f99ab039eba070cb905cd67d4955e91fe04117ae808e7bbe9adfef5714342b87

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 06:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_45958133f9780f4eca0b25c92fd0a0fe_goldeneye.exe
Size

408KB
MD5

45958133f9780f4eca0b25c92fd0a0fe
SHA1

15751b2ab7d43c48354a0b5b9f1a223a7eeaf662
SHA256

f99ab039eba070cb905cd67d4955e91fe04117ae808e7bbe9adfef5714342b87
SHA512

52fe873f0ae41d915cf124ef8812ea464de78688e19c6badb1f00c343f94abdd8d08179f75d2650a870472a9b273f1b3adc8b23a2eca6f10b239e42d31fe6dea
SSDEEP

3072:CEGh0opl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGPldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0BAACB8-8967-4e36-9544-C8892BE7EF58}	{46770AFC-D9C2-4284-B886-29261541030C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0666FE75-2B58-4bc4-9C9C-81430ADAD550}	{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9970C9A2-0E13-43eb-9A20-82E19BE35D48}\stubpath = "C:\\Windows\\{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe"	{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03EC866B-0C4C-4d9c-90A5-2B99EBFAC6C0}	{9DEC7665-2BB9-4c44-9F18-1F9FAFE9DBAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBA310C3-D7C7-4918-B82A-1261FB45A4B9}	{03EC866B-0C4C-4d9c-90A5-2B99EBFAC6C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{118D2A1C-2664-41d5-A671-E47D24AD1196}\stubpath = "C:\\Windows\\{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe"	2024-01-08_45958133f9780f4eca0b25c92fd0a0fe_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46770AFC-D9C2-4284-B886-29261541030C}\stubpath = "C:\\Windows\\{46770AFC-D9C2-4284-B886-29261541030C}.exe"	{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10C74A74-E38A-4c47-820A-32FF5B95BA00}\stubpath = "C:\\Windows\\{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe"	{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03EC866B-0C4C-4d9c-90A5-2B99EBFAC6C0}\stubpath = "C:\\Windows\\{03EC866B-0C4C-4d9c-90A5-2B99EBFAC6C0}.exe"	{9DEC7665-2BB9-4c44-9F18-1F9FAFE9DBAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBA310C3-D7C7-4918-B82A-1261FB45A4B9}\stubpath = "C:\\Windows\\{FBA310C3-D7C7-4918-B82A-1261FB45A4B9}.exe"	{03EC866B-0C4C-4d9c-90A5-2B99EBFAC6C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46770AFC-D9C2-4284-B886-29261541030C}	{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10C74A74-E38A-4c47-820A-32FF5B95BA00}	{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE4C519F-4C93-4678-9498-092FD55B0DD7}\stubpath = "C:\\Windows\\{FE4C519F-4C93-4678-9498-092FD55B0DD7}.exe"	{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DEC7665-2BB9-4c44-9F18-1F9FAFE9DBAD}	{FE4C519F-4C93-4678-9498-092FD55B0DD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{118D2A1C-2664-41d5-A671-E47D24AD1196}	2024-01-08_45958133f9780f4eca0b25c92fd0a0fe_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0BAACB8-8967-4e36-9544-C8892BE7EF58}\stubpath = "C:\\Windows\\{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe"	{46770AFC-D9C2-4284-B886-29261541030C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B83FD30-E81A-46ca-8395-513C46B08F70}\stubpath = "C:\\Windows\\{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe"	{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9970C9A2-0E13-43eb-9A20-82E19BE35D48}	{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE4C519F-4C93-4678-9498-092FD55B0DD7}	{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DEC7665-2BB9-4c44-9F18-1F9FAFE9DBAD}\stubpath = "C:\\Windows\\{9DEC7665-2BB9-4c44-9F18-1F9FAFE9DBAD}.exe"	{FE4C519F-4C93-4678-9498-092FD55B0DD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0666FE75-2B58-4bc4-9C9C-81430ADAD550}\stubpath = "C:\\Windows\\{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe"	{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B83FD30-E81A-46ca-8395-513C46B08F70}	{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe

Deletes itself 1 IoCs

pid	Process
2276	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2036	{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe
2992	{46770AFC-D9C2-4284-B886-29261541030C}.exe
2800	{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe
1156	{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe
3056	{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe
2008	{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe
1456	{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe
1200	{FE4C519F-4C93-4678-9498-092FD55B0DD7}.exe
2120	{9DEC7665-2BB9-4c44-9F18-1F9FAFE9DBAD}.exe
3008	{03EC866B-0C4C-4d9c-90A5-2B99EBFAC6C0}.exe
1036	{FBA310C3-D7C7-4918-B82A-1261FB45A4B9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe	2024-01-08_45958133f9780f4eca0b25c92fd0a0fe_goldeneye.exe
File created	C:\Windows\{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe	{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe
File created	C:\Windows\{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe	{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe
File created	C:\Windows\{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe	{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe
File created	C:\Windows\{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe	{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe
File created	C:\Windows\{FE4C519F-4C93-4678-9498-092FD55B0DD7}.exe	{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe
File created	C:\Windows\{9DEC7665-2BB9-4c44-9F18-1F9FAFE9DBAD}.exe	{FE4C519F-4C93-4678-9498-092FD55B0DD7}.exe
File created	C:\Windows\{03EC866B-0C4C-4d9c-90A5-2B99EBFAC6C0}.exe	{9DEC7665-2BB9-4c44-9F18-1F9FAFE9DBAD}.exe
File created	C:\Windows\{46770AFC-D9C2-4284-B886-29261541030C}.exe	{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe
File created	C:\Windows\{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe	{46770AFC-D9C2-4284-B886-29261541030C}.exe
File created	C:\Windows\{FBA310C3-D7C7-4918-B82A-1261FB45A4B9}.exe	{03EC866B-0C4C-4d9c-90A5-2B99EBFAC6C0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2212	2024-01-08_45958133f9780f4eca0b25c92fd0a0fe_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2036	{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe
Token: SeIncBasePriorityPrivilege	2992	{46770AFC-D9C2-4284-B886-29261541030C}.exe
Token: SeIncBasePriorityPrivilege	2800	{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe
Token: SeIncBasePriorityPrivilege	1156	{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe
Token: SeIncBasePriorityPrivilege	3056	{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe
Token: SeIncBasePriorityPrivilege	2008	{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe
Token: SeIncBasePriorityPrivilege	1456	{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe
Token: SeIncBasePriorityPrivilege	1200	{FE4C519F-4C93-4678-9498-092FD55B0DD7}.exe
Token: SeIncBasePriorityPrivilege	2120	{9DEC7665-2BB9-4c44-9F18-1F9FAFE9DBAD}.exe
Token: SeIncBasePriorityPrivilege	3008	{03EC866B-0C4C-4d9c-90A5-2B99EBFAC6C0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2036	2212	2024-01-08_45958133f9780f4eca0b25c92fd0a0fe_goldeneye.exe	28
PID 2212 wrote to memory of 2036	2212	2024-01-08_45958133f9780f4eca0b25c92fd0a0fe_goldeneye.exe	28
PID 2212 wrote to memory of 2036	2212	2024-01-08_45958133f9780f4eca0b25c92fd0a0fe_goldeneye.exe	28
PID 2212 wrote to memory of 2036	2212	2024-01-08_45958133f9780f4eca0b25c92fd0a0fe_goldeneye.exe	28
PID 2212 wrote to memory of 2276	2212	2024-01-08_45958133f9780f4eca0b25c92fd0a0fe_goldeneye.exe	29
PID 2212 wrote to memory of 2276	2212	2024-01-08_45958133f9780f4eca0b25c92fd0a0fe_goldeneye.exe	29
PID 2212 wrote to memory of 2276	2212	2024-01-08_45958133f9780f4eca0b25c92fd0a0fe_goldeneye.exe	29
PID 2212 wrote to memory of 2276	2212	2024-01-08_45958133f9780f4eca0b25c92fd0a0fe_goldeneye.exe	29
PID 2036 wrote to memory of 2992	2036	{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe	31
PID 2036 wrote to memory of 2992	2036	{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe	31
PID 2036 wrote to memory of 2992	2036	{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe	31
PID 2036 wrote to memory of 2992	2036	{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe	31
PID 2036 wrote to memory of 2112	2036	{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe	30
PID 2036 wrote to memory of 2112	2036	{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe	30
PID 2036 wrote to memory of 2112	2036	{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe	30
PID 2036 wrote to memory of 2112	2036	{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe	30
PID 2992 wrote to memory of 2800	2992	{46770AFC-D9C2-4284-B886-29261541030C}.exe	32
PID 2992 wrote to memory of 2800	2992	{46770AFC-D9C2-4284-B886-29261541030C}.exe	32
PID 2992 wrote to memory of 2800	2992	{46770AFC-D9C2-4284-B886-29261541030C}.exe	32
PID 2992 wrote to memory of 2800	2992	{46770AFC-D9C2-4284-B886-29261541030C}.exe	32
PID 2992 wrote to memory of 2844	2992	{46770AFC-D9C2-4284-B886-29261541030C}.exe	33
PID 2992 wrote to memory of 2844	2992	{46770AFC-D9C2-4284-B886-29261541030C}.exe	33
PID 2992 wrote to memory of 2844	2992	{46770AFC-D9C2-4284-B886-29261541030C}.exe	33
PID 2992 wrote to memory of 2844	2992	{46770AFC-D9C2-4284-B886-29261541030C}.exe	33
PID 2800 wrote to memory of 1156	2800	{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe	37
PID 2800 wrote to memory of 1156	2800	{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe	37
PID 2800 wrote to memory of 1156	2800	{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe	37
PID 2800 wrote to memory of 1156	2800	{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe	37
PID 2800 wrote to memory of 1808	2800	{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe	36
PID 2800 wrote to memory of 1808	2800	{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe	36
PID 2800 wrote to memory of 1808	2800	{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe	36
PID 2800 wrote to memory of 1808	2800	{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe	36
PID 1156 wrote to memory of 3056	1156	{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe	38
PID 1156 wrote to memory of 3056	1156	{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe	38
PID 1156 wrote to memory of 3056	1156	{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe	38
PID 1156 wrote to memory of 3056	1156	{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe	38
PID 1156 wrote to memory of 2160	1156	{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe	39
PID 1156 wrote to memory of 2160	1156	{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe	39
PID 1156 wrote to memory of 2160	1156	{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe	39
PID 1156 wrote to memory of 2160	1156	{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe	39
PID 3056 wrote to memory of 2008	3056	{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe	40
PID 3056 wrote to memory of 2008	3056	{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe	40
PID 3056 wrote to memory of 2008	3056	{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe	40
PID 3056 wrote to memory of 2008	3056	{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe	40
PID 3056 wrote to memory of 624	3056	{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe	41
PID 3056 wrote to memory of 624	3056	{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe	41
PID 3056 wrote to memory of 624	3056	{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe	41
PID 3056 wrote to memory of 624	3056	{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe	41
PID 2008 wrote to memory of 1456	2008	{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe	43
PID 2008 wrote to memory of 1456	2008	{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe	43
PID 2008 wrote to memory of 1456	2008	{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe	43
PID 2008 wrote to memory of 1456	2008	{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe	43
PID 2008 wrote to memory of 312	2008	{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe	42
PID 2008 wrote to memory of 312	2008	{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe	42
PID 2008 wrote to memory of 312	2008	{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe	42
PID 2008 wrote to memory of 312	2008	{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe	42
PID 1456 wrote to memory of 1200	1456	{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe	45
PID 1456 wrote to memory of 1200	1456	{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe	45
PID 1456 wrote to memory of 1200	1456	{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe	45
PID 1456 wrote to memory of 1200	1456	{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe	45
PID 1456 wrote to memory of 840	1456	{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe	44
PID 1456 wrote to memory of 840	1456	{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe	44
PID 1456 wrote to memory of 840	1456	{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe	44
PID 1456 wrote to memory of 840	1456	{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-08_45958133f9780f4eca0b25c92fd0a0fe_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_45958133f9780f4eca0b25c92fd0a0fe_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe
  C:\Windows\{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{118D2~1.EXE > nul
    3⤵
    PID:2112
- - C:\Windows\{46770AFC-D9C2-4284-B886-29261541030C}.exe
    C:\Windows\{46770AFC-D9C2-4284-B886-29261541030C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe
      C:\Windows\{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0BAA~1.EXE > nul
        5⤵
        
        PID:1808
    - - C:\Windows\{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe
        
        C:\Windows\{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Windows\{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe
        
        C:\Windows\{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe
        
        C:\Windows\{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B83F~1.EXE > nul
        8⤵
        
        PID:312
        
        C:\Windows\{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe
        
        C:\Windows\{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9970C~1.EXE > nul
        9⤵
        
        PID:840
        
        C:\Windows\{FE4C519F-4C93-4678-9498-092FD55B0DD7}.exe
        
        C:\Windows\{FE4C519F-4C93-4678-9498-092FD55B0DD7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE4C5~1.EXE > nul
        10⤵
        
        PID:2092
        
        C:\Windows\{9DEC7665-2BB9-4c44-9F18-1F9FAFE9DBAD}.exe
        
        C:\Windows\{9DEC7665-2BB9-4c44-9F18-1F9FAFE9DBAD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DEC7~1.EXE > nul
        11⤵
        
        PID:2124
        
        C:\Windows\{03EC866B-0C4C-4d9c-90A5-2B99EBFAC6C0}.exe
        
        C:\Windows\{03EC866B-0C4C-4d9c-90A5-2B99EBFAC6C0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03EC8~1.EXE > nul
        12⤵
        
        PID:2404
        
        C:\Windows\{FBA310C3-D7C7-4918-B82A-1261FB45A4B9}.exe
        
        C:\Windows\{FBA310C3-D7C7-4918-B82A-1261FB45A4B9}.exe
        12⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10C74~1.EXE > nul
        7⤵
        
        PID:624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0666F~1.EXE > nul
        6⤵
        
        PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{46770~1.EXE > nul
      4⤵
      PID:2844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03EC866B-0C4C-4d9c-90A5-2B99EBFAC6C0}.exe

Filesize
408KB

MD5
d9ec892e9c8e448ac9961231fbdfa27a

SHA1
77c01ce78fe309025667e1c7b59484ca63c47fef

SHA256
02ea381a1f0634ccfe080ad090af521e814809e321417b75181f7b3d8966e342

SHA512
8b09cc0b7ab094ab94d94b3f04fdf519a5922c0a9af35a1944ebf3c176ef707ad698214e9ff92c7ebb562e4d28c5ba7955d7963a6f1dfb09d26dd5c43eac5451

Download Submit
C:\Windows\{0666FE75-2B58-4bc4-9C9C-81430ADAD550}.exe

Filesize
408KB

MD5
f65105745ad2816d6de496666c270912

SHA1
671f3c3383ad07875b37ae35067bf699be69e2ee

SHA256
ae1abf8339387f44cad256176dd0ed1ae3526689544cefed05971cb4b23a796f

SHA512
82e7bb77020b2942e3a56015322bf136bf8320619a0ab9f6f6c2a2e136a5a8f1a4f304f4f8c67536ab792fee4cb83b3cfd561b7cdefadf8f0281e55763581d08

Download Submit
C:\Windows\{10C74A74-E38A-4c47-820A-32FF5B95BA00}.exe

Filesize
408KB

MD5
bf888274ebdf1ae8957766770b92ac79

SHA1
d04ce5a7f7060f18f8c615e1084784dc2198be46

SHA256
627cf7a03a525ad9e498789ea0266d0343007045cc118d42103b3d2fd5204f94

SHA512
27bd1a3b5bef206dc7f7a403e6b2ac46c31cf1102e8bd3575682e64c74286c5e190c0a3a3e95b6bb348c46e2f7256a47c862915a9ecb63e08aa2eaf429a08680

Download Submit
C:\Windows\{118D2A1C-2664-41d5-A671-E47D24AD1196}.exe

Filesize
408KB

MD5
713ffa295c39dd60769496abaab3581e

SHA1
a6f67fa9c8255478898b1072920fbaa7f8979ac3

SHA256
a96c333205b0cc89a3ec890f81e2622aa39b47588118a3398be14952419649d8

SHA512
c5c5420ee37b81c477a3c5915a22cb564aeb9013896fe44afda18aaea55874e16533e716c31fa5e9b6e182333d1aed651aa63a3e089ae5b6db1eccf731ba85dc

Download Submit
C:\Windows\{46770AFC-D9C2-4284-B886-29261541030C}.exe

Filesize
408KB

MD5
55695df3c0acd44a8b779a29e743d67d

SHA1
083d948aa2189212549889f1704f005e9114897d

SHA256
8820d98e549cf51bdf7ba10ba798b3247c43f29baa44ae500ea9ac791ae9ae9d

SHA512
a16fd413ebc27f9ca760ad649e15928605f332d8f56c1ae49643cd9326247a4e94957fb96754833aa0d54281f29abe2c64657cc7c3e0d942c842cc84e4b98710

Download Submit
C:\Windows\{46770AFC-D9C2-4284-B886-29261541030C}.exe

Filesize
54KB

MD5
28189fc397dc398ed18610226612971a

SHA1
c6998f6f3bd3d734e266be7c04e8e80c418edfd1

SHA256
253eb6670755cca471b02f7d5b2eb855789a519e1cfb7bf5f6f868d686295527

SHA512
c0801f9f3e25896f043d0ff9220b75d2f3cc8ce333d07b61b5195ac4976e19f5093e8938c83d8bb751a44a3b5844b78db99f16b4e879f6db89b808591f673a7e

Download Submit
C:\Windows\{9970C9A2-0E13-43eb-9A20-82E19BE35D48}.exe

Filesize
408KB

MD5
e3bbbd6194eb47ee58e8262f1c8801a9

SHA1
97910536ca022fdf4fd28f7514d29188a144e80c

SHA256
af7dc467003cde046c9843fcd9cdee8af04c7390652ac87db4213c14968d6638

SHA512
5af89187f6dbc20cc640cd6cee3c4faa5c5c7181aea7bad5cba33e0a2d3415931ae7e56505633a901b731f985308ad4020391adf6170a71f12b21081899229bd

Download Submit
C:\Windows\{9B83FD30-E81A-46ca-8395-513C46B08F70}.exe

Filesize
408KB

MD5
4ccbb2f7498f8525d5e65cc0f389afd1

SHA1
e85f7f3753483bab46f445db063cf059c4cfbbb2

SHA256
9936aac94f72e1c9ce8a4a23942999a4491870ad2c28597436a0b44343a785d7

SHA512
d4e1ad3b313613b029b541a99852b14a29275a656a6d50939e2906c9d5d8a3f1390ec76ae278ecb05ff9052bcf3e4f40a48dfcb788cf3cbb6fb79e642bce1387

Download Submit
C:\Windows\{9DEC7665-2BB9-4c44-9F18-1F9FAFE9DBAD}.exe

Filesize
408KB

MD5
72a68ca6b4d184749149c48313569cc4

SHA1
93ffa737af93de34f75cdc34ab3c96194f501e8f

SHA256
2056fda78bbbdb1d164d9cc35c55f2df5ad9cea43b732571439405d8eae172e6

SHA512
fb357f1090398a9bf8d77cbe02d0b072c68badcbb1a89a0564e51d429df2d9e02de74973addbd09260164b645363c4f253d4719145e93e700f346e46138ea170

Download Submit
C:\Windows\{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe

Filesize
45KB

MD5
3ffa53db617e4416cbe3a43e4ece5c79

SHA1
a3f3d8e9e300192a6b7dc97ccc6bc9c42280f2de

SHA256
3dfd591076b53d0e575af65033f4a7b5ba515e3c1574e9544a9c59fa8ea8def4

SHA512
727c945613d53394c1d9c2159ed59b969751b30eab26f34a11da9fa62916d4d536666a056a5c8620f02494155301c27780d94f98d025d5079b132315d94210fa

Download Submit
C:\Windows\{B0BAACB8-8967-4e36-9544-C8892BE7EF58}.exe

Filesize
408KB

MD5
aa6cc15a2c88fac48bdb53fd0a1e56cf

SHA1
d4f187b5dfda6b4c86aac17e06fbba81cc9c6b07

SHA256
aefe0110091852399791af8125f71ff91c0e394789bd07111522cf0d93cc3f6e

SHA512
15893f7da7e311bb476d2690bf3d9982bde06d7061c6ff9f57db7d6d60703e07b452a57793da6f7421e576eaa2db332d34cd1e2c2c88dcf15c8c5acde30785dd

Download Submit
C:\Windows\{FBA310C3-D7C7-4918-B82A-1261FB45A4B9}.exe

Filesize
408KB

MD5
1e8f7a6758df98b8f704cc3e5496ec01

SHA1
b6fd0d77136147107c75dd3c2b3e41cb4463466b

SHA256
ed3e931ee8aafb61f7b54c802cce9e1c6d1f0d9bd74dfe3baaba541a5f79b6f1

SHA512
9e6375d0b8343c15b6ccb0e5333dfd8dbe93e136f19a2a4e41999f4f05f062e9cb006a77b6101bb890e795fe54d367877a7ae40a2e92e0a0afebab1faa5a61a3

Download Submit
C:\Windows\{FE4C519F-4C93-4678-9498-092FD55B0DD7}.exe

Filesize
408KB

MD5
51ae4c5a18757567ba7c98932cec4f61

SHA1
0923f2b8059cc01f9facc84dfe1277b2a99a20c6

SHA256
77060a697e29d75096119161260506da79915113b2fefb9b226db4ee5deba172

SHA512
debc42565da8cdb433ef8b8bc598d16db3759cdb9aba8f06ecd45eafdaf4fa4cd9b400a3ee21e4f8898ed634f2eaacec2ed2d48b5c5a3882933b0a567f9a58f6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads