1d0dd6d8e4cdfcfa609f149d370d95ee3959d6acf7c28afbc033115d1acccce6

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_3c7769f4620c2f20e76606aba6e87419_goldeneye_JC.exe
Size

216KB
MD5

3c7769f4620c2f20e76606aba6e87419
SHA1

75eef44f9adf7c635324f87d06f6c13da57c42d1
SHA256

1d0dd6d8e4cdfcfa609f149d370d95ee3959d6acf7c28afbc033115d1acccce6
SHA512

656bbacd84d850e2ed8d72800ea47301fe784f31d35204cb67f5d9a14c29e91d9d81b75b14b9dc6d66e672fc695f666d6dfdf652a10f2d0e999e5ecbc10c955c
SSDEEP

3072:jEGh0oil+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGYlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C052FE6-FD8E-4779-A565-5AC08487BDEF}	2023-08-27_3c7769f4620c2f20e76606aba6e87419_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C052FE6-FD8E-4779-A565-5AC08487BDEF}\stubpath = "C:\\Windows\\{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe"	2023-08-27_3c7769f4620c2f20e76606aba6e87419_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}\stubpath = "C:\\Windows\\{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe"	{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}	{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}	{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}\stubpath = "C:\\Windows\\{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe"	{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AE271C7-BA2A-48e4-867F-6A5BD6A2C22E}	{ABB83FD5-837F-43c6-9E22-E34096ED37DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}	{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}\stubpath = "C:\\Windows\\{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe"	{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}\stubpath = "C:\\Windows\\{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe"	{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}	{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}\stubpath = "C:\\Windows\\{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe"	{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABB83FD5-837F-43c6-9E22-E34096ED37DF}	{7230B84A-FC22-4dbc-AD80-0775C98AFE73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}\stubpath = "C:\\Windows\\{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe"	{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}\stubpath = "C:\\Windows\\{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe"	{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{575E09BF-87B0-45ea-A105-8EED96F8CE60}	{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}	{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7230B84A-FC22-4dbc-AD80-0775C98AFE73}\stubpath = "C:\\Windows\\{7230B84A-FC22-4dbc-AD80-0775C98AFE73}.exe"	{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AE271C7-BA2A-48e4-867F-6A5BD6A2C22E}\stubpath = "C:\\Windows\\{5AE271C7-BA2A-48e4-867F-6A5BD6A2C22E}.exe"	{ABB83FD5-837F-43c6-9E22-E34096ED37DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}	{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{575E09BF-87B0-45ea-A105-8EED96F8CE60}\stubpath = "C:\\Windows\\{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe"	{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}	{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7230B84A-FC22-4dbc-AD80-0775C98AFE73}	{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABB83FD5-837F-43c6-9E22-E34096ED37DF}\stubpath = "C:\\Windows\\{ABB83FD5-837F-43c6-9E22-E34096ED37DF}.exe"	{7230B84A-FC22-4dbc-AD80-0775C98AFE73}.exe

Executes dropped EXE 12 IoCs

pid	Process
4268	{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe
4772	{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe
1880	{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe
1624	{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe
3840	{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe
1436	{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe
5024	{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe
1232	{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe
5080	{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe
3548	{7230B84A-FC22-4dbc-AD80-0775C98AFE73}.exe
1840	{ABB83FD5-837F-43c6-9E22-E34096ED37DF}.exe
1616	{5AE271C7-BA2A-48e4-867F-6A5BD6A2C22E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe	{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe
File created	C:\Windows\{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe	{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe
File created	C:\Windows\{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe	{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe
File created	C:\Windows\{7230B84A-FC22-4dbc-AD80-0775C98AFE73}.exe	{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe
File created	C:\Windows\{ABB83FD5-837F-43c6-9E22-E34096ED37DF}.exe	{7230B84A-FC22-4dbc-AD80-0775C98AFE73}.exe
File created	C:\Windows\{5AE271C7-BA2A-48e4-867F-6A5BD6A2C22E}.exe	{ABB83FD5-837F-43c6-9E22-E34096ED37DF}.exe
File created	C:\Windows\{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe	2023-08-27_3c7769f4620c2f20e76606aba6e87419_goldeneye_JC.exe
File created	C:\Windows\{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe	{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe
File created	C:\Windows\{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe	{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe
File created	C:\Windows\{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe	{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe
File created	C:\Windows\{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe	{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe
File created	C:\Windows\{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe	{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4960	2023-08-27_3c7769f4620c2f20e76606aba6e87419_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4268	{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe
Token: SeIncBasePriorityPrivilege	4772	{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe
Token: SeIncBasePriorityPrivilege	1880	{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe
Token: SeIncBasePriorityPrivilege	1624	{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe
Token: SeIncBasePriorityPrivilege	3840	{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe
Token: SeIncBasePriorityPrivilege	1436	{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe
Token: SeIncBasePriorityPrivilege	5024	{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe
Token: SeIncBasePriorityPrivilege	1232	{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe
Token: SeIncBasePriorityPrivilege	5080	{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe
Token: SeIncBasePriorityPrivilege	3548	{7230B84A-FC22-4dbc-AD80-0775C98AFE73}.exe
Token: SeIncBasePriorityPrivilege	1840	{ABB83FD5-837F-43c6-9E22-E34096ED37DF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 4268	4960	2023-08-27_3c7769f4620c2f20e76606aba6e87419_goldeneye_JC.exe	95
PID 4960 wrote to memory of 4268	4960	2023-08-27_3c7769f4620c2f20e76606aba6e87419_goldeneye_JC.exe	95
PID 4960 wrote to memory of 4268	4960	2023-08-27_3c7769f4620c2f20e76606aba6e87419_goldeneye_JC.exe	95
PID 4960 wrote to memory of 2832	4960	2023-08-27_3c7769f4620c2f20e76606aba6e87419_goldeneye_JC.exe	96
PID 4960 wrote to memory of 2832	4960	2023-08-27_3c7769f4620c2f20e76606aba6e87419_goldeneye_JC.exe	96
PID 4960 wrote to memory of 2832	4960	2023-08-27_3c7769f4620c2f20e76606aba6e87419_goldeneye_JC.exe	96
PID 4268 wrote to memory of 4772	4268	{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe	98
PID 4268 wrote to memory of 4772	4268	{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe	98
PID 4268 wrote to memory of 4772	4268	{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe	98
PID 4268 wrote to memory of 4368	4268	{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe	99
PID 4268 wrote to memory of 4368	4268	{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe	99
PID 4268 wrote to memory of 4368	4268	{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe	99
PID 4772 wrote to memory of 1880	4772	{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe	102
PID 4772 wrote to memory of 1880	4772	{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe	102
PID 4772 wrote to memory of 1880	4772	{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe	102
PID 4772 wrote to memory of 3544	4772	{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe	101
PID 4772 wrote to memory of 3544	4772	{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe	101
PID 4772 wrote to memory of 3544	4772	{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe	101
PID 1880 wrote to memory of 1624	1880	{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe	103
PID 1880 wrote to memory of 1624	1880	{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe	103
PID 1880 wrote to memory of 1624	1880	{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe	103
PID 1880 wrote to memory of 2120	1880	{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe	104
PID 1880 wrote to memory of 2120	1880	{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe	104
PID 1880 wrote to memory of 2120	1880	{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe	104
PID 1624 wrote to memory of 3840	1624	{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe	105
PID 1624 wrote to memory of 3840	1624	{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe	105
PID 1624 wrote to memory of 3840	1624	{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe	105
PID 1624 wrote to memory of 1748	1624	{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe	106
PID 1624 wrote to memory of 1748	1624	{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe	106
PID 1624 wrote to memory of 1748	1624	{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe	106
PID 3840 wrote to memory of 1436	3840	{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe	107
PID 3840 wrote to memory of 1436	3840	{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe	107
PID 3840 wrote to memory of 1436	3840	{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe	107
PID 3840 wrote to memory of 1332	3840	{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe	108
PID 3840 wrote to memory of 1332	3840	{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe	108
PID 3840 wrote to memory of 1332	3840	{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe	108
PID 1436 wrote to memory of 5024	1436	{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe	109
PID 1436 wrote to memory of 5024	1436	{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe	109
PID 1436 wrote to memory of 5024	1436	{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe	109
PID 1436 wrote to memory of 1984	1436	{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe	110
PID 1436 wrote to memory of 1984	1436	{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe	110
PID 1436 wrote to memory of 1984	1436	{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe	110
PID 5024 wrote to memory of 1232	5024	{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe	111
PID 5024 wrote to memory of 1232	5024	{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe	111
PID 5024 wrote to memory of 1232	5024	{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe	111
PID 5024 wrote to memory of 1564	5024	{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe	112
PID 5024 wrote to memory of 1564	5024	{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe	112
PID 5024 wrote to memory of 1564	5024	{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe	112
PID 1232 wrote to memory of 5080	1232	{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe	113
PID 1232 wrote to memory of 5080	1232	{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe	113
PID 1232 wrote to memory of 5080	1232	{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe	113
PID 1232 wrote to memory of 4196	1232	{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe	114
PID 1232 wrote to memory of 4196	1232	{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe	114
PID 1232 wrote to memory of 4196	1232	{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe	114
PID 5080 wrote to memory of 3548	5080	{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe	115
PID 5080 wrote to memory of 3548	5080	{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe	115
PID 5080 wrote to memory of 3548	5080	{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe	115
PID 5080 wrote to memory of 3608	5080	{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe	116
PID 5080 wrote to memory of 3608	5080	{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe	116
PID 5080 wrote to memory of 3608	5080	{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe	116
PID 3548 wrote to memory of 1840	3548	{7230B84A-FC22-4dbc-AD80-0775C98AFE73}.exe	117
PID 3548 wrote to memory of 1840	3548	{7230B84A-FC22-4dbc-AD80-0775C98AFE73}.exe	117
PID 3548 wrote to memory of 1840	3548	{7230B84A-FC22-4dbc-AD80-0775C98AFE73}.exe	117
PID 3548 wrote to memory of 4848	3548	{7230B84A-FC22-4dbc-AD80-0775C98AFE73}.exe	118

C:\Users\Admin\AppData\Local\Temp\2023-08-27_3c7769f4620c2f20e76606aba6e87419_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_3c7769f4620c2f20e76606aba6e87419_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe
  C:\Windows\{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe
    C:\Windows\{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DFC72~1.EXE > nul
      4⤵
      PID:3544
  - - C:\Windows\{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe
      C:\Windows\{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1880
    - - C:\Windows\{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe
        
        C:\Windows\{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Windows\{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe
        
        C:\Windows\{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe
        
        C:\Windows\{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe
        
        C:\Windows\{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe
        
        C:\Windows\{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe
        
        C:\Windows\{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\{7230B84A-FC22-4dbc-AD80-0775C98AFE73}.exe
        
        C:\Windows\{7230B84A-FC22-4dbc-AD80-0775C98AFE73}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\{ABB83FD5-837F-43c6-9E22-E34096ED37DF}.exe
        
        C:\Windows\{ABB83FD5-837F-43c6-9E22-E34096ED37DF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Windows\{5AE271C7-BA2A-48e4-867F-6A5BD6A2C22E}.exe
        
        C:\Windows\{5AE271C7-BA2A-48e4-867F-6A5BD6A2C22E}.exe
        13⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABB83~1.EXE > nul
        13⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7230B~1.EXE > nul
        12⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A51A~1.EXE > nul
        11⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3A26~1.EXE > nul
        10⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22350~1.EXE > nul
        9⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{575E0~1.EXE > nul
        8⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B05B~1.EXE > nul
        7⤵
        
        PID:1332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEC05~1.EXE > nul
        6⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59E11~1.EXE > nul
        5⤵
        
        PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9C052~1.EXE > nul
    3⤵
    PID:4368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe

Filesize
216KB

MD5
4917579fa1cea9d6e65a57bc7a991e65

SHA1
2218f1e53d8e5ec535974d965d613ea11056453b

SHA256
1c5c9077bbe223e3628511fbad364429a1ccc1f028bf0677e731cc95c30846ae

SHA512
96292d53708a6d46a25b0bbbdc8ef49568255f29910db2494a97d7e15323f313c43ae1c94e7978c92f550710f6b8ef4291ba9fc843a30ad963f4a2f11a6c0155

Download Submit
C:\Windows\{22350D3F-6B21-4aae-9C8D-0018DAAA00EE}.exe

Filesize
216KB

MD5
4917579fa1cea9d6e65a57bc7a991e65

SHA1
2218f1e53d8e5ec535974d965d613ea11056453b

SHA256
1c5c9077bbe223e3628511fbad364429a1ccc1f028bf0677e731cc95c30846ae

SHA512
96292d53708a6d46a25b0bbbdc8ef49568255f29910db2494a97d7e15323f313c43ae1c94e7978c92f550710f6b8ef4291ba9fc843a30ad963f4a2f11a6c0155

Download Submit
C:\Windows\{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe

Filesize
216KB

MD5
302d2e81a8692b15f9cc2755134bf519

SHA1
7634a0735abfecd0c0fea40e1a7495f2d291452c

SHA256
f40d4e25e82081a9d89eb96aafa8ddd7dbd125e3f94caba5e34e872efbcf5087

SHA512
62447830587cc85c7ee5f62e49f7b2828e5d180dc39ea61f3c56775e7672b4a6a5aad5a151db8b33fc37b8408b4e8128e83a00299fed58158769f27f9cf81fd8

Download Submit
C:\Windows\{2A51ADDE-ECF2-47c8-9C81-CA4FE0A4958D}.exe

Filesize
216KB

MD5
302d2e81a8692b15f9cc2755134bf519

SHA1
7634a0735abfecd0c0fea40e1a7495f2d291452c

SHA256
f40d4e25e82081a9d89eb96aafa8ddd7dbd125e3f94caba5e34e872efbcf5087

SHA512
62447830587cc85c7ee5f62e49f7b2828e5d180dc39ea61f3c56775e7672b4a6a5aad5a151db8b33fc37b8408b4e8128e83a00299fed58158769f27f9cf81fd8

Download Submit
C:\Windows\{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe

Filesize
216KB

MD5
5580aea197cb2f62da37b4deb882c3e0

SHA1
503a867c44f54197ec04298530715caa6dd47ca0

SHA256
f57c97de78ec9ee9136e0800416c3ba07a58fe31753e47d953432585e78b8a17

SHA512
1bd35cae7fc25571657c56347aefc2ae33e4ef87d337a113b21c025da62a01e04ea27c62bfa8616f13007a8557754ad3d5fc36ab2595e2b35d029ebe4edb4f85

Download Submit
C:\Windows\{4B05BBA2-E3C4-4009-BC86-947DBDE4A9A0}.exe

Filesize
216KB

MD5
5580aea197cb2f62da37b4deb882c3e0

SHA1
503a867c44f54197ec04298530715caa6dd47ca0

SHA256
f57c97de78ec9ee9136e0800416c3ba07a58fe31753e47d953432585e78b8a17

SHA512
1bd35cae7fc25571657c56347aefc2ae33e4ef87d337a113b21c025da62a01e04ea27c62bfa8616f13007a8557754ad3d5fc36ab2595e2b35d029ebe4edb4f85

Download Submit
C:\Windows\{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe

Filesize
216KB

MD5
ba1b69a2abd2b22ad4ad0ea0e6764000

SHA1
a516598b73e702aa5f93f59083f45e7505a6d2a4

SHA256
00904fb68f6490f9c185e64fbf0afb0118fc01982be15e5ad4f11fcb3ffc59fb

SHA512
f1ef0eb0dca0c1d66dcd6e7df8f523d15bf42da26e4c935c92736962fd3a2656622bebc8672447b22ff313ccd1f19a19d690947d6804afdc54a9732449a8bd09

Download Submit
C:\Windows\{575E09BF-87B0-45ea-A105-8EED96F8CE60}.exe

Filesize
216KB

MD5
ba1b69a2abd2b22ad4ad0ea0e6764000

SHA1
a516598b73e702aa5f93f59083f45e7505a6d2a4

SHA256
00904fb68f6490f9c185e64fbf0afb0118fc01982be15e5ad4f11fcb3ffc59fb

SHA512
f1ef0eb0dca0c1d66dcd6e7df8f523d15bf42da26e4c935c92736962fd3a2656622bebc8672447b22ff313ccd1f19a19d690947d6804afdc54a9732449a8bd09

Download Submit
C:\Windows\{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe

Filesize
216KB

MD5
7852a8026e1ca60ac27d1e05ccbfc333

SHA1
39d0b7e5ad9d418eb5c9cd5b7f1813e2e88cd753

SHA256
66a7e7379ab1c6a64679d66978c7df860a1a912d1d6d6995cd4b2759a128ddb0

SHA512
1295751cfd921eb847044e842217ef82bc5390ead70f3d6d912c7aa5cb0f030fad50d8fe5655067e7e75b9539c2ca2ddd284dc632b5ae6ef253aa8a60177931f

Download Submit
C:\Windows\{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe

Filesize
216KB

MD5
7852a8026e1ca60ac27d1e05ccbfc333

SHA1
39d0b7e5ad9d418eb5c9cd5b7f1813e2e88cd753

SHA256
66a7e7379ab1c6a64679d66978c7df860a1a912d1d6d6995cd4b2759a128ddb0

SHA512
1295751cfd921eb847044e842217ef82bc5390ead70f3d6d912c7aa5cb0f030fad50d8fe5655067e7e75b9539c2ca2ddd284dc632b5ae6ef253aa8a60177931f

Download Submit
C:\Windows\{59E112A1-5A52-4deb-A4FE-DC0EB1BF4494}.exe

Filesize
216KB

MD5
7852a8026e1ca60ac27d1e05ccbfc333

SHA1
39d0b7e5ad9d418eb5c9cd5b7f1813e2e88cd753

SHA256
66a7e7379ab1c6a64679d66978c7df860a1a912d1d6d6995cd4b2759a128ddb0

SHA512
1295751cfd921eb847044e842217ef82bc5390ead70f3d6d912c7aa5cb0f030fad50d8fe5655067e7e75b9539c2ca2ddd284dc632b5ae6ef253aa8a60177931f

Download Submit
C:\Windows\{5AE271C7-BA2A-48e4-867F-6A5BD6A2C22E}.exe

Filesize
216KB

MD5
0371bf147e8b3bbfae82b9a923c17125

SHA1
50568433367f66ac74a770869f522d4dd9039cc3

SHA256
f78f37ed2301480de10673ebe2e473a8943c3af416b909499f58aa549b35a803

SHA512
392acbfe278a942ee4728f4d12cd869b02ac126b638f41713ef72879f3541950f4a739a8c4dad6d13ebb44890e7e98ab4ec7daa67ee971cbd34c406847ff4be3

Download Submit
C:\Windows\{5AE271C7-BA2A-48e4-867F-6A5BD6A2C22E}.exe

Filesize
216KB

MD5
0371bf147e8b3bbfae82b9a923c17125

SHA1
50568433367f66ac74a770869f522d4dd9039cc3

SHA256
f78f37ed2301480de10673ebe2e473a8943c3af416b909499f58aa549b35a803

SHA512
392acbfe278a942ee4728f4d12cd869b02ac126b638f41713ef72879f3541950f4a739a8c4dad6d13ebb44890e7e98ab4ec7daa67ee971cbd34c406847ff4be3

Download Submit
C:\Windows\{7230B84A-FC22-4dbc-AD80-0775C98AFE73}.exe

Filesize
216KB

MD5
3f5cbf302fcab11aca02cf2617b349f3

SHA1
fea1e676865f09b2386c74026ee6c229c16c827f

SHA256
a936c738a320368d8836726635f919fd0da8c216419b3090e45039e1ec106c6f

SHA512
8c772dd4d85461dc1b21ab574623bee671537edf45386fea71fe5d39e5f3cd86e799d0fec2102514d3028839e5f812b29a953c6f5d021024ca61400502297f1a

Download Submit
C:\Windows\{7230B84A-FC22-4dbc-AD80-0775C98AFE73}.exe

Filesize
216KB

MD5
3f5cbf302fcab11aca02cf2617b349f3

SHA1
fea1e676865f09b2386c74026ee6c229c16c827f

SHA256
a936c738a320368d8836726635f919fd0da8c216419b3090e45039e1ec106c6f

SHA512
8c772dd4d85461dc1b21ab574623bee671537edf45386fea71fe5d39e5f3cd86e799d0fec2102514d3028839e5f812b29a953c6f5d021024ca61400502297f1a

Download Submit
C:\Windows\{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe

Filesize
216KB

MD5
928b5185cc530799b39b7419684eda3d

SHA1
894a86ce13e11d20495422131d55489bf2f88daa

SHA256
9c21989b8a4ec136092cdd95d9cb56f22fe06fb4c8e09d54b2b2807475b70067

SHA512
828794890e10ec019531d517b1542b67fe8063f6a887f3fa1f6417b05333a2729ec97bcaf20454eff102f3e7e92b79f67065435f2e3f1a2aa2f0e9c9e219e019

Download Submit
C:\Windows\{9C052FE6-FD8E-4779-A565-5AC08487BDEF}.exe

Filesize
216KB

MD5
928b5185cc530799b39b7419684eda3d

SHA1
894a86ce13e11d20495422131d55489bf2f88daa

SHA256
9c21989b8a4ec136092cdd95d9cb56f22fe06fb4c8e09d54b2b2807475b70067

SHA512
828794890e10ec019531d517b1542b67fe8063f6a887f3fa1f6417b05333a2729ec97bcaf20454eff102f3e7e92b79f67065435f2e3f1a2aa2f0e9c9e219e019

Download Submit
C:\Windows\{ABB83FD5-837F-43c6-9E22-E34096ED37DF}.exe

Filesize
216KB

MD5
7a57c1288dde0d07b2b16d333afac9f4

SHA1
5e39e73579ee7dc29f052e8a562d257050f440aa

SHA256
7af586c6308337e8136273c8ec55a9fec4613a2ec5da54ca2f86b894442473fa

SHA512
62c140695963c8eadddd3c3e1b88ee85c740fd8c28c80f4f203a0341271875c1e85d77f390d059e64fad8fa0a41fff5a86c601154a176e04f11659d5ac227c63

Download Submit
C:\Windows\{ABB83FD5-837F-43c6-9E22-E34096ED37DF}.exe

Filesize
216KB

MD5
7a57c1288dde0d07b2b16d333afac9f4

SHA1
5e39e73579ee7dc29f052e8a562d257050f440aa

SHA256
7af586c6308337e8136273c8ec55a9fec4613a2ec5da54ca2f86b894442473fa

SHA512
62c140695963c8eadddd3c3e1b88ee85c740fd8c28c80f4f203a0341271875c1e85d77f390d059e64fad8fa0a41fff5a86c601154a176e04f11659d5ac227c63

Download Submit
C:\Windows\{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe

Filesize
216KB

MD5
7b3b44cae4981e78e938c5c499cb7f73

SHA1
3f4984fc873fcd6f29ea6a3590ee4acc3dec85ba

SHA256
fc8b473eb77b78352d3db92b3ac23b0236d61d7fbf373e1bafc74a74428c3114

SHA512
4ccbd6df66296fa45a614a3a6155cc1c44a65d7a0203abd35b5ed875c34d41629b4f203634b0c723149a786eb50648dffa71f51edf1bad5ca94870105cc6a7c0

Download Submit
C:\Windows\{DEC0552E-6AF6-4a1a-A9CB-AB1DCE22B367}.exe

Filesize
216KB

MD5
7b3b44cae4981e78e938c5c499cb7f73

SHA1
3f4984fc873fcd6f29ea6a3590ee4acc3dec85ba

SHA256
fc8b473eb77b78352d3db92b3ac23b0236d61d7fbf373e1bafc74a74428c3114

SHA512
4ccbd6df66296fa45a614a3a6155cc1c44a65d7a0203abd35b5ed875c34d41629b4f203634b0c723149a786eb50648dffa71f51edf1bad5ca94870105cc6a7c0

Download Submit
C:\Windows\{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe

Filesize
216KB

MD5
33b4e52ce7f6729bf72b6c676d1a5a03

SHA1
7aed9e6e9c2908125e10927316f66cf5a9d34fc4

SHA256
5632534d820bac0160f9e3dbf71170c267d595ce1d30a18c7b48cc893715104a

SHA512
3fe5dc356c0a2ebcf9140d8713bbd0b99cbeb5049ceb761184e43a1088f93808bb1f2ba77a5c82719619abbed912f05987b72b268bbd00c87ad0c449970b4375

Download Submit
C:\Windows\{DFC72DDC-9E3C-44e5-80C1-2401B34F8808}.exe

Filesize
216KB

MD5
33b4e52ce7f6729bf72b6c676d1a5a03

SHA1
7aed9e6e9c2908125e10927316f66cf5a9d34fc4

SHA256
5632534d820bac0160f9e3dbf71170c267d595ce1d30a18c7b48cc893715104a

SHA512
3fe5dc356c0a2ebcf9140d8713bbd0b99cbeb5049ceb761184e43a1088f93808bb1f2ba77a5c82719619abbed912f05987b72b268bbd00c87ad0c449970b4375

Download Submit
C:\Windows\{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe

Filesize
216KB

MD5
dfa66fbf33b07a85917c349e5c10bd31

SHA1
c6d8c523c5b42c986165c6a62e7f8538e0269dab

SHA256
7f87a6b3b208d31f36e220f84a01d654d41d4fbd5e2ad78518a3455ff4b2e50a

SHA512
acd4e15f1a692f89c78912c01d0d2a89e3c661d03280ee22a848d7c814b577b57739d8d18fb885a85e2479d5c8b735384ebdbe49c339cdeb761d3439905e0a3b

Download Submit
C:\Windows\{E3A26A48-8F00-43a1-98A7-61EFEF82B5DE}.exe

Filesize
216KB

MD5
dfa66fbf33b07a85917c349e5c10bd31

SHA1
c6d8c523c5b42c986165c6a62e7f8538e0269dab

SHA256
7f87a6b3b208d31f36e220f84a01d654d41d4fbd5e2ad78518a3455ff4b2e50a

SHA512
acd4e15f1a692f89c78912c01d0d2a89e3c661d03280ee22a848d7c814b577b57739d8d18fb885a85e2479d5c8b735384ebdbe49c339cdeb761d3439905e0a3b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads