6db0e0e3a7b5dc1b39be75838b05840fd8ba3cdfbe46168b832ea3654400436c

Analysis

max time kernel
144s
max time network
137s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
23-09-2023 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_212a544a00cb56ff02445c6c9b2d24fa_goldeneye_JC.exe
Size

372KB
MD5

212a544a00cb56ff02445c6c9b2d24fa
SHA1

c20ae76cb47fe0f159cbf1b62e55fdd7828785b8
SHA256

6db0e0e3a7b5dc1b39be75838b05840fd8ba3cdfbe46168b832ea3654400436c
SHA512

39f0220a505c62894df2086fc98b57bcf8fa4e1b14596ca7376b095af8cd60c53cd93eb427eb964078b32eaf51601666eeef0a159faaba3226effb730aa5d4a9
SSDEEP

3072:CEGh0o1lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGDlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{024E5DDF-CF75-4d21-AAFC-BB04602DEFE4}\stubpath = "C:\\Windows\\{024E5DDF-CF75-4d21-AAFC-BB04602DEFE4}.exe"	{2968D7B6-16D1-42d7-AB83-5EAC7CCD09DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F2BE98B-747D-42a6-B16A-EA6635328877}	{21618D88-28BB-4a0f-9EE8-8AFEA5764E4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95BF778E-789D-42a8-BD0D-8072823FB47E}	{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2968D7B6-16D1-42d7-AB83-5EAC7CCD09DB}\stubpath = "C:\\Windows\\{2968D7B6-16D1-42d7-AB83-5EAC7CCD09DB}.exe"	{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DE06566-1713-4dcf-8C80-277861619A21}\stubpath = "C:\\Windows\\{2DE06566-1713-4dcf-8C80-277861619A21}.exe"	{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}\stubpath = "C:\\Windows\\{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe"	{2DE06566-1713-4dcf-8C80-277861619A21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{024E5DDF-CF75-4d21-AAFC-BB04602DEFE4}	{2968D7B6-16D1-42d7-AB83-5EAC7CCD09DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F2BE98B-747D-42a6-B16A-EA6635328877}\stubpath = "C:\\Windows\\{6F2BE98B-747D-42a6-B16A-EA6635328877}.exe"	{21618D88-28BB-4a0f-9EE8-8AFEA5764E4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{581237C0-2F89-4239-A1FC-8505554E614E}	{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{581237C0-2F89-4239-A1FC-8505554E614E}\stubpath = "C:\\Windows\\{581237C0-2F89-4239-A1FC-8505554E614E}.exe"	{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95BF778E-789D-42a8-BD0D-8072823FB47E}\stubpath = "C:\\Windows\\{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe"	{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25C79278-F429-4ffa-8EAC-49F7F0922D1A}	{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{887EBC6F-BF60-4078-906A-18DB5BE7FE68}\stubpath = "C:\\Windows\\{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe"	{581237C0-2F89-4239-A1FC-8505554E614E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21618D88-28BB-4a0f-9EE8-8AFEA5764E4D}	{024E5DDF-CF75-4d21-AAFC-BB04602DEFE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}	2023-08-26_212a544a00cb56ff02445c6c9b2d24fa_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}\stubpath = "C:\\Windows\\{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe"	2023-08-26_212a544a00cb56ff02445c6c9b2d24fa_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DE06566-1713-4dcf-8C80-277861619A21}	{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}	{2DE06566-1713-4dcf-8C80-277861619A21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2968D7B6-16D1-42d7-AB83-5EAC7CCD09DB}	{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21618D88-28BB-4a0f-9EE8-8AFEA5764E4D}\stubpath = "C:\\Windows\\{21618D88-28BB-4a0f-9EE8-8AFEA5764E4D}.exe"	{024E5DDF-CF75-4d21-AAFC-BB04602DEFE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25C79278-F429-4ffa-8EAC-49F7F0922D1A}\stubpath = "C:\\Windows\\{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe"	{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{887EBC6F-BF60-4078-906A-18DB5BE7FE68}	{581237C0-2F89-4239-A1FC-8505554E614E}.exe

Deletes itself 1 IoCs

pid	Process
3056	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2672	{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe
2744	{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe
2668	{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe
2536	{581237C0-2F89-4239-A1FC-8505554E614E}.exe
2552	{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe
1976	{2DE06566-1713-4dcf-8C80-277861619A21}.exe
2476	{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe
2584	{2968D7B6-16D1-42d7-AB83-5EAC7CCD09DB}.exe
2548	{024E5DDF-CF75-4d21-AAFC-BB04602DEFE4}.exe
1692	{21618D88-28BB-4a0f-9EE8-8AFEA5764E4D}.exe
2020	{6F2BE98B-747D-42a6-B16A-EA6635328877}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe	{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe
File created	C:\Windows\{581237C0-2F89-4239-A1FC-8505554E614E}.exe	{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe
File created	C:\Windows\{024E5DDF-CF75-4d21-AAFC-BB04602DEFE4}.exe	{2968D7B6-16D1-42d7-AB83-5EAC7CCD09DB}.exe
File created	C:\Windows\{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe	{2DE06566-1713-4dcf-8C80-277861619A21}.exe
File created	C:\Windows\{2968D7B6-16D1-42d7-AB83-5EAC7CCD09DB}.exe	{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe
File created	C:\Windows\{21618D88-28BB-4a0f-9EE8-8AFEA5764E4D}.exe	{024E5DDF-CF75-4d21-AAFC-BB04602DEFE4}.exe
File created	C:\Windows\{6F2BE98B-747D-42a6-B16A-EA6635328877}.exe	{21618D88-28BB-4a0f-9EE8-8AFEA5764E4D}.exe
File created	C:\Windows\{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe	2023-08-26_212a544a00cb56ff02445c6c9b2d24fa_goldeneye_JC.exe
File created	C:\Windows\{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe	{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe
File created	C:\Windows\{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe	{581237C0-2F89-4239-A1FC-8505554E614E}.exe
File created	C:\Windows\{2DE06566-1713-4dcf-8C80-277861619A21}.exe	{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2972	2023-08-26_212a544a00cb56ff02445c6c9b2d24fa_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2672	{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe
Token: SeIncBasePriorityPrivilege	2744	{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe
Token: SeIncBasePriorityPrivilege	2668	{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe
Token: SeIncBasePriorityPrivilege	2536	{581237C0-2F89-4239-A1FC-8505554E614E}.exe
Token: SeIncBasePriorityPrivilege	2552	{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe
Token: SeIncBasePriorityPrivilege	1976	{2DE06566-1713-4dcf-8C80-277861619A21}.exe
Token: SeIncBasePriorityPrivilege	2476	{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe
Token: SeIncBasePriorityPrivilege	2584	{2968D7B6-16D1-42d7-AB83-5EAC7CCD09DB}.exe
Token: SeIncBasePriorityPrivilege	2548	{024E5DDF-CF75-4d21-AAFC-BB04602DEFE4}.exe
Token: SeIncBasePriorityPrivilege	1692	{21618D88-28BB-4a0f-9EE8-8AFEA5764E4D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2672	2972	2023-08-26_212a544a00cb56ff02445c6c9b2d24fa_goldeneye_JC.exe	28
PID 2972 wrote to memory of 2672	2972	2023-08-26_212a544a00cb56ff02445c6c9b2d24fa_goldeneye_JC.exe	28
PID 2972 wrote to memory of 2672	2972	2023-08-26_212a544a00cb56ff02445c6c9b2d24fa_goldeneye_JC.exe	28
PID 2972 wrote to memory of 2672	2972	2023-08-26_212a544a00cb56ff02445c6c9b2d24fa_goldeneye_JC.exe	28
PID 2972 wrote to memory of 3056	2972	2023-08-26_212a544a00cb56ff02445c6c9b2d24fa_goldeneye_JC.exe	29
PID 2972 wrote to memory of 3056	2972	2023-08-26_212a544a00cb56ff02445c6c9b2d24fa_goldeneye_JC.exe	29
PID 2972 wrote to memory of 3056	2972	2023-08-26_212a544a00cb56ff02445c6c9b2d24fa_goldeneye_JC.exe	29
PID 2972 wrote to memory of 3056	2972	2023-08-26_212a544a00cb56ff02445c6c9b2d24fa_goldeneye_JC.exe	29
PID 2672 wrote to memory of 2744	2672	{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe	30
PID 2672 wrote to memory of 2744	2672	{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe	30
PID 2672 wrote to memory of 2744	2672	{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe	30
PID 2672 wrote to memory of 2744	2672	{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe	30
PID 2672 wrote to memory of 2728	2672	{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe	31
PID 2672 wrote to memory of 2728	2672	{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe	31
PID 2672 wrote to memory of 2728	2672	{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe	31
PID 2672 wrote to memory of 2728	2672	{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe	31
PID 2744 wrote to memory of 2668	2744	{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe	35
PID 2744 wrote to memory of 2668	2744	{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe	35
PID 2744 wrote to memory of 2668	2744	{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe	35
PID 2744 wrote to memory of 2668	2744	{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe	35
PID 2744 wrote to memory of 2200	2744	{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe	34
PID 2744 wrote to memory of 2200	2744	{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe	34
PID 2744 wrote to memory of 2200	2744	{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe	34
PID 2744 wrote to memory of 2200	2744	{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe	34
PID 2668 wrote to memory of 2536	2668	{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe	36
PID 2668 wrote to memory of 2536	2668	{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe	36
PID 2668 wrote to memory of 2536	2668	{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe	36
PID 2668 wrote to memory of 2536	2668	{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe	36
PID 2668 wrote to memory of 2484	2668	{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe	37
PID 2668 wrote to memory of 2484	2668	{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe	37
PID 2668 wrote to memory of 2484	2668	{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe	37
PID 2668 wrote to memory of 2484	2668	{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe	37
PID 2536 wrote to memory of 2552	2536	{581237C0-2F89-4239-A1FC-8505554E614E}.exe	39
PID 2536 wrote to memory of 2552	2536	{581237C0-2F89-4239-A1FC-8505554E614E}.exe	39
PID 2536 wrote to memory of 2552	2536	{581237C0-2F89-4239-A1FC-8505554E614E}.exe	39
PID 2536 wrote to memory of 2552	2536	{581237C0-2F89-4239-A1FC-8505554E614E}.exe	39
PID 2536 wrote to memory of 2940	2536	{581237C0-2F89-4239-A1FC-8505554E614E}.exe	38
PID 2536 wrote to memory of 2940	2536	{581237C0-2F89-4239-A1FC-8505554E614E}.exe	38
PID 2536 wrote to memory of 2940	2536	{581237C0-2F89-4239-A1FC-8505554E614E}.exe	38
PID 2536 wrote to memory of 2940	2536	{581237C0-2F89-4239-A1FC-8505554E614E}.exe	38
PID 2552 wrote to memory of 1976	2552	{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe	40
PID 2552 wrote to memory of 1976	2552	{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe	40
PID 2552 wrote to memory of 1976	2552	{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe	40
PID 2552 wrote to memory of 1976	2552	{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe	40
PID 2552 wrote to memory of 1992	2552	{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe	41
PID 2552 wrote to memory of 1992	2552	{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe	41
PID 2552 wrote to memory of 1992	2552	{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe	41
PID 2552 wrote to memory of 1992	2552	{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe	41
PID 1976 wrote to memory of 2476	1976	{2DE06566-1713-4dcf-8C80-277861619A21}.exe	43
PID 1976 wrote to memory of 2476	1976	{2DE06566-1713-4dcf-8C80-277861619A21}.exe	43
PID 1976 wrote to memory of 2476	1976	{2DE06566-1713-4dcf-8C80-277861619A21}.exe	43
PID 1976 wrote to memory of 2476	1976	{2DE06566-1713-4dcf-8C80-277861619A21}.exe	43
PID 1976 wrote to memory of 2804	1976	{2DE06566-1713-4dcf-8C80-277861619A21}.exe	42
PID 1976 wrote to memory of 2804	1976	{2DE06566-1713-4dcf-8C80-277861619A21}.exe	42
PID 1976 wrote to memory of 2804	1976	{2DE06566-1713-4dcf-8C80-277861619A21}.exe	42
PID 1976 wrote to memory of 2804	1976	{2DE06566-1713-4dcf-8C80-277861619A21}.exe	42
PID 2476 wrote to memory of 2584	2476	{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe	45
PID 2476 wrote to memory of 2584	2476	{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe	45
PID 2476 wrote to memory of 2584	2476	{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe	45
PID 2476 wrote to memory of 2584	2476	{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe	45
PID 2476 wrote to memory of 1152	2476	{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe	44
PID 2476 wrote to memory of 1152	2476	{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe	44
PID 2476 wrote to memory of 1152	2476	{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe	44
PID 2476 wrote to memory of 1152	2476	{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe	44

C:\Users\Admin\AppData\Local\Temp\2023-08-26_212a544a00cb56ff02445c6c9b2d24fa_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_212a544a00cb56ff02445c6c9b2d24fa_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe
  C:\Windows\{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe
    C:\Windows\{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{95BF7~1.EXE > nul
      4⤵
      PID:2200
  - - C:\Windows\{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe
      C:\Windows\{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\{581237C0-2F89-4239-A1FC-8505554E614E}.exe
        
        C:\Windows\{581237C0-2F89-4239-A1FC-8505554E614E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58123~1.EXE > nul
        6⤵
        
        PID:2940
      - C:\Windows\{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe
        
        C:\Windows\{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\{2DE06566-1713-4dcf-8C80-277861619A21}.exe
        
        C:\Windows\{2DE06566-1713-4dcf-8C80-277861619A21}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DE06~1.EXE > nul
        8⤵
        
        PID:2804
        
        C:\Windows\{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe
        
        C:\Windows\{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65182~1.EXE > nul
        9⤵
        
        PID:1152
        
        C:\Windows\{2968D7B6-16D1-42d7-AB83-5EAC7CCD09DB}.exe
        
        C:\Windows\{2968D7B6-16D1-42d7-AB83-5EAC7CCD09DB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2968D~1.EXE > nul
        10⤵
        
        PID:1688
        
        C:\Windows\{024E5DDF-CF75-4d21-AAFC-BB04602DEFE4}.exe
        
        C:\Windows\{024E5DDF-CF75-4d21-AAFC-BB04602DEFE4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{024E5~1.EXE > nul
        11⤵
        
        PID:2156
        
        C:\Windows\{21618D88-28BB-4a0f-9EE8-8AFEA5764E4D}.exe
        
        C:\Windows\{21618D88-28BB-4a0f-9EE8-8AFEA5764E4D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21618~1.EXE > nul
        12⤵
        
        PID:1972
        
        C:\Windows\{6F2BE98B-747D-42a6-B16A-EA6635328877}.exe
        
        C:\Windows\{6F2BE98B-747D-42a6-B16A-EA6635328877}.exe
        12⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{887EB~1.EXE > nul
        7⤵
        
        PID:1992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25C79~1.EXE > nul
        5⤵
        
        PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DD2B3~1.EXE > nul
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{024E5DDF-CF75-4d21-AAFC-BB04602DEFE4}.exe

Filesize
372KB

MD5
dbe9a3e8de7d68319eafb1df95ea34b2

SHA1
28ec77f08d201345105c6846bf7a85d8c15f22fc

SHA256
88b48a703aae4178feb1f57ee78116cd0467e8464d77e17cee4c2b4e30881b00

SHA512
d6153ad777f10aa2d49b3d80e6a4ec4052b0db295bd8592fc54feea1f2cec00801b529cd97f0011458d9172b6296f6370c16263c4cebf6ade0f3d4161f37af30

Download Submit
C:\Windows\{024E5DDF-CF75-4d21-AAFC-BB04602DEFE4}.exe

Filesize
372KB

MD5
dbe9a3e8de7d68319eafb1df95ea34b2

SHA1
28ec77f08d201345105c6846bf7a85d8c15f22fc

SHA256
88b48a703aae4178feb1f57ee78116cd0467e8464d77e17cee4c2b4e30881b00

SHA512
d6153ad777f10aa2d49b3d80e6a4ec4052b0db295bd8592fc54feea1f2cec00801b529cd97f0011458d9172b6296f6370c16263c4cebf6ade0f3d4161f37af30

Download Submit
C:\Windows\{21618D88-28BB-4a0f-9EE8-8AFEA5764E4D}.exe

Filesize
372KB

MD5
4b0d0eadeebd856cc70d4684289890e2

SHA1
538d2b3e156f2f246b8011f1429f4adf497ddb82

SHA256
6d7da85ac3efa60d59488b7a4f737c3af93dc4dba8f046d3a2d64690dd63d745

SHA512
0fb9483b7f8288929cbeb5a6aca4453eacb14b29aa91387e6d491c85785e62f8f0d1afd30b569e401eeb37cac100eea2988ac72166b6b5447cc7a984490a22dc

Download Submit
C:\Windows\{21618D88-28BB-4a0f-9EE8-8AFEA5764E4D}.exe

Filesize
372KB

MD5
4b0d0eadeebd856cc70d4684289890e2

SHA1
538d2b3e156f2f246b8011f1429f4adf497ddb82

SHA256
6d7da85ac3efa60d59488b7a4f737c3af93dc4dba8f046d3a2d64690dd63d745

SHA512
0fb9483b7f8288929cbeb5a6aca4453eacb14b29aa91387e6d491c85785e62f8f0d1afd30b569e401eeb37cac100eea2988ac72166b6b5447cc7a984490a22dc

Download Submit
C:\Windows\{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe

Filesize
372KB

MD5
79a27ac37a563d468720586e49200b44

SHA1
73b7a2d6230254a8d12335aa17415162ddefca01

SHA256
d39a4b5441ea482ebee8ae22895d9abdc7fc55364bcbdb02d3805b630c312090

SHA512
c25c156ff0c22ce019e4f337f20cd5f0ba0e706697afa198dc7d358d00fdfbf6fa1a94fef410a55f517f61020769bb067d567eaa8642d12357169cdfcc3d3b3e

Download Submit
C:\Windows\{25C79278-F429-4ffa-8EAC-49F7F0922D1A}.exe

Filesize
372KB

MD5
79a27ac37a563d468720586e49200b44

SHA1
73b7a2d6230254a8d12335aa17415162ddefca01

SHA256
d39a4b5441ea482ebee8ae22895d9abdc7fc55364bcbdb02d3805b630c312090

SHA512
c25c156ff0c22ce019e4f337f20cd5f0ba0e706697afa198dc7d358d00fdfbf6fa1a94fef410a55f517f61020769bb067d567eaa8642d12357169cdfcc3d3b3e

Download Submit
C:\Windows\{2968D7B6-16D1-42d7-AB83-5EAC7CCD09DB}.exe

Filesize
372KB

MD5
9894d3b7c030003de694f9863dd33d32

SHA1
0896010b6b7e74091f08fda0c93292b15bd81807

SHA256
3ed99c1dcacaf53988bd3e55c7958cf66d0a202c6a10bd96204ebfa03ff9c0e2

SHA512
5f24a5d51909320f7ec3d545e77f1ca2e704d022f8bfcebbb61f0babe69908236b10a90a83c64b015d5034c55ca627b300f5ab1d14de889be621df189762387b

Download Submit
C:\Windows\{2968D7B6-16D1-42d7-AB83-5EAC7CCD09DB}.exe

Filesize
372KB

MD5
9894d3b7c030003de694f9863dd33d32

SHA1
0896010b6b7e74091f08fda0c93292b15bd81807

SHA256
3ed99c1dcacaf53988bd3e55c7958cf66d0a202c6a10bd96204ebfa03ff9c0e2

SHA512
5f24a5d51909320f7ec3d545e77f1ca2e704d022f8bfcebbb61f0babe69908236b10a90a83c64b015d5034c55ca627b300f5ab1d14de889be621df189762387b

Download Submit
C:\Windows\{2DE06566-1713-4dcf-8C80-277861619A21}.exe

Filesize
372KB

MD5
401e45e4dc05927895fe933518adfc4b

SHA1
67a9de91224587354589caab8491d28226c90cd1

SHA256
ddf3e4437e021b712f75603badddc435edf8dad3771bbb95a50d39d8dfa625ee

SHA512
d0f37e79430e53979e929a2c5311ccac90c8dd03baf4671eb80a62d7bed6b8dd511d7d1167d18836079b8583c30ebc26369e1c62dd949ed7c12f9ea03e1e6bab

Download Submit
C:\Windows\{2DE06566-1713-4dcf-8C80-277861619A21}.exe

Filesize
372KB

MD5
401e45e4dc05927895fe933518adfc4b

SHA1
67a9de91224587354589caab8491d28226c90cd1

SHA256
ddf3e4437e021b712f75603badddc435edf8dad3771bbb95a50d39d8dfa625ee

SHA512
d0f37e79430e53979e929a2c5311ccac90c8dd03baf4671eb80a62d7bed6b8dd511d7d1167d18836079b8583c30ebc26369e1c62dd949ed7c12f9ea03e1e6bab

Download Submit
C:\Windows\{581237C0-2F89-4239-A1FC-8505554E614E}.exe

Filesize
372KB

MD5
3ddcc22d757b8c8d8e800807f0a93d19

SHA1
6146d0355ef64d271b20375808d04caa63204173

SHA256
977b000ff711e5c28812fdfd70a0c651aaee3bd0afec43c36fb2958af77dd7d3

SHA512
3f67db5f965aa96b315a277ef3e3ae3826126ca876473cb81043aa60dc283d5fe733ab770eb0780654c5013adc10fadd452dc37beab604aa21a8a97e6b29dbed

Download Submit
C:\Windows\{581237C0-2F89-4239-A1FC-8505554E614E}.exe

Filesize
372KB

MD5
3ddcc22d757b8c8d8e800807f0a93d19

SHA1
6146d0355ef64d271b20375808d04caa63204173

SHA256
977b000ff711e5c28812fdfd70a0c651aaee3bd0afec43c36fb2958af77dd7d3

SHA512
3f67db5f965aa96b315a277ef3e3ae3826126ca876473cb81043aa60dc283d5fe733ab770eb0780654c5013adc10fadd452dc37beab604aa21a8a97e6b29dbed

Download Submit
C:\Windows\{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe

Filesize
372KB

MD5
5dc37f227839b00ae557a0af3f220a69

SHA1
d2f806986eb307ce47369b41a93907f01f3ebe41

SHA256
a3d15cc81a85235bac395d44888ba64f28587a2f1c1aaac36e7c1f0fb9922131

SHA512
5055557e27f93c2fbc0907e7653e51e5d7dd6832733f27a534c0dcba6c4b36763f5656a3c31381b66ba3efbb9f77ed58095da40c03a86bf09596d308e6723f94

Download Submit
C:\Windows\{65182170-6D4D-45e9-BD4F-BC2EB6F48D59}.exe

Filesize
372KB

MD5
5dc37f227839b00ae557a0af3f220a69

SHA1
d2f806986eb307ce47369b41a93907f01f3ebe41

SHA256
a3d15cc81a85235bac395d44888ba64f28587a2f1c1aaac36e7c1f0fb9922131

SHA512
5055557e27f93c2fbc0907e7653e51e5d7dd6832733f27a534c0dcba6c4b36763f5656a3c31381b66ba3efbb9f77ed58095da40c03a86bf09596d308e6723f94

Download Submit
C:\Windows\{6F2BE98B-747D-42a6-B16A-EA6635328877}.exe

Filesize
372KB

MD5
867af554590ab33d5d197825be068c6d

SHA1
1d7e9ae7ec760bf3df7a2362326a6ddac93b68fc

SHA256
c9e67242c578df7da930d666475286e5cb9d4f312260d948e7c7af47da2c59f9

SHA512
b9869efbf385035d32d2b25d74c5918e8fc485774401ecc4a0e60695548c06ac2a4611c5168a4e9a20cfc3a79f870cfc49929a01df34398762e917149221633e

Download Submit
C:\Windows\{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe

Filesize
372KB

MD5
3f21be94287658154e870b0338ccb7b3

SHA1
b52190d54afded9752c7a98a0d09394756300bae

SHA256
cc525a3f29786043620621c4d6002c66aad9e719e83a7a39f8d7b8eb95061fcd

SHA512
510b2f251be8d0a78eb3a60412e576d5ccc5373d6e6bb0e102d402925a52dd266aad447a4b9e6398e52b4fd50b08af70540b848c9e341f43aeed2c7749f00c90

Download Submit
C:\Windows\{887EBC6F-BF60-4078-906A-18DB5BE7FE68}.exe

Filesize
372KB

MD5
3f21be94287658154e870b0338ccb7b3

SHA1
b52190d54afded9752c7a98a0d09394756300bae

SHA256
cc525a3f29786043620621c4d6002c66aad9e719e83a7a39f8d7b8eb95061fcd

SHA512
510b2f251be8d0a78eb3a60412e576d5ccc5373d6e6bb0e102d402925a52dd266aad447a4b9e6398e52b4fd50b08af70540b848c9e341f43aeed2c7749f00c90

Download Submit
C:\Windows\{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe

Filesize
372KB

MD5
397daa6dac810c33947eb3dcd82386a0

SHA1
00109672c6aa14ee28ea7383b63804c7219a4674

SHA256
efa3e0e3a5c2fa6988edf8405139861da4cfff64143f6b021dc30cd352267408

SHA512
8a72cfaff9733d5cd4b3584e0d15fc715274dea9f1e9e517037605f40bfc71073e9f5369737699f3592ffd3ab41b1fbb49d0c1ec153bf801eccf6a3ef171fa39

Download Submit
C:\Windows\{95BF778E-789D-42a8-BD0D-8072823FB47E}.exe

Filesize
372KB

MD5
397daa6dac810c33947eb3dcd82386a0

SHA1
00109672c6aa14ee28ea7383b63804c7219a4674

SHA256
efa3e0e3a5c2fa6988edf8405139861da4cfff64143f6b021dc30cd352267408

SHA512
8a72cfaff9733d5cd4b3584e0d15fc715274dea9f1e9e517037605f40bfc71073e9f5369737699f3592ffd3ab41b1fbb49d0c1ec153bf801eccf6a3ef171fa39

Download Submit
C:\Windows\{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe

Filesize
372KB

MD5
fb626a061c4d2a2b46bd0c50b83236c9

SHA1
2d1b3c0b5e697f90e0b724b78026f2eeae78bd00

SHA256
d1ee92ccd124745924e82ce1ad6a63e69929565cead88580b6ed8089ccf211d5

SHA512
eeb1a05b8f4e37e2d6aa49f737e14e9ae05cac7a697ec30fe80e7e8173fec585b9e5216b6ff2613e9cfeabac1449127cdaa2a62007d91ecc48402b22a51d3938

Download Submit
C:\Windows\{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe

Filesize
372KB

MD5
fb626a061c4d2a2b46bd0c50b83236c9

SHA1
2d1b3c0b5e697f90e0b724b78026f2eeae78bd00

SHA256
d1ee92ccd124745924e82ce1ad6a63e69929565cead88580b6ed8089ccf211d5

SHA512
eeb1a05b8f4e37e2d6aa49f737e14e9ae05cac7a697ec30fe80e7e8173fec585b9e5216b6ff2613e9cfeabac1449127cdaa2a62007d91ecc48402b22a51d3938

Download Submit
C:\Windows\{DD2B3FCC-6B25-40dd-B18A-18C366AB4EBE}.exe

Filesize
372KB

MD5
fb626a061c4d2a2b46bd0c50b83236c9

SHA1
2d1b3c0b5e697f90e0b724b78026f2eeae78bd00

SHA256
d1ee92ccd124745924e82ce1ad6a63e69929565cead88580b6ed8089ccf211d5

SHA512
eeb1a05b8f4e37e2d6aa49f737e14e9ae05cac7a697ec30fe80e7e8173fec585b9e5216b6ff2613e9cfeabac1449127cdaa2a62007d91ecc48402b22a51d3938

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads