a95baf49606924e96121092be228b98b72dcc5af90e2993f01502106866c2465

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
23-09-2023 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe
Size

344KB
MD5

21db8f6917edabda8019067da20c4e20
SHA1

432f89d0e4d02231870f444ac329b1832037a6bb
SHA256

a95baf49606924e96121092be228b98b72dcc5af90e2993f01502106866c2465
SHA512

e7cfaabf08c2fef2ea73c6daa13dcb39db14748f39adb815262c594a6ff170398e0665cc8c22278e0084ddc30ebae90aa0879282835b3176f7a03912b3ee1eb3
SSDEEP

3072:mEGh0oMlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGilqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63334224-639C-416e-80DC-C55F21107F6C}\stubpath = "C:\\Windows\\{63334224-639C-416e-80DC-C55F21107F6C}.exe"	{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{418A0E19-E3CD-419d-932F-0B0EF404CEC2}\stubpath = "C:\\Windows\\{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe"	{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD3DAD90-4D83-4a44-95C2-C8A866972F77}\stubpath = "C:\\Windows\\{FD3DAD90-4D83-4a44-95C2-C8A866972F77}.exe"	{685364D5-867A-480e-936F-47953DD6A9E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C435299-8FAA-4473-B8B1-8DF0B77BC485}	{FD3DAD90-4D83-4a44-95C2-C8A866972F77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36EB0B19-36C4-4af5-8777-0DBED8A84061}	{5A57FE72-ACC7-400e-A897-7061B1414D2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF3DA0BF-60D1-4baa-8136-BB842575384B}	{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}	{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{418A0E19-E3CD-419d-932F-0B0EF404CEC2}	{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{685364D5-867A-480e-936F-47953DD6A9E8}	{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C435299-8FAA-4473-B8B1-8DF0B77BC485}\stubpath = "C:\\Windows\\{7C435299-8FAA-4473-B8B1-8DF0B77BC485}.exe"	{FD3DAD90-4D83-4a44-95C2-C8A866972F77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A57FE72-ACC7-400e-A897-7061B1414D2C}	{7C435299-8FAA-4473-B8B1-8DF0B77BC485}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}\stubpath = "C:\\Windows\\{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe"	{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}	{63334224-639C-416e-80DC-C55F21107F6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}\stubpath = "C:\\Windows\\{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe"	{63334224-639C-416e-80DC-C55F21107F6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36EB0B19-36C4-4af5-8777-0DBED8A84061}\stubpath = "C:\\Windows\\{36EB0B19-36C4-4af5-8777-0DBED8A84061}.exe"	{5A57FE72-ACC7-400e-A897-7061B1414D2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF3DA0BF-60D1-4baa-8136-BB842575384B}\stubpath = "C:\\Windows\\{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe"	{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{685364D5-867A-480e-936F-47953DD6A9E8}\stubpath = "C:\\Windows\\{685364D5-867A-480e-936F-47953DD6A9E8}.exe"	{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD3DAD90-4D83-4a44-95C2-C8A866972F77}	{685364D5-867A-480e-936F-47953DD6A9E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}\stubpath = "C:\\Windows\\{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe"	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63334224-639C-416e-80DC-C55F21107F6C}	{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A57FE72-ACC7-400e-A897-7061B1414D2C}\stubpath = "C:\\Windows\\{5A57FE72-ACC7-400e-A897-7061B1414D2C}.exe"	{7C435299-8FAA-4473-B8B1-8DF0B77BC485}.exe

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2372	{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe
2036	{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe
2944	{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe
2912	{63334224-639C-416e-80DC-C55F21107F6C}.exe
1996	{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe
2608	{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe
3040	{685364D5-867A-480e-936F-47953DD6A9E8}.exe
2888	{FD3DAD90-4D83-4a44-95C2-C8A866972F77}.exe
2844	{7C435299-8FAA-4473-B8B1-8DF0B77BC485}.exe
1888	{5A57FE72-ACC7-400e-A897-7061B1414D2C}.exe
2588	{36EB0B19-36C4-4af5-8777-0DBED8A84061}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe
File created	C:\Windows\{63334224-639C-416e-80DC-C55F21107F6C}.exe	{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe
File created	C:\Windows\{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe	{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe
File created	C:\Windows\{685364D5-867A-480e-936F-47953DD6A9E8}.exe	{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe
File created	C:\Windows\{FD3DAD90-4D83-4a44-95C2-C8A866972F77}.exe	{685364D5-867A-480e-936F-47953DD6A9E8}.exe
File created	C:\Windows\{7C435299-8FAA-4473-B8B1-8DF0B77BC485}.exe	{FD3DAD90-4D83-4a44-95C2-C8A866972F77}.exe
File created	C:\Windows\{5A57FE72-ACC7-400e-A897-7061B1414D2C}.exe	{7C435299-8FAA-4473-B8B1-8DF0B77BC485}.exe
File created	C:\Windows\{36EB0B19-36C4-4af5-8777-0DBED8A84061}.exe	{5A57FE72-ACC7-400e-A897-7061B1414D2C}.exe
File created	C:\Windows\{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe	{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe
File created	C:\Windows\{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe	{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe
File created	C:\Windows\{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe	{63334224-639C-416e-80DC-C55F21107F6C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2220	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2372	{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe
Token: SeIncBasePriorityPrivilege	2036	{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe
Token: SeIncBasePriorityPrivilege	2944	{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe
Token: SeIncBasePriorityPrivilege	2912	{63334224-639C-416e-80DC-C55F21107F6C}.exe
Token: SeIncBasePriorityPrivilege	1996	{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe
Token: SeIncBasePriorityPrivilege	2608	{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe
Token: SeIncBasePriorityPrivilege	3040	{685364D5-867A-480e-936F-47953DD6A9E8}.exe
Token: SeIncBasePriorityPrivilege	2888	{FD3DAD90-4D83-4a44-95C2-C8A866972F77}.exe
Token: SeIncBasePriorityPrivilege	2844	{7C435299-8FAA-4473-B8B1-8DF0B77BC485}.exe
Token: SeIncBasePriorityPrivilege	1888	{5A57FE72-ACC7-400e-A897-7061B1414D2C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2372	2220	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe	28
PID 2220 wrote to memory of 2372	2220	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe	28
PID 2220 wrote to memory of 2372	2220	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe	28
PID 2220 wrote to memory of 2372	2220	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe	28
PID 2220 wrote to memory of 2768	2220	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe	29
PID 2220 wrote to memory of 2768	2220	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe	29
PID 2220 wrote to memory of 2768	2220	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe	29
PID 2220 wrote to memory of 2768	2220	2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe	29
PID 2372 wrote to memory of 2036	2372	{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe	30
PID 2372 wrote to memory of 2036	2372	{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe	30
PID 2372 wrote to memory of 2036	2372	{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe	30
PID 2372 wrote to memory of 2036	2372	{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe	30
PID 2372 wrote to memory of 2712	2372	{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe	31
PID 2372 wrote to memory of 2712	2372	{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe	31
PID 2372 wrote to memory of 2712	2372	{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe	31
PID 2372 wrote to memory of 2712	2372	{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe	31
PID 2036 wrote to memory of 2944	2036	{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe	35
PID 2036 wrote to memory of 2944	2036	{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe	35
PID 2036 wrote to memory of 2944	2036	{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe	35
PID 2036 wrote to memory of 2944	2036	{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe	35
PID 2036 wrote to memory of 1708	2036	{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe	34
PID 2036 wrote to memory of 1708	2036	{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe	34
PID 2036 wrote to memory of 1708	2036	{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe	34
PID 2036 wrote to memory of 1708	2036	{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe	34
PID 2944 wrote to memory of 2912	2944	{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe	36
PID 2944 wrote to memory of 2912	2944	{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe	36
PID 2944 wrote to memory of 2912	2944	{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe	36
PID 2944 wrote to memory of 2912	2944	{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe	36
PID 2944 wrote to memory of 2656	2944	{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe	37
PID 2944 wrote to memory of 2656	2944	{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe	37
PID 2944 wrote to memory of 2656	2944	{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe	37
PID 2944 wrote to memory of 2656	2944	{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe	37
PID 2912 wrote to memory of 1996	2912	{63334224-639C-416e-80DC-C55F21107F6C}.exe	38
PID 2912 wrote to memory of 1996	2912	{63334224-639C-416e-80DC-C55F21107F6C}.exe	38
PID 2912 wrote to memory of 1996	2912	{63334224-639C-416e-80DC-C55F21107F6C}.exe	38
PID 2912 wrote to memory of 1996	2912	{63334224-639C-416e-80DC-C55F21107F6C}.exe	38
PID 2912 wrote to memory of 2508	2912	{63334224-639C-416e-80DC-C55F21107F6C}.exe	39
PID 2912 wrote to memory of 2508	2912	{63334224-639C-416e-80DC-C55F21107F6C}.exe	39
PID 2912 wrote to memory of 2508	2912	{63334224-639C-416e-80DC-C55F21107F6C}.exe	39
PID 2912 wrote to memory of 2508	2912	{63334224-639C-416e-80DC-C55F21107F6C}.exe	39
PID 1996 wrote to memory of 2608	1996	{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe	40
PID 1996 wrote to memory of 2608	1996	{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe	40
PID 1996 wrote to memory of 2608	1996	{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe	40
PID 1996 wrote to memory of 2608	1996	{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe	40
PID 1996 wrote to memory of 2544	1996	{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe	41
PID 1996 wrote to memory of 2544	1996	{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe	41
PID 1996 wrote to memory of 2544	1996	{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe	41
PID 1996 wrote to memory of 2544	1996	{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe	41
PID 2608 wrote to memory of 3040	2608	{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe	43
PID 2608 wrote to memory of 3040	2608	{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe	43
PID 2608 wrote to memory of 3040	2608	{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe	43
PID 2608 wrote to memory of 3040	2608	{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe	43
PID 2608 wrote to memory of 1328	2608	{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe	42
PID 2608 wrote to memory of 1328	2608	{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe	42
PID 2608 wrote to memory of 1328	2608	{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe	42
PID 2608 wrote to memory of 1328	2608	{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe	42
PID 3040 wrote to memory of 2888	3040	{685364D5-867A-480e-936F-47953DD6A9E8}.exe	45
PID 3040 wrote to memory of 2888	3040	{685364D5-867A-480e-936F-47953DD6A9E8}.exe	45
PID 3040 wrote to memory of 2888	3040	{685364D5-867A-480e-936F-47953DD6A9E8}.exe	45
PID 3040 wrote to memory of 2888	3040	{685364D5-867A-480e-936F-47953DD6A9E8}.exe	45
PID 3040 wrote to memory of 2796	3040	{685364D5-867A-480e-936F-47953DD6A9E8}.exe	44
PID 3040 wrote to memory of 2796	3040	{685364D5-867A-480e-936F-47953DD6A9E8}.exe	44
PID 3040 wrote to memory of 2796	3040	{685364D5-867A-480e-936F-47953DD6A9E8}.exe	44
PID 3040 wrote to memory of 2796	3040	{685364D5-867A-480e-936F-47953DD6A9E8}.exe	44

C:\Users\Admin\AppData\Local\Temp\2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_21db8f6917edabda8019067da20c4e20_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe
  C:\Windows\{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe
    C:\Windows\{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DF3DA~1.EXE > nul
      4⤵
      PID:1708
  - - C:\Windows\{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe
      C:\Windows\{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\{63334224-639C-416e-80DC-C55F21107F6C}.exe
        
        C:\Windows\{63334224-639C-416e-80DC-C55F21107F6C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Windows\{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe
        
        C:\Windows\{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe
        
        C:\Windows\{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{418A0~1.EXE > nul
        8⤵
        
        PID:1328
        
        C:\Windows\{685364D5-867A-480e-936F-47953DD6A9E8}.exe
        
        C:\Windows\{685364D5-867A-480e-936F-47953DD6A9E8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68536~1.EXE > nul
        9⤵
        
        PID:2796
        
        C:\Windows\{FD3DAD90-4D83-4a44-95C2-C8A866972F77}.exe
        
        C:\Windows\{FD3DAD90-4D83-4a44-95C2-C8A866972F77}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\{7C435299-8FAA-4473-B8B1-8DF0B77BC485}.exe
        
        C:\Windows\{7C435299-8FAA-4473-B8B1-8DF0B77BC485}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\{5A57FE72-ACC7-400e-A897-7061B1414D2C}.exe
        
        C:\Windows\{5A57FE72-ACC7-400e-A897-7061B1414D2C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A57F~1.EXE > nul
        12⤵
        
        PID:2168
        
        C:\Windows\{36EB0B19-36C4-4af5-8777-0DBED8A84061}.exe
        
        C:\Windows\{36EB0B19-36C4-4af5-8777-0DBED8A84061}.exe
        12⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C435~1.EXE > nul
        11⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD3DA~1.EXE > nul
        10⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A52A9~1.EXE > nul
        7⤵
        
        PID:2544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63334~1.EXE > nul
        6⤵
        
        PID:2508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A903~1.EXE > nul
        5⤵
        
        PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AAC74~1.EXE > nul
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{36EB0B19-36C4-4af5-8777-0DBED8A84061}.exe

Filesize
344KB

MD5
c8a651298490749c187493562f2ba58d

SHA1
82fff0d25ecb57d5da58b2832861a6e55061765b

SHA256
2dfb00d599737e006d356550860b7667301f4646da7bd2516cedf3426326e6e1

SHA512
1a4876f0e539b6a21a7fc0e072f068194850143552a6445dbd5bdd8a4d19d79f0136c2ed5c1182b89e766deb2f7d40bc221c39dba17c48c0fd0d3f6a8e686017

Download Submit
C:\Windows\{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe

Filesize
344KB

MD5
a86eec131dab38ab26a5661232a76cc0

SHA1
12aa45a1d4ad7bce1aa434d909d689ccafcadbab

SHA256
3ccdeebefe6f645edd41f1fb79018da4da42df2596e4b54e594cf5ef159fe186

SHA512
3c69db1943bf24662b2a90b127a6b1e338b612086e30ecfb8796e1dd19ff759bcd92629f1025c1d1ca96903f4caa2edf6b39c61297df1a490ceb44151a85bf14

Download Submit
C:\Windows\{418A0E19-E3CD-419d-932F-0B0EF404CEC2}.exe

Filesize
344KB

MD5
a86eec131dab38ab26a5661232a76cc0

SHA1
12aa45a1d4ad7bce1aa434d909d689ccafcadbab

SHA256
3ccdeebefe6f645edd41f1fb79018da4da42df2596e4b54e594cf5ef159fe186

SHA512
3c69db1943bf24662b2a90b127a6b1e338b612086e30ecfb8796e1dd19ff759bcd92629f1025c1d1ca96903f4caa2edf6b39c61297df1a490ceb44151a85bf14

Download Submit
C:\Windows\{5A57FE72-ACC7-400e-A897-7061B1414D2C}.exe

Filesize
344KB

MD5
c76350f56f3362023090199f79049938

SHA1
6e78935a2a28a5a02e2b75a9201b0a75f594f2bc

SHA256
3558683e9b69b3f1db0aca7b23984b7304f1f9548d5d31b73352d3f8b8db2335

SHA512
4b2e931531430b34130fa54339c2e60e479e29074d4cb77ecc38eaf5c73e33e601a392ae257a8b242747c6b405e4bf4fce88a2622d09c244dbff37fe922c0424

Download Submit
C:\Windows\{5A57FE72-ACC7-400e-A897-7061B1414D2C}.exe

Filesize
344KB

MD5
c76350f56f3362023090199f79049938

SHA1
6e78935a2a28a5a02e2b75a9201b0a75f594f2bc

SHA256
3558683e9b69b3f1db0aca7b23984b7304f1f9548d5d31b73352d3f8b8db2335

SHA512
4b2e931531430b34130fa54339c2e60e479e29074d4cb77ecc38eaf5c73e33e601a392ae257a8b242747c6b405e4bf4fce88a2622d09c244dbff37fe922c0424

Download Submit
C:\Windows\{63334224-639C-416e-80DC-C55F21107F6C}.exe

Filesize
344KB

MD5
4bb6fecc6a7e560f5997205f2e41a692

SHA1
50984ce4f3b644101489cc352c81a19330ef1925

SHA256
fe1f558db95614e5d700dffdeb3dc68ae50f7c51e6a9377c150406f2dc8f60fc

SHA512
4cb19d5697ad67dd02bced5f425d491766de83a9f9e299dc24fa5f49698af6b534eb640a8515e4f35f95d4da44507a205128789601459800327aefd52375e3d7

Download Submit
C:\Windows\{63334224-639C-416e-80DC-C55F21107F6C}.exe

Filesize
344KB

MD5
4bb6fecc6a7e560f5997205f2e41a692

SHA1
50984ce4f3b644101489cc352c81a19330ef1925

SHA256
fe1f558db95614e5d700dffdeb3dc68ae50f7c51e6a9377c150406f2dc8f60fc

SHA512
4cb19d5697ad67dd02bced5f425d491766de83a9f9e299dc24fa5f49698af6b534eb640a8515e4f35f95d4da44507a205128789601459800327aefd52375e3d7

Download Submit
C:\Windows\{685364D5-867A-480e-936F-47953DD6A9E8}.exe

Filesize
344KB

MD5
8527a5ecc9f753506411d537153044bf

SHA1
9e1f376f8369c9d4fc158cfb93f4e9383d4116cb

SHA256
8786582de76790ac9cb8b7835a33f9f9ac5f4f92b3240288d57be4eef273b39a

SHA512
f81dc3785e325aceeae38617b72163f4022196b3de2c5b416dafadb7d0d24d32323cd220d3e9a1645d63bd69872ac187f6f7d5105d1ff5ea16507376c1ba79c7

Download Submit
C:\Windows\{685364D5-867A-480e-936F-47953DD6A9E8}.exe

Filesize
344KB

MD5
8527a5ecc9f753506411d537153044bf

SHA1
9e1f376f8369c9d4fc158cfb93f4e9383d4116cb

SHA256
8786582de76790ac9cb8b7835a33f9f9ac5f4f92b3240288d57be4eef273b39a

SHA512
f81dc3785e325aceeae38617b72163f4022196b3de2c5b416dafadb7d0d24d32323cd220d3e9a1645d63bd69872ac187f6f7d5105d1ff5ea16507376c1ba79c7

Download Submit
C:\Windows\{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe

Filesize
344KB

MD5
874956fb6bdbe29c3aafbf9cdc3b543d

SHA1
678936ea4c83f10f11633386763da3327a014839

SHA256
0b98df6ee977f86cb76169fe8b6a3e9079f84f7dfc0926d007316fe4090e8394

SHA512
e8991f5670404760d8afc51bb894742fc658c74bdb7c3f623d8a7f40e9d8be21862f66de4f3e36fe98b928a2ef2e4fd469b6759d1439d4ab4f6082e870c00128

Download Submit
C:\Windows\{6A903A4F-4F99-4cb5-BBDE-F3741BB687C7}.exe

Filesize
344KB

MD5
874956fb6bdbe29c3aafbf9cdc3b543d

SHA1
678936ea4c83f10f11633386763da3327a014839

SHA256
0b98df6ee977f86cb76169fe8b6a3e9079f84f7dfc0926d007316fe4090e8394

SHA512
e8991f5670404760d8afc51bb894742fc658c74bdb7c3f623d8a7f40e9d8be21862f66de4f3e36fe98b928a2ef2e4fd469b6759d1439d4ab4f6082e870c00128

Download Submit
C:\Windows\{7C435299-8FAA-4473-B8B1-8DF0B77BC485}.exe

Filesize
344KB

MD5
b144bcf2800002df8c1a6fcdafaf1cbe

SHA1
b59f908f4b2f70a593f93cb066d56da1cd18e986

SHA256
8de51873c488cf5dfa769aa95f6b61bf33c5860d093de1a50e32b93b0dabe453

SHA512
4c511969b83c8a807ae05c8c0e8fd652c90c01c133bc7eb62121811f8277f3224cb2af71a2c799aa94c147bca9c631157db4a64288febf17e519d66046a9f499

Download Submit
C:\Windows\{7C435299-8FAA-4473-B8B1-8DF0B77BC485}.exe

Filesize
344KB

MD5
b144bcf2800002df8c1a6fcdafaf1cbe

SHA1
b59f908f4b2f70a593f93cb066d56da1cd18e986

SHA256
8de51873c488cf5dfa769aa95f6b61bf33c5860d093de1a50e32b93b0dabe453

SHA512
4c511969b83c8a807ae05c8c0e8fd652c90c01c133bc7eb62121811f8277f3224cb2af71a2c799aa94c147bca9c631157db4a64288febf17e519d66046a9f499

Download Submit
C:\Windows\{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe

Filesize
344KB

MD5
ad049ff93806d242ddab865c7a8a9d43

SHA1
dbc44f0f36b3ed18b3da82a75b1a4b11873097d6

SHA256
c8c0415626a9174cdd7d67e39686036c1a57679de9567dbd2feeb2d2ed82e658

SHA512
8f238ee912a869a4bd54c75b26644774c842100b60f4932c5c2fe7a00f7725c4211951253d243a68e4f6fb7b77a681a5e5bb029386f0e134a126f5f3389a7c28

Download Submit
C:\Windows\{A52A9E9C-D145-4cdb-BDFD-12F89863A2A7}.exe

Filesize
344KB

MD5
ad049ff93806d242ddab865c7a8a9d43

SHA1
dbc44f0f36b3ed18b3da82a75b1a4b11873097d6

SHA256
c8c0415626a9174cdd7d67e39686036c1a57679de9567dbd2feeb2d2ed82e658

SHA512
8f238ee912a869a4bd54c75b26644774c842100b60f4932c5c2fe7a00f7725c4211951253d243a68e4f6fb7b77a681a5e5bb029386f0e134a126f5f3389a7c28

Download Submit
C:\Windows\{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe

Filesize
344KB

MD5
cc518bf468bb7c075593de4bbbf21ec5

SHA1
2bb5c27dd7e2136477496c75082bae75bd872201

SHA256
1c97c671fb01bcf94b8c594e792cb73ce27683908f79832ca2fc11cf36c6e000

SHA512
29c6ebacafb60ac78f8f3c9e6d950febabdd30fa9cb165ff22164887af697637150482aea0fd3d8b89ad199132cf7eea99f88b8d0aeb347ecdf3b6fd28dc243d

Download Submit
C:\Windows\{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe

Filesize
344KB

MD5
cc518bf468bb7c075593de4bbbf21ec5

SHA1
2bb5c27dd7e2136477496c75082bae75bd872201

SHA256
1c97c671fb01bcf94b8c594e792cb73ce27683908f79832ca2fc11cf36c6e000

SHA512
29c6ebacafb60ac78f8f3c9e6d950febabdd30fa9cb165ff22164887af697637150482aea0fd3d8b89ad199132cf7eea99f88b8d0aeb347ecdf3b6fd28dc243d

Download Submit
C:\Windows\{AAC74176-1B45-4de5-8634-E2AE4DE95F6F}.exe

Filesize
344KB

MD5
cc518bf468bb7c075593de4bbbf21ec5

SHA1
2bb5c27dd7e2136477496c75082bae75bd872201

SHA256
1c97c671fb01bcf94b8c594e792cb73ce27683908f79832ca2fc11cf36c6e000

SHA512
29c6ebacafb60ac78f8f3c9e6d950febabdd30fa9cb165ff22164887af697637150482aea0fd3d8b89ad199132cf7eea99f88b8d0aeb347ecdf3b6fd28dc243d

Download Submit
C:\Windows\{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe

Filesize
344KB

MD5
f8a75a07771a9199ace25fc97744749f

SHA1
1b6cbaef8683a76aa2e1f8251cd5edd73ce9ce44

SHA256
62aefede630c66145f2a3352e426c9abe5e70295f3cfaf441617fcce45545385

SHA512
e42d55511f8a5f481d5adeae614d33688c95896f0a5229ea18154a05e6e14204ca5ce81ce70ec4243aee6a3a170c37ee366295d509b1a98d59f2c71737e7a5fe

Download Submit
C:\Windows\{DF3DA0BF-60D1-4baa-8136-BB842575384B}.exe

Filesize
344KB

MD5
f8a75a07771a9199ace25fc97744749f

SHA1
1b6cbaef8683a76aa2e1f8251cd5edd73ce9ce44

SHA256
62aefede630c66145f2a3352e426c9abe5e70295f3cfaf441617fcce45545385

SHA512
e42d55511f8a5f481d5adeae614d33688c95896f0a5229ea18154a05e6e14204ca5ce81ce70ec4243aee6a3a170c37ee366295d509b1a98d59f2c71737e7a5fe

Download Submit
C:\Windows\{FD3DAD90-4D83-4a44-95C2-C8A866972F77}.exe

Filesize
344KB

MD5
46e8e7b1bc6fb6caf01cafb380533950

SHA1
cc82d70fd9fcc7cabf6a45a66381cbf20824ae79

SHA256
feabd569d7fd0633577ff566eb5da5f92ba0c1ddabf3bed7d0a004aea61e2e88

SHA512
5554116b84fdaa7c55b6c29de49596294c3e04cd2242f827ccf8a9d44cb9a2f7f121231c036b2a61a557aced849700aeb0d57a18539d61e693b060d9d3171246

Download Submit
C:\Windows\{FD3DAD90-4D83-4a44-95C2-C8A866972F77}.exe

Filesize
344KB

MD5
46e8e7b1bc6fb6caf01cafb380533950

SHA1
cc82d70fd9fcc7cabf6a45a66381cbf20824ae79

SHA256
feabd569d7fd0633577ff566eb5da5f92ba0c1ddabf3bed7d0a004aea61e2e88

SHA512
5554116b84fdaa7c55b6c29de49596294c3e04cd2242f827ccf8a9d44cb9a2f7f121231c036b2a61a557aced849700aeb0d57a18539d61e693b060d9d3171246

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads