958E6-3D3F-4d2b-B3D0-16C536E5CABF}.exe

Filesize
204KB

MD5
fb9d48c75fe5bfd7d0aad78075a2ee5d

SHA1
153ae342180e8ef0afedc5116460dc3a779069da

SHA256
a0d674fc6f4ba6a2ab076c0b00f6f9292e5821fcda30b90c947ee01893e0cc5c

SHA512
06e8dfefbcae39ddc1d13ac44351329e35eb41ccaebe48b5a1fb547c94bace7e10ace9b42d13e813d776328ff1d49b6514924ba288322b8bfacaa1ccd6a949fb

Download Submit
C:\Windows\{D15C7B79-7009-4408-9656-16576A2DD80E}.exe

Filesize
204KB

MD5
2a668b470027f39845a956176bf706e2

SHA1
023c551e44b1010219580933ca9711453f5bb08d

SHA256
ad55f318d62178f1025cdcd213f06d4e626bcbddc8f9b8df8de6adbb8104cb38

SHA512
b0418394531d24258965bf6ab7c7921793be5e4f9dbca3817029fae9b148e087cc36e3af2b8167007d2ae9b037f1eda0405311abbe4c446fa8dee7356538051a

Download Submit
C:\Windows\{D15C7B79-7009-4408-9656-16576A2DD80E}.exe

Filesize
204KB

MD5
2a668b470027f39845a956176bf706e2

SHA1
023c551e44b1010219580933ca9711453f5bb08d

SHA256
ad55f318d62178f1025cdcd213f06d4e626bcbddc8f9b8df8de6adbb8104cb38

SHA512
b0418394531d24258965bf6ab7c7921793be5e4f9dbca3817029fae9b148e087cc36e3af2b8167007d2ae9b037f1eda0405311abbe4c446fa8dee7356538051a

Download Submit
C:\Windows\{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe

Filesize
204KB

MD5
73c7add75e1454635e4006ac4959e4ef

SHA1
e6c4f26c80d2b2e2eb912af459b406cc977e9e6f

SHA256
77a801f5499720beab1fa7f1a0bed8904238364d25c0bc2f6a2b05280d80f5a0

SHA512
b24c3966f450e60bdd1376856ff06deaa6631dfa32e28b61a031fc74b9fed1f7bce9048493ff154e552dcb768a4f7a45194714adaadb675c93d774597463e6e4

Download Submit
C:\Windows\{D1950011-F7C5-48dd-83F8-66F9EA4A9896}.exe

Filesize
204KB

MD5
73c7add75e1454635e4006ac4959e4ef

SHA1
e6c4f26c80d2b2e2eb912af459b406cc977e9e6f

SHA256
77a801f5499720beab1fa7f1a0bed8904238364d25c0bc2f6a2b05280d80f5a0

SHA512
b24c3966f450e60bdd1376856ff06deaa6631dfa32e28b61a031fc74b9fed1f7bce9048493ff154e552dcb768a4f7a45194714adaadb675c93d774597463e6e4

Download Submit
C:\Windows\{D5A00529-B20D-4af1-8BF6-EBB2D6186901}.exe

Filesize
204KB

MD5
705c85a9db5fec89bb503a198bb6c262

SHA1
9949ce2ff60661ad2a2ee1be32b7c591a9911f9d

SHA256
0bbeeaa7f79515d555883d74adcb8eab2241a5756c01c9ae7ae38d1b12b4e713

SHA512
cad9e6d3766e90b359eb254fa7b075b576bc7cadd6e06af0d763ff243fded281e04537b0f12b065ca25f44637403e6b42b1f337f62605d16204cc55d76fe2582

Download Submit
C:\Windows\{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe

Filesize
204KB

MD5
0b6ef21ea449c2e1778456ccdb7f230e

SHA1
49f67c4d94b4bf25e1c0835b621236278df82a72

SHA256
79541e0aac9087a43e6468c9e10f947b6c8cb9752c869aaafb61306d52234e4d

SHA512
2a5d559223e4b834477c42dd329d9e1137c07b88acad3550716cbf51d11d6e0b37c199eee60c401d74a14c8d9a299d50c0cff6a7ac3dceca7b9645a3f040e351

Download Submit
C:\Windows\{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe

Filesize
204KB

MD5
0b6ef21ea449c2e1778456ccdb7f230e

SHA1
49f67c4d94b4bf25e1c0835b621236278df82a72

SHA256
79541e0aac9087a43e6468c9e10f947b6c8cb9752c869aaafb61306d52234e4d

SHA512
2a5d559223e4b834477c42dd329d9e1137c07b88acad3550716cbf51d11d6e0b37c199eee60c401d74a14c8d9a299d50c0cff6a7ac3dceca7b9645a3f040e351

Download Submit
C:\Windows\{F44C4CCC-774B-4062-AD57-E6DA03B35365}.exe

Filesize
204KB

MD5
0b6ef21ea449c2e1778456ccdb7f230e

SHA1
49f67c4d94b4bf25e1c0835b621236278df82a72

SHA256
79541e0aac9087a43e6468c9e10f947b6c8cb9752c869aaafb61306d52234e4d

SHA512
2a5d559223e4b834477c42dd329d9e1137c07b88acad3550716cbf51d11d6e0b37c199eee60c401d74a14c8d9a299d50c0cff6a7ac3dceca7b9645a3f040e351

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads