c83ff9304997f8427dcfc7d6ed003843f80c6b883d6ff00befd35bdcd3fe5c28

Analysis

max time kernel
151s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe
Size

344KB
MD5

e9688c5ebb1b08ecc154c69cfa47a037
SHA1

c21c5e6e4d98317905b7f703df03b26f3e1aae4d
SHA256

c83ff9304997f8427dcfc7d6ed003843f80c6b883d6ff00befd35bdcd3fe5c28
SHA512

c08c79abf1c0f9e91d4151571af9fe471a90f686f6ced9c2ceb5d24a686134eb86aaddf1f04fb2df7f2654f3e297d97086c760722df1dc6f5b07e12a3f899ae5
SSDEEP

3072:mEGh0o3lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGllqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}\stubpath = "C:\\Windows\\{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe"	{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}	{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4EF93AD-5D53-4830-AEEB-5C91AB8519B1}	{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BD90549-416C-4741-A1B6-B8B0630ECE71}	{AB94AE3B-4C96-46c0-B761-B07EF453DCE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}\stubpath = "C:\\Windows\\{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe"	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}\stubpath = "C:\\Windows\\{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe"	{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{054AFAF2-F578-4184-B9B1-A8D3A1223D24}	{D4EF93AD-5D53-4830-AEEB-5C91AB8519B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB94AE3B-4C96-46c0-B761-B07EF453DCE9}	{054AFAF2-F578-4184-B9B1-A8D3A1223D24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB94AE3B-4C96-46c0-B761-B07EF453DCE9}\stubpath = "C:\\Windows\\{AB94AE3B-4C96-46c0-B761-B07EF453DCE9}.exe"	{054AFAF2-F578-4184-B9B1-A8D3A1223D24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BD90549-416C-4741-A1B6-B8B0630ECE71}\stubpath = "C:\\Windows\\{7BD90549-416C-4741-A1B6-B8B0630ECE71}.exe"	{AB94AE3B-4C96-46c0-B761-B07EF453DCE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B7FA075-D67B-4a45-BDE8-259E68ABCCED}	{7BD90549-416C-4741-A1B6-B8B0630ECE71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}	{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}	{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B7FA075-D67B-4a45-BDE8-259E68ABCCED}\stubpath = "C:\\Windows\\{0B7FA075-D67B-4a45-BDE8-259E68ABCCED}.exe"	{7BD90549-416C-4741-A1B6-B8B0630ECE71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4EF93AD-5D53-4830-AEEB-5C91AB8519B1}\stubpath = "C:\\Windows\\{D4EF93AD-5D53-4830-AEEB-5C91AB8519B1}.exe"	{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FBA72F8-FF7A-431b-B144-BE04865F390C}\stubpath = "C:\\Windows\\{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe"	{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1909C4CF-2956-4112-9C35-C8B57DD81F1A}	{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1909C4CF-2956-4112-9C35-C8B57DD81F1A}\stubpath = "C:\\Windows\\{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe"	{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCA6EB62-D780-49de-9A0E-89A6737AEB78}	{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCA6EB62-D780-49de-9A0E-89A6737AEB78}\stubpath = "C:\\Windows\\{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe"	{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{054AFAF2-F578-4184-B9B1-A8D3A1223D24}\stubpath = "C:\\Windows\\{054AFAF2-F578-4184-B9B1-A8D3A1223D24}.exe"	{D4EF93AD-5D53-4830-AEEB-5C91AB8519B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FBA72F8-FF7A-431b-B144-BE04865F390C}	{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}\stubpath = "C:\\Windows\\{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe"	{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe

Deletes itself 1 IoCs

pid	Process
2560	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2196	{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe
2720	{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe
2036	{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe
2648	{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe
2264	{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe
2556	{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe
1920	{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe
2888	{D4EF93AD-5D53-4830-AEEB-5C91AB8519B1}.exe
1524	{054AFAF2-F578-4184-B9B1-A8D3A1223D24}.exe
2996	{AB94AE3B-4C96-46c0-B761-B07EF453DCE9}.exe
2492	{7BD90549-416C-4741-A1B6-B8B0630ECE71}.exe
2472	{0B7FA075-D67B-4a45-BDE8-259E68ABCCED}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe	{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe
File created	C:\Windows\{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe	{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe
File created	C:\Windows\{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe	{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe
File created	C:\Windows\{D4EF93AD-5D53-4830-AEEB-5C91AB8519B1}.exe	{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe
File created	C:\Windows\{054AFAF2-F578-4184-B9B1-A8D3A1223D24}.exe	{D4EF93AD-5D53-4830-AEEB-5C91AB8519B1}.exe
File created	C:\Windows\{7BD90549-416C-4741-A1B6-B8B0630ECE71}.exe	{AB94AE3B-4C96-46c0-B761-B07EF453DCE9}.exe
File created	C:\Windows\{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe
File created	C:\Windows\{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe	{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe
File created	C:\Windows\{AB94AE3B-4C96-46c0-B761-B07EF453DCE9}.exe	{054AFAF2-F578-4184-B9B1-A8D3A1223D24}.exe
File created	C:\Windows\{0B7FA075-D67B-4a45-BDE8-259E68ABCCED}.exe	{7BD90549-416C-4741-A1B6-B8B0630ECE71}.exe
File created	C:\Windows\{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe	{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe
File created	C:\Windows\{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe	{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1708	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2196	{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe
Token: SeIncBasePriorityPrivilege	2720	{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe
Token: SeIncBasePriorityPrivilege	2036	{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe
Token: SeIncBasePriorityPrivilege	2648	{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe
Token: SeIncBasePriorityPrivilege	2264	{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe
Token: SeIncBasePriorityPrivilege	2556	{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe
Token: SeIncBasePriorityPrivilege	1920	{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe
Token: SeIncBasePriorityPrivilege	2888	{D4EF93AD-5D53-4830-AEEB-5C91AB8519B1}.exe
Token: SeIncBasePriorityPrivilege	1524	{054AFAF2-F578-4184-B9B1-A8D3A1223D24}.exe
Token: SeIncBasePriorityPrivilege	2996	{AB94AE3B-4C96-46c0-B761-B07EF453DCE9}.exe
Token: SeIncBasePriorityPrivilege	2492	{7BD90549-416C-4741-A1B6-B8B0630ECE71}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2196	1708	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe	28
PID 1708 wrote to memory of 2196	1708	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe	28
PID 1708 wrote to memory of 2196	1708	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe	28
PID 1708 wrote to memory of 2196	1708	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe	28
PID 1708 wrote to memory of 2560	1708	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe	29
PID 1708 wrote to memory of 2560	1708	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe	29
PID 1708 wrote to memory of 2560	1708	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe	29
PID 1708 wrote to memory of 2560	1708	2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe	29
PID 2196 wrote to memory of 2720	2196	{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe	30
PID 2196 wrote to memory of 2720	2196	{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe	30
PID 2196 wrote to memory of 2720	2196	{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe	30
PID 2196 wrote to memory of 2720	2196	{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe	30
PID 2196 wrote to memory of 2860	2196	{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe	31
PID 2196 wrote to memory of 2860	2196	{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe	31
PID 2196 wrote to memory of 2860	2196	{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe	31
PID 2196 wrote to memory of 2860	2196	{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe	31
PID 2720 wrote to memory of 2036	2720	{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe	32
PID 2720 wrote to memory of 2036	2720	{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe	32
PID 2720 wrote to memory of 2036	2720	{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe	32
PID 2720 wrote to memory of 2036	2720	{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe	32
PID 2720 wrote to memory of 2880	2720	{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe	33
PID 2720 wrote to memory of 2880	2720	{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe	33
PID 2720 wrote to memory of 2880	2720	{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe	33
PID 2720 wrote to memory of 2880	2720	{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe	33
PID 2036 wrote to memory of 2648	2036	{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe	36
PID 2036 wrote to memory of 2648	2036	{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe	36
PID 2036 wrote to memory of 2648	2036	{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe	36
PID 2036 wrote to memory of 2648	2036	{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe	36
PID 2036 wrote to memory of 1248	2036	{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe	37
PID 2036 wrote to memory of 1248	2036	{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe	37
PID 2036 wrote to memory of 1248	2036	{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe	37
PID 2036 wrote to memory of 1248	2036	{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe	37
PID 2648 wrote to memory of 2264	2648	{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe	39
PID 2648 wrote to memory of 2264	2648	{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe	39
PID 2648 wrote to memory of 2264	2648	{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe	39
PID 2648 wrote to memory of 2264	2648	{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe	39
PID 2648 wrote to memory of 2948	2648	{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe	38
PID 2648 wrote to memory of 2948	2648	{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe	38
PID 2648 wrote to memory of 2948	2648	{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe	38
PID 2648 wrote to memory of 2948	2648	{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe	38
PID 2264 wrote to memory of 2556	2264	{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe	40
PID 2264 wrote to memory of 2556	2264	{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe	40
PID 2264 wrote to memory of 2556	2264	{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe	40
PID 2264 wrote to memory of 2556	2264	{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe	40
PID 2264 wrote to memory of 984	2264	{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe	41
PID 2264 wrote to memory of 984	2264	{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe	41
PID 2264 wrote to memory of 984	2264	{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe	41
PID 2264 wrote to memory of 984	2264	{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe	41
PID 2556 wrote to memory of 1920	2556	{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe	42
PID 2556 wrote to memory of 1920	2556	{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe	42
PID 2556 wrote to memory of 1920	2556	{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe	42
PID 2556 wrote to memory of 1920	2556	{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe	42
PID 2556 wrote to memory of 528	2556	{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe	43
PID 2556 wrote to memory of 528	2556	{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe	43
PID 2556 wrote to memory of 528	2556	{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe	43
PID 2556 wrote to memory of 528	2556	{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe	43
PID 1920 wrote to memory of 2888	1920	{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe	44
PID 1920 wrote to memory of 2888	1920	{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe	44
PID 1920 wrote to memory of 2888	1920	{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe	44
PID 1920 wrote to memory of 2888	1920	{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe	44
PID 1920 wrote to memory of 1504	1920	{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe	45
PID 1920 wrote to memory of 1504	1920	{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe	45
PID 1920 wrote to memory of 1504	1920	{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe	45
PID 1920 wrote to memory of 1504	1920	{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_e9688c5ebb1b08ecc154c69cfa47a037_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe
  C:\Windows\{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe
    C:\Windows\{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe
      C:\Windows\{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe
        
        C:\Windows\{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9467E~1.EXE > nul
        6⤵
        
        PID:2948
      - C:\Windows\{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe
        
        C:\Windows\{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe
        
        C:\Windows\{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe
        
        C:\Windows\{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\{D4EF93AD-5D53-4830-AEEB-5C91AB8519B1}.exe
        
        C:\Windows\{D4EF93AD-5D53-4830-AEEB-5C91AB8519B1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\{054AFAF2-F578-4184-B9B1-A8D3A1223D24}.exe
        
        C:\Windows\{054AFAF2-F578-4184-B9B1-A8D3A1223D24}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\{AB94AE3B-4C96-46c0-B761-B07EF453DCE9}.exe
        
        C:\Windows\{AB94AE3B-4C96-46c0-B761-B07EF453DCE9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\{7BD90549-416C-4741-A1B6-B8B0630ECE71}.exe
        
        C:\Windows\{7BD90549-416C-4741-A1B6-B8B0630ECE71}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\{0B7FA075-D67B-4a45-BDE8-259E68ABCCED}.exe
        
        C:\Windows\{0B7FA075-D67B-4a45-BDE8-259E68ABCCED}.exe
        13⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BD90~1.EXE > nul
        13⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB94A~1.EXE > nul
        12⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{054AF~1.EXE > nul
        11⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4EF9~1.EXE > nul
        10⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCDEA~1.EXE > nul
        9⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCA6E~1.EXE > nul
        8⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1909C~1.EXE > nul
        7⤵
        
        PID:984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FBA7~1.EXE > nul
        5⤵
        
        PID:1248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{843E5~1.EXE > nul
      4⤵
      PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C7D6F~1.EXE > nul
    3⤵
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{054AFAF2-F578-4184-B9B1-A8D3A1223D24}.exe

Filesize
344KB

MD5
3593fa1ddb7666464669290ee242da7d

SHA1
982d08c2e863275f4f39f6933ae37696598452c0

SHA256
6109ffd9c1201139ccee102976541cb9133b1870d4d16ee83e2b4de666599b12

SHA512
dc53a31aa7400d600efc64a3db5b013a95d1917075215d97b3d74355ff23e5182002ff1353c4f7267a6919914c72ed645f234b8b45d12310d6f829eaae51a338

Download Submit
C:\Windows\{0B7FA075-D67B-4a45-BDE8-259E68ABCCED}.exe

Filesize
344KB

MD5
9b8b11f8c1d7ce26b94c382befbe505c

SHA1
08fffe78d9c649904d98d8405c1229b3faca5df7

SHA256
ad7459cf4ba0d8c1dfdfacea2befd5ea2209be65fa9193a028f814d54e746fa2

SHA512
c710c22a535a9fbefb5e3dce64dbf72237d64d8ccd317d70fad0bff7103c67221955377e6cde64257ef03334992b0e8bcb78928894e9df6dea739bfb0f070ef7

Download Submit
C:\Windows\{1909C4CF-2956-4112-9C35-C8B57DD81F1A}.exe

Filesize
344KB

MD5
3782e6897fac56535e105dd28ca0e563

SHA1
4fbcfc5ebb9480ce05469e889eb408f367349678

SHA256
e07cc5497ce855b8a93676715e94f9d435871d0b195601a334132fcd64a8fc4f

SHA512
63e2685e5d46dfd49a1c7ae3eed304bfb1cbbeff1c70336d29d2e650fb08b9cc8ce0d1de6b9e6fcd33a7e2448c21236e4dec33c02e66dd99ee6d3e0979d596a9

Download Submit
C:\Windows\{7BD90549-416C-4741-A1B6-B8B0630ECE71}.exe

Filesize
344KB

MD5
e20a46b515085d0eeeab40ae29aa7a21

SHA1
97a7e86a7153dd3470b4c77d589ade4299d13adb

SHA256
a62a74f390919023aa326dd7ec2505f4747d0d61494c9745d9ab8d1f8d2feda6

SHA512
5428922cbb1df1750cae922a82ddbee3a163356224f3b5e53cd5698e6c70d1d3e3b11c2addd02c46dd8b97e18f6e3ec992aa5e8a9acf7cb63dc15c38bee3c56f

Download Submit
C:\Windows\{843E5C8A-A533-483a-AD06-AB6E8DD1DF6E}.exe

Filesize
344KB

MD5
2f132bc1d98eb202b10beb1179e89af6

SHA1
fb0c130527985175997cc27f36125825419243a5

SHA256
70a5d32f0aa3b8a61449a41f212bd2e84d5cd4aa3ea4df71da27d17e62f15fc5

SHA512
116644dc8db102e6cf2d022170cea3fb4d1daad141e1da75138c2db106737d1865bbcb2d6194e82cc702b167cb0d9b333daa87715715b2af29ad8e5871246378

Download Submit
C:\Windows\{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe

Filesize
344KB

MD5
df7c290ba1587260453a653b6489a4e6

SHA1
f7d6649cf5da01df941a4407a6747b82f6b3473e

SHA256
450f906c324683e809c2c04e117529fcc41ccdb818ccc94af0254503cafb81f4

SHA512
3900a14408dfcce25872360e632bb171c720cb7d16f3fb3350fd7e7a53a000fbe2cac01b24916fc02521f06ba055a38eeba690d500ca3e02e28914ced7161eef

Download Submit
C:\Windows\{8FBA72F8-FF7A-431b-B144-BE04865F390C}.exe

Filesize
47KB

MD5
46881d6dd2b9de887694810c9c84d8b7

SHA1
6ed66103e4e6c6f3099fb5573d5b9b328c225e03

SHA256
329add287a7919d30696309467bc2fd568a09aff7ca1f55038730b8a71c19c56

SHA512
b4802bbc47fc8b3962cc020083336ab09763b304b0abe4dd1add59041baa987acef98ece9114ce54bc339c711d978d3bcb9e347594c534b7c2abbd265ce4377d

Download Submit
C:\Windows\{9467EDE9-9247-40c3-BCCE-56588FE0F1BC}.exe

Filesize
344KB

MD5
197b0df1bb71a95ba808bc7ceb79c7f7

SHA1
f51317cf8c440fb206aa24b03b8e826e036b4d65

SHA256
00e422d07df926a0bcfa882979cfb302c7ff9849a55173faeffb9d3b673d82cc

SHA512
7eb4444a15762df6ba4e09a4ab80039ab762c02a921e587ad2915b3bb7ca4bb8ba859c4e9975480e56f69dbdd5fa590632cd6f7239d28698a6c52aa9c1ae5ffc

Download Submit
C:\Windows\{AB94AE3B-4C96-46c0-B761-B07EF453DCE9}.exe

Filesize
344KB

MD5
42dcbef050d48fb22445c1383ea1d8fc

SHA1
fdfa05fecc9f2e7cd6f8799afa4e9a834f851113

SHA256
dab6a69bebc3c9d8040ba7af361e7a59a57870ff05304c719cb876b1ae30ab3f

SHA512
75009aec7b94d350b936cf3ae5ae9671ee745af457df9fcf92a011513b295c8511d36f2577991aac27be8d353b0b7d301b8d8256f17e3158b2caf83b8f57815f

Download Submit
C:\Windows\{BCA6EB62-D780-49de-9A0E-89A6737AEB78}.exe

Filesize
344KB

MD5
c1d9f1178f7011eb1c85d94465150a20

SHA1
ccb8032c690fd36bd2ac0047c4e1a844f8c6ca0c

SHA256
cc6e6bbae62b281dde056928919e3eecd5b712ab5be47d9363ba194218e3a1c9

SHA512
46a2a2095fc2e32403ef512fadc869137e8522265d1f0ec3ce6b0fa13b82f331fd2c22200a6437075a96cd38a3a90231ae768248c16d1d9fd44e7101d67a705d

Download Submit
C:\Windows\{C7D6F4F8-A661-4c71-9BC9-E034A2A46670}.exe

Filesize
344KB

MD5
696261528ede8ecca91e3f544011e353

SHA1
ff393d0a7f37e16c1bbbeb963da518af24057a24

SHA256
7245cf7c217a6159eedfb2a26482478bd23d3bfe578ab63adf7ed59b29afd735

SHA512
82ed57dd1654d27aa418b18e720dd4949570d3bc2be2aa9d2a5f4ff33ef395ef780a6ca8d060fa73a9c39a0a77daf96a2592e22b154be76dbee2fd2583c41ea1

Download Submit
C:\Windows\{CCDEA1DE-437B-41d5-BC73-C2DE271D0448}.exe

Filesize
344KB

MD5
c05420f2319fbfbcb78cc130fe9071e1

SHA1
978274a07f37ac43da5bf773684df37fa3ca0ff4

SHA256
1c88de95cf4997e7c301d9c89f0f17bb18705a99d60cfecec1ef4c018ec89f1e

SHA512
c08ed8b6c66e601422c7e2d91cafbed29bf6ba6719039804030415af03dbb14e088a91d9e46c7df3b68b8612a40d8bbd8cfc50ae8f273bfa43ef53336ee88c67

Download Submit
C:\Windows\{D4EF93AD-5D53-4830-AEEB-5C91AB8519B1}.exe

Filesize
344KB

MD5
ac7f11226756c0378babb2e54b6a8cbf

SHA1
4fb8a1ee1ff57e6f0da4e5673e4b6001e60c7593

SHA256
ffb5b7eea051cd05074aa816e8af80750f2a32883108dd3ebe3a526c3b7e0f98

SHA512
099b76d7cbe292ee2070e66ab15f36629e22dcf591e6f0dfffb94a4485e3d2158abe5f58bb668719382675ae340bad116b4d7407fa9cd37f87495f8be4cb78cf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads