dcbf7c6e4662150b8d1280fb0fe64e82de0af252cbbdb5258ffa7e7564e30e23

Analysis

max time kernel
125s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 06:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_6707da78b129081cefdbd02819287b50_goldeneye.exe
Size

216KB
MD5

6707da78b129081cefdbd02819287b50
SHA1

74eb3a8a39e3c07bf5395363224b82c8211b5a13
SHA256

dcbf7c6e4662150b8d1280fb0fe64e82de0af252cbbdb5258ffa7e7564e30e23
SHA512

4857a53ce40e9123482021118b2b2428bd33f2b802c5b25e9d5c73462fa8be8dd0cb29010ca6ae82207f0365ad3252ac0ca406a5f453a5d79f408f18f6d43f9f
SSDEEP

3072:jEGh0o+l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGclEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6878A18D-D5C2-43af-8155-88E109C05FEF}	{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAD0ADEA-417A-4482-9121-491CF61F58C3}\stubpath = "C:\\Windows\\{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe"	{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}\stubpath = "C:\\Windows\\{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe"	{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}	{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42DC1E47-D3A0-449a-9B13-7EC788756322}\stubpath = "C:\\Windows\\{42DC1E47-D3A0-449a-9B13-7EC788756322}.exe"	{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C468900-5248-40c8-96D5-D48EA16D13E8}	{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAD0ADEA-417A-4482-9121-491CF61F58C3}	{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{687014F7-4447-4ec8-A236-3E9F5BA4B88C}	{42DC1E47-D3A0-449a-9B13-7EC788756322}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}\stubpath = "C:\\Windows\\{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe"	{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D31064E6-05CD-4f28-8A5A-8676D35021BE}	{687014F7-4447-4ec8-A236-3E9F5BA4B88C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3143744-607B-4b54-B4F4-D82C8C966C1D}	2024-01-08_6707da78b129081cefdbd02819287b50_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3143744-607B-4b54-B4F4-D82C8C966C1D}\stubpath = "C:\\Windows\\{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe"	2024-01-08_6707da78b129081cefdbd02819287b50_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C468900-5248-40c8-96D5-D48EA16D13E8}\stubpath = "C:\\Windows\\{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe"	{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04AF86DB-4110-4715-A041-686E6ED6FEC7}	{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04AF86DB-4110-4715-A041-686E6ED6FEC7}\stubpath = "C:\\Windows\\{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe"	{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6878A18D-D5C2-43af-8155-88E109C05FEF}\stubpath = "C:\\Windows\\{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe"	{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}	{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42DC1E47-D3A0-449a-9B13-7EC788756322}	{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{687014F7-4447-4ec8-A236-3E9F5BA4B88C}\stubpath = "C:\\Windows\\{687014F7-4447-4ec8-A236-3E9F5BA4B88C}.exe"	{42DC1E47-D3A0-449a-9B13-7EC788756322}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D31064E6-05CD-4f28-8A5A-8676D35021BE}\stubpath = "C:\\Windows\\{D31064E6-05CD-4f28-8A5A-8676D35021BE}.exe"	{687014F7-4447-4ec8-A236-3E9F5BA4B88C}.exe

Deletes itself 1 IoCs

pid	Process
2192	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1092	{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe
2880	{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe
2812	{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe
2840	{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe
3044	{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe
1568	{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe
1536	{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe
2652	{42DC1E47-D3A0-449a-9B13-7EC788756322}.exe
2916	{687014F7-4447-4ec8-A236-3E9F5BA4B88C}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe	{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe
File created	C:\Windows\{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe	{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe
File created	C:\Windows\{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe	{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe
File created	C:\Windows\{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe	{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe
File created	C:\Windows\{42DC1E47-D3A0-449a-9B13-7EC788756322}.exe	{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe
File created	C:\Windows\{D31064E6-05CD-4f28-8A5A-8676D35021BE}.exe	{687014F7-4447-4ec8-A236-3E9F5BA4B88C}.exe
File created	C:\Windows\{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe	2024-01-08_6707da78b129081cefdbd02819287b50_goldeneye.exe
File created	C:\Windows\{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe	{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe
File created	C:\Windows\{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe	{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe
File created	C:\Windows\{687014F7-4447-4ec8-A236-3E9F5BA4B88C}.exe	{42DC1E47-D3A0-449a-9B13-7EC788756322}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1684	2024-01-08_6707da78b129081cefdbd02819287b50_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1092	{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe
Token: SeIncBasePriorityPrivilege	2880	{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe
Token: SeIncBasePriorityPrivilege	2812	{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe
Token: SeIncBasePriorityPrivilege	2840	{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe
Token: SeIncBasePriorityPrivilege	3044	{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe
Token: SeIncBasePriorityPrivilege	1568	{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe
Token: SeIncBasePriorityPrivilege	1536	{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe
Token: SeIncBasePriorityPrivilege	2652	{42DC1E47-D3A0-449a-9B13-7EC788756322}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1092	1684	2024-01-08_6707da78b129081cefdbd02819287b50_goldeneye.exe	28
PID 1684 wrote to memory of 1092	1684	2024-01-08_6707da78b129081cefdbd02819287b50_goldeneye.exe	28
PID 1684 wrote to memory of 1092	1684	2024-01-08_6707da78b129081cefdbd02819287b50_goldeneye.exe	28
PID 1684 wrote to memory of 1092	1684	2024-01-08_6707da78b129081cefdbd02819287b50_goldeneye.exe	28
PID 1684 wrote to memory of 2192	1684	2024-01-08_6707da78b129081cefdbd02819287b50_goldeneye.exe	29
PID 1684 wrote to memory of 2192	1684	2024-01-08_6707da78b129081cefdbd02819287b50_goldeneye.exe	29
PID 1684 wrote to memory of 2192	1684	2024-01-08_6707da78b129081cefdbd02819287b50_goldeneye.exe	29
PID 1684 wrote to memory of 2192	1684	2024-01-08_6707da78b129081cefdbd02819287b50_goldeneye.exe	29
PID 1092 wrote to memory of 2880	1092	{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe	31
PID 1092 wrote to memory of 2880	1092	{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe	31
PID 1092 wrote to memory of 2880	1092	{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe	31
PID 1092 wrote to memory of 2880	1092	{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe	31
PID 1092 wrote to memory of 2120	1092	{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe	30
PID 1092 wrote to memory of 2120	1092	{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe	30
PID 1092 wrote to memory of 2120	1092	{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe	30
PID 1092 wrote to memory of 2120	1092	{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe	30
PID 2880 wrote to memory of 2812	2880	{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe	33
PID 2880 wrote to memory of 2812	2880	{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe	33
PID 2880 wrote to memory of 2812	2880	{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe	33
PID 2880 wrote to memory of 2812	2880	{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe	33
PID 2880 wrote to memory of 2736	2880	{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe	32
PID 2880 wrote to memory of 2736	2880	{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe	32
PID 2880 wrote to memory of 2736	2880	{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe	32
PID 2880 wrote to memory of 2736	2880	{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe	32
PID 2812 wrote to memory of 2840	2812	{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe	36
PID 2812 wrote to memory of 2840	2812	{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe	36
PID 2812 wrote to memory of 2840	2812	{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe	36
PID 2812 wrote to memory of 2840	2812	{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe	36
PID 2812 wrote to memory of 2580	2812	{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe	37
PID 2812 wrote to memory of 2580	2812	{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe	37
PID 2812 wrote to memory of 2580	2812	{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe	37
PID 2812 wrote to memory of 2580	2812	{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe	37
PID 2840 wrote to memory of 3044	2840	{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe	38
PID 2840 wrote to memory of 3044	2840	{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe	38
PID 2840 wrote to memory of 3044	2840	{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe	38
PID 2840 wrote to memory of 3044	2840	{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe	38
PID 2840 wrote to memory of 3052	2840	{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe	39
PID 2840 wrote to memory of 3052	2840	{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe	39
PID 2840 wrote to memory of 3052	2840	{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe	39
PID 2840 wrote to memory of 3052	2840	{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe	39
PID 3044 wrote to memory of 1568	3044	{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe	41
PID 3044 wrote to memory of 1568	3044	{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe	41
PID 3044 wrote to memory of 1568	3044	{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe	41
PID 3044 wrote to memory of 1568	3044	{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe	41
PID 3044 wrote to memory of 1320	3044	{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe	40
PID 3044 wrote to memory of 1320	3044	{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe	40
PID 3044 wrote to memory of 1320	3044	{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe	40
PID 3044 wrote to memory of 1320	3044	{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe	40
PID 1568 wrote to memory of 1536	1568	{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe	43
PID 1568 wrote to memory of 1536	1568	{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe	43
PID 1568 wrote to memory of 1536	1568	{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe	43
PID 1568 wrote to memory of 1536	1568	{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe	43
PID 1568 wrote to memory of 1036	1568	{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe	42
PID 1568 wrote to memory of 1036	1568	{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe	42
PID 1568 wrote to memory of 1036	1568	{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe	42
PID 1568 wrote to memory of 1036	1568	{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe	42
PID 1536 wrote to memory of 2652	1536	{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe	45
PID 1536 wrote to memory of 2652	1536	{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe	45
PID 1536 wrote to memory of 2652	1536	{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe	45
PID 1536 wrote to memory of 2652	1536	{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe	45
PID 1536 wrote to memory of 1312	1536	{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe	44
PID 1536 wrote to memory of 1312	1536	{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe	44
PID 1536 wrote to memory of 1312	1536	{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe	44
PID 1536 wrote to memory of 1312	1536	{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-08_6707da78b129081cefdbd02819287b50_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_6707da78b129081cefdbd02819287b50_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe
  C:\Windows\{D3143744-607B-4b54-B4F4-D82C8C966C1D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3143~1.EXE > nul
    3⤵
    PID:2120
- - C:\Windows\{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe
    C:\Windows\{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6878A~1.EXE > nul
      4⤵
      PID:2736
  - - C:\Windows\{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe
      C:\Windows\{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe
        
        C:\Windows\{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Windows\{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe
        
        C:\Windows\{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CC17~1.EXE > nul
        7⤵
        
        PID:1320
        
        C:\Windows\{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe
        
        C:\Windows\{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04AF8~1.EXE > nul
        8⤵
        
        PID:1036
        
        C:\Windows\{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe
        
        C:\Windows\{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E074D~1.EXE > nul
        9⤵
        
        PID:1312
        
        C:\Windows\{42DC1E47-D3A0-449a-9B13-7EC788756322}.exe
        
        C:\Windows\{42DC1E47-D3A0-449a-9B13-7EC788756322}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42DC1~1.EXE > nul
        10⤵
        
        PID:2884
        
        C:\Windows\{687014F7-4447-4ec8-A236-3E9F5BA4B88C}.exe
        
        C:\Windows\{687014F7-4447-4ec8-A236-3E9F5BA4B88C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68701~1.EXE > nul
        11⤵
        
        PID:3064
        
        C:\Windows\{D31064E6-05CD-4f28-8A5A-8676D35021BE}.exe
        
        C:\Windows\{D31064E6-05CD-4f28-8A5A-8676D35021BE}.exe
        11⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3106~1.EXE > nul
        12⤵
        
        PID:1504
        
        C:\Windows\{94D58CB5-F90A-4a20-A932-27457D2A5EFF}.exe
        
        C:\Windows\{94D58CB5-F90A-4a20-A932-27457D2A5EFF}.exe
        12⤵
        
        PID:656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAD0A~1.EXE > nul
        6⤵
        
        PID:3052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C468~1.EXE > nul
        5⤵
        
        PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04AF86DB-4110-4715-A041-686E6ED6FEC7}.exe

Filesize
86KB

MD5
6a8810946dab8d8a39d556ee52938101

SHA1
34a2672d30ecac61b39d9975e72fa7e67b081f73

SHA256
b81390342710567e3df1e931e17d07ec5c0e29b72c19f9ecb4d39f3c0b9e6940

SHA512
d5378a0de8ae4c9e8a21381c80060d11bfe280f9a3e77667e18cfc74660a648be9467ed1af02756329b3fdd0c98f4378839dcb1d45614a6d9f0d028261058d0f

Download Submit
C:\Windows\{42DC1E47-D3A0-449a-9B13-7EC788756322}.exe

Filesize
216KB

MD5
44358bbf25c10ea2cfbc2099a6377164

SHA1
a37de73e6bbfb0664cc40efe41e1ba82e8752b8f

SHA256
2ad0f28ac58ac2ca5a72cc3bef66de21c53d87614fc6b6ab64d953e1a79d8a5d

SHA512
58a6d1afc47c2dd9d27f81b2a014a2c7f36f73cae2da64159bc2241ea5caea09a67a927bec31ed861b598f565c312e2a10db949e517bdbcbd8699006bd33ceb4

Download Submit
C:\Windows\{42DC1E47-D3A0-449a-9B13-7EC788756322}.exe

Filesize
36KB

MD5
c34fd54e00822325ce72d8a42411d5ae

SHA1
59d7a06fa827ce15734994801e0e39fe90f7ca24

SHA256
ba1afa8c43a5d4d56bb8c9a8ceb5594a668b11d3fbd5050fb4a45258582c3840

SHA512
1d857e3b18843ff1ff13a68e0d131bedd763ef13f00d7d6fbc2e85e4066517f1317ddfbece76de0a73875529457415470b523e8f8b85c5a986a68c249a1bbcac

Download Submit
C:\Windows\{687014F7-4447-4ec8-A236-3E9F5BA4B88C}.exe

Filesize
43KB

MD5
ffcc3637427820f9b434c18d187947e7

SHA1
c98da0cf7bcbf49fac38589656c3fc3ee042c669

SHA256
96b85752da8e16f34474d33767a5b8b6f3e14dbcbfd7372ace8a01539c413663

SHA512
6ad98951ce903c118223ead01d050733e05569137ff2f0ceb92a91bd2cef06b1b9ad006713d7ef7df2ef661c0f7e25ca6c392d9e0a7db192609d3e733a1957eb

Download Submit
C:\Windows\{687014F7-4447-4ec8-A236-3E9F5BA4B88C}.exe

Filesize
146KB

MD5
e688433f08aaa75b4e4b7d13c24a760a

SHA1
cc47367e946e9c097ac8eb907816d304a6a994fa

SHA256
97e8c9ba8a5a5c9c4c7e8c7ac4e5fa1bf0d42a929c23c1d6172d51a7b9dab38b

SHA512
b01c0be6d901e73839f994d7337a7cdebc36f09992c144c87770255ddefd4e132c82fb57008dd65e277f7cfbe98930a0ae11ee21b629946e5147bb41d474365d

Download Submit
C:\Windows\{6878A18D-D5C2-43af-8155-88E109C05FEF}.exe

Filesize
216KB

MD5
2820b85664cb7f0cdb2d925f6e56dd38

SHA1
514e139db0d8fe9fc5b31fcd6a9e1603f7567727

SHA256
307714afc19e31b5d97d2c103a9f59ed59497fd376315991f789c6947ab9ff3f

SHA512
f4bf5969342913abac7bc9b7c51a786fdda2c8abe2429a33022b5715e225ffca40d49cf895ff917b9d32e2d3ffbb1e245d748d77626ac7c55c9f553148f1282b

Download Submit
C:\Windows\{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe

Filesize
216KB

MD5
ea9222cb89ad1527ce05343791226045

SHA1
b0720c7c131ba3d7f493432508bee267c06fa4d3

SHA256
eb1a56995eb687cf2a59e38a4b55ffdefc97bcb667e4c757db5373809a9f0e46

SHA512
a8fb6fe88c184fd83d671d3ca1fd3c64847bb63d16db5053fe7194f924e8e3251ac27778ac7fb4798d723f8b072728688322e23f74547ea63ac81579c654a12e

Download Submit
C:\Windows\{7C468900-5248-40c8-96D5-D48EA16D13E8}.exe

Filesize
64KB

MD5
f5299439d761d803bfa96059a7669cdc

SHA1
acebd4f9cf14b7bcad9f1c5030d03f6feba6a6fd

SHA256
d51e505ee973fa346621fc6790bfc93755b54b0f52b1db403a00794c8de964f1

SHA512
e12313e2fc99239f6ee4759fb57d0c4c0308233bfd1d9aee1cbf06b9e8b6b5d9f13042513c67c02393d6ebb49585c3d66f15f0e8dfa9c884fb135399329b6045

Download Submit
C:\Windows\{7CC1730A-2A5C-4dda-B34A-8B8BBCBD4166}.exe

Filesize
216KB

MD5
a790292be69e81d7805925cc6244327c

SHA1
fa5d853a3631a295dd4a9358ccd29fef841c40ef

SHA256
da78c9601c85ebdbeeac236d727921dc63b7bc050f321005d1d1756981db66a9

SHA512
03b37a954465df41fa832070a3254c29d0a64ef1fe42318390cf4b65cc061fcc12ec4c4fa1eb29af5aeb153abb6c64d032435fef3d5fba01efd98db1138f48dd

Download Submit
C:\Windows\{D31064E6-05CD-4f28-8A5A-8676D35021BE}.exe

Filesize
93KB

MD5
bbe8958d6dfaaa441d5dbb188daa534b

SHA1
fc54ec6afd4e98db1afcb6ad2b4d4ad4aead7792

SHA256
26ca9e62dd2df514e39d9bd5c4f036fda9816b1f37c563f86dbfae4cce8fac8b

SHA512
3c2711b8620654cb701e8c253cbc7eb206000e08960a7d5409f56f125844016fbd316ff7a0dd67640f34a5656db22233140f30eee11dabe04f97a035f912d3d4

Download Submit
C:\Windows\{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe

Filesize
92KB

MD5
a265c791ac0f7c6d0277517451161472

SHA1
c6cc341ebcc0b90cd22ca15b23816ea5b859347a

SHA256
0e708c93d8455af197fece255f7c31310f746fac758b569706a191ede97cef90

SHA512
7163f865fa6c3dedb32cdfbb46c69e26662a5424cbdcda80137c606658cabeae14af0177b0992a58e93788754922258580f66fea6d2e9a1769722e21096c992c

Download Submit
C:\Windows\{E074DC66-94C2-49b0-AC81-8903DC3EB4AE}.exe

Filesize
216KB

MD5
81d7e5b8eb68ac6490e354007a5ffd6f

SHA1
31bfeaa21d85417c1f21de55597f55e7c426e878

SHA256
fe16959d9e9ddf8462ccef5574953ca600812fbb547210b3a1bf93b76638d841

SHA512
5a2daf40322bcb709c3134609257ae2f8fc40c0878f415535ad2d7db5fb1faee006ddd60eb5c29eaeebe5020add91e463fbc8c950cb8a533c7bd8f4bc40611f7

Download Submit
C:\Windows\{FAD0ADEA-417A-4482-9121-491CF61F58C3}.exe

Filesize
216KB

MD5
cd3d41f9349e6cec5345749e9004d778

SHA1
279a496aedb693396a722ffcfa036790828c9033

SHA256
a52e063d9940cd7fa427bdb49f583462fd7ce4485af0859d841576b1f1c90c94

SHA512
f339dbc99e4d9a96137c07db5c55b471b2ce571013d0dc8b7c4150806bc254f4bda5c65077b1875ead8e4fd8e41e089323a946932f4c5fb6f0797a581fbba9bd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads