233d48d4a8f94d9243d93ba471429a9735207ee779b5bd0eb63f3a47fecf6956

Analysis

max time kernel
138s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-01-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_9bd6d84b9e1b75e24f9a44328d075a37_goldeneye.exe
Size

380KB
MD5

9bd6d84b9e1b75e24f9a44328d075a37
SHA1

3d49ab463c4509706ce9ed8a241668ec87a73321
SHA256

233d48d4a8f94d9243d93ba471429a9735207ee779b5bd0eb63f3a47fecf6956
SHA512

dac19b4524e77bf83f40be95485207d0a798e3268059fc85316592ad216e7c17551eb420a01407c094f2f5fad50688bdac6a08dee1d847032e514d5f4b4651ec
SSDEEP

3072:mEGh0oelPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGIl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C4EEE27-98AF-49c3-83BE-031C7D5BF0A2}\stubpath = "C:\\Windows\\{0C4EEE27-98AF-49c3-83BE-031C7D5BF0A2}.exe"	{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DD75544-CF4F-4f9a-89D4-2069A9A71F08}\stubpath = "C:\\Windows\\{5DD75544-CF4F-4f9a-89D4-2069A9A71F08}.exe"	{29C9FFCB-FBA0-48ba-BFBD-6AD2191613E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E505C412-99A7-4d1a-8DB9-5FF767746FE9}	{5DD75544-CF4F-4f9a-89D4-2069A9A71F08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{840C3A32-F2EB-40b4-85F3-A916766ABFAB}	{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0D02E12-DBD3-431a-86AA-32269EE19C4C}\stubpath = "C:\\Windows\\{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe"	{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A62C0AA1-A49A-4196-A017-43A2668E0BA2}\stubpath = "C:\\Windows\\{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe"	{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0D02E12-DBD3-431a-86AA-32269EE19C4C}	{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}	{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C4EEE27-98AF-49c3-83BE-031C7D5BF0A2}	{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29C9FFCB-FBA0-48ba-BFBD-6AD2191613E2}\stubpath = "C:\\Windows\\{29C9FFCB-FBA0-48ba-BFBD-6AD2191613E2}.exe"	{0C4EEE27-98AF-49c3-83BE-031C7D5BF0A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E505C412-99A7-4d1a-8DB9-5FF767746FE9}\stubpath = "C:\\Windows\\{E505C412-99A7-4d1a-8DB9-5FF767746FE9}.exe"	{5DD75544-CF4F-4f9a-89D4-2069A9A71F08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{362FFA49-C777-41e8-96F3-A97EB9B68CAA}	2024-01-11_9bd6d84b9e1b75e24f9a44328d075a37_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{362FFA49-C777-41e8-96F3-A97EB9B68CAA}\stubpath = "C:\\Windows\\{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe"	2024-01-11_9bd6d84b9e1b75e24f9a44328d075a37_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{840C3A32-F2EB-40b4-85F3-A916766ABFAB}\stubpath = "C:\\Windows\\{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe"	{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A62C0AA1-A49A-4196-A017-43A2668E0BA2}	{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29C9FFCB-FBA0-48ba-BFBD-6AD2191613E2}	{0C4EEE27-98AF-49c3-83BE-031C7D5BF0A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}\stubpath = "C:\\Windows\\{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe"	{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}	{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}\stubpath = "C:\\Windows\\{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe"	{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30176734-ABAE-4a81-B534-433D03BB6EA7}	{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30176734-ABAE-4a81-B534-433D03BB6EA7}\stubpath = "C:\\Windows\\{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe"	{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DD75544-CF4F-4f9a-89D4-2069A9A71F08}	{29C9FFCB-FBA0-48ba-BFBD-6AD2191613E2}.exe

Deletes itself 1 IoCs

pid	Process
2188	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1740	{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe
2528	{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe
2632	{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe
2324	{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe
1512	{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe
2328	{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe
1684	{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe
2468	{0C4EEE27-98AF-49c3-83BE-031C7D5BF0A2}.exe
2640	{29C9FFCB-FBA0-48ba-BFBD-6AD2191613E2}.exe
2644	{5DD75544-CF4F-4f9a-89D4-2069A9A71F08}.exe
3068	{E505C412-99A7-4d1a-8DB9-5FF767746FE9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe	2024-01-11_9bd6d84b9e1b75e24f9a44328d075a37_goldeneye.exe
File created	C:\Windows\{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe	{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe
File created	C:\Windows\{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe	{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe
File created	C:\Windows\{5DD75544-CF4F-4f9a-89D4-2069A9A71F08}.exe	{29C9FFCB-FBA0-48ba-BFBD-6AD2191613E2}.exe
File created	C:\Windows\{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe	{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe
File created	C:\Windows\{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe	{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe
File created	C:\Windows\{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe	{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe
File created	C:\Windows\{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe	{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe
File created	C:\Windows\{0C4EEE27-98AF-49c3-83BE-031C7D5BF0A2}.exe	{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe
File created	C:\Windows\{29C9FFCB-FBA0-48ba-BFBD-6AD2191613E2}.exe	{0C4EEE27-98AF-49c3-83BE-031C7D5BF0A2}.exe
File created	C:\Windows\{E505C412-99A7-4d1a-8DB9-5FF767746FE9}.exe	{5DD75544-CF4F-4f9a-89D4-2069A9A71F08}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2616	2024-01-11_9bd6d84b9e1b75e24f9a44328d075a37_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1740	{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe
Token: SeIncBasePriorityPrivilege	2528	{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe
Token: SeIncBasePriorityPrivilege	2632	{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe
Token: SeIncBasePriorityPrivilege	2324	{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe
Token: SeIncBasePriorityPrivilege	1512	{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe
Token: SeIncBasePriorityPrivilege	2328	{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe
Token: SeIncBasePriorityPrivilege	1684	{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe
Token: SeIncBasePriorityPrivilege	2468	{0C4EEE27-98AF-49c3-83BE-031C7D5BF0A2}.exe
Token: SeIncBasePriorityPrivilege	2640	{29C9FFCB-FBA0-48ba-BFBD-6AD2191613E2}.exe
Token: SeIncBasePriorityPrivilege	2644	{5DD75544-CF4F-4f9a-89D4-2069A9A71F08}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1740	2616	2024-01-11_9bd6d84b9e1b75e24f9a44328d075a37_goldeneye.exe	28
PID 2616 wrote to memory of 1740	2616	2024-01-11_9bd6d84b9e1b75e24f9a44328d075a37_goldeneye.exe	28
PID 2616 wrote to memory of 1740	2616	2024-01-11_9bd6d84b9e1b75e24f9a44328d075a37_goldeneye.exe	28
PID 2616 wrote to memory of 1740	2616	2024-01-11_9bd6d84b9e1b75e24f9a44328d075a37_goldeneye.exe	28
PID 2616 wrote to memory of 2188	2616	2024-01-11_9bd6d84b9e1b75e24f9a44328d075a37_goldeneye.exe	29
PID 2616 wrote to memory of 2188	2616	2024-01-11_9bd6d84b9e1b75e24f9a44328d075a37_goldeneye.exe	29
PID 2616 wrote to memory of 2188	2616	2024-01-11_9bd6d84b9e1b75e24f9a44328d075a37_goldeneye.exe	29
PID 2616 wrote to memory of 2188	2616	2024-01-11_9bd6d84b9e1b75e24f9a44328d075a37_goldeneye.exe	29
PID 1740 wrote to memory of 2528	1740	{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe	30
PID 1740 wrote to memory of 2528	1740	{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe	30
PID 1740 wrote to memory of 2528	1740	{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe	30
PID 1740 wrote to memory of 2528	1740	{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe	30
PID 1740 wrote to memory of 2600	1740	{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe	31
PID 1740 wrote to memory of 2600	1740	{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe	31
PID 1740 wrote to memory of 2600	1740	{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe	31
PID 1740 wrote to memory of 2600	1740	{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe	31
PID 2528 wrote to memory of 2632	2528	{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe	35
PID 2528 wrote to memory of 2632	2528	{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe	35
PID 2528 wrote to memory of 2632	2528	{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe	35
PID 2528 wrote to memory of 2632	2528	{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe	35
PID 2528 wrote to memory of 2432	2528	{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe	34
PID 2528 wrote to memory of 2432	2528	{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe	34
PID 2528 wrote to memory of 2432	2528	{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe	34
PID 2528 wrote to memory of 2432	2528	{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe	34
PID 2632 wrote to memory of 2324	2632	{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe	36
PID 2632 wrote to memory of 2324	2632	{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe	36
PID 2632 wrote to memory of 2324	2632	{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe	36
PID 2632 wrote to memory of 2324	2632	{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe	36
PID 2632 wrote to memory of 2756	2632	{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe	37
PID 2632 wrote to memory of 2756	2632	{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe	37
PID 2632 wrote to memory of 2756	2632	{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe	37
PID 2632 wrote to memory of 2756	2632	{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe	37
PID 2324 wrote to memory of 1512	2324	{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe	38
PID 2324 wrote to memory of 1512	2324	{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe	38
PID 2324 wrote to memory of 1512	2324	{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe	38
PID 2324 wrote to memory of 1512	2324	{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe	38
PID 2324 wrote to memory of 588	2324	{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe	39
PID 2324 wrote to memory of 588	2324	{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe	39
PID 2324 wrote to memory of 588	2324	{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe	39
PID 2324 wrote to memory of 588	2324	{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe	39
PID 1512 wrote to memory of 2328	1512	{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe	40
PID 1512 wrote to memory of 2328	1512	{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe	40
PID 1512 wrote to memory of 2328	1512	{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe	40
PID 1512 wrote to memory of 2328	1512	{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe	40
PID 1512 wrote to memory of 2224	1512	{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe	41
PID 1512 wrote to memory of 2224	1512	{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe	41
PID 1512 wrote to memory of 2224	1512	{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe	41
PID 1512 wrote to memory of 2224	1512	{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe	41
PID 2328 wrote to memory of 1684	2328	{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe	42
PID 2328 wrote to memory of 1684	2328	{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe	42
PID 2328 wrote to memory of 1684	2328	{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe	42
PID 2328 wrote to memory of 1684	2328	{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe	42
PID 2328 wrote to memory of 1872	2328	{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe	43
PID 2328 wrote to memory of 1872	2328	{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe	43
PID 2328 wrote to memory of 1872	2328	{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe	43
PID 2328 wrote to memory of 1872	2328	{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe	43
PID 1684 wrote to memory of 2468	1684	{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe	44
PID 1684 wrote to memory of 2468	1684	{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe	44
PID 1684 wrote to memory of 2468	1684	{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe	44
PID 1684 wrote to memory of 2468	1684	{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe	44
PID 1684 wrote to memory of 2444	1684	{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe	45
PID 1684 wrote to memory of 2444	1684	{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe	45
PID 1684 wrote to memory of 2444	1684	{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe	45
PID 1684 wrote to memory of 2444	1684	{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-11_9bd6d84b9e1b75e24f9a44328d075a37_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_9bd6d84b9e1b75e24f9a44328d075a37_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe
  C:\Windows\{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe
    C:\Windows\{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{840C3~1.EXE > nul
      4⤵
      PID:2432
  - - C:\Windows\{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe
      C:\Windows\{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe
        
        C:\Windows\{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe
        
        C:\Windows\{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe
        
        C:\Windows\{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe
        
        C:\Windows\{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\{0C4EEE27-98AF-49c3-83BE-031C7D5BF0A2}.exe
        
        C:\Windows\{0C4EEE27-98AF-49c3-83BE-031C7D5BF0A2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\{29C9FFCB-FBA0-48ba-BFBD-6AD2191613E2}.exe
        
        C:\Windows\{29C9FFCB-FBA0-48ba-BFBD-6AD2191613E2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29C9F~1.EXE > nul
        11⤵
        
        PID:1720
        
        C:\Windows\{5DD75544-CF4F-4f9a-89D4-2069A9A71F08}.exe
        
        C:\Windows\{5DD75544-CF4F-4f9a-89D4-2069A9A71F08}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DD75~1.EXE > nul
        12⤵
        
        PID:692
        
        C:\Windows\{E505C412-99A7-4d1a-8DB9-5FF767746FE9}.exe
        
        C:\Windows\{E505C412-99A7-4d1a-8DB9-5FF767746FE9}.exe
        12⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C4EE~1.EXE > nul
        10⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A62C0~1.EXE > nul
        9⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{659CF~1.EXE > nul
        8⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B27F2~1.EXE > nul
        7⤵
        
        PID:2224
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0D02~1.EXE > nul
        6⤵
        
        PID:588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30176~1.EXE > nul
        5⤵
        
        PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{362FF~1.EXE > nul
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C4EEE27-98AF-49c3-83BE-031C7D5BF0A2}.exe

Filesize
380KB

MD5
97d5ac95358c580a9b932c571cc691dd

SHA1
8af63cc7cf340efa2ffe6cb556e74794d5e33374

SHA256
57f88df5b5264fca758e596330a9827c2da5ffe03b0c8b85e2dcce45566b0895

SHA512
d4c086086a8e590b082ac7fc050cad08028d0c32c081d6c512ec43797dccf4e25974d76cad9e24692d346a792ce7fa356074d209ee796cc078d636b8b1055446

Download Submit
C:\Windows\{29C9FFCB-FBA0-48ba-BFBD-6AD2191613E2}.exe

Filesize
380KB

MD5
890f59a95c7c46ed7427fb1cf6d8be29

SHA1
a3f3dead41a4f44df589efb61b6bdad1aa7688ed

SHA256
5fdff066c74d6ee948461371cc82454c72adfec8dd68e15fb9fd3f272788102f

SHA512
4ce55906655745b1f632f640aa20aefb591a0bb0cad2ef6b1e1753383b782fb234b44149460573826dab4f482bc3f238afdf0a19eb02d6a64dc47e8cc5d6331a

Download Submit
C:\Windows\{29C9FFCB-FBA0-48ba-BFBD-6AD2191613E2}.exe

Filesize
92KB

MD5
3e79f883e15db73b2b198db17a3ee9a3

SHA1
6d3057403e036bc3468cd68e4162572f4191d795

SHA256
621614f14fe98f27ed3f407d0622a7b2ea22645c2165df2b5ebbf029a85f167f

SHA512
f0e4857d35131e8370ce9b4e6c48401b079c0f69fa1454036b7cc1fb3b12b82fb250815bfc9229e40d10794e16a740d3281ba0a7e57b0676d616b6e102e6207f

Download Submit
C:\Windows\{30176734-ABAE-4a81-B534-433D03BB6EA7}.exe

Filesize
380KB

MD5
ae9c9c2b69bcb5d2aff2a4f029bc2b78

SHA1
0d7d10b1330917335b1fbeacd9d977a445ae83b9

SHA256
a09782055cb82c500ad87e2732b4007cf4412f8d350703fadbeb4af8f6a7ac81

SHA512
07b51509e53c73a2af18224ab7222eacc46abba7211130765b0460e98e23d222e9a1557932b0639aa074ee91091d994aa8a19d7da878a8d3a7f402464d17ce55

Download Submit
C:\Windows\{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe

Filesize
380KB

MD5
5883c5598d26e04332526be78091522c

SHA1
513290858365630b5f7e57b01fae44576a7305a7

SHA256
289132085ac561b6a09780ba96f282695cf1083c1e051064067d2f687ec92912

SHA512
25775cdac448ea4a01eb9a6ba0e2d614b0568324dbed1b7789ec3b457aa28b9e25d61eee6825038efce1d326e32f7cd59a2bbbb97221fe90afe4237b73363a3f

Download Submit
C:\Windows\{362FFA49-C777-41e8-96F3-A97EB9B68CAA}.exe

Filesize
21KB

MD5
18831ae874e4ff83b4e04af7fd90b366

SHA1
5af2f7590f4046f33d87b2dc274ffa21359c62e5

SHA256
861cd3eb95bdb704e7f174ce284be51967ffba994f994f5f3fe3b6280322799f

SHA512
06601808b57ec50d01eb89888af1ae1a15b0eb3f9ba8544fc31d6f31555435f69635a3b0ce1db20632bdb3b75dc1707ca0aec6d3448a4361f20dbd6d0ef2fe02

Download Submit
C:\Windows\{5DD75544-CF4F-4f9a-89D4-2069A9A71F08}.exe

Filesize
59KB

MD5
b0321661d43894a9ca8242e11a3f181f

SHA1
103ca6d1137ec582234029a991f444730b58bb5f

SHA256
f693194418018bb42821fbfc8a44447d035d87ad0b5d11530ef56bda1f335445

SHA512
35d88caee82a26eb92804c5562334e5ba94b934fe3a4fcee936b6057f0aa6a60df2443a4c473916f02a2d99436d469a09a85fd7e08ec89b1967bc6d3bd46941c

Download Submit
C:\Windows\{5DD75544-CF4F-4f9a-89D4-2069A9A71F08}.exe

Filesize
84KB

MD5
538e0c071e9861b40f7f0fbd094fed95

SHA1
1971324f09ac5ae0c240a34e6f611edff8c95e0c

SHA256
bf279287f66bc29604b3efc949c4e7c0e793c0d61a3bbc416c09bf4a74da943e

SHA512
e375ef89041e4adf2ab9cda9b8ec0cdc02f8a2bd89b648317988d59f4280cdd260a71280275df513c4623942affcdda3c27481d5955d94f17aa5cc4338f77a54

Download Submit
C:\Windows\{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe

Filesize
92KB

MD5
0b41928e8c4a6c782ab62362db54e12a

SHA1
e057d26e19f1bb047043abd5a42185b7d1a3cb6e

SHA256
f33ec09b866210bf4c95e7fdde71f1eab8a2c72ada7fdca10b2c33647e78d167

SHA512
0bece1d07834c3cc850efba108f99321891cb118697180ebae21d91ca0825ea1fd39a85a2defd84201a5cbda5b2dc0a1c8405a712c659168a1a26d54b265b737

Download Submit
C:\Windows\{659CF0E3-AEFB-4f48-BA7F-5AFAA2BADCD6}.exe

Filesize
31KB

MD5
632c1cd9e316c4871c707b0cd7f821ea

SHA1
4b25b5970a66e3d4a84b66f2f591e7085cdad45f

SHA256
4e453ae8d0afafa938001ad044ba1452f6435e1f2ad52a3ceb878336e984acb1

SHA512
22661332a61e801690d3a7c0f4dfb8624d96cd2260dd0a9b4d14da74d6f791423ac1c95ddca960b94dddf352530b77c9c1cfbb8e7467bebcf16ad574e67b9b2f

Download Submit
C:\Windows\{840C3A32-F2EB-40b4-85F3-A916766ABFAB}.exe

Filesize
380KB

MD5
794ab021a5d6fddab617c1b0dbaa161a

SHA1
525c116ee9d8f75a6a87f5d212cc2113234610bf

SHA256
e23b8037dcf859455975a0ecb73e9e6d86271d90880538829a5385d0d9178f55

SHA512
f1968b9bc5b6fbbc638b13cc4d048963e007131b48ef0a820083e78e6019cf003c0c739392ef75fa55275c0a4837857d0c1f5253904389d1fba1eb85f9d2c0e5

Download Submit
C:\Windows\{A0D02E12-DBD3-431a-86AA-32269EE19C4C}.exe

Filesize
380KB

MD5
5156a94e8b43686d7fd99eabd312b6a4

SHA1
d1870e818485632d0f1fa106c8546905e1b35475

SHA256
d85972c6bfa196cf7c8a35fd2dc46039d6b853920067e17cf60895fc2ed99296

SHA512
4342ed1a7e4a13fdcc038a8fb0a3e9f2bc08557bd81c75b16391731f7b5c279f6b205a632d32272635ce12e6474ac2c5598059266c1770490dba3e9f30df761b

Download Submit
C:\Windows\{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe

Filesize
54KB

MD5
3634c4399a3e9e9a0cc0c4c95db6bc7b

SHA1
961c5a37298fb56b003f838ccd40afcac4176778

SHA256
a5400e775e0f5e7e1d910f06b0d869cc5707e4a9d03f87bbcc1165c6e0121c9e

SHA512
264eed4fbdf4f60f1031532c7a5558a311eca4eaf345d13224b4f6e414cf8c129fa9b48bca1f2b6f798ccb600da1a5878b0ff0f991b506c73d5ec3838af40375

Download Submit
C:\Windows\{A62C0AA1-A49A-4196-A017-43A2668E0BA2}.exe

Filesize
380KB

MD5
b375d9295a024310d6e2860cdaa2039f

SHA1
0167a807e631b572007580a97dafc1aac5dc3ea2

SHA256
3e5e1271d5d42d2590aea66625b4641d7455b5d3991eb9425296172e124053df

SHA512
7ea18f51011ee4b4600170e9bddeafefbffd5b3f31901a1a334b67e19df318bc4ff2279e77016ee1bbd67b07277fbdbd7a66e5beec4e327923b2d501806cafd4

Download Submit
C:\Windows\{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe

Filesize
380KB

MD5
204ba5cde089c801880a2cb8abcf7aae

SHA1
c5b8a1f549c4c7086503842496e12df1a714b66c

SHA256
85674d03fbe97409b2f48e15944a616fac13deb109ea8959a87b1cd00abfff1a

SHA512
63d7ef087478c8d72862799276257d8b1a19a4e6cfcda21469d208786a04ada0c8e896f95a0c90266d5f233e4a45189f2fb98a46e8f9da28c2c76e125f35d592

Download Submit
C:\Windows\{B27F2B14-1D9A-4026-9AE1-592DF1D91E78}.exe

Filesize
87KB

MD5
509ee2c1fd80a86bcce66e02cd245e0c

SHA1
b2710ca68d8bc357d9b851abacb90d146e0ade05

SHA256
056225fa8e376e0ef25540665bcd0a1807d0a33d80618078ae3192d5eae3c7ea

SHA512
df0f5adc662c339127e5b450e0a662794dd46c8722bbdea252ca2b8916b75ea574df34ecab2ac36123db22d68675ca70b0cf8c56f4e15f0b876180d7c531ce4c

Download Submit
C:\Windows\{E505C412-99A7-4d1a-8DB9-5FF767746FE9}.exe

Filesize
21KB

MD5
62d81a8e74118a19166cdec4541ce25c

SHA1
87059e95dfeed32882708e86a4d794632c9c8d08

SHA256
42aa4fd2298cb18c0d468e9490a6d3e959cb0824f72ece9668813003d1a95e03

SHA512
24f395ae51f5b7c0f29d2ba1b30b609dc36c2adda3266fa67d53d6a1349a677ca5267ae7803d378e3e3799371080f2bc51f610364aa4517a8732abf38975a9f8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads