324c9ad34b8110ff24b8a47cd6a73238f89d850e1b5dcdb666b9243623fd5ce1

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_515e1e07f74b9e5df2ea97201ae95caf_goldeneye.exe
Size

408KB
MD5

515e1e07f74b9e5df2ea97201ae95caf
SHA1

121100b20ca3de36bf1f4178eccc9a6e3aa22fbc
SHA256

324c9ad34b8110ff24b8a47cd6a73238f89d850e1b5dcdb666b9243623fd5ce1
SHA512

14efe8d28f21efb72fd15255544812d0d2ec77f7ac71a70e6deb232353912ee4cbb0f35999e5efb9c1014ff65c2d170fa56663ec0a71355d53f45e050bd83190
SSDEEP

3072:CEGh0o7l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG9ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}	{E20533F7-D596-44ad-81F5-75D761FDF189}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0206231B-B673-4372-AE70-26758565F9C9}	{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46E4FE04-1507-463f-916B-7425D7F3DC9D}	{0206231B-B673-4372-AE70-26758565F9C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA2D91FE-4183-48da-B5F3-16D9B84D310D}\stubpath = "C:\\Windows\\{DA2D91FE-4183-48da-B5F3-16D9B84D310D}.exe"	{46E4FE04-1507-463f-916B-7425D7F3DC9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC68F769-25CC-4190-B897-3A90C1BBEABE}\stubpath = "C:\\Windows\\{FC68F769-25CC-4190-B897-3A90C1BBEABE}.exe"	{DA2D91FE-4183-48da-B5F3-16D9B84D310D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}\stubpath = "C:\\Windows\\{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe"	{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18C57CFF-9A84-40ea-B466-F71338EE0379}\stubpath = "C:\\Windows\\{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe"	{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E20533F7-D596-44ad-81F5-75D761FDF189}\stubpath = "C:\\Windows\\{E20533F7-D596-44ad-81F5-75D761FDF189}.exe"	{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0206231B-B673-4372-AE70-26758565F9C9}\stubpath = "C:\\Windows\\{0206231B-B673-4372-AE70-26758565F9C9}.exe"	{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46E4FE04-1507-463f-916B-7425D7F3DC9D}\stubpath = "C:\\Windows\\{46E4FE04-1507-463f-916B-7425D7F3DC9D}.exe"	{0206231B-B673-4372-AE70-26758565F9C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC68F769-25CC-4190-B897-3A90C1BBEABE}	{DA2D91FE-4183-48da-B5F3-16D9B84D310D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}\stubpath = "C:\\Windows\\{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe"	2024-01-06_515e1e07f74b9e5df2ea97201ae95caf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}\stubpath = "C:\\Windows\\{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe"	{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18C57CFF-9A84-40ea-B466-F71338EE0379}	{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CB688DA-6FFE-4560-B300-AF8E18AC2820}	{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CB688DA-6FFE-4560-B300-AF8E18AC2820}\stubpath = "C:\\Windows\\{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe"	{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}	{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E20533F7-D596-44ad-81F5-75D761FDF189}	{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}\stubpath = "C:\\Windows\\{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe"	{E20533F7-D596-44ad-81F5-75D761FDF189}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}	{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA2D91FE-4183-48da-B5F3-16D9B84D310D}	{46E4FE04-1507-463f-916B-7425D7F3DC9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}	2024-01-06_515e1e07f74b9e5df2ea97201ae95caf_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
3040	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3032	{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe
2708	{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe
2872	{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe
3056	{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe
2772	{E20533F7-D596-44ad-81F5-75D761FDF189}.exe
1480	{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe
2832	{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe
1592	{0206231B-B673-4372-AE70-26758565F9C9}.exe
1376	{46E4FE04-1507-463f-916B-7425D7F3DC9D}.exe
700	{DA2D91FE-4183-48da-B5F3-16D9B84D310D}.exe
556	{FC68F769-25CC-4190-B897-3A90C1BBEABE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe	2024-01-06_515e1e07f74b9e5df2ea97201ae95caf_goldeneye.exe
File created	C:\Windows\{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe	{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe
File created	C:\Windows\{E20533F7-D596-44ad-81F5-75D761FDF189}.exe	{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe
File created	C:\Windows\{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe	{E20533F7-D596-44ad-81F5-75D761FDF189}.exe
File created	C:\Windows\{46E4FE04-1507-463f-916B-7425D7F3DC9D}.exe	{0206231B-B673-4372-AE70-26758565F9C9}.exe
File created	C:\Windows\{FC68F769-25CC-4190-B897-3A90C1BBEABE}.exe	{DA2D91FE-4183-48da-B5F3-16D9B84D310D}.exe
File created	C:\Windows\{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe	{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe
File created	C:\Windows\{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe	{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe
File created	C:\Windows\{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe	{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe
File created	C:\Windows\{0206231B-B673-4372-AE70-26758565F9C9}.exe	{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe
File created	C:\Windows\{DA2D91FE-4183-48da-B5F3-16D9B84D310D}.exe	{46E4FE04-1507-463f-916B-7425D7F3DC9D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2040	2024-01-06_515e1e07f74b9e5df2ea97201ae95caf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3032	{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe
Token: SeIncBasePriorityPrivilege	2708	{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe
Token: SeIncBasePriorityPrivilege	2872	{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe
Token: SeIncBasePriorityPrivilege	3056	{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe
Token: SeIncBasePriorityPrivilege	2772	{E20533F7-D596-44ad-81F5-75D761FDF189}.exe
Token: SeIncBasePriorityPrivilege	1480	{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe
Token: SeIncBasePriorityPrivilege	2832	{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe
Token: SeIncBasePriorityPrivilege	1592	{0206231B-B673-4372-AE70-26758565F9C9}.exe
Token: SeIncBasePriorityPrivilege	1376	{46E4FE04-1507-463f-916B-7425D7F3DC9D}.exe
Token: SeIncBasePriorityPrivilege	700	{DA2D91FE-4183-48da-B5F3-16D9B84D310D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 3032	2040	2024-01-06_515e1e07f74b9e5df2ea97201ae95caf_goldeneye.exe	28
PID 2040 wrote to memory of 3032	2040	2024-01-06_515e1e07f74b9e5df2ea97201ae95caf_goldeneye.exe	28
PID 2040 wrote to memory of 3032	2040	2024-01-06_515e1e07f74b9e5df2ea97201ae95caf_goldeneye.exe	28
PID 2040 wrote to memory of 3032	2040	2024-01-06_515e1e07f74b9e5df2ea97201ae95caf_goldeneye.exe	28
PID 2040 wrote to memory of 3040	2040	2024-01-06_515e1e07f74b9e5df2ea97201ae95caf_goldeneye.exe	29
PID 2040 wrote to memory of 3040	2040	2024-01-06_515e1e07f74b9e5df2ea97201ae95caf_goldeneye.exe	29
PID 2040 wrote to memory of 3040	2040	2024-01-06_515e1e07f74b9e5df2ea97201ae95caf_goldeneye.exe	29
PID 2040 wrote to memory of 3040	2040	2024-01-06_515e1e07f74b9e5df2ea97201ae95caf_goldeneye.exe	29
PID 3032 wrote to memory of 2708	3032	{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe	30
PID 3032 wrote to memory of 2708	3032	{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe	30
PID 3032 wrote to memory of 2708	3032	{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe	30
PID 3032 wrote to memory of 2708	3032	{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe	30
PID 3032 wrote to memory of 2604	3032	{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe	31
PID 3032 wrote to memory of 2604	3032	{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe	31
PID 3032 wrote to memory of 2604	3032	{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe	31
PID 3032 wrote to memory of 2604	3032	{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe	31
PID 2708 wrote to memory of 2872	2708	{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe	33
PID 2708 wrote to memory of 2872	2708	{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe	33
PID 2708 wrote to memory of 2872	2708	{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe	33
PID 2708 wrote to memory of 2872	2708	{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe	33
PID 2708 wrote to memory of 2828	2708	{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe	32
PID 2708 wrote to memory of 2828	2708	{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe	32
PID 2708 wrote to memory of 2828	2708	{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe	32
PID 2708 wrote to memory of 2828	2708	{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe	32
PID 2872 wrote to memory of 3056	2872	{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe	36
PID 2872 wrote to memory of 3056	2872	{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe	36
PID 2872 wrote to memory of 3056	2872	{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe	36
PID 2872 wrote to memory of 3056	2872	{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe	36
PID 2872 wrote to memory of 2084	2872	{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe	37
PID 2872 wrote to memory of 2084	2872	{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe	37
PID 2872 wrote to memory of 2084	2872	{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe	37
PID 2872 wrote to memory of 2084	2872	{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe	37
PID 3056 wrote to memory of 2772	3056	{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe	39
PID 3056 wrote to memory of 2772	3056	{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe	39
PID 3056 wrote to memory of 2772	3056	{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe	39
PID 3056 wrote to memory of 2772	3056	{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe	39
PID 3056 wrote to memory of 2580	3056	{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe	38
PID 3056 wrote to memory of 2580	3056	{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe	38
PID 3056 wrote to memory of 2580	3056	{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe	38
PID 3056 wrote to memory of 2580	3056	{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe	38
PID 2772 wrote to memory of 1480	2772	{E20533F7-D596-44ad-81F5-75D761FDF189}.exe	40
PID 2772 wrote to memory of 1480	2772	{E20533F7-D596-44ad-81F5-75D761FDF189}.exe	40
PID 2772 wrote to memory of 1480	2772	{E20533F7-D596-44ad-81F5-75D761FDF189}.exe	40
PID 2772 wrote to memory of 1480	2772	{E20533F7-D596-44ad-81F5-75D761FDF189}.exe	40
PID 2772 wrote to memory of 2184	2772	{E20533F7-D596-44ad-81F5-75D761FDF189}.exe	41
PID 2772 wrote to memory of 2184	2772	{E20533F7-D596-44ad-81F5-75D761FDF189}.exe	41
PID 2772 wrote to memory of 2184	2772	{E20533F7-D596-44ad-81F5-75D761FDF189}.exe	41
PID 2772 wrote to memory of 2184	2772	{E20533F7-D596-44ad-81F5-75D761FDF189}.exe	41
PID 1480 wrote to memory of 2832	1480	{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe	42
PID 1480 wrote to memory of 2832	1480	{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe	42
PID 1480 wrote to memory of 2832	1480	{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe	42
PID 1480 wrote to memory of 2832	1480	{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe	42
PID 1480 wrote to memory of 2516	1480	{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe	43
PID 1480 wrote to memory of 2516	1480	{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe	43
PID 1480 wrote to memory of 2516	1480	{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe	43
PID 1480 wrote to memory of 2516	1480	{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe	43
PID 2832 wrote to memory of 1592	2832	{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe	44
PID 2832 wrote to memory of 1592	2832	{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe	44
PID 2832 wrote to memory of 1592	2832	{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe	44
PID 2832 wrote to memory of 1592	2832	{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe	44
PID 2832 wrote to memory of 1784	2832	{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe	45
PID 2832 wrote to memory of 1784	2832	{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe	45
PID 2832 wrote to memory of 1784	2832	{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe	45
PID 2832 wrote to memory of 1784	2832	{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-06_515e1e07f74b9e5df2ea97201ae95caf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_515e1e07f74b9e5df2ea97201ae95caf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe
  C:\Windows\{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe
    C:\Windows\{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{18C57~1.EXE > nul
      4⤵
      PID:2828
  - - C:\Windows\{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe
      C:\Windows\{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe
        
        C:\Windows\{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F19D9~1.EXE > nul
        6⤵
        
        PID:2580
      - C:\Windows\{E20533F7-D596-44ad-81F5-75D761FDF189}.exe
        
        C:\Windows\{E20533F7-D596-44ad-81F5-75D761FDF189}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe
        
        C:\Windows\{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe
        
        C:\Windows\{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\{0206231B-B673-4372-AE70-26758565F9C9}.exe
        
        C:\Windows\{0206231B-B673-4372-AE70-26758565F9C9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02062~1.EXE > nul
        10⤵
        
        PID:2052
        
        C:\Windows\{46E4FE04-1507-463f-916B-7425D7F3DC9D}.exe
        
        C:\Windows\{46E4FE04-1507-463f-916B-7425D7F3DC9D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\{DA2D91FE-4183-48da-B5F3-16D9B84D310D}.exe
        
        C:\Windows\{DA2D91FE-4183-48da-B5F3-16D9B84D310D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
        
        C:\Windows\{FC68F769-25CC-4190-B897-3A90C1BBEABE}.exe
        
        C:\Windows\{FC68F769-25CC-4190-B897-3A90C1BBEABE}.exe
        12⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA2D9~1.EXE > nul
        12⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46E4F~1.EXE > nul
        11⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10EB3~1.EXE > nul
        9⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A97D6~1.EXE > nul
        8⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2053~1.EXE > nul
        7⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CB68~1.EXE > nul
        5⤵
        
        PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{94A0E~1.EXE > nul
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0206231B-B673-4372-AE70-26758565F9C9}.exe

Filesize
408KB

MD5
61fc8cc501db40a70e4d0365d109e2f3

SHA1
5508a74af513cb1841b22062c896d27e81c8a6db

SHA256
8397abc7f21afd985f27976d7049c8b8a3b2e71e68bc3e55391f0a53fc4fb91a

SHA512
150ac0b4f5a6bacc4d9957cf4e2cffb910fd524fd1230b7ad418478a388f97ac1ef27608a72bb43f9383d00b53abc8a42e216e6243929e1628fa3f03233bb941

Download Submit
C:\Windows\{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe

Filesize
381KB

MD5
914e231deafb835e6a667e55302816f7

SHA1
e15a693b10013ff75dab495dbd268c612a2bcb9c

SHA256
69c9be66a85b847ea26aa7ebb07a549a9c8bd1c84e47e7b799cddb37e4932aaf

SHA512
eb1639ba4137e1063733992518a07d72046a26a26c09b79da588859c061f60d2149c8eb466192236858f0f95bf382645c9848e6503d80df225876406ae2c0ec2

Download Submit
C:\Windows\{10EB32EB-70DC-46f3-9EB8-6ED4FE4F7B4B}.exe

Filesize
408KB

MD5
6bdd73f1300e11e9d5202014e868d48a

SHA1
d3ae8dedca7ed8a39b1e1ffeb86e05e263bc6dfd

SHA256
f031f8d7ec68580a2af6ed13fd6f608f96951f7714200a0acb210e2a8bd17627

SHA512
1c362c236b64da8053fe3573fb5f1b75d7e474e8f8076bd1938acb6a7f20698c1bbb3af7aa39371d8553f24fcb60ca9e4d6b8ef23afa620b998c676f6f0b040d

Download Submit
C:\Windows\{18C57CFF-9A84-40ea-B466-F71338EE0379}.exe

Filesize
408KB

MD5
2c1c2bec9e2a62c309c2b36ee9893ceb

SHA1
3c028c1c844a98f82eda007931c16b66fafd8d6c

SHA256
6543df27ef729bde75d26415421c1470171df2216340b381188f18bbfa389fa2

SHA512
55a8e67fa9a04a9a0bd8e26fee81076720c85c6f7869b398e9d916cbdb14316b23fff92165176b86f0cdafac343b63e8e6293cc6e4a066a07dbc8cbcd58e9cf3

Download Submit
C:\Windows\{2CB688DA-6FFE-4560-B300-AF8E18AC2820}.exe

Filesize
408KB

MD5
052a5889eef42996823d298f268a939e

SHA1
75d4b1264edf10b1cac06a022182cc072792826e

SHA256
1885e83747b0759bfe768df3b6c3de35024ed6f9b821925405089dcd08462cd7

SHA512
b6970e5076d816f1d034c591b1b0e992df24bf9f99119b157eb29fc734a6e87b5f13f4d646f1b96cc51c95410908a0f02161d79c7c28ea1c97fa425713886a89

Download Submit
C:\Windows\{46E4FE04-1507-463f-916B-7425D7F3DC9D}.exe

Filesize
408KB

MD5
8137fb56fbca1e4a1e85203002be0d7b

SHA1
1b92abb51ea921851410465fc728f17d93fe51d8

SHA256
5542e16cf535289d7125144ef29e00f1c076998462f01715f2d8a2dab5a1f27e

SHA512
aeb4e1e7d320dc3dffc8f7a60eba5df91589f2cefc9271fe4d10b408d6abc91bc5f62ba0cb6cc888b85fab4da3029eb4500c0ed3f84d1c5944a1eaabce052582

Download Submit
C:\Windows\{46E4FE04-1507-463f-916B-7425D7F3DC9D}.exe

Filesize
93KB

MD5
10286570937f1d69774fa3b7c6336a09

SHA1
16b22f0133b22adfed1da7dd07ae78e6134ee230

SHA256
3509b4206028ec0df8116a5811d9181f6cbdbf78c4c6b94492ca83eac416e20c

SHA512
129ac9325f165de69046b7a7f408495ea3a00750b995aa73473f3114d946160d0488bb162455bd2191ef2447b6a1d703a0677a2ad66f78416dd7b827bbf2338d

Download Submit
C:\Windows\{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe

Filesize
408KB

MD5
cef486850404057f73ea84674ea666c2

SHA1
873ff70c365b324deada87cf7d0558e864663b65

SHA256
1112852a31f553b6a4e358392bbcb8cae150f75ef17d9d87d5d4880071398ea8

SHA512
71256a071133b5522fda5da185920b81a2ed09268b25eeda8b3a1d7d7fd86ffbe98bd45c8cf786231d28544c042b24faab616f67e5b6f8fedff57751254fa4f5

Download Submit
C:\Windows\{94A0EBB1-8EDD-4d0d-AA31-754809AC97D5}.exe

Filesize
320KB

MD5
37eca8305d6ce6f74022faa89669746f

SHA1
0e4e5f173addb13780db66408ee8156a0302c19a

SHA256
9b4f7d995cf655cb833cb77173492587e631bd1c74f9743d9f08bbc91b93a9e7

SHA512
eb48369624073ff951dd02530594e58717d362e57d1ab9a70a2473eddc9d0f9d1290013011b72ffd120a5d4aa32b5d64ecf5428cb225f6b757cde043ba0e8511

Download Submit
C:\Windows\{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe

Filesize
408KB

MD5
d9413fc1bf909f5a5b29d11e76354122

SHA1
aab8697d519974e9a07adf89089bc3fc3efc5297

SHA256
a0135870f4f81f3b745518c327238c12d4ef469cf4bef6159b18126124b40c5c

SHA512
a6bb235fbf6049cd1a0ba1e40ec494bcb5dd80d0605e755c1e4e730c156f7e10efb1d10df13cf60e7f6a3418e36d4c3375f70c1f9759afc00bda577d7a356d0b

Download Submit
C:\Windows\{A97D6EDC-62BE-47dc-A086-7AA401B2FCEE}.exe

Filesize
95KB

MD5
7afbcf8249caccac21d5f2ebe3ff04e1

SHA1
2b654998e4dcce848886845cb0d45b45da78013f

SHA256
0e4147179a669f8218b72f38671bf1fbc4baee4997b50c0b94f24f85f1d61ec9

SHA512
0b62ebc319749747845736cfa091a63b5923dce4f368b69f16f7a23a3b8ccc394ab4e0e20b14133cbef68b546a73cab931b9cef4495c2c89cd7551ab5e757f61

Download Submit
C:\Windows\{DA2D91FE-4183-48da-B5F3-16D9B84D310D}.exe

Filesize
408KB

MD5
3e27e1632d56d99715bcea42c7e44547

SHA1
9f7bb1a80efb7983f038bd2fa89f1605b1f85a6f

SHA256
7efb500c10d0972d388662630dbd74ae001339355655bed8dba7e51ac39287a8

SHA512
4677472b3d342d794630033a79e6dd32cd89ea6c72287dd52d63d0bde1bee73bde512e5c5d086c58f5648cd378ce7e252842b21b24b830ccea020d79600639bd

Download Submit
C:\Windows\{E20533F7-D596-44ad-81F5-75D761FDF189}.exe

Filesize
408KB

MD5
063e771665283711cbc6ba8a4f9f22eb

SHA1
0e2d0e4443c2afef765467d0c4804f7a4d4aa3c8

SHA256
ea5a1e070692a7465995388835b186e37e39a6ca930cf51f09cec1225d50161d

SHA512
df2c0b86917937ccd51e8d9916091960bf2997ed717e562fd2275ffb547f96c3c32c62a0ab78250cd9627cf4f79262d74cc9b3c2462fc7d241ee5844ac8bc8cd

Download Submit
C:\Windows\{F19D9AEC-4895-4fdc-9F4B-C5D304F5362C}.exe

Filesize
408KB

MD5
e4243c6488537d563b6ff5f05c4b4585

SHA1
ad3dc18d312ec8d1a9f54ad9b3652d9596b2faef

SHA256
6ca4450d133eea9307fb31f59eade5ef20239f4de208c61d850561e7af64ab4a

SHA512
f623037bcf081070abc6fc14c79fc7e771dfef6466d4a07b4d04b5b7a2246aeb48db2f4d1c6778c874cc5c2ee5c725d7a4aa201290fea9487b6dfe4924745f8e

Download Submit
C:\Windows\{FC68F769-25CC-4190-B897-3A90C1BBEABE}.exe

Filesize
92KB

MD5
65189edb0b962721dfe260a11770bb50

SHA1
89fb624a2e7f1fc821c30fbb2c96fd13436999ec

SHA256
24754499c26c3c153114ba8f7c938e5bc849181d3447ae4fa88abe4180969cb6

SHA512
f8225d9768c247caa1b538fb16e7ed3310d7d674c05efc3802bc7059dbe5dc65f23f1aac5dc4a68d960d6fc9f30a95edcc3e1adcf50e508a2959e22d072489a9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads