46023ab51c66439648792f92a8d086f5c89028ab4efa75e3d1dc265fc5eede61

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
23-09-2023 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_36056fe2e4a63a7771604c41181e2582_goldeneye_JC.exe
Size

180KB
MD5

36056fe2e4a63a7771604c41181e2582
SHA1

d25a4b783342d5338bf7c096e6b75f35d4c7bf77
SHA256

46023ab51c66439648792f92a8d086f5c89028ab4efa75e3d1dc265fc5eede61
SHA512

10fb805bfbb81b0481c8cebe9f51970b6a3388202e165221fe97d43a19ec5b91b9043ed9c5733e29a8c2982acb8167f35bf4b3b586f1e306afdb48a2333b7103
SSDEEP

3072:jEGh0oWlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGMl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}	{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}\stubpath = "C:\\Windows\\{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe"	{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73DFD81D-37C8-4fd0-B275-C64654E92543}	{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{617A1CE1-B4FD-41f8-9B80-92D9FE18100F}\stubpath = "C:\\Windows\\{617A1CE1-B4FD-41f8-9B80-92D9FE18100F}.exe"	{7E1966D3-84D2-4eca-AD9E-A072D53DB03C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18EFBCC3-EE63-41ec-A681-5019962EC6EB}	{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}	{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37B5967E-6754-44cd-81CE-3EB682A0586D}	{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E20ED4F-2177-490c-81D2-BD619A6E26C4}\stubpath = "C:\\Windows\\{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe"	{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBA54570-EFB2-4b5d-8D2D-B30246A2EFE5}	{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBA54570-EFB2-4b5d-8D2D-B30246A2EFE5}\stubpath = "C:\\Windows\\{DBA54570-EFB2-4b5d-8D2D-B30246A2EFE5}.exe"	{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{617A1CE1-B4FD-41f8-9B80-92D9FE18100F}	{7E1966D3-84D2-4eca-AD9E-A072D53DB03C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD3D90A5-57B9-4c06-B219-3E1D37F6EF7E}\stubpath = "C:\\Windows\\{CD3D90A5-57B9-4c06-B219-3E1D37F6EF7E}.exe"	{617A1CE1-B4FD-41f8-9B80-92D9FE18100F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9BD4A95-BB5B-435f-816D-1612B6E10B85}	2023-08-26_36056fe2e4a63a7771604c41181e2582_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}\stubpath = "C:\\Windows\\{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe"	{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37B5967E-6754-44cd-81CE-3EB682A0586D}\stubpath = "C:\\Windows\\{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe"	{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73DFD81D-37C8-4fd0-B275-C64654E92543}\stubpath = "C:\\Windows\\{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe"	{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E20ED4F-2177-490c-81D2-BD619A6E26C4}	{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E1966D3-84D2-4eca-AD9E-A072D53DB03C}	{DBA54570-EFB2-4b5d-8D2D-B30246A2EFE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E1966D3-84D2-4eca-AD9E-A072D53DB03C}\stubpath = "C:\\Windows\\{7E1966D3-84D2-4eca-AD9E-A072D53DB03C}.exe"	{DBA54570-EFB2-4b5d-8D2D-B30246A2EFE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD3D90A5-57B9-4c06-B219-3E1D37F6EF7E}	{617A1CE1-B4FD-41f8-9B80-92D9FE18100F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9BD4A95-BB5B-435f-816D-1612B6E10B85}\stubpath = "C:\\Windows\\{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe"	2023-08-26_36056fe2e4a63a7771604c41181e2582_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18EFBCC3-EE63-41ec-A681-5019962EC6EB}\stubpath = "C:\\Windows\\{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe"	{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe

Deletes itself 1 IoCs

pid	Process
2264	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2140	{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe
2652	{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe
2996	{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe
2116	{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe
2496	{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe
3064	{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe
2480	{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe
2956	{DBA54570-EFB2-4b5d-8D2D-B30246A2EFE5}.exe
2540	{7E1966D3-84D2-4eca-AD9E-A072D53DB03C}.exe
2300	{617A1CE1-B4FD-41f8-9B80-92D9FE18100F}.exe
1700	{CD3D90A5-57B9-4c06-B219-3E1D37F6EF7E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe	{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe
File created	C:\Windows\{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe	{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe
File created	C:\Windows\{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe	{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe
File created	C:\Windows\{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe	{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe
File created	C:\Windows\{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe	{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe
File created	C:\Windows\{CD3D90A5-57B9-4c06-B219-3E1D37F6EF7E}.exe	{617A1CE1-B4FD-41f8-9B80-92D9FE18100F}.exe
File created	C:\Windows\{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe	2023-08-26_36056fe2e4a63a7771604c41181e2582_goldeneye_JC.exe
File created	C:\Windows\{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe	{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe
File created	C:\Windows\{DBA54570-EFB2-4b5d-8D2D-B30246A2EFE5}.exe	{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe
File created	C:\Windows\{7E1966D3-84D2-4eca-AD9E-A072D53DB03C}.exe	{DBA54570-EFB2-4b5d-8D2D-B30246A2EFE5}.exe
File created	C:\Windows\{617A1CE1-B4FD-41f8-9B80-92D9FE18100F}.exe	{7E1966D3-84D2-4eca-AD9E-A072D53DB03C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	2023-08-26_36056fe2e4a63a7771604c41181e2582_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2140	{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe
Token: SeIncBasePriorityPrivilege	2652	{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe
Token: SeIncBasePriorityPrivilege	2996	{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe
Token: SeIncBasePriorityPrivilege	2116	{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe
Token: SeIncBasePriorityPrivilege	2496	{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe
Token: SeIncBasePriorityPrivilege	3064	{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe
Token: SeIncBasePriorityPrivilege	2480	{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe
Token: SeIncBasePriorityPrivilege	2956	{DBA54570-EFB2-4b5d-8D2D-B30246A2EFE5}.exe
Token: SeIncBasePriorityPrivilege	2540	{7E1966D3-84D2-4eca-AD9E-A072D53DB03C}.exe
Token: SeIncBasePriorityPrivilege	2300	{617A1CE1-B4FD-41f8-9B80-92D9FE18100F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2140	2356	2023-08-26_36056fe2e4a63a7771604c41181e2582_goldeneye_JC.exe	28
PID 2356 wrote to memory of 2140	2356	2023-08-26_36056fe2e4a63a7771604c41181e2582_goldeneye_JC.exe	28
PID 2356 wrote to memory of 2140	2356	2023-08-26_36056fe2e4a63a7771604c41181e2582_goldeneye_JC.exe	28
PID 2356 wrote to memory of 2140	2356	2023-08-26_36056fe2e4a63a7771604c41181e2582_goldeneye_JC.exe	28
PID 2356 wrote to memory of 2264	2356	2023-08-26_36056fe2e4a63a7771604c41181e2582_goldeneye_JC.exe	29
PID 2356 wrote to memory of 2264	2356	2023-08-26_36056fe2e4a63a7771604c41181e2582_goldeneye_JC.exe	29
PID 2356 wrote to memory of 2264	2356	2023-08-26_36056fe2e4a63a7771604c41181e2582_goldeneye_JC.exe	29
PID 2356 wrote to memory of 2264	2356	2023-08-26_36056fe2e4a63a7771604c41181e2582_goldeneye_JC.exe	29
PID 2140 wrote to memory of 2652	2140	{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe	30
PID 2140 wrote to memory of 2652	2140	{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe	30
PID 2140 wrote to memory of 2652	2140	{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe	30
PID 2140 wrote to memory of 2652	2140	{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe	30
PID 2140 wrote to memory of 2716	2140	{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe	31
PID 2140 wrote to memory of 2716	2140	{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe	31
PID 2140 wrote to memory of 2716	2140	{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe	31
PID 2140 wrote to memory of 2716	2140	{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe	31
PID 2652 wrote to memory of 2996	2652	{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe	32
PID 2652 wrote to memory of 2996	2652	{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe	32
PID 2652 wrote to memory of 2996	2652	{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe	32
PID 2652 wrote to memory of 2996	2652	{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe	32
PID 2652 wrote to memory of 1968	2652	{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe	33
PID 2652 wrote to memory of 1968	2652	{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe	33
PID 2652 wrote to memory of 1968	2652	{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe	33
PID 2652 wrote to memory of 1968	2652	{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe	33
PID 2996 wrote to memory of 2116	2996	{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe	36
PID 2996 wrote to memory of 2116	2996	{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe	36
PID 2996 wrote to memory of 2116	2996	{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe	36
PID 2996 wrote to memory of 2116	2996	{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe	36
PID 2996 wrote to memory of 2724	2996	{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe	37
PID 2996 wrote to memory of 2724	2996	{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe	37
PID 2996 wrote to memory of 2724	2996	{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe	37
PID 2996 wrote to memory of 2724	2996	{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe	37
PID 2116 wrote to memory of 2496	2116	{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe	38
PID 2116 wrote to memory of 2496	2116	{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe	38
PID 2116 wrote to memory of 2496	2116	{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe	38
PID 2116 wrote to memory of 2496	2116	{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe	38
PID 2116 wrote to memory of 2552	2116	{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe	39
PID 2116 wrote to memory of 2552	2116	{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe	39
PID 2116 wrote to memory of 2552	2116	{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe	39
PID 2116 wrote to memory of 2552	2116	{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe	39
PID 2496 wrote to memory of 3064	2496	{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe	40
PID 2496 wrote to memory of 3064	2496	{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe	40
PID 2496 wrote to memory of 3064	2496	{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe	40
PID 2496 wrote to memory of 3064	2496	{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe	40
PID 2496 wrote to memory of 2680	2496	{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe	41
PID 2496 wrote to memory of 2680	2496	{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe	41
PID 2496 wrote to memory of 2680	2496	{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe	41
PID 2496 wrote to memory of 2680	2496	{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe	41
PID 3064 wrote to memory of 2480	3064	{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe	42
PID 3064 wrote to memory of 2480	3064	{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe	42
PID 3064 wrote to memory of 2480	3064	{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe	42
PID 3064 wrote to memory of 2480	3064	{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe	42
PID 3064 wrote to memory of 2884	3064	{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe	43
PID 3064 wrote to memory of 2884	3064	{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe	43
PID 3064 wrote to memory of 2884	3064	{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe	43
PID 3064 wrote to memory of 2884	3064	{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe	43
PID 2480 wrote to memory of 2956	2480	{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe	45
PID 2480 wrote to memory of 2956	2480	{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe	45
PID 2480 wrote to memory of 2956	2480	{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe	45
PID 2480 wrote to memory of 2956	2480	{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe	45
PID 2480 wrote to memory of 2912	2480	{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe	44
PID 2480 wrote to memory of 2912	2480	{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe	44
PID 2480 wrote to memory of 2912	2480	{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe	44
PID 2480 wrote to memory of 2912	2480	{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe	44

C:\Users\Admin\AppData\Local\Temp\2023-08-26_36056fe2e4a63a7771604c41181e2582_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_36056fe2e4a63a7771604c41181e2582_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe
  C:\Windows\{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe
    C:\Windows\{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe
      C:\Windows\{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe
        
        C:\Windows\{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe
        
        C:\Windows\{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe
        
        C:\Windows\{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe
        
        C:\Windows\{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E20E~1.EXE > nul
        9⤵
        
        PID:2912
        
        C:\Windows\{DBA54570-EFB2-4b5d-8D2D-B30246A2EFE5}.exe
        
        C:\Windows\{DBA54570-EFB2-4b5d-8D2D-B30246A2EFE5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBA54~1.EXE > nul
        10⤵
        
        PID:1696
        
        C:\Windows\{7E1966D3-84D2-4eca-AD9E-A072D53DB03C}.exe
        
        C:\Windows\{7E1966D3-84D2-4eca-AD9E-A072D53DB03C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\{617A1CE1-B4FD-41f8-9B80-92D9FE18100F}.exe
        
        C:\Windows\{617A1CE1-B4FD-41f8-9B80-92D9FE18100F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\{CD3D90A5-57B9-4c06-B219-3E1D37F6EF7E}.exe
        
        C:\Windows\{CD3D90A5-57B9-4c06-B219-3E1D37F6EF7E}.exe
        12⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{617A1~1.EXE > nul
        12⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E196~1.EXE > nul
        11⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73DFD~1.EXE > nul
        8⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BA09~1.EXE > nul
        7⤵
        
        PID:2680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37B59~1.EXE > nul
        6⤵
        
        PID:2552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC6AF~1.EXE > nul
        5⤵
        
        PID:2724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{18EFB~1.EXE > nul
      4⤵
      PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B9BD4~1.EXE > nul
    3⤵
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe

Filesize
180KB

MD5
f422efaeab189963feab7908337ae1de

SHA1
a4a8e41eed7a9c28a35623f17809e3baba3ec815

SHA256
f4f22c9d328148936cd036fbd05791d781c6662d354bff10ec20ded2d9b216a9

SHA512
1ceb13137324ca620c4e96a8ce4906cbb9208024012479a8dfc50073f9b162de41d0609ded8c9edfe12001950501a22ba1fadcbd1ce0931ac7356b8b44c97a71

Download Submit
C:\Windows\{18EFBCC3-EE63-41ec-A681-5019962EC6EB}.exe

Filesize
180KB

MD5
f422efaeab189963feab7908337ae1de

SHA1
a4a8e41eed7a9c28a35623f17809e3baba3ec815

SHA256
f4f22c9d328148936cd036fbd05791d781c6662d354bff10ec20ded2d9b216a9

SHA512
1ceb13137324ca620c4e96a8ce4906cbb9208024012479a8dfc50073f9b162de41d0609ded8c9edfe12001950501a22ba1fadcbd1ce0931ac7356b8b44c97a71

Download Submit
C:\Windows\{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe

Filesize
180KB

MD5
d2f22bcdf83606d8f44bb1028f4582e6

SHA1
e7f73cd81a83370d983c4fe10c853f3f238b9cd0

SHA256
4ebd023408ecee77e423b227e3826a5615c1c26f45537b32931f4748e63f3b42

SHA512
959d84228eb7c96a7ff5560a3a08743b55012dfd4035c469935069004a7779a58e5f868250f0d726510fa8bf5ca00930eb10fa845e00c8f8b0f9a8977b76ad7a

Download Submit
C:\Windows\{2BA099B7-40CD-4f72-B4E6-3DF68D1C2292}.exe

Filesize
180KB

MD5
d2f22bcdf83606d8f44bb1028f4582e6

SHA1
e7f73cd81a83370d983c4fe10c853f3f238b9cd0

SHA256
4ebd023408ecee77e423b227e3826a5615c1c26f45537b32931f4748e63f3b42

SHA512
959d84228eb7c96a7ff5560a3a08743b55012dfd4035c469935069004a7779a58e5f868250f0d726510fa8bf5ca00930eb10fa845e00c8f8b0f9a8977b76ad7a

Download Submit
C:\Windows\{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe

Filesize
180KB

MD5
e3075b413e920f3b26451515eeb73c00

SHA1
e9bb4188b42a85e9a9d33bc8f30c426a01e1ff15

SHA256
773741b0687f8f178daf5dde3d0f9fd93caa74d46312f0511e8fc91c6d5f84be

SHA512
6e1f3173c7214561d1f0aff33454c27c8d87335ca9b013a714c75744fcc447dd238d910ad5074c418b15164c9bbcaa4e148b7a285bb4f7541364f3c95bccf268

Download Submit
C:\Windows\{37B5967E-6754-44cd-81CE-3EB682A0586D}.exe

Filesize
180KB

MD5
e3075b413e920f3b26451515eeb73c00

SHA1
e9bb4188b42a85e9a9d33bc8f30c426a01e1ff15

SHA256
773741b0687f8f178daf5dde3d0f9fd93caa74d46312f0511e8fc91c6d5f84be

SHA512
6e1f3173c7214561d1f0aff33454c27c8d87335ca9b013a714c75744fcc447dd238d910ad5074c418b15164c9bbcaa4e148b7a285bb4f7541364f3c95bccf268

Download Submit
C:\Windows\{617A1CE1-B4FD-41f8-9B80-92D9FE18100F}.exe

Filesize
180KB

MD5
0b8c243895c6bfbe6e61ff5a9dad53bd

SHA1
34e65bc16f5cb14de0b9696be2d030c4369a59f6

SHA256
0bba169d50acf9f7fdad4b079facf9b7eb45d180ab8f84be11c6a0402337cde3

SHA512
09fe61f9b2201c48394ae92cd940388d5a1e12733f9a346384f1b3df46a998d70754ad9015289ed7013d4f8b3aa9095e045675bb44a838939041fd8ba85388f3

Download Submit
C:\Windows\{617A1CE1-B4FD-41f8-9B80-92D9FE18100F}.exe

Filesize
180KB

MD5
0b8c243895c6bfbe6e61ff5a9dad53bd

SHA1
34e65bc16f5cb14de0b9696be2d030c4369a59f6

SHA256
0bba169d50acf9f7fdad4b079facf9b7eb45d180ab8f84be11c6a0402337cde3

SHA512
09fe61f9b2201c48394ae92cd940388d5a1e12733f9a346384f1b3df46a998d70754ad9015289ed7013d4f8b3aa9095e045675bb44a838939041fd8ba85388f3

Download Submit
C:\Windows\{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe

Filesize
180KB

MD5
4326113d5eec379ba1761bcf870bd218

SHA1
d867865fc546829a6b58d6cdca237854e022ac35

SHA256
29aa232e6add2c957b62d04dbad75aac9a1be62257853126afdbd314f5228815

SHA512
d08b8ec52090ad0fe063c5c031cd7e1a49c4d4251e14d59da0bfda93937253ecb26a58567088d176dd46a306ba462958424529d9a11d0c499492bca37509034c

Download Submit
C:\Windows\{73DFD81D-37C8-4fd0-B275-C64654E92543}.exe

Filesize
180KB

MD5
4326113d5eec379ba1761bcf870bd218

SHA1
d867865fc546829a6b58d6cdca237854e022ac35

SHA256
29aa232e6add2c957b62d04dbad75aac9a1be62257853126afdbd314f5228815

SHA512
d08b8ec52090ad0fe063c5c031cd7e1a49c4d4251e14d59da0bfda93937253ecb26a58567088d176dd46a306ba462958424529d9a11d0c499492bca37509034c

Download Submit
C:\Windows\{7E1966D3-84D2-4eca-AD9E-A072D53DB03C}.exe

Filesize
180KB

MD5
ba18c9d2dc897478b2cb028f1f081f30

SHA1
f392abb8092f2bcbaafa4eab5474dc2119983085

SHA256
c0e32e1706e4a272fac77f38608eeddc34263d9da25146cba337262eb887f3cc

SHA512
5c33804a69259943438e5e2c767b6aac7e67d8107dfc7c0f941db4317c3806ba420f5d5a9fbbd2086eddc22c7e204a3291a1ec4fe00fb404cb88863049c61adf

Download Submit
C:\Windows\{7E1966D3-84D2-4eca-AD9E-A072D53DB03C}.exe

Filesize
180KB

MD5
ba18c9d2dc897478b2cb028f1f081f30

SHA1
f392abb8092f2bcbaafa4eab5474dc2119983085

SHA256
c0e32e1706e4a272fac77f38608eeddc34263d9da25146cba337262eb887f3cc

SHA512
5c33804a69259943438e5e2c767b6aac7e67d8107dfc7c0f941db4317c3806ba420f5d5a9fbbd2086eddc22c7e204a3291a1ec4fe00fb404cb88863049c61adf

Download Submit
C:\Windows\{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe

Filesize
180KB

MD5
f1c21b8ec40eabc525d85b3b244326d3

SHA1
caf1cd54edb7ceaa28a8bf659cfcb1d46151d028

SHA256
ffbecaa51470feb6c8bbfb36edfd405a32e6b09d36089127d454063fc5c7b822

SHA512
e874e49b848c10d10d2614f264e01af6e903a9f1b52b96c3940d0f9e02f2187bda9248dc7607abcae2bde3b513afafbff1f50162c18b28edc4c1266edb507cb3

Download Submit
C:\Windows\{7E20ED4F-2177-490c-81D2-BD619A6E26C4}.exe

Filesize
180KB

MD5
f1c21b8ec40eabc525d85b3b244326d3

SHA1
caf1cd54edb7ceaa28a8bf659cfcb1d46151d028

SHA256
ffbecaa51470feb6c8bbfb36edfd405a32e6b09d36089127d454063fc5c7b822

SHA512
e874e49b848c10d10d2614f264e01af6e903a9f1b52b96c3940d0f9e02f2187bda9248dc7607abcae2bde3b513afafbff1f50162c18b28edc4c1266edb507cb3

Download Submit
C:\Windows\{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe

Filesize
180KB

MD5
1eee458eaab4a4d8f7a41687bbf3fe3b

SHA1
a0dbeeb0d3d2b7b5f336a276ab56c35730ad8646

SHA256
ab9094cd878b8802e55e20af2810ca753db78c3a25419e5d80f017ac22d8960b

SHA512
d1029eac9fc9ed6d17c6a2da3eaac1e1661b89f527e2982d11843cb1b9d6072ba8e327b3454b324ff430814e2753f4b2667611356cda1e5f9a8953e283444e0e

Download Submit
C:\Windows\{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe

Filesize
180KB

MD5
1eee458eaab4a4d8f7a41687bbf3fe3b

SHA1
a0dbeeb0d3d2b7b5f336a276ab56c35730ad8646

SHA256
ab9094cd878b8802e55e20af2810ca753db78c3a25419e5d80f017ac22d8960b

SHA512
d1029eac9fc9ed6d17c6a2da3eaac1e1661b89f527e2982d11843cb1b9d6072ba8e327b3454b324ff430814e2753f4b2667611356cda1e5f9a8953e283444e0e

Download Submit
C:\Windows\{B9BD4A95-BB5B-435f-816D-1612B6E10B85}.exe

Filesize
180KB

MD5
1eee458eaab4a4d8f7a41687bbf3fe3b

SHA1
a0dbeeb0d3d2b7b5f336a276ab56c35730ad8646

SHA256
ab9094cd878b8802e55e20af2810ca753db78c3a25419e5d80f017ac22d8960b

SHA512
d1029eac9fc9ed6d17c6a2da3eaac1e1661b89f527e2982d11843cb1b9d6072ba8e327b3454b324ff430814e2753f4b2667611356cda1e5f9a8953e283444e0e

Download Submit
C:\Windows\{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe

Filesize
180KB

MD5
08873e1193a4762d4702af6466b4c8d9

SHA1
58a2497aec6eedb9a6a12a133e6fd7c5d8fde1f4

SHA256
c7b31f086131a109526f744ea3f94911e7b348d6d31f38f084655bb5371ca58a

SHA512
a2983d505d29bfb31d81b40738f097f48811a2927b6066424d83b5c24c1964332fab22b3610dd3de3de955e54ffbf963ab3942e8dfb1cec4664ffc6c0a1363c4

Download Submit
C:\Windows\{CC6AFFCF-5163-4c52-A9ED-6D844AAFF645}.exe

Filesize
180KB

MD5
08873e1193a4762d4702af6466b4c8d9

SHA1
58a2497aec6eedb9a6a12a133e6fd7c5d8fde1f4

SHA256
c7b31f086131a109526f744ea3f94911e7b348d6d31f38f084655bb5371ca58a

SHA512
a2983d505d29bfb31d81b40738f097f48811a2927b6066424d83b5c24c1964332fab22b3610dd3de3de955e54ffbf963ab3942e8dfb1cec4664ffc6c0a1363c4

Download Submit
C:\Windows\{CD3D90A5-57B9-4c06-B219-3E1D37F6EF7E}.exe

Filesize
180KB

MD5
d61c75ca7aa94c83ddd703dfdc804145

SHA1
aa62e5ee575e4d50100f796fc69d67ea38330f0b

SHA256
9e44f0fa79d9e940c66aaa5f1fcec2613214ba7a4c5d81b9df6a53e44bdd5b63

SHA512
b22fc0375ef4e936badbec0587691810632ccd3f9dea8ce4f2aa3ef08d3b8d02f1db7ea0836fbf9e8fb0decb5ba65f7cbddfaf65e780d0684f8c131c0052745a

Download Submit
C:\Windows\{DBA54570-EFB2-4b5d-8D2D-B30246A2EFE5}.exe

Filesize
180KB

MD5
e502d4589463f340a066bc6b7681dc24

SHA1
24344a0b9f532823d549b6fbaf062e25300ede3d

SHA256
48f8e5d7124cc6c4a39cedc28f552579ff4f8d959d2cbe664b0924dfcb05b2eb

SHA512
20ebfd9a0c325feb77c437daaf42cbc5c34905b033a9d6bec5cc179354e9732c17c206a3ec1cdaa23e045646c3c0033aea175f74315a74bd5b4aacdbb88b063b

Download Submit
C:\Windows\{DBA54570-EFB2-4b5d-8D2D-B30246A2EFE5}.exe

Filesize
180KB

MD5
e502d4589463f340a066bc6b7681dc24

SHA1
24344a0b9f532823d549b6fbaf062e25300ede3d

SHA256
48f8e5d7124cc6c4a39cedc28f552579ff4f8d959d2cbe664b0924dfcb05b2eb

SHA512
20ebfd9a0c325feb77c437daaf42cbc5c34905b033a9d6bec5cc179354e9732c17c206a3ec1cdaa23e045646c3c0033aea175f74315a74bd5b4aacdbb88b063b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads