d535181fe62e30a171a3af14055028c92c2897e3c0563c2faf1d521d9a5da377

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_44bb71fa7eef02f8d57aa4ed6a841325_goldeneye.exe
Size

216KB
MD5

44bb71fa7eef02f8d57aa4ed6a841325
SHA1

468a6c2885afeb5bb8e59ba88bba522556d6f1c5
SHA256

d535181fe62e30a171a3af14055028c92c2897e3c0563c2faf1d521d9a5da377
SHA512

d1bba207c7023d484a023a52f6890c6363cbd3e94327658931b865d53c3659a356648661a6623e41bb95821d30505eea0b5686493e93014a2742f48db10bdde8
SSDEEP

3072:jEGh0oel+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGMlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63EA186C-FADD-4cf0-98E7-C350A1D95484}	2024-01-08_44bb71fa7eef02f8d57aa4ed6a841325_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9DD6D6F-86AC-496f-928F-4871D6529229}	{356546AE-588B-495c-AABA-32EFD840FAB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F952CF59-9AE0-48cb-992E-5C0672A4A763}\stubpath = "C:\\Windows\\{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe"	{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}	{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}\stubpath = "C:\\Windows\\{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe"	{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDF98C33-67E6-438d-8326-D93BA749D6C6}	{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{356546AE-588B-495c-AABA-32EFD840FAB0}\stubpath = "C:\\Windows\\{356546AE-588B-495c-AABA-32EFD840FAB0}.exe"	{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}	{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}	{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE150EA1-D885-4a9d-917B-AD598DA893B1}\stubpath = "C:\\Windows\\{EE150EA1-D885-4a9d-917B-AD598DA893B1}.exe"	{BDF98C33-67E6-438d-8326-D93BA749D6C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A311436C-7478-4296-8141-6B672589A4D8}\stubpath = "C:\\Windows\\{A311436C-7478-4296-8141-6B672589A4D8}.exe"	{F8A08BD8-0C39-4308-BC68-CAF56D36484C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63EA186C-FADD-4cf0-98E7-C350A1D95484}\stubpath = "C:\\Windows\\{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe"	2024-01-08_44bb71fa7eef02f8d57aa4ed6a841325_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F952CF59-9AE0-48cb-992E-5C0672A4A763}	{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}\stubpath = "C:\\Windows\\{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe"	{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}\stubpath = "C:\\Windows\\{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe"	{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDF98C33-67E6-438d-8326-D93BA749D6C6}\stubpath = "C:\\Windows\\{BDF98C33-67E6-438d-8326-D93BA749D6C6}.exe"	{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE150EA1-D885-4a9d-917B-AD598DA893B1}	{BDF98C33-67E6-438d-8326-D93BA749D6C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{356546AE-588B-495c-AABA-32EFD840FAB0}	{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9DD6D6F-86AC-496f-928F-4871D6529229}\stubpath = "C:\\Windows\\{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe"	{356546AE-588B-495c-AABA-32EFD840FAB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8A08BD8-0C39-4308-BC68-CAF56D36484C}	{EE150EA1-D885-4a9d-917B-AD598DA893B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8A08BD8-0C39-4308-BC68-CAF56D36484C}\stubpath = "C:\\Windows\\{F8A08BD8-0C39-4308-BC68-CAF56D36484C}.exe"	{EE150EA1-D885-4a9d-917B-AD598DA893B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A311436C-7478-4296-8141-6B672589A4D8}	{F8A08BD8-0C39-4308-BC68-CAF56D36484C}.exe

Deletes itself 1 IoCs

pid	Process
2688	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2280	{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe
3060	{356546AE-588B-495c-AABA-32EFD840FAB0}.exe
2712	{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe
1224	{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe
2976	{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe
1740	{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe
2316	{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe
1284	{BDF98C33-67E6-438d-8326-D93BA749D6C6}.exe
1888	{EE150EA1-D885-4a9d-917B-AD598DA893B1}.exe
604	{F8A08BD8-0C39-4308-BC68-CAF56D36484C}.exe
2368	{A311436C-7478-4296-8141-6B672589A4D8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe	2024-01-08_44bb71fa7eef02f8d57aa4ed6a841325_goldeneye.exe
File created	C:\Windows\{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe	{356546AE-588B-495c-AABA-32EFD840FAB0}.exe
File created	C:\Windows\{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe	{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe
File created	C:\Windows\{EE150EA1-D885-4a9d-917B-AD598DA893B1}.exe	{BDF98C33-67E6-438d-8326-D93BA749D6C6}.exe
File created	C:\Windows\{A311436C-7478-4296-8141-6B672589A4D8}.exe	{F8A08BD8-0C39-4308-BC68-CAF56D36484C}.exe
File created	C:\Windows\{F8A08BD8-0C39-4308-BC68-CAF56D36484C}.exe	{EE150EA1-D885-4a9d-917B-AD598DA893B1}.exe
File created	C:\Windows\{356546AE-588B-495c-AABA-32EFD840FAB0}.exe	{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe
File created	C:\Windows\{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe	{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe
File created	C:\Windows\{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe	{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe
File created	C:\Windows\{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe	{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe
File created	C:\Windows\{BDF98C33-67E6-438d-8326-D93BA749D6C6}.exe	{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1520	2024-01-08_44bb71fa7eef02f8d57aa4ed6a841325_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2280	{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe
Token: SeIncBasePriorityPrivilege	3060	{356546AE-588B-495c-AABA-32EFD840FAB0}.exe
Token: SeIncBasePriorityPrivilege	2712	{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe
Token: SeIncBasePriorityPrivilege	1224	{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe
Token: SeIncBasePriorityPrivilege	2976	{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe
Token: SeIncBasePriorityPrivilege	1740	{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe
Token: SeIncBasePriorityPrivilege	2316	{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe
Token: SeIncBasePriorityPrivilege	1284	{BDF98C33-67E6-438d-8326-D93BA749D6C6}.exe
Token: SeIncBasePriorityPrivilege	1888	{EE150EA1-D885-4a9d-917B-AD598DA893B1}.exe
Token: SeIncBasePriorityPrivilege	604	{F8A08BD8-0C39-4308-BC68-CAF56D36484C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2280	1520	2024-01-08_44bb71fa7eef02f8d57aa4ed6a841325_goldeneye.exe	28
PID 1520 wrote to memory of 2280	1520	2024-01-08_44bb71fa7eef02f8d57aa4ed6a841325_goldeneye.exe	28
PID 1520 wrote to memory of 2280	1520	2024-01-08_44bb71fa7eef02f8d57aa4ed6a841325_goldeneye.exe	28
PID 1520 wrote to memory of 2280	1520	2024-01-08_44bb71fa7eef02f8d57aa4ed6a841325_goldeneye.exe	28
PID 1520 wrote to memory of 2688	1520	2024-01-08_44bb71fa7eef02f8d57aa4ed6a841325_goldeneye.exe	29
PID 1520 wrote to memory of 2688	1520	2024-01-08_44bb71fa7eef02f8d57aa4ed6a841325_goldeneye.exe	29
PID 1520 wrote to memory of 2688	1520	2024-01-08_44bb71fa7eef02f8d57aa4ed6a841325_goldeneye.exe	29
PID 1520 wrote to memory of 2688	1520	2024-01-08_44bb71fa7eef02f8d57aa4ed6a841325_goldeneye.exe	29
PID 2280 wrote to memory of 3060	2280	{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe	30
PID 2280 wrote to memory of 3060	2280	{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe	30
PID 2280 wrote to memory of 3060	2280	{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe	30
PID 2280 wrote to memory of 3060	2280	{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe	30
PID 2280 wrote to memory of 2816	2280	{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe	31
PID 2280 wrote to memory of 2816	2280	{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe	31
PID 2280 wrote to memory of 2816	2280	{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe	31
PID 2280 wrote to memory of 2816	2280	{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe	31
PID 3060 wrote to memory of 2712	3060	{356546AE-588B-495c-AABA-32EFD840FAB0}.exe	33
PID 3060 wrote to memory of 2712	3060	{356546AE-588B-495c-AABA-32EFD840FAB0}.exe	33
PID 3060 wrote to memory of 2712	3060	{356546AE-588B-495c-AABA-32EFD840FAB0}.exe	33
PID 3060 wrote to memory of 2712	3060	{356546AE-588B-495c-AABA-32EFD840FAB0}.exe	33
PID 3060 wrote to memory of 2812	3060	{356546AE-588B-495c-AABA-32EFD840FAB0}.exe	32
PID 3060 wrote to memory of 2812	3060	{356546AE-588B-495c-AABA-32EFD840FAB0}.exe	32
PID 3060 wrote to memory of 2812	3060	{356546AE-588B-495c-AABA-32EFD840FAB0}.exe	32
PID 3060 wrote to memory of 2812	3060	{356546AE-588B-495c-AABA-32EFD840FAB0}.exe	32
PID 2712 wrote to memory of 1224	2712	{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe	36
PID 2712 wrote to memory of 1224	2712	{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe	36
PID 2712 wrote to memory of 1224	2712	{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe	36
PID 2712 wrote to memory of 1224	2712	{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe	36
PID 2712 wrote to memory of 1384	2712	{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe	37
PID 2712 wrote to memory of 1384	2712	{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe	37
PID 2712 wrote to memory of 1384	2712	{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe	37
PID 2712 wrote to memory of 1384	2712	{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe	37
PID 1224 wrote to memory of 2976	1224	{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe	38
PID 1224 wrote to memory of 2976	1224	{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe	38
PID 1224 wrote to memory of 2976	1224	{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe	38
PID 1224 wrote to memory of 2976	1224	{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe	38
PID 1224 wrote to memory of 1780	1224	{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe	39
PID 1224 wrote to memory of 1780	1224	{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe	39
PID 1224 wrote to memory of 1780	1224	{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe	39
PID 1224 wrote to memory of 1780	1224	{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe	39
PID 2976 wrote to memory of 1740	2976	{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe	40
PID 2976 wrote to memory of 1740	2976	{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe	40
PID 2976 wrote to memory of 1740	2976	{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe	40
PID 2976 wrote to memory of 1740	2976	{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe	40
PID 2976 wrote to memory of 2272	2976	{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe	41
PID 2976 wrote to memory of 2272	2976	{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe	41
PID 2976 wrote to memory of 2272	2976	{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe	41
PID 2976 wrote to memory of 2272	2976	{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe	41
PID 1740 wrote to memory of 2316	1740	{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe	42
PID 1740 wrote to memory of 2316	1740	{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe	42
PID 1740 wrote to memory of 2316	1740	{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe	42
PID 1740 wrote to memory of 2316	1740	{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe	42
PID 1740 wrote to memory of 1468	1740	{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe	43
PID 1740 wrote to memory of 1468	1740	{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe	43
PID 1740 wrote to memory of 1468	1740	{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe	43
PID 1740 wrote to memory of 1468	1740	{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe	43
PID 2316 wrote to memory of 1284	2316	{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe	44
PID 2316 wrote to memory of 1284	2316	{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe	44
PID 2316 wrote to memory of 1284	2316	{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe	44
PID 2316 wrote to memory of 1284	2316	{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe	44
PID 2316 wrote to memory of 2192	2316	{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe	45
PID 2316 wrote to memory of 2192	2316	{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe	45
PID 2316 wrote to memory of 2192	2316	{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe	45
PID 2316 wrote to memory of 2192	2316	{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-08_44bb71fa7eef02f8d57aa4ed6a841325_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_44bb71fa7eef02f8d57aa4ed6a841325_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe
  C:\Windows\{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\{356546AE-588B-495c-AABA-32EFD840FAB0}.exe
    C:\Windows\{356546AE-588B-495c-AABA-32EFD840FAB0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{35654~1.EXE > nul
      4⤵
      PID:2812
  - - C:\Windows\{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe
      C:\Windows\{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe
        
        C:\Windows\{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Windows\{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe
        
        C:\Windows\{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe
        
        C:\Windows\{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe
        
        C:\Windows\{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\{BDF98C33-67E6-438d-8326-D93BA749D6C6}.exe
        
        C:\Windows\{BDF98C33-67E6-438d-8326-D93BA749D6C6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\{EE150EA1-D885-4a9d-917B-AD598DA893B1}.exe
        
        C:\Windows\{EE150EA1-D885-4a9d-917B-AD598DA893B1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE150~1.EXE > nul
        11⤵
        
        PID:1016
        
        C:\Windows\{F8A08BD8-0C39-4308-BC68-CAF56D36484C}.exe
        
        C:\Windows\{F8A08BD8-0C39-4308-BC68-CAF56D36484C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8A08~1.EXE > nul
        12⤵
        
        PID:1456
        
        C:\Windows\{A311436C-7478-4296-8141-6B672589A4D8}.exe
        
        C:\Windows\{A311436C-7478-4296-8141-6B672589A4D8}.exe
        12⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDF98~1.EXE > nul
        10⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBA70~1.EXE > nul
        9⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEFA0~1.EXE > nul
        8⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAA13~1.EXE > nul
        7⤵
        
        PID:2272
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F952C~1.EXE > nul
        6⤵
        
        PID:1780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9DD6~1.EXE > nul
        5⤵
        
        PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{63EA1~1.EXE > nul
    3⤵
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{356546AE-588B-495c-AABA-32EFD840FAB0}.exe

Filesize
216KB

MD5
edbe5b974fe145106c6cc7f8b0ed5b12

SHA1
3eef6555aa5bbfad3c89476ef17eb04713c87324

SHA256
40fad306b2bbf848a565ec2b131254a897c962b5f20821fbdb6ef94a94000141

SHA512
bf171e8eafaf06925705d044947ea76a0c394232c149d716976fab5501809b78393dda0d93a50d64f9c293f0e7b770e20320d857b600952a37bcc99f1019b658

Download Submit
C:\Windows\{63EA186C-FADD-4cf0-98E7-C350A1D95484}.exe

Filesize
216KB

MD5
58244764877b60ca53a70fa751adfdb3

SHA1
4047ffddb313d09e2563624dbe30494b1fa41177

SHA256
4532d11795f8803c48457ef8b54520e2b7bd97b18d20b1ea9e296a203245601f

SHA512
91ec35a8f8973ccf0300d22873be4d1f8ed196773dc89d8ee4a922e0ed9fcd4d9cc5deb116fa290a53e8350a33b7c3f9e547e4330fff7f031add147d2b864758

Download Submit
C:\Windows\{A311436C-7478-4296-8141-6B672589A4D8}.exe

Filesize
216KB

MD5
d774929fa74dc72d351c62fa84b7928a

SHA1
b97ae354e0665418446678f4f5dd5a9ec4077040

SHA256
04dcc3b45e214d433457594be4516891d4bfb635b93dd1506bb994653cf7d240

SHA512
4af2a931c2568d237b4d65c4fe167925e70b158f06cca1646d2e3c08efaa00abc24dfae8c06fea3667070768314cd31dd99ae131953c05f4e56b014beb14bf1d

Download Submit
C:\Windows\{BDF98C33-67E6-438d-8326-D93BA749D6C6}.exe

Filesize
216KB

MD5
33264016ae5d7b2942aaee8bf10ea2fb

SHA1
17f1d00dee124c46beec5d887a5d799fdc495a5e

SHA256
15100e634f9b2afdea5b9008e23e06bddbb0c052f0afee8bcb4c1f0931e58d29

SHA512
7bb829929891406363ee6877408424b8df779dc1dfb06865416e12877af2e81817e5c6dfbb78fac612c554d84eac7f3aa0be775ea538a660707f32644e7d7557

Download Submit
C:\Windows\{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe

Filesize
152KB

MD5
ffa62ff0d3e8418d8638b16e0614509a

SHA1
d207eccb8d21e013d572cdc0e7256e1606c8d190

SHA256
8ba0eb1865a6f1bcdd64877e142b5e3d2984522fea772e36b764bc1b4926d958

SHA512
e5210d0fb08569a45de9d7be51cbb25615f274fafcb59ce1a5532f642bff9d0a9ba7b7680ea1be8641ca8177877a562819ce281903a37babd6ead44137752a80

Download Submit
C:\Windows\{CAA13FA8-7241-4af5-8E6D-F91294EDCA78}.exe

Filesize
216KB

MD5
8c3914cb57fdaf38003e8d1d9336ff28

SHA1
db1a573e8005923de007ad51a3e049a6ce07412d

SHA256
d438ce4047eb84d51d1571707a9ce7478a161eecdefbe78cb0d4b785aca90649

SHA512
196cf70d05bcce5cddde0c0ce84344f7d3c099806e843934b43c0d436b6094ee3acfeb1f49a0ce54fe9d94214ef45cd8e705d3b15e9210d4906acf3f6c30fd1c

Download Submit
C:\Windows\{D9DD6D6F-86AC-496f-928F-4871D6529229}.exe

Filesize
216KB

MD5
066dda00c50e961c27b80267e722a2e1

SHA1
1ddc8ffa97898b2db6e3ef68b129315881987cbc

SHA256
0a30b7732ab8525910341ee8e6307584c7598eb3eb22890dbec11488b4475cf7

SHA512
2d1cb1e10dae82e561535f7ea627e3352f8a484278ca1325773c5bbd7e662f216be49663eaa8b6c2dce3e10e7f4b4602db30a8550d1fd8fd01daddeafb0c06a1

Download Submit
C:\Windows\{EBA70EFC-BAF6-4d01-968D-7CEF8575C529}.exe

Filesize
216KB

MD5
707439f68d2f1364bff062b8ebcc7c4b

SHA1
e824614cdaac564edaaa2819e5a98a8b55fc153d

SHA256
bb22d58f86c45a14ba7bd7d14b2b08838b6cc3223d44d8294ec5c817367cdf5a

SHA512
eeb535c4a76072afbbc982f0877503e346a83d7def8bcaa3f9472f4b742a7fcc4e960af637092b81a428dd4effdba79ab88a02ca6ea2ca52eb172d7ad7733926

Download Submit
C:\Windows\{EE150EA1-D885-4a9d-917B-AD598DA893B1}.exe

Filesize
216KB

MD5
ff71433771209af3dd48ed4bd374fd3f

SHA1
f189a0dffd8c8c9509ab0dd384817fdb054eac16

SHA256
e0596aede4009085c4a3b809214b64832bb29d35639ac6a31f75db1feb57453a

SHA512
99b12855b50b60886e0edea3923bdf6f585e77a63db37bc367159cecc3963b022a9e17bf413edbef4e001484c4a1baa386f76d221584504545153647c41c718e

Download Submit
C:\Windows\{EEFA0F8B-F35B-4647-992F-773ABEC52EE1}.exe

Filesize
216KB

MD5
990d8e46f671bea158557354631f5184

SHA1
31d9ec650d486b2b61d4279c0746277c6853f556

SHA256
58495485273d8a3cb15726d551fce4967522959d48b72faaee0608037885b396

SHA512
30b355e3a781d647af1f0ada7637333dcf795864c50ee7b7a1dcf4f21d05c5752d47388792ef9c2c129c2e85d146d44c3935f01d4c10f59b98e147ad23cded1c

Download Submit
C:\Windows\{F8A08BD8-0C39-4308-BC68-CAF56D36484C}.exe

Filesize
216KB

MD5
f1aecac04c83962ed45778962e6caf5e

SHA1
12d688b3520b7c015d2124538fbb90a01ee961cc

SHA256
31e32447d660e1faa985f36233584524ca91a209318c82817e63f367603cb5ab

SHA512
1f68de8cc13935710815138e2b8f4508f9cc01dc84c6e222651874337b76fa9f5175328dcd3bc0a9612defefb01f7e8827d7c77934f45e636f1f6c2eb1c75059

Download Submit
C:\Windows\{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe

Filesize
216KB

MD5
22f654211ae53c871f26d9a02ab3cc69

SHA1
bffb5ab9f381881ee79012f8ef6ff59dd8769e1a

SHA256
c161ab95c0104e1a29da3a18c396341412649210bb4e49459770de2b99ef205d

SHA512
f4ce5b6b30860fa5cdad8626e72e978778d83e4f26d9d0573222d91e6b040300a27e8609ca76f4e6544c553929cf3d9f1704d1807d060cd27884dbf61497a077

Download Submit
C:\Windows\{F952CF59-9AE0-48cb-992E-5C0672A4A763}.exe

Filesize
128KB

MD5
dfad76a94ed9d851cb4dd4b305f32f5d

SHA1
59d2df05780e3b3816ab71738eed8a67cdb1f72a

SHA256
c034164eaf25330b4795d1439be843770bf696aa6960495d5dd2058279d1842f

SHA512
962591bf53c675fc0d9d19f4b40fe3fadad8181f8407f00391107f6b25b7ed35a183b94a3ff1a09e74a9769f22c1976f676799d47e1d152ac6e063f5aff79121

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads