036cc1e59438339d40bf888ec7e0cd4b9b18ee7b0bcb2b49a795dcfde1bf7d71

Analysis

max time kernel
269s
max time network
319s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe
Size

180KB
MD5

428059bf6fe64f508babe3a27550a395
SHA1

fd4468b844a0b41c027f9920ecb99b0175f2cfdf
SHA256

036cc1e59438339d40bf888ec7e0cd4b9b18ee7b0bcb2b49a795dcfde1bf7d71
SHA512

30093ffdf1e83a56b64827622971464854ab84ffe095781d71f4435d24b0e4bea1c388c5905e9569c95f1df615c1482392ab016ad036a2ae5828f2858b757739
SSDEEP

3072:jEGh0oelfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGEl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA0B11B3-A9B6-4758-9768-45766329F055}	{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B38B32C7-43CE-406b-B0C9-CC69758C023B}\stubpath = "C:\\Windows\\{B38B32C7-43CE-406b-B0C9-CC69758C023B}.exe"	{EA0B11B3-A9B6-4758-9768-45766329F055}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B231E2DD-4FD8-48cf-A94A-F32387002E0F}\stubpath = "C:\\Windows\\{B231E2DD-4FD8-48cf-A94A-F32387002E0F}.exe"	{B38B32C7-43CE-406b-B0C9-CC69758C023B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE57DE4D-389F-49cd-8D3E-5394697A2D59}	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE57DE4D-389F-49cd-8D3E-5394697A2D59}\stubpath = "C:\\Windows\\{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe"	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C633EA0E-853A-4673-9389-A0BFB60CF133}	{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5701B134-CBC3-460f-B542-B6B12F4E566F}	{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5701B134-CBC3-460f-B542-B6B12F4E566F}\stubpath = "C:\\Windows\\{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe"	{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81E70358-07D3-49c0-B76B-1BBD5180C22E}\stubpath = "C:\\Windows\\{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe"	{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C633EA0E-853A-4673-9389-A0BFB60CF133}\stubpath = "C:\\Windows\\{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe"	{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F6AE851-63F1-4077-80F0-5D88FF049193}	{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F6AE851-63F1-4077-80F0-5D88FF049193}\stubpath = "C:\\Windows\\{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe"	{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA0B11B3-A9B6-4758-9768-45766329F055}\stubpath = "C:\\Windows\\{EA0B11B3-A9B6-4758-9768-45766329F055}.exe"	{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD8F7AE0-1BFD-4b1b-B74E-BF1ECA400DB6}	{B231E2DD-4FD8-48cf-A94A-F32387002E0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD8F7AE0-1BFD-4b1b-B74E-BF1ECA400DB6}\stubpath = "C:\\Windows\\{DD8F7AE0-1BFD-4b1b-B74E-BF1ECA400DB6}.exe"	{B231E2DD-4FD8-48cf-A94A-F32387002E0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17AE10E5-1D5E-40cd-9755-4E10821D725B}	{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17AE10E5-1D5E-40cd-9755-4E10821D725B}\stubpath = "C:\\Windows\\{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe"	{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81E70358-07D3-49c0-B76B-1BBD5180C22E}	{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B38B32C7-43CE-406b-B0C9-CC69758C023B}	{EA0B11B3-A9B6-4758-9768-45766329F055}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B231E2DD-4FD8-48cf-A94A-F32387002E0F}	{B38B32C7-43CE-406b-B0C9-CC69758C023B}.exe

Deletes itself 1 IoCs

pid	Process
2496	cmd.exe

Executes dropped EXE 10 IoCs

pid	Process
2548	{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe
3064	{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe
1260	{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe
2856	{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe
2892	{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe
2676	{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe
2028	{EA0B11B3-A9B6-4758-9768-45766329F055}.exe
2236	{B38B32C7-43CE-406b-B0C9-CC69758C023B}.exe
2480	{B231E2DD-4FD8-48cf-A94A-F32387002E0F}.exe
2724	{DD8F7AE0-1BFD-4b1b-B74E-BF1ECA400DB6}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe	{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe
File created	C:\Windows\{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe	{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe
File created	C:\Windows\{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe	{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe
File created	C:\Windows\{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe
File created	C:\Windows\{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe	{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe
File created	C:\Windows\{EA0B11B3-A9B6-4758-9768-45766329F055}.exe	{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe
File created	C:\Windows\{B38B32C7-43CE-406b-B0C9-CC69758C023B}.exe	{EA0B11B3-A9B6-4758-9768-45766329F055}.exe
File created	C:\Windows\{B231E2DD-4FD8-48cf-A94A-F32387002E0F}.exe	{B38B32C7-43CE-406b-B0C9-CC69758C023B}.exe
File created	C:\Windows\{DD8F7AE0-1BFD-4b1b-B74E-BF1ECA400DB6}.exe	{B231E2DD-4FD8-48cf-A94A-F32387002E0F}.exe
File created	C:\Windows\{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe	{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2840	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	2548	{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe
Token: SeIncBasePriorityPrivilege	3064	{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe
Token: SeIncBasePriorityPrivilege	1260	{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe
Token: SeIncBasePriorityPrivilege	2856	{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe
Token: SeIncBasePriorityPrivilege	2892	{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe
Token: SeIncBasePriorityPrivilege	2676	{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe
Token: SeIncBasePriorityPrivilege	2028	{EA0B11B3-A9B6-4758-9768-45766329F055}.exe
Token: SeIncBasePriorityPrivilege	2236	{B38B32C7-43CE-406b-B0C9-CC69758C023B}.exe
Token: SeIncBasePriorityPrivilege	2480	{B231E2DD-4FD8-48cf-A94A-F32387002E0F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2548	2840	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe	27
PID 2840 wrote to memory of 2548	2840	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe	27
PID 2840 wrote to memory of 2548	2840	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe	27
PID 2840 wrote to memory of 2548	2840	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe	27
PID 2840 wrote to memory of 2496	2840	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe	28
PID 2840 wrote to memory of 2496	2840	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe	28
PID 2840 wrote to memory of 2496	2840	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe	28
PID 2840 wrote to memory of 2496	2840	2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe	28
PID 2548 wrote to memory of 3064	2548	{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe	29
PID 2548 wrote to memory of 3064	2548	{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe	29
PID 2548 wrote to memory of 3064	2548	{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe	29
PID 2548 wrote to memory of 3064	2548	{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe	29
PID 2548 wrote to memory of 2448	2548	{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe	30
PID 2548 wrote to memory of 2448	2548	{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe	30
PID 2548 wrote to memory of 2448	2548	{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe	30
PID 2548 wrote to memory of 2448	2548	{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe	30
PID 3064 wrote to memory of 1260	3064	{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe	31
PID 3064 wrote to memory of 1260	3064	{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe	31
PID 3064 wrote to memory of 1260	3064	{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe	31
PID 3064 wrote to memory of 1260	3064	{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe	31
PID 3064 wrote to memory of 2836	3064	{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe	32
PID 3064 wrote to memory of 2836	3064	{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe	32
PID 3064 wrote to memory of 2836	3064	{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe	32
PID 3064 wrote to memory of 2836	3064	{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe	32
PID 1260 wrote to memory of 2856	1260	{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe	33
PID 1260 wrote to memory of 2856	1260	{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe	33
PID 1260 wrote to memory of 2856	1260	{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe	33
PID 1260 wrote to memory of 2856	1260	{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe	33
PID 1260 wrote to memory of 2848	1260	{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe	34
PID 1260 wrote to memory of 2848	1260	{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe	34
PID 1260 wrote to memory of 2848	1260	{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe	34
PID 1260 wrote to memory of 2848	1260	{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe	34
PID 2856 wrote to memory of 2892	2856	{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe	35
PID 2856 wrote to memory of 2892	2856	{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe	35
PID 2856 wrote to memory of 2892	2856	{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe	35
PID 2856 wrote to memory of 2892	2856	{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe	35
PID 2856 wrote to memory of 2992	2856	{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe	36
PID 2856 wrote to memory of 2992	2856	{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe	36
PID 2856 wrote to memory of 2992	2856	{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe	36
PID 2856 wrote to memory of 2992	2856	{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe	36
PID 2892 wrote to memory of 2676	2892	{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe	37
PID 2892 wrote to memory of 2676	2892	{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe	37
PID 2892 wrote to memory of 2676	2892	{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe	37
PID 2892 wrote to memory of 2676	2892	{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe	37
PID 2892 wrote to memory of 1952	2892	{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe	38
PID 2892 wrote to memory of 1952	2892	{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe	38
PID 2892 wrote to memory of 1952	2892	{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe	38
PID 2892 wrote to memory of 1952	2892	{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe	38
PID 2676 wrote to memory of 2028	2676	{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe	39
PID 2676 wrote to memory of 2028	2676	{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe	39
PID 2676 wrote to memory of 2028	2676	{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe	39
PID 2676 wrote to memory of 2028	2676	{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe	39
PID 2676 wrote to memory of 2668	2676	{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe	40
PID 2676 wrote to memory of 2668	2676	{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe	40
PID 2676 wrote to memory of 2668	2676	{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe	40
PID 2676 wrote to memory of 2668	2676	{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe	40
PID 2028 wrote to memory of 2236	2028	{EA0B11B3-A9B6-4758-9768-45766329F055}.exe	41
PID 2028 wrote to memory of 2236	2028	{EA0B11B3-A9B6-4758-9768-45766329F055}.exe	41
PID 2028 wrote to memory of 2236	2028	{EA0B11B3-A9B6-4758-9768-45766329F055}.exe	41
PID 2028 wrote to memory of 2236	2028	{EA0B11B3-A9B6-4758-9768-45766329F055}.exe	41
PID 2028 wrote to memory of 756	2028	{EA0B11B3-A9B6-4758-9768-45766329F055}.exe	42
PID 2028 wrote to memory of 756	2028	{EA0B11B3-A9B6-4758-9768-45766329F055}.exe	42
PID 2028 wrote to memory of 756	2028	{EA0B11B3-A9B6-4758-9768-45766329F055}.exe	42
PID 2028 wrote to memory of 756	2028	{EA0B11B3-A9B6-4758-9768-45766329F055}.exe	42

C:\Users\Admin\AppData\Local\Temp\2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-25_428059bf6fe64f508babe3a27550a395_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe
  C:\Windows\{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe
    C:\Windows\{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe
      C:\Windows\{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1260
    - - C:\Windows\{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe
        
        C:\Windows\{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe
        
        C:\Windows\{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe
        
        C:\Windows\{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\{EA0B11B3-A9B6-4758-9768-45766329F055}.exe
        
        C:\Windows\{EA0B11B3-A9B6-4758-9768-45766329F055}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{B38B32C7-43CE-406b-B0C9-CC69758C023B}.exe
        
        C:\Windows\{B38B32C7-43CE-406b-B0C9-CC69758C023B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B38B3~1.EXE > nul
        10⤵
        
        PID:600
        
        C:\Windows\{B231E2DD-4FD8-48cf-A94A-F32387002E0F}.exe
        
        C:\Windows\{B231E2DD-4FD8-48cf-A94A-F32387002E0F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\{DD8F7AE0-1BFD-4b1b-B74E-BF1ECA400DB6}.exe
        
        C:\Windows\{DD8F7AE0-1BFD-4b1b-B74E-BF1ECA400DB6}.exe
        11⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B231E~1.EXE > nul
        11⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA0B1~1.EXE > nul
        9⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F6AE~1.EXE > nul
        8⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81E70~1.EXE > nul
        7⤵
        
        PID:1952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17AE1~1.EXE > nul
        6⤵
        
        PID:2992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5701B~1.EXE > nul
        5⤵
        
        PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C633E~1.EXE > nul
      4⤵
      PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BE57D~1.EXE > nul
    3⤵
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe

Filesize
180KB

MD5
70efaa8523ed56a68c2b5bf88bd23d1a

SHA1
a7b639732d035b32b79001c248546c1399393ddd

SHA256
b2387927b635604d4790002b70ac6f3bf1aa7902f316954abf9c26e8f8247f79

SHA512
7a3f7707c5e057c28f076dfc576df1cafb41811e296c08fd1a33e3faf7f982c6d1fd7b4d37eeb7aa013c7da13238924f4e257aabad2ce324ab070cbe5b353a8c

Download Submit
C:\Windows\{17AE10E5-1D5E-40cd-9755-4E10821D725B}.exe

Filesize
180KB

MD5
70efaa8523ed56a68c2b5bf88bd23d1a

SHA1
a7b639732d035b32b79001c248546c1399393ddd

SHA256
b2387927b635604d4790002b70ac6f3bf1aa7902f316954abf9c26e8f8247f79

SHA512
7a3f7707c5e057c28f076dfc576df1cafb41811e296c08fd1a33e3faf7f982c6d1fd7b4d37eeb7aa013c7da13238924f4e257aabad2ce324ab070cbe5b353a8c

Download Submit
C:\Windows\{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe

Filesize
180KB

MD5
3b5bf3a2efb8d8bf8e193235775c2662

SHA1
344d073c27d186e42a3ba62084c985251f3b95b8

SHA256
6dbdc12f2c90760a04e1bb825131596d0c7104a6c91fd0c8e6cd9a76859a881b

SHA512
e742fea1b4052ca0ab56a192dd01edf5749956f69d2e38e9445ffe60265331c84e5dad3c8483353b955054d5509f762adb64ac1918b9ec8d6eb47836c981c6e6

Download Submit
C:\Windows\{4F6AE851-63F1-4077-80F0-5D88FF049193}.exe

Filesize
180KB

MD5
3b5bf3a2efb8d8bf8e193235775c2662

SHA1
344d073c27d186e42a3ba62084c985251f3b95b8

SHA256
6dbdc12f2c90760a04e1bb825131596d0c7104a6c91fd0c8e6cd9a76859a881b

SHA512
e742fea1b4052ca0ab56a192dd01edf5749956f69d2e38e9445ffe60265331c84e5dad3c8483353b955054d5509f762adb64ac1918b9ec8d6eb47836c981c6e6

Download Submit
C:\Windows\{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe

Filesize
180KB

MD5
cfd71e034aecad1ba0e2417b1a135bfa

SHA1
1fce4b19369286a5920ffc85a8a0e0d18178684e

SHA256
87e83cded9ef4a2f728c91ba1cdf1b64e9773db7eac3a1fdbfa1b74908a921e9

SHA512
801a74a990ff3a78193d57e047d81fb07ca3f6eceb03f633c0046be16976f60b3f7fb9975f1b28198b5559f000e0754c2822e1468789592cba1dba83031fcdce

Download Submit
C:\Windows\{5701B134-CBC3-460f-B542-B6B12F4E566F}.exe

Filesize
180KB

MD5
cfd71e034aecad1ba0e2417b1a135bfa

SHA1
1fce4b19369286a5920ffc85a8a0e0d18178684e

SHA256
87e83cded9ef4a2f728c91ba1cdf1b64e9773db7eac3a1fdbfa1b74908a921e9

SHA512
801a74a990ff3a78193d57e047d81fb07ca3f6eceb03f633c0046be16976f60b3f7fb9975f1b28198b5559f000e0754c2822e1468789592cba1dba83031fcdce

Download Submit
C:\Windows\{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe

Filesize
180KB

MD5
b4b1a8ce183a43d2cc39e9545256bb6b

SHA1
cfdd33eef6962ce4631694c21be98ae7e5c600ed

SHA256
97e391923c3aa481b722e3c896a8f4a719fec0f668fa9f886000a60ee2df52e9

SHA512
1e91293e0404621c10feb70f30d84cc31d26d15e81021f8549a88d5c3e9ef61cffe223be5343a9f4171632d243a3a97ea262b5969fc0700a407a48a9477502ae

Download Submit
C:\Windows\{81E70358-07D3-49c0-B76B-1BBD5180C22E}.exe

Filesize
180KB

MD5
b4b1a8ce183a43d2cc39e9545256bb6b

SHA1
cfdd33eef6962ce4631694c21be98ae7e5c600ed

SHA256
97e391923c3aa481b722e3c896a8f4a719fec0f668fa9f886000a60ee2df52e9

SHA512
1e91293e0404621c10feb70f30d84cc31d26d15e81021f8549a88d5c3e9ef61cffe223be5343a9f4171632d243a3a97ea262b5969fc0700a407a48a9477502ae

Download Submit
C:\Windows\{B231E2DD-4FD8-48cf-A94A-F32387002E0F}.exe

Filesize
180KB

MD5
34e12125ce7e5760a0f53a3a47a670f6

SHA1
e112cc04d0391157477b34d94d039d14442f708f

SHA256
b01b5fb2f93d5c0046813ab30919075feaf1eed93b1d8cf258b9d1c8a50235a6

SHA512
90f7115ac8a3b7ba411596ab8ec3ad15c660a991223ba7ca35908729a95d65b9d05a607c690e6cf846a191261ffe65e2244d7169982f87a115e0ccb35f41db8d

Download Submit
C:\Windows\{B231E2DD-4FD8-48cf-A94A-F32387002E0F}.exe

Filesize
180KB

MD5
34e12125ce7e5760a0f53a3a47a670f6

SHA1
e112cc04d0391157477b34d94d039d14442f708f

SHA256
b01b5fb2f93d5c0046813ab30919075feaf1eed93b1d8cf258b9d1c8a50235a6

SHA512
90f7115ac8a3b7ba411596ab8ec3ad15c660a991223ba7ca35908729a95d65b9d05a607c690e6cf846a191261ffe65e2244d7169982f87a115e0ccb35f41db8d

Download Submit
C:\Windows\{B38B32C7-43CE-406b-B0C9-CC69758C023B}.exe

Filesize
180KB

MD5
19406b727e78f0951d3d20ed60ac8800

SHA1
938a17b70fc82279b3b1a241d9a6db4a061791bf

SHA256
0343acfbbfe52b883287889403e57794ee43c58d6ae38b9fc22f9b855b2be767

SHA512
b684c1ec11566ef762e44064b466f0536e4b214d3ae9ad8b1ebfb74753dad7a451fb1753b3b08338b33c48a2e1c28513c6047266fe14b5c5a7fb82216950141a

Download Submit
C:\Windows\{B38B32C7-43CE-406b-B0C9-CC69758C023B}.exe

Filesize
180KB

MD5
19406b727e78f0951d3d20ed60ac8800

SHA1
938a17b70fc82279b3b1a241d9a6db4a061791bf

SHA256
0343acfbbfe52b883287889403e57794ee43c58d6ae38b9fc22f9b855b2be767

SHA512
b684c1ec11566ef762e44064b466f0536e4b214d3ae9ad8b1ebfb74753dad7a451fb1753b3b08338b33c48a2e1c28513c6047266fe14b5c5a7fb82216950141a

Download Submit
C:\Windows\{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe

Filesize
180KB

MD5
8e5a04f95dd9cb24f89ffd0ad21b64e8

SHA1
dc242be691870d140bf87a74afa9d243ee40b931

SHA256
96b4f36f2d0af0c9888cd455abd2c462473ae0f3b7f1d58c6c463d38fd8e56bc

SHA512
464d00d4635ea75244facbff6d0853bd9dafe275df88a1f9da8ed34380d1355313e783bc0f4b08e3749c4b20d3b4be8928a3e05567c8ff7b25aa25c0cd21ae2a

Download Submit
C:\Windows\{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe

Filesize
180KB

MD5
8e5a04f95dd9cb24f89ffd0ad21b64e8

SHA1
dc242be691870d140bf87a74afa9d243ee40b931

SHA256
96b4f36f2d0af0c9888cd455abd2c462473ae0f3b7f1d58c6c463d38fd8e56bc

SHA512
464d00d4635ea75244facbff6d0853bd9dafe275df88a1f9da8ed34380d1355313e783bc0f4b08e3749c4b20d3b4be8928a3e05567c8ff7b25aa25c0cd21ae2a

Download Submit
C:\Windows\{BE57DE4D-389F-49cd-8D3E-5394697A2D59}.exe

Filesize
180KB

MD5
8e5a04f95dd9cb24f89ffd0ad21b64e8

SHA1
dc242be691870d140bf87a74afa9d243ee40b931

SHA256
96b4f36f2d0af0c9888cd455abd2c462473ae0f3b7f1d58c6c463d38fd8e56bc

SHA512
464d00d4635ea75244facbff6d0853bd9dafe275df88a1f9da8ed34380d1355313e783bc0f4b08e3749c4b20d3b4be8928a3e05567c8ff7b25aa25c0cd21ae2a

Download Submit
C:\Windows\{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe

Filesize
180KB

MD5
53da86169d1e08f2886b4310a0cafed0

SHA1
a094a22ddd9d612a24baa39d58a593ba34ff4c01

SHA256
4a5f68cac2522f17f1e43ccbbc048aa543f0eabeb93b7442395825833395290f

SHA512
d73b5c1396f90bec2f67cc7a198107dda755787550e8418ea47586c63170b29f2a0232c32028ec7ff707ef623c09cbba0da77e1a98cbdff61c0bf96f16687aab

Download Submit
C:\Windows\{C633EA0E-853A-4673-9389-A0BFB60CF133}.exe

Filesize
180KB

MD5
53da86169d1e08f2886b4310a0cafed0

SHA1
a094a22ddd9d612a24baa39d58a593ba34ff4c01

SHA256
4a5f68cac2522f17f1e43ccbbc048aa543f0eabeb93b7442395825833395290f

SHA512
d73b5c1396f90bec2f67cc7a198107dda755787550e8418ea47586c63170b29f2a0232c32028ec7ff707ef623c09cbba0da77e1a98cbdff61c0bf96f16687aab

Download Submit
C:\Windows\{DD8F7AE0-1BFD-4b1b-B74E-BF1ECA400DB6}.exe

Filesize
180KB

MD5
9ea7515d02d42763006e6864d58c7b2d

SHA1
1eab3f6dd50778602f4b07d6f22c73841edc7f32

SHA256
7fbacb17cae9b44790264474739c183a01c01b7b4db93f497b13308bbfca6480

SHA512
cccd1bca9f3336de7eec76133491a21a8843fb49a41d2c401c5c9863fa3170b7e23abbd4913592d275b1ca61a2bd16b5dd774adebf59f2e87678797eddd336af

Download Submit
C:\Windows\{EA0B11B3-A9B6-4758-9768-45766329F055}.exe

Filesize
180KB

MD5
e2688c15da1b1bedfafa354b1a738f54

SHA1
8888a665f1d1a2a3956c997a39a95ea0d26a3340

SHA256
fa0c0465945a3d7ff9a6b1b08ec6e84bd1d27e6957707fc05b98ed0f661e6608

SHA512
18d69d2573dac1d42c900f075def218db78aac67a5e9f2ca11d768c66433c286d436684c18cdbce0b35d0dc5024d543346a9aa6f5238475ca9874d91cc3b73fc

Download Submit
C:\Windows\{EA0B11B3-A9B6-4758-9768-45766329F055}.exe

Filesize
180KB

MD5
e2688c15da1b1bedfafa354b1a738f54

SHA1
8888a665f1d1a2a3956c997a39a95ea0d26a3340

SHA256
fa0c0465945a3d7ff9a6b1b08ec6e84bd1d27e6957707fc05b98ed0f661e6608

SHA512
18d69d2573dac1d42c900f075def218db78aac67a5e9f2ca11d768c66433c286d436684c18cdbce0b35d0dc5024d543346a9aa6f5238475ca9874d91cc3b73fc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads