f90ed7ee37fd19bbed7de0aa2bf80074e3fe1601b6fd9c31a839a6579866c6c3

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe
Size

180KB
MD5

5023229841ba263b955304597eaf84a5
SHA1

7e697e347b97da10a329fbab4044c59aa90399f0
SHA256

f90ed7ee37fd19bbed7de0aa2bf80074e3fe1601b6fd9c31a839a6579866c6c3
SHA512

487e469f4bfc1695b1ecf1b6923b0caac07043f893956815492fec1e51987a7d3bec903f4fc62b4acfdf38a8eab2ac6ccbb230ba2c8b4d939c6c8c568e615479
SSDEEP

3072:jEGh0oylfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGMl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBDD10F2-2D17-4455-9053-6B454E1B099E}\stubpath = "C:\\Windows\\{CBDD10F2-2D17-4455-9053-6B454E1B099E}.exe"	{7F5E8D7A-AB59-4cba-BAFE-33D9492A4D95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DC16D5C-1DFC-4d96-AB0A-D4463963A619}	{CBDD10F2-2D17-4455-9053-6B454E1B099E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A883A211-B058-4830-8978-CA3E1D979B77}\stubpath = "C:\\Windows\\{A883A211-B058-4830-8978-CA3E1D979B77}.exe"	{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}	{31026972-03B8-4dce-93CE-147EF7292B88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A883A211-B058-4830-8978-CA3E1D979B77}	{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}\stubpath = "C:\\Windows\\{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe"	{31026972-03B8-4dce-93CE-147EF7292B88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}	{86426239-1B14-46a5-96BA-780982BAEDA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{468ECB36-2BC1-4687-9533-3D7E0895E242}\stubpath = "C:\\Windows\\{468ECB36-2BC1-4687-9533-3D7E0895E242}.exe"	{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBDD10F2-2D17-4455-9053-6B454E1B099E}	{7F5E8D7A-AB59-4cba-BAFE-33D9492A4D95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF6AC7B8-B5F3-4ac0-BC33-A87128346625}	{9DC16D5C-1DFC-4d96-AB0A-D4463963A619}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA3FCB85-9FED-4e02-B719-0225AC7E5714}	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}	{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF6AC7B8-B5F3-4ac0-BC33-A87128346625}\stubpath = "C:\\Windows\\{FF6AC7B8-B5F3-4ac0-BC33-A87128346625}.exe"	{9DC16D5C-1DFC-4d96-AB0A-D4463963A619}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86426239-1B14-46a5-96BA-780982BAEDA9}\stubpath = "C:\\Windows\\{86426239-1B14-46a5-96BA-780982BAEDA9}.exe"	{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}\stubpath = "C:\\Windows\\{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe"	{86426239-1B14-46a5-96BA-780982BAEDA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{468ECB36-2BC1-4687-9533-3D7E0895E242}	{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA3FCB85-9FED-4e02-B719-0225AC7E5714}\stubpath = "C:\\Windows\\{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe"	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}\stubpath = "C:\\Windows\\{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe"	{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86426239-1B14-46a5-96BA-780982BAEDA9}	{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F5E8D7A-AB59-4cba-BAFE-33D9492A4D95}	{468ECB36-2BC1-4687-9533-3D7E0895E242}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F5E8D7A-AB59-4cba-BAFE-33D9492A4D95}\stubpath = "C:\\Windows\\{7F5E8D7A-AB59-4cba-BAFE-33D9492A4D95}.exe"	{468ECB36-2BC1-4687-9533-3D7E0895E242}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DC16D5C-1DFC-4d96-AB0A-D4463963A619}\stubpath = "C:\\Windows\\{9DC16D5C-1DFC-4d96-AB0A-D4463963A619}.exe"	{CBDD10F2-2D17-4455-9053-6B454E1B099E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31026972-03B8-4dce-93CE-147EF7292B88}	{A883A211-B058-4830-8978-CA3E1D979B77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31026972-03B8-4dce-93CE-147EF7292B88}\stubpath = "C:\\Windows\\{31026972-03B8-4dce-93CE-147EF7292B88}.exe"	{A883A211-B058-4830-8978-CA3E1D979B77}.exe

Deletes itself 1 IoCs

pid	Process
2840	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2376	{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe
2728	{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe
288	{A883A211-B058-4830-8978-CA3E1D979B77}.exe
2872	{31026972-03B8-4dce-93CE-147EF7292B88}.exe
3012	{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe
2512	{86426239-1B14-46a5-96BA-780982BAEDA9}.exe
524	{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe
1332	{468ECB36-2BC1-4687-9533-3D7E0895E242}.exe
2120	{7F5E8D7A-AB59-4cba-BAFE-33D9492A4D95}.exe
2516	{CBDD10F2-2D17-4455-9053-6B454E1B099E}.exe
2260	{9DC16D5C-1DFC-4d96-AB0A-D4463963A619}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A883A211-B058-4830-8978-CA3E1D979B77}.exe	{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe
File created	C:\Windows\{86426239-1B14-46a5-96BA-780982BAEDA9}.exe	{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe
File created	C:\Windows\{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe	{86426239-1B14-46a5-96BA-780982BAEDA9}.exe
File created	C:\Windows\{468ECB36-2BC1-4687-9533-3D7E0895E242}.exe	{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe
File created	C:\Windows\{7F5E8D7A-AB59-4cba-BAFE-33D9492A4D95}.exe	{468ECB36-2BC1-4687-9533-3D7E0895E242}.exe
File created	C:\Windows\{FF6AC7B8-B5F3-4ac0-BC33-A87128346625}.exe	{9DC16D5C-1DFC-4d96-AB0A-D4463963A619}.exe
File created	C:\Windows\{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe
File created	C:\Windows\{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe	{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe
File created	C:\Windows\{31026972-03B8-4dce-93CE-147EF7292B88}.exe	{A883A211-B058-4830-8978-CA3E1D979B77}.exe
File created	C:\Windows\{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe	{31026972-03B8-4dce-93CE-147EF7292B88}.exe
File created	C:\Windows\{CBDD10F2-2D17-4455-9053-6B454E1B099E}.exe	{7F5E8D7A-AB59-4cba-BAFE-33D9492A4D95}.exe
File created	C:\Windows\{9DC16D5C-1DFC-4d96-AB0A-D4463963A619}.exe	{CBDD10F2-2D17-4455-9053-6B454E1B099E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1132	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2376	{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe
Token: SeIncBasePriorityPrivilege	2728	{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe
Token: SeIncBasePriorityPrivilege	288	{A883A211-B058-4830-8978-CA3E1D979B77}.exe
Token: SeIncBasePriorityPrivilege	2872	{31026972-03B8-4dce-93CE-147EF7292B88}.exe
Token: SeIncBasePriorityPrivilege	3012	{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe
Token: SeIncBasePriorityPrivilege	2512	{86426239-1B14-46a5-96BA-780982BAEDA9}.exe
Token: SeIncBasePriorityPrivilege	524	{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe
Token: SeIncBasePriorityPrivilege	1332	{468ECB36-2BC1-4687-9533-3D7E0895E242}.exe
Token: SeIncBasePriorityPrivilege	2120	{7F5E8D7A-AB59-4cba-BAFE-33D9492A4D95}.exe
Token: SeIncBasePriorityPrivilege	2516	{CBDD10F2-2D17-4455-9053-6B454E1B099E}.exe
Token: SeIncBasePriorityPrivilege	2260	{9DC16D5C-1DFC-4d96-AB0A-D4463963A619}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 2376	1132	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe	28
PID 1132 wrote to memory of 2376	1132	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe	28
PID 1132 wrote to memory of 2376	1132	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe	28
PID 1132 wrote to memory of 2376	1132	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe	28
PID 1132 wrote to memory of 2840	1132	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe	29
PID 1132 wrote to memory of 2840	1132	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe	29
PID 1132 wrote to memory of 2840	1132	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe	29
PID 1132 wrote to memory of 2840	1132	2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe	29
PID 2376 wrote to memory of 2728	2376	{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe	30
PID 2376 wrote to memory of 2728	2376	{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe	30
PID 2376 wrote to memory of 2728	2376	{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe	30
PID 2376 wrote to memory of 2728	2376	{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe	30
PID 2376 wrote to memory of 1084	2376	{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe	31
PID 2376 wrote to memory of 1084	2376	{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe	31
PID 2376 wrote to memory of 1084	2376	{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe	31
PID 2376 wrote to memory of 1084	2376	{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe	31
PID 2728 wrote to memory of 288	2728	{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe	32
PID 2728 wrote to memory of 288	2728	{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe	32
PID 2728 wrote to memory of 288	2728	{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe	32
PID 2728 wrote to memory of 288	2728	{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe	32
PID 2728 wrote to memory of 2604	2728	{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe	33
PID 2728 wrote to memory of 2604	2728	{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe	33
PID 2728 wrote to memory of 2604	2728	{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe	33
PID 2728 wrote to memory of 2604	2728	{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe	33
PID 288 wrote to memory of 2872	288	{A883A211-B058-4830-8978-CA3E1D979B77}.exe	36
PID 288 wrote to memory of 2872	288	{A883A211-B058-4830-8978-CA3E1D979B77}.exe	36
PID 288 wrote to memory of 2872	288	{A883A211-B058-4830-8978-CA3E1D979B77}.exe	36
PID 288 wrote to memory of 2872	288	{A883A211-B058-4830-8978-CA3E1D979B77}.exe	36
PID 288 wrote to memory of 2792	288	{A883A211-B058-4830-8978-CA3E1D979B77}.exe	37
PID 288 wrote to memory of 2792	288	{A883A211-B058-4830-8978-CA3E1D979B77}.exe	37
PID 288 wrote to memory of 2792	288	{A883A211-B058-4830-8978-CA3E1D979B77}.exe	37
PID 288 wrote to memory of 2792	288	{A883A211-B058-4830-8978-CA3E1D979B77}.exe	37
PID 2872 wrote to memory of 3012	2872	{31026972-03B8-4dce-93CE-147EF7292B88}.exe	38
PID 2872 wrote to memory of 3012	2872	{31026972-03B8-4dce-93CE-147EF7292B88}.exe	38
PID 2872 wrote to memory of 3012	2872	{31026972-03B8-4dce-93CE-147EF7292B88}.exe	38
PID 2872 wrote to memory of 3012	2872	{31026972-03B8-4dce-93CE-147EF7292B88}.exe	38
PID 2872 wrote to memory of 2588	2872	{31026972-03B8-4dce-93CE-147EF7292B88}.exe	39
PID 2872 wrote to memory of 2588	2872	{31026972-03B8-4dce-93CE-147EF7292B88}.exe	39
PID 2872 wrote to memory of 2588	2872	{31026972-03B8-4dce-93CE-147EF7292B88}.exe	39
PID 2872 wrote to memory of 2588	2872	{31026972-03B8-4dce-93CE-147EF7292B88}.exe	39
PID 3012 wrote to memory of 2512	3012	{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe	40
PID 3012 wrote to memory of 2512	3012	{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe	40
PID 3012 wrote to memory of 2512	3012	{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe	40
PID 3012 wrote to memory of 2512	3012	{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe	40
PID 3012 wrote to memory of 1668	3012	{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe	41
PID 3012 wrote to memory of 1668	3012	{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe	41
PID 3012 wrote to memory of 1668	3012	{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe	41
PID 3012 wrote to memory of 1668	3012	{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe	41
PID 2512 wrote to memory of 524	2512	{86426239-1B14-46a5-96BA-780982BAEDA9}.exe	42
PID 2512 wrote to memory of 524	2512	{86426239-1B14-46a5-96BA-780982BAEDA9}.exe	42
PID 2512 wrote to memory of 524	2512	{86426239-1B14-46a5-96BA-780982BAEDA9}.exe	42
PID 2512 wrote to memory of 524	2512	{86426239-1B14-46a5-96BA-780982BAEDA9}.exe	42
PID 2512 wrote to memory of 268	2512	{86426239-1B14-46a5-96BA-780982BAEDA9}.exe	43
PID 2512 wrote to memory of 268	2512	{86426239-1B14-46a5-96BA-780982BAEDA9}.exe	43
PID 2512 wrote to memory of 268	2512	{86426239-1B14-46a5-96BA-780982BAEDA9}.exe	43
PID 2512 wrote to memory of 268	2512	{86426239-1B14-46a5-96BA-780982BAEDA9}.exe	43
PID 524 wrote to memory of 1332	524	{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe	44
PID 524 wrote to memory of 1332	524	{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe	44
PID 524 wrote to memory of 1332	524	{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe	44
PID 524 wrote to memory of 1332	524	{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe	44
PID 524 wrote to memory of 300	524	{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe	45
PID 524 wrote to memory of 300	524	{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe	45
PID 524 wrote to memory of 300	524	{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe	45
PID 524 wrote to memory of 300	524	{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_5023229841ba263b955304597eaf84a5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe
  C:\Windows\{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe
    C:\Windows\{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{A883A211-B058-4830-8978-CA3E1D979B77}.exe
      C:\Windows\{A883A211-B058-4830-8978-CA3E1D979B77}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:288
    - - C:\Windows\{31026972-03B8-4dce-93CE-147EF7292B88}.exe
        
        C:\Windows\{31026972-03B8-4dce-93CE-147EF7292B88}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
      - C:\Windows\{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe
        
        C:\Windows\{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\{86426239-1B14-46a5-96BA-780982BAEDA9}.exe
        
        C:\Windows\{86426239-1B14-46a5-96BA-780982BAEDA9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe
        
        C:\Windows\{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\{468ECB36-2BC1-4687-9533-3D7E0895E242}.exe
        
        C:\Windows\{468ECB36-2BC1-4687-9533-3D7E0895E242}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Windows\{7F5E8D7A-AB59-4cba-BAFE-33D9492A4D95}.exe
        
        C:\Windows\{7F5E8D7A-AB59-4cba-BAFE-33D9492A4D95}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\{CBDD10F2-2D17-4455-9053-6B454E1B099E}.exe
        
        C:\Windows\{CBDD10F2-2D17-4455-9053-6B454E1B099E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\{9DC16D5C-1DFC-4d96-AB0A-D4463963A619}.exe
        
        C:\Windows\{9DC16D5C-1DFC-4d96-AB0A-D4463963A619}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\{FF6AC7B8-B5F3-4ac0-BC33-A87128346625}.exe
        
        C:\Windows\{FF6AC7B8-B5F3-4ac0-BC33-A87128346625}.exe
        13⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DC16~1.EXE > nul
        13⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBDD1~1.EXE > nul
        12⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F5E8~1.EXE > nul
        11⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{468EC~1.EXE > nul
        10⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23BB7~1.EXE > nul
        9⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86426~1.EXE > nul
        8⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47EE1~1.EXE > nul
        7⤵
        
        PID:1668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31026~1.EXE > nul
        6⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A883A~1.EXE > nul
        5⤵
        
        PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2C08E~1.EXE > nul
      4⤵
      PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EA3FC~1.EXE > nul
    3⤵
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{23BB7FA6-EAF9-4a2b-9428-7474AD052C57}.exe

Filesize
180KB

MD5
a99d6691ce96663b0bbd2e8f3480b0ea

SHA1
20e4b85a163d0978ee79814ecac1357ee266a4e8

SHA256
ec19e92a41b90c05a52c65407489d63441f5b792859543b29cbf16c44cd723c1

SHA512
196348add1ff72986c26717fe7450ec530491f7e74f1907997b6475214ab72f4c0c9d1c69afa8fbfddf90921bf095f0b0f798f7063c3c732d0d87e3a6b66e8f8

Download Submit
C:\Windows\{2C08ED8D-068C-4173-A80B-8DEC0BCC6225}.exe

Filesize
180KB

MD5
7a3bd13d8c46bc53cbfa618d2be83061

SHA1
636c36d6f5111129695ce67e2adee017e8e94c9e

SHA256
fc3e44c2278d590b7bb5e0030ce08197084fbd0b541a9a9385728a5233254449

SHA512
687684c681324b9bee954f52945ce57802fac47cffd2b294075d84a1fea4596af7bfca4451ac1697ac7bb073bb9053530e12936bd2d6f1b9eeb26774e468c4db

Download Submit
C:\Windows\{31026972-03B8-4dce-93CE-147EF7292B88}.exe

Filesize
180KB

MD5
098a118cfe740d57846e7eeb190a5673

SHA1
12ec0821b85602f550f809200988fd877e4e2823

SHA256
3963ec2791ad47e9589379d8757e685a9835d6c61aed99d41a04ef6b4c164b3d

SHA512
8f051dd998374bc23c76b728e8ead2b7174c46ff03f4a4973655dedb6e770af9bf506a3f7dd4c04bc5eadeaf758cc88fa47fb986522d96acb73fd3099c4cbb64

Download Submit
C:\Windows\{468ECB36-2BC1-4687-9533-3D7E0895E242}.exe

Filesize
180KB

MD5
fc0fa06603036f30a97676d0c18cfa67

SHA1
b87c6c478f097151a6cf0fa49080dbc6820c1d8d

SHA256
61362713374973c64cecf975be753e58c9d646e85ff7491e6bb8c861e34d807a

SHA512
115189dbffcc1bf0cce1a918c420a28499768f74411d359f7491de13dba077c8ac75cb6eeff629cadd034df8c5cdc90faaa3b2e2f9d9550b23ba9cd64ade1fc2

Download Submit
C:\Windows\{47EE10AB-52D0-457f-AAD4-F2B208CBDF02}.exe

Filesize
180KB

MD5
f1dc85fd6c49df55f9934daca321192e

SHA1
c19e2270e17adb4e3907ce6622fb143ad9f47cb2

SHA256
2dc12ad45a7abea86a2f217ce7c4e1900a8deb0a986aff59bea1013c3ca3ee9d

SHA512
11d41de71e71d2335971a6a006522f5c099ffbbace8f5afc1562258becf6a6b17ef88ad577904a6d1b16665704831bafb08ccdd328ee707b32573e19034725d2

Download Submit
C:\Windows\{7F5E8D7A-AB59-4cba-BAFE-33D9492A4D95}.exe

Filesize
180KB

MD5
ebdc465bbbb589fb53574b5ab9caf66c

SHA1
70d9f1a29b7c7d0392d0a29e80d611f3c8bba36d

SHA256
9e447342674528d3099fa5cb5b5c98d982582015de26140a5616ec89d5664b7e

SHA512
185f3956997df67c36d6f862c0d0398bca490677ecfe4804168beb26c87c71b5eb6b990e7e4922b19a054aee639260a169924f62cee8117ab90c3576302b652b

Download Submit
C:\Windows\{86426239-1B14-46a5-96BA-780982BAEDA9}.exe

Filesize
180KB

MD5
4fe54686aa6ff6dc487478b9e9de93a6

SHA1
190b322e4eda56e427b8db94edcdd02b21a6776d

SHA256
627f32b10850255c4bd08b663ecd422dd4032edb07e3be6ba5ec6e35f1514732

SHA512
c65a6c169d91df9f553a0e90fbee12bd46f42a23bf35593b5969c1545dc8dbff23211eb0bf89eb3aaae61dcc55bd5e1a4776bb608a13b01c13bd3e73dfd9cb0c

Download Submit
C:\Windows\{9DC16D5C-1DFC-4d96-AB0A-D4463963A619}.exe

Filesize
180KB

MD5
443ad90151c4a655769fa53c7bfc3272

SHA1
75817b4baae4871a1b6a9bb3aea55b1cd260ae33

SHA256
8b72a9eaf0c55a4987db21572ab75dd58bfe54ee01a88d5daba32c622a54fa80

SHA512
537f74451d23f2e6ae2c70a43f7b1cfeafa079a199729a293500ebe03833d75581a5f684bce182e18798fb64d36c10fd8b72b62c7de10a98f8f325bc980761a8

Download Submit
C:\Windows\{A883A211-B058-4830-8978-CA3E1D979B77}.exe

Filesize
180KB

MD5
1d0f9b14229d3732738584b7f1eda430

SHA1
4851d36b347a1ed6a9a7ddd21a6cae82604e263e

SHA256
190c4224fcb84d844b57d041db9058eb76f6c6f6f06a3764fabc2d1ef2aea9d8

SHA512
99cec8426bab97ad3ff7b7ead2178252acbdb4b2200a6452dd4f58a6cdb3d822333b24f4a95593a01b15aac58a2fed0c22a7164883769f430a24fbbe24422317

Download Submit
C:\Windows\{CBDD10F2-2D17-4455-9053-6B454E1B099E}.exe

Filesize
180KB

MD5
f91d5cb42245d8880ecd6070aecb3c8f

SHA1
01338224ade8304a1126f671ddacff9357ebe075

SHA256
3a096f6ff56d823f6693851f79f035e638cf802da399060c23009c5a6592d13f

SHA512
b4450e10bbc842c413ee618cf39edb7f088815bc1346862c6377f5532762cebb30780156e9ee81c23e35fda6954b97eda964b5cf89d1ed1c26129ca158f9fa16

Download Submit
C:\Windows\{CBDD10F2-2D17-4455-9053-6B454E1B099E}.exe

Filesize
35KB

MD5
5667cefa7b1949c6718b2facb35b0837

SHA1
3fab607c99d6e5cd127351e1a3aa062378e3745f

SHA256
3dd67f2e02e4dc3cc736c2d87526cff4a1bf12355463dde1b067ed84a28d617c

SHA512
a0d60af7afc7e511fb5d6a0ce071abf5aa7a8500d05f8a9a1b5eb6ff3620dc82d66986ce4c6da075d18904221a135cceceeda3a2054dd9a05355f3b8d381f1c6

Download Submit
C:\Windows\{EA3FCB85-9FED-4e02-B719-0225AC7E5714}.exe

Filesize
180KB

MD5
ae5a5eee0564dc032ac3dd808a72e431

SHA1
dc7932f359bee3a67156b9b2e38b7dea814fd064

SHA256
df559ab89d70b2e967fdd846eaa220f7daf36e854724de1eabd3c5d2c7b6ad37

SHA512
ecbe360558c9d9b3d77e63dc2d9890beb4535573335a908b1ff9ae574a3bf778e8c0119a6fd8199b4bf7957b1cad336daeb3cd94bd879304524dab743134a9d8

Download Submit
C:\Windows\{FF6AC7B8-B5F3-4ac0-BC33-A87128346625}.exe

Filesize
180KB

MD5
7dc95bc14fa4b200f8016ad2d0619f2c

SHA1
a66f35f82a0e1c90e9e45cdd9071df2dddedfae2

SHA256
4669479379fb06732d9b1074a50fec467f027155084688c4f1224f390b7362a1

SHA512
3346f1066e59c692d4481fe01cd829f7e52ec1efb1d5a02e2c88d4f0057d288eb29a16d5095358563d9d9c291fbd031380914869551bc9279f57fe83f88c0424

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads