a573ccfd54f6b06429bb93fbe61e8f8a5aab987c4e76ef1ad866f283bb0896af

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
17/09/2023, 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe
Size

380KB
MD5

176645ee628951b5a5b4215959c64568
SHA1

20bccd9a3e14dae0ad1c84732bcdfab9b44db601
SHA256

a573ccfd54f6b06429bb93fbe61e8f8a5aab987c4e76ef1ad866f283bb0896af
SHA512

ffe65511db859b84d84328ae7804f05d87a69b074af16bd81146c0b6ecc779650f2069db23d384b5cf11f98cc25885cc246439a42019749b83b78f9a020c7ef5
SSDEEP

3072:mEGh0ooZlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEct:mEGil7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27E252E0-353C-4d52-B958-DB5163AEFB46}\stubpath = "C:\\Windows\\{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe"	{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C21FD7AF-0654-4eb5-8205-0B374094E975}\stubpath = "C:\\Windows\\{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe"	{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F6D5536-67C9-4dde-88DD-475A098FC533}	{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F6D5536-67C9-4dde-88DD-475A098FC533}\stubpath = "C:\\Windows\\{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe"	{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}\stubpath = "C:\\Windows\\{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe"	{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{914E8A5D-E348-491a-9EBC-123668690108}\stubpath = "C:\\Windows\\{914E8A5D-E348-491a-9EBC-123668690108}.exe"	{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ABDC4C8-4AE1-4c68-82C2-E70C31F6C67C}\stubpath = "C:\\Windows\\{3ABDC4C8-4AE1-4c68-82C2-E70C31F6C67C}.exe"	{914E8A5D-E348-491a-9EBC-123668690108}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA657514-D583-4d23-812F-EBA219A1D8C6}	{3ABDC4C8-4AE1-4c68-82C2-E70C31F6C67C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDDB2132-411A-4cdb-9A48-56BEEB66402C}	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{914E8A5D-E348-491a-9EBC-123668690108}	{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA657514-D583-4d23-812F-EBA219A1D8C6}\stubpath = "C:\\Windows\\{AA657514-D583-4d23-812F-EBA219A1D8C6}.exe"	{3ABDC4C8-4AE1-4c68-82C2-E70C31F6C67C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DA5C5E1-AE27-491a-981A-0CCEE1113D11}\stubpath = "C:\\Windows\\{1DA5C5E1-AE27-491a-981A-0CCEE1113D11}.exe"	{68DCC4E9-BE5A-4f21-B72E-543C6F165C0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDDB2132-411A-4cdb-9A48-56BEEB66402C}\stubpath = "C:\\Windows\\{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe"	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27E252E0-353C-4d52-B958-DB5163AEFB46}	{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6691E84-4C18-4a98-AD99-8D662695B3EB}	{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6691E84-4C18-4a98-AD99-8D662695B3EB}\stubpath = "C:\\Windows\\{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe"	{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68DCC4E9-BE5A-4f21-B72E-543C6F165C0E}\stubpath = "C:\\Windows\\{68DCC4E9-BE5A-4f21-B72E-543C6F165C0E}.exe"	{AA657514-D583-4d23-812F-EBA219A1D8C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C21FD7AF-0654-4eb5-8205-0B374094E975}	{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}	{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3ABDC4C8-4AE1-4c68-82C2-E70C31F6C67C}	{914E8A5D-E348-491a-9EBC-123668690108}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68DCC4E9-BE5A-4f21-B72E-543C6F165C0E}	{AA657514-D583-4d23-812F-EBA219A1D8C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DA5C5E1-AE27-491a-981A-0CCEE1113D11}	{68DCC4E9-BE5A-4f21-B72E-543C6F165C0E}.exe

Deletes itself 1 IoCs

pid	Process
2428	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2360	{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe
2268	{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe
2784	{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe
2540	{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe
1860	{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe
2952	{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe
2500	{914E8A5D-E348-491a-9EBC-123668690108}.exe
2604	{3ABDC4C8-4AE1-4c68-82C2-E70C31F6C67C}.exe
1808	{AA657514-D583-4d23-812F-EBA219A1D8C6}.exe
112	{68DCC4E9-BE5A-4f21-B72E-543C6F165C0E}.exe
1804	{1DA5C5E1-AE27-491a-981A-0CCEE1113D11}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe
File created	C:\Windows\{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe	{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe
File created	C:\Windows\{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe	{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe
File created	C:\Windows\{1DA5C5E1-AE27-491a-981A-0CCEE1113D11}.exe	{68DCC4E9-BE5A-4f21-B72E-543C6F165C0E}.exe
File created	C:\Windows\{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe	{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe
File created	C:\Windows\{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe	{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe
File created	C:\Windows\{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe	{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe
File created	C:\Windows\{914E8A5D-E348-491a-9EBC-123668690108}.exe	{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe
File created	C:\Windows\{3ABDC4C8-4AE1-4c68-82C2-E70C31F6C67C}.exe	{914E8A5D-E348-491a-9EBC-123668690108}.exe
File created	C:\Windows\{AA657514-D583-4d23-812F-EBA219A1D8C6}.exe	{3ABDC4C8-4AE1-4c68-82C2-E70C31F6C67C}.exe
File created	C:\Windows\{68DCC4E9-BE5A-4f21-B72E-543C6F165C0E}.exe	{AA657514-D583-4d23-812F-EBA219A1D8C6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2024	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2360	{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe
Token: SeIncBasePriorityPrivilege	2268	{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe
Token: SeIncBasePriorityPrivilege	2784	{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe
Token: SeIncBasePriorityPrivilege	2540	{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe
Token: SeIncBasePriorityPrivilege	1860	{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe
Token: SeIncBasePriorityPrivilege	2952	{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe
Token: SeIncBasePriorityPrivilege	2500	{914E8A5D-E348-491a-9EBC-123668690108}.exe
Token: SeIncBasePriorityPrivilege	2604	{3ABDC4C8-4AE1-4c68-82C2-E70C31F6C67C}.exe
Token: SeIncBasePriorityPrivilege	1808	{AA657514-D583-4d23-812F-EBA219A1D8C6}.exe
Token: SeIncBasePriorityPrivilege	112	{68DCC4E9-BE5A-4f21-B72E-543C6F165C0E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2360	2024	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe	28
PID 2024 wrote to memory of 2360	2024	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe	28
PID 2024 wrote to memory of 2360	2024	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe	28
PID 2024 wrote to memory of 2360	2024	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe	28
PID 2024 wrote to memory of 2428	2024	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe	29
PID 2024 wrote to memory of 2428	2024	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe	29
PID 2024 wrote to memory of 2428	2024	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe	29
PID 2024 wrote to memory of 2428	2024	2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe	29
PID 2360 wrote to memory of 2268	2360	{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe	30
PID 2360 wrote to memory of 2268	2360	{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe	30
PID 2360 wrote to memory of 2268	2360	{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe	30
PID 2360 wrote to memory of 2268	2360	{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe	30
PID 2360 wrote to memory of 2724	2360	{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe	31
PID 2360 wrote to memory of 2724	2360	{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe	31
PID 2360 wrote to memory of 2724	2360	{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe	31
PID 2360 wrote to memory of 2724	2360	{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe	31
PID 2268 wrote to memory of 2784	2268	{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe	32
PID 2268 wrote to memory of 2784	2268	{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe	32
PID 2268 wrote to memory of 2784	2268	{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe	32
PID 2268 wrote to memory of 2784	2268	{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe	32
PID 2268 wrote to memory of 2620	2268	{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe	33
PID 2268 wrote to memory of 2620	2268	{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe	33
PID 2268 wrote to memory of 2620	2268	{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe	33
PID 2268 wrote to memory of 2620	2268	{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe	33
PID 2784 wrote to memory of 2540	2784	{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe	36
PID 2784 wrote to memory of 2540	2784	{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe	36
PID 2784 wrote to memory of 2540	2784	{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe	36
PID 2784 wrote to memory of 2540	2784	{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe	36
PID 2784 wrote to memory of 2688	2784	{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe	37
PID 2784 wrote to memory of 2688	2784	{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe	37
PID 2784 wrote to memory of 2688	2784	{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe	37
PID 2784 wrote to memory of 2688	2784	{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe	37
PID 2540 wrote to memory of 1860	2540	{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe	38
PID 2540 wrote to memory of 1860	2540	{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe	38
PID 2540 wrote to memory of 1860	2540	{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe	38
PID 2540 wrote to memory of 1860	2540	{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe	38
PID 2540 wrote to memory of 2536	2540	{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe	39
PID 2540 wrote to memory of 2536	2540	{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe	39
PID 2540 wrote to memory of 2536	2540	{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe	39
PID 2540 wrote to memory of 2536	2540	{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe	39
PID 1860 wrote to memory of 2952	1860	{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe	41
PID 1860 wrote to memory of 2952	1860	{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe	41
PID 1860 wrote to memory of 2952	1860	{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe	41
PID 1860 wrote to memory of 2952	1860	{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe	41
PID 1860 wrote to memory of 2184	1860	{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe	40
PID 1860 wrote to memory of 2184	1860	{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe	40
PID 1860 wrote to memory of 2184	1860	{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe	40
PID 1860 wrote to memory of 2184	1860	{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe	40
PID 2952 wrote to memory of 2500	2952	{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe	43
PID 2952 wrote to memory of 2500	2952	{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe	43
PID 2952 wrote to memory of 2500	2952	{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe	43
PID 2952 wrote to memory of 2500	2952	{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe	43
PID 2952 wrote to memory of 1800	2952	{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe	42
PID 2952 wrote to memory of 1800	2952	{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe	42
PID 2952 wrote to memory of 1800	2952	{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe	42
PID 2952 wrote to memory of 1800	2952	{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe	42
PID 2500 wrote to memory of 2604	2500	{914E8A5D-E348-491a-9EBC-123668690108}.exe	45
PID 2500 wrote to memory of 2604	2500	{914E8A5D-E348-491a-9EBC-123668690108}.exe	45
PID 2500 wrote to memory of 2604	2500	{914E8A5D-E348-491a-9EBC-123668690108}.exe	45
PID 2500 wrote to memory of 2604	2500	{914E8A5D-E348-491a-9EBC-123668690108}.exe	45
PID 2500 wrote to memory of 2848	2500	{914E8A5D-E348-491a-9EBC-123668690108}.exe	44
PID 2500 wrote to memory of 2848	2500	{914E8A5D-E348-491a-9EBC-123668690108}.exe	44
PID 2500 wrote to memory of 2848	2500	{914E8A5D-E348-491a-9EBC-123668690108}.exe	44
PID 2500 wrote to memory of 2848	2500	{914E8A5D-E348-491a-9EBC-123668690108}.exe	44

C:\Users\Admin\AppData\Local\Temp\2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_176645ee628951b5a5b4215959c64568_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe
  C:\Windows\{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe
    C:\Windows\{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe
      C:\Windows\{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe
        
        C:\Windows\{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe
        
        C:\Windows\{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3946C~1.EXE > nul
        7⤵
        
        PID:2184
        
        C:\Windows\{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe
        
        C:\Windows\{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6691~1.EXE > nul
        8⤵
        
        PID:1800
        
        C:\Windows\{914E8A5D-E348-491a-9EBC-123668690108}.exe
        
        C:\Windows\{914E8A5D-E348-491a-9EBC-123668690108}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{914E8~1.EXE > nul
        9⤵
        
        PID:2848
        
        C:\Windows\{3ABDC4C8-4AE1-4c68-82C2-E70C31F6C67C}.exe
        
        C:\Windows\{3ABDC4C8-4AE1-4c68-82C2-E70C31F6C67C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ABDC~1.EXE > nul
        10⤵
        
        PID:1836
        
        C:\Windows\{AA657514-D583-4d23-812F-EBA219A1D8C6}.exe
        
        C:\Windows\{AA657514-D583-4d23-812F-EBA219A1D8C6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\{68DCC4E9-BE5A-4f21-B72E-543C6F165C0E}.exe
        
        C:\Windows\{68DCC4E9-BE5A-4f21-B72E-543C6F165C0E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68DCC~1.EXE > nul
        12⤵
        
        PID:1828
        
        C:\Windows\{1DA5C5E1-AE27-491a-981A-0CCEE1113D11}.exe
        
        C:\Windows\{1DA5C5E1-AE27-491a-981A-0CCEE1113D11}.exe
        12⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA657~1.EXE > nul
        11⤵
        
        PID:1536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F6D5~1.EXE > nul
        6⤵
        
        PID:2536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C21FD~1.EXE > nul
        5⤵
        
        PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{27E25~1.EXE > nul
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FDDB2~1.EXE > nul
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1DA5C5E1-AE27-491a-981A-0CCEE1113D11}.exe

Filesize
380KB

MD5
5a0268ab65e722ea3ba6714a01fb8d77

SHA1
6217e8e25ee0c0358982d5451ee80486bfb29410

SHA256
e54833b2439b2e231027440caab0f1607e28729b7480bf3a8d1e2df6405a1553

SHA512
7ec59d97db9b7de21c738c03fbf74f9db73286bd6e07a016e29c27c87b0357c8ac223a1c2417a5033a5a8a0dfdd03dbda5e0b39ff573dac450593bfb9c553d27

Download Submit
C:\Windows\{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe

Filesize
380KB

MD5
81c854b64d7ff116b3aa91ebcfc50b1b

SHA1
1275ac6d794059a84bab143f4b3421eedeb1d8d0

SHA256
19e03e707d18eb34559b3eff748d26ce3ee08753fadb27cb5d5ad39b34302024

SHA512
37ab1d5a24ff910437e181dae2934e94c703b02f901f6019a923dd818f3ed831785d8e70c3e1b4f3bb521841832b79e8417eea130e45b5a495bcb471d06d7b80

Download Submit
C:\Windows\{27E252E0-353C-4d52-B958-DB5163AEFB46}.exe

Filesize
380KB

MD5
81c854b64d7ff116b3aa91ebcfc50b1b

SHA1
1275ac6d794059a84bab143f4b3421eedeb1d8d0

SHA256
19e03e707d18eb34559b3eff748d26ce3ee08753fadb27cb5d5ad39b34302024

SHA512
37ab1d5a24ff910437e181dae2934e94c703b02f901f6019a923dd818f3ed831785d8e70c3e1b4f3bb521841832b79e8417eea130e45b5a495bcb471d06d7b80

Download Submit
C:\Windows\{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe

Filesize
380KB

MD5
affee08fe89ba8d537bf3a8d1c72a96c

SHA1
beac3f8766016771b2d909c6628451aadccb17c1

SHA256
16f94e40e88aa541546c5206605d175853a36566d05a8c24d1c49fa4da1bfef1

SHA512
4a15afbae26a4bd79e0f0fee9b2c2c03c3b1cda14732e696016bd4f7a4366102bb40a32c96397827639dd58d894be26c4520f02e2bb71036292960d95263eeb8

Download Submit
C:\Windows\{3946C9D7-87CE-4011-874C-61DE3BB6EEF9}.exe

Filesize
380KB

MD5
affee08fe89ba8d537bf3a8d1c72a96c

SHA1
beac3f8766016771b2d909c6628451aadccb17c1

SHA256
16f94e40e88aa541546c5206605d175853a36566d05a8c24d1c49fa4da1bfef1

SHA512
4a15afbae26a4bd79e0f0fee9b2c2c03c3b1cda14732e696016bd4f7a4366102bb40a32c96397827639dd58d894be26c4520f02e2bb71036292960d95263eeb8

Download Submit
C:\Windows\{3ABDC4C8-4AE1-4c68-82C2-E70C31F6C67C}.exe

Filesize
380KB

MD5
9e67c57550ee11aaed2195e69e28fadd

SHA1
3c697a1654e9c949a895c8f5b0c47202b412bd72

SHA256
121edf350cc63e3a6ee2d078033ec6a9edd5e99c8081c750148bad965c0e2baf

SHA512
3e6e958c2d2235d27599fc29d25299d605cc35113b9700ccf5c2687adf99419e817ca847f4db617918431cd19a75f7a637887b34fd29e6303d92f3a8bd897098

Download Submit
C:\Windows\{3ABDC4C8-4AE1-4c68-82C2-E70C31F6C67C}.exe

Filesize
380KB

MD5
9e67c57550ee11aaed2195e69e28fadd

SHA1
3c697a1654e9c949a895c8f5b0c47202b412bd72

SHA256
121edf350cc63e3a6ee2d078033ec6a9edd5e99c8081c750148bad965c0e2baf

SHA512
3e6e958c2d2235d27599fc29d25299d605cc35113b9700ccf5c2687adf99419e817ca847f4db617918431cd19a75f7a637887b34fd29e6303d92f3a8bd897098

Download Submit
C:\Windows\{68DCC4E9-BE5A-4f21-B72E-543C6F165C0E}.exe

Filesize
380KB

MD5
07bdb721c95207ec609b570dd48b965e

SHA1
554cd40bd99b720ad825f5bb79e6aa9227c31523

SHA256
40e8be5e3b4dd70986815e7399408604d874f8e3adcc2a58466ed18ea34a9314

SHA512
473d7015ee5b30f3d266e90ab17a6740375f4b6b58d4d4d9058ce0df517c629d73bb9dc2c6978c4ab6453a70cde1a6d06ee57ee8701b8364e26febebe9826001

Download Submit
C:\Windows\{68DCC4E9-BE5A-4f21-B72E-543C6F165C0E}.exe

Filesize
380KB

MD5
07bdb721c95207ec609b570dd48b965e

SHA1
554cd40bd99b720ad825f5bb79e6aa9227c31523

SHA256
40e8be5e3b4dd70986815e7399408604d874f8e3adcc2a58466ed18ea34a9314

SHA512
473d7015ee5b30f3d266e90ab17a6740375f4b6b58d4d4d9058ce0df517c629d73bb9dc2c6978c4ab6453a70cde1a6d06ee57ee8701b8364e26febebe9826001

Download Submit
C:\Windows\{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe

Filesize
380KB

MD5
c54d81429af6ce5fe6c3c0524db89643

SHA1
311ae87af679ec3509217f8b414379535d1f8a48

SHA256
747134980ea7a1e0041f9a66e6e42d9fc6b7a81b4845d7fb854a9a7002cf527a

SHA512
1edef5c1b3a4b71ef3b9088df77cb3a7049d34e9eb42c5ce65b2718183e43a0480f6229492064978679ac80d173868c8cf6ddc0be0512b593686e6346b045c7a

Download Submit
C:\Windows\{6F6D5536-67C9-4dde-88DD-475A098FC533}.exe

Filesize
380KB

MD5
c54d81429af6ce5fe6c3c0524db89643

SHA1
311ae87af679ec3509217f8b414379535d1f8a48

SHA256
747134980ea7a1e0041f9a66e6e42d9fc6b7a81b4845d7fb854a9a7002cf527a

SHA512
1edef5c1b3a4b71ef3b9088df77cb3a7049d34e9eb42c5ce65b2718183e43a0480f6229492064978679ac80d173868c8cf6ddc0be0512b593686e6346b045c7a

Download Submit
C:\Windows\{914E8A5D-E348-491a-9EBC-123668690108}.exe

Filesize
380KB

MD5
79e92f25745b9886812abf35b73cf0b8

SHA1
e3950410ca5f045692c327de5441e1eb4a389084

SHA256
f9c99c3b90d35ee5ef9d617a74e1076607a5f7b71d5510e2f81a994efbba6783

SHA512
891d5c432b3de4239a9db2793c7ce0ac5ec6654eddadb1e4413b4b3748a448354e98d7dbad0bd19758cbcba78b832d412f0a2792a0e74941f4006d1e3a344597

Download Submit
C:\Windows\{914E8A5D-E348-491a-9EBC-123668690108}.exe

Filesize
380KB

MD5
79e92f25745b9886812abf35b73cf0b8

SHA1
e3950410ca5f045692c327de5441e1eb4a389084

SHA256
f9c99c3b90d35ee5ef9d617a74e1076607a5f7b71d5510e2f81a994efbba6783

SHA512
891d5c432b3de4239a9db2793c7ce0ac5ec6654eddadb1e4413b4b3748a448354e98d7dbad0bd19758cbcba78b832d412f0a2792a0e74941f4006d1e3a344597

Download Submit
C:\Windows\{AA657514-D583-4d23-812F-EBA219A1D8C6}.exe

Filesize
380KB

MD5
ae08976dd91c75ed9fdcbaac5a1723b8

SHA1
8caf97bab348ad89d7bbfec185f75c15d403fb20

SHA256
ef407f9416de298d6b308f5f5ae7db46612b75385b0bc66b2883e24a84f5e3ad

SHA512
21c70652afaa5a1dd6aa06406fe3a594078e9c2fb7a614b895f8015cce9c69da6ff7f306f18d74a3e50aa666d981732730843110f0e6d65cae498b485e493fbe

Download Submit
C:\Windows\{AA657514-D583-4d23-812F-EBA219A1D8C6}.exe

Filesize
380KB

MD5
ae08976dd91c75ed9fdcbaac5a1723b8

SHA1
8caf97bab348ad89d7bbfec185f75c15d403fb20

SHA256
ef407f9416de298d6b308f5f5ae7db46612b75385b0bc66b2883e24a84f5e3ad

SHA512
21c70652afaa5a1dd6aa06406fe3a594078e9c2fb7a614b895f8015cce9c69da6ff7f306f18d74a3e50aa666d981732730843110f0e6d65cae498b485e493fbe

Download Submit
C:\Windows\{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe

Filesize
380KB

MD5
754246c732261e72df57379b52172f46

SHA1
2c3f0e3a6a76947e5105f9fb19140622e31bbaff

SHA256
2505c8c1fa18509eed98323db4529c79dfd96a804bdec6f254dff7ac6eb69fc6

SHA512
6f60f97e316b9db512d7d3c35e9c70331e5a6eb1ceddfcaaecaa82e861cc3d7556cdcd60a6259f48dc84b6936bca7aebdda04656575d2dd241afb876a3d9cd64

Download Submit
C:\Windows\{C21FD7AF-0654-4eb5-8205-0B374094E975}.exe

Filesize
380KB

MD5
754246c732261e72df57379b52172f46

SHA1
2c3f0e3a6a76947e5105f9fb19140622e31bbaff

SHA256
2505c8c1fa18509eed98323db4529c79dfd96a804bdec6f254dff7ac6eb69fc6

SHA512
6f60f97e316b9db512d7d3c35e9c70331e5a6eb1ceddfcaaecaa82e861cc3d7556cdcd60a6259f48dc84b6936bca7aebdda04656575d2dd241afb876a3d9cd64

Download Submit
C:\Windows\{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe

Filesize
380KB

MD5
655bbac3e440663a5854640a8d3cb6e7

SHA1
66ef6c98ff81c5acce693869006a22ee4b514a28

SHA256
ff7f9e9400d46bb7cde9b61a396069c6a0a37cf586752e90002993125a506d85

SHA512
c18342163d2433f994949f0d47e4dc2fcbffcb85d81cc3d17c5a869ba4b83ca87bff939cc3ec0547fd2596ee184ad7eb1779bcd9ac61e8c7228fd8e950e345e3

Download Submit
C:\Windows\{F6691E84-4C18-4a98-AD99-8D662695B3EB}.exe

Filesize
380KB

MD5
655bbac3e440663a5854640a8d3cb6e7

SHA1
66ef6c98ff81c5acce693869006a22ee4b514a28

SHA256
ff7f9e9400d46bb7cde9b61a396069c6a0a37cf586752e90002993125a506d85

SHA512
c18342163d2433f994949f0d47e4dc2fcbffcb85d81cc3d17c5a869ba4b83ca87bff939cc3ec0547fd2596ee184ad7eb1779bcd9ac61e8c7228fd8e950e345e3

Download Submit
C:\Windows\{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe

Filesize
380KB

MD5
87cbb2aaad0ec45f9e826ae25ede9e4e

SHA1
552fa933547237c04156c1cd7882e967bc25dff0

SHA256
ac37722dabe77dd416329744e2c79010b6dad0ef30131f2173f9febc3cb580c7

SHA512
bff0ddc73dd311e43bc1afcf78dde2be1b9f3f41d28eb3b8f43ef60732db5fd0feb70f5d2f3cfdc4cac94d1382e1af6e79463cbc280b3532195235d8d34d778c

Download Submit
C:\Windows\{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe

Filesize
380KB

MD5
87cbb2aaad0ec45f9e826ae25ede9e4e

SHA1
552fa933547237c04156c1cd7882e967bc25dff0

SHA256
ac37722dabe77dd416329744e2c79010b6dad0ef30131f2173f9febc3cb580c7

SHA512
bff0ddc73dd311e43bc1afcf78dde2be1b9f3f41d28eb3b8f43ef60732db5fd0feb70f5d2f3cfdc4cac94d1382e1af6e79463cbc280b3532195235d8d34d778c

Download Submit
C:\Windows\{FDDB2132-411A-4cdb-9A48-56BEEB66402C}.exe

Filesize
380KB

MD5
87cbb2aaad0ec45f9e826ae25ede9e4e

SHA1
552fa933547237c04156c1cd7882e967bc25dff0

SHA256
ac37722dabe77dd416329744e2c79010b6dad0ef30131f2173f9febc3cb580c7

SHA512
bff0ddc73dd311e43bc1afcf78dde2be1b9f3f41d28eb3b8f43ef60732db5fd0feb70f5d2f3cfdc4cac94d1382e1af6e79463cbc280b3532195235d8d34d778c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads