a69cc275b3780e00d0fd2d99e69c0fa7518649c9347124f7b2131ea8432d34db

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_cd3d64a9c892f356b7fc6c399772b069_goldeneye.exe
Size

372KB
MD5

cd3d64a9c892f356b7fc6c399772b069
SHA1

68067bbdd0517a804082004e64320b4578eaa146
SHA256

a69cc275b3780e00d0fd2d99e69c0fa7518649c9347124f7b2131ea8432d34db
SHA512

b273dccb7831258d20bf15c9ed09b82701050846fd2b62e895c42d75d9a5af707895c1078a07dd7f3c95330a870346e57d01f1edafaf35371b719b9a36b72773
SSDEEP

3072:CEGh0oimlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGFl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2BE42EB-88E4-4031-BF10-9B328D3B7D95}\stubpath = "C:\\Windows\\{B2BE42EB-88E4-4031-BF10-9B328D3B7D95}.exe"	{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C06D014D-2A13-48a7-B8E3-68F52FCCF96B}\stubpath = "C:\\Windows\\{C06D014D-2A13-48a7-B8E3-68F52FCCF96B}.exe"	{B2BE42EB-88E4-4031-BF10-9B328D3B7D95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE7DAEFC-041E-4c3d-8985-9086B108A268}	{549C542F-C330-4911-8BDF-7BCF2F4EC5B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A9EEE63-0E40-4898-A5A1-828996E55234}	2024-01-06_cd3d64a9c892f356b7fc6c399772b069_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}	{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2BE42EB-88E4-4031-BF10-9B328D3B7D95}	{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}\stubpath = "C:\\Windows\\{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe"	{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C06D014D-2A13-48a7-B8E3-68F52FCCF96B}	{B2BE42EB-88E4-4031-BF10-9B328D3B7D95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE7DAEFC-041E-4c3d-8985-9086B108A268}\stubpath = "C:\\Windows\\{CE7DAEFC-041E-4c3d-8985-9086B108A268}.exe"	{549C542F-C330-4911-8BDF-7BCF2F4EC5B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A04FDB60-5CE3-4b85-B606-FF25122D0A07}\stubpath = "C:\\Windows\\{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe"	{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}	{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}\stubpath = "C:\\Windows\\{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe"	{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53D8E346-C9B6-441c-8919-4566A83C92B5}	{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53D8E346-C9B6-441c-8919-4566A83C92B5}\stubpath = "C:\\Windows\\{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe"	{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}\stubpath = "C:\\Windows\\{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe"	{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{549C542F-C330-4911-8BDF-7BCF2F4EC5B3}	{C06D014D-2A13-48a7-B8E3-68F52FCCF96B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{549C542F-C330-4911-8BDF-7BCF2F4EC5B3}\stubpath = "C:\\Windows\\{549C542F-C330-4911-8BDF-7BCF2F4EC5B3}.exe"	{C06D014D-2A13-48a7-B8E3-68F52FCCF96B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67A09654-EF24-4e12-A380-DADA1D2CD4D4}	{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67A09654-EF24-4e12-A380-DADA1D2CD4D4}\stubpath = "C:\\Windows\\{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe"	{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A04FDB60-5CE3-4b85-B606-FF25122D0A07}	{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A9EEE63-0E40-4898-A5A1-828996E55234}\stubpath = "C:\\Windows\\{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe"	2024-01-06_cd3d64a9c892f356b7fc6c399772b069_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}	{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe

Deletes itself 1 IoCs

pid	Process
2740	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2876	{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe
2808	{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe
2952	{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe
3068	{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe
2648	{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe
848	{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe
548	{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe
2264	{B2BE42EB-88E4-4031-BF10-9B328D3B7D95}.exe
2032	{C06D014D-2A13-48a7-B8E3-68F52FCCF96B}.exe
2836	{549C542F-C330-4911-8BDF-7BCF2F4EC5B3}.exe
1488	{CE7DAEFC-041E-4c3d-8985-9086B108A268}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe	2024-01-06_cd3d64a9c892f356b7fc6c399772b069_goldeneye.exe
File created	C:\Windows\{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe	{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe
File created	C:\Windows\{C06D014D-2A13-48a7-B8E3-68F52FCCF96B}.exe	{B2BE42EB-88E4-4031-BF10-9B328D3B7D95}.exe
File created	C:\Windows\{549C542F-C330-4911-8BDF-7BCF2F4EC5B3}.exe	{C06D014D-2A13-48a7-B8E3-68F52FCCF96B}.exe
File created	C:\Windows\{CE7DAEFC-041E-4c3d-8985-9086B108A268}.exe	{549C542F-C330-4911-8BDF-7BCF2F4EC5B3}.exe
File created	C:\Windows\{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe	{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe
File created	C:\Windows\{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe	{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe
File created	C:\Windows\{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe	{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe
File created	C:\Windows\{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe	{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe
File created	C:\Windows\{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe	{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe
File created	C:\Windows\{B2BE42EB-88E4-4031-BF10-9B328D3B7D95}.exe	{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2512	2024-01-06_cd3d64a9c892f356b7fc6c399772b069_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2876	{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe
Token: SeIncBasePriorityPrivilege	2808	{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe
Token: SeIncBasePriorityPrivilege	2952	{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe
Token: SeIncBasePriorityPrivilege	3068	{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe
Token: SeIncBasePriorityPrivilege	2648	{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe
Token: SeIncBasePriorityPrivilege	848	{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe
Token: SeIncBasePriorityPrivilege	548	{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe
Token: SeIncBasePriorityPrivilege	2264	{B2BE42EB-88E4-4031-BF10-9B328D3B7D95}.exe
Token: SeIncBasePriorityPrivilege	2032	{C06D014D-2A13-48a7-B8E3-68F52FCCF96B}.exe
Token: SeIncBasePriorityPrivilege	2836	{549C542F-C330-4911-8BDF-7BCF2F4EC5B3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2876	2512	2024-01-06_cd3d64a9c892f356b7fc6c399772b069_goldeneye.exe	28
PID 2512 wrote to memory of 2876	2512	2024-01-06_cd3d64a9c892f356b7fc6c399772b069_goldeneye.exe	28
PID 2512 wrote to memory of 2876	2512	2024-01-06_cd3d64a9c892f356b7fc6c399772b069_goldeneye.exe	28
PID 2512 wrote to memory of 2876	2512	2024-01-06_cd3d64a9c892f356b7fc6c399772b069_goldeneye.exe	28
PID 2512 wrote to memory of 2740	2512	2024-01-06_cd3d64a9c892f356b7fc6c399772b069_goldeneye.exe	29
PID 2512 wrote to memory of 2740	2512	2024-01-06_cd3d64a9c892f356b7fc6c399772b069_goldeneye.exe	29
PID 2512 wrote to memory of 2740	2512	2024-01-06_cd3d64a9c892f356b7fc6c399772b069_goldeneye.exe	29
PID 2512 wrote to memory of 2740	2512	2024-01-06_cd3d64a9c892f356b7fc6c399772b069_goldeneye.exe	29
PID 2876 wrote to memory of 2808	2876	{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe	31
PID 2876 wrote to memory of 2808	2876	{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe	31
PID 2876 wrote to memory of 2808	2876	{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe	31
PID 2876 wrote to memory of 2808	2876	{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe	31
PID 2876 wrote to memory of 2616	2876	{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe	30
PID 2876 wrote to memory of 2616	2876	{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe	30
PID 2876 wrote to memory of 2616	2876	{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe	30
PID 2876 wrote to memory of 2616	2876	{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe	30
PID 2808 wrote to memory of 2952	2808	{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe	32
PID 2808 wrote to memory of 2952	2808	{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe	32
PID 2808 wrote to memory of 2952	2808	{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe	32
PID 2808 wrote to memory of 2952	2808	{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe	32
PID 2808 wrote to memory of 2748	2808	{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe	33
PID 2808 wrote to memory of 2748	2808	{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe	33
PID 2808 wrote to memory of 2748	2808	{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe	33
PID 2808 wrote to memory of 2748	2808	{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe	33
PID 2952 wrote to memory of 3068	2952	{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe	36
PID 2952 wrote to memory of 3068	2952	{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe	36
PID 2952 wrote to memory of 3068	2952	{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe	36
PID 2952 wrote to memory of 3068	2952	{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe	36
PID 2952 wrote to memory of 2788	2952	{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe	37
PID 2952 wrote to memory of 2788	2952	{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe	37
PID 2952 wrote to memory of 2788	2952	{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe	37
PID 2952 wrote to memory of 2788	2952	{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe	37
PID 3068 wrote to memory of 2648	3068	{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe	39
PID 3068 wrote to memory of 2648	3068	{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe	39
PID 3068 wrote to memory of 2648	3068	{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe	39
PID 3068 wrote to memory of 2648	3068	{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe	39
PID 3068 wrote to memory of 2296	3068	{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe	38
PID 3068 wrote to memory of 2296	3068	{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe	38
PID 3068 wrote to memory of 2296	3068	{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe	38
PID 3068 wrote to memory of 2296	3068	{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe	38
PID 2648 wrote to memory of 848	2648	{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe	40
PID 2648 wrote to memory of 848	2648	{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe	40
PID 2648 wrote to memory of 848	2648	{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe	40
PID 2648 wrote to memory of 848	2648	{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe	40
PID 2648 wrote to memory of 764	2648	{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe	41
PID 2648 wrote to memory of 764	2648	{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe	41
PID 2648 wrote to memory of 764	2648	{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe	41
PID 2648 wrote to memory of 764	2648	{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe	41
PID 848 wrote to memory of 548	848	{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe	43
PID 848 wrote to memory of 548	848	{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe	43
PID 848 wrote to memory of 548	848	{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe	43
PID 848 wrote to memory of 548	848	{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe	43
PID 848 wrote to memory of 320	848	{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe	42
PID 848 wrote to memory of 320	848	{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe	42
PID 848 wrote to memory of 320	848	{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe	42
PID 848 wrote to memory of 320	848	{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe	42
PID 548 wrote to memory of 2264	548	{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe	45
PID 548 wrote to memory of 2264	548	{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe	45
PID 548 wrote to memory of 2264	548	{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe	45
PID 548 wrote to memory of 2264	548	{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe	45
PID 548 wrote to memory of 1536	548	{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe	44
PID 548 wrote to memory of 1536	548	{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe	44
PID 548 wrote to memory of 1536	548	{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe	44
PID 548 wrote to memory of 1536	548	{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-06_cd3d64a9c892f356b7fc6c399772b069_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_cd3d64a9c892f356b7fc6c399772b069_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe
  C:\Windows\{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5A9EE~1.EXE > nul
    3⤵
    PID:2616
- - C:\Windows\{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe
    C:\Windows\{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe
      C:\Windows\{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe
        
        C:\Windows\{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53D8E~1.EXE > nul
        6⤵
        
        PID:2296
      - C:\Windows\{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe
        
        C:\Windows\{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe
        
        C:\Windows\{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD5F4~1.EXE > nul
        8⤵
        
        PID:320
        
        C:\Windows\{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe
        
        C:\Windows\{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{100EE~1.EXE > nul
        9⤵
        
        PID:1536
        
        C:\Windows\{B2BE42EB-88E4-4031-BF10-9B328D3B7D95}.exe
        
        C:\Windows\{B2BE42EB-88E4-4031-BF10-9B328D3B7D95}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2BE4~1.EXE > nul
        10⤵
        
        PID:1396
        
        C:\Windows\{C06D014D-2A13-48a7-B8E3-68F52FCCF96B}.exe
        
        C:\Windows\{C06D014D-2A13-48a7-B8E3-68F52FCCF96B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C06D0~1.EXE > nul
        11⤵
        
        PID:2204
        
        C:\Windows\{549C542F-C330-4911-8BDF-7BCF2F4EC5B3}.exe
        
        C:\Windows\{549C542F-C330-4911-8BDF-7BCF2F4EC5B3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{549C5~1.EXE > nul
        12⤵
        
        PID:1484
        
        C:\Windows\{CE7DAEFC-041E-4c3d-8985-9086B108A268}.exe
        
        C:\Windows\{CE7DAEFC-041E-4c3d-8985-9086B108A268}.exe
        12⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{305C7~1.EXE > nul
        7⤵
        
        PID:764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A04FD~1.EXE > nul
        5⤵
        
        PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{67A09~1.EXE > nul
      4⤵
      PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{100EEC58-60E2-4df2-96D7-E451DE1BE5DF}.exe

Filesize
372KB

MD5
a0edfe95dc6f8af6d6b43f14a4f51287

SHA1
3bbe6b44b667d2188e0da126d93efecee4b2b35e

SHA256
a5b4c60d3a5714f5900c6c572d04384d93820aa50b851fe4b5e179573f0264e7

SHA512
edb3fafa6fa55738911d7eff11daf37d136b1b97b0df9020eecc34a21c053ba70bc15b60af3890f00645d7ffb8219959921ce3578556eb5253d5f9c8c679f256

Download Submit
C:\Windows\{305C7C0D-F440-4af2-AD8E-9F1B8E28BD36}.exe

Filesize
372KB

MD5
ea4f203c51060cbd6c9bf66126123c1e

SHA1
3f16c8f8457b6eb96039447caef0a2a7938ccd37

SHA256
0ddda887aa414f9b3b14f0bb49494e6534b99eb0f689b5ac73e521f2ab62249e

SHA512
18722d5b3b09caf9d49a7d8e58f2c7f60bd69fe77f4b4ed633ef2f87c6d77f1fbfea7f6ef1a822e84ca9a102748b58796055af4d4f3d54253f001a5438e8a80c

Download Submit
C:\Windows\{53D8E346-C9B6-441c-8919-4566A83C92B5}.exe

Filesize
372KB

MD5
dca437ac9f3496b0d4d7fab53d5be71d

SHA1
79c63bd31ce401a1e92b4d6c3892fcf31888cb25

SHA256
f8705c086983863805d24df6f4dc4ea6f53f3fdf77fb9a4282b2ba80122ee43c

SHA512
57207587960c42efbe0c20cfa97c64565f19ec2aefff89e522da5d19fb2e514b9719193c28bd012dfe5e7fb792b09082c8f030514aacdf946cea79f882c0d2b3

Download Submit
C:\Windows\{549C542F-C330-4911-8BDF-7BCF2F4EC5B3}.exe

Filesize
372KB

MD5
07607095d5f1b6ac5d73a174ef9a14a3

SHA1
d09ff176e0f6a3426b1582f842a9357a942e08f7

SHA256
4f91cef17c28df014041b919813df6608fe1914d36f19658b40e9a6526c614e5

SHA512
c260284bb157d2faf55d2eb9a0ba4920f08c83e84f3f395f31aea7887733c626aea319faefed00c730d3782ca26f5fa306a6a6f4d29cf043270b7341623d954b

Download Submit
C:\Windows\{5A9EEE63-0E40-4898-A5A1-828996E55234}.exe

Filesize
372KB

MD5
069d7e222bee43e667ce7fc588f15080

SHA1
bef9dba9c420e9cd950db2423a6abcc9d6f0b3f9

SHA256
7e1617c18077cf3b35a77387871a89e58ad2cffd17fe5a6a977340d3a4848233

SHA512
e87d103c7d901b475849e09563927f577ebb32013094abc650c2204b6b66cb626f0126fe2d519f509ea68081122a3a2121563e8626ad5359956be0e88fb22594

Download Submit
C:\Windows\{67A09654-EF24-4e12-A380-DADA1D2CD4D4}.exe

Filesize
143KB

MD5
1fb79b203039992747b24d0cbb7380f8

SHA1
0481910576a18d67b81074fc154dcd6eaf12841e

SHA256
2f1bc7faccfc6beb68dfc77e453fd2ae45963f85383a6e309a7236e8aa58e12e

SHA512
39b6afd52d2cf85ebd2d1fd7ac3bc5e6788003d148a60941a06f90f136d2302f3619aa912d9167ff0166e6dbab5a0ca17c3aebf318fb7499ed6f0ef0ddfc977b

Download Submit
C:\Windows\{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe

Filesize
139KB

MD5
9dccf2066bbb0bc07c285115b12ba850

SHA1
05defde8d8398d92f22076354e1ab41a71b28b9b

SHA256
6ea3f29213c7dc3454bc318305aa6ad7de766d3b5dbdb99548ece46a6b4c1e4c

SHA512
c98afb4a41f9e3a3d8550274f249c31db0da6eea87a77edae004b24766b152ac88f199aa021166494774755e53e18f98eac55a40d1675ce2811bf8a87537665d

Download Submit
C:\Windows\{A04FDB60-5CE3-4b85-B606-FF25122D0A07}.exe

Filesize
372KB

MD5
a430c7c25c6440ff3ebc03008ad22a8b

SHA1
ea54edf00a299debe56ff86d9becae6777ba5524

SHA256
289f8cdd656760c46a1c18a747782dc5c319eb54e8cf69b27180129d845a5e4e

SHA512
9e80f3f1853559488ad303494c4113fc45933fae98d785f5f6129353c5a261238ea6cbe006e5a4b9fac7def3d7f70fcec48ac416092744f654687653b5f6a1bd

Download Submit
C:\Windows\{B2BE42EB-88E4-4031-BF10-9B328D3B7D95}.exe

Filesize
372KB

MD5
ebb01b7beecdb4fb1d31ea39a23f97eb

SHA1
0e347986c0cf29889e63e8b098ca288786bb3d7d

SHA256
d13c82397448035aa3258b5e061bda4dc64737b6a94032033e75467117ab5643

SHA512
f675f5f64cee24c8b21c0997c6e3eb64f823db7a4cadeceb004ce331cfa4fa1f2bd68f5e449804a26fa9b90404f899ba91fd9c1a459f9fd97d2cb29a0ae1e1dc

Download Submit
C:\Windows\{BD5F4EE7-F9F6-4f7e-A2F5-1197A4BDADD8}.exe

Filesize
372KB

MD5
939b64823af5fe3a73955125edf92799

SHA1
4e1541c3d4068e93da95dcdeb03e355947c2018c

SHA256
55e5dd955cfaeb11d4d6ac02b37ef303a6016b4f862ec813fff1a6137c3e2162

SHA512
a8e59447bcd9190cae37d6a672686396e96902516b086372d5c1a094a69cb20d0dc7b827ecc0c6bb2f5ac8d70e2d938ca88751ad9144febc1cceb37ef8cdb3ef

Download Submit
C:\Windows\{C06D014D-2A13-48a7-B8E3-68F52FCCF96B}.exe

Filesize
372KB

MD5
44a6d26885a93c9319030fe3bf1ff749

SHA1
f9b99425cb661fb0314c461a280da46cac1cab0a

SHA256
036dc15e6193f5b4160aaaa4910535008d63fdc6a4b0cb7ae95e126533072f5b

SHA512
eb1f76c8ee17fa914f3e35ae7918c4539018207181b6d06155e345c535b48f9f36676473a6cf0fd7aba4b9857c8b3de63dc06dd7266a3c5a3683561e9381d854

Download Submit
C:\Windows\{CE7DAEFC-041E-4c3d-8985-9086B108A268}.exe

Filesize
372KB

MD5
c76d6590bc42382e49a3238f63c2a942

SHA1
1975097394fa6f1478edb8ce303d97831f50a095

SHA256
23be532b8f08230460d243fad298a44b5862ce70eeea330449be6b5f237c379e

SHA512
09f6d029d208fc3ad14cc0a2f38704b37b8fb762cae6599489a26735e7ddc833710e0bbaafc265e733d07f74135828e3ea31956ad0385541661804f43da9f880

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads