06bcc03e195db679630f5bdf8f3cf997c2bdc0e752b673b243b35339885bc5ae

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/09/2023, 14:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-23_012eb94f6c3d6c61ca55822a582120e0_goldeneye_JC.exe
Size

180KB
MD5

012eb94f6c3d6c61ca55822a582120e0
SHA1

005095afb6cba8879b7c64bb9a1cdf882c59e944
SHA256

06bcc03e195db679630f5bdf8f3cf997c2bdc0e752b673b243b35339885bc5ae
SHA512

06a42d092d6aaa090e936df31039d3f598e0eb597f1cb8770258c73fb05af5203462875da682d080a72c3881dba474436322b8cb182239a0faf988e21c6114ff
SSDEEP

3072:jEGh0oylfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGEl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}	{305B542D-0B9E-45f6-99C9-59286523AED3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FFB31B1-0132-4689-8840-71840BA4F590}	{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41607AAF-51D9-4543-ACE2-D95306FA7E7F}\stubpath = "C:\\Windows\\{41607AAF-51D9-4543-ACE2-D95306FA7E7F}.exe"	{51C93392-B13C-4961-9851-8618458109D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61959947-B591-490d-BFAC-4CECA1AB9C1D}	2023-08-23_012eb94f6c3d6c61ca55822a582120e0_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61959947-B591-490d-BFAC-4CECA1AB9C1D}\stubpath = "C:\\Windows\\{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe"	2023-08-23_012eb94f6c3d6c61ca55822a582120e0_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{305B542D-0B9E-45f6-99C9-59286523AED3}	{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}\stubpath = "C:\\Windows\\{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe"	{305B542D-0B9E-45f6-99C9-59286523AED3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FFB31B1-0132-4689-8840-71840BA4F590}\stubpath = "C:\\Windows\\{3FFB31B1-0132-4689-8840-71840BA4F590}.exe"	{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B54DA47F-086B-46ed-AA12-4F67E8C87E78}\stubpath = "C:\\Windows\\{B54DA47F-086B-46ed-AA12-4F67E8C87E78}.exe"	{3FFB31B1-0132-4689-8840-71840BA4F590}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AFF64D7-F205-499e-93F9-B37E5D616B0E}	{B54DA47F-086B-46ed-AA12-4F67E8C87E78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41607AAF-51D9-4543-ACE2-D95306FA7E7F}	{51C93392-B13C-4961-9851-8618458109D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F592103E-DB77-4b61-95B2-0D365E621D04}\stubpath = "C:\\Windows\\{F592103E-DB77-4b61-95B2-0D365E621D04}.exe"	{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B472DA9-A53A-4d48-81A8-F31B68B76207}	{F592103E-DB77-4b61-95B2-0D365E621D04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{479BD780-C36D-4266-A7C6-FBA84C0913C9}\stubpath = "C:\\Windows\\{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe"	{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AFF64D7-F205-499e-93F9-B37E5D616B0E}\stubpath = "C:\\Windows\\{9AFF64D7-F205-499e-93F9-B37E5D616B0E}.exe"	{B54DA47F-086B-46ed-AA12-4F67E8C87E78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51C93392-B13C-4961-9851-8618458109D0}	{9AFF64D7-F205-499e-93F9-B37E5D616B0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{305B542D-0B9E-45f6-99C9-59286523AED3}\stubpath = "C:\\Windows\\{305B542D-0B9E-45f6-99C9-59286523AED3}.exe"	{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{479BD780-C36D-4266-A7C6-FBA84C0913C9}	{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B54DA47F-086B-46ed-AA12-4F67E8C87E78}	{3FFB31B1-0132-4689-8840-71840BA4F590}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51C93392-B13C-4961-9851-8618458109D0}\stubpath = "C:\\Windows\\{51C93392-B13C-4961-9851-8618458109D0}.exe"	{9AFF64D7-F205-499e-93F9-B37E5D616B0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F592103E-DB77-4b61-95B2-0D365E621D04}	{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B472DA9-A53A-4d48-81A8-F31B68B76207}\stubpath = "C:\\Windows\\{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe"	{F592103E-DB77-4b61-95B2-0D365E621D04}.exe

Deletes itself 1 IoCs

pid	Process
1576	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2528	{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe
2664	{F592103E-DB77-4b61-95B2-0D365E621D04}.exe
2620	{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe
2580	{305B542D-0B9E-45f6-99C9-59286523AED3}.exe
2452	{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe
3012	{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe
584	{3FFB31B1-0132-4689-8840-71840BA4F590}.exe
436	{B54DA47F-086B-46ed-AA12-4F67E8C87E78}.exe
1384	{9AFF64D7-F205-499e-93F9-B37E5D616B0E}.exe
2848	{51C93392-B13C-4961-9851-8618458109D0}.exe
2980	{41607AAF-51D9-4543-ACE2-D95306FA7E7F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe	2023-08-23_012eb94f6c3d6c61ca55822a582120e0_goldeneye_JC.exe
File created	C:\Windows\{305B542D-0B9E-45f6-99C9-59286523AED3}.exe	{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe
File created	C:\Windows\{41607AAF-51D9-4543-ACE2-D95306FA7E7F}.exe	{51C93392-B13C-4961-9851-8618458109D0}.exe
File created	C:\Windows\{3FFB31B1-0132-4689-8840-71840BA4F590}.exe	{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe
File created	C:\Windows\{B54DA47F-086B-46ed-AA12-4F67E8C87E78}.exe	{3FFB31B1-0132-4689-8840-71840BA4F590}.exe
File created	C:\Windows\{9AFF64D7-F205-499e-93F9-B37E5D616B0E}.exe	{B54DA47F-086B-46ed-AA12-4F67E8C87E78}.exe
File created	C:\Windows\{51C93392-B13C-4961-9851-8618458109D0}.exe	{9AFF64D7-F205-499e-93F9-B37E5D616B0E}.exe
File created	C:\Windows\{F592103E-DB77-4b61-95B2-0D365E621D04}.exe	{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe
File created	C:\Windows\{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe	{F592103E-DB77-4b61-95B2-0D365E621D04}.exe
File created	C:\Windows\{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe	{305B542D-0B9E-45f6-99C9-59286523AED3}.exe
File created	C:\Windows\{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe	{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1668	2023-08-23_012eb94f6c3d6c61ca55822a582120e0_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2528	{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe
Token: SeIncBasePriorityPrivilege	2664	{F592103E-DB77-4b61-95B2-0D365E621D04}.exe
Token: SeIncBasePriorityPrivilege	2620	{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe
Token: SeIncBasePriorityPrivilege	2580	{305B542D-0B9E-45f6-99C9-59286523AED3}.exe
Token: SeIncBasePriorityPrivilege	2452	{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe
Token: SeIncBasePriorityPrivilege	3012	{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe
Token: SeIncBasePriorityPrivilege	584	{3FFB31B1-0132-4689-8840-71840BA4F590}.exe
Token: SeIncBasePriorityPrivilege	436	{B54DA47F-086B-46ed-AA12-4F67E8C87E78}.exe
Token: SeIncBasePriorityPrivilege	1384	{9AFF64D7-F205-499e-93F9-B37E5D616B0E}.exe
Token: SeIncBasePriorityPrivilege	2848	{51C93392-B13C-4961-9851-8618458109D0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2528	1668	2023-08-23_012eb94f6c3d6c61ca55822a582120e0_goldeneye_JC.exe	28
PID 1668 wrote to memory of 2528	1668	2023-08-23_012eb94f6c3d6c61ca55822a582120e0_goldeneye_JC.exe	28
PID 1668 wrote to memory of 2528	1668	2023-08-23_012eb94f6c3d6c61ca55822a582120e0_goldeneye_JC.exe	28
PID 1668 wrote to memory of 2528	1668	2023-08-23_012eb94f6c3d6c61ca55822a582120e0_goldeneye_JC.exe	28
PID 1668 wrote to memory of 1576	1668	2023-08-23_012eb94f6c3d6c61ca55822a582120e0_goldeneye_JC.exe	29
PID 1668 wrote to memory of 1576	1668	2023-08-23_012eb94f6c3d6c61ca55822a582120e0_goldeneye_JC.exe	29
PID 1668 wrote to memory of 1576	1668	2023-08-23_012eb94f6c3d6c61ca55822a582120e0_goldeneye_JC.exe	29
PID 1668 wrote to memory of 1576	1668	2023-08-23_012eb94f6c3d6c61ca55822a582120e0_goldeneye_JC.exe	29
PID 2528 wrote to memory of 2664	2528	{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe	30
PID 2528 wrote to memory of 2664	2528	{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe	30
PID 2528 wrote to memory of 2664	2528	{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe	30
PID 2528 wrote to memory of 2664	2528	{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe	30
PID 2528 wrote to memory of 2692	2528	{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe	31
PID 2528 wrote to memory of 2692	2528	{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe	31
PID 2528 wrote to memory of 2692	2528	{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe	31
PID 2528 wrote to memory of 2692	2528	{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe	31
PID 2664 wrote to memory of 2620	2664	{F592103E-DB77-4b61-95B2-0D365E621D04}.exe	34
PID 2664 wrote to memory of 2620	2664	{F592103E-DB77-4b61-95B2-0D365E621D04}.exe	34
PID 2664 wrote to memory of 2620	2664	{F592103E-DB77-4b61-95B2-0D365E621D04}.exe	34
PID 2664 wrote to memory of 2620	2664	{F592103E-DB77-4b61-95B2-0D365E621D04}.exe	34
PID 2664 wrote to memory of 2632	2664	{F592103E-DB77-4b61-95B2-0D365E621D04}.exe	35
PID 2664 wrote to memory of 2632	2664	{F592103E-DB77-4b61-95B2-0D365E621D04}.exe	35
PID 2664 wrote to memory of 2632	2664	{F592103E-DB77-4b61-95B2-0D365E621D04}.exe	35
PID 2664 wrote to memory of 2632	2664	{F592103E-DB77-4b61-95B2-0D365E621D04}.exe	35
PID 2620 wrote to memory of 2580	2620	{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe	36
PID 2620 wrote to memory of 2580	2620	{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe	36
PID 2620 wrote to memory of 2580	2620	{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe	36
PID 2620 wrote to memory of 2580	2620	{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe	36
PID 2620 wrote to memory of 2496	2620	{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe	37
PID 2620 wrote to memory of 2496	2620	{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe	37
PID 2620 wrote to memory of 2496	2620	{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe	37
PID 2620 wrote to memory of 2496	2620	{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe	37
PID 2580 wrote to memory of 2452	2580	{305B542D-0B9E-45f6-99C9-59286523AED3}.exe	38
PID 2580 wrote to memory of 2452	2580	{305B542D-0B9E-45f6-99C9-59286523AED3}.exe	38
PID 2580 wrote to memory of 2452	2580	{305B542D-0B9E-45f6-99C9-59286523AED3}.exe	38
PID 2580 wrote to memory of 2452	2580	{305B542D-0B9E-45f6-99C9-59286523AED3}.exe	38
PID 2580 wrote to memory of 2492	2580	{305B542D-0B9E-45f6-99C9-59286523AED3}.exe	39
PID 2580 wrote to memory of 2492	2580	{305B542D-0B9E-45f6-99C9-59286523AED3}.exe	39
PID 2580 wrote to memory of 2492	2580	{305B542D-0B9E-45f6-99C9-59286523AED3}.exe	39
PID 2580 wrote to memory of 2492	2580	{305B542D-0B9E-45f6-99C9-59286523AED3}.exe	39
PID 2452 wrote to memory of 3012	2452	{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe	40
PID 2452 wrote to memory of 3012	2452	{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe	40
PID 2452 wrote to memory of 3012	2452	{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe	40
PID 2452 wrote to memory of 3012	2452	{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe	40
PID 2452 wrote to memory of 2368	2452	{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe	41
PID 2452 wrote to memory of 2368	2452	{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe	41
PID 2452 wrote to memory of 2368	2452	{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe	41
PID 2452 wrote to memory of 2368	2452	{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe	41
PID 3012 wrote to memory of 584	3012	{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe	42
PID 3012 wrote to memory of 584	3012	{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe	42
PID 3012 wrote to memory of 584	3012	{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe	42
PID 3012 wrote to memory of 584	3012	{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe	42
PID 3012 wrote to memory of 744	3012	{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe	43
PID 3012 wrote to memory of 744	3012	{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe	43
PID 3012 wrote to memory of 744	3012	{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe	43
PID 3012 wrote to memory of 744	3012	{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe	43
PID 584 wrote to memory of 436	584	{3FFB31B1-0132-4689-8840-71840BA4F590}.exe	44
PID 584 wrote to memory of 436	584	{3FFB31B1-0132-4689-8840-71840BA4F590}.exe	44
PID 584 wrote to memory of 436	584	{3FFB31B1-0132-4689-8840-71840BA4F590}.exe	44
PID 584 wrote to memory of 436	584	{3FFB31B1-0132-4689-8840-71840BA4F590}.exe	44
PID 584 wrote to memory of 1412	584	{3FFB31B1-0132-4689-8840-71840BA4F590}.exe	45
PID 584 wrote to memory of 1412	584	{3FFB31B1-0132-4689-8840-71840BA4F590}.exe	45
PID 584 wrote to memory of 1412	584	{3FFB31B1-0132-4689-8840-71840BA4F590}.exe	45
PID 584 wrote to memory of 1412	584	{3FFB31B1-0132-4689-8840-71840BA4F590}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-23_012eb94f6c3d6c61ca55822a582120e0_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-23_012eb94f6c3d6c61ca55822a582120e0_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe
  C:\Windows\{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\{F592103E-DB77-4b61-95B2-0D365E621D04}.exe
    C:\Windows\{F592103E-DB77-4b61-95B2-0D365E621D04}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe
      C:\Windows\{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\{305B542D-0B9E-45f6-99C9-59286523AED3}.exe
        
        C:\Windows\{305B542D-0B9E-45f6-99C9-59286523AED3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe
        
        C:\Windows\{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe
        
        C:\Windows\{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\{3FFB31B1-0132-4689-8840-71840BA4F590}.exe
        
        C:\Windows\{3FFB31B1-0132-4689-8840-71840BA4F590}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\{B54DA47F-086B-46ed-AA12-4F67E8C87E78}.exe
        
        C:\Windows\{B54DA47F-086B-46ed-AA12-4F67E8C87E78}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
        
        C:\Windows\{9AFF64D7-F205-499e-93F9-B37E5D616B0E}.exe
        
        C:\Windows\{9AFF64D7-F205-499e-93F9-B37E5D616B0E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\{51C93392-B13C-4961-9851-8618458109D0}.exe
        
        C:\Windows\{51C93392-B13C-4961-9851-8618458109D0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\{41607AAF-51D9-4543-ACE2-D95306FA7E7F}.exe
        
        C:\Windows\{41607AAF-51D9-4543-ACE2-D95306FA7E7F}.exe
        12⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51C93~1.EXE > nul
        12⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AFF6~1.EXE > nul
        11⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B54DA~1.EXE > nul
        10⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FFB3~1.EXE > nul
        9⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{479BD~1.EXE > nul
        8⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12E3A~1.EXE > nul
        7⤵
        
        PID:2368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{305B5~1.EXE > nul
        6⤵
        
        PID:2492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B472~1.EXE > nul
        5⤵
        
        PID:2496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F5921~1.EXE > nul
      4⤵
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{61959~1.EXE > nul
    3⤵
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe

Filesize
180KB

MD5
07fd026a4b7dd6c5b98598ee5e264ba9

SHA1
93f5fb22790e0a0f66d63fe702350aa6d3067843

SHA256
8ff141371f57d8d3c5b07858d6e89fadbc8c3978d25d1fa30cf05a0da3233548

SHA512
3bd129e4b79d4ce63fb732c3eab6829756873f1aa590716634e6b8a85f0011b19a11b4ebde75c700c5692c942e0ec421fc88cc3d7c88c6ef84cc99fa2430b754

Download Submit
C:\Windows\{12E3A5AE-CBE9-43f7-A6FF-EB1F2C1757B4}.exe

Filesize
180KB

MD5
07fd026a4b7dd6c5b98598ee5e264ba9

SHA1
93f5fb22790e0a0f66d63fe702350aa6d3067843

SHA256
8ff141371f57d8d3c5b07858d6e89fadbc8c3978d25d1fa30cf05a0da3233548

SHA512
3bd129e4b79d4ce63fb732c3eab6829756873f1aa590716634e6b8a85f0011b19a11b4ebde75c700c5692c942e0ec421fc88cc3d7c88c6ef84cc99fa2430b754

Download Submit
C:\Windows\{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe

Filesize
180KB

MD5
26a3b406e29b44bf8fbb578e61eb4f1c

SHA1
ce41cfc0ceabcd226e10f7d08d1bf9af67e1bd1c

SHA256
90c19fcbecfa1e1f0f575d5c44ee386166f0cef38261d655882f80e8f7070f70

SHA512
8d8becbfbead869eb6e26f57daf0e056afafddbf475abaafa92cb534612aa1d4dbb6a71902bbcd8136bd3e5f4569165fee905433e03f9910c43ee0b11b1d710a

Download Submit
C:\Windows\{2B472DA9-A53A-4d48-81A8-F31B68B76207}.exe

Filesize
180KB

MD5
26a3b406e29b44bf8fbb578e61eb4f1c

SHA1
ce41cfc0ceabcd226e10f7d08d1bf9af67e1bd1c

SHA256
90c19fcbecfa1e1f0f575d5c44ee386166f0cef38261d655882f80e8f7070f70

SHA512
8d8becbfbead869eb6e26f57daf0e056afafddbf475abaafa92cb534612aa1d4dbb6a71902bbcd8136bd3e5f4569165fee905433e03f9910c43ee0b11b1d710a

Download Submit
C:\Windows\{305B542D-0B9E-45f6-99C9-59286523AED3}.exe

Filesize
180KB

MD5
df0369b0ba5165479e3a774774c5acd7

SHA1
a93cb6da88509a0f31d49e05c2cb8aa88d020e51

SHA256
8034ae2f912b8762d61d3824d57700370862611302003c3cddc7511da279ab00

SHA512
4fd21009d81f3829ea461ac76213e73289e240ee4abe5e214265b9149cd20495a0ce4e3888d2e7a6729919df403de322721542f616e8c9fc1f6ade5a4d729154

Download Submit
C:\Windows\{305B542D-0B9E-45f6-99C9-59286523AED3}.exe

Filesize
180KB

MD5
df0369b0ba5165479e3a774774c5acd7

SHA1
a93cb6da88509a0f31d49e05c2cb8aa88d020e51

SHA256
8034ae2f912b8762d61d3824d57700370862611302003c3cddc7511da279ab00

SHA512
4fd21009d81f3829ea461ac76213e73289e240ee4abe5e214265b9149cd20495a0ce4e3888d2e7a6729919df403de322721542f616e8c9fc1f6ade5a4d729154

Download Submit
C:\Windows\{3FFB31B1-0132-4689-8840-71840BA4F590}.exe

Filesize
180KB

MD5
7fa0e982220941df29dab5513cc6f225

SHA1
2335f37c67661f034e3ff49f49dc3ddc5a96aae0

SHA256
5d289a7c2d4c94977bed0f488903eb4900f168273ba7e6bae701c765537d2568

SHA512
da16d594d43eaa95f3195aaac90744bf36c24143fba7d91abf0ac8a1f8c2044185848b75d6d6fc2b7acebc03fa7b288087c59164ac62c4bf104346e15a525939

Download Submit
C:\Windows\{3FFB31B1-0132-4689-8840-71840BA4F590}.exe

Filesize
180KB

MD5
7fa0e982220941df29dab5513cc6f225

SHA1
2335f37c67661f034e3ff49f49dc3ddc5a96aae0

SHA256
5d289a7c2d4c94977bed0f488903eb4900f168273ba7e6bae701c765537d2568

SHA512
da16d594d43eaa95f3195aaac90744bf36c24143fba7d91abf0ac8a1f8c2044185848b75d6d6fc2b7acebc03fa7b288087c59164ac62c4bf104346e15a525939

Download Submit
C:\Windows\{41607AAF-51D9-4543-ACE2-D95306FA7E7F}.exe

Filesize
180KB

MD5
fdba04324689d03481defcc015e7f9d5

SHA1
57cd8cbfedc2226c95c877b0abe4b72becf01a14

SHA256
c3925bab474d75f10e581651ea22177fc1991e19a7645b5e45749310fbf3c445

SHA512
890c59005019623a3a7ca88faa462c9b7f0194bb1fc7661254d1f4638af52abab9456fedd1ac6c891025a59b0a4fc2e02ce6b0177891a2eb3bc848588c8eba29

Download Submit
C:\Windows\{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe

Filesize
180KB

MD5
c319877cd9b92046a5fde6b7fecf1068

SHA1
c2ef8d0e96803072aa24b82ce5bd5e430b1c3be6

SHA256
f1a1fa6c051ba2ecd0e0aae77e32979f67e467e6a382943d072debd7f1fa3750

SHA512
f725f7e166ea5029a85068843f280eee8e0362ba37c089f7bef6fd363f0bfbda4e72cad4e1759af34c0ad244d4b00d8e72d81985dcba3f5b07710c178e89ccd6

Download Submit
C:\Windows\{479BD780-C36D-4266-A7C6-FBA84C0913C9}.exe

Filesize
180KB

MD5
c319877cd9b92046a5fde6b7fecf1068

SHA1
c2ef8d0e96803072aa24b82ce5bd5e430b1c3be6

SHA256
f1a1fa6c051ba2ecd0e0aae77e32979f67e467e6a382943d072debd7f1fa3750

SHA512
f725f7e166ea5029a85068843f280eee8e0362ba37c089f7bef6fd363f0bfbda4e72cad4e1759af34c0ad244d4b00d8e72d81985dcba3f5b07710c178e89ccd6

Download Submit
C:\Windows\{51C93392-B13C-4961-9851-8618458109D0}.exe

Filesize
180KB

MD5
1a6900eae372c9bfb9e471f34c79bdd8

SHA1
da09fbebf2e051841f9d9b63ea1ca938d733a82b

SHA256
b03bae89d921e65d06d197b0813fcae61d800a64ce27cb35983eab5cdbc72ee0

SHA512
7b29584264f33e54b80f82d78228b4d2e26ef827794cb6e5b43231f21db27ab451306efd197f28aa9aafc796aec70e2660e576a83da37ca53a7fb39f7d425126

Download Submit
C:\Windows\{51C93392-B13C-4961-9851-8618458109D0}.exe

Filesize
180KB

MD5
1a6900eae372c9bfb9e471f34c79bdd8

SHA1
da09fbebf2e051841f9d9b63ea1ca938d733a82b

SHA256
b03bae89d921e65d06d197b0813fcae61d800a64ce27cb35983eab5cdbc72ee0

SHA512
7b29584264f33e54b80f82d78228b4d2e26ef827794cb6e5b43231f21db27ab451306efd197f28aa9aafc796aec70e2660e576a83da37ca53a7fb39f7d425126

Download Submit
C:\Windows\{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe

Filesize
180KB

MD5
ae8175cfc6a1624c500d30ccda60c6ec

SHA1
2c63b0df27e830c3c89f2220979cd63a9389f884

SHA256
c45fd11f80467219e2e7b75e25931e54ca73148c7a7241be7f189f359b2f0d05

SHA512
c7a67876cbf904affc6e623ebc9403723d7e2847fe6d7322c74f4c4072148ae62241168bca6fd79474911d84b9ebdabb916a18791cbf3e5ae012cba6941602fa

Download Submit
C:\Windows\{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe

Filesize
180KB

MD5
ae8175cfc6a1624c500d30ccda60c6ec

SHA1
2c63b0df27e830c3c89f2220979cd63a9389f884

SHA256
c45fd11f80467219e2e7b75e25931e54ca73148c7a7241be7f189f359b2f0d05

SHA512
c7a67876cbf904affc6e623ebc9403723d7e2847fe6d7322c74f4c4072148ae62241168bca6fd79474911d84b9ebdabb916a18791cbf3e5ae012cba6941602fa

Download Submit
C:\Windows\{61959947-B591-490d-BFAC-4CECA1AB9C1D}.exe

Filesize
180KB

MD5
ae8175cfc6a1624c500d30ccda60c6ec

SHA1
2c63b0df27e830c3c89f2220979cd63a9389f884

SHA256
c45fd11f80467219e2e7b75e25931e54ca73148c7a7241be7f189f359b2f0d05

SHA512
c7a67876cbf904affc6e623ebc9403723d7e2847fe6d7322c74f4c4072148ae62241168bca6fd79474911d84b9ebdabb916a18791cbf3e5ae012cba6941602fa

Download Submit
C:\Windows\{9AFF64D7-F205-499e-93F9-B37E5D616B0E}.exe

Filesize
180KB

MD5
4d028d50bd9efb4b62d58f0fd3e4b87f

SHA1
e55f65795da991b3b4ae9c402c5e7b7b057f0a9d

SHA256
6e21b6d574b9942289d310cb6b7643e61dd6c335fac66e4f144e4086238771c7

SHA512
3bb3e9542448a1b7b6eeaa4b0a3dd8dd5f0043e7a58563e7dba5ef07cabc396b1b9da171239196798377a00bee07274c8254020d8a00725efc49ec0eec3e2109

Download Submit
C:\Windows\{9AFF64D7-F205-499e-93F9-B37E5D616B0E}.exe

Filesize
180KB

MD5
4d028d50bd9efb4b62d58f0fd3e4b87f

SHA1
e55f65795da991b3b4ae9c402c5e7b7b057f0a9d

SHA256
6e21b6d574b9942289d310cb6b7643e61dd6c335fac66e4f144e4086238771c7

SHA512
3bb3e9542448a1b7b6eeaa4b0a3dd8dd5f0043e7a58563e7dba5ef07cabc396b1b9da171239196798377a00bee07274c8254020d8a00725efc49ec0eec3e2109

Download Submit
C:\Windows\{B54DA47F-086B-46ed-AA12-4F67E8C87E78}.exe

Filesize
180KB

MD5
5d6d6cc6534ffc0db03343e7cca7bbd2

SHA1
c36090f8ce5061e244c2db09add089f297d7a5f2

SHA256
1dacacd9ec33ec0de2bd76d262ed3edcd701396eb542ff76a9ac3ff5215c7eb6

SHA512
3bd3f16525d4e7425d1c13a8802b2f07967a19e4848de6d5f1196e6a66af21599f91078034b5ac27059c128123df885e343fce0c5b27861f451075436d363727

Download Submit
C:\Windows\{B54DA47F-086B-46ed-AA12-4F67E8C87E78}.exe

Filesize
180KB

MD5
5d6d6cc6534ffc0db03343e7cca7bbd2

SHA1
c36090f8ce5061e244c2db09add089f297d7a5f2

SHA256
1dacacd9ec33ec0de2bd76d262ed3edcd701396eb542ff76a9ac3ff5215c7eb6

SHA512
3bd3f16525d4e7425d1c13a8802b2f07967a19e4848de6d5f1196e6a66af21599f91078034b5ac27059c128123df885e343fce0c5b27861f451075436d363727

Download Submit
C:\Windows\{F592103E-DB77-4b61-95B2-0D365E621D04}.exe

Filesize
180KB

MD5
3f20bd6bfff4be33cafd6792c227e1f9

SHA1
98fbf0c92202b4200ca7ae0e92e89c536475b41a

SHA256
437a7b61d8fe775920fad2a647e4611c248d391dffd9c985a0bc3165d2ba5f2b

SHA512
61dae35c350ccc23408f8e585f30f46e2292ccc67fbad6c8e5223d456ef1bbb0ce00fb003f8e69402902a4cbbb970e73733acc39f3fbb91d8a9c8bafa63ea36c

Download Submit
C:\Windows\{F592103E-DB77-4b61-95B2-0D365E621D04}.exe

Filesize
180KB

MD5
3f20bd6bfff4be33cafd6792c227e1f9

SHA1
98fbf0c92202b4200ca7ae0e92e89c536475b41a

SHA256
437a7b61d8fe775920fad2a647e4611c248d391dffd9c985a0bc3165d2ba5f2b

SHA512
61dae35c350ccc23408f8e585f30f46e2292ccc67fbad6c8e5223d456ef1bbb0ce00fb003f8e69402902a4cbbb970e73733acc39f3fbb91d8a9c8bafa63ea36c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads