d68bad69edcdbf10e83f7c81a6c69efd4be09a87d213ca48d96a5008977dd922

Analysis

max time kernel
125s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11-01-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe
Size

204KB
MD5

f6d490aa629a670aeff60be2fea1bb01
SHA1

30657646cdfa807647d1447a874342588a4b1789
SHA256

d68bad69edcdbf10e83f7c81a6c69efd4be09a87d213ca48d96a5008977dd922
SHA512

39ae7fffc241e311d9cd2a6aa93bb8ee8ad7d2e303633e6388c0ba20cc3127b70762d707f32e10021a80080ab45451069276cb59a03793fc96e2b0b94a67c653
SSDEEP

1536:1EGh0ogl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ogl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C090BC05-B506-45ab-89A6-28818459087C}\stubpath = "C:\\Windows\\{C090BC05-B506-45ab-89A6-28818459087C}.exe"	{C124860D-7205-453c-AF9D-15592FC86474}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5B4A7CB-1B5B-426f-B711-4655E76CF18B}	{9EE7D359-2274-4f9f-843F-CCC1C683DBBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C124860D-7205-453c-AF9D-15592FC86474}\stubpath = "C:\\Windows\\{C124860D-7205-453c-AF9D-15592FC86474}.exe"	{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C090BC05-B506-45ab-89A6-28818459087C}	{C124860D-7205-453c-AF9D-15592FC86474}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C124860D-7205-453c-AF9D-15592FC86474}	{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{077DAC8B-531B-478b-91C9-3C582748EC9D}\stubpath = "C:\\Windows\\{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe"	{C090BC05-B506-45ab-89A6-28818459087C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87B62935-2463-4a5a-B512-0A829E240B70}\stubpath = "C:\\Windows\\{87B62935-2463-4a5a-B512-0A829E240B70}.exe"	{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2947E6C1-BA68-4842-92D3-43E1AA37000A}	{87B62935-2463-4a5a-B512-0A829E240B70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}\stubpath = "C:\\Windows\\{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe"	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}\stubpath = "C:\\Windows\\{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe"	{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87B62935-2463-4a5a-B512-0A829E240B70}	{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2947E6C1-BA68-4842-92D3-43E1AA37000A}\stubpath = "C:\\Windows\\{2947E6C1-BA68-4842-92D3-43E1AA37000A}.exe"	{87B62935-2463-4a5a-B512-0A829E240B70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EE7D359-2274-4f9f-843F-CCC1C683DBBE}	{2947E6C1-BA68-4842-92D3-43E1AA37000A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{077DAC8B-531B-478b-91C9-3C582748EC9D}	{C090BC05-B506-45ab-89A6-28818459087C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}	{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}\stubpath = "C:\\Windows\\{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe"	{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EE7D359-2274-4f9f-843F-CCC1C683DBBE}\stubpath = "C:\\Windows\\{9EE7D359-2274-4f9f-843F-CCC1C683DBBE}.exe"	{2947E6C1-BA68-4842-92D3-43E1AA37000A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5B4A7CB-1B5B-426f-B711-4655E76CF18B}\stubpath = "C:\\Windows\\{E5B4A7CB-1B5B-426f-B711-4655E76CF18B}.exe"	{9EE7D359-2274-4f9f-843F-CCC1C683DBBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}	{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe

Deletes itself 1 IoCs

pid	Process
3024	cmd.exe

Executes dropped EXE 10 IoCs

pid	Process
2996	{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe
2280	{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe
2684	{C124860D-7205-453c-AF9D-15592FC86474}.exe
2496	{C090BC05-B506-45ab-89A6-28818459087C}.exe
2944	{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe
2420	{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe
1636	{87B62935-2463-4a5a-B512-0A829E240B70}.exe
2984	{2947E6C1-BA68-4842-92D3-43E1AA37000A}.exe
1832	{9EE7D359-2274-4f9f-843F-CCC1C683DBBE}.exe
2416	{E5B4A7CB-1B5B-426f-B711-4655E76CF18B}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{2947E6C1-BA68-4842-92D3-43E1AA37000A}.exe	{87B62935-2463-4a5a-B512-0A829E240B70}.exe
File created	C:\Windows\{C124860D-7205-453c-AF9D-15592FC86474}.exe	{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe
File created	C:\Windows\{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe	{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe
File created	C:\Windows\{C090BC05-B506-45ab-89A6-28818459087C}.exe	{C124860D-7205-453c-AF9D-15592FC86474}.exe
File created	C:\Windows\{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe	{C090BC05-B506-45ab-89A6-28818459087C}.exe
File created	C:\Windows\{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe	{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe
File created	C:\Windows\{87B62935-2463-4a5a-B512-0A829E240B70}.exe	{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe
File created	C:\Windows\{9EE7D359-2274-4f9f-843F-CCC1C683DBBE}.exe	{2947E6C1-BA68-4842-92D3-43E1AA37000A}.exe
File created	C:\Windows\{E5B4A7CB-1B5B-426f-B711-4655E76CF18B}.exe	{9EE7D359-2274-4f9f-843F-CCC1C683DBBE}.exe
File created	C:\Windows\{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2816	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2996	{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe
Token: SeIncBasePriorityPrivilege	2280	{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe
Token: SeIncBasePriorityPrivilege	2684	{C124860D-7205-453c-AF9D-15592FC86474}.exe
Token: SeIncBasePriorityPrivilege	2496	{C090BC05-B506-45ab-89A6-28818459087C}.exe
Token: SeIncBasePriorityPrivilege	2944	{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe
Token: SeIncBasePriorityPrivilege	2420	{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe
Token: SeIncBasePriorityPrivilege	1636	{87B62935-2463-4a5a-B512-0A829E240B70}.exe
Token: SeIncBasePriorityPrivilege	2984	{2947E6C1-BA68-4842-92D3-43E1AA37000A}.exe
Token: SeIncBasePriorityPrivilege	1832	{9EE7D359-2274-4f9f-843F-CCC1C683DBBE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2996	2816	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe	29
PID 2816 wrote to memory of 2996	2816	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe	29
PID 2816 wrote to memory of 2996	2816	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe	29
PID 2816 wrote to memory of 2996	2816	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe	29
PID 2816 wrote to memory of 3024	2816	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe	28
PID 2816 wrote to memory of 3024	2816	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe	28
PID 2816 wrote to memory of 3024	2816	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe	28
PID 2816 wrote to memory of 3024	2816	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe	28
PID 2996 wrote to memory of 2280	2996	{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe	31
PID 2996 wrote to memory of 2280	2996	{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe	31
PID 2996 wrote to memory of 2280	2996	{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe	31
PID 2996 wrote to memory of 2280	2996	{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe	31
PID 2996 wrote to memory of 2616	2996	{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe	30
PID 2996 wrote to memory of 2616	2996	{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe	30
PID 2996 wrote to memory of 2616	2996	{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe	30
PID 2996 wrote to memory of 2616	2996	{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe	30
PID 2280 wrote to memory of 2684	2280	{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe	32
PID 2280 wrote to memory of 2684	2280	{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe	32
PID 2280 wrote to memory of 2684	2280	{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe	32
PID 2280 wrote to memory of 2684	2280	{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe	32
PID 2280 wrote to memory of 2664	2280	{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe	33
PID 2280 wrote to memory of 2664	2280	{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe	33
PID 2280 wrote to memory of 2664	2280	{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe	33
PID 2280 wrote to memory of 2664	2280	{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe	33
PID 2684 wrote to memory of 2496	2684	{C124860D-7205-453c-AF9D-15592FC86474}.exe	37
PID 2684 wrote to memory of 2496	2684	{C124860D-7205-453c-AF9D-15592FC86474}.exe	37
PID 2684 wrote to memory of 2496	2684	{C124860D-7205-453c-AF9D-15592FC86474}.exe	37
PID 2684 wrote to memory of 2496	2684	{C124860D-7205-453c-AF9D-15592FC86474}.exe	37
PID 2684 wrote to memory of 2588	2684	{C124860D-7205-453c-AF9D-15592FC86474}.exe	36
PID 2684 wrote to memory of 2588	2684	{C124860D-7205-453c-AF9D-15592FC86474}.exe	36
PID 2684 wrote to memory of 2588	2684	{C124860D-7205-453c-AF9D-15592FC86474}.exe	36
PID 2684 wrote to memory of 2588	2684	{C124860D-7205-453c-AF9D-15592FC86474}.exe	36
PID 2496 wrote to memory of 2944	2496	{C090BC05-B506-45ab-89A6-28818459087C}.exe	38
PID 2496 wrote to memory of 2944	2496	{C090BC05-B506-45ab-89A6-28818459087C}.exe	38
PID 2496 wrote to memory of 2944	2496	{C090BC05-B506-45ab-89A6-28818459087C}.exe	38
PID 2496 wrote to memory of 2944	2496	{C090BC05-B506-45ab-89A6-28818459087C}.exe	38
PID 2496 wrote to memory of 2916	2496	{C090BC05-B506-45ab-89A6-28818459087C}.exe	39
PID 2496 wrote to memory of 2916	2496	{C090BC05-B506-45ab-89A6-28818459087C}.exe	39
PID 2496 wrote to memory of 2916	2496	{C090BC05-B506-45ab-89A6-28818459087C}.exe	39
PID 2496 wrote to memory of 2916	2496	{C090BC05-B506-45ab-89A6-28818459087C}.exe	39
PID 2944 wrote to memory of 2420	2944	{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe	40
PID 2944 wrote to memory of 2420	2944	{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe	40
PID 2944 wrote to memory of 2420	2944	{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe	40
PID 2944 wrote to memory of 2420	2944	{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe	40
PID 2944 wrote to memory of 1468	2944	{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe	41
PID 2944 wrote to memory of 1468	2944	{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe	41
PID 2944 wrote to memory of 1468	2944	{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe	41
PID 2944 wrote to memory of 1468	2944	{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe	41
PID 2420 wrote to memory of 1636	2420	{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe	43
PID 2420 wrote to memory of 1636	2420	{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe	43
PID 2420 wrote to memory of 1636	2420	{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe	43
PID 2420 wrote to memory of 1636	2420	{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe	43
PID 2420 wrote to memory of 2756	2420	{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe	42
PID 2420 wrote to memory of 2756	2420	{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe	42
PID 2420 wrote to memory of 2756	2420	{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe	42
PID 2420 wrote to memory of 2756	2420	{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe	42
PID 1636 wrote to memory of 2984	1636	{87B62935-2463-4a5a-B512-0A829E240B70}.exe	45
PID 1636 wrote to memory of 2984	1636	{87B62935-2463-4a5a-B512-0A829E240B70}.exe	45
PID 1636 wrote to memory of 2984	1636	{87B62935-2463-4a5a-B512-0A829E240B70}.exe	45
PID 1636 wrote to memory of 2984	1636	{87B62935-2463-4a5a-B512-0A829E240B70}.exe	45
PID 1636 wrote to memory of 1428	1636	{87B62935-2463-4a5a-B512-0A829E240B70}.exe	44
PID 1636 wrote to memory of 1428	1636	{87B62935-2463-4a5a-B512-0A829E240B70}.exe	44
PID 1636 wrote to memory of 1428	1636	{87B62935-2463-4a5a-B512-0A829E240B70}.exe	44
PID 1636 wrote to memory of 1428	1636	{87B62935-2463-4a5a-B512-0A829E240B70}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3024
- C:\Windows\{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe
  C:\Windows\{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D7A78~1.EXE > nul
    3⤵
    PID:2616
- - C:\Windows\{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe
    C:\Windows\{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\{C124860D-7205-453c-AF9D-15592FC86474}.exe
      C:\Windows\{C124860D-7205-453c-AF9D-15592FC86474}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1248~1.EXE > nul
        5⤵
        
        PID:2588
    - - C:\Windows\{C090BC05-B506-45ab-89A6-28818459087C}.exe
        
        C:\Windows\{C090BC05-B506-45ab-89A6-28818459087C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Windows\{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe
        
        C:\Windows\{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe
        
        C:\Windows\{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{405E2~1.EXE > nul
        8⤵
        
        PID:2756
        
        C:\Windows\{87B62935-2463-4a5a-B512-0A829E240B70}.exe
        
        C:\Windows\{87B62935-2463-4a5a-B512-0A829E240B70}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87B62~1.EXE > nul
        9⤵
        
        PID:1428
        
        C:\Windows\{2947E6C1-BA68-4842-92D3-43E1AA37000A}.exe
        
        C:\Windows\{2947E6C1-BA68-4842-92D3-43E1AA37000A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\{9EE7D359-2274-4f9f-843F-CCC1C683DBBE}.exe
        
        C:\Windows\{9EE7D359-2274-4f9f-843F-CCC1C683DBBE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EE7D~1.EXE > nul
        11⤵
        
        PID:1728
        
        C:\Windows\{E5B4A7CB-1B5B-426f-B711-4655E76CF18B}.exe
        
        C:\Windows\{E5B4A7CB-1B5B-426f-B711-4655E76CF18B}.exe
        11⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5B4A~1.EXE > nul
        12⤵
        
        PID:1652
        
        C:\Windows\{D9020837-3277-4895-8B8E-7B2A4B886DC9}.exe
        
        C:\Windows\{D9020837-3277-4895-8B8E-7B2A4B886DC9}.exe
        12⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2947E~1.EXE > nul
        10⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{077DA~1.EXE > nul
        7⤵
        
        PID:1468
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C090B~1.EXE > nul
        6⤵
        
        PID:2916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D414B~1.EXE > nul
      4⤵
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe

Filesize
32KB

MD5
fbd06bf7dc426973e51472b95551beff

SHA1
9def026d78844fd70665314b5c4dc6bcafd81c0c

SHA256
18e6f0746bcf9dd9494b4c9ffeda655b5322cd9e5eb78cb658d76175c58275ed

SHA512
fd8bb17f9657774f080aecc1b9aa296d4c613fc2b77fa42a7630fea5b323b074561970f0ed79de39fe0718b81b1b5a8b416132df4241651078c11a4f9f00e899

Download Submit
C:\Windows\{077DAC8B-531B-478b-91C9-3C582748EC9D}.exe

Filesize
64KB

MD5
bae0495548b1251df782cd2ae744f324

SHA1
3fa3d76298f5882b7ed214684c865804cdc0f467

SHA256
4b2122bdec0274913ac046476d5b18e044653b87070c38ffb24bbe8844168c1c

SHA512
feb2b04965fe2b21f0b838b7b12208762e5e6b9aea93b45fc603db8ee0e68cb3c75e3e050358cbc47544da5382dd447273cb07b9a8d9e811c013abd741bff6d6

Download Submit
C:\Windows\{2947E6C1-BA68-4842-92D3-43E1AA37000A}.exe

Filesize
204KB

MD5
7824f815b9c7e306cf4202c81feaca4e

SHA1
1fdca15e495d6904817ab75ef0d7204be203040a

SHA256
5aaae864e9929f98b6d691a2aad6ed9874266971cc3d2a4cc078e4c2106e85e6

SHA512
f611516700e420dd53f482ea63ca699a2581bd13c2744613c8260e62f4df89734c1783254bd3ad55bced0da8f49cfcf799f0e3dca89a4c6047d2c1696ec194dc

Download Submit
C:\Windows\{405E2D6A-C2DD-4541-8CA2-8E9B23F85EF2}.exe

Filesize
37KB

MD5
7f7b44b9adc13702b2fabdbeeeb7fceb

SHA1
ae52ba92dd92975d6d4c23756275d585d855ae93

SHA256
3bb377897b8457f0ee913adda333bdea07bebea53359e80482d7dca78e5bf416

SHA512
522e9a70c7595b0d3eebbce7111e4d13b4a2d8fbce8d826a627f25702c4526f1919134ee3c3aa156d643fa4dedaf887f46587b6fc79393ab71d158cf4e7527f5

Download Submit
C:\Windows\{87B62935-2463-4a5a-B512-0A829E240B70}.exe

Filesize
204KB

MD5
9f1f0e3a93f1a4e608d942a3e7554ecf

SHA1
5f7d6e4937fd82bd5f06b6d3fe0b6a24458d2901

SHA256
51c4418a4ade5ec8397a9e09e7e05b9272aa2a1a8a6f6c80b37a09b1f445d4f4

SHA512
36304b29c4e0807db039257dfd28b655e00da44603ae65223fc62b87de9f3e589660fc46b4da0c82e95758dbd8414ac8c89e151ac8aa8d9084602cc74ce299a3

Download Submit
C:\Windows\{C090BC05-B506-45ab-89A6-28818459087C}.exe

Filesize
204KB

MD5
2ad4dab556e6710ba1ddd2562a0239b4

SHA1
83f099b085db02c656ec803b83b29fcd63999d38

SHA256
2453f5cab68d2e3458611c329c1aa92baffbdca818b836f93d7828484236182b

SHA512
d12690a9ce09e785e49d9d911e1bcf5255b73a5d8268101bbdd4356dac3c84ff0b3dc5e896eb6cf4bb332cedf7b8c13b7a5921c0af76cf80b6cedee69fdd5d7a

Download Submit
C:\Windows\{C090BC05-B506-45ab-89A6-28818459087C}.exe

Filesize
32KB

MD5
022256717bb9942a9d3483e6d1108bf9

SHA1
4f50bbe7c94346e445d4c38a8c8c06719350eba9

SHA256
62d33c44e57b28d9b0a91531457b26f102200c8511bae6695ca7c28d4b8222dd

SHA512
ea85f62d6cf714f71df8bf3082c37efb4d6906d8f153ff1e4302f51806710934844505d3ca43c5278050a81d6bb9e87de993ac4ee432990281bb49dce8893b4c

Download Submit
C:\Windows\{C124860D-7205-453c-AF9D-15592FC86474}.exe

Filesize
204KB

MD5
9313c820056d136525364d2e63a604f1

SHA1
d11d5aa1c4abb19bc373e15eff6c613801c6f080

SHA256
aad3d2979dd02c0af77981fc8fec4299c325aa36b7110eb3563df56c6be12860

SHA512
f40f38da007a8f9b7f6eed49005a64f2eed5289514073849b995823c6f87af3de341b492d3f8cc5f0e5b876868ebdbaaee9c5caaaddaff677ec7a5df520193df

Download Submit
C:\Windows\{D414B42A-4E2C-4f0c-888B-587E38D3FDD7}.exe

Filesize
204KB

MD5
6bcd642496a8d8d2541f199f2cc26d77

SHA1
fb0217831131956c020a247eec7544c4ee3d412b

SHA256
448239498e84f9ada1606c790c4a754cd26b60a1581944b1bf04abac88e4a42e

SHA512
2c75d66572ba27d8a6ce9727e7e10642856d21b93f0400eb46af28194a7b7e8de0e5ae09abb5599b18c03896fe7fa469bea4e377e69bfd88552fc184d9e700d6

Download Submit
C:\Windows\{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe

Filesize
92KB

MD5
0dc5e4d3826fd27fe6a7c5c118026c72

SHA1
c1ae99264709d261e9d848e6b1af685f0c2681f3

SHA256
56c13563f67878b3f83996f77925816b1c20532aba06a13d46d6363db6f78bd2

SHA512
a404fd7717e335053d02d41d634bf7508d01b7e0aa8b48e83187e52ece404cbde70324fa12186b2c32b1cba59898f8940b2e1dfcc1d0483aaf8561c16fa7d066

Download Submit
C:\Windows\{D7A78CAB-050A-4554-B8A0-AD4884B3B3F1}.exe

Filesize
204KB

MD5
15c9a80b7a75f3031db6fa1ac0d724f0

SHA1
5297106248ad6df9455f692219d9b2fe79289fae

SHA256
3224d7f56dd4adeb3de1a778d357aa34bfbe986be23719de05a183036f2cfb6c

SHA512
2a3047ca3317438172f3080fb2c8d9d54ef308c104a66ffb1340023ad230d45ad49b299760b7a447592e68bc38344a798213215623cce1e6cf9f5a54e12a99cd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads