f675a6e391114c4e3bbac5cc5f3d56d29fb3c127c394e7801f7cc283fcdfa02a

Analysis

max time kernel
238s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 05:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_924a082dee5a33d4e278492cdca55c1d_goldeneye.exe
Size

192KB
MD5

924a082dee5a33d4e278492cdca55c1d
SHA1

9a3a5af481f308fc2ea74e3799b863a5462a282e
SHA256

f675a6e391114c4e3bbac5cc5f3d56d29fb3c127c394e7801f7cc283fcdfa02a
SHA512

a3b97369f5493d64463cc28a0118b6da31f23aeefa3ed71481dce3526cd6b431226b8fc794a621a6ff11b7485c33083f78f295f73065cb79af773373185a34b3
SSDEEP

1536:1EGh0o2l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o2l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}\stubpath = "C:\\Windows\\{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe"	{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A0E5DC7-4549-41a3-BCB5-0D174D278DCF}\stubpath = "C:\\Windows\\{1A0E5DC7-4549-41a3-BCB5-0D174D278DCF}.exe"	{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04F73A79-11AD-4c3f-813D-B7B91068D260}	{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}	{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB695331-3857-4a98-BC44-89A470B6CDFD}\stubpath = "C:\\Windows\\{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe"	{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}	{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A0E5DC7-4549-41a3-BCB5-0D174D278DCF}	{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F915E52C-443A-4c7c-A3BB-F70C3C6374D4}	{217B6D75-0678-432e-8CCB-5ABE8321344C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F915E52C-443A-4c7c-A3BB-F70C3C6374D4}\stubpath = "C:\\Windows\\{F915E52C-443A-4c7c-A3BB-F70C3C6374D4}.exe"	{217B6D75-0678-432e-8CCB-5ABE8321344C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}\stubpath = "C:\\Windows\\{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe"	2024-01-09_924a082dee5a33d4e278492cdca55c1d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}\stubpath = "C:\\Windows\\{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe"	{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}\stubpath = "C:\\Windows\\{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe"	{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04F73A79-11AD-4c3f-813D-B7B91068D260}\stubpath = "C:\\Windows\\{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe"	{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{217B6D75-0678-432e-8CCB-5ABE8321344C}	{1A0E5DC7-4549-41a3-BCB5-0D174D278DCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}	2024-01-09_924a082dee5a33d4e278492cdca55c1d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}\stubpath = "C:\\Windows\\{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe"	{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB695331-3857-4a98-BC44-89A470B6CDFD}	{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}	{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{217B6D75-0678-432e-8CCB-5ABE8321344C}\stubpath = "C:\\Windows\\{217B6D75-0678-432e-8CCB-5ABE8321344C}.exe"	{1A0E5DC7-4549-41a3-BCB5-0D174D278DCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}	{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe

Deletes itself 1 IoCs

pid	Process
2272	cmd.exe

Executes dropped EXE 10 IoCs

pid	Process
2892	{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe
2216	{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe
1052	{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe
2232	{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe
2352	{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe
1460	{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe
1084	{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe
828	{1A0E5DC7-4549-41a3-BCB5-0D174D278DCF}.exe
1376	{217B6D75-0678-432e-8CCB-5ABE8321344C}.exe
616	{F915E52C-443A-4c7c-A3BB-F70C3C6374D4}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe	{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe
File created	C:\Windows\{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe	{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe
File created	C:\Windows\{1A0E5DC7-4549-41a3-BCB5-0D174D278DCF}.exe	{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe
File created	C:\Windows\{F915E52C-443A-4c7c-A3BB-F70C3C6374D4}.exe	{217B6D75-0678-432e-8CCB-5ABE8321344C}.exe
File created	C:\Windows\{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe	2024-01-09_924a082dee5a33d4e278492cdca55c1d_goldeneye.exe
File created	C:\Windows\{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe	{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe
File created	C:\Windows\{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe	{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe
File created	C:\Windows\{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe	{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe
File created	C:\Windows\{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe	{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe
File created	C:\Windows\{217B6D75-0678-432e-8CCB-5ABE8321344C}.exe	{1A0E5DC7-4549-41a3-BCB5-0D174D278DCF}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	580	2024-01-09_924a082dee5a33d4e278492cdca55c1d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2892	{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe
Token: SeIncBasePriorityPrivilege	2216	{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe
Token: SeIncBasePriorityPrivilege	1052	{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe
Token: SeIncBasePriorityPrivilege	2232	{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe
Token: SeIncBasePriorityPrivilege	2352	{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe
Token: SeIncBasePriorityPrivilege	1460	{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe
Token: SeIncBasePriorityPrivilege	1084	{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe
Token: SeIncBasePriorityPrivilege	828	{1A0E5DC7-4549-41a3-BCB5-0D174D278DCF}.exe
Token: SeIncBasePriorityPrivilege	1376	{217B6D75-0678-432e-8CCB-5ABE8321344C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 2892	580	2024-01-09_924a082dee5a33d4e278492cdca55c1d_goldeneye.exe	27
PID 580 wrote to memory of 2892	580	2024-01-09_924a082dee5a33d4e278492cdca55c1d_goldeneye.exe	27
PID 580 wrote to memory of 2892	580	2024-01-09_924a082dee5a33d4e278492cdca55c1d_goldeneye.exe	27
PID 580 wrote to memory of 2892	580	2024-01-09_924a082dee5a33d4e278492cdca55c1d_goldeneye.exe	27
PID 580 wrote to memory of 2272	580	2024-01-09_924a082dee5a33d4e278492cdca55c1d_goldeneye.exe	28
PID 580 wrote to memory of 2272	580	2024-01-09_924a082dee5a33d4e278492cdca55c1d_goldeneye.exe	28
PID 580 wrote to memory of 2272	580	2024-01-09_924a082dee5a33d4e278492cdca55c1d_goldeneye.exe	28
PID 580 wrote to memory of 2272	580	2024-01-09_924a082dee5a33d4e278492cdca55c1d_goldeneye.exe	28
PID 2892 wrote to memory of 2216	2892	{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe	29
PID 2892 wrote to memory of 2216	2892	{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe	29
PID 2892 wrote to memory of 2216	2892	{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe	29
PID 2892 wrote to memory of 2216	2892	{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe	29
PID 2892 wrote to memory of 1804	2892	{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe	30
PID 2892 wrote to memory of 1804	2892	{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe	30
PID 2892 wrote to memory of 1804	2892	{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe	30
PID 2892 wrote to memory of 1804	2892	{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe	30
PID 2216 wrote to memory of 1052	2216	{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe	31
PID 2216 wrote to memory of 1052	2216	{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe	31
PID 2216 wrote to memory of 1052	2216	{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe	31
PID 2216 wrote to memory of 1052	2216	{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe	31
PID 2216 wrote to memory of 2396	2216	{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe	32
PID 2216 wrote to memory of 2396	2216	{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe	32
PID 2216 wrote to memory of 2396	2216	{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe	32
PID 2216 wrote to memory of 2396	2216	{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe	32
PID 1052 wrote to memory of 2232	1052	{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe	33
PID 1052 wrote to memory of 2232	1052	{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe	33
PID 1052 wrote to memory of 2232	1052	{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe	33
PID 1052 wrote to memory of 2232	1052	{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe	33
PID 1052 wrote to memory of 2376	1052	{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe	34
PID 1052 wrote to memory of 2376	1052	{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe	34
PID 1052 wrote to memory of 2376	1052	{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe	34
PID 1052 wrote to memory of 2376	1052	{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe	34
PID 2232 wrote to memory of 2352	2232	{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe	35
PID 2232 wrote to memory of 2352	2232	{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe	35
PID 2232 wrote to memory of 2352	2232	{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe	35
PID 2232 wrote to memory of 2352	2232	{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe	35
PID 2232 wrote to memory of 840	2232	{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe	36
PID 2232 wrote to memory of 840	2232	{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe	36
PID 2232 wrote to memory of 840	2232	{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe	36
PID 2232 wrote to memory of 840	2232	{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe	36
PID 2352 wrote to memory of 1460	2352	{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe	37
PID 2352 wrote to memory of 1460	2352	{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe	37
PID 2352 wrote to memory of 1460	2352	{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe	37
PID 2352 wrote to memory of 1460	2352	{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe	37
PID 2352 wrote to memory of 2424	2352	{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe	38
PID 2352 wrote to memory of 2424	2352	{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe	38
PID 2352 wrote to memory of 2424	2352	{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe	38
PID 2352 wrote to memory of 2424	2352	{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe	38
PID 1460 wrote to memory of 1084	1460	{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe	39
PID 1460 wrote to memory of 1084	1460	{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe	39
PID 1460 wrote to memory of 1084	1460	{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe	39
PID 1460 wrote to memory of 1084	1460	{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe	39
PID 1460 wrote to memory of 2288	1460	{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe	40
PID 1460 wrote to memory of 2288	1460	{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe	40
PID 1460 wrote to memory of 2288	1460	{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe	40
PID 1460 wrote to memory of 2288	1460	{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe	40
PID 1084 wrote to memory of 828	1084	{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe	41
PID 1084 wrote to memory of 828	1084	{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe	41
PID 1084 wrote to memory of 828	1084	{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe	41
PID 1084 wrote to memory of 828	1084	{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe	41
PID 1084 wrote to memory of 1584	1084	{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe	42
PID 1084 wrote to memory of 1584	1084	{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe	42
PID 1084 wrote to memory of 1584	1084	{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe	42
PID 1084 wrote to memory of 1584	1084	{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe	42

C:\Users\Admin\AppData\Local\Temp\2024-01-09_924a082dee5a33d4e278492cdca55c1d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_924a082dee5a33d4e278492cdca55c1d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe
  C:\Windows\{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe
    C:\Windows\{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe
      C:\Windows\{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1052
    - - C:\Windows\{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe
        
        C:\Windows\{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Windows\{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe
        
        C:\Windows\{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe
        
        C:\Windows\{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe
        
        C:\Windows\{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\{1A0E5DC7-4549-41a3-BCB5-0D174D278DCF}.exe
        
        C:\Windows\{1A0E5DC7-4549-41a3-BCB5-0D174D278DCF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\{217B6D75-0678-432e-8CCB-5ABE8321344C}.exe
        
        C:\Windows\{217B6D75-0678-432e-8CCB-5ABE8321344C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\{F915E52C-443A-4c7c-A3BB-F70C3C6374D4}.exe
        
        C:\Windows\{F915E52C-443A-4c7c-A3BB-F70C3C6374D4}.exe
        11⤵
        Executes dropped EXE
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{217B6~1.EXE > nul
        11⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A0E5~1.EXE > nul
        10⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{431AD~1.EXE > nul
        9⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04F73~1.EXE > nul
        8⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74FEA~1.EXE > nul
        7⤵
        
        PID:2424
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB695~1.EXE > nul
        6⤵
        
        PID:840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99E22~1.EXE > nul
        5⤵
        
        PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{894DE~1.EXE > nul
      4⤵
      PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A5693~1.EXE > nul
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04F73A79-11AD-4c3f-813D-B7B91068D260}.exe

Filesize
192KB

MD5
758dce5b62d16b712cba69b471a59f7b

SHA1
3662a3003252066b3e0fcf8a54d27ad3f74943d3

SHA256
97e07a5cfe8ab59f6b49f44dd9cb830d8fb46e4f5e9f88aeda958677af8cf243

SHA512
b44dfa23fab3b0026acd59bbdf0d5d5dc46040b98af4e991243f02b8a1af8b64cf87a07079ccdda6d90497547ef875e7ce392c26934697e5c569fee70e41744b

Download Submit
C:\Windows\{1A0E5DC7-4549-41a3-BCB5-0D174D278DCF}.exe

Filesize
192KB

MD5
f2488221f40f3db932cdb44c1a332941

SHA1
ab7f3712018e54b5d0eeb6d6e7c71d0612a1b96f

SHA256
cce9491339ba43ed63a4307c9c36dd524c81bdb48fe31f102263a7860e0d9702

SHA512
12f8d0c6037bd039afc9656f4a25420a323877bfe4a044c2710b72dc785f0a7d43f0f8d52a285fccad3dc0350aad5f470c9a5ac333d5350b75d12210a5b3a619

Download Submit
C:\Windows\{217B6D75-0678-432e-8CCB-5ABE8321344C}.exe

Filesize
192KB

MD5
be1decac0ff4516c0e4403ffe424adb7

SHA1
efae9dfb216680d236d8ceb24b3c2388c2b50bb4

SHA256
72acbaf739f93cde5cdda5c3492c2412eeba112f078094be2ed3a77af5528641

SHA512
2d77b036d1a08d4a14399b9041b8698457ba837af0aaa3ddc837818621fb54ed5593184b64e52c0d4c29554653c02d463e50d13579918fc2f2809c4c35c992d4

Download Submit
C:\Windows\{431AD8F5-DA58-4424-8FA3-4DB6BEFAC95E}.exe

Filesize
192KB

MD5
7f059d1c7ea58ae3014c0257c2b3c439

SHA1
87227ac87a1be42e7d278a01fe12610eba8d73d2

SHA256
8a6e043b7d11e4c6d540478804abf2faee83fb8ba5b045f802845af4b7bfc1e6

SHA512
96c03c5cff166e2e60f4c5817cd49f340a85b6bdca72d9bfd693e4ff4f35ea579b0af11e36e69aa260bc8676d87c6e8c0a559e4be73cb1bbcdd3614a140b52c8

Download Submit
C:\Windows\{74FEACAC-9F67-4124-AC83-427FCD6FC5C5}.exe

Filesize
192KB

MD5
513eeba5006d1327d8a4badf06535413

SHA1
e6981756e0897052882b6dfeba5d7d800c54f4ee

SHA256
7b13e59527b59aee4fbfe1ebe06acd1c48e544771104a2bd2a02776d18abbf70

SHA512
637104b5386e28acab93ce13192bf037b331834cbc1ffb70c93b4b6366eccde1cf0f982ef813428140404c3db9b5013534fbcc469c801d3650882e78bfedd991

Download Submit
C:\Windows\{894DE41F-8B2B-47ac-BAC5-0741EE3CC3E5}.exe

Filesize
192KB

MD5
35574d10f15e6da38313c4a86b91e88a

SHA1
680d5237a6db393d33c06e58eb7312bc05a320f8

SHA256
38626f2dc81042e959e24f71614fbf05f2730defd6f9ee1610b75ff41950b902

SHA512
379102eff28cd2fcd8a0231a5e918b8778d12bffd9bc727b1ec44dc04a28708f08bf28e1207c424ba3ec3178151ffb66395e0e193e2f1c254c49c64b6b25f28b

Download Submit
C:\Windows\{99E22D61-3B0A-4306-AEEC-9ACA950B3BB2}.exe

Filesize
192KB

MD5
3482377d7f7715f3271904125dd8d887

SHA1
c1c05d744dd08807270f629cca38df1b3afc5630

SHA256
89484056375f139d07d005ca609463f0c8192cbf27496593d3312b720d97bd5e

SHA512
83023f6e00080f890332bc6f7cd811b943f36a7b9b9d8924cea82854918ff7416170a725481371247bdd7a0c8e8c4d0eb1b92e3045dc0a44ef92a0c6268881ee

Download Submit
C:\Windows\{A5693DD8-69BC-4a15-B8FC-A1F3073D05AE}.exe

Filesize
192KB

MD5
7fa4d49103fb8f33a9c650c93e9b006f

SHA1
81e3adc03fc2aa5653949da4334eed1b5a423eaf

SHA256
4cb2d793618b03b822c125fbe5dab4971905fddfa578e47ed2a62ea31288e0e4

SHA512
000cd26bb32ea7a4a902e9ba951ff2547f8cb229840008b238052932df8e8dea7621f5ff2210b45c4c51b98297c7bd786c920952af8283860f35fd61d3aedf2a

Download Submit
C:\Windows\{EB695331-3857-4a98-BC44-89A470B6CDFD}.exe

Filesize
192KB

MD5
fffe0e0cfc0a521bd83ec249c98cd847

SHA1
9380b0d7e80dd8567dc9a81d10c842a54500c17c

SHA256
cf33b780a24bbee95ad1597ed7f1b0303ff560f4659633fa449eb265da2da38f

SHA512
449e57adc0187ca12a9ce3ff1392b0c273412a7ca792bc038d646bc65629714fc56cae35b4a5216f0954160a7ba59583c22193b2145e0eeb298846ad03f8dfa8

Download Submit
C:\Windows\{F915E52C-443A-4c7c-A3BB-F70C3C6374D4}.exe

Filesize
192KB

MD5
fceeb24b91765ad2b101e94b35bfc88a

SHA1
26c5115c5c0b95b002319dec1d43edb464d6f657

SHA256
ff1f8984c31fd775317298dbfd1051f5b4661fe054ed0adedda5b3ec6d3c3187

SHA512
ca48b0face58bbce40e9b429b657122d8b0382934fba1d2689c68ca1ccf85d907d97870687a2c344cdf8e2db1b052190c222411e28eb8c020223aec9e764524a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads