8d9a11308df2ff098273591def5f96f0a3b648b9c2368d6f99efd70849d6e646

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/10/2023, 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe
Size

408KB
MD5

01de9a1d02c2505c42189d3df8943358
SHA1

1d2452fd9641069e04623dc961a86bcb8f8701f3
SHA256

8d9a11308df2ff098273591def5f96f0a3b648b9c2368d6f99efd70849d6e646
SHA512

b22c3cbf219e90f507dd40812d9a72799a7a1251b56521640638691ef08eeee97efac83bcda8471d17b277b6f873ec87beb88eb5c608eaea8aa32463174bd110
SSDEEP

3072:CEGh0osl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGSldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}	{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}\stubpath = "C:\\Windows\\{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe"	{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B739B635-B7A0-4169-89B5-ACD6961DF86A}\stubpath = "C:\\Windows\\{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe"	{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{614AF174-B8E4-488b-9286-B4EA7EFCCBC1}\stubpath = "C:\\Windows\\{614AF174-B8E4-488b-9286-B4EA7EFCCBC1}.exe"	{CAEB0603-2A7C-4163-864B-76A1FF27870E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{614AF174-B8E4-488b-9286-B4EA7EFCCBC1}	{CAEB0603-2A7C-4163-864B-76A1FF27870E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3587471E-7179-473d-9A9B-8AF832ADD419}	{614AF174-B8E4-488b-9286-B4EA7EFCCBC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3587471E-7179-473d-9A9B-8AF832ADD419}\stubpath = "C:\\Windows\\{3587471E-7179-473d-9A9B-8AF832ADD419}.exe"	{614AF174-B8E4-488b-9286-B4EA7EFCCBC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A33DF69-19C8-4f80-A1A8-760DB86FF996}	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CD96496-E7F2-4bbe-B417-032D2243AF89}\stubpath = "C:\\Windows\\{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe"	{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}\stubpath = "C:\\Windows\\{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe"	{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B739B635-B7A0-4169-89B5-ACD6961DF86A}	{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAEB0603-2A7C-4163-864B-76A1FF27870E}	{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA5FB761-0849-46c7-9A76-B6195DF31E77}\stubpath = "C:\\Windows\\{EA5FB761-0849-46c7-9A76-B6195DF31E77}.exe"	{3587471E-7179-473d-9A9B-8AF832ADD419}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}	{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAEB0603-2A7C-4163-864B-76A1FF27870E}\stubpath = "C:\\Windows\\{CAEB0603-2A7C-4163-864B-76A1FF27870E}.exe"	{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA5FB761-0849-46c7-9A76-B6195DF31E77}	{3587471E-7179-473d-9A9B-8AF832ADD419}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A33DF69-19C8-4f80-A1A8-760DB86FF996}\stubpath = "C:\\Windows\\{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe"	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}\stubpath = "C:\\Windows\\{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe"	{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CD96496-E7F2-4bbe-B417-032D2243AF89}	{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D5427BA-3259-4935-90BF-AB1D13D66C5E}	{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D5427BA-3259-4935-90BF-AB1D13D66C5E}\stubpath = "C:\\Windows\\{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe"	{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}	{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe

Deletes itself 1 IoCs

pid	Process
1480	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1868	{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe
2168	{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe
2240	{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe
2680	{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe
2520	{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe
2496	{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe
2472	{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe
3060	{CAEB0603-2A7C-4163-864B-76A1FF27870E}.exe
2824	{614AF174-B8E4-488b-9286-B4EA7EFCCBC1}.exe
2780	{3587471E-7179-473d-9A9B-8AF832ADD419}.exe
2772	{EA5FB761-0849-46c7-9A76-B6195DF31E77}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe	{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe
File created	C:\Windows\{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe	{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe
File created	C:\Windows\{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe	{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe
File created	C:\Windows\{614AF174-B8E4-488b-9286-B4EA7EFCCBC1}.exe	{CAEB0603-2A7C-4163-864B-76A1FF27870E}.exe
File created	C:\Windows\{EA5FB761-0849-46c7-9A76-B6195DF31E77}.exe	{3587471E-7179-473d-9A9B-8AF832ADD419}.exe
File created	C:\Windows\{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe
File created	C:\Windows\{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe	{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe
File created	C:\Windows\{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe	{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe
File created	C:\Windows\{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe	{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe
File created	C:\Windows\{CAEB0603-2A7C-4163-864B-76A1FF27870E}.exe	{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe
File created	C:\Windows\{3587471E-7179-473d-9A9B-8AF832ADD419}.exe	{614AF174-B8E4-488b-9286-B4EA7EFCCBC1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2440	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1868	{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe
Token: SeIncBasePriorityPrivilege	2168	{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe
Token: SeIncBasePriorityPrivilege	2240	{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe
Token: SeIncBasePriorityPrivilege	2680	{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe
Token: SeIncBasePriorityPrivilege	2520	{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe
Token: SeIncBasePriorityPrivilege	2496	{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe
Token: SeIncBasePriorityPrivilege	2472	{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe
Token: SeIncBasePriorityPrivilege	3060	{CAEB0603-2A7C-4163-864B-76A1FF27870E}.exe
Token: SeIncBasePriorityPrivilege	2824	{614AF174-B8E4-488b-9286-B4EA7EFCCBC1}.exe
Token: SeIncBasePriorityPrivilege	2780	{3587471E-7179-473d-9A9B-8AF832ADD419}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1868	2440	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe	28
PID 2440 wrote to memory of 1868	2440	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe	28
PID 2440 wrote to memory of 1868	2440	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe	28
PID 2440 wrote to memory of 1868	2440	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe	28
PID 2440 wrote to memory of 1480	2440	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe	29
PID 2440 wrote to memory of 1480	2440	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe	29
PID 2440 wrote to memory of 1480	2440	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe	29
PID 2440 wrote to memory of 1480	2440	2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe	29
PID 1868 wrote to memory of 2168	1868	{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe	30
PID 1868 wrote to memory of 2168	1868	{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe	30
PID 1868 wrote to memory of 2168	1868	{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe	30
PID 1868 wrote to memory of 2168	1868	{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe	30
PID 1868 wrote to memory of 2356	1868	{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe	31
PID 1868 wrote to memory of 2356	1868	{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe	31
PID 1868 wrote to memory of 2356	1868	{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe	31
PID 1868 wrote to memory of 2356	1868	{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe	31
PID 2168 wrote to memory of 2240	2168	{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe	33
PID 2168 wrote to memory of 2240	2168	{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe	33
PID 2168 wrote to memory of 2240	2168	{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe	33
PID 2168 wrote to memory of 2240	2168	{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe	33
PID 2168 wrote to memory of 2716	2168	{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe	32
PID 2168 wrote to memory of 2716	2168	{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe	32
PID 2168 wrote to memory of 2716	2168	{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe	32
PID 2168 wrote to memory of 2716	2168	{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe	32
PID 2240 wrote to memory of 2680	2240	{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe	36
PID 2240 wrote to memory of 2680	2240	{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe	36
PID 2240 wrote to memory of 2680	2240	{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe	36
PID 2240 wrote to memory of 2680	2240	{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe	36
PID 2240 wrote to memory of 2900	2240	{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe	37
PID 2240 wrote to memory of 2900	2240	{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe	37
PID 2240 wrote to memory of 2900	2240	{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe	37
PID 2240 wrote to memory of 2900	2240	{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe	37
PID 2680 wrote to memory of 2520	2680	{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe	38
PID 2680 wrote to memory of 2520	2680	{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe	38
PID 2680 wrote to memory of 2520	2680	{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe	38
PID 2680 wrote to memory of 2520	2680	{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe	38
PID 2680 wrote to memory of 2668	2680	{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe	39
PID 2680 wrote to memory of 2668	2680	{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe	39
PID 2680 wrote to memory of 2668	2680	{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe	39
PID 2680 wrote to memory of 2668	2680	{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe	39
PID 2520 wrote to memory of 2496	2520	{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe	41
PID 2520 wrote to memory of 2496	2520	{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe	41
PID 2520 wrote to memory of 2496	2520	{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe	41
PID 2520 wrote to memory of 2496	2520	{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe	41
PID 2520 wrote to memory of 2528	2520	{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe	40
PID 2520 wrote to memory of 2528	2520	{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe	40
PID 2520 wrote to memory of 2528	2520	{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe	40
PID 2520 wrote to memory of 2528	2520	{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe	40
PID 2496 wrote to memory of 2472	2496	{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe	43
PID 2496 wrote to memory of 2472	2496	{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe	43
PID 2496 wrote to memory of 2472	2496	{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe	43
PID 2496 wrote to memory of 2472	2496	{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe	43
PID 2496 wrote to memory of 2688	2496	{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe	42
PID 2496 wrote to memory of 2688	2496	{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe	42
PID 2496 wrote to memory of 2688	2496	{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe	42
PID 2496 wrote to memory of 2688	2496	{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe	42
PID 2472 wrote to memory of 3060	2472	{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe	45
PID 2472 wrote to memory of 3060	2472	{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe	45
PID 2472 wrote to memory of 3060	2472	{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe	45
PID 2472 wrote to memory of 3060	2472	{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe	45
PID 2472 wrote to memory of 824	2472	{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe	44
PID 2472 wrote to memory of 824	2472	{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe	44
PID 2472 wrote to memory of 824	2472	{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe	44
PID 2472 wrote to memory of 824	2472	{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe	44

C:\Users\Admin\AppData\Local\Temp\2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_01de9a1d02c2505c42189d3df8943358_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe
  C:\Windows\{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe
    C:\Windows\{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3ADD~1.EXE > nul
      4⤵
      PID:2716
  - - C:\Windows\{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe
      C:\Windows\{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Windows\{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe
        
        C:\Windows\{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe
        
        C:\Windows\{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D542~1.EXE > nul
        7⤵
        
        PID:2528
        
        C:\Windows\{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe
        
        C:\Windows\{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B1A3~1.EXE > nul
        8⤵
        
        PID:2688
        
        C:\Windows\{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe
        
        C:\Windows\{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B739B~1.EXE > nul
        9⤵
        
        PID:824
        
        C:\Windows\{CAEB0603-2A7C-4163-864B-76A1FF27870E}.exe
        
        C:\Windows\{CAEB0603-2A7C-4163-864B-76A1FF27870E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAEB0~1.EXE > nul
        10⤵
        
        PID:1584
        
        C:\Windows\{614AF174-B8E4-488b-9286-B4EA7EFCCBC1}.exe
        
        C:\Windows\{614AF174-B8E4-488b-9286-B4EA7EFCCBC1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{614AF~1.EXE > nul
        11⤵
        
        PID:1960
        
        C:\Windows\{3587471E-7179-473d-9A9B-8AF832ADD419}.exe
        
        C:\Windows\{3587471E-7179-473d-9A9B-8AF832ADD419}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35874~1.EXE > nul
        12⤵
        
        PID:536
        
        C:\Windows\{EA5FB761-0849-46c7-9A76-B6195DF31E77}.exe
        
        C:\Windows\{EA5FB761-0849-46c7-9A76-B6195DF31E77}.exe
        12⤵
        Executes dropped EXE
        
        PID:2772
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CD96~1.EXE > nul
        6⤵
        
        PID:2668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDE23~1.EXE > nul
        5⤵
        
        PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0A33D~1.EXE > nul
    3⤵
    PID:2356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe

Filesize
408KB

MD5
8e46aac6bfa0dea86728062613e4db40

SHA1
249f9c19b7f346887c07b59cf7cce6830c9a44de

SHA256
9ba2dcff411cc73f2da192313803327e79a39cfc018c889d111205658ab31b0f

SHA512
a7dc9444d89aa29768acd5b2431a58784f665a16c521aa9510d5d467253db905b1bc5ddeea17a285db7e4254c5b43f5ae89432d4347084ec230d4197fa2a07e2

Download Submit
C:\Windows\{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe

Filesize
408KB

MD5
8e46aac6bfa0dea86728062613e4db40

SHA1
249f9c19b7f346887c07b59cf7cce6830c9a44de

SHA256
9ba2dcff411cc73f2da192313803327e79a39cfc018c889d111205658ab31b0f

SHA512
a7dc9444d89aa29768acd5b2431a58784f665a16c521aa9510d5d467253db905b1bc5ddeea17a285db7e4254c5b43f5ae89432d4347084ec230d4197fa2a07e2

Download Submit
C:\Windows\{0A33DF69-19C8-4f80-A1A8-760DB86FF996}.exe

Filesize
408KB

MD5
8e46aac6bfa0dea86728062613e4db40

SHA1
249f9c19b7f346887c07b59cf7cce6830c9a44de

SHA256
9ba2dcff411cc73f2da192313803327e79a39cfc018c889d111205658ab31b0f

SHA512
a7dc9444d89aa29768acd5b2431a58784f665a16c521aa9510d5d467253db905b1bc5ddeea17a285db7e4254c5b43f5ae89432d4347084ec230d4197fa2a07e2

Download Submit
C:\Windows\{3587471E-7179-473d-9A9B-8AF832ADD419}.exe

Filesize
408KB

MD5
d53b79a1ae828d4adf557df272606074

SHA1
3de03c533a18d11d05ee4ab8c6721bfc6233c510

SHA256
926dc1574905968d0aff6718dcbba625343ab77b7df874cc7d0dfef04f5eb09f

SHA512
ecba37d77d8de4e343b947cc119c6db117172fcc76d8543d1eb921bca3acb78afa3f6a229f2f5f01700ca5c3f80e3721a45cbed6f813a4d23ff3933eacff4d05

Download Submit
C:\Windows\{3587471E-7179-473d-9A9B-8AF832ADD419}.exe

Filesize
408KB

MD5
d53b79a1ae828d4adf557df272606074

SHA1
3de03c533a18d11d05ee4ab8c6721bfc6233c510

SHA256
926dc1574905968d0aff6718dcbba625343ab77b7df874cc7d0dfef04f5eb09f

SHA512
ecba37d77d8de4e343b947cc119c6db117172fcc76d8543d1eb921bca3acb78afa3f6a229f2f5f01700ca5c3f80e3721a45cbed6f813a4d23ff3933eacff4d05

Download Submit
C:\Windows\{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe

Filesize
408KB

MD5
a3229a6cdaac26d1fc889b274fb9499e

SHA1
57362c7af748964d67667187e011d5685bb966c2

SHA256
b6211e1165cf38941e728781cbda355c513a729f14b0ecc0da571ced370bed2f

SHA512
748a160cf33750b2a10fabea381bc7fdbdc4e77ad4d8e30885dfb2c617953851f3e7f2d5b8f779827a6f78e6e990e517cc7387b8c414e5ce380e1f1677a6e68f

Download Submit
C:\Windows\{4D5427BA-3259-4935-90BF-AB1D13D66C5E}.exe

Filesize
408KB

MD5
a3229a6cdaac26d1fc889b274fb9499e

SHA1
57362c7af748964d67667187e011d5685bb966c2

SHA256
b6211e1165cf38941e728781cbda355c513a729f14b0ecc0da571ced370bed2f

SHA512
748a160cf33750b2a10fabea381bc7fdbdc4e77ad4d8e30885dfb2c617953851f3e7f2d5b8f779827a6f78e6e990e517cc7387b8c414e5ce380e1f1677a6e68f

Download Submit
C:\Windows\{614AF174-B8E4-488b-9286-B4EA7EFCCBC1}.exe

Filesize
408KB

MD5
44e83047ca39cf86dd2bce681490322e

SHA1
767a558016834b25f03409df4a69895224e77878

SHA256
f633fe05c1c3bffe6336e0cf2247b02c8d05aeae2334935b800925f5d83e5464

SHA512
ca76c0a2ddb220638903cdb9fb6f7f2173180adbd77910f1df84e719c9ef90010e9a295b91075b658242956857919d1b5b710e2a524172ebb754aa097e65c030

Download Submit
C:\Windows\{614AF174-B8E4-488b-9286-B4EA7EFCCBC1}.exe

Filesize
408KB

MD5
44e83047ca39cf86dd2bce681490322e

SHA1
767a558016834b25f03409df4a69895224e77878

SHA256
f633fe05c1c3bffe6336e0cf2247b02c8d05aeae2334935b800925f5d83e5464

SHA512
ca76c0a2ddb220638903cdb9fb6f7f2173180adbd77910f1df84e719c9ef90010e9a295b91075b658242956857919d1b5b710e2a524172ebb754aa097e65c030

Download Submit
C:\Windows\{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe

Filesize
408KB

MD5
b72c8f59369c7935af40b1a3eab70084

SHA1
a885477176733d40310979920b6830da345303df

SHA256
a236a2a782cfcb1f6acc37a2245b334ccb643fb1255f5f2a7e0fa7e655b413ac

SHA512
e8940512ff1b0790329a538b510431a32b71e5d8447a0f4d0dbc6cab820e45e01c0da2279c86d8995b821063f12111f157d812c2e93cc54c4a2404ddf864197f

Download Submit
C:\Windows\{8CD96496-E7F2-4bbe-B417-032D2243AF89}.exe

Filesize
408KB

MD5
b72c8f59369c7935af40b1a3eab70084

SHA1
a885477176733d40310979920b6830da345303df

SHA256
a236a2a782cfcb1f6acc37a2245b334ccb643fb1255f5f2a7e0fa7e655b413ac

SHA512
e8940512ff1b0790329a538b510431a32b71e5d8447a0f4d0dbc6cab820e45e01c0da2279c86d8995b821063f12111f157d812c2e93cc54c4a2404ddf864197f

Download Submit
C:\Windows\{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe

Filesize
408KB

MD5
85ec1e9f03f9af2af1088e703c6d1a69

SHA1
9a73c6e7b5b1470e8f8232365c9f10020e8355c1

SHA256
a85462af073883d27c8dd1d22daf4cf5d883d10b0676d5733ecc3ba317447ccd

SHA512
acb29215643d440b37ec7af99187752d65fc6a5a22584878490eb6488314c0f661fc6306632a8809a4c14a78ef087043e25efe1fa82ff2641ca86c1746dfc920

Download Submit
C:\Windows\{9B1A3088-7485-499e-A5A6-BA4E7BD0EFB6}.exe

Filesize
408KB

MD5
85ec1e9f03f9af2af1088e703c6d1a69

SHA1
9a73c6e7b5b1470e8f8232365c9f10020e8355c1

SHA256
a85462af073883d27c8dd1d22daf4cf5d883d10b0676d5733ecc3ba317447ccd

SHA512
acb29215643d440b37ec7af99187752d65fc6a5a22584878490eb6488314c0f661fc6306632a8809a4c14a78ef087043e25efe1fa82ff2641ca86c1746dfc920

Download Submit
C:\Windows\{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe

Filesize
408KB

MD5
83fb7cd55d276de184803ef3914a918f

SHA1
1a6fda164832eec435f05d1ace1d21d2d023e7a6

SHA256
46ab01212134088148df3fb6eaa364c86a808bb94c6ccd9f61b0c7372cc4c300

SHA512
5d101339da5ddc2421c61d2f86cb89d176be74d8f3d82b060987240bfd6d025f1c9d4e07fcde3dd79dc333b05e013d2d769affcf33396c14e66adb45a04f2655

Download Submit
C:\Windows\{B3ADD8A2-32F9-4830-B0DA-7EE1784E21FD}.exe

Filesize
408KB

MD5
83fb7cd55d276de184803ef3914a918f

SHA1
1a6fda164832eec435f05d1ace1d21d2d023e7a6

SHA256
46ab01212134088148df3fb6eaa364c86a808bb94c6ccd9f61b0c7372cc4c300

SHA512
5d101339da5ddc2421c61d2f86cb89d176be74d8f3d82b060987240bfd6d025f1c9d4e07fcde3dd79dc333b05e013d2d769affcf33396c14e66adb45a04f2655

Download Submit
C:\Windows\{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe

Filesize
408KB

MD5
70007b4a0bc5d66599631b680f955558

SHA1
64cf042533a96570cf9b1996d42f592ddea55e5f

SHA256
ac1f1afddcc3da43962c05430dad9e12c907e28cc9c5fa6331ba23de0c703828

SHA512
9a15b34efdcc3211501d7b65f9eb8bf53c1b5dd6568c214341ed6482cd84c753c28611428efd6f7c6c4e954acce54575b530828125297e36452f79849d1fef86

Download Submit
C:\Windows\{B739B635-B7A0-4169-89B5-ACD6961DF86A}.exe

Filesize
408KB

MD5
70007b4a0bc5d66599631b680f955558

SHA1
64cf042533a96570cf9b1996d42f592ddea55e5f

SHA256
ac1f1afddcc3da43962c05430dad9e12c907e28cc9c5fa6331ba23de0c703828

SHA512
9a15b34efdcc3211501d7b65f9eb8bf53c1b5dd6568c214341ed6482cd84c753c28611428efd6f7c6c4e954acce54575b530828125297e36452f79849d1fef86

Download Submit
C:\Windows\{CAEB0603-2A7C-4163-864B-76A1FF27870E}.exe

Filesize
408KB

MD5
3ea07b7948fe503206293b14e31f4796

SHA1
9e9ec4a9fed846f0676b57fa51b5762c4c9d3e97

SHA256
67b00764d68dc06ddfab928f6bb23df89e819fe44e58e944cff2390d1fb65212

SHA512
c41f5cf0341202d5022761a2fea4ffd8c54cb2a65ea81322a57f1da0c3d66045728ef7d90ca8e178e3ac0b3d8f81b28ace4a1a206274a4026e12eed1b8f415c9

Download Submit
C:\Windows\{CAEB0603-2A7C-4163-864B-76A1FF27870E}.exe

Filesize
408KB

MD5
3ea07b7948fe503206293b14e31f4796

SHA1
9e9ec4a9fed846f0676b57fa51b5762c4c9d3e97

SHA256
67b00764d68dc06ddfab928f6bb23df89e819fe44e58e944cff2390d1fb65212

SHA512
c41f5cf0341202d5022761a2fea4ffd8c54cb2a65ea81322a57f1da0c3d66045728ef7d90ca8e178e3ac0b3d8f81b28ace4a1a206274a4026e12eed1b8f415c9

Download Submit
C:\Windows\{EA5FB761-0849-46c7-9A76-B6195DF31E77}.exe

Filesize
408KB

MD5
3d65976c8a16afc7b9e76e4d81b19a54

SHA1
3c2a2dc87e67b330817787d8575bb9e2d6b30c86

SHA256
4cb72272f7cdf4c52e1ff76b2d6a5509dc48a5f52e46e4b4c3789abee0f3f048

SHA512
ab924c781adb4853cb8c734b27a38e8838269d303549b73d767a5bcddaccfff61ed85839a6a4262f912f3b754300c04184afccd1d18a855c73281f1e8e465dc3

Download Submit
C:\Windows\{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe

Filesize
408KB

MD5
f3e75162a19dfea5fe768e90f39a126d

SHA1
48d0958e0800c91aa650bde54566659280c28929

SHA256
ea27ec43f68f7435d2816d63da6a74db4e8a9fa75ac608e3973b3da1069ca52a

SHA512
d93af8175f8d6bcc22b6b2ec10cf817d1e5fc617ea60710ecd41040c7770554eba0eeab1a0c837338df55d49fcf972b079bc1ef689489c9a93d0f2049d9322a5

Download Submit
C:\Windows\{FDE230F2-BD6F-4e49-BC31-C11CA580EC2E}.exe

Filesize
408KB

MD5
f3e75162a19dfea5fe768e90f39a126d

SHA1
48d0958e0800c91aa650bde54566659280c28929

SHA256
ea27ec43f68f7435d2816d63da6a74db4e8a9fa75ac608e3973b3da1069ca52a

SHA512
d93af8175f8d6bcc22b6b2ec10cf817d1e5fc617ea60710ecd41040c7770554eba0eeab1a0c837338df55d49fcf972b079bc1ef689489c9a93d0f2049d9322a5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads