d842f44ee3bd216677452d5b6cf7ea5e474606ab0e078d7da7b81224beb89452

Analysis

max time kernel
151s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe
Size

372KB
MD5

8196297da593e9dfea891011b6ea9938
SHA1

92dfdc15952dc57818c4aa938535acb5213560b6
SHA256

d842f44ee3bd216677452d5b6cf7ea5e474606ab0e078d7da7b81224beb89452
SHA512

327515cebcbb23801befe41368bb5c6221cd2298d91d83db16ee46235d8b28d1daf74de897d2957f4e726a38f604dba182b50f40ca7eb3cc96de663e58a87265
SSDEEP

3072:CEGh0oTlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGZlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3232D981-B461-4f8c-B995-FD3469C91CC7}	{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3232D981-B461-4f8c-B995-FD3469C91CC7}\stubpath = "C:\\Windows\\{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe"	{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA08181C-7F82-4449-83F7-D27D18225F6C}\stubpath = "C:\\Windows\\{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe"	{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}	{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CF8DAD5-117E-4fc1-BAC8-63555E7238EC}	{D97DF714-87DD-4b2b-A9E6-714141ADCDE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CF8DAD5-117E-4fc1-BAC8-63555E7238EC}\stubpath = "C:\\Windows\\{2CF8DAD5-117E-4fc1-BAC8-63555E7238EC}.exe"	{D97DF714-87DD-4b2b-A9E6-714141ADCDE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83448114-B641-4029-A38E-6ACDB5A94422}\stubpath = "C:\\Windows\\{83448114-B641-4029-A38E-6ACDB5A94422}.exe"	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}	{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F09A600-C879-4bab-82F7-8387C1A0D250}\stubpath = "C:\\Windows\\{9F09A600-C879-4bab-82F7-8387C1A0D250}.exe"	{2CF8DAD5-117E-4fc1-BAC8-63555E7238EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83448114-B641-4029-A38E-6ACDB5A94422}	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CAA607F-DE90-4a46-A598-1AEBFC562506}\stubpath = "C:\\Windows\\{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe"	{83448114-B641-4029-A38E-6ACDB5A94422}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{393092BF-016F-4e88-ABC3-18C3AB0D209A}	{9F09A600-C879-4bab-82F7-8387C1A0D250}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CAA607F-DE90-4a46-A598-1AEBFC562506}	{83448114-B641-4029-A38E-6ACDB5A94422}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B40BB1E-F1B6-4881-BC16-6648055F0697}	{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B40BB1E-F1B6-4881-BC16-6648055F0697}\stubpath = "C:\\Windows\\{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe"	{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA08181C-7F82-4449-83F7-D27D18225F6C}	{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}\stubpath = "C:\\Windows\\{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe"	{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}\stubpath = "C:\\Windows\\{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe"	{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D97DF714-87DD-4b2b-A9E6-714141ADCDE8}	{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D97DF714-87DD-4b2b-A9E6-714141ADCDE8}\stubpath = "C:\\Windows\\{D97DF714-87DD-4b2b-A9E6-714141ADCDE8}.exe"	{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F09A600-C879-4bab-82F7-8387C1A0D250}	{2CF8DAD5-117E-4fc1-BAC8-63555E7238EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{393092BF-016F-4e88-ABC3-18C3AB0D209A}\stubpath = "C:\\Windows\\{393092BF-016F-4e88-ABC3-18C3AB0D209A}.exe"	{9F09A600-C879-4bab-82F7-8387C1A0D250}.exe

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2132	{83448114-B641-4029-A38E-6ACDB5A94422}.exe
2744	{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe
1068	{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe
2544	{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe
2540	{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe
2956	{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe
2780	{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe
1268	{D97DF714-87DD-4b2b-A9E6-714141ADCDE8}.exe
1988	{2CF8DAD5-117E-4fc1-BAC8-63555E7238EC}.exe
1700	{9F09A600-C879-4bab-82F7-8387C1A0D250}.exe
816	{393092BF-016F-4e88-ABC3-18C3AB0D209A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2CF8DAD5-117E-4fc1-BAC8-63555E7238EC}.exe	{D97DF714-87DD-4b2b-A9E6-714141ADCDE8}.exe
File created	C:\Windows\{393092BF-016F-4e88-ABC3-18C3AB0D209A}.exe	{9F09A600-C879-4bab-82F7-8387C1A0D250}.exe
File created	C:\Windows\{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe	{83448114-B641-4029-A38E-6ACDB5A94422}.exe
File created	C:\Windows\{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe	{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe
File created	C:\Windows\{D97DF714-87DD-4b2b-A9E6-714141ADCDE8}.exe	{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe
File created	C:\Windows\{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe	{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe
File created	C:\Windows\{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe	{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe
File created	C:\Windows\{9F09A600-C879-4bab-82F7-8387C1A0D250}.exe	{2CF8DAD5-117E-4fc1-BAC8-63555E7238EC}.exe
File created	C:\Windows\{83448114-B641-4029-A38E-6ACDB5A94422}.exe	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe
File created	C:\Windows\{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe	{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe
File created	C:\Windows\{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe	{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2440	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2132	{83448114-B641-4029-A38E-6ACDB5A94422}.exe
Token: SeIncBasePriorityPrivilege	2744	{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe
Token: SeIncBasePriorityPrivilege	1068	{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe
Token: SeIncBasePriorityPrivilege	2544	{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe
Token: SeIncBasePriorityPrivilege	2540	{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe
Token: SeIncBasePriorityPrivilege	2956	{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe
Token: SeIncBasePriorityPrivilege	2780	{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe
Token: SeIncBasePriorityPrivilege	1268	{D97DF714-87DD-4b2b-A9E6-714141ADCDE8}.exe
Token: SeIncBasePriorityPrivilege	1988	{2CF8DAD5-117E-4fc1-BAC8-63555E7238EC}.exe
Token: SeIncBasePriorityPrivilege	1700	{9F09A600-C879-4bab-82F7-8387C1A0D250}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2132	2440	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe	28
PID 2440 wrote to memory of 2132	2440	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe	28
PID 2440 wrote to memory of 2132	2440	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe	28
PID 2440 wrote to memory of 2132	2440	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe	28
PID 2440 wrote to memory of 2636	2440	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe	29
PID 2440 wrote to memory of 2636	2440	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe	29
PID 2440 wrote to memory of 2636	2440	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe	29
PID 2440 wrote to memory of 2636	2440	2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe	29
PID 2132 wrote to memory of 2744	2132	{83448114-B641-4029-A38E-6ACDB5A94422}.exe	30
PID 2132 wrote to memory of 2744	2132	{83448114-B641-4029-A38E-6ACDB5A94422}.exe	30
PID 2132 wrote to memory of 2744	2132	{83448114-B641-4029-A38E-6ACDB5A94422}.exe	30
PID 2132 wrote to memory of 2744	2132	{83448114-B641-4029-A38E-6ACDB5A94422}.exe	30
PID 2132 wrote to memory of 2728	2132	{83448114-B641-4029-A38E-6ACDB5A94422}.exe	31
PID 2132 wrote to memory of 2728	2132	{83448114-B641-4029-A38E-6ACDB5A94422}.exe	31
PID 2132 wrote to memory of 2728	2132	{83448114-B641-4029-A38E-6ACDB5A94422}.exe	31
PID 2132 wrote to memory of 2728	2132	{83448114-B641-4029-A38E-6ACDB5A94422}.exe	31
PID 2744 wrote to memory of 1068	2744	{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe	33
PID 2744 wrote to memory of 1068	2744	{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe	33
PID 2744 wrote to memory of 1068	2744	{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe	33
PID 2744 wrote to memory of 1068	2744	{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe	33
PID 2744 wrote to memory of 2648	2744	{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe	34
PID 2744 wrote to memory of 2648	2744	{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe	34
PID 2744 wrote to memory of 2648	2744	{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe	34
PID 2744 wrote to memory of 2648	2744	{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe	34
PID 1068 wrote to memory of 2544	1068	{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe	36
PID 1068 wrote to memory of 2544	1068	{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe	36
PID 1068 wrote to memory of 2544	1068	{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe	36
PID 1068 wrote to memory of 2544	1068	{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe	36
PID 1068 wrote to memory of 2500	1068	{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe	37
PID 1068 wrote to memory of 2500	1068	{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe	37
PID 1068 wrote to memory of 2500	1068	{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe	37
PID 1068 wrote to memory of 2500	1068	{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe	37
PID 2544 wrote to memory of 2540	2544	{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe	38
PID 2544 wrote to memory of 2540	2544	{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe	38
PID 2544 wrote to memory of 2540	2544	{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe	38
PID 2544 wrote to memory of 2540	2544	{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe	38
PID 2544 wrote to memory of 2404	2544	{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe	39
PID 2544 wrote to memory of 2404	2544	{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe	39
PID 2544 wrote to memory of 2404	2544	{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe	39
PID 2544 wrote to memory of 2404	2544	{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe	39
PID 2540 wrote to memory of 2956	2540	{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe	41
PID 2540 wrote to memory of 2956	2540	{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe	41
PID 2540 wrote to memory of 2956	2540	{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe	41
PID 2540 wrote to memory of 2956	2540	{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe	41
PID 2540 wrote to memory of 2116	2540	{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe	40
PID 2540 wrote to memory of 2116	2540	{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe	40
PID 2540 wrote to memory of 2116	2540	{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe	40
PID 2540 wrote to memory of 2116	2540	{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe	40
PID 2956 wrote to memory of 2780	2956	{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe	43
PID 2956 wrote to memory of 2780	2956	{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe	43
PID 2956 wrote to memory of 2780	2956	{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe	43
PID 2956 wrote to memory of 2780	2956	{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe	43
PID 2956 wrote to memory of 2828	2956	{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe	42
PID 2956 wrote to memory of 2828	2956	{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe	42
PID 2956 wrote to memory of 2828	2956	{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe	42
PID 2956 wrote to memory of 2828	2956	{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe	42
PID 2780 wrote to memory of 1268	2780	{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe	44
PID 2780 wrote to memory of 1268	2780	{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe	44
PID 2780 wrote to memory of 1268	2780	{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe	44
PID 2780 wrote to memory of 1268	2780	{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe	44
PID 2780 wrote to memory of 1708	2780	{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe	45
PID 2780 wrote to memory of 1708	2780	{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe	45
PID 2780 wrote to memory of 1708	2780	{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe	45
PID 2780 wrote to memory of 1708	2780	{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_8196297da593e9dfea891011b6ea9938_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\{83448114-B641-4029-A38E-6ACDB5A94422}.exe
  C:\Windows\{83448114-B641-4029-A38E-6ACDB5A94422}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe
    C:\Windows\{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe
      C:\Windows\{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Windows\{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe
        
        C:\Windows\{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe
        
        C:\Windows\{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA081~1.EXE > nul
        7⤵
        
        PID:2116
        
        C:\Windows\{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe
        
        C:\Windows\{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12A07~1.EXE > nul
        8⤵
        
        PID:2828
        
        C:\Windows\{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe
        
        C:\Windows\{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{D97DF714-87DD-4b2b-A9E6-714141ADCDE8}.exe
        
        C:\Windows\{D97DF714-87DD-4b2b-A9E6-714141ADCDE8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\{2CF8DAD5-117E-4fc1-BAC8-63555E7238EC}.exe
        
        C:\Windows\{2CF8DAD5-117E-4fc1-BAC8-63555E7238EC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\{9F09A600-C879-4bab-82F7-8387C1A0D250}.exe
        
        C:\Windows\{9F09A600-C879-4bab-82F7-8387C1A0D250}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F09A~1.EXE > nul
        12⤵
        
        PID:2800
        
        C:\Windows\{393092BF-016F-4e88-ABC3-18C3AB0D209A}.exe
        
        C:\Windows\{393092BF-016F-4e88-ABC3-18C3AB0D209A}.exe
        12⤵
        Executes dropped EXE
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CF8D~1.EXE > nul
        11⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D97DF~1.EXE > nul
        10⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B64A~1.EXE > nul
        9⤵
        
        PID:1708
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B40B~1.EXE > nul
        6⤵
        
        PID:2404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3232D~1.EXE > nul
        5⤵
        
        PID:2500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4CAA6~1.EXE > nul
      4⤵
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{83448~1.EXE > nul
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe

Filesize
372KB

MD5
9244a40646a0b83366510ae7da44431a

SHA1
650fddcf5be7f5f6a4ba191b77b562a9ca179aec

SHA256
32572e70bb78d92be89f64cab6a1ca2b521686ca4bdc03a61f3bf8f4fc08fbf4

SHA512
f894ffc40098664d5e2c27f1ef220e39fbd77c128c8879d5438432cb8d46314a01d4e965e776405fa532a6b8521e4655760815f81415099df2d85fcdff60a569

Download Submit
C:\Windows\{12A072B9-9E66-4a22-ABFB-C433DEB76C0B}.exe

Filesize
372KB

MD5
9244a40646a0b83366510ae7da44431a

SHA1
650fddcf5be7f5f6a4ba191b77b562a9ca179aec

SHA256
32572e70bb78d92be89f64cab6a1ca2b521686ca4bdc03a61f3bf8f4fc08fbf4

SHA512
f894ffc40098664d5e2c27f1ef220e39fbd77c128c8879d5438432cb8d46314a01d4e965e776405fa532a6b8521e4655760815f81415099df2d85fcdff60a569

Download Submit
C:\Windows\{2CF8DAD5-117E-4fc1-BAC8-63555E7238EC}.exe

Filesize
372KB

MD5
91d3446f7068ff5fad10f24ee577e67a

SHA1
4270040ba2e88421b882e9b919c04390cfe121f6

SHA256
72f62ad9affc9c8ffdcc4205c808d0c80c0e6f7b036976c440ff73449e644217

SHA512
534c7da159b94e861ec0f92b96e5ab5509c391402f0fda5651b520d2bd82baaa529f45000ade67faa607a76dc5b2da93c7bfb205d259919d865512e54da92dac

Download Submit
C:\Windows\{2CF8DAD5-117E-4fc1-BAC8-63555E7238EC}.exe

Filesize
372KB

MD5
91d3446f7068ff5fad10f24ee577e67a

SHA1
4270040ba2e88421b882e9b919c04390cfe121f6

SHA256
72f62ad9affc9c8ffdcc4205c808d0c80c0e6f7b036976c440ff73449e644217

SHA512
534c7da159b94e861ec0f92b96e5ab5509c391402f0fda5651b520d2bd82baaa529f45000ade67faa607a76dc5b2da93c7bfb205d259919d865512e54da92dac

Download Submit
C:\Windows\{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe

Filesize
372KB

MD5
5c3f23b703214e60a131244a462fab71

SHA1
85106551332447e3bc6586e5ce24082598b47761

SHA256
82f225c4e3a652d5e6934b84bdc59885271a1b3ac0f9b3db67aca7f1dbe34a67

SHA512
f4cb1c3bbac856805e092620946c590c518b0ffdff95bf3a41016c45d0a59b3274af7b84850ee6a5fef87303e2d880b20f202f5792239cf8b7e7623f7733e1d4

Download Submit
C:\Windows\{3232D981-B461-4f8c-B995-FD3469C91CC7}.exe

Filesize
372KB

MD5
5c3f23b703214e60a131244a462fab71

SHA1
85106551332447e3bc6586e5ce24082598b47761

SHA256
82f225c4e3a652d5e6934b84bdc59885271a1b3ac0f9b3db67aca7f1dbe34a67

SHA512
f4cb1c3bbac856805e092620946c590c518b0ffdff95bf3a41016c45d0a59b3274af7b84850ee6a5fef87303e2d880b20f202f5792239cf8b7e7623f7733e1d4

Download Submit
C:\Windows\{393092BF-016F-4e88-ABC3-18C3AB0D209A}.exe

Filesize
372KB

MD5
760bce95671f10d72285212f323ce2ab

SHA1
ea59798aa4abcb9bc2407ddd058e4245fa45480f

SHA256
37249d6a4e6ea5a0ee5d2d110eee7d261925973f09d217e73bf6344763fbfbbd

SHA512
2ec81ffebc9fb6cd9707e319ae454bfb74618aa542c4c4f8c53089855b7df6336a31a7361699e1deea2dceea048925e2af936b0b4e28efbd83e260cb7da2a0e0

Download Submit
C:\Windows\{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe

Filesize
372KB

MD5
33d211a2089850f32f746c08add5b726

SHA1
a2f8f031844112d78eea37ca5438cec706b63ddb

SHA256
9fc30211b78fe8fe729b0ac348bacdf7e0a1110e74cff9713a78319d7d84203a

SHA512
d079dfa101e0ccd2e3a4095529564b53c465acddb244a12dc0f9c3628b907d7c665309f6da4de409772b698afbe93762bb7459e7395f334abb27d93a107d2f85

Download Submit
C:\Windows\{4CAA607F-DE90-4a46-A598-1AEBFC562506}.exe

Filesize
372KB

MD5
33d211a2089850f32f746c08add5b726

SHA1
a2f8f031844112d78eea37ca5438cec706b63ddb

SHA256
9fc30211b78fe8fe729b0ac348bacdf7e0a1110e74cff9713a78319d7d84203a

SHA512
d079dfa101e0ccd2e3a4095529564b53c465acddb244a12dc0f9c3628b907d7c665309f6da4de409772b698afbe93762bb7459e7395f334abb27d93a107d2f85

Download Submit
C:\Windows\{83448114-B641-4029-A38E-6ACDB5A94422}.exe

Filesize
372KB

MD5
53b77f500f8829d3da29eb770f707001

SHA1
a6cfeecbdaa193392c037834f87223342e396138

SHA256
3751dda844efcead11d30638caf094f290abdfc60ee6235aa2b0c4e3b8498bb9

SHA512
e333c7e33c546da5d5b7b10df136de567b7a74e740a5f02041c94b888fedcd23c8af9ef0fa8dcf79d5a5043909e9c684e4bc0b95072763495e7127df7e57c168

Download Submit
C:\Windows\{83448114-B641-4029-A38E-6ACDB5A94422}.exe

Filesize
372KB

MD5
53b77f500f8829d3da29eb770f707001

SHA1
a6cfeecbdaa193392c037834f87223342e396138

SHA256
3751dda844efcead11d30638caf094f290abdfc60ee6235aa2b0c4e3b8498bb9

SHA512
e333c7e33c546da5d5b7b10df136de567b7a74e740a5f02041c94b888fedcd23c8af9ef0fa8dcf79d5a5043909e9c684e4bc0b95072763495e7127df7e57c168

Download Submit
C:\Windows\{83448114-B641-4029-A38E-6ACDB5A94422}.exe

Filesize
372KB

MD5
53b77f500f8829d3da29eb770f707001

SHA1
a6cfeecbdaa193392c037834f87223342e396138

SHA256
3751dda844efcead11d30638caf094f290abdfc60ee6235aa2b0c4e3b8498bb9

SHA512
e333c7e33c546da5d5b7b10df136de567b7a74e740a5f02041c94b888fedcd23c8af9ef0fa8dcf79d5a5043909e9c684e4bc0b95072763495e7127df7e57c168

Download Submit
C:\Windows\{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe

Filesize
372KB

MD5
2a74961cd6e7506de572bab7c166013f

SHA1
9edc0a9bf7d65a8d44f50e44af611bdac15cfa1c

SHA256
ae7c6058a5863274e9da99d03d349bdf4e4395b44f2248b62fe274246513d9ac

SHA512
d2d8182eb657a13fac94c072804286347ab1119b22342b0edfc530551a75a467197bef9199d7065a43955b572e522189a6712ec8648ffd97bcf46e0f5d0a8ed8

Download Submit
C:\Windows\{8B64A29A-89A3-4e7f-B220-77CC5F3EEABB}.exe

Filesize
372KB

MD5
2a74961cd6e7506de572bab7c166013f

SHA1
9edc0a9bf7d65a8d44f50e44af611bdac15cfa1c

SHA256
ae7c6058a5863274e9da99d03d349bdf4e4395b44f2248b62fe274246513d9ac

SHA512
d2d8182eb657a13fac94c072804286347ab1119b22342b0edfc530551a75a467197bef9199d7065a43955b572e522189a6712ec8648ffd97bcf46e0f5d0a8ed8

Download Submit
C:\Windows\{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe

Filesize
372KB

MD5
510150c8324853214d56dd75ea81a980

SHA1
6032d06d578712e94f3663335b3ac18aad5a58fb

SHA256
659dfd6c25ac9af118dd10d4b219b2dcd753f7b1b735ce6560f6d9afee035b0c

SHA512
83cc59fc736f2d930e78e8ad119326265d3d4718e53292544500545512d5633e8ffb04bb7a5a66bcabea4fa007b4682686375a9ff25fd65d423dfbd3bdda6996

Download Submit
C:\Windows\{9B40BB1E-F1B6-4881-BC16-6648055F0697}.exe

Filesize
372KB

MD5
510150c8324853214d56dd75ea81a980

SHA1
6032d06d578712e94f3663335b3ac18aad5a58fb

SHA256
659dfd6c25ac9af118dd10d4b219b2dcd753f7b1b735ce6560f6d9afee035b0c

SHA512
83cc59fc736f2d930e78e8ad119326265d3d4718e53292544500545512d5633e8ffb04bb7a5a66bcabea4fa007b4682686375a9ff25fd65d423dfbd3bdda6996

Download Submit
C:\Windows\{9F09A600-C879-4bab-82F7-8387C1A0D250}.exe

Filesize
372KB

MD5
7c18e0d6b483de1d35e9f0936d535f8d

SHA1
0ddf8da323e31e242c396b73b9eabe6d5ef208cb

SHA256
2fc92f3b449c93d980bbfb5b77ecc40fb764aed9deb22457f0ed8de6bbdbbf88

SHA512
3d0745d6dd881bfda841a1c8e3e93c0dfb16b6d8faa69cd69b54b2c86fc7812a5932512cd810a4f894232b02a8f5454c8c9553af66cd7ef7822dd06b070c6886

Download Submit
C:\Windows\{9F09A600-C879-4bab-82F7-8387C1A0D250}.exe

Filesize
372KB

MD5
7c18e0d6b483de1d35e9f0936d535f8d

SHA1
0ddf8da323e31e242c396b73b9eabe6d5ef208cb

SHA256
2fc92f3b449c93d980bbfb5b77ecc40fb764aed9deb22457f0ed8de6bbdbbf88

SHA512
3d0745d6dd881bfda841a1c8e3e93c0dfb16b6d8faa69cd69b54b2c86fc7812a5932512cd810a4f894232b02a8f5454c8c9553af66cd7ef7822dd06b070c6886

Download Submit
C:\Windows\{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe

Filesize
372KB

MD5
e3213ac749a6335c2d20b1ec9f95cd50

SHA1
3d2a97f4aa08ce4a0047af3b55d0b4b2b2c5f545

SHA256
644ef7a34b3282c35c9e15965d252ea265974fa72af27600033749403a4c322a

SHA512
68825aa6c55f75a73ff00b476961a8d0b4addaa1d93debd3fac63a67005dfc5fdd558ba218da5e028ae834f39bc3e29229c4b544b8125afcd9ded4c667cf3301

Download Submit
C:\Windows\{CA08181C-7F82-4449-83F7-D27D18225F6C}.exe

Filesize
372KB

MD5
e3213ac749a6335c2d20b1ec9f95cd50

SHA1
3d2a97f4aa08ce4a0047af3b55d0b4b2b2c5f545

SHA256
644ef7a34b3282c35c9e15965d252ea265974fa72af27600033749403a4c322a

SHA512
68825aa6c55f75a73ff00b476961a8d0b4addaa1d93debd3fac63a67005dfc5fdd558ba218da5e028ae834f39bc3e29229c4b544b8125afcd9ded4c667cf3301

Download Submit
C:\Windows\{D97DF714-87DD-4b2b-A9E6-714141ADCDE8}.exe

Filesize
372KB

MD5
83aa4068d4caff017349fba128d3425f

SHA1
9d5586cbf137526f68c99912c89908f3c7a67f3b

SHA256
7d83526f646da399ffb94d45997d9c1b3b5981f44c607e73f93302178cbcf95e

SHA512
d8b6d89fdbbec204a27ad3944b60dc4b5674b02f65c80ef6b1ba3f0da0474ff87483c44c656a9163dc0f0847fcf39721f1fbb81f152e4bc19ff0be86a9214beb

Download Submit
C:\Windows\{D97DF714-87DD-4b2b-A9E6-714141ADCDE8}.exe

Filesize
372KB

MD5
83aa4068d4caff017349fba128d3425f

SHA1
9d5586cbf137526f68c99912c89908f3c7a67f3b

SHA256
7d83526f646da399ffb94d45997d9c1b3b5981f44c607e73f93302178cbcf95e

SHA512
d8b6d89fdbbec204a27ad3944b60dc4b5674b02f65c80ef6b1ba3f0da0474ff87483c44c656a9163dc0f0847fcf39721f1fbb81f152e4bc19ff0be86a9214beb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads