6939d126b951bf14a7f051afadedbc62bb7981aedc2f3b81a7535e6dc15c9e67

Analysis

max time kernel
150s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 05:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_4d1f0bb255adaf6982b51e4846ac2528_goldeneye.exe
Size

408KB
MD5

4d1f0bb255adaf6982b51e4846ac2528
SHA1

1265f0e4c65d7c6da11f5be260fb28277d15ff81
SHA256

6939d126b951bf14a7f051afadedbc62bb7981aedc2f3b81a7535e6dc15c9e67
SHA512

e20e09383f81336608359d8dd2e5adc78910c1eccdbdec20192846ec6af2ed4507db3bff818e80ecc540959d2564de09d794a7361bcdc058263fd154f6f62b7d
SSDEEP

3072:CEGh0onl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGlldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{406F91B9-871F-4afc-8EA9-90C89282210C}\stubpath = "C:\\Windows\\{406F91B9-871F-4afc-8EA9-90C89282210C}.exe"	{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7D396EC-A872-448f-91E9-3E544B32B22B}\stubpath = "C:\\Windows\\{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe"	{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73DF4FAC-C11D-4740-8946-030881787FD4}	{EB247C8D-095F-4c35-B27A-3DF72AC56B76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73DF4FAC-C11D-4740-8946-030881787FD4}\stubpath = "C:\\Windows\\{73DF4FAC-C11D-4740-8946-030881787FD4}.exe"	{EB247C8D-095F-4c35-B27A-3DF72AC56B76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06D4813E-F44D-4b43-B4ED-2D0D1DE02C7D}\stubpath = "C:\\Windows\\{06D4813E-F44D-4b43-B4ED-2D0D1DE02C7D}.exe"	{73DF4FAC-C11D-4740-8946-030881787FD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06D4813E-F44D-4b43-B4ED-2D0D1DE02C7D}	{73DF4FAC-C11D-4740-8946-030881787FD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}	{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}	{406F91B9-871F-4afc-8EA9-90C89282210C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}	{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}\stubpath = "C:\\Windows\\{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe"	{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7D396EC-A872-448f-91E9-3E544B32B22B}	{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BACC493-A45C-4800-B649-CBD9194E8DB0}	{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB247C8D-095F-4c35-B27A-3DF72AC56B76}\stubpath = "C:\\Windows\\{EB247C8D-095F-4c35-B27A-3DF72AC56B76}.exe"	{B60E5F37-43D2-4d77-8615-7BD73BB38D7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7022F1E1-125E-4991-BEDE-8C5C9756B470}	{06D4813E-F44D-4b43-B4ED-2D0D1DE02C7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7022F1E1-125E-4991-BEDE-8C5C9756B470}\stubpath = "C:\\Windows\\{7022F1E1-125E-4991-BEDE-8C5C9756B470}.exe"	{06D4813E-F44D-4b43-B4ED-2D0D1DE02C7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}	2024-01-10_4d1f0bb255adaf6982b51e4846ac2528_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{406F91B9-871F-4afc-8EA9-90C89282210C}	{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}\stubpath = "C:\\Windows\\{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe"	2024-01-10_4d1f0bb255adaf6982b51e4846ac2528_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}\stubpath = "C:\\Windows\\{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe"	{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}\stubpath = "C:\\Windows\\{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe"	{406F91B9-871F-4afc-8EA9-90C89282210C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BACC493-A45C-4800-B649-CBD9194E8DB0}\stubpath = "C:\\Windows\\{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe"	{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B60E5F37-43D2-4d77-8615-7BD73BB38D7D}	{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B60E5F37-43D2-4d77-8615-7BD73BB38D7D}\stubpath = "C:\\Windows\\{B60E5F37-43D2-4d77-8615-7BD73BB38D7D}.exe"	{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB247C8D-095F-4c35-B27A-3DF72AC56B76}	{B60E5F37-43D2-4d77-8615-7BD73BB38D7D}.exe

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2340	{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe
2944	{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe
2620	{406F91B9-871F-4afc-8EA9-90C89282210C}.exe
2880	{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe
2392	{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe
1560	{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe
524	{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe
568	{B60E5F37-43D2-4d77-8615-7BD73BB38D7D}.exe
1320	{EB247C8D-095F-4c35-B27A-3DF72AC56B76}.exe
3032	{73DF4FAC-C11D-4740-8946-030881787FD4}.exe
1652	{06D4813E-F44D-4b43-B4ED-2D0D1DE02C7D}.exe
2276	{7022F1E1-125E-4991-BEDE-8C5C9756B470}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe	{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe
File created	C:\Windows\{406F91B9-871F-4afc-8EA9-90C89282210C}.exe	{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe
File created	C:\Windows\{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe	{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe
File created	C:\Windows\{EB247C8D-095F-4c35-B27A-3DF72AC56B76}.exe	{B60E5F37-43D2-4d77-8615-7BD73BB38D7D}.exe
File created	C:\Windows\{7022F1E1-125E-4991-BEDE-8C5C9756B470}.exe	{06D4813E-F44D-4b43-B4ED-2D0D1DE02C7D}.exe
File created	C:\Windows\{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe	2024-01-10_4d1f0bb255adaf6982b51e4846ac2528_goldeneye.exe
File created	C:\Windows\{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe	{406F91B9-871F-4afc-8EA9-90C89282210C}.exe
File created	C:\Windows\{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe	{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe
File created	C:\Windows\{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe	{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe
File created	C:\Windows\{B60E5F37-43D2-4d77-8615-7BD73BB38D7D}.exe	{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe
File created	C:\Windows\{73DF4FAC-C11D-4740-8946-030881787FD4}.exe	{EB247C8D-095F-4c35-B27A-3DF72AC56B76}.exe
File created	C:\Windows\{06D4813E-F44D-4b43-B4ED-2D0D1DE02C7D}.exe	{73DF4FAC-C11D-4740-8946-030881787FD4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2156	2024-01-10_4d1f0bb255adaf6982b51e4846ac2528_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2340	{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe
Token: SeIncBasePriorityPrivilege	2944	{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe
Token: SeIncBasePriorityPrivilege	2620	{406F91B9-871F-4afc-8EA9-90C89282210C}.exe
Token: SeIncBasePriorityPrivilege	2880	{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe
Token: SeIncBasePriorityPrivilege	2392	{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe
Token: SeIncBasePriorityPrivilege	1560	{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe
Token: SeIncBasePriorityPrivilege	524	{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe
Token: SeIncBasePriorityPrivilege	568	{B60E5F37-43D2-4d77-8615-7BD73BB38D7D}.exe
Token: SeIncBasePriorityPrivilege	1320	{EB247C8D-095F-4c35-B27A-3DF72AC56B76}.exe
Token: SeIncBasePriorityPrivilege	3032	{73DF4FAC-C11D-4740-8946-030881787FD4}.exe
Token: SeIncBasePriorityPrivilege	1652	{06D4813E-F44D-4b43-B4ED-2D0D1DE02C7D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2340	2156	2024-01-10_4d1f0bb255adaf6982b51e4846ac2528_goldeneye.exe	28
PID 2156 wrote to memory of 2340	2156	2024-01-10_4d1f0bb255adaf6982b51e4846ac2528_goldeneye.exe	28
PID 2156 wrote to memory of 2340	2156	2024-01-10_4d1f0bb255adaf6982b51e4846ac2528_goldeneye.exe	28
PID 2156 wrote to memory of 2340	2156	2024-01-10_4d1f0bb255adaf6982b51e4846ac2528_goldeneye.exe	28
PID 2156 wrote to memory of 2772	2156	2024-01-10_4d1f0bb255adaf6982b51e4846ac2528_goldeneye.exe	29
PID 2156 wrote to memory of 2772	2156	2024-01-10_4d1f0bb255adaf6982b51e4846ac2528_goldeneye.exe	29
PID 2156 wrote to memory of 2772	2156	2024-01-10_4d1f0bb255adaf6982b51e4846ac2528_goldeneye.exe	29
PID 2156 wrote to memory of 2772	2156	2024-01-10_4d1f0bb255adaf6982b51e4846ac2528_goldeneye.exe	29
PID 2340 wrote to memory of 2944	2340	{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe	30
PID 2340 wrote to memory of 2944	2340	{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe	30
PID 2340 wrote to memory of 2944	2340	{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe	30
PID 2340 wrote to memory of 2944	2340	{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe	30
PID 2340 wrote to memory of 2796	2340	{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe	31
PID 2340 wrote to memory of 2796	2340	{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe	31
PID 2340 wrote to memory of 2796	2340	{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe	31
PID 2340 wrote to memory of 2796	2340	{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe	31
PID 2944 wrote to memory of 2620	2944	{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe	35
PID 2944 wrote to memory of 2620	2944	{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe	35
PID 2944 wrote to memory of 2620	2944	{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe	35
PID 2944 wrote to memory of 2620	2944	{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe	35
PID 2944 wrote to memory of 2420	2944	{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe	34
PID 2944 wrote to memory of 2420	2944	{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe	34
PID 2944 wrote to memory of 2420	2944	{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe	34
PID 2944 wrote to memory of 2420	2944	{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe	34
PID 2620 wrote to memory of 2880	2620	{406F91B9-871F-4afc-8EA9-90C89282210C}.exe	36
PID 2620 wrote to memory of 2880	2620	{406F91B9-871F-4afc-8EA9-90C89282210C}.exe	36
PID 2620 wrote to memory of 2880	2620	{406F91B9-871F-4afc-8EA9-90C89282210C}.exe	36
PID 2620 wrote to memory of 2880	2620	{406F91B9-871F-4afc-8EA9-90C89282210C}.exe	36
PID 2620 wrote to memory of 2872	2620	{406F91B9-871F-4afc-8EA9-90C89282210C}.exe	37
PID 2620 wrote to memory of 2872	2620	{406F91B9-871F-4afc-8EA9-90C89282210C}.exe	37
PID 2620 wrote to memory of 2872	2620	{406F91B9-871F-4afc-8EA9-90C89282210C}.exe	37
PID 2620 wrote to memory of 2872	2620	{406F91B9-871F-4afc-8EA9-90C89282210C}.exe	37
PID 2880 wrote to memory of 2392	2880	{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe	38
PID 2880 wrote to memory of 2392	2880	{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe	38
PID 2880 wrote to memory of 2392	2880	{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe	38
PID 2880 wrote to memory of 2392	2880	{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe	38
PID 2880 wrote to memory of 624	2880	{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe	39
PID 2880 wrote to memory of 624	2880	{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe	39
PID 2880 wrote to memory of 624	2880	{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe	39
PID 2880 wrote to memory of 624	2880	{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe	39
PID 2392 wrote to memory of 1560	2392	{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe	40
PID 2392 wrote to memory of 1560	2392	{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe	40
PID 2392 wrote to memory of 1560	2392	{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe	40
PID 2392 wrote to memory of 1560	2392	{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe	40
PID 2392 wrote to memory of 2548	2392	{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe	41
PID 2392 wrote to memory of 2548	2392	{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe	41
PID 2392 wrote to memory of 2548	2392	{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe	41
PID 2392 wrote to memory of 2548	2392	{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe	41
PID 1560 wrote to memory of 524	1560	{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe	42
PID 1560 wrote to memory of 524	1560	{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe	42
PID 1560 wrote to memory of 524	1560	{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe	42
PID 1560 wrote to memory of 524	1560	{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe	42
PID 1560 wrote to memory of 436	1560	{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe	43
PID 1560 wrote to memory of 436	1560	{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe	43
PID 1560 wrote to memory of 436	1560	{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe	43
PID 1560 wrote to memory of 436	1560	{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe	43
PID 524 wrote to memory of 568	524	{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe	44
PID 524 wrote to memory of 568	524	{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe	44
PID 524 wrote to memory of 568	524	{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe	44
PID 524 wrote to memory of 568	524	{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe	44
PID 524 wrote to memory of 852	524	{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe	45
PID 524 wrote to memory of 852	524	{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe	45
PID 524 wrote to memory of 852	524	{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe	45
PID 524 wrote to memory of 852	524	{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-10_4d1f0bb255adaf6982b51e4846ac2528_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_4d1f0bb255adaf6982b51e4846ac2528_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe
  C:\Windows\{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe
    C:\Windows\{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{02647~1.EXE > nul
      4⤵
      PID:2420
  - - C:\Windows\{406F91B9-871F-4afc-8EA9-90C89282210C}.exe
      C:\Windows\{406F91B9-871F-4afc-8EA9-90C89282210C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe
        
        C:\Windows\{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe
        
        C:\Windows\{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe
        
        C:\Windows\{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe
        
        C:\Windows\{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\{B60E5F37-43D2-4d77-8615-7BD73BB38D7D}.exe
        
        C:\Windows\{B60E5F37-43D2-4d77-8615-7BD73BB38D7D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\{EB247C8D-095F-4c35-B27A-3DF72AC56B76}.exe
        
        C:\Windows\{EB247C8D-095F-4c35-B27A-3DF72AC56B76}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\{73DF4FAC-C11D-4740-8946-030881787FD4}.exe
        
        C:\Windows\{73DF4FAC-C11D-4740-8946-030881787FD4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\{06D4813E-F44D-4b43-B4ED-2D0D1DE02C7D}.exe
        
        C:\Windows\{06D4813E-F44D-4b43-B4ED-2D0D1DE02C7D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06D48~1.EXE > nul
        13⤵
        
        PID:432
        
        C:\Windows\{7022F1E1-125E-4991-BEDE-8C5C9756B470}.exe
        
        C:\Windows\{7022F1E1-125E-4991-BEDE-8C5C9756B470}.exe
        13⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73DF4~1.EXE > nul
        12⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB247~1.EXE > nul
        11⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B60E5~1.EXE > nul
        10⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BACC~1.EXE > nul
        9⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7D39~1.EXE > nul
        8⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED0CA~1.EXE > nul
        7⤵
        
        PID:2548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5A6B~1.EXE > nul
        6⤵
        
        PID:624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{406F9~1.EXE > nul
        5⤵
        
        PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{03CE0~1.EXE > nul
    3⤵
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02647471-CEC9-4baf-8FEE-8B6FCB6E91DC}.exe

Filesize
408KB

MD5
11e28685c76b9559130b3cb10c08e6bb

SHA1
e5dd31e9b3dfc998fd7b1a71ee52430f3cef939a

SHA256
88e9177818f9c35d3d8e845d4e97b154be7a2eadbe7f71c55861c043a4bac487

SHA512
c08bb93764fc3c0742a577c6bdb03bedb1df51d41bea475d5f17a6aa530a8e270876a8720fb8a0ce42413b1b960b5e5e576bbc42d844434e681d5f33097e032e

Download Submit
C:\Windows\{03CE06FB-D4A9-49dc-A89B-A1A6EA8460BE}.exe

Filesize
408KB

MD5
b89ee60f6dbb6e7758a413329eb3c64f

SHA1
ffcc40478dbce9075e71c79a2d6521584f1bb227

SHA256
6b227a0067682f914cee3f4fae4adbf21f59714c1d9712d9de409af7c9510b46

SHA512
dfbd4d9a488e6600fcc23d9d4c154eea04057659069818e855b1f53707652a5ae9a574f90aa2347c46e08234861859f871a7538b78838600d55098186634b643

Download Submit
C:\Windows\{06D4813E-F44D-4b43-B4ED-2D0D1DE02C7D}.exe

Filesize
408KB

MD5
f693e3218c8808582ae3ca35c1ee1ffc

SHA1
56489041d6c7833fb3e4a2eae4b3d33399701301

SHA256
bb2b782bb15dbe5271e66697df6d179924e9100374b19c6f39a654f9bbd01f63

SHA512
881a20f6a6ad3b32ba18c24af57df19c09e02b8afc4fb86ce9fa641437ae11ac7f0d71b41d6f94570eb7afec73f92c82d117baca0c7ac61f3a3168388ca9b601

Download Submit
C:\Windows\{0BACC493-A45C-4800-B649-CBD9194E8DB0}.exe

Filesize
408KB

MD5
310fe35f8674f492848fce4323fabf83

SHA1
a212a4f1c0a1a4d18052a626ff3f2d68993be351

SHA256
2a5d3874911cef90d92fada9c1f9fe0610ef4678c302c751abf76e4ea4754b49

SHA512
dbdb2acbb791e3716577ec4c5abad7893696f347cd7186b7cf2442aff340af15ddb9aa9691590dd933c50ff178a3d2ed43860bd84912058a984fda58bc046de6

Download Submit
C:\Windows\{406F91B9-871F-4afc-8EA9-90C89282210C}.exe

Filesize
408KB

MD5
a1085f7e314ece2114491cfcf74b93bd

SHA1
6b49ed94a1384dd01d3ea573aeb455375fb487f1

SHA256
4d4e6a5ff4bf2836a3cca1f3ebd2412d991612c521cf20705981e52b09f2c5ae

SHA512
1ad180c31f505b07bac9b025fff26b0488037b0c9ace16eeceef8681aa960f3ce3d93a029b2f7d160437c1d554957ae9a0cfb8e3ec7efe12ba085c48b124386c

Download Submit
C:\Windows\{7022F1E1-125E-4991-BEDE-8C5C9756B470}.exe

Filesize
408KB

MD5
b62927cb1d4220aaa6ed03dcf5d62556

SHA1
560e3af08299959cdb89986536fdafda64a1eb64

SHA256
58cfb8ede0b0e289a72db656324bc37f411e40c27ee6a1417c492ffc9ec40881

SHA512
ddf336ef6c121ea40c5bb041df2856f119a586fd78ae459483e470674c602a3e651589b21b12773ebfec6502f32c38af03dc128e36bad90ecb8f7c11d3de47e6

Download Submit
C:\Windows\{73DF4FAC-C11D-4740-8946-030881787FD4}.exe

Filesize
408KB

MD5
a9dd413b906405c3121fcffa3599b461

SHA1
d422e96bafb6c85816f9ea75489ed6ff76f74d63

SHA256
c373a2955a5f4a18fb95c3e48015a94c6c3e2cf7ecfa8f7e9f8e84af15b31eb3

SHA512
acbe17686d17e2e76ee49f7c419b38c594fd08f0b58a2b9508ce11ad93aab8626e55ade1b009be9bbbf188f8ca038cd38d1a3eaaf91a7310505253b8d4001fd1

Download Submit
C:\Windows\{B5A6BE01-720A-41ba-B4C4-4854CE392EB8}.exe

Filesize
408KB

MD5
4d6092a4c1fceb505b4ad7135cf1367b

SHA1
a83178f40454ae7d58309a2d732557b89dd80b30

SHA256
23c3d2c9d1cddb214a3972986854ec60c16abdbc53b850f1bf6cf217f48d6694

SHA512
67ac9603db45ac378768d965e69a7c68eed5e196a3551985d95062630d339d43f930d304d5de55332596b51a89ac485f3f93349f69c5173b78881aced1690465

Download Submit
C:\Windows\{B60E5F37-43D2-4d77-8615-7BD73BB38D7D}.exe

Filesize
408KB

MD5
07909059bde31c69eaf6811f5664156c

SHA1
e5fb00d854a9fa0caf2b25ac843b2b831c8364f8

SHA256
419db74f4f745c9e59bedaf9d233670d04f47feb865744dd01eb4b5866229ecc

SHA512
8a3844083584178929ced5a8c859cafd68022e04754b4a17540cc30215f91da58c4e88d8b81e375b354606e82100c34a8ccadef22570c600d977121c9e6c0922

Download Submit
C:\Windows\{E7D396EC-A872-448f-91E9-3E544B32B22B}.exe

Filesize
408KB

MD5
cc228573605e913ee9055e141d304294

SHA1
4faae5fce3f633920e32d525029e941c25cce690

SHA256
9553d19ce10a05beb20e55edb6b1d68cc1c07d3e06c53377b6894543abeedce8

SHA512
8a20453a1fa88ab3b213d860610fefdd43f4471bf4ed75658f56e2d49387cf928231a41d528063698cca858ef62afe18af3d03d3405b4df1b1904e733c106c68

Download Submit
C:\Windows\{EB247C8D-095F-4c35-B27A-3DF72AC56B76}.exe

Filesize
408KB

MD5
ad4d3606bc5977839e7029cedc348211

SHA1
2459e2bf2c9fb4e5b8e4e1c07f82b6b87231ac24

SHA256
9118221c21067e3012bc5114c335a036f39c1f0b2a5767147412e754f1551dcc

SHA512
84c83a46e111b71d4a8d142f693db771e976d0841cd5b1533c5421dea3fb748f25acd88a86a0159c4fef859bafd7e7a51c2e22d39f160b7e0736d418729d6aec

Download Submit
C:\Windows\{ED0CA6C7-CC82-46d4-ACA2-AF4AEF221618}.exe

Filesize
408KB

MD5
6d37d28f96d56d769dca40bf70088645

SHA1
ecf39b7a5e9711f2b86ddd33e0b5a0ea7b318e6a

SHA256
886b336706ca528cc0fdc6a24f66eb687852dd243fca5511eae3b2c709860123

SHA512
41948c86ba4cf2dfc383199283a754f5418aef5a718285bc9dfc44134184b36b534e767ea5aefef78458cbc49e7e728bdf33dcaece651cc0aa0bee3800652720

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads