2d2b7386666cd6b648982997446adc84095cceae45f8de083cd2e53ae272b8e0

Analysis

max time kernel
152s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_686284c34e3bd92d771dcbad30808854_goldeneye_JC.exe
Size

180KB
MD5

686284c34e3bd92d771dcbad30808854
SHA1

f2ff7d8608bb6f77e656fc7c611fe25abbb8c418
SHA256

2d2b7386666cd6b648982997446adc84095cceae45f8de083cd2e53ae272b8e0
SHA512

3926c170a6b477e9fe4df92e760e7a582ee3d39141b91909a2be86bc6109aa611e50a3ab4d9b706767dfc14d3fbfed99a377ab4740ba62c5fd465b1dd9629133
SSDEEP

3072:jEGh0oRlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGfl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{287038DE-94F2-478f-9C5B-BD8549FD1EB0}	{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02426588-17DE-47fe-9A49-EC036242213A}\stubpath = "C:\\Windows\\{02426588-17DE-47fe-9A49-EC036242213A}.exe"	2023-08-26_686284c34e3bd92d771dcbad30808854_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}\stubpath = "C:\\Windows\\{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe"	{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2064FB49-1469-462a-9ED8-D83F0905094B}	{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}\stubpath = "C:\\Windows\\{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe"	{2064FB49-1469-462a-9ED8-D83F0905094B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}	{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}	{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}\stubpath = "C:\\Windows\\{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}.exe"	{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{287038DE-94F2-478f-9C5B-BD8549FD1EB0}\stubpath = "C:\\Windows\\{287038DE-94F2-478f-9C5B-BD8549FD1EB0}.exe"	{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}	{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5207107-20BC-4afb-A892-F0076DFE94F1}\stubpath = "C:\\Windows\\{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe"	{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}	{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02426588-17DE-47fe-9A49-EC036242213A}	2023-08-26_686284c34e3bd92d771dcbad30808854_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}	{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2064FB49-1469-462a-9ED8-D83F0905094B}\stubpath = "C:\\Windows\\{2064FB49-1469-462a-9ED8-D83F0905094B}.exe"	{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}\stubpath = "C:\\Windows\\{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe"	{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}	{02426588-17DE-47fe-9A49-EC036242213A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}\stubpath = "C:\\Windows\\{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe"	{02426588-17DE-47fe-9A49-EC036242213A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}	{2064FB49-1469-462a-9ED8-D83F0905094B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}\stubpath = "C:\\Windows\\{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe"	{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}\stubpath = "C:\\Windows\\{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe"	{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5207107-20BC-4afb-A892-F0076DFE94F1}	{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe

Executes dropped EXE 11 IoCs

pid	Process
4432	{02426588-17DE-47fe-9A49-EC036242213A}.exe
3232	{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe
4696	{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe
4728	{2064FB49-1469-462a-9ED8-D83F0905094B}.exe
4804	{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe
2512	{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe
4484	{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe
652	{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe
1336	{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe
3816	{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}.exe
4608	{287038DE-94F2-478f-9C5B-BD8549FD1EB0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe	{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe
File created	C:\Windows\{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe	{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe
File created	C:\Windows\{287038DE-94F2-478f-9C5B-BD8549FD1EB0}.exe	{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}.exe
File created	C:\Windows\{02426588-17DE-47fe-9A49-EC036242213A}.exe	2023-08-26_686284c34e3bd92d771dcbad30808854_goldeneye_JC.exe
File created	C:\Windows\{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe	{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe
File created	C:\Windows\{2064FB49-1469-462a-9ED8-D83F0905094B}.exe	{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe
File created	C:\Windows\{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe	{2064FB49-1469-462a-9ED8-D83F0905094B}.exe
File created	C:\Windows\{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe	{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe
File created	C:\Windows\{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}.exe	{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe
File created	C:\Windows\{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe	{02426588-17DE-47fe-9A49-EC036242213A}.exe
File created	C:\Windows\{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe	{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	412	2023-08-26_686284c34e3bd92d771dcbad30808854_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	4432	{02426588-17DE-47fe-9A49-EC036242213A}.exe
Token: SeIncBasePriorityPrivilege	3232	{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe
Token: SeIncBasePriorityPrivilege	4696	{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe
Token: SeIncBasePriorityPrivilege	4728	{2064FB49-1469-462a-9ED8-D83F0905094B}.exe
Token: SeIncBasePriorityPrivilege	4804	{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe
Token: SeIncBasePriorityPrivilege	2512	{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe
Token: SeIncBasePriorityPrivilege	4484	{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe
Token: SeIncBasePriorityPrivilege	652	{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe
Token: SeIncBasePriorityPrivilege	1336	{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe
Token: SeIncBasePriorityPrivilege	3816	{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 4432	412	2023-08-26_686284c34e3bd92d771dcbad30808854_goldeneye_JC.exe	87
PID 412 wrote to memory of 4432	412	2023-08-26_686284c34e3bd92d771dcbad30808854_goldeneye_JC.exe	87
PID 412 wrote to memory of 4432	412	2023-08-26_686284c34e3bd92d771dcbad30808854_goldeneye_JC.exe	87
PID 412 wrote to memory of 3708	412	2023-08-26_686284c34e3bd92d771dcbad30808854_goldeneye_JC.exe	88
PID 412 wrote to memory of 3708	412	2023-08-26_686284c34e3bd92d771dcbad30808854_goldeneye_JC.exe	88
PID 412 wrote to memory of 3708	412	2023-08-26_686284c34e3bd92d771dcbad30808854_goldeneye_JC.exe	88
PID 4432 wrote to memory of 3232	4432	{02426588-17DE-47fe-9A49-EC036242213A}.exe	91
PID 4432 wrote to memory of 3232	4432	{02426588-17DE-47fe-9A49-EC036242213A}.exe	91
PID 4432 wrote to memory of 3232	4432	{02426588-17DE-47fe-9A49-EC036242213A}.exe	91
PID 4432 wrote to memory of 3472	4432	{02426588-17DE-47fe-9A49-EC036242213A}.exe	92
PID 4432 wrote to memory of 3472	4432	{02426588-17DE-47fe-9A49-EC036242213A}.exe	92
PID 4432 wrote to memory of 3472	4432	{02426588-17DE-47fe-9A49-EC036242213A}.exe	92
PID 3232 wrote to memory of 4696	3232	{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe	97
PID 3232 wrote to memory of 4696	3232	{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe	97
PID 3232 wrote to memory of 4696	3232	{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe	97
PID 3232 wrote to memory of 4452	3232	{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe	96
PID 3232 wrote to memory of 4452	3232	{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe	96
PID 3232 wrote to memory of 4452	3232	{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe	96
PID 4696 wrote to memory of 4728	4696	{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe	100
PID 4696 wrote to memory of 4728	4696	{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe	100
PID 4696 wrote to memory of 4728	4696	{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe	100
PID 4696 wrote to memory of 4720	4696	{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe	101
PID 4696 wrote to memory of 4720	4696	{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe	101
PID 4696 wrote to memory of 4720	4696	{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe	101
PID 4728 wrote to memory of 4804	4728	{2064FB49-1469-462a-9ED8-D83F0905094B}.exe	106
PID 4728 wrote to memory of 4804	4728	{2064FB49-1469-462a-9ED8-D83F0905094B}.exe	106
PID 4728 wrote to memory of 4804	4728	{2064FB49-1469-462a-9ED8-D83F0905094B}.exe	106
PID 4728 wrote to memory of 3264	4728	{2064FB49-1469-462a-9ED8-D83F0905094B}.exe	108
PID 4728 wrote to memory of 3264	4728	{2064FB49-1469-462a-9ED8-D83F0905094B}.exe	108
PID 4728 wrote to memory of 3264	4728	{2064FB49-1469-462a-9ED8-D83F0905094B}.exe	108
PID 4804 wrote to memory of 2512	4804	{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe	109
PID 4804 wrote to memory of 2512	4804	{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe	109
PID 4804 wrote to memory of 2512	4804	{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe	109
PID 4804 wrote to memory of 4204	4804	{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe	110
PID 4804 wrote to memory of 4204	4804	{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe	110
PID 4804 wrote to memory of 4204	4804	{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe	110
PID 2512 wrote to memory of 4484	2512	{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe	112
PID 2512 wrote to memory of 4484	2512	{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe	112
PID 2512 wrote to memory of 4484	2512	{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe	112
PID 2512 wrote to memory of 736	2512	{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe	113
PID 2512 wrote to memory of 736	2512	{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe	113
PID 2512 wrote to memory of 736	2512	{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe	113
PID 4484 wrote to memory of 652	4484	{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe	114
PID 4484 wrote to memory of 652	4484	{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe	114
PID 4484 wrote to memory of 652	4484	{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe	114
PID 4484 wrote to memory of 2900	4484	{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe	115
PID 4484 wrote to memory of 2900	4484	{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe	115
PID 4484 wrote to memory of 2900	4484	{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe	115
PID 652 wrote to memory of 1336	652	{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe	116
PID 652 wrote to memory of 1336	652	{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe	116
PID 652 wrote to memory of 1336	652	{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe	116
PID 652 wrote to memory of 4704	652	{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe	117
PID 652 wrote to memory of 4704	652	{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe	117
PID 652 wrote to memory of 4704	652	{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe	117
PID 1336 wrote to memory of 3816	1336	{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe	118
PID 1336 wrote to memory of 3816	1336	{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe	118
PID 1336 wrote to memory of 3816	1336	{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe	118
PID 1336 wrote to memory of 3832	1336	{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe	119
PID 1336 wrote to memory of 3832	1336	{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe	119
PID 1336 wrote to memory of 3832	1336	{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe	119
PID 3816 wrote to memory of 4608	3816	{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}.exe	122
PID 3816 wrote to memory of 4608	3816	{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}.exe	122
PID 3816 wrote to memory of 4608	3816	{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}.exe	122
PID 3816 wrote to memory of 3384	3816	{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}.exe	123

C:\Users\Admin\AppData\Local\Temp\2023-08-26_686284c34e3bd92d771dcbad30808854_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_686284c34e3bd92d771dcbad30808854_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\{02426588-17DE-47fe-9A49-EC036242213A}.exe
  C:\Windows\{02426588-17DE-47fe-9A49-EC036242213A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe
    C:\Windows\{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{15DF4~1.EXE > nul
      4⤵
      PID:4452
  - - C:\Windows\{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe
      C:\Windows\{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4696
    - - C:\Windows\{2064FB49-1469-462a-9ED8-D83F0905094B}.exe
        
        C:\Windows\{2064FB49-1469-462a-9ED8-D83F0905094B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
      - C:\Windows\{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe
        
        C:\Windows\{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe
        
        C:\Windows\{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe
        
        C:\Windows\{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe
        
        C:\Windows\{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe
        
        C:\Windows\{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}.exe
        
        C:\Windows\{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\{287038DE-94F2-478f-9C5B-BD8549FD1EB0}.exe
        
        C:\Windows\{287038DE-94F2-478f-9C5B-BD8549FD1EB0}.exe
        12⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58B57~1.EXE > nul
        12⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A889A~1.EXE > nul
        11⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5207~1.EXE > nul
        10⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{627C9~1.EXE > nul
        9⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFCE1~1.EXE > nul
        8⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15EE6~1.EXE > nul
        7⤵
        
        PID:4204
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2064F~1.EXE > nul
        6⤵
        
        PID:3264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E45D~1.EXE > nul
        5⤵
        
        PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{02426~1.EXE > nul
    3⤵
    PID:3472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02426588-17DE-47fe-9A49-EC036242213A}.exe

Filesize
180KB

MD5
81779261ba90a1349ea7717fc682ad66

SHA1
4c83f1701d94939d3f9d6dd2bea7085baff25708

SHA256
1e7057b45ae1fa4a42d7fdf555a4442c8584b796e222e56a9f09fcf7a6f49d3b

SHA512
9f00d2a7b01df19657a8c7908033de1986839c5dc3a3502633f2fd56473355c9916f97adf70b6e615f82e7ed2e00d67ae3789c02899226d4aa587dad8ba8e254

Download Submit
C:\Windows\{02426588-17DE-47fe-9A49-EC036242213A}.exe

Filesize
180KB

MD5
81779261ba90a1349ea7717fc682ad66

SHA1
4c83f1701d94939d3f9d6dd2bea7085baff25708

SHA256
1e7057b45ae1fa4a42d7fdf555a4442c8584b796e222e56a9f09fcf7a6f49d3b

SHA512
9f00d2a7b01df19657a8c7908033de1986839c5dc3a3502633f2fd56473355c9916f97adf70b6e615f82e7ed2e00d67ae3789c02899226d4aa587dad8ba8e254

Download Submit
C:\Windows\{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe

Filesize
180KB

MD5
dadc4d9d730567a7d2a6fc57db78d6da

SHA1
cbbb1066bbf0ddf2440352e681efcef256b76f8a

SHA256
a974e0c13728616756aea134779b03f942c924ad1348703be123ce89d38325f1

SHA512
62a15310ebdf8116ad24cfd490b24f9f801d261d3ef03256acf629e33a49b9094875234015a967b59057301e112d27e7d632d30d206a6f5091bd47d1442b195d

Download Submit
C:\Windows\{15DF498F-22AD-4728-88F2-7C7EDCE49EC7}.exe

Filesize
180KB

MD5
dadc4d9d730567a7d2a6fc57db78d6da

SHA1
cbbb1066bbf0ddf2440352e681efcef256b76f8a

SHA256
a974e0c13728616756aea134779b03f942c924ad1348703be123ce89d38325f1

SHA512
62a15310ebdf8116ad24cfd490b24f9f801d261d3ef03256acf629e33a49b9094875234015a967b59057301e112d27e7d632d30d206a6f5091bd47d1442b195d

Download Submit
C:\Windows\{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe

Filesize
180KB

MD5
817b6c4f542431caeb1ca5716e4762f6

SHA1
53c2c58f6a79cefa95ea08061306325d2beeca68

SHA256
f1cfa9e82b88cb29ebe5219ff8f88e86f1bac5e5445b76a05b014dfdf58ae716

SHA512
7855e23bb650ce44d9646706110d46eb20dd702ddab2e08b2b931d2cffebd0e7b04f25ba58403e47d4b3992a6e6cbe527f58537d9d959fddecbb2372835d0fdf

Download Submit
C:\Windows\{15EE6D1B-71EF-4d6e-AF53-A4EB2A202B0D}.exe

Filesize
180KB

MD5
817b6c4f542431caeb1ca5716e4762f6

SHA1
53c2c58f6a79cefa95ea08061306325d2beeca68

SHA256
f1cfa9e82b88cb29ebe5219ff8f88e86f1bac5e5445b76a05b014dfdf58ae716

SHA512
7855e23bb650ce44d9646706110d46eb20dd702ddab2e08b2b931d2cffebd0e7b04f25ba58403e47d4b3992a6e6cbe527f58537d9d959fddecbb2372835d0fdf

Download Submit
C:\Windows\{2064FB49-1469-462a-9ED8-D83F0905094B}.exe

Filesize
180KB

MD5
3394e44ead5df275921d870b6caea727

SHA1
4fd911c3d4b71654dff5b987a635f5fffa4b1db8

SHA256
717b2f1cd32d40f8ba06f24c54571899175d463b384ee7e4dc1a7a736969c007

SHA512
5c601c5744008873313f8b71a14d5f1a835aa775134929b19e53dea34632c21d5616e845d4abc53e5ada69bcd2b1c83ca27f0aba911d5ed0cdf48f00ba883b52

Download Submit
C:\Windows\{2064FB49-1469-462a-9ED8-D83F0905094B}.exe

Filesize
180KB

MD5
3394e44ead5df275921d870b6caea727

SHA1
4fd911c3d4b71654dff5b987a635f5fffa4b1db8

SHA256
717b2f1cd32d40f8ba06f24c54571899175d463b384ee7e4dc1a7a736969c007

SHA512
5c601c5744008873313f8b71a14d5f1a835aa775134929b19e53dea34632c21d5616e845d4abc53e5ada69bcd2b1c83ca27f0aba911d5ed0cdf48f00ba883b52

Download Submit
C:\Windows\{287038DE-94F2-478f-9C5B-BD8549FD1EB0}.exe

Filesize
180KB

MD5
5ec98228044927cb9b50c10a1e55330d

SHA1
25a159b2a669204548476fe1c1a3b39122be879e

SHA256
62be4f18fec08e9823d53629e6af3fbf6b4d2cdeb655da931b7582e2bdd45ebc

SHA512
74818d88bd6694a0384d56be940bb233f6dcdbca321543df9941518a1c11c133e29a84c7563ae7aa2e14c17834dabe10e34733508737d319e3468af318990eaa

Download Submit
C:\Windows\{287038DE-94F2-478f-9C5B-BD8549FD1EB0}.exe

Filesize
180KB

MD5
5ec98228044927cb9b50c10a1e55330d

SHA1
25a159b2a669204548476fe1c1a3b39122be879e

SHA256
62be4f18fec08e9823d53629e6af3fbf6b4d2cdeb655da931b7582e2bdd45ebc

SHA512
74818d88bd6694a0384d56be940bb233f6dcdbca321543df9941518a1c11c133e29a84c7563ae7aa2e14c17834dabe10e34733508737d319e3468af318990eaa

Download Submit
C:\Windows\{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}.exe

Filesize
180KB

MD5
75e177f39185f83c0be220483799e87b

SHA1
33f964fbb4518cde421753855e91ef8056c68568

SHA256
2df24beed5b52aca7596a0fbdb33fd433509aa0fd05a6953f56767eac569bdaf

SHA512
0281d6dae8abc3ba19636926eff725a5fd4da9cd1dca52de69060011688de76e48e9c232d7bcb782826a687e17fb354524345648743cfd53f41d0074c8ea045b

Download Submit
C:\Windows\{58B57104-F39F-4e1a-BC15-06CBC1F89FBB}.exe

Filesize
180KB

MD5
75e177f39185f83c0be220483799e87b

SHA1
33f964fbb4518cde421753855e91ef8056c68568

SHA256
2df24beed5b52aca7596a0fbdb33fd433509aa0fd05a6953f56767eac569bdaf

SHA512
0281d6dae8abc3ba19636926eff725a5fd4da9cd1dca52de69060011688de76e48e9c232d7bcb782826a687e17fb354524345648743cfd53f41d0074c8ea045b

Download Submit
C:\Windows\{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe

Filesize
180KB

MD5
acadc057afd0863c91e3e35c351dafda

SHA1
f2cbca3a82ef2bf22100e34c5a3d5db1abc28dfa

SHA256
ecddb4441dbe5e8f5ad9b4daaeb02d7bcf093216b4572d40f8719f82dcd0407b

SHA512
77bc771add5363f94bbc68d51bd82312116bbbe6f913f922b209b10c1309f71c19eda791798d5ef246105b4b58391a9dda6b7763f4f073509235031893936866

Download Submit
C:\Windows\{627C9F9A-9431-4cc0-BD89-91A4D7056F7C}.exe

Filesize
180KB

MD5
acadc057afd0863c91e3e35c351dafda

SHA1
f2cbca3a82ef2bf22100e34c5a3d5db1abc28dfa

SHA256
ecddb4441dbe5e8f5ad9b4daaeb02d7bcf093216b4572d40f8719f82dcd0407b

SHA512
77bc771add5363f94bbc68d51bd82312116bbbe6f913f922b209b10c1309f71c19eda791798d5ef246105b4b58391a9dda6b7763f4f073509235031893936866

Download Submit
C:\Windows\{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe

Filesize
180KB

MD5
f34252ed648c08c4a275ae10613569e7

SHA1
b368b3215ae29521c2399f5956b47c1214f286af

SHA256
6e3505c8536f40b017b9c26b8d8fb19faf3a18684aab649511f683eb4e52cbeb

SHA512
7036e7a797a205a8b57ef9d0ef0015b58b2278ee7fb9462f38b2c6c47b171c2280b0035e66dc73f626a411433d6ac839e5cb7344f5b792cd9178ba0f2d84ab1a

Download Submit
C:\Windows\{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe

Filesize
180KB

MD5
f34252ed648c08c4a275ae10613569e7

SHA1
b368b3215ae29521c2399f5956b47c1214f286af

SHA256
6e3505c8536f40b017b9c26b8d8fb19faf3a18684aab649511f683eb4e52cbeb

SHA512
7036e7a797a205a8b57ef9d0ef0015b58b2278ee7fb9462f38b2c6c47b171c2280b0035e66dc73f626a411433d6ac839e5cb7344f5b792cd9178ba0f2d84ab1a

Download Submit
C:\Windows\{7E45DA36-DAF2-4724-A93D-969B57CA1E0E}.exe

Filesize
180KB

MD5
f34252ed648c08c4a275ae10613569e7

SHA1
b368b3215ae29521c2399f5956b47c1214f286af

SHA256
6e3505c8536f40b017b9c26b8d8fb19faf3a18684aab649511f683eb4e52cbeb

SHA512
7036e7a797a205a8b57ef9d0ef0015b58b2278ee7fb9462f38b2c6c47b171c2280b0035e66dc73f626a411433d6ac839e5cb7344f5b792cd9178ba0f2d84ab1a

Download Submit
C:\Windows\{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe

Filesize
180KB

MD5
82e0bc7c24e2a78c02c4cd38d4306bba

SHA1
694bfe257d692f3911c2bf35db7a7762c26ba833

SHA256
60047a51ce775a87844446b89938154fb7e374b13914c4103497dddf17a4a082

SHA512
a16d965475ed17b68246550fbd01553bc6e9f1ea14b67b607348a98b2d927f0b90ad5ebfbbf56bbcd1c0c171c6690fb48798d4bb60c2ac95858cfbed497a4d3b

Download Submit
C:\Windows\{A889A8DF-EE18-43c9-ADAF-D50BA989A4E0}.exe

Filesize
180KB

MD5
82e0bc7c24e2a78c02c4cd38d4306bba

SHA1
694bfe257d692f3911c2bf35db7a7762c26ba833

SHA256
60047a51ce775a87844446b89938154fb7e374b13914c4103497dddf17a4a082

SHA512
a16d965475ed17b68246550fbd01553bc6e9f1ea14b67b607348a98b2d927f0b90ad5ebfbbf56bbcd1c0c171c6690fb48798d4bb60c2ac95858cfbed497a4d3b

Download Submit
C:\Windows\{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe

Filesize
180KB

MD5
11a748012a36dcdfc71327ed6983aefd

SHA1
63612da440b378bc96361e905578bfd66e6c2ca3

SHA256
f6fde3c617cde345114d396723c5076034c012651712a7adead94bc9717e7575

SHA512
2a062986957c50bb0933a99f6a7ed75b976ad96ef43c8fb76da22bb0d822fadf36dd5905f7ea8c75290aea8ce4b7b6d54f16837116d075d3ea24e760f8d62cf8

Download Submit
C:\Windows\{B5207107-20BC-4afb-A892-F0076DFE94F1}.exe

Filesize
180KB

MD5
11a748012a36dcdfc71327ed6983aefd

SHA1
63612da440b378bc96361e905578bfd66e6c2ca3

SHA256
f6fde3c617cde345114d396723c5076034c012651712a7adead94bc9717e7575

SHA512
2a062986957c50bb0933a99f6a7ed75b976ad96ef43c8fb76da22bb0d822fadf36dd5905f7ea8c75290aea8ce4b7b6d54f16837116d075d3ea24e760f8d62cf8

Download Submit
C:\Windows\{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe

Filesize
180KB

MD5
4e3ba382307e37e96bbae57e38d2aad8

SHA1
27990b32cde6be956a52644b4713d145b5891e0d

SHA256
74c46d562d4b0776c921e6a4e23857078662ca313d0cbcd61b5dd9e97c2d2629

SHA512
6427350972d9d25dbe75bbbf3d644f95f709afc43decdd32ac64d8a303f5d62d464bd5b0a47ec2fb79f8a8526a0515be1971772c73688e72678573777213522a

Download Submit
C:\Windows\{EFCE16BF-3C6A-4cde-BF88-FFFAC42BD2E3}.exe

Filesize
180KB

MD5
4e3ba382307e37e96bbae57e38d2aad8

SHA1
27990b32cde6be956a52644b4713d145b5891e0d

SHA256
74c46d562d4b0776c921e6a4e23857078662ca313d0cbcd61b5dd9e97c2d2629

SHA512
6427350972d9d25dbe75bbbf3d644f95f709afc43decdd32ac64d8a303f5d62d464bd5b0a47ec2fb79f8a8526a0515be1971772c73688e72678573777213522a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads