2ad843e71b1266755649879ef93b882292dd4e3ce8509ce01daaa8e7790b01ed

Analysis

max time kernel
138s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_b0fda38a27f54302777e961897fddf66_goldeneye.exe
Size

344KB
MD5

b0fda38a27f54302777e961897fddf66
SHA1

cecf15fbbd8c38ac8e0933af874ca867f3f9446e
SHA256

2ad843e71b1266755649879ef93b882292dd4e3ce8509ce01daaa8e7790b01ed
SHA512

1fd8a528f224ed0a59f4647bad78561e7773fa1c146e08781a4766661f03c9dd4bd95a8c8d10f6b97ed169cf377e52f681cb9f731e2d1f7d3363d15f59dd1e7d
SSDEEP

3072:mEGh0otlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG3lqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}	{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E392A66-E462-4115-9685-C258A17DD245}	{83AD5B85-61B9-4452-861E-386675A1F89B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E392A66-E462-4115-9685-C258A17DD245}\stubpath = "C:\\Windows\\{8E392A66-E462-4115-9685-C258A17DD245}.exe"	{83AD5B85-61B9-4452-861E-386675A1F89B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6CCC524-D550-42f9-A537-16669897672A}	{8E392A66-E462-4115-9685-C258A17DD245}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E89A8805-9B19-4f6d-BA28-0BE4F64736D8}	{83AA7953-B4A9-4fcd-8406-34E49792F3E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}	2024-01-06_b0fda38a27f54302777e961897fddf66_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6899478A-470C-43ed-9FED-C62E9E0F9326}\stubpath = "C:\\Windows\\{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe"	{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0440BF71-A753-490f-BA62-15F1FF968373}\stubpath = "C:\\Windows\\{0440BF71-A753-490f-BA62-15F1FF968373}.exe"	{C6CCC524-D550-42f9-A537-16669897672A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83AA7953-B4A9-4fcd-8406-34E49792F3E4}	{0440BF71-A753-490f-BA62-15F1FF968373}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}\stubpath = "C:\\Windows\\{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe"	2024-01-06_b0fda38a27f54302777e961897fddf66_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6CCC524-D550-42f9-A537-16669897672A}\stubpath = "C:\\Windows\\{C6CCC524-D550-42f9-A537-16669897672A}.exe"	{8E392A66-E462-4115-9685-C258A17DD245}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83AA7953-B4A9-4fcd-8406-34E49792F3E4}\stubpath = "C:\\Windows\\{83AA7953-B4A9-4fcd-8406-34E49792F3E4}.exe"	{0440BF71-A753-490f-BA62-15F1FF968373}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}	{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}\stubpath = "C:\\Windows\\{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe"	{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{792716DE-6108-40ee-9234-A7460E18094E}	{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{792716DE-6108-40ee-9234-A7460E18094E}\stubpath = "C:\\Windows\\{792716DE-6108-40ee-9234-A7460E18094E}.exe"	{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83AD5B85-61B9-4452-861E-386675A1F89B}	{792716DE-6108-40ee-9234-A7460E18094E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83AD5B85-61B9-4452-861E-386675A1F89B}\stubpath = "C:\\Windows\\{83AD5B85-61B9-4452-861E-386675A1F89B}.exe"	{792716DE-6108-40ee-9234-A7460E18094E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0440BF71-A753-490f-BA62-15F1FF968373}	{C6CCC524-D550-42f9-A537-16669897672A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E89A8805-9B19-4f6d-BA28-0BE4F64736D8}\stubpath = "C:\\Windows\\{E89A8805-9B19-4f6d-BA28-0BE4F64736D8}.exe"	{83AA7953-B4A9-4fcd-8406-34E49792F3E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}\stubpath = "C:\\Windows\\{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe"	{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6899478A-470C-43ed-9FED-C62E9E0F9326}	{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1308	{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe
2772	{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe
2800	{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe
1156	{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe
3056	{792716DE-6108-40ee-9234-A7460E18094E}.exe
2008	{83AD5B85-61B9-4452-861E-386675A1F89B}.exe
2680	{8E392A66-E462-4115-9685-C258A17DD245}.exe
1996	{C6CCC524-D550-42f9-A537-16669897672A}.exe
2120	{0440BF71-A753-490f-BA62-15F1FF968373}.exe
3008	{83AA7953-B4A9-4fcd-8406-34E49792F3E4}.exe
1036	{E89A8805-9B19-4f6d-BA28-0BE4F64736D8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe	2024-01-06_b0fda38a27f54302777e961897fddf66_goldeneye.exe
File created	C:\Windows\{8E392A66-E462-4115-9685-C258A17DD245}.exe	{83AD5B85-61B9-4452-861E-386675A1F89B}.exe
File created	C:\Windows\{C6CCC524-D550-42f9-A537-16669897672A}.exe	{8E392A66-E462-4115-9685-C258A17DD245}.exe
File created	C:\Windows\{0440BF71-A753-490f-BA62-15F1FF968373}.exe	{C6CCC524-D550-42f9-A537-16669897672A}.exe
File created	C:\Windows\{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe	{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe
File created	C:\Windows\{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe	{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe
File created	C:\Windows\{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe	{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe
File created	C:\Windows\{792716DE-6108-40ee-9234-A7460E18094E}.exe	{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe
File created	C:\Windows\{83AD5B85-61B9-4452-861E-386675A1F89B}.exe	{792716DE-6108-40ee-9234-A7460E18094E}.exe
File created	C:\Windows\{83AA7953-B4A9-4fcd-8406-34E49792F3E4}.exe	{0440BF71-A753-490f-BA62-15F1FF968373}.exe
File created	C:\Windows\{E89A8805-9B19-4f6d-BA28-0BE4F64736D8}.exe	{83AA7953-B4A9-4fcd-8406-34E49792F3E4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2236	2024-01-06_b0fda38a27f54302777e961897fddf66_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1308	{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe
Token: SeIncBasePriorityPrivilege	2772	{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe
Token: SeIncBasePriorityPrivilege	2800	{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe
Token: SeIncBasePriorityPrivilege	1156	{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe
Token: SeIncBasePriorityPrivilege	3056	{792716DE-6108-40ee-9234-A7460E18094E}.exe
Token: SeIncBasePriorityPrivilege	2008	{83AD5B85-61B9-4452-861E-386675A1F89B}.exe
Token: SeIncBasePriorityPrivilege	2680	{8E392A66-E462-4115-9685-C258A17DD245}.exe
Token: SeIncBasePriorityPrivilege	1996	{C6CCC524-D550-42f9-A537-16669897672A}.exe
Token: SeIncBasePriorityPrivilege	2120	{0440BF71-A753-490f-BA62-15F1FF968373}.exe
Token: SeIncBasePriorityPrivilege	3008	{83AA7953-B4A9-4fcd-8406-34E49792F3E4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1308	2236	2024-01-06_b0fda38a27f54302777e961897fddf66_goldeneye.exe	28
PID 2236 wrote to memory of 1308	2236	2024-01-06_b0fda38a27f54302777e961897fddf66_goldeneye.exe	28
PID 2236 wrote to memory of 1308	2236	2024-01-06_b0fda38a27f54302777e961897fddf66_goldeneye.exe	28
PID 2236 wrote to memory of 1308	2236	2024-01-06_b0fda38a27f54302777e961897fddf66_goldeneye.exe	28
PID 2236 wrote to memory of 2712	2236	2024-01-06_b0fda38a27f54302777e961897fddf66_goldeneye.exe	29
PID 2236 wrote to memory of 2712	2236	2024-01-06_b0fda38a27f54302777e961897fddf66_goldeneye.exe	29
PID 2236 wrote to memory of 2712	2236	2024-01-06_b0fda38a27f54302777e961897fddf66_goldeneye.exe	29
PID 2236 wrote to memory of 2712	2236	2024-01-06_b0fda38a27f54302777e961897fddf66_goldeneye.exe	29
PID 1308 wrote to memory of 2772	1308	{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe	30
PID 1308 wrote to memory of 2772	1308	{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe	30
PID 1308 wrote to memory of 2772	1308	{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe	30
PID 1308 wrote to memory of 2772	1308	{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe	30
PID 1308 wrote to memory of 2728	1308	{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe	31
PID 1308 wrote to memory of 2728	1308	{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe	31
PID 1308 wrote to memory of 2728	1308	{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe	31
PID 1308 wrote to memory of 2728	1308	{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe	31
PID 2772 wrote to memory of 2800	2772	{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe	33
PID 2772 wrote to memory of 2800	2772	{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe	33
PID 2772 wrote to memory of 2800	2772	{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe	33
PID 2772 wrote to memory of 2800	2772	{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe	33
PID 2772 wrote to memory of 2844	2772	{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe	32
PID 2772 wrote to memory of 2844	2772	{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe	32
PID 2772 wrote to memory of 2844	2772	{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe	32
PID 2772 wrote to memory of 2844	2772	{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe	32
PID 2800 wrote to memory of 1156	2800	{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe	36
PID 2800 wrote to memory of 1156	2800	{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe	36
PID 2800 wrote to memory of 1156	2800	{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe	36
PID 2800 wrote to memory of 1156	2800	{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe	36
PID 2800 wrote to memory of 1808	2800	{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe	37
PID 2800 wrote to memory of 1808	2800	{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe	37
PID 2800 wrote to memory of 1808	2800	{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe	37
PID 2800 wrote to memory of 1808	2800	{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe	37
PID 1156 wrote to memory of 3056	1156	{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe	38
PID 1156 wrote to memory of 3056	1156	{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe	38
PID 1156 wrote to memory of 3056	1156	{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe	38
PID 1156 wrote to memory of 3056	1156	{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe	38
PID 1156 wrote to memory of 2160	1156	{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe	39
PID 1156 wrote to memory of 2160	1156	{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe	39
PID 1156 wrote to memory of 2160	1156	{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe	39
PID 1156 wrote to memory of 2160	1156	{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe	39
PID 3056 wrote to memory of 2008	3056	{792716DE-6108-40ee-9234-A7460E18094E}.exe	41
PID 3056 wrote to memory of 2008	3056	{792716DE-6108-40ee-9234-A7460E18094E}.exe	41
PID 3056 wrote to memory of 2008	3056	{792716DE-6108-40ee-9234-A7460E18094E}.exe	41
PID 3056 wrote to memory of 2008	3056	{792716DE-6108-40ee-9234-A7460E18094E}.exe	41
PID 3056 wrote to memory of 624	3056	{792716DE-6108-40ee-9234-A7460E18094E}.exe	40
PID 3056 wrote to memory of 624	3056	{792716DE-6108-40ee-9234-A7460E18094E}.exe	40
PID 3056 wrote to memory of 624	3056	{792716DE-6108-40ee-9234-A7460E18094E}.exe	40
PID 3056 wrote to memory of 624	3056	{792716DE-6108-40ee-9234-A7460E18094E}.exe	40
PID 2008 wrote to memory of 2680	2008	{83AD5B85-61B9-4452-861E-386675A1F89B}.exe	42
PID 2008 wrote to memory of 2680	2008	{83AD5B85-61B9-4452-861E-386675A1F89B}.exe	42
PID 2008 wrote to memory of 2680	2008	{83AD5B85-61B9-4452-861E-386675A1F89B}.exe	42
PID 2008 wrote to memory of 2680	2008	{83AD5B85-61B9-4452-861E-386675A1F89B}.exe	42
PID 2008 wrote to memory of 1652	2008	{83AD5B85-61B9-4452-861E-386675A1F89B}.exe	43
PID 2008 wrote to memory of 1652	2008	{83AD5B85-61B9-4452-861E-386675A1F89B}.exe	43
PID 2008 wrote to memory of 1652	2008	{83AD5B85-61B9-4452-861E-386675A1F89B}.exe	43
PID 2008 wrote to memory of 1652	2008	{83AD5B85-61B9-4452-861E-386675A1F89B}.exe	43
PID 2680 wrote to memory of 1996	2680	{8E392A66-E462-4115-9685-C258A17DD245}.exe	44
PID 2680 wrote to memory of 1996	2680	{8E392A66-E462-4115-9685-C258A17DD245}.exe	44
PID 2680 wrote to memory of 1996	2680	{8E392A66-E462-4115-9685-C258A17DD245}.exe	44
PID 2680 wrote to memory of 1996	2680	{8E392A66-E462-4115-9685-C258A17DD245}.exe	44
PID 2680 wrote to memory of 636	2680	{8E392A66-E462-4115-9685-C258A17DD245}.exe	45
PID 2680 wrote to memory of 636	2680	{8E392A66-E462-4115-9685-C258A17DD245}.exe	45
PID 2680 wrote to memory of 636	2680	{8E392A66-E462-4115-9685-C258A17DD245}.exe	45
PID 2680 wrote to memory of 636	2680	{8E392A66-E462-4115-9685-C258A17DD245}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-06_b0fda38a27f54302777e961897fddf66_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_b0fda38a27f54302777e961897fddf66_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe
  C:\Windows\{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe
    C:\Windows\{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BCC72~1.EXE > nul
      4⤵
      PID:2844
  - - C:\Windows\{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe
      C:\Windows\{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe
        
        C:\Windows\{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Windows\{792716DE-6108-40ee-9234-A7460E18094E}.exe
        
        C:\Windows\{792716DE-6108-40ee-9234-A7460E18094E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79271~1.EXE > nul
        7⤵
        
        PID:624
        
        C:\Windows\{83AD5B85-61B9-4452-861E-386675A1F89B}.exe
        
        C:\Windows\{83AD5B85-61B9-4452-861E-386675A1F89B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\{8E392A66-E462-4115-9685-C258A17DD245}.exe
        
        C:\Windows\{8E392A66-E462-4115-9685-C258A17DD245}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\{C6CCC524-D550-42f9-A537-16669897672A}.exe
        
        C:\Windows\{C6CCC524-D550-42f9-A537-16669897672A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6CCC~1.EXE > nul
        10⤵
        
        PID:2092
        
        C:\Windows\{0440BF71-A753-490f-BA62-15F1FF968373}.exe
        
        C:\Windows\{0440BF71-A753-490f-BA62-15F1FF968373}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0440B~1.EXE > nul
        11⤵
        
        PID:2124
        
        C:\Windows\{83AA7953-B4A9-4fcd-8406-34E49792F3E4}.exe
        
        C:\Windows\{83AA7953-B4A9-4fcd-8406-34E49792F3E4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\{E89A8805-9B19-4f6d-BA28-0BE4F64736D8}.exe
        
        C:\Windows\{E89A8805-9B19-4f6d-BA28-0BE4F64736D8}.exe
        12⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83AA7~1.EXE > nul
        12⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E392~1.EXE > nul
        9⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83AD5~1.EXE > nul
        8⤵
        
        PID:1652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D7E4~1.EXE > nul
        6⤵
        
        PID:2160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68994~1.EXE > nul
        5⤵
        
        PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FFAF8~1.EXE > nul
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0440BF71-A753-490f-BA62-15F1FF968373}.exe

Filesize
344KB

MD5
f2f4d106f865cc2b37c124de7b0e8e18

SHA1
54c8d5e1d9b700b4867575783142b5f442582c51

SHA256
8a39e4e496cdf158b748cc694e2cbe840fbbf40f7a2db28c0b4f9a7afecc244e

SHA512
2b349e10cc00041b4be95ff3498c90872906ae9056949535efab9cc537c091bc35965df613d2ff08937ff5f72820ea25f8e47db912fc8337b22f14ff3d3b1107

Download Submit
C:\Windows\{2D7E4C7A-56A2-461f-BDF8-BCB5F2069520}.exe

Filesize
344KB

MD5
14583cbce964f36a877f865187a11643

SHA1
8fb5c90f17e8436c0b6d8446df5fd77d92de0004

SHA256
9e1bbff3e44695178a3e8d21011bde45f85b96d72a5a9af10cda2545ed2b5eeb

SHA512
66c261694a9358718f066396800ec224a88f5042b35b156fd29d2fdd2296c35dacdce4d25d217e662703dee6508da512d3fe022b788a97bea20f3e4d8b5c1e4f

Download Submit
C:\Windows\{6899478A-470C-43ed-9FED-C62E9E0F9326}.exe

Filesize
344KB

MD5
2a4087d4c85189df2136a5c3dcc5f493

SHA1
7eb8bf4ca80fe70f779034ec1a387ed3d804c5ce

SHA256
2ac03fc343ab14ec67a6224347b92393a78efd08b3ee172389e304a40faedb9f

SHA512
39ed28b5753d7027a13fbf1a9f41e4233de84a511dc1e02eff92fb138242451b495cc87da51509c03bba95062ef1b976bf5d6cf4298fce1ed3ce72493a573e6a

Download Submit
C:\Windows\{792716DE-6108-40ee-9234-A7460E18094E}.exe

Filesize
142KB

MD5
bf46e9151be9dbb418b4d42765549e71

SHA1
cae2945621c6c6230b601768a770f6dc447a00ae

SHA256
758996b66584d12aa72e166ecf95ba7f26fe7476205bf581fe026996d90537c8

SHA512
9daf3186a738419cc4a65960d3a24455b325b72e8c039ba3534f6bcb5dc564ff1bf55c65fc07974d799d392b1d6a5b77c534c597ac02f7134694dab150fd75df

Download Submit
C:\Windows\{83AA7953-B4A9-4fcd-8406-34E49792F3E4}.exe

Filesize
344KB

MD5
fbb0f1434f4911d669fd19b0c37c3130

SHA1
27db237031aecfe9e4575619465dbc71dff364b4

SHA256
2b7d443656dd58e3e8556848fa2d283189b17e7a1d3ac1a50f47148983abcdb6

SHA512
76f43cbc93b14a84e187f61e4744946f5ee09d9391304215751c993108ac56df96abf25b0f059c04a81dc4ec633dd70ee8ee4c21394552fdc4771a72aa837a39

Download Submit
C:\Windows\{83AD5B85-61B9-4452-861E-386675A1F89B}.exe

Filesize
344KB

MD5
dc2b6541de900df55a059b0a3e60b688

SHA1
ade6e358197789fdbe5a37797fe5bf660c04b16e

SHA256
66300219189a2fa998320625de0f5eda7694b29dba00abb52a5b1153f87cdf73

SHA512
b6a37e3f1626081903760939267f91d9b7a966ad83b90289b68f4c79e35ce3b7a35e75c8fdb96285432978309a7459e56a75d84431589e847f5a811f9562f1cc

Download Submit
C:\Windows\{8E392A66-E462-4115-9685-C258A17DD245}.exe

Filesize
344KB

MD5
7e17ced46ed9ec40a93d3522c9379fc5

SHA1
ec9f7c56c24b5416abdefe863a9739be3bc7d26a

SHA256
09c95c2b1abd575a4f746dd452341ada4b374f76e8140cc329b8d64505c601c8

SHA512
a4d7ab059a538a0fa9b23b2af31df8e51244dd171cece61f1ddb3e6e5433355c84b5dc7a56b96a97b49e95aaac63323d4d0393b1b1a8bc8c000af1252b3d233a

Download Submit
C:\Windows\{BCC72A81-491A-4ef0-B7DE-9FD187664EB6}.exe

Filesize
344KB

MD5
3ce8b1a751572c7aebbdafab2a5373a6

SHA1
371ed5d99c8f4de06c155a7eecb7f94e8fe65ecb

SHA256
8f345e559e1c3991f3a399d89723cb0c6a32ebf31f59df8f70707633cb2fa539

SHA512
4dc6f1f8bf9ef6a70e88ebe5284c2cc9d8c77a9822f88f67ae4d87c37b1ad440cabb6b698e5a5253f53a5d00c419f46910ef36651bbac1e60adf9e12ba623e95

Download Submit
C:\Windows\{C6CCC524-D550-42f9-A537-16669897672A}.exe

Filesize
344KB

MD5
5cf9935f7ec48aac098d3d5ce72bcd93

SHA1
d0405be6a4e5c9967dec01b8d064b3da26f6e719

SHA256
afa3561fb087a07fd27db2d0cc2611949bf8d0d175b5608c42b1d282d967c121

SHA512
7a1dfb7c250193198c783392fb9f36a8228b95a1e5c902ea11666b911d060e46cca29e9c09d119be1ead2ef6d4b0f4071ac6a4985c78c6dd13da19f87ef3c0e4

Download Submit
C:\Windows\{C6CCC524-D550-42f9-A537-16669897672A}.exe

Filesize
341KB

MD5
cc3bc968026fdd2e3add46cb943a5c8e

SHA1
dd349a99b9d45ae14d096222858e924c57868043

SHA256
06456b54dc87c93e8fbdc10968bb263b9e21614e9907f683f08844badeed134d

SHA512
b47ab464b650e912e60f0fc5381909c145fc2f81d73e16a681e2a350d8f34f826f3f83262d6661614573a1e4816e8229544c1910256810de0f7fd2c24008dc3b

Download Submit
C:\Windows\{FFAF8D3B-E6B9-402a-AC3D-4A3ACD5CC665}.exe

Filesize
344KB

MD5
8d55bdc95358cceca9c1e4e9e72f0245

SHA1
ccabb9de3cf283159a6c9a4e78ec9b8a729c6eb1

SHA256
cd6f888637773d2be7a7387ec9d7383b118e3616028fcf649e9e978fbca932b2

SHA512
14ac4a96f69afe25ba0eb3209338437da72b06c168e27b05ca1307e792882e970c675c71adde5b513691f5e7077c342c635e788245288557937220ad140d6347

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads