1cbf044971148f547f247db4c2bf486e6f942bc9ee03b51a3aa57c959fac97ac

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2023, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe
Size

372KB
MD5

236abde9e5123a6174cbd3f89797d44e
SHA1

45aa644f08b6af6b0c7120aa6948a503fa67e361
SHA256

1cbf044971148f547f247db4c2bf486e6f942bc9ee03b51a3aa57c959fac97ac
SHA512

31ca9b2a03b4de72e24c0f2089ab9f819ac236d50ed448adcc5508f27f1e0bf99026aebc3218909ff4c84956fe328784d42f3fafca9803ac92673adc58954dae
SSDEEP

3072:CEGh0oFmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGCl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40B2134E-ED2D-4e3c-B231-3FC5578B3605}	{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40B2134E-ED2D-4e3c-B231-3FC5578B3605}\stubpath = "C:\\Windows\\{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe"	{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59D1BF72-7438-43ce-8B2B-BED7E82B4860}	{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2449BE9A-64F5-4c26-A586-35CD55858C53}	{3FF05078-044E-4d06-BF93-A3140B55F3B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03FC03BC-599A-4d38-BE06-E1B761E07AAC}	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}	{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C15AD876-55F4-4768-B7E9-ED39841760C6}\stubpath = "C:\\Windows\\{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe"	{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}	{8537BF81-A558-465a-A9A8-876AC32977BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2449BE9A-64F5-4c26-A586-35CD55858C53}\stubpath = "C:\\Windows\\{2449BE9A-64F5-4c26-A586-35CD55858C53}.exe"	{3FF05078-044E-4d06-BF93-A3140B55F3B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03FC03BC-599A-4d38-BE06-E1B761E07AAC}\stubpath = "C:\\Windows\\{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe"	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8537BF81-A558-465a-A9A8-876AC32977BE}	{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37A53732-69F4-4ab6-AE4C-09C053771BC1}	{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}	{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}\stubpath = "C:\\Windows\\{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}.exe"	{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FF05078-044E-4d06-BF93-A3140B55F3B6}	{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}\stubpath = "C:\\Windows\\{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe"	{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C15AD876-55F4-4768-B7E9-ED39841760C6}	{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8537BF81-A558-465a-A9A8-876AC32977BE}\stubpath = "C:\\Windows\\{8537BF81-A558-465a-A9A8-876AC32977BE}.exe"	{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59D1BF72-7438-43ce-8B2B-BED7E82B4860}\stubpath = "C:\\Windows\\{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe"	{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FF05078-044E-4d06-BF93-A3140B55F3B6}\stubpath = "C:\\Windows\\{3FF05078-044E-4d06-BF93-A3140B55F3B6}.exe"	{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}\stubpath = "C:\\Windows\\{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe"	{8537BF81-A558-465a-A9A8-876AC32977BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37A53732-69F4-4ab6-AE4C-09C053771BC1}\stubpath = "C:\\Windows\\{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe"	{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}\stubpath = "C:\\Windows\\{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe"	{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}	{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe

Executes dropped EXE 12 IoCs

pid	Process
512	{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe
3104	{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe
4108	{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe
1512	{8537BF81-A558-465a-A9A8-876AC32977BE}.exe
1064	{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe
4812	{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe
2200	{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe
1112	{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe
4512	{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe
4900	{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}.exe
2996	{3FF05078-044E-4d06-BF93-A3140B55F3B6}.exe
4104	{2449BE9A-64F5-4c26-A586-35CD55858C53}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe	{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe
File created	C:\Windows\{8537BF81-A558-465a-A9A8-876AC32977BE}.exe	{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe
File created	C:\Windows\{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe	{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe
File created	C:\Windows\{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe	{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe
File created	C:\Windows\{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe	{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe
File created	C:\Windows\{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe	{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe
File created	C:\Windows\{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}.exe	{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe
File created	C:\Windows\{2449BE9A-64F5-4c26-A586-35CD55858C53}.exe	{3FF05078-044E-4d06-BF93-A3140B55F3B6}.exe
File created	C:\Windows\{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe
File created	C:\Windows\{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe	{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe
File created	C:\Windows\{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe	{8537BF81-A558-465a-A9A8-876AC32977BE}.exe
File created	C:\Windows\{3FF05078-044E-4d06-BF93-A3140B55F3B6}.exe	{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4068	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	512	{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe
Token: SeIncBasePriorityPrivilege	3104	{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe
Token: SeIncBasePriorityPrivilege	4108	{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe
Token: SeIncBasePriorityPrivilege	1512	{8537BF81-A558-465a-A9A8-876AC32977BE}.exe
Token: SeIncBasePriorityPrivilege	1064	{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe
Token: SeIncBasePriorityPrivilege	4812	{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe
Token: SeIncBasePriorityPrivilege	2200	{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe
Token: SeIncBasePriorityPrivilege	1112	{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe
Token: SeIncBasePriorityPrivilege	4512	{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe
Token: SeIncBasePriorityPrivilege	4900	{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}.exe
Token: SeIncBasePriorityPrivilege	2996	{3FF05078-044E-4d06-BF93-A3140B55F3B6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 512	4068	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe	89
PID 4068 wrote to memory of 512	4068	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe	89
PID 4068 wrote to memory of 512	4068	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe	89
PID 4068 wrote to memory of 2744	4068	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe	90
PID 4068 wrote to memory of 2744	4068	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe	90
PID 4068 wrote to memory of 2744	4068	2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe	90
PID 512 wrote to memory of 3104	512	{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe	91
PID 512 wrote to memory of 3104	512	{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe	91
PID 512 wrote to memory of 3104	512	{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe	91
PID 512 wrote to memory of 760	512	{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe	92
PID 512 wrote to memory of 760	512	{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe	92
PID 512 wrote to memory of 760	512	{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe	92
PID 3104 wrote to memory of 4108	3104	{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe	96
PID 3104 wrote to memory of 4108	3104	{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe	96
PID 3104 wrote to memory of 4108	3104	{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe	96
PID 3104 wrote to memory of 1688	3104	{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe	97
PID 3104 wrote to memory of 1688	3104	{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe	97
PID 3104 wrote to memory of 1688	3104	{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe	97
PID 4108 wrote to memory of 1512	4108	{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe	98
PID 4108 wrote to memory of 1512	4108	{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe	98
PID 4108 wrote to memory of 1512	4108	{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe	98
PID 4108 wrote to memory of 1452	4108	{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe	99
PID 4108 wrote to memory of 1452	4108	{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe	99
PID 4108 wrote to memory of 1452	4108	{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe	99
PID 1512 wrote to memory of 1064	1512	{8537BF81-A558-465a-A9A8-876AC32977BE}.exe	100
PID 1512 wrote to memory of 1064	1512	{8537BF81-A558-465a-A9A8-876AC32977BE}.exe	100
PID 1512 wrote to memory of 1064	1512	{8537BF81-A558-465a-A9A8-876AC32977BE}.exe	100
PID 1512 wrote to memory of 4756	1512	{8537BF81-A558-465a-A9A8-876AC32977BE}.exe	101
PID 1512 wrote to memory of 4756	1512	{8537BF81-A558-465a-A9A8-876AC32977BE}.exe	101
PID 1512 wrote to memory of 4756	1512	{8537BF81-A558-465a-A9A8-876AC32977BE}.exe	101
PID 1064 wrote to memory of 4812	1064	{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe	102
PID 1064 wrote to memory of 4812	1064	{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe	102
PID 1064 wrote to memory of 4812	1064	{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe	102
PID 1064 wrote to memory of 1992	1064	{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe	103
PID 1064 wrote to memory of 1992	1064	{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe	103
PID 1064 wrote to memory of 1992	1064	{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe	103
PID 4812 wrote to memory of 2200	4812	{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe	104
PID 4812 wrote to memory of 2200	4812	{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe	104
PID 4812 wrote to memory of 2200	4812	{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe	104
PID 4812 wrote to memory of 4252	4812	{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe	105
PID 4812 wrote to memory of 4252	4812	{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe	105
PID 4812 wrote to memory of 4252	4812	{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe	105
PID 2200 wrote to memory of 1112	2200	{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe	106
PID 2200 wrote to memory of 1112	2200	{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe	106
PID 2200 wrote to memory of 1112	2200	{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe	106
PID 2200 wrote to memory of 2524	2200	{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe	107
PID 2200 wrote to memory of 2524	2200	{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe	107
PID 2200 wrote to memory of 2524	2200	{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe	107
PID 1112 wrote to memory of 4512	1112	{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe	108
PID 1112 wrote to memory of 4512	1112	{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe	108
PID 1112 wrote to memory of 4512	1112	{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe	108
PID 1112 wrote to memory of 2900	1112	{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe	109
PID 1112 wrote to memory of 2900	1112	{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe	109
PID 1112 wrote to memory of 2900	1112	{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe	109
PID 4512 wrote to memory of 4900	4512	{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe	110
PID 4512 wrote to memory of 4900	4512	{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe	110
PID 4512 wrote to memory of 4900	4512	{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe	110
PID 4512 wrote to memory of 3876	4512	{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe	111
PID 4512 wrote to memory of 3876	4512	{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe	111
PID 4512 wrote to memory of 3876	4512	{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe	111
PID 4900 wrote to memory of 2996	4900	{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}.exe	112
PID 4900 wrote to memory of 2996	4900	{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}.exe	112
PID 4900 wrote to memory of 2996	4900	{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}.exe	112
PID 4900 wrote to memory of 3764	4900	{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}.exe	113

C:\Users\Admin\AppData\Local\Temp\2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-23_236abde9e5123a6174cbd3f89797d44e_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe
  C:\Windows\{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Windows\{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe
    C:\Windows\{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Windows\{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe
      C:\Windows\{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4108
    - - C:\Windows\{8537BF81-A558-465a-A9A8-876AC32977BE}.exe
        
        C:\Windows\{8537BF81-A558-465a-A9A8-876AC32977BE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
      - C:\Windows\{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe
        
        C:\Windows\{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe
        
        C:\Windows\{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe
        
        C:\Windows\{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe
        
        C:\Windows\{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe
        
        C:\Windows\{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}.exe
        
        C:\Windows\{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{3FF05078-044E-4d06-BF93-A3140B55F3B6}.exe
        
        C:\Windows\{3FF05078-044E-4d06-BF93-A3140B55F3B6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\{2449BE9A-64F5-4c26-A586-35CD55858C53}.exe
        
        C:\Windows\{2449BE9A-64F5-4c26-A586-35CD55858C53}.exe
        13⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FF05~1.EXE > nul
        13⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D24AA~1.EXE > nul
        12⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59D1B~1.EXE > nul
        11⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4FF3~1.EXE > nul
        10⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37A53~1.EXE > nul
        9⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40B21~1.EXE > nul
        8⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C919D~1.EXE > nul
        7⤵
        
        PID:1992
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8537B~1.EXE > nul
        6⤵
        
        PID:4756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C15AD~1.EXE > nul
        5⤵
        
        PID:1452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FB008~1.EXE > nul
      4⤵
      PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{03FC0~1.EXE > nul
    3⤵
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe

Filesize
372KB

MD5
965e9cb5dd2a87cc23423592b97ef894

SHA1
2e5381879fc936ad6470b575c32c4cbb5ffaa53d

SHA256
02428c33aa18f7c848142cf3c0ba5a16d60560f164b8f3d5f6186a25dfa960d3

SHA512
dccf595fd1ca1176ddc2614cbdd3b4ff1f328c12b11e044cc78dd202d3ee319360d8f8e155c5ee4afe5236529f1693ecbbe61568065f7fbfaae5086388f5d9f2

Download Submit
C:\Windows\{03FC03BC-599A-4d38-BE06-E1B761E07AAC}.exe

Filesize
372KB

MD5
965e9cb5dd2a87cc23423592b97ef894

SHA1
2e5381879fc936ad6470b575c32c4cbb5ffaa53d

SHA256
02428c33aa18f7c848142cf3c0ba5a16d60560f164b8f3d5f6186a25dfa960d3

SHA512
dccf595fd1ca1176ddc2614cbdd3b4ff1f328c12b11e044cc78dd202d3ee319360d8f8e155c5ee4afe5236529f1693ecbbe61568065f7fbfaae5086388f5d9f2

Download Submit
C:\Windows\{2449BE9A-64F5-4c26-A586-35CD55858C53}.exe

Filesize
372KB

MD5
49572c5bae19c8b5263df526627d8947

SHA1
31f0c3966707d726d57f4c7f68f8d2f0fe78dee8

SHA256
3fdf7d26e25884e6f2742819258817977d2d06fb65c2ff9539adc0010b9eb31a

SHA512
c8fbb2dfcead132901aa4a93585c9202fafc8bb46522c70edfc6fb3bfaac5e646c77be21816484a48edaec53c49325d65b57f6131146be81e65ff19bd6e5490b

Download Submit
C:\Windows\{2449BE9A-64F5-4c26-A586-35CD55858C53}.exe

Filesize
372KB

MD5
49572c5bae19c8b5263df526627d8947

SHA1
31f0c3966707d726d57f4c7f68f8d2f0fe78dee8

SHA256
3fdf7d26e25884e6f2742819258817977d2d06fb65c2ff9539adc0010b9eb31a

SHA512
c8fbb2dfcead132901aa4a93585c9202fafc8bb46522c70edfc6fb3bfaac5e646c77be21816484a48edaec53c49325d65b57f6131146be81e65ff19bd6e5490b

Download Submit
C:\Windows\{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe

Filesize
372KB

MD5
65e1144719f2dbeefe96f1d5dc15b4e4

SHA1
76e3d99f4aae2986c4f409f459b2b65709d402bf

SHA256
af283d0134a5c4e3404901092b1d99e5845b8d3a8ad87a0ccc8d9e43defe959e

SHA512
91e5ab64ae3bd3816e0699f872a42642fea688b8e8f46fcf53bdbeacb13fb783090a491293564c99d28d5b4952ac8cd4916f662ad4bbc4d39bf39a9a504cc573

Download Submit
C:\Windows\{37A53732-69F4-4ab6-AE4C-09C053771BC1}.exe

Filesize
372KB

MD5
65e1144719f2dbeefe96f1d5dc15b4e4

SHA1
76e3d99f4aae2986c4f409f459b2b65709d402bf

SHA256
af283d0134a5c4e3404901092b1d99e5845b8d3a8ad87a0ccc8d9e43defe959e

SHA512
91e5ab64ae3bd3816e0699f872a42642fea688b8e8f46fcf53bdbeacb13fb783090a491293564c99d28d5b4952ac8cd4916f662ad4bbc4d39bf39a9a504cc573

Download Submit
C:\Windows\{3FF05078-044E-4d06-BF93-A3140B55F3B6}.exe

Filesize
372KB

MD5
3f785ec50ed04bb63304524dd332dfa4

SHA1
559d40053fa05ae6c88762d03e5536ace2c73756

SHA256
5fdf5024a11d6d3aff69853dacbfa741870bcd7fe1b7e01dde5da319a8b805e1

SHA512
cdcebcaf994eccb44c1999f238d8fabbea60cd6f02b7e9bd3185fa413866a29051c710f35b18f99cb205e598b954c2adaf92f8b303e4d2bf8e4b200cda1d9dad

Download Submit
C:\Windows\{3FF05078-044E-4d06-BF93-A3140B55F3B6}.exe

Filesize
372KB

MD5
3f785ec50ed04bb63304524dd332dfa4

SHA1
559d40053fa05ae6c88762d03e5536ace2c73756

SHA256
5fdf5024a11d6d3aff69853dacbfa741870bcd7fe1b7e01dde5da319a8b805e1

SHA512
cdcebcaf994eccb44c1999f238d8fabbea60cd6f02b7e9bd3185fa413866a29051c710f35b18f99cb205e598b954c2adaf92f8b303e4d2bf8e4b200cda1d9dad

Download Submit
C:\Windows\{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe

Filesize
372KB

MD5
8d20e6b81fdf6b7c9d488f455e71da19

SHA1
b0db7727d5815bf01f49021176003d94ad48bf6d

SHA256
d6e0955deca59440cbde5fe028eb1c3e781c2619e3d412e043877d8d7640516b

SHA512
0db5221ccfe57ff176a2f7caa830396d138eb707c214da6449dfcec51ca8d2cd8537bd2be9283bd8f288408d94e5fe3c8866f3398d5473a7d25f930b13405494

Download Submit
C:\Windows\{40B2134E-ED2D-4e3c-B231-3FC5578B3605}.exe

Filesize
372KB

MD5
8d20e6b81fdf6b7c9d488f455e71da19

SHA1
b0db7727d5815bf01f49021176003d94ad48bf6d

SHA256
d6e0955deca59440cbde5fe028eb1c3e781c2619e3d412e043877d8d7640516b

SHA512
0db5221ccfe57ff176a2f7caa830396d138eb707c214da6449dfcec51ca8d2cd8537bd2be9283bd8f288408d94e5fe3c8866f3398d5473a7d25f930b13405494

Download Submit
C:\Windows\{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe

Filesize
372KB

MD5
446c403ffa782fc808beb49bcb122c9f

SHA1
b0f3a078a9140248a510f4447fea092f15725fba

SHA256
c45fc0ec090ecfed25b7d1f2178440cc5bad1292a3ad00c495b07b2aa2aa3ec6

SHA512
c2dd8464ecb08aa7a4cfc647ccd36c5ed5a160c0398e72ccbe79a29a1e6efbb5f1304923116f23c8f16a217f19b7303e6bc0b71e1092a8f020ed7366248e9446

Download Submit
C:\Windows\{59D1BF72-7438-43ce-8B2B-BED7E82B4860}.exe

Filesize
372KB

MD5
446c403ffa782fc808beb49bcb122c9f

SHA1
b0f3a078a9140248a510f4447fea092f15725fba

SHA256
c45fc0ec090ecfed25b7d1f2178440cc5bad1292a3ad00c495b07b2aa2aa3ec6

SHA512
c2dd8464ecb08aa7a4cfc647ccd36c5ed5a160c0398e72ccbe79a29a1e6efbb5f1304923116f23c8f16a217f19b7303e6bc0b71e1092a8f020ed7366248e9446

Download Submit
C:\Windows\{8537BF81-A558-465a-A9A8-876AC32977BE}.exe

Filesize
372KB

MD5
b2b8e5aa60cedcb5951125d098e2b8f8

SHA1
f05ca98a79c6b73ac0ae5710d960bb32c9af6e24

SHA256
202b6c07ee9696d268ba25637f935d57fa3caf29d67193ae81202068b6bfefd6

SHA512
12c15f781cf61e32131a72f7d03e97134d86061ae172bf64245d0411c385b5f905624e58a7a2ca619ef089fd46f099279d4ddd7aaa1f913492e55207e8c1c346

Download Submit
C:\Windows\{8537BF81-A558-465a-A9A8-876AC32977BE}.exe

Filesize
372KB

MD5
b2b8e5aa60cedcb5951125d098e2b8f8

SHA1
f05ca98a79c6b73ac0ae5710d960bb32c9af6e24

SHA256
202b6c07ee9696d268ba25637f935d57fa3caf29d67193ae81202068b6bfefd6

SHA512
12c15f781cf61e32131a72f7d03e97134d86061ae172bf64245d0411c385b5f905624e58a7a2ca619ef089fd46f099279d4ddd7aaa1f913492e55207e8c1c346

Download Submit
C:\Windows\{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe

Filesize
372KB

MD5
f696589ecbc93745725f8d9c56717706

SHA1
aecf47407f55c4ba1f35bda61e679302d625497d

SHA256
09300b470c14ceeb8fb76d9dc4d6c42a8f21f9a52d15df2285dc09f323727d83

SHA512
444e39d5a1d3bfd53e7ebb0e5f43e065cf93ebaffeb6c224e9eba0f4f93751ba3cb121b8b1ff85fe7addf949f9de9648dd7fb563fb302512768df1dfb15242a4

Download Submit
C:\Windows\{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe

Filesize
372KB

MD5
f696589ecbc93745725f8d9c56717706

SHA1
aecf47407f55c4ba1f35bda61e679302d625497d

SHA256
09300b470c14ceeb8fb76d9dc4d6c42a8f21f9a52d15df2285dc09f323727d83

SHA512
444e39d5a1d3bfd53e7ebb0e5f43e065cf93ebaffeb6c224e9eba0f4f93751ba3cb121b8b1ff85fe7addf949f9de9648dd7fb563fb302512768df1dfb15242a4

Download Submit
C:\Windows\{C15AD876-55F4-4768-B7E9-ED39841760C6}.exe

Filesize
372KB

MD5
f696589ecbc93745725f8d9c56717706

SHA1
aecf47407f55c4ba1f35bda61e679302d625497d

SHA256
09300b470c14ceeb8fb76d9dc4d6c42a8f21f9a52d15df2285dc09f323727d83

SHA512
444e39d5a1d3bfd53e7ebb0e5f43e065cf93ebaffeb6c224e9eba0f4f93751ba3cb121b8b1ff85fe7addf949f9de9648dd7fb563fb302512768df1dfb15242a4

Download Submit
C:\Windows\{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe

Filesize
372KB

MD5
c4c3cf3b01ae2eb113053e9724f4df4c

SHA1
83b81b07a8296c2e983ad75913c803008e7b23b7

SHA256
1dc4eba4151598e4f79e39dfb01f9fa4e00d84b7c9549f7fea264bf7ce74f575

SHA512
f425a264c316645284343a9f629ec6469b9b17857f407b5669c893bc06bdfce076cc3ea257951913924b18edbf2526a82de3b45c71701e0df6c3ab99ae8c9bb5

Download Submit
C:\Windows\{C919D576-CCCA-4f18-99F1-F8F26DBBEAD1}.exe

Filesize
372KB

MD5
c4c3cf3b01ae2eb113053e9724f4df4c

SHA1
83b81b07a8296c2e983ad75913c803008e7b23b7

SHA256
1dc4eba4151598e4f79e39dfb01f9fa4e00d84b7c9549f7fea264bf7ce74f575

SHA512
f425a264c316645284343a9f629ec6469b9b17857f407b5669c893bc06bdfce076cc3ea257951913924b18edbf2526a82de3b45c71701e0df6c3ab99ae8c9bb5

Download Submit
C:\Windows\{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}.exe

Filesize
372KB

MD5
c67876fbaf40996de521888c0ccf61bb

SHA1
127e0158d6cd8e7b520ba081f74067ce7f231157

SHA256
823909ab360930db29a2f0c4a57884574650e41d0d979ff8a1c665d09451369d

SHA512
cf24e2b3bb3057b7c3c96eea9dde5b7412d6089297bc13ffe14e479649f4d6a7e1b5a9284cf088461a7e779d204b65b8fa4ebecf3775fb8d548a122f835c558b

Download Submit
C:\Windows\{D24AA970-562A-48e2-9E6C-BE4AEE7D20A2}.exe

Filesize
372KB

MD5
c67876fbaf40996de521888c0ccf61bb

SHA1
127e0158d6cd8e7b520ba081f74067ce7f231157

SHA256
823909ab360930db29a2f0c4a57884574650e41d0d979ff8a1c665d09451369d

SHA512
cf24e2b3bb3057b7c3c96eea9dde5b7412d6089297bc13ffe14e479649f4d6a7e1b5a9284cf088461a7e779d204b65b8fa4ebecf3775fb8d548a122f835c558b

Download Submit
C:\Windows\{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe

Filesize
372KB

MD5
e8e5584384df5b1fffe287a297a59ff9

SHA1
312e26fe669c36c15946f3265fe9f5e0e3d968de

SHA256
b97ccdb10ca67015fba91952e61401cdfbdcd56a27cc509cb5a8b6e3af43831d

SHA512
09d5a2b75a224dba243249f275631c58300d5230f7397cd732a36899f60480569f1668efe2618320bbee1c259f8a6fb8f9cd26634b5c6e7f5ca23781b8ab1497

Download Submit
C:\Windows\{F4FF31B5-0047-4ed9-ACB1-F6B2AFA1340B}.exe

Filesize
372KB

MD5
e8e5584384df5b1fffe287a297a59ff9

SHA1
312e26fe669c36c15946f3265fe9f5e0e3d968de

SHA256
b97ccdb10ca67015fba91952e61401cdfbdcd56a27cc509cb5a8b6e3af43831d

SHA512
09d5a2b75a224dba243249f275631c58300d5230f7397cd732a36899f60480569f1668efe2618320bbee1c259f8a6fb8f9cd26634b5c6e7f5ca23781b8ab1497

Download Submit
C:\Windows\{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe

Filesize
372KB

MD5
9eac1046bc2d0c3c30894dfd4f3bfc63

SHA1
2994899b43979e087ce9ab3a48c7e0fb36a0ca25

SHA256
d6c4c835ab20e8aebfc2e65491752973e70b3e53b16022a5a961058350bf53b5

SHA512
bc4e549290129a8b116369ed716d06712e629c009c8df28187f4cd8e34cb93c25e5b29594526c58992d0fc53fa470a8d877d9a391fdeffc47dcf365dd4925d0f

Download Submit
C:\Windows\{FB0085FB-1E0D-4f44-8D82-C4D9E0AE1CA3}.exe

Filesize
372KB

MD5
9eac1046bc2d0c3c30894dfd4f3bfc63

SHA1
2994899b43979e087ce9ab3a48c7e0fb36a0ca25

SHA256
d6c4c835ab20e8aebfc2e65491752973e70b3e53b16022a5a961058350bf53b5

SHA512
bc4e549290129a8b116369ed716d06712e629c009c8df28187f4cd8e34cb93c25e5b29594526c58992d0fc53fa470a8d877d9a391fdeffc47dcf365dd4925d0f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads