b58731615ac57e57e370eadec3b4621fbe61d7f6c2ae347a984b4e5010d6f634

Analysis

max time kernel
138s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-01-2024 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe
Size

380KB
MD5

384957d4b0664e9777c1244e130ba4a9
SHA1

04287983cf47b156caa91f84bd65b2f21fedd126
SHA256

b58731615ac57e57e370eadec3b4621fbe61d7f6c2ae347a984b4e5010d6f634
SHA512

0ee0af5807e0ed01b6278630a170aebeeb2025d888debba68b83049fe5c84c975bd2750058e62a36ca9152d4e32970169083aba0fdcbca6c5ac12c8bf2d863f1
SSDEEP

3072:mEGh0oLlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGJl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}	{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}\stubpath = "C:\\Windows\\{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe"	{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC7BBCEE-18D5-492a-B0F9-A57EAB71FD4D}	{45C3C893-50B9-41c4-8322-584F985D2648}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F451676-762F-42da-BE51-72A0B05EF256}	{EC7BBCEE-18D5-492a-B0F9-A57EAB71FD4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F474F79F-0684-4813-A959-07EFCA5D4BC2}	{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F474F79F-0684-4813-A959-07EFCA5D4BC2}\stubpath = "C:\\Windows\\{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe"	{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}	{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E5B2995-90BF-457c-A3A8-28CA0CA89393}	{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}	{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}\stubpath = "C:\\Windows\\{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe"	{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}	{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}\stubpath = "C:\\Windows\\{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe"	{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC7BBCEE-18D5-492a-B0F9-A57EAB71FD4D}\stubpath = "C:\\Windows\\{EC7BBCEE-18D5-492a-B0F9-A57EAB71FD4D}.exe"	{45C3C893-50B9-41c4-8322-584F985D2648}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45C3C893-50B9-41c4-8322-584F985D2648}\stubpath = "C:\\Windows\\{45C3C893-50B9-41c4-8322-584F985D2648}.exe"	{ADCC06FF-81BC-48db-A0F5-3F6FCF3A4F75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484E6D7E-7E14-431f-AA54-576165EAE0AE}	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484E6D7E-7E14-431f-AA54-576165EAE0AE}\stubpath = "C:\\Windows\\{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe"	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E5B2995-90BF-457c-A3A8-28CA0CA89393}\stubpath = "C:\\Windows\\{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe"	{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}\stubpath = "C:\\Windows\\{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe"	{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADCC06FF-81BC-48db-A0F5-3F6FCF3A4F75}	{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADCC06FF-81BC-48db-A0F5-3F6FCF3A4F75}\stubpath = "C:\\Windows\\{ADCC06FF-81BC-48db-A0F5-3F6FCF3A4F75}.exe"	{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45C3C893-50B9-41c4-8322-584F985D2648}	{ADCC06FF-81BC-48db-A0F5-3F6FCF3A4F75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F451676-762F-42da-BE51-72A0B05EF256}\stubpath = "C:\\Windows\\{3F451676-762F-42da-BE51-72A0B05EF256}.exe"	{EC7BBCEE-18D5-492a-B0F9-A57EAB71FD4D}.exe

Deletes itself 1 IoCs

pid	Process
2192	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3052	{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe
2688	{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe
2584	{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe
2960	{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe
2456	{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe
2780	{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe
2568	{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe
1564	{ADCC06FF-81BC-48db-A0F5-3F6FCF3A4F75}.exe
2024	{45C3C893-50B9-41c4-8322-584F985D2648}.exe
604	{EC7BBCEE-18D5-492a-B0F9-A57EAB71FD4D}.exe
584	{3F451676-762F-42da-BE51-72A0B05EF256}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{45C3C893-50B9-41c4-8322-584F985D2648}.exe	{ADCC06FF-81BC-48db-A0F5-3F6FCF3A4F75}.exe
File created	C:\Windows\{EC7BBCEE-18D5-492a-B0F9-A57EAB71FD4D}.exe	{45C3C893-50B9-41c4-8322-584F985D2648}.exe
File created	C:\Windows\{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe
File created	C:\Windows\{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe	{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe
File created	C:\Windows\{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe	{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe
File created	C:\Windows\{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe	{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe
File created	C:\Windows\{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe	{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe
File created	C:\Windows\{ADCC06FF-81BC-48db-A0F5-3F6FCF3A4F75}.exe	{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe
File created	C:\Windows\{3F451676-762F-42da-BE51-72A0B05EF256}.exe	{EC7BBCEE-18D5-492a-B0F9-A57EAB71FD4D}.exe
File created	C:\Windows\{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe	{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe
File created	C:\Windows\{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe	{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2552	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3052	{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe
Token: SeIncBasePriorityPrivilege	2688	{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe
Token: SeIncBasePriorityPrivilege	2584	{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe
Token: SeIncBasePriorityPrivilege	2960	{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe
Token: SeIncBasePriorityPrivilege	2456	{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe
Token: SeIncBasePriorityPrivilege	2780	{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe
Token: SeIncBasePriorityPrivilege	2568	{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe
Token: SeIncBasePriorityPrivilege	1564	{ADCC06FF-81BC-48db-A0F5-3F6FCF3A4F75}.exe
Token: SeIncBasePriorityPrivilege	2024	{45C3C893-50B9-41c4-8322-584F985D2648}.exe
Token: SeIncBasePriorityPrivilege	604	{EC7BBCEE-18D5-492a-B0F9-A57EAB71FD4D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 3052	2552	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe	28
PID 2552 wrote to memory of 3052	2552	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe	28
PID 2552 wrote to memory of 3052	2552	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe	28
PID 2552 wrote to memory of 3052	2552	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe	28
PID 2552 wrote to memory of 2192	2552	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe	29
PID 2552 wrote to memory of 2192	2552	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe	29
PID 2552 wrote to memory of 2192	2552	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe	29
PID 2552 wrote to memory of 2192	2552	2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe	29
PID 3052 wrote to memory of 2688	3052	{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe	31
PID 3052 wrote to memory of 2688	3052	{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe	31
PID 3052 wrote to memory of 2688	3052	{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe	31
PID 3052 wrote to memory of 2688	3052	{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe	31
PID 3052 wrote to memory of 2620	3052	{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe	30
PID 3052 wrote to memory of 2620	3052	{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe	30
PID 3052 wrote to memory of 2620	3052	{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe	30
PID 3052 wrote to memory of 2620	3052	{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe	30
PID 2688 wrote to memory of 2584	2688	{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe	33
PID 2688 wrote to memory of 2584	2688	{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe	33
PID 2688 wrote to memory of 2584	2688	{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe	33
PID 2688 wrote to memory of 2584	2688	{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe	33
PID 2688 wrote to memory of 2840	2688	{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe	32
PID 2688 wrote to memory of 2840	2688	{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe	32
PID 2688 wrote to memory of 2840	2688	{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe	32
PID 2688 wrote to memory of 2840	2688	{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe	32
PID 2584 wrote to memory of 2960	2584	{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe	37
PID 2584 wrote to memory of 2960	2584	{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe	37
PID 2584 wrote to memory of 2960	2584	{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe	37
PID 2584 wrote to memory of 2960	2584	{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe	37
PID 2584 wrote to memory of 2180	2584	{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe	36
PID 2584 wrote to memory of 2180	2584	{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe	36
PID 2584 wrote to memory of 2180	2584	{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe	36
PID 2584 wrote to memory of 2180	2584	{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe	36
PID 2960 wrote to memory of 2456	2960	{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe	39
PID 2960 wrote to memory of 2456	2960	{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe	39
PID 2960 wrote to memory of 2456	2960	{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe	39
PID 2960 wrote to memory of 2456	2960	{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe	39
PID 2960 wrote to memory of 308	2960	{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe	38
PID 2960 wrote to memory of 308	2960	{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe	38
PID 2960 wrote to memory of 308	2960	{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe	38
PID 2960 wrote to memory of 308	2960	{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe	38
PID 2456 wrote to memory of 2780	2456	{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe	40
PID 2456 wrote to memory of 2780	2456	{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe	40
PID 2456 wrote to memory of 2780	2456	{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe	40
PID 2456 wrote to memory of 2780	2456	{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe	40
PID 2456 wrote to memory of 784	2456	{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe	41
PID 2456 wrote to memory of 784	2456	{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe	41
PID 2456 wrote to memory of 784	2456	{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe	41
PID 2456 wrote to memory of 784	2456	{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe	41
PID 2780 wrote to memory of 2568	2780	{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe	42
PID 2780 wrote to memory of 2568	2780	{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe	42
PID 2780 wrote to memory of 2568	2780	{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe	42
PID 2780 wrote to memory of 2568	2780	{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe	42
PID 2780 wrote to memory of 2812	2780	{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe	43
PID 2780 wrote to memory of 2812	2780	{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe	43
PID 2780 wrote to memory of 2812	2780	{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe	43
PID 2780 wrote to memory of 2812	2780	{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe	43
PID 2568 wrote to memory of 1564	2568	{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe	45
PID 2568 wrote to memory of 1564	2568	{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe	45
PID 2568 wrote to memory of 1564	2568	{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe	45
PID 2568 wrote to memory of 1564	2568	{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe	45
PID 2568 wrote to memory of 1784	2568	{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe	44
PID 2568 wrote to memory of 1784	2568	{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe	44
PID 2568 wrote to memory of 1784	2568	{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe	44
PID 2568 wrote to memory of 1784	2568	{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_384957d4b0664e9777c1244e130ba4a9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe
  C:\Windows\{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{484E6~1.EXE > nul
    3⤵
    PID:2620
- - C:\Windows\{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe
    C:\Windows\{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{46FA5~1.EXE > nul
      4⤵
      PID:2840
  - - C:\Windows\{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe
      C:\Windows\{9E5B2995-90BF-457c-A3A8-28CA0CA89393}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E5B2~1.EXE > nul
        5⤵
        
        PID:2180
    - - C:\Windows\{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe
        
        C:\Windows\{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F474F~1.EXE > nul
        6⤵
        
        PID:308
      - C:\Windows\{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe
        
        C:\Windows\{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe
        
        C:\Windows\{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe
        
        C:\Windows\{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AC3F~1.EXE > nul
        9⤵
        
        PID:1784
        
        C:\Windows\{ADCC06FF-81BC-48db-A0F5-3F6FCF3A4F75}.exe
        
        C:\Windows\{ADCC06FF-81BC-48db-A0F5-3F6FCF3A4F75}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADCC0~1.EXE > nul
        10⤵
        
        PID:2852
        
        C:\Windows\{45C3C893-50B9-41c4-8322-584F985D2648}.exe
        
        C:\Windows\{45C3C893-50B9-41c4-8322-584F985D2648}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{EC7BBCEE-18D5-492a-B0F9-A57EAB71FD4D}.exe
        
        C:\Windows\{EC7BBCEE-18D5-492a-B0F9-A57EAB71FD4D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Windows\{3F451676-762F-42da-BE51-72A0B05EF256}.exe
        
        C:\Windows\{3F451676-762F-42da-BE51-72A0B05EF256}.exe
        12⤵
        Executes dropped EXE
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC7BB~1.EXE > nul
        12⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45C3C~1.EXE > nul
        11⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42746~1.EXE > nul
        8⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B13D1~1.EXE > nul
        7⤵
        
        PID:784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{42746A10-F1EC-4ea5-ABB2-9F740DE45D7B}.exe

Filesize
380KB

MD5
f78226435ec6c363017bece46c266cd4

SHA1
88a5a1dcd3c4c7c320cebf0d2c35b9f1dedcb604

SHA256
5c4826f6b3423f0f4e065667d12c76d44501c8e870db8d53d3674629c666c326

SHA512
18b8043650519cf661db9e2b05c189fb4ec040dca609acb9a26cb8fd495b696cfa6da0a784449a198beb8cebd4a78d2c43230d9d9d82d0d00969ae43f56bd818

Download Submit
C:\Windows\{45C3C893-50B9-41c4-8322-584F985D2648}.exe

Filesize
380KB

MD5
ec21678bc5249fa18e26dbb8fbf7ef23

SHA1
6d47129ee6632570ba21c8945230402f65c00b1d

SHA256
6e70f2425384834d7d15de27c75634480908d517d3e5b8d541116f617950f401

SHA512
58641aef69963fc12862e4d4711e4c02aaf4d787ce8e2c4f7914c11a4ffffcf6e42e451f74f7a30a264cc20212e66d74c3fde51e4fb4c72faed7eba8a967cd82

Download Submit
C:\Windows\{46FA5D49-AA40-40ff-9ADE-FE48B1F96D31}.exe

Filesize
62KB

MD5
bd01cd4ca5d6d646f4a35ef0dea35b62

SHA1
4b3bb3407a8e4489ec8efd2f1213e2c8e8e24eda

SHA256
d5fed8cb919fb9f87ea3bd6fd64ad995aa11f2242351e99530cb57575fa19f97

SHA512
676ef1a428970a2090cdcc4425c47d612d931fefdd019e59284e089a06a8754e8ab4ba605e5f1d6633aa203e6045ffb751430d194600b0459f82c9e86fd105de

Download Submit
C:\Windows\{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe

Filesize
380KB

MD5
ccc2ad3d57bc2fe8290d7125bfcb2510

SHA1
ec1d65066e018d93da806ec5905721b6f8385449

SHA256
4edd33d93f2a2be82244565664c79790e364288eeebfbcb6472e1a061bb4356b

SHA512
4fb84a03ee2649d58c3663f03db5da6b5ed70131d3e78e5136b6efb3dec41af33245f82eed1ddd1e5239f67c0ec711e39910567174b207eebd64a70393453af1

Download Submit
C:\Windows\{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe

Filesize
122KB

MD5
b039bf72c17a987754e77c6628b7627f

SHA1
9b122053af7d6b0dcfc7509ab4729b5b7e8a2fd0

SHA256
6fcf1b6b3036c7d662b0703e3b66311b61eae97d5c4596445df25cd4b8351e9d

SHA512
a546fc6351abe4a3078cf5d09cf5cf9014edd48670f4a70655dc69aaf74fc96f0c83e50ecbba7caa87bfd13ab17972bbb585b99291ba10a40c5ad759d1166141

Download Submit
C:\Windows\{484E6D7E-7E14-431f-AA54-576165EAE0AE}.exe

Filesize
156KB

MD5
7c30e5c7ac9062755dd9c54805589ef2

SHA1
d21e146923a213c6269d1f1dd2fb01e216dc45a9

SHA256
ec975573fcfc90d7cfe06281f9630e6143320690b0e27a2cc9d2d223cebb6f0d

SHA512
fba4123a03d34b9ef67a8f8d1ea27e92ebe5eaddc59c60c8a43f1894d522c5fae9eb31a039983d6955172f12bc9914a4fd694f31fa3e2af6b6a9aa8c99ae78bd

Download Submit
C:\Windows\{6AC3F1CD-5EEA-42ac-B2ED-A70F1ECB1A31}.exe

Filesize
380KB

MD5
580e40ecabffcb765d03ac6096c3bc79

SHA1
dbdd336ed8bb78d6e8d5108da96a99291d4a069e

SHA256
f7a9b00158a698f8c215b944532653aca48a54ff3ffbbb60c007b4a772840996

SHA512
d34bc1017d01cd2500c0c7d8aad978300a26f2fd83cbc01e944f1bcb10e460c1155e88c48fd107d38368e7511e542344312c3ad629a66163374a8220f381621d

Download Submit
C:\Windows\{ADCC06FF-81BC-48db-A0F5-3F6FCF3A4F75}.exe

Filesize
380KB

MD5
8c388d48313cb1f562eb0db547ff304f

SHA1
cb105cb0219bb5c13ebce5cce722457ef7862633

SHA256
03b9845eacea48b7093d092c6b93f9f0bec24ed55f6a15ab3e95f403de9a2240

SHA512
b3d7a6d328895b76b3729c465e1aad4a930fd8effc2a4d1d9704691394a4d854ecd321733986d3221c1801cfd810cab2320fda3e12317a4aeed9e50e1aa85d64

Download Submit
C:\Windows\{B13D10FD-5E17-4a96-9BF3-E6388EDFB09D}.exe

Filesize
380KB

MD5
4bc8293d7e8c07919a6332cd971b9295

SHA1
f13260ab2288b769e36fb4a8a4da3a1be88942e9

SHA256
e75cace601340df9aeceb1db78780e814268ba1f094caf4c1f25b3e2e0e14472

SHA512
0f71a5b07e3e80a3c1402e0bee8f0dc6bd7e9c9497f5bde6567a01943109c55fe0db9757717120a623e7903901a39672e430739013577004408b9a02f9bf0be7

Download Submit
C:\Windows\{EC7BBCEE-18D5-492a-B0F9-A57EAB71FD4D}.exe

Filesize
380KB

MD5
7a4cc0072bfb437f76564a8e8da581ac

SHA1
63a9a3adbb9314985204cea5efaa04ccef4db13a

SHA256
b1999d3629bfb48c7eb698ef4f1f54be539279c9d1b41e72df316ef57a746bb7

SHA512
a24b577da6e06795a6acaa4f13e6ec20193103747679d2880b1bc60a69b95e02411e9453c2fed55830543abb0c9c0a933f5f7ce2ff81d7c6253dd848a9b19f76

Download Submit
C:\Windows\{F474F79F-0684-4813-A959-07EFCA5D4BC2}.exe

Filesize
380KB

MD5
2e1ff2d2d081fa385b05be338b830c80

SHA1
7ecb21d702511a139ac267c5ddfa0527b4418f84

SHA256
b76065fc1ec028e19bffd4242eb38589b82a91e4e7526e4d64ff746de3603bad

SHA512
6259542ba2aea1c1b0908e6164d1a9c07a0669a877fcf007db9ce8cb017bc6666f82c226af026bf717d9cfb881663572a43a1c233b2591193a57a8518d369c48

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads