c2112cafa52cf87e7ae0ee50ec0539b87fc154a04c9b2070fef51fbf7e22204f

Analysis

max time kernel
175s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_3cd7da474f975728c7a6858e88bbc988_goldeneye.exe
Size

180KB
MD5

3cd7da474f975728c7a6858e88bbc988
SHA1

67462fb564581df2b43a5c34b5a32ddbf098e53f
SHA256

c2112cafa52cf87e7ae0ee50ec0539b87fc154a04c9b2070fef51fbf7e22204f
SHA512

99a94411e15648f18ad4faa61ce20e6a7603e7df358a980578639b0ee1c958fc3c3659774342995a5153a49a8e8e3e7232bdaa13e8968874af51af8de067a81f
SSDEEP

3072:jEGh0odlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG3l5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}\stubpath = "C:\\Windows\\{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe"	{B9025081-D37A-4e75-A9EE-0041EF923710}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}	{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6304329F-6831-48fe-BCCA-A384C7D21DB9}\stubpath = "C:\\Windows\\{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe"	{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{450DB8E7-49D9-4d6d-832A-66D2624ED71B}\stubpath = "C:\\Windows\\{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe"	{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1AE724E-983E-497c-BE37-E569914DC03C}	{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A24A206-DEC4-4367-AF58-5C37D14669CC}	{5655268C-DCBB-4594-874B-691326FE4CC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E17A4C5A-823D-41b6-B519-9CBDADE01C7D}	{4F323E6B-45DF-409f-A0A8-6E45C2C0FC8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8FBA087-2813-4e30-8D17-057939B8B41A}	{E17A4C5A-823D-41b6-B519-9CBDADE01C7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}	{B9025081-D37A-4e75-A9EE-0041EF923710}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}\stubpath = "C:\\Windows\\{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe"	{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6304329F-6831-48fe-BCCA-A384C7D21DB9}	{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{450DB8E7-49D9-4d6d-832A-66D2624ED71B}	{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5655268C-DCBB-4594-874B-691326FE4CC5}\stubpath = "C:\\Windows\\{5655268C-DCBB-4594-874B-691326FE4CC5}.exe"	{F1AE724E-983E-497c-BE37-E569914DC03C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F323E6B-45DF-409f-A0A8-6E45C2C0FC8B}\stubpath = "C:\\Windows\\{4F323E6B-45DF-409f-A0A8-6E45C2C0FC8B}.exe"	{9A24A206-DEC4-4367-AF58-5C37D14669CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E17A4C5A-823D-41b6-B519-9CBDADE01C7D}\stubpath = "C:\\Windows\\{E17A4C5A-823D-41b6-B519-9CBDADE01C7D}.exe"	{4F323E6B-45DF-409f-A0A8-6E45C2C0FC8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8FBA087-2813-4e30-8D17-057939B8B41A}\stubpath = "C:\\Windows\\{D8FBA087-2813-4e30-8D17-057939B8B41A}.exe"	{E17A4C5A-823D-41b6-B519-9CBDADE01C7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9025081-D37A-4e75-A9EE-0041EF923710}	2024-01-06_3cd7da474f975728c7a6858e88bbc988_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9025081-D37A-4e75-A9EE-0041EF923710}\stubpath = "C:\\Windows\\{B9025081-D37A-4e75-A9EE-0041EF923710}.exe"	2024-01-06_3cd7da474f975728c7a6858e88bbc988_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1AE724E-983E-497c-BE37-E569914DC03C}\stubpath = "C:\\Windows\\{F1AE724E-983E-497c-BE37-E569914DC03C}.exe"	{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5655268C-DCBB-4594-874B-691326FE4CC5}	{F1AE724E-983E-497c-BE37-E569914DC03C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A24A206-DEC4-4367-AF58-5C37D14669CC}\stubpath = "C:\\Windows\\{9A24A206-DEC4-4367-AF58-5C37D14669CC}.exe"	{5655268C-DCBB-4594-874B-691326FE4CC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E151235-7D4C-40be-9014-AFE7987EE5E2}	{D8FBA087-2813-4e30-8D17-057939B8B41A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E151235-7D4C-40be-9014-AFE7987EE5E2}\stubpath = "C:\\Windows\\{3E151235-7D4C-40be-9014-AFE7987EE5E2}.exe"	{D8FBA087-2813-4e30-8D17-057939B8B41A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F323E6B-45DF-409f-A0A8-6E45C2C0FC8B}	{9A24A206-DEC4-4367-AF58-5C37D14669CC}.exe

Deletes itself 1 IoCs

pid	Process
2792	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2216	{B9025081-D37A-4e75-A9EE-0041EF923710}.exe
3004	{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe
2872	{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe
1568	{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe
1528	{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe
2824	{F1AE724E-983E-497c-BE37-E569914DC03C}.exe
1328	{5655268C-DCBB-4594-874B-691326FE4CC5}.exe
3024	{9A24A206-DEC4-4367-AF58-5C37D14669CC}.exe
2068	{4F323E6B-45DF-409f-A0A8-6E45C2C0FC8B}.exe
2268	{E17A4C5A-823D-41b6-B519-9CBDADE01C7D}.exe
1964	{D8FBA087-2813-4e30-8D17-057939B8B41A}.exe
1176	{3E151235-7D4C-40be-9014-AFE7987EE5E2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe	{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe
File created	C:\Windows\{F1AE724E-983E-497c-BE37-E569914DC03C}.exe	{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe
File created	C:\Windows\{3E151235-7D4C-40be-9014-AFE7987EE5E2}.exe	{D8FBA087-2813-4e30-8D17-057939B8B41A}.exe
File created	C:\Windows\{9A24A206-DEC4-4367-AF58-5C37D14669CC}.exe	{5655268C-DCBB-4594-874B-691326FE4CC5}.exe
File created	C:\Windows\{4F323E6B-45DF-409f-A0A8-6E45C2C0FC8B}.exe	{9A24A206-DEC4-4367-AF58-5C37D14669CC}.exe
File created	C:\Windows\{E17A4C5A-823D-41b6-B519-9CBDADE01C7D}.exe	{4F323E6B-45DF-409f-A0A8-6E45C2C0FC8B}.exe
File created	C:\Windows\{B9025081-D37A-4e75-A9EE-0041EF923710}.exe	2024-01-06_3cd7da474f975728c7a6858e88bbc988_goldeneye.exe
File created	C:\Windows\{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe	{B9025081-D37A-4e75-A9EE-0041EF923710}.exe
File created	C:\Windows\{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe	{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe
File created	C:\Windows\{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe	{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe
File created	C:\Windows\{5655268C-DCBB-4594-874B-691326FE4CC5}.exe	{F1AE724E-983E-497c-BE37-E569914DC03C}.exe
File created	C:\Windows\{D8FBA087-2813-4e30-8D17-057939B8B41A}.exe	{E17A4C5A-823D-41b6-B519-9CBDADE01C7D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2332	2024-01-06_3cd7da474f975728c7a6858e88bbc988_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2216	{B9025081-D37A-4e75-A9EE-0041EF923710}.exe
Token: SeIncBasePriorityPrivilege	3004	{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe
Token: SeIncBasePriorityPrivilege	2872	{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe
Token: SeIncBasePriorityPrivilege	1568	{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe
Token: SeIncBasePriorityPrivilege	1528	{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe
Token: SeIncBasePriorityPrivilege	2824	{F1AE724E-983E-497c-BE37-E569914DC03C}.exe
Token: SeIncBasePriorityPrivilege	1328	{5655268C-DCBB-4594-874B-691326FE4CC5}.exe
Token: SeIncBasePriorityPrivilege	3024	{9A24A206-DEC4-4367-AF58-5C37D14669CC}.exe
Token: SeIncBasePriorityPrivilege	2068	{4F323E6B-45DF-409f-A0A8-6E45C2C0FC8B}.exe
Token: SeIncBasePriorityPrivilege	2268	{E17A4C5A-823D-41b6-B519-9CBDADE01C7D}.exe
Token: SeIncBasePriorityPrivilege	1964	{D8FBA087-2813-4e30-8D17-057939B8B41A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2216	2332	2024-01-06_3cd7da474f975728c7a6858e88bbc988_goldeneye.exe	29
PID 2332 wrote to memory of 2216	2332	2024-01-06_3cd7da474f975728c7a6858e88bbc988_goldeneye.exe	29
PID 2332 wrote to memory of 2216	2332	2024-01-06_3cd7da474f975728c7a6858e88bbc988_goldeneye.exe	29
PID 2332 wrote to memory of 2216	2332	2024-01-06_3cd7da474f975728c7a6858e88bbc988_goldeneye.exe	29
PID 2332 wrote to memory of 2792	2332	2024-01-06_3cd7da474f975728c7a6858e88bbc988_goldeneye.exe	30
PID 2332 wrote to memory of 2792	2332	2024-01-06_3cd7da474f975728c7a6858e88bbc988_goldeneye.exe	30
PID 2332 wrote to memory of 2792	2332	2024-01-06_3cd7da474f975728c7a6858e88bbc988_goldeneye.exe	30
PID 2332 wrote to memory of 2792	2332	2024-01-06_3cd7da474f975728c7a6858e88bbc988_goldeneye.exe	30
PID 2216 wrote to memory of 3004	2216	{B9025081-D37A-4e75-A9EE-0041EF923710}.exe	31
PID 2216 wrote to memory of 3004	2216	{B9025081-D37A-4e75-A9EE-0041EF923710}.exe	31
PID 2216 wrote to memory of 3004	2216	{B9025081-D37A-4e75-A9EE-0041EF923710}.exe	31
PID 2216 wrote to memory of 3004	2216	{B9025081-D37A-4e75-A9EE-0041EF923710}.exe	31
PID 2216 wrote to memory of 2104	2216	{B9025081-D37A-4e75-A9EE-0041EF923710}.exe	32
PID 2216 wrote to memory of 2104	2216	{B9025081-D37A-4e75-A9EE-0041EF923710}.exe	32
PID 2216 wrote to memory of 2104	2216	{B9025081-D37A-4e75-A9EE-0041EF923710}.exe	32
PID 2216 wrote to memory of 2104	2216	{B9025081-D37A-4e75-A9EE-0041EF923710}.exe	32
PID 3004 wrote to memory of 2872	3004	{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe	33
PID 3004 wrote to memory of 2872	3004	{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe	33
PID 3004 wrote to memory of 2872	3004	{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe	33
PID 3004 wrote to memory of 2872	3004	{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe	33
PID 3004 wrote to memory of 2892	3004	{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe	34
PID 3004 wrote to memory of 2892	3004	{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe	34
PID 3004 wrote to memory of 2892	3004	{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe	34
PID 3004 wrote to memory of 2892	3004	{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe	34
PID 2872 wrote to memory of 1568	2872	{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe	35
PID 2872 wrote to memory of 1568	2872	{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe	35
PID 2872 wrote to memory of 1568	2872	{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe	35
PID 2872 wrote to memory of 1568	2872	{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe	35
PID 2872 wrote to memory of 2380	2872	{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe	36
PID 2872 wrote to memory of 2380	2872	{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe	36
PID 2872 wrote to memory of 2380	2872	{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe	36
PID 2872 wrote to memory of 2380	2872	{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe	36
PID 1568 wrote to memory of 1528	1568	{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe	37
PID 1568 wrote to memory of 1528	1568	{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe	37
PID 1568 wrote to memory of 1528	1568	{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe	37
PID 1568 wrote to memory of 1528	1568	{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe	37
PID 1568 wrote to memory of 1648	1568	{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe	38
PID 1568 wrote to memory of 1648	1568	{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe	38
PID 1568 wrote to memory of 1648	1568	{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe	38
PID 1568 wrote to memory of 1648	1568	{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe	38
PID 1528 wrote to memory of 2824	1528	{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe	39
PID 1528 wrote to memory of 2824	1528	{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe	39
PID 1528 wrote to memory of 2824	1528	{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe	39
PID 1528 wrote to memory of 2824	1528	{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe	39
PID 1528 wrote to memory of 668	1528	{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe	40
PID 1528 wrote to memory of 668	1528	{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe	40
PID 1528 wrote to memory of 668	1528	{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe	40
PID 1528 wrote to memory of 668	1528	{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe	40
PID 2824 wrote to memory of 1328	2824	{F1AE724E-983E-497c-BE37-E569914DC03C}.exe	41
PID 2824 wrote to memory of 1328	2824	{F1AE724E-983E-497c-BE37-E569914DC03C}.exe	41
PID 2824 wrote to memory of 1328	2824	{F1AE724E-983E-497c-BE37-E569914DC03C}.exe	41
PID 2824 wrote to memory of 1328	2824	{F1AE724E-983E-497c-BE37-E569914DC03C}.exe	41
PID 2824 wrote to memory of 1296	2824	{F1AE724E-983E-497c-BE37-E569914DC03C}.exe	42
PID 2824 wrote to memory of 1296	2824	{F1AE724E-983E-497c-BE37-E569914DC03C}.exe	42
PID 2824 wrote to memory of 1296	2824	{F1AE724E-983E-497c-BE37-E569914DC03C}.exe	42
PID 2824 wrote to memory of 1296	2824	{F1AE724E-983E-497c-BE37-E569914DC03C}.exe	42
PID 1328 wrote to memory of 3024	1328	{5655268C-DCBB-4594-874B-691326FE4CC5}.exe	43
PID 1328 wrote to memory of 3024	1328	{5655268C-DCBB-4594-874B-691326FE4CC5}.exe	43
PID 1328 wrote to memory of 3024	1328	{5655268C-DCBB-4594-874B-691326FE4CC5}.exe	43
PID 1328 wrote to memory of 3024	1328	{5655268C-DCBB-4594-874B-691326FE4CC5}.exe	43
PID 1328 wrote to memory of 1308	1328	{5655268C-DCBB-4594-874B-691326FE4CC5}.exe	44
PID 1328 wrote to memory of 1308	1328	{5655268C-DCBB-4594-874B-691326FE4CC5}.exe	44
PID 1328 wrote to memory of 1308	1328	{5655268C-DCBB-4594-874B-691326FE4CC5}.exe	44
PID 1328 wrote to memory of 1308	1328	{5655268C-DCBB-4594-874B-691326FE4CC5}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-06_3cd7da474f975728c7a6858e88bbc988_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_3cd7da474f975728c7a6858e88bbc988_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\{B9025081-D37A-4e75-A9EE-0041EF923710}.exe
  C:\Windows\{B9025081-D37A-4e75-A9EE-0041EF923710}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe
    C:\Windows\{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe
      C:\Windows\{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe
        
        C:\Windows\{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
      - C:\Windows\{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe
        
        C:\Windows\{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\{F1AE724E-983E-497c-BE37-E569914DC03C}.exe
        
        C:\Windows\{F1AE724E-983E-497c-BE37-E569914DC03C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\{5655268C-DCBB-4594-874B-691326FE4CC5}.exe
        
        C:\Windows\{5655268C-DCBB-4594-874B-691326FE4CC5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\{9A24A206-DEC4-4367-AF58-5C37D14669CC}.exe
        
        C:\Windows\{9A24A206-DEC4-4367-AF58-5C37D14669CC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\{4F323E6B-45DF-409f-A0A8-6E45C2C0FC8B}.exe
        
        C:\Windows\{4F323E6B-45DF-409f-A0A8-6E45C2C0FC8B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\{E17A4C5A-823D-41b6-B519-9CBDADE01C7D}.exe
        
        C:\Windows\{E17A4C5A-823D-41b6-B519-9CBDADE01C7D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\{D8FBA087-2813-4e30-8D17-057939B8B41A}.exe
        
        C:\Windows\{D8FBA087-2813-4e30-8D17-057939B8B41A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\{3E151235-7D4C-40be-9014-AFE7987EE5E2}.exe
        
        C:\Windows\{3E151235-7D4C-40be-9014-AFE7987EE5E2}.exe
        13⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8FBA~1.EXE > nul
        13⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E17A4~1.EXE > nul
        12⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F323~1.EXE > nul
        11⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A24A~1.EXE > nul
        10⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56552~1.EXE > nul
        9⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1AE7~1.EXE > nul
        8⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{450DB~1.EXE > nul
        7⤵
        
        PID:668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63043~1.EXE > nul
        6⤵
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C152~1.EXE > nul
        5⤵
        
        PID:2380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4BA1E~1.EXE > nul
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B9025~1.EXE > nul
    3⤵
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3E151235-7D4C-40be-9014-AFE7987EE5E2}.exe

Filesize
180KB

MD5
6f6ab60124d1d7da30dd9f982285fa3d

SHA1
92b0ae9525873cd6d3cf20e86fdae6c0bba53a15

SHA256
9b89037ca57900390db23e6167b1166a9339e55b900acf3fd8460f5bd885c25c

SHA512
78a04774f947185668136dbb820bcdbae8b123e859b897a4100958ea99988ccc55ad7ac4c318c682d64ea953024d9d3a598b1172167cb1f75abcf755e967a742

Download Submit
C:\Windows\{450DB8E7-49D9-4d6d-832A-66D2624ED71B}.exe

Filesize
180KB

MD5
d92f4a76793860f24fc15af46f191d98

SHA1
dc20f830d103297a28ad121adf66fe3ac7065bf3

SHA256
ed1992f52b4309b8b9621a9ffb30ee12efa6796369958e372df41326ed5da446

SHA512
7444c082e58fdc82435c5cd945759d77d50406fd10d1af9bd911af04558efc1be4c49d8945c11076dbe82372e1a6a53793d15ad068b8ac79d1221b9e2a6c690d

Download Submit
C:\Windows\{4BA1E780-9B5F-4dab-89D2-C3C87D9BE098}.exe

Filesize
180KB

MD5
22f068060558cf92508af475a8644909

SHA1
b779fa2de4dd2fb2f1f9ab01efe5d5c9e1d1f073

SHA256
5a8833df048e6627a17337e8110394400244b5bd641fa9a053632d90be1d5740

SHA512
4696155b2fe324b54258684d3486b4e126fab2d31b7303d5f59fc23670be044ccff7d36b860284a4079184245f098017889edac8a0c25fa804445a68bfad29a1

Download Submit
C:\Windows\{4F323E6B-45DF-409f-A0A8-6E45C2C0FC8B}.exe

Filesize
180KB

MD5
d65d18d728223d6407977375b16ede4b

SHA1
cf1cf35ad203fd31d1b27de0603f2f876a5c8138

SHA256
03420a0cef51e120693f71f98c09cc1aef8e0f1a6d6c791d0536d49f25786772

SHA512
2a5abfed8e3a1af8a71d6d0a5e37f392fa613476f42c89a102a076d26fea69b31c5b4db3230d4d14a4ca4e794fd798cc34c6e2605008640ceccef3a6c91f05a6

Download Submit
C:\Windows\{5655268C-DCBB-4594-874B-691326FE4CC5}.exe

Filesize
180KB

MD5
1853ef50e2253a0489dca1094bd1d41a

SHA1
5fff2dac2f593180636029ea8604315ab9bdb8b0

SHA256
bb532f3b81cf74802a75b44f067ee20efc467844236374723d2cd2a441630a54

SHA512
b96d97bd772b3caa1de7a418b5fea31c22b91b5fc9a291e3483a45706f8f9afdc23d0e05c5dec219b75ae2cf0109b901f3caada60ae1d233a46b6bb5b07c0913

Download Submit
C:\Windows\{5C15239F-24A9-48a0-B8A9-DAC9E2F92EE5}.exe

Filesize
180KB

MD5
788e22c69963ceccc1750f7563f0f91e

SHA1
30ecc2e81576be596a4a937680a07f406dc45eec

SHA256
5fc8acff01d439e6162a55a516c0df62d4e4edd234a45006844b2ea79c43508c

SHA512
9a341f6e4911b4e39c0f93fc7363e90cc880bf41a4f9906ffba9f29949f950daffc0f225529bc8cd55bbfe9dcb8ebae1d3eb418cd589cfcc0c88285d90cc8e8d

Download Submit
C:\Windows\{6304329F-6831-48fe-BCCA-A384C7D21DB9}.exe

Filesize
180KB

MD5
816fc2f5858bfa4178ea247da004d204

SHA1
aa08fd234d26c022252ecff1d70590458c2f373e

SHA256
f5af37a551102498adf1bc0d559bba3b22bbabb65fb402858086a1aed8d6e385

SHA512
74a06fdaf833bf8504c819f3139e33f3a900605d9052c9fc44f82350841420915e722a860333985c40289be6462fd947f59f0a8f59f36a1e9852a523c513f92d

Download Submit
C:\Windows\{9A24A206-DEC4-4367-AF58-5C37D14669CC}.exe

Filesize
180KB

MD5
2b3d4d98a142dc4979a024f01a09d49f

SHA1
3373689c4d0c39387c50ba647bdfc1bc5949d459

SHA256
02ec58a4a20dcf967a15309598c59a809a5b830747c7ab035e64a8b8eeb9ec13

SHA512
282e90eb1b7f116bd62c597d195202692379542558183d75901ec961becb3bb411f4627b06a009f193c3923273cf96408b06e278d821036b17097506486f3a66

Download Submit
C:\Windows\{B9025081-D37A-4e75-A9EE-0041EF923710}.exe

Filesize
180KB

MD5
7e3d1123403643ad5a1fe5729a6f08f1

SHA1
4ea92da6eaa8418a285528ea0e725b4b7332ad1b

SHA256
b07886f6482e093e45f297a7891e0ed0db8985671abf00a8b7af5f14b9ae55cf

SHA512
2fd11ae9c7bac45696c7ad7a3e31866a85223aac40a877ad6646b20a90681418a0adfbe30e1fca56d5fee6b1e16f287d3039c1baacc7fe9133370f2842a2afdc

Download Submit
C:\Windows\{D8FBA087-2813-4e30-8D17-057939B8B41A}.exe

Filesize
180KB

MD5
0d4448e3d7d8f0e9d50f484e9c33fa97

SHA1
3a8e81ca6109bc4804c5fc07d6c0fe31955b0b02

SHA256
93fce93959cd96058b25dc066c33abba90dd9d524670dacfb57db6896ea52ed1

SHA512
58a54283204775a08b12b9b4ed4c8c069c66ba08bf85ca8545df786792d8a67d8feb9395ddea6b2ca6f8c4fa2b212a39e336c3fcea0cad901fc1660eb97e717c

Download Submit
C:\Windows\{E17A4C5A-823D-41b6-B519-9CBDADE01C7D}.exe

Filesize
180KB

MD5
5a2b461265935eee9bf2c31beb82f5fe

SHA1
a16cdb44cfc47f3af5be1062bb98cfa757e4c225

SHA256
e69cc4efa360263dc0e262892e13e6843e43fb7644c583c0b38c49fc073ab56e

SHA512
90c41677428ac18b1673cf66caf643e8e49722cc8bd98517f5e5d0ee3e22d384c0c0695ed5e630732d299976d34d07cde86e87eba86fb16fe00f6179d27d3e32

Download Submit
C:\Windows\{F1AE724E-983E-497c-BE37-E569914DC03C}.exe

Filesize
180KB

MD5
81d6c3f8677aed067ce3506ccd35a32f

SHA1
9cf3999b6f854c7b3c5698e98d2b23ed9ba8d631

SHA256
1e4d82d970d16f104afc7db1b477bf4b78a591e1adcda6e2a931f33b959f6aac

SHA512
3f6f072ed233a0b79e939ff74e0fb6d4289f0ad96baf9e7877e64d57a736e333ba3e4dde7ec27244c1eb12a5be7f32cb70e2d2905b48d46feaefad77fc737600

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads