772e39cfbdbbc007daee216be24fe70cd6cecc5e54915de0288c2505842acb5d

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe
Size

180KB
MD5

31f7b4798c74d1b96897b7504e0f807f
SHA1

c3703db1b73f0a9d50d2f7610d02dcf8140a2365
SHA256

772e39cfbdbbc007daee216be24fe70cd6cecc5e54915de0288c2505842acb5d
SHA512

8a6b96f4d12e3eb27fb709e0727b0e0aabd2067137f7bfb1c335573f8ef7e6d2c11e73b5c8e1f92357e16d0e637a1b83181ff1caa351803e6f1a8c018fac9bd8
SSDEEP

3072:jEGh0oElfeso7ie+rMC4F0fJGRIS8Rfd7eQEsGcr:jEGelJeKMAEs

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}\stubpath = "C:\\Windows\\{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe"	{F94A536C-5D80-4268-89B2-874E44A539BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}\stubpath = "C:\\Windows\\{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe"	{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F6E883C-4F11-44e6-8F45-FCEECA885827}	{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD95057E-2F9E-45c1-8E42-026FCA6E1430}\stubpath = "C:\\Windows\\{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe"	{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90461123-D212-410b-A2CC-63091B2C9DFD}	{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AA3FCED-9668-49d9-ABE7-4332CDBA0237}	{90461123-D212-410b-A2CC-63091B2C9DFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B53F566-3B52-4185-828A-FBE6851F2278}\stubpath = "C:\\Windows\\{9B53F566-3B52-4185-828A-FBE6851F2278}.exe"	{7AA3FCED-9668-49d9-ABE7-4332CDBA0237}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1E7F215-7973-4f8b-89DA-E255E4103C5F}\stubpath = "C:\\Windows\\{A1E7F215-7973-4f8b-89DA-E255E4103C5F}.exe"	{9B53F566-3B52-4185-828A-FBE6851F2278}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F94A536C-5D80-4268-89B2-874E44A539BA}\stubpath = "C:\\Windows\\{F94A536C-5D80-4268-89B2-874E44A539BA}.exe"	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}	{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}	{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F6E883C-4F11-44e6-8F45-FCEECA885827}\stubpath = "C:\\Windows\\{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe"	{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D85B11B-7A36-4a0c-883B-A09DF798BE50}	{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD95057E-2F9E-45c1-8E42-026FCA6E1430}	{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1E7F215-7973-4f8b-89DA-E255E4103C5F}	{9B53F566-3B52-4185-828A-FBE6851F2278}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90461123-D212-410b-A2CC-63091B2C9DFD}\stubpath = "C:\\Windows\\{90461123-D212-410b-A2CC-63091B2C9DFD}.exe"	{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AA3FCED-9668-49d9-ABE7-4332CDBA0237}\stubpath = "C:\\Windows\\{7AA3FCED-9668-49d9-ABE7-4332CDBA0237}.exe"	{90461123-D212-410b-A2CC-63091B2C9DFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B53F566-3B52-4185-828A-FBE6851F2278}	{7AA3FCED-9668-49d9-ABE7-4332CDBA0237}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F94A536C-5D80-4268-89B2-874E44A539BA}	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}	{F94A536C-5D80-4268-89B2-874E44A539BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}\stubpath = "C:\\Windows\\{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe"	{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D85B11B-7A36-4a0c-883B-A09DF798BE50}\stubpath = "C:\\Windows\\{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe"	{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe

Executes dropped EXE 11 IoCs

pid	Process
3064	{F94A536C-5D80-4268-89B2-874E44A539BA}.exe
2700	{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe
2628	{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe
3024	{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe
2444	{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe
1084	{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe
2764	{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe
1376	{90461123-D212-410b-A2CC-63091B2C9DFD}.exe
2280	{7AA3FCED-9668-49d9-ABE7-4332CDBA0237}.exe
692	{9B53F566-3B52-4185-828A-FBE6851F2278}.exe
868	{A1E7F215-7973-4f8b-89DA-E255E4103C5F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9B53F566-3B52-4185-828A-FBE6851F2278}.exe	{7AA3FCED-9668-49d9-ABE7-4332CDBA0237}.exe
File created	C:\Windows\{F94A536C-5D80-4268-89B2-874E44A539BA}.exe	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe
File created	C:\Windows\{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe	{F94A536C-5D80-4268-89B2-874E44A539BA}.exe
File created	C:\Windows\{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe	{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe
File created	C:\Windows\{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe	{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe
File created	C:\Windows\{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe	{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe
File created	C:\Windows\{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe	{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe
File created	C:\Windows\{7AA3FCED-9668-49d9-ABE7-4332CDBA0237}.exe	{90461123-D212-410b-A2CC-63091B2C9DFD}.exe
File created	C:\Windows\{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe	{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe
File created	C:\Windows\{90461123-D212-410b-A2CC-63091B2C9DFD}.exe	{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe
File created	C:\Windows\{A1E7F215-7973-4f8b-89DA-E255E4103C5F}.exe	{9B53F566-3B52-4185-828A-FBE6851F2278}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2548	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3064	{F94A536C-5D80-4268-89B2-874E44A539BA}.exe
Token: SeIncBasePriorityPrivilege	2700	{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe
Token: SeIncBasePriorityPrivilege	2628	{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe
Token: SeIncBasePriorityPrivilege	3024	{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe
Token: SeIncBasePriorityPrivilege	2444	{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe
Token: SeIncBasePriorityPrivilege	1084	{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe
Token: SeIncBasePriorityPrivilege	2764	{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe
Token: SeIncBasePriorityPrivilege	1376	{90461123-D212-410b-A2CC-63091B2C9DFD}.exe
Token: SeIncBasePriorityPrivilege	2280	{7AA3FCED-9668-49d9-ABE7-4332CDBA0237}.exe
Token: SeIncBasePriorityPrivilege	692	{9B53F566-3B52-4185-828A-FBE6851F2278}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3064	2548	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe	28
PID 2548 wrote to memory of 3064	2548	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe	28
PID 2548 wrote to memory of 3064	2548	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe	28
PID 2548 wrote to memory of 3064	2548	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe	28
PID 2548 wrote to memory of 2172	2548	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe	29
PID 2548 wrote to memory of 2172	2548	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe	29
PID 2548 wrote to memory of 2172	2548	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe	29
PID 2548 wrote to memory of 2172	2548	2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe	29
PID 3064 wrote to memory of 2700	3064	{F94A536C-5D80-4268-89B2-874E44A539BA}.exe	30
PID 3064 wrote to memory of 2700	3064	{F94A536C-5D80-4268-89B2-874E44A539BA}.exe	30
PID 3064 wrote to memory of 2700	3064	{F94A536C-5D80-4268-89B2-874E44A539BA}.exe	30
PID 3064 wrote to memory of 2700	3064	{F94A536C-5D80-4268-89B2-874E44A539BA}.exe	30
PID 3064 wrote to memory of 2732	3064	{F94A536C-5D80-4268-89B2-874E44A539BA}.exe	31
PID 3064 wrote to memory of 2732	3064	{F94A536C-5D80-4268-89B2-874E44A539BA}.exe	31
PID 3064 wrote to memory of 2732	3064	{F94A536C-5D80-4268-89B2-874E44A539BA}.exe	31
PID 3064 wrote to memory of 2732	3064	{F94A536C-5D80-4268-89B2-874E44A539BA}.exe	31
PID 2700 wrote to memory of 2628	2700	{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe	33
PID 2700 wrote to memory of 2628	2700	{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe	33
PID 2700 wrote to memory of 2628	2700	{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe	33
PID 2700 wrote to memory of 2628	2700	{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe	33
PID 2700 wrote to memory of 2848	2700	{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe	32
PID 2700 wrote to memory of 2848	2700	{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe	32
PID 2700 wrote to memory of 2848	2700	{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe	32
PID 2700 wrote to memory of 2848	2700	{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe	32
PID 2628 wrote to memory of 3024	2628	{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe	37
PID 2628 wrote to memory of 3024	2628	{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe	37
PID 2628 wrote to memory of 3024	2628	{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe	37
PID 2628 wrote to memory of 3024	2628	{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe	37
PID 2628 wrote to memory of 2284	2628	{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe	36
PID 2628 wrote to memory of 2284	2628	{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe	36
PID 2628 wrote to memory of 2284	2628	{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe	36
PID 2628 wrote to memory of 2284	2628	{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe	36
PID 3024 wrote to memory of 2444	3024	{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe	38
PID 3024 wrote to memory of 2444	3024	{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe	38
PID 3024 wrote to memory of 2444	3024	{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe	38
PID 3024 wrote to memory of 2444	3024	{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe	38
PID 3024 wrote to memory of 780	3024	{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe	39
PID 3024 wrote to memory of 780	3024	{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe	39
PID 3024 wrote to memory of 780	3024	{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe	39
PID 3024 wrote to memory of 780	3024	{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe	39
PID 2444 wrote to memory of 1084	2444	{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe	40
PID 2444 wrote to memory of 1084	2444	{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe	40
PID 2444 wrote to memory of 1084	2444	{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe	40
PID 2444 wrote to memory of 1084	2444	{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe	40
PID 2444 wrote to memory of 320	2444	{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe	41
PID 2444 wrote to memory of 320	2444	{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe	41
PID 2444 wrote to memory of 320	2444	{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe	41
PID 2444 wrote to memory of 320	2444	{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe	41
PID 1084 wrote to memory of 2764	1084	{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe	42
PID 1084 wrote to memory of 2764	1084	{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe	42
PID 1084 wrote to memory of 2764	1084	{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe	42
PID 1084 wrote to memory of 2764	1084	{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe	42
PID 1084 wrote to memory of 2756	1084	{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe	43
PID 1084 wrote to memory of 2756	1084	{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe	43
PID 1084 wrote to memory of 2756	1084	{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe	43
PID 1084 wrote to memory of 2756	1084	{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe	43
PID 2764 wrote to memory of 1376	2764	{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe	45
PID 2764 wrote to memory of 1376	2764	{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe	45
PID 2764 wrote to memory of 1376	2764	{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe	45
PID 2764 wrote to memory of 1376	2764	{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe	45
PID 2764 wrote to memory of 2564	2764	{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe	44
PID 2764 wrote to memory of 2564	2764	{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe	44
PID 2764 wrote to memory of 2564	2764	{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe	44
PID 2764 wrote to memory of 2564	2764	{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_31f7b4798c74d1b96897b7504e0f807f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\{F94A536C-5D80-4268-89B2-874E44A539BA}.exe
  C:\Windows\{F94A536C-5D80-4268-89B2-874E44A539BA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe
    C:\Windows\{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A1A63~1.EXE > nul
      4⤵
      PID:2848
  - - C:\Windows\{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe
      C:\Windows\{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A18A2~1.EXE > nul
        5⤵
        
        PID:2284
    - - C:\Windows\{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe
        
        C:\Windows\{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe
        
        C:\Windows\{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe
        
        C:\Windows\{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe
        
        C:\Windows\{BD95057E-2F9E-45c1-8E42-026FCA6E1430}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD950~1.EXE > nul
        9⤵
        
        PID:2564
        
        C:\Windows\{90461123-D212-410b-A2CC-63091B2C9DFD}.exe
        
        C:\Windows\{90461123-D212-410b-A2CC-63091B2C9DFD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\{7AA3FCED-9668-49d9-ABE7-4332CDBA0237}.exe
        
        C:\Windows\{7AA3FCED-9668-49d9-ABE7-4332CDBA0237}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\{9B53F566-3B52-4185-828A-FBE6851F2278}.exe
        
        C:\Windows\{9B53F566-3B52-4185-828A-FBE6851F2278}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\{A1E7F215-7973-4f8b-89DA-E255E4103C5F}.exe
        
        C:\Windows\{A1E7F215-7973-4f8b-89DA-E255E4103C5F}.exe
        12⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B53F~1.EXE > nul
        12⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AA3F~1.EXE > nul
        11⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90461~1.EXE > nul
        10⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F6E8~1.EXE > nul
        8⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D85B~1.EXE > nul
        7⤵
        
        PID:320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5C70~1.EXE > nul
        6⤵
        
        PID:780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F94A5~1.EXE > nul
    3⤵
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F6E883C-4F11-44e6-8F45-FCEECA885827}.exe

Filesize
102KB

MD5
bd3eb19c1edb3d44370edb34fca9b7ed

SHA1
265ab08bce26e2dd63535b2bcd423f41d7930069

SHA256
0615a592b9ff556a0c547d8cb0541c96d549b094f987ba2101dd6f709f574411

SHA512
1933819bec94ffe8c1802e19cad6c1e3558be710283646e110f8b25ea208bcbd4affeaf7d20e499044f60d6577081321b3f50708cdfc76f14b027e898ecbb842

Download Submit
C:\Windows\{4D85B11B-7A36-4a0c-883B-A09DF798BE50}.exe

Filesize
180KB

MD5
93c5d60da569f36f8e6c3ebe12883097

SHA1
229d05e59d7c64ee5f765ee66ad36e0a754ec81a

SHA256
4ff8d8c0ae66b6afc24de2ff9379fc85773b48ac07ccf63964d7085572052995

SHA512
51f46a0245b4b19e0707dc9d4b3384d66cddcf77fe7075bbf8acaa40509e516ae96583f1d8aa87a1f935a4c9e9c769c91ff2daea5b67689a8bf516d8c1b9ef2c

Download Submit
C:\Windows\{7AA3FCED-9668-49d9-ABE7-4332CDBA0237}.exe

Filesize
180KB

MD5
05337ae3345ad6c33149c9b40e1a7843

SHA1
3037a14093dc25e57abc13a5fcf3fdd84c06f096

SHA256
8f117c9d4b3fc9b43578bbae6d030b6eda15bf93b01203296ee2c4d1b94e4685

SHA512
e8b91449c29fcb4b9646601a449bb7d3c598fcb2b60dad933166f46e57292e745ce462e0e069ef0af13939b4e9dba1525c812e45bed9c05df2af9a0b92d80df1

Download Submit
C:\Windows\{90461123-D212-410b-A2CC-63091B2C9DFD}.exe

Filesize
180KB

MD5
728a4d04660565c7d5b99222a25de4d7

SHA1
8e34e28f0df5da733c12f68d076b1780d4a3ba71

SHA256
581def88aece572b9105e0c2a33eab0e5af2a281fb2895e32658904faa8b8db6

SHA512
0aa137d2829ed54d1431075d1b10b31673fffba7ccc34e1d03043bd2182b8722fd7aab85a31cd38f75ef75259a9739c552a18a9782d7d57c6dcabeff4b9a8dae

Download Submit
C:\Windows\{9B53F566-3B52-4185-828A-FBE6851F2278}.exe

Filesize
180KB

MD5
a78487db1a63727b6de777bb8328da3a

SHA1
8be4968231b79397f6308233416935df20569d8f

SHA256
db2d2620a6f63093163bbadb3fa990efb42eae365aecf9743ef165551cb280a1

SHA512
f8875db3b7e717a129f29729b6ce70206640ec412ceab3464d7a9c27d3c9901d42b93c43c24d1e6b7295a5b3b179de41cb5b01926546adcdb6202950bda30647

Download Submit
C:\Windows\{A18A23F1-6ACA-48cc-A882-1373FA00D4C0}.exe

Filesize
180KB

MD5
e803e97772d56a82eb81e309bc0067a5

SHA1
ee07408d667155e14c85c14bbfbb643cd240338f

SHA256
481fafce4db5817304d6d5a5c2a145de6ed7cb3b706f6346a2612ef0eafbf00c

SHA512
76ef839db60c0db13d806d34d4d3af12a7718f64f61294fbba6698e62399833ffeb28392d7cf8d18a80925de0b4ad916f2d97276a45f527c09c2e588b3704ace

Download Submit
C:\Windows\{A1A635D4-0D3B-4dc8-A1DA-48B56715716D}.exe

Filesize
180KB

MD5
f19f6f4e62d12e48ad5c8e1439e3f789

SHA1
65d9ac9b63eb719d7baf867491ecab1929286514

SHA256
25632d8d26dae3b4ad62f2901713aa817a7226acc73e789750e2a6c38a09297d

SHA512
716f39569cf12b5ce3fe3f6308d9dfd0eb61c39cd596b1872bc026476deabdbd9b420e13ff99350700f6420d5b556dbafba92419de315c9854c940965a787b85

Download Submit
C:\Windows\{A1E7F215-7973-4f8b-89DA-E255E4103C5F}.exe

Filesize
180KB

MD5
3df505c1b612addde1955349f0ff6b0a

SHA1
84eda2575cade81a3a849458dbc617591405a2fb

SHA256
340f352f85a59329a1146adaa6a14a612e4a3734012221da05aab69a5951e142

SHA512
51e92abe31f7a3d48f145b1e29628040c3bdb642cfb9c8bda581b085ccee5c3184c13924eda4d53ad0fdbaeb7c74db6b7cc5185fd4b2b7c01deb23449bf927a5

Download Submit
C:\Windows\{A5C70F9A-A05C-45f0-BE66-8794F5765C8C}.exe

Filesize
180KB

MD5
71f1fd625700d2e7d3e58257311f0893

SHA1
d52be2cb6b0c239b6d4d5033cc43d0c4d0f5a698

SHA256
bc2133060cf0ba843ae0a9f56fdc4f7992d6d4898ea857e90973b728b0a75bf5

SHA512
0a43bcda54fbe77214155fd751fd0e5cf336f614a3556d54b7a11271365f8f272c305bb5fa42c4cae2ec3b0bac07cd9bbc93fa97a5edb04c9863ee4a675ffe19

Download Submit
C:\Windows\{F94A536C-5D80-4268-89B2-874E44A539BA}.exe

Filesize
180KB

MD5
6c3496742703cd7ccc8b052c82dabedf

SHA1
9bab0460b79b9158cc63d49d31f394110da9d6cb

SHA256
f7e3cfd2c8995a0e472b15d8ed0969a5eb092587a6895fc4c28a247cf8f86d51

SHA512
cab3c05b8d89ef61f1f5969cddb68cde6c53e048a51c16c05ad2aee8fc5b6db058732271b11bfa65535ab75f724e2317d29ef1801d3a2d78d2458c38c3f5263f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads