d8c017dd39444cc5496ad22cf3be7502f00c739e01492d7288fab0118c5db4e0

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_de265f1d58d2189362a23041d25c9d13_goldeneye.exe
Size

380KB
MD5

de265f1d58d2189362a23041d25c9d13
SHA1

a59a7310b53180b2f8a4b54c82000413ccc97fe8
SHA256

d8c017dd39444cc5496ad22cf3be7502f00c739e01492d7288fab0118c5db4e0
SHA512

088fb3810e249783d1d8bcb360f08afed3b0904d4c648e6f89be131c0922ad16b932b2688faf9d057d4f81dcbd99277083a23be738e50425f1962d70be586f9f
SSDEEP

3072:mEGh0oElPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGal7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}\stubpath = "C:\\Windows\\{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe"	2024-01-01_de265f1d58d2189362a23041d25c9d13_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BF77623-2870-442a-A9BA-7659A15C0EE5}\stubpath = "C:\\Windows\\{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe"	{640377EC-81CF-495c-9A25-159385058C8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1C1CA91-3973-4d99-8E32-335C98A1DCBE}\stubpath = "C:\\Windows\\{E1C1CA91-3973-4d99-8E32-335C98A1DCBE}.exe"	{F27308C5-6203-44ce-88F0-747C605B37FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}	2024-01-01_de265f1d58d2189362a23041d25c9d13_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}\stubpath = "C:\\Windows\\{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe"	{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D23D0A1-C8F7-4525-A37A-845CFA39343E}	{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D23D0A1-C8F7-4525-A37A-845CFA39343E}\stubpath = "C:\\Windows\\{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe"	{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{165E62C7-0BCA-4c1d-B424-0C5C86877049}\stubpath = "C:\\Windows\\{165E62C7-0BCA-4c1d-B424-0C5C86877049}.exe"	{E1C1CA91-3973-4d99-8E32-335C98A1DCBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}	{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}	{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}\stubpath = "C:\\Windows\\{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe"	{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E05D7B9-50A6-4ce8-81E2-B98C6238A33A}	{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F27308C5-6203-44ce-88F0-747C605B37FE}	{5E05D7B9-50A6-4ce8-81E2-B98C6238A33A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1C1CA91-3973-4d99-8E32-335C98A1DCBE}	{F27308C5-6203-44ce-88F0-747C605B37FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BF77623-2870-442a-A9BA-7659A15C0EE5}	{640377EC-81CF-495c-9A25-159385058C8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{640377EC-81CF-495c-9A25-159385058C8D}\stubpath = "C:\\Windows\\{640377EC-81CF-495c-9A25-159385058C8D}.exe"	{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}	{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}\stubpath = "C:\\Windows\\{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe"	{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E05D7B9-50A6-4ce8-81E2-B98C6238A33A}\stubpath = "C:\\Windows\\{5E05D7B9-50A6-4ce8-81E2-B98C6238A33A}.exe"	{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F27308C5-6203-44ce-88F0-747C605B37FE}\stubpath = "C:\\Windows\\{F27308C5-6203-44ce-88F0-747C605B37FE}.exe"	{5E05D7B9-50A6-4ce8-81E2-B98C6238A33A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{165E62C7-0BCA-4c1d-B424-0C5C86877049}	{E1C1CA91-3973-4d99-8E32-335C98A1DCBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{640377EC-81CF-495c-9A25-159385058C8D}	{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe

Deletes itself 1 IoCs

pid	Process
2148	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3068	{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe
2672	{640377EC-81CF-495c-9A25-159385058C8D}.exe
2580	{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe
2972	{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe
2692	{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe
1320	{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe
1572	{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe
1452	{5E05D7B9-50A6-4ce8-81E2-B98C6238A33A}.exe
1856	{F27308C5-6203-44ce-88F0-747C605B37FE}.exe
576	{E1C1CA91-3973-4d99-8E32-335C98A1DCBE}.exe
1996	{165E62C7-0BCA-4c1d-B424-0C5C86877049}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe	{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe
File created	C:\Windows\{5E05D7B9-50A6-4ce8-81E2-B98C6238A33A}.exe	{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe
File created	C:\Windows\{F27308C5-6203-44ce-88F0-747C605B37FE}.exe	{5E05D7B9-50A6-4ce8-81E2-B98C6238A33A}.exe
File created	C:\Windows\{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe	2024-01-01_de265f1d58d2189362a23041d25c9d13_goldeneye.exe
File created	C:\Windows\{640377EC-81CF-495c-9A25-159385058C8D}.exe	{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe
File created	C:\Windows\{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe	{640377EC-81CF-495c-9A25-159385058C8D}.exe
File created	C:\Windows\{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe	{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe
File created	C:\Windows\{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe	{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe
File created	C:\Windows\{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe	{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe
File created	C:\Windows\{E1C1CA91-3973-4d99-8E32-335C98A1DCBE}.exe	{F27308C5-6203-44ce-88F0-747C605B37FE}.exe
File created	C:\Windows\{165E62C7-0BCA-4c1d-B424-0C5C86877049}.exe	{E1C1CA91-3973-4d99-8E32-335C98A1DCBE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2936	2024-01-01_de265f1d58d2189362a23041d25c9d13_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3068	{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe
Token: SeIncBasePriorityPrivilege	2672	{640377EC-81CF-495c-9A25-159385058C8D}.exe
Token: SeIncBasePriorityPrivilege	2580	{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe
Token: SeIncBasePriorityPrivilege	2972	{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe
Token: SeIncBasePriorityPrivilege	2692	{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe
Token: SeIncBasePriorityPrivilege	1320	{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe
Token: SeIncBasePriorityPrivilege	1572	{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe
Token: SeIncBasePriorityPrivilege	1452	{5E05D7B9-50A6-4ce8-81E2-B98C6238A33A}.exe
Token: SeIncBasePriorityPrivilege	1856	{F27308C5-6203-44ce-88F0-747C605B37FE}.exe
Token: SeIncBasePriorityPrivilege	576	{E1C1CA91-3973-4d99-8E32-335C98A1DCBE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 3068	2936	2024-01-01_de265f1d58d2189362a23041d25c9d13_goldeneye.exe	29
PID 2936 wrote to memory of 3068	2936	2024-01-01_de265f1d58d2189362a23041d25c9d13_goldeneye.exe	29
PID 2936 wrote to memory of 3068	2936	2024-01-01_de265f1d58d2189362a23041d25c9d13_goldeneye.exe	29
PID 2936 wrote to memory of 3068	2936	2024-01-01_de265f1d58d2189362a23041d25c9d13_goldeneye.exe	29
PID 2936 wrote to memory of 2148	2936	2024-01-01_de265f1d58d2189362a23041d25c9d13_goldeneye.exe	28
PID 2936 wrote to memory of 2148	2936	2024-01-01_de265f1d58d2189362a23041d25c9d13_goldeneye.exe	28
PID 2936 wrote to memory of 2148	2936	2024-01-01_de265f1d58d2189362a23041d25c9d13_goldeneye.exe	28
PID 2936 wrote to memory of 2148	2936	2024-01-01_de265f1d58d2189362a23041d25c9d13_goldeneye.exe	28
PID 3068 wrote to memory of 2672	3068	{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe	31
PID 3068 wrote to memory of 2672	3068	{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe	31
PID 3068 wrote to memory of 2672	3068	{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe	31
PID 3068 wrote to memory of 2672	3068	{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe	31
PID 3068 wrote to memory of 2664	3068	{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe	30
PID 3068 wrote to memory of 2664	3068	{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe	30
PID 3068 wrote to memory of 2664	3068	{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe	30
PID 3068 wrote to memory of 2664	3068	{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe	30
PID 2672 wrote to memory of 2580	2672	{640377EC-81CF-495c-9A25-159385058C8D}.exe	33
PID 2672 wrote to memory of 2580	2672	{640377EC-81CF-495c-9A25-159385058C8D}.exe	33
PID 2672 wrote to memory of 2580	2672	{640377EC-81CF-495c-9A25-159385058C8D}.exe	33
PID 2672 wrote to memory of 2580	2672	{640377EC-81CF-495c-9A25-159385058C8D}.exe	33
PID 2672 wrote to memory of 2856	2672	{640377EC-81CF-495c-9A25-159385058C8D}.exe	32
PID 2672 wrote to memory of 2856	2672	{640377EC-81CF-495c-9A25-159385058C8D}.exe	32
PID 2672 wrote to memory of 2856	2672	{640377EC-81CF-495c-9A25-159385058C8D}.exe	32
PID 2672 wrote to memory of 2856	2672	{640377EC-81CF-495c-9A25-159385058C8D}.exe	32
PID 2580 wrote to memory of 2972	2580	{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe	37
PID 2580 wrote to memory of 2972	2580	{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe	37
PID 2580 wrote to memory of 2972	2580	{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe	37
PID 2580 wrote to memory of 2972	2580	{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe	37
PID 2580 wrote to memory of 2028	2580	{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe	36
PID 2580 wrote to memory of 2028	2580	{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe	36
PID 2580 wrote to memory of 2028	2580	{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe	36
PID 2580 wrote to memory of 2028	2580	{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe	36
PID 2972 wrote to memory of 2692	2972	{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe	38
PID 2972 wrote to memory of 2692	2972	{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe	38
PID 2972 wrote to memory of 2692	2972	{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe	38
PID 2972 wrote to memory of 2692	2972	{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe	38
PID 2972 wrote to memory of 2784	2972	{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe	39
PID 2972 wrote to memory of 2784	2972	{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe	39
PID 2972 wrote to memory of 2784	2972	{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe	39
PID 2972 wrote to memory of 2784	2972	{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe	39
PID 2692 wrote to memory of 1320	2692	{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe	40
PID 2692 wrote to memory of 1320	2692	{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe	40
PID 2692 wrote to memory of 1320	2692	{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe	40
PID 2692 wrote to memory of 1320	2692	{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe	40
PID 2692 wrote to memory of 2360	2692	{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe	41
PID 2692 wrote to memory of 2360	2692	{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe	41
PID 2692 wrote to memory of 2360	2692	{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe	41
PID 2692 wrote to memory of 2360	2692	{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe	41
PID 1320 wrote to memory of 1572	1320	{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe	42
PID 1320 wrote to memory of 1572	1320	{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe	42
PID 1320 wrote to memory of 1572	1320	{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe	42
PID 1320 wrote to memory of 1572	1320	{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe	42
PID 1320 wrote to memory of 2812	1320	{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe	43
PID 1320 wrote to memory of 2812	1320	{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe	43
PID 1320 wrote to memory of 2812	1320	{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe	43
PID 1320 wrote to memory of 2812	1320	{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe	43
PID 1572 wrote to memory of 1452	1572	{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe	44
PID 1572 wrote to memory of 1452	1572	{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe	44
PID 1572 wrote to memory of 1452	1572	{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe	44
PID 1572 wrote to memory of 1452	1572	{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe	44
PID 1572 wrote to memory of 2984	1572	{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe	45
PID 1572 wrote to memory of 2984	1572	{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe	45
PID 1572 wrote to memory of 2984	1572	{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe	45
PID 1572 wrote to memory of 2984	1572	{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-01_de265f1d58d2189362a23041d25c9d13_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_de265f1d58d2189362a23041d25c9d13_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2148
- C:\Windows\{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe
  C:\Windows\{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DF2FE~1.EXE > nul
    3⤵
    PID:2664
- - C:\Windows\{640377EC-81CF-495c-9A25-159385058C8D}.exe
    C:\Windows\{640377EC-81CF-495c-9A25-159385058C8D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{64037~1.EXE > nul
      4⤵
      PID:2856
  - - C:\Windows\{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe
      C:\Windows\{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BF77~1.EXE > nul
        5⤵
        
        PID:2028
    - - C:\Windows\{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe
        
        C:\Windows\{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
      - C:\Windows\{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe
        
        C:\Windows\{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe
        
        C:\Windows\{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe
        
        C:\Windows\{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\{5E05D7B9-50A6-4ce8-81E2-B98C6238A33A}.exe
        
        C:\Windows\{5E05D7B9-50A6-4ce8-81E2-B98C6238A33A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E05D~1.EXE > nul
        10⤵
        
        PID:2092
        
        C:\Windows\{F27308C5-6203-44ce-88F0-747C605B37FE}.exe
        
        C:\Windows\{F27308C5-6203-44ce-88F0-747C605B37FE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\{E1C1CA91-3973-4d99-8E32-335C98A1DCBE}.exe
        
        C:\Windows\{E1C1CA91-3973-4d99-8E32-335C98A1DCBE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\{165E62C7-0BCA-4c1d-B424-0C5C86877049}.exe
        
        C:\Windows\{165E62C7-0BCA-4c1d-B424-0C5C86877049}.exe
        12⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1C1C~1.EXE > nul
        12⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2730~1.EXE > nul
        11⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D23D~1.EXE > nul
        9⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8830~1.EXE > nul
        8⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6C51~1.EXE > nul
        7⤵
        
        PID:2360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB2D5~1.EXE > nul
        6⤵
        
        PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D23D0A1-C8F7-4525-A37A-845CFA39343E}.exe

Filesize
380KB

MD5
7e82feab8c333afd46197136e79c5038

SHA1
24952088cc088178c4fd8066310f9be8efdcdaa0

SHA256
f47ccf593677a84253f31abea541e03d7312bbfcf5b9e1fcd62f9c3c2ee970b9

SHA512
99c21eb85b41f634c6bf6fabcfa698b77a7b9409cef14537700940379f75b3842905b2f5a9b3a1a5a48421a650e89b5c409fa11ce8c430069e9ab2785eb3d0f8

Download Submit
C:\Windows\{165E62C7-0BCA-4c1d-B424-0C5C86877049}.exe

Filesize
380KB

MD5
ce17fded4ff0b5a9462ee001c7bd7133

SHA1
4ddb813945054971b2656e6586ec7390d241fbaa

SHA256
2c59fa3a8785bec3411a76517bc50f2b9ae8d177662cba864cd4a159e46016c0

SHA512
d52981a25bd2f9abb5b4901dacb019d2893533fdab5fc6bd185da624692fafa45e7c801b5f7ce36eaae5f0b3ec23877b53c95585178d5d701ec450bb74da260d

Download Submit
C:\Windows\{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe

Filesize
372KB

MD5
a36fd9a4c384bb77d81a8085ddec0a47

SHA1
06baf01874f896c2aa184fe44f7378915a4c6279

SHA256
98ad10b05f435daab83dfea259cf136024dd07f07d6a361ff0c4eef72b3bbca1

SHA512
34fddca1d94b954f472cac2db410d03c3efc4d53da622948fb5c6d3383d9a4e02e08933afb0d32502db5c14355c598d6fcc117d685bb8f1cbba3d1f70e9e217b

Download Submit
C:\Windows\{2BF77623-2870-442a-A9BA-7659A15C0EE5}.exe

Filesize
380KB

MD5
4d3df2cbe535b296ff6384e82093232c

SHA1
5b223c96b1e6b0109f05fce56e530891a6e570bb

SHA256
e400fec3cc549b4139ecc1b7469eb9bf8d73434c0b46a265252d36dc33845ffe

SHA512
8a448b4131fc08abe54b6b17596b4c2737fd6c9240979444d34923ac38e6e4d718a8db75fb906090e39e19ea01d9bd9971e7d7c98ee09c74132d1e3b108aa13c

Download Submit
C:\Windows\{5E05D7B9-50A6-4ce8-81E2-B98C6238A33A}.exe

Filesize
380KB

MD5
84d830c0d1df7044d3a87dfa945e853a

SHA1
c50173d0b2210a06d40e4aa14ae5e0ebcdf3fbab

SHA256
de5568a00cf87e89a0a796cf4897589e858c33a2d5732b8e5c8f0a15a1755852

SHA512
d871fb14c8f331032a53030f4f26d6d72672c801219ce729d9ee02af392932c6bfcfb2d92b16368fffe797cb76df18953931ac3b8adf8ef02248207c19a82aac

Download Submit
C:\Windows\{640377EC-81CF-495c-9A25-159385058C8D}.exe

Filesize
106KB

MD5
2628c98164a959d4acf7142cc61843de

SHA1
09a7cc9fcb41f1f048ff276669c2da2ea64058d5

SHA256
81d1e9c4872ff8de9a2000990c69b9498474e1392dd371c193be0b01176bd315

SHA512
45a09775aedb23d5b53968052d238df5260ae1e9b361268649a150bcb445e8d88fc4147b9a865d74e10d4a25e0b844fa06916a98f42f464974895691bdfc915a

Download Submit
C:\Windows\{640377EC-81CF-495c-9A25-159385058C8D}.exe

Filesize
380KB

MD5
8cfd28f63a92306f7fc4f613e68c2f98

SHA1
c0600d1cfc660db486bfa97ce89921e99cf506f8

SHA256
656f4f76d7762ef4a83e3680d41a3989105ffc49a2b5c75f4bd41e76aa5ca637

SHA512
b93710e8d94f4e33caddf361817f5793efe3af7e4cb808f17224d4564a6b210129d767bba94a39c2ad620173b4bc8d2de1c5b8d14f36c56fe09fa3b9788150d6

Download Submit
C:\Windows\{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe

Filesize
267KB

MD5
477dd102f25a75f78c5310d690491605

SHA1
bbc00e49ea35a5dbe70848964619d00ba8f34cf3

SHA256
e157ad684db653638d74c77f2a0fc7a271f6ceafb0eea3ad2a61292b622fa1a7

SHA512
4ababe65d783c4900be8f7ac26e7f8b80ea4ad34b2032abcb50ceeab22a6ab5ddce6f96a24b0ed27a1dcdc17db0b72d64a458c23ff20b1375597dfd4c93d3a41

Download Submit
C:\Windows\{A8830FDD-0EC9-4a97-92FE-B0CE6F662D0E}.exe

Filesize
380KB

MD5
b15cc9dd1a7e04e5f72c6b6e3a3ef50f

SHA1
94eca843e6bb51ddb643ff0f1e5a85a8dd76b6aa

SHA256
4e080834c29fe4576c0d6e6a9fa0d4bd66118d0fd42c9ef44b458f2fd38ddbc0

SHA512
bce73543a6b6e3c1ff45ec5d5f4f933e655bba99bc12f034cdab8600faf2da6b704dbb248d4c830daff11dd05bde63b7ea7bd09b58c039a5f331e1cc98b45fa9

Download Submit
C:\Windows\{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe

Filesize
380KB

MD5
df53a60feceec0496204f51bd763c5ec

SHA1
2b0551487e4430d090a55e27b3b9acacb32ff7df

SHA256
d8fb5bc4ed1249c7c00280a3fbe51abaccfe50b6188344dc33f0e8277f9ad6ee

SHA512
c5126805d5f63f1723d898f22a7c5e6c0fe4f612b6a7d234f11319405b0483aba85fbb2964f845cc65660d0e67bf654573c647c2ed6d091e0941b91aa7498fa2

Download Submit
C:\Windows\{AB2D53A9-63C0-448b-A5DA-93AD0D8AFB19}.exe

Filesize
320KB

MD5
639a385cf62772177a613aa70f08d4d7

SHA1
eae4698590f82793be9be770cf98d13ecea06322

SHA256
b653391bf2a1fcf0eb94865c01f6ed7d1bec889576c4108abba9c022f387020b

SHA512
cb17572bc745545b6b4fbb38cdbc11e8e7c5e832767735531ea5c078425b6043b12ccc5242211240b27d77f130239a53d7c37005c31164d255441d14face031f

Download Submit
C:\Windows\{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe

Filesize
326KB

MD5
16a2790ff5a0142ea4005304f3db54aa

SHA1
f205f55f4ec168aeda293fa04826cf89ceef319b

SHA256
963b89b422b40e14704316a45a846f327e42edd2b1a35e8148e8499c0cda5d15

SHA512
14350dd1556b44edf98043e7da13fe547765d0cceaaaf4f29d8c825b66055c018b2e8dbe1fde1c0a1395edfb8d3098236ffc5d13892a11add3ec891099651606

Download Submit
C:\Windows\{C6C5111D-8B9D-4321-8121-AE693FBB1ADA}.exe

Filesize
357KB

MD5
2fc2a4c5d88866ffb789b50127abe108

SHA1
31731a9b2bd10241741e373393763c59f2413cf3

SHA256
de5bd659c2abe67d8f6b8f3c94d56e077c88c9c5ffd214cd7f940b2c36a618cd

SHA512
87d21365157888f3a95162e14c7e4d0a4e543a0c21bb4b90f3fd47f1118fef67d047f0a1d7cbfd285f566827fe7c9a424c1ad449c22be0eb099487f4382f7b41

Download Submit
C:\Windows\{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe

Filesize
63KB

MD5
d198edc908edd7f971c1d2f1d613c797

SHA1
42e0147ca99c0be13087cb3fa773306152a2d0aa

SHA256
aee75706bdb330e67896622896913d7c3672b765abaf57f0e0be3557e4d71ebf

SHA512
082dec4f5380fb2d55c533602c271d9cc6fd89b2fb191473eaece563891b648494d5926ad11a88623723f6d2df96a653d8b97eb6cb5e4e14de6becd94c4f4cea

Download Submit
C:\Windows\{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe

Filesize
89KB

MD5
cff6fcede1fef6ea0ba0dce1cccb00dc

SHA1
1aaca1098a45b5e813d072cb99d09a1ab3af1dcd

SHA256
4426e7c03f1c614eeb69ba5892ba5d4fc591d383db99f816a2ecb9ea1322f42b

SHA512
4b1ec01cc92601180ecf1e3e9892b1de01d6a02d50a1a6e0ed7100dfef413b15515efed32fd403d7e8b18332ee3b5d141684d23c7fd0493a10c4b6062ae3cbfc

Download Submit
C:\Windows\{DF2FEA68-6F83-4e63-AEED-70AF0546C9F1}.exe

Filesize
77KB

MD5
dbdafeb2d4079025f21e6c146bdda6cb

SHA1
d4c6423d19fd35416ac9e883bb73a3b7f3fcfbfe

SHA256
27bae2dd4d9810e45a917e69b6cef5db006557508564cf0ee5578eda7691ae45

SHA512
c19801056a620199023d82e64036bc4ef780e712ecfea00269b42741a82718d3123292f1d2ca9ba986b99822f8aa86ba2e4d53db00c167493552012737fc2d1d

Download Submit
C:\Windows\{E1C1CA91-3973-4d99-8E32-335C98A1DCBE}.exe

Filesize
380KB

MD5
a4dc78aae927b694d54ae7b088508a96

SHA1
960ecb0025f49ec04b93de272c24dc1dde8ed9e5

SHA256
b8d542733eacf2195c3ae1d9365c0b59b7a9523b206e020a24fbf17d7b104c0d

SHA512
6b3dadda57d85c89d43ee281daf05d738c020d6e6630eff0c1f585359e0e3ffe9c15d4baf5146369564cae243895647880ce0e488d0c3aa3fa90ddc0a75c8f7d

Download Submit
C:\Windows\{F27308C5-6203-44ce-88F0-747C605B37FE}.exe

Filesize
380KB

MD5
f3717aa16f0d444213876445962591f1

SHA1
90dbbbd4c648927c9ff2129b3faa8ff3c820f77e

SHA256
4d7489391e0dc64b27230bddc73b1bb4cd17fd08b94350b4f67bc55e55409f10

SHA512
d080e828d26267965a382c8c30a3fd6f7dd5dd95cb0a05f15f7db76899903aac0d7fe4411c990ea8f6672e9d579c24438cd6a299d23a33f4c0f4be2526283ff7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads