c5cd44292970870d42a878d44d5e4ea219c3c83b602a2ac7967a96f5f17f89df

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
05/10/2023, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe
Size

380KB
MD5

7cfbf6f1aaa6026a57804ac67a268e57
SHA1

311ff0824af4eb39e4658cf6c3777a0738e535d5
SHA256

c5cd44292970870d42a878d44d5e4ea219c3c83b602a2ac7967a96f5f17f89df
SHA512

50a27edf298ccfcd24fe615245b3404e13ca0f5e86f7bf714dcf064da1944dbb886cead942104821731d0c489e5c918265eea37c4adc5d3b50c8a4c3bff029a9
SSDEEP

3072:mEGh0oplPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGnl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C6319A5-811D-4f6e-9051-1EADBB9E8200}\stubpath = "C:\\Windows\\{0C6319A5-811D-4f6e-9051-1EADBB9E8200}.exe"	{8C5BDD97-2316-4eae-9275-617EBD004791}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E65011F8-9537-4e9c-93D2-DA7DD6027393}	{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFABB36A-DCE7-406c-B01B-1D246621C140}\stubpath = "C:\\Windows\\{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe"	{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}\stubpath = "C:\\Windows\\{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe"	{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6CEF12E-25AE-448e-BBC6-4E9B2FC6BD5E}	{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C5BDD97-2316-4eae-9275-617EBD004791}\stubpath = "C:\\Windows\\{8C5BDD97-2316-4eae-9275-617EBD004791}.exe"	{5D3AADAD-91DD-41da-A726-668A72F15F1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D3AADAD-91DD-41da-A726-668A72F15F1A}\stubpath = "C:\\Windows\\{5D3AADAD-91DD-41da-A726-668A72F15F1A}.exe"	{D6CEF12E-25AE-448e-BBC6-4E9B2FC6BD5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}\stubpath = "C:\\Windows\\{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe"	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A6753CB-276B-4eeb-85EE-126AE07D3356}	{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A6753CB-276B-4eeb-85EE-126AE07D3356}\stubpath = "C:\\Windows\\{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe"	{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{089B3322-5305-4f3d-8578-8AE25865D3C9}	{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{089B3322-5305-4f3d-8578-8AE25865D3C9}\stubpath = "C:\\Windows\\{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe"	{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6CEF12E-25AE-448e-BBC6-4E9B2FC6BD5E}\stubpath = "C:\\Windows\\{D6CEF12E-25AE-448e-BBC6-4E9B2FC6BD5E}.exe"	{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E65011F8-9537-4e9c-93D2-DA7DD6027393}\stubpath = "C:\\Windows\\{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe"	{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AFABB36A-DCE7-406c-B01B-1D246621C140}	{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D3AADAD-91DD-41da-A726-668A72F15F1A}	{D6CEF12E-25AE-448e-BBC6-4E9B2FC6BD5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}	{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2646715F-02AC-4ee5-956C-BFC6C14425FE}	{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2646715F-02AC-4ee5-956C-BFC6C14425FE}\stubpath = "C:\\Windows\\{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe"	{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C5BDD97-2316-4eae-9275-617EBD004791}	{5D3AADAD-91DD-41da-A726-668A72F15F1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C6319A5-811D-4f6e-9051-1EADBB9E8200}	{8C5BDD97-2316-4eae-9275-617EBD004791}.exe

Deletes itself 1 IoCs

pid	Process
320	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2092	{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe
2976	{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe
2624	{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe
2612	{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe
2728	{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe
2500	{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe
2916	{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe
2476	{D6CEF12E-25AE-448e-BBC6-4E9B2FC6BD5E}.exe
2448	{5D3AADAD-91DD-41da-A726-668A72F15F1A}.exe
2440	{8C5BDD97-2316-4eae-9275-617EBD004791}.exe
2444	{0C6319A5-811D-4f6e-9051-1EADBB9E8200}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D6CEF12E-25AE-448e-BBC6-4E9B2FC6BD5E}.exe	{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe
File created	C:\Windows\{8C5BDD97-2316-4eae-9275-617EBD004791}.exe	{5D3AADAD-91DD-41da-A726-668A72F15F1A}.exe
File created	C:\Windows\{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe	{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe
File created	C:\Windows\{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe	{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe
File created	C:\Windows\{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe	{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe
File created	C:\Windows\{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe	{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe
File created	C:\Windows\{5D3AADAD-91DD-41da-A726-668A72F15F1A}.exe	{D6CEF12E-25AE-448e-BBC6-4E9B2FC6BD5E}.exe
File created	C:\Windows\{0C6319A5-811D-4f6e-9051-1EADBB9E8200}.exe	{8C5BDD97-2316-4eae-9275-617EBD004791}.exe
File created	C:\Windows\{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe
File created	C:\Windows\{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe	{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe
File created	C:\Windows\{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe	{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2088	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2092	{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe
Token: SeIncBasePriorityPrivilege	2976	{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe
Token: SeIncBasePriorityPrivilege	2624	{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe
Token: SeIncBasePriorityPrivilege	2612	{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe
Token: SeIncBasePriorityPrivilege	2728	{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe
Token: SeIncBasePriorityPrivilege	2500	{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe
Token: SeIncBasePriorityPrivilege	2916	{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe
Token: SeIncBasePriorityPrivilege	2476	{D6CEF12E-25AE-448e-BBC6-4E9B2FC6BD5E}.exe
Token: SeIncBasePriorityPrivilege	2448	{5D3AADAD-91DD-41da-A726-668A72F15F1A}.exe
Token: SeIncBasePriorityPrivilege	2440	{8C5BDD97-2316-4eae-9275-617EBD004791}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2092	2088	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe	28
PID 2088 wrote to memory of 2092	2088	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe	28
PID 2088 wrote to memory of 2092	2088	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe	28
PID 2088 wrote to memory of 2092	2088	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe	28
PID 2088 wrote to memory of 320	2088	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe	29
PID 2088 wrote to memory of 320	2088	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe	29
PID 2088 wrote to memory of 320	2088	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe	29
PID 2088 wrote to memory of 320	2088	2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe	29
PID 2092 wrote to memory of 2976	2092	{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe	30
PID 2092 wrote to memory of 2976	2092	{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe	30
PID 2092 wrote to memory of 2976	2092	{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe	30
PID 2092 wrote to memory of 2976	2092	{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe	30
PID 2092 wrote to memory of 1612	2092	{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe	31
PID 2092 wrote to memory of 1612	2092	{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe	31
PID 2092 wrote to memory of 1612	2092	{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe	31
PID 2092 wrote to memory of 1612	2092	{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe	31
PID 2976 wrote to memory of 2624	2976	{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe	33
PID 2976 wrote to memory of 2624	2976	{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe	33
PID 2976 wrote to memory of 2624	2976	{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe	33
PID 2976 wrote to memory of 2624	2976	{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe	33
PID 2976 wrote to memory of 2720	2976	{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe	32
PID 2976 wrote to memory of 2720	2976	{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe	32
PID 2976 wrote to memory of 2720	2976	{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe	32
PID 2976 wrote to memory of 2720	2976	{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe	32
PID 2624 wrote to memory of 2612	2624	{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe	36
PID 2624 wrote to memory of 2612	2624	{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe	36
PID 2624 wrote to memory of 2612	2624	{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe	36
PID 2624 wrote to memory of 2612	2624	{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe	36
PID 2624 wrote to memory of 2520	2624	{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe	37
PID 2624 wrote to memory of 2520	2624	{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe	37
PID 2624 wrote to memory of 2520	2624	{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe	37
PID 2624 wrote to memory of 2520	2624	{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe	37
PID 2612 wrote to memory of 2728	2612	{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe	39
PID 2612 wrote to memory of 2728	2612	{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe	39
PID 2612 wrote to memory of 2728	2612	{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe	39
PID 2612 wrote to memory of 2728	2612	{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe	39
PID 2612 wrote to memory of 2540	2612	{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe	38
PID 2612 wrote to memory of 2540	2612	{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe	38
PID 2612 wrote to memory of 2540	2612	{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe	38
PID 2612 wrote to memory of 2540	2612	{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe	38
PID 2728 wrote to memory of 2500	2728	{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe	40
PID 2728 wrote to memory of 2500	2728	{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe	40
PID 2728 wrote to memory of 2500	2728	{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe	40
PID 2728 wrote to memory of 2500	2728	{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe	40
PID 2728 wrote to memory of 2544	2728	{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe	41
PID 2728 wrote to memory of 2544	2728	{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe	41
PID 2728 wrote to memory of 2544	2728	{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe	41
PID 2728 wrote to memory of 2544	2728	{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe	41
PID 2500 wrote to memory of 2916	2500	{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe	42
PID 2500 wrote to memory of 2916	2500	{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe	42
PID 2500 wrote to memory of 2916	2500	{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe	42
PID 2500 wrote to memory of 2916	2500	{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe	42
PID 2500 wrote to memory of 2920	2500	{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe	43
PID 2500 wrote to memory of 2920	2500	{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe	43
PID 2500 wrote to memory of 2920	2500	{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe	43
PID 2500 wrote to memory of 2920	2500	{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe	43
PID 2916 wrote to memory of 2476	2916	{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe	44
PID 2916 wrote to memory of 2476	2916	{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe	44
PID 2916 wrote to memory of 2476	2916	{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe	44
PID 2916 wrote to memory of 2476	2916	{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe	44
PID 2916 wrote to memory of 1028	2916	{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe	45
PID 2916 wrote to memory of 1028	2916	{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe	45
PID 2916 wrote to memory of 1028	2916	{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe	45
PID 2916 wrote to memory of 1028	2916	{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_7cfbf6f1aaa6026a57804ac67a268e57_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe
  C:\Windows\{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe
    C:\Windows\{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E6501~1.EXE > nul
      4⤵
      PID:2720
  - - C:\Windows\{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe
      C:\Windows\{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe
        
        C:\Windows\{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A675~1.EXE > nul
        6⤵
        
        PID:2540
      - C:\Windows\{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe
        
        C:\Windows\{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe
        
        C:\Windows\{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe
        
        C:\Windows\{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\{D6CEF12E-25AE-448e-BBC6-4E9B2FC6BD5E}.exe
        
        C:\Windows\{D6CEF12E-25AE-448e-BBC6-4E9B2FC6BD5E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6CEF~1.EXE > nul
        10⤵
        
        PID:1716
        
        C:\Windows\{5D3AADAD-91DD-41da-A726-668A72F15F1A}.exe
        
        C:\Windows\{5D3AADAD-91DD-41da-A726-668A72F15F1A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\{8C5BDD97-2316-4eae-9275-617EBD004791}.exe
        
        C:\Windows\{8C5BDD97-2316-4eae-9275-617EBD004791}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\{0C6319A5-811D-4f6e-9051-1EADBB9E8200}.exe
        
        C:\Windows\{0C6319A5-811D-4f6e-9051-1EADBB9E8200}.exe
        12⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C5BD~1.EXE > nul
        12⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D3AA~1.EXE > nul
        11⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26467~1.EXE > nul
        9⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{641BC~1.EXE > nul
        8⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{089B3~1.EXE > nul
        7⤵
        
        PID:2544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFABB~1.EXE > nul
        5⤵
        
        PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1EB0B~1.EXE > nul
    3⤵
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe

Filesize
380KB

MD5
f430fe882afa1130d675acca9d040c9f

SHA1
6563afae78b1594ec91c4d4c91b1cfafab69fb3a

SHA256
3c4e8cc4758858b9518a9a016bb1a0a540771bec56fd3854b3eed5cd44e32f6c

SHA512
518f1d7133ffcf60f6bde56ab3b437c360145a2bc176e827f996099683111438853407393dfd5bc76471676e5a29b63decc605e05acda0291a2ad48cfbf48a21

Download Submit
C:\Windows\{089B3322-5305-4f3d-8578-8AE25865D3C9}.exe

Filesize
380KB

MD5
f430fe882afa1130d675acca9d040c9f

SHA1
6563afae78b1594ec91c4d4c91b1cfafab69fb3a

SHA256
3c4e8cc4758858b9518a9a016bb1a0a540771bec56fd3854b3eed5cd44e32f6c

SHA512
518f1d7133ffcf60f6bde56ab3b437c360145a2bc176e827f996099683111438853407393dfd5bc76471676e5a29b63decc605e05acda0291a2ad48cfbf48a21

Download Submit
C:\Windows\{0C6319A5-811D-4f6e-9051-1EADBB9E8200}.exe

Filesize
380KB

MD5
1254114f144dc9528859b4aecfe82f7c

SHA1
3dd11bdbb912e539f598ff91ec272de14812db76

SHA256
67976afb4a48e66c3be69a86bcfb3b95756c2d8517cbc112413fcd2237f8dce5

SHA512
6a6936785d9a87afb58a06b8b47574a296f6d8032f76a8c634d067fcc740aabb841ab0d8a9edf6c5447f88b955b27664fa43312fb60c6071144e25de6caa4b5a

Download Submit
C:\Windows\{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe

Filesize
380KB

MD5
32355dc992ac75e88090d17198aeb381

SHA1
6bd9cbd199cf58aeff37c59b43e3257bc9acead7

SHA256
df60c86ce7cb93f010443e3d5c78a5d6623fb4c477eb4ca7c5421bb03c994aac

SHA512
0d89d30908c913658e078b9ba198b434882144a4dd6e123656e956c2ceda95b764f76da0b402c6d7aadeccc44394d1e3f1fd5eaf12191c669d002895b12b58a8

Download Submit
C:\Windows\{1A6753CB-276B-4eeb-85EE-126AE07D3356}.exe

Filesize
380KB

MD5
32355dc992ac75e88090d17198aeb381

SHA1
6bd9cbd199cf58aeff37c59b43e3257bc9acead7

SHA256
df60c86ce7cb93f010443e3d5c78a5d6623fb4c477eb4ca7c5421bb03c994aac

SHA512
0d89d30908c913658e078b9ba198b434882144a4dd6e123656e956c2ceda95b764f76da0b402c6d7aadeccc44394d1e3f1fd5eaf12191c669d002895b12b58a8

Download Submit
C:\Windows\{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe

Filesize
380KB

MD5
52f5994e344868a7c0f2d0f65388921c

SHA1
8c01722ca7579a946ac8c608b721d74a630c5027

SHA256
08c711e0be91ed0b7d62a9250378bbcee588b362bc33392b62187c9ddc24c744

SHA512
82c6655e55d846b830f32f719679ec564d015e8c466b9782386e51ca96225e9b8ffdd3b3718c3a24238a5d75f725e6315bc23a676a2d401761d85bddb690a2f4

Download Submit
C:\Windows\{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe

Filesize
380KB

MD5
52f5994e344868a7c0f2d0f65388921c

SHA1
8c01722ca7579a946ac8c608b721d74a630c5027

SHA256
08c711e0be91ed0b7d62a9250378bbcee588b362bc33392b62187c9ddc24c744

SHA512
82c6655e55d846b830f32f719679ec564d015e8c466b9782386e51ca96225e9b8ffdd3b3718c3a24238a5d75f725e6315bc23a676a2d401761d85bddb690a2f4

Download Submit
C:\Windows\{1EB0B5B0-3972-42ab-80B6-B91AB2652BA3}.exe

Filesize
380KB

MD5
52f5994e344868a7c0f2d0f65388921c

SHA1
8c01722ca7579a946ac8c608b721d74a630c5027

SHA256
08c711e0be91ed0b7d62a9250378bbcee588b362bc33392b62187c9ddc24c744

SHA512
82c6655e55d846b830f32f719679ec564d015e8c466b9782386e51ca96225e9b8ffdd3b3718c3a24238a5d75f725e6315bc23a676a2d401761d85bddb690a2f4

Download Submit
C:\Windows\{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe

Filesize
380KB

MD5
2a3e80b2c682422aecce0bf904b85769

SHA1
0a4c516380c39b55bbca9cc89f5d0527f67ff401

SHA256
7d3ed6983cde8812a32e3afba655ab24ccddee54eaf6d4154f48b60e720d883a

SHA512
ef2cb6f5e82dfddc6f9edc2da1d95b1f270b472d60c1d758275de460ede74b217662c9483048fa55fc681227bdf4ddfa5450b47655e9a3c3b9a4b35feca11a0b

Download Submit
C:\Windows\{2646715F-02AC-4ee5-956C-BFC6C14425FE}.exe

Filesize
380KB

MD5
2a3e80b2c682422aecce0bf904b85769

SHA1
0a4c516380c39b55bbca9cc89f5d0527f67ff401

SHA256
7d3ed6983cde8812a32e3afba655ab24ccddee54eaf6d4154f48b60e720d883a

SHA512
ef2cb6f5e82dfddc6f9edc2da1d95b1f270b472d60c1d758275de460ede74b217662c9483048fa55fc681227bdf4ddfa5450b47655e9a3c3b9a4b35feca11a0b

Download Submit
C:\Windows\{5D3AADAD-91DD-41da-A726-668A72F15F1A}.exe

Filesize
380KB

MD5
e1eb3000f04b8d217c6dbcac5c5d9240

SHA1
a72d7ba37e916eabf76f3dae18da4143805dc32e

SHA256
9665ac97e3c175b2b116a1eabeb93f7739383667c62558987a6bbd9cb041f763

SHA512
ad4e603a13970b817abbcf4abc8db412031d6a62ff6a3d4efe27197cc39b0361724414dd13cca931d92f2a225182d99b452842d01d27f7a667f44fb89d591e0a

Download Submit
C:\Windows\{5D3AADAD-91DD-41da-A726-668A72F15F1A}.exe

Filesize
380KB

MD5
e1eb3000f04b8d217c6dbcac5c5d9240

SHA1
a72d7ba37e916eabf76f3dae18da4143805dc32e

SHA256
9665ac97e3c175b2b116a1eabeb93f7739383667c62558987a6bbd9cb041f763

SHA512
ad4e603a13970b817abbcf4abc8db412031d6a62ff6a3d4efe27197cc39b0361724414dd13cca931d92f2a225182d99b452842d01d27f7a667f44fb89d591e0a

Download Submit
C:\Windows\{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe

Filesize
380KB

MD5
f77ca3416a960f2f305269356c5904c4

SHA1
2cc0bada398d8d5d3c12ae08600b06e64ea917ff

SHA256
242472301f2a92d61a0dee7b5b9feb893b2db3ea1a1c8c27067db0dbe6c72f8f

SHA512
01d03511eeea8b89c2ee693dc3fa3f5a64eed0259b3eb22f43e8da5dbf7bab7779ae0edd95bde8858faf4c46f845c9cc4479dc914c700fe5d51f7990fa1994c7

Download Submit
C:\Windows\{641BCE9D-F6E9-4bf4-8E2B-C03DC59ACA9D}.exe

Filesize
380KB

MD5
f77ca3416a960f2f305269356c5904c4

SHA1
2cc0bada398d8d5d3c12ae08600b06e64ea917ff

SHA256
242472301f2a92d61a0dee7b5b9feb893b2db3ea1a1c8c27067db0dbe6c72f8f

SHA512
01d03511eeea8b89c2ee693dc3fa3f5a64eed0259b3eb22f43e8da5dbf7bab7779ae0edd95bde8858faf4c46f845c9cc4479dc914c700fe5d51f7990fa1994c7

Download Submit
C:\Windows\{8C5BDD97-2316-4eae-9275-617EBD004791}.exe

Filesize
380KB

MD5
2683d8410eed22de43070af24130fa57

SHA1
1337c4e726d0b73c64a6aa6cecbd80703d95fca7

SHA256
b5c06ce75329bc0de7108b8679cc657a57aacd4b1436b81e2c8337880a460050

SHA512
de29ac4c22447bb0bb09922f2e4cf7daf6e1d881260d2c0e73ba8415b95dbbd9b698044bf8ade7ffece5845750aaab92676144c74270b0de905a564e88f341e7

Download Submit
C:\Windows\{8C5BDD97-2316-4eae-9275-617EBD004791}.exe

Filesize
380KB

MD5
2683d8410eed22de43070af24130fa57

SHA1
1337c4e726d0b73c64a6aa6cecbd80703d95fca7

SHA256
b5c06ce75329bc0de7108b8679cc657a57aacd4b1436b81e2c8337880a460050

SHA512
de29ac4c22447bb0bb09922f2e4cf7daf6e1d881260d2c0e73ba8415b95dbbd9b698044bf8ade7ffece5845750aaab92676144c74270b0de905a564e88f341e7

Download Submit
C:\Windows\{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe

Filesize
380KB

MD5
1f572b396f8ba604aca03a8d7861b6d3

SHA1
fdd0f503dc53bcf8e0999f37b06bda0b3c45cef9

SHA256
b27c332991adc7c0459781191cf167b890a1e56132c46689e5ca80090e84ed76

SHA512
fb5e18dd423109a468b451dda485a8fe4f76207addfc320a0b7bc6965ef53c6ae27f95e7b85319a11d313a1fd1c16354ae9f03229ac20c31f941341a61134036

Download Submit
C:\Windows\{AFABB36A-DCE7-406c-B01B-1D246621C140}.exe

Filesize
380KB

MD5
1f572b396f8ba604aca03a8d7861b6d3

SHA1
fdd0f503dc53bcf8e0999f37b06bda0b3c45cef9

SHA256
b27c332991adc7c0459781191cf167b890a1e56132c46689e5ca80090e84ed76

SHA512
fb5e18dd423109a468b451dda485a8fe4f76207addfc320a0b7bc6965ef53c6ae27f95e7b85319a11d313a1fd1c16354ae9f03229ac20c31f941341a61134036

Download Submit
C:\Windows\{D6CEF12E-25AE-448e-BBC6-4E9B2FC6BD5E}.exe

Filesize
380KB

MD5
fb5e7dadaac7e3628b8ce073e64759d1

SHA1
7c62029261952e51e3a3ad3d661a51e5a2292b72

SHA256
497d361dc30954d96748fbec829bc42fa2b74b20edc7c55616632ea3edb16e42

SHA512
37acedd0c554efeeaf688f9754fe0853bc4f814ebfc4d9e164e7fa162f03e11ba2777b38e33022ec093b6e902ace394bef562eca813432be0d22f91f57cb9fae

Download Submit
C:\Windows\{D6CEF12E-25AE-448e-BBC6-4E9B2FC6BD5E}.exe

Filesize
380KB

MD5
fb5e7dadaac7e3628b8ce073e64759d1

SHA1
7c62029261952e51e3a3ad3d661a51e5a2292b72

SHA256
497d361dc30954d96748fbec829bc42fa2b74b20edc7c55616632ea3edb16e42

SHA512
37acedd0c554efeeaf688f9754fe0853bc4f814ebfc4d9e164e7fa162f03e11ba2777b38e33022ec093b6e902ace394bef562eca813432be0d22f91f57cb9fae

Download Submit
C:\Windows\{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe

Filesize
380KB

MD5
527d2e1d39d165e54c436f2fe19f09bd

SHA1
fd649c4c575a9885f428522c166c9d155dc2ea0d

SHA256
046e106778bd8e544a3a683bbeba903ba1b074af6464525f6777e80658899559

SHA512
6463a35c4c8130960ed273c7153133f832cdceb08bc2fd614384d412515d3ec9d0a6d6dcd062ae1e7bb9a7f08a8dd6d1fb07094a3805748470d9f134398f16af

Download Submit
C:\Windows\{E65011F8-9537-4e9c-93D2-DA7DD6027393}.exe

Filesize
380KB

MD5
527d2e1d39d165e54c436f2fe19f09bd

SHA1
fd649c4c575a9885f428522c166c9d155dc2ea0d

SHA256
046e106778bd8e544a3a683bbeba903ba1b074af6464525f6777e80658899559

SHA512
6463a35c4c8130960ed273c7153133f832cdceb08bc2fd614384d412515d3ec9d0a6d6dcd062ae1e7bb9a7f08a8dd6d1fb07094a3805748470d9f134398f16af

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads