0b085ae04be55c927ca560265dca477b7c246664e77a6ba7907e2487b802e215

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe
Size

380KB
MD5

1c3b0cac6ef7f77f5568e703e435e1ca
SHA1

72223b32312e2f879e834df12cdd5601fb03fca8
SHA256

0b085ae04be55c927ca560265dca477b7c246664e77a6ba7907e2487b802e215
SHA512

8d05c1deb2c92806ad0146c0a0409d829b22f5ac88f7642b0ae3551f53d42e8708372330986412f065857895fc141bd76fc10c039818e5961de4005c762e8009
SSDEEP

3072:mEGh0oZlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGvl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AA764AE-926B-42e7-A8E9-537C707EDE7C}\stubpath = "C:\\Windows\\{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe"	{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4159B75-2681-4069-901E-FC31729553BB}	{1F0EBA69-9433-4711-A471-7C8F88A6470B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D245783-0AC3-46d3-BB3B-33D1CE246243}	{A4159B75-2681-4069-901E-FC31729553BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26412C12-78D1-4e0a-B35C-198C95F99A1E}\stubpath = "C:\\Windows\\{26412C12-78D1-4e0a-B35C-198C95F99A1E}.exe"	{9D245783-0AC3-46d3-BB3B-33D1CE246243}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C49169ED-122E-445d-B93E-1C6329E57D12}\stubpath = "C:\\Windows\\{C49169ED-122E-445d-B93E-1C6329E57D12}.exe"	{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{324E46EB-B7DE-4e01-81D8-3AE937A4F053}	{C49169ED-122E-445d-B93E-1C6329E57D12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0346CA4-6CF0-459a-A02E-9D3825F49231}\stubpath = "C:\\Windows\\{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe"	{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F0EBA69-9433-4711-A471-7C8F88A6470B}\stubpath = "C:\\Windows\\{1F0EBA69-9433-4711-A471-7C8F88A6470B}.exe"	{C0355AAF-2C23-480f-B552-0307F10B214D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4159B75-2681-4069-901E-FC31729553BB}\stubpath = "C:\\Windows\\{A4159B75-2681-4069-901E-FC31729553BB}.exe"	{1F0EBA69-9433-4711-A471-7C8F88A6470B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D245783-0AC3-46d3-BB3B-33D1CE246243}\stubpath = "C:\\Windows\\{9D245783-0AC3-46d3-BB3B-33D1CE246243}.exe"	{A4159B75-2681-4069-901E-FC31729553BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26412C12-78D1-4e0a-B35C-198C95F99A1E}	{9D245783-0AC3-46d3-BB3B-33D1CE246243}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D716324-EACE-4905-914A-81660A507C9D}\stubpath = "C:\\Windows\\{7D716324-EACE-4905-914A-81660A507C9D}.exe"	2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C49169ED-122E-445d-B93E-1C6329E57D12}	{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{324E46EB-B7DE-4e01-81D8-3AE937A4F053}\stubpath = "C:\\Windows\\{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe"	{C49169ED-122E-445d-B93E-1C6329E57D12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0355AAF-2C23-480f-B552-0307F10B214D}\stubpath = "C:\\Windows\\{C0355AAF-2C23-480f-B552-0307F10B214D}.exe"	{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D716324-EACE-4905-914A-81660A507C9D}	2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}	{7D716324-EACE-4905-914A-81660A507C9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}\stubpath = "C:\\Windows\\{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe"	{7D716324-EACE-4905-914A-81660A507C9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AA764AE-926B-42e7-A8E9-537C707EDE7C}	{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0346CA4-6CF0-459a-A02E-9D3825F49231}	{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0355AAF-2C23-480f-B552-0307F10B214D}	{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F0EBA69-9433-4711-A471-7C8F88A6470B}	{C0355AAF-2C23-480f-B552-0307F10B214D}.exe

Executes dropped EXE 11 IoCs

pid	Process
2264	{7D716324-EACE-4905-914A-81660A507C9D}.exe
2556	{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe
2724	{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe
1960	{C49169ED-122E-445d-B93E-1C6329E57D12}.exe
1820	{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe
2024	{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe
1748	{C0355AAF-2C23-480f-B552-0307F10B214D}.exe
352	{1F0EBA69-9433-4711-A471-7C8F88A6470B}.exe
1228	{A4159B75-2681-4069-901E-FC31729553BB}.exe
792	{9D245783-0AC3-46d3-BB3B-33D1CE246243}.exe
1740	{26412C12-78D1-4e0a-B35C-198C95F99A1E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7D716324-EACE-4905-914A-81660A507C9D}.exe	2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe
File created	C:\Windows\{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe	{7D716324-EACE-4905-914A-81660A507C9D}.exe
File created	C:\Windows\{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe	{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe
File created	C:\Windows\{C49169ED-122E-445d-B93E-1C6329E57D12}.exe	{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe
File created	C:\Windows\{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe	{C49169ED-122E-445d-B93E-1C6329E57D12}.exe
File created	C:\Windows\{C0355AAF-2C23-480f-B552-0307F10B214D}.exe	{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe
File created	C:\Windows\{A4159B75-2681-4069-901E-FC31729553BB}.exe	{1F0EBA69-9433-4711-A471-7C8F88A6470B}.exe
File created	C:\Windows\{26412C12-78D1-4e0a-B35C-198C95F99A1E}.exe	{9D245783-0AC3-46d3-BB3B-33D1CE246243}.exe
File created	C:\Windows\{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe	{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe
File created	C:\Windows\{1F0EBA69-9433-4711-A471-7C8F88A6470B}.exe	{C0355AAF-2C23-480f-B552-0307F10B214D}.exe
File created	C:\Windows\{9D245783-0AC3-46d3-BB3B-33D1CE246243}.exe	{A4159B75-2681-4069-901E-FC31729553BB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2016	2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2264	{7D716324-EACE-4905-914A-81660A507C9D}.exe
Token: SeIncBasePriorityPrivilege	2556	{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe
Token: SeIncBasePriorityPrivilege	2724	{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe
Token: SeIncBasePriorityPrivilege	1960	{C49169ED-122E-445d-B93E-1C6329E57D12}.exe
Token: SeIncBasePriorityPrivilege	1820	{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe
Token: SeIncBasePriorityPrivilege	2024	{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe
Token: SeIncBasePriorityPrivilege	1748	{C0355AAF-2C23-480f-B552-0307F10B214D}.exe
Token: SeIncBasePriorityPrivilege	352	{1F0EBA69-9433-4711-A471-7C8F88A6470B}.exe
Token: SeIncBasePriorityPrivilege	1228	{A4159B75-2681-4069-901E-FC31729553BB}.exe
Token: SeIncBasePriorityPrivilege	792	{9D245783-0AC3-46d3-BB3B-33D1CE246243}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2264	2016	2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe	28
PID 2016 wrote to memory of 2264	2016	2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe	28
PID 2016 wrote to memory of 2264	2016	2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe	28
PID 2016 wrote to memory of 2264	2016	2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe	28
PID 2016 wrote to memory of 2700	2016	2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe	29
PID 2016 wrote to memory of 2700	2016	2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe	29
PID 2016 wrote to memory of 2700	2016	2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe	29
PID 2016 wrote to memory of 2700	2016	2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe	29
PID 2264 wrote to memory of 2556	2264	{7D716324-EACE-4905-914A-81660A507C9D}.exe	30
PID 2264 wrote to memory of 2556	2264	{7D716324-EACE-4905-914A-81660A507C9D}.exe	30
PID 2264 wrote to memory of 2556	2264	{7D716324-EACE-4905-914A-81660A507C9D}.exe	30
PID 2264 wrote to memory of 2556	2264	{7D716324-EACE-4905-914A-81660A507C9D}.exe	30
PID 2264 wrote to memory of 2712	2264	{7D716324-EACE-4905-914A-81660A507C9D}.exe	31
PID 2264 wrote to memory of 2712	2264	{7D716324-EACE-4905-914A-81660A507C9D}.exe	31
PID 2264 wrote to memory of 2712	2264	{7D716324-EACE-4905-914A-81660A507C9D}.exe	31
PID 2264 wrote to memory of 2712	2264	{7D716324-EACE-4905-914A-81660A507C9D}.exe	31
PID 2556 wrote to memory of 2724	2556	{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe	32
PID 2556 wrote to memory of 2724	2556	{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe	32
PID 2556 wrote to memory of 2724	2556	{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe	32
PID 2556 wrote to memory of 2724	2556	{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe	32
PID 2556 wrote to memory of 2500	2556	{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe	33
PID 2556 wrote to memory of 2500	2556	{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe	33
PID 2556 wrote to memory of 2500	2556	{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe	33
PID 2556 wrote to memory of 2500	2556	{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe	33
PID 2724 wrote to memory of 1960	2724	{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe	36
PID 2724 wrote to memory of 1960	2724	{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe	36
PID 2724 wrote to memory of 1960	2724	{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe	36
PID 2724 wrote to memory of 1960	2724	{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe	36
PID 2724 wrote to memory of 2152	2724	{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe	37
PID 2724 wrote to memory of 2152	2724	{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe	37
PID 2724 wrote to memory of 2152	2724	{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe	37
PID 2724 wrote to memory of 2152	2724	{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe	37
PID 1960 wrote to memory of 1820	1960	{C49169ED-122E-445d-B93E-1C6329E57D12}.exe	39
PID 1960 wrote to memory of 1820	1960	{C49169ED-122E-445d-B93E-1C6329E57D12}.exe	39
PID 1960 wrote to memory of 1820	1960	{C49169ED-122E-445d-B93E-1C6329E57D12}.exe	39
PID 1960 wrote to memory of 1820	1960	{C49169ED-122E-445d-B93E-1C6329E57D12}.exe	39
PID 1960 wrote to memory of 2848	1960	{C49169ED-122E-445d-B93E-1C6329E57D12}.exe	38
PID 1960 wrote to memory of 2848	1960	{C49169ED-122E-445d-B93E-1C6329E57D12}.exe	38
PID 1960 wrote to memory of 2848	1960	{C49169ED-122E-445d-B93E-1C6329E57D12}.exe	38
PID 1960 wrote to memory of 2848	1960	{C49169ED-122E-445d-B93E-1C6329E57D12}.exe	38
PID 1820 wrote to memory of 2024	1820	{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe	41
PID 1820 wrote to memory of 2024	1820	{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe	41
PID 1820 wrote to memory of 2024	1820	{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe	41
PID 1820 wrote to memory of 2024	1820	{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe	41
PID 1820 wrote to memory of 2204	1820	{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe	40
PID 1820 wrote to memory of 2204	1820	{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe	40
PID 1820 wrote to memory of 2204	1820	{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe	40
PID 1820 wrote to memory of 2204	1820	{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe	40
PID 2024 wrote to memory of 1748	2024	{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe	42
PID 2024 wrote to memory of 1748	2024	{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe	42
PID 2024 wrote to memory of 1748	2024	{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe	42
PID 2024 wrote to memory of 1748	2024	{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe	42
PID 2024 wrote to memory of 2144	2024	{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe	43
PID 2024 wrote to memory of 2144	2024	{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe	43
PID 2024 wrote to memory of 2144	2024	{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe	43
PID 2024 wrote to memory of 2144	2024	{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe	43
PID 1748 wrote to memory of 352	1748	{C0355AAF-2C23-480f-B552-0307F10B214D}.exe	44
PID 1748 wrote to memory of 352	1748	{C0355AAF-2C23-480f-B552-0307F10B214D}.exe	44
PID 1748 wrote to memory of 352	1748	{C0355AAF-2C23-480f-B552-0307F10B214D}.exe	44
PID 1748 wrote to memory of 352	1748	{C0355AAF-2C23-480f-B552-0307F10B214D}.exe	44
PID 1748 wrote to memory of 2416	1748	{C0355AAF-2C23-480f-B552-0307F10B214D}.exe	45
PID 1748 wrote to memory of 2416	1748	{C0355AAF-2C23-480f-B552-0307F10B214D}.exe	45
PID 1748 wrote to memory of 2416	1748	{C0355AAF-2C23-480f-B552-0307F10B214D}.exe	45
PID 1748 wrote to memory of 2416	1748	{C0355AAF-2C23-480f-B552-0307F10B214D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_1c3b0cac6ef7f77f5568e703e435e1ca_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\{7D716324-EACE-4905-914A-81660A507C9D}.exe
  C:\Windows\{7D716324-EACE-4905-914A-81660A507C9D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe
    C:\Windows\{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe
      C:\Windows\{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\{C49169ED-122E-445d-B93E-1C6329E57D12}.exe
        
        C:\Windows\{C49169ED-122E-445d-B93E-1C6329E57D12}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4916~1.EXE > nul
        6⤵
        
        PID:2848
      - C:\Windows\{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe
        
        C:\Windows\{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{324E4~1.EXE > nul
        7⤵
        
        PID:2204
        
        C:\Windows\{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe
        
        C:\Windows\{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\{C0355AAF-2C23-480f-B552-0307F10B214D}.exe
        
        C:\Windows\{C0355AAF-2C23-480f-B552-0307F10B214D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\{1F0EBA69-9433-4711-A471-7C8F88A6470B}.exe
        
        C:\Windows\{1F0EBA69-9433-4711-A471-7C8F88A6470B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
        
        C:\Windows\{A4159B75-2681-4069-901E-FC31729553BB}.exe
        
        C:\Windows\{A4159B75-2681-4069-901E-FC31729553BB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\{9D245783-0AC3-46d3-BB3B-33D1CE246243}.exe
        
        C:\Windows\{9D245783-0AC3-46d3-BB3B-33D1CE246243}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
        
        C:\Windows\{26412C12-78D1-4e0a-B35C-198C95F99A1E}.exe
        
        C:\Windows\{26412C12-78D1-4e0a-B35C-198C95F99A1E}.exe
        12⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D245~1.EXE > nul
        12⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4159~1.EXE > nul
        11⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F0EB~1.EXE > nul
        10⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0355~1.EXE > nul
        9⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0346~1.EXE > nul
        8⤵
        
        PID:2144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AA76~1.EXE > nul
        5⤵
        
        PID:2152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9CEB8~1.EXE > nul
      4⤵
      PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7D716~1.EXE > nul
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F0EBA69-9433-4711-A471-7C8F88A6470B}.exe

Filesize
380KB

MD5
d469d9c6b8a30385f923cd2a7e46a943

SHA1
ec94822ac5018dd756af7486649068152bad9c36

SHA256
39ed37db703691a279108538e9468d7f0f8fbdafb9fad61f9b63a1d8ce882add

SHA512
7460730c76f2538b51cbed7d6d45e1c9d6f2705086864f614dab01c907a1d058846ba036fd24d5f874da95ed8e3378b74a0a40579bba1282cc47b3c40045cc02

Download Submit
C:\Windows\{26412C12-78D1-4e0a-B35C-198C95F99A1E}.exe

Filesize
380KB

MD5
5dc9153b46894b8a8b6e9e05e131de83

SHA1
e53d0b35d3492d4af20e137466ed8241c384ef0c

SHA256
2986479cf4bbe7d9f013c9c28b72325d9f079121a504e2219d271070cc1a08f1

SHA512
2b5f206b980568e4bc1570af2cfa67ec64064a0491e196cf4b65d6be63c5a76876551d670dbacd5e8fb715e9a0afd9d84b04ef1cc200fd8ea7fd8a5eb4272a33

Download Submit
C:\Windows\{324E46EB-B7DE-4e01-81D8-3AE937A4F053}.exe

Filesize
380KB

MD5
6edc955766828b823f80fb1982dd21cd

SHA1
865f1862a440522034905a5e6404c47e9953f8fc

SHA256
1046f3c8b59c9b95cecacc9388457414bc152cef2a4b8ba04cf8976adbbc237f

SHA512
7d6bbafa57daab84ca70506c56b351f9cd7bea7bc07885d66a924e68aefc33570bcba55dcdaf938a4f35b5662b40483fbf37246fc8739601a6e1123fc272bd5b

Download Submit
C:\Windows\{5AA764AE-926B-42e7-A8E9-537C707EDE7C}.exe

Filesize
380KB

MD5
61c58ca5b31c23a7dc7563d8a9c658ea

SHA1
0ba28031651b32fe4edc6320d1f7d97a32257824

SHA256
4fb01ef9ad861d92f90cf7db701d89410828f551691445b08edefdccc3b4176c

SHA512
089047a49b5f7c0c72240891b9bc87db7f692195e5590bd86584617ad4b3fff352e4fce81b3acbbe7549f0bbf4494d8982a0ea4d70fedb4536056fdb1f821a7e

Download Submit
C:\Windows\{7D716324-EACE-4905-914A-81660A507C9D}.exe

Filesize
64KB

MD5
a885f03bed92d9062d30cdea6c6a2d55

SHA1
de97cdc77a5afea6e336b954a32a801f4c7af645

SHA256
168973db356b0dd59373748c2f538ed9059653fb39935d985bddb80731391920

SHA512
3c62f4c9e4369cd91a65951a384a748667b9dd5e879ed3d44a3eb7d8c8ab22a81fbd6e8cabd0a41c148e239c89ce86d13df167a8b613784a7c5150860a9d5dd1

Download Submit
C:\Windows\{7D716324-EACE-4905-914A-81660A507C9D}.exe

Filesize
108KB

MD5
77207d2e1c1d80bad848308816443358

SHA1
8069901adf8f92a67b3c79ba18d7d4c8d4026ac1

SHA256
cab03db7fa6d31c05a8ddbcbde25eb01df743caf30f0a0e64e89a3c508330bc5

SHA512
94a2651cb1c10c0c4637a7718821f367d968dcc4922980657c8d2f33a9c4377f3797e48f84454b4b0d51da0ee080b4996bfeb9e1634318187f50e7f477bb7964

Download Submit
C:\Windows\{7D716324-EACE-4905-914A-81660A507C9D}.exe

Filesize
380KB

MD5
c5d99ed83cba4b39c444b2c7dddf2773

SHA1
7add63535176cbe8b7cc6507b794e24a4a871dd6

SHA256
90703eda10eeb1dc3b152341f7442c7ed2755ab068cb8f097878ba4329e72abe

SHA512
381522d3f496b953b26bc3d01c44b1fcf841138212bcbbe06e6adbeb20f35ca76564842ce1da629c005db3037eb8a94048e7a4c233f400b424c73c1796a721dc

Download Submit
C:\Windows\{9CEB8742-F8F7-49a3-A4DF-3DBBA5A0B9CE}.exe

Filesize
380KB

MD5
1181039c1d2f8fb01ac76b6475edec17

SHA1
62186e471726f4d43a059dbf3c6206dccacf3ce0

SHA256
361bc601bb9bc921caa7ad97382d8d07498b4d3241da504df87de07707d5c4f4

SHA512
5da755ee217f0e79cce152079f333dfd2169b000d024f3e8b67b8ff2c0ad5932bfa63b02b57eeb9facffc061065b1715c91d62851b7c72249f63ac276473c71a

Download Submit
C:\Windows\{9D245783-0AC3-46d3-BB3B-33D1CE246243}.exe

Filesize
380KB

MD5
17c6a300efd0525ade672baad478437b

SHA1
e25c3874c87827aee1d20914994d73f48f7ea31e

SHA256
0fcac8fcc7669f216bf6659a792d60ffa5b23025c8d92d917e82e2e2fa67036f

SHA512
be4f4f30bdd272314af7c566107e663611a9dfd5f6d415319dd8a79d12ffe48683d3ad1273ccf0f948c3b1f0c4bef2f3733a3ef27bb2d2cad3eefb6d8c2ac01d

Download Submit
C:\Windows\{A4159B75-2681-4069-901E-FC31729553BB}.exe

Filesize
380KB

MD5
a202e86f649e57640a881acb564a4718

SHA1
da31f31ce5c27c0de205122c6ee7d1e94abb31ab

SHA256
72495a39f9172a564160094c29330f3977f3649f6c0dafdbdcff50b33a09067e

SHA512
b215a97413b4b45165e082655043bdd9f87b00b1184947808ccf425292037e585ed7f0921e4d1d43b4253c2a5ebcb77e4568d0d7a947a50e9d5d8f2557970ca3

Download Submit
C:\Windows\{B0346CA4-6CF0-459a-A02E-9D3825F49231}.exe

Filesize
380KB

MD5
38385611c3adfeb3f2de2e94b913774f

SHA1
8a1ca796a55143735e711182826885632e0376de

SHA256
7ef1821d43dc14cca1f634d8d1945eef4f9e19232acad27726a99a40c044bf4c

SHA512
52679ee78ac1d245a9f2ddf6f3cbd1c41d24ad3f4238175da7ec06cda49e718e673cdc0f6f8ca48ddf65b3c3fc7b94b34b7a611d0470624dc1a7a735d5055e72

Download Submit
C:\Windows\{C0355AAF-2C23-480f-B552-0307F10B214D}.exe

Filesize
380KB

MD5
620a63bf159be4d299373a175647cebb

SHA1
73a95dd363b96af09a340e36368557c3bd78da54

SHA256
727b2d301ee61dcf2945c4500eb1347d9cf47596e9c3fbb1e637f9b54f30578b

SHA512
7e8c042e853c68e629a6c68b7f056276cd9cf34241be2251308ebff2729b016b01a02c474e14a2b11669f2cf228ab4150da87b0e29386ed4573ea732f5d1432a

Download Submit
C:\Windows\{C49169ED-122E-445d-B93E-1C6329E57D12}.exe

Filesize
380KB

MD5
9e1943eab31dabf4301af1817474cc80

SHA1
27308bb35770feff912b9a8e2ad24bc67a193438

SHA256
6904412b2a45343debbcfa9bc35dfa1cadeafe01c2476da54e3ab1645e7f8018

SHA512
278dbe39bc210e2c3109f4780f766d22dd4f9328bf7f9a9c4802c3ac8d184ee3111be5efc79d19cd8647d601fc53a37b9e12871876a4152df71cbbbb4d4de851

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads