3bc5bc83ad3dbea6e0c65783be4c837d51be389fd65811a16702189b1b53d2a4

Analysis

max time kernel
157s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_0de931adc01c63cd69043ec38cc399bd_goldeneye.exe
Size

180KB
MD5

0de931adc01c63cd69043ec38cc399bd
SHA1

a69acffdfd1115140334b3f77b3ca76034aed313
SHA256

3bc5bc83ad3dbea6e0c65783be4c837d51be389fd65811a16702189b1b53d2a4
SHA512

9042a9bc730843871e7761b7d39e7ef503f86b713ec035f34e18effb57f6857398c8d1a952404df6c7d8ed99152c593114ec8ef926343092d8fb5584b5610a8a
SSDEEP

3072:jEGh0ojlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGFl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88CA3C49-D324-4a9d-8588-36CCF187E085}\stubpath = "C:\\Windows\\{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe"	{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F612A36C-577A-4fdb-B796-63934BC47924}\stubpath = "C:\\Windows\\{F612A36C-577A-4fdb-B796-63934BC47924}.exe"	{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18D075CA-D131-46f7-8E9F-57BF72214910}	{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3742D265-A9FF-46e5-A570-06CB643B914A}\stubpath = "C:\\Windows\\{3742D265-A9FF-46e5-A570-06CB643B914A}.exe"	{EDEE9872-2C3E-4857-9165-ED68E48B269F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF3278CB-7B85-4e6f-9681-7C1152F7858E}\stubpath = "C:\\Windows\\{AF3278CB-7B85-4e6f-9681-7C1152F7858E}.exe"	{FFB7E010-40FC-46c8-9F3A-F5A7DFE1E3BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C29A9C48-0CB2-44c1-9050-FE3922A403F6}	2024-01-09_0de931adc01c63cd69043ec38cc399bd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}\stubpath = "C:\\Windows\\{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe"	{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{181EBA8E-6B40-4d89-A2E5-2E40AA9F94E5}\stubpath = "C:\\Windows\\{181EBA8E-6B40-4d89-A2E5-2E40AA9F94E5}.exe"	{18D075CA-D131-46f7-8E9F-57BF72214910}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDEE9872-2C3E-4857-9165-ED68E48B269F}\stubpath = "C:\\Windows\\{EDEE9872-2C3E-4857-9165-ED68E48B269F}.exe"	{181EBA8E-6B40-4d89-A2E5-2E40AA9F94E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3742D265-A9FF-46e5-A570-06CB643B914A}	{EDEE9872-2C3E-4857-9165-ED68E48B269F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF3278CB-7B85-4e6f-9681-7C1152F7858E}	{FFB7E010-40FC-46c8-9F3A-F5A7DFE1E3BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88CA3C49-D324-4a9d-8588-36CCF187E085}	{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F612A36C-577A-4fdb-B796-63934BC47924}	{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}	{F612A36C-577A-4fdb-B796-63934BC47924}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}	{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{394E4820-53F4-43c7-99E5-7FFA392B54DF}	{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18D075CA-D131-46f7-8E9F-57BF72214910}\stubpath = "C:\\Windows\\{18D075CA-D131-46f7-8E9F-57BF72214910}.exe"	{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFB7E010-40FC-46c8-9F3A-F5A7DFE1E3BF}\stubpath = "C:\\Windows\\{FFB7E010-40FC-46c8-9F3A-F5A7DFE1E3BF}.exe"	{3742D265-A9FF-46e5-A570-06CB643B914A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C29A9C48-0CB2-44c1-9050-FE3922A403F6}\stubpath = "C:\\Windows\\{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe"	2024-01-09_0de931adc01c63cd69043ec38cc399bd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}\stubpath = "C:\\Windows\\{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe"	{F612A36C-577A-4fdb-B796-63934BC47924}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{394E4820-53F4-43c7-99E5-7FFA392B54DF}\stubpath = "C:\\Windows\\{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe"	{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{181EBA8E-6B40-4d89-A2E5-2E40AA9F94E5}	{18D075CA-D131-46f7-8E9F-57BF72214910}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDEE9872-2C3E-4857-9165-ED68E48B269F}	{181EBA8E-6B40-4d89-A2E5-2E40AA9F94E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFB7E010-40FC-46c8-9F3A-F5A7DFE1E3BF}	{3742D265-A9FF-46e5-A570-06CB643B914A}.exe

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2772	{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe
2508	{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe
3044	{F612A36C-577A-4fdb-B796-63934BC47924}.exe
2692	{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe
1020	{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe
1776	{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe
1840	{18D075CA-D131-46f7-8E9F-57BF72214910}.exe
3008	{181EBA8E-6B40-4d89-A2E5-2E40AA9F94E5}.exe
3032	{EDEE9872-2C3E-4857-9165-ED68E48B269F}.exe
2268	{3742D265-A9FF-46e5-A570-06CB643B914A}.exe
1700	{FFB7E010-40FC-46c8-9F3A-F5A7DFE1E3BF}.exe
1112	{AF3278CB-7B85-4e6f-9681-7C1152F7858E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FFB7E010-40FC-46c8-9F3A-F5A7DFE1E3BF}.exe	{3742D265-A9FF-46e5-A570-06CB643B914A}.exe
File created	C:\Windows\{AF3278CB-7B85-4e6f-9681-7C1152F7858E}.exe	{FFB7E010-40FC-46c8-9F3A-F5A7DFE1E3BF}.exe
File created	C:\Windows\{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe	{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe
File created	C:\Windows\{18D075CA-D131-46f7-8E9F-57BF72214910}.exe	{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe
File created	C:\Windows\{181EBA8E-6B40-4d89-A2E5-2E40AA9F94E5}.exe	{18D075CA-D131-46f7-8E9F-57BF72214910}.exe
File created	C:\Windows\{EDEE9872-2C3E-4857-9165-ED68E48B269F}.exe	{181EBA8E-6B40-4d89-A2E5-2E40AA9F94E5}.exe
File created	C:\Windows\{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe	{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe
File created	C:\Windows\{3742D265-A9FF-46e5-A570-06CB643B914A}.exe	{EDEE9872-2C3E-4857-9165-ED68E48B269F}.exe
File created	C:\Windows\{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe	2024-01-09_0de931adc01c63cd69043ec38cc399bd_goldeneye.exe
File created	C:\Windows\{F612A36C-577A-4fdb-B796-63934BC47924}.exe	{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe
File created	C:\Windows\{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe	{F612A36C-577A-4fdb-B796-63934BC47924}.exe
File created	C:\Windows\{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe	{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2896	2024-01-09_0de931adc01c63cd69043ec38cc399bd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2772	{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe
Token: SeIncBasePriorityPrivilege	2508	{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe
Token: SeIncBasePriorityPrivilege	3044	{F612A36C-577A-4fdb-B796-63934BC47924}.exe
Token: SeIncBasePriorityPrivilege	2692	{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe
Token: SeIncBasePriorityPrivilege	1020	{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe
Token: SeIncBasePriorityPrivilege	1776	{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe
Token: SeIncBasePriorityPrivilege	1840	{18D075CA-D131-46f7-8E9F-57BF72214910}.exe
Token: SeIncBasePriorityPrivilege	3008	{181EBA8E-6B40-4d89-A2E5-2E40AA9F94E5}.exe
Token: SeIncBasePriorityPrivilege	3032	{EDEE9872-2C3E-4857-9165-ED68E48B269F}.exe
Token: SeIncBasePriorityPrivilege	2268	{3742D265-A9FF-46e5-A570-06CB643B914A}.exe
Token: SeIncBasePriorityPrivilege	1700	{FFB7E010-40FC-46c8-9F3A-F5A7DFE1E3BF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2772	2896	2024-01-09_0de931adc01c63cd69043ec38cc399bd_goldeneye.exe	27
PID 2896 wrote to memory of 2772	2896	2024-01-09_0de931adc01c63cd69043ec38cc399bd_goldeneye.exe	27
PID 2896 wrote to memory of 2772	2896	2024-01-09_0de931adc01c63cd69043ec38cc399bd_goldeneye.exe	27
PID 2896 wrote to memory of 2772	2896	2024-01-09_0de931adc01c63cd69043ec38cc399bd_goldeneye.exe	27
PID 2896 wrote to memory of 2660	2896	2024-01-09_0de931adc01c63cd69043ec38cc399bd_goldeneye.exe	28
PID 2896 wrote to memory of 2660	2896	2024-01-09_0de931adc01c63cd69043ec38cc399bd_goldeneye.exe	28
PID 2896 wrote to memory of 2660	2896	2024-01-09_0de931adc01c63cd69043ec38cc399bd_goldeneye.exe	28
PID 2896 wrote to memory of 2660	2896	2024-01-09_0de931adc01c63cd69043ec38cc399bd_goldeneye.exe	28
PID 2772 wrote to memory of 2508	2772	{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe	31
PID 2772 wrote to memory of 2508	2772	{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe	31
PID 2772 wrote to memory of 2508	2772	{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe	31
PID 2772 wrote to memory of 2508	2772	{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe	31
PID 2772 wrote to memory of 2572	2772	{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe	32
PID 2772 wrote to memory of 2572	2772	{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe	32
PID 2772 wrote to memory of 2572	2772	{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe	32
PID 2772 wrote to memory of 2572	2772	{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe	32
PID 2508 wrote to memory of 3044	2508	{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe	33
PID 2508 wrote to memory of 3044	2508	{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe	33
PID 2508 wrote to memory of 3044	2508	{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe	33
PID 2508 wrote to memory of 3044	2508	{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe	33
PID 2508 wrote to memory of 1548	2508	{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe	34
PID 2508 wrote to memory of 1548	2508	{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe	34
PID 2508 wrote to memory of 1548	2508	{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe	34
PID 2508 wrote to memory of 1548	2508	{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe	34
PID 3044 wrote to memory of 2692	3044	{F612A36C-577A-4fdb-B796-63934BC47924}.exe	35
PID 3044 wrote to memory of 2692	3044	{F612A36C-577A-4fdb-B796-63934BC47924}.exe	35
PID 3044 wrote to memory of 2692	3044	{F612A36C-577A-4fdb-B796-63934BC47924}.exe	35
PID 3044 wrote to memory of 2692	3044	{F612A36C-577A-4fdb-B796-63934BC47924}.exe	35
PID 3044 wrote to memory of 2860	3044	{F612A36C-577A-4fdb-B796-63934BC47924}.exe	36
PID 3044 wrote to memory of 2860	3044	{F612A36C-577A-4fdb-B796-63934BC47924}.exe	36
PID 3044 wrote to memory of 2860	3044	{F612A36C-577A-4fdb-B796-63934BC47924}.exe	36
PID 3044 wrote to memory of 2860	3044	{F612A36C-577A-4fdb-B796-63934BC47924}.exe	36
PID 2692 wrote to memory of 1020	2692	{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe	38
PID 2692 wrote to memory of 1020	2692	{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe	38
PID 2692 wrote to memory of 1020	2692	{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe	38
PID 2692 wrote to memory of 1020	2692	{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe	38
PID 2692 wrote to memory of 1556	2692	{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe	37
PID 2692 wrote to memory of 1556	2692	{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe	37
PID 2692 wrote to memory of 1556	2692	{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe	37
PID 2692 wrote to memory of 1556	2692	{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe	37
PID 1020 wrote to memory of 1776	1020	{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe	39
PID 1020 wrote to memory of 1776	1020	{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe	39
PID 1020 wrote to memory of 1776	1020	{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe	39
PID 1020 wrote to memory of 1776	1020	{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe	39
PID 1020 wrote to memory of 1236	1020	{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe	40
PID 1020 wrote to memory of 1236	1020	{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe	40
PID 1020 wrote to memory of 1236	1020	{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe	40
PID 1020 wrote to memory of 1236	1020	{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe	40
PID 1776 wrote to memory of 1840	1776	{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe	41
PID 1776 wrote to memory of 1840	1776	{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe	41
PID 1776 wrote to memory of 1840	1776	{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe	41
PID 1776 wrote to memory of 1840	1776	{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe	41
PID 1776 wrote to memory of 976	1776	{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe	42
PID 1776 wrote to memory of 976	1776	{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe	42
PID 1776 wrote to memory of 976	1776	{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe	42
PID 1776 wrote to memory of 976	1776	{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe	42
PID 1840 wrote to memory of 3008	1840	{18D075CA-D131-46f7-8E9F-57BF72214910}.exe	43
PID 1840 wrote to memory of 3008	1840	{18D075CA-D131-46f7-8E9F-57BF72214910}.exe	43
PID 1840 wrote to memory of 3008	1840	{18D075CA-D131-46f7-8E9F-57BF72214910}.exe	43
PID 1840 wrote to memory of 3008	1840	{18D075CA-D131-46f7-8E9F-57BF72214910}.exe	43
PID 1840 wrote to memory of 2020	1840	{18D075CA-D131-46f7-8E9F-57BF72214910}.exe	44
PID 1840 wrote to memory of 2020	1840	{18D075CA-D131-46f7-8E9F-57BF72214910}.exe	44
PID 1840 wrote to memory of 2020	1840	{18D075CA-D131-46f7-8E9F-57BF72214910}.exe	44
PID 1840 wrote to memory of 2020	1840	{18D075CA-D131-46f7-8E9F-57BF72214910}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-09_0de931adc01c63cd69043ec38cc399bd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_0de931adc01c63cd69043ec38cc399bd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe
  C:\Windows\{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe
    C:\Windows\{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\{F612A36C-577A-4fdb-B796-63934BC47924}.exe
      C:\Windows\{F612A36C-577A-4fdb-B796-63934BC47924}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe
        
        C:\Windows\{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79B3B~1.EXE > nul
        6⤵
        
        PID:1556
      - C:\Windows\{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe
        
        C:\Windows\{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe
        
        C:\Windows\{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\{18D075CA-D131-46f7-8E9F-57BF72214910}.exe
        
        C:\Windows\{18D075CA-D131-46f7-8E9F-57BF72214910}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\{181EBA8E-6B40-4d89-A2E5-2E40AA9F94E5}.exe
        
        C:\Windows\{181EBA8E-6B40-4d89-A2E5-2E40AA9F94E5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\{EDEE9872-2C3E-4857-9165-ED68E48B269F}.exe
        
        C:\Windows\{EDEE9872-2C3E-4857-9165-ED68E48B269F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\{3742D265-A9FF-46e5-A570-06CB643B914A}.exe
        
        C:\Windows\{3742D265-A9FF-46e5-A570-06CB643B914A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3742D~1.EXE > nul
        12⤵
        
        PID:2980
        
        C:\Windows\{FFB7E010-40FC-46c8-9F3A-F5A7DFE1E3BF}.exe
        
        C:\Windows\{FFB7E010-40FC-46c8-9F3A-F5A7DFE1E3BF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\{AF3278CB-7B85-4e6f-9681-7C1152F7858E}.exe
        
        C:\Windows\{AF3278CB-7B85-4e6f-9681-7C1152F7858E}.exe
        13⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFB7E~1.EXE > nul
        13⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDEE9~1.EXE > nul
        11⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{181EB~1.EXE > nul
        10⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18D07~1.EXE > nul
        9⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{394E4~1.EXE > nul
        8⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D784~1.EXE > nul
        7⤵
        
        PID:1236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F612A~1.EXE > nul
        5⤵
        
        PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{88CA3~1.EXE > nul
      4⤵
      PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C29A9~1.EXE > nul
    3⤵
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{181EBA8E-6B40-4d89-A2E5-2E40AA9F94E5}.exe

Filesize
180KB

MD5
6c325eae760d7d469c062747322e2f96

SHA1
d5c6a01cfc841a32ae58bdc4ca9ab965f7bac688

SHA256
08706869e4a43af32f373664da7e1ff2950dbe5e50bf58b20f56874009471675

SHA512
8a2d3eb0769e90b193d2df527d0e7bb52456d2b6a6c9a928800fadf3ba15d2e8b8751cb31324c6818d7b04735ceabc8c452179d8ea72c45e083c78a658f0b5c1

Download Submit
C:\Windows\{18D075CA-D131-46f7-8E9F-57BF72214910}.exe

Filesize
180KB

MD5
4a99b4fd7cd9f4c883c7add2b4ff3ae9

SHA1
92c9b6b3d7c6d41c038aef309d96f12f44e9b7c4

SHA256
f94b792361545da69efff33cf83154970a125eef159dab1e8a1717fee49d96a6

SHA512
b412bf8908103c0d43bda44c7b7cc7e1784e4686db98e150f94b0e8ee692388e9d73fa9301a8048cd37d01b43d4d6b55b058ab27fba01eb71f680aeefa9027de

Download Submit
C:\Windows\{3742D265-A9FF-46e5-A570-06CB643B914A}.exe

Filesize
180KB

MD5
34b67efd74a68396a880de38424a4914

SHA1
c6d99d63aee4679637b617f6a389abfc68f487d5

SHA256
6f277187bc6b02c2e0ea13cd3b93ea8efc3199abe45543082e27622711a1affc

SHA512
94cc0b228313da2a87c5583268c50b02482c9459a8bdc16d2c31db751bcadd817acecdcb7758486daf9c3c1da00b9b4152d7242ee4c9c1b8b380ef507ffe02e9

Download Submit
C:\Windows\{394E4820-53F4-43c7-99E5-7FFA392B54DF}.exe

Filesize
180KB

MD5
d9faf9372ec93b68744c1934d4191880

SHA1
8e7eb0346d9c4329ee40792b9603b9f768e4c883

SHA256
7227e738333a4585d4d8f9aaf5224f5d817068915b8a179156b557d3b0bb883b

SHA512
45a5b249c69a1f586ce1d1f8fdb4e4db1d33aa706d6db61a81f985c6e128165a9df1dd43fd62b4822141e462ad0af2f611b9fd18684a6879b6d78b7c13fc979f

Download Submit
C:\Windows\{5D784CA9-B28B-41ca-A5CC-930C86EFDBB0}.exe

Filesize
180KB

MD5
7dfb155713179d6c75d06ba9d8e7f480

SHA1
e151dd1835af7b3e5731607954de981ea01ade8a

SHA256
f5df28a8aadaf3c64c18f111bd3b26c4e27612dd5571ce68297c450f9bd8931d

SHA512
08eaa6492d012cee2c8cf3ee42ede8c6005b17d7007af33c5b61ef866b456171d1e6bdbbcf553ed20333efe2b5650f23ed6efa6602d365ea06d044375dc1ddb9

Download Submit
C:\Windows\{79B3B6FB-9B6C-40d2-A41A-0BCC61B657B0}.exe

Filesize
180KB

MD5
3d4c3e8af941f3799d97a76a9025a1d3

SHA1
00461b4936b91d928a5305f1ed054567b72cee4a

SHA256
44ccf41b15152376e199174280efbace6226c729299eaf2dbbfdf3d9b69f87e6

SHA512
8b190ae261ac4044ce288717a321de58fcc5937310265ba7802b47f29e1664bc4bd3fbd4b65feef3d23c0428765a8f51bf7ce379fcc12517c22217df5b56a12c

Download Submit
C:\Windows\{88CA3C49-D324-4a9d-8588-36CCF187E085}.exe

Filesize
180KB

MD5
c87e2e4e456e6e0302a550ac95aa20fe

SHA1
6f6eff505f9b4770bff8b93788be23a6d364f910

SHA256
af172401e05d4a5c54a8c6154dfdb29f18dfb0ac0b9ad290447ef0d114259c66

SHA512
9cf90f4af7bd7bfdf1a95cbcce8f1ee03d62c3e692853694c424c361f6f6f9cdf3b9b8a70913b012160291bc7e39e53cb83595842f0343830acf6b2eac4bb543

Download Submit
C:\Windows\{AF3278CB-7B85-4e6f-9681-7C1152F7858E}.exe

Filesize
180KB

MD5
1033c57b9d6c9be7be35f3acac5127a3

SHA1
e6e0afc74dbe32d36264ae8e920d91f5557b321a

SHA256
2505e07d6e65a01830b82fee3db013c1177e84534c0aca05979e013880bf3ffe

SHA512
3cbcb2e2054594c8fa74c022c8bd53513b1b3d2b81a8c109b638c2017d88b8f11d9587338ec5a80d5758b4d37c5f6f3565a6d025a06fa2fb24e0128284bb6d57

Download Submit
C:\Windows\{C29A9C48-0CB2-44c1-9050-FE3922A403F6}.exe

Filesize
180KB

MD5
45c73be20289d90b788b675a806c3801

SHA1
a0faa4d44917b94ec347e33e286a3e4d6b9a5d0b

SHA256
3a221efcbf14531d55ed652b19f294df18bbe5a1e5ea454ca8aab6679eac4b60

SHA512
2aae822e1e206365b9ad918b1a82578eb3f7c5f382b250773ba54a39a2b1b589be81ed56f8a37cd4ebecc115add1df84552ea8ea74388c297069589eca3ec805

Download Submit
C:\Windows\{EDEE9872-2C3E-4857-9165-ED68E48B269F}.exe

Filesize
180KB

MD5
ea1001a11a76a22329e9b2199787868f

SHA1
d37ea68f1b4f235ffa6ce39c81e50e314358e7d6

SHA256
cf1e1cffce8fa6dd0387a6dbaeb8db85ee2930a4f6e80fb9ef8113d697e9d538

SHA512
87184ab95d9b557d4acb2f1e2d6312adae90d21c6bffb96bd8beca313160a72fdc8842caae01e38b21abb1ba283db3109de13efe6184d5f5de33a2a90af22f0f

Download Submit
C:\Windows\{F612A36C-577A-4fdb-B796-63934BC47924}.exe

Filesize
180KB

MD5
d937e2fb9e83946fde692fbc8af4ce84

SHA1
65c4849c715042cd003ae895caa70ed6d8e1941f

SHA256
f9d65b7bcfe6c084ef53ebc3e01ef8e85d2bcddaacd284bf189a9177e0b9bd7d

SHA512
6ec70a1aa7c310f1e305a77b316c29a791c9d63128a510bc3ab7043d7175fd749cd25cb245c775d4d77fc6fba0ceed726d38ad3a3bc6e69cf367125fdfa9e908

Download Submit
C:\Windows\{FFB7E010-40FC-46c8-9F3A-F5A7DFE1E3BF}.exe

Filesize
180KB

MD5
90271b883da10e60db49d88bda0df5de

SHA1
a86f9430520c3f05936040149fdb6f01bf8375d8

SHA256
141cf4bcf080ed8b1f33f4d90a828951ff09190bc48ddc3e176e9463cbd42289

SHA512
bdfedfb0d5ce9fd1824e80bdd065882840a9bf8eccde444d20d3fdafec1476dcecd17fdf95a75b078e7cf45a031ae8e7ec10f3423a5bd91316fc2c1be4c454ba

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads