ba7ecfbc64aab3587f713f9fb16712fa7a55c954d198438140d0ba9a28940d82

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-01-2024 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe
Size

408KB
MD5

5554270cbd6f37a1e271e3c409f2a433
SHA1

f0af2b66f5a8a5ae2590476aeb5e5e23aca548f7
SHA256

ba7ecfbc64aab3587f713f9fb16712fa7a55c954d198438140d0ba9a28940d82
SHA512

49523c5eed7fb53160a3ba7003caa20f4846e3fc38da611a121fe51dc4c1e76e822275f20a884a955d1a4125600d214796abf3e5b94c649471e202429eda9404
SSDEEP

3072:CEGh0oGl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGYldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}\stubpath = "C:\\Windows\\{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe"	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C8FA2DD-DCE1-4fff-900B-242E69482B53}\stubpath = "C:\\Windows\\{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe"	{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B43D563-054A-4ae1-A741-89D6FDB01DBB}	{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7918624-5757-44a6-A9FF-09F8FAB10401}	{D8E9DF06-6E27-4e2c-9245-14EBDEC89AD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{147E23B3-8E5B-45be-A9CA-C0F00D29B0F1}\stubpath = "C:\\Windows\\{147E23B3-8E5B-45be-A9CA-C0F00D29B0F1}.exe"	{E7918624-5757-44a6-A9FF-09F8FAB10401}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D6AFE71-964E-48cb-9F52-850FCB772CE2}	{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B43D563-054A-4ae1-A741-89D6FDB01DBB}\stubpath = "C:\\Windows\\{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe"	{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83508F8E-A154-40c1-A93C-8C3CFE842723}\stubpath = "C:\\Windows\\{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe"	{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA30ED5E-EA8B-4864-9B4C-6E200C726F95}\stubpath = "C:\\Windows\\{FA30ED5E-EA8B-4864-9B4C-6E200C726F95}.exe"	{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8E9DF06-6E27-4e2c-9245-14EBDEC89AD4}\stubpath = "C:\\Windows\\{D8E9DF06-6E27-4e2c-9245-14EBDEC89AD4}.exe"	{FA30ED5E-EA8B-4864-9B4C-6E200C726F95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7918624-5757-44a6-A9FF-09F8FAB10401}\stubpath = "C:\\Windows\\{E7918624-5757-44a6-A9FF-09F8FAB10401}.exe"	{D8E9DF06-6E27-4e2c-9245-14EBDEC89AD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F2E6622-A055-43b8-9598-636623608A87}\stubpath = "C:\\Windows\\{4F2E6622-A055-43b8-9598-636623608A87}.exe"	{147E23B3-8E5B-45be-A9CA-C0F00D29B0F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}	{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}\stubpath = "C:\\Windows\\{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe"	{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C8FA2DD-DCE1-4fff-900B-242E69482B53}	{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D6AFE71-964E-48cb-9F52-850FCB772CE2}\stubpath = "C:\\Windows\\{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe"	{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8F1CD60-4276-495e-9C1C-281E49F42EC9}	{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8E9DF06-6E27-4e2c-9245-14EBDEC89AD4}	{FA30ED5E-EA8B-4864-9B4C-6E200C726F95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F2E6622-A055-43b8-9598-636623608A87}	{147E23B3-8E5B-45be-A9CA-C0F00D29B0F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8F1CD60-4276-495e-9C1C-281E49F42EC9}\stubpath = "C:\\Windows\\{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe"	{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83508F8E-A154-40c1-A93C-8C3CFE842723}	{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA30ED5E-EA8B-4864-9B4C-6E200C726F95}	{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{147E23B3-8E5B-45be-A9CA-C0F00D29B0F1}	{E7918624-5757-44a6-A9FF-09F8FAB10401}.exe

Deletes itself 1 IoCs

pid	Process
2356	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2732	{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe
2684	{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe
2544	{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe
1792	{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe
2908	{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe
2156	{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe
2736	{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe
1588	{FA30ED5E-EA8B-4864-9B4C-6E200C726F95}.exe
2076	{D8E9DF06-6E27-4e2c-9245-14EBDEC89AD4}.exe
2084	{E7918624-5757-44a6-A9FF-09F8FAB10401}.exe
1532	{147E23B3-8E5B-45be-A9CA-C0F00D29B0F1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D8E9DF06-6E27-4e2c-9245-14EBDEC89AD4}.exe	{FA30ED5E-EA8B-4864-9B4C-6E200C726F95}.exe
File created	C:\Windows\{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe	{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe
File created	C:\Windows\{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe	{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe
File created	C:\Windows\{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe	{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe
File created	C:\Windows\{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe	{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe
File created	C:\Windows\{FA30ED5E-EA8B-4864-9B4C-6E200C726F95}.exe	{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe
File created	C:\Windows\{4F2E6622-A055-43b8-9598-636623608A87}.exe	{147E23B3-8E5B-45be-A9CA-C0F00D29B0F1}.exe
File created	C:\Windows\{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe
File created	C:\Windows\{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe	{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe
File created	C:\Windows\{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe	{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe
File created	C:\Windows\{E7918624-5757-44a6-A9FF-09F8FAB10401}.exe	{D8E9DF06-6E27-4e2c-9245-14EBDEC89AD4}.exe
File created	C:\Windows\{147E23B3-8E5B-45be-A9CA-C0F00D29B0F1}.exe	{E7918624-5757-44a6-A9FF-09F8FAB10401}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1764	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2732	{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe
Token: SeIncBasePriorityPrivilege	2684	{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe
Token: SeIncBasePriorityPrivilege	2544	{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe
Token: SeIncBasePriorityPrivilege	1792	{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe
Token: SeIncBasePriorityPrivilege	2908	{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe
Token: SeIncBasePriorityPrivilege	2156	{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe
Token: SeIncBasePriorityPrivilege	2736	{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe
Token: SeIncBasePriorityPrivilege	1588	{FA30ED5E-EA8B-4864-9B4C-6E200C726F95}.exe
Token: SeIncBasePriorityPrivilege	2076	{D8E9DF06-6E27-4e2c-9245-14EBDEC89AD4}.exe
Token: SeIncBasePriorityPrivilege	2084	{E7918624-5757-44a6-A9FF-09F8FAB10401}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2732	1764	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe	28
PID 1764 wrote to memory of 2732	1764	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe	28
PID 1764 wrote to memory of 2732	1764	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe	28
PID 1764 wrote to memory of 2732	1764	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe	28
PID 1764 wrote to memory of 2356	1764	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe	29
PID 1764 wrote to memory of 2356	1764	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe	29
PID 1764 wrote to memory of 2356	1764	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe	29
PID 1764 wrote to memory of 2356	1764	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe	29
PID 2732 wrote to memory of 2684	2732	{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe	30
PID 2732 wrote to memory of 2684	2732	{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe	30
PID 2732 wrote to memory of 2684	2732	{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe	30
PID 2732 wrote to memory of 2684	2732	{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe	30
PID 2732 wrote to memory of 2252	2732	{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe	31
PID 2732 wrote to memory of 2252	2732	{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe	31
PID 2732 wrote to memory of 2252	2732	{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe	31
PID 2732 wrote to memory of 2252	2732	{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe	31
PID 2684 wrote to memory of 2544	2684	{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe	34
PID 2684 wrote to memory of 2544	2684	{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe	34
PID 2684 wrote to memory of 2544	2684	{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe	34
PID 2684 wrote to memory of 2544	2684	{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe	34
PID 2684 wrote to memory of 2620	2684	{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe	35
PID 2684 wrote to memory of 2620	2684	{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe	35
PID 2684 wrote to memory of 2620	2684	{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe	35
PID 2684 wrote to memory of 2620	2684	{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe	35
PID 2544 wrote to memory of 1792	2544	{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe	36
PID 2544 wrote to memory of 1792	2544	{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe	36
PID 2544 wrote to memory of 1792	2544	{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe	36
PID 2544 wrote to memory of 1792	2544	{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe	36
PID 2544 wrote to memory of 2940	2544	{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe	37
PID 2544 wrote to memory of 2940	2544	{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe	37
PID 2544 wrote to memory of 2940	2544	{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe	37
PID 2544 wrote to memory of 2940	2544	{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe	37
PID 1792 wrote to memory of 2908	1792	{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe	38
PID 1792 wrote to memory of 2908	1792	{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe	38
PID 1792 wrote to memory of 2908	1792	{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe	38
PID 1792 wrote to memory of 2908	1792	{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe	38
PID 1792 wrote to memory of 2972	1792	{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe	39
PID 1792 wrote to memory of 2972	1792	{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe	39
PID 1792 wrote to memory of 2972	1792	{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe	39
PID 1792 wrote to memory of 2972	1792	{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe	39
PID 2908 wrote to memory of 2156	2908	{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe	40
PID 2908 wrote to memory of 2156	2908	{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe	40
PID 2908 wrote to memory of 2156	2908	{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe	40
PID 2908 wrote to memory of 2156	2908	{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe	40
PID 2908 wrote to memory of 1244	2908	{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe	41
PID 2908 wrote to memory of 1244	2908	{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe	41
PID 2908 wrote to memory of 1244	2908	{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe	41
PID 2908 wrote to memory of 1244	2908	{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe	41
PID 2156 wrote to memory of 2736	2156	{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe	42
PID 2156 wrote to memory of 2736	2156	{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe	42
PID 2156 wrote to memory of 2736	2156	{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe	42
PID 2156 wrote to memory of 2736	2156	{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe	42
PID 2156 wrote to memory of 2784	2156	{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe	43
PID 2156 wrote to memory of 2784	2156	{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe	43
PID 2156 wrote to memory of 2784	2156	{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe	43
PID 2156 wrote to memory of 2784	2156	{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe	43
PID 2736 wrote to memory of 1588	2736	{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe	44
PID 2736 wrote to memory of 1588	2736	{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe	44
PID 2736 wrote to memory of 1588	2736	{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe	44
PID 2736 wrote to memory of 1588	2736	{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe	44
PID 2736 wrote to memory of 2068	2736	{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe	45
PID 2736 wrote to memory of 2068	2736	{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe	45
PID 2736 wrote to memory of 2068	2736	{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe	45
PID 2736 wrote to memory of 2068	2736	{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe
  C:\Windows\{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe
    C:\Windows\{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe
      C:\Windows\{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe
        
        C:\Windows\{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
      - C:\Windows\{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe
        
        C:\Windows\{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe
        
        C:\Windows\{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe
        
        C:\Windows\{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{FA30ED5E-EA8B-4864-9B4C-6E200C726F95}.exe
        
        C:\Windows\{FA30ED5E-EA8B-4864-9B4C-6E200C726F95}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\{D8E9DF06-6E27-4e2c-9245-14EBDEC89AD4}.exe
        
        C:\Windows\{D8E9DF06-6E27-4e2c-9245-14EBDEC89AD4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\{E7918624-5757-44a6-A9FF-09F8FAB10401}.exe
        
        C:\Windows\{E7918624-5757-44a6-A9FF-09F8FAB10401}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\{147E23B3-8E5B-45be-A9CA-C0F00D29B0F1}.exe
        
        C:\Windows\{147E23B3-8E5B-45be-A9CA-C0F00D29B0F1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1532
        
        C:\Windows\{4F2E6622-A055-43b8-9598-636623608A87}.exe
        
        C:\Windows\{4F2E6622-A055-43b8-9598-636623608A87}.exe
        13⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{147E2~1.EXE > nul
        13⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7918~1.EXE > nul
        12⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8E9D~1.EXE > nul
        11⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA30E~1.EXE > nul
        10⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83508~1.EXE > nul
        9⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8F1C~1.EXE > nul
        8⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B43D~1.EXE > nul
        7⤵
        
        PID:1244
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D6AF~1.EXE > nul
        6⤵
        
        PID:2972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C8FA~1.EXE > nul
        5⤵
        
        PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DA9A5~1.EXE > nul
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B8F05~1.EXE > nul
    3⤵
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{147E23B3-8E5B-45be-A9CA-C0F00D29B0F1}.exe

Filesize
176KB

MD5
9b39ca03524d2af03db5766184733aba

SHA1
96397a077a04f3193421f30bec1568fd39174c2a

SHA256
5f67b34b3e50da33fd31e9f3246c856b6dba93276aa3f097d82d40e7475ceb9c

SHA512
f0c020fed818de03db3b0ee9bc2814a31bd014712ba7a02883c8049e1312b64036eabf60f15470fc054d32b255fcad5202286872669a39d49ab594e7895ff37e

Download Submit
C:\Windows\{147E23B3-8E5B-45be-A9CA-C0F00D29B0F1}.exe

Filesize
93KB

MD5
215ee238f126d792aa8a73a970efbbfd

SHA1
e4abe4963a94b6e9c45cdf76fc10335bc4cae24e

SHA256
3006baf5058dd821425b96a7466471509995b13e55289105020a412df5fb362b

SHA512
7b859525684cb26defa603add930ff3c818d52346737195f9a40296bf3c6d76c5a56e15c19e0bbfff3d48a2de1fc996be468b50e6eccf2b65c0cd77c2f77c3dd

Download Submit
C:\Windows\{3D6AFE71-964E-48cb-9F52-850FCB772CE2}.exe

Filesize
408KB

MD5
78661b9eec99e1da4f89f3e17bb220b4

SHA1
4e5a897330bdbc73ab4ca3842303ea87fa5b8f51

SHA256
55f0416854f837565bd96df43ee79d441c06509c87d1cf41c4d7310dddd7cb2d

SHA512
94b8f76fa05956094eea01b07285eca86bb4974e3a305af87e61a7323a7f4f3fce9a9dbd243685aa06abfcdb2c48a1d1a918cf8e78479546add1192038fa23bb

Download Submit
C:\Windows\{4B43D563-054A-4ae1-A741-89D6FDB01DBB}.exe

Filesize
408KB

MD5
756d248428ac745b6b98bbbf3e53f297

SHA1
9d38e637b8baee04380b51e139bbc4b112872dde

SHA256
03c60c56c2e20bb7f2471b8c3439f644e8c373d6895f7d60a9faeb4563532267

SHA512
bf0302f07d0935a7e08534cafe77b77b5fdb01f1062725ad48d53ff02b527e901eae87b9e0dae7f4d37b114c7d3eccc19ba85967d77db94e004776eaa91c1130

Download Submit
C:\Windows\{4F2E6622-A055-43b8-9598-636623608A87}.exe

Filesize
96KB

MD5
aafd6eb97a34621f01c33142fe3997e5

SHA1
c6ded797a2305c59acae35c6d882224a3d0d8a64

SHA256
fa2cf8a4eda626ddeb79d04eb2bc7f26c04d6adc74674bbf941ae63ec102dd28

SHA512
72dc500fe6cb2189073e0abad36a24d3da5aad4e28bd06f88a7476f6034ebe95d7e06ce572158cd0ea2a67d351b54ccdbe17acfa225baa84e64436cd2618e19c

Download Submit
C:\Windows\{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe

Filesize
220KB

MD5
6de9cc3705fd5028a164252bdc4e9379

SHA1
e2fbb75ad548d272ace59699b82b0ee32bfb6b5a

SHA256
4e2dd13d3d1c462e1d739914a753129aa84f0a0df338e7c3bd0e1e8172168338

SHA512
2e69c478bcd8044880ade3e3c5d0e768a940d7864e7902db7abdcd282932991bb26d852a8ed33e7a31eb92d455349ffa7f952bae0691d7a7337c1dbc9466965c

Download Submit
C:\Windows\{7C8FA2DD-DCE1-4fff-900B-242E69482B53}.exe

Filesize
183KB

MD5
fe86f2dea16ab2fe5770a3351b8d8d81

SHA1
db170b9ae9520004a0a2026f41c195f4cb988207

SHA256
fca16bba9759f2a6d4cfbdd9a7241f5fec617dd60be6d01ce87b5c684eb042f1

SHA512
494f7dd9a4e8b80293f89b35b5588501e353f2c9a4b9e44964b29ea808fe937a92e9ee39a76b1b549a5266c649ec9a02ca86dff0b2393ec26ed6cde8acf6180c

Download Submit
C:\Windows\{83508F8E-A154-40c1-A93C-8C3CFE842723}.exe

Filesize
408KB

MD5
78055cab404694a882d561651092db7f

SHA1
ab0bd08003874b711fba3ef2c6c90b46d58dc699

SHA256
80d2197836b9f727a5061ec953ccdc9c98780918c10858004e8842c0b97efe98

SHA512
c812cc643e75d1178bd73a7c98fe66d28e49f6040275d1d4ff016ed253c30e935d9161c7721b1e52a1d2ca51cfef14019c18dabaec923a078ae4097b7da32120

Download Submit
C:\Windows\{B8F05631-1FC6-43c0-B4FA-874EBF0ECE9A}.exe

Filesize
408KB

MD5
8e1284750cb2fa978c6c763df5976fe5

SHA1
75dd0a8288aecd6c5e47a7e026088964e468e31d

SHA256
fc3553cf49ec7d9ec276acae4faab447f6092ac27111cec544b8d7f9395d4efc

SHA512
1bfb9bba3e79a52bc3391c414f252cb21d07dcc823679c1d92b6c60aed94e9f2e55e4459defd9cc262cbc22a086a91b18f90805a92f04bd609e68b241aee4ac3

Download Submit
C:\Windows\{B8F1CD60-4276-495e-9C1C-281E49F42EC9}.exe

Filesize
408KB

MD5
fc922c7592dcb987af3a111fa175c14d

SHA1
52f9116364f2f139350f6c3335c54b2fa049438f

SHA256
ab8901cebe68ff155aa1148f01fff961fa9d383caef161947d95dd23da3271b6

SHA512
a8aa62e1c7d3790a1d24238a422f5eb51ffc1eb3b1f79ce4aef0b735f6ed4cb3a400770866e73748fa947eab476d41eb24cce157b68dfe7952894a45cbf57f8e

Download Submit
C:\Windows\{D8E9DF06-6E27-4e2c-9245-14EBDEC89AD4}.exe

Filesize
323KB

MD5
46607600aa4e79c0a816d53acccf3361

SHA1
a8c30926d965015344fd26aa887c7ee851ac5225

SHA256
e82c300977f041a37857570d7dce3303e59259021a67a2725d1aae7e830b6a99

SHA512
34bd54dc229d2a0c92f04d8f93fbc25c927f629d15b43f189a8b9efa5086819fb5c7af3ca99b7c366a117f31a5009b1a664e4578fb9dbd3545d79978dff3d8a7

Download Submit
C:\Windows\{D8E9DF06-6E27-4e2c-9245-14EBDEC89AD4}.exe

Filesize
281KB

MD5
a87c516c2ad19b4192bd70334df13870

SHA1
d67b7d881dc3f99f1fa9698c33c6b6d20e41477a

SHA256
ef4ec0f84c027bd825c2fc9e89251f9a3f6ddf230b351a16ec022878defa2c90

SHA512
8c72b5b0a5ca1bd334e156a7ac97261e14d35234306cf03a107b419751e25e23e78b2e8ce34584466a7adf07c2ac345c6ca32181f23d7cacb5f6a26c4eecd3c7

Download Submit
C:\Windows\{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe

Filesize
408KB

MD5
35407ee078ac31f47f6d052b2f1acfeb

SHA1
fd86c750010733eecc7c80889d35ebfc3d3448ba

SHA256
9d579c5095475d7bdd034403582f774592a139db9f07741637335351223631a6

SHA512
3b35b563d7575e27cffe06a49aad8c1b5b5e0e3d225447bfefcab178448a2e1b654959312c2f8d3345c5bb7206c1edbaf2975c1ad97dcc10bb86deb155f1bfd4

Download Submit
C:\Windows\{DA9A568D-B5A2-4a8d-8C17-AB9098A0CEDB}.exe

Filesize
269KB

MD5
f5e7ecf3d52f5b1cb393805bfeaebc9b

SHA1
8af4b9220a4a08a14fec3ba00b38b0bd01eecda8

SHA256
1cafebbfbc0b57baa8fea89245d4e25ecdaacd8e2b142cc20f8338a6741425f0

SHA512
d3873e04ebd888d337a8c170073a36d77e67a442db85b54eacf6fa1b2350da4e620f6a7625f403c1b0933a19db52fa280ff7f673e777fe16ea38baee4927bc09

Download Submit
C:\Windows\{E7918624-5757-44a6-A9FF-09F8FAB10401}.exe

Filesize
198KB

MD5
2808f4f93ee30209eeb0dd62ffc155d0

SHA1
56ab903b865864228aac0edee7f67eab5f19a6cf

SHA256
bf35225a74718670532a6b7e5e0de4d731d4605eeb4b7cec3f69d3f8e36926f6

SHA512
7554428577fa7a739c0390461e7f0fdc76372c1bed03572a54b68d73921014d57cea50821aa6c4a134bc31eb21e06655e7d2c67701a53a992d78337b9d099639

Download Submit
C:\Windows\{E7918624-5757-44a6-A9FF-09F8FAB10401}.exe

Filesize
163KB

MD5
92426bffaa22f74196c2e9ae40727829

SHA1
df0735cb1beff6b04575113eca89655876e99d94

SHA256
a5696ea6c314278f582390b4995e54eb3eb4cab260cb891c73b7d44af1b96505

SHA512
a72709601186901bbb58576908ce7c3a0232664da2f563f80169c55aaa0e88b4f4c1905c4a78ab00cd09a63cd0868b2e1a619c184aaec4ebd487b98b80afaccf

Download Submit
C:\Windows\{FA30ED5E-EA8B-4864-9B4C-6E200C726F95}.exe

Filesize
408KB

MD5
42e69186f33fdb049e97c49fb01cbe86

SHA1
62de42d7765f2c935920b0afdbc2ce20274a6e1a

SHA256
14faf1cba71d3396535235317d322e1c93379d67738d18ffdd27fd460b0f9a97

SHA512
b7902977815dca6e5ce8d92b56efc82022fc19df424bb73b5792eafee29b7028d9ba991026735ff6b77f82a0cca5ee8a0b174686290ffa0c8af26fc8be4e4ca3

Download Submit
C:\Windows\{FA30ED5E-EA8B-4864-9B4C-6E200C726F95}.exe

Filesize
392KB

MD5
5714f57b3182fd7c3f58b6bcb026b6c0

SHA1
b32a2c1f1efc30c19e8ad29a287f9145bb0ba68b

SHA256
d7caa6c7c358b34128489898c39a597b4e8136bd28fa96f02cd306897433e64a

SHA512
5d5653ed0e68dd9912893036d95841aa92bdf9feaf2cf9338356e014207f88272445972b9a384ae7982072a6deb8126f700b6e6c9e22199d32367d599cf8e424

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads