7b12f44a112acb050ba85a3d31269faeb8ecf4c2e2b280b0ca3441f9315b1975

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-25_9611d42d44b42c10afbb4d238b8ff817_goldeneye_JC.exe
Size

180KB
MD5

9611d42d44b42c10afbb4d238b8ff817
SHA1

31350b33cde0866b38be1a89040b1f1544f246e9
SHA256

7b12f44a112acb050ba85a3d31269faeb8ecf4c2e2b280b0ca3441f9315b1975
SHA512

4479d1619609c38056a383c15a4d24530139ccabf48fd7e694c5bb16d2b50b64e494da6c814e911cfd1eb4c03bf13fef79f7a6cd4f6e8f4b6cda339e8fd45b44
SSDEEP

3072:jEGh0oflfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGdl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A160102C-1274-4fc4-9D96-5067CDE64FF8}	{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}\stubpath = "C:\\Windows\\{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe"	{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}\stubpath = "C:\\Windows\\{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe"	{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}	{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B01B2C6-AB8E-4e2f-8711-6ACDFEA8696F}	{70BE924E-36D0-452c-A169-B94487803AFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70BE924E-36D0-452c-A169-B94487803AFE}	{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B01B2C6-AB8E-4e2f-8711-6ACDFEA8696F}\stubpath = "C:\\Windows\\{0B01B2C6-AB8E-4e2f-8711-6ACDFEA8696F}.exe"	{70BE924E-36D0-452c-A169-B94487803AFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA7E1C29-8623-4936-9708-E3E87D01A6B7}\stubpath = "C:\\Windows\\{CA7E1C29-8623-4936-9708-E3E87D01A6B7}.exe"	{0B01B2C6-AB8E-4e2f-8711-6ACDFEA8696F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65B034D9-552F-41f1-9165-56694FC449F1}\stubpath = "C:\\Windows\\{65B034D9-552F-41f1-9165-56694FC449F1}.exe"	{DD61EF4D-8C53-4c61-9AD0-A5A6F58E7F25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6803B17-9A27-4db1-9167-69BD419C93BE}	2023-08-25_9611d42d44b42c10afbb4d238b8ff817_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65C8D0F3-0E10-4748-92B8-9638DB5001C7}	{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}\stubpath = "C:\\Windows\\{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe"	{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65B034D9-552F-41f1-9165-56694FC449F1}	{DD61EF4D-8C53-4c61-9AD0-A5A6F58E7F25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6803B17-9A27-4db1-9167-69BD419C93BE}\stubpath = "C:\\Windows\\{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe"	2023-08-25_9611d42d44b42c10afbb4d238b8ff817_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A160102C-1274-4fc4-9D96-5067CDE64FF8}\stubpath = "C:\\Windows\\{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe"	{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}	{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}	{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65C8D0F3-0E10-4748-92B8-9638DB5001C7}\stubpath = "C:\\Windows\\{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe"	{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70BE924E-36D0-452c-A169-B94487803AFE}\stubpath = "C:\\Windows\\{70BE924E-36D0-452c-A169-B94487803AFE}.exe"	{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA7E1C29-8623-4936-9708-E3E87D01A6B7}	{0B01B2C6-AB8E-4e2f-8711-6ACDFEA8696F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD61EF4D-8C53-4c61-9AD0-A5A6F58E7F25}	{CA7E1C29-8623-4936-9708-E3E87D01A6B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD61EF4D-8C53-4c61-9AD0-A5A6F58E7F25}\stubpath = "C:\\Windows\\{DD61EF4D-8C53-4c61-9AD0-A5A6F58E7F25}.exe"	{CA7E1C29-8623-4936-9708-E3E87D01A6B7}.exe

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2636	{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe
2552	{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe
1664	{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe
2604	{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe
2432	{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe
2924	{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe
2056	{70BE924E-36D0-452c-A169-B94487803AFE}.exe
2776	{0B01B2C6-AB8E-4e2f-8711-6ACDFEA8696F}.exe
1924	{CA7E1C29-8623-4936-9708-E3E87D01A6B7}.exe
1212	{DD61EF4D-8C53-4c61-9AD0-A5A6F58E7F25}.exe
2748	{65B034D9-552F-41f1-9165-56694FC449F1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0B01B2C6-AB8E-4e2f-8711-6ACDFEA8696F}.exe	{70BE924E-36D0-452c-A169-B94487803AFE}.exe
File created	C:\Windows\{65B034D9-552F-41f1-9165-56694FC449F1}.exe	{DD61EF4D-8C53-4c61-9AD0-A5A6F58E7F25}.exe
File created	C:\Windows\{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe	2023-08-25_9611d42d44b42c10afbb4d238b8ff817_goldeneye_JC.exe
File created	C:\Windows\{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe	{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe
File created	C:\Windows\{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe	{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe
File created	C:\Windows\{70BE924E-36D0-452c-A169-B94487803AFE}.exe	{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe
File created	C:\Windows\{DD61EF4D-8C53-4c61-9AD0-A5A6F58E7F25}.exe	{CA7E1C29-8623-4936-9708-E3E87D01A6B7}.exe
File created	C:\Windows\{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe	{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe
File created	C:\Windows\{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe	{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe
File created	C:\Windows\{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe	{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe
File created	C:\Windows\{CA7E1C29-8623-4936-9708-E3E87D01A6B7}.exe	{0B01B2C6-AB8E-4e2f-8711-6ACDFEA8696F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2180	2023-08-25_9611d42d44b42c10afbb4d238b8ff817_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2636	{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe
Token: SeIncBasePriorityPrivilege	2552	{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe
Token: SeIncBasePriorityPrivilege	1664	{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe
Token: SeIncBasePriorityPrivilege	2604	{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe
Token: SeIncBasePriorityPrivilege	2432	{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe
Token: SeIncBasePriorityPrivilege	2924	{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe
Token: SeIncBasePriorityPrivilege	2056	{70BE924E-36D0-452c-A169-B94487803AFE}.exe
Token: SeIncBasePriorityPrivilege	2776	{0B01B2C6-AB8E-4e2f-8711-6ACDFEA8696F}.exe
Token: SeIncBasePriorityPrivilege	1924	{CA7E1C29-8623-4936-9708-E3E87D01A6B7}.exe
Token: SeIncBasePriorityPrivilege	1212	{DD61EF4D-8C53-4c61-9AD0-A5A6F58E7F25}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2636	2180	2023-08-25_9611d42d44b42c10afbb4d238b8ff817_goldeneye_JC.exe	28
PID 2180 wrote to memory of 2636	2180	2023-08-25_9611d42d44b42c10afbb4d238b8ff817_goldeneye_JC.exe	28
PID 2180 wrote to memory of 2636	2180	2023-08-25_9611d42d44b42c10afbb4d238b8ff817_goldeneye_JC.exe	28
PID 2180 wrote to memory of 2636	2180	2023-08-25_9611d42d44b42c10afbb4d238b8ff817_goldeneye_JC.exe	28
PID 2180 wrote to memory of 2796	2180	2023-08-25_9611d42d44b42c10afbb4d238b8ff817_goldeneye_JC.exe	29
PID 2180 wrote to memory of 2796	2180	2023-08-25_9611d42d44b42c10afbb4d238b8ff817_goldeneye_JC.exe	29
PID 2180 wrote to memory of 2796	2180	2023-08-25_9611d42d44b42c10afbb4d238b8ff817_goldeneye_JC.exe	29
PID 2180 wrote to memory of 2796	2180	2023-08-25_9611d42d44b42c10afbb4d238b8ff817_goldeneye_JC.exe	29
PID 2636 wrote to memory of 2552	2636	{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe	32
PID 2636 wrote to memory of 2552	2636	{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe	32
PID 2636 wrote to memory of 2552	2636	{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe	32
PID 2636 wrote to memory of 2552	2636	{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe	32
PID 2636 wrote to memory of 2700	2636	{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe	33
PID 2636 wrote to memory of 2700	2636	{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe	33
PID 2636 wrote to memory of 2700	2636	{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe	33
PID 2636 wrote to memory of 2700	2636	{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe	33
PID 2552 wrote to memory of 1664	2552	{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe	34
PID 2552 wrote to memory of 1664	2552	{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe	34
PID 2552 wrote to memory of 1664	2552	{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe	34
PID 2552 wrote to memory of 1664	2552	{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe	34
PID 2552 wrote to memory of 2548	2552	{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe	35
PID 2552 wrote to memory of 2548	2552	{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe	35
PID 2552 wrote to memory of 2548	2552	{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe	35
PID 2552 wrote to memory of 2548	2552	{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe	35
PID 1664 wrote to memory of 2604	1664	{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe	36
PID 1664 wrote to memory of 2604	1664	{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe	36
PID 1664 wrote to memory of 2604	1664	{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe	36
PID 1664 wrote to memory of 2604	1664	{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe	36
PID 1664 wrote to memory of 3032	1664	{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe	37
PID 1664 wrote to memory of 3032	1664	{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe	37
PID 1664 wrote to memory of 3032	1664	{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe	37
PID 1664 wrote to memory of 3032	1664	{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe	37
PID 2604 wrote to memory of 2432	2604	{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe	38
PID 2604 wrote to memory of 2432	2604	{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe	38
PID 2604 wrote to memory of 2432	2604	{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe	38
PID 2604 wrote to memory of 2432	2604	{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe	38
PID 2604 wrote to memory of 2208	2604	{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe	39
PID 2604 wrote to memory of 2208	2604	{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe	39
PID 2604 wrote to memory of 2208	2604	{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe	39
PID 2604 wrote to memory of 2208	2604	{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe	39
PID 2432 wrote to memory of 2924	2432	{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe	40
PID 2432 wrote to memory of 2924	2432	{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe	40
PID 2432 wrote to memory of 2924	2432	{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe	40
PID 2432 wrote to memory of 2924	2432	{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe	40
PID 2432 wrote to memory of 3060	2432	{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe	41
PID 2432 wrote to memory of 3060	2432	{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe	41
PID 2432 wrote to memory of 3060	2432	{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe	41
PID 2432 wrote to memory of 3060	2432	{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe	41
PID 2924 wrote to memory of 2056	2924	{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe	42
PID 2924 wrote to memory of 2056	2924	{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe	42
PID 2924 wrote to memory of 2056	2924	{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe	42
PID 2924 wrote to memory of 2056	2924	{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe	42
PID 2924 wrote to memory of 2704	2924	{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe	43
PID 2924 wrote to memory of 2704	2924	{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe	43
PID 2924 wrote to memory of 2704	2924	{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe	43
PID 2924 wrote to memory of 2704	2924	{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe	43
PID 2056 wrote to memory of 2776	2056	{70BE924E-36D0-452c-A169-B94487803AFE}.exe	44
PID 2056 wrote to memory of 2776	2056	{70BE924E-36D0-452c-A169-B94487803AFE}.exe	44
PID 2056 wrote to memory of 2776	2056	{70BE924E-36D0-452c-A169-B94487803AFE}.exe	44
PID 2056 wrote to memory of 2776	2056	{70BE924E-36D0-452c-A169-B94487803AFE}.exe	44
PID 2056 wrote to memory of 1244	2056	{70BE924E-36D0-452c-A169-B94487803AFE}.exe	45
PID 2056 wrote to memory of 1244	2056	{70BE924E-36D0-452c-A169-B94487803AFE}.exe	45
PID 2056 wrote to memory of 1244	2056	{70BE924E-36D0-452c-A169-B94487803AFE}.exe	45
PID 2056 wrote to memory of 1244	2056	{70BE924E-36D0-452c-A169-B94487803AFE}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-25_9611d42d44b42c10afbb4d238b8ff817_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-25_9611d42d44b42c10afbb4d238b8ff817_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe
  C:\Windows\{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe
    C:\Windows\{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe
      C:\Windows\{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Windows\{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe
        
        C:\Windows\{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe
        
        C:\Windows\{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe
        
        C:\Windows\{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\{70BE924E-36D0-452c-A169-B94487803AFE}.exe
        
        C:\Windows\{70BE924E-36D0-452c-A169-B94487803AFE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\{0B01B2C6-AB8E-4e2f-8711-6ACDFEA8696F}.exe
        
        C:\Windows\{0B01B2C6-AB8E-4e2f-8711-6ACDFEA8696F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B01B~1.EXE > nul
        10⤵
        
        PID:2856
        
        C:\Windows\{CA7E1C29-8623-4936-9708-E3E87D01A6B7}.exe
        
        C:\Windows\{CA7E1C29-8623-4936-9708-E3E87D01A6B7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\{DD61EF4D-8C53-4c61-9AD0-A5A6F58E7F25}.exe
        
        C:\Windows\{DD61EF4D-8C53-4c61-9AD0-A5A6F58E7F25}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD61E~1.EXE > nul
        12⤵
        
        PID:596
        
        C:\Windows\{65B034D9-552F-41f1-9165-56694FC449F1}.exe
        
        C:\Windows\{65B034D9-552F-41f1-9165-56694FC449F1}.exe
        12⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA7E1~1.EXE > nul
        11⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70BE9~1.EXE > nul
        9⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE4F7~1.EXE > nul
        8⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65C8D~1.EXE > nul
        7⤵
        
        PID:3060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7456~1.EXE > nul
        6⤵
        
        PID:2208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E234~1.EXE > nul
        5⤵
        
        PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A1601~1.EXE > nul
      4⤵
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F6803~1.EXE > nul
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B01B2C6-AB8E-4e2f-8711-6ACDFEA8696F}.exe

Filesize
180KB

MD5
2e697b2f08e7fc3a63d0d8044056e864

SHA1
0475fcb8bb795cae169fe0988a91ba85dd76b743

SHA256
ddc7355b77812b6bcb59a8286dddcf0741dcf19a6178e606073b2a8aa1488010

SHA512
8a83b99640b2b382c76bf8eade97f797bba067247d42e6d4b7ed671f53ad4abd98b3f6e67fe48948df0cb1f16f65389a15c7f86dee3b73a27c307fe6f4e7bd7b

Download Submit
C:\Windows\{0B01B2C6-AB8E-4e2f-8711-6ACDFEA8696F}.exe

Filesize
180KB

MD5
2e697b2f08e7fc3a63d0d8044056e864

SHA1
0475fcb8bb795cae169fe0988a91ba85dd76b743

SHA256
ddc7355b77812b6bcb59a8286dddcf0741dcf19a6178e606073b2a8aa1488010

SHA512
8a83b99640b2b382c76bf8eade97f797bba067247d42e6d4b7ed671f53ad4abd98b3f6e67fe48948df0cb1f16f65389a15c7f86dee3b73a27c307fe6f4e7bd7b

Download Submit
C:\Windows\{65B034D9-552F-41f1-9165-56694FC449F1}.exe

Filesize
180KB

MD5
bc5e3ae004dbe6be180e88c59bce8c6d

SHA1
26e4427dcfd195493eb5116ea58b961b801a8303

SHA256
76a570446b6b893bf8a1678c5fab038c1070f89d1cdbd506b169bbafa38db055

SHA512
e03c34a01b401f57adc5c16cece194234c62ca5e5089f4a55d2f1ae5dda68e2c49691c76f45bca0dbbe34f743c96375adf06bf1fde09118a680629efefb0e4e0

Download Submit
C:\Windows\{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe

Filesize
180KB

MD5
9dcd6539ed1f20658e3ab4f6a28e1387

SHA1
b77be52f0a5a5c9b71ad796291ffe70f0d2a8f05

SHA256
79ad63d9f2d4c55b67a8a8b3760f861b6d9709bb09310d939fd1e4c808993d16

SHA512
8facbdc806058915513b9fd70cfeba0c689e7823e0426a48f233361299e5c6e263e2cf32a5932dcc0e36f411b9919114dc1c9550ead424877b918e118e9acb10

Download Submit
C:\Windows\{65C8D0F3-0E10-4748-92B8-9638DB5001C7}.exe

Filesize
180KB

MD5
9dcd6539ed1f20658e3ab4f6a28e1387

SHA1
b77be52f0a5a5c9b71ad796291ffe70f0d2a8f05

SHA256
79ad63d9f2d4c55b67a8a8b3760f861b6d9709bb09310d939fd1e4c808993d16

SHA512
8facbdc806058915513b9fd70cfeba0c689e7823e0426a48f233361299e5c6e263e2cf32a5932dcc0e36f411b9919114dc1c9550ead424877b918e118e9acb10

Download Submit
C:\Windows\{70BE924E-36D0-452c-A169-B94487803AFE}.exe

Filesize
180KB

MD5
a43845e53d6c7f09bd1de827f44ccbaa

SHA1
fc354d9b28f175e039bdb22c66994d16fa61fc68

SHA256
ab5e80088d067fe5174529c912af2e3545b0ea200384a2b99844d0b76c044009

SHA512
2ba47bb607f11f7668538c7a939ce1547de958c470b2779d4075c8ef8ad285d8b72c229996ab3446338221c5557c76f5834a0551e6625fb2ec95dd5e9cd42ceb

Download Submit
C:\Windows\{70BE924E-36D0-452c-A169-B94487803AFE}.exe

Filesize
180KB

MD5
a43845e53d6c7f09bd1de827f44ccbaa

SHA1
fc354d9b28f175e039bdb22c66994d16fa61fc68

SHA256
ab5e80088d067fe5174529c912af2e3545b0ea200384a2b99844d0b76c044009

SHA512
2ba47bb607f11f7668538c7a939ce1547de958c470b2779d4075c8ef8ad285d8b72c229996ab3446338221c5557c76f5834a0551e6625fb2ec95dd5e9cd42ceb

Download Submit
C:\Windows\{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe

Filesize
180KB

MD5
f20684bc762144954214ec62ea08f378

SHA1
3dd7075a97b2612fbafa64b2bcdc745d058581ef

SHA256
3c42832bf52e0ab7ff8fbd4e8cd8c7f4d948d35a5c68cf467ab8971baf1a31af

SHA512
079f455d8873ce1be1eb3f86840355b5e8defd5263611f7f6b9aa24b23567a2c22b093c0808c3a8bc18980b52309d1b87d15d86836c68869f97ded4067e22476

Download Submit
C:\Windows\{9E234FFE-F0A2-4e78-9934-103AEDC6D6D9}.exe

Filesize
180KB

MD5
f20684bc762144954214ec62ea08f378

SHA1
3dd7075a97b2612fbafa64b2bcdc745d058581ef

SHA256
3c42832bf52e0ab7ff8fbd4e8cd8c7f4d948d35a5c68cf467ab8971baf1a31af

SHA512
079f455d8873ce1be1eb3f86840355b5e8defd5263611f7f6b9aa24b23567a2c22b093c0808c3a8bc18980b52309d1b87d15d86836c68869f97ded4067e22476

Download Submit
C:\Windows\{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe

Filesize
180KB

MD5
9a275bcf503a75b539b93f4fe8f122f6

SHA1
179775208b98731b9cdf83e4626e6a605a69b19a

SHA256
d8717a5d96d82cf072cc6cf73ff61a62c19cdf9493f38ab688c6ba87f810bbfa

SHA512
e3d3f701d306125755eed41a1eb627d945c81f05eef56c33f99ad34cf5c8dda9ba34a78e1787f871b080e919a96aefc78e5b780742e5ccfca7379f2cb359729d

Download Submit
C:\Windows\{A160102C-1274-4fc4-9D96-5067CDE64FF8}.exe

Filesize
180KB

MD5
9a275bcf503a75b539b93f4fe8f122f6

SHA1
179775208b98731b9cdf83e4626e6a605a69b19a

SHA256
d8717a5d96d82cf072cc6cf73ff61a62c19cdf9493f38ab688c6ba87f810bbfa

SHA512
e3d3f701d306125755eed41a1eb627d945c81f05eef56c33f99ad34cf5c8dda9ba34a78e1787f871b080e919a96aefc78e5b780742e5ccfca7379f2cb359729d

Download Submit
C:\Windows\{CA7E1C29-8623-4936-9708-E3E87D01A6B7}.exe

Filesize
180KB

MD5
4298615b32a9e746ae3da585e2c7b35b

SHA1
35c47baece9b29125dbf13107bcf6b2982a636c4

SHA256
0df822bf62ce04854e0a8f19d70fcae42e0b25ba3a923b4061de8f2ed3af5c98

SHA512
5dfdc2a9ac16b159326714890916c3687f2df8f4feef4bdde40e92cc12fcfcc49c93766417d79e914d28ab0237e4c159b553b36443f045ab0363ba5b96be6bf3

Download Submit
C:\Windows\{CA7E1C29-8623-4936-9708-E3E87D01A6B7}.exe

Filesize
180KB

MD5
4298615b32a9e746ae3da585e2c7b35b

SHA1
35c47baece9b29125dbf13107bcf6b2982a636c4

SHA256
0df822bf62ce04854e0a8f19d70fcae42e0b25ba3a923b4061de8f2ed3af5c98

SHA512
5dfdc2a9ac16b159326714890916c3687f2df8f4feef4bdde40e92cc12fcfcc49c93766417d79e914d28ab0237e4c159b553b36443f045ab0363ba5b96be6bf3

Download Submit
C:\Windows\{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe

Filesize
180KB

MD5
e4dff956bcef3fca83e1fc889008d8b3

SHA1
21e6dc2042d854047afafe8ea35b854af8bfa3f0

SHA256
ccc86002327319b1df39fa38ae6bb73485cc0f806467e0ee94c7f24420a34af5

SHA512
0938a7b2c58e9e33d811fe2c2153d49fa45bafe27d5204f6388ed72f794333346a9ea9c6d23444c85abe5ba8883b9cd4a3914d5d9eb49dd3085122c0038dfa56

Download Submit
C:\Windows\{D7456D59-BEF4-43fc-AB03-405CAF2BF3E9}.exe

Filesize
180KB

MD5
e4dff956bcef3fca83e1fc889008d8b3

SHA1
21e6dc2042d854047afafe8ea35b854af8bfa3f0

SHA256
ccc86002327319b1df39fa38ae6bb73485cc0f806467e0ee94c7f24420a34af5

SHA512
0938a7b2c58e9e33d811fe2c2153d49fa45bafe27d5204f6388ed72f794333346a9ea9c6d23444c85abe5ba8883b9cd4a3914d5d9eb49dd3085122c0038dfa56

Download Submit
C:\Windows\{DD61EF4D-8C53-4c61-9AD0-A5A6F58E7F25}.exe

Filesize
180KB

MD5
48bea539a143c06f9e9ad737820ac19c

SHA1
4b51f374da2db6d2961842df9bcd4675f37302de

SHA256
5b12284e4ccc010745cd9556092c20a16c87451c3639cb2337a66a0ac5b92837

SHA512
d5a255424829bcdb9b6314cb1fd9b2ad12de68bd9131737cd3c383e83d399d417a7d967e03850bd83bdcecfe68c79d3a1f0fcf2f0782ad851bff050fb748fbee

Download Submit
C:\Windows\{DD61EF4D-8C53-4c61-9AD0-A5A6F58E7F25}.exe

Filesize
180KB

MD5
48bea539a143c06f9e9ad737820ac19c

SHA1
4b51f374da2db6d2961842df9bcd4675f37302de

SHA256
5b12284e4ccc010745cd9556092c20a16c87451c3639cb2337a66a0ac5b92837

SHA512
d5a255424829bcdb9b6314cb1fd9b2ad12de68bd9131737cd3c383e83d399d417a7d967e03850bd83bdcecfe68c79d3a1f0fcf2f0782ad851bff050fb748fbee

Download Submit
C:\Windows\{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe

Filesize
180KB

MD5
f7826d5955e6ffb982b272a83e6e82d0

SHA1
a1a5b7ac96f0b4bc275f23378511407e65e32459

SHA256
465345d4f867377b7d9e8541653b6a20a3f4e6a2ad06f2ebd5b23531118c3284

SHA512
7d395752ec04c0af464f225a5097d1d441e29769f66505105be8f36d5a31a8ce1d93f3b1cdd865a8c4c17037f2711199c9d214e78bbfc712ff5738d27b4ba68b

Download Submit
C:\Windows\{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe

Filesize
180KB

MD5
f7826d5955e6ffb982b272a83e6e82d0

SHA1
a1a5b7ac96f0b4bc275f23378511407e65e32459

SHA256
465345d4f867377b7d9e8541653b6a20a3f4e6a2ad06f2ebd5b23531118c3284

SHA512
7d395752ec04c0af464f225a5097d1d441e29769f66505105be8f36d5a31a8ce1d93f3b1cdd865a8c4c17037f2711199c9d214e78bbfc712ff5738d27b4ba68b

Download Submit
C:\Windows\{F6803B17-9A27-4db1-9167-69BD419C93BE}.exe

Filesize
180KB

MD5
f7826d5955e6ffb982b272a83e6e82d0

SHA1
a1a5b7ac96f0b4bc275f23378511407e65e32459

SHA256
465345d4f867377b7d9e8541653b6a20a3f4e6a2ad06f2ebd5b23531118c3284

SHA512
7d395752ec04c0af464f225a5097d1d441e29769f66505105be8f36d5a31a8ce1d93f3b1cdd865a8c4c17037f2711199c9d214e78bbfc712ff5738d27b4ba68b

Download Submit
C:\Windows\{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe

Filesize
180KB

MD5
c27e849e0785c53e7e45ed33712a7004

SHA1
0b1073052795f33f6107020de5e2debc7ed14fc5

SHA256
12b0ebf3ad359f258ef5d78b6665bf6fb6889ab9c22434568a02674e459035e5

SHA512
c46d656d77e9d46c4664970386f92251dbfada020f763136541d98a4e81e3fd8aa116b2f28d8effd06c548d81a4b0e662ad2cd2de958d7f03c9202725e8fc3e6

Download Submit
C:\Windows\{FE4F7526-F876-4352-A8A9-0BA3D3D4AA8E}.exe

Filesize
180KB

MD5
c27e849e0785c53e7e45ed33712a7004

SHA1
0b1073052795f33f6107020de5e2debc7ed14fc5

SHA256
12b0ebf3ad359f258ef5d78b6665bf6fb6889ab9c22434568a02674e459035e5

SHA512
c46d656d77e9d46c4664970386f92251dbfada020f763136541d98a4e81e3fd8aa116b2f28d8effd06c548d81a4b0e662ad2cd2de958d7f03c9202725e8fc3e6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads