269943018e3e3e58f50c214ae524708fefd02ae71edcd9164be25374fdd367a0

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 05:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe
Size

168KB
MD5

2d276bfd3d0ac019ddcfb8813e1e9dc3
SHA1

0fe1c7dbbd12f18537aedc9094ee1ac7438e5c1a
SHA256

269943018e3e3e58f50c214ae524708fefd02ae71edcd9164be25374fdd367a0
SHA512

da0eae9f7fba3dd3d3b59a69138991504b90777e1fa243f2a94640174db51c67da5301ce5b1e12260d1fd2276536100e0f814eaab904d76cb903d26ea2abd4e0
SSDEEP

1536:1EGh0oGlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oGlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}\stubpath = "C:\\Windows\\{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe"	{95164B60-8C49-44dc-9405-1E694CB552E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9736DF62-C284-4677-93FE-B42DA41D5314}	{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6D985E6-12DE-43c5-89B7-F417F8743254}\stubpath = "C:\\Windows\\{F6D985E6-12DE-43c5-89B7-F417F8743254}.exe"	{9736DF62-C284-4677-93FE-B42DA41D5314}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B56E9C1-8B1B-4cd1-BD56-3B55F1018595}\stubpath = "C:\\Windows\\{8B56E9C1-8B1B-4cd1-BD56-3B55F1018595}.exe"	{F6D985E6-12DE-43c5-89B7-F417F8743254}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1774CE1-4330-49d2-BF9B-1E699FCAE119}	{D842A26F-8199-44ab-A9B2-DD32F81DCD10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}\stubpath = "C:\\Windows\\{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe"	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}	{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}	{95164B60-8C49-44dc-9405-1E694CB552E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{909915C7-BFFB-460e-8670-52D38F4D4684}\stubpath = "C:\\Windows\\{909915C7-BFFB-460e-8670-52D38F4D4684}.exe"	{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AC491BD-9043-4702-83D0-4F09DFEB6B12}\stubpath = "C:\\Windows\\{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe"	{909915C7-BFFB-460e-8670-52D38F4D4684}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9736DF62-C284-4677-93FE-B42DA41D5314}\stubpath = "C:\\Windows\\{9736DF62-C284-4677-93FE-B42DA41D5314}.exe"	{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1774CE1-4330-49d2-BF9B-1E699FCAE119}\stubpath = "C:\\Windows\\{E1774CE1-4330-49d2-BF9B-1E699FCAE119}.exe"	{D842A26F-8199-44ab-A9B2-DD32F81DCD10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}\stubpath = "C:\\Windows\\{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe"	{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95164B60-8C49-44dc-9405-1E694CB552E3}	{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{909915C7-BFFB-460e-8670-52D38F4D4684}	{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6D985E6-12DE-43c5-89B7-F417F8743254}	{9736DF62-C284-4677-93FE-B42DA41D5314}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B56E9C1-8B1B-4cd1-BD56-3B55F1018595}	{F6D985E6-12DE-43c5-89B7-F417F8743254}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D842A26F-8199-44ab-A9B2-DD32F81DCD10}\stubpath = "C:\\Windows\\{D842A26F-8199-44ab-A9B2-DD32F81DCD10}.exe"	{8B56E9C1-8B1B-4cd1-BD56-3B55F1018595}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}	{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}\stubpath = "C:\\Windows\\{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe"	{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D842A26F-8199-44ab-A9B2-DD32F81DCD10}	{8B56E9C1-8B1B-4cd1-BD56-3B55F1018595}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95164B60-8C49-44dc-9405-1E694CB552E3}\stubpath = "C:\\Windows\\{95164B60-8C49-44dc-9405-1E694CB552E3}.exe"	{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AC491BD-9043-4702-83D0-4F09DFEB6B12}	{909915C7-BFFB-460e-8670-52D38F4D4684}.exe

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
1884	{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe
2896	{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe
2636	{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe
536	{95164B60-8C49-44dc-9405-1E694CB552E3}.exe
1152	{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe
1084	{909915C7-BFFB-460e-8670-52D38F4D4684}.exe
1784	{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe
1488	{9736DF62-C284-4677-93FE-B42DA41D5314}.exe
272	{F6D985E6-12DE-43c5-89B7-F417F8743254}.exe
2320	{8B56E9C1-8B1B-4cd1-BD56-3B55F1018595}.exe
1672	{D842A26F-8199-44ab-A9B2-DD32F81DCD10}.exe
2408	{E1774CE1-4330-49d2-BF9B-1E699FCAE119}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe
File created	C:\Windows\{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe	{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe
File created	C:\Windows\{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe	{95164B60-8C49-44dc-9405-1E694CB552E3}.exe
File created	C:\Windows\{909915C7-BFFB-460e-8670-52D38F4D4684}.exe	{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe
File created	C:\Windows\{F6D985E6-12DE-43c5-89B7-F417F8743254}.exe	{9736DF62-C284-4677-93FE-B42DA41D5314}.exe
File created	C:\Windows\{8B56E9C1-8B1B-4cd1-BD56-3B55F1018595}.exe	{F6D985E6-12DE-43c5-89B7-F417F8743254}.exe
File created	C:\Windows\{D842A26F-8199-44ab-A9B2-DD32F81DCD10}.exe	{8B56E9C1-8B1B-4cd1-BD56-3B55F1018595}.exe
File created	C:\Windows\{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe	{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe
File created	C:\Windows\{95164B60-8C49-44dc-9405-1E694CB552E3}.exe	{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe
File created	C:\Windows\{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe	{909915C7-BFFB-460e-8670-52D38F4D4684}.exe
File created	C:\Windows\{9736DF62-C284-4677-93FE-B42DA41D5314}.exe	{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe
File created	C:\Windows\{E1774CE1-4330-49d2-BF9B-1E699FCAE119}.exe	{D842A26F-8199-44ab-A9B2-DD32F81DCD10}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1680	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1884	{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe
Token: SeIncBasePriorityPrivilege	2896	{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe
Token: SeIncBasePriorityPrivilege	2636	{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe
Token: SeIncBasePriorityPrivilege	536	{95164B60-8C49-44dc-9405-1E694CB552E3}.exe
Token: SeIncBasePriorityPrivilege	1152	{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe
Token: SeIncBasePriorityPrivilege	1084	{909915C7-BFFB-460e-8670-52D38F4D4684}.exe
Token: SeIncBasePriorityPrivilege	1784	{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe
Token: SeIncBasePriorityPrivilege	1488	{9736DF62-C284-4677-93FE-B42DA41D5314}.exe
Token: SeIncBasePriorityPrivilege	272	{F6D985E6-12DE-43c5-89B7-F417F8743254}.exe
Token: SeIncBasePriorityPrivilege	2320	{8B56E9C1-8B1B-4cd1-BD56-3B55F1018595}.exe
Token: SeIncBasePriorityPrivilege	1672	{D842A26F-8199-44ab-A9B2-DD32F81DCD10}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1884	1680	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe	28
PID 1680 wrote to memory of 1884	1680	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe	28
PID 1680 wrote to memory of 1884	1680	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe	28
PID 1680 wrote to memory of 1884	1680	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe	28
PID 1680 wrote to memory of 2704	1680	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe	29
PID 1680 wrote to memory of 2704	1680	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe	29
PID 1680 wrote to memory of 2704	1680	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe	29
PID 1680 wrote to memory of 2704	1680	2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe	29
PID 1884 wrote to memory of 2896	1884	{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe	30
PID 1884 wrote to memory of 2896	1884	{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe	30
PID 1884 wrote to memory of 2896	1884	{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe	30
PID 1884 wrote to memory of 2896	1884	{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe	30
PID 1884 wrote to memory of 2820	1884	{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe	31
PID 1884 wrote to memory of 2820	1884	{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe	31
PID 1884 wrote to memory of 2820	1884	{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe	31
PID 1884 wrote to memory of 2820	1884	{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe	31
PID 2896 wrote to memory of 2636	2896	{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe	34
PID 2896 wrote to memory of 2636	2896	{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe	34
PID 2896 wrote to memory of 2636	2896	{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe	34
PID 2896 wrote to memory of 2636	2896	{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe	34
PID 2896 wrote to memory of 2128	2896	{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe	35
PID 2896 wrote to memory of 2128	2896	{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe	35
PID 2896 wrote to memory of 2128	2896	{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe	35
PID 2896 wrote to memory of 2128	2896	{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe	35
PID 2636 wrote to memory of 536	2636	{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe	36
PID 2636 wrote to memory of 536	2636	{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe	36
PID 2636 wrote to memory of 536	2636	{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe	36
PID 2636 wrote to memory of 536	2636	{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe	36
PID 2636 wrote to memory of 2932	2636	{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe	37
PID 2636 wrote to memory of 2932	2636	{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe	37
PID 2636 wrote to memory of 2932	2636	{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe	37
PID 2636 wrote to memory of 2932	2636	{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe	37
PID 536 wrote to memory of 1152	536	{95164B60-8C49-44dc-9405-1E694CB552E3}.exe	38
PID 536 wrote to memory of 1152	536	{95164B60-8C49-44dc-9405-1E694CB552E3}.exe	38
PID 536 wrote to memory of 1152	536	{95164B60-8C49-44dc-9405-1E694CB552E3}.exe	38
PID 536 wrote to memory of 1152	536	{95164B60-8C49-44dc-9405-1E694CB552E3}.exe	38
PID 536 wrote to memory of 596	536	{95164B60-8C49-44dc-9405-1E694CB552E3}.exe	39
PID 536 wrote to memory of 596	536	{95164B60-8C49-44dc-9405-1E694CB552E3}.exe	39
PID 536 wrote to memory of 596	536	{95164B60-8C49-44dc-9405-1E694CB552E3}.exe	39
PID 536 wrote to memory of 596	536	{95164B60-8C49-44dc-9405-1E694CB552E3}.exe	39
PID 1152 wrote to memory of 1084	1152	{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe	40
PID 1152 wrote to memory of 1084	1152	{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe	40
PID 1152 wrote to memory of 1084	1152	{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe	40
PID 1152 wrote to memory of 1084	1152	{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe	40
PID 1152 wrote to memory of 2644	1152	{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe	41
PID 1152 wrote to memory of 2644	1152	{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe	41
PID 1152 wrote to memory of 2644	1152	{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe	41
PID 1152 wrote to memory of 2644	1152	{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe	41
PID 1084 wrote to memory of 1784	1084	{909915C7-BFFB-460e-8670-52D38F4D4684}.exe	42
PID 1084 wrote to memory of 1784	1084	{909915C7-BFFB-460e-8670-52D38F4D4684}.exe	42
PID 1084 wrote to memory of 1784	1084	{909915C7-BFFB-460e-8670-52D38F4D4684}.exe	42
PID 1084 wrote to memory of 1784	1084	{909915C7-BFFB-460e-8670-52D38F4D4684}.exe	42
PID 1084 wrote to memory of 696	1084	{909915C7-BFFB-460e-8670-52D38F4D4684}.exe	43
PID 1084 wrote to memory of 696	1084	{909915C7-BFFB-460e-8670-52D38F4D4684}.exe	43
PID 1084 wrote to memory of 696	1084	{909915C7-BFFB-460e-8670-52D38F4D4684}.exe	43
PID 1084 wrote to memory of 696	1084	{909915C7-BFFB-460e-8670-52D38F4D4684}.exe	43
PID 1784 wrote to memory of 1488	1784	{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe	44
PID 1784 wrote to memory of 1488	1784	{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe	44
PID 1784 wrote to memory of 1488	1784	{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe	44
PID 1784 wrote to memory of 1488	1784	{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe	44
PID 1784 wrote to memory of 776	1784	{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe	45
PID 1784 wrote to memory of 776	1784	{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe	45
PID 1784 wrote to memory of 776	1784	{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe	45
PID 1784 wrote to memory of 776	1784	{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_2d276bfd3d0ac019ddcfb8813e1e9dc3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe
  C:\Windows\{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe
    C:\Windows\{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe
      C:\Windows\{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\{95164B60-8C49-44dc-9405-1E694CB552E3}.exe
        
        C:\Windows\{95164B60-8C49-44dc-9405-1E694CB552E3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:536
      - C:\Windows\{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe
        
        C:\Windows\{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{909915C7-BFFB-460e-8670-52D38F4D4684}.exe
        
        C:\Windows\{909915C7-BFFB-460e-8670-52D38F4D4684}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe
        
        C:\Windows\{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{9736DF62-C284-4677-93FE-B42DA41D5314}.exe
        
        C:\Windows\{9736DF62-C284-4677-93FE-B42DA41D5314}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\{F6D985E6-12DE-43c5-89B7-F417F8743254}.exe
        
        C:\Windows\{F6D985E6-12DE-43c5-89B7-F417F8743254}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:272
        
        C:\Windows\{8B56E9C1-8B1B-4cd1-BD56-3B55F1018595}.exe
        
        C:\Windows\{8B56E9C1-8B1B-4cd1-BD56-3B55F1018595}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\{D842A26F-8199-44ab-A9B2-DD32F81DCD10}.exe
        
        C:\Windows\{D842A26F-8199-44ab-A9B2-DD32F81DCD10}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D842A~1.EXE > nul
        13⤵
        
        PID:1456
        
        C:\Windows\{E1774CE1-4330-49d2-BF9B-1E699FCAE119}.exe
        
        C:\Windows\{E1774CE1-4330-49d2-BF9B-1E699FCAE119}.exe
        13⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B56E~1.EXE > nul
        12⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6D98~1.EXE > nul
        11⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9736D~1.EXE > nul
        10⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AC49~1.EXE > nul
        9⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90991~1.EXE > nul
        8⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FF70~1.EXE > nul
        7⤵
        
        PID:2644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95164~1.EXE > nul
        6⤵
        
        PID:596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7C7B~1.EXE > nul
        5⤵
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9D9D7~1.EXE > nul
      4⤵
      PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0D5BD~1.EXE > nul
    3⤵
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D5BDB17-1F5E-41b4-BA5B-186838878EB4}.exe

Filesize
168KB

MD5
b085b4779ba06e1d27b5957c1d5c523c

SHA1
5a53352070a643dafec952e80195f2a121658095

SHA256
12ef72c2bbdcc0ea63c7dbb952fc1fbe6cfdcfa3eaaaa5fa42f848632a7d2e3d

SHA512
a916c23baa988ef1c38522c27779d9930ef63bd79b390fff743c57d7f665a46b5995cfe04ec1764bdc27258290c6c17f7647a20fd9a6c987d676ae345a5e1a1e

Download Submit
C:\Windows\{2FF7020B-1DD1-44cc-ABDE-1144C04970BD}.exe

Filesize
168KB

MD5
88b0885f067534d23210726828505a16

SHA1
8db841f04aaf0b24452a43df98327d2ca3d930de

SHA256
e1f117929a9334af2de22fd4ab1b62d01283920fab13fb8d2e59fad9d3161921

SHA512
c7102573616660b44341d50e7d6f757d44a374b1885d756ac1933e5cf6215429283a869e2155de348e1eaed82d7176e69345cb71802b4b4001961778bb47ecd5

Download Submit
C:\Windows\{4AC491BD-9043-4702-83D0-4F09DFEB6B12}.exe

Filesize
168KB

MD5
792d9c955e562776d58b7dd94d5e4027

SHA1
cf1380bae3d55451de9d73b98827aa7a030ff623

SHA256
cc2341c2fd728bc3769978d56f2013c72fd1c3b8e56f48752853f884a584cd1a

SHA512
1a90490231d689280467ca4ff96df0374626c1ca5e9a8b0b8617b12d5991ff874bf931d4cbb0d00edfb16ea4fb4781a46cf32f25cf564f25d22c0c61b8a65950

Download Submit
C:\Windows\{8B56E9C1-8B1B-4cd1-BD56-3B55F1018595}.exe

Filesize
66KB

MD5
59a929a0153d61bdb800027cd5e6dbeb

SHA1
1ce5663eaa3add7689dfcc40abbc70555ab7ab3e

SHA256
d7cdceba86b28332ab1aafdcb4a763a998576964253510c4431614c69a8cfdf5

SHA512
1e9474cff2935d7f938bdc4c86e0b550c249b668081ddbbb980d7123489c140708536087d81580516ad37503756b25cc167ee4da04e0b87073b697e2d34bf68f

Download Submit
C:\Windows\{8B56E9C1-8B1B-4cd1-BD56-3B55F1018595}.exe

Filesize
168KB

MD5
f883774e0828085d1fb5e0225e1dad51

SHA1
4410cba5d12e2cc9df5822280b5e0e6814f9e265

SHA256
90490a5651645d0a6151c2038d7b4878694905a48a9dee8766fba76a57d55804

SHA512
388f6b3d240cfbed835d730ab4e8b35d90aafc22f3b61bb74c4c2d046cf4e3463a54e4fb408ea523a3c1abc5de95465f35a9ecc86d80c2f7fda19ef0d2b418e3

Download Submit
C:\Windows\{909915C7-BFFB-460e-8670-52D38F4D4684}.exe

Filesize
168KB

MD5
2832358cae072fa2b588230608db0110

SHA1
7b30e1cd0b942a75796b868ceaceb2dc0bd29399

SHA256
a25c40f9a92d1f61d16482174c6a8979923862bc3e1b275c5ed89c695c336543

SHA512
0bd6d54ea3d557629b0540384aeb362e0affcaf50462875c06658dbf5ee8a38ce1ff68e72fc5db9cafce8f88889d15cbcbc0112c226211f5d6f1fe441b506359

Download Submit
C:\Windows\{909915C7-BFFB-460e-8670-52D38F4D4684}.exe

Filesize
103KB

MD5
6fbd372c7ec921627b14078818117d0b

SHA1
a47df8a6f51e29942ea224cabe1e1029164d036f

SHA256
3a64623ab583e3cfced23eb152481d3fbdd20137500904ec9ac1d0600643c664

SHA512
9cf407d3a368979dd0c7354195c9071863a74253a609e9815da640f053b2256cff2ecd600b9299b4f0d911bf8628e081f58a18c97ea95d8c7aeeb7f6238ad39e

Download Submit
C:\Windows\{95164B60-8C49-44dc-9405-1E694CB552E3}.exe

Filesize
168KB

MD5
cba60e09001a1a2df1ef71d5fb3708de

SHA1
fa407a93986841d045700b271ad6dd07ee70c92e

SHA256
1081a88c949d70f4965723abb6aee7bdf9e8b9b2c9cd949b721921a3fb3257b6

SHA512
5232563a6c9b06e2ba99935fcbfbc806a928a3737bb5143b04b7e4f20cc106ac0dbcce6fd0c115f3d46d9404f13f2195bee2b9f55909034cb46872294fd7700a

Download Submit
C:\Windows\{9736DF62-C284-4677-93FE-B42DA41D5314}.exe

Filesize
168KB

MD5
7d727d1d947d4e7263cdc35a5b11c3fb

SHA1
927ef5f9fdd978176a6e4bbe9d89adc7a3e7f47e

SHA256
f5f3fbb0eaf9250cd1e75575f603ec704e70648ec3dc9261aff3fd97c63698cb

SHA512
d3160789e005a834540c07b39282d52f4b39a357f01ed3380aaa4d7c24c8b2627e168f3d36cf92dcd14060f4a81cb34a2600c95ee0f64b07b3a23064b9709585

Download Submit
C:\Windows\{9D9D78D2-DB01-417e-9ADF-63F8B22CCE98}.exe

Filesize
168KB

MD5
d3976352b5f04e742620c057e7e9ae5c

SHA1
ae9be83ad855266d5f9cd5d9843a8f3f02af5538

SHA256
d548efdce95fa0c5c7b0a4a801f8a3e6015e4b288fca21209dbc30c9ab2891b6

SHA512
399422e97ab515d4874160adb62bf9b11a5a304ef633d6feabd48e13b49be67f6548c11e318c4dcfb822a5b9fd70a607e746fac3b104dff2b64f848978078f92

Download Submit
C:\Windows\{D7C7B4C7-39C8-4e77-8855-06F4981C6FE1}.exe

Filesize
168KB

MD5
02094dafb2495e5b1828ab7d9a6a0154

SHA1
57820afcde1c82aab64685b2c0ee092dbf3cc8f4

SHA256
d47b2ed72096fe9c231687dfa61284260fc1cd75b8639297123df8e21442cf14

SHA512
25775131a6463ab01fc2cd61957708b2d6e0db9c64a757ad33410fa891d20404bd178929372c98c168f2645799a007400dfbfe4df1a6f8580df163eb57f90483

Download Submit
C:\Windows\{D842A26F-8199-44ab-A9B2-DD32F81DCD10}.exe

Filesize
168KB

MD5
27456d9825cfdef99dc5de7bbe6cc8f9

SHA1
1ae015b8014b47c9fca6d49158952f66c04ed56f

SHA256
a5a530cc1d375a2b6526bab943019798f9057239368622ecb085434e3e7f0d36

SHA512
5347da44d074ef20bee6d460242b86228e8964d774cc9ed413cf3d7524493ecff8b2d46b80fd269a846ea4ee5d4e9cac07acd0291ea93373ca13f6bf15ca475c

Download Submit
C:\Windows\{E1774CE1-4330-49d2-BF9B-1E699FCAE119}.exe

Filesize
168KB

MD5
41de930fd0533cbf833330b555160af2

SHA1
6311b763fdd8cca2ff39a19507a91749e2d6bc42

SHA256
79317c751bbf92335032248f8db25ed4cc39e0503d9e28588ae1fc70c7bedcd7

SHA512
5052b84a73cb55f9c62c5152c2ecd3a956994bd0b9cf31a1c615f0a4f851011164498b251ea66ea0f7757db9d06da71567e788f0e5c7f257aec85717c74837a8

Download Submit
C:\Windows\{F6D985E6-12DE-43c5-89B7-F417F8743254}.exe

Filesize
168KB

MD5
2d236c318a90fea7a74125ed7957ed90

SHA1
d7758c044a91b8dcdf1e4d3c1632a31f0cb9a32d

SHA256
6b8fa274c13da938a8d638db9f4754fc00005fc91d50237ad61d5e45d064371b

SHA512
b860518d1cd527e314ce693855507d1f3c358395bf602d79a56b66be6ecb0349b8a6ba53018f43aa6e5f2a2871670073693564253dc345224874f7a3f0bb0ce2

Download Submit
C:\Windows\{F6D985E6-12DE-43c5-89B7-F417F8743254}.exe

Filesize
45KB

MD5
b39cfa2d0d21009b2fd74e210d2ce856

SHA1
b14420886b120e61b672f9856f3a4fdb198fa7db

SHA256
9d42aa34b6489d7fba97a67b0680c65f9ef062122c588a76c9d9c41c372c3e24

SHA512
20f8f43186188399dfa5e2a32b9cc1e1a27820fdfba702cf1c69d1f05261ebbcebe23017e92a1f834c226d465c1299a8652880a826fc2a3eb96581769157fd12

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads