2fbbef8d00ef090bf87a77a5c8337fc7610626bedceda328c4d2b75da25bc22e

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 12:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe
Size

180KB
MD5

60eac2616ad8192e3f7451b4b6168802
SHA1

e9e57001f7379efc976a4cfde9afa593cbf2ed2d
SHA256

2fbbef8d00ef090bf87a77a5c8337fc7610626bedceda328c4d2b75da25bc22e
SHA512

4fadccc60ec2f2c1c9ea5f2373adb3ba92e4a47ed3b44082b136ddbe65da43770ff2482ee9591e3ab465dbbd4781f2856da5d59f4535d3da44648045b6f438f8
SSDEEP

3072:jEGh0o8lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGal5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{292B6211-888D-4703-86BA-0B61C4B646A9}	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E05F682-CAE6-4564-A643-78517C99C511}\stubpath = "C:\\Windows\\{2E05F682-CAE6-4564-A643-78517C99C511}.exe"	{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30DC5965-ED59-4150-9C37-FAFDA1D653CB}\stubpath = "C:\\Windows\\{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe"	{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F437A971-A250-4d94-9439-F500B0C97CEE}	{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D13010E-D62C-46c9-A684-D0D96AFD5E31}\stubpath = "C:\\Windows\\{4D13010E-D62C-46c9-A684-D0D96AFD5E31}.exe"	{F437A971-A250-4d94-9439-F500B0C97CEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C3DFD17-5E97-468f-8274-4302A6925494}	{4D13010E-D62C-46c9-A684-D0D96AFD5E31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}\stubpath = "C:\\Windows\\{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe"	{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F437A971-A250-4d94-9439-F500B0C97CEE}\stubpath = "C:\\Windows\\{F437A971-A250-4d94-9439-F500B0C97CEE}.exe"	{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADC91560-8247-444a-AEBF-339082FC3AC3}	{9C3DFD17-5E97-468f-8274-4302A6925494}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{292B6211-888D-4703-86BA-0B61C4B646A9}\stubpath = "C:\\Windows\\{292B6211-888D-4703-86BA-0B61C4B646A9}.exe"	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F23035B9-B9F6-44cf-8FB8-B973216F9306}	{292B6211-888D-4703-86BA-0B61C4B646A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E05F682-CAE6-4564-A643-78517C99C511}	{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D3E84AE-036F-4065-A5B5-41586D146D7E}\stubpath = "C:\\Windows\\{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe"	{2E05F682-CAE6-4564-A643-78517C99C511}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{757628C7-2516-43cc-8365-44E525DAB654}	{ADC91560-8247-444a-AEBF-339082FC3AC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{757628C7-2516-43cc-8365-44E525DAB654}\stubpath = "C:\\Windows\\{757628C7-2516-43cc-8365-44E525DAB654}.exe"	{ADC91560-8247-444a-AEBF-339082FC3AC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F23035B9-B9F6-44cf-8FB8-B973216F9306}\stubpath = "C:\\Windows\\{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe"	{292B6211-888D-4703-86BA-0B61C4B646A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D3E84AE-036F-4065-A5B5-41586D146D7E}	{2E05F682-CAE6-4564-A643-78517C99C511}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}	{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30DC5965-ED59-4150-9C37-FAFDA1D653CB}	{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D13010E-D62C-46c9-A684-D0D96AFD5E31}	{F437A971-A250-4d94-9439-F500B0C97CEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C3DFD17-5E97-468f-8274-4302A6925494}\stubpath = "C:\\Windows\\{9C3DFD17-5E97-468f-8274-4302A6925494}.exe"	{4D13010E-D62C-46c9-A684-D0D96AFD5E31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADC91560-8247-444a-AEBF-339082FC3AC3}\stubpath = "C:\\Windows\\{ADC91560-8247-444a-AEBF-339082FC3AC3}.exe"	{9C3DFD17-5E97-468f-8274-4302A6925494}.exe

Deletes itself 1 IoCs

pid	Process
2876	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2672	{292B6211-888D-4703-86BA-0B61C4B646A9}.exe
2704	{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe
2628	{2E05F682-CAE6-4564-A643-78517C99C511}.exe
524	{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe
564	{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe
2276	{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe
280	{F437A971-A250-4d94-9439-F500B0C97CEE}.exe
2816	{4D13010E-D62C-46c9-A684-D0D96AFD5E31}.exe
884	{9C3DFD17-5E97-468f-8274-4302A6925494}.exe
2548	{ADC91560-8247-444a-AEBF-339082FC3AC3}.exe
2040	{757628C7-2516-43cc-8365-44E525DAB654}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{292B6211-888D-4703-86BA-0B61C4B646A9}.exe	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe
File created	C:\Windows\{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe	{2E05F682-CAE6-4564-A643-78517C99C511}.exe
File created	C:\Windows\{ADC91560-8247-444a-AEBF-339082FC3AC3}.exe	{9C3DFD17-5E97-468f-8274-4302A6925494}.exe
File created	C:\Windows\{757628C7-2516-43cc-8365-44E525DAB654}.exe	{ADC91560-8247-444a-AEBF-339082FC3AC3}.exe
File created	C:\Windows\{F437A971-A250-4d94-9439-F500B0C97CEE}.exe	{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe
File created	C:\Windows\{4D13010E-D62C-46c9-A684-D0D96AFD5E31}.exe	{F437A971-A250-4d94-9439-F500B0C97CEE}.exe
File created	C:\Windows\{9C3DFD17-5E97-468f-8274-4302A6925494}.exe	{4D13010E-D62C-46c9-A684-D0D96AFD5E31}.exe
File created	C:\Windows\{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe	{292B6211-888D-4703-86BA-0B61C4B646A9}.exe
File created	C:\Windows\{2E05F682-CAE6-4564-A643-78517C99C511}.exe	{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe
File created	C:\Windows\{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe	{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe
File created	C:\Windows\{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe	{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1092	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2672	{292B6211-888D-4703-86BA-0B61C4B646A9}.exe
Token: SeIncBasePriorityPrivilege	2704	{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe
Token: SeIncBasePriorityPrivilege	2628	{2E05F682-CAE6-4564-A643-78517C99C511}.exe
Token: SeIncBasePriorityPrivilege	524	{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe
Token: SeIncBasePriorityPrivilege	564	{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe
Token: SeIncBasePriorityPrivilege	2276	{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe
Token: SeIncBasePriorityPrivilege	280	{F437A971-A250-4d94-9439-F500B0C97CEE}.exe
Token: SeIncBasePriorityPrivilege	2816	{4D13010E-D62C-46c9-A684-D0D96AFD5E31}.exe
Token: SeIncBasePriorityPrivilege	884	{9C3DFD17-5E97-468f-8274-4302A6925494}.exe
Token: SeIncBasePriorityPrivilege	2548	{ADC91560-8247-444a-AEBF-339082FC3AC3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 2672	1092	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe	28
PID 1092 wrote to memory of 2672	1092	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe	28
PID 1092 wrote to memory of 2672	1092	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe	28
PID 1092 wrote to memory of 2672	1092	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe	28
PID 1092 wrote to memory of 2876	1092	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe	29
PID 1092 wrote to memory of 2876	1092	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe	29
PID 1092 wrote to memory of 2876	1092	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe	29
PID 1092 wrote to memory of 2876	1092	2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe	29
PID 2672 wrote to memory of 2704	2672	{292B6211-888D-4703-86BA-0B61C4B646A9}.exe	30
PID 2672 wrote to memory of 2704	2672	{292B6211-888D-4703-86BA-0B61C4B646A9}.exe	30
PID 2672 wrote to memory of 2704	2672	{292B6211-888D-4703-86BA-0B61C4B646A9}.exe	30
PID 2672 wrote to memory of 2704	2672	{292B6211-888D-4703-86BA-0B61C4B646A9}.exe	30
PID 2672 wrote to memory of 2712	2672	{292B6211-888D-4703-86BA-0B61C4B646A9}.exe	31
PID 2672 wrote to memory of 2712	2672	{292B6211-888D-4703-86BA-0B61C4B646A9}.exe	31
PID 2672 wrote to memory of 2712	2672	{292B6211-888D-4703-86BA-0B61C4B646A9}.exe	31
PID 2672 wrote to memory of 2712	2672	{292B6211-888D-4703-86BA-0B61C4B646A9}.exe	31
PID 2704 wrote to memory of 2628	2704	{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe	33
PID 2704 wrote to memory of 2628	2704	{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe	33
PID 2704 wrote to memory of 2628	2704	{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe	33
PID 2704 wrote to memory of 2628	2704	{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe	33
PID 2704 wrote to memory of 2600	2704	{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe	34
PID 2704 wrote to memory of 2600	2704	{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe	34
PID 2704 wrote to memory of 2600	2704	{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe	34
PID 2704 wrote to memory of 2600	2704	{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe	34
PID 2628 wrote to memory of 524	2628	{2E05F682-CAE6-4564-A643-78517C99C511}.exe	36
PID 2628 wrote to memory of 524	2628	{2E05F682-CAE6-4564-A643-78517C99C511}.exe	36
PID 2628 wrote to memory of 524	2628	{2E05F682-CAE6-4564-A643-78517C99C511}.exe	36
PID 2628 wrote to memory of 524	2628	{2E05F682-CAE6-4564-A643-78517C99C511}.exe	36
PID 2628 wrote to memory of 468	2628	{2E05F682-CAE6-4564-A643-78517C99C511}.exe	37
PID 2628 wrote to memory of 468	2628	{2E05F682-CAE6-4564-A643-78517C99C511}.exe	37
PID 2628 wrote to memory of 468	2628	{2E05F682-CAE6-4564-A643-78517C99C511}.exe	37
PID 2628 wrote to memory of 468	2628	{2E05F682-CAE6-4564-A643-78517C99C511}.exe	37
PID 524 wrote to memory of 564	524	{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe	38
PID 524 wrote to memory of 564	524	{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe	38
PID 524 wrote to memory of 564	524	{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe	38
PID 524 wrote to memory of 564	524	{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe	38
PID 524 wrote to memory of 2968	524	{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe	39
PID 524 wrote to memory of 2968	524	{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe	39
PID 524 wrote to memory of 2968	524	{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe	39
PID 524 wrote to memory of 2968	524	{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe	39
PID 564 wrote to memory of 2276	564	{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe	40
PID 564 wrote to memory of 2276	564	{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe	40
PID 564 wrote to memory of 2276	564	{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe	40
PID 564 wrote to memory of 2276	564	{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe	40
PID 564 wrote to memory of 2788	564	{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe	41
PID 564 wrote to memory of 2788	564	{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe	41
PID 564 wrote to memory of 2788	564	{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe	41
PID 564 wrote to memory of 2788	564	{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe	41
PID 2276 wrote to memory of 280	2276	{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe	42
PID 2276 wrote to memory of 280	2276	{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe	42
PID 2276 wrote to memory of 280	2276	{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe	42
PID 2276 wrote to memory of 280	2276	{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe	42
PID 2276 wrote to memory of 2568	2276	{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe	43
PID 2276 wrote to memory of 2568	2276	{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe	43
PID 2276 wrote to memory of 2568	2276	{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe	43
PID 2276 wrote to memory of 2568	2276	{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe	43
PID 280 wrote to memory of 2816	280	{F437A971-A250-4d94-9439-F500B0C97CEE}.exe	44
PID 280 wrote to memory of 2816	280	{F437A971-A250-4d94-9439-F500B0C97CEE}.exe	44
PID 280 wrote to memory of 2816	280	{F437A971-A250-4d94-9439-F500B0C97CEE}.exe	44
PID 280 wrote to memory of 2816	280	{F437A971-A250-4d94-9439-F500B0C97CEE}.exe	44
PID 280 wrote to memory of 1548	280	{F437A971-A250-4d94-9439-F500B0C97CEE}.exe	45
PID 280 wrote to memory of 1548	280	{F437A971-A250-4d94-9439-F500B0C97CEE}.exe	45
PID 280 wrote to memory of 1548	280	{F437A971-A250-4d94-9439-F500B0C97CEE}.exe	45
PID 280 wrote to memory of 1548	280	{F437A971-A250-4d94-9439-F500B0C97CEE}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_60eac2616ad8192e3f7451b4b6168802_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\{292B6211-888D-4703-86BA-0B61C4B646A9}.exe
  C:\Windows\{292B6211-888D-4703-86BA-0B61C4B646A9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe
    C:\Windows\{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{2E05F682-CAE6-4564-A643-78517C99C511}.exe
      C:\Windows\{2E05F682-CAE6-4564-A643-78517C99C511}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe
        
        C:\Windows\{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:524
      - C:\Windows\{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe
        
        C:\Windows\{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe
        
        C:\Windows\{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\{F437A971-A250-4d94-9439-F500B0C97CEE}.exe
        
        C:\Windows\{F437A971-A250-4d94-9439-F500B0C97CEE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\{4D13010E-D62C-46c9-A684-D0D96AFD5E31}.exe
        
        C:\Windows\{4D13010E-D62C-46c9-A684-D0D96AFD5E31}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\{9C3DFD17-5E97-468f-8274-4302A6925494}.exe
        
        C:\Windows\{9C3DFD17-5E97-468f-8274-4302A6925494}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\{ADC91560-8247-444a-AEBF-339082FC3AC3}.exe
        
        C:\Windows\{ADC91560-8247-444a-AEBF-339082FC3AC3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\{757628C7-2516-43cc-8365-44E525DAB654}.exe
        
        C:\Windows\{757628C7-2516-43cc-8365-44E525DAB654}.exe
        12⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADC91~1.EXE > nul
        12⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C3DF~1.EXE > nul
        11⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D130~1.EXE > nul
        10⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F437A~1.EXE > nul
        9⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30DC5~1.EXE > nul
        8⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBB0A~1.EXE > nul
        7⤵
        
        PID:2788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D3E8~1.EXE > nul
        6⤵
        
        PID:2968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E05F~1.EXE > nul
        5⤵
        
        PID:468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F2303~1.EXE > nul
      4⤵
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{292B6~1.EXE > nul
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{292B6211-888D-4703-86BA-0B61C4B646A9}.exe

Filesize
180KB

MD5
a00871e1972c5f3245d5483bc2b44f59

SHA1
5708525f8714f98c243eec8ade6b34d73c4c2c42

SHA256
db4103d4eb9a2c78c56049e138286939ab67c3823eb975a29fd94410dc8f1bf6

SHA512
d9a3861168f3d2e909c54821e36707bf7e6bb2efc1d807514550e7c06436438e61d6c26f0e04b93cb080398d11213f2dff5a3f87f983abb2c3cbc8e4591b7a16

Download Submit
C:\Windows\{2E05F682-CAE6-4564-A643-78517C99C511}.exe

Filesize
180KB

MD5
47a63dc76fb9c5cbb27f2165f2112bec

SHA1
768c1af3307d0239ebd13a264b4b5b0767681039

SHA256
ef1b77cb620b3f8c1dcbd42df8ec540d3769ff65d3a0883901b25490085fd88f

SHA512
bdb052be5973fca0234b85428086b881299e9c830758e96253a65ab98092a3decdc9f912582262e53c534eaed1f5bdf0ef9b172bbe879899e3bf8673847e71ab

Download Submit
C:\Windows\{30DC5965-ED59-4150-9C37-FAFDA1D653CB}.exe

Filesize
180KB

MD5
e9ff732591e2817c1a94db068c92cbea

SHA1
e7bfe4252b033ce1038f4d81fcf5c2b804f71fee

SHA256
8b4596aab4bb0d439f3bac880eb0d2beab4afe1d4464bcf69460538141040a94

SHA512
fca72af8d7f246cfb3c70d113007ffb978348701d556ed605cf9d9b3e310d6c70bf3c25ff0d3fa2732e424aedfd59b4798171bfe989fbf9d7f895c38caae922a

Download Submit
C:\Windows\{4D13010E-D62C-46c9-A684-D0D96AFD5E31}.exe

Filesize
180KB

MD5
3eda333e47599416ac6177cb95148a5f

SHA1
e56145b7b858d97b5a5256ee75842f8b7a04c91f

SHA256
aa8f0bcf7014d69a4114a50c5af0f575a6ae704c44d5cb6cb4479a68c06a1969

SHA512
1cf0a0462a9cbb74b253a6adcee584c20f552033419672f820e4600d336fee6d424808a2329b74fae50a2dd7e88589d7314d31498c30b18288e11dd3db631fd6

Download Submit
C:\Windows\{5D3E84AE-036F-4065-A5B5-41586D146D7E}.exe

Filesize
180KB

MD5
1c9d906c2f71c044ce5d31c4f2c32674

SHA1
f2fe62a779cbb6d57d27d17cae1053e3c045894d

SHA256
4417b84c3c967b3f4be4ee6cf930e96595fd6075efaaa6a6d872d4ccfafce9cb

SHA512
66634d142798ecc6096c035e69dc964f44d013738bf9d3d34f43e31871a1ff46de906d553cf01885d717642b56e7f0e6013fc25f78e260a50c1cf1792a0d672b

Download Submit
C:\Windows\{757628C7-2516-43cc-8365-44E525DAB654}.exe

Filesize
180KB

MD5
e9397671198829ec1db54259ff29070c

SHA1
e404fa59ecf6deed6a99c2c721a4076480c2232d

SHA256
afb45c7974807d0a24632cd9228733be721f776dec6023f34c1695ff09ba2083

SHA512
27c7e32c777a4f34a0a7aea980bf4911b60793a2c754496d61d8b505a97db6adaa8171658171e2d63c625d8ad109942969ee9b64f42db3b499a20b522ce4270c

Download Submit
C:\Windows\{9C3DFD17-5E97-468f-8274-4302A6925494}.exe

Filesize
180KB

MD5
332c54564a36bddc6e8a90f638205bc2

SHA1
31c3ebcbe69d158a5de58d934c578ad65fe694fc

SHA256
a6968e57da20c1076583595214a252faa01d79aaf9caa3df8761e40d05020b4f

SHA512
60c2b2ce94bbcf85456a321c24d7d61139de6a5f85d34d66ba7f22a53a833206e4f68a1e825878f158a4dbe279f54ab2d70c5f4a99e2726c85ef28d7be684ee1

Download Submit
C:\Windows\{ADC91560-8247-444a-AEBF-339082FC3AC3}.exe

Filesize
180KB

MD5
cfdf3e096c5815069e86e646820a7f11

SHA1
6befd98d1d580609deb201c108bb66147f822f4a

SHA256
a37b603b61048a8c7dbe51bb096d65bc204737310ff299984ce66f580247bbad

SHA512
2e6f050f8da53f40e77104f5c57f07bba8a0c48f7ab9deb6ad18bd017cb3158afa88d38531e931aa1ac313355bfefa9d8d1fcdf94cdebe58a8a65abae5cfd3f2

Download Submit
C:\Windows\{EBB0AA1A-96CF-47dd-8039-ED05190A97AA}.exe

Filesize
180KB

MD5
54d5b452e2af1daebde43ef62f6508b2

SHA1
1387714bb19de636b8610d8ebb1a0fc8ba35352f

SHA256
afd59d928d49fec57af4ba2bb24c16772256c35531fa11f07f8ac17a3fcb0653

SHA512
8c37fba977a3dafae64ff28f22134272a6c7a7c5da42bc025d8171feb5fa6a0af9a0c23adc6ce3f8edcff6952644bc3db239fcdfb32650186cba0f9fdbe095a3

Download Submit
C:\Windows\{F23035B9-B9F6-44cf-8FB8-B973216F9306}.exe

Filesize
180KB

MD5
0cdea8fc77f7af31eb3d78d9817e4b30

SHA1
17745e86d0f7ae2b25be4a882273d70d2977d558

SHA256
205df3d6416ba383f310c3563ef15987fed3b815f24d3b69bd3170fc79ef75c3

SHA512
d4322253e2fcc4c9fedcf445b4317c44549a26dd4bed20068821a9287f059ee8177a82aac9aea8fced7029aaa1f6ca95bcd551d88ebd0a6a1c0e0cc779d504ad

Download Submit
C:\Windows\{F437A971-A250-4d94-9439-F500B0C97CEE}.exe

Filesize
180KB

MD5
ea447a57d0cd3a6b853e325ad4fc5cbf

SHA1
4b86b095fe8b652fa6123431f79f3af65c7f9b5b

SHA256
8e8522e9190a1b320b0c8e040e9a417dafc4cf08843d3e70e22b4ecb55e03df2

SHA512
60e9bc52642fe8ce386a603d3fd62eb78a92803f0b922e2b79c0ef1fea5c227e465b720974552ceaa8fe0e2d05b2ba2f308a64b8aa86ed8d902daaaac0eb857e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads