4938200e569d7106411424af464e06e2ecf7a42204f6afbfb95970aa9e25fc17

Analysis

max time kernel
163s
max time network
136s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_13e6d0b934ba7e616c91b56480774ebc_goldeneye_JC.exe
Size

180KB
MD5

13e6d0b934ba7e616c91b56480774ebc
SHA1

ec0e0d80b0a27d3c9217affd1d89eab72bd8f2b6
SHA256

4938200e569d7106411424af464e06e2ecf7a42204f6afbfb95970aa9e25fc17
SHA512

26d7842654e836c7c71a08d23f41cc0e3b201ff08f651dcf1d58d32104b6712f75d6e994318abb2ec0d6be6b8a2fb7ac581b9216e6ac031bf915bb854cc0097f
SSDEEP

3072:jEGh0ozlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGJl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44A9C245-1529-432f-A427-B196249CC0C7}\stubpath = "C:\\Windows\\{44A9C245-1529-432f-A427-B196249CC0C7}.exe"	{2D9DE2F7-1250-4479-90D6-25EDCF099989}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{973FCCC3-C9A1-4f02-878D-A2E23280EC54}	{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D14F987E-3407-40a8-B901-D6E2F3E70B56}\stubpath = "C:\\Windows\\{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe"	{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{277D752F-9D20-49dd-A40E-3F6FFA28B445}	{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B69EA1EA-5C9E-490e-999C-571B00CB091C}\stubpath = "C:\\Windows\\{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe"	{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68B9A7A2-936F-4c94-ADA2-1BC3FBFBD225}	{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB827AA8-11FE-4a5d-8954-8BFC5548B13E}	{911120A3-F891-4cad-B647-5B8BCF0F8E1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB827AA8-11FE-4a5d-8954-8BFC5548B13E}\stubpath = "C:\\Windows\\{BB827AA8-11FE-4a5d-8954-8BFC5548B13E}.exe"	{911120A3-F891-4cad-B647-5B8BCF0F8E1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D9DE2F7-1250-4479-90D6-25EDCF099989}	{BB827AA8-11FE-4a5d-8954-8BFC5548B13E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D14F987E-3407-40a8-B901-D6E2F3E70B56}	{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B69EA1EA-5C9E-490e-999C-571B00CB091C}	{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0BDA090-0B93-4095-AB5F-2EDDD8847588}\stubpath = "C:\\Windows\\{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe"	{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{911120A3-F891-4cad-B647-5B8BCF0F8E1B}	{68B9A7A2-936F-4c94-ADA2-1BC3FBFBD225}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{911120A3-F891-4cad-B647-5B8BCF0F8E1B}\stubpath = "C:\\Windows\\{911120A3-F891-4cad-B647-5B8BCF0F8E1B}.exe"	{68B9A7A2-936F-4c94-ADA2-1BC3FBFBD225}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D9DE2F7-1250-4479-90D6-25EDCF099989}\stubpath = "C:\\Windows\\{2D9DE2F7-1250-4479-90D6-25EDCF099989}.exe"	{BB827AA8-11FE-4a5d-8954-8BFC5548B13E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}	2023-08-26_13e6d0b934ba7e616c91b56480774ebc_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F861503-1055-49a1-AD9C-0E0EF39F3631}	{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F861503-1055-49a1-AD9C-0E0EF39F3631}\stubpath = "C:\\Windows\\{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe"	{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68B9A7A2-936F-4c94-ADA2-1BC3FBFBD225}\stubpath = "C:\\Windows\\{68B9A7A2-936F-4c94-ADA2-1BC3FBFBD225}.exe"	{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}\stubpath = "C:\\Windows\\{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe"	2023-08-26_13e6d0b934ba7e616c91b56480774ebc_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{973FCCC3-C9A1-4f02-878D-A2E23280EC54}\stubpath = "C:\\Windows\\{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe"	{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{277D752F-9D20-49dd-A40E-3F6FFA28B445}\stubpath = "C:\\Windows\\{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe"	{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0BDA090-0B93-4095-AB5F-2EDDD8847588}	{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44A9C245-1529-432f-A427-B196249CC0C7}	{2D9DE2F7-1250-4479-90D6-25EDCF099989}.exe

Deletes itself 1 IoCs

pid	Process
2584	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2160	{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe
2496	{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe
2708	{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe
2756	{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe
2540	{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe
3024	{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe
2996	{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe
3064	{68B9A7A2-936F-4c94-ADA2-1BC3FBFBD225}.exe
1312	{911120A3-F891-4cad-B647-5B8BCF0F8E1B}.exe
1368	{BB827AA8-11FE-4a5d-8954-8BFC5548B13E}.exe
2736	{2D9DE2F7-1250-4479-90D6-25EDCF099989}.exe
1804	{44A9C245-1529-432f-A427-B196249CC0C7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe	{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe
File created	C:\Windows\{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe	{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe
File created	C:\Windows\{68B9A7A2-936F-4c94-ADA2-1BC3FBFBD225}.exe	{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe
File created	C:\Windows\{BB827AA8-11FE-4a5d-8954-8BFC5548B13E}.exe	{911120A3-F891-4cad-B647-5B8BCF0F8E1B}.exe
File created	C:\Windows\{2D9DE2F7-1250-4479-90D6-25EDCF099989}.exe	{BB827AA8-11FE-4a5d-8954-8BFC5548B13E}.exe
File created	C:\Windows\{44A9C245-1529-432f-A427-B196249CC0C7}.exe	{2D9DE2F7-1250-4479-90D6-25EDCF099989}.exe
File created	C:\Windows\{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe	{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe
File created	C:\Windows\{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe	{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe
File created	C:\Windows\{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe	{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe
File created	C:\Windows\{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe	{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe
File created	C:\Windows\{911120A3-F891-4cad-B647-5B8BCF0F8E1B}.exe	{68B9A7A2-936F-4c94-ADA2-1BC3FBFBD225}.exe
File created	C:\Windows\{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe	2023-08-26_13e6d0b934ba7e616c91b56480774ebc_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1700	2023-08-26_13e6d0b934ba7e616c91b56480774ebc_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2160	{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe
Token: SeIncBasePriorityPrivilege	2496	{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe
Token: SeIncBasePriorityPrivilege	2708	{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe
Token: SeIncBasePriorityPrivilege	2756	{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe
Token: SeIncBasePriorityPrivilege	2540	{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe
Token: SeIncBasePriorityPrivilege	3024	{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe
Token: SeIncBasePriorityPrivilege	2996	{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe
Token: SeIncBasePriorityPrivilege	3064	{68B9A7A2-936F-4c94-ADA2-1BC3FBFBD225}.exe
Token: SeIncBasePriorityPrivilege	1312	{911120A3-F891-4cad-B647-5B8BCF0F8E1B}.exe
Token: SeIncBasePriorityPrivilege	1368	{BB827AA8-11FE-4a5d-8954-8BFC5548B13E}.exe
Token: SeIncBasePriorityPrivilege	2736	{2D9DE2F7-1250-4479-90D6-25EDCF099989}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2160	1700	2023-08-26_13e6d0b934ba7e616c91b56480774ebc_goldeneye_JC.exe	27
PID 1700 wrote to memory of 2160	1700	2023-08-26_13e6d0b934ba7e616c91b56480774ebc_goldeneye_JC.exe	27
PID 1700 wrote to memory of 2160	1700	2023-08-26_13e6d0b934ba7e616c91b56480774ebc_goldeneye_JC.exe	27
PID 1700 wrote to memory of 2160	1700	2023-08-26_13e6d0b934ba7e616c91b56480774ebc_goldeneye_JC.exe	27
PID 1700 wrote to memory of 2584	1700	2023-08-26_13e6d0b934ba7e616c91b56480774ebc_goldeneye_JC.exe	28
PID 1700 wrote to memory of 2584	1700	2023-08-26_13e6d0b934ba7e616c91b56480774ebc_goldeneye_JC.exe	28
PID 1700 wrote to memory of 2584	1700	2023-08-26_13e6d0b934ba7e616c91b56480774ebc_goldeneye_JC.exe	28
PID 1700 wrote to memory of 2584	1700	2023-08-26_13e6d0b934ba7e616c91b56480774ebc_goldeneye_JC.exe	28
PID 2160 wrote to memory of 2496	2160	{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe	31
PID 2160 wrote to memory of 2496	2160	{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe	31
PID 2160 wrote to memory of 2496	2160	{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe	31
PID 2160 wrote to memory of 2496	2160	{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe	31
PID 2160 wrote to memory of 2604	2160	{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe	32
PID 2160 wrote to memory of 2604	2160	{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe	32
PID 2160 wrote to memory of 2604	2160	{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe	32
PID 2160 wrote to memory of 2604	2160	{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe	32
PID 2496 wrote to memory of 2708	2496	{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe	33
PID 2496 wrote to memory of 2708	2496	{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe	33
PID 2496 wrote to memory of 2708	2496	{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe	33
PID 2496 wrote to memory of 2708	2496	{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe	33
PID 2496 wrote to memory of 2624	2496	{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe	34
PID 2496 wrote to memory of 2624	2496	{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe	34
PID 2496 wrote to memory of 2624	2496	{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe	34
PID 2496 wrote to memory of 2624	2496	{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe	34
PID 2708 wrote to memory of 2756	2708	{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe	35
PID 2708 wrote to memory of 2756	2708	{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe	35
PID 2708 wrote to memory of 2756	2708	{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe	35
PID 2708 wrote to memory of 2756	2708	{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe	35
PID 2708 wrote to memory of 2484	2708	{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe	36
PID 2708 wrote to memory of 2484	2708	{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe	36
PID 2708 wrote to memory of 2484	2708	{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe	36
PID 2708 wrote to memory of 2484	2708	{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe	36
PID 2756 wrote to memory of 2540	2756	{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe	37
PID 2756 wrote to memory of 2540	2756	{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe	37
PID 2756 wrote to memory of 2540	2756	{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe	37
PID 2756 wrote to memory of 2540	2756	{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe	37
PID 2756 wrote to memory of 3020	2756	{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe	38
PID 2756 wrote to memory of 3020	2756	{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe	38
PID 2756 wrote to memory of 3020	2756	{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe	38
PID 2756 wrote to memory of 3020	2756	{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe	38
PID 2540 wrote to memory of 3024	2540	{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe	40
PID 2540 wrote to memory of 3024	2540	{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe	40
PID 2540 wrote to memory of 3024	2540	{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe	40
PID 2540 wrote to memory of 3024	2540	{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe	40
PID 2540 wrote to memory of 2468	2540	{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe	39
PID 2540 wrote to memory of 2468	2540	{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe	39
PID 2540 wrote to memory of 2468	2540	{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe	39
PID 2540 wrote to memory of 2468	2540	{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe	39
PID 3024 wrote to memory of 2996	3024	{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe	42
PID 3024 wrote to memory of 2996	3024	{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe	42
PID 3024 wrote to memory of 2996	3024	{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe	42
PID 3024 wrote to memory of 2996	3024	{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe	42
PID 3024 wrote to memory of 3016	3024	{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe	41
PID 3024 wrote to memory of 3016	3024	{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe	41
PID 3024 wrote to memory of 3016	3024	{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe	41
PID 3024 wrote to memory of 3016	3024	{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe	41
PID 2996 wrote to memory of 3064	2996	{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe	43
PID 2996 wrote to memory of 3064	2996	{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe	43
PID 2996 wrote to memory of 3064	2996	{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe	43
PID 2996 wrote to memory of 3064	2996	{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe	43
PID 2996 wrote to memory of 3044	2996	{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe	44
PID 2996 wrote to memory of 3044	2996	{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe	44
PID 2996 wrote to memory of 3044	2996	{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe	44
PID 2996 wrote to memory of 3044	2996	{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe	44

C:\Users\Admin\AppData\Local\Temp\2023-08-26_13e6d0b934ba7e616c91b56480774ebc_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_13e6d0b934ba7e616c91b56480774ebc_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe
  C:\Windows\{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe
    C:\Windows\{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe
      C:\Windows\{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe
        
        C:\Windows\{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe
        
        C:\Windows\{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{277D7~1.EXE > nul
        7⤵
        
        PID:2468
        
        C:\Windows\{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe
        
        C:\Windows\{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B69EA~1.EXE > nul
        8⤵
        
        PID:3016
        
        C:\Windows\{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe
        
        C:\Windows\{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\{68B9A7A2-936F-4c94-ADA2-1BC3FBFBD225}.exe
        
        C:\Windows\{68B9A7A2-936F-4c94-ADA2-1BC3FBFBD225}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\{911120A3-F891-4cad-B647-5B8BCF0F8E1B}.exe
        
        C:\Windows\{911120A3-F891-4cad-B647-5B8BCF0F8E1B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91112~1.EXE > nul
        11⤵
        
        PID:2672
        
        C:\Windows\{BB827AA8-11FE-4a5d-8954-8BFC5548B13E}.exe
        
        C:\Windows\{BB827AA8-11FE-4a5d-8954-8BFC5548B13E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\{2D9DE2F7-1250-4479-90D6-25EDCF099989}.exe
        
        C:\Windows\{2D9DE2F7-1250-4479-90D6-25EDCF099989}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\{44A9C245-1529-432f-A427-B196249CC0C7}.exe
        
        C:\Windows\{44A9C245-1529-432f-A427-B196249CC0C7}.exe
        13⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D9DE~1.EXE > nul
        13⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB827~1.EXE > nul
        12⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68B9A~1.EXE > nul
        10⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0BDA~1.EXE > nul
        9⤵
        
        PID:3044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D14F9~1.EXE > nul
        6⤵
        
        PID:3020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{973FC~1.EXE > nul
        5⤵
        
        PID:2484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0F861~1.EXE > nul
      4⤵
      PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F9FF4~1.EXE > nul
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe

Filesize
180KB

MD5
7605b067d5ac8a2ac9bfb8d1243740c9

SHA1
f4296b686743e006d6215b404db5f7ae53fdec9f

SHA256
7ae2c71ada2c434dcffeecf3faf3562cb11f3ce88acc1bd3f3dc88be7d9044e9

SHA512
7479cdce909bf35d8bba716f14eea1a09edc9fbb7ad8776d1452fe8358fd5e1f8869f8e0e258fc571ceabd8c45094d993b298eb32a260bfb1d2857cd855d124b

Download Submit
C:\Windows\{0F861503-1055-49a1-AD9C-0E0EF39F3631}.exe

Filesize
180KB

MD5
7605b067d5ac8a2ac9bfb8d1243740c9

SHA1
f4296b686743e006d6215b404db5f7ae53fdec9f

SHA256
7ae2c71ada2c434dcffeecf3faf3562cb11f3ce88acc1bd3f3dc88be7d9044e9

SHA512
7479cdce909bf35d8bba716f14eea1a09edc9fbb7ad8776d1452fe8358fd5e1f8869f8e0e258fc571ceabd8c45094d993b298eb32a260bfb1d2857cd855d124b

Download Submit
C:\Windows\{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe

Filesize
180KB

MD5
001c02e01f8b7e9a78f9dc8327d822f6

SHA1
efadc1167bf9867ba60900a9e303ef8f8e331b14

SHA256
0b7d586595e56dd38a845ba5b54ac246e8e37c4cc4bbca2680158df7ba185965

SHA512
bb9c85ba5aa2f6532cc399afc468d1d618857645a704619c472d8119526777264da43935eec363d5120efc6686cfb52d64e9f35255d440918c66ef4d480c0d36

Download Submit
C:\Windows\{277D752F-9D20-49dd-A40E-3F6FFA28B445}.exe

Filesize
180KB

MD5
001c02e01f8b7e9a78f9dc8327d822f6

SHA1
efadc1167bf9867ba60900a9e303ef8f8e331b14

SHA256
0b7d586595e56dd38a845ba5b54ac246e8e37c4cc4bbca2680158df7ba185965

SHA512
bb9c85ba5aa2f6532cc399afc468d1d618857645a704619c472d8119526777264da43935eec363d5120efc6686cfb52d64e9f35255d440918c66ef4d480c0d36

Download Submit
C:\Windows\{2D9DE2F7-1250-4479-90D6-25EDCF099989}.exe

Filesize
180KB

MD5
47c1b8ef86a93d752819f5a8c49750c8

SHA1
28ed08dcce168c820cdc00679ae33798d36beb53

SHA256
d26b255f74edaaa2a76a86841e0adc7a464b42abf4a7ca8cdebcede1ebca624e

SHA512
569d26b38c3ca64a94bfbd07e68fcd03571180e843efb4a0e10b42fe089e0bb0472b6a9d8c3356a6e1208b4bff017bc9c4c85195cab90b7ca9ef1311f0ab3b24

Download Submit
C:\Windows\{2D9DE2F7-1250-4479-90D6-25EDCF099989}.exe

Filesize
180KB

MD5
47c1b8ef86a93d752819f5a8c49750c8

SHA1
28ed08dcce168c820cdc00679ae33798d36beb53

SHA256
d26b255f74edaaa2a76a86841e0adc7a464b42abf4a7ca8cdebcede1ebca624e

SHA512
569d26b38c3ca64a94bfbd07e68fcd03571180e843efb4a0e10b42fe089e0bb0472b6a9d8c3356a6e1208b4bff017bc9c4c85195cab90b7ca9ef1311f0ab3b24

Download Submit
C:\Windows\{44A9C245-1529-432f-A427-B196249CC0C7}.exe

Filesize
180KB

MD5
b5b53d1e21d5af6aba0839bdeda594a9

SHA1
81859aea0da327dc416634e1fefb6b0068bc21df

SHA256
e9826c96bd16b92a6a2815ebda595a0e8af52acace19d7a0e43ea131f312f104

SHA512
9491c31088958a637e93f71732dcd55d8c39c7b5906670019f3322c2cedd1803b2b5e970f38bc56c24cadbde2653447cd69aedbdf25828e51f33e6621faee053

Download Submit
C:\Windows\{68B9A7A2-936F-4c94-ADA2-1BC3FBFBD225}.exe

Filesize
180KB

MD5
83b4642ee6f8ec0c2b1f74cfb2bf688f

SHA1
b9c219da602c4e7b297940bdd94e1639ba5356b3

SHA256
e78c404378dc8f95cab02f44bce22ac28e42822d14e6e873754e8ae41e597c19

SHA512
708da8a70afd13fb1e2426c3915954b9ad7583879097ced14a03bf1121901539ab9e6d98aa181308f309ed5cb6ad0a591b75ba2420b8c1c03f3ebe396acf235a

Download Submit
C:\Windows\{68B9A7A2-936F-4c94-ADA2-1BC3FBFBD225}.exe

Filesize
180KB

MD5
83b4642ee6f8ec0c2b1f74cfb2bf688f

SHA1
b9c219da602c4e7b297940bdd94e1639ba5356b3

SHA256
e78c404378dc8f95cab02f44bce22ac28e42822d14e6e873754e8ae41e597c19

SHA512
708da8a70afd13fb1e2426c3915954b9ad7583879097ced14a03bf1121901539ab9e6d98aa181308f309ed5cb6ad0a591b75ba2420b8c1c03f3ebe396acf235a

Download Submit
C:\Windows\{911120A3-F891-4cad-B647-5B8BCF0F8E1B}.exe

Filesize
180KB

MD5
02f0084db865080caae84386086721c6

SHA1
fa783a3ac1f6e54cdf6ba2244b8a0364191b4b73

SHA256
f764cf87242f0b38a42cb8e880d494e6b6502de0b7f8029a2bfd56148dad7518

SHA512
472608bd5570e088fca026d6eeaa05c87d799361d9b457f3d594a0d1a13c65d3fb6efa0276195fb4da898e5960656c0b04b651f48f9266125d0ab2aa6d74f92b

Download Submit
C:\Windows\{911120A3-F891-4cad-B647-5B8BCF0F8E1B}.exe

Filesize
180KB

MD5
02f0084db865080caae84386086721c6

SHA1
fa783a3ac1f6e54cdf6ba2244b8a0364191b4b73

SHA256
f764cf87242f0b38a42cb8e880d494e6b6502de0b7f8029a2bfd56148dad7518

SHA512
472608bd5570e088fca026d6eeaa05c87d799361d9b457f3d594a0d1a13c65d3fb6efa0276195fb4da898e5960656c0b04b651f48f9266125d0ab2aa6d74f92b

Download Submit
C:\Windows\{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe

Filesize
180KB

MD5
578bd4af8eda4fbec2cf9a2ec2194536

SHA1
513006a8042ded5a32f1b271f2942c778a1f5c24

SHA256
d7d8c64f26660c7632debe544272aa1dcb88f363169e7badec5e0eea5c2b266d

SHA512
68e01be5182eb0e3ce8e5f56a8e4b786e031ed74c4caa4985d7bffdbe4c7f34439ee746e5d350df2ef1bb9f82a2ab9596b72bcf3e3088cb5f25871ff8215cc79

Download Submit
C:\Windows\{973FCCC3-C9A1-4f02-878D-A2E23280EC54}.exe

Filesize
180KB

MD5
578bd4af8eda4fbec2cf9a2ec2194536

SHA1
513006a8042ded5a32f1b271f2942c778a1f5c24

SHA256
d7d8c64f26660c7632debe544272aa1dcb88f363169e7badec5e0eea5c2b266d

SHA512
68e01be5182eb0e3ce8e5f56a8e4b786e031ed74c4caa4985d7bffdbe4c7f34439ee746e5d350df2ef1bb9f82a2ab9596b72bcf3e3088cb5f25871ff8215cc79

Download Submit
C:\Windows\{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe

Filesize
180KB

MD5
3b6bef0326e3f3e297d3a7127fa7e079

SHA1
e277c0896c7a342798db6fc4466ca1eb097007e2

SHA256
d43404a870c0926e562e8120e55c16986956067868a7876d259cab680577e1ac

SHA512
f27496d15931003bbcf3fd4f1e391d05b7e95303080d8b1c98147c2e410b969a5ead16e57a8be0940eab6a16479bb16cf7e0e3de73453fec201ddbfdbfbb1ae7

Download Submit
C:\Windows\{B0BDA090-0B93-4095-AB5F-2EDDD8847588}.exe

Filesize
180KB

MD5
3b6bef0326e3f3e297d3a7127fa7e079

SHA1
e277c0896c7a342798db6fc4466ca1eb097007e2

SHA256
d43404a870c0926e562e8120e55c16986956067868a7876d259cab680577e1ac

SHA512
f27496d15931003bbcf3fd4f1e391d05b7e95303080d8b1c98147c2e410b969a5ead16e57a8be0940eab6a16479bb16cf7e0e3de73453fec201ddbfdbfbb1ae7

Download Submit
C:\Windows\{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe

Filesize
180KB

MD5
1710ce9a33bb6f97dd86dd7befb4f3de

SHA1
ce18377e3c6e54735452e7af74372b483ed906ce

SHA256
6265df2d4bb4d54667ee5292ea46372fb010959f6bc7bc649ebd42aa956accb3

SHA512
33fa6a7748c53b969dfc0ad7374fe19bd5d4d46a829a8bc958442edb21aa6f28a16bed75f3777d64ac2a8e4ea1ba44bad949913f1dfb48f127bcaf91c8bcae16

Download Submit
C:\Windows\{B69EA1EA-5C9E-490e-999C-571B00CB091C}.exe

Filesize
180KB

MD5
1710ce9a33bb6f97dd86dd7befb4f3de

SHA1
ce18377e3c6e54735452e7af74372b483ed906ce

SHA256
6265df2d4bb4d54667ee5292ea46372fb010959f6bc7bc649ebd42aa956accb3

SHA512
33fa6a7748c53b969dfc0ad7374fe19bd5d4d46a829a8bc958442edb21aa6f28a16bed75f3777d64ac2a8e4ea1ba44bad949913f1dfb48f127bcaf91c8bcae16

Download Submit
C:\Windows\{BB827AA8-11FE-4a5d-8954-8BFC5548B13E}.exe

Filesize
180KB

MD5
2567e235e14bb20dae1a45fc53f80d05

SHA1
382bc5982a4b826531c7e21392b8e19c841cbd94

SHA256
224ab944046b328b8d0c9473e174ae02f7e35ac4cb784347f225a7c5395ab93b

SHA512
cc5ed1a80b06a1e949bfcb4340162ef1245b1555118cbde0784f4e46f7f4a24d7f0502eb651052fe9c8c297e8d88bf92df132d5cd6549a3cc7986be2f8a05741

Download Submit
C:\Windows\{BB827AA8-11FE-4a5d-8954-8BFC5548B13E}.exe

Filesize
180KB

MD5
2567e235e14bb20dae1a45fc53f80d05

SHA1
382bc5982a4b826531c7e21392b8e19c841cbd94

SHA256
224ab944046b328b8d0c9473e174ae02f7e35ac4cb784347f225a7c5395ab93b

SHA512
cc5ed1a80b06a1e949bfcb4340162ef1245b1555118cbde0784f4e46f7f4a24d7f0502eb651052fe9c8c297e8d88bf92df132d5cd6549a3cc7986be2f8a05741

Download Submit
C:\Windows\{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe

Filesize
180KB

MD5
1aeec51435e70c84e7e2c911aec0890b

SHA1
b93577ff13365618239fffadf708b299aacc14f6

SHA256
071bde56023cff79752d62e3400e61479ce29d20c34096a2bae298baa190baae

SHA512
749205c49409e1085aa28b71dc9529abda5e86e0af88e251fe097d1139d4b0cfa2c41f5697e14b563a66cccec8bc7009c0ebbed08c3c107b5332a8680ac814b8

Download Submit
C:\Windows\{D14F987E-3407-40a8-B901-D6E2F3E70B56}.exe

Filesize
180KB

MD5
1aeec51435e70c84e7e2c911aec0890b

SHA1
b93577ff13365618239fffadf708b299aacc14f6

SHA256
071bde56023cff79752d62e3400e61479ce29d20c34096a2bae298baa190baae

SHA512
749205c49409e1085aa28b71dc9529abda5e86e0af88e251fe097d1139d4b0cfa2c41f5697e14b563a66cccec8bc7009c0ebbed08c3c107b5332a8680ac814b8

Download Submit
C:\Windows\{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe

Filesize
180KB

MD5
d315741a920256bcf8ed8ab9f3968640

SHA1
0c420c9ff19c7bfccb7c91973b6fd2f823114c93

SHA256
4743f74a5e83eb94399f25eec8e7268dffe329a3601489e42053f64e16958b60

SHA512
3c0662d8e68e9eac778607d54b21df9e3ff4a4791cf3bee507162b395fec03ad5d6e671ae785111727f428eafc323daf81bd39025e90bfc1de9b4109cc89bec1

Download Submit
C:\Windows\{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe

Filesize
180KB

MD5
d315741a920256bcf8ed8ab9f3968640

SHA1
0c420c9ff19c7bfccb7c91973b6fd2f823114c93

SHA256
4743f74a5e83eb94399f25eec8e7268dffe329a3601489e42053f64e16958b60

SHA512
3c0662d8e68e9eac778607d54b21df9e3ff4a4791cf3bee507162b395fec03ad5d6e671ae785111727f428eafc323daf81bd39025e90bfc1de9b4109cc89bec1

Download Submit
C:\Windows\{F9FF4ED0-69FE-4dd4-9DF5-767B43E046B3}.exe

Filesize
180KB

MD5
d315741a920256bcf8ed8ab9f3968640

SHA1
0c420c9ff19c7bfccb7c91973b6fd2f823114c93

SHA256
4743f74a5e83eb94399f25eec8e7268dffe329a3601489e42053f64e16958b60

SHA512
3c0662d8e68e9eac778607d54b21df9e3ff4a4791cf3bee507162b395fec03ad5d6e671ae785111727f428eafc323daf81bd39025e90bfc1de9b4109cc89bec1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads