7f7802586d8a8472c44d6c32b1e5d1f146e98721b98df9e6f626bc904fd35d58

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe
Size

192KB
MD5

5e2f5924e8e7b011f89e6486a9e07f3e
SHA1

f1681304f8a245b5dacc83c715254f2b633c3865
SHA256

7f7802586d8a8472c44d6c32b1e5d1f146e98721b98df9e6f626bc904fd35d58
SHA512

6f7222fbccf0494ceba3abede9813576fe3563f6ef00bb0b619980472f4a031ae1025c5ee8739ac02463f847152108ef1f8aa467544a954b89ec18c8e8194c8d
SSDEEP

1536:1EGh0opl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0opl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9345CE2-2413-406d-B0B5-1DA6780A6BFB}\stubpath = "C:\\Windows\\{F9345CE2-2413-406d-B0B5-1DA6780A6BFB}.exe"	{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61B22536-DB13-4b6a-851A-2A825F7934F1}	{BE121007-D112-4921-931B-E955F73FE2FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F318AED-DFDD-42dd-9994-81F9191E7B89}	{61B22536-DB13-4b6a-851A-2A825F7934F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED1E0D71-E844-48b2-8079-3545BD841C02}	{1892DADC-8924-423c-8B51-1B080CCFE827}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}	{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}\stubpath = "C:\\Windows\\{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe"	{B90D651A-6E44-4593-8CA7-20671DB51992}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}\stubpath = "C:\\Windows\\{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe"	{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9345CE2-2413-406d-B0B5-1DA6780A6BFB}	{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}\stubpath = "C:\\Windows\\{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe"	{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1892DADC-8924-423c-8B51-1B080CCFE827}\stubpath = "C:\\Windows\\{1892DADC-8924-423c-8B51-1B080CCFE827}.exe"	{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED1E0D71-E844-48b2-8079-3545BD841C02}\stubpath = "C:\\Windows\\{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe"	{1892DADC-8924-423c-8B51-1B080CCFE827}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1892DADC-8924-423c-8B51-1B080CCFE827}	{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE121007-D112-4921-931B-E955F73FE2FD}\stubpath = "C:\\Windows\\{BE121007-D112-4921-931B-E955F73FE2FD}.exe"	{F9345CE2-2413-406d-B0B5-1DA6780A6BFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D5D08FF-C5C7-4a99-897D-5B11579EC681}	2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D5D08FF-C5C7-4a99-897D-5B11579EC681}\stubpath = "C:\\Windows\\{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe"	2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}	{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE121007-D112-4921-931B-E955F73FE2FD}	{F9345CE2-2413-406d-B0B5-1DA6780A6BFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61B22536-DB13-4b6a-851A-2A825F7934F1}\stubpath = "C:\\Windows\\{61B22536-DB13-4b6a-851A-2A825F7934F1}.exe"	{BE121007-D112-4921-931B-E955F73FE2FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F318AED-DFDD-42dd-9994-81F9191E7B89}\stubpath = "C:\\Windows\\{4F318AED-DFDD-42dd-9994-81F9191E7B89}.exe"	{61B22536-DB13-4b6a-851A-2A825F7934F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B90D651A-6E44-4593-8CA7-20671DB51992}	{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B90D651A-6E44-4593-8CA7-20671DB51992}\stubpath = "C:\\Windows\\{B90D651A-6E44-4593-8CA7-20671DB51992}.exe"	{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}	{B90D651A-6E44-4593-8CA7-20671DB51992}.exe

Deletes itself 1 IoCs

pid	Process
2236	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3008	{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe
2556	{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe
2548	{1892DADC-8924-423c-8B51-1B080CCFE827}.exe
1016	{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe
2500	{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe
2736	{B90D651A-6E44-4593-8CA7-20671DB51992}.exe
1044	{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe
1952	{F9345CE2-2413-406d-B0B5-1DA6780A6BFB}.exe
1872	{BE121007-D112-4921-931B-E955F73FE2FD}.exe
1292	{61B22536-DB13-4b6a-851A-2A825F7934F1}.exe
2104	{4F318AED-DFDD-42dd-9994-81F9191E7B89}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe	{1892DADC-8924-423c-8B51-1B080CCFE827}.exe
File created	C:\Windows\{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe	{B90D651A-6E44-4593-8CA7-20671DB51992}.exe
File created	C:\Windows\{F9345CE2-2413-406d-B0B5-1DA6780A6BFB}.exe	{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe
File created	C:\Windows\{BE121007-D112-4921-931B-E955F73FE2FD}.exe	{F9345CE2-2413-406d-B0B5-1DA6780A6BFB}.exe
File created	C:\Windows\{61B22536-DB13-4b6a-851A-2A825F7934F1}.exe	{BE121007-D112-4921-931B-E955F73FE2FD}.exe
File created	C:\Windows\{4F318AED-DFDD-42dd-9994-81F9191E7B89}.exe	{61B22536-DB13-4b6a-851A-2A825F7934F1}.exe
File created	C:\Windows\{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe	{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe
File created	C:\Windows\{1892DADC-8924-423c-8B51-1B080CCFE827}.exe	{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe
File created	C:\Windows\{B90D651A-6E44-4593-8CA7-20671DB51992}.exe	{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe
File created	C:\Windows\{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe	2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe
File created	C:\Windows\{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe	{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1032	2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3008	{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe
Token: SeIncBasePriorityPrivilege	2556	{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe
Token: SeIncBasePriorityPrivilege	2548	{1892DADC-8924-423c-8B51-1B080CCFE827}.exe
Token: SeIncBasePriorityPrivilege	1016	{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe
Token: SeIncBasePriorityPrivilege	2500	{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe
Token: SeIncBasePriorityPrivilege	2736	{B90D651A-6E44-4593-8CA7-20671DB51992}.exe
Token: SeIncBasePriorityPrivilege	1044	{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe
Token: SeIncBasePriorityPrivilege	1952	{F9345CE2-2413-406d-B0B5-1DA6780A6BFB}.exe
Token: SeIncBasePriorityPrivilege	1872	{BE121007-D112-4921-931B-E955F73FE2FD}.exe
Token: SeIncBasePriorityPrivilege	1292	{61B22536-DB13-4b6a-851A-2A825F7934F1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 3008	1032	2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe	28
PID 1032 wrote to memory of 3008	1032	2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe	28
PID 1032 wrote to memory of 3008	1032	2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe	28
PID 1032 wrote to memory of 3008	1032	2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe	28
PID 1032 wrote to memory of 2236	1032	2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe	29
PID 1032 wrote to memory of 2236	1032	2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe	29
PID 1032 wrote to memory of 2236	1032	2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe	29
PID 1032 wrote to memory of 2236	1032	2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe	29
PID 3008 wrote to memory of 2556	3008	{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe	32
PID 3008 wrote to memory of 2556	3008	{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe	32
PID 3008 wrote to memory of 2556	3008	{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe	32
PID 3008 wrote to memory of 2556	3008	{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe	32
PID 3008 wrote to memory of 2856	3008	{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe	33
PID 3008 wrote to memory of 2856	3008	{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe	33
PID 3008 wrote to memory of 2856	3008	{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe	33
PID 3008 wrote to memory of 2856	3008	{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe	33
PID 2556 wrote to memory of 2548	2556	{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe	34
PID 2556 wrote to memory of 2548	2556	{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe	34
PID 2556 wrote to memory of 2548	2556	{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe	34
PID 2556 wrote to memory of 2548	2556	{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe	34
PID 2556 wrote to memory of 2652	2556	{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe	35
PID 2556 wrote to memory of 2652	2556	{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe	35
PID 2556 wrote to memory of 2652	2556	{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe	35
PID 2556 wrote to memory of 2652	2556	{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe	35
PID 2548 wrote to memory of 1016	2548	{1892DADC-8924-423c-8B51-1B080CCFE827}.exe	36
PID 2548 wrote to memory of 1016	2548	{1892DADC-8924-423c-8B51-1B080CCFE827}.exe	36
PID 2548 wrote to memory of 1016	2548	{1892DADC-8924-423c-8B51-1B080CCFE827}.exe	36
PID 2548 wrote to memory of 1016	2548	{1892DADC-8924-423c-8B51-1B080CCFE827}.exe	36
PID 2548 wrote to memory of 652	2548	{1892DADC-8924-423c-8B51-1B080CCFE827}.exe	37
PID 2548 wrote to memory of 652	2548	{1892DADC-8924-423c-8B51-1B080CCFE827}.exe	37
PID 2548 wrote to memory of 652	2548	{1892DADC-8924-423c-8B51-1B080CCFE827}.exe	37
PID 2548 wrote to memory of 652	2548	{1892DADC-8924-423c-8B51-1B080CCFE827}.exe	37
PID 1016 wrote to memory of 2500	1016	{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe	38
PID 1016 wrote to memory of 2500	1016	{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe	38
PID 1016 wrote to memory of 2500	1016	{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe	38
PID 1016 wrote to memory of 2500	1016	{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe	38
PID 1016 wrote to memory of 1180	1016	{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe	39
PID 1016 wrote to memory of 1180	1016	{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe	39
PID 1016 wrote to memory of 1180	1016	{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe	39
PID 1016 wrote to memory of 1180	1016	{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe	39
PID 2500 wrote to memory of 2736	2500	{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe	40
PID 2500 wrote to memory of 2736	2500	{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe	40
PID 2500 wrote to memory of 2736	2500	{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe	40
PID 2500 wrote to memory of 2736	2500	{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe	40
PID 2500 wrote to memory of 2860	2500	{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe	41
PID 2500 wrote to memory of 2860	2500	{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe	41
PID 2500 wrote to memory of 2860	2500	{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe	41
PID 2500 wrote to memory of 2860	2500	{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe	41
PID 2736 wrote to memory of 1044	2736	{B90D651A-6E44-4593-8CA7-20671DB51992}.exe	42
PID 2736 wrote to memory of 1044	2736	{B90D651A-6E44-4593-8CA7-20671DB51992}.exe	42
PID 2736 wrote to memory of 1044	2736	{B90D651A-6E44-4593-8CA7-20671DB51992}.exe	42
PID 2736 wrote to memory of 1044	2736	{B90D651A-6E44-4593-8CA7-20671DB51992}.exe	42
PID 2736 wrote to memory of 1264	2736	{B90D651A-6E44-4593-8CA7-20671DB51992}.exe	43
PID 2736 wrote to memory of 1264	2736	{B90D651A-6E44-4593-8CA7-20671DB51992}.exe	43
PID 2736 wrote to memory of 1264	2736	{B90D651A-6E44-4593-8CA7-20671DB51992}.exe	43
PID 2736 wrote to memory of 1264	2736	{B90D651A-6E44-4593-8CA7-20671DB51992}.exe	43
PID 1044 wrote to memory of 1952	1044	{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe	44
PID 1044 wrote to memory of 1952	1044	{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe	44
PID 1044 wrote to memory of 1952	1044	{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe	44
PID 1044 wrote to memory of 1952	1044	{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe	44
PID 1044 wrote to memory of 2144	1044	{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe	45
PID 1044 wrote to memory of 2144	1044	{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe	45
PID 1044 wrote to memory of 2144	1044	{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe	45
PID 1044 wrote to memory of 2144	1044	{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_5e2f5924e8e7b011f89e6486a9e07f3e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe
  C:\Windows\{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe
    C:\Windows\{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\{1892DADC-8924-423c-8B51-1B080CCFE827}.exe
      C:\Windows\{1892DADC-8924-423c-8B51-1B080CCFE827}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe
        
        C:\Windows\{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
      - C:\Windows\{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe
        
        C:\Windows\{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{B90D651A-6E44-4593-8CA7-20671DB51992}.exe
        
        C:\Windows\{B90D651A-6E44-4593-8CA7-20671DB51992}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe
        
        C:\Windows\{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\{F9345CE2-2413-406d-B0B5-1DA6780A6BFB}.exe
        
        C:\Windows\{F9345CE2-2413-406d-B0B5-1DA6780A6BFB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\{BE121007-D112-4921-931B-E955F73FE2FD}.exe
        
        C:\Windows\{BE121007-D112-4921-931B-E955F73FE2FD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\{61B22536-DB13-4b6a-851A-2A825F7934F1}.exe
        
        C:\Windows\{61B22536-DB13-4b6a-851A-2A825F7934F1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\{4F318AED-DFDD-42dd-9994-81F9191E7B89}.exe
        
        C:\Windows\{4F318AED-DFDD-42dd-9994-81F9191E7B89}.exe
        12⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61B22~1.EXE > nul
        12⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE121~1.EXE > nul
        11⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9345~1.EXE > nul
        10⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6ABF0~1.EXE > nul
        9⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B90D6~1.EXE > nul
        8⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ACC2~1.EXE > nul
        7⤵
        
        PID:2860
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED1E0~1.EXE > nul
        6⤵
        
        PID:1180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1892D~1.EXE > nul
        5⤵
        
        PID:652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{130A6~1.EXE > nul
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0D5D0~1.EXE > nul
    3⤵
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D5D08FF-C5C7-4a99-897D-5B11579EC681}.exe

Filesize
192KB

MD5
6300d02a2d91e2b8862d92a4f15d0145

SHA1
06334bf2b7637fadd901152c7c57714821048d5a

SHA256
59229e4c631ed05d4730df21847e787fc32776aa7d415f05a55220769fed35c5

SHA512
5d08aa039fed7bae975bcbfcba1c6ad6a6bd7ae06eb3f9f419aed04e0c19334321a076ddfadd0632870a16ac9f9e62b5ca9ea3f071f8f956289444811009bc13

Download Submit
C:\Windows\{130A6F42-67C5-4b6b-BBE1-B326C029D1C5}.exe

Filesize
192KB

MD5
c454a967ffbfd120cdb2d10c17545c50

SHA1
c78b060fe7587c4a65a3425c6157765e45d973a4

SHA256
cd8c69851714aa6b2ee3b6bd6493cb7c92c5f69dfef62f6317d6da6cb3540a9c

SHA512
f9b22bdec118bea374ed48053326f5362316457691a8cfb52e6a6dc770d89aa4eb6abdff763c170bb32472795441f960d30ab2a54250fdb235099386f18a529f

Download Submit
C:\Windows\{1892DADC-8924-423c-8B51-1B080CCFE827}.exe

Filesize
192KB

MD5
d735be11c9f4b85b6b5f7cc766431db4

SHA1
4c496ed4f0d753fe1b45ea9c4f678c0eed1f282a

SHA256
e78cb499fc08b897b78d484a5e9d45479ebaab3017908a82a86c019dc879cb85

SHA512
32d28429136a6688d0571a9f26173763562360b920576b0715e3baa5e0471ae431dea9b9fd0d56de08b5f7e55309e9b0d8db9ae640dbc3c18b1c41139dfaad88

Download Submit
C:\Windows\{4F318AED-DFDD-42dd-9994-81F9191E7B89}.exe

Filesize
192KB

MD5
8d24e75e8e9ae1eafa50c5e0149b6d09

SHA1
26fdd0fa560433b2c864af3502a4be5de1d1a036

SHA256
8d3c2343228277db1593431037677ea9375a2c890170fe52697c3a41bcd7ce72

SHA512
afcec59ef5e4b4c9afa26dba24aeda1d5350cacf129753a927457bd10bd47ea5d2ae8a0383ba8ef23eeacc65f8e4dfcf0b7571caa4b888e9ce89d04b75c5f442

Download Submit
C:\Windows\{61B22536-DB13-4b6a-851A-2A825F7934F1}.exe

Filesize
192KB

MD5
6b8f15548b5ed95640ed18b3c3edfea5

SHA1
e17a570ad761d059afa71504456add673370a5f1

SHA256
e062428e4efb58111de041dcb0aa5afc68db0819753d6e495c147f11390e6a3d

SHA512
31e7dee71b33af05dd241ec32d453920a41f5b9b60d5940c3a22decb0dae231728e12b7673dff57c5d72d9990d768aec657d897311c728249142ef0e0acb838f

Download Submit
C:\Windows\{6ABF00BC-2EA1-4205-91B6-1A8220E41E91}.exe

Filesize
192KB

MD5
359c5139988242329a6fed7e4ba595eb

SHA1
11cab528bf1b4f23ecbf2f295db07ef409413670

SHA256
46c77e5273cf0c9bd65cda1142214a07c224c1b6d8c9020bc3e8495e94026513

SHA512
caad7e59eda4a6f82d621e35cd8ab4b0c7ffd1656273135b17ee582d7d0748f25cc95e5a1994105d77c6e78029aed39b87eb32c445c907b026a9082a82c9644f

Download Submit
C:\Windows\{7ACC2105-EC8A-4951-9023-72DE8EBC4CC1}.exe

Filesize
192KB

MD5
275e3cd02e0289654075125ff2a5b641

SHA1
147e689e66877b083e71cd547773fd0758edea5d

SHA256
0248e2e4fc44a265303f041b39b8018df91dbb1e800bc0aa301ffceaf09484ab

SHA512
6b8bde52a0442f1ec2386dd2eecc7596c62d4b0bf64c01fa1407b05b4621f94803e6cdd47c3c8837fcf4a69495f077fa71e6e1e50306b1686b6808b9f3298b57

Download Submit
C:\Windows\{B90D651A-6E44-4593-8CA7-20671DB51992}.exe

Filesize
192KB

MD5
dd4fb1db780794881e8b86b5862ddb64

SHA1
0d31ea7ad92a9495896e41ea48f9990b06cdf684

SHA256
aac5b02502307e19dc6266d3b3ddf769d38a6e33dc935a9f6aa3dcbc473e9404

SHA512
88b1a48bfc69f4130a6cc191bc1e58961f8aff4337304c312443fa92abdb495165958120a960aeacc702ac8a68b4ceb788e41cd9177cba6a573642aeae748f1e

Download Submit
C:\Windows\{BE121007-D112-4921-931B-E955F73FE2FD}.exe

Filesize
192KB

MD5
44544b378ebbccc121999097e6136ca7

SHA1
2845b4cb833aae791b2a6d29e8c25e78b2a905a2

SHA256
2957fcb733b2967a32451033c9be153ba83293aa8267aa06e7daa1bdc5e2fa65

SHA512
d17873015fdd77b7e18be0c743cc3008100d19a6039953ea4db524f56054436d7d710c00a644af907c032fe928a3ca117f88a8333bbf75a7d2bd69eb59c56917

Download Submit
C:\Windows\{ED1E0D71-E844-48b2-8079-3545BD841C02}.exe

Filesize
192KB

MD5
51313771505379e71f65a2bfdad7ae2c

SHA1
23fc91e27b88364c6895d6d34616f710d7535cb3

SHA256
69b3a28ee91f7ca660a919e5a46084fdb8340aeeec906e5c3343dc9ced4efd45

SHA512
bc13807382e417cf361d0955bdc5cae1df6e3cd075662e6d4a825e456a3c51eae952b87f8753c6bb8c7ffc2c20dea99f809302d780894f8db5cdcf7db5893b51

Download Submit
C:\Windows\{F9345CE2-2413-406d-B0B5-1DA6780A6BFB}.exe

Filesize
192KB

MD5
3c2c3775f1d9ffd2f60073bb7bc64608

SHA1
a1c4f049fd224e01644320afa928078eb0a54ab2

SHA256
fab158f02f2b11f7c21781a7e296cdd5db9d928f8bc10641919c3e12cb3736c4

SHA512
092d59d33356d3b325f056cb494891c7b12715732b9aeaf03e9d890219a2a0cf5bbc72755efc11275702445b5cb03d8cb97d51fa93124a6e0755f8afde4d1d32

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads