491c5eb2efe35e6a0fa840b2e919f3fbb6654465c57e6f763c3f4d688a2c279a

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 12:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe
Size

408KB
MD5

a2fb72ace11abef6a1d5371f4ae710c9
SHA1

32b060e6de11bc2dc4ec1cd174052c32a8dbbc7f
SHA256

491c5eb2efe35e6a0fa840b2e919f3fbb6654465c57e6f763c3f4d688a2c279a
SHA512

18fc70c53a68bbee7be6ca31752993350da42f51f0775e36ca349aabc94c7dbdc51c7e771d6a229e5136849a1456eeafb484825eaf7042e71066e23455bb4c50
SSDEEP

3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG7ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}\stubpath = "C:\\Windows\\{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe"	{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{651754B8-6958-49a3-A358-86DEA73BE95C}\stubpath = "C:\\Windows\\{651754B8-6958-49a3-A358-86DEA73BE95C}.exe"	{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF3D068D-2937-402f-8604-7C43EA9AF1A2}\stubpath = "C:\\Windows\\{BF3D068D-2937-402f-8604-7C43EA9AF1A2}.exe"	{4032E864-0B6F-4dc1-B73A-467BFA9816C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D91BF1E6-D492-4700-B618-F39C5B7A3681}	{4E35346C-210F-4d39-89CD-FB82607409FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D91BF1E6-D492-4700-B618-F39C5B7A3681}\stubpath = "C:\\Windows\\{D91BF1E6-D492-4700-B618-F39C5B7A3681}.exe"	{4E35346C-210F-4d39-89CD-FB82607409FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4032E864-0B6F-4dc1-B73A-467BFA9816C3}	{D91BF1E6-D492-4700-B618-F39C5B7A3681}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5895BC1-AD76-46a5-92EF-A107DD08AE3D}	{BF3D068D-2937-402f-8604-7C43EA9AF1A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71BE1797-3843-41e9-B53D-72F231B09DE7}\stubpath = "C:\\Windows\\{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe"	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ADA7AD5-4263-449c-9144-FF976AF17557}\stubpath = "C:\\Windows\\{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe"	{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}\stubpath = "C:\\Windows\\{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe"	{651754B8-6958-49a3-A358-86DEA73BE95C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}	{651754B8-6958-49a3-A358-86DEA73BE95C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}	{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5895BC1-AD76-46a5-92EF-A107DD08AE3D}\stubpath = "C:\\Windows\\{A5895BC1-AD76-46a5-92EF-A107DD08AE3D}.exe"	{BF3D068D-2937-402f-8604-7C43EA9AF1A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71BE1797-3843-41e9-B53D-72F231B09DE7}	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}	{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ADA7AD5-4263-449c-9144-FF976AF17557}	{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E35346C-210F-4d39-89CD-FB82607409FB}\stubpath = "C:\\Windows\\{4E35346C-210F-4d39-89CD-FB82607409FB}.exe"	{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4032E864-0B6F-4dc1-B73A-467BFA9816C3}\stubpath = "C:\\Windows\\{4032E864-0B6F-4dc1-B73A-467BFA9816C3}.exe"	{D91BF1E6-D492-4700-B618-F39C5B7A3681}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF3D068D-2937-402f-8604-7C43EA9AF1A2}	{4032E864-0B6F-4dc1-B73A-467BFA9816C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{651754B8-6958-49a3-A358-86DEA73BE95C}	{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}\stubpath = "C:\\Windows\\{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe"	{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E35346C-210F-4d39-89CD-FB82607409FB}	{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe

Deletes itself 1 IoCs

pid	Process
1736	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2528	{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe
2800	{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe
2904	{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe
2916	{651754B8-6958-49a3-A358-86DEA73BE95C}.exe
2976	{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe
2844	{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe
304	{4E35346C-210F-4d39-89CD-FB82607409FB}.exe
2948	{D91BF1E6-D492-4700-B618-F39C5B7A3681}.exe
1764	{4032E864-0B6F-4dc1-B73A-467BFA9816C3}.exe
3064	{BF3D068D-2937-402f-8604-7C43EA9AF1A2}.exe
1096	{A5895BC1-AD76-46a5-92EF-A107DD08AE3D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe	{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe
File created	C:\Windows\{D91BF1E6-D492-4700-B618-F39C5B7A3681}.exe	{4E35346C-210F-4d39-89CD-FB82607409FB}.exe
File created	C:\Windows\{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe
File created	C:\Windows\{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe	{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe
File created	C:\Windows\{651754B8-6958-49a3-A358-86DEA73BE95C}.exe	{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe
File created	C:\Windows\{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe	{651754B8-6958-49a3-A358-86DEA73BE95C}.exe
File created	C:\Windows\{4E35346C-210F-4d39-89CD-FB82607409FB}.exe	{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe
File created	C:\Windows\{4032E864-0B6F-4dc1-B73A-467BFA9816C3}.exe	{D91BF1E6-D492-4700-B618-F39C5B7A3681}.exe
File created	C:\Windows\{BF3D068D-2937-402f-8604-7C43EA9AF1A2}.exe	{4032E864-0B6F-4dc1-B73A-467BFA9816C3}.exe
File created	C:\Windows\{A5895BC1-AD76-46a5-92EF-A107DD08AE3D}.exe	{BF3D068D-2937-402f-8604-7C43EA9AF1A2}.exe
File created	C:\Windows\{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe	{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1644	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2528	{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe
Token: SeIncBasePriorityPrivilege	2800	{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe
Token: SeIncBasePriorityPrivilege	2904	{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe
Token: SeIncBasePriorityPrivilege	2916	{651754B8-6958-49a3-A358-86DEA73BE95C}.exe
Token: SeIncBasePriorityPrivilege	2976	{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe
Token: SeIncBasePriorityPrivilege	2844	{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe
Token: SeIncBasePriorityPrivilege	304	{4E35346C-210F-4d39-89CD-FB82607409FB}.exe
Token: SeIncBasePriorityPrivilege	2948	{D91BF1E6-D492-4700-B618-F39C5B7A3681}.exe
Token: SeIncBasePriorityPrivilege	1764	{4032E864-0B6F-4dc1-B73A-467BFA9816C3}.exe
Token: SeIncBasePriorityPrivilege	3064	{BF3D068D-2937-402f-8604-7C43EA9AF1A2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2528	1644	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe	28
PID 1644 wrote to memory of 2528	1644	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe	28
PID 1644 wrote to memory of 2528	1644	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe	28
PID 1644 wrote to memory of 2528	1644	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe	28
PID 1644 wrote to memory of 1736	1644	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe	29
PID 1644 wrote to memory of 1736	1644	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe	29
PID 1644 wrote to memory of 1736	1644	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe	29
PID 1644 wrote to memory of 1736	1644	2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe	29
PID 2528 wrote to memory of 2800	2528	{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe	30
PID 2528 wrote to memory of 2800	2528	{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe	30
PID 2528 wrote to memory of 2800	2528	{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe	30
PID 2528 wrote to memory of 2800	2528	{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe	30
PID 2528 wrote to memory of 2884	2528	{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe	31
PID 2528 wrote to memory of 2884	2528	{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe	31
PID 2528 wrote to memory of 2884	2528	{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe	31
PID 2528 wrote to memory of 2884	2528	{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe	31
PID 2800 wrote to memory of 2904	2800	{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe	32
PID 2800 wrote to memory of 2904	2800	{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe	32
PID 2800 wrote to memory of 2904	2800	{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe	32
PID 2800 wrote to memory of 2904	2800	{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe	32
PID 2800 wrote to memory of 2632	2800	{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe	33
PID 2800 wrote to memory of 2632	2800	{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe	33
PID 2800 wrote to memory of 2632	2800	{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe	33
PID 2800 wrote to memory of 2632	2800	{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe	33
PID 2904 wrote to memory of 2916	2904	{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe	36
PID 2904 wrote to memory of 2916	2904	{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe	36
PID 2904 wrote to memory of 2916	2904	{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe	36
PID 2904 wrote to memory of 2916	2904	{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe	36
PID 2904 wrote to memory of 2764	2904	{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe	37
PID 2904 wrote to memory of 2764	2904	{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe	37
PID 2904 wrote to memory of 2764	2904	{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe	37
PID 2904 wrote to memory of 2764	2904	{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe	37
PID 2916 wrote to memory of 2976	2916	{651754B8-6958-49a3-A358-86DEA73BE95C}.exe	38
PID 2916 wrote to memory of 2976	2916	{651754B8-6958-49a3-A358-86DEA73BE95C}.exe	38
PID 2916 wrote to memory of 2976	2916	{651754B8-6958-49a3-A358-86DEA73BE95C}.exe	38
PID 2916 wrote to memory of 2976	2916	{651754B8-6958-49a3-A358-86DEA73BE95C}.exe	38
PID 2916 wrote to memory of 3008	2916	{651754B8-6958-49a3-A358-86DEA73BE95C}.exe	39
PID 2916 wrote to memory of 3008	2916	{651754B8-6958-49a3-A358-86DEA73BE95C}.exe	39
PID 2916 wrote to memory of 3008	2916	{651754B8-6958-49a3-A358-86DEA73BE95C}.exe	39
PID 2916 wrote to memory of 3008	2916	{651754B8-6958-49a3-A358-86DEA73BE95C}.exe	39
PID 2976 wrote to memory of 2844	2976	{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe	40
PID 2976 wrote to memory of 2844	2976	{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe	40
PID 2976 wrote to memory of 2844	2976	{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe	40
PID 2976 wrote to memory of 2844	2976	{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe	40
PID 2976 wrote to memory of 2324	2976	{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe	41
PID 2976 wrote to memory of 2324	2976	{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe	41
PID 2976 wrote to memory of 2324	2976	{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe	41
PID 2976 wrote to memory of 2324	2976	{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe	41
PID 2844 wrote to memory of 304	2844	{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe	42
PID 2844 wrote to memory of 304	2844	{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe	42
PID 2844 wrote to memory of 304	2844	{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe	42
PID 2844 wrote to memory of 304	2844	{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe	42
PID 2844 wrote to memory of 1016	2844	{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe	43
PID 2844 wrote to memory of 1016	2844	{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe	43
PID 2844 wrote to memory of 1016	2844	{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe	43
PID 2844 wrote to memory of 1016	2844	{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe	43
PID 304 wrote to memory of 2948	304	{4E35346C-210F-4d39-89CD-FB82607409FB}.exe	45
PID 304 wrote to memory of 2948	304	{4E35346C-210F-4d39-89CD-FB82607409FB}.exe	45
PID 304 wrote to memory of 2948	304	{4E35346C-210F-4d39-89CD-FB82607409FB}.exe	45
PID 304 wrote to memory of 2948	304	{4E35346C-210F-4d39-89CD-FB82607409FB}.exe	45
PID 304 wrote to memory of 320	304	{4E35346C-210F-4d39-89CD-FB82607409FB}.exe	44
PID 304 wrote to memory of 320	304	{4E35346C-210F-4d39-89CD-FB82607409FB}.exe	44
PID 304 wrote to memory of 320	304	{4E35346C-210F-4d39-89CD-FB82607409FB}.exe	44
PID 304 wrote to memory of 320	304	{4E35346C-210F-4d39-89CD-FB82607409FB}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_a2fb72ace11abef6a1d5371f4ae710c9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe
  C:\Windows\{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe
    C:\Windows\{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe
      C:\Windows\{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\{651754B8-6958-49a3-A358-86DEA73BE95C}.exe
        
        C:\Windows\{651754B8-6958-49a3-A358-86DEA73BE95C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe
        
        C:\Windows\{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe
        
        C:\Windows\{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\{4E35346C-210F-4d39-89CD-FB82607409FB}.exe
        
        C:\Windows\{4E35346C-210F-4d39-89CD-FB82607409FB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E353~1.EXE > nul
        9⤵
        
        PID:320
        
        C:\Windows\{D91BF1E6-D492-4700-B618-F39C5B7A3681}.exe
        
        C:\Windows\{D91BF1E6-D492-4700-B618-F39C5B7A3681}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\{4032E864-0B6F-4dc1-B73A-467BFA9816C3}.exe
        
        C:\Windows\{4032E864-0B6F-4dc1-B73A-467BFA9816C3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4032E~1.EXE > nul
        11⤵
        
        PID:1808
        
        C:\Windows\{BF3D068D-2937-402f-8604-7C43EA9AF1A2}.exe
        
        C:\Windows\{BF3D068D-2937-402f-8604-7C43EA9AF1A2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF3D0~1.EXE > nul
        12⤵
        
        PID:592
        
        C:\Windows\{A5895BC1-AD76-46a5-92EF-A107DD08AE3D}.exe
        
        C:\Windows\{A5895BC1-AD76-46a5-92EF-A107DD08AE3D}.exe
        12⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D91BF~1.EXE > nul
        10⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CDA1~1.EXE > nul
        8⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16655~1.EXE > nul
        7⤵
        
        PID:2324
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65175~1.EXE > nul
        6⤵
        
        PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1ADA7~1.EXE > nul
        5⤵
        
        PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{66624~1.EXE > nul
      4⤵
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{71BE1~1.EXE > nul
    3⤵
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16655BE2-8BEC-4f53-992A-8A3EA7D6636D}.exe

Filesize
408KB

MD5
c050edc232ba81e4df816a2817a4f386

SHA1
a2806207627dea3da3426e4097fd8bd0f307772f

SHA256
38dba4b72d92878f000cdc543cd1edba9c9a0bcfcd3265124ed54cb096e33b5d

SHA512
b7569c8625945d68867ffddfda6f9967ff78f543bc20ce6a374c462f4917e0cd7fd7960677ff2e1afb3b884dd62ad76a9c74e7ca076e3cbb38d46ab1e67a07b3

Download Submit
C:\Windows\{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe

Filesize
408KB

MD5
f5cc5f99697ea112d99a2d73945ec75f

SHA1
d3de4852e91aa6960df1559f0fcc2bf6f95acc09

SHA256
07dc3c9ae6547763344e93473257b44e2e78e0990f7cc3a3d94fb075104ff4a3

SHA512
e2d5931971ed95258064eda820697af4926aaba8a4e2528bb01d2eef6473e9c3704c54d978272629c06c88bdfeea5f102a9a5ad88463aa023f8ba35ce9aa3aa5

Download Submit
C:\Windows\{1ADA7AD5-4263-449c-9144-FF976AF17557}.exe

Filesize
45KB

MD5
f806f38835e3fe3bfcadd99c68766d88

SHA1
bd1e1eca2cb808c44831b550df3ec0bd12e8585a

SHA256
23b1fec9eadc2abbb6292bc3667f17ca366f4672e519632228027dc87bd591fd

SHA512
79ab62f32eb8839921ebc47ed373762a03ff09403bb5106ccf1f8bd1e6137d153dd9b7cce3fd7d2145bff9db6d5ff2dc8b25f568dc1e1544d3c2910d2fa9a526

Download Submit
C:\Windows\{4032E864-0B6F-4dc1-B73A-467BFA9816C3}.exe

Filesize
408KB

MD5
b1548b1373251069059eab556030b362

SHA1
cd9d54a0683513a6a95e33ab09ca9c18d2a99b80

SHA256
e9e0910d8958717823764dd15cb7302ff56a3c4c447f7234e82a4ef15f257ee1

SHA512
378a725d8033eb29aad9f8fac2f548532f9485fb14ed977c6f0986f51f96bb8def547ab18b45c1c27e4e913f5acae53bfeb548c21f86747c7440a9a1d9691cd3

Download Submit
C:\Windows\{651754B8-6958-49a3-A358-86DEA73BE95C}.exe

Filesize
408KB

MD5
931e4c86a9322d63f6ae6f40b8bb964c

SHA1
b9b15b9d9082f1a1aa29c7f22fb0f0eb4320e801

SHA256
a4003c9d4e4e73331b98d069113b1706517d35047866147696563ea782e989b7

SHA512
c189fa5b8179353e56c50fd34544b7b6280441140d4651ff130a83cc457f6f98e71c740d3f221ec24aa81cd831b0199d12d72e8be6715f15eb48685e3a0f62dd

Download Submit
C:\Windows\{666240DA-6E09-4e9e-ABE7-5ABA3010B5BC}.exe

Filesize
408KB

MD5
e52683b31cb926c8e63bd7d247ee57ad

SHA1
ca8e3f1a8ce842561040cc4ab497f3cb019464f1

SHA256
30f439109f89e2fc010843d3e5ff8e11dbfd508cc7d268cda5e6af2c29e26b4a

SHA512
174c529fa63ed89bcd8dc98b775219a93e28e679d8d047e1910df660671c035a93fee21b663389ba6b7135a6fee3f3fc8073917780a383a6917c099aa5785d48

Download Submit
C:\Windows\{6CDA1696-1F55-42ed-A64A-35DE9C78DE61}.exe

Filesize
408KB

MD5
269e71e055054537ad1846a353927b21

SHA1
ae3de919dfe9f81856ac22a4a9b396a6bdb964aa

SHA256
363e193731fb1fe19200534e1ed51ddda0c6c6f16cc7eff60a2fc813c2292b7b

SHA512
e1c095f7c93ef36017a51fa2a63b320237762de34b889449ae3bbe5576f8904f082e9768ddc24f001c1a87e8249f422561e0632068c9bf2cb3b92bf2d71b488d

Download Submit
C:\Windows\{71BE1797-3843-41e9-B53D-72F231B09DE7}.exe

Filesize
408KB

MD5
700eb3aca2076c10f777b58fb556f52b

SHA1
d2349dc8f439b17a1f60c85f3fbc99fd1b83f63a

SHA256
1b0b4c44d2260afceb2b154f86182a12f63c7ad9d505f6d893c2c0ab2e775e24

SHA512
e1c25e93fa042215bedd8c2411224a496925796d5847124bcc6f1c95a9e593e07d9dc0ba39f082de0fa41a807524be5f7192d17d619bcb13dffef391224587a8

Download Submit
C:\Windows\{A5895BC1-AD76-46a5-92EF-A107DD08AE3D}.exe

Filesize
408KB

MD5
a034bd45689465c95f7f9be10d004496

SHA1
7fb790f8e4b2468bd48554939cb00890f3526712

SHA256
26f0fb09c58a18dc6a75f13a6190a4580ed38b112fcc91531c25e929bab8755e

SHA512
626e9f9fc87af4068392d1b0778dda832f9ad6de20b431969c29fef41e5730156ad94083ffed6ff8951f6d10996ef63997cea80b536ef9b929ca3dc650b5d818

Download Submit
C:\Windows\{BF3D068D-2937-402f-8604-7C43EA9AF1A2}.exe

Filesize
408KB

MD5
58c7371ce6ceab86747d2aa51663c50e

SHA1
b14c65a5c1daf24a1b978e797f1e025ba3857228

SHA256
fbb2d161b4fa769aa9f299624ac423a6eed31327d624fac425fff39f08959005

SHA512
48d303c87bc5a9837491d7c48af6e6c947f3437584d136e0e74cfe27ce32e919eb320ca5b3d7515fd0be4c68f3ce7f4f404993f81bcc47c7e50264b493c57063

Download Submit
C:\Windows\{D91BF1E6-D492-4700-B618-F39C5B7A3681}.exe

Filesize
408KB

MD5
556533dc43cfe5c94ca98066159e1370

SHA1
6dd0fc6335237aebab5d5d74860479f461ca14d2

SHA256
ffddca4ce816f65156d05dfd73f93ddab5692dd42708297dd6a484f4c16775da

SHA512
3bf129349acc0cdeb265e9273a793d6acefbc2cad941159262017ab8af42da1ad8fa0450a168d0351244c00b3bde496aabdf42805d722ea0125fabe2bbf39fe9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads