adfb5f54a4643ab7efe8039790859457454e3f0c42ce6b6cf04c9918c56702ea

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10-01-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_43b19b7550cec9af5031f21bcadf6959_goldeneye.exe
Size

344KB
MD5

43b19b7550cec9af5031f21bcadf6959
SHA1

4d2fea351796a9d9765e9a08743a93b04f152a48
SHA256

adfb5f54a4643ab7efe8039790859457454e3f0c42ce6b6cf04c9918c56702ea
SHA512

9fd50cf8b8b4b6ec62c21a93caa01135adbb4722712cdabae1c301bcfb6da0404542bd3dfda88396bb81e9a590039e1dd67d1f7e5d5115961a5a137745da34b1
SSDEEP

3072:mEGh0oslEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGqlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{741427DE-184D-4b5b-B39F-06F2BB532249}\stubpath = "C:\\Windows\\{741427DE-184D-4b5b-B39F-06F2BB532249}.exe"	{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}	{741427DE-184D-4b5b-B39F-06F2BB532249}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47575508-8C68-494f-AAD6-EA5DF43B7940}\stubpath = "C:\\Windows\\{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe"	{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}	2024-01-09_43b19b7550cec9af5031f21bcadf6959_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}\stubpath = "C:\\Windows\\{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe"	2024-01-09_43b19b7550cec9af5031f21bcadf6959_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50BDF35E-4437-4b86-837C-FCD18F003166}\stubpath = "C:\\Windows\\{50BDF35E-4437-4b86-837C-FCD18F003166}.exe"	{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD13AD56-11FD-400e-8BEB-13A78BF5273A}\stubpath = "C:\\Windows\\{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe"	{50BDF35E-4437-4b86-837C-FCD18F003166}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{741427DE-184D-4b5b-B39F-06F2BB532249}	{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B06A2D8E-504D-4beb-A1D8-FA0E40F781CD}	{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B06A2D8E-504D-4beb-A1D8-FA0E40F781CD}\stubpath = "C:\\Windows\\{B06A2D8E-504D-4beb-A1D8-FA0E40F781CD}.exe"	{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD26527C-CEFC-479f-9D57-32D8FE809CC5}	{B06A2D8E-504D-4beb-A1D8-FA0E40F781CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}	{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}\stubpath = "C:\\Windows\\{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe"	{741427DE-184D-4b5b-B39F-06F2BB532249}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD26527C-CEFC-479f-9D57-32D8FE809CC5}\stubpath = "C:\\Windows\\{BD26527C-CEFC-479f-9D57-32D8FE809CC5}.exe"	{B06A2D8E-504D-4beb-A1D8-FA0E40F781CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50BDF35E-4437-4b86-837C-FCD18F003166}	{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD13AD56-11FD-400e-8BEB-13A78BF5273A}	{50BDF35E-4437-4b86-837C-FCD18F003166}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47575508-8C68-494f-AAD6-EA5DF43B7940}	{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{953AAFF9-8F23-4269-B88F-596A37196347}	{BD26527C-CEFC-479f-9D57-32D8FE809CC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D87545DA-8354-4e57-A5B6-FD47065A6E37}	{953AAFF9-8F23-4269-B88F-596A37196347}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}\stubpath = "C:\\Windows\\{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe"	{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{953AAFF9-8F23-4269-B88F-596A37196347}\stubpath = "C:\\Windows\\{953AAFF9-8F23-4269-B88F-596A37196347}.exe"	{BD26527C-CEFC-479f-9D57-32D8FE809CC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D87545DA-8354-4e57-A5B6-FD47065A6E37}\stubpath = "C:\\Windows\\{D87545DA-8354-4e57-A5B6-FD47065A6E37}.exe"	{953AAFF9-8F23-4269-B88F-596A37196347}.exe

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1996	{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe
2800	{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe
2952	{50BDF35E-4437-4b86-837C-FCD18F003166}.exe
3040	{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe
2644	{741427DE-184D-4b5b-B39F-06F2BB532249}.exe
1044	{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe
356	{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe
1304	{B06A2D8E-504D-4beb-A1D8-FA0E40F781CD}.exe
2936	{BD26527C-CEFC-479f-9D57-32D8FE809CC5}.exe
1268	{953AAFF9-8F23-4269-B88F-596A37196347}.exe
1488	{D87545DA-8354-4e57-A5B6-FD47065A6E37}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe	2024-01-09_43b19b7550cec9af5031f21bcadf6959_goldeneye.exe
File created	C:\Windows\{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe	{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe
File created	C:\Windows\{B06A2D8E-504D-4beb-A1D8-FA0E40F781CD}.exe	{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe
File created	C:\Windows\{D87545DA-8354-4e57-A5B6-FD47065A6E37}.exe	{953AAFF9-8F23-4269-B88F-596A37196347}.exe
File created	C:\Windows\{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe	{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe
File created	C:\Windows\{50BDF35E-4437-4b86-837C-FCD18F003166}.exe	{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe
File created	C:\Windows\{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe	{50BDF35E-4437-4b86-837C-FCD18F003166}.exe
File created	C:\Windows\{741427DE-184D-4b5b-B39F-06F2BB532249}.exe	{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe
File created	C:\Windows\{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe	{741427DE-184D-4b5b-B39F-06F2BB532249}.exe
File created	C:\Windows\{BD26527C-CEFC-479f-9D57-32D8FE809CC5}.exe	{B06A2D8E-504D-4beb-A1D8-FA0E40F781CD}.exe
File created	C:\Windows\{953AAFF9-8F23-4269-B88F-596A37196347}.exe	{BD26527C-CEFC-479f-9D57-32D8FE809CC5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1972	2024-01-09_43b19b7550cec9af5031f21bcadf6959_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1996	{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe
Token: SeIncBasePriorityPrivilege	2800	{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe
Token: SeIncBasePriorityPrivilege	2952	{50BDF35E-4437-4b86-837C-FCD18F003166}.exe
Token: SeIncBasePriorityPrivilege	3040	{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe
Token: SeIncBasePriorityPrivilege	2644	{741427DE-184D-4b5b-B39F-06F2BB532249}.exe
Token: SeIncBasePriorityPrivilege	1044	{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe
Token: SeIncBasePriorityPrivilege	356	{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe
Token: SeIncBasePriorityPrivilege	1304	{B06A2D8E-504D-4beb-A1D8-FA0E40F781CD}.exe
Token: SeIncBasePriorityPrivilege	2936	{BD26527C-CEFC-479f-9D57-32D8FE809CC5}.exe
Token: SeIncBasePriorityPrivilege	1268	{953AAFF9-8F23-4269-B88F-596A37196347}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1996	1972	2024-01-09_43b19b7550cec9af5031f21bcadf6959_goldeneye.exe	28
PID 1972 wrote to memory of 1996	1972	2024-01-09_43b19b7550cec9af5031f21bcadf6959_goldeneye.exe	28
PID 1972 wrote to memory of 1996	1972	2024-01-09_43b19b7550cec9af5031f21bcadf6959_goldeneye.exe	28
PID 1972 wrote to memory of 1996	1972	2024-01-09_43b19b7550cec9af5031f21bcadf6959_goldeneye.exe	28
PID 1972 wrote to memory of 2816	1972	2024-01-09_43b19b7550cec9af5031f21bcadf6959_goldeneye.exe	29
PID 1972 wrote to memory of 2816	1972	2024-01-09_43b19b7550cec9af5031f21bcadf6959_goldeneye.exe	29
PID 1972 wrote to memory of 2816	1972	2024-01-09_43b19b7550cec9af5031f21bcadf6959_goldeneye.exe	29
PID 1972 wrote to memory of 2816	1972	2024-01-09_43b19b7550cec9af5031f21bcadf6959_goldeneye.exe	29
PID 1996 wrote to memory of 2800	1996	{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe	30
PID 1996 wrote to memory of 2800	1996	{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe	30
PID 1996 wrote to memory of 2800	1996	{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe	30
PID 1996 wrote to memory of 2800	1996	{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe	30
PID 1996 wrote to memory of 2836	1996	{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe	31
PID 1996 wrote to memory of 2836	1996	{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe	31
PID 1996 wrote to memory of 2836	1996	{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe	31
PID 1996 wrote to memory of 2836	1996	{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe	31
PID 2800 wrote to memory of 2952	2800	{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe	32
PID 2800 wrote to memory of 2952	2800	{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe	32
PID 2800 wrote to memory of 2952	2800	{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe	32
PID 2800 wrote to memory of 2952	2800	{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe	32
PID 2800 wrote to memory of 2860	2800	{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe	33
PID 2800 wrote to memory of 2860	2800	{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe	33
PID 2800 wrote to memory of 2860	2800	{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe	33
PID 2800 wrote to memory of 2860	2800	{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe	33
PID 2952 wrote to memory of 3040	2952	{50BDF35E-4437-4b86-837C-FCD18F003166}.exe	36
PID 2952 wrote to memory of 3040	2952	{50BDF35E-4437-4b86-837C-FCD18F003166}.exe	36
PID 2952 wrote to memory of 3040	2952	{50BDF35E-4437-4b86-837C-FCD18F003166}.exe	36
PID 2952 wrote to memory of 3040	2952	{50BDF35E-4437-4b86-837C-FCD18F003166}.exe	36
PID 2952 wrote to memory of 2388	2952	{50BDF35E-4437-4b86-837C-FCD18F003166}.exe	37
PID 2952 wrote to memory of 2388	2952	{50BDF35E-4437-4b86-837C-FCD18F003166}.exe	37
PID 2952 wrote to memory of 2388	2952	{50BDF35E-4437-4b86-837C-FCD18F003166}.exe	37
PID 2952 wrote to memory of 2388	2952	{50BDF35E-4437-4b86-837C-FCD18F003166}.exe	37
PID 3040 wrote to memory of 2644	3040	{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe	39
PID 3040 wrote to memory of 2644	3040	{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe	39
PID 3040 wrote to memory of 2644	3040	{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe	39
PID 3040 wrote to memory of 2644	3040	{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe	39
PID 3040 wrote to memory of 2908	3040	{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe	38
PID 3040 wrote to memory of 2908	3040	{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe	38
PID 3040 wrote to memory of 2908	3040	{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe	38
PID 3040 wrote to memory of 2908	3040	{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe	38
PID 2644 wrote to memory of 1044	2644	{741427DE-184D-4b5b-B39F-06F2BB532249}.exe	40
PID 2644 wrote to memory of 1044	2644	{741427DE-184D-4b5b-B39F-06F2BB532249}.exe	40
PID 2644 wrote to memory of 1044	2644	{741427DE-184D-4b5b-B39F-06F2BB532249}.exe	40
PID 2644 wrote to memory of 1044	2644	{741427DE-184D-4b5b-B39F-06F2BB532249}.exe	40
PID 2644 wrote to memory of 1612	2644	{741427DE-184D-4b5b-B39F-06F2BB532249}.exe	41
PID 2644 wrote to memory of 1612	2644	{741427DE-184D-4b5b-B39F-06F2BB532249}.exe	41
PID 2644 wrote to memory of 1612	2644	{741427DE-184D-4b5b-B39F-06F2BB532249}.exe	41
PID 2644 wrote to memory of 1612	2644	{741427DE-184D-4b5b-B39F-06F2BB532249}.exe	41
PID 1044 wrote to memory of 356	1044	{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe	43
PID 1044 wrote to memory of 356	1044	{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe	43
PID 1044 wrote to memory of 356	1044	{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe	43
PID 1044 wrote to memory of 356	1044	{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe	43
PID 1044 wrote to memory of 1892	1044	{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe	42
PID 1044 wrote to memory of 1892	1044	{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe	42
PID 1044 wrote to memory of 1892	1044	{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe	42
PID 1044 wrote to memory of 1892	1044	{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe	42
PID 356 wrote to memory of 1304	356	{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe	44
PID 356 wrote to memory of 1304	356	{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe	44
PID 356 wrote to memory of 1304	356	{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe	44
PID 356 wrote to memory of 1304	356	{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe	44
PID 356 wrote to memory of 2808	356	{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe	45
PID 356 wrote to memory of 2808	356	{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe	45
PID 356 wrote to memory of 2808	356	{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe	45
PID 356 wrote to memory of 2808	356	{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-09_43b19b7550cec9af5031f21bcadf6959_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_43b19b7550cec9af5031f21bcadf6959_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe
  C:\Windows\{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe
    C:\Windows\{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\{50BDF35E-4437-4b86-837C-FCD18F003166}.exe
      C:\Windows\{50BDF35E-4437-4b86-837C-FCD18F003166}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe
        
        C:\Windows\{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD13A~1.EXE > nul
        6⤵
        
        PID:2908
      - C:\Windows\{741427DE-184D-4b5b-B39F-06F2BB532249}.exe
        
        C:\Windows\{741427DE-184D-4b5b-B39F-06F2BB532249}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe
        
        C:\Windows\{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A484F~1.EXE > nul
        8⤵
        
        PID:1892
        
        C:\Windows\{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe
        
        C:\Windows\{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:356
        
        C:\Windows\{B06A2D8E-504D-4beb-A1D8-FA0E40F781CD}.exe
        
        C:\Windows\{B06A2D8E-504D-4beb-A1D8-FA0E40F781CD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B06A2~1.EXE > nul
        10⤵
        
        PID:1716
        
        C:\Windows\{BD26527C-CEFC-479f-9D57-32D8FE809CC5}.exe
        
        C:\Windows\{BD26527C-CEFC-479f-9D57-32D8FE809CC5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\{953AAFF9-8F23-4269-B88F-596A37196347}.exe
        
        C:\Windows\{953AAFF9-8F23-4269-B88F-596A37196347}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{953AA~1.EXE > nul
        12⤵
        
        PID:1876
        
        C:\Windows\{D87545DA-8354-4e57-A5B6-FD47065A6E37}.exe
        
        C:\Windows\{D87545DA-8354-4e57-A5B6-FD47065A6E37}.exe
        12⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD265~1.EXE > nul
        11⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47575~1.EXE > nul
        9⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74142~1.EXE > nul
        7⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50BDF~1.EXE > nul
        5⤵
        
        PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{573EE~1.EXE > nul
      4⤵
      PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BEC62~1.EXE > nul
    3⤵
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{47575508-8C68-494f-AAD6-EA5DF43B7940}.exe

Filesize
344KB

MD5
b64f2e037ea009907684d03f90fc1e77

SHA1
c318893ff34cd6c743b23dea1b9286cf0e1c5548

SHA256
e6836c3dfc25d401a620893abc50ea52ca4e8be0f3e81a414c184e28f1d2b8e1

SHA512
d09afcbfbd5a10a918fa986ea326e40d940e5ed8bbae826f60d32d2bae2a6746e7749e50e2c104ba50c7b3481b23ba399533bc53a91222f47a7ab6bed33ad618

Download Submit
C:\Windows\{50BDF35E-4437-4b86-837C-FCD18F003166}.exe

Filesize
265KB

MD5
739bd1d9f629b93f9e6f87bb6bb17c9e

SHA1
cbf528069021822e578dee92e02c69e71fff65bd

SHA256
c96157baeba0abd03b6e4fdfa9926d38f6cd9b6a9038ef6a581ecbfaef6327ae

SHA512
e22ec278031dc9b31cdf868875e34ecc8ac2cccfd008ce60104036e34e980ba4940d6e6e3aabd8ccc4b48a664755c741018f5bfd28915d633df9f379d57d31ea

Download Submit
C:\Windows\{50BDF35E-4437-4b86-837C-FCD18F003166}.exe

Filesize
6KB

MD5
acb592ecca344c509e89b5694d288a9a

SHA1
2514339de935baaa7ce52ddcfdcc4ae6bcf917a7

SHA256
326d3e0383e73a84a0104e29e03d9ab78acb485101cf825b5f8368933fcaf71a

SHA512
be06d9f9c8e97f1b11d6132ae3e7a7c8b526b8a29016dfc282ca8ea3575a8b9a7b1fe3b4ad19548703a666cc8759fb3af1e05626935848580108b33e444a1578

Download Submit
C:\Windows\{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe

Filesize
344KB

MD5
1d9a001d542216b90a29ae6f93e0b230

SHA1
1f3276d7cf68741674649d3a315142d46d8471ce

SHA256
1483f06daddc3a90e128b5a5458705d219963a076324dac4dab27664cd1b74f1

SHA512
1ec9fe7fbc31bcd2fbff48e1b497ba21f7b74a11a3b6c327685f5f4172f2d80149eb72c88da4186b73f93f1ad35c8fe018626d3ae20a0ec0ed6096948dd3b729

Download Submit
C:\Windows\{573EEFCD-4D4F-4a84-9185-CD05E3AA9CEF}.exe

Filesize
275KB

MD5
643744247ce26bb07bb56ea7c44ec8dd

SHA1
47a22090ec2938daaf6a301eae3dfe1b5a948d22

SHA256
90bf9bbb130f4dfb3551e738afc00a91221310c94dd5140020e5dce1195c0a59

SHA512
40237a4a8b2cbab52347fc3be73cacd422efd5b1dffcadf309cca75cc10a4bf3d177cf5960560341364a5a7a4c118688d1842acd32d045aea1217c05c6339b6e

Download Submit
C:\Windows\{741427DE-184D-4b5b-B39F-06F2BB532249}.exe

Filesize
344KB

MD5
5bcba3c705c388754ac03157a2020ef4

SHA1
0cbf61b885ef7d91007a4c095888efe4e7680f67

SHA256
d2d3ac832bf825280959b1a82d4070908dcec0d4fe1477e45b1ab85964bd9091

SHA512
e38a0c7f161b8e2e1bbe03b961bba0f335e6f2b1462201abf806d6c56fce3ba7b7797295c7a8c5837884f8aefba29f4197db1a35702ddca5d7fb20270101ae4f

Download Submit
C:\Windows\{953AAFF9-8F23-4269-B88F-596A37196347}.exe

Filesize
344KB

MD5
3c342307d31d4291c4498a3e99d17ea4

SHA1
ed67dc3b5f69e2ebbe1e82eb58674af01e48440a

SHA256
c3f87080a2bbf78060662818216acb2be3122d04a857961fd954d1c750f2f96c

SHA512
44994f7fdb2f2df0cc127713156704d610288474785d139cce59baae1ebfcc9697f0e0cbff341303846133f553c7c926b17e7da792cf14af9c7d5b477f3abf99

Download Submit
C:\Windows\{A484F964-E8D8-4aa5-A184-EEF09CB4CEFA}.exe

Filesize
344KB

MD5
56ac7ca83d9877e75a555a8d0d9ac174

SHA1
e46c390aab19398abe097ae42acaae5248abe0f3

SHA256
ce1b587066b9828544bad938c17ee0a6bdc9330acb061ca5111e850281d635b9

SHA512
05e9faebdcca8c90b0c122e6cfbf03bef0575915e65313a40120a23fa37dd426c3fd57995aa4ab7ee7c1b5414924817724f6a6a54e06d7935a51a278e2fb0361

Download Submit
C:\Windows\{B06A2D8E-504D-4beb-A1D8-FA0E40F781CD}.exe

Filesize
344KB

MD5
9e0a71e6c31f9b4d504f415f637c9bfb

SHA1
d195eb5e7bfdb6ddbdd858b54b6c0c7406ef8856

SHA256
dd393933a53060bc1a632132fb82b6e4eadf053dc2ae4ed33ffce5054f516229

SHA512
73e26b703d878bef489e05f8d5216de6511e2ba1519cf35c8cad530a6e8690c9b7a4695e6f7b88b6d8ec4f415fa76d3e64d94d8fd19bdd417bf67702d99f80cb

Download Submit
C:\Windows\{BD26527C-CEFC-479f-9D57-32D8FE809CC5}.exe

Filesize
344KB

MD5
05c44ddd2d4f92f2cc876c3c7d804784

SHA1
82a0e873ef85d8197667ca5539638f2e8cdef977

SHA256
de7ed26ea37915ae8e19fc57a06be2ced05f8dc0266ed356ae495e54ca51a6e8

SHA512
1fdd066d9e7b8a4690181bca6f21f544f826ca18a0f19be863301008d4cbbec6898456234db641f8571b73fbfa5233d3ad0eb4d86d036590f79ef3293e373887

Download Submit
C:\Windows\{BEC62BD3-10C9-48b9-80D3-5AAB0E86BF76}.exe

Filesize
344KB

MD5
2db71cf3c035104a0b5a78448b30c7f7

SHA1
6b81183b1471660b1d1d7a0d809b6f372c4f05f4

SHA256
56d571f3474313b95b35d7c450366dc760244c278ffe0db64ebd3c7abf4e3f39

SHA512
4de6999d2860386c19304e6b56767c6d25729faba7e5157b9cc011d22952c0ca77eb7f4e16dc46a20a980181dd5ec8125c57137a3c5d2239fb574f182827f061

Download Submit
C:\Windows\{D87545DA-8354-4e57-A5B6-FD47065A6E37}.exe

Filesize
344KB

MD5
094f201d96d5f2652d80ae4d0ad91612

SHA1
854db31018070ef16606c3cfa8b80d360b969550

SHA256
91c5dd1693eacf562f7a37a2879ae569097f7cd51017c01eb6f82b1f14cba207

SHA512
28db59bba219c208bd6e9feec5458f39f5da1f78364758655ca2237f594d7cb17af22bf08c71827fca037745536be6eae91cd0eb905a7e45d5016b74c753b010

Download Submit
C:\Windows\{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe

Filesize
57KB

MD5
4274e817b4aa7f3d4af11fe54d806005

SHA1
07ef45d4fd1b5da59620ce03554f25b57c769651

SHA256
d71d8de0730f5d2ebeee61f398d363108a8d82fa7a51e21c1a72e41f1b42d389

SHA512
65e8bc5a2c58090f6d538f552c0bbfb1b6892312bc224497bff6ef0bc0abb5507f5e26b87a6ff4aca2fea3d8211cb0a6ca7fe82089e7f4f452e65406904214c4

Download Submit
C:\Windows\{DD13AD56-11FD-400e-8BEB-13A78BF5273A}.exe

Filesize
344KB

MD5
4adbdda5fdbc34bbdb477109ef41788f

SHA1
9af9ae7ee382a688487d9bd4e03ae64525dd1c18

SHA256
e7108560a6c9116c99a726dce33552f3c603931e6063dc51fbe94882d6b773de

SHA512
9cdb50994725c986dd90fe0158e3e5d95e10910cce75e6e6489cbc6c6ca5603aaa678c93db64deab4ae4aeddd578f99ed98b1642edfb227d0741fc9bdd5f70ca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads