76c89efd9046296fd749a4d2adefe2d25ecec24a6fc32bc9115eb3f67af2b6f1

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02-10-2023 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe
Size

180KB
MD5

424bdfb6215e11cb7f3204871f1b0f75
SHA1

563acaff34e134bb60d856795dc80e2dcc27549b
SHA256

76c89efd9046296fd749a4d2adefe2d25ecec24a6fc32bc9115eb3f67af2b6f1
SHA512

edfbe0f42d9d3c83a43e6ac0e139690cb3e9152129d85833a49147a11c0c36625d34590d275e5d77fd0db0fd48052a0b057cc84abd7388108168227bf18483cc
SSDEEP

3072:jEGh0oslfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG2l5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A372AEAA-2A12-4c4f-BD82-485C428977F5}	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}	{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83354E50-0783-44a3-8468-BE8F659F0CD2}	{2A6EB382-9B32-42fe-98B7-E2E8A1267059}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33032D4A-66CC-41ce-B632-EBC1A665E2F3}\stubpath = "C:\\Windows\\{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe"	{E644AA8A-44E2-4385-803D-C24CD177C614}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}	{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}\stubpath = "C:\\Windows\\{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe"	{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A372AEAA-2A12-4c4f-BD82-485C428977F5}\stubpath = "C:\\Windows\\{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe"	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}\stubpath = "C:\\Windows\\{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe"	{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23363E31-0548-47ff-B2C9-56E33F673FFB}\stubpath = "C:\\Windows\\{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe"	{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20B24B2D-DC24-49ac-B89C-B738D383F07B}	{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E644AA8A-44E2-4385-803D-C24CD177C614}	{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23363E31-0548-47ff-B2C9-56E33F673FFB}	{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20B24B2D-DC24-49ac-B89C-B738D383F07B}\stubpath = "C:\\Windows\\{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe"	{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0FDEA94-C7E1-4aaa-AE27-33FB1099EB7F}	{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A6EB382-9B32-42fe-98B7-E2E8A1267059}	{E0FDEA94-C7E1-4aaa-AE27-33FB1099EB7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{772142E3-0325-4089-941E-1A59817BF70B}\stubpath = "C:\\Windows\\{772142E3-0325-4089-941E-1A59817BF70B}.exe"	{83354E50-0783-44a3-8468-BE8F659F0CD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{772142E3-0325-4089-941E-1A59817BF70B}	{83354E50-0783-44a3-8468-BE8F659F0CD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E644AA8A-44E2-4385-803D-C24CD177C614}\stubpath = "C:\\Windows\\{E644AA8A-44E2-4385-803D-C24CD177C614}.exe"	{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33032D4A-66CC-41ce-B632-EBC1A665E2F3}	{E644AA8A-44E2-4385-803D-C24CD177C614}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0FDEA94-C7E1-4aaa-AE27-33FB1099EB7F}\stubpath = "C:\\Windows\\{E0FDEA94-C7E1-4aaa-AE27-33FB1099EB7F}.exe"	{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A6EB382-9B32-42fe-98B7-E2E8A1267059}\stubpath = "C:\\Windows\\{2A6EB382-9B32-42fe-98B7-E2E8A1267059}.exe"	{E0FDEA94-C7E1-4aaa-AE27-33FB1099EB7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83354E50-0783-44a3-8468-BE8F659F0CD2}\stubpath = "C:\\Windows\\{83354E50-0783-44a3-8468-BE8F659F0CD2}.exe"	{2A6EB382-9B32-42fe-98B7-E2E8A1267059}.exe

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2192	{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe
2740	{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe
3064	{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe
2688	{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe
2520	{E644AA8A-44E2-4385-803D-C24CD177C614}.exe
3044	{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe
2020	{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe
2708	{E0FDEA94-C7E1-4aaa-AE27-33FB1099EB7F}.exe
2764	{2A6EB382-9B32-42fe-98B7-E2E8A1267059}.exe
2440	{83354E50-0783-44a3-8468-BE8F659F0CD2}.exe
2256	{772142E3-0325-4089-941E-1A59817BF70B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe	{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe
File created	C:\Windows\{E644AA8A-44E2-4385-803D-C24CD177C614}.exe	{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe
File created	C:\Windows\{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe	{E644AA8A-44E2-4385-803D-C24CD177C614}.exe
File created	C:\Windows\{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe
File created	C:\Windows\{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe	{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe
File created	C:\Windows\{E0FDEA94-C7E1-4aaa-AE27-33FB1099EB7F}.exe	{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe
File created	C:\Windows\{2A6EB382-9B32-42fe-98B7-E2E8A1267059}.exe	{E0FDEA94-C7E1-4aaa-AE27-33FB1099EB7F}.exe
File created	C:\Windows\{83354E50-0783-44a3-8468-BE8F659F0CD2}.exe	{2A6EB382-9B32-42fe-98B7-E2E8A1267059}.exe
File created	C:\Windows\{772142E3-0325-4089-941E-1A59817BF70B}.exe	{83354E50-0783-44a3-8468-BE8F659F0CD2}.exe
File created	C:\Windows\{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe	{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe
File created	C:\Windows\{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe	{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2268	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2192	{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe
Token: SeIncBasePriorityPrivilege	2740	{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe
Token: SeIncBasePriorityPrivilege	3064	{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe
Token: SeIncBasePriorityPrivilege	2688	{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe
Token: SeIncBasePriorityPrivilege	2520	{E644AA8A-44E2-4385-803D-C24CD177C614}.exe
Token: SeIncBasePriorityPrivilege	3044	{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe
Token: SeIncBasePriorityPrivilege	2020	{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe
Token: SeIncBasePriorityPrivilege	2708	{E0FDEA94-C7E1-4aaa-AE27-33FB1099EB7F}.exe
Token: SeIncBasePriorityPrivilege	2764	{2A6EB382-9B32-42fe-98B7-E2E8A1267059}.exe
Token: SeIncBasePriorityPrivilege	2440	{83354E50-0783-44a3-8468-BE8F659F0CD2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2192	2268	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe	28
PID 2268 wrote to memory of 2192	2268	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe	28
PID 2268 wrote to memory of 2192	2268	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe	28
PID 2268 wrote to memory of 2192	2268	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe	28
PID 2268 wrote to memory of 2616	2268	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe	29
PID 2268 wrote to memory of 2616	2268	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe	29
PID 2268 wrote to memory of 2616	2268	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe	29
PID 2268 wrote to memory of 2616	2268	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe	29
PID 2192 wrote to memory of 2740	2192	{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe	30
PID 2192 wrote to memory of 2740	2192	{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe	30
PID 2192 wrote to memory of 2740	2192	{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe	30
PID 2192 wrote to memory of 2740	2192	{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe	30
PID 2192 wrote to memory of 2780	2192	{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe	31
PID 2192 wrote to memory of 2780	2192	{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe	31
PID 2192 wrote to memory of 2780	2192	{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe	31
PID 2192 wrote to memory of 2780	2192	{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe	31
PID 2740 wrote to memory of 3064	2740	{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe	32
PID 2740 wrote to memory of 3064	2740	{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe	32
PID 2740 wrote to memory of 3064	2740	{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe	32
PID 2740 wrote to memory of 3064	2740	{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe	32
PID 2740 wrote to memory of 2468	2740	{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe	33
PID 2740 wrote to memory of 2468	2740	{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe	33
PID 2740 wrote to memory of 2468	2740	{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe	33
PID 2740 wrote to memory of 2468	2740	{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe	33
PID 3064 wrote to memory of 2688	3064	{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe	36
PID 3064 wrote to memory of 2688	3064	{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe	36
PID 3064 wrote to memory of 2688	3064	{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe	36
PID 3064 wrote to memory of 2688	3064	{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe	36
PID 3064 wrote to memory of 2776	3064	{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe	37
PID 3064 wrote to memory of 2776	3064	{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe	37
PID 3064 wrote to memory of 2776	3064	{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe	37
PID 3064 wrote to memory of 2776	3064	{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe	37
PID 2688 wrote to memory of 2520	2688	{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe	38
PID 2688 wrote to memory of 2520	2688	{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe	38
PID 2688 wrote to memory of 2520	2688	{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe	38
PID 2688 wrote to memory of 2520	2688	{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe	38
PID 2688 wrote to memory of 2588	2688	{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe	39
PID 2688 wrote to memory of 2588	2688	{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe	39
PID 2688 wrote to memory of 2588	2688	{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe	39
PID 2688 wrote to memory of 2588	2688	{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe	39
PID 2520 wrote to memory of 3044	2520	{E644AA8A-44E2-4385-803D-C24CD177C614}.exe	40
PID 2520 wrote to memory of 3044	2520	{E644AA8A-44E2-4385-803D-C24CD177C614}.exe	40
PID 2520 wrote to memory of 3044	2520	{E644AA8A-44E2-4385-803D-C24CD177C614}.exe	40
PID 2520 wrote to memory of 3044	2520	{E644AA8A-44E2-4385-803D-C24CD177C614}.exe	40
PID 2520 wrote to memory of 2296	2520	{E644AA8A-44E2-4385-803D-C24CD177C614}.exe	41
PID 2520 wrote to memory of 2296	2520	{E644AA8A-44E2-4385-803D-C24CD177C614}.exe	41
PID 2520 wrote to memory of 2296	2520	{E644AA8A-44E2-4385-803D-C24CD177C614}.exe	41
PID 2520 wrote to memory of 2296	2520	{E644AA8A-44E2-4385-803D-C24CD177C614}.exe	41
PID 3044 wrote to memory of 2020	3044	{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe	42
PID 3044 wrote to memory of 2020	3044	{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe	42
PID 3044 wrote to memory of 2020	3044	{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe	42
PID 3044 wrote to memory of 2020	3044	{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe	42
PID 3044 wrote to memory of 2760	3044	{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe	43
PID 3044 wrote to memory of 2760	3044	{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe	43
PID 3044 wrote to memory of 2760	3044	{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe	43
PID 3044 wrote to memory of 2760	3044	{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe	43
PID 2020 wrote to memory of 2708	2020	{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe	44
PID 2020 wrote to memory of 2708	2020	{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe	44
PID 2020 wrote to memory of 2708	2020	{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe	44
PID 2020 wrote to memory of 2708	2020	{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe	44
PID 2020 wrote to memory of 2704	2020	{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe	45
PID 2020 wrote to memory of 2704	2020	{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe	45
PID 2020 wrote to memory of 2704	2020	{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe	45
PID 2020 wrote to memory of 2704	2020	{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe
  C:\Windows\{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe
    C:\Windows\{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe
      C:\Windows\{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe
        
        C:\Windows\{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\{E644AA8A-44E2-4385-803D-C24CD177C614}.exe
        
        C:\Windows\{E644AA8A-44E2-4385-803D-C24CD177C614}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe
        
        C:\Windows\{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe
        
        C:\Windows\{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\{E0FDEA94-C7E1-4aaa-AE27-33FB1099EB7F}.exe
        
        C:\Windows\{E0FDEA94-C7E1-4aaa-AE27-33FB1099EB7F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\{2A6EB382-9B32-42fe-98B7-E2E8A1267059}.exe
        
        C:\Windows\{2A6EB382-9B32-42fe-98B7-E2E8A1267059}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{83354E50-0783-44a3-8468-BE8F659F0CD2}.exe
        
        C:\Windows\{83354E50-0783-44a3-8468-BE8F659F0CD2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\{772142E3-0325-4089-941E-1A59817BF70B}.exe
        
        C:\Windows\{772142E3-0325-4089-941E-1A59817BF70B}.exe
        12⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83354~1.EXE > nul
        12⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A6EB~1.EXE > nul
        11⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0FDE~1.EXE > nul
        10⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{457BE~1.EXE > nul
        9⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33032~1.EXE > nul
        8⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E644A~1.EXE > nul
        7⤵
        
        PID:2296
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20B24~1.EXE > nul
        6⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23363~1.EXE > nul
        5⤵
        
        PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3068E~1.EXE > nul
      4⤵
      PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A372A~1.EXE > nul
    3⤵
    PID:2780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe

Filesize
180KB

MD5
473aa7eaf743a43907c195ea88aa0cd7

SHA1
fae397671954bcaff2548507c7c4d4a5a541ff38

SHA256
6b43da06a345504e60394f9ada3393c8bac052461bbdde5a212f529c9e87b76d

SHA512
fa54753a4a1962e2a99e8fe6dd9d4cabed64ab0ca97f566cce8f629501c80bff00563faa4cc339f97aecd1e5ba359c57cb18e1b5f5c258f30723e41e6136090e

Download Submit
C:\Windows\{20B24B2D-DC24-49ac-B89C-B738D383F07B}.exe

Filesize
180KB

MD5
473aa7eaf743a43907c195ea88aa0cd7

SHA1
fae397671954bcaff2548507c7c4d4a5a541ff38

SHA256
6b43da06a345504e60394f9ada3393c8bac052461bbdde5a212f529c9e87b76d

SHA512
fa54753a4a1962e2a99e8fe6dd9d4cabed64ab0ca97f566cce8f629501c80bff00563faa4cc339f97aecd1e5ba359c57cb18e1b5f5c258f30723e41e6136090e

Download Submit
C:\Windows\{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe

Filesize
180KB

MD5
a26c59baa6bac4903b09936bcd970045

SHA1
607252e54014224cc8f5bfbe6507b21bf6558e6d

SHA256
5b2e4e278f03b84e23f646af7620c4658e6d4320609d8743acb021a793fa8812

SHA512
ac55e488bda56b0c539ddc24d5b6b0562154095a0bb216227c29830d95634abf53a23c57ed391262995497d96bddde42ba80aa08cd11db33ddd4899f8ff385e9

Download Submit
C:\Windows\{23363E31-0548-47ff-B2C9-56E33F673FFB}.exe

Filesize
180KB

MD5
a26c59baa6bac4903b09936bcd970045

SHA1
607252e54014224cc8f5bfbe6507b21bf6558e6d

SHA256
5b2e4e278f03b84e23f646af7620c4658e6d4320609d8743acb021a793fa8812

SHA512
ac55e488bda56b0c539ddc24d5b6b0562154095a0bb216227c29830d95634abf53a23c57ed391262995497d96bddde42ba80aa08cd11db33ddd4899f8ff385e9

Download Submit
C:\Windows\{2A6EB382-9B32-42fe-98B7-E2E8A1267059}.exe

Filesize
180KB

MD5
fc9d9878454a57e6ea389cf6f2197adb

SHA1
d2e28f27ed06ccd2ea6c58a84fb0fc4fb9bdf20f

SHA256
082d52d4f4162ace1d598ce01c63219db0edd9ad940e5da0967556166bdd593a

SHA512
89b76496a7d89e4c3f2c7d7972fa1572ea323159b9ddfe419ebfd52be63d1e08b9ec8b409868e387febabf090789e0e652e7ea668109acf4ff1d2325082cf914

Download Submit
C:\Windows\{2A6EB382-9B32-42fe-98B7-E2E8A1267059}.exe

Filesize
180KB

MD5
fc9d9878454a57e6ea389cf6f2197adb

SHA1
d2e28f27ed06ccd2ea6c58a84fb0fc4fb9bdf20f

SHA256
082d52d4f4162ace1d598ce01c63219db0edd9ad940e5da0967556166bdd593a

SHA512
89b76496a7d89e4c3f2c7d7972fa1572ea323159b9ddfe419ebfd52be63d1e08b9ec8b409868e387febabf090789e0e652e7ea668109acf4ff1d2325082cf914

Download Submit
C:\Windows\{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe

Filesize
180KB

MD5
5559abc48d7180254fd8bd0bebdcf7da

SHA1
b23e9dcdc0af2531040df81beef363c990cf3991

SHA256
1935fc7d664b4f839e3f8b3a892155140d558205128707367d2c6aaca9e55f5c

SHA512
4a97383a6bb1ca7d165431c8b4d42903c0f609a83b0445a0ba996a88970cd69ea081fe554147a558382bf697c6fabef3a204c2841adac6b9a399edab594f3dad

Download Submit
C:\Windows\{3068EFD4-C2C7-4322-A0CB-F700A0C3AA1F}.exe

Filesize
180KB

MD5
5559abc48d7180254fd8bd0bebdcf7da

SHA1
b23e9dcdc0af2531040df81beef363c990cf3991

SHA256
1935fc7d664b4f839e3f8b3a892155140d558205128707367d2c6aaca9e55f5c

SHA512
4a97383a6bb1ca7d165431c8b4d42903c0f609a83b0445a0ba996a88970cd69ea081fe554147a558382bf697c6fabef3a204c2841adac6b9a399edab594f3dad

Download Submit
C:\Windows\{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe

Filesize
180KB

MD5
d32d665a64d010477a54afe6000dc8b3

SHA1
ba2f8df56eead3b54f5c9d85972e22ca098e1fed

SHA256
ebf9a3e4f77c36289bfefe218d6d0ba90434336db165b7a2761fdb18a167b773

SHA512
6015413312a2dc1b81365889ced65d062663d1bae6ced7e9e29e45786a1e08df659a26310a44e07199bcb778eeebcfa481b74fb2ac7eb337f172f47547d2e980

Download Submit
C:\Windows\{33032D4A-66CC-41ce-B632-EBC1A665E2F3}.exe

Filesize
180KB

MD5
d32d665a64d010477a54afe6000dc8b3

SHA1
ba2f8df56eead3b54f5c9d85972e22ca098e1fed

SHA256
ebf9a3e4f77c36289bfefe218d6d0ba90434336db165b7a2761fdb18a167b773

SHA512
6015413312a2dc1b81365889ced65d062663d1bae6ced7e9e29e45786a1e08df659a26310a44e07199bcb778eeebcfa481b74fb2ac7eb337f172f47547d2e980

Download Submit
C:\Windows\{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe

Filesize
180KB

MD5
3a5e544601d3e786b9dc80db57545f57

SHA1
fe5590241d90cfed2a24170d4e56c6f2b02f82a4

SHA256
6d5d78418c08891ef4eef1967fd05af28e939147ba3e245f28bfec8ae43b94b2

SHA512
df09ccbd6962f10c9b14852e808f2cd3eeff86ad816cefe790dd2734792054630cfb54804c68013e2f1fb48fbf29e8d798c82be1482cf6539d091efeb59d8640

Download Submit
C:\Windows\{457BEF50-BFD1-4b9c-82E8-3BEDB9903AA4}.exe

Filesize
180KB

MD5
3a5e544601d3e786b9dc80db57545f57

SHA1
fe5590241d90cfed2a24170d4e56c6f2b02f82a4

SHA256
6d5d78418c08891ef4eef1967fd05af28e939147ba3e245f28bfec8ae43b94b2

SHA512
df09ccbd6962f10c9b14852e808f2cd3eeff86ad816cefe790dd2734792054630cfb54804c68013e2f1fb48fbf29e8d798c82be1482cf6539d091efeb59d8640

Download Submit
C:\Windows\{772142E3-0325-4089-941E-1A59817BF70B}.exe

Filesize
180KB

MD5
932acf2813d698a8daf729ef9771867e

SHA1
3a29d0ef36925387fa7d2762987cb5d14374b193

SHA256
9c5be593b1e5f630712aef9f609ac76c92c90c72fcf2e6412dcf8e62e0308fae

SHA512
972ee3da96e36cf207ff8acf4342b546c62ef34671de5046bdc578a8fec51a9acb076ab3febd34107eabf055a277e450644afbb0ff5e34577324a9cf606bdc98

Download Submit
C:\Windows\{83354E50-0783-44a3-8468-BE8F659F0CD2}.exe

Filesize
180KB

MD5
d205d30813851e1af702fec3a1d16eb4

SHA1
22442620a36d19ef9769f42792404814caedbffd

SHA256
97708c2b3689c0c2fd451ca30455b080600932b8e321d7bd3cad3fa48738f75a

SHA512
8b542d3b22ded28ad8c4739144a9530d19b9b4b131beb69afb5a2d95b49c76749a38c648a0d474eb140984c0fbd3d740c64fd8aea6c93a3146a7aeaa211f158f

Download Submit
C:\Windows\{83354E50-0783-44a3-8468-BE8F659F0CD2}.exe

Filesize
180KB

MD5
d205d30813851e1af702fec3a1d16eb4

SHA1
22442620a36d19ef9769f42792404814caedbffd

SHA256
97708c2b3689c0c2fd451ca30455b080600932b8e321d7bd3cad3fa48738f75a

SHA512
8b542d3b22ded28ad8c4739144a9530d19b9b4b131beb69afb5a2d95b49c76749a38c648a0d474eb140984c0fbd3d740c64fd8aea6c93a3146a7aeaa211f158f

Download Submit
C:\Windows\{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe

Filesize
180KB

MD5
3d632ca6be02bb8732b89312b7923978

SHA1
904b646de037f10728404f7de1c1b268667e8eea

SHA256
1125076572cf7571e8baddfe0047201acb01b9bdd1be903e08615707d192e000

SHA512
57f4eb0c58bae4b61c80e4ad51e06fe8dd28bbe23d99ce3ebdeed2ed76c2e5980b1b318b4a524b7b0c7824b75441e1d696d4ee5aefc6a9e089268408098d00d4

Download Submit
C:\Windows\{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe

Filesize
180KB

MD5
3d632ca6be02bb8732b89312b7923978

SHA1
904b646de037f10728404f7de1c1b268667e8eea

SHA256
1125076572cf7571e8baddfe0047201acb01b9bdd1be903e08615707d192e000

SHA512
57f4eb0c58bae4b61c80e4ad51e06fe8dd28bbe23d99ce3ebdeed2ed76c2e5980b1b318b4a524b7b0c7824b75441e1d696d4ee5aefc6a9e089268408098d00d4

Download Submit
C:\Windows\{A372AEAA-2A12-4c4f-BD82-485C428977F5}.exe

Filesize
180KB

MD5
3d632ca6be02bb8732b89312b7923978

SHA1
904b646de037f10728404f7de1c1b268667e8eea

SHA256
1125076572cf7571e8baddfe0047201acb01b9bdd1be903e08615707d192e000

SHA512
57f4eb0c58bae4b61c80e4ad51e06fe8dd28bbe23d99ce3ebdeed2ed76c2e5980b1b318b4a524b7b0c7824b75441e1d696d4ee5aefc6a9e089268408098d00d4

Download Submit
C:\Windows\{E0FDEA94-C7E1-4aaa-AE27-33FB1099EB7F}.exe

Filesize
180KB

MD5
893ffa0456b2a8fd020a78ce3595d19d

SHA1
831976e277b43da1556e929abb1654f8db35f5f4

SHA256
aa6d96c6f58f8fd06f2e1fe1478edba6fa4858846a2f04d66ffaf3f61afd71b1

SHA512
d07992a0210bdc87c22090fdd555267df84dfb635e37ff3d15f8a4bc5f36aa2d1fff8a02d85f031ad55277dd673fc31a55d8f19858f7b18f5bde12cc5b2798f5

Download Submit
C:\Windows\{E0FDEA94-C7E1-4aaa-AE27-33FB1099EB7F}.exe

Filesize
180KB

MD5
893ffa0456b2a8fd020a78ce3595d19d

SHA1
831976e277b43da1556e929abb1654f8db35f5f4

SHA256
aa6d96c6f58f8fd06f2e1fe1478edba6fa4858846a2f04d66ffaf3f61afd71b1

SHA512
d07992a0210bdc87c22090fdd555267df84dfb635e37ff3d15f8a4bc5f36aa2d1fff8a02d85f031ad55277dd673fc31a55d8f19858f7b18f5bde12cc5b2798f5

Download Submit
C:\Windows\{E644AA8A-44E2-4385-803D-C24CD177C614}.exe

Filesize
180KB

MD5
775ee839d04a5ff8f5ac1a0766dc047d

SHA1
e770d824c7046dbe2e85ba6e5891c048c0e98e4b

SHA256
865f160c6e8af11426d866a2ec3114335b4db16f9d10352e8f0323f712aaa334

SHA512
8708c73336d11a16ba4d1d5df67705837e0a2c37c4cbb6ef65a600053e47ddd7a2bb6f0a6ab67e463484b3015e45591155beedd8e5101dcc59e78c0b18d184c6

Download Submit
C:\Windows\{E644AA8A-44E2-4385-803D-C24CD177C614}.exe

Filesize
180KB

MD5
775ee839d04a5ff8f5ac1a0766dc047d

SHA1
e770d824c7046dbe2e85ba6e5891c048c0e98e4b

SHA256
865f160c6e8af11426d866a2ec3114335b4db16f9d10352e8f0323f712aaa334

SHA512
8708c73336d11a16ba4d1d5df67705837e0a2c37c4cbb6ef65a600053e47ddd7a2bb6f0a6ab67e463484b3015e45591155beedd8e5101dcc59e78c0b18d184c6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads