93920a4e006fec59d532afe79033e087876010bad4191c4a150f4a08d2e1a2a2

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 05:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_d7e0f7f76c7ffe50cf75beaa83f76610_goldeneye.exe
Size

168KB
MD5

d7e0f7f76c7ffe50cf75beaa83f76610
SHA1

96b60d70a418f2b08fec4493945315ccda8a85b9
SHA256

93920a4e006fec59d532afe79033e087876010bad4191c4a150f4a08d2e1a2a2
SHA512

adc2e3305a15c621f0b037ae7ed2358868814cbd78cd5526c10ecc203abce57ebc8f5631dc19ef8f657736d9ee9fd6418bbb41ec1af100bff3c442330d6a9474
SSDEEP

1536:1EGh0oUlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oUlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B566FFB-73DE-433f-8811-5CFD27CF116B}\stubpath = "C:\\Windows\\{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe"	{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEE55D1C-9780-4f79-9626-242346CDE4B9}	{726307AF-2198-4900-988B-2467D0C530A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEE55D1C-9780-4f79-9626-242346CDE4B9}\stubpath = "C:\\Windows\\{BEE55D1C-9780-4f79-9626-242346CDE4B9}.exe"	{726307AF-2198-4900-988B-2467D0C530A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE728552-496C-4a23-92EA-EE612D46DF90}\stubpath = "C:\\Windows\\{EE728552-496C-4a23-92EA-EE612D46DF90}.exe"	{BEE55D1C-9780-4f79-9626-242346CDE4B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF08E24A-1AAC-4e22-925B-3C2AEC40B0FF}	{EE728552-496C-4a23-92EA-EE612D46DF90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFC22D15-3AE5-4266-A19F-C76E9CB77059}	{EF08E24A-1AAC-4e22-925B-3C2AEC40B0FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFC22D15-3AE5-4266-A19F-C76E9CB77059}\stubpath = "C:\\Windows\\{BFC22D15-3AE5-4266-A19F-C76E9CB77059}.exe"	{EF08E24A-1AAC-4e22-925B-3C2AEC40B0FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B566FFB-73DE-433f-8811-5CFD27CF116B}	{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C67AF87E-D969-4f5f-9433-8DB02A517A02}	{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{874E522C-A2F4-461b-A99B-EF44C49CDA03}	{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{874E522C-A2F4-461b-A99B-EF44C49CDA03}\stubpath = "C:\\Windows\\{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe"	{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8827E701-EB11-4159-9C2A-10F11599D4A2}	{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE728552-496C-4a23-92EA-EE612D46DF90}	{BEE55D1C-9780-4f79-9626-242346CDE4B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF08E24A-1AAC-4e22-925B-3C2AEC40B0FF}\stubpath = "C:\\Windows\\{EF08E24A-1AAC-4e22-925B-3C2AEC40B0FF}.exe"	{EE728552-496C-4a23-92EA-EE612D46DF90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{937EC1EF-4D22-4f10-A4F3-F28C76947471}\stubpath = "C:\\Windows\\{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe"	{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{726307AF-2198-4900-988B-2467D0C530A9}	{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{726307AF-2198-4900-988B-2467D0C530A9}\stubpath = "C:\\Windows\\{726307AF-2198-4900-988B-2467D0C530A9}.exe"	{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D38CCF6E-68B7-4158-9F40-6585421C08B4}	2024-01-10_d7e0f7f76c7ffe50cf75beaa83f76610_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D38CCF6E-68B7-4158-9F40-6585421C08B4}\stubpath = "C:\\Windows\\{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe"	2024-01-10_d7e0f7f76c7ffe50cf75beaa83f76610_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C67AF87E-D969-4f5f-9433-8DB02A517A02}\stubpath = "C:\\Windows\\{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe"	{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8827E701-EB11-4159-9C2A-10F11599D4A2}\stubpath = "C:\\Windows\\{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe"	{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{937EC1EF-4D22-4f10-A4F3-F28C76947471}	{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe

Deletes itself 1 IoCs

pid	Process
2812	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2696	{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe
2816	{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe
2756	{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe
2524	{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe
2992	{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe
868	{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe
2908	{726307AF-2198-4900-988B-2467D0C530A9}.exe
288	{BEE55D1C-9780-4f79-9626-242346CDE4B9}.exe
2456	{EE728552-496C-4a23-92EA-EE612D46DF90}.exe
3056	{EF08E24A-1AAC-4e22-925B-3C2AEC40B0FF}.exe
2332	{BFC22D15-3AE5-4266-A19F-C76E9CB77059}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EF08E24A-1AAC-4e22-925B-3C2AEC40B0FF}.exe	{EE728552-496C-4a23-92EA-EE612D46DF90}.exe
File created	C:\Windows\{BFC22D15-3AE5-4266-A19F-C76E9CB77059}.exe	{EF08E24A-1AAC-4e22-925B-3C2AEC40B0FF}.exe
File created	C:\Windows\{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe	{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe
File created	C:\Windows\{726307AF-2198-4900-988B-2467D0C530A9}.exe	{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe
File created	C:\Windows\{BEE55D1C-9780-4f79-9626-242346CDE4B9}.exe	{726307AF-2198-4900-988B-2467D0C530A9}.exe
File created	C:\Windows\{EE728552-496C-4a23-92EA-EE612D46DF90}.exe	{BEE55D1C-9780-4f79-9626-242346CDE4B9}.exe
File created	C:\Windows\{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe	{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe
File created	C:\Windows\{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe	2024-01-10_d7e0f7f76c7ffe50cf75beaa83f76610_goldeneye.exe
File created	C:\Windows\{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe	{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe
File created	C:\Windows\{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe	{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe
File created	C:\Windows\{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe	{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2132	2024-01-10_d7e0f7f76c7ffe50cf75beaa83f76610_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2696	{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe
Token: SeIncBasePriorityPrivilege	2816	{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe
Token: SeIncBasePriorityPrivilege	2756	{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe
Token: SeIncBasePriorityPrivilege	2524	{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe
Token: SeIncBasePriorityPrivilege	2992	{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe
Token: SeIncBasePriorityPrivilege	868	{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe
Token: SeIncBasePriorityPrivilege	2908	{726307AF-2198-4900-988B-2467D0C530A9}.exe
Token: SeIncBasePriorityPrivilege	288	{BEE55D1C-9780-4f79-9626-242346CDE4B9}.exe
Token: SeIncBasePriorityPrivilege	2456	{EE728552-496C-4a23-92EA-EE612D46DF90}.exe
Token: SeIncBasePriorityPrivilege	3056	{EF08E24A-1AAC-4e22-925B-3C2AEC40B0FF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2696	2132	2024-01-10_d7e0f7f76c7ffe50cf75beaa83f76610_goldeneye.exe	28
PID 2132 wrote to memory of 2696	2132	2024-01-10_d7e0f7f76c7ffe50cf75beaa83f76610_goldeneye.exe	28
PID 2132 wrote to memory of 2696	2132	2024-01-10_d7e0f7f76c7ffe50cf75beaa83f76610_goldeneye.exe	28
PID 2132 wrote to memory of 2696	2132	2024-01-10_d7e0f7f76c7ffe50cf75beaa83f76610_goldeneye.exe	28
PID 2132 wrote to memory of 2812	2132	2024-01-10_d7e0f7f76c7ffe50cf75beaa83f76610_goldeneye.exe	29
PID 2132 wrote to memory of 2812	2132	2024-01-10_d7e0f7f76c7ffe50cf75beaa83f76610_goldeneye.exe	29
PID 2132 wrote to memory of 2812	2132	2024-01-10_d7e0f7f76c7ffe50cf75beaa83f76610_goldeneye.exe	29
PID 2132 wrote to memory of 2812	2132	2024-01-10_d7e0f7f76c7ffe50cf75beaa83f76610_goldeneye.exe	29
PID 2696 wrote to memory of 2816	2696	{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe	31
PID 2696 wrote to memory of 2816	2696	{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe	31
PID 2696 wrote to memory of 2816	2696	{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe	31
PID 2696 wrote to memory of 2816	2696	{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe	31
PID 2696 wrote to memory of 2856	2696	{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe	30
PID 2696 wrote to memory of 2856	2696	{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe	30
PID 2696 wrote to memory of 2856	2696	{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe	30
PID 2696 wrote to memory of 2856	2696	{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe	30
PID 2816 wrote to memory of 2756	2816	{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe	33
PID 2816 wrote to memory of 2756	2816	{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe	33
PID 2816 wrote to memory of 2756	2816	{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe	33
PID 2816 wrote to memory of 2756	2816	{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe	33
PID 2816 wrote to memory of 2588	2816	{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe	32
PID 2816 wrote to memory of 2588	2816	{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe	32
PID 2816 wrote to memory of 2588	2816	{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe	32
PID 2816 wrote to memory of 2588	2816	{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe	32
PID 2756 wrote to memory of 2524	2756	{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe	36
PID 2756 wrote to memory of 2524	2756	{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe	36
PID 2756 wrote to memory of 2524	2756	{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe	36
PID 2756 wrote to memory of 2524	2756	{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe	36
PID 2756 wrote to memory of 2964	2756	{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe	37
PID 2756 wrote to memory of 2964	2756	{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe	37
PID 2756 wrote to memory of 2964	2756	{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe	37
PID 2756 wrote to memory of 2964	2756	{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe	37
PID 2524 wrote to memory of 2992	2524	{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe	38
PID 2524 wrote to memory of 2992	2524	{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe	38
PID 2524 wrote to memory of 2992	2524	{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe	38
PID 2524 wrote to memory of 2992	2524	{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe	38
PID 2524 wrote to memory of 1908	2524	{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe	39
PID 2524 wrote to memory of 1908	2524	{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe	39
PID 2524 wrote to memory of 1908	2524	{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe	39
PID 2524 wrote to memory of 1908	2524	{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe	39
PID 2992 wrote to memory of 868	2992	{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe	40
PID 2992 wrote to memory of 868	2992	{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe	40
PID 2992 wrote to memory of 868	2992	{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe	40
PID 2992 wrote to memory of 868	2992	{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe	40
PID 2992 wrote to memory of 2576	2992	{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe	41
PID 2992 wrote to memory of 2576	2992	{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe	41
PID 2992 wrote to memory of 2576	2992	{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe	41
PID 2992 wrote to memory of 2576	2992	{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe	41
PID 868 wrote to memory of 2908	868	{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe	42
PID 868 wrote to memory of 2908	868	{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe	42
PID 868 wrote to memory of 2908	868	{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe	42
PID 868 wrote to memory of 2908	868	{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe	42
PID 868 wrote to memory of 2924	868	{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe	43
PID 868 wrote to memory of 2924	868	{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe	43
PID 868 wrote to memory of 2924	868	{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe	43
PID 868 wrote to memory of 2924	868	{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe	43
PID 2908 wrote to memory of 288	2908	{726307AF-2198-4900-988B-2467D0C530A9}.exe	44
PID 2908 wrote to memory of 288	2908	{726307AF-2198-4900-988B-2467D0C530A9}.exe	44
PID 2908 wrote to memory of 288	2908	{726307AF-2198-4900-988B-2467D0C530A9}.exe	44
PID 2908 wrote to memory of 288	2908	{726307AF-2198-4900-988B-2467D0C530A9}.exe	44
PID 2908 wrote to memory of 1640	2908	{726307AF-2198-4900-988B-2467D0C530A9}.exe	45
PID 2908 wrote to memory of 1640	2908	{726307AF-2198-4900-988B-2467D0C530A9}.exe	45
PID 2908 wrote to memory of 1640	2908	{726307AF-2198-4900-988B-2467D0C530A9}.exe	45
PID 2908 wrote to memory of 1640	2908	{726307AF-2198-4900-988B-2467D0C530A9}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-10_d7e0f7f76c7ffe50cf75beaa83f76610_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_d7e0f7f76c7ffe50cf75beaa83f76610_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe
  C:\Windows\{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D38CC~1.EXE > nul
    3⤵
    PID:2856
- - C:\Windows\{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe
    C:\Windows\{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7B566~1.EXE > nul
      4⤵
      PID:2588
  - - C:\Windows\{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe
      C:\Windows\{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe
        
        C:\Windows\{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe
        
        C:\Windows\{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe
        
        C:\Windows\{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\{726307AF-2198-4900-988B-2467D0C530A9}.exe
        
        C:\Windows\{726307AF-2198-4900-988B-2467D0C530A9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\{BEE55D1C-9780-4f79-9626-242346CDE4B9}.exe
        
        C:\Windows\{BEE55D1C-9780-4f79-9626-242346CDE4B9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEE55~1.EXE > nul
        10⤵
        
        PID:1048
        
        C:\Windows\{EE728552-496C-4a23-92EA-EE612D46DF90}.exe
        
        C:\Windows\{EE728552-496C-4a23-92EA-EE612D46DF90}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\{EF08E24A-1AAC-4e22-925B-3C2AEC40B0FF}.exe
        
        C:\Windows\{EF08E24A-1AAC-4e22-925B-3C2AEC40B0FF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\{BFC22D15-3AE5-4266-A19F-C76E9CB77059}.exe
        
        C:\Windows\{BFC22D15-3AE5-4266-A19F-C76E9CB77059}.exe
        12⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF08E~1.EXE > nul
        12⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE728~1.EXE > nul
        11⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72630~1.EXE > nul
        9⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{937EC~1.EXE > nul
        8⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8827E~1.EXE > nul
        7⤵
        
        PID:2576
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{874E5~1.EXE > nul
        6⤵
        
        PID:1908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C67AF~1.EXE > nul
        5⤵
        
        PID:2964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{726307AF-2198-4900-988B-2467D0C530A9}.exe

Filesize
168KB

MD5
647d19d806c685fffbaa31d0e2b9877a

SHA1
4efce60b39e019f17bf74bfcf66585b9444f292d

SHA256
d04f8cd9af450cb1a2ac2df6b8bc8140085409e80d36f10c28057abb19b5e8d4

SHA512
ead5764d0e34b4d633d97a6e81eb9d533e6c872329ec89b9ba7b2c23ce500c080dc0a0c171fa09133625ad5c1135e16dfdae11a571ca525189827b55eee506ab

Download Submit
C:\Windows\{7B566FFB-73DE-433f-8811-5CFD27CF116B}.exe

Filesize
168KB

MD5
72ed8d6be73bbd57222bdeef9dec5335

SHA1
d63bb38a429a6b48b244dab48555eb7098ab6041

SHA256
4b5ae0acc88db30abdb48eab986ed53660e95bcce092a0ee8a20e6bbcc019485

SHA512
157b473a0299bd71f28fee2d8da629ea47a0b3591de72fdbf99389759a9a64d631178778951fae66334a8808c745e550439702f317ba1f8a88c320a9da534e52

Download Submit
C:\Windows\{874E522C-A2F4-461b-A99B-EF44C49CDA03}.exe

Filesize
168KB

MD5
45456c0398da63456846829f4c3170ba

SHA1
16fd1043ee361a6edbafd6293bb66da7db0430a1

SHA256
d853025ccf6bfd5b0579eb3083fa09a1dd4579dcc325099843a7b4b19f43879e

SHA512
0a47dc3a48f9ad0c9c959278a56bc5fa50a408fd7890ca170105e010476c9209354ec742ee7b2833c06d5951a63a185798cd9548fb3833bd6b16996be03fa18c

Download Submit
C:\Windows\{8827E701-EB11-4159-9C2A-10F11599D4A2}.exe

Filesize
168KB

MD5
fee1df32688a19d5473f6d64b64852f8

SHA1
29d19232651a978f338dac65c0904474a91a0827

SHA256
cb0ecc82eedadacf890fad751f16dcaaf8641fa22249792ef57b668418028272

SHA512
7ac9ccd1967f719ea38c64f9a920791388d427874522df1c7918c78e4030f1ee7e18921b51546cb22e7ad1e3e9b7473b9874e5850ae056b5dd47740b600b5090

Download Submit
C:\Windows\{937EC1EF-4D22-4f10-A4F3-F28C76947471}.exe

Filesize
168KB

MD5
1772f420f61129f25e250efbc61441cc

SHA1
58fc00f7ae7907020f44e1ba28f3ef8b33781e49

SHA256
04e7608d112c7214e52e28541f0ea0ed1b7f00a9b646556d597db07b465a745e

SHA512
d7192171ad00d4a621372925f940e16afc4ff0aa1243bbf4c7537e1e1a93dbcf3ad06315be93614979638eb2e994b74778f6ab194a9f42498da714a9d6c19b28

Download Submit
C:\Windows\{BEE55D1C-9780-4f79-9626-242346CDE4B9}.exe

Filesize
168KB

MD5
36aea7c29775e200a3fcf1bab1f1fd6c

SHA1
70293bd3fadb96610a2bd94dd4c0cd16d7ca8891

SHA256
381d15b9185210bfc736ba1a8337668eb5df754d12c1dc0f34153d3fc737aeb1

SHA512
fff1866f1319a6458d2ab6b1c6e76d2a00b3f5d1581050a20c8e2db054d76a068267715cb32260ae5671a485c6ea01e3dd5b95ebdb9b8af7663a90c2d3a994e7

Download Submit
C:\Windows\{BFC22D15-3AE5-4266-A19F-C76E9CB77059}.exe

Filesize
168KB

MD5
7adb0d58d60ea38fa7eb7f383b022a8b

SHA1
9b01387e71deb48c82256f5181a34128ae71d244

SHA256
ac6a649eab463e27a8df65eef1a6e9c9e9394a2ac67cabc93d2c303a6fead4ee

SHA512
ef1c51d4ae4991d9317fa4c6731dfe37719de34d396a3888af480fac7c8b8adc886b2e2b35ddbc8f64b9f65f2b84d8fd5aae6db828903d24e76327dec94c6f37

Download Submit
C:\Windows\{C67AF87E-D969-4f5f-9433-8DB02A517A02}.exe

Filesize
168KB

MD5
62915e52e98a4632efccd138c10a6ab4

SHA1
e31f0f63a123ffb00cd10f3aa757c1ef950550a5

SHA256
e5d08746888033b0d2a25d6fd5e7a7f7b07602b8bd70e08dddebbbbed2c4f284

SHA512
9c8e52cb25d5d985202764f34c652a54d998cb0b336a61f490f433ee9ed50ba02a315f31b8289135c921d9bb22258788c73d5841cf49ef855c1c7ddae2bbef78

Download Submit
C:\Windows\{D38CCF6E-68B7-4158-9F40-6585421C08B4}.exe

Filesize
168KB

MD5
506de01a1bf14248eaf92068253998c9

SHA1
972bffd5d08733e3b212b392da0a4ce1044dfc0f

SHA256
6be5031c9ac34be9400773a63a5690ff3d10dfa31af255898d3781ab7134c3cf

SHA512
d88909a6af222eb38a58101d0f1c0dccca85bfde901487d270695fa207d06901f4d174c423c1af2fdcea9653a4f4da35c75df519d924922643d867065e752c40

Download Submit
C:\Windows\{EE728552-496C-4a23-92EA-EE612D46DF90}.exe

Filesize
168KB

MD5
4a2f49fbd4309c69e2d28e29aa417f55

SHA1
c8db3631d24488626ef6f6b65a3720ef16bb6751

SHA256
9cfede1a2a9e4a8521819c4d93cce0361a49b98546a5432212f65283084e450b

SHA512
0fc007460d4c4ca4ddef1e283303a884864f52f5c98ec1bbbf24e3a837b271a3a9ab87c2b22255e156ed4d3959bfd16cf7e3face7663ea72aad95469d25f12e3

Download Submit
C:\Windows\{EE728552-496C-4a23-92EA-EE612D46DF90}.exe

Filesize
27KB

MD5
087bd66da9dbb2f8abf8f17ebb55a99f

SHA1
e310e8194303cf27d1fd2a118ff9eaac191a3097

SHA256
5b67f5d616585876b0f7b41942d37459b689e497fa7b7fdacc5bfb8dc11a1c11

SHA512
926ab8349dcfe072f8064a8f5eb090b8754783a3e6789ca6cb14a19ad0570afb617be89624c330622e1ce96a7655dcda8387ffec9a53eff26dbe4de6e34aeacf

Download Submit
C:\Windows\{EF08E24A-1AAC-4e22-925B-3C2AEC40B0FF}.exe

Filesize
168KB

MD5
c663315de59af3bb4cb5f954a5153310

SHA1
1e1dea157782a672520c29a87fd85e135c45727d

SHA256
fa94056a38d908b799c04ec0dfbf9d9191d611c8d7904ca29cc79311df974af7

SHA512
77ddc8ddafadefd60e13c42f57b2a324b7cbd9959105a452b12b6336a0b0aba5cabd9d458d1f757c2b459e334513d959581c8b0b3d0173cb585d6f450772ce56

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads