05d07562955cfc44a6f03ddb38a9c25891ed86a4dceb9d4a01727b59e08a2c5e

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-25_3e58b2b5e3456f10d210d40065c08a39_goldeneye_JC.exe
Size

408KB
MD5

3e58b2b5e3456f10d210d40065c08a39
SHA1

4bf0439dd3b7ab7dc592c8b30f2bd2ea19baa1ac
SHA256

05d07562955cfc44a6f03ddb38a9c25891ed86a4dceb9d4a01727b59e08a2c5e
SHA512

ebe0f2f9380b7b7520287036b8d3c2be0d02f26b4543819d6a04a37741a5049e1749da9db70d1696aa352a03e15d9194b9888efaee2a49c5c3ea7d4a0f4e627c
SSDEEP

3072:CEGh0oLl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGtldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}	{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC000AFD-6ECD-4716-B771-2DA99EE4F387}	{D573C71B-718B-4720-BA38-FF14EC49521F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBCD3F06-2723-42f9-9551-923571D76119}\stubpath = "C:\\Windows\\{EBCD3F06-2723-42f9-9551-923571D76119}.exe"	{CC000AFD-6ECD-4716-B771-2DA99EE4F387}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83938FC5-1BD2-42d2-9E34-0B9D78A36AFF}	{FC2D2CC3-0E6A-4178-991A-BDFC41795EC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC000AFD-6ECD-4716-B771-2DA99EE4F387}\stubpath = "C:\\Windows\\{CC000AFD-6ECD-4716-B771-2DA99EE4F387}.exe"	{D573C71B-718B-4720-BA38-FF14EC49521F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC2D2CC3-0E6A-4178-991A-BDFC41795EC7}\stubpath = "C:\\Windows\\{FC2D2CC3-0E6A-4178-991A-BDFC41795EC7}.exe"	{EBCD3F06-2723-42f9-9551-923571D76119}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CDD2349-2065-4541-9D64-99D23D6122A0}	{83938FC5-1BD2-42d2-9E34-0B9D78A36AFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}\stubpath = "C:\\Windows\\{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe"	{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}	{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}\stubpath = "C:\\Windows\\{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe"	{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D573C71B-718B-4720-BA38-FF14EC49521F}	{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D573C71B-718B-4720-BA38-FF14EC49521F}\stubpath = "C:\\Windows\\{D573C71B-718B-4720-BA38-FF14EC49521F}.exe"	{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CDD2349-2065-4541-9D64-99D23D6122A0}\stubpath = "C:\\Windows\\{1CDD2349-2065-4541-9D64-99D23D6122A0}.exe"	{83938FC5-1BD2-42d2-9E34-0B9D78A36AFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}	{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}\stubpath = "C:\\Windows\\{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe"	{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}	{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBCD3F06-2723-42f9-9551-923571D76119}	{CC000AFD-6ECD-4716-B771-2DA99EE4F387}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}	2023-08-25_3e58b2b5e3456f10d210d40065c08a39_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}\stubpath = "C:\\Windows\\{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe"	2023-08-25_3e58b2b5e3456f10d210d40065c08a39_goldeneye_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}\stubpath = "C:\\Windows\\{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe"	{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}	{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}\stubpath = "C:\\Windows\\{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe"	{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC2D2CC3-0E6A-4178-991A-BDFC41795EC7}	{EBCD3F06-2723-42f9-9551-923571D76119}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83938FC5-1BD2-42d2-9E34-0B9D78A36AFF}\stubpath = "C:\\Windows\\{83938FC5-1BD2-42d2-9E34-0B9D78A36AFF}.exe"	{FC2D2CC3-0E6A-4178-991A-BDFC41795EC7}.exe

Deletes itself 1 IoCs

pid	Process
2424	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
3032	{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe
1648	{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe
2976	{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe
2676	{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe
2512	{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe
2748	{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe
2508	{D573C71B-718B-4720-BA38-FF14EC49521F}.exe
1056	{CC000AFD-6ECD-4716-B771-2DA99EE4F387}.exe
2948	{EBCD3F06-2723-42f9-9551-923571D76119}.exe
2364	{FC2D2CC3-0E6A-4178-991A-BDFC41795EC7}.exe
2864	{83938FC5-1BD2-42d2-9E34-0B9D78A36AFF}.exe
2780	{1CDD2349-2065-4541-9D64-99D23D6122A0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe	{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe
File created	C:\Windows\{D573C71B-718B-4720-BA38-FF14EC49521F}.exe	{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe
File created	C:\Windows\{FC2D2CC3-0E6A-4178-991A-BDFC41795EC7}.exe	{EBCD3F06-2723-42f9-9551-923571D76119}.exe
File created	C:\Windows\{83938FC5-1BD2-42d2-9E34-0B9D78A36AFF}.exe	{FC2D2CC3-0E6A-4178-991A-BDFC41795EC7}.exe
File created	C:\Windows\{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe	{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe
File created	C:\Windows\{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe	{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe
File created	C:\Windows\{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe	{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe
File created	C:\Windows\{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe	{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe
File created	C:\Windows\{CC000AFD-6ECD-4716-B771-2DA99EE4F387}.exe	{D573C71B-718B-4720-BA38-FF14EC49521F}.exe
File created	C:\Windows\{EBCD3F06-2723-42f9-9551-923571D76119}.exe	{CC000AFD-6ECD-4716-B771-2DA99EE4F387}.exe
File created	C:\Windows\{1CDD2349-2065-4541-9D64-99D23D6122A0}.exe	{83938FC5-1BD2-42d2-9E34-0B9D78A36AFF}.exe
File created	C:\Windows\{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe	2023-08-25_3e58b2b5e3456f10d210d40065c08a39_goldeneye_JC.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3000	2023-08-25_3e58b2b5e3456f10d210d40065c08a39_goldeneye_JC.exe
Token: SeIncBasePriorityPrivilege	3032	{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe
Token: SeIncBasePriorityPrivilege	1648	{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe
Token: SeIncBasePriorityPrivilege	2976	{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe
Token: SeIncBasePriorityPrivilege	2676	{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe
Token: SeIncBasePriorityPrivilege	2512	{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe
Token: SeIncBasePriorityPrivilege	2748	{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe
Token: SeIncBasePriorityPrivilege	2508	{D573C71B-718B-4720-BA38-FF14EC49521F}.exe
Token: SeIncBasePriorityPrivilege	1056	{CC000AFD-6ECD-4716-B771-2DA99EE4F387}.exe
Token: SeIncBasePriorityPrivilege	2948	{EBCD3F06-2723-42f9-9551-923571D76119}.exe
Token: SeIncBasePriorityPrivilege	2364	{FC2D2CC3-0E6A-4178-991A-BDFC41795EC7}.exe
Token: SeIncBasePriorityPrivilege	2864	{83938FC5-1BD2-42d2-9E34-0B9D78A36AFF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 3032	3000	2023-08-25_3e58b2b5e3456f10d210d40065c08a39_goldeneye_JC.exe	28
PID 3000 wrote to memory of 3032	3000	2023-08-25_3e58b2b5e3456f10d210d40065c08a39_goldeneye_JC.exe	28
PID 3000 wrote to memory of 3032	3000	2023-08-25_3e58b2b5e3456f10d210d40065c08a39_goldeneye_JC.exe	28
PID 3000 wrote to memory of 3032	3000	2023-08-25_3e58b2b5e3456f10d210d40065c08a39_goldeneye_JC.exe	28
PID 3000 wrote to memory of 2424	3000	2023-08-25_3e58b2b5e3456f10d210d40065c08a39_goldeneye_JC.exe	29
PID 3000 wrote to memory of 2424	3000	2023-08-25_3e58b2b5e3456f10d210d40065c08a39_goldeneye_JC.exe	29
PID 3000 wrote to memory of 2424	3000	2023-08-25_3e58b2b5e3456f10d210d40065c08a39_goldeneye_JC.exe	29
PID 3000 wrote to memory of 2424	3000	2023-08-25_3e58b2b5e3456f10d210d40065c08a39_goldeneye_JC.exe	29
PID 3032 wrote to memory of 1648	3032	{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe	30
PID 3032 wrote to memory of 1648	3032	{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe	30
PID 3032 wrote to memory of 1648	3032	{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe	30
PID 3032 wrote to memory of 1648	3032	{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe	30
PID 3032 wrote to memory of 2396	3032	{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe	31
PID 3032 wrote to memory of 2396	3032	{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe	31
PID 3032 wrote to memory of 2396	3032	{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe	31
PID 3032 wrote to memory of 2396	3032	{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe	31
PID 1648 wrote to memory of 2976	1648	{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe	35
PID 1648 wrote to memory of 2976	1648	{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe	35
PID 1648 wrote to memory of 2976	1648	{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe	35
PID 1648 wrote to memory of 2976	1648	{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe	35
PID 1648 wrote to memory of 2600	1648	{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe	34
PID 1648 wrote to memory of 2600	1648	{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe	34
PID 1648 wrote to memory of 2600	1648	{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe	34
PID 1648 wrote to memory of 2600	1648	{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe	34
PID 2976 wrote to memory of 2676	2976	{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe	36
PID 2976 wrote to memory of 2676	2976	{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe	36
PID 2976 wrote to memory of 2676	2976	{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe	36
PID 2976 wrote to memory of 2676	2976	{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe	36
PID 2976 wrote to memory of 2592	2976	{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe	37
PID 2976 wrote to memory of 2592	2976	{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe	37
PID 2976 wrote to memory of 2592	2976	{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe	37
PID 2976 wrote to memory of 2592	2976	{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe	37
PID 2676 wrote to memory of 2512	2676	{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe	38
PID 2676 wrote to memory of 2512	2676	{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe	38
PID 2676 wrote to memory of 2512	2676	{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe	38
PID 2676 wrote to memory of 2512	2676	{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe	38
PID 2676 wrote to memory of 1580	2676	{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe	39
PID 2676 wrote to memory of 1580	2676	{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe	39
PID 2676 wrote to memory of 1580	2676	{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe	39
PID 2676 wrote to memory of 1580	2676	{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe	39
PID 2512 wrote to memory of 2748	2512	{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe	41
PID 2512 wrote to memory of 2748	2512	{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe	41
PID 2512 wrote to memory of 2748	2512	{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe	41
PID 2512 wrote to memory of 2748	2512	{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe	41
PID 2512 wrote to memory of 2480	2512	{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe	40
PID 2512 wrote to memory of 2480	2512	{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe	40
PID 2512 wrote to memory of 2480	2512	{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe	40
PID 2512 wrote to memory of 2480	2512	{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe	40
PID 2748 wrote to memory of 2508	2748	{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe	42
PID 2748 wrote to memory of 2508	2748	{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe	42
PID 2748 wrote to memory of 2508	2748	{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe	42
PID 2748 wrote to memory of 2508	2748	{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe	42
PID 2748 wrote to memory of 2596	2748	{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe	43
PID 2748 wrote to memory of 2596	2748	{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe	43
PID 2748 wrote to memory of 2596	2748	{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe	43
PID 2748 wrote to memory of 2596	2748	{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe	43
PID 2508 wrote to memory of 1056	2508	{D573C71B-718B-4720-BA38-FF14EC49521F}.exe	44
PID 2508 wrote to memory of 1056	2508	{D573C71B-718B-4720-BA38-FF14EC49521F}.exe	44
PID 2508 wrote to memory of 1056	2508	{D573C71B-718B-4720-BA38-FF14EC49521F}.exe	44
PID 2508 wrote to memory of 1056	2508	{D573C71B-718B-4720-BA38-FF14EC49521F}.exe	44
PID 2508 wrote to memory of 2732	2508	{D573C71B-718B-4720-BA38-FF14EC49521F}.exe	45
PID 2508 wrote to memory of 2732	2508	{D573C71B-718B-4720-BA38-FF14EC49521F}.exe	45
PID 2508 wrote to memory of 2732	2508	{D573C71B-718B-4720-BA38-FF14EC49521F}.exe	45
PID 2508 wrote to memory of 2732	2508	{D573C71B-718B-4720-BA38-FF14EC49521F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2023-08-25_3e58b2b5e3456f10d210d40065c08a39_goldeneye_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-25_3e58b2b5e3456f10d210d40065c08a39_goldeneye_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe
  C:\Windows\{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe
    C:\Windows\{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E1D0A~1.EXE > nul
      4⤵
      PID:2600
  - - C:\Windows\{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe
      C:\Windows\{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe
        
        C:\Windows\{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe
        
        C:\Windows\{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DA43~1.EXE > nul
        7⤵
        
        PID:2480
        
        C:\Windows\{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe
        
        C:\Windows\{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\{D573C71B-718B-4720-BA38-FF14EC49521F}.exe
        
        C:\Windows\{D573C71B-718B-4720-BA38-FF14EC49521F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\{CC000AFD-6ECD-4716-B771-2DA99EE4F387}.exe
        
        C:\Windows\{CC000AFD-6ECD-4716-B771-2DA99EE4F387}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\{EBCD3F06-2723-42f9-9551-923571D76119}.exe
        
        C:\Windows\{EBCD3F06-2723-42f9-9551-923571D76119}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\{FC2D2CC3-0E6A-4178-991A-BDFC41795EC7}.exe
        
        C:\Windows\{FC2D2CC3-0E6A-4178-991A-BDFC41795EC7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\{83938FC5-1BD2-42d2-9E34-0B9D78A36AFF}.exe
        
        C:\Windows\{83938FC5-1BD2-42d2-9E34-0B9D78A36AFF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\{1CDD2349-2065-4541-9D64-99D23D6122A0}.exe
        
        C:\Windows\{1CDD2349-2065-4541-9D64-99D23D6122A0}.exe
        13⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83938~1.EXE > nul
        13⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC2D2~1.EXE > nul
        12⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBCD3~1.EXE > nul
        11⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC000~1.EXE > nul
        10⤵
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D573C~1.EXE > nul
        9⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F00C7~1.EXE > nul
        8⤵
        
        PID:2596
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AE9F~1.EXE > nul
        6⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F015~1.EXE > nul
        5⤵
        
        PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4AD02~1.EXE > nul
    3⤵
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2023-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1CDD2349-2065-4541-9D64-99D23D6122A0}.exe

Filesize
408KB

MD5
ff46117fe0a6075b3c6d4d81e2cfde5a

SHA1
89480df3ea23f2f914370aed9f2998a07b73b425

SHA256
16bac4ff716d4ac19a75a711c59a6653587e26ebf9f8f56aa3d976eab77867d9

SHA512
348e9f5f40e8646e5081c869f9469f5113671b2f742db94f1a6b35439f78ae99539de6f2caf21186565c88506ed76ca00ffbd26ba1448c63dc2d47455a0b8269

Download Submit
C:\Windows\{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe

Filesize
408KB

MD5
6427889e3d922dd1843cc82db0793057

SHA1
1b26414cc4e0adfcf3aa9cb1ca6640af32465b55

SHA256
8a15fe7feb454f3dacca7207494015550893c0a0eeeef256ef73329d1384bc14

SHA512
4b24a2d7fa4416b2a19bbb1a3947ed5e3a0700558876090913426c60a395546dc177d874baf74ef9188114f534ff6361466cc422473c1c2d652677b05faaf0d1

Download Submit
C:\Windows\{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe

Filesize
408KB

MD5
6427889e3d922dd1843cc82db0793057

SHA1
1b26414cc4e0adfcf3aa9cb1ca6640af32465b55

SHA256
8a15fe7feb454f3dacca7207494015550893c0a0eeeef256ef73329d1384bc14

SHA512
4b24a2d7fa4416b2a19bbb1a3947ed5e3a0700558876090913426c60a395546dc177d874baf74ef9188114f534ff6361466cc422473c1c2d652677b05faaf0d1

Download Submit
C:\Windows\{4AD020EF-A532-4bb2-BA2F-F5BCE7490A9D}.exe

Filesize
408KB

MD5
6427889e3d922dd1843cc82db0793057

SHA1
1b26414cc4e0adfcf3aa9cb1ca6640af32465b55

SHA256
8a15fe7feb454f3dacca7207494015550893c0a0eeeef256ef73329d1384bc14

SHA512
4b24a2d7fa4416b2a19bbb1a3947ed5e3a0700558876090913426c60a395546dc177d874baf74ef9188114f534ff6361466cc422473c1c2d652677b05faaf0d1

Download Submit
C:\Windows\{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe

Filesize
408KB

MD5
7819ed5d6cfbfc2313b1699a699dcc08

SHA1
8599ec08d51f65842d3bff6ad568f0fd90aceddd

SHA256
82147c314e939fc85f5a08b52df219ee828e2118156edad4584fb79629f456a3

SHA512
e69cb16e55a7de4d91290e2b95aa669311a935e0353593d668c56f7fff2057bc4b5679e1773718ef66d22a48edc9a35fcb6c3990f8c3c8700fd7eeda845efb49

Download Submit
C:\Windows\{4AE9F19F-F1C0-4c36-B344-360BD1305BCF}.exe

Filesize
408KB

MD5
7819ed5d6cfbfc2313b1699a699dcc08

SHA1
8599ec08d51f65842d3bff6ad568f0fd90aceddd

SHA256
82147c314e939fc85f5a08b52df219ee828e2118156edad4584fb79629f456a3

SHA512
e69cb16e55a7de4d91290e2b95aa669311a935e0353593d668c56f7fff2057bc4b5679e1773718ef66d22a48edc9a35fcb6c3990f8c3c8700fd7eeda845efb49

Download Submit
C:\Windows\{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe

Filesize
408KB

MD5
618114ffbba2cc3473990e10be04b705

SHA1
f68e571373e2bf3a4945a785ac222678101310af

SHA256
228eada38fbef385abbcd7735d943b3e70005b507761b221bdb83e78b527d8de

SHA512
7f9d563a09c5c9e53c18e64e5a9cc8c84f33f0c7961d7d7ef4e0dae893b381969c070989da0807e56e377271f30701de41d7dda17ce6367ebe9af5d1aba9ee10

Download Submit
C:\Windows\{6DA43946-F7A8-4669-B2F2-F0D210A1E0F0}.exe

Filesize
408KB

MD5
618114ffbba2cc3473990e10be04b705

SHA1
f68e571373e2bf3a4945a785ac222678101310af

SHA256
228eada38fbef385abbcd7735d943b3e70005b507761b221bdb83e78b527d8de

SHA512
7f9d563a09c5c9e53c18e64e5a9cc8c84f33f0c7961d7d7ef4e0dae893b381969c070989da0807e56e377271f30701de41d7dda17ce6367ebe9af5d1aba9ee10

Download Submit
C:\Windows\{83938FC5-1BD2-42d2-9E34-0B9D78A36AFF}.exe

Filesize
408KB

MD5
5ff9d36d4b822aba37adf2d5164c76a5

SHA1
5bb1b437f39e6169927c0be480a7e73cf1fdb146

SHA256
b9b7cd6feb701dfd6608b8fcbc42f4e0ef276fdc209ab306268d697d4f34c927

SHA512
e0bb022b0d18e9381ebfc53646928e106b59acc6fa38291f501bfdd3637a3f540d78039c1566a5b6409e71fa06efbaa583c26b88fe727a00da7c1c94d8a9c9a3

Download Submit
C:\Windows\{83938FC5-1BD2-42d2-9E34-0B9D78A36AFF}.exe

Filesize
408KB

MD5
5ff9d36d4b822aba37adf2d5164c76a5

SHA1
5bb1b437f39e6169927c0be480a7e73cf1fdb146

SHA256
b9b7cd6feb701dfd6608b8fcbc42f4e0ef276fdc209ab306268d697d4f34c927

SHA512
e0bb022b0d18e9381ebfc53646928e106b59acc6fa38291f501bfdd3637a3f540d78039c1566a5b6409e71fa06efbaa583c26b88fe727a00da7c1c94d8a9c9a3

Download Submit
C:\Windows\{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe

Filesize
408KB

MD5
26f06815dd52c6e77766b4b01f3b1fb8

SHA1
a0aaf623048f955d5b3e70fb3b4d8fbbc6a9fc34

SHA256
e98ee6e0920f1bcc8ebe9253af150c16469f8d01892dfdb1125e9716cd1d8a93

SHA512
cc4d7afa53ecc18505c4595c3f1c822ce678167fe6743676416fcf0cb1dba58424cfa57520b84853587d7e094a47167cf914e97c281b3b2f8ad1a81900f48c62

Download Submit
C:\Windows\{8F015F3A-3AC2-4f68-BF2A-7AC10593F010}.exe

Filesize
408KB

MD5
26f06815dd52c6e77766b4b01f3b1fb8

SHA1
a0aaf623048f955d5b3e70fb3b4d8fbbc6a9fc34

SHA256
e98ee6e0920f1bcc8ebe9253af150c16469f8d01892dfdb1125e9716cd1d8a93

SHA512
cc4d7afa53ecc18505c4595c3f1c822ce678167fe6743676416fcf0cb1dba58424cfa57520b84853587d7e094a47167cf914e97c281b3b2f8ad1a81900f48c62

Download Submit
C:\Windows\{CC000AFD-6ECD-4716-B771-2DA99EE4F387}.exe

Filesize
408KB

MD5
6e24cbeeb9f60672060df101ca9a4616

SHA1
477d66495bcdb2003174df49ff368378c1a6a5e3

SHA256
3ac9520132d86211df7d6d1d60560c7491f1e8e81860d2cab145e72c50eedfb5

SHA512
c180e1f655c897820ba679c2d5ec617d3ee0649c1659be5ed7850eb3d1b72a228aa6554e76a20a09e95c4514972cbd63dd7a5e7c8d7850081634a75f296bfbbc

Download Submit
C:\Windows\{CC000AFD-6ECD-4716-B771-2DA99EE4F387}.exe

Filesize
408KB

MD5
6e24cbeeb9f60672060df101ca9a4616

SHA1
477d66495bcdb2003174df49ff368378c1a6a5e3

SHA256
3ac9520132d86211df7d6d1d60560c7491f1e8e81860d2cab145e72c50eedfb5

SHA512
c180e1f655c897820ba679c2d5ec617d3ee0649c1659be5ed7850eb3d1b72a228aa6554e76a20a09e95c4514972cbd63dd7a5e7c8d7850081634a75f296bfbbc

Download Submit
C:\Windows\{D573C71B-718B-4720-BA38-FF14EC49521F}.exe

Filesize
408KB

MD5
2735783e597021c941b64d3fe6f673da

SHA1
a3357859fd2c78ee72acceffbb17a5b93364e4b4

SHA256
a6ed4888c68f58015db3176f2a05fa7c555900857c1b05cd6dc40d307c024184

SHA512
fd9aa0fe966c590c9758f80cc3acf2497257754377e93decfc436d2a81df9f8a6a084174ff36beab07825305140ccef29f753120031161e7fba0014a3793bdb0

Download Submit
C:\Windows\{D573C71B-718B-4720-BA38-FF14EC49521F}.exe

Filesize
408KB

MD5
2735783e597021c941b64d3fe6f673da

SHA1
a3357859fd2c78ee72acceffbb17a5b93364e4b4

SHA256
a6ed4888c68f58015db3176f2a05fa7c555900857c1b05cd6dc40d307c024184

SHA512
fd9aa0fe966c590c9758f80cc3acf2497257754377e93decfc436d2a81df9f8a6a084174ff36beab07825305140ccef29f753120031161e7fba0014a3793bdb0

Download Submit
C:\Windows\{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe

Filesize
408KB

MD5
30e4acca01a510ed5ebced66ec435bac

SHA1
70e902a86f25556551f0aaff5514dea7ea54eaef

SHA256
1980b77b6f6d599feacdab91db6da359b926bac99519c1ec0fc255c52e8fb760

SHA512
3388dee321aac8b5d740b2a4b25912bd54236192f59e52fcb717a03cb07e7cc5fc4db00d287b21fd634e431ba7c10f0bac48cde46cd3136ecd9c17dfbbb127a7

Download Submit
C:\Windows\{E1D0A9DE-D32D-4484-8AB9-9C74C81FC6B2}.exe

Filesize
408KB

MD5
30e4acca01a510ed5ebced66ec435bac

SHA1
70e902a86f25556551f0aaff5514dea7ea54eaef

SHA256
1980b77b6f6d599feacdab91db6da359b926bac99519c1ec0fc255c52e8fb760

SHA512
3388dee321aac8b5d740b2a4b25912bd54236192f59e52fcb717a03cb07e7cc5fc4db00d287b21fd634e431ba7c10f0bac48cde46cd3136ecd9c17dfbbb127a7

Download Submit
C:\Windows\{EBCD3F06-2723-42f9-9551-923571D76119}.exe

Filesize
408KB

MD5
4f4afb88dc56b5a819ba8721783640f9

SHA1
0bdbff7b8c7ee96cd003f096e60ab3d9c5dca40f

SHA256
683d673a4f6fb5b2f3f7dc96052fd01563c9b83b4934c09ca88fe613cc7d6254

SHA512
1c80c0872fc5efbc7e77e3342714b7cc516b8d80b60ec4ab6b3b69593a5de90d304bd68d60b99606311d31cc732b6bf690d82e3b10c03f1ad0a2ec84e6f5b8c2

Download Submit
C:\Windows\{EBCD3F06-2723-42f9-9551-923571D76119}.exe

Filesize
408KB

MD5
4f4afb88dc56b5a819ba8721783640f9

SHA1
0bdbff7b8c7ee96cd003f096e60ab3d9c5dca40f

SHA256
683d673a4f6fb5b2f3f7dc96052fd01563c9b83b4934c09ca88fe613cc7d6254

SHA512
1c80c0872fc5efbc7e77e3342714b7cc516b8d80b60ec4ab6b3b69593a5de90d304bd68d60b99606311d31cc732b6bf690d82e3b10c03f1ad0a2ec84e6f5b8c2

Download Submit
C:\Windows\{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe

Filesize
408KB

MD5
67868b49f12d1c2f123d86a721f272ad

SHA1
2f105c2cdf59f5c787fccff452e419f4d35cebf5

SHA256
f66faf85ad8ac73b52b80f34faa2deab59ab978cd2ebac6f39f6897d34e4142e

SHA512
bcf3b78746044d8cd8f70e4822c014ced935e0ec34b55f28a672f862ac99252376aa44731eea43c433cba29f26f0aafaa7d4b950f69392ec731fe301393c4f01

Download Submit
C:\Windows\{F00C7D8C-67A1-4d27-94DA-B78C2D9C58B3}.exe

Filesize
408KB

MD5
67868b49f12d1c2f123d86a721f272ad

SHA1
2f105c2cdf59f5c787fccff452e419f4d35cebf5

SHA256
f66faf85ad8ac73b52b80f34faa2deab59ab978cd2ebac6f39f6897d34e4142e

SHA512
bcf3b78746044d8cd8f70e4822c014ced935e0ec34b55f28a672f862ac99252376aa44731eea43c433cba29f26f0aafaa7d4b950f69392ec731fe301393c4f01

Download Submit
C:\Windows\{FC2D2CC3-0E6A-4178-991A-BDFC41795EC7}.exe

Filesize
408KB

MD5
43dbb36f84769ac8df5a3498656865f5

SHA1
f7564da0ae38abf1596025ef9d5a91ee36458bf5

SHA256
060ae3074dce448933eeaf3bf96fe1065651a3909876947cb8067aa0ae8a7dce

SHA512
40c267d19a256f44f8a921f6bbf9127d1e4f54f3b9d421ed1145b49b89b11609e16dac95c403c84762ac955e73762330c20e7b62cdfbdf6c1c02746d51745805

Download Submit
C:\Windows\{FC2D2CC3-0E6A-4178-991A-BDFC41795EC7}.exe

Filesize
408KB

MD5
43dbb36f84769ac8df5a3498656865f5

SHA1
f7564da0ae38abf1596025ef9d5a91ee36458bf5

SHA256
060ae3074dce448933eeaf3bf96fe1065651a3909876947cb8067aa0ae8a7dce

SHA512
40c267d19a256f44f8a921f6bbf9127d1e4f54f3b9d421ed1145b49b89b11609e16dac95c403c84762ac955e73762330c20e7b62cdfbdf6c1c02746d51745805

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads