d210ed055a93107ca757c129f1277a3a1f0e13a43443acfebf4ce335e705690e

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2023 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_60023a1193d54cee131d00283ae4353e_goldeneye_JC.exe
Size

168KB
MD5

60023a1193d54cee131d00283ae4353e
SHA1

2bbed9f72a0cf9f9d1bd2bf80e5871c3f27aadb8
SHA256

d210ed055a93107ca757c129f1277a3a1f0e13a43443acfebf4ce335e705690e
SHA512

3176407aa87f44d334127ebb01f14cfd2b02758a2919865dcc8f792d7fcb620aca0e09ff65eeb938f3f4f1f26d2921021891f45701d8785c0b52c3dae877a19e
SSDEEP

1536:1EGh0o+lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o+lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E87A7D9A-A6D4-435c-B071-F959149FBAEF}	{C3B47946-43C3-45da-BC23-D509D542BB29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}	{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43C25216-45EC-4170-8784-45694039FD83}\stubpath = "C:\\Windows\\{43C25216-45EC-4170-8784-45694039FD83}.exe"	{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}\stubpath = "C:\\Windows\\{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe"	{43C25216-45EC-4170-8784-45694039FD83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}	{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08C2157D-996E-4df0-B51A-855DFE5BE813}\stubpath = "C:\\Windows\\{08C2157D-996E-4df0-B51A-855DFE5BE813}.exe"	{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{484AC95B-7CDD-494a-A0CD-43BB07ED272D}\stubpath = "C:\\Windows\\{484AC95B-7CDD-494a-A0CD-43BB07ED272D}.exe"	{08C2157D-996E-4df0-B51A-855DFE5BE813}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3B47946-43C3-45da-BC23-D509D542BB29}\stubpath = "C:\\Windows\\{C3B47946-43C3-45da-BC23-D509D542BB29}.exe"	2023-08-27_60023a1193d54cee131d00283ae4353e_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E3D2209-9F3C-4347-96CF-A69610DB631B}	{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8045F6FF-764F-44e8-AEB2-25D17476FC42}\stubpath = "C:\\Windows\\{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe"	{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}	{43C25216-45EC-4170-8784-45694039FD83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32355706-9C0A-45c0-A4F4-734BF28D1BD2}	{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32355706-9C0A-45c0-A4F4-734BF28D1BD2}\stubpath = "C:\\Windows\\{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe"	{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFFA7202-0064-49f1-8983-BAD62872DB36}\stubpath = "C:\\Windows\\{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe"	{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}\stubpath = "C:\\Windows\\{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}.exe"	{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3B47946-43C3-45da-BC23-D509D542BB29}	2023-08-27_60023a1193d54cee131d00283ae4353e_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E87A7D9A-A6D4-435c-B071-F959149FBAEF}\stubpath = "C:\\Windows\\{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe"	{C3B47946-43C3-45da-BC23-D509D542BB29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E3D2209-9F3C-4347-96CF-A69610DB631B}\stubpath = "C:\\Windows\\{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe"	{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8045F6FF-764F-44e8-AEB2-25D17476FC42}	{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08C2157D-996E-4df0-B51A-855DFE5BE813}	{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{484AC95B-7CDD-494a-A0CD-43BB07ED272D}	{08C2157D-996E-4df0-B51A-855DFE5BE813}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}\stubpath = "C:\\Windows\\{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe"	{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFFA7202-0064-49f1-8983-BAD62872DB36}	{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43C25216-45EC-4170-8784-45694039FD83}	{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe

Executes dropped EXE 12 IoCs

pid	Process
1528	{C3B47946-43C3-45da-BC23-D509D542BB29}.exe
3908	{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe
1424	{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe
4836	{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe
2088	{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe
4896	{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe
5088	{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe
3172	{43C25216-45EC-4170-8784-45694039FD83}.exe
1592	{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe
2728	{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}.exe
3220	{08C2157D-996E-4df0-B51A-855DFE5BE813}.exe
2412	{484AC95B-7CDD-494a-A0CD-43BB07ED272D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe	{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe
File created	C:\Windows\{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe	{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe
File created	C:\Windows\{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe	{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe
File created	C:\Windows\{43C25216-45EC-4170-8784-45694039FD83}.exe	{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe
File created	C:\Windows\{484AC95B-7CDD-494a-A0CD-43BB07ED272D}.exe	{08C2157D-996E-4df0-B51A-855DFE5BE813}.exe
File created	C:\Windows\{08C2157D-996E-4df0-B51A-855DFE5BE813}.exe	{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}.exe
File created	C:\Windows\{C3B47946-43C3-45da-BC23-D509D542BB29}.exe	2023-08-27_60023a1193d54cee131d00283ae4353e_goldeneye_JC.exe
File created	C:\Windows\{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe	{C3B47946-43C3-45da-BC23-D509D542BB29}.exe
File created	C:\Windows\{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe	{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe
File created	C:\Windows\{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe	{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe
File created	C:\Windows\{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe	{43C25216-45EC-4170-8784-45694039FD83}.exe
File created	C:\Windows\{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}.exe	{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4104	2023-08-27_60023a1193d54cee131d00283ae4353e_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	1528	{C3B47946-43C3-45da-BC23-D509D542BB29}.exe
Token: SeIncBasePriorityPrivilege	3908	{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe
Token: SeIncBasePriorityPrivilege	1424	{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe
Token: SeIncBasePriorityPrivilege	4836	{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe
Token: SeIncBasePriorityPrivilege	2088	{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe
Token: SeIncBasePriorityPrivilege	4896	{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe
Token: SeIncBasePriorityPrivilege	5088	{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe
Token: SeIncBasePriorityPrivilege	3172	{43C25216-45EC-4170-8784-45694039FD83}.exe
Token: SeIncBasePriorityPrivilege	1592	{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe
Token: SeIncBasePriorityPrivilege	2728	{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}.exe
Token: SeIncBasePriorityPrivilege	3220	{08C2157D-996E-4df0-B51A-855DFE5BE813}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 1528	4104	2023-08-27_60023a1193d54cee131d00283ae4353e_goldeneye_JC.exe	90
PID 4104 wrote to memory of 1528	4104	2023-08-27_60023a1193d54cee131d00283ae4353e_goldeneye_JC.exe	90
PID 4104 wrote to memory of 1528	4104	2023-08-27_60023a1193d54cee131d00283ae4353e_goldeneye_JC.exe	90
PID 4104 wrote to memory of 5000	4104	2023-08-27_60023a1193d54cee131d00283ae4353e_goldeneye_JC.exe	91
PID 4104 wrote to memory of 5000	4104	2023-08-27_60023a1193d54cee131d00283ae4353e_goldeneye_JC.exe	91
PID 4104 wrote to memory of 5000	4104	2023-08-27_60023a1193d54cee131d00283ae4353e_goldeneye_JC.exe	91
PID 1528 wrote to memory of 3908	1528	{C3B47946-43C3-45da-BC23-D509D542BB29}.exe	97
PID 1528 wrote to memory of 3908	1528	{C3B47946-43C3-45da-BC23-D509D542BB29}.exe	97
PID 1528 wrote to memory of 3908	1528	{C3B47946-43C3-45da-BC23-D509D542BB29}.exe	97
PID 1528 wrote to memory of 752	1528	{C3B47946-43C3-45da-BC23-D509D542BB29}.exe	98
PID 1528 wrote to memory of 752	1528	{C3B47946-43C3-45da-BC23-D509D542BB29}.exe	98
PID 1528 wrote to memory of 752	1528	{C3B47946-43C3-45da-BC23-D509D542BB29}.exe	98
PID 3908 wrote to memory of 1424	3908	{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe	101
PID 3908 wrote to memory of 1424	3908	{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe	101
PID 3908 wrote to memory of 1424	3908	{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe	101
PID 3908 wrote to memory of 1860	3908	{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe	100
PID 3908 wrote to memory of 1860	3908	{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe	100
PID 3908 wrote to memory of 1860	3908	{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe	100
PID 1424 wrote to memory of 4836	1424	{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe	103
PID 1424 wrote to memory of 4836	1424	{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe	103
PID 1424 wrote to memory of 4836	1424	{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe	103
PID 1424 wrote to memory of 700	1424	{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe	104
PID 1424 wrote to memory of 700	1424	{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe	104
PID 1424 wrote to memory of 700	1424	{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe	104
PID 4836 wrote to memory of 2088	4836	{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe	105
PID 4836 wrote to memory of 2088	4836	{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe	105
PID 4836 wrote to memory of 2088	4836	{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe	105
PID 4836 wrote to memory of 2544	4836	{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe	106
PID 4836 wrote to memory of 2544	4836	{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe	106
PID 4836 wrote to memory of 2544	4836	{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe	106
PID 2088 wrote to memory of 4896	2088	{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe	108
PID 2088 wrote to memory of 4896	2088	{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe	108
PID 2088 wrote to memory of 4896	2088	{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe	108
PID 2088 wrote to memory of 1692	2088	{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe	109
PID 2088 wrote to memory of 1692	2088	{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe	109
PID 2088 wrote to memory of 1692	2088	{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe	109
PID 4896 wrote to memory of 5088	4896	{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe	110
PID 4896 wrote to memory of 5088	4896	{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe	110
PID 4896 wrote to memory of 5088	4896	{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe	110
PID 4896 wrote to memory of 1956	4896	{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe	111
PID 4896 wrote to memory of 1956	4896	{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe	111
PID 4896 wrote to memory of 1956	4896	{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe	111
PID 5088 wrote to memory of 3172	5088	{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe	112
PID 5088 wrote to memory of 3172	5088	{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe	112
PID 5088 wrote to memory of 3172	5088	{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe	112
PID 5088 wrote to memory of 8	5088	{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe	113
PID 5088 wrote to memory of 8	5088	{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe	113
PID 5088 wrote to memory of 8	5088	{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe	113
PID 3172 wrote to memory of 1592	3172	{43C25216-45EC-4170-8784-45694039FD83}.exe	121
PID 3172 wrote to memory of 1592	3172	{43C25216-45EC-4170-8784-45694039FD83}.exe	121
PID 3172 wrote to memory of 1592	3172	{43C25216-45EC-4170-8784-45694039FD83}.exe	121
PID 3172 wrote to memory of 1512	3172	{43C25216-45EC-4170-8784-45694039FD83}.exe	122
PID 3172 wrote to memory of 1512	3172	{43C25216-45EC-4170-8784-45694039FD83}.exe	122
PID 3172 wrote to memory of 1512	3172	{43C25216-45EC-4170-8784-45694039FD83}.exe	122
PID 1592 wrote to memory of 2728	1592	{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe	124
PID 1592 wrote to memory of 2728	1592	{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe	124
PID 1592 wrote to memory of 2728	1592	{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe	124
PID 1592 wrote to memory of 2056	1592	{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe	125
PID 1592 wrote to memory of 2056	1592	{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe	125
PID 1592 wrote to memory of 2056	1592	{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe	125
PID 2728 wrote to memory of 3220	2728	{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}.exe	126
PID 2728 wrote to memory of 3220	2728	{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}.exe	126
PID 2728 wrote to memory of 3220	2728	{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}.exe	126
PID 2728 wrote to memory of 4872	2728	{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}.exe	127

C:\Users\Admin\AppData\Local\Temp\2023-08-27_60023a1193d54cee131d00283ae4353e_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_60023a1193d54cee131d00283ae4353e_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\{C3B47946-43C3-45da-BC23-D509D542BB29}.exe
  C:\Windows\{C3B47946-43C3-45da-BC23-D509D542BB29}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe
    C:\Windows\{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E87A7~1.EXE > nul
      4⤵
      PID:1860
  - - C:\Windows\{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe
      C:\Windows\{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Windows\{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe
        
        C:\Windows\{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4836
      - C:\Windows\{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe
        
        C:\Windows\{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe
        
        C:\Windows\{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe
        
        C:\Windows\{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\{43C25216-45EC-4170-8784-45694039FD83}.exe
        
        C:\Windows\{43C25216-45EC-4170-8784-45694039FD83}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe
        
        C:\Windows\{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}.exe
        
        C:\Windows\{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\{08C2157D-996E-4df0-B51A-855DFE5BE813}.exe
        
        C:\Windows\{08C2157D-996E-4df0-B51A-855DFE5BE813}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3220
        
        C:\Windows\{484AC95B-7CDD-494a-A0CD-43BB07ED272D}.exe
        
        C:\Windows\{484AC95B-7CDD-494a-A0CD-43BB07ED272D}.exe
        13⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08C21~1.EXE > nul
        13⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{539FE~1.EXE > nul
        12⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{261FF~1.EXE > nul
        11⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43C25~1.EXE > nul
        10⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFFA7~1.EXE > nul
        9⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32355~1.EXE > nul
        8⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8045F~1.EXE > nul
        7⤵
        
        PID:1692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5BCF~1.EXE > nul
        6⤵
        
        PID:2544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E3D2~1.EXE > nul
        5⤵
        
        PID:700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C3B47~1.EXE > nul
    3⤵
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08C2157D-996E-4df0-B51A-855DFE5BE813}.exe

Filesize
168KB

MD5
d01d6c9a6a6b8d87ef52ace26daac30a

SHA1
d80025b23b384e4de6dc41bc75416e46f8b1ef0a

SHA256
403be5be0d861a6c052e2bcea25779c473303a4504200e3d1672c99711492120

SHA512
773af826c4e173c8c0d1a0d4dd0422e6d74bf47cd98314c23abfa29bd798034a5c7be12190426203a59bf94718ccbdac50a482c1e70b4fa0f4d5e261757053a7

Download Submit
C:\Windows\{08C2157D-996E-4df0-B51A-855DFE5BE813}.exe

Filesize
168KB

MD5
d01d6c9a6a6b8d87ef52ace26daac30a

SHA1
d80025b23b384e4de6dc41bc75416e46f8b1ef0a

SHA256
403be5be0d861a6c052e2bcea25779c473303a4504200e3d1672c99711492120

SHA512
773af826c4e173c8c0d1a0d4dd0422e6d74bf47cd98314c23abfa29bd798034a5c7be12190426203a59bf94718ccbdac50a482c1e70b4fa0f4d5e261757053a7

Download Submit
C:\Windows\{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe

Filesize
168KB

MD5
59b2d8c7f2b2e5af98ea3e31d99870d3

SHA1
f30c1833ae4e39db319282d081280b9aa1df1fce

SHA256
87417e012db1052d137502c9f70cbfb7965aea4a0ce274a931c2a85890777c3a

SHA512
8b7d51629c722e21d915b797c523b42d99c0f54bb20ea27253b4769d931725dd610ac05966f77e6007e1adc848a25e99ae1d03309eb38859722e7ec545a4fc37

Download Submit
C:\Windows\{261FF61C-BFE0-4607-B1A7-927FDAFAC4EC}.exe

Filesize
168KB

MD5
59b2d8c7f2b2e5af98ea3e31d99870d3

SHA1
f30c1833ae4e39db319282d081280b9aa1df1fce

SHA256
87417e012db1052d137502c9f70cbfb7965aea4a0ce274a931c2a85890777c3a

SHA512
8b7d51629c722e21d915b797c523b42d99c0f54bb20ea27253b4769d931725dd610ac05966f77e6007e1adc848a25e99ae1d03309eb38859722e7ec545a4fc37

Download Submit
C:\Windows\{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe

Filesize
168KB

MD5
a15d91f39ac535c1e834b5ecea04e0a5

SHA1
cf54536c9b03267f5171f7eddfa8a476544273aa

SHA256
2e8b78897263c979c9eab1acc4c040a145b1b9e700fbedcaf1d9e84b18f5bca7

SHA512
950eb749cda1108390439e54fce5640471cf99465de29889b7d798b66f683fb5ae5ff10d4069a8cf4bd782bfe4a33bf43325403c4a5fef99a0c9f0c34239ec76

Download Submit
C:\Windows\{32355706-9C0A-45c0-A4F4-734BF28D1BD2}.exe

Filesize
168KB

MD5
a15d91f39ac535c1e834b5ecea04e0a5

SHA1
cf54536c9b03267f5171f7eddfa8a476544273aa

SHA256
2e8b78897263c979c9eab1acc4c040a145b1b9e700fbedcaf1d9e84b18f5bca7

SHA512
950eb749cda1108390439e54fce5640471cf99465de29889b7d798b66f683fb5ae5ff10d4069a8cf4bd782bfe4a33bf43325403c4a5fef99a0c9f0c34239ec76

Download Submit
C:\Windows\{43C25216-45EC-4170-8784-45694039FD83}.exe

Filesize
168KB

MD5
8f2f3edecdc38c825cc0fa02d455681f

SHA1
de0706dc6798d9c85ee1fc9e3f0ef595dca1ad1f

SHA256
c27ed53432a67b98c0b49fe0a5e6f3c5d941cf6bc048b0d8d2350ccd380533ca

SHA512
a36e30c0d63cd8ba32061e8394cae29e5fbdb2543076e399217850cf3ebe7eefe5b904d6ad95d9d0e81ae2433d1e2316dc399761604b2706ce30beab2478d3cb

Download Submit
C:\Windows\{43C25216-45EC-4170-8784-45694039FD83}.exe

Filesize
168KB

MD5
8f2f3edecdc38c825cc0fa02d455681f

SHA1
de0706dc6798d9c85ee1fc9e3f0ef595dca1ad1f

SHA256
c27ed53432a67b98c0b49fe0a5e6f3c5d941cf6bc048b0d8d2350ccd380533ca

SHA512
a36e30c0d63cd8ba32061e8394cae29e5fbdb2543076e399217850cf3ebe7eefe5b904d6ad95d9d0e81ae2433d1e2316dc399761604b2706ce30beab2478d3cb

Download Submit
C:\Windows\{484AC95B-7CDD-494a-A0CD-43BB07ED272D}.exe

Filesize
168KB

MD5
f022968dfbc59a39a028cee238b3b405

SHA1
b7c9acb52682a977dffd10787283f1a640226785

SHA256
17cd1677fc657f5366f0f1980e0354184ea0e1ca6d73bf2cb6cf33eb7977833c

SHA512
5d07f8975a080f6d04cadfc43db368f119299e2640327ba02e3e7cac8a78dfd76e7e290ff39a44292a5e72e6fee2a36f0c1e36011ccabd5476a573729416862d

Download Submit
C:\Windows\{484AC95B-7CDD-494a-A0CD-43BB07ED272D}.exe

Filesize
168KB

MD5
f022968dfbc59a39a028cee238b3b405

SHA1
b7c9acb52682a977dffd10787283f1a640226785

SHA256
17cd1677fc657f5366f0f1980e0354184ea0e1ca6d73bf2cb6cf33eb7977833c

SHA512
5d07f8975a080f6d04cadfc43db368f119299e2640327ba02e3e7cac8a78dfd76e7e290ff39a44292a5e72e6fee2a36f0c1e36011ccabd5476a573729416862d

Download Submit
C:\Windows\{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}.exe

Filesize
168KB

MD5
293df768eba2df77681b350a34e52552

SHA1
b540a954adc77bfeb7764ee45fdedb92c1944e4a

SHA256
d869406453fc1ff64eac5a46fa48fb7aaadd783d52a73cb87c10b147e1916d6f

SHA512
6e0532b0296b4c5370f5c8ce94ddd6e79fbee551604f8594adb33fc0edd17a5b92ce48efa7c50ea07d43e97103ae7c082bd1459595c32e667651608e31b6d247

Download Submit
C:\Windows\{539FE6C3-1EA2-4057-93B1-A4E1B048AC2F}.exe

Filesize
168KB

MD5
293df768eba2df77681b350a34e52552

SHA1
b540a954adc77bfeb7764ee45fdedb92c1944e4a

SHA256
d869406453fc1ff64eac5a46fa48fb7aaadd783d52a73cb87c10b147e1916d6f

SHA512
6e0532b0296b4c5370f5c8ce94ddd6e79fbee551604f8594adb33fc0edd17a5b92ce48efa7c50ea07d43e97103ae7c082bd1459595c32e667651608e31b6d247

Download Submit
C:\Windows\{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe

Filesize
168KB

MD5
5f0d6f9a2ee9c44a270b77055356c73a

SHA1
529803ce10f6fcd77866c3812aa7ac3ca4329429

SHA256
0d5dbe3a08f56e998eb27080bebbbe2e50008d1cdb1036de406be1529cbef671

SHA512
6d91a3114f0a628a460ba737de604384bd4784551fdd9390f0479b7ebe72d549de58d9b3a8c97ed8b6b0aae16081837204921f0e988a013dcb56cf78694d3abd

Download Submit
C:\Windows\{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe

Filesize
168KB

MD5
5f0d6f9a2ee9c44a270b77055356c73a

SHA1
529803ce10f6fcd77866c3812aa7ac3ca4329429

SHA256
0d5dbe3a08f56e998eb27080bebbbe2e50008d1cdb1036de406be1529cbef671

SHA512
6d91a3114f0a628a460ba737de604384bd4784551fdd9390f0479b7ebe72d549de58d9b3a8c97ed8b6b0aae16081837204921f0e988a013dcb56cf78694d3abd

Download Submit
C:\Windows\{7E3D2209-9F3C-4347-96CF-A69610DB631B}.exe

Filesize
168KB

MD5
5f0d6f9a2ee9c44a270b77055356c73a

SHA1
529803ce10f6fcd77866c3812aa7ac3ca4329429

SHA256
0d5dbe3a08f56e998eb27080bebbbe2e50008d1cdb1036de406be1529cbef671

SHA512
6d91a3114f0a628a460ba737de604384bd4784551fdd9390f0479b7ebe72d549de58d9b3a8c97ed8b6b0aae16081837204921f0e988a013dcb56cf78694d3abd

Download Submit
C:\Windows\{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe

Filesize
168KB

MD5
d90d10328213071e3bcf5caf57f29d81

SHA1
6535c017b2ba44411982a6f5bfcad3ffa5ae925b

SHA256
eaddd6ac0c4b9f5ed54c31ec2fae427ff7b15092d1271d4e0f4da8451ba2fc37

SHA512
09d7a5e09af3989c6b276597c542224932807f2e9651e0bb0b9ad607962f2b91ea7d87861a1e99f1e792ebe9685c239063e3e41d4f7b978f8b43fafc3452ba60

Download Submit
C:\Windows\{8045F6FF-764F-44e8-AEB2-25D17476FC42}.exe

Filesize
168KB

MD5
d90d10328213071e3bcf5caf57f29d81

SHA1
6535c017b2ba44411982a6f5bfcad3ffa5ae925b

SHA256
eaddd6ac0c4b9f5ed54c31ec2fae427ff7b15092d1271d4e0f4da8451ba2fc37

SHA512
09d7a5e09af3989c6b276597c542224932807f2e9651e0bb0b9ad607962f2b91ea7d87861a1e99f1e792ebe9685c239063e3e41d4f7b978f8b43fafc3452ba60

Download Submit
C:\Windows\{C3B47946-43C3-45da-BC23-D509D542BB29}.exe

Filesize
168KB

MD5
3f05c282a88a765f6074376c1a97b072

SHA1
81e8527cbf9d7a49c58f7f05b7a5832b56049b52

SHA256
8073bcbd98244b31d06d4b508ea418a18e006054e647569ab046444d03873ef7

SHA512
0d176d3cf655733dd1dac2f1f9150bbad1a826efde24cb0e1eeb9e9789ae4a276b8113a8394b7eebe722175886cf7c583301446c4dd4f640f02c2b00443a4ceb

Download Submit
C:\Windows\{C3B47946-43C3-45da-BC23-D509D542BB29}.exe

Filesize
168KB

MD5
3f05c282a88a765f6074376c1a97b072

SHA1
81e8527cbf9d7a49c58f7f05b7a5832b56049b52

SHA256
8073bcbd98244b31d06d4b508ea418a18e006054e647569ab046444d03873ef7

SHA512
0d176d3cf655733dd1dac2f1f9150bbad1a826efde24cb0e1eeb9e9789ae4a276b8113a8394b7eebe722175886cf7c583301446c4dd4f640f02c2b00443a4ceb

Download Submit
C:\Windows\{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe

Filesize
168KB

MD5
42511b4f11c1d86ea698094d98746c35

SHA1
618d404fb2092948f0c85a69e83c6f93fb87839d

SHA256
0bcc9d15f8e04cd05b766bf99c3da2d2d3a501dadddf366f9b0bbfdef8aee749

SHA512
0eb5663ef980bbddaf05524ce1dd09e7d40316c8eb8cdc19fcd7b24f1d79d31200dfcbb3c8cc04517422c734d3527f016484f6c027d0487801995792c127cdc5

Download Submit
C:\Windows\{C5BCF201-5F1F-4846-BCCD-FCE8D1329C45}.exe

Filesize
168KB

MD5
42511b4f11c1d86ea698094d98746c35

SHA1
618d404fb2092948f0c85a69e83c6f93fb87839d

SHA256
0bcc9d15f8e04cd05b766bf99c3da2d2d3a501dadddf366f9b0bbfdef8aee749

SHA512
0eb5663ef980bbddaf05524ce1dd09e7d40316c8eb8cdc19fcd7b24f1d79d31200dfcbb3c8cc04517422c734d3527f016484f6c027d0487801995792c127cdc5

Download Submit
C:\Windows\{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe

Filesize
168KB

MD5
88e38c0c90844f512114a0715654e17a

SHA1
3ed5d13fc52d5078b00fe44f0be9d5c53e3f8b20

SHA256
db7478cd9b3f3c1d1b844d4918612c01f9c05f05d94b790b099a8c7c7436a908

SHA512
b0bf8e7068f74c102233f47b1e7a264e6928f6e3abd6d518a5524daca485e3143704b4297984db4b97bdd635a5ba8906f949c8891c04b56df483f99e8aac7b7d

Download Submit
C:\Windows\{CFFA7202-0064-49f1-8983-BAD62872DB36}.exe

Filesize
168KB

MD5
88e38c0c90844f512114a0715654e17a

SHA1
3ed5d13fc52d5078b00fe44f0be9d5c53e3f8b20

SHA256
db7478cd9b3f3c1d1b844d4918612c01f9c05f05d94b790b099a8c7c7436a908

SHA512
b0bf8e7068f74c102233f47b1e7a264e6928f6e3abd6d518a5524daca485e3143704b4297984db4b97bdd635a5ba8906f949c8891c04b56df483f99e8aac7b7d

Download Submit
C:\Windows\{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe

Filesize
168KB

MD5
d9af81dd51c0c9fe07e62ea830c6931e

SHA1
313f37fbf217d4a2170c9211f5e0d752007fdf67

SHA256
b016760838188daad6f9c451e12c442cd40fc18470f7d3a9f05517cc1cdfd3a7

SHA512
b20216552fb8d3c0471d12389d6feeb78af74e59852882175cb909872a24d2436cf06a7ca65c716edf4e6153aaa5103c95aaae1d764f714b023ace308ee30bf8

Download Submit
C:\Windows\{E87A7D9A-A6D4-435c-B071-F959149FBAEF}.exe

Filesize
168KB

MD5
d9af81dd51c0c9fe07e62ea830c6931e

SHA1
313f37fbf217d4a2170c9211f5e0d752007fdf67

SHA256
b016760838188daad6f9c451e12c442cd40fc18470f7d3a9f05517cc1cdfd3a7

SHA512
b20216552fb8d3c0471d12389d6feeb78af74e59852882175cb909872a24d2436cf06a7ca65c716edf4e6153aaa5103c95aaae1d764f714b023ace308ee30bf8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads