3162d9b0eb1775eb0c18074b80433e7dcc88c2c0f1f0bf5a0b1aad56ce41165e

Analysis

max time kernel
138s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_298e95b0fd35684f1a30a74755b35c10_goldeneye.exe
Size

216KB
MD5

298e95b0fd35684f1a30a74755b35c10
SHA1

84710835fe4401153989c77945ff2285cb08f9fa
SHA256

3162d9b0eb1775eb0c18074b80433e7dcc88c2c0f1f0bf5a0b1aad56ce41165e
SHA512

176b61b1799d662abad1f00b240940f479ed313cc7b9f396aa910e81ef6f8cdec418c17d477c132eca00ff4c11cccd91f79b6798382284eafb40f3ae410d1fde
SSDEEP

3072:jEGh0oYl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGmlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}	{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC1101AB-EF56-4e72-B1F3-C357B7B4037F}\stubpath = "C:\\Windows\\{DC1101AB-EF56-4e72-B1F3-C357B7B4037F}.exe"	{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAE28C56-B774-419e-A206-50B1C377BB71}	{C2B34084-4625-4791-A590-B11F2E91EEC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BA60CDD-CA84-4c7a-AD4F-0259EF285929}\stubpath = "C:\\Windows\\{4BA60CDD-CA84-4c7a-AD4F-0259EF285929}.exe"	{DAE28C56-B774-419e-A206-50B1C377BB71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7608639E-CCC7-46f2-8389-618214B5A741}	{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}\stubpath = "C:\\Windows\\{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe"	{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}\stubpath = "C:\\Windows\\{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe"	{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A27D2019-BD10-4f27-ACF2-901EA120ACC2}	2024-01-01_298e95b0fd35684f1a30a74755b35c10_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B331969-94AA-4c1f-B710-F8B13C69A02F}	{7608639E-CCC7-46f2-8389-618214B5A741}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAE28C56-B774-419e-A206-50B1C377BB71}\stubpath = "C:\\Windows\\{DAE28C56-B774-419e-A206-50B1C377BB71}.exe"	{C2B34084-4625-4791-A590-B11F2E91EEC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BA60CDD-CA84-4c7a-AD4F-0259EF285929}	{DAE28C56-B774-419e-A206-50B1C377BB71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2B34084-4625-4791-A590-B11F2E91EEC6}	{DC1101AB-EF56-4e72-B1F3-C357B7B4037F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2B34084-4625-4791-A590-B11F2E91EEC6}\stubpath = "C:\\Windows\\{C2B34084-4625-4791-A590-B11F2E91EEC6}.exe"	{DC1101AB-EF56-4e72-B1F3-C357B7B4037F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B331969-94AA-4c1f-B710-F8B13C69A02F}\stubpath = "C:\\Windows\\{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe"	{7608639E-CCC7-46f2-8389-618214B5A741}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBB828E9-A587-41a1-9686-7F752EEFFA4C}	{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBB828E9-A587-41a1-9686-7F752EEFFA4C}\stubpath = "C:\\Windows\\{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe"	{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}	{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}	{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}\stubpath = "C:\\Windows\\{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe"	{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A27D2019-BD10-4f27-ACF2-901EA120ACC2}\stubpath = "C:\\Windows\\{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe"	2024-01-01_298e95b0fd35684f1a30a74755b35c10_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7608639E-CCC7-46f2-8389-618214B5A741}\stubpath = "C:\\Windows\\{7608639E-CCC7-46f2-8389-618214B5A741}.exe"	{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC1101AB-EF56-4e72-B1F3-C357B7B4037F}	{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2408	{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe
2744	{7608639E-CCC7-46f2-8389-618214B5A741}.exe
2572	{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe
1972	{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe
880	{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe
2700	{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe
1944	{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe
1216	{DC1101AB-EF56-4e72-B1F3-C357B7B4037F}.exe
2356	{C2B34084-4625-4791-A590-B11F2E91EEC6}.exe
2376	{DAE28C56-B774-419e-A206-50B1C377BB71}.exe
2340	{4BA60CDD-CA84-4c7a-AD4F-0259EF285929}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe	2024-01-01_298e95b0fd35684f1a30a74755b35c10_goldeneye.exe
File created	C:\Windows\{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe	{7608639E-CCC7-46f2-8389-618214B5A741}.exe
File created	C:\Windows\{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe	{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe
File created	C:\Windows\{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe	{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe
File created	C:\Windows\{DC1101AB-EF56-4e72-B1F3-C357B7B4037F}.exe	{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe
File created	C:\Windows\{C2B34084-4625-4791-A590-B11F2E91EEC6}.exe	{DC1101AB-EF56-4e72-B1F3-C357B7B4037F}.exe
File created	C:\Windows\{7608639E-CCC7-46f2-8389-618214B5A741}.exe	{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe
File created	C:\Windows\{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe	{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe
File created	C:\Windows\{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe	{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe
File created	C:\Windows\{DAE28C56-B774-419e-A206-50B1C377BB71}.exe	{C2B34084-4625-4791-A590-B11F2E91EEC6}.exe
File created	C:\Windows\{4BA60CDD-CA84-4c7a-AD4F-0259EF285929}.exe	{DAE28C56-B774-419e-A206-50B1C377BB71}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1916	2024-01-01_298e95b0fd35684f1a30a74755b35c10_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2408	{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe
Token: SeIncBasePriorityPrivilege	2744	{7608639E-CCC7-46f2-8389-618214B5A741}.exe
Token: SeIncBasePriorityPrivilege	2572	{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe
Token: SeIncBasePriorityPrivilege	1972	{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe
Token: SeIncBasePriorityPrivilege	880	{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe
Token: SeIncBasePriorityPrivilege	2700	{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe
Token: SeIncBasePriorityPrivilege	1944	{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe
Token: SeIncBasePriorityPrivilege	1216	{DC1101AB-EF56-4e72-B1F3-C357B7B4037F}.exe
Token: SeIncBasePriorityPrivilege	2356	{C2B34084-4625-4791-A590-B11F2E91EEC6}.exe
Token: SeIncBasePriorityPrivilege	2376	{DAE28C56-B774-419e-A206-50B1C377BB71}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2408	1916	2024-01-01_298e95b0fd35684f1a30a74755b35c10_goldeneye.exe	29
PID 1916 wrote to memory of 2408	1916	2024-01-01_298e95b0fd35684f1a30a74755b35c10_goldeneye.exe	29
PID 1916 wrote to memory of 2408	1916	2024-01-01_298e95b0fd35684f1a30a74755b35c10_goldeneye.exe	29
PID 1916 wrote to memory of 2408	1916	2024-01-01_298e95b0fd35684f1a30a74755b35c10_goldeneye.exe	29
PID 1916 wrote to memory of 2632	1916	2024-01-01_298e95b0fd35684f1a30a74755b35c10_goldeneye.exe	28
PID 1916 wrote to memory of 2632	1916	2024-01-01_298e95b0fd35684f1a30a74755b35c10_goldeneye.exe	28
PID 1916 wrote to memory of 2632	1916	2024-01-01_298e95b0fd35684f1a30a74755b35c10_goldeneye.exe	28
PID 1916 wrote to memory of 2632	1916	2024-01-01_298e95b0fd35684f1a30a74755b35c10_goldeneye.exe	28
PID 2408 wrote to memory of 2744	2408	{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe	33
PID 2408 wrote to memory of 2744	2408	{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe	33
PID 2408 wrote to memory of 2744	2408	{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe	33
PID 2408 wrote to memory of 2744	2408	{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe	33
PID 2408 wrote to memory of 2420	2408	{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe	32
PID 2408 wrote to memory of 2420	2408	{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe	32
PID 2408 wrote to memory of 2420	2408	{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe	32
PID 2408 wrote to memory of 2420	2408	{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe	32
PID 2744 wrote to memory of 2572	2744	{7608639E-CCC7-46f2-8389-618214B5A741}.exe	34
PID 2744 wrote to memory of 2572	2744	{7608639E-CCC7-46f2-8389-618214B5A741}.exe	34
PID 2744 wrote to memory of 2572	2744	{7608639E-CCC7-46f2-8389-618214B5A741}.exe	34
PID 2744 wrote to memory of 2572	2744	{7608639E-CCC7-46f2-8389-618214B5A741}.exe	34
PID 2744 wrote to memory of 3044	2744	{7608639E-CCC7-46f2-8389-618214B5A741}.exe	35
PID 2744 wrote to memory of 3044	2744	{7608639E-CCC7-46f2-8389-618214B5A741}.exe	35
PID 2744 wrote to memory of 3044	2744	{7608639E-CCC7-46f2-8389-618214B5A741}.exe	35
PID 2744 wrote to memory of 3044	2744	{7608639E-CCC7-46f2-8389-618214B5A741}.exe	35
PID 2572 wrote to memory of 1972	2572	{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe	36
PID 2572 wrote to memory of 1972	2572	{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe	36
PID 2572 wrote to memory of 1972	2572	{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe	36
PID 2572 wrote to memory of 1972	2572	{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe	36
PID 2572 wrote to memory of 560	2572	{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe	37
PID 2572 wrote to memory of 560	2572	{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe	37
PID 2572 wrote to memory of 560	2572	{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe	37
PID 2572 wrote to memory of 560	2572	{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe	37
PID 1972 wrote to memory of 880	1972	{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe	38
PID 1972 wrote to memory of 880	1972	{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe	38
PID 1972 wrote to memory of 880	1972	{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe	38
PID 1972 wrote to memory of 880	1972	{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe	38
PID 1972 wrote to memory of 564	1972	{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe	39
PID 1972 wrote to memory of 564	1972	{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe	39
PID 1972 wrote to memory of 564	1972	{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe	39
PID 1972 wrote to memory of 564	1972	{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe	39
PID 880 wrote to memory of 2700	880	{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe	40
PID 880 wrote to memory of 2700	880	{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe	40
PID 880 wrote to memory of 2700	880	{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe	40
PID 880 wrote to memory of 2700	880	{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe	40
PID 880 wrote to memory of 2752	880	{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe	41
PID 880 wrote to memory of 2752	880	{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe	41
PID 880 wrote to memory of 2752	880	{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe	41
PID 880 wrote to memory of 2752	880	{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe	41
PID 2700 wrote to memory of 1944	2700	{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe	42
PID 2700 wrote to memory of 1944	2700	{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe	42
PID 2700 wrote to memory of 1944	2700	{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe	42
PID 2700 wrote to memory of 1944	2700	{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe	42
PID 2700 wrote to memory of 1724	2700	{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe	43
PID 2700 wrote to memory of 1724	2700	{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe	43
PID 2700 wrote to memory of 1724	2700	{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe	43
PID 2700 wrote to memory of 1724	2700	{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe	43
PID 1944 wrote to memory of 1216	1944	{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe	45
PID 1944 wrote to memory of 1216	1944	{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe	45
PID 1944 wrote to memory of 1216	1944	{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe	45
PID 1944 wrote to memory of 1216	1944	{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe	45
PID 1944 wrote to memory of 1800	1944	{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe	44
PID 1944 wrote to memory of 1800	1944	{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe	44
PID 1944 wrote to memory of 1800	1944	{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe	44
PID 1944 wrote to memory of 1800	1944	{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-01_298e95b0fd35684f1a30a74755b35c10_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_298e95b0fd35684f1a30a74755b35c10_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2632
- C:\Windows\{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe
  C:\Windows\{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A27D2~1.EXE > nul
    3⤵
    PID:2420
- - C:\Windows\{7608639E-CCC7-46f2-8389-618214B5A741}.exe
    C:\Windows\{7608639E-CCC7-46f2-8389-618214B5A741}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe
      C:\Windows\{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe
        
        C:\Windows\{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe
        
        C:\Windows\{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe
        
        C:\Windows\{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe
        
        C:\Windows\{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43CCB~1.EXE > nul
        9⤵
        
        PID:1800
        
        C:\Windows\{DC1101AB-EF56-4e72-B1F3-C357B7B4037F}.exe
        
        C:\Windows\{DC1101AB-EF56-4e72-B1F3-C357B7B4037F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC110~1.EXE > nul
        10⤵
        
        PID:2564
        
        C:\Windows\{C2B34084-4625-4791-A590-B11F2E91EEC6}.exe
        
        C:\Windows\{C2B34084-4625-4791-A590-B11F2E91EEC6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2B34~1.EXE > nul
        11⤵
        
        PID:2084
        
        C:\Windows\{DAE28C56-B774-419e-A206-50B1C377BB71}.exe
        
        C:\Windows\{DAE28C56-B774-419e-A206-50B1C377BB71}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\{4BA60CDD-CA84-4c7a-AD4F-0259EF285929}.exe
        
        C:\Windows\{4BA60CDD-CA84-4c7a-AD4F-0259EF285929}.exe
        12⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAE28~1.EXE > nul
        12⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8315~1.EXE > nul
        8⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBB6C~1.EXE > nul
        7⤵
        
        PID:2752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBB82~1.EXE > nul
        6⤵
        
        PID:564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B331~1.EXE > nul
        5⤵
        
        PID:560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{76086~1.EXE > nul
      4⤵
      PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe

Filesize
85KB

MD5
533fea1e62af7a87f04e3ab657898893

SHA1
3588fd762e19b96f1be5cce72f67e44a8144623f

SHA256
67e6a2c9bb72c93546c8332e5a0ab97511eb96bb72ccc2ecfc2e5793e85a1ccd

SHA512
30e5496598590fc3037366ffdf248386ac88331778e16aee0753a0e86940a9a2a144a902a81013e64345c987f646e21c083738f56593348c79fe00c18d735c9e

Download Submit
C:\Windows\{43CCB8CF-335C-4baf-ADE5-F5B2EA0E39DF}.exe

Filesize
45KB

MD5
7e63234f57102f2a5b7f0031bb4372da

SHA1
33615d8a859f5187c25890986081e4c7b12722c6

SHA256
e4c53c697e8213e0429d18173d28b435415d49b25fd6ed18c03063724f41bdc1

SHA512
e407061afbe3a5d10ecebcf33d7c6d220670f6c032f7059f4f30efeccf92ce65157147fbd35187c0eff97dd7160b5f2b319ae02da0f28bbd1d2fee8017c111d9

Download Submit
C:\Windows\{4BA60CDD-CA84-4c7a-AD4F-0259EF285929}.exe

Filesize
28KB

MD5
e88d0619da23206f61a9afe3c5f9daa2

SHA1
e5883c41efb37c52c39144aa494913cf0c2503af

SHA256
0f15c146cd799f964054fd83bb0f9e754665d44c905776a890f9d00b6c55179f

SHA512
5f41e6959f475b95413c60352aa6dd39160658f86367ba549ef86b832e0183c07a42c0125d9c496487b51cdb4fdcb7dd555d9b4216e8ffc7699c7fb4229b51fb

Download Submit
C:\Windows\{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe

Filesize
216KB

MD5
895bad5bf3f5ddcd8a0f6e73c4d15a05

SHA1
b45db7c947f91413d8e0ab8011d8f0e9c5cfe2ac

SHA256
b02cdc6dba04988b3ccf6d99adc0fc9b049c219a6d776e965b526760eb3c9c1b

SHA512
7c32fd64a368fffdd29f2b880f4572076ab53a46fbcb4ad874ac687e1f22887760ed5edf7e07f32cab1e0b5a9454a06dddd4c24d7ea674ede170a90bed7331cd

Download Submit
C:\Windows\{6B331969-94AA-4c1f-B710-F8B13C69A02F}.exe

Filesize
37KB

MD5
42c8d5d59df45f0b9a5ce91de2d950d1

SHA1
667f4ab00ea830ec21367134f5dac8036fe779de

SHA256
9b176d16b7b3b93a1dad1ea14c830a4065d5f298efa9d386524653a5f5fa0574

SHA512
c273c4bd96a31c48d96ff24e0ae4713f6de925b8ce3f43569baa087729fd2681ffe5a5f43c4670f7745c465f1517c7879ab7020c58872fe25f4c6eaed36b8eb5

Download Submit
C:\Windows\{7608639E-CCC7-46f2-8389-618214B5A741}.exe

Filesize
216KB

MD5
654cbf1e55efd280f1db822433fc1af4

SHA1
99054d6f18614fecd72cc32431f97a39af485813

SHA256
1fbd4ac50722d36f6e19be9ea11e6427db85e6f21056feb0da94528a0642aaf0

SHA512
7bb24d9db4331c2874970fd2a79df0b0d45c3575c44ff78a18dddb0ce193a9aceb80f8a53d46264c4b92eaee8376b8addde08029013f680f7b85214f1fb823c1

Download Submit
C:\Windows\{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe

Filesize
26KB

MD5
37547d7b88b59a805c9cba4f113c8a00

SHA1
12714de6a4dc9aea50ac3bcddd2df5822b2e9525

SHA256
d82928a0b770c23d9cb32d3387e5576db54ba250a22bfddf998d020300438f64

SHA512
c359bdd63af15d732056dbd386da787f7274d5bfc9a64777512b0eb1b28afe1feaeca61436918b0bb15963866ac3e4131db57033f0d5b59370b45a232f08620d

Download Submit
C:\Windows\{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe

Filesize
92KB

MD5
d3c85611d8d607fef4a65da9b414e806

SHA1
f8a20a69163ecddbb2594f3f52e656b9467ca0c8

SHA256
71901c49ed2ecb703e66a54a206de9b48baeab6b93a686884ed2a90312b4e2d2

SHA512
318a6dc7a6a627711539eece03c715d9a17123d854c92dbf6a90b9e003eb40f1007ff22967f5dc0a202e2978f8c38618e3e7c76f09b6fd5d66e2de49445c3d87

Download Submit
C:\Windows\{A27D2019-BD10-4f27-ACF2-901EA120ACC2}.exe

Filesize
216KB

MD5
ff10d714f0cfea4aa066a8f478dcd68d

SHA1
9bdc5c678f06799af0d1f25931a06f8ac6ceca85

SHA256
a248038a4f0e672bc05381d22b446977e3409b3c09388df71b2884ee7897c31c

SHA512
44d9a429efb5e19039469b647d935054771f9400b8bb26f84aee197869f73d7c29d5062c9e4217b3ba70507b8049dc8b1c8b689ea9cbc305715a3db8622a1645

Download Submit
C:\Windows\{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe

Filesize
216KB

MD5
9e85e69f285a80f119634c0f6434f91b

SHA1
855c1161bca77ba0693cbdd3f9ba16238ac488c9

SHA256
b37df76fa6ce525cfad671763b4b017d0b60aaa3737661c9276fdc25180d736b

SHA512
9f2ed0818a6c0151586e197b20cbd29744e315def14678adc2e1c82695d36d8e95171faf3859803b10518f1aec6d1bea46194a8333a1f67e8fcda83674078e55

Download Submit
C:\Windows\{A8315CEF-11A1-4815-B3E5-42F44A29B8C2}.exe

Filesize
1KB

MD5
4bc0c8a9188ba80b6b1d123f1538b01c

SHA1
f970f1d1eb981593f5dce6c92a843c45a5c93db2

SHA256
8d808b2a37d78acca7fb3cf18ce2a6c378433f6f09a1700955074eec9d0673ec

SHA512
c9ee2ff3915c0df23c16a774bcd2e4a8584e4d938b10e998e95e7095975d88c825c7d1d681916823e64f9076d739769afadff629f6aa608e4e14a41b9d5b5bd4

Download Submit
C:\Windows\{C2B34084-4625-4791-A590-B11F2E91EEC6}.exe

Filesize
70KB

MD5
a8df4e19d24533a7c5c9be6ff2a2c849

SHA1
9c32b76030bc8554e617aa4e548812b4d79bbebd

SHA256
2bfd4fc9edaf406bed3c4741201ff8ce05013949da0dd83ee315cea91c6b1a34

SHA512
8deaf2f4d19c202e2a6b83a3c06799c002f716432e82b327a50a9017a1fae194e2224ad5ed38ad858ec86409eb61bc1e6d74b6f114fd3c82dbb69c30d8582579

Download Submit
C:\Windows\{C2B34084-4625-4791-A590-B11F2E91EEC6}.exe

Filesize
216KB

MD5
a965c6f6bb020913924240f259a4a4b6

SHA1
da0d155117204ae5a023a0d47b8b5be9353e1f78

SHA256
179a7eccf30eed851f8f5ae05c0ead87849eb47a153bf46b51d4b7a9998b86fe

SHA512
cba6419784d385c8ecbcb4ae57e5aa18c003298db634ea4b21f8ba9b8f6340213ea745611c57efdaa0201e99bb73fedf38f69532a28e2abd0e659ec911ee28c1

Download Submit
C:\Windows\{DAE28C56-B774-419e-A206-50B1C377BB71}.exe

Filesize
216KB

MD5
25072de8a4aa78c06c3154776dcb8c0c

SHA1
6bce996f075876134eb017fd284d9f84deda1b63

SHA256
0c33e09948fdcd988a2549c95334993cc2c88dcd69c44665454ac29553a03a0b

SHA512
7adeb4c0209af2dc7201bb518244bb229a43dbc92babbdd5afb4dd6d3f33e096fa1716bd04da0d0e90dda6ffcffd76adcb61b905a7dad9b7dc574347e1cb66d6

Download Submit
C:\Windows\{DBB6CFBE-86A7-40cd-B034-D7EA82867BF5}.exe

Filesize
216KB

MD5
4dd49acea626a0e3dc8056a14f9a5d88

SHA1
a6845896ebd498f783355eefe8e2823b1d616e69

SHA256
72ce021e1d9dece161a418805da3b9a6c9937713c7a5e49a7c0d286ec3b5caae

SHA512
1e464f7300be190ef9a6d4f37dca716dc3b2f5d4d4d6d8a9f6770de43395510e69e8a4f622d253057a8d409bd1205b453a8d5ed998a8cf1120a1c1711dbe7db0

Download Submit
C:\Windows\{DC1101AB-EF56-4e72-B1F3-C357B7B4037F}.exe

Filesize
113KB

MD5
7879eae455f918a0305999f5c0b4f816

SHA1
e2d301dcda67eebda09104835f404416e2268132

SHA256
0713f11a8b3f3c633edde3633a3c7eaa170ad6542ea85b974cd3823120e31642

SHA512
2d9d4731a6ebc1708060d30389d61bfa354d72f07af9d9849e52cf113b099b0d1589ce190d8db3a9e5f7ecb8df655fda02495411cb9db95db6f7ffb56027d284

Download Submit
C:\Windows\{DC1101AB-EF56-4e72-B1F3-C357B7B4037F}.exe

Filesize
90KB

MD5
fa641b77fb03e7865accb9244dbb4b0b

SHA1
5edc25c9706fd6dd874a582adf3b7fb938771c9a

SHA256
795a1c785dff216f06bf7c760830ecbb886ba32f0549b1cf1c33f92e15918992

SHA512
f8e3cfe8c22bfae392ee8235a000c221e8524ed7b91ed1e0e3c889452165d1186a8485937e76b62e45065bab92d23d97a336bced0f63a61199b05f1ebffd4206

Download Submit
C:\Windows\{EBB828E9-A587-41a1-9686-7F752EEFFA4C}.exe

Filesize
216KB

MD5
209a2992ef42e41161b4746f68df9cf2

SHA1
dae53f19c06b9a2b3e6f9cae013dcd2e7454162f

SHA256
54e608c7a2b045dc0f36567020467591b491600cafc11ef909ed6946da501ad0

SHA512
3fea26c20aa81d97f746d12633f55b2572dc8fbb958e134c3a3aa10e293d9d95382d9d347de7b6a0146fc25caf7bc9125d9493a558c1f9865afefd3969b753ab

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads