893820562a57268aadc67e5d18dabc2deb73d08f4db8a7bfd0ce6be750df12fa

Analysis

max time kernel
151s
max time network
132s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_d10e2efb41a5a24b8253472f2124880f_goldeneye_JC.exe
Size

408KB
MD5

d10e2efb41a5a24b8253472f2124880f
SHA1

f4abcc793b27aeefb255c5ed90ad8521e45fac53
SHA256

893820562a57268aadc67e5d18dabc2deb73d08f4db8a7bfd0ce6be750df12fa
SHA512

cdb4d8e8bf7f549b86d684cfc9b27ad01216c0400213390387f870a926a485b666263e01e0606436a9371d60c6d9f0588628877d4a10cd40b9a35824aba15b69
SSDEEP

3072:CEGh0oBl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGrldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82955DA4-B168-486d-9048-3C26B8656AD7}\stubpath = "C:\\Windows\\{82955DA4-B168-486d-9048-3C26B8656AD7}.exe"	{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{069AB316-14E8-4c18-9A37-5AFD1BC348B5}	{82955DA4-B168-486d-9048-3C26B8656AD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}	{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97B59451-DCBE-49e4-A67E-D1706D3BA4EF}	{1C3AB15A-017F-4f3e-9261-98B0430EE7C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97B59451-DCBE-49e4-A67E-D1706D3BA4EF}\stubpath = "C:\\Windows\\{97B59451-DCBE-49e4-A67E-D1706D3BA4EF}.exe"	{1C3AB15A-017F-4f3e-9261-98B0430EE7C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88933B32-2C4B-4de5-A39C-0C68D284AE56}\stubpath = "C:\\Windows\\{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe"	{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}\stubpath = "C:\\Windows\\{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe"	{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82955DA4-B168-486d-9048-3C26B8656AD7}	{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}	{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}\stubpath = "C:\\Windows\\{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe"	{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C3AB15A-017F-4f3e-9261-98B0430EE7C7}\stubpath = "C:\\Windows\\{1C3AB15A-017F-4f3e-9261-98B0430EE7C7}.exe"	{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41893055-D935-4c63-89E6-88F64AD0764C}	{5A14E7D5-AD32-42fb-A51F-215859BE999A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}	2023-08-26_d10e2efb41a5a24b8253472f2124880f_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88933B32-2C4B-4de5-A39C-0C68D284AE56}	{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{936C7A25-41C5-46f3-B7F4-B4ED964A509D}\stubpath = "C:\\Windows\\{936C7A25-41C5-46f3-B7F4-B4ED964A509D}.exe"	{97B59451-DCBE-49e4-A67E-D1706D3BA4EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A14E7D5-AD32-42fb-A51F-215859BE999A}\stubpath = "C:\\Windows\\{5A14E7D5-AD32-42fb-A51F-215859BE999A}.exe"	{936C7A25-41C5-46f3-B7F4-B4ED964A509D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41893055-D935-4c63-89E6-88F64AD0764C}\stubpath = "C:\\Windows\\{41893055-D935-4c63-89E6-88F64AD0764C}.exe"	{5A14E7D5-AD32-42fb-A51F-215859BE999A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}\stubpath = "C:\\Windows\\{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe"	2023-08-26_d10e2efb41a5a24b8253472f2124880f_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}	{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C3AB15A-017F-4f3e-9261-98B0430EE7C7}	{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{936C7A25-41C5-46f3-B7F4-B4ED964A509D}	{97B59451-DCBE-49e4-A67E-D1706D3BA4EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A14E7D5-AD32-42fb-A51F-215859BE999A}	{936C7A25-41C5-46f3-B7F4-B4ED964A509D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{069AB316-14E8-4c18-9A37-5AFD1BC348B5}\stubpath = "C:\\Windows\\{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe"	{82955DA4-B168-486d-9048-3C26B8656AD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}\stubpath = "C:\\Windows\\{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe"	{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe

Deletes itself 1 IoCs

pid	Process
2600	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
3032	{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe
2620	{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe
2688	{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe
2492	{82955DA4-B168-486d-9048-3C26B8656AD7}.exe
2612	{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe
1396	{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe
2668	{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe
2944	{1C3AB15A-017F-4f3e-9261-98B0430EE7C7}.exe
1640	{97B59451-DCBE-49e4-A67E-D1706D3BA4EF}.exe
320	{936C7A25-41C5-46f3-B7F4-B4ED964A509D}.exe
1932	{5A14E7D5-AD32-42fb-A51F-215859BE999A}.exe
2036	{41893055-D935-4c63-89E6-88F64AD0764C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe	{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe
File created	C:\Windows\{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe	{82955DA4-B168-486d-9048-3C26B8656AD7}.exe
File created	C:\Windows\{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe	{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe
File created	C:\Windows\{97B59451-DCBE-49e4-A67E-D1706D3BA4EF}.exe	{1C3AB15A-017F-4f3e-9261-98B0430EE7C7}.exe
File created	C:\Windows\{5A14E7D5-AD32-42fb-A51F-215859BE999A}.exe	{936C7A25-41C5-46f3-B7F4-B4ED964A509D}.exe
File created	C:\Windows\{41893055-D935-4c63-89E6-88F64AD0764C}.exe	{5A14E7D5-AD32-42fb-A51F-215859BE999A}.exe
File created	C:\Windows\{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe	2023-08-26_d10e2efb41a5a24b8253472f2124880f_goldeneye_JC.exe
File created	C:\Windows\{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe	{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe
File created	C:\Windows\{82955DA4-B168-486d-9048-3C26B8656AD7}.exe	{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe
File created	C:\Windows\{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe	{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe
File created	C:\Windows\{1C3AB15A-017F-4f3e-9261-98B0430EE7C7}.exe	{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe
File created	C:\Windows\{936C7A25-41C5-46f3-B7F4-B4ED964A509D}.exe	{97B59451-DCBE-49e4-A67E-D1706D3BA4EF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2160	2023-08-26_d10e2efb41a5a24b8253472f2124880f_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3032	{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe
Token: SeIncBasePriorityPrivilege	2620	{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe
Token: SeIncBasePriorityPrivilege	2688	{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe
Token: SeIncBasePriorityPrivilege	2492	{82955DA4-B168-486d-9048-3C26B8656AD7}.exe
Token: SeIncBasePriorityPrivilege	2612	{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe
Token: SeIncBasePriorityPrivilege	1396	{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe
Token: SeIncBasePriorityPrivilege	2668	{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe
Token: SeIncBasePriorityPrivilege	2944	{1C3AB15A-017F-4f3e-9261-98B0430EE7C7}.exe
Token: SeIncBasePriorityPrivilege	1640	{97B59451-DCBE-49e4-A67E-D1706D3BA4EF}.exe
Token: SeIncBasePriorityPrivilege	320	{936C7A25-41C5-46f3-B7F4-B4ED964A509D}.exe
Token: SeIncBasePriorityPrivilege	1932	{5A14E7D5-AD32-42fb-A51F-215859BE999A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 3032	2160	2023-08-26_d10e2efb41a5a24b8253472f2124880f_goldeneye_JC.exe	28
PID 2160 wrote to memory of 3032	2160	2023-08-26_d10e2efb41a5a24b8253472f2124880f_goldeneye_JC.exe	28
PID 2160 wrote to memory of 3032	2160	2023-08-26_d10e2efb41a5a24b8253472f2124880f_goldeneye_JC.exe	28
PID 2160 wrote to memory of 3032	2160	2023-08-26_d10e2efb41a5a24b8253472f2124880f_goldeneye_JC.exe	28
PID 2160 wrote to memory of 2600	2160	2023-08-26_d10e2efb41a5a24b8253472f2124880f_goldeneye_JC.exe	29
PID 2160 wrote to memory of 2600	2160	2023-08-26_d10e2efb41a5a24b8253472f2124880f_goldeneye_JC.exe	29
PID 2160 wrote to memory of 2600	2160	2023-08-26_d10e2efb41a5a24b8253472f2124880f_goldeneye_JC.exe	29
PID 2160 wrote to memory of 2600	2160	2023-08-26_d10e2efb41a5a24b8253472f2124880f_goldeneye_JC.exe	29
PID 3032 wrote to memory of 2620	3032	{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe	30
PID 3032 wrote to memory of 2620	3032	{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe	30
PID 3032 wrote to memory of 2620	3032	{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe	30
PID 3032 wrote to memory of 2620	3032	{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe	30
PID 3032 wrote to memory of 2732	3032	{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe	31
PID 3032 wrote to memory of 2732	3032	{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe	31
PID 3032 wrote to memory of 2732	3032	{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe	31
PID 3032 wrote to memory of 2732	3032	{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe	31
PID 2620 wrote to memory of 2688	2620	{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe	34
PID 2620 wrote to memory of 2688	2620	{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe	34
PID 2620 wrote to memory of 2688	2620	{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe	34
PID 2620 wrote to memory of 2688	2620	{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe	34
PID 2620 wrote to memory of 2664	2620	{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe	35
PID 2620 wrote to memory of 2664	2620	{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe	35
PID 2620 wrote to memory of 2664	2620	{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe	35
PID 2620 wrote to memory of 2664	2620	{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe	35
PID 2688 wrote to memory of 2492	2688	{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe	36
PID 2688 wrote to memory of 2492	2688	{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe	36
PID 2688 wrote to memory of 2492	2688	{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe	36
PID 2688 wrote to memory of 2492	2688	{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe	36
PID 2688 wrote to memory of 2524	2688	{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe	37
PID 2688 wrote to memory of 2524	2688	{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe	37
PID 2688 wrote to memory of 2524	2688	{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe	37
PID 2688 wrote to memory of 2524	2688	{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe	37
PID 2492 wrote to memory of 2612	2492	{82955DA4-B168-486d-9048-3C26B8656AD7}.exe	38
PID 2492 wrote to memory of 2612	2492	{82955DA4-B168-486d-9048-3C26B8656AD7}.exe	38
PID 2492 wrote to memory of 2612	2492	{82955DA4-B168-486d-9048-3C26B8656AD7}.exe	38
PID 2492 wrote to memory of 2612	2492	{82955DA4-B168-486d-9048-3C26B8656AD7}.exe	38
PID 2492 wrote to memory of 2960	2492	{82955DA4-B168-486d-9048-3C26B8656AD7}.exe	39
PID 2492 wrote to memory of 2960	2492	{82955DA4-B168-486d-9048-3C26B8656AD7}.exe	39
PID 2492 wrote to memory of 2960	2492	{82955DA4-B168-486d-9048-3C26B8656AD7}.exe	39
PID 2492 wrote to memory of 2960	2492	{82955DA4-B168-486d-9048-3C26B8656AD7}.exe	39
PID 2612 wrote to memory of 1396	2612	{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe	40
PID 2612 wrote to memory of 1396	2612	{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe	40
PID 2612 wrote to memory of 1396	2612	{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe	40
PID 2612 wrote to memory of 1396	2612	{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe	40
PID 2612 wrote to memory of 1048	2612	{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe	41
PID 2612 wrote to memory of 1048	2612	{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe	41
PID 2612 wrote to memory of 1048	2612	{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe	41
PID 2612 wrote to memory of 1048	2612	{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe	41
PID 1396 wrote to memory of 2668	1396	{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe	42
PID 1396 wrote to memory of 2668	1396	{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe	42
PID 1396 wrote to memory of 2668	1396	{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe	42
PID 1396 wrote to memory of 2668	1396	{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe	42
PID 1396 wrote to memory of 2764	1396	{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe	43
PID 1396 wrote to memory of 2764	1396	{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe	43
PID 1396 wrote to memory of 2764	1396	{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe	43
PID 1396 wrote to memory of 2764	1396	{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe	43
PID 2668 wrote to memory of 2944	2668	{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe	45
PID 2668 wrote to memory of 2944	2668	{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe	45
PID 2668 wrote to memory of 2944	2668	{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe	45
PID 2668 wrote to memory of 2944	2668	{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe	45
PID 2668 wrote to memory of 2028	2668	{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe	44
PID 2668 wrote to memory of 2028	2668	{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe	44
PID 2668 wrote to memory of 2028	2668	{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe	44
PID 2668 wrote to memory of 2028	2668	{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe	44

C:\Users\Admin\AppData\Local\Temp\2023-08-26_d10e2efb41a5a24b8253472f2124880f_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_d10e2efb41a5a24b8253472f2124880f_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe
  C:\Windows\{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe
    C:\Windows\{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe
      C:\Windows\{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\{82955DA4-B168-486d-9048-3C26B8656AD7}.exe
        
        C:\Windows\{82955DA4-B168-486d-9048-3C26B8656AD7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
      - C:\Windows\{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe
        
        C:\Windows\{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe
        
        C:\Windows\{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe
        
        C:\Windows\{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F7C0~1.EXE > nul
        9⤵
        
        PID:2028
        
        C:\Windows\{1C3AB15A-017F-4f3e-9261-98B0430EE7C7}.exe
        
        C:\Windows\{1C3AB15A-017F-4f3e-9261-98B0430EE7C7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\{97B59451-DCBE-49e4-A67E-D1706D3BA4EF}.exe
        
        C:\Windows\{97B59451-DCBE-49e4-A67E-D1706D3BA4EF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\{936C7A25-41C5-46f3-B7F4-B4ED964A509D}.exe
        
        C:\Windows\{936C7A25-41C5-46f3-B7F4-B4ED964A509D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{936C7~1.EXE > nul
        12⤵
        
        PID:1324
        
        C:\Windows\{5A14E7D5-AD32-42fb-A51F-215859BE999A}.exe
        
        C:\Windows\{5A14E7D5-AD32-42fb-A51F-215859BE999A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\{41893055-D935-4c63-89E6-88F64AD0764C}.exe
        
        C:\Windows\{41893055-D935-4c63-89E6-88F64AD0764C}.exe
        13⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A14E~1.EXE > nul
        13⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97B59~1.EXE > nul
        11⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C3AB~1.EXE > nul
        10⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D21E3~1.EXE > nul
        8⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{069AB~1.EXE > nul
        7⤵
        
        PID:1048
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82955~1.EXE > nul
        6⤵
        
        PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B3CE~1.EXE > nul
        5⤵
        
        PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{88933~1.EXE > nul
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{38D0C~1.EXE > nul
    3⤵
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe

Filesize
408KB

MD5
af858908fae621d6666153b6bd1af09b

SHA1
5fea2705ad0519f6855db1d490ccc24c91edb9c9

SHA256
fafae027b20222d866e2a8bf91b2596d9a33ccdcb536a5eed7dbcb78dcae107d

SHA512
c7b53eb96f3fc0cc9b3e48ac0710d49c84513416d6d06d4d9e167179b3d20a5d5137666c53e4f243703f96e8703082f3765bb409972ebf1eb282ed08c39330e8

Download Submit
C:\Windows\{069AB316-14E8-4c18-9A37-5AFD1BC348B5}.exe

Filesize
408KB

MD5
af858908fae621d6666153b6bd1af09b

SHA1
5fea2705ad0519f6855db1d490ccc24c91edb9c9

SHA256
fafae027b20222d866e2a8bf91b2596d9a33ccdcb536a5eed7dbcb78dcae107d

SHA512
c7b53eb96f3fc0cc9b3e48ac0710d49c84513416d6d06d4d9e167179b3d20a5d5137666c53e4f243703f96e8703082f3765bb409972ebf1eb282ed08c39330e8

Download Submit
C:\Windows\{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe

Filesize
408KB

MD5
1ff9453543c1fb17a864f27f7d2ac789

SHA1
ce0034dcc957c2c3e47133efca6c6ac524d19cfe

SHA256
ae18ccd231fbda736b92cb6a5ee832a8af73b1ea6ccefec1508e42cccb202f68

SHA512
89d69b56c8410c633c5b315ac93510b9ab075c3d702594e363e51125794f226319330b5d12e0ecc6592b351632c261c8ab6e262f4c5d6f9a4fad03ca61b2f095

Download Submit
C:\Windows\{1B3CE61A-2151-4f19-B8D9-AA426D1AD638}.exe

Filesize
408KB

MD5
1ff9453543c1fb17a864f27f7d2ac789

SHA1
ce0034dcc957c2c3e47133efca6c6ac524d19cfe

SHA256
ae18ccd231fbda736b92cb6a5ee832a8af73b1ea6ccefec1508e42cccb202f68

SHA512
89d69b56c8410c633c5b315ac93510b9ab075c3d702594e363e51125794f226319330b5d12e0ecc6592b351632c261c8ab6e262f4c5d6f9a4fad03ca61b2f095

Download Submit
C:\Windows\{1C3AB15A-017F-4f3e-9261-98B0430EE7C7}.exe

Filesize
408KB

MD5
668162e5c715d68d686916864ccae88d

SHA1
05be26815247c48722f683b12e7cad76667460d5

SHA256
f332fd40e8aa7a0eb6ba3749035b1529f9750469a6a25950ad3b1165cecb8b31

SHA512
19a160412c12ba77d9b7ad4e6e3499351bc70a6128cf82d65679bd692cf991c64c6e27f5223ec423998ffb25f1799d8c2407b3b1197b8113df6be79f5d06efc5

Download Submit
C:\Windows\{1C3AB15A-017F-4f3e-9261-98B0430EE7C7}.exe

Filesize
408KB

MD5
668162e5c715d68d686916864ccae88d

SHA1
05be26815247c48722f683b12e7cad76667460d5

SHA256
f332fd40e8aa7a0eb6ba3749035b1529f9750469a6a25950ad3b1165cecb8b31

SHA512
19a160412c12ba77d9b7ad4e6e3499351bc70a6128cf82d65679bd692cf991c64c6e27f5223ec423998ffb25f1799d8c2407b3b1197b8113df6be79f5d06efc5

Download Submit
C:\Windows\{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe

Filesize
408KB

MD5
ab6cc33a72b915b848ba8f8270112e81

SHA1
fa293f2b94297e0ea4a893a56a3de7932d7d1ffd

SHA256
9a51a98648c813b988d5bf56b8a0c73162cdc3f785031ba8bbaab6aee371b0c2

SHA512
21ef01f6e93eb6f0697395b329b23b5bc60d25899019a8c39d2ea5784264d748ff495e2b7f7ed1dc54e24b600c77942b3ae23695aa41b2369d005750fc70ceb4

Download Submit
C:\Windows\{1F7C0019-A5C2-4020-9E8C-C3A786B09AC1}.exe

Filesize
408KB

MD5
ab6cc33a72b915b848ba8f8270112e81

SHA1
fa293f2b94297e0ea4a893a56a3de7932d7d1ffd

SHA256
9a51a98648c813b988d5bf56b8a0c73162cdc3f785031ba8bbaab6aee371b0c2

SHA512
21ef01f6e93eb6f0697395b329b23b5bc60d25899019a8c39d2ea5784264d748ff495e2b7f7ed1dc54e24b600c77942b3ae23695aa41b2369d005750fc70ceb4

Download Submit
C:\Windows\{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe

Filesize
408KB

MD5
ed9bb1bbf8ac7504bb7e4d06811922b1

SHA1
cffc6c3a47806cfa4a161a1ebfd7216821f77422

SHA256
8d43c7c21d83c2b6c5c80c66bb712613dcec3e11636632b110e18fdd4e69ea80

SHA512
bc30f755b5afc832ab7c19234f328ee89b89a7b2884ca41d45dcb984d29b55692779418501330f6848658a36b35c88949f8931d036156db012743ff49c9622cc

Download Submit
C:\Windows\{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe

Filesize
408KB

MD5
ed9bb1bbf8ac7504bb7e4d06811922b1

SHA1
cffc6c3a47806cfa4a161a1ebfd7216821f77422

SHA256
8d43c7c21d83c2b6c5c80c66bb712613dcec3e11636632b110e18fdd4e69ea80

SHA512
bc30f755b5afc832ab7c19234f328ee89b89a7b2884ca41d45dcb984d29b55692779418501330f6848658a36b35c88949f8931d036156db012743ff49c9622cc

Download Submit
C:\Windows\{38D0C73B-5C83-4fa1-9AA2-CE9A31E86B6F}.exe

Filesize
408KB

MD5
ed9bb1bbf8ac7504bb7e4d06811922b1

SHA1
cffc6c3a47806cfa4a161a1ebfd7216821f77422

SHA256
8d43c7c21d83c2b6c5c80c66bb712613dcec3e11636632b110e18fdd4e69ea80

SHA512
bc30f755b5afc832ab7c19234f328ee89b89a7b2884ca41d45dcb984d29b55692779418501330f6848658a36b35c88949f8931d036156db012743ff49c9622cc

Download Submit
C:\Windows\{41893055-D935-4c63-89E6-88F64AD0764C}.exe

Filesize
408KB

MD5
aca5532e8a7ea01c38c0309760086f84

SHA1
4f50494b593106ccf7fa11a3381741947de3c917

SHA256
4f1fff23b4ed3fffffcd17a07dd71ae88c99969dd136a9e0c81c79547c24df12

SHA512
95886fa0c9cb837a1c2605f0871a7a93f9d7433fa20c469b0827622dc67eac7fb2c64e8ed8260fa2b261acff981e0cb459876f2ef92011cc95d1f752a0ec6577

Download Submit
C:\Windows\{5A14E7D5-AD32-42fb-A51F-215859BE999A}.exe

Filesize
408KB

MD5
bba37b3d7edd329a4f99317ec575272b

SHA1
86ae3c8ece57ade0ebd5abb246e0843c9d53287e

SHA256
8aa2bf778bef2bc7f269d72dfbb9138f3ecda50fdc55252a6971f5047cb76a4e

SHA512
243f442e125c054d65f818ca2947debcbc0ff3dca472caafc0ad02d25e3d3df39937c4dc4ebead1d3d262a033dd2428d1cf5b7b529fb2b571274ab6a0f72e84a

Download Submit
C:\Windows\{5A14E7D5-AD32-42fb-A51F-215859BE999A}.exe

Filesize
408KB

MD5
bba37b3d7edd329a4f99317ec575272b

SHA1
86ae3c8ece57ade0ebd5abb246e0843c9d53287e

SHA256
8aa2bf778bef2bc7f269d72dfbb9138f3ecda50fdc55252a6971f5047cb76a4e

SHA512
243f442e125c054d65f818ca2947debcbc0ff3dca472caafc0ad02d25e3d3df39937c4dc4ebead1d3d262a033dd2428d1cf5b7b529fb2b571274ab6a0f72e84a

Download Submit
C:\Windows\{82955DA4-B168-486d-9048-3C26B8656AD7}.exe

Filesize
408KB

MD5
d0b6d8d402a1d924e78b0ed4d5c2039a

SHA1
19da0f1ca6231db1b2f52b77fe544f5b233d3ccb

SHA256
d7335c67b05bc0c75e249fe465f5d2a8849e58cdf5428f6a035a6609995f9153

SHA512
a7fa69176f426c45e58d288e9823557fcb475af92bebeedf2258482c6f26da8c76b58224ad234e7f6c8172c0b3d5de2fb7e409d8867520ba01211cecb1039753

Download Submit
C:\Windows\{82955DA4-B168-486d-9048-3C26B8656AD7}.exe

Filesize
408KB

MD5
d0b6d8d402a1d924e78b0ed4d5c2039a

SHA1
19da0f1ca6231db1b2f52b77fe544f5b233d3ccb

SHA256
d7335c67b05bc0c75e249fe465f5d2a8849e58cdf5428f6a035a6609995f9153

SHA512
a7fa69176f426c45e58d288e9823557fcb475af92bebeedf2258482c6f26da8c76b58224ad234e7f6c8172c0b3d5de2fb7e409d8867520ba01211cecb1039753

Download Submit
C:\Windows\{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe

Filesize
408KB

MD5
eefc7ff0b9229bed0bdc93ae90da9f29

SHA1
d14c7ec6e6c70f4451b2ac180ec85c3a075c36e1

SHA256
44a802abe7e6d99950f360f8d8c1ce5d62947e91ca53d43793400433a9bc9e24

SHA512
934a78ab6ba480b4df2efbdfc5977c72f645227f93f2366721d7a0fcb764ab3fbc0dd816902eef614de2beea373cf5b3102b7057e823225a720e4da7e247ac1c

Download Submit
C:\Windows\{88933B32-2C4B-4de5-A39C-0C68D284AE56}.exe

Filesize
408KB

MD5
eefc7ff0b9229bed0bdc93ae90da9f29

SHA1
d14c7ec6e6c70f4451b2ac180ec85c3a075c36e1

SHA256
44a802abe7e6d99950f360f8d8c1ce5d62947e91ca53d43793400433a9bc9e24

SHA512
934a78ab6ba480b4df2efbdfc5977c72f645227f93f2366721d7a0fcb764ab3fbc0dd816902eef614de2beea373cf5b3102b7057e823225a720e4da7e247ac1c

Download Submit
C:\Windows\{936C7A25-41C5-46f3-B7F4-B4ED964A509D}.exe

Filesize
408KB

MD5
36065556c0686de57eaf215abcc71f1f

SHA1
7bc907dbeb6de2af63f19bbd489e072f456bbe97

SHA256
7e1327d520f5f726c60513da9465ee399204034e61ff059f33abce0960c86839

SHA512
b5b37b157cbf8fc473dd7bd8e099093ceae664df86a888bdde76ec91d838418a4461eceeb7b547ed008ea727e9da5dd8c2e204cd768f5e0ab695ba63ab84d1e6

Download Submit
C:\Windows\{936C7A25-41C5-46f3-B7F4-B4ED964A509D}.exe

Filesize
408KB

MD5
36065556c0686de57eaf215abcc71f1f

SHA1
7bc907dbeb6de2af63f19bbd489e072f456bbe97

SHA256
7e1327d520f5f726c60513da9465ee399204034e61ff059f33abce0960c86839

SHA512
b5b37b157cbf8fc473dd7bd8e099093ceae664df86a888bdde76ec91d838418a4461eceeb7b547ed008ea727e9da5dd8c2e204cd768f5e0ab695ba63ab84d1e6

Download Submit
C:\Windows\{97B59451-DCBE-49e4-A67E-D1706D3BA4EF}.exe

Filesize
408KB

MD5
e214778ae43a5912166e1eb0f4b6a131

SHA1
7b98843b61bcd0f64a749a3d1fb91fc82ccc0604

SHA256
11c818ae6194bd967a29100556a9728111876b375b5b9b0704e8cc64b8a52aa9

SHA512
3614900831133980e0c1d4118832b895eece664e8d46cdc57da9c035a1117d12564a43d6eabe4aca13c6ef8d4e63e67133cd815287fd7cf90e876eb774bf5a84

Download Submit
C:\Windows\{97B59451-DCBE-49e4-A67E-D1706D3BA4EF}.exe

Filesize
408KB

MD5
e214778ae43a5912166e1eb0f4b6a131

SHA1
7b98843b61bcd0f64a749a3d1fb91fc82ccc0604

SHA256
11c818ae6194bd967a29100556a9728111876b375b5b9b0704e8cc64b8a52aa9

SHA512
3614900831133980e0c1d4118832b895eece664e8d46cdc57da9c035a1117d12564a43d6eabe4aca13c6ef8d4e63e67133cd815287fd7cf90e876eb774bf5a84

Download Submit
C:\Windows\{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe

Filesize
408KB

MD5
fee2fa5330a003baa2064a92b2af82ae

SHA1
45fd42b25988b80db0b850b1ec1d01c1d7a3f01b

SHA256
5e9002b92b489bdee698a2053f5ed3fdb7d26252b6afe11428f02a39f585f76f

SHA512
857f0749e2b18f5db8e9fe257eee9ecfc05c2a1bead0745e6ddcea5d9eedbc84f5e1744401136a1a3c901555eee21871c95921207102815e4ba7fd6eaf12770e

Download Submit
C:\Windows\{D21E3AA7-B57B-4e49-A3D3-FF727F501A75}.exe

Filesize
408KB

MD5
fee2fa5330a003baa2064a92b2af82ae

SHA1
45fd42b25988b80db0b850b1ec1d01c1d7a3f01b

SHA256
5e9002b92b489bdee698a2053f5ed3fdb7d26252b6afe11428f02a39f585f76f

SHA512
857f0749e2b18f5db8e9fe257eee9ecfc05c2a1bead0745e6ddcea5d9eedbc84f5e1744401136a1a3c901555eee21871c95921207102815e4ba7fd6eaf12770e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads