7ce31488e8e95348042cc7e02eb62db910dfdda9878998894468db5906ef550b

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe
Size

180KB
MD5

9734b89b91f4cb005a2c1f4700876df9
SHA1

b60998717d8a053a7ee147ac7eccba410a6cfeba
SHA256

7ce31488e8e95348042cc7e02eb62db910dfdda9878998894468db5906ef550b
SHA512

0c184fa09629749e9a282560f870df02a7a80f046627521651e92ec150bf750a5873b24725438e1789e113e4eb80bf1150c8fdaf0887bab1fdc87df483b60186
SSDEEP

3072:jEGh0o/lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGVl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E39E895E-81EC-48ea-A7D6-E58A12AF8032}\stubpath = "C:\\Windows\\{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe"	{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{381D755D-1FEE-4f33-A491-044DF599A15B}	{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02F36C32-3A58-4e5e-A8AF-429225CB8450}	{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC1D77A1-571E-4f2d-90DE-E22A2041A40A}	{43E26E6A-E18D-4b62-97EA-3816C1918884}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC1D77A1-571E-4f2d-90DE-E22A2041A40A}\stubpath = "C:\\Windows\\{AC1D77A1-571E-4f2d-90DE-E22A2041A40A}.exe"	{43E26E6A-E18D-4b62-97EA-3816C1918884}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1061508A-808F-4910-836D-A9978CA94C36}	{AC1D77A1-571E-4f2d-90DE-E22A2041A40A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26AE163D-C3EC-48ee-8309-CF1CFB0679E5}	{1061508A-808F-4910-836D-A9978CA94C36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEC11922-02D4-4c6c-B52D-B4B17E343344}\stubpath = "C:\\Windows\\{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe"	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8D87E76-E2FB-491f-84A8-EFDECA194780}\stubpath = "C:\\Windows\\{C8D87E76-E2FB-491f-84A8-EFDECA194780}.exe"	{26AE163D-C3EC-48ee-8309-CF1CFB0679E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}\stubpath = "C:\\Windows\\{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe"	{381D755D-1FEE-4f33-A491-044DF599A15B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02F36C32-3A58-4e5e-A8AF-429225CB8450}\stubpath = "C:\\Windows\\{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe"	{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43E26E6A-E18D-4b62-97EA-3816C1918884}	{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43E26E6A-E18D-4b62-97EA-3816C1918884}\stubpath = "C:\\Windows\\{43E26E6A-E18D-4b62-97EA-3816C1918884}.exe"	{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26AE163D-C3EC-48ee-8309-CF1CFB0679E5}\stubpath = "C:\\Windows\\{26AE163D-C3EC-48ee-8309-CF1CFB0679E5}.exe"	{1061508A-808F-4910-836D-A9978CA94C36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEC11922-02D4-4c6c-B52D-B4B17E343344}	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}\stubpath = "C:\\Windows\\{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe"	{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E39E895E-81EC-48ea-A7D6-E58A12AF8032}	{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{381D755D-1FEE-4f33-A491-044DF599A15B}\stubpath = "C:\\Windows\\{381D755D-1FEE-4f33-A491-044DF599A15B}.exe"	{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1061508A-808F-4910-836D-A9978CA94C36}\stubpath = "C:\\Windows\\{1061508A-808F-4910-836D-A9978CA94C36}.exe"	{AC1D77A1-571E-4f2d-90DE-E22A2041A40A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8D87E76-E2FB-491f-84A8-EFDECA194780}	{26AE163D-C3EC-48ee-8309-CF1CFB0679E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}	{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}	{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}\stubpath = "C:\\Windows\\{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe"	{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}	{381D755D-1FEE-4f33-A491-044DF599A15B}.exe

Deletes itself 1 IoCs

pid	Process
2220	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
1640	{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe
2532	{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe
2524	{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe
2464	{381D755D-1FEE-4f33-A491-044DF599A15B}.exe
1604	{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe
2748	{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe
1236	{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe
2768	{43E26E6A-E18D-4b62-97EA-3816C1918884}.exe
1704	{AC1D77A1-571E-4f2d-90DE-E22A2041A40A}.exe
984	{1061508A-808F-4910-836D-A9978CA94C36}.exe
2172	{26AE163D-C3EC-48ee-8309-CF1CFB0679E5}.exe
1128	{C8D87E76-E2FB-491f-84A8-EFDECA194780}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe	{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe
File created	C:\Windows\{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe	{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe
File created	C:\Windows\{26AE163D-C3EC-48ee-8309-CF1CFB0679E5}.exe	{1061508A-808F-4910-836D-A9978CA94C36}.exe
File created	C:\Windows\{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe
File created	C:\Windows\{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe	{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe
File created	C:\Windows\{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe	{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe
File created	C:\Windows\{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe	{381D755D-1FEE-4f33-A491-044DF599A15B}.exe
File created	C:\Windows\{C8D87E76-E2FB-491f-84A8-EFDECA194780}.exe	{26AE163D-C3EC-48ee-8309-CF1CFB0679E5}.exe
File created	C:\Windows\{381D755D-1FEE-4f33-A491-044DF599A15B}.exe	{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe
File created	C:\Windows\{43E26E6A-E18D-4b62-97EA-3816C1918884}.exe	{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe
File created	C:\Windows\{AC1D77A1-571E-4f2d-90DE-E22A2041A40A}.exe	{43E26E6A-E18D-4b62-97EA-3816C1918884}.exe
File created	C:\Windows\{1061508A-808F-4910-836D-A9978CA94C36}.exe	{AC1D77A1-571E-4f2d-90DE-E22A2041A40A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1740	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe
Token: SeIncBasePriorityPrivilege	1640	{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe
Token: SeIncBasePriorityPrivilege	2532	{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe
Token: SeIncBasePriorityPrivilege	2524	{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe
Token: SeIncBasePriorityPrivilege	2464	{381D755D-1FEE-4f33-A491-044DF599A15B}.exe
Token: SeIncBasePriorityPrivilege	1604	{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe
Token: SeIncBasePriorityPrivilege	2748	{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe
Token: SeIncBasePriorityPrivilege	1236	{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe
Token: SeIncBasePriorityPrivilege	2768	{43E26E6A-E18D-4b62-97EA-3816C1918884}.exe
Token: SeIncBasePriorityPrivilege	1704	{AC1D77A1-571E-4f2d-90DE-E22A2041A40A}.exe
Token: SeIncBasePriorityPrivilege	984	{1061508A-808F-4910-836D-A9978CA94C36}.exe
Token: SeIncBasePriorityPrivilege	2172	{26AE163D-C3EC-48ee-8309-CF1CFB0679E5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1640	1740	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe	28
PID 1740 wrote to memory of 1640	1740	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe	28
PID 1740 wrote to memory of 1640	1740	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe	28
PID 1740 wrote to memory of 1640	1740	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe	28
PID 1740 wrote to memory of 2220	1740	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe	29
PID 1740 wrote to memory of 2220	1740	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe	29
PID 1740 wrote to memory of 2220	1740	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe	29
PID 1740 wrote to memory of 2220	1740	202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe	29
PID 1640 wrote to memory of 2532	1640	{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe	30
PID 1640 wrote to memory of 2532	1640	{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe	30
PID 1640 wrote to memory of 2532	1640	{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe	30
PID 1640 wrote to memory of 2532	1640	{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe	30
PID 1640 wrote to memory of 2624	1640	{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe	31
PID 1640 wrote to memory of 2624	1640	{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe	31
PID 1640 wrote to memory of 2624	1640	{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe	31
PID 1640 wrote to memory of 2624	1640	{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe	31
PID 2532 wrote to memory of 2524	2532	{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe	34
PID 2532 wrote to memory of 2524	2532	{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe	34
PID 2532 wrote to memory of 2524	2532	{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe	34
PID 2532 wrote to memory of 2524	2532	{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe	34
PID 2532 wrote to memory of 2660	2532	{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe	35
PID 2532 wrote to memory of 2660	2532	{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe	35
PID 2532 wrote to memory of 2660	2532	{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe	35
PID 2532 wrote to memory of 2660	2532	{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe	35
PID 2524 wrote to memory of 2464	2524	{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe	36
PID 2524 wrote to memory of 2464	2524	{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe	36
PID 2524 wrote to memory of 2464	2524	{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe	36
PID 2524 wrote to memory of 2464	2524	{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe	36
PID 2524 wrote to memory of 2544	2524	{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe	37
PID 2524 wrote to memory of 2544	2524	{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe	37
PID 2524 wrote to memory of 2544	2524	{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe	37
PID 2524 wrote to memory of 2544	2524	{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe	37
PID 2464 wrote to memory of 1604	2464	{381D755D-1FEE-4f33-A491-044DF599A15B}.exe	38
PID 2464 wrote to memory of 1604	2464	{381D755D-1FEE-4f33-A491-044DF599A15B}.exe	38
PID 2464 wrote to memory of 1604	2464	{381D755D-1FEE-4f33-A491-044DF599A15B}.exe	38
PID 2464 wrote to memory of 1604	2464	{381D755D-1FEE-4f33-A491-044DF599A15B}.exe	38
PID 2464 wrote to memory of 2760	2464	{381D755D-1FEE-4f33-A491-044DF599A15B}.exe	39
PID 2464 wrote to memory of 2760	2464	{381D755D-1FEE-4f33-A491-044DF599A15B}.exe	39
PID 2464 wrote to memory of 2760	2464	{381D755D-1FEE-4f33-A491-044DF599A15B}.exe	39
PID 2464 wrote to memory of 2760	2464	{381D755D-1FEE-4f33-A491-044DF599A15B}.exe	39
PID 1604 wrote to memory of 2748	1604	{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe	40
PID 1604 wrote to memory of 2748	1604	{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe	40
PID 1604 wrote to memory of 2748	1604	{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe	40
PID 1604 wrote to memory of 2748	1604	{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe	40
PID 1604 wrote to memory of 1172	1604	{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe	41
PID 1604 wrote to memory of 1172	1604	{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe	41
PID 1604 wrote to memory of 1172	1604	{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe	41
PID 1604 wrote to memory of 1172	1604	{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe	41
PID 2748 wrote to memory of 1236	2748	{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe	42
PID 2748 wrote to memory of 1236	2748	{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe	42
PID 2748 wrote to memory of 1236	2748	{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe	42
PID 2748 wrote to memory of 1236	2748	{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe	42
PID 2748 wrote to memory of 1872	2748	{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe	43
PID 2748 wrote to memory of 1872	2748	{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe	43
PID 2748 wrote to memory of 1872	2748	{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe	43
PID 2748 wrote to memory of 1872	2748	{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe	43
PID 1236 wrote to memory of 2768	1236	{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe	44
PID 1236 wrote to memory of 2768	1236	{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe	44
PID 1236 wrote to memory of 2768	1236	{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe	44
PID 1236 wrote to memory of 2768	1236	{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe	44
PID 1236 wrote to memory of 1332	1236	{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe	45
PID 1236 wrote to memory of 1332	1236	{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe	45
PID 1236 wrote to memory of 1332	1236	{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe	45
PID 1236 wrote to memory of 1332	1236	{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe	45

C:\Users\Admin\AppData\Local\Temp\202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\202404149734b89b91f4cb005a2c1f4700876df9goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe
  C:\Windows\{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe
    C:\Windows\{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe
      C:\Windows\{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\{381D755D-1FEE-4f33-A491-044DF599A15B}.exe
        
        C:\Windows\{381D755D-1FEE-4f33-A491-044DF599A15B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2464
      - C:\Windows\{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe
        
        C:\Windows\{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe
        
        C:\Windows\{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe
        
        C:\Windows\{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\{43E26E6A-E18D-4b62-97EA-3816C1918884}.exe
        
        C:\Windows\{43E26E6A-E18D-4b62-97EA-3816C1918884}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\{AC1D77A1-571E-4f2d-90DE-E22A2041A40A}.exe
        
        C:\Windows\{AC1D77A1-571E-4f2d-90DE-E22A2041A40A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\{1061508A-808F-4910-836D-A9978CA94C36}.exe
        
        C:\Windows\{1061508A-808F-4910-836D-A9978CA94C36}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
        
        C:\Windows\{26AE163D-C3EC-48ee-8309-CF1CFB0679E5}.exe
        
        C:\Windows\{26AE163D-C3EC-48ee-8309-CF1CFB0679E5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\{C8D87E76-E2FB-491f-84A8-EFDECA194780}.exe
        
        C:\Windows\{C8D87E76-E2FB-491f-84A8-EFDECA194780}.exe
        13⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26AE1~1.EXE > nul
        13⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10615~1.EXE > nul
        12⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC1D7~1.EXE > nul
        11⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43E26~1.EXE > nul
        10⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02F36~1.EXE > nul
        9⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23DE1~1.EXE > nul
        8⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{490AA~1.EXE > nul
        7⤵
        
        PID:1172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{381D7~1.EXE > nul
        6⤵
        
        PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E39E8~1.EXE > nul
        5⤵
        
        PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{73B95~1.EXE > nul
      4⤵
      PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EEC11~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202404~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02F36C32-3A58-4e5e-A8AF-429225CB8450}.exe

Filesize
180KB

MD5
a35abdfa922854e51e8b98230eca74cd

SHA1
8cfddde0b8d17b39fa6ea53ab11ffabddef577f1

SHA256
43c2bf35fcce55934a016e390da69bf984515a13dccd61b456324c499e06569c

SHA512
a23fa1a923ad860dc97630168f4f4c56244ac3568f079e2d0fbcb109603b82b57a7f5e019855171965215bfe02ace1a70dc23272f1c56fa138f45290b33116d0

Download Submit
C:\Windows\{1061508A-808F-4910-836D-A9978CA94C36}.exe

Filesize
180KB

MD5
0ec5e3b6bf9d4c75bfe72ba7e113acc7

SHA1
cce596519b53ac0b00e3a72f2de1b7463cec06f0

SHA256
c1fd105264921db2ffb493747c8b0a96486cea075e8d25a5eb9486533113a466

SHA512
74aa51abe7d688d42afb2980db07725d96ef39670ce39c6f1dbf87a9ac6717685aa5193c0eb1260840c28b6344d89e21567caac6598359095edd7a389f5ccc7e

Download Submit
C:\Windows\{23DE15D9-C4F5-4ee1-829A-3C9F13A0EBF4}.exe

Filesize
180KB

MD5
072035ba4d83bd23777a580474268ad9

SHA1
61f16f1ca174dccde8d695b3b21e1db78eafcf74

SHA256
26d70a8964896a81994439c9ca0afb053e08663b728328c9bb3926af1e858057

SHA512
3c089a08eb37e037463c7850970b43328f565adaff247d435c99358ab6958d8df2755f0ee06f51bd521f438d26b4408169a2f0774b518767df582dd0aa10ecf0

Download Submit
C:\Windows\{26AE163D-C3EC-48ee-8309-CF1CFB0679E5}.exe

Filesize
180KB

MD5
7293abcf14dfdbb661ec6eeeefcfea0e

SHA1
81ac4f662f61f5778be1dbb125bd9d9f176c33df

SHA256
a4020bce1ed4f10245dc6d777a3c63c1e109944ea86608f23b2a9e0a88679078

SHA512
10353d3a388b77b73273f9ab1fb24135804122db7b37e2006f615908e0dffbf7cc86ff0814cba54ee9ef9735c0d8a6356c15d11cfbe7b46a9c02f5f43e266ae9

Download Submit
C:\Windows\{381D755D-1FEE-4f33-A491-044DF599A15B}.exe

Filesize
180KB

MD5
c833a7f11c0b096fd19b0132c20f3ba8

SHA1
5747a031b4f9a54550bbaa8271d010f37214d6af

SHA256
99778e330f9db2fcefe0722c0a2821768a8b55b516f78c489050d7a5824b38c3

SHA512
67b04b0eac957a488eb3c7dd5a2b659ac0014daf557098d1ca451e98a2af396b64759a37aa0fe72c54bd0faf60394f9d4c30c37a236205d9a5549c9b47d9e159

Download Submit
C:\Windows\{43E26E6A-E18D-4b62-97EA-3816C1918884}.exe

Filesize
180KB

MD5
90ee6d6d1389713eafafbd3474aa9421

SHA1
c6e7fe7a2ac6df1a577815cffd02826c6b286ee8

SHA256
cf3693ae0f0192d261e9f963cf4d6278786e7e3c8ec32f81a90252050984373a

SHA512
fea1963057bbd14f921a356b3187ac3e69bce7560784531bd2941c8e98aea045044fa4de13d26e97e4ef120c624b908e7841b086a579da13fdb82de356c451ee

Download Submit
C:\Windows\{490AAB66-FA6C-4710-9C64-EF3F0FE1257E}.exe

Filesize
180KB

MD5
94d7bde3cb1720a8d3e50490fa743614

SHA1
0f6fd19abe0118e4d1e86e6e93f8b390ddb5ac87

SHA256
1d1a107aa5c548c0a52e8485a45581fc5982b9fb7011635a6cd9d7517bdf3102

SHA512
b1d2b163dafe3a575424f26638bb5cad8cf6cb15a857bba13c1d5431fced396ef12289bcbe877cd3eedd5a25c19569a013608af3185b75adf7d89bb8b0c774d0

Download Submit
C:\Windows\{73B95B9B-A44C-48e6-925E-6F9EBFF988AE}.exe

Filesize
180KB

MD5
076b3f538514d961f939a1f9128eb47f

SHA1
c6dee52efaf11ace27e8f69fd30647df7f429280

SHA256
eb145e43ed2947e9743ac0d5348e6075b725c2109be0276b5764aa26554019ad

SHA512
fba8cbd48ad249686bbd20062cc43c468e30bcac2416b55099a3a3613c428801f178d92c0b81c2be5b89051884a70d817a0a9caee1a0244478b5803089fcc805

Download Submit
C:\Windows\{AC1D77A1-571E-4f2d-90DE-E22A2041A40A}.exe

Filesize
180KB

MD5
b02335a00433dc61ca984f7d9d24aae8

SHA1
24cd02ef207e64207d846ec6281aca26092e0539

SHA256
9f70e63332b2a0a7860fbaedd3287a1edd731f888efb59abc33f9773f03c4d8d

SHA512
3694679d3c338e05587549d4e9949eeda00231c8572e75269b74d0bc6e2521fed92b9accdfef7b7132053ba9921557eb9c4d28c4758b249add05bc80998432fb

Download Submit
C:\Windows\{C8D87E76-E2FB-491f-84A8-EFDECA194780}.exe

Filesize
180KB

MD5
03bc13e6878bf02ebb7d73a4bde54722

SHA1
00f6c057c60ad81982e91583ba65df444c4feab6

SHA256
5c0e478dad4782aa2c502f57988482153a9823001cdfb402404ec00933c5892c

SHA512
1fb85947e8890da630b93e82b12739b335b9bb0d21a19c67dac087e6e61b6f9df93214a4b205ea8b7978d25834c8f945fb7d9dda269d51cd47bab74d818a3415

Download Submit
C:\Windows\{E39E895E-81EC-48ea-A7D6-E58A12AF8032}.exe

Filesize
180KB

MD5
da0beabcace0c15c10dcb3d042145405

SHA1
b2a416cff9950c6a1e96dff852bddce3cf42fb2c

SHA256
7fb82c55ac8255e950ec9a9314c9376a36020ffcac5fbd6ef1dd28b575cb7024

SHA512
e5f87e1db2fbd3078a4f5d1ed9e18d3c1761c2991f6fc6e8124f7a54b061c8651eccd5edab7e88c27d7ac052f0b301242c8a2027f7d5e193101973ea4ecbbdb9

Download Submit
C:\Windows\{EEC11922-02D4-4c6c-B52D-B4B17E343344}.exe

Filesize
180KB

MD5
560a86be713d53a853009809e5a4a860

SHA1
723f245f386dcc752fb2b0cef2c4da0bb85538d5

SHA256
843de079a2f7dafb63a1aa52ad364001c2184de052db70c56327a73995afcc24

SHA512
319e8d16989702b756538e454e60dc69ca0983ba76a6440950d216daa4778dfad64592c59070e6848e1855512f5128c5cd897ff8a86071ae09df341a1c9a5df7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads