d2e175588fe5ed613f374d4ef5486f3536a88e97d9f510970d8abfdc7127ee01

Analysis

max time kernel
151s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11-01-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_819f46a2012ce0cfd9460f36183f0ef3_goldeneye.exe
Size

216KB
MD5

819f46a2012ce0cfd9460f36183f0ef3
SHA1

29f6a4b681bbc5a4724b5f6aaba6cb9f45567f8b
SHA256

d2e175588fe5ed613f374d4ef5486f3536a88e97d9f510970d8abfdc7127ee01
SHA512

0405ab6ef6e7e35564eecde754292a0851bfb49315a9ff74c4b6ce326f9a24b0bd0a851f91e59da2e7b85392af38ab6ad7179d86a859eb80b46c903b2a88149b
SSDEEP

3072:jEGh0oRl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGDlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}\stubpath = "C:\\Windows\\{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe"	{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B4C20BC-839F-4dab-A522-E0C672D4F494}\stubpath = "C:\\Windows\\{6B4C20BC-839F-4dab-A522-E0C672D4F494}.exe"	{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59185D0D-0D99-4c43-95CA-0B7DD47E70CC}	{D4298F8E-3B98-4a56-A3DE-B852A06FC10E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59185D0D-0D99-4c43-95CA-0B7DD47E70CC}\stubpath = "C:\\Windows\\{59185D0D-0D99-4c43-95CA-0B7DD47E70CC}.exe"	{D4298F8E-3B98-4a56-A3DE-B852A06FC10E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}	2024-01-10_819f46a2012ce0cfd9460f36183f0ef3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}	{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}\stubpath = "C:\\Windows\\{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe"	{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}	{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}	{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DDB98A6-57D9-4007-9418-071018F5AF0F}\stubpath = "C:\\Windows\\{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe"	{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4298F8E-3B98-4a56-A3DE-B852A06FC10E}	{6B4C20BC-839F-4dab-A522-E0C672D4F494}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D53BAF53-E9CC-4d98-84F7-77FA5F2FB1B1}	{D7E6184E-03CB-49b3-8C2C-D0AC1C704AE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}\stubpath = "C:\\Windows\\{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe"	{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}	{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CE553DC-FF2E-44d7-A739-DB7A5705484E}	{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CE553DC-FF2E-44d7-A739-DB7A5705484E}\stubpath = "C:\\Windows\\{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe"	{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4298F8E-3B98-4a56-A3DE-B852A06FC10E}\stubpath = "C:\\Windows\\{D4298F8E-3B98-4a56-A3DE-B852A06FC10E}.exe"	{6B4C20BC-839F-4dab-A522-E0C672D4F494}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7E6184E-03CB-49b3-8C2C-D0AC1C704AE3}	{59185D0D-0D99-4c43-95CA-0B7DD47E70CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}\stubpath = "C:\\Windows\\{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe"	2024-01-10_819f46a2012ce0cfd9460f36183f0ef3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}\stubpath = "C:\\Windows\\{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe"	{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2DDB98A6-57D9-4007-9418-071018F5AF0F}	{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B4C20BC-839F-4dab-A522-E0C672D4F494}	{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7E6184E-03CB-49b3-8C2C-D0AC1C704AE3}\stubpath = "C:\\Windows\\{D7E6184E-03CB-49b3-8C2C-D0AC1C704AE3}.exe"	{59185D0D-0D99-4c43-95CA-0B7DD47E70CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D53BAF53-E9CC-4d98-84F7-77FA5F2FB1B1}\stubpath = "C:\\Windows\\{D53BAF53-E9CC-4d98-84F7-77FA5F2FB1B1}.exe"	{D7E6184E-03CB-49b3-8C2C-D0AC1C704AE3}.exe

Deletes itself 1 IoCs

pid	Process
2484	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
344	{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe
2716	{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe
2556	{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe
2496	{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe
668	{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe
2516	{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe
1892	{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe
2760	{6B4C20BC-839F-4dab-A522-E0C672D4F494}.exe
3064	{D4298F8E-3B98-4a56-A3DE-B852A06FC10E}.exe
1144	{59185D0D-0D99-4c43-95CA-0B7DD47E70CC}.exe
2784	{D7E6184E-03CB-49b3-8C2C-D0AC1C704AE3}.exe
1252	{D53BAF53-E9CC-4d98-84F7-77FA5F2FB1B1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D7E6184E-03CB-49b3-8C2C-D0AC1C704AE3}.exe	{59185D0D-0D99-4c43-95CA-0B7DD47E70CC}.exe
File created	C:\Windows\{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe	2024-01-10_819f46a2012ce0cfd9460f36183f0ef3_goldeneye.exe
File created	C:\Windows\{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe	{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe
File created	C:\Windows\{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe	{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe
File created	C:\Windows\{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe	{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe
File created	C:\Windows\{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe	{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe
File created	C:\Windows\{D4298F8E-3B98-4a56-A3DE-B852A06FC10E}.exe	{6B4C20BC-839F-4dab-A522-E0C672D4F494}.exe
File created	C:\Windows\{59185D0D-0D99-4c43-95CA-0B7DD47E70CC}.exe	{D4298F8E-3B98-4a56-A3DE-B852A06FC10E}.exe
File created	C:\Windows\{D53BAF53-E9CC-4d98-84F7-77FA5F2FB1B1}.exe	{D7E6184E-03CB-49b3-8C2C-D0AC1C704AE3}.exe
File created	C:\Windows\{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe	{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe
File created	C:\Windows\{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe	{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe
File created	C:\Windows\{6B4C20BC-839F-4dab-A522-E0C672D4F494}.exe	{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2236	2024-01-10_819f46a2012ce0cfd9460f36183f0ef3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	344	{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe
Token: SeIncBasePriorityPrivilege	2716	{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe
Token: SeIncBasePriorityPrivilege	2556	{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe
Token: SeIncBasePriorityPrivilege	2496	{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe
Token: SeIncBasePriorityPrivilege	668	{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe
Token: SeIncBasePriorityPrivilege	2516	{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe
Token: SeIncBasePriorityPrivilege	1892	{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe
Token: SeIncBasePriorityPrivilege	2760	{6B4C20BC-839F-4dab-A522-E0C672D4F494}.exe
Token: SeIncBasePriorityPrivilege	3064	{D4298F8E-3B98-4a56-A3DE-B852A06FC10E}.exe
Token: SeIncBasePriorityPrivilege	1144	{59185D0D-0D99-4c43-95CA-0B7DD47E70CC}.exe
Token: SeIncBasePriorityPrivilege	2784	{D7E6184E-03CB-49b3-8C2C-D0AC1C704AE3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 344	2236	2024-01-10_819f46a2012ce0cfd9460f36183f0ef3_goldeneye.exe	28
PID 2236 wrote to memory of 344	2236	2024-01-10_819f46a2012ce0cfd9460f36183f0ef3_goldeneye.exe	28
PID 2236 wrote to memory of 344	2236	2024-01-10_819f46a2012ce0cfd9460f36183f0ef3_goldeneye.exe	28
PID 2236 wrote to memory of 344	2236	2024-01-10_819f46a2012ce0cfd9460f36183f0ef3_goldeneye.exe	28
PID 2236 wrote to memory of 2484	2236	2024-01-10_819f46a2012ce0cfd9460f36183f0ef3_goldeneye.exe	29
PID 2236 wrote to memory of 2484	2236	2024-01-10_819f46a2012ce0cfd9460f36183f0ef3_goldeneye.exe	29
PID 2236 wrote to memory of 2484	2236	2024-01-10_819f46a2012ce0cfd9460f36183f0ef3_goldeneye.exe	29
PID 2236 wrote to memory of 2484	2236	2024-01-10_819f46a2012ce0cfd9460f36183f0ef3_goldeneye.exe	29
PID 344 wrote to memory of 2716	344	{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe	32
PID 344 wrote to memory of 2716	344	{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe	32
PID 344 wrote to memory of 2716	344	{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe	32
PID 344 wrote to memory of 2716	344	{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe	32
PID 344 wrote to memory of 2904	344	{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe	33
PID 344 wrote to memory of 2904	344	{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe	33
PID 344 wrote to memory of 2904	344	{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe	33
PID 344 wrote to memory of 2904	344	{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe	33
PID 2716 wrote to memory of 2556	2716	{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe	34
PID 2716 wrote to memory of 2556	2716	{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe	34
PID 2716 wrote to memory of 2556	2716	{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe	34
PID 2716 wrote to memory of 2556	2716	{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe	34
PID 2716 wrote to memory of 2588	2716	{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe	35
PID 2716 wrote to memory of 2588	2716	{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe	35
PID 2716 wrote to memory of 2588	2716	{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe	35
PID 2716 wrote to memory of 2588	2716	{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe	35
PID 2556 wrote to memory of 2496	2556	{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe	36
PID 2556 wrote to memory of 2496	2556	{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe	36
PID 2556 wrote to memory of 2496	2556	{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe	36
PID 2556 wrote to memory of 2496	2556	{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe	36
PID 2556 wrote to memory of 1408	2556	{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe	37
PID 2556 wrote to memory of 1408	2556	{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe	37
PID 2556 wrote to memory of 1408	2556	{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe	37
PID 2556 wrote to memory of 1408	2556	{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe	37
PID 2496 wrote to memory of 668	2496	{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe	38
PID 2496 wrote to memory of 668	2496	{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe	38
PID 2496 wrote to memory of 668	2496	{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe	38
PID 2496 wrote to memory of 668	2496	{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe	38
PID 2496 wrote to memory of 1628	2496	{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe	39
PID 2496 wrote to memory of 1628	2496	{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe	39
PID 2496 wrote to memory of 1628	2496	{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe	39
PID 2496 wrote to memory of 1628	2496	{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe	39
PID 668 wrote to memory of 2516	668	{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe	40
PID 668 wrote to memory of 2516	668	{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe	40
PID 668 wrote to memory of 2516	668	{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe	40
PID 668 wrote to memory of 2516	668	{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe	40
PID 668 wrote to memory of 796	668	{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe	41
PID 668 wrote to memory of 796	668	{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe	41
PID 668 wrote to memory of 796	668	{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe	41
PID 668 wrote to memory of 796	668	{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe	41
PID 2516 wrote to memory of 1892	2516	{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe	42
PID 2516 wrote to memory of 1892	2516	{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe	42
PID 2516 wrote to memory of 1892	2516	{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe	42
PID 2516 wrote to memory of 1892	2516	{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe	42
PID 2516 wrote to memory of 2796	2516	{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe	43
PID 2516 wrote to memory of 2796	2516	{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe	43
PID 2516 wrote to memory of 2796	2516	{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe	43
PID 2516 wrote to memory of 2796	2516	{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe	43
PID 1892 wrote to memory of 2760	1892	{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe	44
PID 1892 wrote to memory of 2760	1892	{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe	44
PID 1892 wrote to memory of 2760	1892	{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe	44
PID 1892 wrote to memory of 2760	1892	{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe	44
PID 1892 wrote to memory of 1604	1892	{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe	45
PID 1892 wrote to memory of 1604	1892	{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe	45
PID 1892 wrote to memory of 1604	1892	{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe	45
PID 1892 wrote to memory of 1604	1892	{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-10_819f46a2012ce0cfd9460f36183f0ef3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_819f46a2012ce0cfd9460f36183f0ef3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe
  C:\Windows\{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe
    C:\Windows\{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe
      C:\Windows\{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe
        
        C:\Windows\{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Windows\{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe
        
        C:\Windows\{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe
        
        C:\Windows\{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe
        
        C:\Windows\{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\{6B4C20BC-839F-4dab-A522-E0C672D4F494}.exe
        
        C:\Windows\{6B4C20BC-839F-4dab-A522-E0C672D4F494}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B4C2~1.EXE > nul
        10⤵
        
        PID:2952
        
        C:\Windows\{D4298F8E-3B98-4a56-A3DE-B852A06FC10E}.exe
        
        C:\Windows\{D4298F8E-3B98-4a56-A3DE-B852A06FC10E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\{59185D0D-0D99-4c43-95CA-0B7DD47E70CC}.exe
        
        C:\Windows\{59185D0D-0D99-4c43-95CA-0B7DD47E70CC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\{D7E6184E-03CB-49b3-8C2C-D0AC1C704AE3}.exe
        
        C:\Windows\{D7E6184E-03CB-49b3-8C2C-D0AC1C704AE3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\{D53BAF53-E9CC-4d98-84F7-77FA5F2FB1B1}.exe
        
        C:\Windows\{D53BAF53-E9CC-4d98-84F7-77FA5F2FB1B1}.exe
        13⤵
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7E61~1.EXE > nul
        13⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59185~1.EXE > nul
        12⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4298~1.EXE > nul
        11⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DDB9~1.EXE > nul
        9⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9F8B~1.EXE > nul
        8⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E67FC~1.EXE > nul
        7⤵
        
        PID:796
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CE55~1.EXE > nul
        6⤵
        
        PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91CBA~1.EXE > nul
        5⤵
        
        PID:1408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EAEF9~1.EXE > nul
      4⤵
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AEE0A~1.EXE > nul
    3⤵
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1CE553DC-FF2E-44d7-A739-DB7A5705484E}.exe

Filesize
216KB

MD5
2b476617415983a0014ffc7dbd05a420

SHA1
16523f8735b2ad982760669da2d328764600df12

SHA256
b3e34fb9d81f7243ceb5969d58341c064112f1d8e42a6fe2b907334e643c98f9

SHA512
b1bae84fd38580314b2ab1ea6591e126b80da2580d1c9898f0b54374b2e7e6529a68ba32d72ebc5ad92920b645c52769fd28cc7895543f73b66b634c6eebe3fe

Download Submit
C:\Windows\{2DDB98A6-57D9-4007-9418-071018F5AF0F}.exe

Filesize
216KB

MD5
87c8e2cbe75ac9f1f03bd56299eb813a

SHA1
453ffc73d14fd161714c1247ebecccec5089c3d0

SHA256
c8e8e5ba58467b9d370c1fa92e9286eb88c1bc47f285e76237ffcccba2a1bb12

SHA512
10e2fe443536a8f5c45e837ed536898a88d04afcd601792fdefb9960ae910b07f1fb028d793b091c7a594d4f3822eab4e9c3004734a8074b8ce36308db9c1659

Download Submit
C:\Windows\{59185D0D-0D99-4c43-95CA-0B7DD47E70CC}.exe

Filesize
216KB

MD5
ae3e09d9a1deb203eb717487e6d47255

SHA1
c85b7b3b2a18c949ae2ad74281e45b0e75e627a8

SHA256
ea53c7b0d1970ddcbe27fa35cf83a4d0ba7a346e57742b0c00f2a675914f7e4f

SHA512
0ad3811c22f73a35f4b9d9f973de1f1990cc7384c083fec6c7bc1ea64a49ae4d8d37e3aa533ff28a5c84f6b82cad82b8f0cd478a52d4ef97e0d01ad267bc8c91

Download Submit
C:\Windows\{6B4C20BC-839F-4dab-A522-E0C672D4F494}.exe

Filesize
216KB

MD5
43c2c39c24f7ee336524e8a3940b50d8

SHA1
0725088962b0f5fc90c6e8876afe06d5645d4811

SHA256
91252e8021aa3318c04eafccdf4c46f99230a398d1d2c07eb7ab27de9a5c2f7c

SHA512
5c02122117008ba370a65fcddd032fb6ece26bb820cf9a5dbba9164200b793429931d0399d13cc09b4c51b130a72073b5cc3efee5b930054e84fe572cf4c2cd2

Download Submit
C:\Windows\{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe

Filesize
216KB

MD5
483014ede8963fc9280580370de1667f

SHA1
f2f85a2384d726b1e8c60241244c1ffa15ad6fee

SHA256
f079fe95dde86bcd7c39c112e6791a174293819a0a2676b2c6357a57af9dcfa6

SHA512
f258b1e4d4f3d4f86c8e823f3ec82cf5e0501c0443c954463d174790a134f53007b7f7b8ca719f5acb72e3947d05b32f44126ee2034f7b7bfb0728fee4b473ad

Download Submit
C:\Windows\{91CBA1EB-01D4-40b1-A653-C37F3DE8B5C2}.exe

Filesize
82KB

MD5
76d43bb5bd56e398f0c4bf7343535f6a

SHA1
f6200d7f22562a803419f103658d49bfffe6d972

SHA256
663f796569b3288013eba79a42c6b181c4ca82d7e27243ecf3858140d0c6b28c

SHA512
9245eeaa702bfdb6604f43ba1d474348855d4b6d4c807fd662945cbf9772fa9dc2b2ae896ac4434c0f0f10e48d50f955dba541e7d9d58edf5fcc5cd94e2b19d5

Download Submit
C:\Windows\{AEE0A955-9D35-4f69-A9C4-4865BDBF9DEA}.exe

Filesize
216KB

MD5
1778ccd24e2437b00ab1775ac46e5668

SHA1
098da045c80b22b424a5590a589397a611541ef0

SHA256
de5940c9b544e8dba2718b684300657baba6f1ea19d10b03b702a21d595d45fb

SHA512
580aa813ee982ec31ce30233460c93f9ce93713461104f212dbf8be33181aa2604922274b0302c17b9cd1025480cab8329593927303ce9b9d046f6e7488fcaa4

Download Submit
C:\Windows\{D4298F8E-3B98-4a56-A3DE-B852A06FC10E}.exe

Filesize
216KB

MD5
929e451d1181bd3e517d1580d9961aba

SHA1
7d89f23e0ff64f068ae1db53ece71a7fcce94fc1

SHA256
cac98b07ceb79568a79e082f82dc4ed98d4c0726b1b03802144188a3752b5e67

SHA512
abc4f1740251a288ed0851ad474cd4702f6e069f590e85812d5e4eaf16a91e06b917db70bc3ee359fba640448dbf1f74180fe0b3506f043eb7933d79d5d84b70

Download Submit
C:\Windows\{D53BAF53-E9CC-4d98-84F7-77FA5F2FB1B1}.exe

Filesize
216KB

MD5
f08e97dc2edeb686a8d7dfd9e98557cc

SHA1
ff9c3e7707c899efae502ad93383f0bfd52d8a6b

SHA256
175e6214ec7019894f51e61509efc6b90c1e4eed034754f2a8ac4ded54ef975e

SHA512
f4ae4b3a8682bec9a22dd1df39bdb089370cf8e259d9e69d2e9a699a675c50c9c65eeee4b570ef1391e0fbe6e6978970036de2b4a0f676310e77cc5d6ff38117

Download Submit
C:\Windows\{D7E6184E-03CB-49b3-8C2C-D0AC1C704AE3}.exe

Filesize
216KB

MD5
321e213637404dd17c2d5bf40315a440

SHA1
78c4b7681550d60cc014424e8fa246b5c757a353

SHA256
9161d6b9ba6299c366635360f7874fb5d6cc1c79f09c7b163804896658736ca6

SHA512
a81167e11b64d8c4a1650a347aea0479f941984e67026c48fd07a0d1f6c3e66d8be78348367fb01c19e04527aa81d78b5ec0e2e714c87257d5ea1c04318e1127

Download Submit
C:\Windows\{D9F8B19D-CD3F-42f5-B350-4F53A6FA27C6}.exe

Filesize
216KB

MD5
41b0dca7caf1b5abd071b9ac241282f6

SHA1
814fdb4eee84fac6de69077b8a71db5fba71967f

SHA256
aabaf57cb99bf431fce4ff83073d8c4bdda37fd44bdae2dbc37b36f4486d8e0c

SHA512
a4a5b08e021a6cc25e2daba276d038b897965d5fe226d4005881354178130d955154c16433fe229a72972e8f852efafb1bed7afa6103b4723f3c880a1c6977c8

Download Submit
C:\Windows\{E67FC77A-3080-44a5-A2C4-F0FB8E0FC4F3}.exe

Filesize
216KB

MD5
b28445438d637f8e43eb0317eef080b1

SHA1
48dfb372fd124921c5b0c38bfca3befbe7142f53

SHA256
4468e1deebca3cce0d03bd3cc5e52a0a33739537b38db25ca1ba1a2b14051692

SHA512
101cad0a1f43beb6e58e0bf0ea319ff01dfc771810d7bfb1d7ad26e9711e8cf1f83e115f280179c37e26a42bb061c33c56113d0fb322275039f1ff3f5871da26

Download Submit
C:\Windows\{EAEF9702-9B5B-4ed2-8861-9EF6C205BD3E}.exe

Filesize
216KB

MD5
a52bab978e5481b67b4bbc72a57a3913

SHA1
717b53138322c837bb3b17780eafc15319261ada

SHA256
1041b59001e9beb32f2f2d7d558361a85d33682bd56a9cb066ff5604fcba2756

SHA512
058762a7c49c125e2886d6189c9338723a81e8e2cdd52bcd571cd67e528f17673bdef977a89cb1692320eff58f3b93c0782396413344f318c9cbdd6b623e01ac

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads