6addfbae25eaac73b2832aa448854a78722caa55fc6dee585be5c293b894b8ef

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 17:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

20240414630d04548608b2298e91849cfa11470agoldeneye.exe
Size

168KB
MD5

630d04548608b2298e91849cfa11470a
SHA1

5c47892c957aed3df97b21cc53851bb395baecd2
SHA256

6addfbae25eaac73b2832aa448854a78722caa55fc6dee585be5c293b894b8ef
SHA512

acf0c57450633ff4299477792c91c935246f7a403fca334fc0bc61b40039d672b192c2054e32e24a04edef83d49902cad747be65973d2bc93bd069cc62a8e76b
SSDEEP

1536:1EGh0oVli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oVliOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4ED9180-E48D-454b-AD97-F59A1FAF170A}\stubpath = "C:\\Windows\\{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe"	20240414630d04548608b2298e91849cfa11470agoldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EABBD543-72F2-46b7-BBB0-E3DBCD324712}	{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}\stubpath = "C:\\Windows\\{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe"	{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F639B35-B348-4b79-8B78-1974012DD667}\stubpath = "C:\\Windows\\{5F639B35-B348-4b79-8B78-1974012DD667}.exe"	{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}	{5F639B35-B348-4b79-8B78-1974012DD667}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3A2C55C-4ECD-4bd7-8197-73965C743FF8}\stubpath = "C:\\Windows\\{D3A2C55C-4ECD-4bd7-8197-73965C743FF8}.exe"	{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E49FA46-289F-4dc9-BB0F-50CBF5998334}	{D3A2C55C-4ECD-4bd7-8197-73965C743FF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EABBD543-72F2-46b7-BBB0-E3DBCD324712}\stubpath = "C:\\Windows\\{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe"	{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F639B35-B348-4b79-8B78-1974012DD667}	{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96558965-0E7B-4b34-8677-90454EFDE2FA}\stubpath = "C:\\Windows\\{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe"	{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E49FA46-289F-4dc9-BB0F-50CBF5998334}\stubpath = "C:\\Windows\\{2E49FA46-289F-4dc9-BB0F-50CBF5998334}.exe"	{D3A2C55C-4ECD-4bd7-8197-73965C743FF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE350322-04BB-4aa6-AF34-339B5737EB04}\stubpath = "C:\\Windows\\{FE350322-04BB-4aa6-AF34-339B5737EB04}.exe"	{2E49FA46-289F-4dc9-BB0F-50CBF5998334}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAA47D71-29F4-4add-BF70-BF80D5A125E9}	{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A6C2B49-E5A3-4964-96EE-AFB1BE2469A4}	{FE350322-04BB-4aa6-AF34-339B5737EB04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4ED9180-E48D-454b-AD97-F59A1FAF170A}	20240414630d04548608b2298e91849cfa11470agoldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}	{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}\stubpath = "C:\\Windows\\{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe"	{5F639B35-B348-4b79-8B78-1974012DD667}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96558965-0E7B-4b34-8677-90454EFDE2FA}	{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAA47D71-29F4-4add-BF70-BF80D5A125E9}\stubpath = "C:\\Windows\\{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe"	{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3A2C55C-4ECD-4bd7-8197-73965C743FF8}	{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE350322-04BB-4aa6-AF34-339B5737EB04}	{2E49FA46-289F-4dc9-BB0F-50CBF5998334}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A6C2B49-E5A3-4964-96EE-AFB1BE2469A4}\stubpath = "C:\\Windows\\{6A6C2B49-E5A3-4964-96EE-AFB1BE2469A4}.exe"	{FE350322-04BB-4aa6-AF34-339B5737EB04}.exe

Deletes itself 1 IoCs

pid	Process
2496	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2680	{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe
2660	{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe
2636	{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe
2588	{5F639B35-B348-4b79-8B78-1974012DD667}.exe
2716	{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe
2376	{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe
2228	{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe
268	{D3A2C55C-4ECD-4bd7-8197-73965C743FF8}.exe
1216	{2E49FA46-289F-4dc9-BB0F-50CBF5998334}.exe
340	{FE350322-04BB-4aa6-AF34-339B5737EB04}.exe
2828	{6A6C2B49-E5A3-4964-96EE-AFB1BE2469A4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6A6C2B49-E5A3-4964-96EE-AFB1BE2469A4}.exe	{FE350322-04BB-4aa6-AF34-339B5737EB04}.exe
File created	C:\Windows\{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe	20240414630d04548608b2298e91849cfa11470agoldeneye.exe
File created	C:\Windows\{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe	{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe
File created	C:\Windows\{5F639B35-B348-4b79-8B78-1974012DD667}.exe	{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe
File created	C:\Windows\{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe	{5F639B35-B348-4b79-8B78-1974012DD667}.exe
File created	C:\Windows\{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe	{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe
File created	C:\Windows\{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe	{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe
File created	C:\Windows\{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe	{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe
File created	C:\Windows\{D3A2C55C-4ECD-4bd7-8197-73965C743FF8}.exe	{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe
File created	C:\Windows\{2E49FA46-289F-4dc9-BB0F-50CBF5998334}.exe	{D3A2C55C-4ECD-4bd7-8197-73965C743FF8}.exe
File created	C:\Windows\{FE350322-04BB-4aa6-AF34-339B5737EB04}.exe	{2E49FA46-289F-4dc9-BB0F-50CBF5998334}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1184	20240414630d04548608b2298e91849cfa11470agoldeneye.exe
Token: SeIncBasePriorityPrivilege	2680	{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe
Token: SeIncBasePriorityPrivilege	2660	{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe
Token: SeIncBasePriorityPrivilege	2636	{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe
Token: SeIncBasePriorityPrivilege	2588	{5F639B35-B348-4b79-8B78-1974012DD667}.exe
Token: SeIncBasePriorityPrivilege	2716	{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe
Token: SeIncBasePriorityPrivilege	2376	{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe
Token: SeIncBasePriorityPrivilege	2228	{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe
Token: SeIncBasePriorityPrivilege	268	{D3A2C55C-4ECD-4bd7-8197-73965C743FF8}.exe
Token: SeIncBasePriorityPrivilege	1216	{2E49FA46-289F-4dc9-BB0F-50CBF5998334}.exe
Token: SeIncBasePriorityPrivilege	340	{FE350322-04BB-4aa6-AF34-339B5737EB04}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2680	1184	20240414630d04548608b2298e91849cfa11470agoldeneye.exe	28
PID 1184 wrote to memory of 2680	1184	20240414630d04548608b2298e91849cfa11470agoldeneye.exe	28
PID 1184 wrote to memory of 2680	1184	20240414630d04548608b2298e91849cfa11470agoldeneye.exe	28
PID 1184 wrote to memory of 2680	1184	20240414630d04548608b2298e91849cfa11470agoldeneye.exe	28
PID 1184 wrote to memory of 2496	1184	20240414630d04548608b2298e91849cfa11470agoldeneye.exe	29
PID 1184 wrote to memory of 2496	1184	20240414630d04548608b2298e91849cfa11470agoldeneye.exe	29
PID 1184 wrote to memory of 2496	1184	20240414630d04548608b2298e91849cfa11470agoldeneye.exe	29
PID 1184 wrote to memory of 2496	1184	20240414630d04548608b2298e91849cfa11470agoldeneye.exe	29
PID 2680 wrote to memory of 2660	2680	{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe	30
PID 2680 wrote to memory of 2660	2680	{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe	30
PID 2680 wrote to memory of 2660	2680	{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe	30
PID 2680 wrote to memory of 2660	2680	{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe	30
PID 2680 wrote to memory of 2552	2680	{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe	31
PID 2680 wrote to memory of 2552	2680	{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe	31
PID 2680 wrote to memory of 2552	2680	{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe	31
PID 2680 wrote to memory of 2552	2680	{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe	31
PID 2660 wrote to memory of 2636	2660	{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe	32
PID 2660 wrote to memory of 2636	2660	{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe	32
PID 2660 wrote to memory of 2636	2660	{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe	32
PID 2660 wrote to memory of 2636	2660	{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe	32
PID 2660 wrote to memory of 2768	2660	{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe	33
PID 2660 wrote to memory of 2768	2660	{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe	33
PID 2660 wrote to memory of 2768	2660	{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe	33
PID 2660 wrote to memory of 2768	2660	{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe	33
PID 2636 wrote to memory of 2588	2636	{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe	36
PID 2636 wrote to memory of 2588	2636	{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe	36
PID 2636 wrote to memory of 2588	2636	{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe	36
PID 2636 wrote to memory of 2588	2636	{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe	36
PID 2636 wrote to memory of 2384	2636	{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe	37
PID 2636 wrote to memory of 2384	2636	{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe	37
PID 2636 wrote to memory of 2384	2636	{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe	37
PID 2636 wrote to memory of 2384	2636	{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe	37
PID 2588 wrote to memory of 2716	2588	{5F639B35-B348-4b79-8B78-1974012DD667}.exe	38
PID 2588 wrote to memory of 2716	2588	{5F639B35-B348-4b79-8B78-1974012DD667}.exe	38
PID 2588 wrote to memory of 2716	2588	{5F639B35-B348-4b79-8B78-1974012DD667}.exe	38
PID 2588 wrote to memory of 2716	2588	{5F639B35-B348-4b79-8B78-1974012DD667}.exe	38
PID 2588 wrote to memory of 2672	2588	{5F639B35-B348-4b79-8B78-1974012DD667}.exe	39
PID 2588 wrote to memory of 2672	2588	{5F639B35-B348-4b79-8B78-1974012DD667}.exe	39
PID 2588 wrote to memory of 2672	2588	{5F639B35-B348-4b79-8B78-1974012DD667}.exe	39
PID 2588 wrote to memory of 2672	2588	{5F639B35-B348-4b79-8B78-1974012DD667}.exe	39
PID 2716 wrote to memory of 2376	2716	{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe	40
PID 2716 wrote to memory of 2376	2716	{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe	40
PID 2716 wrote to memory of 2376	2716	{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe	40
PID 2716 wrote to memory of 2376	2716	{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe	40
PID 2716 wrote to memory of 1128	2716	{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe	41
PID 2716 wrote to memory of 1128	2716	{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe	41
PID 2716 wrote to memory of 1128	2716	{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe	41
PID 2716 wrote to memory of 1128	2716	{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe	41
PID 2376 wrote to memory of 2228	2376	{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe	42
PID 2376 wrote to memory of 2228	2376	{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe	42
PID 2376 wrote to memory of 2228	2376	{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe	42
PID 2376 wrote to memory of 2228	2376	{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe	42
PID 2376 wrote to memory of 988	2376	{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe	43
PID 2376 wrote to memory of 988	2376	{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe	43
PID 2376 wrote to memory of 988	2376	{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe	43
PID 2376 wrote to memory of 988	2376	{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe	43
PID 2228 wrote to memory of 268	2228	{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe	44
PID 2228 wrote to memory of 268	2228	{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe	44
PID 2228 wrote to memory of 268	2228	{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe	44
PID 2228 wrote to memory of 268	2228	{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe	44
PID 2228 wrote to memory of 1200	2228	{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe	45
PID 2228 wrote to memory of 1200	2228	{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe	45
PID 2228 wrote to memory of 1200	2228	{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe	45
PID 2228 wrote to memory of 1200	2228	{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe	45

C:\Users\Admin\AppData\Local\Temp\20240414630d04548608b2298e91849cfa11470agoldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\20240414630d04548608b2298e91849cfa11470agoldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe
  C:\Windows\{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe
    C:\Windows\{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe
      C:\Windows\{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\{5F639B35-B348-4b79-8B78-1974012DD667}.exe
        
        C:\Windows\{5F639B35-B348-4b79-8B78-1974012DD667}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
      - C:\Windows\{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe
        
        C:\Windows\{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe
        
        C:\Windows\{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe
        
        C:\Windows\{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\{D3A2C55C-4ECD-4bd7-8197-73965C743FF8}.exe
        
        C:\Windows\{D3A2C55C-4ECD-4bd7-8197-73965C743FF8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\{2E49FA46-289F-4dc9-BB0F-50CBF5998334}.exe
        
        C:\Windows\{2E49FA46-289F-4dc9-BB0F-50CBF5998334}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\{FE350322-04BB-4aa6-AF34-339B5737EB04}.exe
        
        C:\Windows\{FE350322-04BB-4aa6-AF34-339B5737EB04}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\{6A6C2B49-E5A3-4964-96EE-AFB1BE2469A4}.exe
        
        C:\Windows\{6A6C2B49-E5A3-4964-96EE-AFB1BE2469A4}.exe
        12⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE350~1.EXE > nul
        12⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E49F~1.EXE > nul
        11⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3A2C~1.EXE > nul
        10⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAA47~1.EXE > nul
        9⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96558~1.EXE > nul
        8⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8D4F~1.EXE > nul
        7⤵
        
        PID:1128
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F639~1.EXE > nul
        6⤵
        
        PID:2672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B7C4~1.EXE > nul
        5⤵
        
        PID:2384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EABBD~1.EXE > nul
      4⤵
      PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C4ED9~1.EXE > nul
    3⤵
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202404~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2E49FA46-289F-4dc9-BB0F-50CBF5998334}.exe

Filesize
168KB

MD5
bc64f3cd23575ed56bab87ac9828c3df

SHA1
99713883b12672d99a464aebeea2d4c4af0dac96

SHA256
91fdca50ca95c714054218a05adbe85495153c0a25f3a42ac1dfb4566c79bd53

SHA512
fba611a341b4d95587fdf5892dc45fc70436877f35c1dcdc93f2e9cceef1fed605e16af592ffb5f7e577cb3b2fe5a0024a48c830d6171ddf75d61d9a2fcfaa55

Download Submit
C:\Windows\{5B7C43C2-69C3-4d50-B405-8C096A4BBEC2}.exe

Filesize
168KB

MD5
d3acf706013f593c2e46387b13145a19

SHA1
bf7983ef999c74459c92d26a7933aee95fed21a0

SHA256
5872536c6e42187c8fa362fbbc34a8ce206ce609ef6aea2c6a8144d1ebab8489

SHA512
c0cd53e33c2b3ba613e9362f5da8ee9db17451c731dc977932a3421a7ad2e343ba9d5ff4a50735e619abcd1d586d89439f68b67d0f910acf015181b1fdb9a7ba

Download Submit
C:\Windows\{5F639B35-B348-4b79-8B78-1974012DD667}.exe

Filesize
168KB

MD5
bf80bded012bea1d84d162f68be420e3

SHA1
42feabffc2a1ae39770a5e067803523362cf2d10

SHA256
0d1130cb809b75cb864a404e89aa1f601310ff9f7f7c9ae9136d5e378ab0111e

SHA512
fe6769d6d7dbe48d7d58de6c40bd09202840bbae9520e2310f3e3a0205c7bda443a89a169ab9ade3fb2deae37ff0a6ebf06b87fffa120635ea21a9728af68c87

Download Submit
C:\Windows\{6A6C2B49-E5A3-4964-96EE-AFB1BE2469A4}.exe

Filesize
168KB

MD5
39ea4b74c519fca0447a04d3ccf6233d

SHA1
d898afc08a09057d9e788c3baa11439a391af4b1

SHA256
31392c78e3f969101ed0cfaa26eb66aab88964945404529a3811150cc8087159

SHA512
32486aa8016bfb6fdd4c0b5bcf683f697934b181881267f918542120bafc5fd1ec5bf95b839547789614a10c1a75f0cf21bd2842d1e1ae9b972829f08eb2cc7b

Download Submit
C:\Windows\{96558965-0E7B-4b34-8677-90454EFDE2FA}.exe

Filesize
168KB

MD5
4dd1c14d026bad8f73e9282f98aa492f

SHA1
c042635c89dee08fa30d55e82bc19a8f6419bab0

SHA256
daeeba07836618273a747fcab588deb859d619d426afa6a78218d8028e342820

SHA512
63f994f5abe27c57d083155e8b3322d65d189f2bddd001ce5e2660ed024a14f80dd9e1c17acd9a587cf2e89e3816de5bd6bbd6f075cd6c7b2cbf65ec7ac1f808

Download Submit
C:\Windows\{B8D4FFDA-22F6-449f-AA14-31DB76226A3B}.exe

Filesize
168KB

MD5
20845ba75660d59c9d9acb2f7648374a

SHA1
8cedc580a16fd79728de79ee5ae92c62f04bf7fd

SHA256
99ccaab5e302b8ecedf98bf10da916f0bc2bdab61317fb3498a26087326b9385

SHA512
0d01a78a0749263cbdff9d1fd0643742b99914b006ab0d94d6fd9911b78f6d8ea22f83af31eb620fac7a235fc8ca9b3f215c7597c665ef43481246e67ef2fea4

Download Submit
C:\Windows\{BAA47D71-29F4-4add-BF70-BF80D5A125E9}.exe

Filesize
168KB

MD5
3023641a0b7c22bd339c9617f4eb3c77

SHA1
fe3ad7f43d5e6249e7660003e197b9e14b570aae

SHA256
6979ce6bfe981bbc521aa73885360f664f21f19faa7ffdee0300a33d49fed641

SHA512
858f00e642a840b65d37644ad2e75f6913736ccb74638eefa9c9a94ba0ced7772d1f2eda1b5a0dd4e0842ffa45c421c3b853963d1c1516dfd76c3042227a6725

Download Submit
C:\Windows\{C4ED9180-E48D-454b-AD97-F59A1FAF170A}.exe

Filesize
168KB

MD5
77ddbb65faf92a91eacd8d8b0b33dc10

SHA1
2d03123c4531d0250987bdfaad8f5243292af712

SHA256
04fa6bb56df773f1442595c461ad32350e0f0f3fb49bae47dc120a440b46c4ae

SHA512
b745349b20754db34a01c792f62308ff65c839dcacfc1fd519a3189014303bc0d46374531ea28af2f5d6b324b49a4aaec3ab49cd34b5830d12d939c958ea9005

Download Submit
C:\Windows\{D3A2C55C-4ECD-4bd7-8197-73965C743FF8}.exe

Filesize
168KB

MD5
9fc1f0c688fbea70c260b50be6613f02

SHA1
f8bb4110c21b98a4b40fdb85ac6f7e0d2d9985e6

SHA256
1d45912796ad433d8fdbb22993ba521d8558bfad4e7e4c816d06eff1b0e4b7c8

SHA512
9cda5f1cc30cd1af4aac4696867f53f8e12a5aea49ceff7d53d98889429fa58e9ee4c3ad84c2b97c362d03c83ccdb449ef1fedd6afbf223f92549f8876898219

Download Submit
C:\Windows\{EABBD543-72F2-46b7-BBB0-E3DBCD324712}.exe

Filesize
168KB

MD5
a6317ed70e4ca0bc0d2eb03990ba338f

SHA1
8ee8511c7571203a2ea1b9a82e4459ff354ff2dd

SHA256
256b2aa81956a30b33cc735e1e3ae2a31ce1e4062f13259ce47dd51242ee263d

SHA512
5eb010c8081f97ae2cc97fdabeba29a12f3c3f46cf260023bf5964c98db52ebd102800d36a605bde864f9e5641924fa02bf96973b8c125a926ab30597fb78e98

Download Submit
C:\Windows\{FE350322-04BB-4aa6-AF34-339B5737EB04}.exe

Filesize
168KB

MD5
a1623b4f39de6fb139d45aab79413d1d

SHA1
c3f1bba48cf0ee05f220e4b5e0d1f42c22416fcb

SHA256
7d5e78d1abc075a2488b7b69943090508e9bbce74b348e40321066a70081c8ad

SHA512
ff30472176138aa1daac4c58ac1189e44e0778752fc88a12d5aafa24f351fbfa15d64a4fa2832faae6865385f164b3d6edad7279c560e24cd8084c57d51b5a40

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads