52067da7f636b7a01d09858e903b6be8b55ad377070958d87d4e656df028bae2

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe
Size

344KB
MD5

f3c51382c846d2f78709c9c58f96655f
SHA1

98d88a64138a4b79a6d62e136ac2837f5726a124
SHA256

52067da7f636b7a01d09858e903b6be8b55ad377070958d87d4e656df028bae2
SHA512

4f5f8b768f23c35ef10fa27d15e6e1f0d5747558dad0355059ea8abf60921efbeeffe7716d98ce64853e0889616f7a3b84eee0855b0d8d74dfc758711ee84ab0
SSDEEP

3072:mEGh0ojlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGVlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}\stubpath = "C:\\Windows\\{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe"	{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA2A36EE-C5F2-4258-83C4-381696D0206B}	{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA2A36EE-C5F2-4258-83C4-381696D0206B}\stubpath = "C:\\Windows\\{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe"	{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAA15B31-E5E5-4135-A969-25BCE13EB074}	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}\stubpath = "C:\\Windows\\{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe"	{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E659E7C-EAFC-422f-8528-F5130E1425FB}\stubpath = "C:\\Windows\\{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe"	{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD1E49DF-3581-4c28-B6D2-8443D531E58B}\stubpath = "C:\\Windows\\{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe"	{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CEE9E66-0CB1-449a-8373-3D801F71DF7D}	{9D00EB91-A8AE-4a24-81BC-DACE7B35DD17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{994017EA-A316-453d-9525-46870B568F21}	{3CEE9E66-0CB1-449a-8373-3D801F71DF7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CEE9E66-0CB1-449a-8373-3D801F71DF7D}\stubpath = "C:\\Windows\\{3CEE9E66-0CB1-449a-8373-3D801F71DF7D}.exe"	{9D00EB91-A8AE-4a24-81BC-DACE7B35DD17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{994017EA-A316-453d-9525-46870B568F21}\stubpath = "C:\\Windows\\{994017EA-A316-453d-9525-46870B568F21}.exe"	{3CEE9E66-0CB1-449a-8373-3D801F71DF7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}	{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F66796BB-960C-4f81-B9E6-74D2D3A112DB}\stubpath = "C:\\Windows\\{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe"	{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}	{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E659E7C-EAFC-422f-8528-F5130E1425FB}	{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D00EB91-A8AE-4a24-81BC-DACE7B35DD17}	{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D00EB91-A8AE-4a24-81BC-DACE7B35DD17}\stubpath = "C:\\Windows\\{9D00EB91-A8AE-4a24-81BC-DACE7B35DD17}.exe"	{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E8FA9D2-D5E3-4107-BEF5-542814E33887}	{994017EA-A316-453d-9525-46870B568F21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAA15B31-E5E5-4135-A969-25BCE13EB074}\stubpath = "C:\\Windows\\{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe"	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F66796BB-960C-4f81-B9E6-74D2D3A112DB}	{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD1E49DF-3581-4c28-B6D2-8443D531E58B}	{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E8FA9D2-D5E3-4107-BEF5-542814E33887}\stubpath = "C:\\Windows\\{9E8FA9D2-D5E3-4107-BEF5-542814E33887}.exe"	{994017EA-A316-453d-9525-46870B568F21}.exe

Deletes itself 1 IoCs

pid	Process
2828	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2740	{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe
2936	{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe
2308	{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe
1976	{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe
284	{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe
3040	{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe
1324	{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe
1948	{9D00EB91-A8AE-4a24-81BC-DACE7B35DD17}.exe
1712	{3CEE9E66-0CB1-449a-8373-3D801F71DF7D}.exe
2028	{994017EA-A316-453d-9525-46870B568F21}.exe
2376	{9E8FA9D2-D5E3-4107-BEF5-542814E33887}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe
File created	C:\Windows\{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe	{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe
File created	C:\Windows\{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe	{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe
File created	C:\Windows\{9D00EB91-A8AE-4a24-81BC-DACE7B35DD17}.exe	{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe
File created	C:\Windows\{994017EA-A316-453d-9525-46870B568F21}.exe	{3CEE9E66-0CB1-449a-8373-3D801F71DF7D}.exe
File created	C:\Windows\{9E8FA9D2-D5E3-4107-BEF5-542814E33887}.exe	{994017EA-A316-453d-9525-46870B568F21}.exe
File created	C:\Windows\{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe	{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe
File created	C:\Windows\{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe	{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe
File created	C:\Windows\{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe	{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe
File created	C:\Windows\{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe	{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe
File created	C:\Windows\{3CEE9E66-0CB1-449a-8373-3D801F71DF7D}.exe	{9D00EB91-A8AE-4a24-81BC-DACE7B35DD17}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3012	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2740	{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe
Token: SeIncBasePriorityPrivilege	2936	{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe
Token: SeIncBasePriorityPrivilege	2308	{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe
Token: SeIncBasePriorityPrivilege	1976	{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe
Token: SeIncBasePriorityPrivilege	284	{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe
Token: SeIncBasePriorityPrivilege	3040	{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe
Token: SeIncBasePriorityPrivilege	1324	{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe
Token: SeIncBasePriorityPrivilege	1948	{9D00EB91-A8AE-4a24-81BC-DACE7B35DD17}.exe
Token: SeIncBasePriorityPrivilege	1712	{3CEE9E66-0CB1-449a-8373-3D801F71DF7D}.exe
Token: SeIncBasePriorityPrivilege	2028	{994017EA-A316-453d-9525-46870B568F21}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2740	3012	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe	28
PID 3012 wrote to memory of 2740	3012	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe	28
PID 3012 wrote to memory of 2740	3012	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe	28
PID 3012 wrote to memory of 2740	3012	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe	28
PID 3012 wrote to memory of 2828	3012	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe	29
PID 3012 wrote to memory of 2828	3012	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe	29
PID 3012 wrote to memory of 2828	3012	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe	29
PID 3012 wrote to memory of 2828	3012	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe	29
PID 2740 wrote to memory of 2936	2740	{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe	30
PID 2740 wrote to memory of 2936	2740	{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe	30
PID 2740 wrote to memory of 2936	2740	{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe	30
PID 2740 wrote to memory of 2936	2740	{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe	30
PID 2740 wrote to memory of 2624	2740	{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe	31
PID 2740 wrote to memory of 2624	2740	{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe	31
PID 2740 wrote to memory of 2624	2740	{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe	31
PID 2740 wrote to memory of 2624	2740	{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe	31
PID 2936 wrote to memory of 2308	2936	{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe	34
PID 2936 wrote to memory of 2308	2936	{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe	34
PID 2936 wrote to memory of 2308	2936	{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe	34
PID 2936 wrote to memory of 2308	2936	{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe	34
PID 2936 wrote to memory of 376	2936	{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe	35
PID 2936 wrote to memory of 376	2936	{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe	35
PID 2936 wrote to memory of 376	2936	{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe	35
PID 2936 wrote to memory of 376	2936	{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe	35
PID 2308 wrote to memory of 1976	2308	{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe	37
PID 2308 wrote to memory of 1976	2308	{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe	37
PID 2308 wrote to memory of 1976	2308	{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe	37
PID 2308 wrote to memory of 1976	2308	{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe	37
PID 2308 wrote to memory of 784	2308	{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe	36
PID 2308 wrote to memory of 784	2308	{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe	36
PID 2308 wrote to memory of 784	2308	{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe	36
PID 2308 wrote to memory of 784	2308	{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe	36
PID 1976 wrote to memory of 284	1976	{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe	38
PID 1976 wrote to memory of 284	1976	{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe	38
PID 1976 wrote to memory of 284	1976	{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe	38
PID 1976 wrote to memory of 284	1976	{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe	38
PID 1976 wrote to memory of 2896	1976	{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe	39
PID 1976 wrote to memory of 2896	1976	{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe	39
PID 1976 wrote to memory of 2896	1976	{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe	39
PID 1976 wrote to memory of 2896	1976	{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe	39
PID 284 wrote to memory of 3040	284	{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe	41
PID 284 wrote to memory of 3040	284	{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe	41
PID 284 wrote to memory of 3040	284	{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe	41
PID 284 wrote to memory of 3040	284	{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe	41
PID 284 wrote to memory of 2388	284	{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe	40
PID 284 wrote to memory of 2388	284	{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe	40
PID 284 wrote to memory of 2388	284	{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe	40
PID 284 wrote to memory of 2388	284	{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe	40
PID 3040 wrote to memory of 1324	3040	{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe	42
PID 3040 wrote to memory of 1324	3040	{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe	42
PID 3040 wrote to memory of 1324	3040	{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe	42
PID 3040 wrote to memory of 1324	3040	{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe	42
PID 3040 wrote to memory of 1740	3040	{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe	43
PID 3040 wrote to memory of 1740	3040	{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe	43
PID 3040 wrote to memory of 1740	3040	{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe	43
PID 3040 wrote to memory of 1740	3040	{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe	43
PID 1324 wrote to memory of 1948	1324	{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe	45
PID 1324 wrote to memory of 1948	1324	{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe	45
PID 1324 wrote to memory of 1948	1324	{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe	45
PID 1324 wrote to memory of 1948	1324	{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe	45
PID 1324 wrote to memory of 1600	1324	{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe	44
PID 1324 wrote to memory of 1600	1324	{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe	44
PID 1324 wrote to memory of 1600	1324	{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe	44
PID 1324 wrote to memory of 1600	1324	{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe
  C:\Windows\{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe
    C:\Windows\{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe
      C:\Windows\{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6679~1.EXE > nul
        5⤵
        
        PID:784
    - - C:\Windows\{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe
        
        C:\Windows\{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Windows\{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe
        
        C:\Windows\{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E659~1.EXE > nul
        7⤵
        
        PID:2388
        
        C:\Windows\{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe
        
        C:\Windows\{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe
        
        C:\Windows\{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA2A3~1.EXE > nul
        9⤵
        
        PID:1600
        
        C:\Windows\{9D00EB91-A8AE-4a24-81BC-DACE7B35DD17}.exe
        
        C:\Windows\{9D00EB91-A8AE-4a24-81BC-DACE7B35DD17}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\{3CEE9E66-0CB1-449a-8373-3D801F71DF7D}.exe
        
        C:\Windows\{3CEE9E66-0CB1-449a-8373-3D801F71DF7D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\{994017EA-A316-453d-9525-46870B568F21}.exe
        
        C:\Windows\{994017EA-A316-453d-9525-46870B568F21}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{9E8FA9D2-D5E3-4107-BEF5-542814E33887}.exe
        
        C:\Windows\{9E8FA9D2-D5E3-4107-BEF5-542814E33887}.exe
        12⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99401~1.EXE > nul
        12⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CEE9~1.EXE > nul
        11⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D00E~1.EXE > nul
        10⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD1E4~1.EXE > nul
        8⤵
        
        PID:1740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D01A~1.EXE > nul
        6⤵
        
        PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{47B71~1.EXE > nul
      4⤵
      PID:376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CAA15~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3CEE9E66-0CB1-449a-8373-3D801F71DF7D}.exe

Filesize
344KB

MD5
619166ebfbe785e381c27523f21ef0c3

SHA1
94c1f37c88fb1ff9c6be7d2871c10e816157a0b0

SHA256
4e8ba9d3ec690008d4759e3153e2739515b074221774b7a30b796c656b318e27

SHA512
35712bb6b41eabaa8a0d16b1982e1440dcc83b1792ced56827a0d1d03fadaddf5d339611a58f568c1d3c0f19ef17d9470c0e9df3c8767529a59ae8fa45b85958

Download Submit
C:\Windows\{47B717FE-5BCE-4fe3-87FC-75DEEDEA697A}.exe

Filesize
344KB

MD5
654b2f139074c25af12ed6e6542c6a8b

SHA1
e2a35fb4c2f9b8b2a84845bd18f270916f032382

SHA256
b6c2952f61df9409d69cd2925d8b11c3bb2f6a9b3d9573bca134962df406a63a

SHA512
1fbf4c595211d892adde1b8bb226df05095341f02065402f53c87207d82acf9ccb04368acfb3118fa8083ca9c51ef96de4707010a7638b425ad4e86d73f09451

Download Submit
C:\Windows\{8D01A6FE-330A-4aad-BB70-5649CAE4D85B}.exe

Filesize
344KB

MD5
755f739d955ce4307a241e71739a805f

SHA1
63a12eb1fa5b14b0f784f16439b89453e7c1db32

SHA256
7c771a84c8205b52fcff8cddb0392131d1b30766a7cbe7355067f3cb19982ccf

SHA512
0dc29af9ef203535df9c779b7527f6d57444c1b36764a2c37bccdbdcc99417550d49b8c3b7fc9dffa372c7489345bb43bfd7a1951c7ab958b99c37713c679bcf

Download Submit
C:\Windows\{8E659E7C-EAFC-422f-8528-F5130E1425FB}.exe

Filesize
344KB

MD5
e6eca1e23ec9fc00ad64b567547ba302

SHA1
fb4f9b196767e0db38af3b7ed9ab31396ee9a055

SHA256
7cba579f22a09b56f90fd79eff96f059ba54568e83dd95da4d3cc7b8a5578124

SHA512
ff0f1c728e28f53a83fe30c38ee8436fa75fda3755631c3562e4121a9aec2eb61c203db7c50416ac4519b06b5d2ea489bc0bd417931b84fc39a74c37a2bfff93

Download Submit
C:\Windows\{994017EA-A316-453d-9525-46870B568F21}.exe

Filesize
344KB

MD5
a2f7bf8bc0ca8425ff890379f3d651cb

SHA1
ccd40a590d059ab9fe5f00e54244be0a069aad42

SHA256
6767dcf92049f0c7c4098a7da9f5f4a631776a54a1458d6257255fdcc9c3182c

SHA512
ca3c93a79aedb598f22690f89240fe9346bdf05e94ccd103746fb9dfd1dfdd30103eb92e3cea032fd34938401a0db8947fdf9c81b2e0d7c868b7d1524c1145ca

Download Submit
C:\Windows\{9D00EB91-A8AE-4a24-81BC-DACE7B35DD17}.exe

Filesize
344KB

MD5
8b59e8d4d07e0ea33d72bc2c030d6d1d

SHA1
6b7d60e7239e620edba7edf08e7136cfa2a7dab1

SHA256
298cd62fce3e03d3c4f32e5ec412466baf87e57c7be9ebf1f9f2ae1990e102ff

SHA512
3a20cbf458d7d5fb83cd2562d4b798972cab8fb75bb1195f7ea063e5acc6705eb7f0fc137d18151288f1c858d86ea37dcc8244c7d7c54dac6395c2f5e9724561

Download Submit
C:\Windows\{9E8FA9D2-D5E3-4107-BEF5-542814E33887}.exe

Filesize
344KB

MD5
6e11886804eccd85404b04d068e74356

SHA1
8b544d40918ee3aaa648dcbcdd4f9757c23308aa

SHA256
68e5aab6987ade179ca74d1ac2f9a9c503aa17f1f90304a5f4b7de549b1e6237

SHA512
ef111a0ee0a0b208bd81e9906f7022d0104a43afec65bdfa646dad4ac3318148396e9f3e1901292610cc8772d4803a782d2f5887ccdf6bdf55c11adc1cfe4ddd

Download Submit
C:\Windows\{AD1E49DF-3581-4c28-B6D2-8443D531E58B}.exe

Filesize
344KB

MD5
5c45b6b0730033355aa5f9dfeb9d8585

SHA1
beecb91de2f43202c83761c6582b8fc572a03511

SHA256
5829747756332d520a651223ee57625debe0229ebabfd09a8a7b5d06dfa63f8f

SHA512
482ea11a709f55e58d11702e1a50593921df662b3cf760aaacadeafdc65fa967bc4960e789467979ebd3c59bb5dd0a4647d1fbea6de90445d51295aa68ddc420

Download Submit
C:\Windows\{CA2A36EE-C5F2-4258-83C4-381696D0206B}.exe

Filesize
344KB

MD5
4a86e4d66337ab8a5b9334b9e912bcde

SHA1
33b5fc18af2ff4642dc1836fc587b1b14d527da5

SHA256
0e0c8ca6c0b360a87fd6840be976c7249a0fdceae1ce1e69c4bfe74b2e8452c9

SHA512
f0d91b5f11bbc4513da8194203a909425a87fea51c16d45eacda49bce6d964af1b839d9d5a070699d1c7cfb102f9a69ddfd3d989c40f1032c0dc1264743df34d

Download Submit
C:\Windows\{CAA15B31-E5E5-4135-A969-25BCE13EB074}.exe

Filesize
344KB

MD5
d993effc736906341d794ee6b38654ed

SHA1
55aa67b2d0fe46fd7edab2b163c3c81f21c900cc

SHA256
bfecc5e473e2d44080fa912c4c7691051525b90ebb1cedba50963e3fc8cc4ee1

SHA512
45197a3c65d47468ef933418ad394e003f49eff8563ff8eaaf18e1f98790cda8e0932bbf80fda762a8fbebd094efd2a1ae2132e42e4d3fd3ee66637f8e55d246

Download Submit
C:\Windows\{F66796BB-960C-4f81-B9E6-74D2D3A112DB}.exe

Filesize
344KB

MD5
99808d3d35b4d96876f1b1197657ee90

SHA1
4bc1144ae589e6a68dc93b79ad1444ffb05c59e9

SHA256
1f0c5cbc72f61aff6d50fefe74691df98f6099a5cdf7cfa5c156fda65728e631

SHA512
5a1ebc4df244e4c0116cf9bd6df6a1a55b1c2744a8a64d1b998da44a557076e6d26470e0e6dbedb092de4c3f5458c3a751c05d006bbaef3e28dbb5b5d08a3057

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads