e085e458dea3be0f1031fcdb3c4bc2d2d074187c349bb89b61b5cff25a2db38e

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/09/2023, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe
Size

408KB
MD5

26ca6942dd85f99b76c9300d49188935
SHA1

aa07ee978002ab86e1ecdb29f2cb25ed22828954
SHA256

e085e458dea3be0f1031fcdb3c4bc2d2d074187c349bb89b61b5cff25a2db38e
SHA512

7832bce86947060edb7a4ee0ae2f1a2f6edd1c672d2d6122a3eee73b46d63f2cce194a21f9fc7a987020b3c1e1052cc0b3f4a615e753459cb42bf6fa941f635b
SSDEEP

3072:CEGh0oql3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGMldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A28030B9-4832-40b3-A9D6-51F68A1BB982}\stubpath = "C:\\Windows\\{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe"	{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}	{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}\stubpath = "C:\\Windows\\{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe"	{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}\stubpath = "C:\\Windows\\{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe"	{349EC410-251C-41eb-881F-AC57DDC216B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}\stubpath = "C:\\Windows\\{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe"	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}	{349EC410-251C-41eb-881F-AC57DDC216B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{685099BE-03D8-4651-9D16-EA1ABEF85A01}\stubpath = "C:\\Windows\\{685099BE-03D8-4651-9D16-EA1ABEF85A01}.exe"	{587E9D39-42AA-4719-8B6E-B61165813621}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}	{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}\stubpath = "C:\\Windows\\{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe"	{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}	{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}\stubpath = "C:\\Windows\\{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe"	{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50B29972-1F8B-4450-A9A8-35DE0ED5BBBD}	{B969C4C3-D592-402e-B5AA-F38C7E5D8A54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A28030B9-4832-40b3-A9D6-51F68A1BB982}	{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{349EC410-251C-41eb-881F-AC57DDC216B6}	{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{587E9D39-42AA-4719-8B6E-B61165813621}\stubpath = "C:\\Windows\\{587E9D39-42AA-4719-8B6E-B61165813621}.exe"	{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{685099BE-03D8-4651-9D16-EA1ABEF85A01}	{587E9D39-42AA-4719-8B6E-B61165813621}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B969C4C3-D592-402e-B5AA-F38C7E5D8A54}	{685099BE-03D8-4651-9D16-EA1ABEF85A01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B969C4C3-D592-402e-B5AA-F38C7E5D8A54}\stubpath = "C:\\Windows\\{B969C4C3-D592-402e-B5AA-F38C7E5D8A54}.exe"	{685099BE-03D8-4651-9D16-EA1ABEF85A01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50B29972-1F8B-4450-A9A8-35DE0ED5BBBD}\stubpath = "C:\\Windows\\{50B29972-1F8B-4450-A9A8-35DE0ED5BBBD}.exe"	{B969C4C3-D592-402e-B5AA-F38C7E5D8A54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{349EC410-251C-41eb-881F-AC57DDC216B6}\stubpath = "C:\\Windows\\{349EC410-251C-41eb-881F-AC57DDC216B6}.exe"	{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{587E9D39-42AA-4719-8B6E-B61165813621}	{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe

Deletes itself 1 IoCs

pid	Process
2572	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2980	{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe
2700	{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe
2920	{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe
2424	{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe
2544	{349EC410-251C-41eb-881F-AC57DDC216B6}.exe
2892	{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe
588	{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe
1868	{587E9D39-42AA-4719-8B6E-B61165813621}.exe
1644	{685099BE-03D8-4651-9D16-EA1ABEF85A01}.exe
572	{B969C4C3-D592-402e-B5AA-F38C7E5D8A54}.exe
1752	{50B29972-1F8B-4450-A9A8-35DE0ED5BBBD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{685099BE-03D8-4651-9D16-EA1ABEF85A01}.exe	{587E9D39-42AA-4719-8B6E-B61165813621}.exe
File created	C:\Windows\{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe	{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe
File created	C:\Windows\{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe	{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe
File created	C:\Windows\{349EC410-251C-41eb-881F-AC57DDC216B6}.exe	{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe
File created	C:\Windows\{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe	{349EC410-251C-41eb-881F-AC57DDC216B6}.exe
File created	C:\Windows\{B969C4C3-D592-402e-B5AA-F38C7E5D8A54}.exe	{685099BE-03D8-4651-9D16-EA1ABEF85A01}.exe
File created	C:\Windows\{50B29972-1F8B-4450-A9A8-35DE0ED5BBBD}.exe	{B969C4C3-D592-402e-B5AA-F38C7E5D8A54}.exe
File created	C:\Windows\{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe
File created	C:\Windows\{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe	{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe
File created	C:\Windows\{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe	{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe
File created	C:\Windows\{587E9D39-42AA-4719-8B6E-B61165813621}.exe	{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2796	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2980	{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe
Token: SeIncBasePriorityPrivilege	2700	{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe
Token: SeIncBasePriorityPrivilege	2920	{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe
Token: SeIncBasePriorityPrivilege	2424	{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe
Token: SeIncBasePriorityPrivilege	2544	{349EC410-251C-41eb-881F-AC57DDC216B6}.exe
Token: SeIncBasePriorityPrivilege	2892	{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe
Token: SeIncBasePriorityPrivilege	588	{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe
Token: SeIncBasePriorityPrivilege	1868	{587E9D39-42AA-4719-8B6E-B61165813621}.exe
Token: SeIncBasePriorityPrivilege	1644	{685099BE-03D8-4651-9D16-EA1ABEF85A01}.exe
Token: SeIncBasePriorityPrivilege	572	{B969C4C3-D592-402e-B5AA-F38C7E5D8A54}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2980	2796	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe	28
PID 2796 wrote to memory of 2980	2796	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe	28
PID 2796 wrote to memory of 2980	2796	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe	28
PID 2796 wrote to memory of 2980	2796	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe	28
PID 2796 wrote to memory of 2572	2796	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe	29
PID 2796 wrote to memory of 2572	2796	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe	29
PID 2796 wrote to memory of 2572	2796	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe	29
PID 2796 wrote to memory of 2572	2796	2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe	29
PID 2980 wrote to memory of 2700	2980	{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe	30
PID 2980 wrote to memory of 2700	2980	{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe	30
PID 2980 wrote to memory of 2700	2980	{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe	30
PID 2980 wrote to memory of 2700	2980	{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe	30
PID 2980 wrote to memory of 2568	2980	{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe	31
PID 2980 wrote to memory of 2568	2980	{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe	31
PID 2980 wrote to memory of 2568	2980	{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe	31
PID 2980 wrote to memory of 2568	2980	{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe	31
PID 2700 wrote to memory of 2920	2700	{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe	34
PID 2700 wrote to memory of 2920	2700	{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe	34
PID 2700 wrote to memory of 2920	2700	{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe	34
PID 2700 wrote to memory of 2920	2700	{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe	34
PID 2700 wrote to memory of 2684	2700	{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe	35
PID 2700 wrote to memory of 2684	2700	{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe	35
PID 2700 wrote to memory of 2684	2700	{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe	35
PID 2700 wrote to memory of 2684	2700	{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe	35
PID 2920 wrote to memory of 2424	2920	{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe	36
PID 2920 wrote to memory of 2424	2920	{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe	36
PID 2920 wrote to memory of 2424	2920	{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe	36
PID 2920 wrote to memory of 2424	2920	{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe	36
PID 2920 wrote to memory of 2468	2920	{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe	37
PID 2920 wrote to memory of 2468	2920	{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe	37
PID 2920 wrote to memory of 2468	2920	{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe	37
PID 2920 wrote to memory of 2468	2920	{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe	37
PID 2424 wrote to memory of 2544	2424	{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe	38
PID 2424 wrote to memory of 2544	2424	{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe	38
PID 2424 wrote to memory of 2544	2424	{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe	38
PID 2424 wrote to memory of 2544	2424	{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe	38
PID 2424 wrote to memory of 2884	2424	{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe	39
PID 2424 wrote to memory of 2884	2424	{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe	39
PID 2424 wrote to memory of 2884	2424	{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe	39
PID 2424 wrote to memory of 2884	2424	{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe	39
PID 2544 wrote to memory of 2892	2544	{349EC410-251C-41eb-881F-AC57DDC216B6}.exe	40
PID 2544 wrote to memory of 2892	2544	{349EC410-251C-41eb-881F-AC57DDC216B6}.exe	40
PID 2544 wrote to memory of 2892	2544	{349EC410-251C-41eb-881F-AC57DDC216B6}.exe	40
PID 2544 wrote to memory of 2892	2544	{349EC410-251C-41eb-881F-AC57DDC216B6}.exe	40
PID 2544 wrote to memory of 1660	2544	{349EC410-251C-41eb-881F-AC57DDC216B6}.exe	41
PID 2544 wrote to memory of 1660	2544	{349EC410-251C-41eb-881F-AC57DDC216B6}.exe	41
PID 2544 wrote to memory of 1660	2544	{349EC410-251C-41eb-881F-AC57DDC216B6}.exe	41
PID 2544 wrote to memory of 1660	2544	{349EC410-251C-41eb-881F-AC57DDC216B6}.exe	41
PID 2892 wrote to memory of 588	2892	{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe	42
PID 2892 wrote to memory of 588	2892	{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe	42
PID 2892 wrote to memory of 588	2892	{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe	42
PID 2892 wrote to memory of 588	2892	{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe	42
PID 2892 wrote to memory of 468	2892	{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe	43
PID 2892 wrote to memory of 468	2892	{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe	43
PID 2892 wrote to memory of 468	2892	{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe	43
PID 2892 wrote to memory of 468	2892	{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe	43
PID 588 wrote to memory of 1868	588	{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe	44
PID 588 wrote to memory of 1868	588	{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe	44
PID 588 wrote to memory of 1868	588	{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe	44
PID 588 wrote to memory of 1868	588	{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe	44
PID 588 wrote to memory of 2176	588	{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe	45
PID 588 wrote to memory of 2176	588	{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe	45
PID 588 wrote to memory of 2176	588	{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe	45
PID 588 wrote to memory of 2176	588	{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-23_26ca6942dd85f99b76c9300d49188935_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe
  C:\Windows\{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe
    C:\Windows\{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe
      C:\Windows\{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe
        
        C:\Windows\{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\{349EC410-251C-41eb-881F-AC57DDC216B6}.exe
        
        C:\Windows\{349EC410-251C-41eb-881F-AC57DDC216B6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe
        
        C:\Windows\{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe
        
        C:\Windows\{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\{587E9D39-42AA-4719-8B6E-B61165813621}.exe
        
        C:\Windows\{587E9D39-42AA-4719-8B6E-B61165813621}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\{685099BE-03D8-4651-9D16-EA1ABEF85A01}.exe
        
        C:\Windows\{685099BE-03D8-4651-9D16-EA1ABEF85A01}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\{B969C4C3-D592-402e-B5AA-F38C7E5D8A54}.exe
        
        C:\Windows\{B969C4C3-D592-402e-B5AA-F38C7E5D8A54}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\{50B29972-1F8B-4450-A9A8-35DE0ED5BBBD}.exe
        
        C:\Windows\{50B29972-1F8B-4450-A9A8-35DE0ED5BBBD}.exe
        12⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B969C~1.EXE > nul
        12⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68509~1.EXE > nul
        11⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{587E9~1.EXE > nul
        10⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B4C9~1.EXE > nul
        9⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D61B4~1.EXE > nul
        8⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{349EC~1.EXE > nul
        7⤵
        
        PID:1660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D58A~1.EXE > nul
        6⤵
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2803~1.EXE > nul
        5⤵
        
        PID:2468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{40A53~1.EXE > nul
      4⤵
      PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E6C49~1.EXE > nul
    3⤵
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{349EC410-251C-41eb-881F-AC57DDC216B6}.exe

Filesize
408KB

MD5
cf79cfeb6dd687e31015fd0b26eb600e

SHA1
902ca534b82bca0cd01871073d30f6b1ccd731b7

SHA256
ae7eadecbee0c2ffad637479310fb9d01a41387b345f52b53720590b07852681

SHA512
3b82096922822d2696aa9ae47a3ef8ed16b97345804f0762b9e2c25fda8bcdc0af9638b6454fb3a42658766a7ad9c16c99669626d16d796c23e1d0b6f9bbb7d4

Download Submit
C:\Windows\{349EC410-251C-41eb-881F-AC57DDC216B6}.exe

Filesize
408KB

MD5
cf79cfeb6dd687e31015fd0b26eb600e

SHA1
902ca534b82bca0cd01871073d30f6b1ccd731b7

SHA256
ae7eadecbee0c2ffad637479310fb9d01a41387b345f52b53720590b07852681

SHA512
3b82096922822d2696aa9ae47a3ef8ed16b97345804f0762b9e2c25fda8bcdc0af9638b6454fb3a42658766a7ad9c16c99669626d16d796c23e1d0b6f9bbb7d4

Download Submit
C:\Windows\{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe

Filesize
408KB

MD5
189c42dae75dc06db5de2c821d082afe

SHA1
d8f60c7d99d177db72769cb570028e93585208e2

SHA256
2b34e11659e006543460923d63186f80717989df19436e23bcdf58920f09705d

SHA512
324dddb1972a72b54582163758bf65cae4881246c6a272515f2f55180f9ab5fb55de14058612f8b97e9cbe95f66f299ef8148ae3e17c9d293ceb664891d707a5

Download Submit
C:\Windows\{40A53E93-5FC5-4f43-8CAC-B66020B35BA9}.exe

Filesize
408KB

MD5
189c42dae75dc06db5de2c821d082afe

SHA1
d8f60c7d99d177db72769cb570028e93585208e2

SHA256
2b34e11659e006543460923d63186f80717989df19436e23bcdf58920f09705d

SHA512
324dddb1972a72b54582163758bf65cae4881246c6a272515f2f55180f9ab5fb55de14058612f8b97e9cbe95f66f299ef8148ae3e17c9d293ceb664891d707a5

Download Submit
C:\Windows\{50B29972-1F8B-4450-A9A8-35DE0ED5BBBD}.exe

Filesize
408KB

MD5
37576d953f0ba385c0e44d6879c0ddac

SHA1
2ab0c1c774bffe8abb9ca33799552e7585d3917d

SHA256
4eba5a677fb4bd5f4a11d1986052f49488fbb3757f2d87edf79ec62ac9a22443

SHA512
12fd18a257fff142dbd1e46c08ffcc2a24422e9bcba9df1dbb43718f6226c6d8105c9fa57223f389dbdaf45931cf76b1201048f3f73db121845d81a32ea33207

Download Submit
C:\Windows\{587E9D39-42AA-4719-8B6E-B61165813621}.exe

Filesize
408KB

MD5
1deb2bf4c3ef390311c587c6872ef296

SHA1
a9b38c8423aeea8a045967046d5a88a24741ac26

SHA256
95cd59a57cee523245291527b76be0724bc065bcfa73af79f2a1cfc2099f5fcb

SHA512
4271388a08fc80b1a14f2a398c67760c846f7abcd18ff567b6f0869fc02ed98dc9b8df789805c4c659526e0eaaad616fee997d7224a364f75def089833738f11

Download Submit
C:\Windows\{587E9D39-42AA-4719-8B6E-B61165813621}.exe

Filesize
408KB

MD5
1deb2bf4c3ef390311c587c6872ef296

SHA1
a9b38c8423aeea8a045967046d5a88a24741ac26

SHA256
95cd59a57cee523245291527b76be0724bc065bcfa73af79f2a1cfc2099f5fcb

SHA512
4271388a08fc80b1a14f2a398c67760c846f7abcd18ff567b6f0869fc02ed98dc9b8df789805c4c659526e0eaaad616fee997d7224a364f75def089833738f11

Download Submit
C:\Windows\{685099BE-03D8-4651-9D16-EA1ABEF85A01}.exe

Filesize
408KB

MD5
797215d815f312d127423e9e4d1a1a92

SHA1
9f09ea370ae6b9ba626aeaa8b7f7912a20cc8bab

SHA256
ee5e7198ba1920207705c2aafe584c0b8ea2c0bd05b46d9a6443f7ad160fa144

SHA512
b4c7e523e278d2bc4201cf4eeb3349cf6e2a13e4d41d129aacd44b87aeae68adf6e774a4cb8ffdd80c2214de18a7ba2bf789675ba2596419198507e1005dbb23

Download Submit
C:\Windows\{685099BE-03D8-4651-9D16-EA1ABEF85A01}.exe

Filesize
408KB

MD5
797215d815f312d127423e9e4d1a1a92

SHA1
9f09ea370ae6b9ba626aeaa8b7f7912a20cc8bab

SHA256
ee5e7198ba1920207705c2aafe584c0b8ea2c0bd05b46d9a6443f7ad160fa144

SHA512
b4c7e523e278d2bc4201cf4eeb3349cf6e2a13e4d41d129aacd44b87aeae68adf6e774a4cb8ffdd80c2214de18a7ba2bf789675ba2596419198507e1005dbb23

Download Submit
C:\Windows\{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe

Filesize
408KB

MD5
4d04ee171819b32b789ba8b12f442e75

SHA1
11dc0a8803fe50047fbc4f065ef5efa9b575d3c0

SHA256
944a909d2a113b02518481beaff7ab9a8847197c760aed0476e139354eed26c4

SHA512
91d4c31ffed12b73a9859d4805f2245d8036fc2a1b355ad7c96bcacbddf1055d2beb1e2c451318ed7bcd2cae35f5a3e0a1dd3dd305a45745e6610dc95653bda7

Download Submit
C:\Windows\{6B4C9167-BF08-40e0-9A12-7EEC7D22FEA4}.exe

Filesize
408KB

MD5
4d04ee171819b32b789ba8b12f442e75

SHA1
11dc0a8803fe50047fbc4f065ef5efa9b575d3c0

SHA256
944a909d2a113b02518481beaff7ab9a8847197c760aed0476e139354eed26c4

SHA512
91d4c31ffed12b73a9859d4805f2245d8036fc2a1b355ad7c96bcacbddf1055d2beb1e2c451318ed7bcd2cae35f5a3e0a1dd3dd305a45745e6610dc95653bda7

Download Submit
C:\Windows\{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe

Filesize
408KB

MD5
a1b140fff0cb1644b9f3111b3065104b

SHA1
12d087baee81a8db55294d17fadcf4de95ec2462

SHA256
4f221f6c2fc551b0883645bee0599675daeb86bea6963b586f9413feb8d53651

SHA512
732cb336e1450d5faee4a8c894b07bc8510ebe50ba1ba399c0f70100ec2afb902d0f4ba2854900708e47100bfb30eb9a2216c5dbd253e68202914a0fc10962e1

Download Submit
C:\Windows\{7D58AF00-C2F6-4e7e-B932-93DAC2C78EC2}.exe

Filesize
408KB

MD5
a1b140fff0cb1644b9f3111b3065104b

SHA1
12d087baee81a8db55294d17fadcf4de95ec2462

SHA256
4f221f6c2fc551b0883645bee0599675daeb86bea6963b586f9413feb8d53651

SHA512
732cb336e1450d5faee4a8c894b07bc8510ebe50ba1ba399c0f70100ec2afb902d0f4ba2854900708e47100bfb30eb9a2216c5dbd253e68202914a0fc10962e1

Download Submit
C:\Windows\{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe

Filesize
408KB

MD5
4d7d71fddae6e7b6a62ba79bcb8d7d2c

SHA1
c370e552034e77959930fbaf3819f204a4fd943c

SHA256
ff828b90ece0b9f1eafc6103ff6eb0ab049670f131bf8e1a6843211f50307170

SHA512
b4078838142f0f07325784500b6e08cc3fbbc79cce9387d84b1b1c9f7b5c432037c64801e3aa08e38f3f013b4d30eb4c6fc253ba374e132336ef2e4d2fe1e37e

Download Submit
C:\Windows\{A28030B9-4832-40b3-A9D6-51F68A1BB982}.exe

Filesize
408KB

MD5
4d7d71fddae6e7b6a62ba79bcb8d7d2c

SHA1
c370e552034e77959930fbaf3819f204a4fd943c

SHA256
ff828b90ece0b9f1eafc6103ff6eb0ab049670f131bf8e1a6843211f50307170

SHA512
b4078838142f0f07325784500b6e08cc3fbbc79cce9387d84b1b1c9f7b5c432037c64801e3aa08e38f3f013b4d30eb4c6fc253ba374e132336ef2e4d2fe1e37e

Download Submit
C:\Windows\{B969C4C3-D592-402e-B5AA-F38C7E5D8A54}.exe

Filesize
408KB

MD5
7ef90dd6ea47fcf375079e0969137a48

SHA1
34ba032e18ea8a950a17f0a8909b7945e153f722

SHA256
2c629713f64300f1a2f97eed6382932e9e2e5a3de3ae09be6b9748d6ffe25282

SHA512
393a47f988919efc5a7e724541fc9002fd0eee9460e75f38f4623282d56c4225acd7e0f3bbefe5be9e37722710acc5bb6e808f79f6bb02837b3057a288173085

Download Submit
C:\Windows\{B969C4C3-D592-402e-B5AA-F38C7E5D8A54}.exe

Filesize
408KB

MD5
7ef90dd6ea47fcf375079e0969137a48

SHA1
34ba032e18ea8a950a17f0a8909b7945e153f722

SHA256
2c629713f64300f1a2f97eed6382932e9e2e5a3de3ae09be6b9748d6ffe25282

SHA512
393a47f988919efc5a7e724541fc9002fd0eee9460e75f38f4623282d56c4225acd7e0f3bbefe5be9e37722710acc5bb6e808f79f6bb02837b3057a288173085

Download Submit
C:\Windows\{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe

Filesize
408KB

MD5
2f2832422c6ef0980dc1b66a32232ce2

SHA1
f630b3616db30c493f7670c7dc9368a3db7a2319

SHA256
68a3ecd1f0ed3c8314efd6aef1de4c9e9f1bb8b96a2e5203c624508a80ef5ac7

SHA512
2a8f4c464e2bc3fbfdd38419907035d234646772458c47f9d5d5bd7ee7ebce5f799bccb5163e996007286ed4180e232bbf2b24269aa409af6a0296d1d21edf64

Download Submit
C:\Windows\{D61B4B76-1C96-42b8-B6FB-742EB9A65C24}.exe

Filesize
408KB

MD5
2f2832422c6ef0980dc1b66a32232ce2

SHA1
f630b3616db30c493f7670c7dc9368a3db7a2319

SHA256
68a3ecd1f0ed3c8314efd6aef1de4c9e9f1bb8b96a2e5203c624508a80ef5ac7

SHA512
2a8f4c464e2bc3fbfdd38419907035d234646772458c47f9d5d5bd7ee7ebce5f799bccb5163e996007286ed4180e232bbf2b24269aa409af6a0296d1d21edf64

Download Submit
C:\Windows\{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe

Filesize
408KB

MD5
97186627bb45ec4716815bad6acc3734

SHA1
dfa11df9b96c1ed9e380109198c72a1986f2f678

SHA256
9d2bc759fa02873e6a7cdce9e7326ea8c29c8e2451064c50664bb12beadedfcf

SHA512
f05e638edde0b0f877ca85383bf13adc82e4127f8a3fa59db1150ed2c501dcf9c30c1137b3cee2e1dc45efb250628afd262f886143d5ab6edc8d34b3a3528cf6

Download Submit
C:\Windows\{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe

Filesize
408KB

MD5
97186627bb45ec4716815bad6acc3734

SHA1
dfa11df9b96c1ed9e380109198c72a1986f2f678

SHA256
9d2bc759fa02873e6a7cdce9e7326ea8c29c8e2451064c50664bb12beadedfcf

SHA512
f05e638edde0b0f877ca85383bf13adc82e4127f8a3fa59db1150ed2c501dcf9c30c1137b3cee2e1dc45efb250628afd262f886143d5ab6edc8d34b3a3528cf6

Download Submit
C:\Windows\{E6C497CF-EAC0-4e89-96CE-1AE8A1B3690B}.exe

Filesize
408KB

MD5
97186627bb45ec4716815bad6acc3734

SHA1
dfa11df9b96c1ed9e380109198c72a1986f2f678

SHA256
9d2bc759fa02873e6a7cdce9e7326ea8c29c8e2451064c50664bb12beadedfcf

SHA512
f05e638edde0b0f877ca85383bf13adc82e4127f8a3fa59db1150ed2c501dcf9c30c1137b3cee2e1dc45efb250628afd262f886143d5ab6edc8d34b3a3528cf6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads