4cdbeb0ab3396c457894d1f108c1b0d20898927eb2ddbbe2f6187814125885da

Analysis

max time kernel
151s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 05:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_fc5e4604047e42a2678396a632f70db5_goldeneye.exe
Size

204KB
MD5

fc5e4604047e42a2678396a632f70db5
SHA1

49e7f08a6f23856abde14c160fdf78abfef1136c
SHA256

4cdbeb0ab3396c457894d1f108c1b0d20898927eb2ddbbe2f6187814125885da
SHA512

cec7581937f1045ca903d99201db0d9b07027a69005c684f8810b8d8c2c63f6ee9d7377d98b671b84b1f1e0d85e8445ca1480d9c67e1766f4d37808de52341e2
SSDEEP

1536:1EGh0oUl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oUl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{680F0788-819F-4e74-AD5E-069C173E718E}\stubpath = "C:\\Windows\\{680F0788-819F-4e74-AD5E-069C173E718E}.exe"	{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}	{680F0788-819F-4e74-AD5E-069C173E718E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}	{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{849692A1-AC08-42c9-83E6-58D757562E41}	{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6511AFE8-E1AE-40f0-8912-93278BCC637B}	{849692A1-AC08-42c9-83E6-58D757562E41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{485E921F-363E-4008-9256-7DD539B557C9}\stubpath = "C:\\Windows\\{485E921F-363E-4008-9256-7DD539B557C9}.exe"	{29050617-B134-4299-B5F9-951CE3249D47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}	{485E921F-363E-4008-9256-7DD539B557C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{680F0788-819F-4e74-AD5E-069C173E718E}	{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B405F76-F11A-423a-AA3C-CA05F87311AB}\stubpath = "C:\\Windows\\{6B405F76-F11A-423a-AA3C-CA05F87311AB}.exe"	{6511AFE8-E1AE-40f0-8912-93278BCC637B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6511AFE8-E1AE-40f0-8912-93278BCC637B}\stubpath = "C:\\Windows\\{6511AFE8-E1AE-40f0-8912-93278BCC637B}.exe"	{849692A1-AC08-42c9-83E6-58D757562E41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B405F76-F11A-423a-AA3C-CA05F87311AB}	{6511AFE8-E1AE-40f0-8912-93278BCC637B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65966B0F-0FBB-4f87-A9AD-5DF6E6FDC90E}	{6B405F76-F11A-423a-AA3C-CA05F87311AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6489A78-8A01-4fa7-8F8F-0035BB7152DF}\stubpath = "C:\\Windows\\{C6489A78-8A01-4fa7-8F8F-0035BB7152DF}.exe"	{65966B0F-0FBB-4f87-A9AD-5DF6E6FDC90E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29050617-B134-4299-B5F9-951CE3249D47}\stubpath = "C:\\Windows\\{29050617-B134-4299-B5F9-951CE3249D47}.exe"	2024-01-01_fc5e4604047e42a2678396a632f70db5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{485E921F-363E-4008-9256-7DD539B557C9}	{29050617-B134-4299-B5F9-951CE3249D47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{849692A1-AC08-42c9-83E6-58D757562E41}\stubpath = "C:\\Windows\\{849692A1-AC08-42c9-83E6-58D757562E41}.exe"	{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6489A78-8A01-4fa7-8F8F-0035BB7152DF}	{65966B0F-0FBB-4f87-A9AD-5DF6E6FDC90E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D166E080-9653-4cdc-909C-5E87DE0EE58C}	{C6489A78-8A01-4fa7-8F8F-0035BB7152DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D166E080-9653-4cdc-909C-5E87DE0EE58C}\stubpath = "C:\\Windows\\{D166E080-9653-4cdc-909C-5E87DE0EE58C}.exe"	{C6489A78-8A01-4fa7-8F8F-0035BB7152DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}\stubpath = "C:\\Windows\\{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe"	{485E921F-363E-4008-9256-7DD539B557C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}\stubpath = "C:\\Windows\\{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe"	{680F0788-819F-4e74-AD5E-069C173E718E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}\stubpath = "C:\\Windows\\{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe"	{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29050617-B134-4299-B5F9-951CE3249D47}	2024-01-01_fc5e4604047e42a2678396a632f70db5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65966B0F-0FBB-4f87-A9AD-5DF6E6FDC90E}\stubpath = "C:\\Windows\\{65966B0F-0FBB-4f87-A9AD-5DF6E6FDC90E}.exe"	{6B405F76-F11A-423a-AA3C-CA05F87311AB}.exe

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2660	{29050617-B134-4299-B5F9-951CE3249D47}.exe
844	{485E921F-363E-4008-9256-7DD539B557C9}.exe
2644	{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe
2220	{680F0788-819F-4e74-AD5E-069C173E718E}.exe
268	{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe
2000	{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe
1624	{849692A1-AC08-42c9-83E6-58D757562E41}.exe
2636	{6511AFE8-E1AE-40f0-8912-93278BCC637B}.exe
1372	{6B405F76-F11A-423a-AA3C-CA05F87311AB}.exe
2204	{65966B0F-0FBB-4f87-A9AD-5DF6E6FDC90E}.exe
2988	{C6489A78-8A01-4fa7-8F8F-0035BB7152DF}.exe
396	{D166E080-9653-4cdc-909C-5E87DE0EE58C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe	{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe
File created	C:\Windows\{849692A1-AC08-42c9-83E6-58D757562E41}.exe	{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe
File created	C:\Windows\{6511AFE8-E1AE-40f0-8912-93278BCC637B}.exe	{849692A1-AC08-42c9-83E6-58D757562E41}.exe
File created	C:\Windows\{6B405F76-F11A-423a-AA3C-CA05F87311AB}.exe	{6511AFE8-E1AE-40f0-8912-93278BCC637B}.exe
File created	C:\Windows\{65966B0F-0FBB-4f87-A9AD-5DF6E6FDC90E}.exe	{6B405F76-F11A-423a-AA3C-CA05F87311AB}.exe
File created	C:\Windows\{C6489A78-8A01-4fa7-8F8F-0035BB7152DF}.exe	{65966B0F-0FBB-4f87-A9AD-5DF6E6FDC90E}.exe
File created	C:\Windows\{29050617-B134-4299-B5F9-951CE3249D47}.exe	2024-01-01_fc5e4604047e42a2678396a632f70db5_goldeneye.exe
File created	C:\Windows\{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe	{485E921F-363E-4008-9256-7DD539B557C9}.exe
File created	C:\Windows\{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe	{680F0788-819F-4e74-AD5E-069C173E718E}.exe
File created	C:\Windows\{D166E080-9653-4cdc-909C-5E87DE0EE58C}.exe	{C6489A78-8A01-4fa7-8F8F-0035BB7152DF}.exe
File created	C:\Windows\{485E921F-363E-4008-9256-7DD539B557C9}.exe	{29050617-B134-4299-B5F9-951CE3249D47}.exe
File created	C:\Windows\{680F0788-819F-4e74-AD5E-069C173E718E}.exe	{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3068	2024-01-01_fc5e4604047e42a2678396a632f70db5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2660	{29050617-B134-4299-B5F9-951CE3249D47}.exe
Token: SeIncBasePriorityPrivilege	844	{485E921F-363E-4008-9256-7DD539B557C9}.exe
Token: SeIncBasePriorityPrivilege	2644	{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe
Token: SeIncBasePriorityPrivilege	2220	{680F0788-819F-4e74-AD5E-069C173E718E}.exe
Token: SeIncBasePriorityPrivilege	268	{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe
Token: SeIncBasePriorityPrivilege	2000	{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe
Token: SeIncBasePriorityPrivilege	1624	{849692A1-AC08-42c9-83E6-58D757562E41}.exe
Token: SeIncBasePriorityPrivilege	2636	{6511AFE8-E1AE-40f0-8912-93278BCC637B}.exe
Token: SeIncBasePriorityPrivilege	1372	{6B405F76-F11A-423a-AA3C-CA05F87311AB}.exe
Token: SeIncBasePriorityPrivilege	2204	{65966B0F-0FBB-4f87-A9AD-5DF6E6FDC90E}.exe
Token: SeIncBasePriorityPrivilege	2988	{C6489A78-8A01-4fa7-8F8F-0035BB7152DF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2660	3068	2024-01-01_fc5e4604047e42a2678396a632f70db5_goldeneye.exe	28
PID 3068 wrote to memory of 2660	3068	2024-01-01_fc5e4604047e42a2678396a632f70db5_goldeneye.exe	28
PID 3068 wrote to memory of 2660	3068	2024-01-01_fc5e4604047e42a2678396a632f70db5_goldeneye.exe	28
PID 3068 wrote to memory of 2660	3068	2024-01-01_fc5e4604047e42a2678396a632f70db5_goldeneye.exe	28
PID 3068 wrote to memory of 2804	3068	2024-01-01_fc5e4604047e42a2678396a632f70db5_goldeneye.exe	29
PID 3068 wrote to memory of 2804	3068	2024-01-01_fc5e4604047e42a2678396a632f70db5_goldeneye.exe	29
PID 3068 wrote to memory of 2804	3068	2024-01-01_fc5e4604047e42a2678396a632f70db5_goldeneye.exe	29
PID 3068 wrote to memory of 2804	3068	2024-01-01_fc5e4604047e42a2678396a632f70db5_goldeneye.exe	29
PID 2660 wrote to memory of 844	2660	{29050617-B134-4299-B5F9-951CE3249D47}.exe	33
PID 2660 wrote to memory of 844	2660	{29050617-B134-4299-B5F9-951CE3249D47}.exe	33
PID 2660 wrote to memory of 844	2660	{29050617-B134-4299-B5F9-951CE3249D47}.exe	33
PID 2660 wrote to memory of 844	2660	{29050617-B134-4299-B5F9-951CE3249D47}.exe	33
PID 2660 wrote to memory of 2776	2660	{29050617-B134-4299-B5F9-951CE3249D47}.exe	32
PID 2660 wrote to memory of 2776	2660	{29050617-B134-4299-B5F9-951CE3249D47}.exe	32
PID 2660 wrote to memory of 2776	2660	{29050617-B134-4299-B5F9-951CE3249D47}.exe	32
PID 2660 wrote to memory of 2776	2660	{29050617-B134-4299-B5F9-951CE3249D47}.exe	32
PID 844 wrote to memory of 2644	844	{485E921F-363E-4008-9256-7DD539B557C9}.exe	35
PID 844 wrote to memory of 2644	844	{485E921F-363E-4008-9256-7DD539B557C9}.exe	35
PID 844 wrote to memory of 2644	844	{485E921F-363E-4008-9256-7DD539B557C9}.exe	35
PID 844 wrote to memory of 2644	844	{485E921F-363E-4008-9256-7DD539B557C9}.exe	35
PID 844 wrote to memory of 3048	844	{485E921F-363E-4008-9256-7DD539B557C9}.exe	34
PID 844 wrote to memory of 3048	844	{485E921F-363E-4008-9256-7DD539B557C9}.exe	34
PID 844 wrote to memory of 3048	844	{485E921F-363E-4008-9256-7DD539B557C9}.exe	34
PID 844 wrote to memory of 3048	844	{485E921F-363E-4008-9256-7DD539B557C9}.exe	34
PID 2644 wrote to memory of 2220	2644	{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe	37
PID 2644 wrote to memory of 2220	2644	{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe	37
PID 2644 wrote to memory of 2220	2644	{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe	37
PID 2644 wrote to memory of 2220	2644	{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe	37
PID 2644 wrote to memory of 524	2644	{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe	36
PID 2644 wrote to memory of 524	2644	{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe	36
PID 2644 wrote to memory of 524	2644	{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe	36
PID 2644 wrote to memory of 524	2644	{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe	36
PID 2220 wrote to memory of 268	2220	{680F0788-819F-4e74-AD5E-069C173E718E}.exe	38
PID 2220 wrote to memory of 268	2220	{680F0788-819F-4e74-AD5E-069C173E718E}.exe	38
PID 2220 wrote to memory of 268	2220	{680F0788-819F-4e74-AD5E-069C173E718E}.exe	38
PID 2220 wrote to memory of 268	2220	{680F0788-819F-4e74-AD5E-069C173E718E}.exe	38
PID 2220 wrote to memory of 3064	2220	{680F0788-819F-4e74-AD5E-069C173E718E}.exe	39
PID 2220 wrote to memory of 3064	2220	{680F0788-819F-4e74-AD5E-069C173E718E}.exe	39
PID 2220 wrote to memory of 3064	2220	{680F0788-819F-4e74-AD5E-069C173E718E}.exe	39
PID 2220 wrote to memory of 3064	2220	{680F0788-819F-4e74-AD5E-069C173E718E}.exe	39
PID 268 wrote to memory of 2000	268	{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe	40
PID 268 wrote to memory of 2000	268	{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe	40
PID 268 wrote to memory of 2000	268	{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe	40
PID 268 wrote to memory of 2000	268	{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe	40
PID 268 wrote to memory of 2468	268	{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe	41
PID 268 wrote to memory of 2468	268	{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe	41
PID 268 wrote to memory of 2468	268	{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe	41
PID 268 wrote to memory of 2468	268	{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe	41
PID 2000 wrote to memory of 1624	2000	{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe	42
PID 2000 wrote to memory of 1624	2000	{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe	42
PID 2000 wrote to memory of 1624	2000	{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe	42
PID 2000 wrote to memory of 1624	2000	{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe	42
PID 2000 wrote to memory of 296	2000	{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe	43
PID 2000 wrote to memory of 296	2000	{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe	43
PID 2000 wrote to memory of 296	2000	{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe	43
PID 2000 wrote to memory of 296	2000	{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe	43
PID 1624 wrote to memory of 2636	1624	{849692A1-AC08-42c9-83E6-58D757562E41}.exe	44
PID 1624 wrote to memory of 2636	1624	{849692A1-AC08-42c9-83E6-58D757562E41}.exe	44
PID 1624 wrote to memory of 2636	1624	{849692A1-AC08-42c9-83E6-58D757562E41}.exe	44
PID 1624 wrote to memory of 2636	1624	{849692A1-AC08-42c9-83E6-58D757562E41}.exe	44
PID 1624 wrote to memory of 2520	1624	{849692A1-AC08-42c9-83E6-58D757562E41}.exe	45
PID 1624 wrote to memory of 2520	1624	{849692A1-AC08-42c9-83E6-58D757562E41}.exe	45
PID 1624 wrote to memory of 2520	1624	{849692A1-AC08-42c9-83E6-58D757562E41}.exe	45
PID 1624 wrote to memory of 2520	1624	{849692A1-AC08-42c9-83E6-58D757562E41}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-01_fc5e4604047e42a2678396a632f70db5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_fc5e4604047e42a2678396a632f70db5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\{29050617-B134-4299-B5F9-951CE3249D47}.exe
  C:\Windows\{29050617-B134-4299-B5F9-951CE3249D47}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{29050~1.EXE > nul
    3⤵
    PID:2776
- - C:\Windows\{485E921F-363E-4008-9256-7DD539B557C9}.exe
    C:\Windows\{485E921F-363E-4008-9256-7DD539B557C9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{485E9~1.EXE > nul
      4⤵
      PID:3048
  - - C:\Windows\{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe
      C:\Windows\{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C6EF~1.EXE > nul
        5⤵
        
        PID:524
    - - C:\Windows\{680F0788-819F-4e74-AD5E-069C173E718E}.exe
        
        C:\Windows\{680F0788-819F-4e74-AD5E-069C173E718E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
      - C:\Windows\{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe
        
        C:\Windows\{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe
        
        C:\Windows\{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{849692A1-AC08-42c9-83E6-58D757562E41}.exe
        
        C:\Windows\{849692A1-AC08-42c9-83E6-58D757562E41}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\{6511AFE8-E1AE-40f0-8912-93278BCC637B}.exe
        
        C:\Windows\{6511AFE8-E1AE-40f0-8912-93278BCC637B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\{6B405F76-F11A-423a-AA3C-CA05F87311AB}.exe
        
        C:\Windows\{6B405F76-F11A-423a-AA3C-CA05F87311AB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\{65966B0F-0FBB-4f87-A9AD-5DF6E6FDC90E}.exe
        
        C:\Windows\{65966B0F-0FBB-4f87-A9AD-5DF6E6FDC90E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\{C6489A78-8A01-4fa7-8F8F-0035BB7152DF}.exe
        
        C:\Windows\{C6489A78-8A01-4fa7-8F8F-0035BB7152DF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\{D166E080-9653-4cdc-909C-5E87DE0EE58C}.exe
        
        C:\Windows\{D166E080-9653-4cdc-909C-5E87DE0EE58C}.exe
        13⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6489~1.EXE > nul
        13⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65966~1.EXE > nul
        12⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B405~1.EXE > nul
        11⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6511A~1.EXE > nul
        10⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84969~1.EXE > nul
        9⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56D64~1.EXE > nul
        8⤵
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBFCC~1.EXE > nul
        7⤵
        
        PID:2468
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{680F0~1.EXE > nul
        6⤵
        
        PID:3064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{29050617-B134-4299-B5F9-951CE3249D47}.exe

Filesize
115KB

MD5
f550e3e9ff1e9bb31230abc428372a28

SHA1
7f7f54b059de477b69249f8bd349c6b3881eca89

SHA256
b098196716ea612b17f18c48a76e7319dcd26ed2a1bdff316b9e1fbb8ef9f9a9

SHA512
21c9364dcbd4a3059e0e3c8c8264a5234bf32c3b46920456c251d68c7558cead7ccc40a7b0e9d76813f956c3a377438c197e5eded66568570c1770ffe707c0cc

Download Submit
C:\Windows\{29050617-B134-4299-B5F9-951CE3249D47}.exe

Filesize
204KB

MD5
6fc723f9e66b2d143abc8485601ef71b

SHA1
c0ac676930ecbf92544ea208b79ce5e65b85d737

SHA256
f0e3118fca8ec91fde69598017745e9238080bb54df9da4fb179bd35945e96cb

SHA512
cb42ad9d9a86f11f140f66cabea14c29ff77571f0da8d981d400dce2846803a06b296905ea9b488b90a51ec582bf282923dd2b1910d574b8f8b81fa7dee12771

Download Submit
C:\Windows\{29050617-B134-4299-B5F9-951CE3249D47}.exe

Filesize
153KB

MD5
1d19f772b26a811812663e15a278c51c

SHA1
bf5a7aa68fd7a1f41e02489815c148a85db650ed

SHA256
4fcc0dff19579da072fa734dd61200ac1bbf27b27878b132494f4ebd49b7dc21

SHA512
3b5361e4e2be6fdc2bc5d4b93311770a7f13d0f570d75b86cbe19f645d872bf8712bb666f67ecdc3300ae08b10857833d80023ca26df72a075a9782925725571

Download Submit
C:\Windows\{485E921F-363E-4008-9256-7DD539B557C9}.exe

Filesize
204KB

MD5
9d809bcf0e5cd910285ae1d2297ea933

SHA1
826bbf279ae2c841cf1ade3b640cc222612540a1

SHA256
9bc5720323b45907319d559802c7a04c30eb9271cc788b6ab3dd17f2854b68cb

SHA512
28979974aff69850ad6fcdd75907a1bcf9f8d0b5bf169c0de8adaf765b7f9f44df56d4dbceb4676bfbd9fe39d4d453b109af050e297bf276fa6ec18196d39d57

Download Submit
C:\Windows\{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe

Filesize
81KB

MD5
bb25fa5075b7e6f1e599dfdda875a50a

SHA1
9b86c2b68e9891d3cfcad3a0b6508d880876dac8

SHA256
45d7e72d65a563011136f5748434528b005dc437ed1af67888b97ef9762e2a48

SHA512
9da7fd960e6ee13e648e547ebbf741003c2f6eb7f1b1ce5f4e3e0f2d26ecc29cc39bc6e599046cc9f964d65e3e105a746daa54811adceb8c0c0314dcc677a444

Download Submit
C:\Windows\{56D64DE7-CBD0-4adf-8BBC-4D83557ECBDD}.exe

Filesize
204KB

MD5
6df101011ba307867f5f3dfbade80046

SHA1
2345020e214ce4f56962300fd0a86650125c9f01

SHA256
7d0ddaa5cabf3722ec3f4605e64e2b34817485f9fd5e0782f5eb09aa2e28ef81

SHA512
9717536690c3568e55fcd910e8284b7bc297464b1e7c8487d531bac543cb6ec23b4388e0223d8f54c792c15dfe7f4af67a31139e2e3d39a9e117211b2680178b

Download Submit
C:\Windows\{6511AFE8-E1AE-40f0-8912-93278BCC637B}.exe

Filesize
204KB

MD5
0e0d0083bda8335dd891eef3b4e9c5a7

SHA1
89e577d54582de985cb4f1346f0d26f738e47ed3

SHA256
696c5649c6cda68f7f569a62f35cf0237353a0619687d2028571507baef67c9c

SHA512
98994f7cec5d27255b5807cbeea893f74d3b6e62418a2393c411243251d40afee31460d9d2d0b7d28f188074ed2e37a748caa40b23a73ed617dca8079c66f6c5

Download Submit
C:\Windows\{65966B0F-0FBB-4f87-A9AD-5DF6E6FDC90E}.exe

Filesize
204KB

MD5
bff69dfb2f66463c51f92ae799eab42b

SHA1
98cbbc2acf0598eb5ead70b0dcaf5a7fb0e72f72

SHA256
a7d24cc7bc13b7ea0010bda6c2b17611cead770a47926477439ea6e18dd4160e

SHA512
827e504c6d82cfe5fee685494c12027e88979339c756cad92dba67d0d83ba5fbac847fad72ab5b687ed5989309eaaabe6d74cc1a2d0145332d2fc70b5f8072f8

Download Submit
C:\Windows\{680F0788-819F-4e74-AD5E-069C173E718E}.exe

Filesize
204KB

MD5
59b1c3c2d88e0cc76c9f3ac67f4e0ae5

SHA1
1a38c80ba470b40d9384529c0234a4e20d85798b

SHA256
e5b565ff51d7cd31741e7da03c9f3bf7c9d11cb268c0adb240c4cf4e5c1e8504

SHA512
4a8c3ac2601831a7ff79315a6852ce105a72dcea2f654c3f75b9e49657cbed7d3d3cface493517cdf3cada46cb75d93ee0ff4e11c71d2434786e20318f7b284b

Download Submit
C:\Windows\{6B405F76-F11A-423a-AA3C-CA05F87311AB}.exe

Filesize
204KB

MD5
b53cccef7e5c03d8c557ebd50a446914

SHA1
b8ee5feb4ff8d26c9b9b06912c478ea07e5636ea

SHA256
35efe3c183b41bf3f13654bc7cf131d84ac7ac01708e33d2595254bcc61fc71d

SHA512
a4bd7f8a8ce03618eca748aee817df4c5aa9271c777749a3f4ec579ae3f754174a45a2fff235148f758ee6e817e3e863dd2ea261635ad289a9400febd3a66129

Download Submit
C:\Windows\{849692A1-AC08-42c9-83E6-58D757562E41}.exe

Filesize
204KB

MD5
e90a329dfe1aa42646ca8f42640d6d2d

SHA1
2a797104fc968e2a6585834d0aee17726d917079

SHA256
08698d5d51c4fd686d28e1f336741d66e4b583cf906cac49caa9f9a6a5b6c541

SHA512
a895bfda9355080573e53ac21f75f99b9cc9fc3b4ccb44c7f581839cb3545cde7dea2d4207824a7aa3722dcbf943fb09fc3c0494a845379a34c58ef99889fcaa

Download Submit
C:\Windows\{9C6EF466-F450-4e73-9CD8-C2D1E87FA034}.exe

Filesize
204KB

MD5
0baf4fd35c99aeb4e41f414910d17576

SHA1
e1693d2cb5833dbc3a8c778452ec8171b4c228b8

SHA256
59b70aac7040166d41faf4daf4f257e288921d17dc87c1b09026489be208a41e

SHA512
3e348bded544df73a4c0ab016164bbc67f713bb651b7cf9f6ccb3928e7f60fd68bf07e68af12f44e60ae250e04642dd5ca79997b8c522c1eace67495eb5fddf2

Download Submit
C:\Windows\{C6489A78-8A01-4fa7-8F8F-0035BB7152DF}.exe

Filesize
204KB

MD5
96ec3c5bc0ccafe56bced18c19205619

SHA1
9ddc87b388f1c1e04b173aef14a7d8422a033241

SHA256
15c5b907472fd2ef4a4e5fb36820e89644e6a040d867eca824c03ed1cc5781f9

SHA512
b15eb593ab12b21ddf0ac0d521660135526faffae5894cc82ffbb8dd8a45b95caf857f0ea7b7558c2c270b6ed2fc283d9d7916a8e4366acea45d7597e6a95901

Download Submit
C:\Windows\{CBFCC42B-EA8A-41db-8F86-1E0D3B3C7C72}.exe

Filesize
204KB

MD5
e52f7b0619f28197f8515098f4656f36

SHA1
aa8a02172b89ad310e7c9548efa39d6202163d9b

SHA256
d3409b13b914db1365710d54eec458203d102b6a4c0f72e69a8535fa142f136d

SHA512
12101b5219147d3e7b18f8333083056aae2311fd37b61c7f886d7cb52541f3e5267214301ad8d260e184639b15263872beb359c848d91049d383d4f224ee5e6c

Download Submit
C:\Windows\{D166E080-9653-4cdc-909C-5E87DE0EE58C}.exe

Filesize
204KB

MD5
e2dd2ecdf264c5aa2bb51fac9b3ff10d

SHA1
07dc4af51f46fbb6b70dd2d630f1c3b8084663d8

SHA256
c2b746f2b63ae61c781fee96cb1740254e8a173011ae4ff88e2a4b4e5181bb44

SHA512
fedfe51fbd1bef3e1ab3599e29882860e38e879a473ffae733c668ef0cebc6e355fbba2800c17866db8e72d45ecc48d62a8e6ebbb9eb95ba842e947aea7d2edc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads