1a408f20ee16e900bd6e2449d6448738309b91f4a3f9bd2c131b2e2e070df0ad

Analysis

max time kernel
151s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_a85a7770d21302a2e2cacf1bb2403108_goldeneye.exe
Size

372KB
MD5

a85a7770d21302a2e2cacf1bb2403108
SHA1

cf05e8b5a0f5ce02cde942f0de15a49047600089
SHA256

1a408f20ee16e900bd6e2449d6448738309b91f4a3f9bd2c131b2e2e070df0ad
SHA512

af815bd963b0c9c40d1ba8299a865158e37c667c59d255284ddc33cb1156fc8653baf285c4073500c0a7e11c5dfe6f38d76d0b0d9cc863347ab432e3685823c0
SSDEEP

3072:CEGh0oflMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG9lkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}\stubpath = "C:\\Windows\\{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe"	2024-01-11_a85a7770d21302a2e2cacf1bb2403108_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E021A8F5-1677-447d-A951-C694CF895C85}	{0E3AFD1A-1450-47b3-B4BA-656F2B9F0943}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{944C3F71-DFCB-42b8-B105-8E9D24F56CA0}	{39C249D6-07D6-425a-9EAE-31F7CC49D52B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}\stubpath = "C:\\Windows\\{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe"	{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D911E2CD-76B5-4797-BFA3-763CC19469F5}	{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D911E2CD-76B5-4797-BFA3-763CC19469F5}\stubpath = "C:\\Windows\\{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe"	{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}	{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A911E31D-30B0-478d-B284-1C229E6C9709}\stubpath = "C:\\Windows\\{A911E31D-30B0-478d-B284-1C229E6C9709}.exe"	{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E3AFD1A-1450-47b3-B4BA-656F2B9F0943}\stubpath = "C:\\Windows\\{0E3AFD1A-1450-47b3-B4BA-656F2B9F0943}.exe"	{A911E31D-30B0-478d-B284-1C229E6C9709}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39C249D6-07D6-425a-9EAE-31F7CC49D52B}\stubpath = "C:\\Windows\\{39C249D6-07D6-425a-9EAE-31F7CC49D52B}.exe"	{E021A8F5-1677-447d-A951-C694CF895C85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}	{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16454AE5-64A4-414b-B25E-9F69DDC30E53}\stubpath = "C:\\Windows\\{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe"	{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}\stubpath = "C:\\Windows\\{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe"	{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A911E31D-30B0-478d-B284-1C229E6C9709}	{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E3AFD1A-1450-47b3-B4BA-656F2B9F0943}	{A911E31D-30B0-478d-B284-1C229E6C9709}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{944C3F71-DFCB-42b8-B105-8E9D24F56CA0}\stubpath = "C:\\Windows\\{944C3F71-DFCB-42b8-B105-8E9D24F56CA0}.exe"	{39C249D6-07D6-425a-9EAE-31F7CC49D52B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06C941B7-037C-4f0b-9543-C6F106E402C3}	{944C3F71-DFCB-42b8-B105-8E9D24F56CA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}	2024-01-11_a85a7770d21302a2e2cacf1bb2403108_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FFDA76B-AC01-448d-B035-5338BF697FE0}	{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FFDA76B-AC01-448d-B035-5338BF697FE0}\stubpath = "C:\\Windows\\{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe"	{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16454AE5-64A4-414b-B25E-9F69DDC30E53}	{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E021A8F5-1677-447d-A951-C694CF895C85}\stubpath = "C:\\Windows\\{E021A8F5-1677-447d-A951-C694CF895C85}.exe"	{0E3AFD1A-1450-47b3-B4BA-656F2B9F0943}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39C249D6-07D6-425a-9EAE-31F7CC49D52B}	{E021A8F5-1677-447d-A951-C694CF895C85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06C941B7-037C-4f0b-9543-C6F106E402C3}\stubpath = "C:\\Windows\\{06C941B7-037C-4f0b-9543-C6F106E402C3}.exe"	{944C3F71-DFCB-42b8-B105-8E9D24F56CA0}.exe

Deletes itself 1 IoCs

pid	Process
2400	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2116	{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe
2808	{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe
2564	{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe
2420	{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe
1456	{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe
2928	{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe
2532	{A911E31D-30B0-478d-B284-1C229E6C9709}.exe
756	{0E3AFD1A-1450-47b3-B4BA-656F2B9F0943}.exe
2428	{E021A8F5-1677-447d-A951-C694CF895C85}.exe
1736	{39C249D6-07D6-425a-9EAE-31F7CC49D52B}.exe
2380	{944C3F71-DFCB-42b8-B105-8E9D24F56CA0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe	{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe
File created	C:\Windows\{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe	{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe
File created	C:\Windows\{A911E31D-30B0-478d-B284-1C229E6C9709}.exe	{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe
File created	C:\Windows\{06C941B7-037C-4f0b-9543-C6F106E402C3}.exe	{944C3F71-DFCB-42b8-B105-8E9D24F56CA0}.exe
File created	C:\Windows\{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe	{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe
File created	C:\Windows\{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe	{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe
File created	C:\Windows\{0E3AFD1A-1450-47b3-B4BA-656F2B9F0943}.exe	{A911E31D-30B0-478d-B284-1C229E6C9709}.exe
File created	C:\Windows\{E021A8F5-1677-447d-A951-C694CF895C85}.exe	{0E3AFD1A-1450-47b3-B4BA-656F2B9F0943}.exe
File created	C:\Windows\{39C249D6-07D6-425a-9EAE-31F7CC49D52B}.exe	{E021A8F5-1677-447d-A951-C694CF895C85}.exe
File created	C:\Windows\{944C3F71-DFCB-42b8-B105-8E9D24F56CA0}.exe	{39C249D6-07D6-425a-9EAE-31F7CC49D52B}.exe
File created	C:\Windows\{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe	2024-01-11_a85a7770d21302a2e2cacf1bb2403108_goldeneye.exe
File created	C:\Windows\{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe	{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1180	2024-01-11_a85a7770d21302a2e2cacf1bb2403108_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2116	{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe
Token: SeIncBasePriorityPrivilege	2808	{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe
Token: SeIncBasePriorityPrivilege	2564	{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe
Token: SeIncBasePriorityPrivilege	2420	{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe
Token: SeIncBasePriorityPrivilege	1456	{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe
Token: SeIncBasePriorityPrivilege	2928	{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe
Token: SeIncBasePriorityPrivilege	2532	{A911E31D-30B0-478d-B284-1C229E6C9709}.exe
Token: SeIncBasePriorityPrivilege	756	{0E3AFD1A-1450-47b3-B4BA-656F2B9F0943}.exe
Token: SeIncBasePriorityPrivilege	2428	{E021A8F5-1677-447d-A951-C694CF895C85}.exe
Token: SeIncBasePriorityPrivilege	1736	{39C249D6-07D6-425a-9EAE-31F7CC49D52B}.exe
Token: SeIncBasePriorityPrivilege	2380	{944C3F71-DFCB-42b8-B105-8E9D24F56CA0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2116	1180	2024-01-11_a85a7770d21302a2e2cacf1bb2403108_goldeneye.exe	28
PID 1180 wrote to memory of 2116	1180	2024-01-11_a85a7770d21302a2e2cacf1bb2403108_goldeneye.exe	28
PID 1180 wrote to memory of 2116	1180	2024-01-11_a85a7770d21302a2e2cacf1bb2403108_goldeneye.exe	28
PID 1180 wrote to memory of 2116	1180	2024-01-11_a85a7770d21302a2e2cacf1bb2403108_goldeneye.exe	28
PID 1180 wrote to memory of 2400	1180	2024-01-11_a85a7770d21302a2e2cacf1bb2403108_goldeneye.exe	29
PID 1180 wrote to memory of 2400	1180	2024-01-11_a85a7770d21302a2e2cacf1bb2403108_goldeneye.exe	29
PID 1180 wrote to memory of 2400	1180	2024-01-11_a85a7770d21302a2e2cacf1bb2403108_goldeneye.exe	29
PID 1180 wrote to memory of 2400	1180	2024-01-11_a85a7770d21302a2e2cacf1bb2403108_goldeneye.exe	29
PID 2116 wrote to memory of 2808	2116	{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe	32
PID 2116 wrote to memory of 2808	2116	{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe	32
PID 2116 wrote to memory of 2808	2116	{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe	32
PID 2116 wrote to memory of 2808	2116	{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe	32
PID 2116 wrote to memory of 2884	2116	{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe	33
PID 2116 wrote to memory of 2884	2116	{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe	33
PID 2116 wrote to memory of 2884	2116	{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe	33
PID 2116 wrote to memory of 2884	2116	{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe	33
PID 2808 wrote to memory of 2564	2808	{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe	34
PID 2808 wrote to memory of 2564	2808	{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe	34
PID 2808 wrote to memory of 2564	2808	{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe	34
PID 2808 wrote to memory of 2564	2808	{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe	34
PID 2808 wrote to memory of 2620	2808	{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe	35
PID 2808 wrote to memory of 2620	2808	{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe	35
PID 2808 wrote to memory of 2620	2808	{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe	35
PID 2808 wrote to memory of 2620	2808	{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe	35
PID 2564 wrote to memory of 2420	2564	{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe	36
PID 2564 wrote to memory of 2420	2564	{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe	36
PID 2564 wrote to memory of 2420	2564	{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe	36
PID 2564 wrote to memory of 2420	2564	{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe	36
PID 2564 wrote to memory of 532	2564	{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe	37
PID 2564 wrote to memory of 532	2564	{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe	37
PID 2564 wrote to memory of 532	2564	{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe	37
PID 2564 wrote to memory of 532	2564	{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe	37
PID 2420 wrote to memory of 1456	2420	{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe	38
PID 2420 wrote to memory of 1456	2420	{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe	38
PID 2420 wrote to memory of 1456	2420	{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe	38
PID 2420 wrote to memory of 1456	2420	{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe	38
PID 2420 wrote to memory of 368	2420	{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe	39
PID 2420 wrote to memory of 368	2420	{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe	39
PID 2420 wrote to memory of 368	2420	{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe	39
PID 2420 wrote to memory of 368	2420	{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe	39
PID 1456 wrote to memory of 2928	1456	{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe	40
PID 1456 wrote to memory of 2928	1456	{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe	40
PID 1456 wrote to memory of 2928	1456	{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe	40
PID 1456 wrote to memory of 2928	1456	{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe	40
PID 1456 wrote to memory of 2940	1456	{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe	41
PID 1456 wrote to memory of 2940	1456	{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe	41
PID 1456 wrote to memory of 2940	1456	{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe	41
PID 1456 wrote to memory of 2940	1456	{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe	41
PID 2928 wrote to memory of 2532	2928	{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe	42
PID 2928 wrote to memory of 2532	2928	{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe	42
PID 2928 wrote to memory of 2532	2928	{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe	42
PID 2928 wrote to memory of 2532	2928	{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe	42
PID 2928 wrote to memory of 752	2928	{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe	43
PID 2928 wrote to memory of 752	2928	{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe	43
PID 2928 wrote to memory of 752	2928	{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe	43
PID 2928 wrote to memory of 752	2928	{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe	43
PID 2532 wrote to memory of 756	2532	{A911E31D-30B0-478d-B284-1C229E6C9709}.exe	44
PID 2532 wrote to memory of 756	2532	{A911E31D-30B0-478d-B284-1C229E6C9709}.exe	44
PID 2532 wrote to memory of 756	2532	{A911E31D-30B0-478d-B284-1C229E6C9709}.exe	44
PID 2532 wrote to memory of 756	2532	{A911E31D-30B0-478d-B284-1C229E6C9709}.exe	44
PID 2532 wrote to memory of 2604	2532	{A911E31D-30B0-478d-B284-1C229E6C9709}.exe	45
PID 2532 wrote to memory of 2604	2532	{A911E31D-30B0-478d-B284-1C229E6C9709}.exe	45
PID 2532 wrote to memory of 2604	2532	{A911E31D-30B0-478d-B284-1C229E6C9709}.exe	45
PID 2532 wrote to memory of 2604	2532	{A911E31D-30B0-478d-B284-1C229E6C9709}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-11_a85a7770d21302a2e2cacf1bb2403108_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_a85a7770d21302a2e2cacf1bb2403108_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe
  C:\Windows\{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe
    C:\Windows\{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe
      C:\Windows\{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe
        
        C:\Windows\{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
      - C:\Windows\{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe
        
        C:\Windows\{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe
        
        C:\Windows\{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{A911E31D-30B0-478d-B284-1C229E6C9709}.exe
        
        C:\Windows\{A911E31D-30B0-478d-B284-1C229E6C9709}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\{0E3AFD1A-1450-47b3-B4BA-656F2B9F0943}.exe
        
        C:\Windows\{0E3AFD1A-1450-47b3-B4BA-656F2B9F0943}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\{E021A8F5-1677-447d-A951-C694CF895C85}.exe
        
        C:\Windows\{E021A8F5-1677-447d-A951-C694CF895C85}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\{39C249D6-07D6-425a-9EAE-31F7CC49D52B}.exe
        
        C:\Windows\{39C249D6-07D6-425a-9EAE-31F7CC49D52B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\{944C3F71-DFCB-42b8-B105-8E9D24F56CA0}.exe
        
        C:\Windows\{944C3F71-DFCB-42b8-B105-8E9D24F56CA0}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\{06C941B7-037C-4f0b-9543-C6F106E402C3}.exe
        
        C:\Windows\{06C941B7-037C-4f0b-9543-C6F106E402C3}.exe
        13⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{944C3~1.EXE > nul
        13⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39C24~1.EXE > nul
        12⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E021A~1.EXE > nul
        11⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E3AF~1.EXE > nul
        10⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A911E~1.EXE > nul
        9⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04490~1.EXE > nul
        8⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D911E~1.EXE > nul
        7⤵
        
        PID:2940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16454~1.EXE > nul
        6⤵
        
        PID:368
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EE2D~1.EXE > nul
        5⤵
        
        PID:532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4FFDA~1.EXE > nul
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5587A~1.EXE > nul
    3⤵
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{044906D5-68B3-4a00-B0BE-E18B6CDDDCC6}.exe

Filesize
372KB

MD5
4c592c1aae9c6684c3f991f5f71e4a46

SHA1
c7cd42479459dde1d22ae99054db1ba83914cde9

SHA256
275b7a366cc67f44895778d9cec393efcc5a0828d81bc3de86857633f529a73c

SHA512
c3df57271a1e3f3bdf8e7fe96caaf144f99cefc8e72f7cde3717d88e8148c14897529654e7a98f5c8a122467099750ec72431ff33020b3267963d6327e32b67e

Download Submit
C:\Windows\{0E3AFD1A-1450-47b3-B4BA-656F2B9F0943}.exe

Filesize
372KB

MD5
df364d373294227c8344fe1d2554f000

SHA1
a1c68d28450f0e09ff359f1dd42207ef72d673b5

SHA256
f01aab0ffb5decc7393c0b05e72338a63c25843a401fd8dab4d1d04566418f8b

SHA512
03f562d962b96fdb524aa527e24bfef5049da0ac9f2470b1f8bf6dacecd43e2f9ace02069c96f4f6b0c0046a0fb7eabeef05d94f30f10fde986c21196aef9782

Download Submit
C:\Windows\{16454AE5-64A4-414b-B25E-9F69DDC30E53}.exe

Filesize
372KB

MD5
83821a3a912d78e4aba588aaf791528c

SHA1
37e4e7f21a5d54b00e4a3e8edc97763db169f825

SHA256
dc0f65564e20d2f748ac67ffdd397f99c56be6b53618869cb06f7a306587f3d8

SHA512
dfc9b4ceca27e39704662a4eeff21685e0c228a0dbc817ed0271deeb9e795a0536b0a88773d144d18c7d527e01bd636eed568643b1de6384573767c76834f668

Download Submit
C:\Windows\{39C249D6-07D6-425a-9EAE-31F7CC49D52B}.exe

Filesize
372KB

MD5
89bdccdeba2b90f4b71f8cb9786e344d

SHA1
95b929676ebf934e7d33fa904c1d20ee3021c59c

SHA256
adc87361fe99242e9f21dff8f816b554abebe248df16a86faf287c21226a0687

SHA512
2ada20cb5cdc550ddbf6035c10859982790b069d2776fec861e3c082962bf58e10f2b3fa38bc42c42d4ca9a00fa02ed7215c93b1d06f7a31f8a83f78bb094a3e

Download Submit
C:\Windows\{4EE2DCD1-ED42-4b01-8F41-FFB1A93231F5}.exe

Filesize
372KB

MD5
dddb08f36b94f9296c3d6fc2af86f779

SHA1
9db07c049f73028db9236f30fbe351a7fb957127

SHA256
f50204c41f16c7c1606ad5249a78b9c0fb6a89d03af41ccc06b13aa899d65252

SHA512
4fbad07ed9f1cd4de16a42fa4d16ab74aec007a75ed4408fb6187c6252226760eb9da8cb548a4f45db0d010a033b81c6438e9e22e08da2c7a994b5d9ac670bf4

Download Submit
C:\Windows\{4FFDA76B-AC01-448d-B035-5338BF697FE0}.exe

Filesize
372KB

MD5
5a3e7defc686dd1db7c48c0aac8cf363

SHA1
986b40224a40c72d4d4a49128614d3d30dfb3dd3

SHA256
e43e1ca764ee8d802a6218909a5174442a02fea10490c690a68851dcd92032ff

SHA512
34214c69bbd487a1bf3a6fdaa9028a758435065f899ceae357c336c1ff8048258e6980fc09ae0cadb54459ffa598f552c04460ec35bb709de1feb8e2eaa03dda

Download Submit
C:\Windows\{5587ADF8-4D36-43d4-A92A-2DCAFA311B0F}.exe

Filesize
372KB

MD5
c6c5accf17d28cfd7736bec9f6f0c91d

SHA1
cc826402dd4c6283211f3aaf09a2b2d31bd805a2

SHA256
7cc44bfa68d8560b961f4215378b0e205cc58f216b3284b435ee328776dbc325

SHA512
a21f7886926efdcfe92898d217c0f5d1af39b1a275732c8a21a8c45893919b89544d353844aa47aadc0e2c8a1cf0729f8fdc8fce898ecfb1ca3785ef437ecf45

Download Submit
C:\Windows\{944C3F71-DFCB-42b8-B105-8E9D24F56CA0}.exe

Filesize
372KB

MD5
206838677882caafabd179ae185b40e1

SHA1
5c9124b28dcbe344c40819f8bd1be73a563a9958

SHA256
3fac6bbb4617b5840fbc132ffa2f839d9068d8be1e407dccd306040294d4b956

SHA512
2d67dc4e97ab2941b7f566a9272f586d375591d47638671a188906693df449d4aa6169b0b021c101869b0ad089792ad370e82bf2d44618f34cdb6521d5a6eaf1

Download Submit
C:\Windows\{A911E31D-30B0-478d-B284-1C229E6C9709}.exe

Filesize
372KB

MD5
e9a2a1c669c2a8921a3d8e536444a288

SHA1
849ccbac389ac237e7a0c516b2b0873844aa068b

SHA256
ad430bf0547edf5f7bc5496ab55d95d6cc17a5e3f8f22e9b1ae31a022e926b49

SHA512
6e56975febed26bc1fa3605a90e1c7979b2e5abccdb2a93aa628eae6db7faf7f4471eed04170e65356eb569a8078b392836d4c6c3074155001db93b25ab87258

Download Submit
C:\Windows\{D911E2CD-76B5-4797-BFA3-763CC19469F5}.exe

Filesize
372KB

MD5
567874967129774249251dbc9b10fcb7

SHA1
3c817586a01672723ca58890cc3a1e6a7680f17c

SHA256
c4d260fbf9922bd4cc1a726e7204eb9e8c7fd289d59d9c205216258a795c7fff

SHA512
a37f2479e8ab62db69ff7cdb79c46a1eaf40e9b7beff3566985835aee261e99a949d409456873e0bc45a464e264264ec7ace66c87b0791ac995e9e386c3b4907

Download Submit
C:\Windows\{E021A8F5-1677-447d-A951-C694CF895C85}.exe

Filesize
372KB

MD5
b9903a26d0e887337ffc002a40bb5428

SHA1
5fcdcc2adc06935b6aaeb57f4359391a4e72df0f

SHA256
56847bb9627e582bef2ef0012f4441fba7a853f7608633b0eb25d6e91d110886

SHA512
58f80bc076019cc9c5c2a4399408915066090d6596f7a02845524c521613fe3b813c245a104bc15164aa9368f2fefd1f706fbf9d7000cd3b7ac556d1f6c01225

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads