b4f32d5bcf21bd1d3b25053c653aec40b8f98dcb3ae68667dbba5be4f633ba5a

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe
Size

408KB
MD5

9022259a9a557ca9471301f0225ac924
SHA1

990c820f56b8cc608693ce19dcade1f6cf375135
SHA256

b4f32d5bcf21bd1d3b25053c653aec40b8f98dcb3ae68667dbba5be4f633ba5a
SHA512

c3eaac7dc81ec4876a0a3ea3ef26920f4133a55a1b4487f099fe839cc83999c58ca2f0639f11aa4418d947fd4c17da83083bd5bcca00c3f202f1a3976c566c43
SSDEEP

3072:CEGh0oSl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG0ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6EED744-0678-444d-8BE4-2A02BCABB139}\stubpath = "C:\\Windows\\{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe"	{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D39FE4C-850B-426d-8AA1-557D6FB16C83}	{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE121CB6-36E2-4401-91FD-57E7B1981344}\stubpath = "C:\\Windows\\{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe"	{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED6E25FC-80EE-40be-9B1E-DD6B8FB55922}\stubpath = "C:\\Windows\\{ED6E25FC-80EE-40be-9B1E-DD6B8FB55922}.exe"	{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CBBE029-78F3-4e34-A284-44A6CEF4C51C}	{ED6E25FC-80EE-40be-9B1E-DD6B8FB55922}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46F24870-291F-4eb1-87D2-3CB859CE8F27}	{3CBBE029-78F3-4e34-A284-44A6CEF4C51C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46F24870-291F-4eb1-87D2-3CB859CE8F27}\stubpath = "C:\\Windows\\{46F24870-291F-4eb1-87D2-3CB859CE8F27}.exe"	{3CBBE029-78F3-4e34-A284-44A6CEF4C51C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DC202E2-61AE-4c8f-A5BB-5502B992B249}	{46F24870-291F-4eb1-87D2-3CB859CE8F27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95E79050-9639-4aab-A37F-3D07D2F6E8B8}\stubpath = "C:\\Windows\\{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe"	2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{988944BA-7C7D-4cc6-89C5-ACA075F7B648}\stubpath = "C:\\Windows\\{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe"	{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}\stubpath = "C:\\Windows\\{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe"	{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE121CB6-36E2-4401-91FD-57E7B1981344}	{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95E79050-9639-4aab-A37F-3D07D2F6E8B8}	2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6EED744-0678-444d-8BE4-2A02BCABB139}	{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{988944BA-7C7D-4cc6-89C5-ACA075F7B648}	{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}	{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}\stubpath = "C:\\Windows\\{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe"	{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}	{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D39FE4C-850B-426d-8AA1-557D6FB16C83}\stubpath = "C:\\Windows\\{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe"	{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4811684-4563-49a4-83F2-179AA8FE0C00}	{2DC202E2-61AE-4c8f-A5BB-5502B992B249}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED6E25FC-80EE-40be-9B1E-DD6B8FB55922}	{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CBBE029-78F3-4e34-A284-44A6CEF4C51C}\stubpath = "C:\\Windows\\{3CBBE029-78F3-4e34-A284-44A6CEF4C51C}.exe"	{ED6E25FC-80EE-40be-9B1E-DD6B8FB55922}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DC202E2-61AE-4c8f-A5BB-5502B992B249}\stubpath = "C:\\Windows\\{2DC202E2-61AE-4c8f-A5BB-5502B992B249}.exe"	{46F24870-291F-4eb1-87D2-3CB859CE8F27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4811684-4563-49a4-83F2-179AA8FE0C00}\stubpath = "C:\\Windows\\{C4811684-4563-49a4-83F2-179AA8FE0C00}.exe"	{2DC202E2-61AE-4c8f-A5BB-5502B992B249}.exe

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2680	{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe
2580	{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe
2488	{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe
524	{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe
2908	{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe
1956	{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe
2016	{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe
2864	{ED6E25FC-80EE-40be-9B1E-DD6B8FB55922}.exe
1608	{3CBBE029-78F3-4e34-A284-44A6CEF4C51C}.exe
1848	{46F24870-291F-4eb1-87D2-3CB859CE8F27}.exe
1696	{2DC202E2-61AE-4c8f-A5BB-5502B992B249}.exe
760	{C4811684-4563-49a4-83F2-179AA8FE0C00}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe	{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe
File created	C:\Windows\{ED6E25FC-80EE-40be-9B1E-DD6B8FB55922}.exe	{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe
File created	C:\Windows\{2DC202E2-61AE-4c8f-A5BB-5502B992B249}.exe	{46F24870-291F-4eb1-87D2-3CB859CE8F27}.exe
File created	C:\Windows\{C4811684-4563-49a4-83F2-179AA8FE0C00}.exe	{2DC202E2-61AE-4c8f-A5BB-5502B992B249}.exe
File created	C:\Windows\{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe	{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe
File created	C:\Windows\{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe	{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe
File created	C:\Windows\{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe	{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe
File created	C:\Windows\{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe	{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe
File created	C:\Windows\{3CBBE029-78F3-4e34-A284-44A6CEF4C51C}.exe	{ED6E25FC-80EE-40be-9B1E-DD6B8FB55922}.exe
File created	C:\Windows\{46F24870-291F-4eb1-87D2-3CB859CE8F27}.exe	{3CBBE029-78F3-4e34-A284-44A6CEF4C51C}.exe
File created	C:\Windows\{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe	2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe
File created	C:\Windows\{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe	{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2976	2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2680	{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe
Token: SeIncBasePriorityPrivilege	2580	{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe
Token: SeIncBasePriorityPrivilege	2488	{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe
Token: SeIncBasePriorityPrivilege	524	{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe
Token: SeIncBasePriorityPrivilege	2908	{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe
Token: SeIncBasePriorityPrivilege	1956	{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe
Token: SeIncBasePriorityPrivilege	2016	{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe
Token: SeIncBasePriorityPrivilege	2864	{ED6E25FC-80EE-40be-9B1E-DD6B8FB55922}.exe
Token: SeIncBasePriorityPrivilege	1608	{3CBBE029-78F3-4e34-A284-44A6CEF4C51C}.exe
Token: SeIncBasePriorityPrivilege	1848	{46F24870-291F-4eb1-87D2-3CB859CE8F27}.exe
Token: SeIncBasePriorityPrivilege	1696	{2DC202E2-61AE-4c8f-A5BB-5502B992B249}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2680	2976	2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe	28
PID 2976 wrote to memory of 2680	2976	2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe	28
PID 2976 wrote to memory of 2680	2976	2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe	28
PID 2976 wrote to memory of 2680	2976	2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe	28
PID 2976 wrote to memory of 2784	2976	2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe	29
PID 2976 wrote to memory of 2784	2976	2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe	29
PID 2976 wrote to memory of 2784	2976	2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe	29
PID 2976 wrote to memory of 2784	2976	2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe	29
PID 2680 wrote to memory of 2580	2680	{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe	30
PID 2680 wrote to memory of 2580	2680	{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe	30
PID 2680 wrote to memory of 2580	2680	{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe	30
PID 2680 wrote to memory of 2580	2680	{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe	30
PID 2680 wrote to memory of 2732	2680	{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe	31
PID 2680 wrote to memory of 2732	2680	{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe	31
PID 2680 wrote to memory of 2732	2680	{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe	31
PID 2680 wrote to memory of 2732	2680	{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe	31
PID 2580 wrote to memory of 2488	2580	{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe	34
PID 2580 wrote to memory of 2488	2580	{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe	34
PID 2580 wrote to memory of 2488	2580	{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe	34
PID 2580 wrote to memory of 2488	2580	{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe	34
PID 2580 wrote to memory of 2428	2580	{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe	35
PID 2580 wrote to memory of 2428	2580	{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe	35
PID 2580 wrote to memory of 2428	2580	{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe	35
PID 2580 wrote to memory of 2428	2580	{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe	35
PID 2488 wrote to memory of 524	2488	{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe	36
PID 2488 wrote to memory of 524	2488	{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe	36
PID 2488 wrote to memory of 524	2488	{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe	36
PID 2488 wrote to memory of 524	2488	{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe	36
PID 2488 wrote to memory of 2960	2488	{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe	37
PID 2488 wrote to memory of 2960	2488	{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe	37
PID 2488 wrote to memory of 2960	2488	{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe	37
PID 2488 wrote to memory of 2960	2488	{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe	37
PID 524 wrote to memory of 2908	524	{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe	38
PID 524 wrote to memory of 2908	524	{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe	38
PID 524 wrote to memory of 2908	524	{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe	38
PID 524 wrote to memory of 2908	524	{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe	38
PID 524 wrote to memory of 564	524	{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe	39
PID 524 wrote to memory of 564	524	{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe	39
PID 524 wrote to memory of 564	524	{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe	39
PID 524 wrote to memory of 564	524	{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe	39
PID 2908 wrote to memory of 1956	2908	{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe	40
PID 2908 wrote to memory of 1956	2908	{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe	40
PID 2908 wrote to memory of 1956	2908	{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe	40
PID 2908 wrote to memory of 1956	2908	{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe	40
PID 2908 wrote to memory of 2020	2908	{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe	41
PID 2908 wrote to memory of 2020	2908	{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe	41
PID 2908 wrote to memory of 2020	2908	{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe	41
PID 2908 wrote to memory of 2020	2908	{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe	41
PID 1956 wrote to memory of 2016	1956	{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe	42
PID 1956 wrote to memory of 2016	1956	{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe	42
PID 1956 wrote to memory of 2016	1956	{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe	42
PID 1956 wrote to memory of 2016	1956	{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe	42
PID 1956 wrote to memory of 1692	1956	{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe	43
PID 1956 wrote to memory of 1692	1956	{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe	43
PID 1956 wrote to memory of 1692	1956	{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe	43
PID 1956 wrote to memory of 1692	1956	{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe	43
PID 2016 wrote to memory of 2864	2016	{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe	44
PID 2016 wrote to memory of 2864	2016	{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe	44
PID 2016 wrote to memory of 2864	2016	{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe	44
PID 2016 wrote to memory of 2864	2016	{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe	44
PID 2016 wrote to memory of 2876	2016	{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe	45
PID 2016 wrote to memory of 2876	2016	{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe	45
PID 2016 wrote to memory of 2876	2016	{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe	45
PID 2016 wrote to memory of 2876	2016	{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_9022259a9a557ca9471301f0225ac924_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe
  C:\Windows\{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe
    C:\Windows\{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe
      C:\Windows\{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe
        
        C:\Windows\{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:524
      - C:\Windows\{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe
        
        C:\Windows\{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe
        
        C:\Windows\{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe
        
        C:\Windows\{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\{ED6E25FC-80EE-40be-9B1E-DD6B8FB55922}.exe
        
        C:\Windows\{ED6E25FC-80EE-40be-9B1E-DD6B8FB55922}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\{3CBBE029-78F3-4e34-A284-44A6CEF4C51C}.exe
        
        C:\Windows\{3CBBE029-78F3-4e34-A284-44A6CEF4C51C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\{46F24870-291F-4eb1-87D2-3CB859CE8F27}.exe
        
        C:\Windows\{46F24870-291F-4eb1-87D2-3CB859CE8F27}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\{2DC202E2-61AE-4c8f-A5BB-5502B992B249}.exe
        
        C:\Windows\{2DC202E2-61AE-4c8f-A5BB-5502B992B249}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\{C4811684-4563-49a4-83F2-179AA8FE0C00}.exe
        
        C:\Windows\{C4811684-4563-49a4-83F2-179AA8FE0C00}.exe
        13⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DC20~1.EXE > nul
        13⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46F24~1.EXE > nul
        12⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CBBE~1.EXE > nul
        11⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED6E2~1.EXE > nul
        10⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE121~1.EXE > nul
        9⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D39F~1.EXE > nul
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D842A~1.EXE > nul
        7⤵
        
        PID:2020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BDE0~1.EXE > nul
        6⤵
        
        PID:564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98894~1.EXE > nul
        5⤵
        
        PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D6EED~1.EXE > nul
      4⤵
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{95E79~1.EXE > nul
    3⤵
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2DC202E2-61AE-4c8f-A5BB-5502B992B249}.exe

Filesize
408KB

MD5
00b5e3d7ef24e6fbc569ff72d60b9c3b

SHA1
b9fbb838aeb10b4a5ed5f331790bb23990de3f15

SHA256
b2cd2ce9c67dfa089e19aaf04f3f1dea2c3f83ac60310f49ee3a5a725344f13a

SHA512
a109996b80065131a45a0629329631587212cad31425f2221fb827397b0778bfc841b1a688f20834bd3d4df358bc6a0b7dca45aae6adba2ac20f539438a45744

Download Submit
C:\Windows\{3CBBE029-78F3-4e34-A284-44A6CEF4C51C}.exe

Filesize
408KB

MD5
07dae189cc7247185a8ff7bd4e5555b7

SHA1
a4d0f7f35524c834e06f1364988fc0359b3abcd7

SHA256
b403d873c5ae4243a857b749c78003a37b56c228f493c6483bb95d41af51c9ac

SHA512
368070014e0b3920059775d5ceff6b94668f44131fff005891ed7c200234f21cc7dfaf89e9d9135d7b261c4aa9b343f3586e3de3cf03de988f9a4abe2cf2b967

Download Submit
C:\Windows\{46F24870-291F-4eb1-87D2-3CB859CE8F27}.exe

Filesize
408KB

MD5
479272a0e255f420c20ab4d3bf95b88b

SHA1
7d3bac5b6f99c4c327b8e9804d7ca5c6164bf1b8

SHA256
5ea378fc2d0b993025e149fd930cf38b56e4c5043d48b0ed13c5f00e1272bba2

SHA512
a6553abd0f632a7f611e22fa9f77ed252ea7019306507a0a8f37bced5cb8b5b65dbde9fc0484c7f1f5ddb4a726211db3e74e79ab496f1fddb98cfa6df7a47dd1

Download Submit
C:\Windows\{4BDE0A6B-9CE4-43ee-82A3-3024F6F09B0F}.exe

Filesize
408KB

MD5
fd5abc338966f8dad974c4736a849017

SHA1
c177e172502af2010edab1a2533d5a2aa6e4ce75

SHA256
975eaf2cc53b182f654bc8aaa0def7cc791d2a089982dac452703dd0cb94560c

SHA512
2a4d313f981a4d4aba348ae3935cca7aad044186141587446327c169b45da5e64a9d16857dea53625abdf86e866717846e862c1f291049e7bbcab0b02f0ca7dc

Download Submit
C:\Windows\{5D39FE4C-850B-426d-8AA1-557D6FB16C83}.exe

Filesize
408KB

MD5
8810e4c0da97b2475e481fa92db5fc90

SHA1
5dccd61fd3e46f9fa1c197289458ca4ff4f9581a

SHA256
aba03818f30c9c9a40c33431f858995399760ce8eb13c3d2d77eb7fcef6d5c8e

SHA512
f41e2fccc32e27f9fb54c1182b7b343e5bb395364f0f7081d1c6985bb6c43ba44ddb19599de7601bbde136e8f996537fab7852b47e2574188cbc4ae5faa4481f

Download Submit
C:\Windows\{95E79050-9639-4aab-A37F-3D07D2F6E8B8}.exe

Filesize
408KB

MD5
57d51791e797e82b82d15988a37626d5

SHA1
bb05a46132c20597c75f266485ad373a47ee40f8

SHA256
abb2ccf4d128a3905ee1ccf0a7c7c00b817a28e07f37dd47b4364bc7b58fb5fd

SHA512
46baebe1ce1256efe078f91deca3ae529780bba367cdb3f0e194db27d3b04272f71ef93f7abf69438bdd6dd48bf963223de5cbd6ec679036a38415c5b2f72efc

Download Submit
C:\Windows\{988944BA-7C7D-4cc6-89C5-ACA075F7B648}.exe

Filesize
408KB

MD5
3c55eb2112ffe4325fe99b4c29896620

SHA1
259282cdb4e6d0f79cf95b099879965482a8720e

SHA256
cddfd0a0712adfd80c7430998b3b6d85d4bd251351a436b6783854ef3047447f

SHA512
204f4253420420565d6d88a572e2adec4d96ac830cdbcfda76195e963c6ecb80ab5139013a88f9df9c1ecd07b543b21a11b338b7f6194fa1084d7b90c3ea3393

Download Submit
C:\Windows\{AE121CB6-36E2-4401-91FD-57E7B1981344}.exe

Filesize
408KB

MD5
190106a963f332f3b134be905c37782c

SHA1
152f5ed5c804a1b082efd35207a63989644d7933

SHA256
cb745f7a9f01de871446fb0f24e484e0dc868a13e0e49dd949b1cc606c91ce29

SHA512
3dc97329729016acd9ec2128fceb901047d6e94e4f7f6356fa6d1a84a6dda5f015db807a5812c86077a7c0ed3409c142c8c4cb7d526bde59487cf1e036180d89

Download Submit
C:\Windows\{C4811684-4563-49a4-83F2-179AA8FE0C00}.exe

Filesize
408KB

MD5
97dfb7805c758867841cb05341317fc4

SHA1
f316403f9cedc8dfeea4bee02136783a373db357

SHA256
2b467421f50adce6c7cbca0cfa22208bd062e8bb76243d101bcb933db56bd44d

SHA512
61ffba4dd5009b242947b1a79de97dba010a206a0a81c76f0d9d9aacfdf4981aee0e2dfc40362177e25715536b72ada16d18f13a18348ae4c3da5c0afd5f8dab

Download Submit
C:\Windows\{D6EED744-0678-444d-8BE4-2A02BCABB139}.exe

Filesize
408KB

MD5
7b402e6c265a8afd01e6fc66f93f97c2

SHA1
4b867539d0a5ee1ab9ff12c067fb96912adc3ce6

SHA256
f03fbf092387772f332ea6a43cbcf89e72fe93193749a0ac263008360f32d79d

SHA512
ff800b387b297ed8fe2427bf9da7ef72dc3f75aa08669fdc50d80369ff5e78e2305d0b0be117812293495a25080fd1de071a59b670e3695edb19f4106eb50bb2

Download Submit
C:\Windows\{D842AC5F-249E-48fa-B9E6-B2C49DB076F8}.exe

Filesize
408KB

MD5
f2f6ee67afdcfa8caa70f2fba3bd3158

SHA1
b952732b8605115046cc3678561380d6af89aa5e

SHA256
364cda0c43c969485c0bf4cf72d1476baa0f365935b501ac26be3117297b0638

SHA512
59e618073f2a5b5aa2850c6486a4621759e1827bd9172cc11c1f867abca90e5f03b8bff6749e730fdf4b94ed4d30993a69b096bbebe2789590e992fc4d4a090a

Download Submit
C:\Windows\{ED6E25FC-80EE-40be-9B1E-DD6B8FB55922}.exe

Filesize
408KB

MD5
220235cedd5e984e1376c63118cff154

SHA1
fa07cb87a32ba6c9b40414a98b84582aef9aeb86

SHA256
6d905e1e593ed96d77258c47be288f8f6f20b78454cf190facda145e6ce94339

SHA512
15c34d30cc58814b1737913db0f3688bae0a38e3f40bd0a3ed12ce8e3335bd359d9c0d1def77b99036910f23aca11c40e8cbb2161edd5e83a4970770cd5f136c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads