dd7efd97bf0f38f0016777a3902c76793aac2af25624538f6db0588deea3a3ab

Analysis

max time kernel
138s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_f1a5f2088ba21ca8e7419192986f77b1_goldeneye.exe
Size

344KB
MD5

f1a5f2088ba21ca8e7419192986f77b1
SHA1

d9e9cbfa0e57b83e9ffa96e53823e7fbc241d5c3
SHA256

dd7efd97bf0f38f0016777a3902c76793aac2af25624538f6db0588deea3a3ab
SHA512

063ec4a7607d48d14346615f48cddd0e7397bbd73adf4a90e1ac8a1281be23300154ef9a1e0fc9daf016588ad130e782fffc72871ba243fbc0694919bbbb867f
SSDEEP

3072:mEGh0o7lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGplqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3B01093-685C-466a-B85B-71CDA712000D}\stubpath = "C:\\Windows\\{F3B01093-685C-466a-B85B-71CDA712000D}.exe"	{26434B07-F237-43be-8467-749084F0770E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE8862E2-E1BE-40e8-9C19-5194D144742A}	{F3B01093-685C-466a-B85B-71CDA712000D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23798815-4ED0-4e61-9B35-A03FB38530E3}	{BBDC2797-615E-411a-A904-196EAF0411D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1E8DE0B-848D-4f4c-A322-A0BCA36D4BC6}	{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF61C97F-103F-473c-9CC6-10114C6404CB}	{B1E8DE0B-848D-4f4c-A322-A0BCA36D4BC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3B01093-685C-466a-B85B-71CDA712000D}	{26434B07-F237-43be-8467-749084F0770E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBDC2797-615E-411a-A904-196EAF0411D4}	{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4010889E-DCC0-47e1-B29F-8537CDD6345A}	{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E519BF1F-0255-4ead-8A6A-245B83BB406C}	{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF61C97F-103F-473c-9CC6-10114C6404CB}\stubpath = "C:\\Windows\\{BF61C97F-103F-473c-9CC6-10114C6404CB}.exe"	{B1E8DE0B-848D-4f4c-A322-A0BCA36D4BC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB19782D-4562-4beb-86E4-9DDB319A3201}	{D0B8E076-50E1-4baf-A876-FDAF7263AA0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB19782D-4562-4beb-86E4-9DDB319A3201}\stubpath = "C:\\Windows\\{EB19782D-4562-4beb-86E4-9DDB319A3201}.exe"	{D0B8E076-50E1-4baf-A876-FDAF7263AA0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26434B07-F237-43be-8467-749084F0770E}	2024-01-10_f1a5f2088ba21ca8e7419192986f77b1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE8862E2-E1BE-40e8-9C19-5194D144742A}\stubpath = "C:\\Windows\\{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe"	{F3B01093-685C-466a-B85B-71CDA712000D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26434B07-F237-43be-8467-749084F0770E}\stubpath = "C:\\Windows\\{26434B07-F237-43be-8467-749084F0770E}.exe"	2024-01-10_f1a5f2088ba21ca8e7419192986f77b1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23798815-4ED0-4e61-9B35-A03FB38530E3}\stubpath = "C:\\Windows\\{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe"	{BBDC2797-615E-411a-A904-196EAF0411D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4010889E-DCC0-47e1-B29F-8537CDD6345A}\stubpath = "C:\\Windows\\{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe"	{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E519BF1F-0255-4ead-8A6A-245B83BB406C}\stubpath = "C:\\Windows\\{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe"	{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1E8DE0B-848D-4f4c-A322-A0BCA36D4BC6}\stubpath = "C:\\Windows\\{B1E8DE0B-848D-4f4c-A322-A0BCA36D4BC6}.exe"	{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0B8E076-50E1-4baf-A876-FDAF7263AA0D}	{BF61C97F-103F-473c-9CC6-10114C6404CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0B8E076-50E1-4baf-A876-FDAF7263AA0D}\stubpath = "C:\\Windows\\{D0B8E076-50E1-4baf-A876-FDAF7263AA0D}.exe"	{BF61C97F-103F-473c-9CC6-10114C6404CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBDC2797-615E-411a-A904-196EAF0411D4}\stubpath = "C:\\Windows\\{BBDC2797-615E-411a-A904-196EAF0411D4}.exe"	{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1272	{26434B07-F237-43be-8467-749084F0770E}.exe
2828	{F3B01093-685C-466a-B85B-71CDA712000D}.exe
2672	{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe
2588	{BBDC2797-615E-411a-A904-196EAF0411D4}.exe
2644	{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe
676	{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe
2220	{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe
2172	{B1E8DE0B-848D-4f4c-A322-A0BCA36D4BC6}.exe
2472	{BF61C97F-103F-473c-9CC6-10114C6404CB}.exe
2856	{D0B8E076-50E1-4baf-A876-FDAF7263AA0D}.exe
928	{EB19782D-4562-4beb-86E4-9DDB319A3201}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe	{F3B01093-685C-466a-B85B-71CDA712000D}.exe
File created	C:\Windows\{B1E8DE0B-848D-4f4c-A322-A0BCA36D4BC6}.exe	{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe
File created	C:\Windows\{D0B8E076-50E1-4baf-A876-FDAF7263AA0D}.exe	{BF61C97F-103F-473c-9CC6-10114C6404CB}.exe
File created	C:\Windows\{EB19782D-4562-4beb-86E4-9DDB319A3201}.exe	{D0B8E076-50E1-4baf-A876-FDAF7263AA0D}.exe
File created	C:\Windows\{26434B07-F237-43be-8467-749084F0770E}.exe	2024-01-10_f1a5f2088ba21ca8e7419192986f77b1_goldeneye.exe
File created	C:\Windows\{F3B01093-685C-466a-B85B-71CDA712000D}.exe	{26434B07-F237-43be-8467-749084F0770E}.exe
File created	C:\Windows\{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe	{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe
File created	C:\Windows\{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe	{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe
File created	C:\Windows\{BF61C97F-103F-473c-9CC6-10114C6404CB}.exe	{B1E8DE0B-848D-4f4c-A322-A0BCA36D4BC6}.exe
File created	C:\Windows\{BBDC2797-615E-411a-A904-196EAF0411D4}.exe	{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe
File created	C:\Windows\{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe	{BBDC2797-615E-411a-A904-196EAF0411D4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2252	2024-01-10_f1a5f2088ba21ca8e7419192986f77b1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1272	{26434B07-F237-43be-8467-749084F0770E}.exe
Token: SeIncBasePriorityPrivilege	2828	{F3B01093-685C-466a-B85B-71CDA712000D}.exe
Token: SeIncBasePriorityPrivilege	2672	{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe
Token: SeIncBasePriorityPrivilege	2588	{BBDC2797-615E-411a-A904-196EAF0411D4}.exe
Token: SeIncBasePriorityPrivilege	2644	{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe
Token: SeIncBasePriorityPrivilege	676	{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe
Token: SeIncBasePriorityPrivilege	2220	{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe
Token: SeIncBasePriorityPrivilege	2172	{B1E8DE0B-848D-4f4c-A322-A0BCA36D4BC6}.exe
Token: SeIncBasePriorityPrivilege	2472	{BF61C97F-103F-473c-9CC6-10114C6404CB}.exe
Token: SeIncBasePriorityPrivilege	2856	{D0B8E076-50E1-4baf-A876-FDAF7263AA0D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1272	2252	2024-01-10_f1a5f2088ba21ca8e7419192986f77b1_goldeneye.exe	28
PID 2252 wrote to memory of 1272	2252	2024-01-10_f1a5f2088ba21ca8e7419192986f77b1_goldeneye.exe	28
PID 2252 wrote to memory of 1272	2252	2024-01-10_f1a5f2088ba21ca8e7419192986f77b1_goldeneye.exe	28
PID 2252 wrote to memory of 1272	2252	2024-01-10_f1a5f2088ba21ca8e7419192986f77b1_goldeneye.exe	28
PID 2252 wrote to memory of 2676	2252	2024-01-10_f1a5f2088ba21ca8e7419192986f77b1_goldeneye.exe	29
PID 2252 wrote to memory of 2676	2252	2024-01-10_f1a5f2088ba21ca8e7419192986f77b1_goldeneye.exe	29
PID 2252 wrote to memory of 2676	2252	2024-01-10_f1a5f2088ba21ca8e7419192986f77b1_goldeneye.exe	29
PID 2252 wrote to memory of 2676	2252	2024-01-10_f1a5f2088ba21ca8e7419192986f77b1_goldeneye.exe	29
PID 1272 wrote to memory of 2828	1272	{26434B07-F237-43be-8467-749084F0770E}.exe	31
PID 1272 wrote to memory of 2828	1272	{26434B07-F237-43be-8467-749084F0770E}.exe	31
PID 1272 wrote to memory of 2828	1272	{26434B07-F237-43be-8467-749084F0770E}.exe	31
PID 1272 wrote to memory of 2828	1272	{26434B07-F237-43be-8467-749084F0770E}.exe	31
PID 1272 wrote to memory of 2712	1272	{26434B07-F237-43be-8467-749084F0770E}.exe	30
PID 1272 wrote to memory of 2712	1272	{26434B07-F237-43be-8467-749084F0770E}.exe	30
PID 1272 wrote to memory of 2712	1272	{26434B07-F237-43be-8467-749084F0770E}.exe	30
PID 1272 wrote to memory of 2712	1272	{26434B07-F237-43be-8467-749084F0770E}.exe	30
PID 2828 wrote to memory of 2672	2828	{F3B01093-685C-466a-B85B-71CDA712000D}.exe	33
PID 2828 wrote to memory of 2672	2828	{F3B01093-685C-466a-B85B-71CDA712000D}.exe	33
PID 2828 wrote to memory of 2672	2828	{F3B01093-685C-466a-B85B-71CDA712000D}.exe	33
PID 2828 wrote to memory of 2672	2828	{F3B01093-685C-466a-B85B-71CDA712000D}.exe	33
PID 2828 wrote to memory of 1716	2828	{F3B01093-685C-466a-B85B-71CDA712000D}.exe	32
PID 2828 wrote to memory of 1716	2828	{F3B01093-685C-466a-B85B-71CDA712000D}.exe	32
PID 2828 wrote to memory of 1716	2828	{F3B01093-685C-466a-B85B-71CDA712000D}.exe	32
PID 2828 wrote to memory of 1716	2828	{F3B01093-685C-466a-B85B-71CDA712000D}.exe	32
PID 2672 wrote to memory of 2588	2672	{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe	36
PID 2672 wrote to memory of 2588	2672	{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe	36
PID 2672 wrote to memory of 2588	2672	{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe	36
PID 2672 wrote to memory of 2588	2672	{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe	36
PID 2672 wrote to memory of 1816	2672	{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe	37
PID 2672 wrote to memory of 1816	2672	{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe	37
PID 2672 wrote to memory of 1816	2672	{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe	37
PID 2672 wrote to memory of 1816	2672	{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe	37
PID 2588 wrote to memory of 2644	2588	{BBDC2797-615E-411a-A904-196EAF0411D4}.exe	38
PID 2588 wrote to memory of 2644	2588	{BBDC2797-615E-411a-A904-196EAF0411D4}.exe	38
PID 2588 wrote to memory of 2644	2588	{BBDC2797-615E-411a-A904-196EAF0411D4}.exe	38
PID 2588 wrote to memory of 2644	2588	{BBDC2797-615E-411a-A904-196EAF0411D4}.exe	38
PID 2588 wrote to memory of 2780	2588	{BBDC2797-615E-411a-A904-196EAF0411D4}.exe	39
PID 2588 wrote to memory of 2780	2588	{BBDC2797-615E-411a-A904-196EAF0411D4}.exe	39
PID 2588 wrote to memory of 2780	2588	{BBDC2797-615E-411a-A904-196EAF0411D4}.exe	39
PID 2588 wrote to memory of 2780	2588	{BBDC2797-615E-411a-A904-196EAF0411D4}.exe	39
PID 2644 wrote to memory of 676	2644	{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe	40
PID 2644 wrote to memory of 676	2644	{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe	40
PID 2644 wrote to memory of 676	2644	{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe	40
PID 2644 wrote to memory of 676	2644	{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe	40
PID 2644 wrote to memory of 328	2644	{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe	41
PID 2644 wrote to memory of 328	2644	{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe	41
PID 2644 wrote to memory of 328	2644	{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe	41
PID 2644 wrote to memory of 328	2644	{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe	41
PID 676 wrote to memory of 2220	676	{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe	42
PID 676 wrote to memory of 2220	676	{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe	42
PID 676 wrote to memory of 2220	676	{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe	42
PID 676 wrote to memory of 2220	676	{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe	42
PID 676 wrote to memory of 1200	676	{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe	43
PID 676 wrote to memory of 1200	676	{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe	43
PID 676 wrote to memory of 1200	676	{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe	43
PID 676 wrote to memory of 1200	676	{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe	43
PID 2220 wrote to memory of 2172	2220	{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe	45
PID 2220 wrote to memory of 2172	2220	{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe	45
PID 2220 wrote to memory of 2172	2220	{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe	45
PID 2220 wrote to memory of 2172	2220	{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe	45
PID 2220 wrote to memory of 1604	2220	{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe	44
PID 2220 wrote to memory of 1604	2220	{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe	44
PID 2220 wrote to memory of 1604	2220	{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe	44
PID 2220 wrote to memory of 1604	2220	{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-10_f1a5f2088ba21ca8e7419192986f77b1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_f1a5f2088ba21ca8e7419192986f77b1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\{26434B07-F237-43be-8467-749084F0770E}.exe
  C:\Windows\{26434B07-F237-43be-8467-749084F0770E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{26434~1.EXE > nul
    3⤵
    PID:2712
- - C:\Windows\{F3B01093-685C-466a-B85B-71CDA712000D}.exe
    C:\Windows\{F3B01093-685C-466a-B85B-71CDA712000D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F3B01~1.EXE > nul
      4⤵
      PID:1716
  - - C:\Windows\{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe
      C:\Windows\{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\{BBDC2797-615E-411a-A904-196EAF0411D4}.exe
        
        C:\Windows\{BBDC2797-615E-411a-A904-196EAF0411D4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
      - C:\Windows\{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe
        
        C:\Windows\{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe
        
        C:\Windows\{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe
        
        C:\Windows\{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E519B~1.EXE > nul
        9⤵
        
        PID:1604
        
        C:\Windows\{B1E8DE0B-848D-4f4c-A322-A0BCA36D4BC6}.exe
        
        C:\Windows\{B1E8DE0B-848D-4f4c-A322-A0BCA36D4BC6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1E8D~1.EXE > nul
        10⤵
        
        PID:2280
        
        C:\Windows\{BF61C97F-103F-473c-9CC6-10114C6404CB}.exe
        
        C:\Windows\{BF61C97F-103F-473c-9CC6-10114C6404CB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF61C~1.EXE > nul
        11⤵
        
        PID:1916
        
        C:\Windows\{D0B8E076-50E1-4baf-A876-FDAF7263AA0D}.exe
        
        C:\Windows\{D0B8E076-50E1-4baf-A876-FDAF7263AA0D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0B8E~1.EXE > nul
        12⤵
        
        PID:600
        
        C:\Windows\{EB19782D-4562-4beb-86E4-9DDB319A3201}.exe
        
        C:\Windows\{EB19782D-4562-4beb-86E4-9DDB319A3201}.exe
        12⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40108~1.EXE > nul
        8⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23798~1.EXE > nul
        7⤵
        
        PID:328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBDC2~1.EXE > nul
        6⤵
        
        PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE886~1.EXE > nul
        5⤵
        
        PID:1816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe

Filesize
344KB

MD5
2b7382672a676c77fb0456015ba9067a

SHA1
a2f5040e7436de26e0f65b8a4c8c35648a7f1c16

SHA256
cbbd7cdd11465713b5ee2eb603309ea7a3015f7c5e54be5916dd73ca47bff095

SHA512
e605f38c99d7c64c30c1276b7a46e9fbc879d928acc5dcaeb7e005df164adaed664a7ef9b5234c5b04227ea3f3492077da8405063f0cddca25c98165464da9de

Download Submit
C:\Windows\{23798815-4ED0-4e61-9B35-A03FB38530E3}.exe

Filesize
99KB

MD5
8e7b49d0f2077d2ecd78fde75defe524

SHA1
36b64f89b4dc59339ad1f6e9bcf770b149471f8a

SHA256
480be1a37c93a5279ad829cfc9e065f688dad89842e82fcb93a400b10e771963

SHA512
1551851f5fe13acbf67e239f50c5ab35c3ecf86450ee6df09c8e7eefe2a8e7907e6592bb449b0dc6116fd2cf9ee2bae695f2e82e0647844c21d0c87eee39340e

Download Submit
C:\Windows\{4010889E-DCC0-47e1-B29F-8537CDD6345A}.exe

Filesize
344KB

MD5
e407673f888e99fba17e843c2d95adae

SHA1
71ebf5d85d6c982dbac0a370f276265930ecb6b9

SHA256
8712be861711616bd484f7f90e53fa2d6208f9fda608b340c6341c53245692a0

SHA512
cbaccab1358e26e0424c0b2648d8913fef10cb08fdf5992cf39cc429e7eab4bc906ea1d58f85440782990119341c53b1e06ccf7dda9b9603334e5d9cef1d0de6

Download Submit
C:\Windows\{B1E8DE0B-848D-4f4c-A322-A0BCA36D4BC6}.exe

Filesize
129KB

MD5
247cf5094c616bf5892fba912d44501d

SHA1
bd20b0b59ad80572e40fc1d45530afd01c993d58

SHA256
52aeaa9b01362b24f178e4c90c889b0c24f59bdc4d30e795aafe99c6c0f31a8c

SHA512
44e106bc2ec15785c1ecd855761b54a8873b20160af9f0de04daa4148054cd9aba157242c94188af364f60f17f75a2b9511ceacefcde8ddc43e1f99af7b338b1

Download Submit
C:\Windows\{B1E8DE0B-848D-4f4c-A322-A0BCA36D4BC6}.exe

Filesize
344KB

MD5
4bb4d8bc6330e8da6feb76da63318e82

SHA1
178e487da5736cd1cf82058976e3c375acdec595

SHA256
0f029557c1c8c6444e64d3a61972b1f1bd8a19b95a1555b042007dec4521cc2d

SHA512
ffd998a41e4358931294abfae83cc2fa3b7aed80a089c0c8e29f60c63769119b76821f01f80f674faebf2649e4b05e95adb96bcb7a35ac2b8bff515cdfe19eb1

Download Submit
C:\Windows\{BBDC2797-615E-411a-A904-196EAF0411D4}.exe

Filesize
344KB

MD5
68fc8722fa2e2d4263f7312a0aecbca7

SHA1
44b37448d206677a4cba91e8e06284dd126c271b

SHA256
9e4ac3528147c8e418085915113e3579b7a9826298815f5591f5691abb3fe4bd

SHA512
a1cd98c12db1cf3690ebf0e2170f80190d42cb24cf2afc1f748df3582fd04d0e0c6407ada5fce0a794be3291dd2e9133218ec3c56cf01b1d09b80458f9f48ac1

Download Submit
C:\Windows\{BE8862E2-E1BE-40e8-9C19-5194D144742A}.exe

Filesize
344KB

MD5
bee51425e8a3acb71a01073716ac1549

SHA1
e96b30bc1cfe5767a9eed52da19cc1f9047f5f85

SHA256
56487a3b75060f295bfd37bc3643a5287c1c7c02d3a918fdd31174ef16e519b0

SHA512
a036fb2aae0c2a4849cb05d8c41dceeb060dcad82af640186c864e1632f82276d96133e8cec901ef7530beec789e90307865c90d21c10be8b7bf0e2bd102d125

Download Submit
C:\Windows\{BF61C97F-103F-473c-9CC6-10114C6404CB}.exe

Filesize
344KB

MD5
fa039e8193f1ccc39694edd2d0ad47fd

SHA1
9bc81145ff1514f46564dd0b43b8427232d2accb

SHA256
e99ec393b01f046d074c9dc3514fb5b61ff4c46b639399c4ed60fc2c8740b779

SHA512
2413e2bc34df948f9ac229eb7e4c954ce8398af8df08cacf32e7b4a37f94e1b682bf4506444cded5c56f031826c3e9081738ec2e37dbc2bf813a6a60b95449e1

Download Submit
C:\Windows\{D0B8E076-50E1-4baf-A876-FDAF7263AA0D}.exe

Filesize
92KB

MD5
27fe54cc2ccbba9e7f1a786fc0e1ddd0

SHA1
03e2409bc115af9593fd2291e03189673c1d2e12

SHA256
6d1c831e756c1bfd1a1115aa9a0d71ab6589017688d0a52988e857110f22e58c

SHA512
46db53c43bfded571a76780d1c1d1aee44d0b5acdf6e69c80aef52579f3c2a5bf63d983f6deb85744d07ea8857e6b37775acf8182ac428d82ecb25c2ec926cca

Download Submit
C:\Windows\{D0B8E076-50E1-4baf-A876-FDAF7263AA0D}.exe

Filesize
344KB

MD5
7e8c09eee14feec300925781103f26d8

SHA1
413e67bef7e9f511a6c6108e2912abea21fce76b

SHA256
2dcd53ca8d487d81f1dfacb0c9dda8c3345fea46f0e56bcf04f5e4a08b237527

SHA512
239ecaa9a92066eadcf9734fd84d3199f9b3ee539e031e405375a74b2323eab3cf497c3818c5e6175ecf6cb53920da37ea59a0c87cef5fbbca8c895352883a8f

Download Submit
C:\Windows\{E519BF1F-0255-4ead-8A6A-245B83BB406C}.exe

Filesize
344KB

MD5
ea1d962d8b8c6b532b6bed207a72861d

SHA1
70d0405b1b3c23b3a6d00ad48df9766536c0f9e8

SHA256
942834006426c35739aad8513dd56f60dda61af0ed7d7d0544d14cc58a4e48d5

SHA512
cc482107f47e3af47591100425087641d83248fb155f139be55f6bb7f6436df90a21f2e5cfd4bfefd3341ad5caf512f3862e86e531858a95d446abe85a8b64d4

Download Submit
C:\Windows\{EB19782D-4562-4beb-86E4-9DDB319A3201}.exe

Filesize
344KB

MD5
b88928af4bdb3e54b273728a11ecfe3a

SHA1
0e15db86d181b315675c981ade84e849c9236bea

SHA256
3f16b5dbc02a92b3225aa967b22072b143606c3f23c7d67b68c573227df1253e

SHA512
d1af5f439e2070254b1dc0af0c31c05a701f1732ca0e1970901dd818cb0648d1cf0c5c492a92a60cfc6002935072b04cc80a04294b7fc31e8af20df6479e8d02

Download Submit
C:\Windows\{F3B01093-685C-466a-B85B-71CDA712000D}.exe

Filesize
93KB

MD5
6daa5b4c313b1e74561b71aa40c1f3c1

SHA1
03d61d3ee8edd5153e79606981685030c9bce436

SHA256
e7bdfc8cdb096d2ce41225a5334e2c43ab27ffee0f0f236d807a208a22eaaf83

SHA512
de544b4e0c8ffbfbeff04a939e7473ff6869f01c0a0d5c96bc238822d2df29f39ce5df0b4d317417684866326624bb127a1295c813914dcf6a787c260662fe5d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads