58019f8d6b9fdc18d526a39f1b0b1b78c792d1146f7d67f7d14bb187c98da4c7

Analysis

max time kernel
238s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_4a380fbc8f12cffc01f946e7b1c07223_goldeneye.exe
Size

408KB
MD5

4a380fbc8f12cffc01f946e7b1c07223
SHA1

bed45e2ddda481186767f7b5dd8213f0dd54c328
SHA256

58019f8d6b9fdc18d526a39f1b0b1b78c792d1146f7d67f7d14bb187c98da4c7
SHA512

291d902321aac267c9cb50b05d63dbcbaf9df0f49a188a9a2379a230c7609db81a168553d99cdcfc0ec6ccd4f45aff0ffe4f8cc1b55d1f1c5cef2a1b2bb0835f
SSDEEP

3072:CEGh0oOl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGEldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}\stubpath = "C:\\Windows\\{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe"	{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AED991F2-8123-4ab6-BA16-060B67E98B59}	{389927AA-1AC8-408a-B8CC-49570FBCFEFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{310382F1-50A9-4098-B6DF-B0EBFF83F737}\stubpath = "C:\\Windows\\{310382F1-50A9-4098-B6DF-B0EBFF83F737}.exe"	{AED991F2-8123-4ab6-BA16-060B67E98B59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}\stubpath = "C:\\Windows\\{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe"	{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}\stubpath = "C:\\Windows\\{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe"	{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}	{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}\stubpath = "C:\\Windows\\{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe"	{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}	{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AC45936-A1B2-49b0-A4C5-9042BADBF6B7}\stubpath = "C:\\Windows\\{9AC45936-A1B2-49b0-A4C5-9042BADBF6B7}.exe"	{310382F1-50A9-4098-B6DF-B0EBFF83F737}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}\stubpath = "C:\\Windows\\{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe"	{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{389927AA-1AC8-408a-B8CC-49570FBCFEFD}	{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{310382F1-50A9-4098-B6DF-B0EBFF83F737}	{AED991F2-8123-4ab6-BA16-060B67E98B59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{884A317B-CC6E-47da-9FE9-4096FF09FF83}	{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{884A317B-CC6E-47da-9FE9-4096FF09FF83}\stubpath = "C:\\Windows\\{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe"	{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}	{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AED991F2-8123-4ab6-BA16-060B67E98B59}\stubpath = "C:\\Windows\\{AED991F2-8123-4ab6-BA16-060B67E98B59}.exe"	{389927AA-1AC8-408a-B8CC-49570FBCFEFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AC45936-A1B2-49b0-A4C5-9042BADBF6B7}	{310382F1-50A9-4098-B6DF-B0EBFF83F737}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61DB87F4-E3C6-4372-A0B7-B72A05860A76}	2024-01-10_4a380fbc8f12cffc01f946e7b1c07223_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61DB87F4-E3C6-4372-A0B7-B72A05860A76}\stubpath = "C:\\Windows\\{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe"	2024-01-10_4a380fbc8f12cffc01f946e7b1c07223_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}	{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}	{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{389927AA-1AC8-408a-B8CC-49570FBCFEFD}\stubpath = "C:\\Windows\\{389927AA-1AC8-408a-B8CC-49570FBCFEFD}.exe"	{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe

Deletes itself 1 IoCs

pid	Process
640	cmd.exe

Executes dropped EXE 10 IoCs

pid	Process
3044	{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe
2244	{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe
1916	{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe
2744	{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe
1976	{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe
2988	{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe
2420	{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe
1568	{389927AA-1AC8-408a-B8CC-49570FBCFEFD}.exe
696	{AED991F2-8123-4ab6-BA16-060B67E98B59}.exe
1504	{310382F1-50A9-4098-B6DF-B0EBFF83F737}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9AC45936-A1B2-49b0-A4C5-9042BADBF6B7}.exe	{310382F1-50A9-4098-B6DF-B0EBFF83F737}.exe
File created	C:\Windows\{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe	2024-01-10_4a380fbc8f12cffc01f946e7b1c07223_goldeneye.exe
File created	C:\Windows\{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe	{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe
File created	C:\Windows\{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe	{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe
File created	C:\Windows\{AED991F2-8123-4ab6-BA16-060B67E98B59}.exe	{389927AA-1AC8-408a-B8CC-49570FBCFEFD}.exe
File created	C:\Windows\{389927AA-1AC8-408a-B8CC-49570FBCFEFD}.exe	{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe
File created	C:\Windows\{310382F1-50A9-4098-B6DF-B0EBFF83F737}.exe	{AED991F2-8123-4ab6-BA16-060B67E98B59}.exe
File created	C:\Windows\{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe	{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe
File created	C:\Windows\{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe	{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe
File created	C:\Windows\{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe	{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe
File created	C:\Windows\{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe	{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1940	2024-01-10_4a380fbc8f12cffc01f946e7b1c07223_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3044	{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe
Token: SeIncBasePriorityPrivilege	2244	{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe
Token: SeIncBasePriorityPrivilege	1916	{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe
Token: SeIncBasePriorityPrivilege	2744	{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe
Token: SeIncBasePriorityPrivilege	1976	{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe
Token: SeIncBasePriorityPrivilege	2988	{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe
Token: SeIncBasePriorityPrivilege	2420	{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe
Token: SeIncBasePriorityPrivilege	1568	{389927AA-1AC8-408a-B8CC-49570FBCFEFD}.exe
Token: SeIncBasePriorityPrivilege	696	{AED991F2-8123-4ab6-BA16-060B67E98B59}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 3044	1940	2024-01-10_4a380fbc8f12cffc01f946e7b1c07223_goldeneye.exe	27
PID 1940 wrote to memory of 3044	1940	2024-01-10_4a380fbc8f12cffc01f946e7b1c07223_goldeneye.exe	27
PID 1940 wrote to memory of 3044	1940	2024-01-10_4a380fbc8f12cffc01f946e7b1c07223_goldeneye.exe	27
PID 1940 wrote to memory of 3044	1940	2024-01-10_4a380fbc8f12cffc01f946e7b1c07223_goldeneye.exe	27
PID 1940 wrote to memory of 640	1940	2024-01-10_4a380fbc8f12cffc01f946e7b1c07223_goldeneye.exe	28
PID 1940 wrote to memory of 640	1940	2024-01-10_4a380fbc8f12cffc01f946e7b1c07223_goldeneye.exe	28
PID 1940 wrote to memory of 640	1940	2024-01-10_4a380fbc8f12cffc01f946e7b1c07223_goldeneye.exe	28
PID 1940 wrote to memory of 640	1940	2024-01-10_4a380fbc8f12cffc01f946e7b1c07223_goldeneye.exe	28
PID 3044 wrote to memory of 2244	3044	{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe	29
PID 3044 wrote to memory of 2244	3044	{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe	29
PID 3044 wrote to memory of 2244	3044	{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe	29
PID 3044 wrote to memory of 2244	3044	{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe	29
PID 3044 wrote to memory of 1536	3044	{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe	30
PID 3044 wrote to memory of 1536	3044	{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe	30
PID 3044 wrote to memory of 1536	3044	{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe	30
PID 3044 wrote to memory of 1536	3044	{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe	30
PID 2244 wrote to memory of 1916	2244	{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe	31
PID 2244 wrote to memory of 1916	2244	{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe	31
PID 2244 wrote to memory of 1916	2244	{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe	31
PID 2244 wrote to memory of 1916	2244	{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe	31
PID 2244 wrote to memory of 2496	2244	{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe	32
PID 2244 wrote to memory of 2496	2244	{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe	32
PID 2244 wrote to memory of 2496	2244	{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe	32
PID 2244 wrote to memory of 2496	2244	{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe	32
PID 1916 wrote to memory of 2744	1916	{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe	33
PID 1916 wrote to memory of 2744	1916	{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe	33
PID 1916 wrote to memory of 2744	1916	{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe	33
PID 1916 wrote to memory of 2744	1916	{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe	33
PID 1916 wrote to memory of 1328	1916	{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe	34
PID 1916 wrote to memory of 1328	1916	{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe	34
PID 1916 wrote to memory of 1328	1916	{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe	34
PID 1916 wrote to memory of 1328	1916	{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe	34
PID 2744 wrote to memory of 1976	2744	{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe	35
PID 2744 wrote to memory of 1976	2744	{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe	35
PID 2744 wrote to memory of 1976	2744	{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe	35
PID 2744 wrote to memory of 1976	2744	{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe	35
PID 2744 wrote to memory of 2372	2744	{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe	36
PID 2744 wrote to memory of 2372	2744	{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe	36
PID 2744 wrote to memory of 2372	2744	{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe	36
PID 2744 wrote to memory of 2372	2744	{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe	36
PID 1976 wrote to memory of 2988	1976	{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe	37
PID 1976 wrote to memory of 2988	1976	{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe	37
PID 1976 wrote to memory of 2988	1976	{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe	37
PID 1976 wrote to memory of 2988	1976	{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe	37
PID 1976 wrote to memory of 1148	1976	{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe	38
PID 1976 wrote to memory of 1148	1976	{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe	38
PID 1976 wrote to memory of 1148	1976	{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe	38
PID 1976 wrote to memory of 1148	1976	{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe	38
PID 2988 wrote to memory of 2420	2988	{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe	39
PID 2988 wrote to memory of 2420	2988	{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe	39
PID 2988 wrote to memory of 2420	2988	{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe	39
PID 2988 wrote to memory of 2420	2988	{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe	39
PID 2988 wrote to memory of 1932	2988	{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe	40
PID 2988 wrote to memory of 1932	2988	{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe	40
PID 2988 wrote to memory of 1932	2988	{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe	40
PID 2988 wrote to memory of 1932	2988	{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe	40
PID 2420 wrote to memory of 1568	2420	{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe	41
PID 2420 wrote to memory of 1568	2420	{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe	41
PID 2420 wrote to memory of 1568	2420	{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe	41
PID 2420 wrote to memory of 1568	2420	{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe	41
PID 2420 wrote to memory of 1948	2420	{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe	42
PID 2420 wrote to memory of 1948	2420	{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe	42
PID 2420 wrote to memory of 1948	2420	{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe	42
PID 2420 wrote to memory of 1948	2420	{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe	42

C:\Users\Admin\AppData\Local\Temp\2024-01-10_4a380fbc8f12cffc01f946e7b1c07223_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_4a380fbc8f12cffc01f946e7b1c07223_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe
  C:\Windows\{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe
    C:\Windows\{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe
      C:\Windows\{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe
        
        C:\Windows\{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe
        
        C:\Windows\{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe
        
        C:\Windows\{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe
        
        C:\Windows\{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\{389927AA-1AC8-408a-B8CC-49570FBCFEFD}.exe
        
        C:\Windows\{389927AA-1AC8-408a-B8CC-49570FBCFEFD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\{AED991F2-8123-4ab6-BA16-060B67E98B59}.exe
        
        C:\Windows\{AED991F2-8123-4ab6-BA16-060B67E98B59}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
        
        C:\Windows\{310382F1-50A9-4098-B6DF-B0EBFF83F737}.exe
        
        C:\Windows\{310382F1-50A9-4098-B6DF-B0EBFF83F737}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AED99~1.EXE > nul
        11⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38992~1.EXE > nul
        10⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBC26~1.EXE > nul
        9⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{462C1~1.EXE > nul
        8⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E58F~1.EXE > nul
        7⤵
        
        PID:1148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{884A3~1.EXE > nul
        6⤵
        
        PID:2372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B895D~1.EXE > nul
        5⤵
        
        PID:1328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B1C1D~1.EXE > nul
      4⤵
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{61DB8~1.EXE > nul
    3⤵
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{310382F1-50A9-4098-B6DF-B0EBFF83F737}.exe

Filesize
408KB

MD5
27fb45bb5f34f206d711d43dfd09a958

SHA1
c0c542edfae0eed44b6d1e6f343d4b29e1f0fba7

SHA256
25a2243178ba8014b7472dec64e2ac6ea4e340c31d2ba512caa7d72b2db972c5

SHA512
1f1200dd3b0a67f64936782a6eaf68e0044be1f9a8a5e6926d63a50bab7469ffe84707d2cfef08599117b79192fa0ce345d608f9a233617bc5528ae1e0796105

Download Submit
C:\Windows\{310382F1-50A9-4098-B6DF-B0EBFF83F737}.exe

Filesize
401KB

MD5
9115a13ff9928d7abf6ff84122271488

SHA1
486d9796bdfbb3ea45ec2ec25990dc14165d6ec3

SHA256
afbdc0afd71b88d6d9280caf42cdcd9295e78a30c99a0accd86c7063d5d758be

SHA512
358ea78713029c0f0e61899458cff7865a20cb57e1d95024cb3fbb41368ba2590e11c7b0ee489d8f8bf7c7d1a08609cd2231123145555d9d0c54e5041a09817d

Download Submit
C:\Windows\{389927AA-1AC8-408a-B8CC-49570FBCFEFD}.exe

Filesize
408KB

MD5
e4d39c2b9b444fd9d794e7502fc3f90a

SHA1
8d07d35babfb6e5672ad380c2f5d89f4de425cf2

SHA256
eb5b7d5fbbd10f65121f03f4ba3a7c7d62eff51a07f7c3cbec4349f66678867f

SHA512
f6548b6dff8df24057e055615c444b9897f7b80e2699e0dae92c4fe4ffce6041b6dbef639d7afaa1bcb48fcff8ccfaf366b5c4c43c19aba4b22b0308b196202c

Download Submit
C:\Windows\{462C1521-BE5C-40c6-9E5B-EA6747EFBC32}.exe

Filesize
408KB

MD5
59013abeb5b475a6e32be0acd0416060

SHA1
9aa64b582e07afaa2bd3e252a0448b542a61a635

SHA256
2a63ab3f802fbdb11619337b4500ac5dd11ad96c757c6184c869bff0127ff448

SHA512
8effdf3f46d0411ce2a61916ecac3e1993896c3557ae2c674bfcb989fbf6a3bb4518427282c853f8350536f6594223adbc3cf84377b8f8f6876258567ddcdca4

Download Submit
C:\Windows\{4E58FA95-19D8-40ba-8735-EC370CCBC3B7}.exe

Filesize
408KB

MD5
a52dddd5dd054c78f9e2e38c3ad56dbd

SHA1
abaeb8825fb1dd8e529adce9636ad51774c27044

SHA256
592e9bbf57e1f8cb8b6d672b253921b1a11e9f913b1b7c04de0005bf4d50e69e

SHA512
13c1753cd3e1043b08aa08c0c9f521264e8a2cc566e0954037f9754789bad73527708096940e46dd55a8d3881057e32a32d07a7822a5e843a75c9714b390aff3

Download Submit
C:\Windows\{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe

Filesize
408KB

MD5
cd304ada92eea736704aba2382fb562f

SHA1
5b5edaf1f4188a6847bea3e683f58db175348815

SHA256
f171659c4a060d898474ff348f666624ca4c3eae7706e4971d8344f3eaee2d09

SHA512
e518d188ae4f069fefd01c15e5f659026d06ff11b6aa3024c7c2a16303114551f8326f6bafca0dd76b2542e61e129e537ae75b25578e35569ccf8e5b30507af3

Download Submit
C:\Windows\{61DB87F4-E3C6-4372-A0B7-B72A05860A76}.exe

Filesize
301KB

MD5
146e24a15784c021d65b2c2bffb067d1

SHA1
f14b6e6241199a2f491469090c6e8ad7a7b9bd1f

SHA256
b7c8255a655ff2fdfdb3fc0a9338ee86cd01504bc937e76f8c8d862c89159c49

SHA512
9b232e7f9e9c2b663f4ac8d118d7f49e02cf258d029c321158a96ad270fc29636cbfab78adf0442c32a362f814400c8d5dfa926fa3e8966baab5568ee7711397

Download Submit
C:\Windows\{884A317B-CC6E-47da-9FE9-4096FF09FF83}.exe

Filesize
408KB

MD5
d6ca3b540a95f2149c6977c138819f83

SHA1
bb0493011f60c126a7c43c270424036bf00c45a2

SHA256
9e9300e4b5c92953821a9dd3a5f1b9b45bce224fcc07b8128cd715cd8db24ff3

SHA512
58750189e8f042bafd73a8166d5cc7757ce724bfd4fefd722ba8eafa5de3b73257604232f902e3b741ab37481ac5c6ab5abfe2ac4158438d0585b7d46280ee97

Download Submit
C:\Windows\{AED991F2-8123-4ab6-BA16-060B67E98B59}.exe

Filesize
408KB

MD5
e3ecf2d188998c8a6fa3d99875670850

SHA1
1b372cab9ac9593b376ec438e7e2849d8d5d075d

SHA256
3a2a662a18a53eab5e1bf9c06f5dd58abc0216341cd7963067debf2a42290ac3

SHA512
4e1de84e7c6ef6fea31f920ecea9cdbe13ffb2d0cbb2b835aa8b64b9efbf56424a7cb36d20fdf59aa190e300958472f4a81653d7c4e38f17f029b09ee51f376e

Download Submit
C:\Windows\{B1C1D4D6-1485-4205-B77E-BC4DDDFC1D79}.exe

Filesize
408KB

MD5
47ce5be8900c390150877ac1e4d09ab8

SHA1
bcb36e4bb84e45291060add9b764fa85a359e935

SHA256
4a5f713d51021441af4b850c2ebb1aac2eab6605dc15981b4ad3d106da1480ba

SHA512
74a893a0662b44baaf78e31d1327be0a2ac9f91c63a9f88cf000a8e19a814e3eb7595f57a202e61e6ca32207090da961d0034a97865bb0eac8cd720fa52ac321

Download Submit
C:\Windows\{B895DB62-F97A-4a37-9FDB-4B3A7AE9CB09}.exe

Filesize
408KB

MD5
66cfe67facb9d35afc85207c7fa594e6

SHA1
fb1618c27d46f83c73cc0ae8f142acaa54eb73f9

SHA256
bb3f5f24bbb44f1f12893c0ced94f739c86f97be51f4b20639d1ba2de663d156

SHA512
596b23e4b7d6fb64d1552bdae1a3e194f99e64c9bdc8641d5711ab7e079556530e048cd0cf00e9e294cb4a9039b16f9475fba576f72e54c13096402562e1f277

Download Submit
C:\Windows\{BBC260DC-100C-44ab-B5F4-F8DDA0A3B50F}.exe

Filesize
408KB

MD5
3c6d78409cf6fcd78ed0e273596520e8

SHA1
23f810c4bbf3b4813fb84b480f080a6bf7542326

SHA256
4dc17f217acc8521e2b4b3c4e538c976c1c927c474079810ef96699334ac941f

SHA512
696a8b6d178d152cfe45e8cefcb3ef9b52c3d5e57377eac6e76010b43cfa8cba3bbb1afb970e7202b9e392cd81dc0abe954d5779cf48de546df30e383352a026

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads