16f9ae14c1f04d1ebbc1eda01760c0cb746af9d53aaa1cb741f8eb26ae0c85e4

Analysis

max time kernel
113s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_ec883f931773477798b52bcb61b8b723_goldeneye.exe
Size

192KB
MD5

ec883f931773477798b52bcb61b8b723
SHA1

22d500debcf96265cc6974b84ba3845314a1a120
SHA256

16f9ae14c1f04d1ebbc1eda01760c0cb746af9d53aaa1cb741f8eb26ae0c85e4
SHA512

3feb50a08d3558022c8e81c47123420b0cc1536f32e2689f284f3b8daec30e7d01c95d3df97adc77cafa7203392271fc041904b02c79f3503f3af40dd2f03641
SSDEEP

1536:1EGh0odl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0odl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}	{09421187-D27D-4ae0-A85B-0633043316D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55987562-983B-4020-8F66-DBAC44486834}	{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55987562-983B-4020-8F66-DBAC44486834}\stubpath = "C:\\Windows\\{55987562-983B-4020-8F66-DBAC44486834}.exe"	{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5FAD87D-CA74-4abd-9406-4C47196C4B25}	{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E4D7075-E76F-4adc-B419-BEA3F5ED5E1E}	{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E4D7075-E76F-4adc-B419-BEA3F5ED5E1E}\stubpath = "C:\\Windows\\{1E4D7075-E76F-4adc-B419-BEA3F5ED5E1E}.exe"	{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{502A8690-2E7D-4fcd-B9F7-7648360BEEE6}	{1E4D7075-E76F-4adc-B419-BEA3F5ED5E1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EC49467-5290-4e4e-85D4-3B67A93414E7}\stubpath = "C:\\Windows\\{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe"	{55987562-983B-4020-8F66-DBAC44486834}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}\stubpath = "C:\\Windows\\{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe"	{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}\stubpath = "C:\\Windows\\{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe"	{09421187-D27D-4ae0-A85B-0633043316D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{502A8690-2E7D-4fcd-B9F7-7648360BEEE6}\stubpath = "C:\\Windows\\{502A8690-2E7D-4fcd-B9F7-7648360BEEE6}.exe"	{1E4D7075-E76F-4adc-B419-BEA3F5ED5E1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}	2024-01-09_ec883f931773477798b52bcb61b8b723_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5FAD87D-CA74-4abd-9406-4C47196C4B25}\stubpath = "C:\\Windows\\{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe"	{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09421187-D27D-4ae0-A85B-0633043316D4}	{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09421187-D27D-4ae0-A85B-0633043316D4}\stubpath = "C:\\Windows\\{09421187-D27D-4ae0-A85B-0633043316D4}.exe"	{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}\stubpath = "C:\\Windows\\{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe"	2024-01-09_ec883f931773477798b52bcb61b8b723_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EC49467-5290-4e4e-85D4-3B67A93414E7}	{55987562-983B-4020-8F66-DBAC44486834}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}	{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe

Deletes itself 1 IoCs

pid	Process
3024	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2996	{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe
2780	{55987562-983B-4020-8F66-DBAC44486834}.exe
2668	{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe
2484	{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe
2424	{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe
2420	{09421187-D27D-4ae0-A85B-0633043316D4}.exe
1636	{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe
1444	{1E4D7075-E76F-4adc-B419-BEA3F5ED5E1E}.exe
2272	{502A8690-2E7D-4fcd-B9F7-7648360BEEE6}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe	2024-01-09_ec883f931773477798b52bcb61b8b723_goldeneye.exe
File created	C:\Windows\{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe	{55987562-983B-4020-8F66-DBAC44486834}.exe
File created	C:\Windows\{09421187-D27D-4ae0-A85B-0633043316D4}.exe	{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe
File created	C:\Windows\{502A8690-2E7D-4fcd-B9F7-7648360BEEE6}.exe	{1E4D7075-E76F-4adc-B419-BEA3F5ED5E1E}.exe
File created	C:\Windows\{55987562-983B-4020-8F66-DBAC44486834}.exe	{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe
File created	C:\Windows\{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe	{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe
File created	C:\Windows\{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe	{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe
File created	C:\Windows\{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe	{09421187-D27D-4ae0-A85B-0633043316D4}.exe
File created	C:\Windows\{1E4D7075-E76F-4adc-B419-BEA3F5ED5E1E}.exe	{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2816	2024-01-09_ec883f931773477798b52bcb61b8b723_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2996	{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe
Token: SeIncBasePriorityPrivilege	2780	{55987562-983B-4020-8F66-DBAC44486834}.exe
Token: SeIncBasePriorityPrivilege	2668	{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe
Token: SeIncBasePriorityPrivilege	2484	{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe
Token: SeIncBasePriorityPrivilege	2424	{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe
Token: SeIncBasePriorityPrivilege	2420	{09421187-D27D-4ae0-A85B-0633043316D4}.exe
Token: SeIncBasePriorityPrivilege	1636	{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe
Token: SeIncBasePriorityPrivilege	1444	{1E4D7075-E76F-4adc-B419-BEA3F5ED5E1E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2996	2816	2024-01-09_ec883f931773477798b52bcb61b8b723_goldeneye.exe	29
PID 2816 wrote to memory of 2996	2816	2024-01-09_ec883f931773477798b52bcb61b8b723_goldeneye.exe	29
PID 2816 wrote to memory of 2996	2816	2024-01-09_ec883f931773477798b52bcb61b8b723_goldeneye.exe	29
PID 2816 wrote to memory of 2996	2816	2024-01-09_ec883f931773477798b52bcb61b8b723_goldeneye.exe	29
PID 2816 wrote to memory of 3024	2816	2024-01-09_ec883f931773477798b52bcb61b8b723_goldeneye.exe	28
PID 2816 wrote to memory of 3024	2816	2024-01-09_ec883f931773477798b52bcb61b8b723_goldeneye.exe	28
PID 2816 wrote to memory of 3024	2816	2024-01-09_ec883f931773477798b52bcb61b8b723_goldeneye.exe	28
PID 2816 wrote to memory of 3024	2816	2024-01-09_ec883f931773477798b52bcb61b8b723_goldeneye.exe	28
PID 2996 wrote to memory of 2780	2996	{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe	31
PID 2996 wrote to memory of 2780	2996	{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe	31
PID 2996 wrote to memory of 2780	2996	{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe	31
PID 2996 wrote to memory of 2780	2996	{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe	31
PID 2996 wrote to memory of 2624	2996	{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe	30
PID 2996 wrote to memory of 2624	2996	{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe	30
PID 2996 wrote to memory of 2624	2996	{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe	30
PID 2996 wrote to memory of 2624	2996	{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe	30
PID 2780 wrote to memory of 2668	2780	{55987562-983B-4020-8F66-DBAC44486834}.exe	33
PID 2780 wrote to memory of 2668	2780	{55987562-983B-4020-8F66-DBAC44486834}.exe	33
PID 2780 wrote to memory of 2668	2780	{55987562-983B-4020-8F66-DBAC44486834}.exe	33
PID 2780 wrote to memory of 2668	2780	{55987562-983B-4020-8F66-DBAC44486834}.exe	33
PID 2780 wrote to memory of 2680	2780	{55987562-983B-4020-8F66-DBAC44486834}.exe	32
PID 2780 wrote to memory of 2680	2780	{55987562-983B-4020-8F66-DBAC44486834}.exe	32
PID 2780 wrote to memory of 2680	2780	{55987562-983B-4020-8F66-DBAC44486834}.exe	32
PID 2780 wrote to memory of 2680	2780	{55987562-983B-4020-8F66-DBAC44486834}.exe	32
PID 2668 wrote to memory of 2484	2668	{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe	37
PID 2668 wrote to memory of 2484	2668	{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe	37
PID 2668 wrote to memory of 2484	2668	{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe	37
PID 2668 wrote to memory of 2484	2668	{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe	37
PID 2668 wrote to memory of 2544	2668	{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe	36
PID 2668 wrote to memory of 2544	2668	{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe	36
PID 2668 wrote to memory of 2544	2668	{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe	36
PID 2668 wrote to memory of 2544	2668	{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe	36
PID 2484 wrote to memory of 2424	2484	{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe	39
PID 2484 wrote to memory of 2424	2484	{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe	39
PID 2484 wrote to memory of 2424	2484	{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe	39
PID 2484 wrote to memory of 2424	2484	{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe	39
PID 2484 wrote to memory of 1608	2484	{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe	38
PID 2484 wrote to memory of 1608	2484	{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe	38
PID 2484 wrote to memory of 1608	2484	{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe	38
PID 2484 wrote to memory of 1608	2484	{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe	38
PID 2424 wrote to memory of 2420	2424	{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe	41
PID 2424 wrote to memory of 2420	2424	{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe	41
PID 2424 wrote to memory of 2420	2424	{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe	41
PID 2424 wrote to memory of 2420	2424	{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe	41
PID 2424 wrote to memory of 1468	2424	{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe	40
PID 2424 wrote to memory of 1468	2424	{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe	40
PID 2424 wrote to memory of 1468	2424	{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe	40
PID 2424 wrote to memory of 1468	2424	{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe	40
PID 2420 wrote to memory of 1636	2420	{09421187-D27D-4ae0-A85B-0633043316D4}.exe	43
PID 2420 wrote to memory of 1636	2420	{09421187-D27D-4ae0-A85B-0633043316D4}.exe	43
PID 2420 wrote to memory of 1636	2420	{09421187-D27D-4ae0-A85B-0633043316D4}.exe	43
PID 2420 wrote to memory of 1636	2420	{09421187-D27D-4ae0-A85B-0633043316D4}.exe	43
PID 2420 wrote to memory of 2756	2420	{09421187-D27D-4ae0-A85B-0633043316D4}.exe	42
PID 2420 wrote to memory of 2756	2420	{09421187-D27D-4ae0-A85B-0633043316D4}.exe	42
PID 2420 wrote to memory of 2756	2420	{09421187-D27D-4ae0-A85B-0633043316D4}.exe	42
PID 2420 wrote to memory of 2756	2420	{09421187-D27D-4ae0-A85B-0633043316D4}.exe	42
PID 1636 wrote to memory of 1444	1636	{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe	45
PID 1636 wrote to memory of 1444	1636	{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe	45
PID 1636 wrote to memory of 1444	1636	{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe	45
PID 1636 wrote to memory of 1444	1636	{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe	45
PID 1636 wrote to memory of 2976	1636	{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe	44
PID 1636 wrote to memory of 2976	1636	{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe	44
PID 1636 wrote to memory of 2976	1636	{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe	44
PID 1636 wrote to memory of 2976	1636	{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-09_ec883f931773477798b52bcb61b8b723_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_ec883f931773477798b52bcb61b8b723_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3024
- C:\Windows\{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe
  C:\Windows\{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5721F~1.EXE > nul
    3⤵
    PID:2624
- - C:\Windows\{55987562-983B-4020-8F66-DBAC44486834}.exe
    C:\Windows\{55987562-983B-4020-8F66-DBAC44486834}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{55987~1.EXE > nul
      4⤵
      PID:2680
  - - C:\Windows\{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe
      C:\Windows\{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EC49~1.EXE > nul
        5⤵
        
        PID:2544
    - - C:\Windows\{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe
        
        C:\Windows\{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5FAD~1.EXE > nul
        6⤵
        
        PID:1608
      - C:\Windows\{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe
        
        C:\Windows\{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{892FC~1.EXE > nul
        7⤵
        
        PID:1468
        
        C:\Windows\{09421187-D27D-4ae0-A85B-0633043316D4}.exe
        
        C:\Windows\{09421187-D27D-4ae0-A85B-0633043316D4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09421~1.EXE > nul
        8⤵
        
        PID:2756
        
        C:\Windows\{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe
        
        C:\Windows\{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{580A8~1.EXE > nul
        9⤵
        
        PID:2976
        
        C:\Windows\{1E4D7075-E76F-4adc-B419-BEA3F5ED5E1E}.exe
        
        C:\Windows\{1E4D7075-E76F-4adc-B419-BEA3F5ED5E1E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E4D7~1.EXE > nul
        10⤵
        
        PID:1884
        
        C:\Windows\{502A8690-2E7D-4fcd-B9F7-7648360BEEE6}.exe
        
        C:\Windows\{502A8690-2E7D-4fcd-B9F7-7648360BEEE6}.exe
        10⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{502A8~1.EXE > nul
        11⤵
        
        PID:536
        
        C:\Windows\{7E2295DE-FF8B-4516-AA78-178EB44E3AE6}.exe
        
        C:\Windows\{7E2295DE-FF8B-4516-AA78-178EB44E3AE6}.exe
        11⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E229~1.EXE > nul
        12⤵
        
        PID:1068
        
        C:\Windows\{53AD3470-CA8B-404e-9BD1-8561CF376B70}.exe
        
        C:\Windows\{53AD3470-CA8B-404e-9BD1-8561CF376B70}.exe
        12⤵
        
        PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09421187-D27D-4ae0-A85B-0633043316D4}.exe

Filesize
1KB

MD5
b228397504b8fc94b59ced1aa1106388

SHA1
ae8b4968e5f828aa7b8f4895a9ad359b0f7ba1ff

SHA256
10c558a88626acfc67baee1f538772c101dfa71d0600a9d08841878f906a835d

SHA512
007e971715f32664e618c6ee7500bc8befcfcf413d9b900eeeb14c2e8cebb65d2f96d271882541fcfc540f1e53f6414c4073b0858b9ff7ad9b64de61fee22ec2

Download Submit
C:\Windows\{09421187-D27D-4ae0-A85B-0633043316D4}.exe

Filesize
34KB

MD5
9b1a4d7c707525cd8d592f1d485de918

SHA1
edaa8305be192a508bee3592e419f5968e3320d6

SHA256
9636844f778e45523e5a283bc46727578021cca6098874f4b464b719ba02a328

SHA512
5085fc7e9382bfbff564740e7857073b72a2a11ed7441bb0cc725e3bc6246a39201ec4cd126f2105a67d203033a28de9cdacc0987eae09c4af059f4a0f7b51cc

Download Submit
C:\Windows\{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe

Filesize
181KB

MD5
3ad6c79c6f96aca6716f4f49e9e81972

SHA1
84a252e2b0c7e76b11145b36e1551b95d3ed5314

SHA256
0a7b0044aec7c27d5b210dd44ff54d10e8480643375deae04672e123ff6685b1

SHA512
b7111a58960381cfc040460bb1fda12b71b1d2a373ee84afd8603a16836dc5c6bd1115d736bfd23f69bca369844974d68ee0ea57c85ac95638f9b0b86e82fc6b

Download Submit
C:\Windows\{1EC49467-5290-4e4e-85D4-3B67A93414E7}.exe

Filesize
134KB

MD5
65b3ca48aeba11f4cd57d64ff4c9470b

SHA1
def5a1845ade85b9b27e11594f887b9c71d7e654

SHA256
bec2b9b9badd0a7e9ad4c410c0734561649c72abd49b7a68b78647d1dceae4b0

SHA512
677b164e86dc0dd9469dcdc15158dd319da85026ab000103216fefeafbe8bc24e41683ee65ab3762da4fab86146fab1ed79c4f89e172791e6276c8b902aa90d9

Download Submit
C:\Windows\{502A8690-2E7D-4fcd-B9F7-7648360BEEE6}.exe

Filesize
5KB

MD5
12485d738b8a065e5b934421a8b5bce4

SHA1
c22bdee1a4c64202da865403de3f64a1ca6e6554

SHA256
8f0fd24a39aa155182d9e4870231e2c3c270b2c3c2311ef628a089c8426b777e

SHA512
d718c31ab79d8c112e7ef47e5cad1a70cf77d3cfd99d0bc47eac02cad11d58ec1f650bcc1fc616763bbfddbfa919fea4b411ca89d0b73fd10458b08a2c0d30d5

Download Submit
C:\Windows\{502A8690-2E7D-4fcd-B9F7-7648360BEEE6}.exe

Filesize
19KB

MD5
fda8a0a73ef6798ec76aec821aad689c

SHA1
81312626217474be8e1ad6ec067de4fd9ceb5052

SHA256
31f1aef5dbe5ff36f02fbcf6b53d86063f12c14f392829adfa28751beb80b5f3

SHA512
151bb46479500d4503dfe1afbf876030c883e0f02f5d1e91f256edaba1bf81a9569402eee6ff8abeaff357a3fefa626e2f6c5db861a6cd4de08094681e1ea3c5

Download Submit
C:\Windows\{53AD3470-CA8B-404e-9BD1-8561CF376B70}.exe

Filesize
106KB

MD5
35102459bc229b9748e028514bda2788

SHA1
321f24d60cdbb7461c1a93150de74bb04751b118

SHA256
7ed41e013a3d5bc81b32f445e155fb5220dcdfbb9bcd0d072e8865f23e821841

SHA512
c92576ac1603ec80ef2bbb0252edec148dfa63d8d469485973f5a5fdd75e149eaa72963faee8ee561faa78587f89fe7c41746a4a92c7811786341dbaf539310e

Download Submit
C:\Windows\{55987562-983B-4020-8F66-DBAC44486834}.exe

Filesize
74KB

MD5
26120eb8170e9d8c61074eef128ad5b9

SHA1
432822202e4874898911ce209e549ad39bb923ab

SHA256
36dac2d76bb87f95acdbcc52032d4a8e880f5e89e5d73c5df6102908c4600512

SHA512
9ed00c66ff4a96836ab62d436c9178ceba6b939fb120aab23ce2813b1cdb673f52acf8702414f015865f585353a301da9c4852c8bfb4720db93b2d41f9f99b12

Download Submit
C:\Windows\{55987562-983B-4020-8F66-DBAC44486834}.exe

Filesize
180KB

MD5
604eeee716ea63c7a77a3df894b05269

SHA1
42a9875dba9f52741dcb1067abdbb476ff99e5ea

SHA256
91d5454d231eee72c538117c62ec459e09f07e3fd8d06eee475d50db39bd0653

SHA512
03008e6d5e0de55eb51944a23a57c06cd25a1b186bfaa8668b9d77368c6bb9d1d0bcabb9b4e731763087252ac0757741be6d24d0a249100fa36a120408ac3cf9

Download Submit
C:\Windows\{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe

Filesize
192KB

MD5
ca1b8941aa81f401b13c16213c42c855

SHA1
f57ac4c718f099ebe01300184515f6c26b0f871e

SHA256
78a1c6901a9bfdfc98190dde665e7c5af84e93c4bcc435bc52d66cecc2f8ec60

SHA512
8bcabc06c9f69b8e6e07182ee1af5aa101916dbdc1b1d646c070c2eace994eee86bf0f8d7f7151deb9fc7f2ed5336a8b00f5c5aae9227ac7a1f9fc6d4b339397

Download Submit
C:\Windows\{5721F464-EAD6-4a57-9761-7E2C83C6FFB7}.exe

Filesize
46KB

MD5
6efedb3d90f551de3bc95adb5e18bc09

SHA1
de1f4623921c24c3634de9db3f0b66e359d1270e

SHA256
7f5ff1635502dd1fe585f86b4c04793b9bd2ca4ed42efa04a2a4216b887fc949

SHA512
36b07ab9f0a3d19f7401ac3cd6ee1fff0286e0c1bc1f95d455bc1392d630dfc6cf101490ae81f817b3d2cf01722a7aed088c9f947e2c909ca463042d66422b88

Download Submit
C:\Windows\{580A8D2F-1106-4af4-8C7B-F4567FBC01CB}.exe

Filesize
16KB

MD5
89e8556cb741940e4d50c1ea57228804

SHA1
23e39f78f6500f3f3a7003d7b52c9845cfffe645

SHA256
8ab416e44cc188aa532a69e589885aab8b68e936a611816e76d571eae3fa1e3a

SHA512
b5283d2e89ac0fc7c789dae2f92d58241a5194168ecbc55f64566f3fc3a4217f393b09f92feebbf79b1ae751c3e3d0e2be3cb555c2fe1f141afaae7e384216e0

Download Submit
C:\Windows\{7E2295DE-FF8B-4516-AA78-178EB44E3AE6}.exe

Filesize
45KB

MD5
e5e9765721c89b348427dd36724ffef6

SHA1
596ee81d199fb9ce792a83bd0c5d5a094055c038

SHA256
47c7aee6bbd669c605dc926aae26a50e83b28cc0ee6f4a42f5510b3ec23311ed

SHA512
5d4951522fd7637a55daecfda6b5d08ee717461815f6727f8dbf84d1c8ef88c216a4d72ab7f5743dc6a7d000f2d52ce20e674c3c44f97b9789517dd4794acc22

Download Submit
C:\Windows\{7E2295DE-FF8B-4516-AA78-178EB44E3AE6}.exe

Filesize
72KB

MD5
5583adf503c2de1f4a5e3f1ea1d11386

SHA1
80e2f0bdd7fa39b799f958d93b46b81b0ab7960d

SHA256
fe328b1cd430c321c586c49f59ec4eaf48946396e40d974ac9db26d5847c1684

SHA512
c4da706167609cbaa1d3c433f6b896e6cc63c41687fdac1aec7d8144a876b84f7b398f47ae0d8e06ccbee6edc9975d97cc804070ec9c5c9f34b9f531621ec5e6

Download Submit
C:\Windows\{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe

Filesize
142KB

MD5
2d269d0341577cdc594a7593b64b74a3

SHA1
f7e7dff85404853e71192837ed80c101cb993507

SHA256
952f92ee66b62faf395ec98c268865b56abd714fe051e911dc1b4914cba96376

SHA512
af0f2846d9f927eff1ba9e41021b154c9495ccfec844c20261e46afc6f20a97e2e7b1dd9e5f0956ed07c6287d1b95de1fa557afbb3bbba636249534fc3d8ca9e

Download Submit
C:\Windows\{892FCACC-CE74-493c-9D4A-C5DF11A0F8FF}.exe

Filesize
192KB

MD5
6bb3e1f4e4688a557e050de3552040e2

SHA1
eb3098b1b584d231c0ee36f71ddd278f4ae56d20

SHA256
b8660d0398ea28b2cab88ea3ea57f846d55d7d16ecbeedc46b8359f2a1ff45fe

SHA512
c55b36afab89c4d7d5762f932ba19189152ed847e44056d2b46de3d65f3a741757b0a58c52e1e55f408752b0d5c301d402b8873fc427d30b44099d763c980b3c

Download Submit
C:\Windows\{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe

Filesize
17KB

MD5
64ada3be167afc60a946d3dacbe99e3f

SHA1
40e5e20f6c3cf5ef71124064d7cdf80182dbf25f

SHA256
bdebaf4696d1ec516f034a7845e586405544029a8ff1e3956c04f11470aad62c

SHA512
10592e425ce212332b60b6ec8765e80b286570e2118bef3ded1698ef9ca18763f0f47dd684de199465b1423324d0fde70f1e284b941c86ae897a1e2b98f21b5a

Download Submit
C:\Windows\{C5FAD87D-CA74-4abd-9406-4C47196C4B25}.exe

Filesize
140KB

MD5
605b7aea51b0c03539c89b8783b0bb69

SHA1
a66a6f63708dbd1bda79d5aad3b5da1660c93d53

SHA256
b00122ad152b552c028be17f6faaabc828049f5da5792891d623b03edebbca09

SHA512
a36af6535a9584e4c0c76866a3998ad534d5d3193ec21001590072a6efb91306f3c311cc73f060f3418a7d2f49e604c915a718fcf46b516decc1e75460ab29c2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads