233781f0f90d6b4ceae844aa50f3debbd498bd324dbf9ee1f67c5753e2dac90d

Analysis

max time kernel
213s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_ff5b74c217bcdb01ec4dd0084d0cae2e_goldeneye.exe
Size

344KB
MD5

ff5b74c217bcdb01ec4dd0084d0cae2e
SHA1

0943f469c574157a8474a77005ea0f284dcdeb02
SHA256

233781f0f90d6b4ceae844aa50f3debbd498bd324dbf9ee1f67c5753e2dac90d
SHA512

7582c393c85b949e6bdb671e565a258350c860ac93f0a093502cdcd4a37a239d5740015ea8b338ada5ff02805df67896fad6b942573831bcf8c79447e43cb846
SSDEEP

3072:mEGh0oilEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGAlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}	{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2672C76C-88F6-4e0f-8F66-9AD419E9E588}	{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2672C76C-88F6-4e0f-8F66-9AD419E9E588}\stubpath = "C:\\Windows\\{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe"	{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E6A1756-136E-4a22-B755-6D8239F17286}\stubpath = "C:\\Windows\\{4E6A1756-136E-4a22-B755-6D8239F17286}.exe"	{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BA67A46-7BEB-4896-BEE4-AEC96FC25315}\stubpath = "C:\\Windows\\{6BA67A46-7BEB-4896-BEE4-AEC96FC25315}.exe"	{05DAE023-8AC9-43f6-9AF6-98C8BDA6A664}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}	2024-01-11_ff5b74c217bcdb01ec4dd0084d0cae2e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}\stubpath = "C:\\Windows\\{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe"	{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF47182A-305E-4487-9CE4-264394EF7A83}\stubpath = "C:\\Windows\\{EF47182A-305E-4487-9CE4-264394EF7A83}.exe"	{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05DAE023-8AC9-43f6-9AF6-98C8BDA6A664}\stubpath = "C:\\Windows\\{05DAE023-8AC9-43f6-9AF6-98C8BDA6A664}.exe"	{4E6A1756-136E-4a22-B755-6D8239F17286}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A143CBD-7F72-485a-BD05-4A07C699D1E7}	{EF47182A-305E-4487-9CE4-264394EF7A83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A143CBD-7F72-485a-BD05-4A07C699D1E7}\stubpath = "C:\\Windows\\{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe"	{EF47182A-305E-4487-9CE4-264394EF7A83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A3174F0-8A85-47b6-907E-5EACCA785E1B}	{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A3174F0-8A85-47b6-907E-5EACCA785E1B}\stubpath = "C:\\Windows\\{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe"	{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}\stubpath = "C:\\Windows\\{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe"	2024-01-11_ff5b74c217bcdb01ec4dd0084d0cae2e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF47182A-305E-4487-9CE4-264394EF7A83}	{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E6A1756-136E-4a22-B755-6D8239F17286}	{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05DAE023-8AC9-43f6-9AF6-98C8BDA6A664}	{4E6A1756-136E-4a22-B755-6D8239F17286}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BA67A46-7BEB-4896-BEE4-AEC96FC25315}	{05DAE023-8AC9-43f6-9AF6-98C8BDA6A664}.exe

Deletes itself 1 IoCs

pid	Process
1944	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1644	{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe
2740	{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe
304	{EF47182A-305E-4487-9CE4-264394EF7A83}.exe
2920	{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe
1988	{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe
2440	{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe
3032	{4E6A1756-136E-4a22-B755-6D8239F17286}.exe
436	{05DAE023-8AC9-43f6-9AF6-98C8BDA6A664}.exe
1308	{6BA67A46-7BEB-4896-BEE4-AEC96FC25315}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe	{EF47182A-305E-4487-9CE4-264394EF7A83}.exe
File created	C:\Windows\{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe	{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe
File created	C:\Windows\{6BA67A46-7BEB-4896-BEE4-AEC96FC25315}.exe	{05DAE023-8AC9-43f6-9AF6-98C8BDA6A664}.exe
File created	C:\Windows\{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe	2024-01-11_ff5b74c217bcdb01ec4dd0084d0cae2e_goldeneye.exe
File created	C:\Windows\{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe	{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe
File created	C:\Windows\{EF47182A-305E-4487-9CE4-264394EF7A83}.exe	{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe
File created	C:\Windows\{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe	{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe
File created	C:\Windows\{4E6A1756-136E-4a22-B755-6D8239F17286}.exe	{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe
File created	C:\Windows\{05DAE023-8AC9-43f6-9AF6-98C8BDA6A664}.exe	{4E6A1756-136E-4a22-B755-6D8239F17286}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2276	2024-01-11_ff5b74c217bcdb01ec4dd0084d0cae2e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1644	{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe
Token: SeIncBasePriorityPrivilege	2740	{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe
Token: SeIncBasePriorityPrivilege	304	{EF47182A-305E-4487-9CE4-264394EF7A83}.exe
Token: SeIncBasePriorityPrivilege	2920	{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe
Token: SeIncBasePriorityPrivilege	1988	{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe
Token: SeIncBasePriorityPrivilege	2440	{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe
Token: SeIncBasePriorityPrivilege	3032	{4E6A1756-136E-4a22-B755-6D8239F17286}.exe
Token: SeIncBasePriorityPrivilege	436	{05DAE023-8AC9-43f6-9AF6-98C8BDA6A664}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1644	2276	2024-01-11_ff5b74c217bcdb01ec4dd0084d0cae2e_goldeneye.exe	28
PID 2276 wrote to memory of 1644	2276	2024-01-11_ff5b74c217bcdb01ec4dd0084d0cae2e_goldeneye.exe	28
PID 2276 wrote to memory of 1644	2276	2024-01-11_ff5b74c217bcdb01ec4dd0084d0cae2e_goldeneye.exe	28
PID 2276 wrote to memory of 1644	2276	2024-01-11_ff5b74c217bcdb01ec4dd0084d0cae2e_goldeneye.exe	28
PID 2276 wrote to memory of 1944	2276	2024-01-11_ff5b74c217bcdb01ec4dd0084d0cae2e_goldeneye.exe	29
PID 2276 wrote to memory of 1944	2276	2024-01-11_ff5b74c217bcdb01ec4dd0084d0cae2e_goldeneye.exe	29
PID 2276 wrote to memory of 1944	2276	2024-01-11_ff5b74c217bcdb01ec4dd0084d0cae2e_goldeneye.exe	29
PID 2276 wrote to memory of 1944	2276	2024-01-11_ff5b74c217bcdb01ec4dd0084d0cae2e_goldeneye.exe	29
PID 1644 wrote to memory of 2740	1644	{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe	30
PID 1644 wrote to memory of 2740	1644	{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe	30
PID 1644 wrote to memory of 2740	1644	{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe	30
PID 1644 wrote to memory of 2740	1644	{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe	30
PID 1644 wrote to memory of 1176	1644	{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe	31
PID 1644 wrote to memory of 1176	1644	{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe	31
PID 1644 wrote to memory of 1176	1644	{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe	31
PID 1644 wrote to memory of 1176	1644	{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe	31
PID 2740 wrote to memory of 304	2740	{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe	32
PID 2740 wrote to memory of 304	2740	{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe	32
PID 2740 wrote to memory of 304	2740	{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe	32
PID 2740 wrote to memory of 304	2740	{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe	32
PID 2740 wrote to memory of 1952	2740	{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe	33
PID 2740 wrote to memory of 1952	2740	{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe	33
PID 2740 wrote to memory of 1952	2740	{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe	33
PID 2740 wrote to memory of 1952	2740	{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe	33
PID 304 wrote to memory of 2920	304	{EF47182A-305E-4487-9CE4-264394EF7A83}.exe	34
PID 304 wrote to memory of 2920	304	{EF47182A-305E-4487-9CE4-264394EF7A83}.exe	34
PID 304 wrote to memory of 2920	304	{EF47182A-305E-4487-9CE4-264394EF7A83}.exe	34
PID 304 wrote to memory of 2920	304	{EF47182A-305E-4487-9CE4-264394EF7A83}.exe	34
PID 304 wrote to memory of 596	304	{EF47182A-305E-4487-9CE4-264394EF7A83}.exe	35
PID 304 wrote to memory of 596	304	{EF47182A-305E-4487-9CE4-264394EF7A83}.exe	35
PID 304 wrote to memory of 596	304	{EF47182A-305E-4487-9CE4-264394EF7A83}.exe	35
PID 304 wrote to memory of 596	304	{EF47182A-305E-4487-9CE4-264394EF7A83}.exe	35
PID 2920 wrote to memory of 1988	2920	{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe	36
PID 2920 wrote to memory of 1988	2920	{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe	36
PID 2920 wrote to memory of 1988	2920	{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe	36
PID 2920 wrote to memory of 1988	2920	{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe	36
PID 2920 wrote to memory of 2228	2920	{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe	37
PID 2920 wrote to memory of 2228	2920	{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe	37
PID 2920 wrote to memory of 2228	2920	{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe	37
PID 2920 wrote to memory of 2228	2920	{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe	37
PID 1988 wrote to memory of 2440	1988	{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe	38
PID 1988 wrote to memory of 2440	1988	{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe	38
PID 1988 wrote to memory of 2440	1988	{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe	38
PID 1988 wrote to memory of 2440	1988	{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe	38
PID 1988 wrote to memory of 2372	1988	{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe	39
PID 1988 wrote to memory of 2372	1988	{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe	39
PID 1988 wrote to memory of 2372	1988	{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe	39
PID 1988 wrote to memory of 2372	1988	{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe	39
PID 2440 wrote to memory of 3032	2440	{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe	40
PID 2440 wrote to memory of 3032	2440	{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe	40
PID 2440 wrote to memory of 3032	2440	{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe	40
PID 2440 wrote to memory of 3032	2440	{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe	40
PID 2440 wrote to memory of 2532	2440	{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe	41
PID 2440 wrote to memory of 2532	2440	{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe	41
PID 2440 wrote to memory of 2532	2440	{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe	41
PID 2440 wrote to memory of 2532	2440	{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe	41
PID 3032 wrote to memory of 436	3032	{4E6A1756-136E-4a22-B755-6D8239F17286}.exe	42
PID 3032 wrote to memory of 436	3032	{4E6A1756-136E-4a22-B755-6D8239F17286}.exe	42
PID 3032 wrote to memory of 436	3032	{4E6A1756-136E-4a22-B755-6D8239F17286}.exe	42
PID 3032 wrote to memory of 436	3032	{4E6A1756-136E-4a22-B755-6D8239F17286}.exe	42
PID 3032 wrote to memory of 1524	3032	{4E6A1756-136E-4a22-B755-6D8239F17286}.exe	43
PID 3032 wrote to memory of 1524	3032	{4E6A1756-136E-4a22-B755-6D8239F17286}.exe	43
PID 3032 wrote to memory of 1524	3032	{4E6A1756-136E-4a22-B755-6D8239F17286}.exe	43
PID 3032 wrote to memory of 1524	3032	{4E6A1756-136E-4a22-B755-6D8239F17286}.exe	43

C:\Users\Admin\AppData\Local\Temp\2024-01-11_ff5b74c217bcdb01ec4dd0084d0cae2e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_ff5b74c217bcdb01ec4dd0084d0cae2e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe
  C:\Windows\{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe
    C:\Windows\{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\{EF47182A-305E-4487-9CE4-264394EF7A83}.exe
      C:\Windows\{EF47182A-305E-4487-9CE4-264394EF7A83}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:304
    - - C:\Windows\{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe
        
        C:\Windows\{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe
        
        C:\Windows\{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe
        
        C:\Windows\{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\{4E6A1756-136E-4a22-B755-6D8239F17286}.exe
        
        C:\Windows\{4E6A1756-136E-4a22-B755-6D8239F17286}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\{05DAE023-8AC9-43f6-9AF6-98C8BDA6A664}.exe
        
        C:\Windows\{05DAE023-8AC9-43f6-9AF6-98C8BDA6A664}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
        
        C:\Windows\{6BA67A46-7BEB-4896-BEE4-AEC96FC25315}.exe
        
        C:\Windows\{6BA67A46-7BEB-4896-BEE4-AEC96FC25315}.exe
        10⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05DAE~1.EXE > nul
        10⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E6A1~1.EXE > nul
        9⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A317~1.EXE > nul
        8⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2672C~1.EXE > nul
        7⤵
        
        PID:2372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A143~1.EXE > nul
        6⤵
        
        PID:2228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF471~1.EXE > nul
        5⤵
        
        PID:596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2F481~1.EXE > nul
      4⤵
      PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5AEF8~1.EXE > nul
    3⤵
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05DAE023-8AC9-43f6-9AF6-98C8BDA6A664}.exe

Filesize
344KB

MD5
2586b82736196fdd96eb3517835c68c7

SHA1
27ba289f90e758743385de9020371d1db8a8c10a

SHA256
5e01e838e797f42a5d8ca4a09ef50499434554d84e90aa3b7e0bab0b310dae2a

SHA512
a1cb1fdd846fc3b7750af766117383ceb287b2f877b2ffd5605fe91b2e9212030a476a69ee5a9e9f22946b4f8b715cbf5889d11aebbceeda75d599964b94f2a7

Download Submit
C:\Windows\{2672C76C-88F6-4e0f-8F66-9AD419E9E588}.exe

Filesize
344KB

MD5
646a1b78686e7762e7dfc9a97d4ef5f8

SHA1
04e7d33c8a63748955f71090bf29a84493225587

SHA256
a3e1d945501f7534f553ddbf1c1fda30e1a06334290fe00363e8bd9117586b59

SHA512
2eaa64dda8763bce41bca79234c288db9c9a31e7ee7e9be55f50a86955a3695bf17bcfe927263cb7721284083e711714df7d9637474651ff96a138eedf82dd47

Download Submit
C:\Windows\{2A143CBD-7F72-485a-BD05-4A07C699D1E7}.exe

Filesize
344KB

MD5
516edfea5dabd4919725891999cf40a6

SHA1
fcc44b6e148bf766258050bc482de9da35592915

SHA256
4ac2f11b80aeef114625cb1e8513ff861a9b3a08243e329c22dd5ed1c2ede2e4

SHA512
de15af4526a128671f3552374aa2fbe401e3be0b5994915ff6a06a4d95b40a67746463e0f98b5caa58a516b0cf5f94087e480c573ff54dbbded13bb91c5517bb

Download Submit
C:\Windows\{2F481696-ECDF-4e4f-905F-F7B0951FA4EB}.exe

Filesize
344KB

MD5
cc9df0a1db022c6ae9035341a5a5f7b8

SHA1
84637b341e4d945167cc7e1dd3fd08b5185ebfbf

SHA256
cdc5ae08fd55cb8f702ebefa09b9abd475f5d202b1fb013fcc54b5369579f214

SHA512
9361836a88b933fdd76847e60535c3b2eb733972dfb313843da5b19821319467308eaf6710068bf2a855ab20ca420c59d06cd9eba4a8cbda98ead2ccb27d2c15

Download Submit
C:\Windows\{3A3174F0-8A85-47b6-907E-5EACCA785E1B}.exe

Filesize
344KB

MD5
12fb787ccfe0728064ea402de26cbe38

SHA1
2a9bca44c73689adf9b45b20749045ea5a7f8107

SHA256
1c30fe0d014bd3f086b6844b53f7f0270b8362931c20b85cbb0ea54b28221188

SHA512
b6e51c38ea0b90459fa2bc84a40884dccb84871cfb573d4e801a63746c01bd570e10e4bc9f7b75400346f10e812fd08ec5d8d1bffa4b4032ff77d6d3e12f6dd5

Download Submit
C:\Windows\{4E6A1756-136E-4a22-B755-6D8239F17286}.exe

Filesize
344KB

MD5
6c0403297d276fbb09c8e7128110b69b

SHA1
42073a51bb82505ca6f88dcbdf664c79568a0c27

SHA256
508a505c20a80f0e370d9452c9bacca982dbb2139700388eaae9d403b22f226a

SHA512
1a0546604d81c989ab0f0a9e94c57a28430431e8a1b08354598cceba0768e99a9f3b46d13464d618c3a52742619aaa61c7402eb33119a37558ad2023034f44d0

Download Submit
C:\Windows\{5AEF88E8-5C83-4e36-8F89-26D28AE5593A}.exe

Filesize
344KB

MD5
12bb815205ce308b677c4e08ce58271a

SHA1
6360844c450b89a02c2805784b805130062c40df

SHA256
d219a73eb3d158504f1c8105e49a04fbd7f18c446eea43b69b3d2d28f215f77e

SHA512
a2d4aa8cab4a6915b12e23dad13717c9c3bf849ee928b66755a9570be9e6886129515de01e0b4b1a28986dd1f5e2e3c2d84fd10be2d6d60c581391f3e55c2051

Download Submit
C:\Windows\{6BA67A46-7BEB-4896-BEE4-AEC96FC25315}.exe

Filesize
32KB

MD5
752bb5dda94981ff8c56f0249c9fe02a

SHA1
bc03c36036ced5a7c7e32c783302eae7a1c3f7b2

SHA256
95c502008c523372135e16ac1cee2d7fe42774c0b2df960e896c79dbeaa92cdd

SHA512
f0168c0ff8504e13b3c9c985f8644f4afaff4134c151b3c6b0876edab893ed7faab84d50a892ae02c7709b339c981cb082c86b58365d9bcccd899c39d061d21b

Download Submit
C:\Windows\{EF47182A-305E-4487-9CE4-264394EF7A83}.exe

Filesize
344KB

MD5
04679ce400b237d32651148d4414f274

SHA1
9f9619c90a96614469f4a06b763d66fca1732835

SHA256
1ea987e94cb9658410ea4605b8e539b4677e42a2ba96eeb3f4996a76ea048faf

SHA512
655dd8ade7c6b8ffdb469c8d174ca0bdad4a11c66679059cc82583643e0e95d1e6a90ed252c44d4a32a7fee5d7b4d80535361dbe9c578aa912d973fc8af50085

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads