88e90c46ed2a8f362e3cff2f878a1aa8feacbf23695022b6f8791100f0203da3

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe
Size

180KB
MD5

f07e742bdf130795758bc1fc3ffde82f
SHA1

3c79b1054a55f8cf9155f641e23ca2cf840755a8
SHA256

88e90c46ed2a8f362e3cff2f878a1aa8feacbf23695022b6f8791100f0203da3
SHA512

e65559e9bd110cfc81238569f9807102b9a65fe33487ef07fd21c053a77e6947adc00e0f61d5f03104921e41d11cee2fadd11db4a5c749a558ca79aa3b8f1925
SSDEEP

3072:jEGh0oLlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGRl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2560D045-CB5D-4772-9E41-C08FF53BC287}	{66FF6B03-2B50-4150-A203-6A05215E1338}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}	{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D11FB56-D857-4fdd-B151-2AAEB4779260}	{BB756240-5435-4765-8D30-871852215869}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CEF94D7-8238-4967-92ED-DA86E54F8D25}	{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF1B2460-CCD3-4d47-97E3-E97146C32A55}	{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66FF6B03-2B50-4150-A203-6A05215E1338}	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2560D045-CB5D-4772-9E41-C08FF53BC287}\stubpath = "C:\\Windows\\{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe"	{66FF6B03-2B50-4150-A203-6A05215E1338}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77D3D1AA-4415-474c-B324-87C81E755EFC}	{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB756240-5435-4765-8D30-871852215869}\stubpath = "C:\\Windows\\{BB756240-5435-4765-8D30-871852215869}.exe"	{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E639AE1F-BA30-40e6-8CA4-AC022D2DD55D}\stubpath = "C:\\Windows\\{E639AE1F-BA30-40e6-8CA4-AC022D2DD55D}.exe"	{53278410-AEEF-4ce8-BE34-1F556A9DF610}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66FF6B03-2B50-4150-A203-6A05215E1338}\stubpath = "C:\\Windows\\{66FF6B03-2B50-4150-A203-6A05215E1338}.exe"	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77D3D1AA-4415-474c-B324-87C81E755EFC}\stubpath = "C:\\Windows\\{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe"	{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB756240-5435-4765-8D30-871852215869}	{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF1B2460-CCD3-4d47-97E3-E97146C32A55}\stubpath = "C:\\Windows\\{CF1B2460-CCD3-4d47-97E3-E97146C32A55}.exe"	{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53278410-AEEF-4ce8-BE34-1F556A9DF610}	{D39EC010-DB08-4ac6-9272-8425A9348EC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53278410-AEEF-4ce8-BE34-1F556A9DF610}\stubpath = "C:\\Windows\\{53278410-AEEF-4ce8-BE34-1F556A9DF610}.exe"	{D39EC010-DB08-4ac6-9272-8425A9348EC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E639AE1F-BA30-40e6-8CA4-AC022D2DD55D}	{53278410-AEEF-4ce8-BE34-1F556A9DF610}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}\stubpath = "C:\\Windows\\{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe"	{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D11FB56-D857-4fdd-B151-2AAEB4779260}\stubpath = "C:\\Windows\\{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe"	{BB756240-5435-4765-8D30-871852215869}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CEF94D7-8238-4967-92ED-DA86E54F8D25}\stubpath = "C:\\Windows\\{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe"	{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D39EC010-DB08-4ac6-9272-8425A9348EC2}	{CF1B2460-CCD3-4d47-97E3-E97146C32A55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D39EC010-DB08-4ac6-9272-8425A9348EC2}\stubpath = "C:\\Windows\\{D39EC010-DB08-4ac6-9272-8425A9348EC2}.exe"	{CF1B2460-CCD3-4d47-97E3-E97146C32A55}.exe

Deletes itself 1 IoCs

pid	Process
1728	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2436	{66FF6B03-2B50-4150-A203-6A05215E1338}.exe
2372	{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe
2940	{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe
2700	{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe
2612	{BB756240-5435-4765-8D30-871852215869}.exe
2660	{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe
2524	{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe
3056	{CF1B2460-CCD3-4d47-97E3-E97146C32A55}.exe
2804	{D39EC010-DB08-4ac6-9272-8425A9348EC2}.exe
296	{53278410-AEEF-4ce8-BE34-1F556A9DF610}.exe
1056	{E639AE1F-BA30-40e6-8CA4-AC022D2DD55D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe	{BB756240-5435-4765-8D30-871852215869}.exe
File created	C:\Windows\{D39EC010-DB08-4ac6-9272-8425A9348EC2}.exe	{CF1B2460-CCD3-4d47-97E3-E97146C32A55}.exe
File created	C:\Windows\{53278410-AEEF-4ce8-BE34-1F556A9DF610}.exe	{D39EC010-DB08-4ac6-9272-8425A9348EC2}.exe
File created	C:\Windows\{E639AE1F-BA30-40e6-8CA4-AC022D2DD55D}.exe	{53278410-AEEF-4ce8-BE34-1F556A9DF610}.exe
File created	C:\Windows\{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe	{66FF6B03-2B50-4150-A203-6A05215E1338}.exe
File created	C:\Windows\{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe	{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe
File created	C:\Windows\{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe	{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe
File created	C:\Windows\{CF1B2460-CCD3-4d47-97E3-E97146C32A55}.exe	{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe
File created	C:\Windows\{66FF6B03-2B50-4150-A203-6A05215E1338}.exe	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe
File created	C:\Windows\{BB756240-5435-4765-8D30-871852215869}.exe	{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe
File created	C:\Windows\{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe	{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	320	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2436	{66FF6B03-2B50-4150-A203-6A05215E1338}.exe
Token: SeIncBasePriorityPrivilege	2372	{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe
Token: SeIncBasePriorityPrivilege	2940	{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe
Token: SeIncBasePriorityPrivilege	2700	{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe
Token: SeIncBasePriorityPrivilege	2612	{BB756240-5435-4765-8D30-871852215869}.exe
Token: SeIncBasePriorityPrivilege	2660	{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe
Token: SeIncBasePriorityPrivilege	2524	{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe
Token: SeIncBasePriorityPrivilege	3056	{CF1B2460-CCD3-4d47-97E3-E97146C32A55}.exe
Token: SeIncBasePriorityPrivilege	2804	{D39EC010-DB08-4ac6-9272-8425A9348EC2}.exe
Token: SeIncBasePriorityPrivilege	296	{53278410-AEEF-4ce8-BE34-1F556A9DF610}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 2436	320	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe	28
PID 320 wrote to memory of 2436	320	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe	28
PID 320 wrote to memory of 2436	320	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe	28
PID 320 wrote to memory of 2436	320	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe	28
PID 320 wrote to memory of 1728	320	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe	29
PID 320 wrote to memory of 1728	320	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe	29
PID 320 wrote to memory of 1728	320	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe	29
PID 320 wrote to memory of 1728	320	2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe	29
PID 2436 wrote to memory of 2372	2436	{66FF6B03-2B50-4150-A203-6A05215E1338}.exe	30
PID 2436 wrote to memory of 2372	2436	{66FF6B03-2B50-4150-A203-6A05215E1338}.exe	30
PID 2436 wrote to memory of 2372	2436	{66FF6B03-2B50-4150-A203-6A05215E1338}.exe	30
PID 2436 wrote to memory of 2372	2436	{66FF6B03-2B50-4150-A203-6A05215E1338}.exe	30
PID 2436 wrote to memory of 2912	2436	{66FF6B03-2B50-4150-A203-6A05215E1338}.exe	31
PID 2436 wrote to memory of 2912	2436	{66FF6B03-2B50-4150-A203-6A05215E1338}.exe	31
PID 2436 wrote to memory of 2912	2436	{66FF6B03-2B50-4150-A203-6A05215E1338}.exe	31
PID 2436 wrote to memory of 2912	2436	{66FF6B03-2B50-4150-A203-6A05215E1338}.exe	31
PID 2372 wrote to memory of 2940	2372	{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe	35
PID 2372 wrote to memory of 2940	2372	{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe	35
PID 2372 wrote to memory of 2940	2372	{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe	35
PID 2372 wrote to memory of 2940	2372	{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe	35
PID 2372 wrote to memory of 1648	2372	{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe	34
PID 2372 wrote to memory of 1648	2372	{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe	34
PID 2372 wrote to memory of 1648	2372	{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe	34
PID 2372 wrote to memory of 1648	2372	{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe	34
PID 2940 wrote to memory of 2700	2940	{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe	36
PID 2940 wrote to memory of 2700	2940	{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe	36
PID 2940 wrote to memory of 2700	2940	{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe	36
PID 2940 wrote to memory of 2700	2940	{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe	36
PID 2940 wrote to memory of 2692	2940	{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe	37
PID 2940 wrote to memory of 2692	2940	{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe	37
PID 2940 wrote to memory of 2692	2940	{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe	37
PID 2940 wrote to memory of 2692	2940	{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe	37
PID 2700 wrote to memory of 2612	2700	{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe	38
PID 2700 wrote to memory of 2612	2700	{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe	38
PID 2700 wrote to memory of 2612	2700	{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe	38
PID 2700 wrote to memory of 2612	2700	{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe	38
PID 2700 wrote to memory of 2876	2700	{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe	39
PID 2700 wrote to memory of 2876	2700	{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe	39
PID 2700 wrote to memory of 2876	2700	{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe	39
PID 2700 wrote to memory of 2876	2700	{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe	39
PID 2612 wrote to memory of 2660	2612	{BB756240-5435-4765-8D30-871852215869}.exe	41
PID 2612 wrote to memory of 2660	2612	{BB756240-5435-4765-8D30-871852215869}.exe	41
PID 2612 wrote to memory of 2660	2612	{BB756240-5435-4765-8D30-871852215869}.exe	41
PID 2612 wrote to memory of 2660	2612	{BB756240-5435-4765-8D30-871852215869}.exe	41
PID 2612 wrote to memory of 2492	2612	{BB756240-5435-4765-8D30-871852215869}.exe	40
PID 2612 wrote to memory of 2492	2612	{BB756240-5435-4765-8D30-871852215869}.exe	40
PID 2612 wrote to memory of 2492	2612	{BB756240-5435-4765-8D30-871852215869}.exe	40
PID 2612 wrote to memory of 2492	2612	{BB756240-5435-4765-8D30-871852215869}.exe	40
PID 2660 wrote to memory of 2524	2660	{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe	42
PID 2660 wrote to memory of 2524	2660	{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe	42
PID 2660 wrote to memory of 2524	2660	{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe	42
PID 2660 wrote to memory of 2524	2660	{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe	42
PID 2660 wrote to memory of 2204	2660	{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe	43
PID 2660 wrote to memory of 2204	2660	{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe	43
PID 2660 wrote to memory of 2204	2660	{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe	43
PID 2660 wrote to memory of 2204	2660	{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe	43
PID 2524 wrote to memory of 3056	2524	{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe	44
PID 2524 wrote to memory of 3056	2524	{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe	44
PID 2524 wrote to memory of 3056	2524	{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe	44
PID 2524 wrote to memory of 3056	2524	{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe	44
PID 2524 wrote to memory of 3020	2524	{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe	45
PID 2524 wrote to memory of 3020	2524	{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe	45
PID 2524 wrote to memory of 3020	2524	{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe	45
PID 2524 wrote to memory of 3020	2524	{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-25_f07e742bdf130795758bc1fc3ffde82f_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\{66FF6B03-2B50-4150-A203-6A05215E1338}.exe
  C:\Windows\{66FF6B03-2B50-4150-A203-6A05215E1338}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe
    C:\Windows\{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2560D~1.EXE > nul
      4⤵
      PID:1648
  - - C:\Windows\{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe
      C:\Windows\{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe
        
        C:\Windows\{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\{BB756240-5435-4765-8D30-871852215869}.exe
        
        C:\Windows\{BB756240-5435-4765-8D30-871852215869}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB756~1.EXE > nul
        7⤵
        
        PID:2492
        
        C:\Windows\{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe
        
        C:\Windows\{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe
        
        C:\Windows\{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{CF1B2460-CCD3-4d47-97E3-E97146C32A55}.exe
        
        C:\Windows\{CF1B2460-CCD3-4d47-97E3-E97146C32A55}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\{D39EC010-DB08-4ac6-9272-8425A9348EC2}.exe
        
        C:\Windows\{D39EC010-DB08-4ac6-9272-8425A9348EC2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\{53278410-AEEF-4ce8-BE34-1F556A9DF610}.exe
        
        C:\Windows\{53278410-AEEF-4ce8-BE34-1F556A9DF610}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\{E639AE1F-BA30-40e6-8CA4-AC022D2DD55D}.exe
        
        C:\Windows\{E639AE1F-BA30-40e6-8CA4-AC022D2DD55D}.exe
        12⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53278~1.EXE > nul
        12⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D39EC~1.EXE > nul
        11⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF1B2~1.EXE > nul
        10⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CEF9~1.EXE > nul
        9⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D11F~1.EXE > nul
        8⤵
        
        PID:2204
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DACF9~1.EXE > nul
        6⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77D3D~1.EXE > nul
        5⤵
        
        PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{66FF6~1.EXE > nul
    3⤵
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe

Filesize
180KB

MD5
3bd147bac07aa75cbaa5e5d3beb526ab

SHA1
bf6f854e30e5c6940b907ed50c324f603307116b

SHA256
f8445a7d95156258b3de39491cc3ed711f195b37475199cb4e31b1d7c88c907f

SHA512
a5c5437ef740b55a1a483d1c6b30750ad833f773a334e7fef91b2b07580f31fff7462bd96ec4ac46efed7b261939688b9cadf02de98b40f8b29703019785874c

Download Submit
C:\Windows\{2560D045-CB5D-4772-9E41-C08FF53BC287}.exe

Filesize
180KB

MD5
3bd147bac07aa75cbaa5e5d3beb526ab

SHA1
bf6f854e30e5c6940b907ed50c324f603307116b

SHA256
f8445a7d95156258b3de39491cc3ed711f195b37475199cb4e31b1d7c88c907f

SHA512
a5c5437ef740b55a1a483d1c6b30750ad833f773a334e7fef91b2b07580f31fff7462bd96ec4ac46efed7b261939688b9cadf02de98b40f8b29703019785874c

Download Submit
C:\Windows\{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe

Filesize
180KB

MD5
75953e6b252b969b40712291104ccc97

SHA1
62189dcf5bc922601c2b752398e360cddded8c07

SHA256
08eee9c4c1cab1e6f81d1de1fff40f5fcc67ff6d94e8673e762346e7db611c5b

SHA512
b9ef2c3d5b63240daf7030be2f21229727294e4412d398b42882e2829881448687314ff2d683d9ebd0a0d5f93d5d1409e8c830a889f763ab27673a2fc6fef5ac

Download Submit
C:\Windows\{2D11FB56-D857-4fdd-B151-2AAEB4779260}.exe

Filesize
180KB

MD5
75953e6b252b969b40712291104ccc97

SHA1
62189dcf5bc922601c2b752398e360cddded8c07

SHA256
08eee9c4c1cab1e6f81d1de1fff40f5fcc67ff6d94e8673e762346e7db611c5b

SHA512
b9ef2c3d5b63240daf7030be2f21229727294e4412d398b42882e2829881448687314ff2d683d9ebd0a0d5f93d5d1409e8c830a889f763ab27673a2fc6fef5ac

Download Submit
C:\Windows\{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe

Filesize
180KB

MD5
f5b131d2a4922bf3f129a2f61963e2c0

SHA1
9aecf8771e9eb34146ccdb966e4395d417179816

SHA256
37c6d67bc6a6885ca1faccc9da4fbbe7946575c951dc1c4ef1db6921226390d1

SHA512
75797676c3067adbd53172dcba2883a8550f82f53a4a10fba87f6a3767c8f89ff3f44242fb74b197d2acebf4bb3b60c6aeb83e290744e96a02575bc1df718e0c

Download Submit
C:\Windows\{3CEF94D7-8238-4967-92ED-DA86E54F8D25}.exe

Filesize
180KB

MD5
f5b131d2a4922bf3f129a2f61963e2c0

SHA1
9aecf8771e9eb34146ccdb966e4395d417179816

SHA256
37c6d67bc6a6885ca1faccc9da4fbbe7946575c951dc1c4ef1db6921226390d1

SHA512
75797676c3067adbd53172dcba2883a8550f82f53a4a10fba87f6a3767c8f89ff3f44242fb74b197d2acebf4bb3b60c6aeb83e290744e96a02575bc1df718e0c

Download Submit
C:\Windows\{53278410-AEEF-4ce8-BE34-1F556A9DF610}.exe

Filesize
180KB

MD5
06baf9d65000b10aa05d6ccb172cd997

SHA1
2c641836d0104b00af1d542156be408e6304a05d

SHA256
906a30d034f1be21dca25b2834d63a16ec0312fff1a92ab2b84422713afcc98d

SHA512
9eebe99d9facfd655e7a87304f523f09fb1062707984eef5fa69f6cb73492033d7dc2e0632f12e19e22cec29fe5ff9dd2d99f99f9f6931b8980ab3b56699145f

Download Submit
C:\Windows\{53278410-AEEF-4ce8-BE34-1F556A9DF610}.exe

Filesize
180KB

MD5
06baf9d65000b10aa05d6ccb172cd997

SHA1
2c641836d0104b00af1d542156be408e6304a05d

SHA256
906a30d034f1be21dca25b2834d63a16ec0312fff1a92ab2b84422713afcc98d

SHA512
9eebe99d9facfd655e7a87304f523f09fb1062707984eef5fa69f6cb73492033d7dc2e0632f12e19e22cec29fe5ff9dd2d99f99f9f6931b8980ab3b56699145f

Download Submit
C:\Windows\{66FF6B03-2B50-4150-A203-6A05215E1338}.exe

Filesize
180KB

MD5
9d74f78f4b50057b5b08bafd06ad0aaf

SHA1
fe8ba84f091668de5ddf2d18f91e4dff390051e4

SHA256
5ff6b84966cbb055e64a88885baacdf717f40c393edaef2fbbdde2368200607f

SHA512
bb7c81b61c9d09eac789a9a1bc7779c65bcaf35955bd034e2f3086fbaaecb57fc198b1c438177ee838c02270ce145f06af77cd7ea593487de915624fc0852b32

Download Submit
C:\Windows\{66FF6B03-2B50-4150-A203-6A05215E1338}.exe

Filesize
180KB

MD5
9d74f78f4b50057b5b08bafd06ad0aaf

SHA1
fe8ba84f091668de5ddf2d18f91e4dff390051e4

SHA256
5ff6b84966cbb055e64a88885baacdf717f40c393edaef2fbbdde2368200607f

SHA512
bb7c81b61c9d09eac789a9a1bc7779c65bcaf35955bd034e2f3086fbaaecb57fc198b1c438177ee838c02270ce145f06af77cd7ea593487de915624fc0852b32

Download Submit
C:\Windows\{66FF6B03-2B50-4150-A203-6A05215E1338}.exe

Filesize
180KB

MD5
9d74f78f4b50057b5b08bafd06ad0aaf

SHA1
fe8ba84f091668de5ddf2d18f91e4dff390051e4

SHA256
5ff6b84966cbb055e64a88885baacdf717f40c393edaef2fbbdde2368200607f

SHA512
bb7c81b61c9d09eac789a9a1bc7779c65bcaf35955bd034e2f3086fbaaecb57fc198b1c438177ee838c02270ce145f06af77cd7ea593487de915624fc0852b32

Download Submit
C:\Windows\{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe

Filesize
180KB

MD5
1948bd536f630f571707cd9fe9015725

SHA1
383480570386c7ffe0bb49e035046fa5ff935486

SHA256
6379f4764f1cf479244d084c68ed1924d3a6e8a949c7b4b5c41a58a1d5443fee

SHA512
bb69225447c947866f9f57c96b631b3d59fe7a9c9256420e9b89155eb025df10752456a17dac71dac6cc65f3f1af3d60ab7ed148781c9ce4b2749e62bc5c96ee

Download Submit
C:\Windows\{77D3D1AA-4415-474c-B324-87C81E755EFC}.exe

Filesize
180KB

MD5
1948bd536f630f571707cd9fe9015725

SHA1
383480570386c7ffe0bb49e035046fa5ff935486

SHA256
6379f4764f1cf479244d084c68ed1924d3a6e8a949c7b4b5c41a58a1d5443fee

SHA512
bb69225447c947866f9f57c96b631b3d59fe7a9c9256420e9b89155eb025df10752456a17dac71dac6cc65f3f1af3d60ab7ed148781c9ce4b2749e62bc5c96ee

Download Submit
C:\Windows\{BB756240-5435-4765-8D30-871852215869}.exe

Filesize
180KB

MD5
26bc4723ca7b7df162ab128dfa117dee

SHA1
4175f7175f3f9f4c073db6cce308d0e6583d0ddf

SHA256
fa62259e62c1584258ec1baa1ee79489ffcdf5074c45b0772898492795aba2ee

SHA512
888651461f60286e7ee29c70d19190350e76be38bbae64593f13c55187101246e33ea2510f31b7355c22e001ecbc07b60a70279428603b8a14b008425a13c16e

Download Submit
C:\Windows\{BB756240-5435-4765-8D30-871852215869}.exe

Filesize
180KB

MD5
26bc4723ca7b7df162ab128dfa117dee

SHA1
4175f7175f3f9f4c073db6cce308d0e6583d0ddf

SHA256
fa62259e62c1584258ec1baa1ee79489ffcdf5074c45b0772898492795aba2ee

SHA512
888651461f60286e7ee29c70d19190350e76be38bbae64593f13c55187101246e33ea2510f31b7355c22e001ecbc07b60a70279428603b8a14b008425a13c16e

Download Submit
C:\Windows\{CF1B2460-CCD3-4d47-97E3-E97146C32A55}.exe

Filesize
180KB

MD5
fe011bd6cf72b2b40a207b8168c4d936

SHA1
6da09a6d7b5ee5ea9624542580bad0f01674b7fb

SHA256
96c689bd45cc029bae8328b65d4c41973dd100147e8558cbdcc6a0a49a534d4b

SHA512
be4414d97dd84d66139a6422b9ed0cb96d7a7ebdf031a9bf90255c0be06e35bebbdbe46ea8a8d619c576c307edbcf1631bfd98ce2a69e26a7055f94902572c7b

Download Submit
C:\Windows\{CF1B2460-CCD3-4d47-97E3-E97146C32A55}.exe

Filesize
180KB

MD5
fe011bd6cf72b2b40a207b8168c4d936

SHA1
6da09a6d7b5ee5ea9624542580bad0f01674b7fb

SHA256
96c689bd45cc029bae8328b65d4c41973dd100147e8558cbdcc6a0a49a534d4b

SHA512
be4414d97dd84d66139a6422b9ed0cb96d7a7ebdf031a9bf90255c0be06e35bebbdbe46ea8a8d619c576c307edbcf1631bfd98ce2a69e26a7055f94902572c7b

Download Submit
C:\Windows\{D39EC010-DB08-4ac6-9272-8425A9348EC2}.exe

Filesize
180KB

MD5
c01b35a13118addfae81c55ac3138a2b

SHA1
842c5fc1b68d2e0145a0238849600432c919ec2d

SHA256
fb4cd60c5d1d710f6b6661899726b1a2ca98632736e444bed667f70adb59f56e

SHA512
2e4d0aca6d121f6fbcda7ea2efdb9df30938f63bb1be0b91adcb12000166d74a94760b93c58a06b2f70af597c0bb374e8e04626387aa5820f8abacdca5974c43

Download Submit
C:\Windows\{D39EC010-DB08-4ac6-9272-8425A9348EC2}.exe

Filesize
180KB

MD5
c01b35a13118addfae81c55ac3138a2b

SHA1
842c5fc1b68d2e0145a0238849600432c919ec2d

SHA256
fb4cd60c5d1d710f6b6661899726b1a2ca98632736e444bed667f70adb59f56e

SHA512
2e4d0aca6d121f6fbcda7ea2efdb9df30938f63bb1be0b91adcb12000166d74a94760b93c58a06b2f70af597c0bb374e8e04626387aa5820f8abacdca5974c43

Download Submit
C:\Windows\{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe

Filesize
180KB

MD5
44e5a3791b42472073e32702096c570e

SHA1
d1863d8ab5568ec97978831e6bf88de75c1061e3

SHA256
a328155ff51258326231bc02b750bef000e1d9dd776ac7f777256a51343afc3a

SHA512
c68e3f9b729ec1ae0733dbf50455e9ea263e7f66bb9cc65eb6c5ae06d2d470e5ce3ff098e883447c19c513c18986593cb1ee1cff9d2dee4c2a173f915994a236

Download Submit
C:\Windows\{DACF9C09-AF07-4062-9DD8-6CB0F94EB61B}.exe

Filesize
180KB

MD5
44e5a3791b42472073e32702096c570e

SHA1
d1863d8ab5568ec97978831e6bf88de75c1061e3

SHA256
a328155ff51258326231bc02b750bef000e1d9dd776ac7f777256a51343afc3a

SHA512
c68e3f9b729ec1ae0733dbf50455e9ea263e7f66bb9cc65eb6c5ae06d2d470e5ce3ff098e883447c19c513c18986593cb1ee1cff9d2dee4c2a173f915994a236

Download Submit
C:\Windows\{E639AE1F-BA30-40e6-8CA4-AC022D2DD55D}.exe

Filesize
180KB

MD5
cf905a9f5032f495eb6c74804b594b0f

SHA1
2ee9e49c216d9a49ede38da3b7eee4f3041aff1d

SHA256
d9048b9a1d045544a25c928e70348e02fb3083be14a555170161e98856486dc6

SHA512
129d05fe2161377ad44955be4a38a4c9c5f2635cee18dbdd7188ecd10067b8b67cf0ae5f4acbe8654c289aa17de11c8bb3700a429d1041f346218fef1a7fdd57

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads