963b2a5eaf539f894e19e81f563d64cf6bd61eb1d14b961d0a8e5c430796c7a1

Analysis

max time kernel
126s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_5d15801d3f6bf697fbf24e53fdae93bb_goldeneye.exe
Size

204KB
MD5

5d15801d3f6bf697fbf24e53fdae93bb
SHA1

2263d19e581f093200265cc6d09059376549a9df
SHA256

963b2a5eaf539f894e19e81f563d64cf6bd61eb1d14b961d0a8e5c430796c7a1
SHA512

e750f4fa079ae0d794e9721b35ea6ba5d8057d8aed7ae0b00e87c039cabe89e5015c9b95f8044521bfea1a8519aa24efc6de4e365ccbba32b237e697e73458fe
SSDEEP

1536:1EGh0oRl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oRl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8560559E-F238-4738-8936-9204181F1C1F}	{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95A76C86-8214-4e32-A194-416DAC50A015}	{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7617AFDD-39E2-4ff3-A3BC-62EB1869A444}	{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}\stubpath = "C:\\Windows\\{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe"	2024-01-01_5d15801d3f6bf697fbf24e53fdae93bb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E376CB8-0A81-4962-9F82-1EC6101682DD}\stubpath = "C:\\Windows\\{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe"	{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}	{95A76C86-8214-4e32-A194-416DAC50A015}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31478097-D001-45ad-BA68-DAB9FA0DDB80}	{7617AFDD-39E2-4ff3-A3BC-62EB1869A444}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF033C33-9A82-40ab-A89B-C86CA473A8F3}	{31478097-D001-45ad-BA68-DAB9FA0DDB80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E376CB8-0A81-4962-9F82-1EC6101682DD}	{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA990002-5AE0-470a-8F88-CAC437F98194}	{8560559E-F238-4738-8936-9204181F1C1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA990002-5AE0-470a-8F88-CAC437F98194}\stubpath = "C:\\Windows\\{FA990002-5AE0-470a-8F88-CAC437F98194}.exe"	{8560559E-F238-4738-8936-9204181F1C1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}\stubpath = "C:\\Windows\\{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe"	{FA990002-5AE0-470a-8F88-CAC437F98194}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31478097-D001-45ad-BA68-DAB9FA0DDB80}\stubpath = "C:\\Windows\\{31478097-D001-45ad-BA68-DAB9FA0DDB80}.exe"	{7617AFDD-39E2-4ff3-A3BC-62EB1869A444}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF033C33-9A82-40ab-A89B-C86CA473A8F3}\stubpath = "C:\\Windows\\{CF033C33-9A82-40ab-A89B-C86CA473A8F3}.exe"	{31478097-D001-45ad-BA68-DAB9FA0DDB80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}	2024-01-01_5d15801d3f6bf697fbf24e53fdae93bb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8560559E-F238-4738-8936-9204181F1C1F}\stubpath = "C:\\Windows\\{8560559E-F238-4738-8936-9204181F1C1F}.exe"	{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}	{FA990002-5AE0-470a-8F88-CAC437F98194}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95A76C86-8214-4e32-A194-416DAC50A015}\stubpath = "C:\\Windows\\{95A76C86-8214-4e32-A194-416DAC50A015}.exe"	{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}\stubpath = "C:\\Windows\\{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe"	{95A76C86-8214-4e32-A194-416DAC50A015}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7617AFDD-39E2-4ff3-A3BC-62EB1869A444}\stubpath = "C:\\Windows\\{7617AFDD-39E2-4ff3-A3BC-62EB1869A444}.exe"	{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe

Deletes itself 1 IoCs

pid	Process
2976	cmd.exe

Executes dropped EXE 10 IoCs

pid	Process
2828	{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe
3060	{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe
3064	{8560559E-F238-4738-8936-9204181F1C1F}.exe
2900	{FA990002-5AE0-470a-8F88-CAC437F98194}.exe
2304	{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe
1824	{95A76C86-8214-4e32-A194-416DAC50A015}.exe
2648	{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe
988	{7617AFDD-39E2-4ff3-A3BC-62EB1869A444}.exe
2328	{31478097-D001-45ad-BA68-DAB9FA0DDB80}.exe
2544	{CF033C33-9A82-40ab-A89B-C86CA473A8F3}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe	{95A76C86-8214-4e32-A194-416DAC50A015}.exe
File created	C:\Windows\{31478097-D001-45ad-BA68-DAB9FA0DDB80}.exe	{7617AFDD-39E2-4ff3-A3BC-62EB1869A444}.exe
File created	C:\Windows\{CF033C33-9A82-40ab-A89B-C86CA473A8F3}.exe	{31478097-D001-45ad-BA68-DAB9FA0DDB80}.exe
File created	C:\Windows\{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe	2024-01-01_5d15801d3f6bf697fbf24e53fdae93bb_goldeneye.exe
File created	C:\Windows\{8560559E-F238-4738-8936-9204181F1C1F}.exe	{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe
File created	C:\Windows\{FA990002-5AE0-470a-8F88-CAC437F98194}.exe	{8560559E-F238-4738-8936-9204181F1C1F}.exe
File created	C:\Windows\{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe	{FA990002-5AE0-470a-8F88-CAC437F98194}.exe
File created	C:\Windows\{95A76C86-8214-4e32-A194-416DAC50A015}.exe	{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe
File created	C:\Windows\{7617AFDD-39E2-4ff3-A3BC-62EB1869A444}.exe	{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe
File created	C:\Windows\{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe	{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3036	2024-01-01_5d15801d3f6bf697fbf24e53fdae93bb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2828	{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe
Token: SeIncBasePriorityPrivilege	3060	{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe
Token: SeIncBasePriorityPrivilege	3064	{8560559E-F238-4738-8936-9204181F1C1F}.exe
Token: SeIncBasePriorityPrivilege	2900	{FA990002-5AE0-470a-8F88-CAC437F98194}.exe
Token: SeIncBasePriorityPrivilege	2304	{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe
Token: SeIncBasePriorityPrivilege	1824	{95A76C86-8214-4e32-A194-416DAC50A015}.exe
Token: SeIncBasePriorityPrivilege	2648	{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe
Token: SeIncBasePriorityPrivilege	988	{7617AFDD-39E2-4ff3-A3BC-62EB1869A444}.exe
Token: SeIncBasePriorityPrivilege	2328	{31478097-D001-45ad-BA68-DAB9FA0DDB80}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2828	3036	2024-01-01_5d15801d3f6bf697fbf24e53fdae93bb_goldeneye.exe	28
PID 3036 wrote to memory of 2828	3036	2024-01-01_5d15801d3f6bf697fbf24e53fdae93bb_goldeneye.exe	28
PID 3036 wrote to memory of 2828	3036	2024-01-01_5d15801d3f6bf697fbf24e53fdae93bb_goldeneye.exe	28
PID 3036 wrote to memory of 2828	3036	2024-01-01_5d15801d3f6bf697fbf24e53fdae93bb_goldeneye.exe	28
PID 3036 wrote to memory of 2976	3036	2024-01-01_5d15801d3f6bf697fbf24e53fdae93bb_goldeneye.exe	29
PID 3036 wrote to memory of 2976	3036	2024-01-01_5d15801d3f6bf697fbf24e53fdae93bb_goldeneye.exe	29
PID 3036 wrote to memory of 2976	3036	2024-01-01_5d15801d3f6bf697fbf24e53fdae93bb_goldeneye.exe	29
PID 3036 wrote to memory of 2976	3036	2024-01-01_5d15801d3f6bf697fbf24e53fdae93bb_goldeneye.exe	29
PID 2828 wrote to memory of 3060	2828	{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe	32
PID 2828 wrote to memory of 3060	2828	{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe	32
PID 2828 wrote to memory of 3060	2828	{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe	32
PID 2828 wrote to memory of 3060	2828	{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe	32
PID 2828 wrote to memory of 2752	2828	{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe	31
PID 2828 wrote to memory of 2752	2828	{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe	31
PID 2828 wrote to memory of 2752	2828	{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe	31
PID 2828 wrote to memory of 2752	2828	{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe	31
PID 3060 wrote to memory of 3064	3060	{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe	35
PID 3060 wrote to memory of 3064	3060	{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe	35
PID 3060 wrote to memory of 3064	3060	{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe	35
PID 3060 wrote to memory of 3064	3060	{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe	35
PID 3060 wrote to memory of 2560	3060	{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe	34
PID 3060 wrote to memory of 2560	3060	{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe	34
PID 3060 wrote to memory of 2560	3060	{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe	34
PID 3060 wrote to memory of 2560	3060	{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe	34
PID 3064 wrote to memory of 2900	3064	{8560559E-F238-4738-8936-9204181F1C1F}.exe	36
PID 3064 wrote to memory of 2900	3064	{8560559E-F238-4738-8936-9204181F1C1F}.exe	36
PID 3064 wrote to memory of 2900	3064	{8560559E-F238-4738-8936-9204181F1C1F}.exe	36
PID 3064 wrote to memory of 2900	3064	{8560559E-F238-4738-8936-9204181F1C1F}.exe	36
PID 3064 wrote to memory of 2928	3064	{8560559E-F238-4738-8936-9204181F1C1F}.exe	37
PID 3064 wrote to memory of 2928	3064	{8560559E-F238-4738-8936-9204181F1C1F}.exe	37
PID 3064 wrote to memory of 2928	3064	{8560559E-F238-4738-8936-9204181F1C1F}.exe	37
PID 3064 wrote to memory of 2928	3064	{8560559E-F238-4738-8936-9204181F1C1F}.exe	37
PID 2900 wrote to memory of 2304	2900	{FA990002-5AE0-470a-8F88-CAC437F98194}.exe	39
PID 2900 wrote to memory of 2304	2900	{FA990002-5AE0-470a-8F88-CAC437F98194}.exe	39
PID 2900 wrote to memory of 2304	2900	{FA990002-5AE0-470a-8F88-CAC437F98194}.exe	39
PID 2900 wrote to memory of 2304	2900	{FA990002-5AE0-470a-8F88-CAC437F98194}.exe	39
PID 2900 wrote to memory of 1988	2900	{FA990002-5AE0-470a-8F88-CAC437F98194}.exe	38
PID 2900 wrote to memory of 1988	2900	{FA990002-5AE0-470a-8F88-CAC437F98194}.exe	38
PID 2900 wrote to memory of 1988	2900	{FA990002-5AE0-470a-8F88-CAC437F98194}.exe	38
PID 2900 wrote to memory of 1988	2900	{FA990002-5AE0-470a-8F88-CAC437F98194}.exe	38
PID 2304 wrote to memory of 1824	2304	{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe	41
PID 2304 wrote to memory of 1824	2304	{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe	41
PID 2304 wrote to memory of 1824	2304	{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe	41
PID 2304 wrote to memory of 1824	2304	{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe	41
PID 2304 wrote to memory of 796	2304	{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe	40
PID 2304 wrote to memory of 796	2304	{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe	40
PID 2304 wrote to memory of 796	2304	{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe	40
PID 2304 wrote to memory of 796	2304	{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe	40
PID 1824 wrote to memory of 2648	1824	{95A76C86-8214-4e32-A194-416DAC50A015}.exe	43
PID 1824 wrote to memory of 2648	1824	{95A76C86-8214-4e32-A194-416DAC50A015}.exe	43
PID 1824 wrote to memory of 2648	1824	{95A76C86-8214-4e32-A194-416DAC50A015}.exe	43
PID 1824 wrote to memory of 2648	1824	{95A76C86-8214-4e32-A194-416DAC50A015}.exe	43
PID 1824 wrote to memory of 1100	1824	{95A76C86-8214-4e32-A194-416DAC50A015}.exe	42
PID 1824 wrote to memory of 1100	1824	{95A76C86-8214-4e32-A194-416DAC50A015}.exe	42
PID 1824 wrote to memory of 1100	1824	{95A76C86-8214-4e32-A194-416DAC50A015}.exe	42
PID 1824 wrote to memory of 1100	1824	{95A76C86-8214-4e32-A194-416DAC50A015}.exe	42
PID 2648 wrote to memory of 988	2648	{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe	45
PID 2648 wrote to memory of 988	2648	{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe	45
PID 2648 wrote to memory of 988	2648	{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe	45
PID 2648 wrote to memory of 988	2648	{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe	45
PID 2648 wrote to memory of 1524	2648	{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe	44
PID 2648 wrote to memory of 1524	2648	{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe	44
PID 2648 wrote to memory of 1524	2648	{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe	44
PID 2648 wrote to memory of 1524	2648	{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-01_5d15801d3f6bf697fbf24e53fdae93bb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_5d15801d3f6bf697fbf24e53fdae93bb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe
  C:\Windows\{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E7ADF~1.EXE > nul
    3⤵
    PID:2752
- - C:\Windows\{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe
    C:\Windows\{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9E376~1.EXE > nul
      4⤵
      PID:2560
  - - C:\Windows\{8560559E-F238-4738-8936-9204181F1C1F}.exe
      C:\Windows\{8560559E-F238-4738-8936-9204181F1C1F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\{FA990002-5AE0-470a-8F88-CAC437F98194}.exe
        
        C:\Windows\{FA990002-5AE0-470a-8F88-CAC437F98194}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA990~1.EXE > nul
        6⤵
        
        PID:1988
      - C:\Windows\{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe
        
        C:\Windows\{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C73C2~1.EXE > nul
        7⤵
        
        PID:796
        
        C:\Windows\{95A76C86-8214-4e32-A194-416DAC50A015}.exe
        
        C:\Windows\{95A76C86-8214-4e32-A194-416DAC50A015}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95A76~1.EXE > nul
        8⤵
        
        PID:1100
        
        C:\Windows\{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe
        
        C:\Windows\{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6BD3~1.EXE > nul
        9⤵
        
        PID:1524
        
        C:\Windows\{7617AFDD-39E2-4ff3-A3BC-62EB1869A444}.exe
        
        C:\Windows\{7617AFDD-39E2-4ff3-A3BC-62EB1869A444}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7617A~1.EXE > nul
        10⤵
        
        PID:2316
        
        C:\Windows\{31478097-D001-45ad-BA68-DAB9FA0DDB80}.exe
        
        C:\Windows\{31478097-D001-45ad-BA68-DAB9FA0DDB80}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\{CF033C33-9A82-40ab-A89B-C86CA473A8F3}.exe
        
        C:\Windows\{CF033C33-9A82-40ab-A89B-C86CA473A8F3}.exe
        11⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF033~1.EXE > nul
        12⤵
        
        PID:624
        
        C:\Windows\{6F30B0B0-8AA8-47dc-A99F-574F7CB1985A}.exe
        
        C:\Windows\{6F30B0B0-8AA8-47dc-A99F-574F7CB1985A}.exe
        12⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31478~1.EXE > nul
        11⤵
        
        PID:2296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85605~1.EXE > nul
        5⤵
        
        PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{31478097-D001-45ad-BA68-DAB9FA0DDB80}.exe

Filesize
82KB

MD5
17267ac20d76a5aaa39fcc6223a15a1d

SHA1
3f57441d7bdf0966dd9fe7f9955ff73224161822

SHA256
d248b3c58923df5270cef56ee97dc8690d6b260db8b82f89118d4998d5838cf1

SHA512
c440737e018662c157e7ecc40b98c9eca94327e543f47d5fae1cb2d25aec2a8a3b18e6908e38b38c668870a8cb6c4d04dd76e1c1c5212f2dfa03ba674cae94f2

Download Submit
C:\Windows\{31478097-D001-45ad-BA68-DAB9FA0DDB80}.exe

Filesize
24KB

MD5
f718f313047a2b9bd43908b3114b1bcb

SHA1
bb6e01e7e53f26a0602148cf48419291894f2a31

SHA256
c5450019a18c8e1581109a8e2c861d6332dc7ab402747cef5a3cbbb5b06d9b84

SHA512
1c6354f1599df413ae6820bacba30aa6ea9e0162edcb3354f06b4b4f8fe9f4e0cd68d429f062d0d3941fd05c2298b7c8e5e5cbe4121574a829432acb48578d63

Download Submit
C:\Windows\{6F30B0B0-8AA8-47dc-A99F-574F7CB1985A}.exe

Filesize
173KB

MD5
49f164723c7dbdf912f299ce34231713

SHA1
989fcb9d23a58b082561fe09355ce61d81c7c2ae

SHA256
35b8f5299ec855b652a8e0765da1fce5f414ddff7d00a361205abd25646c3507

SHA512
cc076d31e1f051c0e498f623a7040a283ede913da6e290e1cbfaba3040240c4385e5dfeb98436948cfb4ff0dacb78da75fc242d0a3d6b14e18369a446d376298

Download Submit
C:\Windows\{7617AFDD-39E2-4ff3-A3BC-62EB1869A444}.exe

Filesize
14KB

MD5
c441277b17ae6965f0b0618292b451e4

SHA1
41d837e45cc74102faaf5ef58216340cdf975fc0

SHA256
c123025ceb241c07685cd0ed8bc6243896662e1e6d22901122dfd8af1d765e7c

SHA512
3c227506a8cc9cc9e3582e8c80baeaf0a8f7885fb45b5c35a8330e13da4152041dd6853a0b35fa91cdb27b2dc09ef6015c4054572391aadfa48924f9fe09a1bb

Download Submit
C:\Windows\{7617AFDD-39E2-4ff3-A3BC-62EB1869A444}.exe

Filesize
63KB

MD5
e45d1e0fbfd673487725398fd81f4307

SHA1
0817f13aa50486f53cb969965439a828820f77ef

SHA256
79ab95d6da51f777c47ece75c2a073eafd2f2eabd76c09052b5c42239bc498e0

SHA512
b16740cdd25bcc507440d0c2618bb490ff1e3ba26b9d3debcc370668d6afa7f786b0c66eca0a3edabd20736986cedf35b4776c626e31fdb6634fa4ead4a7442e

Download Submit
C:\Windows\{8560559E-F238-4738-8936-9204181F1C1F}.exe

Filesize
92KB

MD5
599ce74073ad3c59d13bca84c4883551

SHA1
b4602ad1fae6af613bcde8a133a0e96a630184c7

SHA256
a22959b9034084e4b463e3ff269ffe5a5233b6d16ddd9752f5e3e1aa0032b82d

SHA512
9db695db39c6c3139801c32e56fb3139c80e0e4abd0a5036450ff4fa3d42470d0d1e4b6902b7d0a5a69aacf20cb613ff67955c1e277a60168a67a19364076ba6

Download Submit
C:\Windows\{8560559E-F238-4738-8936-9204181F1C1F}.exe

Filesize
65KB

MD5
e18ccce59c15c0a80a67a52573d264f6

SHA1
6d383db9aeffabf7303696dc34e86eba8bb9d4e6

SHA256
af9aabc0f82110480217f3f4fdf72f768047d59466f4710037a6a64d8545d867

SHA512
5a33dc96790b35b485966f3a5fa876717937fad4be81628544d65fb7a01a35b3841373bc93769849a5cc8ce771b1beecf849eb868dae82b3074e57e565a6b827

Download Submit
C:\Windows\{95A76C86-8214-4e32-A194-416DAC50A015}.exe

Filesize
25KB

MD5
f0f3e43cfe7ef9b52e8dd4a4bd7a7052

SHA1
3a1d682e4d8213907982ee743507baa44acf9a0f

SHA256
16d145cda49ac9374f19d716e482931126fa6b2a585122cf799d8f612fe1abb0

SHA512
b7c7093628a8389aeef520693019a93a21c5245054b0583e2c151db041574b5352744f7a5430bbcf9ac6860419dbe6a896ef57cc96bb8da3e003be3125173989

Download Submit
C:\Windows\{95A76C86-8214-4e32-A194-416DAC50A015}.exe

Filesize
31KB

MD5
8586d8834386cc33df972f5c7a9e33b3

SHA1
66a9f64c8459e20a31b2ce5b4c0a2a01f87a92db

SHA256
ae44798afec00ffc7a2733554207a9f69f2dc7b455c6f3e90f1b766cf50136e9

SHA512
88c3a23f2a7059b6484684d7702006f2bf614c56c910a38040711a5a3e9887bdbf1471014020f2d4fcdd372843cb6092671285196d3c45065ec8ad526a172c12

Download Submit
C:\Windows\{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe

Filesize
29KB

MD5
9e2c13f6ae8b4a11e27d158aee47c9da

SHA1
2cf0ac334d42e85be89803b4000dec6fc276ff3e

SHA256
a7f7b55d5109f56bf67bb01e9256170718bd7312d21c4e7ffd7f54da0033aaee

SHA512
2e05ef3b950c40fde018aecebfd0a037e91bbd4f6520c41c51c0c8bea98c2f09eabbec845649600f3fc9b3a3c1e6f734eaec2b812790b6154fc714611ae776e6

Download Submit
C:\Windows\{9E376CB8-0A81-4962-9F82-1EC6101682DD}.exe

Filesize
61KB

MD5
a3948a1d0d006d0ce8d4431947b9cf1c

SHA1
8a1289c19b97f9eb053f16a0af72b3ed5907796d

SHA256
2c71fd43c34e6a1659270cca3f233a2491f23f94e1df8bc3d89141c0222ccfef

SHA512
e77009523e815276cbcfb216550a48a8cbbdcd2236454cf52784deb5ab86e2d210bfd97a7fb67cb23bd81cbc5efd9c7233537f2958335ad94a9f9626213074f7

Download Submit
C:\Windows\{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe

Filesize
65KB

MD5
e79b804d50d9705364d2ee25eaf78e9b

SHA1
aa25a5f670ea8179c65c6042322a8ab1dd8c25e7

SHA256
add0854cead14465b95c2b876326e5d4884e20d954c712de2b1e088aefe0d7d6

SHA512
0c9b195d7d0002c0c9aed22b02a197e17af62677b93537454dfdbe36d442f79be026b4b96c964bd5553604411e8a09c53c40db72dda57ac8741b3cdfebc54d9d

Download Submit
C:\Windows\{B6BD3F03-B07E-4ecf-8F87-698CE4D7E06C}.exe

Filesize
5KB

MD5
12485d738b8a065e5b934421a8b5bce4

SHA1
c22bdee1a4c64202da865403de3f64a1ca6e6554

SHA256
8f0fd24a39aa155182d9e4870231e2c3c270b2c3c2311ef628a089c8426b777e

SHA512
d718c31ab79d8c112e7ef47e5cad1a70cf77d3cfd99d0bc47eac02cad11d58ec1f650bcc1fc616763bbfddbfa919fea4b411ca89d0b73fd10458b08a2c0d30d5

Download Submit
C:\Windows\{C73C26A8-D5C1-42b6-A46A-B8DC8EF9BD01}.exe

Filesize
40KB

MD5
400c3bfea1cf20cdb4991166909ec4ce

SHA1
a2f473feb1ba34f94287d03223e24a87fe3ede92

SHA256
9179e6fbe5c5d3399847c96433466ed13fcd3cdc4c1a63d304c58e1b47291dde

SHA512
ce6d1e7996faa7d4f37a3e1ccaad4f3039c310f5228570e2e07717c168fa2f871e131cfbcd0e2e1f21c6402a08efc65a39bc3f413b3c98a231a2e5f97b2e72cc

Download Submit
C:\Windows\{CF033C33-9A82-40ab-A89B-C86CA473A8F3}.exe

Filesize
35KB

MD5
d30469044b28f9002ce93237cb55bb6f

SHA1
10f81577aaff30099e3c446ad15b8c44dc47db40

SHA256
fe07376a9128893a47615b0e1431b999be4d2c20dafb2c024c64ea00811ec2b7

SHA512
4dc471123517fd8f1896246364e4d9d6cff31aed0fd4a69f5ceee634d266ef835aec137168e5ae781ed9ae97ea0befbfdd586e5c01e6a7744e527bb9109a6131

Download Submit
C:\Windows\{CF033C33-9A82-40ab-A89B-C86CA473A8F3}.exe

Filesize
204KB

MD5
8e0e71151dbe8622a4db37d4f5bbc083

SHA1
b643709492a50322760389fbb9c04f1361fbfa60

SHA256
c26d348b3877c0d933ecf57699bb7e2c22b77e12cadae07b7f3d95cf35a10427

SHA512
22955797253e8895923f727c957d70adcfd1a35728be6e8f1ec4d8361978d70d44074f23457877914b1e7724203c1947110332fb95f58acb8daff6be40dab5ce

Download Submit
C:\Windows\{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe

Filesize
43KB

MD5
945a9a839ceb8a30f7c0d22d70c03e76

SHA1
3056f5f1efb1e646b5a0958eb4d81e2bab312ce7

SHA256
b75082678b4b49f2feb9f478c39fd73398d48e26a54069f4d840ff0cf7bfc153

SHA512
cb1c33f909a7dc1521705dadbc06a7119f398983f9f31dc67a9c3f11662ccea46112575f1f6c1b5adef70dafe6393e92fe1605ba877c832bef1cf4f369612d85

Download Submit
C:\Windows\{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe

Filesize
11KB

MD5
794e88ae6baa746faf246bfd53f65543

SHA1
62e79e522870ce812d4bbd8865932109f4360e62

SHA256
832df91ffddde77bb68c5a73e88f0ac8ed64c8396daebb93f26693a010d94cea

SHA512
8b3fe3bf07a27ad5a230656cee1bad6924e661ab592e29bb4a600605955647c178cfa415ed6688ec721f110043f4f435d04e195fd3fc7dd983ec4587f75a317f

Download Submit
C:\Windows\{E7ADF5EF-ED2B-43c9-B923-94AB2B02E25D}.exe

Filesize
1KB

MD5
b228397504b8fc94b59ced1aa1106388

SHA1
ae8b4968e5f828aa7b8f4895a9ad359b0f7ba1ff

SHA256
10c558a88626acfc67baee1f538772c101dfa71d0600a9d08841878f906a835d

SHA512
007e971715f32664e618c6ee7500bc8befcfcf413d9b900eeeb14c2e8cebb65d2f96d271882541fcfc540f1e53f6414c4073b0858b9ff7ad9b64de61fee22ec2

Download Submit
C:\Windows\{FA990002-5AE0-470a-8F88-CAC437F98194}.exe

Filesize
9KB

MD5
c4b795de76a3aa59f85c4e301bc1eb9a

SHA1
a86f24691dfdbce65b8b2d3d894100e7c0ea25fc

SHA256
8a26ccc96dafd09001f119287c07353bdf776a6e30dd11e8ff56a7b78182c97e

SHA512
ac203d78f9cb14f605258ba1db6a63afee413fef0068010afdbc2a6dad69fd6caa84a15b9eaeab7aeb9fe0fd8acf024092b59cd36ebf35cf83d037270c7c775d

Download Submit
C:\Windows\{FA990002-5AE0-470a-8F88-CAC437F98194}.exe

Filesize
12KB

MD5
7a50a475c770b200d8d9bdcd6426c9bc

SHA1
4af856a3ed8280ba6eb8b89ed8b6dd1a9185155b

SHA256
261daf2d05b2224d307a87c88d64799a3d428898b50253a6d1b72a2b64fa885f

SHA512
e10b947da5203a8f376ddf2d708780a3f0770a8f4685d6776ff428ab2300f7391ba34a6b04ed924d356a8c21805e9bc78bd0abfc2480591886c50fd9795a6968

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads