cdb93bbfcdbbcb77ece19bae42a7af9ad532dc33cc59b0a7466bbba1430e26e7

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02-10-2023 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe
Size

408KB
MD5

3ee20f55e75bccf290bd1b81fdb78598
SHA1

a04085d08f771523573c711fb83aa70d8e59d8f6
SHA256

cdb93bbfcdbbcb77ece19bae42a7af9ad532dc33cc59b0a7466bbba1430e26e7
SHA512

3bc4b5dafa6c1adbab976d67a1ea636c3cbea615877c8b56122721584eaceb5114321cf747b0dec7ee822757576ad9fa7e73682ad7a14d542e58e06757e0f097
SSDEEP

3072:CEGh0oHl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGhldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}\stubpath = "C:\\Windows\\{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe"	{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C6B87A-6D5C-4383-92E3-69854976D09C}	{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C63857E0-B421-4e30-8D20-CFB727D0D32B}\stubpath = "C:\\Windows\\{C63857E0-B421-4e30-8D20-CFB727D0D32B}.exe"	{64C6B87A-6D5C-4383-92E3-69854976D09C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BE3CEB7-2FE5-4105-A7EF-2AED5C973DF0}	{936B0BFB-0792-4dd8-A063-5E29D6B43DCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BE3CEB7-2FE5-4105-A7EF-2AED5C973DF0}\stubpath = "C:\\Windows\\{4BE3CEB7-2FE5-4105-A7EF-2AED5C973DF0}.exe"	{936B0BFB-0792-4dd8-A063-5E29D6B43DCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}	{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}	{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{022F066C-93F0-4d70-A15F-30E19681EE2C}\stubpath = "C:\\Windows\\{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe"	{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64C6B87A-6D5C-4383-92E3-69854976D09C}\stubpath = "C:\\Windows\\{64C6B87A-6D5C-4383-92E3-69854976D09C}.exe"	{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}	{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}\stubpath = "C:\\Windows\\{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe"	{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}\stubpath = "C:\\Windows\\{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe"	{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}	{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C63857E0-B421-4e30-8D20-CFB727D0D32B}	{64C6B87A-6D5C-4383-92E3-69854976D09C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}\stubpath = "C:\\Windows\\{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe"	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}\stubpath = "C:\\Windows\\{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe"	{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}\stubpath = "C:\\Windows\\{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe"	{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{022F066C-93F0-4d70-A15F-30E19681EE2C}	{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{936B0BFB-0792-4dd8-A063-5E29D6B43DCA}	{C63857E0-B421-4e30-8D20-CFB727D0D32B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{936B0BFB-0792-4dd8-A063-5E29D6B43DCA}\stubpath = "C:\\Windows\\{936B0BFB-0792-4dd8-A063-5E29D6B43DCA}.exe"	{C63857E0-B421-4e30-8D20-CFB727D0D32B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}	{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe

Deletes itself 1 IoCs

pid	Process
2580	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1940	{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe
2984	{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe
2892	{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe
2820	{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe
2668	{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe
2512	{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe
2960	{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe
2480	{64C6B87A-6D5C-4383-92E3-69854976D09C}.exe
528	{C63857E0-B421-4e30-8D20-CFB727D0D32B}.exe
1064	{936B0BFB-0792-4dd8-A063-5E29D6B43DCA}.exe
1048	{4BE3CEB7-2FE5-4105-A7EF-2AED5C973DF0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{936B0BFB-0792-4dd8-A063-5E29D6B43DCA}.exe	{C63857E0-B421-4e30-8D20-CFB727D0D32B}.exe
File created	C:\Windows\{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe
File created	C:\Windows\{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe	{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe
File created	C:\Windows\{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe	{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe
File created	C:\Windows\{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe	{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe
File created	C:\Windows\{64C6B87A-6D5C-4383-92E3-69854976D09C}.exe	{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe
File created	C:\Windows\{C63857E0-B421-4e30-8D20-CFB727D0D32B}.exe	{64C6B87A-6D5C-4383-92E3-69854976D09C}.exe
File created	C:\Windows\{4BE3CEB7-2FE5-4105-A7EF-2AED5C973DF0}.exe	{936B0BFB-0792-4dd8-A063-5E29D6B43DCA}.exe
File created	C:\Windows\{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe	{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe
File created	C:\Windows\{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe	{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe
File created	C:\Windows\{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe	{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1292	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1940	{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe
Token: SeIncBasePriorityPrivilege	2984	{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe
Token: SeIncBasePriorityPrivilege	2892	{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe
Token: SeIncBasePriorityPrivilege	2820	{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe
Token: SeIncBasePriorityPrivilege	2668	{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe
Token: SeIncBasePriorityPrivilege	2512	{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe
Token: SeIncBasePriorityPrivilege	2960	{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe
Token: SeIncBasePriorityPrivilege	2480	{64C6B87A-6D5C-4383-92E3-69854976D09C}.exe
Token: SeIncBasePriorityPrivilege	528	{C63857E0-B421-4e30-8D20-CFB727D0D32B}.exe
Token: SeIncBasePriorityPrivilege	1064	{936B0BFB-0792-4dd8-A063-5E29D6B43DCA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1940	1292	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe	28
PID 1292 wrote to memory of 1940	1292	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe	28
PID 1292 wrote to memory of 1940	1292	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe	28
PID 1292 wrote to memory of 1940	1292	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe	28
PID 1292 wrote to memory of 2580	1292	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe	29
PID 1292 wrote to memory of 2580	1292	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe	29
PID 1292 wrote to memory of 2580	1292	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe	29
PID 1292 wrote to memory of 2580	1292	2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe	29
PID 1940 wrote to memory of 2984	1940	{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe	30
PID 1940 wrote to memory of 2984	1940	{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe	30
PID 1940 wrote to memory of 2984	1940	{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe	30
PID 1940 wrote to memory of 2984	1940	{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe	30
PID 1940 wrote to memory of 2076	1940	{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe	31
PID 1940 wrote to memory of 2076	1940	{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe	31
PID 1940 wrote to memory of 2076	1940	{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe	31
PID 1940 wrote to memory of 2076	1940	{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe	31
PID 2984 wrote to memory of 2892	2984	{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe	34
PID 2984 wrote to memory of 2892	2984	{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe	34
PID 2984 wrote to memory of 2892	2984	{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe	34
PID 2984 wrote to memory of 2892	2984	{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe	34
PID 2984 wrote to memory of 1348	2984	{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe	35
PID 2984 wrote to memory of 1348	2984	{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe	35
PID 2984 wrote to memory of 1348	2984	{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe	35
PID 2984 wrote to memory of 1348	2984	{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe	35
PID 2892 wrote to memory of 2820	2892	{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe	36
PID 2892 wrote to memory of 2820	2892	{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe	36
PID 2892 wrote to memory of 2820	2892	{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe	36
PID 2892 wrote to memory of 2820	2892	{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe	36
PID 2892 wrote to memory of 2972	2892	{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe	37
PID 2892 wrote to memory of 2972	2892	{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe	37
PID 2892 wrote to memory of 2972	2892	{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe	37
PID 2892 wrote to memory of 2972	2892	{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe	37
PID 2820 wrote to memory of 2668	2820	{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe	38
PID 2820 wrote to memory of 2668	2820	{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe	38
PID 2820 wrote to memory of 2668	2820	{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe	38
PID 2820 wrote to memory of 2668	2820	{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe	38
PID 2820 wrote to memory of 2612	2820	{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe	39
PID 2820 wrote to memory of 2612	2820	{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe	39
PID 2820 wrote to memory of 2612	2820	{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe	39
PID 2820 wrote to memory of 2612	2820	{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe	39
PID 2668 wrote to memory of 2512	2668	{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe	40
PID 2668 wrote to memory of 2512	2668	{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe	40
PID 2668 wrote to memory of 2512	2668	{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe	40
PID 2668 wrote to memory of 2512	2668	{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe	40
PID 2668 wrote to memory of 2564	2668	{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe	41
PID 2668 wrote to memory of 2564	2668	{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe	41
PID 2668 wrote to memory of 2564	2668	{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe	41
PID 2668 wrote to memory of 2564	2668	{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe	41
PID 2512 wrote to memory of 2960	2512	{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe	43
PID 2512 wrote to memory of 2960	2512	{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe	43
PID 2512 wrote to memory of 2960	2512	{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe	43
PID 2512 wrote to memory of 2960	2512	{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe	43
PID 2512 wrote to memory of 2988	2512	{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe	42
PID 2512 wrote to memory of 2988	2512	{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe	42
PID 2512 wrote to memory of 2988	2512	{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe	42
PID 2512 wrote to memory of 2988	2512	{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe	42
PID 2960 wrote to memory of 2480	2960	{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe	44
PID 2960 wrote to memory of 2480	2960	{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe	44
PID 2960 wrote to memory of 2480	2960	{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe	44
PID 2960 wrote to memory of 2480	2960	{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe	44
PID 2960 wrote to memory of 324	2960	{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe	45
PID 2960 wrote to memory of 324	2960	{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe	45
PID 2960 wrote to memory of 324	2960	{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe	45
PID 2960 wrote to memory of 324	2960	{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_3ee20f55e75bccf290bd1b81fdb78598_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe
  C:\Windows\{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe
    C:\Windows\{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe
      C:\Windows\{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe
        
        C:\Windows\{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe
        
        C:\Windows\{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe
        
        C:\Windows\{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{022F0~1.EXE > nul
        8⤵
        
        PID:2988
        
        C:\Windows\{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe
        
        C:\Windows\{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{64C6B87A-6D5C-4383-92E3-69854976D09C}.exe
        
        C:\Windows\{64C6B87A-6D5C-4383-92E3-69854976D09C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\{C63857E0-B421-4e30-8D20-CFB727D0D32B}.exe
        
        C:\Windows\{C63857E0-B421-4e30-8D20-CFB727D0D32B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:528
        
        C:\Windows\{936B0BFB-0792-4dd8-A063-5E29D6B43DCA}.exe
        
        C:\Windows\{936B0BFB-0792-4dd8-A063-5E29D6B43DCA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\{4BE3CEB7-2FE5-4105-A7EF-2AED5C973DF0}.exe
        
        C:\Windows\{4BE3CEB7-2FE5-4105-A7EF-2AED5C973DF0}.exe
        12⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{936B0~1.EXE > nul
        12⤵
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6385~1.EXE > nul
        11⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64C6B~1.EXE > nul
        10⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E3FC~1.EXE > nul
        9⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A8D0~1.EXE > nul
        7⤵
        
        PID:2564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2CAB~1.EXE > nul
        6⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E782~1.EXE > nul
        5⤵
        
        PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C51A8~1.EXE > nul
      4⤵
      PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{231CD~1.EXE > nul
    3⤵
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe

Filesize
408KB

MD5
96655328dae88536268ce5c11ffed98c

SHA1
06d4588518aeeca801c1d59c8a1e175d7739a6e5

SHA256
6e02d4f0a7a7ccdb0d0988af25eeb82c37ad3f3793bb3915fe67223a404d6c60

SHA512
0112a50eccb8f418293a16686ad71c04d82833544a74002267d8520b091c219ebfff5be2c66fa73e1e8d297ab0f1818c962f2a3d7814b7a10aeb94b562abbf8a

Download Submit
C:\Windows\{022F066C-93F0-4d70-A15F-30E19681EE2C}.exe

Filesize
408KB

MD5
96655328dae88536268ce5c11ffed98c

SHA1
06d4588518aeeca801c1d59c8a1e175d7739a6e5

SHA256
6e02d4f0a7a7ccdb0d0988af25eeb82c37ad3f3793bb3915fe67223a404d6c60

SHA512
0112a50eccb8f418293a16686ad71c04d82833544a74002267d8520b091c219ebfff5be2c66fa73e1e8d297ab0f1818c962f2a3d7814b7a10aeb94b562abbf8a

Download Submit
C:\Windows\{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe

Filesize
408KB

MD5
f485bda74d8105642c1b1a3ae1f8d829

SHA1
620e4a3344e190420f3d5647fd7087ff2ed52406

SHA256
0222e2351d88bb80b29be586d029c3861b7083914ae1d66a03bb3d3adf96e9c3

SHA512
016a5ba735dfaf56f7491d1d8d4e27c1e4afab2e1d52a9a49262b88b99de8694b77125957227b172aea14686ffe69ac41613cec2b100aaae754e17018ed98d2a

Download Submit
C:\Windows\{1E7825CE-FF29-44d6-81AA-81AF65E13CC7}.exe

Filesize
408KB

MD5
f485bda74d8105642c1b1a3ae1f8d829

SHA1
620e4a3344e190420f3d5647fd7087ff2ed52406

SHA256
0222e2351d88bb80b29be586d029c3861b7083914ae1d66a03bb3d3adf96e9c3

SHA512
016a5ba735dfaf56f7491d1d8d4e27c1e4afab2e1d52a9a49262b88b99de8694b77125957227b172aea14686ffe69ac41613cec2b100aaae754e17018ed98d2a

Download Submit
C:\Windows\{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe

Filesize
408KB

MD5
d8ba9efe121005d412888a3c3eba4319

SHA1
1aa23cacfcbf661eac49ddfb364756c588fe3490

SHA256
5fcfaab728193cde0d9d6e9f530f287f146c9fdc5f78f2008d0a0b13e1de0616

SHA512
93575b5fd19775b7ce8835f8bb10815b55d420b73652017c12eb37686e32ed2f6339c4634865f9921b488cf5973a60ad0dfd58868a7ab9e1aab73a846f1fb85d

Download Submit
C:\Windows\{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe

Filesize
408KB

MD5
d8ba9efe121005d412888a3c3eba4319

SHA1
1aa23cacfcbf661eac49ddfb364756c588fe3490

SHA256
5fcfaab728193cde0d9d6e9f530f287f146c9fdc5f78f2008d0a0b13e1de0616

SHA512
93575b5fd19775b7ce8835f8bb10815b55d420b73652017c12eb37686e32ed2f6339c4634865f9921b488cf5973a60ad0dfd58868a7ab9e1aab73a846f1fb85d

Download Submit
C:\Windows\{231CDD5D-DEB1-4f25-870E-B9BE97C28A12}.exe

Filesize
408KB

MD5
d8ba9efe121005d412888a3c3eba4319

SHA1
1aa23cacfcbf661eac49ddfb364756c588fe3490

SHA256
5fcfaab728193cde0d9d6e9f530f287f146c9fdc5f78f2008d0a0b13e1de0616

SHA512
93575b5fd19775b7ce8835f8bb10815b55d420b73652017c12eb37686e32ed2f6339c4634865f9921b488cf5973a60ad0dfd58868a7ab9e1aab73a846f1fb85d

Download Submit
C:\Windows\{4BE3CEB7-2FE5-4105-A7EF-2AED5C973DF0}.exe

Filesize
408KB

MD5
ccf028c864f810cd2466af4a0f9c342f

SHA1
92be430528189760c70a9d060aadbe42f9eacd96

SHA256
94c4864fe13f75f2c94f4a1d234253ccc7ba550b24b1c7438b37dab3495c601a

SHA512
7229509b0683654c1eefaf12d3a2c06c5bebe7201fa6ec2b21089fb47798a95d950ebc22c4e33085f773e349f9bd2c832298a5cefb3b8f9cc58ebdfc7e97f56b

Download Submit
C:\Windows\{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe

Filesize
408KB

MD5
fd10cf6a23ac7f381cf59de7df5f2de7

SHA1
79d0e7ee5beaa112ac27781d1521ba7b09c1cd84

SHA256
fad8279b2bb8f1f557b218d3baabd935fc92bcc2343fa252fe0d9e7162f07021

SHA512
3b39e82b695b104cbe0cfa0200a8f614b8bd6c18617a953fc69a55087a64e5a5c07dd132570327d2f1b602228b80d9ead45321997c435660fa5a87ab5c493bd0

Download Submit
C:\Windows\{4E3FCC2A-66B7-40ad-B2DF-6F2E656036A6}.exe

Filesize
408KB

MD5
fd10cf6a23ac7f381cf59de7df5f2de7

SHA1
79d0e7ee5beaa112ac27781d1521ba7b09c1cd84

SHA256
fad8279b2bb8f1f557b218d3baabd935fc92bcc2343fa252fe0d9e7162f07021

SHA512
3b39e82b695b104cbe0cfa0200a8f614b8bd6c18617a953fc69a55087a64e5a5c07dd132570327d2f1b602228b80d9ead45321997c435660fa5a87ab5c493bd0

Download Submit
C:\Windows\{64C6B87A-6D5C-4383-92E3-69854976D09C}.exe

Filesize
408KB

MD5
06af7a4e28da2fc76e0b51dea85e4a79

SHA1
81b812ef267b8417601a5c69212d7d00cb5bbad3

SHA256
90d9e68e716f7ef68204c4023ecf0ca6c597bea5640bec6df860de0772cdc3cc

SHA512
8d25f5056bfde75d285a3c6ec12ab90ae183132edd4c37993b7cda9d5c7cf5d6b0163fdca861d6360dfed597a2ccf82faa577b31399ace0a12f754b626f5bd68

Download Submit
C:\Windows\{64C6B87A-6D5C-4383-92E3-69854976D09C}.exe

Filesize
408KB

MD5
06af7a4e28da2fc76e0b51dea85e4a79

SHA1
81b812ef267b8417601a5c69212d7d00cb5bbad3

SHA256
90d9e68e716f7ef68204c4023ecf0ca6c597bea5640bec6df860de0772cdc3cc

SHA512
8d25f5056bfde75d285a3c6ec12ab90ae183132edd4c37993b7cda9d5c7cf5d6b0163fdca861d6360dfed597a2ccf82faa577b31399ace0a12f754b626f5bd68

Download Submit
C:\Windows\{936B0BFB-0792-4dd8-A063-5E29D6B43DCA}.exe

Filesize
408KB

MD5
0d5f39e87c9bf540c89eaf7bd627ee94

SHA1
f03898f3c8c6ce1ee542748e9e9e1aca54f058b8

SHA256
1a26a0190f7cc1e0b09ff18c3876e6a9ace598ea09ae33f3e250b3665d5dfb76

SHA512
55cd46346326f13d8756a407b021a94cf19d5c72f90c891e82c3ab7713f192d7ddd351990bdc6e125383838ea665a94324cc8360af141e697edc9c85641a407b

Download Submit
C:\Windows\{936B0BFB-0792-4dd8-A063-5E29D6B43DCA}.exe

Filesize
408KB

MD5
0d5f39e87c9bf540c89eaf7bd627ee94

SHA1
f03898f3c8c6ce1ee542748e9e9e1aca54f058b8

SHA256
1a26a0190f7cc1e0b09ff18c3876e6a9ace598ea09ae33f3e250b3665d5dfb76

SHA512
55cd46346326f13d8756a407b021a94cf19d5c72f90c891e82c3ab7713f192d7ddd351990bdc6e125383838ea665a94324cc8360af141e697edc9c85641a407b

Download Submit
C:\Windows\{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe

Filesize
408KB

MD5
8122c85dce5fe67a169a96ec0eb0b599

SHA1
0c0181343c82f39ab5d467b1e850b7a5f301602f

SHA256
39237c1e8aef9c9fc64268f7ccbb65ff80158e3eba302c9b811fcd9f838114ef

SHA512
a8fefde8f699a9d2a0785ac784608d59ce5537ceb650e9e9a954f787eb660c0c43f127dd8db729a1661105dfd29afb630f2e3bee752a5637c6ef1139bb82db57

Download Submit
C:\Windows\{9A8D0BBB-1961-4a01-8C2D-1B91C44DFD1B}.exe

Filesize
408KB

MD5
8122c85dce5fe67a169a96ec0eb0b599

SHA1
0c0181343c82f39ab5d467b1e850b7a5f301602f

SHA256
39237c1e8aef9c9fc64268f7ccbb65ff80158e3eba302c9b811fcd9f838114ef

SHA512
a8fefde8f699a9d2a0785ac784608d59ce5537ceb650e9e9a954f787eb660c0c43f127dd8db729a1661105dfd29afb630f2e3bee752a5637c6ef1139bb82db57

Download Submit
C:\Windows\{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe

Filesize
408KB

MD5
fd8ab2664bd3698165310293b484d6d4

SHA1
d551931e90c156b14dd60753ab4b7e8f4be88f25

SHA256
1276ae1c2463fe0221bae86f8eadbf164c1eb13cad7fc43f5c854bbc659c1df0

SHA512
e8cec91dd52efa2a79282b68d410c31bf7bd6427551ca49a2a145fa282e260958802c724e47b9cbe86eddc2c95270bd05fab5d329f5c187c6fbe854f61154d54

Download Submit
C:\Windows\{C2CABB7C-6D3E-4664-AABC-603C1BC164C6}.exe

Filesize
408KB

MD5
fd8ab2664bd3698165310293b484d6d4

SHA1
d551931e90c156b14dd60753ab4b7e8f4be88f25

SHA256
1276ae1c2463fe0221bae86f8eadbf164c1eb13cad7fc43f5c854bbc659c1df0

SHA512
e8cec91dd52efa2a79282b68d410c31bf7bd6427551ca49a2a145fa282e260958802c724e47b9cbe86eddc2c95270bd05fab5d329f5c187c6fbe854f61154d54

Download Submit
C:\Windows\{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe

Filesize
408KB

MD5
236be946b4c6fbce5641b3a8d3ad2ab0

SHA1
11d8e0cff5274ff97b40007a29a6f2e5110d716b

SHA256
2ef5681c9dd0eaeacf9d54d5bb6f1fdb2e439c2ca704e58288c4eb5b813ada4a

SHA512
17bf207c938e17f88efdb8249e0d068354e1542ff82b20c44e4d2035ab257e2998dcf32ce3b436302739c7a5ad5399b46df663a9f671ba4095d7aa72035da160

Download Submit
C:\Windows\{C51A82AA-AEA8-4618-9962-0FA273DD7DF0}.exe

Filesize
408KB

MD5
236be946b4c6fbce5641b3a8d3ad2ab0

SHA1
11d8e0cff5274ff97b40007a29a6f2e5110d716b

SHA256
2ef5681c9dd0eaeacf9d54d5bb6f1fdb2e439c2ca704e58288c4eb5b813ada4a

SHA512
17bf207c938e17f88efdb8249e0d068354e1542ff82b20c44e4d2035ab257e2998dcf32ce3b436302739c7a5ad5399b46df663a9f671ba4095d7aa72035da160

Download Submit
C:\Windows\{C63857E0-B421-4e30-8D20-CFB727D0D32B}.exe

Filesize
408KB

MD5
c8bff6a3fb8986378a571e05bc48e614

SHA1
9e38c42a77cb74b76d8d9010ad017cd5e37ef04a

SHA256
4a75d160028a0b450ecd0a6cd08edd3935638dc3c224864500b15fe34e61e706

SHA512
4208e1ce80a3504a2758c4e236e1b785cbc58a9e8267568af6954ab0ca6887020732e909bf7426742f3560ba11834cee7ecbe8d52849da29a52cbbd6e0120011

Download Submit
C:\Windows\{C63857E0-B421-4e30-8D20-CFB727D0D32B}.exe

Filesize
408KB

MD5
c8bff6a3fb8986378a571e05bc48e614

SHA1
9e38c42a77cb74b76d8d9010ad017cd5e37ef04a

SHA256
4a75d160028a0b450ecd0a6cd08edd3935638dc3c224864500b15fe34e61e706

SHA512
4208e1ce80a3504a2758c4e236e1b785cbc58a9e8267568af6954ab0ca6887020732e909bf7426742f3560ba11834cee7ecbe8d52849da29a52cbbd6e0120011

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads