01b51bc50ab3fac97bba039bcf778aa4965626db8475765721fe259cbef146cf

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 05:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe
Size

408KB
MD5

0e24a835f1878de60bf1d300e4ae1d1f
SHA1

8255348bcd8349f850825089fe3b4d728d6a56a1
SHA256

01b51bc50ab3fac97bba039bcf778aa4965626db8475765721fe259cbef146cf
SHA512

06633ee2fa3067a8810894b229453ce36d5cc2cc1687f50678f1c99ea9ab727a310a59a8d5c2db9c3dba67fea4b2eb9055a1968303d3d28ea221dc3761ed6485
SSDEEP

3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGfldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71ED9427-8FEF-41f7-B01D-DB24682E27A6}\stubpath = "C:\\Windows\\{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe"	{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20E68F74-5855-4d3c-BDEA-35FB056F1466}	{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58C4689F-6D0E-465e-A039-3380128827D9}\stubpath = "C:\\Windows\\{58C4689F-6D0E-465e-A039-3380128827D9}.exe"	{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}\stubpath = "C:\\Windows\\{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe"	{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71ED9427-8FEF-41f7-B01D-DB24682E27A6}	{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}\stubpath = "C:\\Windows\\{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe"	{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B71028D3-B0E4-4dbc-B8C5-B045B0ED80C7}\stubpath = "C:\\Windows\\{B71028D3-B0E4-4dbc-B8C5-B045B0ED80C7}.exe"	{1A069E43-61E5-4a62-A3A3-5051AE04D6EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{598670DB-917A-4d13-9488-55E2B9CEAE7F}	{B71028D3-B0E4-4dbc-B8C5-B045B0ED80C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58C4689F-6D0E-465e-A039-3380128827D9}	{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C50AB4C1-7855-46dd-8177-C553FF65C329}	{58C4689F-6D0E-465e-A039-3380128827D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}	{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}	{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E9818EA-1912-4339-BE38-BBE4E7A4E748}	{20E68F74-5855-4d3c-BDEA-35FB056F1466}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E9818EA-1912-4339-BE38-BBE4E7A4E748}\stubpath = "C:\\Windows\\{8E9818EA-1912-4339-BE38-BBE4E7A4E748}.exe"	{20E68F74-5855-4d3c-BDEA-35FB056F1466}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E63D9897-8870-4bed-8CEE-B0089B7A1173}	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E63D9897-8870-4bed-8CEE-B0089B7A1173}\stubpath = "C:\\Windows\\{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe"	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}	{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A069E43-61E5-4a62-A3A3-5051AE04D6EC}	{8E9818EA-1912-4339-BE38-BBE4E7A4E748}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A069E43-61E5-4a62-A3A3-5051AE04D6EC}\stubpath = "C:\\Windows\\{1A069E43-61E5-4a62-A3A3-5051AE04D6EC}.exe"	{8E9818EA-1912-4339-BE38-BBE4E7A4E748}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B71028D3-B0E4-4dbc-B8C5-B045B0ED80C7}	{1A069E43-61E5-4a62-A3A3-5051AE04D6EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{598670DB-917A-4d13-9488-55E2B9CEAE7F}\stubpath = "C:\\Windows\\{598670DB-917A-4d13-9488-55E2B9CEAE7F}.exe"	{B71028D3-B0E4-4dbc-B8C5-B045B0ED80C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C50AB4C1-7855-46dd-8177-C553FF65C329}\stubpath = "C:\\Windows\\{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe"	{58C4689F-6D0E-465e-A039-3380128827D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}\stubpath = "C:\\Windows\\{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe"	{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20E68F74-5855-4d3c-BDEA-35FB056F1466}\stubpath = "C:\\Windows\\{20E68F74-5855-4d3c-BDEA-35FB056F1466}.exe"	{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe

Deletes itself 1 IoCs

pid	Process
1952	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2236	{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe
2696	{58C4689F-6D0E-465e-A039-3380128827D9}.exe
2632	{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe
2628	{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe
324	{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe
568	{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe
2636	{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe
3008	{20E68F74-5855-4d3c-BDEA-35FB056F1466}.exe
1208	{8E9818EA-1912-4339-BE38-BBE4E7A4E748}.exe
1216	{1A069E43-61E5-4a62-A3A3-5051AE04D6EC}.exe
1968	{B71028D3-B0E4-4dbc-B8C5-B045B0ED80C7}.exe
1600	{598670DB-917A-4d13-9488-55E2B9CEAE7F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{58C4689F-6D0E-465e-A039-3380128827D9}.exe	{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe
File created	C:\Windows\{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe	{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe
File created	C:\Windows\{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe	{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe
File created	C:\Windows\{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe	{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe
File created	C:\Windows\{20E68F74-5855-4d3c-BDEA-35FB056F1466}.exe	{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe
File created	C:\Windows\{8E9818EA-1912-4339-BE38-BBE4E7A4E748}.exe	{20E68F74-5855-4d3c-BDEA-35FB056F1466}.exe
File created	C:\Windows\{598670DB-917A-4d13-9488-55E2B9CEAE7F}.exe	{B71028D3-B0E4-4dbc-B8C5-B045B0ED80C7}.exe
File created	C:\Windows\{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe
File created	C:\Windows\{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe	{58C4689F-6D0E-465e-A039-3380128827D9}.exe
File created	C:\Windows\{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe	{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe
File created	C:\Windows\{1A069E43-61E5-4a62-A3A3-5051AE04D6EC}.exe	{8E9818EA-1912-4339-BE38-BBE4E7A4E748}.exe
File created	C:\Windows\{B71028D3-B0E4-4dbc-B8C5-B045B0ED80C7}.exe	{1A069E43-61E5-4a62-A3A3-5051AE04D6EC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2044	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2236	{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe
Token: SeIncBasePriorityPrivilege	2696	{58C4689F-6D0E-465e-A039-3380128827D9}.exe
Token: SeIncBasePriorityPrivilege	2632	{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe
Token: SeIncBasePriorityPrivilege	2628	{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe
Token: SeIncBasePriorityPrivilege	324	{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe
Token: SeIncBasePriorityPrivilege	568	{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe
Token: SeIncBasePriorityPrivilege	2636	{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe
Token: SeIncBasePriorityPrivilege	3008	{20E68F74-5855-4d3c-BDEA-35FB056F1466}.exe
Token: SeIncBasePriorityPrivilege	1208	{8E9818EA-1912-4339-BE38-BBE4E7A4E748}.exe
Token: SeIncBasePriorityPrivilege	1216	{1A069E43-61E5-4a62-A3A3-5051AE04D6EC}.exe
Token: SeIncBasePriorityPrivilege	1968	{B71028D3-B0E4-4dbc-B8C5-B045B0ED80C7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2236	2044	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe	29
PID 2044 wrote to memory of 2236	2044	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe	29
PID 2044 wrote to memory of 2236	2044	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe	29
PID 2044 wrote to memory of 2236	2044	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe	29
PID 2044 wrote to memory of 1952	2044	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe	28
PID 2044 wrote to memory of 1952	2044	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe	28
PID 2044 wrote to memory of 1952	2044	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe	28
PID 2044 wrote to memory of 1952	2044	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe	28
PID 2236 wrote to memory of 2696	2236	{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe	32
PID 2236 wrote to memory of 2696	2236	{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe	32
PID 2236 wrote to memory of 2696	2236	{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe	32
PID 2236 wrote to memory of 2696	2236	{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe	32
PID 2236 wrote to memory of 2860	2236	{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe	33
PID 2236 wrote to memory of 2860	2236	{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe	33
PID 2236 wrote to memory of 2860	2236	{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe	33
PID 2236 wrote to memory of 2860	2236	{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe	33
PID 2696 wrote to memory of 2632	2696	{58C4689F-6D0E-465e-A039-3380128827D9}.exe	34
PID 2696 wrote to memory of 2632	2696	{58C4689F-6D0E-465e-A039-3380128827D9}.exe	34
PID 2696 wrote to memory of 2632	2696	{58C4689F-6D0E-465e-A039-3380128827D9}.exe	34
PID 2696 wrote to memory of 2632	2696	{58C4689F-6D0E-465e-A039-3380128827D9}.exe	34
PID 2696 wrote to memory of 2592	2696	{58C4689F-6D0E-465e-A039-3380128827D9}.exe	35
PID 2696 wrote to memory of 2592	2696	{58C4689F-6D0E-465e-A039-3380128827D9}.exe	35
PID 2696 wrote to memory of 2592	2696	{58C4689F-6D0E-465e-A039-3380128827D9}.exe	35
PID 2696 wrote to memory of 2592	2696	{58C4689F-6D0E-465e-A039-3380128827D9}.exe	35
PID 2632 wrote to memory of 2628	2632	{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe	36
PID 2632 wrote to memory of 2628	2632	{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe	36
PID 2632 wrote to memory of 2628	2632	{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe	36
PID 2632 wrote to memory of 2628	2632	{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe	36
PID 2632 wrote to memory of 1892	2632	{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe	37
PID 2632 wrote to memory of 1892	2632	{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe	37
PID 2632 wrote to memory of 1892	2632	{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe	37
PID 2632 wrote to memory of 1892	2632	{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe	37
PID 2628 wrote to memory of 324	2628	{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe	38
PID 2628 wrote to memory of 324	2628	{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe	38
PID 2628 wrote to memory of 324	2628	{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe	38
PID 2628 wrote to memory of 324	2628	{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe	38
PID 2628 wrote to memory of 980	2628	{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe	39
PID 2628 wrote to memory of 980	2628	{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe	39
PID 2628 wrote to memory of 980	2628	{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe	39
PID 2628 wrote to memory of 980	2628	{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe	39
PID 324 wrote to memory of 568	324	{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe	40
PID 324 wrote to memory of 568	324	{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe	40
PID 324 wrote to memory of 568	324	{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe	40
PID 324 wrote to memory of 568	324	{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe	40
PID 324 wrote to memory of 2988	324	{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe	41
PID 324 wrote to memory of 2988	324	{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe	41
PID 324 wrote to memory of 2988	324	{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe	41
PID 324 wrote to memory of 2988	324	{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe	41
PID 568 wrote to memory of 2636	568	{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe	43
PID 568 wrote to memory of 2636	568	{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe	43
PID 568 wrote to memory of 2636	568	{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe	43
PID 568 wrote to memory of 2636	568	{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe	43
PID 568 wrote to memory of 2780	568	{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe	42
PID 568 wrote to memory of 2780	568	{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe	42
PID 568 wrote to memory of 2780	568	{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe	42
PID 568 wrote to memory of 2780	568	{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe	42
PID 2636 wrote to memory of 3008	2636	{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe	45
PID 2636 wrote to memory of 3008	2636	{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe	45
PID 2636 wrote to memory of 3008	2636	{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe	45
PID 2636 wrote to memory of 3008	2636	{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe	45
PID 2636 wrote to memory of 2968	2636	{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe	44
PID 2636 wrote to memory of 2968	2636	{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe	44
PID 2636 wrote to memory of 2968	2636	{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe	44
PID 2636 wrote to memory of 2968	2636	{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1952
- C:\Windows\{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe
  C:\Windows\{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\{58C4689F-6D0E-465e-A039-3380128827D9}.exe
    C:\Windows\{58C4689F-6D0E-465e-A039-3380128827D9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe
      C:\Windows\{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe
        
        C:\Windows\{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe
        
        C:\Windows\{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe
        
        C:\Windows\{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E432~1.EXE > nul
        8⤵
        
        PID:2780
        
        C:\Windows\{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe
        
        C:\Windows\{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71ED9~1.EXE > nul
        9⤵
        
        PID:2968
        
        C:\Windows\{20E68F74-5855-4d3c-BDEA-35FB056F1466}.exe
        
        C:\Windows\{20E68F74-5855-4d3c-BDEA-35FB056F1466}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20E68~1.EXE > nul
        10⤵
        
        PID:1652
        
        C:\Windows\{8E9818EA-1912-4339-BE38-BBE4E7A4E748}.exe
        
        C:\Windows\{8E9818EA-1912-4339-BE38-BBE4E7A4E748}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\{1A069E43-61E5-4a62-A3A3-5051AE04D6EC}.exe
        
        C:\Windows\{1A069E43-61E5-4a62-A3A3-5051AE04D6EC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\{B71028D3-B0E4-4dbc-B8C5-B045B0ED80C7}.exe
        
        C:\Windows\{B71028D3-B0E4-4dbc-B8C5-B045B0ED80C7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\{598670DB-917A-4d13-9488-55E2B9CEAE7F}.exe
        
        C:\Windows\{598670DB-917A-4d13-9488-55E2B9CEAE7F}.exe
        13⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7102~1.EXE > nul
        13⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A069~1.EXE > nul
        12⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E981~1.EXE > nul
        11⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F7A9~1.EXE > nul
        7⤵
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F4AD~1.EXE > nul
        6⤵
        
        PID:980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C50AB~1.EXE > nul
        5⤵
        
        PID:1892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{58C46~1.EXE > nul
      4⤵
      PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E63D9~1.EXE > nul
    3⤵
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A069E43-61E5-4a62-A3A3-5051AE04D6EC}.exe

Filesize
408KB

MD5
bbfb3163f9f5381e6ea02d60d04887c5

SHA1
8a2f96bd644415e12b91bfd53f3459f6cee44a16

SHA256
4809dd37786298bc8825a256e885daec47a011b66eb281c1b249cc0a07760263

SHA512
b61547672b55e968bddc5c0b888c17bffd3841ee12f1b02a88bd7af93384243f89e32cc61c3a94c1731f6736b0d38c63b030ea30c9fea320cecc0d65d2580fa4

Download Submit
C:\Windows\{20E68F74-5855-4d3c-BDEA-35FB056F1466}.exe

Filesize
408KB

MD5
05941f3a0c5226998836541e16baf24a

SHA1
5fe24dbe6adc10c214d510a77e139c2992337d76

SHA256
47c919d0fbd6e38f8d4f138c18281f7c254cec0a87cdf526c099472fec8db96d

SHA512
7dd7d79026e97614a2f859ea7cf9ec1a0e6e852ae257af22a122a164b5ffcba13c96e8fbb6fd769b8f2830920f02f4755ee82bc776a88b86e819bac821a4bfdc

Download Submit
C:\Windows\{2F4AD435-C55D-4058-90EF-FBCE3E8DA6CA}.exe

Filesize
408KB

MD5
1cb315da10e745976a5ed035d4a97e31

SHA1
37c9fd1741ff21381d6ef4ab382f5ce69a77d633

SHA256
99d67376cee14db6285e2d43a65132527aaf4407f80b5fb10aaea964761ac719

SHA512
1403918250e22a82fcccc91a023351ece39ade682849248c30d3ab3d2b5e588a895fc8026a3592e62f3e4281c39ede949615a31564d86dfca82bb86b4a76019d

Download Submit
C:\Windows\{58C4689F-6D0E-465e-A039-3380128827D9}.exe

Filesize
92KB

MD5
f7386fa6477b89c68c31d8ba4f414fac

SHA1
d8d6ded88ead5a914fc5850357ad3678af0693c8

SHA256
bd2fbf2770ef385ea088a7e41a1dde550162b9f2a7e3fb504e50a608a11cdc39

SHA512
443230858ca1afb9c54b6ebe65f1b9be04203e0ba90a34a636886eb6155edc48bb774752cd936388e4b13f3baeeda5a3c157fe7bc503e937cfb5f8872c46da6d

Download Submit
C:\Windows\{58C4689F-6D0E-465e-A039-3380128827D9}.exe

Filesize
408KB

MD5
596be364e9fee0cd3d4b489ca8b229a7

SHA1
63ecd7d752ca17867d8008680d201bc707123b58

SHA256
77769ad8a17c05daf3240ed7d5c75372ffea7437796ea5222d05662e8f47013d

SHA512
e4863d7759c658cf5b77b51596bbe304c83d797f0e6c46ad51410cedbbbbcd76c67e65cdbaeaca2911307c2b3ebda4477fd376bd02f22ce020aefafcd5900b11

Download Submit
C:\Windows\{598670DB-917A-4d13-9488-55E2B9CEAE7F}.exe

Filesize
408KB

MD5
b4fc52f69ce591b02ee00701ddf4aec7

SHA1
4623bf0508186bd73b99a027fb0473183835a5a1

SHA256
c6bdf15621937cd0de6c7c7c22cb7f0d9df2333b47878e359335cb3c2b25807f

SHA512
b15e0b605bc1c9d90a80420f0c83c5f3bf835ff4ffe0f937ac4646abb54ed724c6b59eede40411462249145cc2b668985346bf46e5f477760f1f43eb71354f64

Download Submit
C:\Windows\{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe

Filesize
101KB

MD5
eaac00713fd04d8d4064055c0d83bbf0

SHA1
1cf4c37e30d18051761c5b7b210582b1112b84bb

SHA256
d25627aa010f36ecc6c60ab0d3d88f9dc0ffaa48519e0a504b07b9be36bf67e5

SHA512
ed005e72a094f983324f2cf5a6f29cacc1fcdc6ed00a0fdfd4b9e6843025b38f79c282d3d873634222b02dc4803d3cb843a1c42e9f8a33c6099a7aab4c48be75

Download Submit
C:\Windows\{71ED9427-8FEF-41f7-B01D-DB24682E27A6}.exe

Filesize
408KB

MD5
22ecd6454c02447da15285e85b38cfd8

SHA1
9e0f375c86a13d4023686d03a3a4235647eaceba

SHA256
40a1cf0d09504664aea8d588c6113bb40e772fb9cca0b3c3c83d01377925eca1

SHA512
43cb7428aeb347c3c831719d6343c4cea3d298eeab04e85685e13cde51730cba3a0fa79516aa9f7db8009775c33b9f8b16ad4f5af8802f911700cbb055b2dd0e

Download Submit
C:\Windows\{7F7A938C-BB14-44b6-8957-8D6FB9A2CEE7}.exe

Filesize
408KB

MD5
a2a8b1c18f132fa7fe0412872b146c3e

SHA1
bf07c0c00d996ba9937be1ca6bf5a278c284afc6

SHA256
8f86687bc45c0d471cd53e12926cc6bf4dd3b78b9dbaaf2b5addf9efdf9813f7

SHA512
8ca01b445946f0b5d1a63c292ddeca0b0cf1ecd8f6247f89c95cd15983801b8f0d0f1b7e0b1505db2dd30a6693a103e346fea0710f5c57b2b818b706974e955f

Download Submit
C:\Windows\{8E4329F9-BB12-4768-A2DD-66F5D2FAAF51}.exe

Filesize
408KB

MD5
7b05324fcc79583369df99fe54250e96

SHA1
b1eb63e6ed34d57a2872c172c300391196c53344

SHA256
d5a6cd618e9c935749b16decb1e8e648593eb393820d5da6435e57c63ff45720

SHA512
c108b4088853bf6bc2f0ca85ba41bf6e92408bc604969c0be8fc75e0858190cab7f643db929099acd0aa87bf6ae5fe11861630450429faccd230e757455f4589

Download Submit
C:\Windows\{8E9818EA-1912-4339-BE38-BBE4E7A4E748}.exe

Filesize
408KB

MD5
7c0fb4b46f515af7b38c7ebb8d6c62e0

SHA1
15c7fc6cb46cd80797d2de4241f38608e0ad4d8d

SHA256
e2578a923dfad8eef7e2f7a2fe70194d28faf0fe6f3f99ab124e583c183818d2

SHA512
12124c1d700983894bacf758464d13d4fcc34131631f046cc4047d485f6d0cf83b91a1f13c834342978071c83938babae371f506a3abdecbbccfb43a88469dac

Download Submit
C:\Windows\{B71028D3-B0E4-4dbc-B8C5-B045B0ED80C7}.exe

Filesize
408KB

MD5
1a08e54aff16116c5c3925a12c23a78f

SHA1
bb8352c05c584981f40750f1bb42341c627e207d

SHA256
eb990828c5b463d6da487f97081a42b94ccdd1e1f2b473335df482a7478f40d0

SHA512
fd9546a7bb93e0fdbc795b4da04662d34c9e3f1ba1b11c3a30af5fa7ec20cd473c300a3da66a0d6b8e8566f846a3198b14a162cf1a0bd4787e94bbbaeda1a4fa

Download Submit
C:\Windows\{C50AB4C1-7855-46dd-8177-C553FF65C329}.exe

Filesize
408KB

MD5
5b5ad5930426dfcc2daa7f51b33ded3b

SHA1
b82dc630d6286e9f034fdacee4fff9f7597b77aa

SHA256
cbe343aabad153ff53ac7866622314404f099af9318b1b5b1ca28e94d1aeea44

SHA512
0dc05b19558d815cc03708d0a065262c54e0ed265644474fbec6178d6d6b3d16df37bfe684cacb00a3b00875cf9e6a05051a75ceaae1e8ed34033ec7d4c76994

Download Submit
C:\Windows\{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe

Filesize
67KB

MD5
b4be7052a030d2804387fcda0b927b9d

SHA1
566668a6e21b8b9bd854ebf117a24437caabb46d

SHA256
c330e876ad8a11841d5c10710eab309f71261b5ff48899abf3fd418585d67e96

SHA512
bcf57a398970e778ca59f2be5bd4d76ea8b81b6dee0920dbe4ea2f3c3e15d9ff9bb6461ecb59a80dcdec317ef22dc39ffcb380b64b0eeb82227fcc3a05c80690

Download Submit
C:\Windows\{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe

Filesize
43KB

MD5
87653c6fbcb7ebba9b7dd35e6d4d4c88

SHA1
d9794b88338616d77cc7f9729223b86353200394

SHA256
cd2e36a0319b942a215938119158b94956ef1ef09f942cdb788da74ffc91af09

SHA512
36b55f31edef9b85b31e1e92ea0bc2b53c6135a2acce2ed3fcf6fd86646189cadc8b23aaae1f679f0023194a27acf860b5fb6f6553198eeb44300cf3521e105b

Download Submit
C:\Windows\{E63D9897-8870-4bed-8CEE-B0089B7A1173}.exe

Filesize
136KB

MD5
d14c986f17ca7bb0b7ac75d1cddd0516

SHA1
a385ed6d3c50376464f105b9233503903f2d584d

SHA256
f90b45e23dcc4fd60754b9656217d93f0017464355514b326f971057532de960

SHA512
b1bfb49747cad9b3b9337925f4a4ed57f85caff93211c390ff105c7be0ee87c5fc12862da256d81d5cd3c8e98b3c5688b7b2eaa4ffa98bfff9b0f1f7385fe60b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads