be58fd51ce1f682bc52eb7bd58a4a699212da8aa83687c149474f24b158ea303

Analysis

max time kernel
175s
max time network
132s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe
Size

380KB
MD5

c109bdf99dc6f488ddc1bf66f50c10d2
SHA1

33c61ceee8cb2157fa972f73ca1209952fbe9ea5
SHA256

be58fd51ce1f682bc52eb7bd58a4a699212da8aa83687c149474f24b158ea303
SHA512

1e8a151aea97905913cfc993c2d583b67083e95b995e28606b4f7d37e42a5ecae80f0ce8942aa43e059f0b5b54a29380b057ad64b4162fd909b719b2a491c519
SSDEEP

3072:mEGh0owlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGil7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}	{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}\stubpath = "C:\\Windows\\{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe"	{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCD9754D-1BCC-4612-959C-8DBF180034B6}	{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D84D83D-8CDB-448b-AE7C-FE7DE619AFCF}	{CCD9754D-1BCC-4612-959C-8DBF180034B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD9AD33E-706D-4c68-8654-B46FD2DFE9DE}	{9D84D83D-8CDB-448b-AE7C-FE7DE619AFCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D4E1ADB-28D1-4b2e-8368-AA88DB31C866}\stubpath = "C:\\Windows\\{9D4E1ADB-28D1-4b2e-8368-AA88DB31C866}.exe"	{F8E9F1D6-FDB1-48eb-8065-C49322D8D3F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18C3AFFB-B4BE-4cd5-8790-53901728AB59}	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}	{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D84D83D-8CDB-448b-AE7C-FE7DE619AFCF}\stubpath = "C:\\Windows\\{9D84D83D-8CDB-448b-AE7C-FE7DE619AFCF}.exe"	{CCD9754D-1BCC-4612-959C-8DBF180034B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8E9F1D6-FDB1-48eb-8065-C49322D8D3F2}	{FD9AD33E-706D-4c68-8654-B46FD2DFE9DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8E9F1D6-FDB1-48eb-8065-C49322D8D3F2}\stubpath = "C:\\Windows\\{F8E9F1D6-FDB1-48eb-8065-C49322D8D3F2}.exe"	{FD9AD33E-706D-4c68-8654-B46FD2DFE9DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D4E1ADB-28D1-4b2e-8368-AA88DB31C866}	{F8E9F1D6-FDB1-48eb-8065-C49322D8D3F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18C3AFFB-B4BE-4cd5-8790-53901728AB59}\stubpath = "C:\\Windows\\{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe"	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49AC4506-C953-4c57-BE16-9BFD7D539FAC}\stubpath = "C:\\Windows\\{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe"	{AB02AF95-7994-4809-98FC-83F17528B985}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A5AAF09-2999-4914-BB41-6A58735E395D}	{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A5AAF09-2999-4914-BB41-6A58735E395D}\stubpath = "C:\\Windows\\{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe"	{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0C4C6FD-785A-4c71-A404-E0DDE540487C}	{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0C4C6FD-785A-4c71-A404-E0DDE540487C}\stubpath = "C:\\Windows\\{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe"	{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB02AF95-7994-4809-98FC-83F17528B985}	{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB02AF95-7994-4809-98FC-83F17528B985}\stubpath = "C:\\Windows\\{AB02AF95-7994-4809-98FC-83F17528B985}.exe"	{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49AC4506-C953-4c57-BE16-9BFD7D539FAC}	{AB02AF95-7994-4809-98FC-83F17528B985}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}\stubpath = "C:\\Windows\\{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe"	{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCD9754D-1BCC-4612-959C-8DBF180034B6}\stubpath = "C:\\Windows\\{CCD9754D-1BCC-4612-959C-8DBF180034B6}.exe"	{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD9AD33E-706D-4c68-8654-B46FD2DFE9DE}\stubpath = "C:\\Windows\\{FD9AD33E-706D-4c68-8654-B46FD2DFE9DE}.exe"	{9D84D83D-8CDB-448b-AE7C-FE7DE619AFCF}.exe

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2732	{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe
2668	{AB02AF95-7994-4809-98FC-83F17528B985}.exe
2788	{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe
2500	{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe
2628	{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe
2480	{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe
2956	{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe
2960	{CCD9754D-1BCC-4612-959C-8DBF180034B6}.exe
1228	{9D84D83D-8CDB-448b-AE7C-FE7DE619AFCF}.exe
296	{FD9AD33E-706D-4c68-8654-B46FD2DFE9DE}.exe
2764	{F8E9F1D6-FDB1-48eb-8065-C49322D8D3F2}.exe
2868	{9D4E1ADB-28D1-4b2e-8368-AA88DB31C866}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe
File created	C:\Windows\{AB02AF95-7994-4809-98FC-83F17528B985}.exe	{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe
File created	C:\Windows\{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe	{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe
File created	C:\Windows\{FD9AD33E-706D-4c68-8654-B46FD2DFE9DE}.exe	{9D84D83D-8CDB-448b-AE7C-FE7DE619AFCF}.exe
File created	C:\Windows\{9D84D83D-8CDB-448b-AE7C-FE7DE619AFCF}.exe	{CCD9754D-1BCC-4612-959C-8DBF180034B6}.exe
File created	C:\Windows\{F8E9F1D6-FDB1-48eb-8065-C49322D8D3F2}.exe	{FD9AD33E-706D-4c68-8654-B46FD2DFE9DE}.exe
File created	C:\Windows\{9D4E1ADB-28D1-4b2e-8368-AA88DB31C866}.exe	{F8E9F1D6-FDB1-48eb-8065-C49322D8D3F2}.exe
File created	C:\Windows\{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe	{AB02AF95-7994-4809-98FC-83F17528B985}.exe
File created	C:\Windows\{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe	{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe
File created	C:\Windows\{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe	{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe
File created	C:\Windows\{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe	{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe
File created	C:\Windows\{CCD9754D-1BCC-4612-959C-8DBF180034B6}.exe	{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2140	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2732	{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe
Token: SeIncBasePriorityPrivilege	2668	{AB02AF95-7994-4809-98FC-83F17528B985}.exe
Token: SeIncBasePriorityPrivilege	2788	{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe
Token: SeIncBasePriorityPrivilege	2500	{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe
Token: SeIncBasePriorityPrivilege	2628	{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe
Token: SeIncBasePriorityPrivilege	2480	{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe
Token: SeIncBasePriorityPrivilege	2956	{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe
Token: SeIncBasePriorityPrivilege	2960	{CCD9754D-1BCC-4612-959C-8DBF180034B6}.exe
Token: SeIncBasePriorityPrivilege	1228	{9D84D83D-8CDB-448b-AE7C-FE7DE619AFCF}.exe
Token: SeIncBasePriorityPrivilege	296	{FD9AD33E-706D-4c68-8654-B46FD2DFE9DE}.exe
Token: SeIncBasePriorityPrivilege	2764	{F8E9F1D6-FDB1-48eb-8065-C49322D8D3F2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2732	2140	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe	30
PID 2140 wrote to memory of 2732	2140	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe	30
PID 2140 wrote to memory of 2732	2140	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe	30
PID 2140 wrote to memory of 2732	2140	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe	30
PID 2140 wrote to memory of 2632	2140	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe	31
PID 2140 wrote to memory of 2632	2140	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe	31
PID 2140 wrote to memory of 2632	2140	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe	31
PID 2140 wrote to memory of 2632	2140	2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe	31
PID 2732 wrote to memory of 2668	2732	{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe	32
PID 2732 wrote to memory of 2668	2732	{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe	32
PID 2732 wrote to memory of 2668	2732	{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe	32
PID 2732 wrote to memory of 2668	2732	{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe	32
PID 2732 wrote to memory of 2528	2732	{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe	33
PID 2732 wrote to memory of 2528	2732	{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe	33
PID 2732 wrote to memory of 2528	2732	{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe	33
PID 2732 wrote to memory of 2528	2732	{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe	33
PID 2668 wrote to memory of 2788	2668	{AB02AF95-7994-4809-98FC-83F17528B985}.exe	34
PID 2668 wrote to memory of 2788	2668	{AB02AF95-7994-4809-98FC-83F17528B985}.exe	34
PID 2668 wrote to memory of 2788	2668	{AB02AF95-7994-4809-98FC-83F17528B985}.exe	34
PID 2668 wrote to memory of 2788	2668	{AB02AF95-7994-4809-98FC-83F17528B985}.exe	34
PID 2668 wrote to memory of 2672	2668	{AB02AF95-7994-4809-98FC-83F17528B985}.exe	35
PID 2668 wrote to memory of 2672	2668	{AB02AF95-7994-4809-98FC-83F17528B985}.exe	35
PID 2668 wrote to memory of 2672	2668	{AB02AF95-7994-4809-98FC-83F17528B985}.exe	35
PID 2668 wrote to memory of 2672	2668	{AB02AF95-7994-4809-98FC-83F17528B985}.exe	35
PID 2788 wrote to memory of 2500	2788	{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe	36
PID 2788 wrote to memory of 2500	2788	{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe	36
PID 2788 wrote to memory of 2500	2788	{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe	36
PID 2788 wrote to memory of 2500	2788	{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe	36
PID 2788 wrote to memory of 2532	2788	{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe	37
PID 2788 wrote to memory of 2532	2788	{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe	37
PID 2788 wrote to memory of 2532	2788	{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe	37
PID 2788 wrote to memory of 2532	2788	{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe	37
PID 2500 wrote to memory of 2628	2500	{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe	38
PID 2500 wrote to memory of 2628	2500	{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe	38
PID 2500 wrote to memory of 2628	2500	{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe	38
PID 2500 wrote to memory of 2628	2500	{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe	38
PID 2500 wrote to memory of 2292	2500	{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe	39
PID 2500 wrote to memory of 2292	2500	{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe	39
PID 2500 wrote to memory of 2292	2500	{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe	39
PID 2500 wrote to memory of 2292	2500	{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe	39
PID 2628 wrote to memory of 2480	2628	{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe	40
PID 2628 wrote to memory of 2480	2628	{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe	40
PID 2628 wrote to memory of 2480	2628	{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe	40
PID 2628 wrote to memory of 2480	2628	{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe	40
PID 2628 wrote to memory of 2884	2628	{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe	41
PID 2628 wrote to memory of 2884	2628	{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe	41
PID 2628 wrote to memory of 2884	2628	{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe	41
PID 2628 wrote to memory of 2884	2628	{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe	41
PID 2480 wrote to memory of 2956	2480	{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe	42
PID 2480 wrote to memory of 2956	2480	{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe	42
PID 2480 wrote to memory of 2956	2480	{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe	42
PID 2480 wrote to memory of 2956	2480	{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe	42
PID 2480 wrote to memory of 2912	2480	{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe	43
PID 2480 wrote to memory of 2912	2480	{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe	43
PID 2480 wrote to memory of 2912	2480	{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe	43
PID 2480 wrote to memory of 2912	2480	{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe	43
PID 2956 wrote to memory of 2960	2956	{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe	45
PID 2956 wrote to memory of 2960	2956	{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe	45
PID 2956 wrote to memory of 2960	2956	{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe	45
PID 2956 wrote to memory of 2960	2956	{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe	45
PID 2956 wrote to memory of 2876	2956	{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe	44
PID 2956 wrote to memory of 2876	2956	{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe	44
PID 2956 wrote to memory of 2876	2956	{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe	44
PID 2956 wrote to memory of 2876	2956	{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe	44

C:\Users\Admin\AppData\Local\Temp\2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_c109bdf99dc6f488ddc1bf66f50c10d2_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe
  C:\Windows\{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\{AB02AF95-7994-4809-98FC-83F17528B985}.exe
    C:\Windows\{AB02AF95-7994-4809-98FC-83F17528B985}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe
      C:\Windows\{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe
        
        C:\Windows\{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe
        
        C:\Windows\{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe
        
        C:\Windows\{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe
        
        C:\Windows\{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{764DD~1.EXE > nul
        9⤵
        
        PID:2876
        
        C:\Windows\{CCD9754D-1BCC-4612-959C-8DBF180034B6}.exe
        
        C:\Windows\{CCD9754D-1BCC-4612-959C-8DBF180034B6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCD97~1.EXE > nul
        10⤵
        
        PID:2008
        
        C:\Windows\{9D84D83D-8CDB-448b-AE7C-FE7DE619AFCF}.exe
        
        C:\Windows\{9D84D83D-8CDB-448b-AE7C-FE7DE619AFCF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D84D~1.EXE > nul
        11⤵
        
        PID:2488
        
        C:\Windows\{FD9AD33E-706D-4c68-8654-B46FD2DFE9DE}.exe
        
        C:\Windows\{FD9AD33E-706D-4c68-8654-B46FD2DFE9DE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD9AD~1.EXE > nul
        12⤵
        
        PID:304
        
        C:\Windows\{F8E9F1D6-FDB1-48eb-8065-C49322D8D3F2}.exe
        
        C:\Windows\{F8E9F1D6-FDB1-48eb-8065-C49322D8D3F2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8E9F~1.EXE > nul
        13⤵
        
        PID:2256
        
        C:\Windows\{9D4E1ADB-28D1-4b2e-8368-AA88DB31C866}.exe
        
        C:\Windows\{9D4E1ADB-28D1-4b2e-8368-AA88DB31C866}.exe
        13⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0C4C~1.EXE > nul
        8⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A5AA~1.EXE > nul
        7⤵
        
        PID:2884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6AF7~1.EXE > nul
        6⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49AC4~1.EXE > nul
        5⤵
        
        PID:2532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AB02A~1.EXE > nul
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{18C3A~1.EXE > nul
    3⤵
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe

Filesize
380KB

MD5
9c9bf1e96cb04c5ec38dd82e8b6d885f

SHA1
24b3f522cfadc5fbd9d410fbe41ebb333a765d8e

SHA256
600dc82b5b346901d64334634fa5671d3ab2897015e479ca7a9e2da3bd7eb330

SHA512
51194c50ea38f4795c7b0b9a72afc46ac01be0070e8c14bbd0ec16eb9826602059b34b95c83cfbf12c1b60eca2ae39e064fa83c8e8f1df6451d3ceee485fc539

Download Submit
C:\Windows\{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe

Filesize
380KB

MD5
9c9bf1e96cb04c5ec38dd82e8b6d885f

SHA1
24b3f522cfadc5fbd9d410fbe41ebb333a765d8e

SHA256
600dc82b5b346901d64334634fa5671d3ab2897015e479ca7a9e2da3bd7eb330

SHA512
51194c50ea38f4795c7b0b9a72afc46ac01be0070e8c14bbd0ec16eb9826602059b34b95c83cfbf12c1b60eca2ae39e064fa83c8e8f1df6451d3ceee485fc539

Download Submit
C:\Windows\{18C3AFFB-B4BE-4cd5-8790-53901728AB59}.exe

Filesize
380KB

MD5
9c9bf1e96cb04c5ec38dd82e8b6d885f

SHA1
24b3f522cfadc5fbd9d410fbe41ebb333a765d8e

SHA256
600dc82b5b346901d64334634fa5671d3ab2897015e479ca7a9e2da3bd7eb330

SHA512
51194c50ea38f4795c7b0b9a72afc46ac01be0070e8c14bbd0ec16eb9826602059b34b95c83cfbf12c1b60eca2ae39e064fa83c8e8f1df6451d3ceee485fc539

Download Submit
C:\Windows\{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe

Filesize
380KB

MD5
2be44768e145624234092380cf5da3e3

SHA1
9aa4079f8b0670df032dbe464c0854eb76c81e0f

SHA256
9a9cb6f4c963bf0916ec3469904c3743239a4f5148242e34b89bde2ac1dd14fe

SHA512
dc2157fa3e14e7070c35ddba6439470b7cf34ab72960f21e07c8f4ab66050d2a7754494d374a3c5097b49e2e407d8fd59c0ae47661dd7c658edf6e4d1ac7bffd

Download Submit
C:\Windows\{49AC4506-C953-4c57-BE16-9BFD7D539FAC}.exe

Filesize
380KB

MD5
2be44768e145624234092380cf5da3e3

SHA1
9aa4079f8b0670df032dbe464c0854eb76c81e0f

SHA256
9a9cb6f4c963bf0916ec3469904c3743239a4f5148242e34b89bde2ac1dd14fe

SHA512
dc2157fa3e14e7070c35ddba6439470b7cf34ab72960f21e07c8f4ab66050d2a7754494d374a3c5097b49e2e407d8fd59c0ae47661dd7c658edf6e4d1ac7bffd

Download Submit
C:\Windows\{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe

Filesize
380KB

MD5
a44120026a1170c3998864063da3ae2c

SHA1
d235c4ccf79e9b218d4dd1ce29bb15ff67158946

SHA256
10970e596297c4a1f672ddaa4f0f12ecacc6e7807aa3c046885b8a86d79d4fc0

SHA512
c1e2c6dfd84dea9490a8330ef187d91fd49267e819c1eb15aa7b81f67d7d6affcd1f61c288c3d5b121217dec8cb565cc988b6da46c2c78b2e9f596d1e0681f1a

Download Submit
C:\Windows\{5A5AAF09-2999-4914-BB41-6A58735E395D}.exe

Filesize
380KB

MD5
a44120026a1170c3998864063da3ae2c

SHA1
d235c4ccf79e9b218d4dd1ce29bb15ff67158946

SHA256
10970e596297c4a1f672ddaa4f0f12ecacc6e7807aa3c046885b8a86d79d4fc0

SHA512
c1e2c6dfd84dea9490a8330ef187d91fd49267e819c1eb15aa7b81f67d7d6affcd1f61c288c3d5b121217dec8cb565cc988b6da46c2c78b2e9f596d1e0681f1a

Download Submit
C:\Windows\{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe

Filesize
380KB

MD5
1df8c9d32d1063bddc092a3c7d0dd271

SHA1
acacc9008fe3410166d00c73f6b17096d965a657

SHA256
bd17590ee970589b6ee876df92b381906e6139275bbef5f900774719c6ed61ce

SHA512
0775a59ae23539766459fb8a5c5fd750656948e1195ac2836c9f1e8460e55ac9fd679eb5f1de5f4f1564aedb955e908ebcc67d5d2e56a8d184ab47a876305387

Download Submit
C:\Windows\{764DDF20-5771-4899-A0CD-CEE8B41B1A5F}.exe

Filesize
380KB

MD5
1df8c9d32d1063bddc092a3c7d0dd271

SHA1
acacc9008fe3410166d00c73f6b17096d965a657

SHA256
bd17590ee970589b6ee876df92b381906e6139275bbef5f900774719c6ed61ce

SHA512
0775a59ae23539766459fb8a5c5fd750656948e1195ac2836c9f1e8460e55ac9fd679eb5f1de5f4f1564aedb955e908ebcc67d5d2e56a8d184ab47a876305387

Download Submit
C:\Windows\{9D4E1ADB-28D1-4b2e-8368-AA88DB31C866}.exe

Filesize
380KB

MD5
675a161afa7be7083a79ed60360dbb88

SHA1
fc66801880e89f33e3fc2038b657256887622599

SHA256
2d5476f75dcb3b5d514360ca47d1e1b83bb91a89bf99d553a949ad1af714f0ea

SHA512
c117687d8ce1e16a4cc33f712f6ab3939c09f54bd74b6c1e6e9e4d5de5e117afe932e63591495b961791f1be18743876e7e6fba604aea85bba5f8aeb155e5785

Download Submit
C:\Windows\{9D84D83D-8CDB-448b-AE7C-FE7DE619AFCF}.exe

Filesize
380KB

MD5
62e2d2b8a47535178d9ae8094350cf2a

SHA1
9886e44629559f2fb00b55d0400789afd32fb0a5

SHA256
59c8c9ad276a1316fef09c4fd0ee138180e247c57003bacf71ff815aad6100c2

SHA512
6d19ab94a409c6f4058b433cc70ddc510414977a5894b8900f321ecb1bb6d51db1108f377f7a4b0f44e6d1735c9eef39afb87b7c4a9afed9c5ce59112e765c4a

Download Submit
C:\Windows\{9D84D83D-8CDB-448b-AE7C-FE7DE619AFCF}.exe

Filesize
380KB

MD5
62e2d2b8a47535178d9ae8094350cf2a

SHA1
9886e44629559f2fb00b55d0400789afd32fb0a5

SHA256
59c8c9ad276a1316fef09c4fd0ee138180e247c57003bacf71ff815aad6100c2

SHA512
6d19ab94a409c6f4058b433cc70ddc510414977a5894b8900f321ecb1bb6d51db1108f377f7a4b0f44e6d1735c9eef39afb87b7c4a9afed9c5ce59112e765c4a

Download Submit
C:\Windows\{AB02AF95-7994-4809-98FC-83F17528B985}.exe

Filesize
380KB

MD5
a0b0664c0c291a68f9b00737a8f7ea10

SHA1
033cb80479f173a5c0f2132469e5a378062e88ee

SHA256
480345883bf99eddf01aa1c51bc8ad6c2efa94449dcd2ea5d79682d6c079b8fb

SHA512
86fe0d496ed8f848be69a3412fbf623b7737135ae717b542861297b490ba35c5c9b3fa5ad84253b0c24f4960ae5b28d1450d137738954b074d1e4826d84944e0

Download Submit
C:\Windows\{AB02AF95-7994-4809-98FC-83F17528B985}.exe

Filesize
380KB

MD5
a0b0664c0c291a68f9b00737a8f7ea10

SHA1
033cb80479f173a5c0f2132469e5a378062e88ee

SHA256
480345883bf99eddf01aa1c51bc8ad6c2efa94449dcd2ea5d79682d6c079b8fb

SHA512
86fe0d496ed8f848be69a3412fbf623b7737135ae717b542861297b490ba35c5c9b3fa5ad84253b0c24f4960ae5b28d1450d137738954b074d1e4826d84944e0

Download Submit
C:\Windows\{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe

Filesize
380KB

MD5
0d07d7856579e1c4de2cac0bec38d9bf

SHA1
f9f64df76535dfbb965b62a65419fb3d0cb89ed5

SHA256
09252d0c62d9760ab9793715675c0d783e9a7f197e0ab4e36eb751a782f8d0df

SHA512
3c8a1a937b67d162529b787fb1a60573696273f1e497f9d9217c2ef07a20e089f21d95d4fa4cd3b2f45d1084175046a237503348b70dd07a466715c2e56ba2e1

Download Submit
C:\Windows\{B6AF7B1A-4C9B-47dc-B3B7-B409A8376713}.exe

Filesize
380KB

MD5
0d07d7856579e1c4de2cac0bec38d9bf

SHA1
f9f64df76535dfbb965b62a65419fb3d0cb89ed5

SHA256
09252d0c62d9760ab9793715675c0d783e9a7f197e0ab4e36eb751a782f8d0df

SHA512
3c8a1a937b67d162529b787fb1a60573696273f1e497f9d9217c2ef07a20e089f21d95d4fa4cd3b2f45d1084175046a237503348b70dd07a466715c2e56ba2e1

Download Submit
C:\Windows\{CCD9754D-1BCC-4612-959C-8DBF180034B6}.exe

Filesize
380KB

MD5
e541d9d6045b884af0a7947ca9ffcade

SHA1
b362262d1a9ac38d4863ab6c0a752526660eee6c

SHA256
06cf11a8e9ab0ad7cee537c2fce7a87e6409b99d073df70000ddd8ee1fdcb6cb

SHA512
52b945f928ba6da923b718fd867288b1b49aaaf4892c9dd04f2c40627bcc94075ac460902bb3ade93a52d7db290566a0ad0e96dfe284d4ddafafe32a20c5d440

Download Submit
C:\Windows\{CCD9754D-1BCC-4612-959C-8DBF180034B6}.exe

Filesize
380KB

MD5
e541d9d6045b884af0a7947ca9ffcade

SHA1
b362262d1a9ac38d4863ab6c0a752526660eee6c

SHA256
06cf11a8e9ab0ad7cee537c2fce7a87e6409b99d073df70000ddd8ee1fdcb6cb

SHA512
52b945f928ba6da923b718fd867288b1b49aaaf4892c9dd04f2c40627bcc94075ac460902bb3ade93a52d7db290566a0ad0e96dfe284d4ddafafe32a20c5d440

Download Submit
C:\Windows\{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe

Filesize
380KB

MD5
dad67eb829f72019e3278624682e498c

SHA1
864c0eea65e158b51a72876bd70e4164d0e98ba6

SHA256
2d5b8adb6eefd532400ecc26efd08be2c007a6830b28cfc48cd61e8e9ac9dce6

SHA512
144af7296795fa7656b8c1b047cccb2fff369d0f8612e5fda2f49baebaed03803f4f5950a49a19775290af1a48c1c41713a423a2228245d851e011b512c06b32

Download Submit
C:\Windows\{D0C4C6FD-785A-4c71-A404-E0DDE540487C}.exe

Filesize
380KB

MD5
dad67eb829f72019e3278624682e498c

SHA1
864c0eea65e158b51a72876bd70e4164d0e98ba6

SHA256
2d5b8adb6eefd532400ecc26efd08be2c007a6830b28cfc48cd61e8e9ac9dce6

SHA512
144af7296795fa7656b8c1b047cccb2fff369d0f8612e5fda2f49baebaed03803f4f5950a49a19775290af1a48c1c41713a423a2228245d851e011b512c06b32

Download Submit
C:\Windows\{F8E9F1D6-FDB1-48eb-8065-C49322D8D3F2}.exe

Filesize
380KB

MD5
93b5087743ab1d378d839f669a1e5e9b

SHA1
aa598c3521bc2f02b6335db007b19cf518d4add6

SHA256
299ca890f9ba6800447089fb1d3319cc20654c323448dba87963fd118a20611b

SHA512
11b16b503c9ddfce421e02d4ed1ec9e7ee1fa688daf148962755f0a8ab90c53f6e9bbe16fd2ea69c36b5ca9197a78def0dc44e287762eedbe1bb649a00fff635

Download Submit
C:\Windows\{F8E9F1D6-FDB1-48eb-8065-C49322D8D3F2}.exe

Filesize
380KB

MD5
93b5087743ab1d378d839f669a1e5e9b

SHA1
aa598c3521bc2f02b6335db007b19cf518d4add6

SHA256
299ca890f9ba6800447089fb1d3319cc20654c323448dba87963fd118a20611b

SHA512
11b16b503c9ddfce421e02d4ed1ec9e7ee1fa688daf148962755f0a8ab90c53f6e9bbe16fd2ea69c36b5ca9197a78def0dc44e287762eedbe1bb649a00fff635

Download Submit
C:\Windows\{FD9AD33E-706D-4c68-8654-B46FD2DFE9DE}.exe

Filesize
380KB

MD5
2cf088bbec5b9aa5c4220b8be85104b6

SHA1
b737c1be869152a5edfd706929bf08762f40bc81

SHA256
419a01bbb9d4ffb67ba05df73246fec5d056409f45866e3582f3c0398320aebf

SHA512
842a376e84cce23e2f3e46e6daed7d24ea986e8431ce9c5ad280ef9c1f8eeec946ccdd6fc22bb3371f86e7b6d8996b24ebef1ee3517fb06d752d218fb9240e50

Download Submit
C:\Windows\{FD9AD33E-706D-4c68-8654-B46FD2DFE9DE}.exe

Filesize
380KB

MD5
2cf088bbec5b9aa5c4220b8be85104b6

SHA1
b737c1be869152a5edfd706929bf08762f40bc81

SHA256
419a01bbb9d4ffb67ba05df73246fec5d056409f45866e3582f3c0398320aebf

SHA512
842a376e84cce23e2f3e46e6daed7d24ea986e8431ce9c5ad280ef9c1f8eeec946ccdd6fc22bb3371f86e7b6d8996b24ebef1ee3517fb06d752d218fb9240e50

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads