76c89efd9046296fd749a4d2adefe2d25ecec24a6fc32bc9115eb3f67af2b6f1

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe
Size

180KB
MD5

424bdfb6215e11cb7f3204871f1b0f75
SHA1

563acaff34e134bb60d856795dc80e2dcc27549b
SHA256

76c89efd9046296fd749a4d2adefe2d25ecec24a6fc32bc9115eb3f67af2b6f1
SHA512

edfbe0f42d9d3c83a43e6ac0e139690cb3e9152129d85833a49147a11c0c36625d34590d275e5d77fd0db0fd48052a0b057cc84abd7388108168227bf18483cc
SSDEEP

3072:jEGh0oslfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG2l5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}\stubpath = "C:\\Windows\\{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}.exe"	{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B5972A6-87F6-49cb-9B0D-A746690D4F33}	{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B5972A6-87F6-49cb-9B0D-A746690D4F33}\stubpath = "C:\\Windows\\{7B5972A6-87F6-49cb-9B0D-A746690D4F33}.exe"	{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46A5DB4A-FF28-4593-B215-D624E7F12FCB}	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46A5DB4A-FF28-4593-B215-D624E7F12FCB}\stubpath = "C:\\Windows\\{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe"	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49B59673-7B96-43c0-853D-EB08B80B9BDB}\stubpath = "C:\\Windows\\{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe"	{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{787ABAD4-E494-41f4-859E-AB2475976554}	{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{787ABAD4-E494-41f4-859E-AB2475976554}\stubpath = "C:\\Windows\\{787ABAD4-E494-41f4-859E-AB2475976554}.exe"	{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A1E620C-99E8-41be-8C57-697A15C4386F}	{787ABAD4-E494-41f4-859E-AB2475976554}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A1E620C-99E8-41be-8C57-697A15C4386F}\stubpath = "C:\\Windows\\{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe"	{787ABAD4-E494-41f4-859E-AB2475976554}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}	{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}\stubpath = "C:\\Windows\\{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe"	{51CF9675-8B26-423b-96E7-B7242B56145F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9F588E7-18DB-400e-99AA-88FDCE5558D3}\stubpath = "C:\\Windows\\{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe"	{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9F588E7-18DB-400e-99AA-88FDCE5558D3}	{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A965945-7F4D-4ace-A001-B7F5F03590C7}\stubpath = "C:\\Windows\\{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe"	{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71432868-EF19-429c-A3F9-F6B2CE2CD70E}	{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51CF9675-8B26-423b-96E7-B7242B56145F}\stubpath = "C:\\Windows\\{51CF9675-8B26-423b-96E7-B7242B56145F}.exe"	{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}	{51CF9675-8B26-423b-96E7-B7242B56145F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49B59673-7B96-43c0-853D-EB08B80B9BDB}	{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71432868-EF19-429c-A3F9-F6B2CE2CD70E}\stubpath = "C:\\Windows\\{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe"	{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4558D769-664C-44ee-828B-2750C6F6551F}	{7B5972A6-87F6-49cb-9B0D-A746690D4F33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4558D769-664C-44ee-828B-2750C6F6551F}\stubpath = "C:\\Windows\\{4558D769-664C-44ee-828B-2750C6F6551F}.exe"	{7B5972A6-87F6-49cb-9B0D-A746690D4F33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51CF9675-8B26-423b-96E7-B7242B56145F}	{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A965945-7F4D-4ace-A001-B7F5F03590C7}	{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe

Executes dropped EXE 12 IoCs

pid	Process
4228	{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe
2664	{51CF9675-8B26-423b-96E7-B7242B56145F}.exe
1412	{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe
4216	{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe
4556	{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe
3688	{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe
3384	{787ABAD4-E494-41f4-859E-AB2475976554}.exe
620	{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe
3552	{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe
2844	{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}.exe
4236	{7B5972A6-87F6-49cb-9B0D-A746690D4F33}.exe
4192	{4558D769-664C-44ee-828B-2750C6F6551F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{787ABAD4-E494-41f4-859E-AB2475976554}.exe	{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe
File created	C:\Windows\{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe	{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe
File created	C:\Windows\{7B5972A6-87F6-49cb-9B0D-A746690D4F33}.exe	{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}.exe
File created	C:\Windows\{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe	{51CF9675-8B26-423b-96E7-B7242B56145F}.exe
File created	C:\Windows\{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe	{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe
File created	C:\Windows\{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe	{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe
File created	C:\Windows\{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe	{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe
File created	C:\Windows\{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe	{787ABAD4-E494-41f4-859E-AB2475976554}.exe
File created	C:\Windows\{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}.exe	{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe
File created	C:\Windows\{4558D769-664C-44ee-828B-2750C6F6551F}.exe	{7B5972A6-87F6-49cb-9B0D-A746690D4F33}.exe
File created	C:\Windows\{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe
File created	C:\Windows\{51CF9675-8B26-423b-96E7-B7242B56145F}.exe	{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4660	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4228	{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe
Token: SeIncBasePriorityPrivilege	2664	{51CF9675-8B26-423b-96E7-B7242B56145F}.exe
Token: SeIncBasePriorityPrivilege	1412	{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe
Token: SeIncBasePriorityPrivilege	4216	{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe
Token: SeIncBasePriorityPrivilege	4556	{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe
Token: SeIncBasePriorityPrivilege	3688	{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe
Token: SeIncBasePriorityPrivilege	3384	{787ABAD4-E494-41f4-859E-AB2475976554}.exe
Token: SeIncBasePriorityPrivilege	620	{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe
Token: SeIncBasePriorityPrivilege	3552	{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe
Token: SeIncBasePriorityPrivilege	2844	{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}.exe
Token: SeIncBasePriorityPrivilege	4236	{7B5972A6-87F6-49cb-9B0D-A746690D4F33}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 4228	4660	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe	95
PID 4660 wrote to memory of 4228	4660	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe	95
PID 4660 wrote to memory of 4228	4660	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe	95
PID 4660 wrote to memory of 4688	4660	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe	96
PID 4660 wrote to memory of 4688	4660	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe	96
PID 4660 wrote to memory of 4688	4660	2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe	96
PID 4228 wrote to memory of 2664	4228	{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe	97
PID 4228 wrote to memory of 2664	4228	{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe	97
PID 4228 wrote to memory of 2664	4228	{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe	97
PID 4228 wrote to memory of 712	4228	{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe	98
PID 4228 wrote to memory of 712	4228	{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe	98
PID 4228 wrote to memory of 712	4228	{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe	98
PID 2664 wrote to memory of 1412	2664	{51CF9675-8B26-423b-96E7-B7242B56145F}.exe	101
PID 2664 wrote to memory of 1412	2664	{51CF9675-8B26-423b-96E7-B7242B56145F}.exe	101
PID 2664 wrote to memory of 1412	2664	{51CF9675-8B26-423b-96E7-B7242B56145F}.exe	101
PID 2664 wrote to memory of 3712	2664	{51CF9675-8B26-423b-96E7-B7242B56145F}.exe	102
PID 2664 wrote to memory of 3712	2664	{51CF9675-8B26-423b-96E7-B7242B56145F}.exe	102
PID 2664 wrote to memory of 3712	2664	{51CF9675-8B26-423b-96E7-B7242B56145F}.exe	102
PID 1412 wrote to memory of 4216	1412	{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe	103
PID 1412 wrote to memory of 4216	1412	{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe	103
PID 1412 wrote to memory of 4216	1412	{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe	103
PID 1412 wrote to memory of 3296	1412	{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe	104
PID 1412 wrote to memory of 3296	1412	{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe	104
PID 1412 wrote to memory of 3296	1412	{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe	104
PID 4216 wrote to memory of 4556	4216	{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe	105
PID 4216 wrote to memory of 4556	4216	{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe	105
PID 4216 wrote to memory of 4556	4216	{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe	105
PID 4216 wrote to memory of 1596	4216	{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe	106
PID 4216 wrote to memory of 1596	4216	{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe	106
PID 4216 wrote to memory of 1596	4216	{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe	106
PID 4556 wrote to memory of 3688	4556	{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe	108
PID 4556 wrote to memory of 3688	4556	{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe	108
PID 4556 wrote to memory of 3688	4556	{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe	108
PID 4556 wrote to memory of 2564	4556	{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe	109
PID 4556 wrote to memory of 2564	4556	{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe	109
PID 4556 wrote to memory of 2564	4556	{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe	109
PID 3688 wrote to memory of 3384	3688	{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe	110
PID 3688 wrote to memory of 3384	3688	{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe	110
PID 3688 wrote to memory of 3384	3688	{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe	110
PID 3688 wrote to memory of 3584	3688	{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe	111
PID 3688 wrote to memory of 3584	3688	{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe	111
PID 3688 wrote to memory of 3584	3688	{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe	111
PID 3384 wrote to memory of 620	3384	{787ABAD4-E494-41f4-859E-AB2475976554}.exe	114
PID 3384 wrote to memory of 620	3384	{787ABAD4-E494-41f4-859E-AB2475976554}.exe	114
PID 3384 wrote to memory of 620	3384	{787ABAD4-E494-41f4-859E-AB2475976554}.exe	114
PID 3384 wrote to memory of 1284	3384	{787ABAD4-E494-41f4-859E-AB2475976554}.exe	115
PID 3384 wrote to memory of 1284	3384	{787ABAD4-E494-41f4-859E-AB2475976554}.exe	115
PID 3384 wrote to memory of 1284	3384	{787ABAD4-E494-41f4-859E-AB2475976554}.exe	115
PID 620 wrote to memory of 3552	620	{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe	121
PID 620 wrote to memory of 3552	620	{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe	121
PID 620 wrote to memory of 3552	620	{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe	121
PID 620 wrote to memory of 4672	620	{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe	122
PID 620 wrote to memory of 4672	620	{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe	122
PID 620 wrote to memory of 4672	620	{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe	122
PID 3552 wrote to memory of 2844	3552	{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe	123
PID 3552 wrote to memory of 2844	3552	{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe	123
PID 3552 wrote to memory of 2844	3552	{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe	123
PID 3552 wrote to memory of 1676	3552	{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe	124
PID 3552 wrote to memory of 1676	3552	{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe	124
PID 3552 wrote to memory of 1676	3552	{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe	124
PID 2844 wrote to memory of 4236	2844	{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}.exe	126
PID 2844 wrote to memory of 4236	2844	{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}.exe	126
PID 2844 wrote to memory of 4236	2844	{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}.exe	126
PID 2844 wrote to memory of 940	2844	{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}.exe	127

C:\Users\Admin\AppData\Local\Temp\2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_424bdfb6215e11cb7f3204871f1b0f75_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe
  C:\Windows\{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\{51CF9675-8B26-423b-96E7-B7242B56145F}.exe
    C:\Windows\{51CF9675-8B26-423b-96E7-B7242B56145F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe
      C:\Windows\{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Windows\{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe
        
        C:\Windows\{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
      - C:\Windows\{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe
        
        C:\Windows\{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe
        
        C:\Windows\{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\{787ABAD4-E494-41f4-859E-AB2475976554}.exe
        
        C:\Windows\{787ABAD4-E494-41f4-859E-AB2475976554}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe
        
        C:\Windows\{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe
        
        C:\Windows\{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}.exe
        
        C:\Windows\{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\{7B5972A6-87F6-49cb-9B0D-A746690D4F33}.exe
        
        C:\Windows\{7B5972A6-87F6-49cb-9B0D-A746690D4F33}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
        
        C:\Windows\{4558D769-664C-44ee-828B-2750C6F6551F}.exe
        
        C:\Windows\{4558D769-664C-44ee-828B-2750C6F6551F}.exe
        13⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B597~1.EXE > nul
        13⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5338~1.EXE > nul
        12⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71432~1.EXE > nul
        11⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A1E6~1.EXE > nul
        10⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{787AB~1.EXE > nul
        9⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49B59~1.EXE > nul
        8⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A965~1.EXE > nul
        7⤵
        
        PID:2564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9F58~1.EXE > nul
        6⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98A5D~1.EXE > nul
        5⤵
        
        PID:3296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{51CF9~1.EXE > nul
      4⤵
      PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{46A5D~1.EXE > nul
    3⤵
    PID:712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe

Filesize
180KB

MD5
bf5850ea4fd58c8d36c2c736fd21b541

SHA1
607bacdd068d37891e576d63c0ae8d64d48751d6

SHA256
844768c879ba0edeff89c0836a882b2f39bd6cba699287c07f62d11aaad362e8

SHA512
cd16ec51d69bc6441bf86324de49bfc8897e654a10c31ca01619671c35781acba7f656145547533250bc5687169bbf4e0b460324d31520521e4c91c99cba96f1

Download Submit
C:\Windows\{1A965945-7F4D-4ace-A001-B7F5F03590C7}.exe

Filesize
180KB

MD5
bf5850ea4fd58c8d36c2c736fd21b541

SHA1
607bacdd068d37891e576d63c0ae8d64d48751d6

SHA256
844768c879ba0edeff89c0836a882b2f39bd6cba699287c07f62d11aaad362e8

SHA512
cd16ec51d69bc6441bf86324de49bfc8897e654a10c31ca01619671c35781acba7f656145547533250bc5687169bbf4e0b460324d31520521e4c91c99cba96f1

Download Submit
C:\Windows\{4558D769-664C-44ee-828B-2750C6F6551F}.exe

Filesize
180KB

MD5
bbaf60de256a1f7f1853a4e95fce362a

SHA1
552ffc8472300c86b9cacda7ed3abb53712f77cc

SHA256
44a9463e123aeb8780f8349ab15362832af19d877aef8ecc221f1d7b5b0fa19f

SHA512
49303ec61684089b3990faffcccc6974494e0cd18bbc774c8480f4aa9150a6d84fe597a19d66812d64949a2acbd7b0a88ef4198d39c66a37e7bf9b8df5e49f4a

Download Submit
C:\Windows\{4558D769-664C-44ee-828B-2750C6F6551F}.exe

Filesize
180KB

MD5
bbaf60de256a1f7f1853a4e95fce362a

SHA1
552ffc8472300c86b9cacda7ed3abb53712f77cc

SHA256
44a9463e123aeb8780f8349ab15362832af19d877aef8ecc221f1d7b5b0fa19f

SHA512
49303ec61684089b3990faffcccc6974494e0cd18bbc774c8480f4aa9150a6d84fe597a19d66812d64949a2acbd7b0a88ef4198d39c66a37e7bf9b8df5e49f4a

Download Submit
C:\Windows\{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe

Filesize
180KB

MD5
d79a57c582602f5081ec595c39378ddd

SHA1
9d71d6e648540d2c8b092ea7fb83731a464ffa3c

SHA256
b23038c2bec5d75617727c086b71563d480c9ed60d6f2b1a6b4c2f6e143b5a66

SHA512
b8caff048db1d7980c486e150fe33a25698309c8eb64904f24c60f260ff43046f110593744eededca6be93b8c0340284148d1afd7cc710253471170bacea0c2d

Download Submit
C:\Windows\{46A5DB4A-FF28-4593-B215-D624E7F12FCB}.exe

Filesize
180KB

MD5
d79a57c582602f5081ec595c39378ddd

SHA1
9d71d6e648540d2c8b092ea7fb83731a464ffa3c

SHA256
b23038c2bec5d75617727c086b71563d480c9ed60d6f2b1a6b4c2f6e143b5a66

SHA512
b8caff048db1d7980c486e150fe33a25698309c8eb64904f24c60f260ff43046f110593744eededca6be93b8c0340284148d1afd7cc710253471170bacea0c2d

Download Submit
C:\Windows\{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe

Filesize
180KB

MD5
ab950789041ee06a172c7ba74b0d9fbf

SHA1
e806f44da1a8d272584255658cd8a319d80e9b65

SHA256
652427115f2c87899ff4644b1ffee40b58ce54aa41748fde168e5c6d9805e3cf

SHA512
41346fdc154e10de37905580f53049382040260da4a45ddbf9c3474bf9b0c338ecc135991809e9ff0bc9c4d350839b1bed22525eaf11992e130d927340f503a5

Download Submit
C:\Windows\{49B59673-7B96-43c0-853D-EB08B80B9BDB}.exe

Filesize
180KB

MD5
ab950789041ee06a172c7ba74b0d9fbf

SHA1
e806f44da1a8d272584255658cd8a319d80e9b65

SHA256
652427115f2c87899ff4644b1ffee40b58ce54aa41748fde168e5c6d9805e3cf

SHA512
41346fdc154e10de37905580f53049382040260da4a45ddbf9c3474bf9b0c338ecc135991809e9ff0bc9c4d350839b1bed22525eaf11992e130d927340f503a5

Download Submit
C:\Windows\{51CF9675-8B26-423b-96E7-B7242B56145F}.exe

Filesize
180KB

MD5
c50535cbd7db3b184f930c1160dbc933

SHA1
b18042b04e2274f7aec7bcdd8ab3d7ee4dbc43f3

SHA256
f373a67265bdb7ed946e3747a84b2621b2505977f59f88ebea1cce5e31628f15

SHA512
4bbc91edb75373eed5b2e7808f3f00a3e62f0f4d98239170158d2f4ff22bfc98f007959d3ca5b6e984d5f1bdffa07c7218bc62f9dee8489688e3a27df0004c9c

Download Submit
C:\Windows\{51CF9675-8B26-423b-96E7-B7242B56145F}.exe

Filesize
180KB

MD5
c50535cbd7db3b184f930c1160dbc933

SHA1
b18042b04e2274f7aec7bcdd8ab3d7ee4dbc43f3

SHA256
f373a67265bdb7ed946e3747a84b2621b2505977f59f88ebea1cce5e31628f15

SHA512
4bbc91edb75373eed5b2e7808f3f00a3e62f0f4d98239170158d2f4ff22bfc98f007959d3ca5b6e984d5f1bdffa07c7218bc62f9dee8489688e3a27df0004c9c

Download Submit
C:\Windows\{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe

Filesize
180KB

MD5
ccb875b81c9819d3a14014183ae95b6f

SHA1
550c75099bd7f6c94f9652db6f7aafe2fa968abd

SHA256
986aa2a04fa3a42bf196744b651323044ebf03576e6e84aa812a15aabb76205e

SHA512
d704d721be5072f68daaf8fecef2787a152239a950069b61ae85987dd1ccc27f71dde774a3dcaf653cbfa50838970ac288f12ce9c6ff57121fa0a194b2b64359

Download Submit
C:\Windows\{5A1E620C-99E8-41be-8C57-697A15C4386F}.exe

Filesize
180KB

MD5
ccb875b81c9819d3a14014183ae95b6f

SHA1
550c75099bd7f6c94f9652db6f7aafe2fa968abd

SHA256
986aa2a04fa3a42bf196744b651323044ebf03576e6e84aa812a15aabb76205e

SHA512
d704d721be5072f68daaf8fecef2787a152239a950069b61ae85987dd1ccc27f71dde774a3dcaf653cbfa50838970ac288f12ce9c6ff57121fa0a194b2b64359

Download Submit
C:\Windows\{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe

Filesize
180KB

MD5
210e3ef27585a1214bfd5ff508499035

SHA1
6d3aede7a8b0d1a99d630bce724375b9502c7527

SHA256
4d454560f63166c52de36446bde6bde98824fc011e365f3b9f3e29213cada8c2

SHA512
265d0498b221ef12a89fe1a3196f7cad8fe30b95f7ba8af182f3c92699afcfd760193c79cdd240b79cd2db379228a10df387633c2b36968944fed97521fe22f6

Download Submit
C:\Windows\{71432868-EF19-429c-A3F9-F6B2CE2CD70E}.exe

Filesize
180KB

MD5
210e3ef27585a1214bfd5ff508499035

SHA1
6d3aede7a8b0d1a99d630bce724375b9502c7527

SHA256
4d454560f63166c52de36446bde6bde98824fc011e365f3b9f3e29213cada8c2

SHA512
265d0498b221ef12a89fe1a3196f7cad8fe30b95f7ba8af182f3c92699afcfd760193c79cdd240b79cd2db379228a10df387633c2b36968944fed97521fe22f6

Download Submit
C:\Windows\{787ABAD4-E494-41f4-859E-AB2475976554}.exe

Filesize
180KB

MD5
320379fd4c20832ae0891effb5ac4715

SHA1
57d515fa5f215b86c771f4eb629abfa82ecaa180

SHA256
6492a4450a2ba88fd1b8f514aaa53a3b0554cef797897bcd5ae2aebbca06714d

SHA512
21b976fc9aec79a7eb45caa0beb8b6800634ea420d99007768e1741b9cdaf28499abcc452691f55e2acc62eab7ab7d0efdd685a3c170ee120341de9c49969082

Download Submit
C:\Windows\{787ABAD4-E494-41f4-859E-AB2475976554}.exe

Filesize
180KB

MD5
320379fd4c20832ae0891effb5ac4715

SHA1
57d515fa5f215b86c771f4eb629abfa82ecaa180

SHA256
6492a4450a2ba88fd1b8f514aaa53a3b0554cef797897bcd5ae2aebbca06714d

SHA512
21b976fc9aec79a7eb45caa0beb8b6800634ea420d99007768e1741b9cdaf28499abcc452691f55e2acc62eab7ab7d0efdd685a3c170ee120341de9c49969082

Download Submit
C:\Windows\{7B5972A6-87F6-49cb-9B0D-A746690D4F33}.exe

Filesize
180KB

MD5
715384d40d9a01cddb494d3dd4adcae9

SHA1
1b1056c868b900c2fe05e3f08a1736a005684115

SHA256
9082038a066214e2d9292778265e6c425250377641131836587e2f94f304cd17

SHA512
afc49e0db8a42267ece20959fe29520e61bd6848f5284645ff89b85ea3714ed7fe16eae91098b518593c9923869191fe07331ffb2a0a2394fdae2d5259504fef

Download Submit
C:\Windows\{7B5972A6-87F6-49cb-9B0D-A746690D4F33}.exe

Filesize
180KB

MD5
715384d40d9a01cddb494d3dd4adcae9

SHA1
1b1056c868b900c2fe05e3f08a1736a005684115

SHA256
9082038a066214e2d9292778265e6c425250377641131836587e2f94f304cd17

SHA512
afc49e0db8a42267ece20959fe29520e61bd6848f5284645ff89b85ea3714ed7fe16eae91098b518593c9923869191fe07331ffb2a0a2394fdae2d5259504fef

Download Submit
C:\Windows\{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe

Filesize
180KB

MD5
f92ba4f3d71ce18171c10b8b1f88e0cb

SHA1
3863cf203a8df1f553f9226e3a56e80484f7fdb3

SHA256
a8d4ea7b4f4539787ad6e4659af80d4a5be66bb8938a2dec09b0b80523fa3d01

SHA512
3f82379ccc722e800f8c1e8954ab201520be8b1d7191e8eab7990eb3606b889d4ef893af55fae395125c85118364a68bf84f635692a570cd343c9be2b592611e

Download Submit
C:\Windows\{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe

Filesize
180KB

MD5
f92ba4f3d71ce18171c10b8b1f88e0cb

SHA1
3863cf203a8df1f553f9226e3a56e80484f7fdb3

SHA256
a8d4ea7b4f4539787ad6e4659af80d4a5be66bb8938a2dec09b0b80523fa3d01

SHA512
3f82379ccc722e800f8c1e8954ab201520be8b1d7191e8eab7990eb3606b889d4ef893af55fae395125c85118364a68bf84f635692a570cd343c9be2b592611e

Download Submit
C:\Windows\{98A5DA8A-42C2-40d5-AE87-B699F8ECFB4F}.exe

Filesize
180KB

MD5
f92ba4f3d71ce18171c10b8b1f88e0cb

SHA1
3863cf203a8df1f553f9226e3a56e80484f7fdb3

SHA256
a8d4ea7b4f4539787ad6e4659af80d4a5be66bb8938a2dec09b0b80523fa3d01

SHA512
3f82379ccc722e800f8c1e8954ab201520be8b1d7191e8eab7990eb3606b889d4ef893af55fae395125c85118364a68bf84f635692a570cd343c9be2b592611e

Download Submit
C:\Windows\{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}.exe

Filesize
180KB

MD5
4d0340e1977bc321aa51d71c5687e961

SHA1
0db552840c4079ae0eb59a8f2b72ddbb62b89b3b

SHA256
e1da5909644454ed8dcce0c70134bc4877208ca9afb3d4413c022c1a4413d361

SHA512
4d44ade17852eaf399dc82cfd4600ea3d98169b77e128210525b7242f8da511863989dca625d444114dec2caad681cce318797cd64c8a349ff12c06e29ab8e2d

Download Submit
C:\Windows\{A5338E3C-7522-4aa0-A28F-FF0A93435C1E}.exe

Filesize
180KB

MD5
4d0340e1977bc321aa51d71c5687e961

SHA1
0db552840c4079ae0eb59a8f2b72ddbb62b89b3b

SHA256
e1da5909644454ed8dcce0c70134bc4877208ca9afb3d4413c022c1a4413d361

SHA512
4d44ade17852eaf399dc82cfd4600ea3d98169b77e128210525b7242f8da511863989dca625d444114dec2caad681cce318797cd64c8a349ff12c06e29ab8e2d

Download Submit
C:\Windows\{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe

Filesize
180KB

MD5
5deb292fc84bc9b68c3db3d19ff634b7

SHA1
ad3ee2d90b087a4d676a31fb1533abacad2fbce9

SHA256
c785daaf249db363bfc1d9d91cb6b9b624e362b949ee692e9c02a97214b12e04

SHA512
479af250516bbba6e0f4e3ee871140d6dd190bb8936c665ac297cf363c0fdeb2670fc91c5d7adc7582bcfa52d4b58048e33fbcbc1e16b814ccd47f8f95927f69

Download Submit
C:\Windows\{F9F588E7-18DB-400e-99AA-88FDCE5558D3}.exe

Filesize
180KB

MD5
5deb292fc84bc9b68c3db3d19ff634b7

SHA1
ad3ee2d90b087a4d676a31fb1533abacad2fbce9

SHA256
c785daaf249db363bfc1d9d91cb6b9b624e362b949ee692e9c02a97214b12e04

SHA512
479af250516bbba6e0f4e3ee871140d6dd190bb8936c665ac297cf363c0fdeb2670fc91c5d7adc7582bcfa52d4b58048e33fbcbc1e16b814ccd47f8f95927f69

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads