a4075a0daa980a531743b164972c157887812b17011d93660deabf8b1b79f6f2

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_3181341835e55b25bdb6ffb490a799cd_goldeneye.exe
Size

408KB
MD5

3181341835e55b25bdb6ffb490a799cd
SHA1

776e1366f10fdd09cb4bb9e07a7ae2ccf507b176
SHA256

a4075a0daa980a531743b164972c157887812b17011d93660deabf8b1b79f6f2
SHA512

b3c378d9915566c1cda37a9e9502e88b0b4128aac6cc11d6306b25535c8451c697c51b35d984f967af82761decf0b049789f1426c5b800e86061efd192964b12
SSDEEP

3072:CEGh0oil3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGYldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C83807E9-E4E0-4274-867B-AD0A433AD8CC}	{25195438-6DAC-4845-B245-7B57DCEA2533}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C83807E9-E4E0-4274-867B-AD0A433AD8CC}\stubpath = "C:\\Windows\\{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe"	{25195438-6DAC-4845-B245-7B57DCEA2533}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04F47FEB-FEBD-43a2-B748-17FB397E9C7F}	{F176E13C-5A1F-4622-A756-6F3DE4299302}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56E6F201-70D8-4013-900D-B54FEE49CEA6}	{E1C2C4A9-9F10-43f0-8D7C-F0BC92B3D6D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A683888-99DA-4a1a-B982-552C14BF2547}\stubpath = "C:\\Windows\\{0A683888-99DA-4a1a-B982-552C14BF2547}.exe"	2024-01-11_3181341835e55b25bdb6ffb490a799cd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}\stubpath = "C:\\Windows\\{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe"	{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0258F72E-1E13-426f-B7BD-F8D8869A967A}\stubpath = "C:\\Windows\\{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe"	{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F176E13C-5A1F-4622-A756-6F3DE4299302}	{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F176E13C-5A1F-4622-A756-6F3DE4299302}\stubpath = "C:\\Windows\\{F176E13C-5A1F-4622-A756-6F3DE4299302}.exe"	{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04F47FEB-FEBD-43a2-B748-17FB397E9C7F}\stubpath = "C:\\Windows\\{04F47FEB-FEBD-43a2-B748-17FB397E9C7F}.exe"	{F176E13C-5A1F-4622-A756-6F3DE4299302}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25195438-6DAC-4845-B245-7B57DCEA2533}	{0A683888-99DA-4a1a-B982-552C14BF2547}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}	{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0258F72E-1E13-426f-B7BD-F8D8869A967A}	{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}	{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}\stubpath = "C:\\Windows\\{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe"	{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56E6F201-70D8-4013-900D-B54FEE49CEA6}\stubpath = "C:\\Windows\\{56E6F201-70D8-4013-900D-B54FEE49CEA6}.exe"	{E1C2C4A9-9F10-43f0-8D7C-F0BC92B3D6D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A683888-99DA-4a1a-B982-552C14BF2547}	2024-01-11_3181341835e55b25bdb6ffb490a799cd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25195438-6DAC-4845-B245-7B57DCEA2533}\stubpath = "C:\\Windows\\{25195438-6DAC-4845-B245-7B57DCEA2533}.exe"	{0A683888-99DA-4a1a-B982-552C14BF2547}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40CE53BB-BAB7-47d0-BE2C-B13C88968320}	{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40CE53BB-BAB7-47d0-BE2C-B13C88968320}\stubpath = "C:\\Windows\\{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe"	{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1C2C4A9-9F10-43f0-8D7C-F0BC92B3D6D1}	{04F47FEB-FEBD-43a2-B748-17FB397E9C7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1C2C4A9-9F10-43f0-8D7C-F0BC92B3D6D1}\stubpath = "C:\\Windows\\{E1C2C4A9-9F10-43f0-8D7C-F0BC92B3D6D1}.exe"	{04F47FEB-FEBD-43a2-B748-17FB397E9C7F}.exe

Deletes itself 1 IoCs

pid	Process
2000	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1796	{0A683888-99DA-4a1a-B982-552C14BF2547}.exe
2788	{25195438-6DAC-4845-B245-7B57DCEA2533}.exe
2704	{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe
1292	{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe
2888	{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe
1352	{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe
1204	{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe
1820	{F176E13C-5A1F-4622-A756-6F3DE4299302}.exe
2456	{04F47FEB-FEBD-43a2-B748-17FB397E9C7F}.exe
1464	{E1C2C4A9-9F10-43f0-8D7C-F0BC92B3D6D1}.exe
568	{56E6F201-70D8-4013-900D-B54FEE49CEA6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{56E6F201-70D8-4013-900D-B54FEE49CEA6}.exe	{E1C2C4A9-9F10-43f0-8D7C-F0BC92B3D6D1}.exe
File created	C:\Windows\{0A683888-99DA-4a1a-B982-552C14BF2547}.exe	2024-01-11_3181341835e55b25bdb6ffb490a799cd_goldeneye.exe
File created	C:\Windows\{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe	{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe
File created	C:\Windows\{04F47FEB-FEBD-43a2-B748-17FB397E9C7F}.exe	{F176E13C-5A1F-4622-A756-6F3DE4299302}.exe
File created	C:\Windows\{E1C2C4A9-9F10-43f0-8D7C-F0BC92B3D6D1}.exe	{04F47FEB-FEBD-43a2-B748-17FB397E9C7F}.exe
File created	C:\Windows\{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe	{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe
File created	C:\Windows\{F176E13C-5A1F-4622-A756-6F3DE4299302}.exe	{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe
File created	C:\Windows\{25195438-6DAC-4845-B245-7B57DCEA2533}.exe	{0A683888-99DA-4a1a-B982-552C14BF2547}.exe
File created	C:\Windows\{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe	{25195438-6DAC-4845-B245-7B57DCEA2533}.exe
File created	C:\Windows\{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe	{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe
File created	C:\Windows\{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe	{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2076	2024-01-11_3181341835e55b25bdb6ffb490a799cd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1796	{0A683888-99DA-4a1a-B982-552C14BF2547}.exe
Token: SeIncBasePriorityPrivilege	2788	{25195438-6DAC-4845-B245-7B57DCEA2533}.exe
Token: SeIncBasePriorityPrivilege	2704	{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe
Token: SeIncBasePriorityPrivilege	1292	{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe
Token: SeIncBasePriorityPrivilege	2888	{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe
Token: SeIncBasePriorityPrivilege	1352	{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe
Token: SeIncBasePriorityPrivilege	1204	{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe
Token: SeIncBasePriorityPrivilege	1820	{F176E13C-5A1F-4622-A756-6F3DE4299302}.exe
Token: SeIncBasePriorityPrivilege	2456	{04F47FEB-FEBD-43a2-B748-17FB397E9C7F}.exe
Token: SeIncBasePriorityPrivilege	1464	{E1C2C4A9-9F10-43f0-8D7C-F0BC92B3D6D1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1796	2076	2024-01-11_3181341835e55b25bdb6ffb490a799cd_goldeneye.exe	28
PID 2076 wrote to memory of 1796	2076	2024-01-11_3181341835e55b25bdb6ffb490a799cd_goldeneye.exe	28
PID 2076 wrote to memory of 1796	2076	2024-01-11_3181341835e55b25bdb6ffb490a799cd_goldeneye.exe	28
PID 2076 wrote to memory of 1796	2076	2024-01-11_3181341835e55b25bdb6ffb490a799cd_goldeneye.exe	28
PID 2076 wrote to memory of 2000	2076	2024-01-11_3181341835e55b25bdb6ffb490a799cd_goldeneye.exe	29
PID 2076 wrote to memory of 2000	2076	2024-01-11_3181341835e55b25bdb6ffb490a799cd_goldeneye.exe	29
PID 2076 wrote to memory of 2000	2076	2024-01-11_3181341835e55b25bdb6ffb490a799cd_goldeneye.exe	29
PID 2076 wrote to memory of 2000	2076	2024-01-11_3181341835e55b25bdb6ffb490a799cd_goldeneye.exe	29
PID 1796 wrote to memory of 2788	1796	{0A683888-99DA-4a1a-B982-552C14BF2547}.exe	30
PID 1796 wrote to memory of 2788	1796	{0A683888-99DA-4a1a-B982-552C14BF2547}.exe	30
PID 1796 wrote to memory of 2788	1796	{0A683888-99DA-4a1a-B982-552C14BF2547}.exe	30
PID 1796 wrote to memory of 2788	1796	{0A683888-99DA-4a1a-B982-552C14BF2547}.exe	30
PID 1796 wrote to memory of 3016	1796	{0A683888-99DA-4a1a-B982-552C14BF2547}.exe	31
PID 1796 wrote to memory of 3016	1796	{0A683888-99DA-4a1a-B982-552C14BF2547}.exe	31
PID 1796 wrote to memory of 3016	1796	{0A683888-99DA-4a1a-B982-552C14BF2547}.exe	31
PID 1796 wrote to memory of 3016	1796	{0A683888-99DA-4a1a-B982-552C14BF2547}.exe	31
PID 2788 wrote to memory of 2704	2788	{25195438-6DAC-4845-B245-7B57DCEA2533}.exe	33
PID 2788 wrote to memory of 2704	2788	{25195438-6DAC-4845-B245-7B57DCEA2533}.exe	33
PID 2788 wrote to memory of 2704	2788	{25195438-6DAC-4845-B245-7B57DCEA2533}.exe	33
PID 2788 wrote to memory of 2704	2788	{25195438-6DAC-4845-B245-7B57DCEA2533}.exe	33
PID 2788 wrote to memory of 2808	2788	{25195438-6DAC-4845-B245-7B57DCEA2533}.exe	32
PID 2788 wrote to memory of 2808	2788	{25195438-6DAC-4845-B245-7B57DCEA2533}.exe	32
PID 2788 wrote to memory of 2808	2788	{25195438-6DAC-4845-B245-7B57DCEA2533}.exe	32
PID 2788 wrote to memory of 2808	2788	{25195438-6DAC-4845-B245-7B57DCEA2533}.exe	32
PID 2704 wrote to memory of 1292	2704	{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe	36
PID 2704 wrote to memory of 1292	2704	{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe	36
PID 2704 wrote to memory of 1292	2704	{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe	36
PID 2704 wrote to memory of 1292	2704	{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe	36
PID 2704 wrote to memory of 2424	2704	{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe	37
PID 2704 wrote to memory of 2424	2704	{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe	37
PID 2704 wrote to memory of 2424	2704	{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe	37
PID 2704 wrote to memory of 2424	2704	{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe	37
PID 1292 wrote to memory of 2888	1292	{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe	38
PID 1292 wrote to memory of 2888	1292	{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe	38
PID 1292 wrote to memory of 2888	1292	{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe	38
PID 1292 wrote to memory of 2888	1292	{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe	38
PID 1292 wrote to memory of 2684	1292	{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe	39
PID 1292 wrote to memory of 2684	1292	{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe	39
PID 1292 wrote to memory of 2684	1292	{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe	39
PID 1292 wrote to memory of 2684	1292	{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe	39
PID 2888 wrote to memory of 1352	2888	{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe	40
PID 2888 wrote to memory of 1352	2888	{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe	40
PID 2888 wrote to memory of 1352	2888	{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe	40
PID 2888 wrote to memory of 1352	2888	{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe	40
PID 2888 wrote to memory of 2540	2888	{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe	41
PID 2888 wrote to memory of 2540	2888	{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe	41
PID 2888 wrote to memory of 2540	2888	{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe	41
PID 2888 wrote to memory of 2540	2888	{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe	41
PID 1352 wrote to memory of 1204	1352	{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe	42
PID 1352 wrote to memory of 1204	1352	{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe	42
PID 1352 wrote to memory of 1204	1352	{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe	42
PID 1352 wrote to memory of 1204	1352	{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe	42
PID 1352 wrote to memory of 472	1352	{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe	43
PID 1352 wrote to memory of 472	1352	{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe	43
PID 1352 wrote to memory of 472	1352	{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe	43
PID 1352 wrote to memory of 472	1352	{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe	43
PID 1204 wrote to memory of 1820	1204	{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe	44
PID 1204 wrote to memory of 1820	1204	{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe	44
PID 1204 wrote to memory of 1820	1204	{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe	44
PID 1204 wrote to memory of 1820	1204	{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe	44
PID 1204 wrote to memory of 1776	1204	{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe	45
PID 1204 wrote to memory of 1776	1204	{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe	45
PID 1204 wrote to memory of 1776	1204	{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe	45
PID 1204 wrote to memory of 1776	1204	{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-11_3181341835e55b25bdb6ffb490a799cd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_3181341835e55b25bdb6ffb490a799cd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\{0A683888-99DA-4a1a-B982-552C14BF2547}.exe
  C:\Windows\{0A683888-99DA-4a1a-B982-552C14BF2547}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\{25195438-6DAC-4845-B245-7B57DCEA2533}.exe
    C:\Windows\{25195438-6DAC-4845-B245-7B57DCEA2533}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{25195~1.EXE > nul
      4⤵
      PID:2808
  - - C:\Windows\{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe
      C:\Windows\{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe
        
        C:\Windows\{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Windows\{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe
        
        C:\Windows\{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe
        
        C:\Windows\{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe
        
        C:\Windows\{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\{F176E13C-5A1F-4622-A756-6F3DE4299302}.exe
        
        C:\Windows\{F176E13C-5A1F-4622-A756-6F3DE4299302}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\{04F47FEB-FEBD-43a2-B748-17FB397E9C7F}.exe
        
        C:\Windows\{04F47FEB-FEBD-43a2-B748-17FB397E9C7F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\{E1C2C4A9-9F10-43f0-8D7C-F0BC92B3D6D1}.exe
        
        C:\Windows\{E1C2C4A9-9F10-43f0-8D7C-F0BC92B3D6D1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\{56E6F201-70D8-4013-900D-B54FEE49CEA6}.exe
        
        C:\Windows\{56E6F201-70D8-4013-900D-B54FEE49CEA6}.exe
        12⤵
        Executes dropped EXE
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1C2C~1.EXE > nul
        12⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04F47~1.EXE > nul
        11⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F176E~1.EXE > nul
        10⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7CEC~1.EXE > nul
        9⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40CE5~1.EXE > nul
        8⤵
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0258F~1.EXE > nul
        7⤵
        
        PID:2540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6D9B~1.EXE > nul
        6⤵
        
        PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8380~1.EXE > nul
        5⤵
        
        PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0A683~1.EXE > nul
    3⤵
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0258F72E-1E13-426f-B7BD-F8D8869A967A}.exe

Filesize
408KB

MD5
88f55e6e898d9ff9da4928c87f7ddde1

SHA1
2d9305b57f1747f238cddda66f1e60cec4834cac

SHA256
c4ce9aa0703853d5718389caf7d3d9f899913c9d2106594f92a5f707a2e65da5

SHA512
4a8f915f0367fdd6c749b9b003a7359d0314491ccca171fbc1359e41f3fc1a81cbd165df6c286a32817fa36acfbe3f570d3ef58fa2725061db0111253bc8ed3e

Download Submit
C:\Windows\{04F47FEB-FEBD-43a2-B748-17FB397E9C7F}.exe

Filesize
408KB

MD5
b31cbc5395fe92c10b70a9671861378f

SHA1
210c9fc1471c219fdfce8f7af59efb368de2203a

SHA256
ec8f35c28e76fad7fe0fa7726e66b8d924539b08cad5727d95f54e9486d47530

SHA512
691c88486606ab83fdd106edd204edaf41d77d8785fb36f7deae757c00b588fcdc9edf018ee8a4878a8d5009db9cd990e94c3593f6fc3956276b29eb1c4fce13

Download Submit
C:\Windows\{0A683888-99DA-4a1a-B982-552C14BF2547}.exe

Filesize
73KB

MD5
bbfc32a9ca8ef891c720d7f05573fc85

SHA1
7658ce16cbd6a136badf25316d521d4bd4c572be

SHA256
79da52875ed11c36181ef8b93ae8cb5d89d019ba66e214d1dd2d59b0d3125921

SHA512
c73335488abf496b0ae1b1ef6070e4944f48d3c3abf9e200c31db157ff565fffbf3f856ed466aef8f5fc74fb80f5019486d33b094b966fad33a5a3482f042a92

Download Submit
C:\Windows\{0A683888-99DA-4a1a-B982-552C14BF2547}.exe

Filesize
68KB

MD5
63e9ef135176447f5dc2a59bb6180afc

SHA1
df87707697dd6e5d711533d3bc4a7bbff45e918b

SHA256
0eda1232076cc849e87e2bd9cfb240ff92dea573b23c6870dc999940e0773b7d

SHA512
4eddeb6e54e61bc1cfc5de4560c15f6f48df29b198eb4123978f005d618305b017348ba48c9319be155c7d9c5a02433728714cb7767670cb029d6691b0c042f3

Download Submit
C:\Windows\{0A683888-99DA-4a1a-B982-552C14BF2547}.exe

Filesize
33KB

MD5
6e84df5aeec90df602f5acec1fd622f8

SHA1
b72bd512c1e4f38d77a0be35c299ccb060d8bdd1

SHA256
39966a8be649f67505b5efe851e54e42cf36ccfe3f162e8aba05101076e56670

SHA512
36fc9d301a9ec53cdda968245453b416b8e62bb262ffac1a8ad10af1f74a906f01fb7bcb62020abe73d3173b940ea8e22f1417bef4fdb2add7448d7cc6f4f83c

Download Submit
C:\Windows\{25195438-6DAC-4845-B245-7B57DCEA2533}.exe

Filesize
33KB

MD5
13dc54282d95cf60524f36f423f71ece

SHA1
82ec8d7924ac3d64894ef67fc9f91205e3d32a9d

SHA256
b775d7a2fd3497687bd3cc2672da42695f4b02f2b68a3b1a56b9ac573c52badd

SHA512
62b01425da3527c9a10d9dd0ec9f79d59c7bd580135d0981d8ea2f196b5a50d5df80dabc9d9b483fba00f3f4691e4660538760854b971d34cbf3e0e6c9e549b4

Download Submit
C:\Windows\{25195438-6DAC-4845-B245-7B57DCEA2533}.exe

Filesize
408KB

MD5
0b741ceb646ac020edcbb1366c7d30c4

SHA1
b69d7125169439a20b6fa3d9d6f70bae462fbd25

SHA256
576d103ad8e48111abca8c77ca27b475ffca7670211406f236db39be2a0ea0ac

SHA512
dd12b3fdd8991b5e8a709838bf6a210717050c146f595025f8e3988c43c19c7156e94a0335a308af256512e813c488bd71977bb2ef94f4737fbc47b7a53c0281

Download Submit
C:\Windows\{40CE53BB-BAB7-47d0-BE2C-B13C88968320}.exe

Filesize
408KB

MD5
6c79fcc1bc1093240529f2f09a126da5

SHA1
1a4b84d6e8ca3df5258c817db77bddb7beb69c2d

SHA256
1739f534a5b0f78c1cdf43e7154bc55a5af544525b0946b58c0ee4091272bf3f

SHA512
556a4af4af1adaf4ea8bab70b1a6d0cc9a419ca4bd595506887b102bc9194e301b9c7b23b9e9e2b7b4df4deecfb13bff7062bb2701505e8ac5e57d65f2dec789

Download Submit
C:\Windows\{56E6F201-70D8-4013-900D-B54FEE49CEA6}.exe

Filesize
408KB

MD5
6b9dd2372112f74806f32cd0bb1ee64e

SHA1
7412780d1458b150cf3bd36f002d5c4deb5797c7

SHA256
04d773bc6180e8791acf28b3642c7dc498870246f9ebe2c0fcad7d7319902677

SHA512
6f6e71dd499dfcc41972e29faaf46d4db0783ccadf9f53377d9bef810d86170a455fddc2d16b855156a1d0f2675a46ee2ecececd03bf5c59f6d05abda5367d8f

Download Submit
C:\Windows\{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe

Filesize
403KB

MD5
33c9ffa7a2fd6339e2eb7a2b29e00c96

SHA1
f5c6fe5fc75289df300e5dfaf096ae7021f1d25b

SHA256
ce414c535f889dee509d961f5123362a98ac18029d21fa3f1a940dbfe7b93c8b

SHA512
8cb527ddd8d50fb60001758bd998a22f8eb0553bc4741b4a12211d8fe363b933fbba538fe0d06fc555617516b593441d38e2b8d231107af1ee89c257b12e59f5

Download Submit
C:\Windows\{C83807E9-E4E0-4274-867B-AD0A433AD8CC}.exe

Filesize
331KB

MD5
fa9b553bf172cafbd7697e76d1e3ef03

SHA1
f08a91630612c2dd3edba16ac467035382c2f174

SHA256
dff01b27b3663c296749a3e3e2f1a3c1a61b53067a954d6444621d218fe59341

SHA512
8b8be170a9a4de85caaa82ec71789f5e9ac8442769b7cf21c19c0b3f22f80a0391823171d3f6f872d7a4ed3cbf231e3c097d955ebeec0e20babe3a71acfd1d5f

Download Submit
C:\Windows\{E1C2C4A9-9F10-43f0-8D7C-F0BC92B3D6D1}.exe

Filesize
408KB

MD5
495bf876b21209af4b2678901821648c

SHA1
c78479087f6a47bfe720f584c58d1f069078b704

SHA256
107eaf0f0b06bc91f09c98c06da08f3b024dedce424b86ddec2d5209a2ce4f35

SHA512
3a70a5b995eff668f25b71706c1f65214b74fa52584cdcd01912302c847ae486a1c54ff2cd0244e6e7bff862f9b814f218a9b87059076c0986e94264462a586d

Download Submit
C:\Windows\{F176E13C-5A1F-4622-A756-6F3DE4299302}.exe

Filesize
140KB

MD5
4d2f81752ffb1f7db87865aff1c80f14

SHA1
dd3b19b639724088c3b540da86610921c65c1eb4

SHA256
fbef1d592db4d95c39d091a9f22355ca2e31c54df2d9cfbf63cab99e43b61617

SHA512
0de0b582135de618816b798d0bb152c5fbf20a327ae191295679dd73d2e5ffab347db50e747b28be214496eb4821c9f5ca3525eb6d96dc37a693bf6466fa4813

Download Submit
C:\Windows\{F176E13C-5A1F-4622-A756-6F3DE4299302}.exe

Filesize
408KB

MD5
45d2d5cf58b58849e412c57eeecf9163

SHA1
ff328e1f0c95a8efcfa28560ac7b4e6337ba2aa4

SHA256
af9ecd52559edb6cf5cfb1096eab0092791d75633689762f5c5b1c07599f5c04

SHA512
a968c9d9998d3470b2a90267ca4d5f7490bbc2219f3ee1f72c1779861308083fb79009b48a5e0821ee75fbead1d143db52aa0ccaf53fe899cdd4f51f7e50775c

Download Submit
C:\Windows\{F6D9BAA0-6BB6-4eb9-9E4F-BEA440EB3501}.exe

Filesize
408KB

MD5
9eb7972d19e77355e980e75fd1f17126

SHA1
11d9a13a60ec2680b84171b8b4d4242009c20c21

SHA256
e904714a9ca355ee069c5d3956a3964f8d40678972bbff3e239af0a1a9b78c18

SHA512
1fafe6ee4f3639dcefa9ee409777d9be288077a94667f62fd572f68d99cef7fb354610edc7f324bdac740204982ef5530086a166c5bc68fc5a18a60c047ffa7e

Download Submit
C:\Windows\{F7CEC0D7-7E9D-4c92-A198-1C713152BAF0}.exe

Filesize
408KB

MD5
9fbc1a3aed066da5478d71ba3d3fcdb9

SHA1
f1fd922e39d4ae1a2a38b6970cf5731e7025435b

SHA256
8ed88a4bdcc96c57da3885eea5f2cb7bbe2f4e74ebbc2484f214bcec09f50a16

SHA512
67f5d3865ea0182f7cf0cd94a4cb389b319c41882e6d176ab6fb98a181c1b730bf77aa7ef910ef53355d29803bd2b3f567d614783f04dab14da30ef573f958eb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads