ccaba7d551645f067b183d214126c59a91ceb5238e2446e95e527bffd984339d

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-25_ec8b436e5202dfc8dcf0a08cec35a4e0_goldeneye_JC.exe
Size

372KB
MD5

ec8b436e5202dfc8dcf0a08cec35a4e0
SHA1

f25a17c5bfeebb94f4d07234a62f397a071bdb1b
SHA256

ccaba7d551645f067b183d214126c59a91ceb5238e2446e95e527bffd984339d
SHA512

620ac13763d48e9eedd292d27f64a3ffad90b01c7c671449c0267b68fae225ce0c585fdef5462df28d1a9a1d56d7b280ab0d739653c4c297ea0a109c64e614fb
SSDEEP

3072:CEGh0ogmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGXl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2630E94-F411-4a21-A817-2841353E0B6B}	{38888BAC-D403-4778-8527-A560CDBC9EED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2630E94-F411-4a21-A817-2841353E0B6B}\stubpath = "C:\\Windows\\{A2630E94-F411-4a21-A817-2841353E0B6B}.exe"	{38888BAC-D403-4778-8527-A560CDBC9EED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}	{A2630E94-F411-4a21-A817-2841353E0B6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}\stubpath = "C:\\Windows\\{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe"	{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}\stubpath = "C:\\Windows\\{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe"	{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}	{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E023826-28D7-4ac9-AAE1-D652828C5A6D}	{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E023826-28D7-4ac9-AAE1-D652828C5A6D}\stubpath = "C:\\Windows\\{9E023826-28D7-4ac9-AAE1-D652828C5A6D}.exe"	{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DCAB99D-02B9-4df3-9B9F-8B60965AE93B}	{9E023826-28D7-4ac9-AAE1-D652828C5A6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64B279E7-569A-42c2-B3E7-DF6A41892EDB}	{1DCAB99D-02B9-4df3-9B9F-8B60965AE93B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64B279E7-569A-42c2-B3E7-DF6A41892EDB}\stubpath = "C:\\Windows\\{64B279E7-569A-42c2-B3E7-DF6A41892EDB}.exe"	{1DCAB99D-02B9-4df3-9B9F-8B60965AE93B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF59A828-BD2B-4433-A44D-B54E689A3323}	{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}	{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}	{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF59A828-BD2B-4433-A44D-B54E689A3323}\stubpath = "C:\\Windows\\{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe"	{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}\stubpath = "C:\\Windows\\{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe"	{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43F54A2C-8621-46bc-BF94-D5F94D86206E}\stubpath = "C:\\Windows\\{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe"	{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}\stubpath = "C:\\Windows\\{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe"	{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38888BAC-D403-4778-8527-A560CDBC9EED}	2023-08-25_ec8b436e5202dfc8dcf0a08cec35a4e0_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38888BAC-D403-4778-8527-A560CDBC9EED}\stubpath = "C:\\Windows\\{38888BAC-D403-4778-8527-A560CDBC9EED}.exe"	2023-08-25_ec8b436e5202dfc8dcf0a08cec35a4e0_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}\stubpath = "C:\\Windows\\{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe"	{A2630E94-F411-4a21-A817-2841353E0B6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}	{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43F54A2C-8621-46bc-BF94-D5F94D86206E}	{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DCAB99D-02B9-4df3-9B9F-8B60965AE93B}\stubpath = "C:\\Windows\\{1DCAB99D-02B9-4df3-9B9F-8B60965AE93B}.exe"	{9E023826-28D7-4ac9-AAE1-D652828C5A6D}.exe

Executes dropped EXE 12 IoCs

pid	Process
3324	{38888BAC-D403-4778-8527-A560CDBC9EED}.exe
2548	{A2630E94-F411-4a21-A817-2841353E0B6B}.exe
1084	{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe
2312	{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe
2680	{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe
2072	{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe
2544	{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe
2632	{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe
1868	{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe
5024	{9E023826-28D7-4ac9-AAE1-D652828C5A6D}.exe
636	{1DCAB99D-02B9-4df3-9B9F-8B60965AE93B}.exe
4800	{64B279E7-569A-42c2-B3E7-DF6A41892EDB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe	{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe
File created	C:\Windows\{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe	{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe
File created	C:\Windows\{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe	{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe
File created	C:\Windows\{9E023826-28D7-4ac9-AAE1-D652828C5A6D}.exe	{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe
File created	C:\Windows\{1DCAB99D-02B9-4df3-9B9F-8B60965AE93B}.exe	{9E023826-28D7-4ac9-AAE1-D652828C5A6D}.exe
File created	C:\Windows\{64B279E7-569A-42c2-B3E7-DF6A41892EDB}.exe	{1DCAB99D-02B9-4df3-9B9F-8B60965AE93B}.exe
File created	C:\Windows\{38888BAC-D403-4778-8527-A560CDBC9EED}.exe	2023-08-25_ec8b436e5202dfc8dcf0a08cec35a4e0_goldeneye_JC.exe
File created	C:\Windows\{A2630E94-F411-4a21-A817-2841353E0B6B}.exe	{38888BAC-D403-4778-8527-A560CDBC9EED}.exe
File created	C:\Windows\{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe	{A2630E94-F411-4a21-A817-2841353E0B6B}.exe
File created	C:\Windows\{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe	{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe
File created	C:\Windows\{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe	{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe
File created	C:\Windows\{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe	{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3184	2023-08-25_ec8b436e5202dfc8dcf0a08cec35a4e0_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3324	{38888BAC-D403-4778-8527-A560CDBC9EED}.exe
Token: SeIncBasePriorityPrivilege	2548	{A2630E94-F411-4a21-A817-2841353E0B6B}.exe
Token: SeIncBasePriorityPrivilege	1084	{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe
Token: SeIncBasePriorityPrivilege	2312	{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe
Token: SeIncBasePriorityPrivilege	2680	{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe
Token: SeIncBasePriorityPrivilege	2072	{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe
Token: SeIncBasePriorityPrivilege	2544	{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe
Token: SeIncBasePriorityPrivilege	2632	{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe
Token: SeIncBasePriorityPrivilege	1868	{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe
Token: SeIncBasePriorityPrivilege	5024	{9E023826-28D7-4ac9-AAE1-D652828C5A6D}.exe
Token: SeIncBasePriorityPrivilege	636	{1DCAB99D-02B9-4df3-9B9F-8B60965AE93B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 3324	3184	2023-08-25_ec8b436e5202dfc8dcf0a08cec35a4e0_goldeneye_JC.exe	88
PID 3184 wrote to memory of 3324	3184	2023-08-25_ec8b436e5202dfc8dcf0a08cec35a4e0_goldeneye_JC.exe	88
PID 3184 wrote to memory of 3324	3184	2023-08-25_ec8b436e5202dfc8dcf0a08cec35a4e0_goldeneye_JC.exe	88
PID 3184 wrote to memory of 3328	3184	2023-08-25_ec8b436e5202dfc8dcf0a08cec35a4e0_goldeneye_JC.exe	89
PID 3184 wrote to memory of 3328	3184	2023-08-25_ec8b436e5202dfc8dcf0a08cec35a4e0_goldeneye_JC.exe	89
PID 3184 wrote to memory of 3328	3184	2023-08-25_ec8b436e5202dfc8dcf0a08cec35a4e0_goldeneye_JC.exe	89
PID 3324 wrote to memory of 2548	3324	{38888BAC-D403-4778-8527-A560CDBC9EED}.exe	98
PID 3324 wrote to memory of 2548	3324	{38888BAC-D403-4778-8527-A560CDBC9EED}.exe	98
PID 3324 wrote to memory of 2548	3324	{38888BAC-D403-4778-8527-A560CDBC9EED}.exe	98
PID 3324 wrote to memory of 4944	3324	{38888BAC-D403-4778-8527-A560CDBC9EED}.exe	99
PID 3324 wrote to memory of 4944	3324	{38888BAC-D403-4778-8527-A560CDBC9EED}.exe	99
PID 3324 wrote to memory of 4944	3324	{38888BAC-D403-4778-8527-A560CDBC9EED}.exe	99
PID 2548 wrote to memory of 1084	2548	{A2630E94-F411-4a21-A817-2841353E0B6B}.exe	101
PID 2548 wrote to memory of 1084	2548	{A2630E94-F411-4a21-A817-2841353E0B6B}.exe	101
PID 2548 wrote to memory of 1084	2548	{A2630E94-F411-4a21-A817-2841353E0B6B}.exe	101
PID 2548 wrote to memory of 3236	2548	{A2630E94-F411-4a21-A817-2841353E0B6B}.exe	102
PID 2548 wrote to memory of 3236	2548	{A2630E94-F411-4a21-A817-2841353E0B6B}.exe	102
PID 2548 wrote to memory of 3236	2548	{A2630E94-F411-4a21-A817-2841353E0B6B}.exe	102
PID 1084 wrote to memory of 2312	1084	{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe	103
PID 1084 wrote to memory of 2312	1084	{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe	103
PID 1084 wrote to memory of 2312	1084	{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe	103
PID 1084 wrote to memory of 4512	1084	{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe	104
PID 1084 wrote to memory of 4512	1084	{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe	104
PID 1084 wrote to memory of 4512	1084	{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe	104
PID 2312 wrote to memory of 2680	2312	{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe	105
PID 2312 wrote to memory of 2680	2312	{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe	105
PID 2312 wrote to memory of 2680	2312	{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe	105
PID 2312 wrote to memory of 3996	2312	{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe	106
PID 2312 wrote to memory of 3996	2312	{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe	106
PID 2312 wrote to memory of 3996	2312	{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe	106
PID 2680 wrote to memory of 2072	2680	{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe	107
PID 2680 wrote to memory of 2072	2680	{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe	107
PID 2680 wrote to memory of 2072	2680	{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe	107
PID 2680 wrote to memory of 1068	2680	{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe	108
PID 2680 wrote to memory of 1068	2680	{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe	108
PID 2680 wrote to memory of 1068	2680	{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe	108
PID 2072 wrote to memory of 2544	2072	{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe	109
PID 2072 wrote to memory of 2544	2072	{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe	109
PID 2072 wrote to memory of 2544	2072	{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe	109
PID 2072 wrote to memory of 3440	2072	{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe	110
PID 2072 wrote to memory of 3440	2072	{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe	110
PID 2072 wrote to memory of 3440	2072	{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe	110
PID 2544 wrote to memory of 2632	2544	{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe	111
PID 2544 wrote to memory of 2632	2544	{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe	111
PID 2544 wrote to memory of 2632	2544	{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe	111
PID 2544 wrote to memory of 4816	2544	{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe	112
PID 2544 wrote to memory of 4816	2544	{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe	112
PID 2544 wrote to memory of 4816	2544	{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe	112
PID 2632 wrote to memory of 1868	2632	{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe	113
PID 2632 wrote to memory of 1868	2632	{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe	113
PID 2632 wrote to memory of 1868	2632	{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe	113
PID 2632 wrote to memory of 2248	2632	{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe	114
PID 2632 wrote to memory of 2248	2632	{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe	114
PID 2632 wrote to memory of 2248	2632	{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe	114
PID 1868 wrote to memory of 5024	1868	{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe	115
PID 1868 wrote to memory of 5024	1868	{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe	115
PID 1868 wrote to memory of 5024	1868	{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe	115
PID 1868 wrote to memory of 3964	1868	{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe	116
PID 1868 wrote to memory of 3964	1868	{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe	116
PID 1868 wrote to memory of 3964	1868	{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe	116
PID 5024 wrote to memory of 636	5024	{9E023826-28D7-4ac9-AAE1-D652828C5A6D}.exe	117
PID 5024 wrote to memory of 636	5024	{9E023826-28D7-4ac9-AAE1-D652828C5A6D}.exe	117
PID 5024 wrote to memory of 636	5024	{9E023826-28D7-4ac9-AAE1-D652828C5A6D}.exe	117
PID 5024 wrote to memory of 1564	5024	{9E023826-28D7-4ac9-AAE1-D652828C5A6D}.exe	118

C:\Users\Admin\AppData\Local\Temp\2023-08-25_ec8b436e5202dfc8dcf0a08cec35a4e0_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-25_ec8b436e5202dfc8dcf0a08cec35a4e0_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\{38888BAC-D403-4778-8527-A560CDBC9EED}.exe
  C:\Windows\{38888BAC-D403-4778-8527-A560CDBC9EED}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Windows\{A2630E94-F411-4a21-A817-2841353E0B6B}.exe
    C:\Windows\{A2630E94-F411-4a21-A817-2841353E0B6B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe
      C:\Windows\{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1084
    - - C:\Windows\{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe
        
        C:\Windows\{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe
        
        C:\Windows\{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe
        
        C:\Windows\{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe
        
        C:\Windows\{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe
        
        C:\Windows\{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe
        
        C:\Windows\{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\{9E023826-28D7-4ac9-AAE1-D652828C5A6D}.exe
        
        C:\Windows\{9E023826-28D7-4ac9-AAE1-D652828C5A6D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\{1DCAB99D-02B9-4df3-9B9F-8B60965AE93B}.exe
        
        C:\Windows\{1DCAB99D-02B9-4df3-9B9F-8B60965AE93B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\{64B279E7-569A-42c2-B3E7-DF6A41892EDB}.exe
        
        C:\Windows\{64B279E7-569A-42c2-B3E7-DF6A41892EDB}.exe
        13⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DCAB~1.EXE > nul
        13⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E023~1.EXE > nul
        12⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4D0C~1.EXE > nul
        11⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43F54~1.EXE > nul
        10⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D8F0~1.EXE > nul
        9⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F53D~1.EXE > nul
        8⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9371A~1.EXE > nul
        7⤵
        
        PID:1068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF59A~1.EXE > nul
        6⤵
        
        PID:3996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39772~1.EXE > nul
        5⤵
        
        PID:4512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A2630~1.EXE > nul
      4⤵
      PID:3236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{38888~1.EXE > nul
    3⤵
    PID:4944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe

Filesize
372KB

MD5
2e60078732eb2c5a157b2e60cabf2ed5

SHA1
ff035f36498b18d90d2c844ba8eca7e16a26724c

SHA256
d4aa6e3e6810009449cb7c92a8f9c003903ad8c6719261a5c0e6587232f50f25

SHA512
fc52961fb6d7babdb4950f3775522905bed71f3b5a0da4cf4ce4f1d2db99ded78e63594ec18b206d785a48c38048e3de1c2c86acbbcbf68399598829adf4d10d

Download Submit
C:\Windows\{0D8F035F-53CB-4c16-96EA-992E6F2AE7C6}.exe

Filesize
372KB

MD5
2e60078732eb2c5a157b2e60cabf2ed5

SHA1
ff035f36498b18d90d2c844ba8eca7e16a26724c

SHA256
d4aa6e3e6810009449cb7c92a8f9c003903ad8c6719261a5c0e6587232f50f25

SHA512
fc52961fb6d7babdb4950f3775522905bed71f3b5a0da4cf4ce4f1d2db99ded78e63594ec18b206d785a48c38048e3de1c2c86acbbcbf68399598829adf4d10d

Download Submit
C:\Windows\{1DCAB99D-02B9-4df3-9B9F-8B60965AE93B}.exe

Filesize
372KB

MD5
f0e2c1faaf9b0aa729fbea909aa99e0e

SHA1
b5c078ad25b74e090f496f8f9ee1d05ad802dda1

SHA256
ae1a5ecf2de6878349a5588854dfb3a0d3616e892c3465e1d7c0c1e2908f867f

SHA512
d188f5e8fffd649740802166a1335a59c6e224e9b4e9c3e6ceada214d2cb36e14c58e38cf0670d22838b84aa952f601acf3cbd5472d4de0f93a93329f2cbcf61

Download Submit
C:\Windows\{1DCAB99D-02B9-4df3-9B9F-8B60965AE93B}.exe

Filesize
372KB

MD5
f0e2c1faaf9b0aa729fbea909aa99e0e

SHA1
b5c078ad25b74e090f496f8f9ee1d05ad802dda1

SHA256
ae1a5ecf2de6878349a5588854dfb3a0d3616e892c3465e1d7c0c1e2908f867f

SHA512
d188f5e8fffd649740802166a1335a59c6e224e9b4e9c3e6ceada214d2cb36e14c58e38cf0670d22838b84aa952f601acf3cbd5472d4de0f93a93329f2cbcf61

Download Submit
C:\Windows\{38888BAC-D403-4778-8527-A560CDBC9EED}.exe

Filesize
372KB

MD5
88be1d9d6d8b32b7a4cceecdbc204f5b

SHA1
7571c9f930af2f82e776810b67e3bb24063e8b67

SHA256
7b56f7433abf9183b5ccfabc871dd83fe9c97b5ecaa3f29d900bb574c2afbccb

SHA512
806a390b2c470dd5572c71e8cf2650f840aa57c53ed7047ba86e26958c2700c624d00aeea5c574996803e19408a5eaa5a1a8a676cf55cb22a6eff345c28125d5

Download Submit
C:\Windows\{38888BAC-D403-4778-8527-A560CDBC9EED}.exe

Filesize
372KB

MD5
88be1d9d6d8b32b7a4cceecdbc204f5b

SHA1
7571c9f930af2f82e776810b67e3bb24063e8b67

SHA256
7b56f7433abf9183b5ccfabc871dd83fe9c97b5ecaa3f29d900bb574c2afbccb

SHA512
806a390b2c470dd5572c71e8cf2650f840aa57c53ed7047ba86e26958c2700c624d00aeea5c574996803e19408a5eaa5a1a8a676cf55cb22a6eff345c28125d5

Download Submit
C:\Windows\{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe

Filesize
372KB

MD5
2e453aa183571118da6e440c1ab78e5d

SHA1
5467c6ea951a66921689a54b6342b2ac124bd2db

SHA256
0af64d1884fd9fc3c4f846afc238e16ed13c9be23b06a5bd2134100945b958cb

SHA512
df0c332f82f6c593e13490594023c95095149db9b0fa2ba83f8a3b47da7436326163804660ce37487972b1a79468cabf7977e39eb4e3d075d4d8e5a6f29349c3

Download Submit
C:\Windows\{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe

Filesize
372KB

MD5
2e453aa183571118da6e440c1ab78e5d

SHA1
5467c6ea951a66921689a54b6342b2ac124bd2db

SHA256
0af64d1884fd9fc3c4f846afc238e16ed13c9be23b06a5bd2134100945b958cb

SHA512
df0c332f82f6c593e13490594023c95095149db9b0fa2ba83f8a3b47da7436326163804660ce37487972b1a79468cabf7977e39eb4e3d075d4d8e5a6f29349c3

Download Submit
C:\Windows\{39772BA7-9DF5-4842-B49E-2D3C0D0F5DF0}.exe

Filesize
372KB

MD5
2e453aa183571118da6e440c1ab78e5d

SHA1
5467c6ea951a66921689a54b6342b2ac124bd2db

SHA256
0af64d1884fd9fc3c4f846afc238e16ed13c9be23b06a5bd2134100945b958cb

SHA512
df0c332f82f6c593e13490594023c95095149db9b0fa2ba83f8a3b47da7436326163804660ce37487972b1a79468cabf7977e39eb4e3d075d4d8e5a6f29349c3

Download Submit
C:\Windows\{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe

Filesize
372KB

MD5
ce26a38928625387a79a98713eaf9c75

SHA1
a9a086f8648d040dd2a02258d58c2298126199e2

SHA256
20e54c64026f5ea91ca0833e8d0a279ed3c63b6fcbdc1cac7fb0dbcba3549c72

SHA512
a8b048ca8ee11f7e7b52ca794414a861a105f450d01c7ee8ea9e589eff0403f123a6fc0079571b743dd8d950824ecd41eb71f74010d8cf308748e51b966b9206

Download Submit
C:\Windows\{43F54A2C-8621-46bc-BF94-D5F94D86206E}.exe

Filesize
372KB

MD5
ce26a38928625387a79a98713eaf9c75

SHA1
a9a086f8648d040dd2a02258d58c2298126199e2

SHA256
20e54c64026f5ea91ca0833e8d0a279ed3c63b6fcbdc1cac7fb0dbcba3549c72

SHA512
a8b048ca8ee11f7e7b52ca794414a861a105f450d01c7ee8ea9e589eff0403f123a6fc0079571b743dd8d950824ecd41eb71f74010d8cf308748e51b966b9206

Download Submit
C:\Windows\{64B279E7-569A-42c2-B3E7-DF6A41892EDB}.exe

Filesize
372KB

MD5
cb04a8dfdc10c652d55557b81484a79c

SHA1
49a3dddd1441a31a2907c15bd1550c88e07d2bad

SHA256
36660aba251be0f9d204932725dff2c99a97d7359ca9271f3275334536771c78

SHA512
5c932874d480ae9cfa7399555d3b5c6b94524bc07af1d1b7bc009bdb2f23c6ae8c5c2a2b108eab50e803b842cd897b33852824ad01a05181546764dac7d0ac8e

Download Submit
C:\Windows\{64B279E7-569A-42c2-B3E7-DF6A41892EDB}.exe

Filesize
372KB

MD5
cb04a8dfdc10c652d55557b81484a79c

SHA1
49a3dddd1441a31a2907c15bd1550c88e07d2bad

SHA256
36660aba251be0f9d204932725dff2c99a97d7359ca9271f3275334536771c78

SHA512
5c932874d480ae9cfa7399555d3b5c6b94524bc07af1d1b7bc009bdb2f23c6ae8c5c2a2b108eab50e803b842cd897b33852824ad01a05181546764dac7d0ac8e

Download Submit
C:\Windows\{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe

Filesize
372KB

MD5
ca0c4f56784e124866a5639152c9cc61

SHA1
c743e6c85b1deda9ef5d6718422b5f4044118a2c

SHA256
825c7424070d5b96cd848cedccd0857b993418af2992fcca3f13e0f691d9b67a

SHA512
7f62bc9166dd855b1659031bfb07d5d62d58dc81159d31b5ec0a18be292d218f0f2e9c719399dc8d6a49b87db93316fbc08af89e182de920febb1dd1fd3f229d

Download Submit
C:\Windows\{6F53D4CE-010F-45f6-AE6E-9B82D228CE1E}.exe

Filesize
372KB

MD5
ca0c4f56784e124866a5639152c9cc61

SHA1
c743e6c85b1deda9ef5d6718422b5f4044118a2c

SHA256
825c7424070d5b96cd848cedccd0857b993418af2992fcca3f13e0f691d9b67a

SHA512
7f62bc9166dd855b1659031bfb07d5d62d58dc81159d31b5ec0a18be292d218f0f2e9c719399dc8d6a49b87db93316fbc08af89e182de920febb1dd1fd3f229d

Download Submit
C:\Windows\{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe

Filesize
372KB

MD5
75e20c519c1633277cbfef82b50e57b1

SHA1
17e0b05ac73ec8c2920d14188c9fb9a810e21e2b

SHA256
2a478dc14eab439451fd33c07419753f076245ef99ce0cfd8610914b032a0a12

SHA512
0df78b53e69813be47b5aa2b37752955f21a5ef98b2be9e4169f4936c342136b549f44d0c022a2c5c183fe7e40d7307c43cd0b490d29a9aa040bcb561bf41842

Download Submit
C:\Windows\{9371AA5D-1D6B-4dd1-BAC7-81F9B47E47EF}.exe

Filesize
372KB

MD5
75e20c519c1633277cbfef82b50e57b1

SHA1
17e0b05ac73ec8c2920d14188c9fb9a810e21e2b

SHA256
2a478dc14eab439451fd33c07419753f076245ef99ce0cfd8610914b032a0a12

SHA512
0df78b53e69813be47b5aa2b37752955f21a5ef98b2be9e4169f4936c342136b549f44d0c022a2c5c183fe7e40d7307c43cd0b490d29a9aa040bcb561bf41842

Download Submit
C:\Windows\{9E023826-28D7-4ac9-AAE1-D652828C5A6D}.exe

Filesize
372KB

MD5
5c6652f7e5c687dc4dca357e50a85a84

SHA1
077751e9020d3e8d25c339a3837275a008260831

SHA256
37ae47a0f88ce876b8054283100de31c28cc5b618a38a46c6dd15b7195490e4a

SHA512
e0ebc1b533cbbeb4e867c742c6bbeacd45e23f8d8eef2ca73ff50540c9ca10515d26de01d6c878b94bf2b8883152c7f63294bd161e20b10474fe0cefbe4278ed

Download Submit
C:\Windows\{9E023826-28D7-4ac9-AAE1-D652828C5A6D}.exe

Filesize
372KB

MD5
5c6652f7e5c687dc4dca357e50a85a84

SHA1
077751e9020d3e8d25c339a3837275a008260831

SHA256
37ae47a0f88ce876b8054283100de31c28cc5b618a38a46c6dd15b7195490e4a

SHA512
e0ebc1b533cbbeb4e867c742c6bbeacd45e23f8d8eef2ca73ff50540c9ca10515d26de01d6c878b94bf2b8883152c7f63294bd161e20b10474fe0cefbe4278ed

Download Submit
C:\Windows\{A2630E94-F411-4a21-A817-2841353E0B6B}.exe

Filesize
372KB

MD5
6d0329e986808084dc25c0a30bfccc48

SHA1
332b3542ece8f928c4f97a58ad491e0b46e16ed1

SHA256
c678c8385f20ae17d837298525be553b14f6b09c5b5e3c5cee5379e15f78fc75

SHA512
906a03f568d1a21b94602f691688630373abde21c0407b477d6e76b541a509ff8e1682bb28062a56f80a84d1eab17efa7780596579ee313f3a6576fc04c27a90

Download Submit
C:\Windows\{A2630E94-F411-4a21-A817-2841353E0B6B}.exe

Filesize
372KB

MD5
6d0329e986808084dc25c0a30bfccc48

SHA1
332b3542ece8f928c4f97a58ad491e0b46e16ed1

SHA256
c678c8385f20ae17d837298525be553b14f6b09c5b5e3c5cee5379e15f78fc75

SHA512
906a03f568d1a21b94602f691688630373abde21c0407b477d6e76b541a509ff8e1682bb28062a56f80a84d1eab17efa7780596579ee313f3a6576fc04c27a90

Download Submit
C:\Windows\{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe

Filesize
372KB

MD5
7b8135098403cc80ab8c3763ee65371e

SHA1
e0c3984e8b9df75f05e3957d7dcf595611abbd7e

SHA256
927c853b44b6d37655fda4749d8a8605f58e3d01828ca74acdd72fa872c4ff15

SHA512
d01f2007c97b78f13796ccff62e88f4117e638779be3ef8a58796c746d2423bb710540ecace8add8f3d7d110dd9cbeefe136180f629f22182d9ffc8a195c8c88

Download Submit
C:\Windows\{C4D0C395-2939-4b81-8DA7-7E8CB19BA0BC}.exe

Filesize
372KB

MD5
7b8135098403cc80ab8c3763ee65371e

SHA1
e0c3984e8b9df75f05e3957d7dcf595611abbd7e

SHA256
927c853b44b6d37655fda4749d8a8605f58e3d01828ca74acdd72fa872c4ff15

SHA512
d01f2007c97b78f13796ccff62e88f4117e638779be3ef8a58796c746d2423bb710540ecace8add8f3d7d110dd9cbeefe136180f629f22182d9ffc8a195c8c88

Download Submit
C:\Windows\{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe

Filesize
372KB

MD5
d9cf06afd36a315bdd3a1ec7634c00fc

SHA1
cbdc2cb34b1b92637523a649ed460decc944b9b7

SHA256
2d45840b61924613d0314041af800a49878414d7be3e05aa759a7fa1bbee8edf

SHA512
9ae9b5faaf44373385f870aca04306d373a27210e4a41e0dbe8c300e6eb911ffe6808823fc76deb8952898ddc719d87812ec60d0db0f5eb9ecf6c3116f3ebf64

Download Submit
C:\Windows\{FF59A828-BD2B-4433-A44D-B54E689A3323}.exe

Filesize
372KB

MD5
d9cf06afd36a315bdd3a1ec7634c00fc

SHA1
cbdc2cb34b1b92637523a649ed460decc944b9b7

SHA256
2d45840b61924613d0314041af800a49878414d7be3e05aa759a7fa1bbee8edf

SHA512
9ae9b5faaf44373385f870aca04306d373a27210e4a41e0dbe8c300e6eb911ffe6808823fc76deb8952898ddc719d87812ec60d0db0f5eb9ecf6c3116f3ebf64

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads