f966abfad0983cf36184e5725b0961613cf7104833ad390b7a9710ba43eb1c46

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe
Size

168KB
MD5

6813224d0a52e9d893678d844bfe499f
SHA1

3bf440bfc3ced85fa68d470dfa7266f670bb7a22
SHA256

f966abfad0983cf36184e5725b0961613cf7104833ad390b7a9710ba43eb1c46
SHA512

8d03669c8fccf52a531a62efe17c26b502431b6ec9389450cc56d8fc43af5bd4aed1f06b5700332931e9cf52e132355422a6606c7abec6fa5ce7c448f45ab80f
SSDEEP

1536:1EGh0oqli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oqliOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}	{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}\stubpath = "C:\\Windows\\{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe"	{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{027BBF20-2822-4987-8EF0-215EAC3AC5C2}\stubpath = "C:\\Windows\\{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe"	{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D611CD27-7B50-4254-B4EA-1CB3A8035197}\stubpath = "C:\\Windows\\{D611CD27-7B50-4254-B4EA-1CB3A8035197}.exe"	{426441A3-BECA-4a07-B745-D58DFC735308}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08606378-CEBB-4bc3-86CE-F26614F0E6AE}\stubpath = "C:\\Windows\\{08606378-CEBB-4bc3-86CE-F26614F0E6AE}.exe"	{9F7F58AA-5F95-4fcd-9EE3-21FE1BFFFDAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}\stubpath = "C:\\Windows\\{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe"	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}\stubpath = "C:\\Windows\\{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe"	{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{027BBF20-2822-4987-8EF0-215EAC3AC5C2}	{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}	{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{426441A3-BECA-4a07-B745-D58DFC735308}\stubpath = "C:\\Windows\\{426441A3-BECA-4a07-B745-D58DFC735308}.exe"	{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F7F58AA-5F95-4fcd-9EE3-21FE1BFFFDAC}\stubpath = "C:\\Windows\\{9F7F58AA-5F95-4fcd-9EE3-21FE1BFFFDAC}.exe"	{D611CD27-7B50-4254-B4EA-1CB3A8035197}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D611CD27-7B50-4254-B4EA-1CB3A8035197}	{426441A3-BECA-4a07-B745-D58DFC735308}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08606378-CEBB-4bc3-86CE-F26614F0E6AE}	{9F7F58AA-5F95-4fcd-9EE3-21FE1BFFFDAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F7F58AA-5F95-4fcd-9EE3-21FE1BFFFDAC}	{D611CD27-7B50-4254-B4EA-1CB3A8035197}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}	{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42A8FD40-CACC-4f18-907F-60F1055436DD}	{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42A8FD40-CACC-4f18-907F-60F1055436DD}\stubpath = "C:\\Windows\\{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe"	{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}\stubpath = "C:\\Windows\\{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe"	{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}	{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}\stubpath = "C:\\Windows\\{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe"	{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{426441A3-BECA-4a07-B745-D58DFC735308}	{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe

Deletes itself 1 IoCs

pid	Process
2528	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2260	{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe
2672	{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe
2908	{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe
2036	{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe
2604	{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe
688	{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe
896	{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe
864	{426441A3-BECA-4a07-B745-D58DFC735308}.exe
1588	{D611CD27-7B50-4254-B4EA-1CB3A8035197}.exe
2296	{9F7F58AA-5F95-4fcd-9EE3-21FE1BFFFDAC}.exe
2288	{08606378-CEBB-4bc3-86CE-F26614F0E6AE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe	{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe
File created	C:\Windows\{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe	{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe
File created	C:\Windows\{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe	{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe
File created	C:\Windows\{426441A3-BECA-4a07-B745-D58DFC735308}.exe	{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe
File created	C:\Windows\{D611CD27-7B50-4254-B4EA-1CB3A8035197}.exe	{426441A3-BECA-4a07-B745-D58DFC735308}.exe
File created	C:\Windows\{9F7F58AA-5F95-4fcd-9EE3-21FE1BFFFDAC}.exe	{D611CD27-7B50-4254-B4EA-1CB3A8035197}.exe
File created	C:\Windows\{08606378-CEBB-4bc3-86CE-F26614F0E6AE}.exe	{9F7F58AA-5F95-4fcd-9EE3-21FE1BFFFDAC}.exe
File created	C:\Windows\{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe	{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe
File created	C:\Windows\{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe	{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe
File created	C:\Windows\{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe	{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe
File created	C:\Windows\{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1048	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe
Token: SeIncBasePriorityPrivilege	2260	{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe
Token: SeIncBasePriorityPrivilege	2672	{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe
Token: SeIncBasePriorityPrivilege	2908	{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe
Token: SeIncBasePriorityPrivilege	2036	{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe
Token: SeIncBasePriorityPrivilege	2604	{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe
Token: SeIncBasePriorityPrivilege	688	{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe
Token: SeIncBasePriorityPrivilege	896	{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe
Token: SeIncBasePriorityPrivilege	864	{426441A3-BECA-4a07-B745-D58DFC735308}.exe
Token: SeIncBasePriorityPrivilege	1588	{D611CD27-7B50-4254-B4EA-1CB3A8035197}.exe
Token: SeIncBasePriorityPrivilege	2296	{9F7F58AA-5F95-4fcd-9EE3-21FE1BFFFDAC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2260	1048	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe	28
PID 1048 wrote to memory of 2260	1048	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe	28
PID 1048 wrote to memory of 2260	1048	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe	28
PID 1048 wrote to memory of 2260	1048	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe	28
PID 1048 wrote to memory of 2528	1048	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe	29
PID 1048 wrote to memory of 2528	1048	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe	29
PID 1048 wrote to memory of 2528	1048	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe	29
PID 1048 wrote to memory of 2528	1048	202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe	29
PID 2260 wrote to memory of 2672	2260	{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe	30
PID 2260 wrote to memory of 2672	2260	{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe	30
PID 2260 wrote to memory of 2672	2260	{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe	30
PID 2260 wrote to memory of 2672	2260	{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe	30
PID 2260 wrote to memory of 2684	2260	{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe	31
PID 2260 wrote to memory of 2684	2260	{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe	31
PID 2260 wrote to memory of 2684	2260	{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe	31
PID 2260 wrote to memory of 2684	2260	{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe	31
PID 2672 wrote to memory of 2908	2672	{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe	32
PID 2672 wrote to memory of 2908	2672	{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe	32
PID 2672 wrote to memory of 2908	2672	{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe	32
PID 2672 wrote to memory of 2908	2672	{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe	32
PID 2672 wrote to memory of 2608	2672	{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe	33
PID 2672 wrote to memory of 2608	2672	{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe	33
PID 2672 wrote to memory of 2608	2672	{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe	33
PID 2672 wrote to memory of 2608	2672	{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe	33
PID 2908 wrote to memory of 2036	2908	{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe	36
PID 2908 wrote to memory of 2036	2908	{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe	36
PID 2908 wrote to memory of 2036	2908	{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe	36
PID 2908 wrote to memory of 2036	2908	{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe	36
PID 2908 wrote to memory of 2744	2908	{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe	37
PID 2908 wrote to memory of 2744	2908	{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe	37
PID 2908 wrote to memory of 2744	2908	{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe	37
PID 2908 wrote to memory of 2744	2908	{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe	37
PID 2036 wrote to memory of 2604	2036	{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe	38
PID 2036 wrote to memory of 2604	2036	{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe	38
PID 2036 wrote to memory of 2604	2036	{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe	38
PID 2036 wrote to memory of 2604	2036	{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe	38
PID 2036 wrote to memory of 2940	2036	{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe	39
PID 2036 wrote to memory of 2940	2036	{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe	39
PID 2036 wrote to memory of 2940	2036	{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe	39
PID 2036 wrote to memory of 2940	2036	{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe	39
PID 2604 wrote to memory of 688	2604	{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe	40
PID 2604 wrote to memory of 688	2604	{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe	40
PID 2604 wrote to memory of 688	2604	{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe	40
PID 2604 wrote to memory of 688	2604	{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe	40
PID 2604 wrote to memory of 364	2604	{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe	41
PID 2604 wrote to memory of 364	2604	{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe	41
PID 2604 wrote to memory of 364	2604	{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe	41
PID 2604 wrote to memory of 364	2604	{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe	41
PID 688 wrote to memory of 896	688	{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe	42
PID 688 wrote to memory of 896	688	{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe	42
PID 688 wrote to memory of 896	688	{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe	42
PID 688 wrote to memory of 896	688	{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe	42
PID 688 wrote to memory of 268	688	{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe	43
PID 688 wrote to memory of 268	688	{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe	43
PID 688 wrote to memory of 268	688	{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe	43
PID 688 wrote to memory of 268	688	{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe	43
PID 896 wrote to memory of 864	896	{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe	44
PID 896 wrote to memory of 864	896	{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe	44
PID 896 wrote to memory of 864	896	{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe	44
PID 896 wrote to memory of 864	896	{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe	44
PID 896 wrote to memory of 1500	896	{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe	45
PID 896 wrote to memory of 1500	896	{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe	45
PID 896 wrote to memory of 1500	896	{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe	45
PID 896 wrote to memory of 1500	896	{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe	45

C:\Users\Admin\AppData\Local\Temp\202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\202404146813224d0a52e9d893678d844bfe499fgoldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe
  C:\Windows\{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe
    C:\Windows\{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe
      C:\Windows\{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe
        
        C:\Windows\{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe
        
        C:\Windows\{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe
        
        C:\Windows\{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe
        
        C:\Windows\{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\{426441A3-BECA-4a07-B745-D58DFC735308}.exe
        
        C:\Windows\{426441A3-BECA-4a07-B745-D58DFC735308}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\{D611CD27-7B50-4254-B4EA-1CB3A8035197}.exe
        
        C:\Windows\{D611CD27-7B50-4254-B4EA-1CB3A8035197}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\{9F7F58AA-5F95-4fcd-9EE3-21FE1BFFFDAC}.exe
        
        C:\Windows\{9F7F58AA-5F95-4fcd-9EE3-21FE1BFFFDAC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\{08606378-CEBB-4bc3-86CE-F26614F0E6AE}.exe
        
        C:\Windows\{08606378-CEBB-4bc3-86CE-F26614F0E6AE}.exe
        12⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F7F5~1.EXE > nul
        12⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D611C~1.EXE > nul
        11⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42644~1.EXE > nul
        10⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8456~1.EXE > nul
        9⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60FC9~1.EXE > nul
        8⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42A8F~1.EXE > nul
        7⤵
        
        PID:364
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{027BB~1.EXE > nul
        6⤵
        
        PID:2940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5A84~1.EXE > nul
        5⤵
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D63C4~1.EXE > nul
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{31545~1.EXE > nul
    3⤵
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202404~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{027BBF20-2822-4987-8EF0-215EAC3AC5C2}.exe

Filesize
168KB

MD5
df4d58998859ec14bc7beac6757ef9d5

SHA1
8a48c353117d6c72cec1c105ccd2f05068270fa3

SHA256
f6ec141aaadf33458fa37f721939b564d24ec94f76abaa59f0b70a67c243bb53

SHA512
4479c811c95cce08491563d178b45eea388f53fefdf48e196758ee3ec52030f8f8ced2dbbb6c6d41601de0b97e519e75abb6fc2e40f32e01735397ec1c0e6c92

Download Submit
C:\Windows\{08606378-CEBB-4bc3-86CE-F26614F0E6AE}.exe

Filesize
168KB

MD5
6bc1d7b7f6f3a05c1f5e18ec177d2a59

SHA1
82a89dbd5bb2542622335b13e1a44b9be469eaba

SHA256
647275538812731296f45f24687003bfb7a11a2af06706b640d2bbb24c7cfa51

SHA512
cd84bd3e58bc39977087e9a28fb5b8ed6c887e254e3e2a134fb71dff2e58b025570709af041b2f0311ef2506f0ae3463d21084db8d5dc9c40d08cbfbcc3da855

Download Submit
C:\Windows\{31545CB8-3EBC-4d19-B22D-D5E0ACED4E50}.exe

Filesize
168KB

MD5
beaaf4e284dda785c53dd82c7779866a

SHA1
7e405b6f27c63138cf4bd6df894dd6ebcd3bcac1

SHA256
cdcceb0eb55731bfc9a882ca683adb4bcf08c98bbe0e7ea831715ba843b2c07b

SHA512
07f9264aeaf24d751430f77e0edc4ba399245e95f8927b24dc16d4fc4972a3e9d72eae09e408de006571dfb0c6a4f348ba572df01be4ee0e4dd2e00fa33cf1b1

Download Submit
C:\Windows\{426441A3-BECA-4a07-B745-D58DFC735308}.exe

Filesize
168KB

MD5
da8e2c1ad49885ee4131670f5f4eb3a0

SHA1
da972bb0760b02c67e14a9e528db7479c39e5cfa

SHA256
ce8963845867ed3506bc9805726b04875975cf053ce50ba780db7e65e3f5838d

SHA512
a2d42a6bdb16e4e64bac7158db6cce5c6b891396e50e0b1fcebcc8f41f3642687957f8f8921d66a365e1b8c69a5daf0785c7ba1474d8f12423c50fa3430f3167

Download Submit
C:\Windows\{42A8FD40-CACC-4f18-907F-60F1055436DD}.exe

Filesize
168KB

MD5
7ce35cdbcdfb7319f38fa2d1f159b276

SHA1
e995ef60754cdd1845e41eb0c86232b73eab8274

SHA256
b4693a89a29670b8a639f21bd2705efbdf000045957e662a7a3472f9ca6118db

SHA512
d72dc0620b77c7ffd01986d421ea0ec53a77ff33f07db38eb3e9d8329ad1f2a68df3265dd43930254df30cbce8ba80ab7ee40e7827e0bef9a0630cd56f63aaac

Download Submit
C:\Windows\{60FC9F25-7790-43be-8BAF-440A1FCFCB6D}.exe

Filesize
168KB

MD5
94ccbfc427a207ba16a7a935f4e821fb

SHA1
4f36584956e07d2761863a4839049147f6bb98e6

SHA256
79b7f9ffcb77c3712660ce49abc6700fc6d55fcfe014f639dff2c420eafba155

SHA512
18ee42c16ef570323af7119032300080c50e17ba9f5986b77e9579baab3c9e825270976f96330e2a994dc7cbe63c797cdbe90442d83abe5b6f507bc21550846e

Download Submit
C:\Windows\{9F7F58AA-5F95-4fcd-9EE3-21FE1BFFFDAC}.exe

Filesize
168KB

MD5
71d22c29ef7b9cfe8e28d09b2bb627e4

SHA1
d2dd6f88297e454b820be075fd0cc413f4211ba1

SHA256
65afd88b78b645b2bc2b9dcbec6abc0297edca064db6a26be67abe3d915b0979

SHA512
17abe9af25f9f2fb048f6c62f133fcf8a32e2e6d96408bf8446e2ebe63d74b285bc4e9033f5814ff3bd679de172eeb2d002be2977c4c7a13eeaa8339d92cfd1c

Download Submit
C:\Windows\{A5A840B5-D36F-456e-A98C-2FEDE4E3EC30}.exe

Filesize
168KB

MD5
2bec286d9e36158b6e8f8b57f20820a6

SHA1
34dc6e3be1319b534f9765730018034de635b9f3

SHA256
e5e21c93969d6b1aba66f3113e85a63a4d392a3bc14501775cf2f6c243563b70

SHA512
427486b5f00d849d383d9a09cfa3f4f8502542b5890f581965a24086f2bd620410d97f0b6a3c781767a87b1c150a5b94101cedcac18418dcfd8e9d363d21dc49

Download Submit
C:\Windows\{C8456853-5AD8-42b9-ABFA-AB4E0C86690C}.exe

Filesize
168KB

MD5
6d037dea2d5997de102c8da6de65e8a3

SHA1
fb04aa55203b2f22bd03b8bd82d07072c1c8599a

SHA256
075a0e39369758f31ea5bfbf53faa0dbd630df937de7f9c2510b8db023692e2a

SHA512
a790820968e5ffe5bb12d1d233610e377d9ec59dd04e110d2b67d70f4e4f452fd00aae0ca2903a0596bc4eab5ba1492a7e63a44580ed057f6055d7ff1dfd654e

Download Submit
C:\Windows\{D611CD27-7B50-4254-B4EA-1CB3A8035197}.exe

Filesize
168KB

MD5
8002523f7247c84255770fe20759162b

SHA1
d505ee9ac93bc0ed3be11549fc95ff5211475798

SHA256
09c4f70ed3eb2a4106a4d4cd4a76843905ff4e75a49b8607b851e7902bd1a15f

SHA512
9612603d5de5a63996c09e73f29a500a70f841a05acd98117e3ffe2b668ff4659e62af785fd3363c56c0fe13287873a4a60928f4722623033ac6685d59688103

Download Submit
C:\Windows\{D63C4337-5B1E-4d9b-B843-14AB6ADD8D2E}.exe

Filesize
168KB

MD5
cf35c9df060e1cdd9a2a6f8976748a3a

SHA1
48a7fdcecfadebfae6474345096f31a262fdc35f

SHA256
eca76905b769eacd7add4bccae0183574d3ba6707be008e940f4128a35582677

SHA512
846137897443340178cb7fc51a51c9ebe8f083697d13ff869c84ca422106e4c5c2c7ebaced126b1386cf5fc01eaf37be19caa35645ac76571c191243e483ba01

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads