7f54746215b76151e25a466b5393b969fa68df6e72b144da557d99dc2b76bb6c

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 06:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_74cffa8e517ec3c7672c00fef2b24451_goldeneye.exe
Size

408KB
MD5

74cffa8e517ec3c7672c00fef2b24451
SHA1

07d735726514e8efbcf637f054483113bb53010a
SHA256

7f54746215b76151e25a466b5393b969fa68df6e72b144da557d99dc2b76bb6c
SHA512

19538f0e05d024c9435fc8030e9bb0c1b9e0104efc2ecd0900cb164fb58a5a0ae3fd4b9d0489d82856263bd7a6cefddf113988728bd1898ff5cab651260f0df4
SSDEEP

3072:CEGh0ofl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGdldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}	{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{006762F2-F713-48fc-9C21-F9EC837007D4}	{A42B7067-79BB-4deb-BE3A-07430C6879CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}\stubpath = "C:\\Windows\\{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe"	{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BE879A9-3611-48c5-B70F-75670B123B8B}\stubpath = "C:\\Windows\\{5BE879A9-3611-48c5-B70F-75670B123B8B}.exe"	{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8356C66E-8346-4a72-8B8B-63A9F6B22067}\stubpath = "C:\\Windows\\{8356C66E-8346-4a72-8B8B-63A9F6B22067}.exe"	{5BE879A9-3611-48c5-B70F-75670B123B8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}\stubpath = "C:\\Windows\\{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe"	{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{379416C8-0A9D-4b7a-944D-555AC9215C9A}	{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76418204-90B7-42ea-B141-F8AA66544E80}\stubpath = "C:\\Windows\\{76418204-90B7-42ea-B141-F8AA66544E80}.exe"	{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}	{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BE879A9-3611-48c5-B70F-75670B123B8B}	{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A42B7067-79BB-4deb-BE3A-07430C6879CB}	{8356C66E-8346-4a72-8B8B-63A9F6B22067}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A42B7067-79BB-4deb-BE3A-07430C6879CB}\stubpath = "C:\\Windows\\{A42B7067-79BB-4deb-BE3A-07430C6879CB}.exe"	{8356C66E-8346-4a72-8B8B-63A9F6B22067}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42148049-A1DB-4028-8639-2952B81AED5D}	{76418204-90B7-42ea-B141-F8AA66544E80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42148049-A1DB-4028-8639-2952B81AED5D}\stubpath = "C:\\Windows\\{42148049-A1DB-4028-8639-2952B81AED5D}.exe"	{76418204-90B7-42ea-B141-F8AA66544E80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1E57F82-05A8-4c92-94D5-52D1EF226C91}	{42148049-A1DB-4028-8639-2952B81AED5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76418204-90B7-42ea-B141-F8AA66544E80}	{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1E57F82-05A8-4c92-94D5-52D1EF226C91}\stubpath = "C:\\Windows\\{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe"	{42148049-A1DB-4028-8639-2952B81AED5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8356C66E-8346-4a72-8B8B-63A9F6B22067}	{5BE879A9-3611-48c5-B70F-75670B123B8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{006762F2-F713-48fc-9C21-F9EC837007D4}\stubpath = "C:\\Windows\\{006762F2-F713-48fc-9C21-F9EC837007D4}.exe"	{A42B7067-79BB-4deb-BE3A-07430C6879CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}	2024-01-08_74cffa8e517ec3c7672c00fef2b24451_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}\stubpath = "C:\\Windows\\{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe"	2024-01-08_74cffa8e517ec3c7672c00fef2b24451_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{379416C8-0A9D-4b7a-944D-555AC9215C9A}\stubpath = "C:\\Windows\\{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe"	{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe

Deletes itself 1 IoCs

pid	Process
2756	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2360	{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe
2732	{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe
2684	{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe
576	{76418204-90B7-42ea-B141-F8AA66544E80}.exe
1652	{42148049-A1DB-4028-8639-2952B81AED5D}.exe
2884	{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe
1672	{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe
2168	{5BE879A9-3611-48c5-B70F-75670B123B8B}.exe
1596	{8356C66E-8346-4a72-8B8B-63A9F6B22067}.exe
700	{A42B7067-79BB-4deb-BE3A-07430C6879CB}.exe
676	{006762F2-F713-48fc-9C21-F9EC837007D4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{76418204-90B7-42ea-B141-F8AA66544E80}.exe	{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe
File created	C:\Windows\{42148049-A1DB-4028-8639-2952B81AED5D}.exe	{76418204-90B7-42ea-B141-F8AA66544E80}.exe
File created	C:\Windows\{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe	{42148049-A1DB-4028-8639-2952B81AED5D}.exe
File created	C:\Windows\{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe	{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe
File created	C:\Windows\{5BE879A9-3611-48c5-B70F-75670B123B8B}.exe	{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe
File created	C:\Windows\{8356C66E-8346-4a72-8B8B-63A9F6B22067}.exe	{5BE879A9-3611-48c5-B70F-75670B123B8B}.exe
File created	C:\Windows\{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe	{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe
File created	C:\Windows\{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe	{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe
File created	C:\Windows\{006762F2-F713-48fc-9C21-F9EC837007D4}.exe	{A42B7067-79BB-4deb-BE3A-07430C6879CB}.exe
File created	C:\Windows\{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe	2024-01-08_74cffa8e517ec3c7672c00fef2b24451_goldeneye.exe
File created	C:\Windows\{A42B7067-79BB-4deb-BE3A-07430C6879CB}.exe	{8356C66E-8346-4a72-8B8B-63A9F6B22067}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2240	2024-01-08_74cffa8e517ec3c7672c00fef2b24451_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2360	{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe
Token: SeIncBasePriorityPrivilege	2732	{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe
Token: SeIncBasePriorityPrivilege	2684	{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe
Token: SeIncBasePriorityPrivilege	576	{76418204-90B7-42ea-B141-F8AA66544E80}.exe
Token: SeIncBasePriorityPrivilege	1652	{42148049-A1DB-4028-8639-2952B81AED5D}.exe
Token: SeIncBasePriorityPrivilege	2884	{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe
Token: SeIncBasePriorityPrivilege	1672	{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe
Token: SeIncBasePriorityPrivilege	2168	{5BE879A9-3611-48c5-B70F-75670B123B8B}.exe
Token: SeIncBasePriorityPrivilege	1596	{8356C66E-8346-4a72-8B8B-63A9F6B22067}.exe
Token: SeIncBasePriorityPrivilege	700	{A42B7067-79BB-4deb-BE3A-07430C6879CB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2360	2240	2024-01-08_74cffa8e517ec3c7672c00fef2b24451_goldeneye.exe	28
PID 2240 wrote to memory of 2360	2240	2024-01-08_74cffa8e517ec3c7672c00fef2b24451_goldeneye.exe	28
PID 2240 wrote to memory of 2360	2240	2024-01-08_74cffa8e517ec3c7672c00fef2b24451_goldeneye.exe	28
PID 2240 wrote to memory of 2360	2240	2024-01-08_74cffa8e517ec3c7672c00fef2b24451_goldeneye.exe	28
PID 2240 wrote to memory of 2756	2240	2024-01-08_74cffa8e517ec3c7672c00fef2b24451_goldeneye.exe	29
PID 2240 wrote to memory of 2756	2240	2024-01-08_74cffa8e517ec3c7672c00fef2b24451_goldeneye.exe	29
PID 2240 wrote to memory of 2756	2240	2024-01-08_74cffa8e517ec3c7672c00fef2b24451_goldeneye.exe	29
PID 2240 wrote to memory of 2756	2240	2024-01-08_74cffa8e517ec3c7672c00fef2b24451_goldeneye.exe	29
PID 2360 wrote to memory of 2732	2360	{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe	32
PID 2360 wrote to memory of 2732	2360	{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe	32
PID 2360 wrote to memory of 2732	2360	{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe	32
PID 2360 wrote to memory of 2732	2360	{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe	32
PID 2360 wrote to memory of 2728	2360	{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe	33
PID 2360 wrote to memory of 2728	2360	{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe	33
PID 2360 wrote to memory of 2728	2360	{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe	33
PID 2360 wrote to memory of 2728	2360	{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe	33
PID 2732 wrote to memory of 2684	2732	{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe	34
PID 2732 wrote to memory of 2684	2732	{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe	34
PID 2732 wrote to memory of 2684	2732	{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe	34
PID 2732 wrote to memory of 2684	2732	{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe	34
PID 2732 wrote to memory of 2980	2732	{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe	35
PID 2732 wrote to memory of 2980	2732	{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe	35
PID 2732 wrote to memory of 2980	2732	{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe	35
PID 2732 wrote to memory of 2980	2732	{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe	35
PID 2684 wrote to memory of 576	2684	{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe	37
PID 2684 wrote to memory of 576	2684	{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe	37
PID 2684 wrote to memory of 576	2684	{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe	37
PID 2684 wrote to memory of 576	2684	{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe	37
PID 2684 wrote to memory of 1628	2684	{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe	36
PID 2684 wrote to memory of 1628	2684	{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe	36
PID 2684 wrote to memory of 1628	2684	{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe	36
PID 2684 wrote to memory of 1628	2684	{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe	36
PID 576 wrote to memory of 1652	576	{76418204-90B7-42ea-B141-F8AA66544E80}.exe	38
PID 576 wrote to memory of 1652	576	{76418204-90B7-42ea-B141-F8AA66544E80}.exe	38
PID 576 wrote to memory of 1652	576	{76418204-90B7-42ea-B141-F8AA66544E80}.exe	38
PID 576 wrote to memory of 1652	576	{76418204-90B7-42ea-B141-F8AA66544E80}.exe	38
PID 576 wrote to memory of 1200	576	{76418204-90B7-42ea-B141-F8AA66544E80}.exe	39
PID 576 wrote to memory of 1200	576	{76418204-90B7-42ea-B141-F8AA66544E80}.exe	39
PID 576 wrote to memory of 1200	576	{76418204-90B7-42ea-B141-F8AA66544E80}.exe	39
PID 576 wrote to memory of 1200	576	{76418204-90B7-42ea-B141-F8AA66544E80}.exe	39
PID 1652 wrote to memory of 2884	1652	{42148049-A1DB-4028-8639-2952B81AED5D}.exe	40
PID 1652 wrote to memory of 2884	1652	{42148049-A1DB-4028-8639-2952B81AED5D}.exe	40
PID 1652 wrote to memory of 2884	1652	{42148049-A1DB-4028-8639-2952B81AED5D}.exe	40
PID 1652 wrote to memory of 2884	1652	{42148049-A1DB-4028-8639-2952B81AED5D}.exe	40
PID 1652 wrote to memory of 2188	1652	{42148049-A1DB-4028-8639-2952B81AED5D}.exe	41
PID 1652 wrote to memory of 2188	1652	{42148049-A1DB-4028-8639-2952B81AED5D}.exe	41
PID 1652 wrote to memory of 2188	1652	{42148049-A1DB-4028-8639-2952B81AED5D}.exe	41
PID 1652 wrote to memory of 2188	1652	{42148049-A1DB-4028-8639-2952B81AED5D}.exe	41
PID 2884 wrote to memory of 1672	2884	{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe	42
PID 2884 wrote to memory of 1672	2884	{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe	42
PID 2884 wrote to memory of 1672	2884	{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe	42
PID 2884 wrote to memory of 1672	2884	{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe	42
PID 2884 wrote to memory of 1280	2884	{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe	43
PID 2884 wrote to memory of 1280	2884	{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe	43
PID 2884 wrote to memory of 1280	2884	{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe	43
PID 2884 wrote to memory of 1280	2884	{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe	43
PID 1672 wrote to memory of 2168	1672	{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe	44
PID 1672 wrote to memory of 2168	1672	{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe	44
PID 1672 wrote to memory of 2168	1672	{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe	44
PID 1672 wrote to memory of 2168	1672	{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe	44
PID 1672 wrote to memory of 1812	1672	{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe	45
PID 1672 wrote to memory of 1812	1672	{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe	45
PID 1672 wrote to memory of 1812	1672	{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe	45
PID 1672 wrote to memory of 1812	1672	{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-08_74cffa8e517ec3c7672c00fef2b24451_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_74cffa8e517ec3c7672c00fef2b24451_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe
  C:\Windows\{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe
    C:\Windows\{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe
      C:\Windows\{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37941~1.EXE > nul
        5⤵
        
        PID:1628
    - - C:\Windows\{76418204-90B7-42ea-B141-F8AA66544E80}.exe
        
        C:\Windows\{76418204-90B7-42ea-B141-F8AA66544E80}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:576
      - C:\Windows\{42148049-A1DB-4028-8639-2952B81AED5D}.exe
        
        C:\Windows\{42148049-A1DB-4028-8639-2952B81AED5D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe
        
        C:\Windows\{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe
        
        C:\Windows\{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{5BE879A9-3611-48c5-B70F-75670B123B8B}.exe
        
        C:\Windows\{5BE879A9-3611-48c5-B70F-75670B123B8B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\{8356C66E-8346-4a72-8B8B-63A9F6B22067}.exe
        
        C:\Windows\{8356C66E-8346-4a72-8B8B-63A9F6B22067}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\{A42B7067-79BB-4deb-BE3A-07430C6879CB}.exe
        
        C:\Windows\{A42B7067-79BB-4deb-BE3A-07430C6879CB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
        
        C:\Windows\{006762F2-F713-48fc-9C21-F9EC837007D4}.exe
        
        C:\Windows\{006762F2-F713-48fc-9C21-F9EC837007D4}.exe
        12⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A42B7~1.EXE > nul
        12⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8356C~1.EXE > nul
        11⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BE87~1.EXE > nul
        10⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB5A3~1.EXE > nul
        9⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1E57~1.EXE > nul
        8⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42148~1.EXE > nul
        7⤵
        
        PID:2188
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76418~1.EXE > nul
        6⤵
        
        PID:1200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2AE43~1.EXE > nul
      4⤵
      PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E3BEC~1.EXE > nul
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{006762F2-F713-48fc-9C21-F9EC837007D4}.exe

Filesize
408KB

MD5
a9d1309593e44bacef8af2ae39189565

SHA1
c765a73cc01dfb08b734708ceb70196cb7ad1091

SHA256
5c440fe4c4f80d5b8524bb858c383be98aeb70f81abaffc1fdae2debe87c683c

SHA512
ad3485a5539274074d752fbba8a7b75d0f168bb7da815ba7ebf2293cbfbe254270d2af9ca24c8ffed7127c8fef19a2133a1615dfb12aadca574ee87efdc4d9fc

Download Submit
C:\Windows\{2AE435E5-D8B4-41dd-85B8-E31DB96520DB}.exe

Filesize
408KB

MD5
01367364c8591fd38012f653556edb9a

SHA1
f0d3bcc183d81963c5d6bbed049083a7c29b6a2c

SHA256
ebe10937edd494a9318869a92c306d0728c582f2e522dc6797658f814c3d2f28

SHA512
bb4b44e41bfbcac0f247578ac92b92fc4c04ef72051295a3f77eea58abc63744993c3869e60600c9e8735789e5f01f4e9cfd1e195f11ee00fb604250efa8523e

Download Submit
C:\Windows\{379416C8-0A9D-4b7a-944D-555AC9215C9A}.exe

Filesize
408KB

MD5
5b1c95ce24b5762976da14fb1afcafba

SHA1
d57a68de231caaaa349f90b9bc8272090ecbb37d

SHA256
bb20bc4c80e84b922b1f45d915f5e8f07918469a637c90da2b7b6b12e9171fba

SHA512
ee1c1fe00dddc67be7cb177362843354c9ba7aa31402467e619ee7657d6263482b9a20c9abcd79d4ddc63bfa4c83a8779916ed95f942aff227cc9b8a1454e421

Download Submit
C:\Windows\{42148049-A1DB-4028-8639-2952B81AED5D}.exe

Filesize
408KB

MD5
2c4d762a3ec5fae0229cc808c1c59394

SHA1
8944f8c128bd64ae89712d55f25c8e7bbcf91499

SHA256
f8cadb272619647e69b993ff1c054b71821ea5c6afccfc19eca479907103503d

SHA512
d4a925bc2cacb88a1084ca8172ba28136b8a04da61deb9b97bc4dfe203f8d520a9facea2f4d3f49e6719161bdf12319c21aa5a6e8a74f43c94341f2fec63a4f5

Download Submit
C:\Windows\{5BE879A9-3611-48c5-B70F-75670B123B8B}.exe

Filesize
408KB

MD5
eb686b458a5ad985f62aae2d2fbfc08e

SHA1
f32ecd8258e0c18f64ca2bcf64630514520865c9

SHA256
0bdbddf6c72155b6a2c92474464b08af4e4af0dde2833e0f47aed6cb3f5c9d87

SHA512
fb8e8cdd6ad9aff8a7b828829e34b358b327d3837ce73c145c0a631166cb2ace06eee5014f8b6ff22e9a1f54a964aa36ec65a30a5be4107f5bc4e9855bb9bcfb

Download Submit
C:\Windows\{76418204-90B7-42ea-B141-F8AA66544E80}.exe

Filesize
408KB

MD5
9818e8e454de4f8b731d98d56659087f

SHA1
e45b41b874fa999abda3cdd31dd046b483818fdb

SHA256
af3401168943dac29568c1d5801fb14e1da95c3a9bfd549563f7e53d90ab72ef

SHA512
1934ddb2f99288f787bbd4c0dbc28e96c0163b0b92dec7e830697ca6d6675810079333b9d73ec5fe6770a536cb06fcab9b4d497c100ed2ed313826ccc8cf41d9

Download Submit
C:\Windows\{8356C66E-8346-4a72-8B8B-63A9F6B22067}.exe

Filesize
408KB

MD5
193897837d8e3ef6c077a220fd27944a

SHA1
ef07479fe97848dd57cc90d08cd888273c4b7a09

SHA256
e57cc5a12f58e293aba55f4461b42cb16ba623d28cce7684f2e3f6db1fb11981

SHA512
1b28b540c5255922d561acc30a82b862908f476c85ec1e22cbdb1e0222b2d962383a84bf871d1bbb432a7fbd157c00323b5a3df1546d291de743e3e438a41a44

Download Submit
C:\Windows\{A42B7067-79BB-4deb-BE3A-07430C6879CB}.exe

Filesize
408KB

MD5
20ebf27c4c0ae3fdaa4ab28f4262d1c9

SHA1
77533f623d4aef403c7e26b29427e6fbb270bcfc

SHA256
f01d744cc6bb21b8a10cc2bebcc927f612f6b8a2f26e20f5ba5e9bb911577343

SHA512
f374e7e21ea5bcb39226fc7046b0b0ffddb63744e3ccaee5eb685e85ff578a84beef60ac96a35fe2332c38bde7509cfb4025bb7d16e94cd6474e949aa3a1d7c1

Download Submit
C:\Windows\{E1E57F82-05A8-4c92-94D5-52D1EF226C91}.exe

Filesize
408KB

MD5
12d7ee9e41efa09342006deda016b488

SHA1
c94665114ab99373b412562379b79801725ad334

SHA256
de81b73f9b05477a332dedda6e390a9fd3700e075608d3a365f0b9567a9a7a25

SHA512
bef835fa0e17cc609887f5128b85c22151d3c1104f28816a19f7788d6d724231961e7a3c2d40540335c34cb19d84b3ad0fc2f3cefe43dd5b5b59836f38d311ef

Download Submit
C:\Windows\{E3BEC5AD-C938-4521-AE81-D50F0EF1E02E}.exe

Filesize
408KB

MD5
60c9e09ffc6694bff0e3f21b03f52c31

SHA1
6efc0ae2450edde4bfc835bfacc9532935ab2544

SHA256
c533be5e387c996a1b33e07055b107a33e2a0bac9e4771a39641b5ea58646b1a

SHA512
f9fcd00c1c51e596efd2a7676991c6d4675fc10a15245696559ccee69ceabc8b4ce130a10a7dc9a0b3bb79b76236af48154d98898b866e29459eb33265c5d545

Download Submit
C:\Windows\{FB5A3A86-B998-4391-95CB-C3BE62E16EB2}.exe

Filesize
408KB

MD5
8c9fa0984bd74d647ef42984c233341b

SHA1
f92ddf93894122d941ddf3dfcdf0b603da60ff3c

SHA256
4594b84832e13e62c4789ec644decb3637e500a8d038c90dd20e0abbd3820096

SHA512
89fefe78ea75458e34fbb8021fabf115355f24305256178bf47548418f22790da8babb50d7ceb46dbbca36020e2fa8653805529c9db1a6daafc2a175d792d3f3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads