1b58cc07cb73cc43f5ef55a7bcf9a69ac3ef0936f67c6e4925f0379e4f165a1b

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 05:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe
Size

380KB
MD5

41711efce360ef96928dfcd05993272e
SHA1

e427b3f523ccaaaec8ec1f343468e6d91f933605
SHA256

1b58cc07cb73cc43f5ef55a7bcf9a69ac3ef0936f67c6e4925f0379e4f165a1b
SHA512

4803db238990c5dbd8815c6b69d0e8afbafd8a99bf6c19432eff54087ca6081eb49fe79facaea7e50b5e9066c5f093f92c70795b3630e1ff519d56ec281fb497
SSDEEP

3072:mEGh0oPlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGJl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}\stubpath = "C:\\Windows\\{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe"	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}\stubpath = "C:\\Windows\\{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe"	{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0520E17A-AD22-45da-A66A-8DB3BD01408A}	{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0520E17A-AD22-45da-A66A-8DB3BD01408A}\stubpath = "C:\\Windows\\{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe"	{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}	{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A0EB0CE-0C82-4141-9A75-286933C4864B}\stubpath = "C:\\Windows\\{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe"	{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}\stubpath = "C:\\Windows\\{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe"	{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B8B2693-4A97-4f3b-9202-52BCD4166BB0}\stubpath = "C:\\Windows\\{6B8B2693-4A97-4f3b-9202-52BCD4166BB0}.exe"	{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB0F1FB8-4097-451a-B532-676E385311B2}\stubpath = "C:\\Windows\\{FB0F1FB8-4097-451a-B532-676E385311B2}.exe"	{0F8D345E-8E35-4b56-A448-39ED3D83FB73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60842335-EE3F-4a95-BA24-BEEA5E06D8ED}	{FB0F1FB8-4097-451a-B532-676E385311B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}\stubpath = "C:\\Windows\\{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe"	{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E99F341-5BB0-4c4c-BF56-C812972E032F}\stubpath = "C:\\Windows\\{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe"	{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}	{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}	{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB0F1FB8-4097-451a-B532-676E385311B2}	{0F8D345E-8E35-4b56-A448-39ED3D83FB73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E99F341-5BB0-4c4c-BF56-C812972E032F}	{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A0EB0CE-0C82-4141-9A75-286933C4864B}	{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B8B2693-4A97-4f3b-9202-52BCD4166BB0}	{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F8D345E-8E35-4b56-A448-39ED3D83FB73}	{6B8B2693-4A97-4f3b-9202-52BCD4166BB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F8D345E-8E35-4b56-A448-39ED3D83FB73}\stubpath = "C:\\Windows\\{0F8D345E-8E35-4b56-A448-39ED3D83FB73}.exe"	{6B8B2693-4A97-4f3b-9202-52BCD4166BB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60842335-EE3F-4a95-BA24-BEEA5E06D8ED}\stubpath = "C:\\Windows\\{60842335-EE3F-4a95-BA24-BEEA5E06D8ED}.exe"	{FB0F1FB8-4097-451a-B532-676E385311B2}.exe

Deletes itself 1 IoCs

pid	Process
1892	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2760	{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe
2704	{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe
2636	{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe
1924	{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe
2920	{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe
1996	{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe
1056	{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe
1096	{6B8B2693-4A97-4f3b-9202-52BCD4166BB0}.exe
1492	{0F8D345E-8E35-4b56-A448-39ED3D83FB73}.exe
1140	{FB0F1FB8-4097-451a-B532-676E385311B2}.exe
1252	{60842335-EE3F-4a95-BA24-BEEA5E06D8ED}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe	{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe
File created	C:\Windows\{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe	{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe
File created	C:\Windows\{FB0F1FB8-4097-451a-B532-676E385311B2}.exe	{0F8D345E-8E35-4b56-A448-39ED3D83FB73}.exe
File created	C:\Windows\{60842335-EE3F-4a95-BA24-BEEA5E06D8ED}.exe	{FB0F1FB8-4097-451a-B532-676E385311B2}.exe
File created	C:\Windows\{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe
File created	C:\Windows\{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe	{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe
File created	C:\Windows\{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe	{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe
File created	C:\Windows\{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe	{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe
File created	C:\Windows\{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe	{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe
File created	C:\Windows\{6B8B2693-4A97-4f3b-9202-52BCD4166BB0}.exe	{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe
File created	C:\Windows\{0F8D345E-8E35-4b56-A448-39ED3D83FB73}.exe	{6B8B2693-4A97-4f3b-9202-52BCD4166BB0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2480	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2760	{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe
Token: SeIncBasePriorityPrivilege	2704	{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe
Token: SeIncBasePriorityPrivilege	2636	{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe
Token: SeIncBasePriorityPrivilege	1924	{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe
Token: SeIncBasePriorityPrivilege	2920	{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe
Token: SeIncBasePriorityPrivilege	1996	{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe
Token: SeIncBasePriorityPrivilege	1056	{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe
Token: SeIncBasePriorityPrivilege	1096	{6B8B2693-4A97-4f3b-9202-52BCD4166BB0}.exe
Token: SeIncBasePriorityPrivilege	1492	{0F8D345E-8E35-4b56-A448-39ED3D83FB73}.exe
Token: SeIncBasePriorityPrivilege	1140	{FB0F1FB8-4097-451a-B532-676E385311B2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2760	2480	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe	28
PID 2480 wrote to memory of 2760	2480	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe	28
PID 2480 wrote to memory of 2760	2480	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe	28
PID 2480 wrote to memory of 2760	2480	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe	28
PID 2480 wrote to memory of 1892	2480	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe	29
PID 2480 wrote to memory of 1892	2480	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe	29
PID 2480 wrote to memory of 1892	2480	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe	29
PID 2480 wrote to memory of 1892	2480	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe	29
PID 2760 wrote to memory of 2704	2760	{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe	30
PID 2760 wrote to memory of 2704	2760	{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe	30
PID 2760 wrote to memory of 2704	2760	{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe	30
PID 2760 wrote to memory of 2704	2760	{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe	30
PID 2760 wrote to memory of 1936	2760	{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe	31
PID 2760 wrote to memory of 1936	2760	{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe	31
PID 2760 wrote to memory of 1936	2760	{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe	31
PID 2760 wrote to memory of 1936	2760	{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe	31
PID 2704 wrote to memory of 2636	2704	{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe	35
PID 2704 wrote to memory of 2636	2704	{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe	35
PID 2704 wrote to memory of 2636	2704	{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe	35
PID 2704 wrote to memory of 2636	2704	{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe	35
PID 2704 wrote to memory of 1704	2704	{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe	34
PID 2704 wrote to memory of 1704	2704	{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe	34
PID 2704 wrote to memory of 1704	2704	{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe	34
PID 2704 wrote to memory of 1704	2704	{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe	34
PID 2636 wrote to memory of 1924	2636	{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe	36
PID 2636 wrote to memory of 1924	2636	{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe	36
PID 2636 wrote to memory of 1924	2636	{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe	36
PID 2636 wrote to memory of 1924	2636	{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe	36
PID 2636 wrote to memory of 2560	2636	{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe	37
PID 2636 wrote to memory of 2560	2636	{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe	37
PID 2636 wrote to memory of 2560	2636	{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe	37
PID 2636 wrote to memory of 2560	2636	{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe	37
PID 1924 wrote to memory of 2920	1924	{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe	39
PID 1924 wrote to memory of 2920	1924	{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe	39
PID 1924 wrote to memory of 2920	1924	{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe	39
PID 1924 wrote to memory of 2920	1924	{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe	39
PID 1924 wrote to memory of 3056	1924	{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe	38
PID 1924 wrote to memory of 3056	1924	{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe	38
PID 1924 wrote to memory of 3056	1924	{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe	38
PID 1924 wrote to memory of 3056	1924	{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe	38
PID 2920 wrote to memory of 1996	2920	{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe	40
PID 2920 wrote to memory of 1996	2920	{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe	40
PID 2920 wrote to memory of 1996	2920	{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe	40
PID 2920 wrote to memory of 1996	2920	{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe	40
PID 2920 wrote to memory of 1052	2920	{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe	41
PID 2920 wrote to memory of 1052	2920	{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe	41
PID 2920 wrote to memory of 1052	2920	{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe	41
PID 2920 wrote to memory of 1052	2920	{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe	41
PID 1996 wrote to memory of 1056	1996	{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe	42
PID 1996 wrote to memory of 1056	1996	{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe	42
PID 1996 wrote to memory of 1056	1996	{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe	42
PID 1996 wrote to memory of 1056	1996	{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe	42
PID 1996 wrote to memory of 524	1996	{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe	43
PID 1996 wrote to memory of 524	1996	{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe	43
PID 1996 wrote to memory of 524	1996	{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe	43
PID 1996 wrote to memory of 524	1996	{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe	43
PID 1056 wrote to memory of 1096	1056	{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe	44
PID 1056 wrote to memory of 1096	1056	{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe	44
PID 1056 wrote to memory of 1096	1056	{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe	44
PID 1056 wrote to memory of 1096	1056	{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe	44
PID 1056 wrote to memory of 1000	1056	{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe	45
PID 1056 wrote to memory of 1000	1056	{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe	45
PID 1056 wrote to memory of 1000	1056	{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe	45
PID 1056 wrote to memory of 1000	1056	{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe
  C:\Windows\{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe
    C:\Windows\{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{62C43~1.EXE > nul
      4⤵
      PID:1704
  - - C:\Windows\{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe
      C:\Windows\{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe
        
        C:\Windows\{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFF35~1.EXE > nul
        6⤵
        
        PID:3056
      - C:\Windows\{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe
        
        C:\Windows\{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe
        
        C:\Windows\{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe
        
        C:\Windows\{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\{6B8B2693-4A97-4f3b-9202-52BCD4166BB0}.exe
        
        C:\Windows\{6B8B2693-4A97-4f3b-9202-52BCD4166BB0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\{0F8D345E-8E35-4b56-A448-39ED3D83FB73}.exe
        
        C:\Windows\{0F8D345E-8E35-4b56-A448-39ED3D83FB73}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F8D3~1.EXE > nul
        11⤵
        
        PID:1880
        
        C:\Windows\{FB0F1FB8-4097-451a-B532-676E385311B2}.exe
        
        C:\Windows\{FB0F1FB8-4097-451a-B532-676E385311B2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB0F1~1.EXE > nul
        12⤵
        
        PID:2272
        
        C:\Windows\{60842335-EE3F-4a95-BA24-BEEA5E06D8ED}.exe
        
        C:\Windows\{60842335-EE3F-4a95-BA24-BEEA5E06D8ED}.exe
        12⤵
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B8B2~1.EXE > nul
        10⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0520E~1.EXE > nul
        9⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A25AF~1.EXE > nul
        8⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A0EB~1.EXE > nul
        7⤵
        
        PID:1052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E99F~1.EXE > nul
        5⤵
        
        PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B44D1~1.EXE > nul
    3⤵
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0520E17A-AD22-45da-A66A-8DB3BD01408A}.exe

Filesize
380KB

MD5
438f8aaea170f76704199aeef889d81b

SHA1
cea543471cd87e470796e3a842c3c75ee70c875d

SHA256
bf300f1ab0ab3b5bf2a01c6cc7578d8c9cf6db45298148a00ecf4ded5d595c2b

SHA512
057417a910eb42ded7836f193c1713b917aa5f4933e8320b284bf5b794ef6d319638822ccf33229137ab81038c0be599284198dc01db416025324c6be816425b

Download Submit
C:\Windows\{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe

Filesize
380KB

MD5
dc65d4926084a04ecd8ebde8a24aa521

SHA1
350eda0e6bfc37266783a3dbbb72b7704caeeb73

SHA256
2d68f312b4cab930d48d4463324b73b29ac461f3752c64bff9358abc501d0c20

SHA512
1ea7186147b45de2e6e19c648df197f27c5bd99450c20a4b3e146371ceb870adaadee60359f22ea22f9983e39923ea5a5a10aaa9085dca6355710a590003759e

Download Submit
C:\Windows\{0E99F341-5BB0-4c4c-BF56-C812972E032F}.exe

Filesize
30KB

MD5
a64feacd9afe467d5469a529231d3027

SHA1
12458c542ce6697b4b59bc2d2ba92e4912e2eb23

SHA256
d4d595d9e137f942271e195af330993364faec29d2541cccc3aa9d5d79d64a24

SHA512
4928cc1542aecf1290c052be12f721e6dbc153878e8bbe486dedb8a135a19fd189b92ffcb49b18e68584e99ed332d8d137621fb6834e949b2625c7d7fadaa401

Download Submit
C:\Windows\{0F8D345E-8E35-4b56-A448-39ED3D83FB73}.exe

Filesize
73KB

MD5
842ab21152d2fa553963e421aba3da29

SHA1
db2a8ecb04264a7140305654817326016b6ba9a5

SHA256
f6b16488d77cd0800b8320a7a884057e90da7454faba2007741b844c804c8b55

SHA512
c42aabf681d79ea8ed0d8d80391fa7118a93670cd51d1ad450d87b20f4685d3f5e9a6e08c02b06cdf95db76140ab2df6050af05aa27fe1f4269f2a5502b8276d

Download Submit
C:\Windows\{0F8D345E-8E35-4b56-A448-39ED3D83FB73}.exe

Filesize
380KB

MD5
3c94dd6146356bcef996f05d25e683ed

SHA1
500ffbac55836f7c7f4dbab1d73d2439f341fe33

SHA256
8bca7d263afee3a1a8139c900c6fcac5db5a6499890c8e73adbd3db5d2ddb794

SHA512
4078d5879c2bebca902df4396cf8e115297e607aaa51473b55662a8099beddebdc159ba7ec5ec080c4280a3293e394edaab5a048e1fc39b226c292f7b7be9970

Download Submit
C:\Windows\{60842335-EE3F-4a95-BA24-BEEA5E06D8ED}.exe

Filesize
130KB

MD5
9d339a8fb2d9753d5227434949a118bd

SHA1
26894d97c071893b71ed66a9be7d4d59f1340352

SHA256
bfe97e6916b06149598aa3061afcfbd8c3a5ad6369a4e5471513d2b644b9af1f

SHA512
155fdcc3d7f2652a1fad7552728cc4893f6066638996fe72cb8c3096f595773d9cc732ce671eff5ae3ae230f9518a4c3e79c385376f8af3be47ed2c91c8a84b3

Download Submit
C:\Windows\{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe

Filesize
85KB

MD5
c2871df8990e2d287f5dd748506e74c7

SHA1
b129b535af44952159792ae9175988638d39d30f

SHA256
c797d0a43feb2ebfc115a07a3a89ebe8578064f0c449d30116293294493b9e43

SHA512
a1f9eade5b0fb12ce14c3e23903afd030edbdc3e01aafcd80e97a997ef91bec9b94abd63c96497a888c80adba38cc60c037e6e8b0bb50f969592c3eccd1356aa

Download Submit
C:\Windows\{62C43568-6FC2-43a9-AE54-C6B1D3DD75BA}.exe

Filesize
380KB

MD5
c2b8030e2d8a898c6a4284f508032e17

SHA1
d34f0e44405902b7dc078317c9f0027fbad524eb

SHA256
ee352ce5f94f9ffa99fe2bd1c9884316f7b0abbd41dabd80b338fe273a9670bf

SHA512
e812b3e8ac818d1b6b61e4e7553bb157a865bbe4ad80d4b4591d45cc0ea7c7173b4b173f391e59c3018d8a62e1342b35aec1176c0dd63abc43017c57db262348

Download Submit
C:\Windows\{6B8B2693-4A97-4f3b-9202-52BCD4166BB0}.exe

Filesize
150KB

MD5
2eb5d02dc09afae7913006f5727c9b30

SHA1
98c2214d41b65c1acea6ad2a702d0ed60d6cf4ea

SHA256
a4250dca1b77192ce6983744e211e54d7e7f1225cff9a39c66b0c00f4e050cf7

SHA512
f37d9b908c17a8d5570405d83f7e4e7339aaa40fe1eb74ce0a6b9f4f1e2d3e144faa28f70c54a955d5047fa0cd20854ab7e7b87ad2f3e7bf51a4a35e43057215

Download Submit
C:\Windows\{6B8B2693-4A97-4f3b-9202-52BCD4166BB0}.exe

Filesize
85KB

MD5
f561035dfa6f9799b9c60bbcb7a90eef

SHA1
6c174f82f808348898e6733955ecb33f758aeb78

SHA256
bf5be99dc9418c45d2517a7d6381300e5b24c03ec6568583028c49ae246fc04b

SHA512
87f2d48a53d0cd22131c3e40a20068b609fac9eab8c88a68f74e9d784a21360a8246629f66467c1037ceba1111178a51f50c80656d19f9c3e396db72af75402d

Download Submit
C:\Windows\{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe

Filesize
25KB

MD5
d42e1d70784f5e1d3c00c059797a5233

SHA1
4ef981cc87920f2933512a260f6787cc01b0da26

SHA256
d7cb50da4cb85e26ea06aa5cc2bfaf83e98207a68dc00a871b6c70df2b412bbc

SHA512
d39be454893a911fe5b5c3834f137c8460e78348b7f236218ce6ac8728967e34073f753551a6797496ffbea510f9a820599065942e6d8b616da2831b7db6ac00

Download Submit
C:\Windows\{9A0EB0CE-0C82-4141-9A75-286933C4864B}.exe

Filesize
380KB

MD5
18480660be06e79c4f8b1490f25d0cc0

SHA1
b5d839e2242084b961200607d5fd6080eb9245d7

SHA256
08724436f40af6ab6a4bb3524b01cb868a5988a925f05b40e829f43d629de5db

SHA512
454533018302a51e6d9a90d0403c27879b61424ceda60ea38131d16dca5c07237f6fe8018ef3ec6392eb404ef4510ec430317a1b3154a191176e468287c62d44

Download Submit
C:\Windows\{A25AF770-BB4B-4f43-A4FF-44E93E5340A2}.exe

Filesize
380KB

MD5
7a915b633b4195d610e407bc3e5b8439

SHA1
91273bae654ef559db4554e02f5f5046edbba52c

SHA256
f0577189c6d992d15e5ad2bd970f5e101a43ae6ff46ad1cf205632f00c2f5e87

SHA512
0dd0702ed5461d225d447b6373b3c227e923037cdca16ba57f56389f1215bf9f622662f32bb52744710534acbf2394d7435424f7499a8536e8623e94397932f6

Download Submit
C:\Windows\{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe

Filesize
77KB

MD5
fd8c6c4e905fc6447b0dd58f2a054ac7

SHA1
8afd3764ab7d2a520e62ff4425b4a0fb23ea8dee

SHA256
d306fce660b52ac516e5aa7aed2617d076a2a0ec3a7ca420866385ae968dd63f

SHA512
ec03d6d55bf8763ac3876c08263c1cc757b11638746273e340df0adff2dd0e1e6566b8ae509ec71602740c112d00059686ffb7e6936ffd3a1e2885cfd7ffc874

Download Submit
C:\Windows\{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe

Filesize
63KB

MD5
e31b4bfdcda0b469bed165f83aba7080

SHA1
fccf83e7a5aa00baa8ce5ba3f7f99776eb5fc4a6

SHA256
91c8671512bdea0c7af3fed6d1ae318a908b861175f5daee01f40b20dea56092

SHA512
d011ed45a526a96affa0b0d7d80de342bf767bbb727c68568ec60289555107079139340f1983b8fdbbf044b5fc220c4d149ff784b5612271f76b66542c80faf3

Download Submit
C:\Windows\{B44D1997-97C1-4c75-ADD3-1EBA2C834C2D}.exe

Filesize
84KB

MD5
84f95a705eb7a966f58d61f82da7cf7d

SHA1
bf293a49ef7da10fabf8b2227f7d2406105bfaea

SHA256
3b46e46e38076208ff7b0e2c10ad86fa01460d6d499d37346cb88677690c942a

SHA512
d74d7d646017759eef81b17c3a5a2b1063781f024f2019716fdd8c5c4b20160286ad6fe8f6949ee629ae582db7a4ff281cff27f8954a6efefb363ae54362359d

Download Submit
C:\Windows\{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe

Filesize
53KB

MD5
d344cd2c51f12e33be78d6d12d99c176

SHA1
007367a14bdafe53de07ff3452792bcfde7de48a

SHA256
2c0244f9c8a6d054e37858edf13ec8fcf6ce20e38ea8e0f5c83ba7e3759d88b6

SHA512
e596c15b2706c0e6f5ca3394500eede4c718041898190487a0ba2eba8bacbba1b8b4a624695567524758c2c7dd1373db099e3bb5720d9a3ba3199271f8373288

Download Submit
C:\Windows\{BFF357D4-C48B-4b39-AC3C-E6C27C00357B}.exe

Filesize
73KB

MD5
7f2731e94e04e84c06c2b4284addcac3

SHA1
8252afc8eaa432e2ea6a792746008df563833c72

SHA256
03af4d5df6fb84fc20d4bf0ca1ba4717e17b304119bfc4d50fdce9168d0f349e

SHA512
a13dea9a171f498ee54bf172a0c88ee1f61cc65eb7315180429ea6e7dfd96da50785d669ef125097e83ab37da4ed6d3912dac6252e3016fffc4f8238b406ac9f

Download Submit
C:\Windows\{FB0F1FB8-4097-451a-B532-676E385311B2}.exe

Filesize
380KB

MD5
274d18a075e1a1adca0350656877df1f

SHA1
d784357c5760ac10231259d3162e01cde3318489

SHA256
3a620d558f39a3f475338dfe85610ea0b969dab67ef360f1df5d5dee89d1107a

SHA512
6055ea47f516964d39ff0f971097f1010e914af2679e08a76eb2b3ea058080b21d207ed5fce4316ac37d5e4e6c6562e7481d1bf2c411d014535d3b8c891453a7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads