38c8fb05f8ce388a8ddd02e39dcc1928037e3a325c5e919ea0bb8b9753441393

Analysis

max time kernel
125s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe
Size

180KB
MD5

09b052b259a1146cfec5f332089c2d8e
SHA1

fb0718b51db55f120347de226cb3fa343f7950d8
SHA256

38c8fb05f8ce388a8ddd02e39dcc1928037e3a325c5e919ea0bb8b9753441393
SHA512

3a9d928f29e135e38c7e6b49c88c447de507c1ff5837503f7b224083f75bc3fe55efb2c2403c04a15aeb6407faeb8c27c057216dd00457b1e368af21881221bc
SSDEEP

3072:jEGh0oMlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGyl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}	{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{040A4F71-D95B-4c18-9C32-84EDDEDE6399}	{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67121170-5AC0-41bd-BFE8-F636271208F4}	{040A4F71-D95B-4c18-9C32-84EDDEDE6399}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}\stubpath = "C:\\Windows\\{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe"	{DB251595-A393-45e8-9A34-9E016AB460F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61B3F524-4C99-42c2-BC6F-E41553F05324}	{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}\stubpath = "C:\\Windows\\{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe"	{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{746AE182-F0C2-4e3f-941A-268728467FB9}	{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{040A4F71-D95B-4c18-9C32-84EDDEDE6399}\stubpath = "C:\\Windows\\{040A4F71-D95B-4c18-9C32-84EDDEDE6399}.exe"	{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95B8C62D-5F5E-4357-B674-78AD60B73D53}	{67121170-5AC0-41bd-BFE8-F636271208F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB251595-A393-45e8-9A34-9E016AB460F2}\stubpath = "C:\\Windows\\{DB251595-A393-45e8-9A34-9E016AB460F2}.exe"	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61B3F524-4C99-42c2-BC6F-E41553F05324}\stubpath = "C:\\Windows\\{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe"	{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F65DA63D-64B8-4985-A379-94F710B0F80C}	{746AE182-F0C2-4e3f-941A-268728467FB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F65DA63D-64B8-4985-A379-94F710B0F80C}\stubpath = "C:\\Windows\\{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe"	{746AE182-F0C2-4e3f-941A-268728467FB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95B8C62D-5F5E-4357-B674-78AD60B73D53}\stubpath = "C:\\Windows\\{95B8C62D-5F5E-4357-B674-78AD60B73D53}.exe"	{67121170-5AC0-41bd-BFE8-F636271208F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB251595-A393-45e8-9A34-9E016AB460F2}	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{746AE182-F0C2-4e3f-941A-268728467FB9}\stubpath = "C:\\Windows\\{746AE182-F0C2-4e3f-941A-268728467FB9}.exe"	{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11831E63-4DD8-4128-B62F-4C2AA18BC26D}\stubpath = "C:\\Windows\\{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe"	{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67121170-5AC0-41bd-BFE8-F636271208F4}\stubpath = "C:\\Windows\\{67121170-5AC0-41bd-BFE8-F636271208F4}.exe"	{040A4F71-D95B-4c18-9C32-84EDDEDE6399}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}	{DB251595-A393-45e8-9A34-9E016AB460F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11831E63-4DD8-4128-B62F-4C2AA18BC26D}	{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 10 IoCs

pid	Process
2380	{DB251595-A393-45e8-9A34-9E016AB460F2}.exe
2876	{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe
3060	{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe
768	{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe
2888	{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe
1648	{746AE182-F0C2-4e3f-941A-268728467FB9}.exe
1984	{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe
1440	{040A4F71-D95B-4c18-9C32-84EDDEDE6399}.exe
2080	{67121170-5AC0-41bd-BFE8-F636271208F4}.exe
2064	{95B8C62D-5F5E-4357-B674-78AD60B73D53}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{DB251595-A393-45e8-9A34-9E016AB460F2}.exe	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe
File created	C:\Windows\{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe	{DB251595-A393-45e8-9A34-9E016AB460F2}.exe
File created	C:\Windows\{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe	{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe
File created	C:\Windows\{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe	{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe
File created	C:\Windows\{746AE182-F0C2-4e3f-941A-268728467FB9}.exe	{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe
File created	C:\Windows\{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe	{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe
File created	C:\Windows\{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe	{746AE182-F0C2-4e3f-941A-268728467FB9}.exe
File created	C:\Windows\{040A4F71-D95B-4c18-9C32-84EDDEDE6399}.exe	{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe
File created	C:\Windows\{67121170-5AC0-41bd-BFE8-F636271208F4}.exe	{040A4F71-D95B-4c18-9C32-84EDDEDE6399}.exe
File created	C:\Windows\{95B8C62D-5F5E-4357-B674-78AD60B73D53}.exe	{67121170-5AC0-41bd-BFE8-F636271208F4}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3012	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2380	{DB251595-A393-45e8-9A34-9E016AB460F2}.exe
Token: SeIncBasePriorityPrivilege	2876	{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe
Token: SeIncBasePriorityPrivilege	3060	{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe
Token: SeIncBasePriorityPrivilege	768	{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe
Token: SeIncBasePriorityPrivilege	2888	{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe
Token: SeIncBasePriorityPrivilege	1648	{746AE182-F0C2-4e3f-941A-268728467FB9}.exe
Token: SeIncBasePriorityPrivilege	1984	{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe
Token: SeIncBasePriorityPrivilege	1440	{040A4F71-D95B-4c18-9C32-84EDDEDE6399}.exe
Token: SeIncBasePriorityPrivilege	2080	{67121170-5AC0-41bd-BFE8-F636271208F4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2380	3012	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe	28
PID 3012 wrote to memory of 2380	3012	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe	28
PID 3012 wrote to memory of 2380	3012	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe	28
PID 3012 wrote to memory of 2380	3012	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe	28
PID 3012 wrote to memory of 2712	3012	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe	29
PID 3012 wrote to memory of 2712	3012	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe	29
PID 3012 wrote to memory of 2712	3012	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe	29
PID 3012 wrote to memory of 2712	3012	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe	29
PID 2380 wrote to memory of 2876	2380	{DB251595-A393-45e8-9A34-9E016AB460F2}.exe	30
PID 2380 wrote to memory of 2876	2380	{DB251595-A393-45e8-9A34-9E016AB460F2}.exe	30
PID 2380 wrote to memory of 2876	2380	{DB251595-A393-45e8-9A34-9E016AB460F2}.exe	30
PID 2380 wrote to memory of 2876	2380	{DB251595-A393-45e8-9A34-9E016AB460F2}.exe	30
PID 2380 wrote to memory of 2944	2380	{DB251595-A393-45e8-9A34-9E016AB460F2}.exe	31
PID 2380 wrote to memory of 2944	2380	{DB251595-A393-45e8-9A34-9E016AB460F2}.exe	31
PID 2380 wrote to memory of 2944	2380	{DB251595-A393-45e8-9A34-9E016AB460F2}.exe	31
PID 2380 wrote to memory of 2944	2380	{DB251595-A393-45e8-9A34-9E016AB460F2}.exe	31
PID 2876 wrote to memory of 3060	2876	{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe	32
PID 2876 wrote to memory of 3060	2876	{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe	32
PID 2876 wrote to memory of 3060	2876	{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe	32
PID 2876 wrote to memory of 3060	2876	{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe	32
PID 2876 wrote to memory of 2772	2876	{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe	33
PID 2876 wrote to memory of 2772	2876	{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe	33
PID 2876 wrote to memory of 2772	2876	{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe	33
PID 2876 wrote to memory of 2772	2876	{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe	33
PID 3060 wrote to memory of 768	3060	{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe	36
PID 3060 wrote to memory of 768	3060	{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe	36
PID 3060 wrote to memory of 768	3060	{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe	36
PID 3060 wrote to memory of 768	3060	{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe	36
PID 3060 wrote to memory of 1660	3060	{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe	37
PID 3060 wrote to memory of 1660	3060	{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe	37
PID 3060 wrote to memory of 1660	3060	{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe	37
PID 3060 wrote to memory of 1660	3060	{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe	37
PID 768 wrote to memory of 2888	768	{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe	38
PID 768 wrote to memory of 2888	768	{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe	38
PID 768 wrote to memory of 2888	768	{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe	38
PID 768 wrote to memory of 2888	768	{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe	38
PID 768 wrote to memory of 3004	768	{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe	39
PID 768 wrote to memory of 3004	768	{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe	39
PID 768 wrote to memory of 3004	768	{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe	39
PID 768 wrote to memory of 3004	768	{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe	39
PID 2888 wrote to memory of 1648	2888	{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe	40
PID 2888 wrote to memory of 1648	2888	{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe	40
PID 2888 wrote to memory of 1648	2888	{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe	40
PID 2888 wrote to memory of 1648	2888	{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe	40
PID 2888 wrote to memory of 1720	2888	{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe	41
PID 2888 wrote to memory of 1720	2888	{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe	41
PID 2888 wrote to memory of 1720	2888	{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe	41
PID 2888 wrote to memory of 1720	2888	{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe	41
PID 1648 wrote to memory of 1984	1648	{746AE182-F0C2-4e3f-941A-268728467FB9}.exe	42
PID 1648 wrote to memory of 1984	1648	{746AE182-F0C2-4e3f-941A-268728467FB9}.exe	42
PID 1648 wrote to memory of 1984	1648	{746AE182-F0C2-4e3f-941A-268728467FB9}.exe	42
PID 1648 wrote to memory of 1984	1648	{746AE182-F0C2-4e3f-941A-268728467FB9}.exe	42
PID 1648 wrote to memory of 1652	1648	{746AE182-F0C2-4e3f-941A-268728467FB9}.exe	43
PID 1648 wrote to memory of 1652	1648	{746AE182-F0C2-4e3f-941A-268728467FB9}.exe	43
PID 1648 wrote to memory of 1652	1648	{746AE182-F0C2-4e3f-941A-268728467FB9}.exe	43
PID 1648 wrote to memory of 1652	1648	{746AE182-F0C2-4e3f-941A-268728467FB9}.exe	43
PID 1984 wrote to memory of 1440	1984	{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe	44
PID 1984 wrote to memory of 1440	1984	{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe	44
PID 1984 wrote to memory of 1440	1984	{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe	44
PID 1984 wrote to memory of 1440	1984	{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe	44
PID 1984 wrote to memory of 1516	1984	{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe	45
PID 1984 wrote to memory of 1516	1984	{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe	45
PID 1984 wrote to memory of 1516	1984	{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe	45
PID 1984 wrote to memory of 1516	1984	{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\{DB251595-A393-45e8-9A34-9E016AB460F2}.exe
  C:\Windows\{DB251595-A393-45e8-9A34-9E016AB460F2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe
    C:\Windows\{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe
      C:\Windows\{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe
        
        C:\Windows\{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
      - C:\Windows\{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe
        
        C:\Windows\{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{746AE182-F0C2-4e3f-941A-268728467FB9}.exe
        
        C:\Windows\{746AE182-F0C2-4e3f-941A-268728467FB9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe
        
        C:\Windows\{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\{040A4F71-D95B-4c18-9C32-84EDDEDE6399}.exe
        
        C:\Windows\{040A4F71-D95B-4c18-9C32-84EDDEDE6399}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\{67121170-5AC0-41bd-BFE8-F636271208F4}.exe
        
        C:\Windows\{67121170-5AC0-41bd-BFE8-F636271208F4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67121~1.EXE > nul
        11⤵
        
        PID:336
        
        C:\Windows\{95B8C62D-5F5E-4357-B674-78AD60B73D53}.exe
        
        C:\Windows\{95B8C62D-5F5E-4357-B674-78AD60B73D53}.exe
        11⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95B8C~1.EXE > nul
        12⤵
        
        PID:1800
        
        C:\Windows\{A80EBF89-54E3-45dc-A57F-4EA74E572AA8}.exe
        
        C:\Windows\{A80EBF89-54E3-45dc-A57F-4EA74E572AA8}.exe
        12⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{040A4~1.EXE > nul
        10⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F65DA~1.EXE > nul
        9⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{746AE~1.EXE > nul
        8⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{094AB~1.EXE > nul
        7⤵
        
        PID:1720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11831~1.EXE > nul
        6⤵
        
        PID:3004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61B3F~1.EXE > nul
        5⤵
        
        PID:1660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B8551~1.EXE > nul
      4⤵
      PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DB251~1.EXE > nul
    3⤵
    PID:2944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{040A4F71-D95B-4c18-9C32-84EDDEDE6399}.exe

Filesize
180KB

MD5
14cc8c2363846693642475404bc3a681

SHA1
44fa6e3ded6940a3def29bbb1678014b8c2623b9

SHA256
4d1abf161cb2f24edbcb1d77cc15525c844907264c342d5ec270eeeaac9d5790

SHA512
db49cccca19f547e67c59b14b6595f6206150f8ce92159bb7dc32cdae7257e214d239d020b499a79bb5642d0a229118242ef95f20b14d980be9697acfba93560

Download Submit
C:\Windows\{040A4F71-D95B-4c18-9C32-84EDDEDE6399}.exe

Filesize
58KB

MD5
07525dbc3c41bb66f92232063414a66e

SHA1
313800a1fc58d58555b641eb6c0f86e7ed0041e6

SHA256
8929559b993ffba4770053ae5d37c53311c2e04d81713c51f7decd8fdda82fe9

SHA512
9b190b938b0399e2aaaf289a3ff4bebfd7c051e3d1d4b1c9564bbd7ffeb97e8c0d30ce47b62c64e23a126d1359f40ef2f47bf500d1f8953cb39f4ae56ee0682b

Download Submit
C:\Windows\{094ABA96-FF84-4cdc-AB6D-B45A3D2ACC9B}.exe

Filesize
180KB

MD5
de2d1169a5689b467836e1daca9de6ed

SHA1
f37841efdfbfcbd10f88120c0f320a75b1f39c3a

SHA256
32104cf9960f40d0772a8778155fd4f05e97ff03800007d9d402ffa3d7ae6d77

SHA512
0a6247a7e703d2b87f852a87c71db8803397078f593837eafe5be0049a6e9b58196d171481b276eb2dbcf39dcce642d1f18b527fff4e1563c3c0c70e9610307e

Download Submit
C:\Windows\{11831E63-4DD8-4128-B62F-4C2AA18BC26D}.exe

Filesize
180KB

MD5
8fb9ef5c65114b92c0098fa792202d43

SHA1
45a835038f3d85e685165099e8251f6a6872770c

SHA256
2eeab752274057fc57a833abfe3f0ead10f69f3ea840bf62c11f561c530c2b18

SHA512
64750f37fe3393047efb3712a77fbf2eb8dd26e42d206bfac90a7ca0b81e52d064ca74746785830f295ce8cd5b707f17544cc9fecfac518577b4265c078c86f8

Download Submit
C:\Windows\{61B3F524-4C99-42c2-BC6F-E41553F05324}.exe

Filesize
180KB

MD5
6ad435eb7707229c6ce69fea2a44e67a

SHA1
3a16ea7c3139473b8e2134e3cdcb451eb9d2fbe0

SHA256
731019431d3340dd71fb374a90043dcd5076729ce3dc1c617613d524ec92069a

SHA512
93ed66e4fd669ceb82e5ffed545f5ac0ddcdfe967c611a63974df04fa7848993d740095831be193f7ff969e34802f05cfe524bc70828cae9c63bbc7310b2ad40

Download Submit
C:\Windows\{67121170-5AC0-41bd-BFE8-F636271208F4}.exe

Filesize
50KB

MD5
a6c977959bb12b40929ffdb948e24e21

SHA1
a148e30f6805bc5996bf1b670196a3dd180e3cff

SHA256
6cc3a4405bce092af74f7c504721cec681ce6bd16ae5d318767dc6b6b02219b8

SHA512
f526549e8793787e1753597c1061c62ca0706fcc18d543a0a22e1c4d3a5fe7655c8181311e50a589c976ceaadf16a718eab1af85d004d497a1de17c5068ee507

Download Submit
C:\Windows\{67121170-5AC0-41bd-BFE8-F636271208F4}.exe

Filesize
43KB

MD5
d98c23d0c20ab126a2c3607f6c806abc

SHA1
cf2c125c9c69a8ebfecf9ca738fc024dc5f7695f

SHA256
43e180ed8eed5ea2aafcc61c5f16aad28788fd8187ccadce27793f7d02b9753b

SHA512
72056bcdf7d5b1cd030c2161d15c7630a53dbe8f72a3c56f09a89e26b11a7ff368882c49c2232331163a10fffc708f7d5ece08152cbc645dea1c59fe7ec43ef9

Download Submit
C:\Windows\{746AE182-F0C2-4e3f-941A-268728467FB9}.exe

Filesize
180KB

MD5
15635986f5c8773f601aab0a378ea214

SHA1
197fbdc18207bc8b51df04354c5223d8d6ecd3b9

SHA256
ee2b538f4496fe5069cc6d0e26cde9839951dc05470732f6f5489bdf29dd612c

SHA512
c1f14256cce825e8c49b57746e9beb1a6012bf804d55de649559f7ae31143afe8991c52a26a9279cdc846e4bb1f0df973c3addc4664a0a0abda0e34d704757a5

Download Submit
C:\Windows\{95B8C62D-5F5E-4357-B674-78AD60B73D53}.exe

Filesize
4KB

MD5
486b01f2deed18eba9662b6e3e1a76f8

SHA1
721ae9079f6ed223f043b71d8e171727630058a4

SHA256
492179e546be12b82949db272ec398c423d4609dba7d8747fc2ac7892ecbef3e

SHA512
a86d075febc9c56c871facbb4fcc09e4e7d2f87a3b557694f1b38525370780d383fa3edd6958352a3a9935d578fbca3d7fdbebc3a598beee0e366517fe8a53d7

Download Submit
C:\Windows\{95B8C62D-5F5E-4357-B674-78AD60B73D53}.exe

Filesize
18KB

MD5
7ec8f7a38fc796bbe65ecddda955eb7a

SHA1
ae279e3628e71d313127c3bfa50fbf5d94d50e06

SHA256
6e209430a10bd31d3e052cb4b8ab9f1a58489d27a4195bb152588eed3a128d07

SHA512
3640bb67ef05698bb4e06fb00081d19668bb9c34732ac077e7ef4511a0c4dd15c13b569446379307681d692e773cd30545c27c8a17b1f2ecdff7a2da0d87055f

Download Submit
C:\Windows\{A80EBF89-54E3-45dc-A57F-4EA74E572AA8}.exe

Filesize
15KB

MD5
2eb96cf52ad3bdc6a90046e334efd96e

SHA1
caf39cde8936d3d587bc492009e45071711ed68f

SHA256
f58942f7bb870c6d421c8949f257a45e0f7402552aac32f5c4553cacc0cfb51c

SHA512
8b64f5220ba42c550897b0d95abb44c0de53f6b6fe087ac962ff7ee2ae51a1da67cc1b38f37f5b8a35f0d79e01a5c793970c70243dd6ab961c1ea0e9fe9394de

Download Submit
C:\Windows\{B85510FB-F8CC-4bc1-8782-28BB9E01AC86}.exe

Filesize
180KB

MD5
9a400dbe0217ecf5f8ebccdecdf06107

SHA1
942e81d849226b7749a28dc27751a1a07df9ba39

SHA256
ce78826597e4c60a4ae23ee3412249dc7747fce58b9a823c6ddc55a47dc6a22b

SHA512
0c945247d1695308858d5d878baf163da7a6a0caf6449a5dbc70aa028b820f77b33b6ca9cc3aaa2f1e8e962ba72b2b5da778cd972301041b3952af839db5483e

Download Submit
C:\Windows\{DB251595-A393-45e8-9A34-9E016AB460F2}.exe

Filesize
180KB

MD5
5c4c08231625406a4b6fb5f68917ae7b

SHA1
8f923208916537b9836f3ab3ff73feb71adaa084

SHA256
c4c590dbbd1da17de1c5c782b46859633b4dc2a39250dfa805fb05427fac61f2

SHA512
78041cd9909f6dfaa39c3841ab2e13dbc324822b331971edd030d1400da905149f212e075e93c4fb8aa29f86fc9556b7c6458888e9abd8126ce814cbd1ac56a0

Download Submit
C:\Windows\{F65DA63D-64B8-4985-A379-94F710B0F80C}.exe

Filesize
180KB

MD5
de144eefe567325c130306d827fb2fff

SHA1
bb7a25fc8673b8632079a6e15508f3a4e1ea6df6

SHA256
5e60fcdaed9863fbf1bfab1c830c7928305610c45e82d938de9e668c720a26a6

SHA512
0ca97c4cffb23ba7f485f24f2ce4180dd6a64adb2f5877f112d1f6a545b1efa701c7ec1c30342729ea7a05c877bfedfd98dc14f562bee6727d926d441727a5e5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads