b06d54428903a8eaff7a8adeb677198c2af16e4eb461ae9ded6226ade713abbb

Analysis

max time kernel
151s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_c2768aa47207aaf35ba5a89a52281dae_goldeneye_JC.exe
Size

192KB
MD5

c2768aa47207aaf35ba5a89a52281dae
SHA1

7e166bb539ed1941728d826ebb8953808615dc69
SHA256

b06d54428903a8eaff7a8adeb677198c2af16e4eb461ae9ded6226ade713abbb
SHA512

802e91253df00872db6880185ed1d9eb028fdeb70c1208fea7971335dcbac1af955fb537642bc42540ddc846b0bbf58aab5d9e92889af6ce6a419145f07658ee
SSDEEP

1536:1EGh0osl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0osl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E00BF40C-7505-4e83-B719-CB6039C2F503}\stubpath = "C:\\Windows\\{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe"	{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4355F929-63DB-4455-84F3-FC4A3202C191}	{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A947E346-B02C-43e7-8E30-B02C61B67059}\stubpath = "C:\\Windows\\{A947E346-B02C-43e7-8E30-B02C61B67059}.exe"	{4355F929-63DB-4455-84F3-FC4A3202C191}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14AE3613-5C04-4a5d-8747-381D93D9D512}\stubpath = "C:\\Windows\\{14AE3613-5C04-4a5d-8747-381D93D9D512}.exe"	{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8492CD5-9214-457a-A7A1-FC9B09FB71F4}\stubpath = "C:\\Windows\\{C8492CD5-9214-457a-A7A1-FC9B09FB71F4}.exe"	{479F1A68-9A10-4b57-AF1C-BAB2EEC275A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00018094-EC8A-4250-94D4-4E6CF123160D}\stubpath = "C:\\Windows\\{00018094-EC8A-4250-94D4-4E6CF123160D}.exe"	{C8492CD5-9214-457a-A7A1-FC9B09FB71F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AEE951C-FAC1-4988-8765-33FACA0FB973}\stubpath = "C:\\Windows\\{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe"	2023-08-26_c2768aa47207aaf35ba5a89a52281dae_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F917109-5E71-48fe-AD3F-25B7D96CDBED}\stubpath = "C:\\Windows\\{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe"	{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14AE3613-5C04-4a5d-8747-381D93D9D512}	{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8492CD5-9214-457a-A7A1-FC9B09FB71F4}	{479F1A68-9A10-4b57-AF1C-BAB2EEC275A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00018094-EC8A-4250-94D4-4E6CF123160D}	{C8492CD5-9214-457a-A7A1-FC9B09FB71F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{945F75A1-397B-4dc3-9D0C-6147BF8AC206}\stubpath = "C:\\Windows\\{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe"	{A947E346-B02C-43e7-8E30-B02C61B67059}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B9F37C2-E396-4845-BF4E-DD46979C93A8}	{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B9F37C2-E396-4845-BF4E-DD46979C93A8}\stubpath = "C:\\Windows\\{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe"	{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2243E72B-923C-47c8-A5F1-156F802D63EB}\stubpath = "C:\\Windows\\{2243E72B-923C-47c8-A5F1-156F802D63EB}.exe"	{14AE3613-5C04-4a5d-8747-381D93D9D512}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{479F1A68-9A10-4b57-AF1C-BAB2EEC275A9}	{2243E72B-923C-47c8-A5F1-156F802D63EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AEE951C-FAC1-4988-8765-33FACA0FB973}	2023-08-26_c2768aa47207aaf35ba5a89a52281dae_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4355F929-63DB-4455-84F3-FC4A3202C191}\stubpath = "C:\\Windows\\{4355F929-63DB-4455-84F3-FC4A3202C191}.exe"	{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A947E346-B02C-43e7-8E30-B02C61B67059}	{4355F929-63DB-4455-84F3-FC4A3202C191}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{945F75A1-397B-4dc3-9D0C-6147BF8AC206}	{A947E346-B02C-43e7-8E30-B02C61B67059}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F917109-5E71-48fe-AD3F-25B7D96CDBED}	{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2243E72B-923C-47c8-A5F1-156F802D63EB}	{14AE3613-5C04-4a5d-8747-381D93D9D512}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{479F1A68-9A10-4b57-AF1C-BAB2EEC275A9}\stubpath = "C:\\Windows\\{479F1A68-9A10-4b57-AF1C-BAB2EEC275A9}.exe"	{2243E72B-923C-47c8-A5F1-156F802D63EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E00BF40C-7505-4e83-B719-CB6039C2F503}	{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe

Deletes itself 1 IoCs

pid	Process
860	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2372	{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe
2772	{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe
2612	{4355F929-63DB-4455-84F3-FC4A3202C191}.exe
1728	{A947E346-B02C-43e7-8E30-B02C61B67059}.exe
2584	{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe
1292	{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe
1676	{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe
2760	{14AE3613-5C04-4a5d-8747-381D93D9D512}.exe
1612	{2243E72B-923C-47c8-A5F1-156F802D63EB}.exe
800	{479F1A68-9A10-4b57-AF1C-BAB2EEC275A9}.exe
1984	{C8492CD5-9214-457a-A7A1-FC9B09FB71F4}.exe
760	{00018094-EC8A-4250-94D4-4E6CF123160D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe	{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe
File created	C:\Windows\{14AE3613-5C04-4a5d-8747-381D93D9D512}.exe	{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe
File created	C:\Windows\{C8492CD5-9214-457a-A7A1-FC9B09FB71F4}.exe	{479F1A68-9A10-4b57-AF1C-BAB2EEC275A9}.exe
File created	C:\Windows\{00018094-EC8A-4250-94D4-4E6CF123160D}.exe	{C8492CD5-9214-457a-A7A1-FC9B09FB71F4}.exe
File created	C:\Windows\{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe	2023-08-26_c2768aa47207aaf35ba5a89a52281dae_goldeneye_JC.exe
File created	C:\Windows\{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe	{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe
File created	C:\Windows\{A947E346-B02C-43e7-8E30-B02C61B67059}.exe	{4355F929-63DB-4455-84F3-FC4A3202C191}.exe
File created	C:\Windows\{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe	{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe
File created	C:\Windows\{4355F929-63DB-4455-84F3-FC4A3202C191}.exe	{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe
File created	C:\Windows\{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe	{A947E346-B02C-43e7-8E30-B02C61B67059}.exe
File created	C:\Windows\{2243E72B-923C-47c8-A5F1-156F802D63EB}.exe	{14AE3613-5C04-4a5d-8747-381D93D9D512}.exe
File created	C:\Windows\{479F1A68-9A10-4b57-AF1C-BAB2EEC275A9}.exe	{2243E72B-923C-47c8-A5F1-156F802D63EB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1368	2023-08-26_c2768aa47207aaf35ba5a89a52281dae_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2372	{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe
Token: SeIncBasePriorityPrivilege	2772	{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe
Token: SeIncBasePriorityPrivilege	2612	{4355F929-63DB-4455-84F3-FC4A3202C191}.exe
Token: SeIncBasePriorityPrivilege	1728	{A947E346-B02C-43e7-8E30-B02C61B67059}.exe
Token: SeIncBasePriorityPrivilege	2584	{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe
Token: SeIncBasePriorityPrivilege	1292	{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe
Token: SeIncBasePriorityPrivilege	1676	{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe
Token: SeIncBasePriorityPrivilege	2760	{14AE3613-5C04-4a5d-8747-381D93D9D512}.exe
Token: SeIncBasePriorityPrivilege	1612	{2243E72B-923C-47c8-A5F1-156F802D63EB}.exe
Token: SeIncBasePriorityPrivilege	800	{479F1A68-9A10-4b57-AF1C-BAB2EEC275A9}.exe
Token: SeIncBasePriorityPrivilege	1984	{C8492CD5-9214-457a-A7A1-FC9B09FB71F4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2372	1368	2023-08-26_c2768aa47207aaf35ba5a89a52281dae_goldeneye_JC.exe	28
PID 1368 wrote to memory of 2372	1368	2023-08-26_c2768aa47207aaf35ba5a89a52281dae_goldeneye_JC.exe	28
PID 1368 wrote to memory of 2372	1368	2023-08-26_c2768aa47207aaf35ba5a89a52281dae_goldeneye_JC.exe	28
PID 1368 wrote to memory of 2372	1368	2023-08-26_c2768aa47207aaf35ba5a89a52281dae_goldeneye_JC.exe	28
PID 1368 wrote to memory of 860	1368	2023-08-26_c2768aa47207aaf35ba5a89a52281dae_goldeneye_JC.exe	29
PID 1368 wrote to memory of 860	1368	2023-08-26_c2768aa47207aaf35ba5a89a52281dae_goldeneye_JC.exe	29
PID 1368 wrote to memory of 860	1368	2023-08-26_c2768aa47207aaf35ba5a89a52281dae_goldeneye_JC.exe	29
PID 1368 wrote to memory of 860	1368	2023-08-26_c2768aa47207aaf35ba5a89a52281dae_goldeneye_JC.exe	29
PID 2372 wrote to memory of 2772	2372	{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe	30
PID 2372 wrote to memory of 2772	2372	{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe	30
PID 2372 wrote to memory of 2772	2372	{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe	30
PID 2372 wrote to memory of 2772	2372	{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe	30
PID 2372 wrote to memory of 2808	2372	{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe	31
PID 2372 wrote to memory of 2808	2372	{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe	31
PID 2372 wrote to memory of 2808	2372	{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe	31
PID 2372 wrote to memory of 2808	2372	{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe	31
PID 2772 wrote to memory of 2612	2772	{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe	32
PID 2772 wrote to memory of 2612	2772	{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe	32
PID 2772 wrote to memory of 2612	2772	{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe	32
PID 2772 wrote to memory of 2612	2772	{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe	32
PID 2772 wrote to memory of 2716	2772	{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe	33
PID 2772 wrote to memory of 2716	2772	{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe	33
PID 2772 wrote to memory of 2716	2772	{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe	33
PID 2772 wrote to memory of 2716	2772	{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe	33
PID 2612 wrote to memory of 1728	2612	{4355F929-63DB-4455-84F3-FC4A3202C191}.exe	36
PID 2612 wrote to memory of 1728	2612	{4355F929-63DB-4455-84F3-FC4A3202C191}.exe	36
PID 2612 wrote to memory of 1728	2612	{4355F929-63DB-4455-84F3-FC4A3202C191}.exe	36
PID 2612 wrote to memory of 1728	2612	{4355F929-63DB-4455-84F3-FC4A3202C191}.exe	36
PID 2612 wrote to memory of 2528	2612	{4355F929-63DB-4455-84F3-FC4A3202C191}.exe	37
PID 2612 wrote to memory of 2528	2612	{4355F929-63DB-4455-84F3-FC4A3202C191}.exe	37
PID 2612 wrote to memory of 2528	2612	{4355F929-63DB-4455-84F3-FC4A3202C191}.exe	37
PID 2612 wrote to memory of 2528	2612	{4355F929-63DB-4455-84F3-FC4A3202C191}.exe	37
PID 1728 wrote to memory of 2584	1728	{A947E346-B02C-43e7-8E30-B02C61B67059}.exe	38
PID 1728 wrote to memory of 2584	1728	{A947E346-B02C-43e7-8E30-B02C61B67059}.exe	38
PID 1728 wrote to memory of 2584	1728	{A947E346-B02C-43e7-8E30-B02C61B67059}.exe	38
PID 1728 wrote to memory of 2584	1728	{A947E346-B02C-43e7-8E30-B02C61B67059}.exe	38
PID 1728 wrote to memory of 2992	1728	{A947E346-B02C-43e7-8E30-B02C61B67059}.exe	39
PID 1728 wrote to memory of 2992	1728	{A947E346-B02C-43e7-8E30-B02C61B67059}.exe	39
PID 1728 wrote to memory of 2992	1728	{A947E346-B02C-43e7-8E30-B02C61B67059}.exe	39
PID 1728 wrote to memory of 2992	1728	{A947E346-B02C-43e7-8E30-B02C61B67059}.exe	39
PID 2584 wrote to memory of 1292	2584	{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe	40
PID 2584 wrote to memory of 1292	2584	{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe	40
PID 2584 wrote to memory of 1292	2584	{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe	40
PID 2584 wrote to memory of 1292	2584	{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe	40
PID 2584 wrote to memory of 2488	2584	{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe	41
PID 2584 wrote to memory of 2488	2584	{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe	41
PID 2584 wrote to memory of 2488	2584	{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe	41
PID 2584 wrote to memory of 2488	2584	{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe	41
PID 1292 wrote to memory of 1676	1292	{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe	42
PID 1292 wrote to memory of 1676	1292	{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe	42
PID 1292 wrote to memory of 1676	1292	{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe	42
PID 1292 wrote to memory of 1676	1292	{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe	42
PID 1292 wrote to memory of 2740	1292	{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe	43
PID 1292 wrote to memory of 2740	1292	{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe	43
PID 1292 wrote to memory of 2740	1292	{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe	43
PID 1292 wrote to memory of 2740	1292	{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe	43
PID 1676 wrote to memory of 2760	1676	{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe	44
PID 1676 wrote to memory of 2760	1676	{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe	44
PID 1676 wrote to memory of 2760	1676	{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe	44
PID 1676 wrote to memory of 2760	1676	{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe	44
PID 1676 wrote to memory of 2844	1676	{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe	45
PID 1676 wrote to memory of 2844	1676	{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe	45
PID 1676 wrote to memory of 2844	1676	{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe	45
PID 1676 wrote to memory of 2844	1676	{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-26_c2768aa47207aaf35ba5a89a52281dae_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_c2768aa47207aaf35ba5a89a52281dae_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe
  C:\Windows\{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe
    C:\Windows\{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\{4355F929-63DB-4455-84F3-FC4A3202C191}.exe
      C:\Windows\{4355F929-63DB-4455-84F3-FC4A3202C191}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\{A947E346-B02C-43e7-8E30-B02C61B67059}.exe
        
        C:\Windows\{A947E346-B02C-43e7-8E30-B02C61B67059}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
      - C:\Windows\{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe
        
        C:\Windows\{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe
        
        C:\Windows\{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe
        
        C:\Windows\{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\{14AE3613-5C04-4a5d-8747-381D93D9D512}.exe
        
        C:\Windows\{14AE3613-5C04-4a5d-8747-381D93D9D512}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\{2243E72B-923C-47c8-A5F1-156F802D63EB}.exe
        
        C:\Windows\{2243E72B-923C-47c8-A5F1-156F802D63EB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\{479F1A68-9A10-4b57-AF1C-BAB2EEC275A9}.exe
        
        C:\Windows\{479F1A68-9A10-4b57-AF1C-BAB2EEC275A9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Windows\{C8492CD5-9214-457a-A7A1-FC9B09FB71F4}.exe
        
        C:\Windows\{C8492CD5-9214-457a-A7A1-FC9B09FB71F4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\{00018094-EC8A-4250-94D4-4E6CF123160D}.exe
        
        C:\Windows\{00018094-EC8A-4250-94D4-4E6CF123160D}.exe
        13⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8492~1.EXE > nul
        13⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{479F1~1.EXE > nul
        12⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2243E~1.EXE > nul
        11⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14AE3~1.EXE > nul
        10⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F917~1.EXE > nul
        9⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B9F3~1.EXE > nul
        8⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{945F7~1.EXE > nul
        7⤵
        
        PID:2488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A947E~1.EXE > nul
        6⤵
        
        PID:2992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4355F~1.EXE > nul
        5⤵
        
        PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E00BF~1.EXE > nul
      4⤵
      PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1AEE9~1.EXE > nul
    3⤵
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00018094-EC8A-4250-94D4-4E6CF123160D}.exe

Filesize
192KB

MD5
0fec23bebb002a1402e81cc914a91d0d

SHA1
392cf2b6524c183e13bd1a8fb2876584f5bba2ea

SHA256
007ed90ccad35689fd2b1b689ac8c2d5c7f9a0d23fccfc5055490f2d9ec60c15

SHA512
0afdfde2e00ea64b526b6d112408fde5e405122b6309a17fd65d8ff987081f6c89bfb39c7d1806579913db4b5e54e4dbd5fdae7a58f8e6d615f9856099ac5ab3

Download Submit
C:\Windows\{14AE3613-5C04-4a5d-8747-381D93D9D512}.exe

Filesize
192KB

MD5
93a9df63a952b276c5e05a73605bf6e3

SHA1
74ba612a7de3617696f74aaf87c233a24917e31b

SHA256
4a4fdae6dd3c7b821e2bc451f1a4fe8bcd4434e64b4908b06fe2a6daf3bbe5a1

SHA512
d071d10baa5ff13142db545b51725d3f4eb484e83768e03f74cd55ca86b0fa029314fcdf5be849eb555824e407c122d5cf2ac480ce1ff9960c90c892841bcda9

Download Submit
C:\Windows\{14AE3613-5C04-4a5d-8747-381D93D9D512}.exe

Filesize
192KB

MD5
93a9df63a952b276c5e05a73605bf6e3

SHA1
74ba612a7de3617696f74aaf87c233a24917e31b

SHA256
4a4fdae6dd3c7b821e2bc451f1a4fe8bcd4434e64b4908b06fe2a6daf3bbe5a1

SHA512
d071d10baa5ff13142db545b51725d3f4eb484e83768e03f74cd55ca86b0fa029314fcdf5be849eb555824e407c122d5cf2ac480ce1ff9960c90c892841bcda9

Download Submit
C:\Windows\{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe

Filesize
192KB

MD5
e540b802af9bedf19c359d77c4d497ab

SHA1
da5b914f036040f72a5186de0b2c1e61fec901dc

SHA256
be134b661ff2b9963ad7f0fb67b58c74d3ed1deacda27a2d33fe3f56fcfafd19

SHA512
ae89d24536306ad0808cef5390223e4cafd010d85257346556d0b4dfde7e620246ef93debb88a1dc7ad495c9d39f87e9ee05acf146e560e6e1181a60130a94cb

Download Submit
C:\Windows\{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe

Filesize
192KB

MD5
e540b802af9bedf19c359d77c4d497ab

SHA1
da5b914f036040f72a5186de0b2c1e61fec901dc

SHA256
be134b661ff2b9963ad7f0fb67b58c74d3ed1deacda27a2d33fe3f56fcfafd19

SHA512
ae89d24536306ad0808cef5390223e4cafd010d85257346556d0b4dfde7e620246ef93debb88a1dc7ad495c9d39f87e9ee05acf146e560e6e1181a60130a94cb

Download Submit
C:\Windows\{1AEE951C-FAC1-4988-8765-33FACA0FB973}.exe

Filesize
192KB

MD5
e540b802af9bedf19c359d77c4d497ab

SHA1
da5b914f036040f72a5186de0b2c1e61fec901dc

SHA256
be134b661ff2b9963ad7f0fb67b58c74d3ed1deacda27a2d33fe3f56fcfafd19

SHA512
ae89d24536306ad0808cef5390223e4cafd010d85257346556d0b4dfde7e620246ef93debb88a1dc7ad495c9d39f87e9ee05acf146e560e6e1181a60130a94cb

Download Submit
C:\Windows\{2243E72B-923C-47c8-A5F1-156F802D63EB}.exe

Filesize
192KB

MD5
f0c0369c174b8effee70eeea949be6b4

SHA1
5ef713e82392178127db148fed5811b0641f30a9

SHA256
3e55ffabb7ca55e1af0be39ad409db062689d2105254e39215731c14b126be77

SHA512
7d72cb483f8d0e1cf1c01b137f000de33e4bdccf495aaca6ba9790a1d6ab152f86193400bea513b6c0e578616313232fdabd03ee827a2a9640fdcf75813bff7b

Download Submit
C:\Windows\{2243E72B-923C-47c8-A5F1-156F802D63EB}.exe

Filesize
192KB

MD5
f0c0369c174b8effee70eeea949be6b4

SHA1
5ef713e82392178127db148fed5811b0641f30a9

SHA256
3e55ffabb7ca55e1af0be39ad409db062689d2105254e39215731c14b126be77

SHA512
7d72cb483f8d0e1cf1c01b137f000de33e4bdccf495aaca6ba9790a1d6ab152f86193400bea513b6c0e578616313232fdabd03ee827a2a9640fdcf75813bff7b

Download Submit
C:\Windows\{4355F929-63DB-4455-84F3-FC4A3202C191}.exe

Filesize
192KB

MD5
c41f1bc611d8fd8fa1a4422e24259e05

SHA1
4cff26cfcee76387e3a23ed3a7989179182dea26

SHA256
0bc63bcf039e192b14e4271954665f7bddf58f61e5dfe8f0cd247f01fb5a0b2d

SHA512
b76c2a1094fec59a4e74ee875bc4be3943cc6c64b9938ee2e52ec776e80f92a9f9780d2952f65d33cc63a38beb6ac14a27d40b23dc7ae102241ece4fe8a72068

Download Submit
C:\Windows\{4355F929-63DB-4455-84F3-FC4A3202C191}.exe

Filesize
192KB

MD5
c41f1bc611d8fd8fa1a4422e24259e05

SHA1
4cff26cfcee76387e3a23ed3a7989179182dea26

SHA256
0bc63bcf039e192b14e4271954665f7bddf58f61e5dfe8f0cd247f01fb5a0b2d

SHA512
b76c2a1094fec59a4e74ee875bc4be3943cc6c64b9938ee2e52ec776e80f92a9f9780d2952f65d33cc63a38beb6ac14a27d40b23dc7ae102241ece4fe8a72068

Download Submit
C:\Windows\{479F1A68-9A10-4b57-AF1C-BAB2EEC275A9}.exe

Filesize
192KB

MD5
11f4a379a9593e9bc9f9d7ba00ed198b

SHA1
a1f10384d31601f5aaabe2a9ecd1bc8e76875673

SHA256
5be7773a36129329e8c8426560374ef72f3fa0d203b52a27fdfbc9617249ce79

SHA512
8beba49bc06b04ee862af54cd0d391dc4eecab0b85e1d82351704b925f9a62790a9f7a21cbb452b6035501c6397f774953d79f44098aeaf00283399cbb0e4c4b

Download Submit
C:\Windows\{479F1A68-9A10-4b57-AF1C-BAB2EEC275A9}.exe

Filesize
192KB

MD5
11f4a379a9593e9bc9f9d7ba00ed198b

SHA1
a1f10384d31601f5aaabe2a9ecd1bc8e76875673

SHA256
5be7773a36129329e8c8426560374ef72f3fa0d203b52a27fdfbc9617249ce79

SHA512
8beba49bc06b04ee862af54cd0d391dc4eecab0b85e1d82351704b925f9a62790a9f7a21cbb452b6035501c6397f774953d79f44098aeaf00283399cbb0e4c4b

Download Submit
C:\Windows\{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe

Filesize
192KB

MD5
a8c17973de7b1f5c3b9f9cb00c9e4130

SHA1
f3f3ee90bda52d8b494657d42b00073c607220d5

SHA256
3a9f7567334acf96b3938d3e16adb9657abf9de132b86956cfab1cbcdaa8ebdb

SHA512
40914d093f5bdc97af03493df35b0e1e2c945fe7eb5be0390391a8cfd482a9448bf926a427d57571c76f254098dfbb8cdbf60c1c71e5889d2d6dd5d1a985ee4e

Download Submit
C:\Windows\{8F917109-5E71-48fe-AD3F-25B7D96CDBED}.exe

Filesize
192KB

MD5
a8c17973de7b1f5c3b9f9cb00c9e4130

SHA1
f3f3ee90bda52d8b494657d42b00073c607220d5

SHA256
3a9f7567334acf96b3938d3e16adb9657abf9de132b86956cfab1cbcdaa8ebdb

SHA512
40914d093f5bdc97af03493df35b0e1e2c945fe7eb5be0390391a8cfd482a9448bf926a427d57571c76f254098dfbb8cdbf60c1c71e5889d2d6dd5d1a985ee4e

Download Submit
C:\Windows\{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe

Filesize
192KB

MD5
ee10acf2255061f62f094d5bb9f229f1

SHA1
598abc31fc5f95fb798d28b20ce4aeefc66b0650

SHA256
9eb001b066f814c07ac09ce81f4c4fabed3c96b952232c8cfb1c60589e9cabb8

SHA512
db46c51495746d3fdf7c8e30ae0484f80494838fe023b01bd14635555539df037e8e26176c6cfc6ca8393c622bf3e67454425ac95ce6f4918198cdd55c18fef8

Download Submit
C:\Windows\{945F75A1-397B-4dc3-9D0C-6147BF8AC206}.exe

Filesize
192KB

MD5
ee10acf2255061f62f094d5bb9f229f1

SHA1
598abc31fc5f95fb798d28b20ce4aeefc66b0650

SHA256
9eb001b066f814c07ac09ce81f4c4fabed3c96b952232c8cfb1c60589e9cabb8

SHA512
db46c51495746d3fdf7c8e30ae0484f80494838fe023b01bd14635555539df037e8e26176c6cfc6ca8393c622bf3e67454425ac95ce6f4918198cdd55c18fef8

Download Submit
C:\Windows\{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe

Filesize
192KB

MD5
0aaca9cf598588447913bb116548bd4f

SHA1
e5f016747209e2e074fff308fd5d671aff7cf40e

SHA256
178775bccb149079d30bb4b5bf8f08aa4d48764d509c7ff4cf9b8094d84f24cc

SHA512
09410228bc2f900a01f8e79ef887d90ccccced7d4149ad65a1f4546a0d24a9fdbdfb4e7f08ee6c929c0bdef160a35e8e39a940e95dd4aad23eb6114753c2227c

Download Submit
C:\Windows\{9B9F37C2-E396-4845-BF4E-DD46979C93A8}.exe

Filesize
192KB

MD5
0aaca9cf598588447913bb116548bd4f

SHA1
e5f016747209e2e074fff308fd5d671aff7cf40e

SHA256
178775bccb149079d30bb4b5bf8f08aa4d48764d509c7ff4cf9b8094d84f24cc

SHA512
09410228bc2f900a01f8e79ef887d90ccccced7d4149ad65a1f4546a0d24a9fdbdfb4e7f08ee6c929c0bdef160a35e8e39a940e95dd4aad23eb6114753c2227c

Download Submit
C:\Windows\{A947E346-B02C-43e7-8E30-B02C61B67059}.exe

Filesize
192KB

MD5
b3447b133c8385ce334100348e7c2bdf

SHA1
2fdeda08b8446c9fe7727a01aab70bb30f8648b4

SHA256
87bf8ecf5ee498383090d7e30d2b294f16c83cd5afbc5803d5359555bd272ff6

SHA512
03041b99ce354fc0dbe21d8654c45ddebe2c1e640cfcf6da544123451beeef50941cf46fb4e1ff35a9afe69d7cf5f2785a45057a29104130411dace664e76367

Download Submit
C:\Windows\{A947E346-B02C-43e7-8E30-B02C61B67059}.exe

Filesize
192KB

MD5
b3447b133c8385ce334100348e7c2bdf

SHA1
2fdeda08b8446c9fe7727a01aab70bb30f8648b4

SHA256
87bf8ecf5ee498383090d7e30d2b294f16c83cd5afbc5803d5359555bd272ff6

SHA512
03041b99ce354fc0dbe21d8654c45ddebe2c1e640cfcf6da544123451beeef50941cf46fb4e1ff35a9afe69d7cf5f2785a45057a29104130411dace664e76367

Download Submit
C:\Windows\{C8492CD5-9214-457a-A7A1-FC9B09FB71F4}.exe

Filesize
192KB

MD5
ca16fa89782cfde4ea2735f8fee21338

SHA1
f92f8f3afd511f744396abb39f323f2c95d26788

SHA256
6c6c20014e8bec19290cd4988eb6f2ac435c56c81c57d2a6a5b2b2c666459faa

SHA512
857286ed541bb7da129830446ea3f0290817c140d26c35baae70a8256190a20f225e417f96ddd0818cd87d0f6bb27b4375f1256903de661de0709d9b8368dce2

Download Submit
C:\Windows\{C8492CD5-9214-457a-A7A1-FC9B09FB71F4}.exe

Filesize
192KB

MD5
ca16fa89782cfde4ea2735f8fee21338

SHA1
f92f8f3afd511f744396abb39f323f2c95d26788

SHA256
6c6c20014e8bec19290cd4988eb6f2ac435c56c81c57d2a6a5b2b2c666459faa

SHA512
857286ed541bb7da129830446ea3f0290817c140d26c35baae70a8256190a20f225e417f96ddd0818cd87d0f6bb27b4375f1256903de661de0709d9b8368dce2

Download Submit
C:\Windows\{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe

Filesize
192KB

MD5
e8fec5ce03d54321a957f0d4afc9e88c

SHA1
6e523cda7209ba95f662af56c9942d224a5aab64

SHA256
e0be0537ee5c2143ee0e81671c1c6079ee491d3d64f717efd1311ed8b89f9d1b

SHA512
a8f81fff3107988545aed705c1ea7e03c105c9311253bc71534250c2317a1db868cb0ea40bfb786919ba84df8501000e8822dbd0f23520c662298af8d6d9a9ed

Download Submit
C:\Windows\{E00BF40C-7505-4e83-B719-CB6039C2F503}.exe

Filesize
192KB

MD5
e8fec5ce03d54321a957f0d4afc9e88c

SHA1
6e523cda7209ba95f662af56c9942d224a5aab64

SHA256
e0be0537ee5c2143ee0e81671c1c6079ee491d3d64f717efd1311ed8b89f9d1b

SHA512
a8f81fff3107988545aed705c1ea7e03c105c9311253bc71534250c2317a1db868cb0ea40bfb786919ba84df8501000e8822dbd0f23520c662298af8d6d9a9ed

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads