746e41b0ebe89f9912780645849a17e7506c1fd8e149e923d80ee17970a788ef

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe
Size

380KB
MD5

03db89c3f85ef8203a180a2b3cecc04e
SHA1

2fb12a1f9f57697914eae9f6a767eae647268b61
SHA256

746e41b0ebe89f9912780645849a17e7506c1fd8e149e923d80ee17970a788ef
SHA512

c515a40c54a8bc2fa781f5bf5acf8b1eb26420031183d616d4d5125bf9a9ae886e6bf33c390d62b5e84eb31b3ae6ec30d55a2a18be988e8c400b132669b37a48
SSDEEP

3072:mEGh0o3lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGll7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}\stubpath = "C:\\Windows\\{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe"	{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F01800F-F20B-4111-9575-436125D8953D}\stubpath = "C:\\Windows\\{8F01800F-F20B-4111-9575-436125D8953D}.exe"	{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E6D3AA3-7CF7-4e2d-AA01-53525F630EB1}	{E6E9F381-E2BF-4b2a-9C89-A2CCC74B0A11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E6D3AA3-7CF7-4e2d-AA01-53525F630EB1}\stubpath = "C:\\Windows\\{3E6D3AA3-7CF7-4e2d-AA01-53525F630EB1}.exe"	{E6E9F381-E2BF-4b2a-9C89-A2CCC74B0A11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5310CAD-D4DF-4dbc-9682-C76F46BDE556}\stubpath = "C:\\Windows\\{F5310CAD-D4DF-4dbc-9682-C76F46BDE556}.exe"	{3E6D3AA3-7CF7-4e2d-AA01-53525F630EB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A3B3096-CEE1-417a-855E-E27BF419878D}\stubpath = "C:\\Windows\\{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe"	{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9776116E-DEC9-4e46-A4FC-83531E0655F0}	{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}	{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6E9F381-E2BF-4b2a-9C89-A2CCC74B0A11}	{8F01800F-F20B-4111-9575-436125D8953D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51FAB993-AB3C-4214-9A2F-82D86F680CB0}\stubpath = "C:\\Windows\\{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe"	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAD78921-757F-4e0a-8557-CDC2B79CB546}	{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3201E64-8334-4cf2-BAAB-A932E79C6956}	{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3201E64-8334-4cf2-BAAB-A932E79C6956}\stubpath = "C:\\Windows\\{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe"	{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}	{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}\stubpath = "C:\\Windows\\{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe"	{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51FAB993-AB3C-4214-9A2F-82D86F680CB0}	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAD78921-757F-4e0a-8557-CDC2B79CB546}\stubpath = "C:\\Windows\\{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe"	{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F01800F-F20B-4111-9575-436125D8953D}	{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6E9F381-E2BF-4b2a-9C89-A2CCC74B0A11}\stubpath = "C:\\Windows\\{E6E9F381-E2BF-4b2a-9C89-A2CCC74B0A11}.exe"	{8F01800F-F20B-4111-9575-436125D8953D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5310CAD-D4DF-4dbc-9682-C76F46BDE556}	{3E6D3AA3-7CF7-4e2d-AA01-53525F630EB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A3B3096-CEE1-417a-855E-E27BF419878D}	{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9776116E-DEC9-4e46-A4FC-83531E0655F0}\stubpath = "C:\\Windows\\{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe"	{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe

Deletes itself 1 IoCs

pid	Process
2080	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2676	{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe
3000	{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe
2732	{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe
2820	{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe
2988	{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe
1972	{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe
2792	{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe
1448	{8F01800F-F20B-4111-9575-436125D8953D}.exe
2056	{E6E9F381-E2BF-4b2a-9C89-A2CCC74B0A11}.exe
540	{3E6D3AA3-7CF7-4e2d-AA01-53525F630EB1}.exe
332	{F5310CAD-D4DF-4dbc-9682-C76F46BDE556}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3E6D3AA3-7CF7-4e2d-AA01-53525F630EB1}.exe	{E6E9F381-E2BF-4b2a-9C89-A2CCC74B0A11}.exe
File created	C:\Windows\{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe	{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe
File created	C:\Windows\{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe	{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe
File created	C:\Windows\{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe	{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe
File created	C:\Windows\{8F01800F-F20B-4111-9575-436125D8953D}.exe	{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe
File created	C:\Windows\{E6E9F381-E2BF-4b2a-9C89-A2CCC74B0A11}.exe	{8F01800F-F20B-4111-9575-436125D8953D}.exe
File created	C:\Windows\{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe
File created	C:\Windows\{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe	{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe
File created	C:\Windows\{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe	{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe
File created	C:\Windows\{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe	{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe
File created	C:\Windows\{F5310CAD-D4DF-4dbc-9682-C76F46BDE556}.exe	{3E6D3AA3-7CF7-4e2d-AA01-53525F630EB1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2304	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2676	{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe
Token: SeIncBasePriorityPrivilege	3000	{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe
Token: SeIncBasePriorityPrivilege	2732	{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe
Token: SeIncBasePriorityPrivilege	2820	{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe
Token: SeIncBasePriorityPrivilege	2988	{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe
Token: SeIncBasePriorityPrivilege	1972	{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe
Token: SeIncBasePriorityPrivilege	2792	{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe
Token: SeIncBasePriorityPrivilege	1448	{8F01800F-F20B-4111-9575-436125D8953D}.exe
Token: SeIncBasePriorityPrivilege	2056	{E6E9F381-E2BF-4b2a-9C89-A2CCC74B0A11}.exe
Token: SeIncBasePriorityPrivilege	540	{3E6D3AA3-7CF7-4e2d-AA01-53525F630EB1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2676	2304	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe	28
PID 2304 wrote to memory of 2676	2304	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe	28
PID 2304 wrote to memory of 2676	2304	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe	28
PID 2304 wrote to memory of 2676	2304	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe	28
PID 2304 wrote to memory of 2080	2304	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe	29
PID 2304 wrote to memory of 2080	2304	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe	29
PID 2304 wrote to memory of 2080	2304	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe	29
PID 2304 wrote to memory of 2080	2304	2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe	29
PID 2676 wrote to memory of 3000	2676	{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe	31
PID 2676 wrote to memory of 3000	2676	{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe	31
PID 2676 wrote to memory of 3000	2676	{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe	31
PID 2676 wrote to memory of 3000	2676	{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe	31
PID 2676 wrote to memory of 2604	2676	{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe	30
PID 2676 wrote to memory of 2604	2676	{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe	30
PID 2676 wrote to memory of 2604	2676	{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe	30
PID 2676 wrote to memory of 2604	2676	{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe	30
PID 3000 wrote to memory of 2732	3000	{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe	32
PID 3000 wrote to memory of 2732	3000	{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe	32
PID 3000 wrote to memory of 2732	3000	{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe	32
PID 3000 wrote to memory of 2732	3000	{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe	32
PID 3000 wrote to memory of 2564	3000	{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe	33
PID 3000 wrote to memory of 2564	3000	{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe	33
PID 3000 wrote to memory of 2564	3000	{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe	33
PID 3000 wrote to memory of 2564	3000	{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe	33
PID 2732 wrote to memory of 2820	2732	{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe	36
PID 2732 wrote to memory of 2820	2732	{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe	36
PID 2732 wrote to memory of 2820	2732	{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe	36
PID 2732 wrote to memory of 2820	2732	{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe	36
PID 2732 wrote to memory of 2960	2732	{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe	37
PID 2732 wrote to memory of 2960	2732	{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe	37
PID 2732 wrote to memory of 2960	2732	{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe	37
PID 2732 wrote to memory of 2960	2732	{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe	37
PID 2820 wrote to memory of 2988	2820	{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe	38
PID 2820 wrote to memory of 2988	2820	{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe	38
PID 2820 wrote to memory of 2988	2820	{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe	38
PID 2820 wrote to memory of 2988	2820	{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe	38
PID 2820 wrote to memory of 1184	2820	{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe	39
PID 2820 wrote to memory of 1184	2820	{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe	39
PID 2820 wrote to memory of 1184	2820	{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe	39
PID 2820 wrote to memory of 1184	2820	{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe	39
PID 2988 wrote to memory of 1972	2988	{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe	40
PID 2988 wrote to memory of 1972	2988	{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe	40
PID 2988 wrote to memory of 1972	2988	{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe	40
PID 2988 wrote to memory of 1972	2988	{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe	40
PID 2988 wrote to memory of 1596	2988	{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe	41
PID 2988 wrote to memory of 1596	2988	{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe	41
PID 2988 wrote to memory of 1596	2988	{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe	41
PID 2988 wrote to memory of 1596	2988	{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe	41
PID 1972 wrote to memory of 2792	1972	{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe	42
PID 1972 wrote to memory of 2792	1972	{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe	42
PID 1972 wrote to memory of 2792	1972	{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe	42
PID 1972 wrote to memory of 2792	1972	{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe	42
PID 1972 wrote to memory of 2752	1972	{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe	43
PID 1972 wrote to memory of 2752	1972	{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe	43
PID 1972 wrote to memory of 2752	1972	{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe	43
PID 1972 wrote to memory of 2752	1972	{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe	43
PID 2792 wrote to memory of 1448	2792	{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe	44
PID 2792 wrote to memory of 1448	2792	{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe	44
PID 2792 wrote to memory of 1448	2792	{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe	44
PID 2792 wrote to memory of 1448	2792	{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe	44
PID 2792 wrote to memory of 3060	2792	{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe	45
PID 2792 wrote to memory of 3060	2792	{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe	45
PID 2792 wrote to memory of 3060	2792	{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe	45
PID 2792 wrote to memory of 3060	2792	{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_03db89c3f85ef8203a180a2b3cecc04e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe
  C:\Windows\{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{51FAB~1.EXE > nul
    3⤵
    PID:2604
- - C:\Windows\{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe
    C:\Windows\{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe
      C:\Windows\{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe
        
        C:\Windows\{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe
        
        C:\Windows\{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe
        
        C:\Windows\{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe
        
        C:\Windows\{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\{8F01800F-F20B-4111-9575-436125D8953D}.exe
        
        C:\Windows\{8F01800F-F20B-4111-9575-436125D8953D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\{E6E9F381-E2BF-4b2a-9C89-A2CCC74B0A11}.exe
        
        C:\Windows\{E6E9F381-E2BF-4b2a-9C89-A2CCC74B0A11}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6E9F~1.EXE > nul
        11⤵
        
        PID:880
        
        C:\Windows\{3E6D3AA3-7CF7-4e2d-AA01-53525F630EB1}.exe
        
        C:\Windows\{3E6D3AA3-7CF7-4e2d-AA01-53525F630EB1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E6D3~1.EXE > nul
        12⤵
        
        PID:1780
        
        C:\Windows\{F5310CAD-D4DF-4dbc-9682-C76F46BDE556}.exe
        
        C:\Windows\{F5310CAD-D4DF-4dbc-9682-C76F46BDE556}.exe
        12⤵
        Executes dropped EXE
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F018~1.EXE > nul
        10⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C3AB~1.EXE > nul
        9⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACB96~1.EXE > nul
        8⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97761~1.EXE > nul
        7⤵
        
        PID:1596
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3201~1.EXE > nul
        6⤵
        
        PID:1184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAD78~1.EXE > nul
        5⤵
        
        PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9A3B3~1.EXE > nul
      4⤵
      PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3E6D3AA3-7CF7-4e2d-AA01-53525F630EB1}.exe

Filesize
380KB

MD5
3f3da6fda5782d9510e0fae0b7fbaa14

SHA1
ed4fb4453668d642a536b89eb41130234d807c3a

SHA256
d273aea77be36caaed11ea5318d3a6a790b649215628a6e2bb0f4c1c96e00f25

SHA512
eb084cd2023dd591be80f4b829128134aecd3fb7b48958be2530bf4e96f22a7e6af8019e2942c669a3faea53ec8e86b94f13dd1e625d348ef6b59963d6b6aa56

Download Submit
C:\Windows\{51FAB993-AB3C-4214-9A2F-82D86F680CB0}.exe

Filesize
380KB

MD5
29f1ab904552f131b31a8b94e63c9d0c

SHA1
a725fe116e130eb0f6c1aa1d00871cd515bb3c2b

SHA256
02342f6a365d95efcda2503e937e7d3a662b4fb8e81319cb97cca67648b94599

SHA512
18dd703e80e9ebec93a85b01dd65d641445fe78352afddb814804920fd13b887c075bbc499bd8ca824f120ad56b4dbb51d0844181b258ab59f195b05a2241715

Download Submit
C:\Windows\{8F01800F-F20B-4111-9575-436125D8953D}.exe

Filesize
380KB

MD5
141cd710b8ecdfb8938ff61cc0a8b970

SHA1
b022a536c046415bf2d6878572ee296405bcc769

SHA256
aa88c593f41888f6b9c95eda822d370b3f6e5929102df8bd34cf9ef5ce13ae60

SHA512
46aeb812f125476c34e14eb1c79e02e156e9b0ff77cfd38b7d92db7b0efa9a576adc68be307dc62602111c4f8690eae13c8cd15984f0ee7fb5875e0d28c4d31b

Download Submit
C:\Windows\{8F01800F-F20B-4111-9575-436125D8953D}.exe

Filesize
92KB

MD5
ce0d91cf8d9994da789467b95c2765b7

SHA1
b7498c83d17a73c86eee4450560a8cdd2bd46bbf

SHA256
26a556e2e88a47d7f79e661c4dcb9e44da918597d88757613b918c6b3ea6eeab

SHA512
b16f2d02b55da42ab390974b7f66891bf0c77d87825ff0168638b0e9661a8cfb7fbc2e2ca2a256ab1ac8e4f32233535fb4c484efadd553b86eb79a4f617d311a

Download Submit
C:\Windows\{9776116E-DEC9-4e46-A4FC-83531E0655F0}.exe

Filesize
380KB

MD5
20118204419b774348f7d8a16de5fed3

SHA1
1182022fabbf36172fdde8b8d0e7a70dc4c7faf0

SHA256
a8f076e1127343bf5c4be527c5b1174d2c0afe6c3b018177cf226f1216df356a

SHA512
a62444d11c25c79ed8d591594012abd90984f13dff8ef3729861ad512c56e9dc47eaaa504a87f7827db43dfa12155bfd3326ae274c0c2d85e8a86260b124c055

Download Submit
C:\Windows\{9A3B3096-CEE1-417a-855E-E27BF419878D}.exe

Filesize
380KB

MD5
b66b1eeddbb9f816b8e4ffd354dfe9c4

SHA1
a431ef0674705c0457f0cb43b2175b975b52ccfd

SHA256
6deb88fe3f5d3f5c27b5ba6640a1c342b8b7670eb8a2c6f56dfb3ea892773469

SHA512
1f9d260aa330616c35ae13fa590b9ec4dc8c7c20713846108160317b036257139ec9540d8b33f2f9972576f29db57884d9ce1df648ea15367f7e5c12e1305020

Download Submit
C:\Windows\{9C3ABBCD-79EC-455d-B863-1273DADB1FD8}.exe

Filesize
380KB

MD5
30afae06f4bcecf0c74970ceb5346709

SHA1
f062a3f47b1b3eebd3afc3c29e9183e39c9a2281

SHA256
c3c58e362600fa29f95cab54ee3b687d8fce14bb13cba80f74bb809d3a1a2ed9

SHA512
5119053f340c1f804ade219603cca786a996afe6eb106b2034c02795e8247403b94286041899ea5753a6aef5deb22ea730713dbf1aec6fb7b9268f84517d7514

Download Submit
C:\Windows\{ACB96B15-BB25-47e4-A49A-4E369EB95FBE}.exe

Filesize
380KB

MD5
460b73cbe3257c739fa68576690e4400

SHA1
562dc4ed09ce7bbfd19059fb6bf26fe62ba297aa

SHA256
5bb66196dc1fa264b118a10cc816f5a570abc1d5b98df59a7e34a7d218409989

SHA512
82ae8da8390223e0c1f6ea6f5508d104deb026106152f0b18d4d9f862fba88c03ca0ae7ee2a7ec422ef8e92b8e0aacdc2c57be41c61e196b13ee86187ac7d5ba

Download Submit
C:\Windows\{B3201E64-8334-4cf2-BAAB-A932E79C6956}.exe

Filesize
380KB

MD5
1c71a8119d8a48ef1df1df9c6eea01ab

SHA1
98f8ac5500b49047d361ab455046ddbccd95da17

SHA256
98f0930f2cf12f647d9f9737e8c564b44f0115b49daf4269110c106568dbad00

SHA512
b22a6b2bc6de2b68b4693786fc9755d0b9d6079a3636472e89fb8ed2a7b3797233aeea2df77cb44879a86d3fd93d367fbc49d7d22b26df8854d36c23548baf45

Download Submit
C:\Windows\{CAD78921-757F-4e0a-8557-CDC2B79CB546}.exe

Filesize
380KB

MD5
0888cc3bac70f5b254978a74168cff83

SHA1
aba87b0989992a6008935fe3010d68d92d935fe2

SHA256
84931c3f88937fe3276ba8cc1f95ae298b0ed427d627ad3feb9dd1984a3d930b

SHA512
fa1f4ea3044947b5e44c4454b151141457b9a5da8a5f6250b2046c72cd2a3f2575ec93070ddd138591ebb7b105d5dfef25d5a0d0649602644e024fcfcf28be36

Download Submit
C:\Windows\{F5310CAD-D4DF-4dbc-9682-C76F46BDE556}.exe

Filesize
380KB

MD5
c68f46e2f8611217da731a86d82ee1fb

SHA1
57a749d692cc683235d759f882e9701c6c9b7c17

SHA256
ddc3cf11480311b1eb1b39466f0ddbf6a7c215b3ae6eaff4e27867988e548749

SHA512
aeb39533a14e9291c85face8b03f85e8e0f9f717674fc9eed1020f17b603ce1aef5ecaf5b451fc7e2b6c8613bf98d03bffe2e64827e5333d3a4e58a3171645fe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads