79c0e6f25ff6506693e104b37d380b0d1129edc350f66e347415b8f1fbe1ade9

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 21:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

20240524639181dfbac8a52c5b7b0c8012f77aefgoldeneye.exe
Size

168KB
MD5

639181dfbac8a52c5b7b0c8012f77aef
SHA1

712e7714e7ce33244d0ff66d5af43fc9f0269322
SHA256

79c0e6f25ff6506693e104b37d380b0d1129edc350f66e347415b8f1fbe1ade9
SHA512

0904f04e22db50c84f895558a81aa102964d071f2aecc72944541f691cea84c05d2cbbf904fd0bec614a16f626d5f58e59bdc0b8e5d9c234a7c85b21a9c80b10
SSDEEP

1536:1EGh0oMli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oMliOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}\stubpath = "C:\\Windows\\{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe"	{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06E04454-2AB9-4148-BDE2-50E7AA053914}	{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06E04454-2AB9-4148-BDE2-50E7AA053914}\stubpath = "C:\\Windows\\{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe"	{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{524D9A64-BA42-4231-A2DC-8B5C12571152}\stubpath = "C:\\Windows\\{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe"	{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}	20240524639181dfbac8a52c5b7b0c8012f77aefgoldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}\stubpath = "C:\\Windows\\{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe"	20240524639181dfbac8a52c5b7b0c8012f77aefgoldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}	{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}	{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}	{DA73A090-264C-434d-9CE5-6D981116FD61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DCB82C8-DAE8-40b4-9330-2E43DBA405CA}\stubpath = "C:\\Windows\\{0DCB82C8-DAE8-40b4-9330-2E43DBA405CA}.exe"	{10D925CB-5F90-4ee4-9519-B3620F1AB35F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{282BE095-099B-4207-96A1-7D7ECC314D2E}	{CDFE65DA-D88C-4c99-8995-7EAA91927B31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA73A090-264C-434d-9CE5-6D981116FD61}	{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA73A090-264C-434d-9CE5-6D981116FD61}\stubpath = "C:\\Windows\\{DA73A090-264C-434d-9CE5-6D981116FD61}.exe"	{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}\stubpath = "C:\\Windows\\{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe"	{DA73A090-264C-434d-9CE5-6D981116FD61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{524D9A64-BA42-4231-A2DC-8B5C12571152}	{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10D925CB-5F90-4ee4-9519-B3620F1AB35F}	{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DCB82C8-DAE8-40b4-9330-2E43DBA405CA}	{10D925CB-5F90-4ee4-9519-B3620F1AB35F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDFE65DA-D88C-4c99-8995-7EAA91927B31}	{0DCB82C8-DAE8-40b4-9330-2E43DBA405CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}\stubpath = "C:\\Windows\\{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe"	{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10D925CB-5F90-4ee4-9519-B3620F1AB35F}\stubpath = "C:\\Windows\\{10D925CB-5F90-4ee4-9519-B3620F1AB35F}.exe"	{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDFE65DA-D88C-4c99-8995-7EAA91927B31}\stubpath = "C:\\Windows\\{CDFE65DA-D88C-4c99-8995-7EAA91927B31}.exe"	{0DCB82C8-DAE8-40b4-9330-2E43DBA405CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{282BE095-099B-4207-96A1-7D7ECC314D2E}\stubpath = "C:\\Windows\\{282BE095-099B-4207-96A1-7D7ECC314D2E}.exe"	{CDFE65DA-D88C-4c99-8995-7EAA91927B31}.exe

Deletes itself 1 IoCs

pid	Process
3032	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1536	{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe
2652	{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe
2352	{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe
2844	{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe
1368	{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe
2600	{DA73A090-264C-434d-9CE5-6D981116FD61}.exe
2016	{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe
1984	{10D925CB-5F90-4ee4-9519-B3620F1AB35F}.exe
1696	{0DCB82C8-DAE8-40b4-9330-2E43DBA405CA}.exe
2728	{CDFE65DA-D88C-4c99-8995-7EAA91927B31}.exe
2788	{282BE095-099B-4207-96A1-7D7ECC314D2E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe	20240524639181dfbac8a52c5b7b0c8012f77aefgoldeneye.exe
File created	C:\Windows\{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe	{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe
File created	C:\Windows\{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe	{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe
File created	C:\Windows\{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe	{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe
File created	C:\Windows\{282BE095-099B-4207-96A1-7D7ECC314D2E}.exe	{CDFE65DA-D88C-4c99-8995-7EAA91927B31}.exe
File created	C:\Windows\{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe	{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe
File created	C:\Windows\{DA73A090-264C-434d-9CE5-6D981116FD61}.exe	{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe
File created	C:\Windows\{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe	{DA73A090-264C-434d-9CE5-6D981116FD61}.exe
File created	C:\Windows\{10D925CB-5F90-4ee4-9519-B3620F1AB35F}.exe	{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe
File created	C:\Windows\{0DCB82C8-DAE8-40b4-9330-2E43DBA405CA}.exe	{10D925CB-5F90-4ee4-9519-B3620F1AB35F}.exe
File created	C:\Windows\{CDFE65DA-D88C-4c99-8995-7EAA91927B31}.exe	{0DCB82C8-DAE8-40b4-9330-2E43DBA405CA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2292	20240524639181dfbac8a52c5b7b0c8012f77aefgoldeneye.exe
Token: SeIncBasePriorityPrivilege	1536	{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe
Token: SeIncBasePriorityPrivilege	2652	{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe
Token: SeIncBasePriorityPrivilege	2352	{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe
Token: SeIncBasePriorityPrivilege	2844	{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe
Token: SeIncBasePriorityPrivilege	1368	{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe
Token: SeIncBasePriorityPrivilege	2600	{DA73A090-264C-434d-9CE5-6D981116FD61}.exe
Token: SeIncBasePriorityPrivilege	2016	{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe
Token: SeIncBasePriorityPrivilege	1984	{10D925CB-5F90-4ee4-9519-B3620F1AB35F}.exe
Token: SeIncBasePriorityPrivilege	1696	{0DCB82C8-DAE8-40b4-9330-2E43DBA405CA}.exe
Token: SeIncBasePriorityPrivilege	2728	{CDFE65DA-D88C-4c99-8995-7EAA91927B31}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1536	2292	20240524639181dfbac8a52c5b7b0c8012f77aefgoldeneye.exe	28
PID 2292 wrote to memory of 1536	2292	20240524639181dfbac8a52c5b7b0c8012f77aefgoldeneye.exe	28
PID 2292 wrote to memory of 1536	2292	20240524639181dfbac8a52c5b7b0c8012f77aefgoldeneye.exe	28
PID 2292 wrote to memory of 1536	2292	20240524639181dfbac8a52c5b7b0c8012f77aefgoldeneye.exe	28
PID 2292 wrote to memory of 3032	2292	20240524639181dfbac8a52c5b7b0c8012f77aefgoldeneye.exe	29
PID 2292 wrote to memory of 3032	2292	20240524639181dfbac8a52c5b7b0c8012f77aefgoldeneye.exe	29
PID 2292 wrote to memory of 3032	2292	20240524639181dfbac8a52c5b7b0c8012f77aefgoldeneye.exe	29
PID 2292 wrote to memory of 3032	2292	20240524639181dfbac8a52c5b7b0c8012f77aefgoldeneye.exe	29
PID 1536 wrote to memory of 2652	1536	{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe	32
PID 1536 wrote to memory of 2652	1536	{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe	32
PID 1536 wrote to memory of 2652	1536	{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe	32
PID 1536 wrote to memory of 2652	1536	{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe	32
PID 1536 wrote to memory of 2456	1536	{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe	33
PID 1536 wrote to memory of 2456	1536	{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe	33
PID 1536 wrote to memory of 2456	1536	{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe	33
PID 1536 wrote to memory of 2456	1536	{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe	33
PID 2652 wrote to memory of 2352	2652	{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe	34
PID 2652 wrote to memory of 2352	2652	{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe	34
PID 2652 wrote to memory of 2352	2652	{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe	34
PID 2652 wrote to memory of 2352	2652	{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe	34
PID 2652 wrote to memory of 2396	2652	{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe	35
PID 2652 wrote to memory of 2396	2652	{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe	35
PID 2652 wrote to memory of 2396	2652	{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe	35
PID 2652 wrote to memory of 2396	2652	{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe	35
PID 2352 wrote to memory of 2844	2352	{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe	36
PID 2352 wrote to memory of 2844	2352	{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe	36
PID 2352 wrote to memory of 2844	2352	{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe	36
PID 2352 wrote to memory of 2844	2352	{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe	36
PID 2352 wrote to memory of 2332	2352	{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe	37
PID 2352 wrote to memory of 2332	2352	{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe	37
PID 2352 wrote to memory of 2332	2352	{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe	37
PID 2352 wrote to memory of 2332	2352	{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe	37
PID 2844 wrote to memory of 1368	2844	{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe	38
PID 2844 wrote to memory of 1368	2844	{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe	38
PID 2844 wrote to memory of 1368	2844	{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe	38
PID 2844 wrote to memory of 1368	2844	{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe	38
PID 2844 wrote to memory of 556	2844	{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe	39
PID 2844 wrote to memory of 556	2844	{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe	39
PID 2844 wrote to memory of 556	2844	{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe	39
PID 2844 wrote to memory of 556	2844	{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe	39
PID 1368 wrote to memory of 2600	1368	{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe	40
PID 1368 wrote to memory of 2600	1368	{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe	40
PID 1368 wrote to memory of 2600	1368	{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe	40
PID 1368 wrote to memory of 2600	1368	{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe	40
PID 1368 wrote to memory of 2588	1368	{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe	41
PID 1368 wrote to memory of 2588	1368	{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe	41
PID 1368 wrote to memory of 2588	1368	{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe	41
PID 1368 wrote to memory of 2588	1368	{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe	41
PID 2600 wrote to memory of 2016	2600	{DA73A090-264C-434d-9CE5-6D981116FD61}.exe	42
PID 2600 wrote to memory of 2016	2600	{DA73A090-264C-434d-9CE5-6D981116FD61}.exe	42
PID 2600 wrote to memory of 2016	2600	{DA73A090-264C-434d-9CE5-6D981116FD61}.exe	42
PID 2600 wrote to memory of 2016	2600	{DA73A090-264C-434d-9CE5-6D981116FD61}.exe	42
PID 2600 wrote to memory of 1916	2600	{DA73A090-264C-434d-9CE5-6D981116FD61}.exe	43
PID 2600 wrote to memory of 1916	2600	{DA73A090-264C-434d-9CE5-6D981116FD61}.exe	43
PID 2600 wrote to memory of 1916	2600	{DA73A090-264C-434d-9CE5-6D981116FD61}.exe	43
PID 2600 wrote to memory of 1916	2600	{DA73A090-264C-434d-9CE5-6D981116FD61}.exe	43
PID 2016 wrote to memory of 1984	2016	{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe	44
PID 2016 wrote to memory of 1984	2016	{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe	44
PID 2016 wrote to memory of 1984	2016	{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe	44
PID 2016 wrote to memory of 1984	2016	{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe	44
PID 2016 wrote to memory of 2180	2016	{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe	45
PID 2016 wrote to memory of 2180	2016	{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe	45
PID 2016 wrote to memory of 2180	2016	{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe	45
PID 2016 wrote to memory of 2180	2016	{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe	45

C:\Users\Admin\AppData\Local\Temp\20240524639181dfbac8a52c5b7b0c8012f77aefgoldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\20240524639181dfbac8a52c5b7b0c8012f77aefgoldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe
  C:\Windows\{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe
    C:\Windows\{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe
      C:\Windows\{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe
        
        C:\Windows\{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Windows\{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe
        
        C:\Windows\{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\{DA73A090-264C-434d-9CE5-6D981116FD61}.exe
        
        C:\Windows\{DA73A090-264C-434d-9CE5-6D981116FD61}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe
        
        C:\Windows\{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\{10D925CB-5F90-4ee4-9519-B3620F1AB35F}.exe
        
        C:\Windows\{10D925CB-5F90-4ee4-9519-B3620F1AB35F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\{0DCB82C8-DAE8-40b4-9330-2E43DBA405CA}.exe
        
        C:\Windows\{0DCB82C8-DAE8-40b4-9330-2E43DBA405CA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\{CDFE65DA-D88C-4c99-8995-7EAA91927B31}.exe
        
        C:\Windows\{CDFE65DA-D88C-4c99-8995-7EAA91927B31}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\{282BE095-099B-4207-96A1-7D7ECC314D2E}.exe
        
        C:\Windows\{282BE095-099B-4207-96A1-7D7ECC314D2E}.exe
        12⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDFE6~1.EXE > nul
        12⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DCB8~1.EXE > nul
        11⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10D92~1.EXE > nul
        10⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EEB8~1.EXE > nul
        9⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA73A~1.EXE > nul
        8⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{524D9~1.EXE > nul
        7⤵
        
        PID:2588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06E04~1.EXE > nul
        6⤵
        
        PID:556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4BD7~1.EXE > nul
        5⤵
        
        PID:2332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9F353~1.EXE > nul
      4⤵
      PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{93DE1~1.EXE > nul
    3⤵
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202405~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06E04454-2AB9-4148-BDE2-50E7AA053914}.exe

Filesize
168KB

MD5
2676f2a8806dbc424496851a65219262

SHA1
146c3aee3176deee75a669e62edace617a60ed2c

SHA256
e513c4834ebdd251f6aab502d74bb3dab45ee6fd13d98469fde00647d7a6dec3

SHA512
ae20826391f98f855b942c3b00c5a070c0e3322254edcf4594dad42b19d34fa53bbaddf745edd71a30d627cd80e2422c7cccf277e3f4e193ff0e6aada2fce5b6

Download Submit
C:\Windows\{0DCB82C8-DAE8-40b4-9330-2E43DBA405CA}.exe

Filesize
168KB

MD5
a684e14ee668f304f1272ada8245c344

SHA1
995c1bc059a5d5ee9d55da1e6529088eff5353db

SHA256
78b6a0e457f2492a64b6e93fad282b868d8febe6100fa4d110189a7c85c67d9c

SHA512
a8359defe0027229221cdfd8f94c753a9d488c352f62062dc5ab3f7f63939640f88e04fe0a56bcc8852590d3ecdfdef43a390a0d4cc7fe31eb753141cb6affb8

Download Submit
C:\Windows\{10D925CB-5F90-4ee4-9519-B3620F1AB35F}.exe

Filesize
168KB

MD5
a73abe51fdd2442eb923424e71e8ae30

SHA1
0029d35d58b2ec8ecc8694609a55aa81f654a20f

SHA256
51b4b4683b556a3fb6960d6d06803aa40b0c09b939ad1b7ad81084972fd58d6f

SHA512
e4280470ef9fdf1c48ee15b8a27513285eb1bc53e9467433b0e9657f36deb23d87a262c4b025c552d1a5cfc34c6b10e25306e506a8f765085deceabe0a8ce84c

Download Submit
C:\Windows\{282BE095-099B-4207-96A1-7D7ECC314D2E}.exe

Filesize
168KB

MD5
3d84f4eedc52e2d74f0a0903b447c5b3

SHA1
e8c149fc6d5193b5dcc506967bf26350c6a447ee

SHA256
16180548baff5c6a2c175b6c40aec9b6349b05f539cbdec371efb6df957d8cde

SHA512
8e4083f371e15db0a9c70e173710245b0ee3138dab23ee8bafde07bd972ec16bab53dcb64f137039ae7ee5e6c76614cc55757b18682f1d9377a781e1512a55be

Download Submit
C:\Windows\{524D9A64-BA42-4231-A2DC-8B5C12571152}.exe

Filesize
168KB

MD5
f0eab6e6d29f63ea90679ba2380071a3

SHA1
2391f15ba98547bed6e06356c8086b656f7b6f1d

SHA256
aebd60e1fb79f4894772b00c4cc878d2a00d463c035815e7889b4912e4a5d2d6

SHA512
776c17884ca2c7275ce80d4a8b332db5f8c1cf04b27c13e21bff60ea7a1c7bbfddffef3f48791afea1c58110e38dc0854b51c4419f8e4622c460ccfe1cb8cb7a

Download Submit
C:\Windows\{8EEB8420-286A-44e0-B5C5-00FFA0A8A4D3}.exe

Filesize
168KB

MD5
9c2b003bc48c719549b82119f886a962

SHA1
4f1fffe91e10e0a144c4d7bfb6f3f3d36cbe8bca

SHA256
2a942b6f91fbba9bed4b7310f639d5d4581b6dbbe83a19bff2a985d07ec390d3

SHA512
f94fdb8940b60daaf72396e9149fbb7f402a90139ce787f18b305d0574a89bed2af1249adf5e37b935dbf121d707651eb9b4141c426dc04c2a0342c6d111a512

Download Submit
C:\Windows\{93DE18FB-F4CE-46fa-AF09-04B9442ED21F}.exe

Filesize
168KB

MD5
ec1e7c08ca743e9ceb53a3169b4bb510

SHA1
a4d5831c7ae0032cf841645b0d6633d245bc273b

SHA256
9cfff59d36e3e16822250ad8d52e92ac90679ee576ddf8c71a5e98580dc63beb

SHA512
0e892b7822a0c2a63c63bb28d657f0119dd21b0be0c87ddcdc4268c318c166b280b60bdfefde59272c4f2d61a8e74ca3e75fb7843dc70918cb93113fee8f8b2b

Download Submit
C:\Windows\{9F35346B-4177-445c-BB48-0A8B4CDD3DB7}.exe

Filesize
168KB

MD5
c6ad47ff78e559df9f90ab0dfc8f27e0

SHA1
72885cccf6919a0cbc0e0291568e8b193178c2e9

SHA256
8f4bbb4ae767c4aab5b2285c497c2f9c8d4cb53cc29353a9b4d3c4decec7e551

SHA512
8d95f3c6d7bae5cf806e33b550617bbf11deb276d2602bf745d97ceb3fe65a543613f0279e39cea2c6e2d2550dcdfd2702a06381c824a603586326dc000a4ef5

Download Submit
C:\Windows\{B4BD7C25-8CB9-4e0d-AE7A-5558987EB883}.exe

Filesize
168KB

MD5
c86919c77f882c3067a0464ced9a0edf

SHA1
465166b8ca6704cbf157f252739f67b1ed2cd1af

SHA256
37dea1fd28d70c63adbb5f8e1b3e0f732e5fd847aa827505478a357812e17eaa

SHA512
57baf57b5fab27de19a8020588150d177b5614c80a9c40bdf92180e58d23b34da5a8cb2ba899b442790b05da4fd30aa020a27c0d2bab86657a8e93c63e5bc865

Download Submit
C:\Windows\{CDFE65DA-D88C-4c99-8995-7EAA91927B31}.exe

Filesize
168KB

MD5
0b51fe42d4c39cffa1ce5838773436a6

SHA1
5766b1b293ee06b289c6f981329ae6d80b7c44e1

SHA256
561e700f572402cef7f9375501e6bb17fef0096a6119436a748736255a4fc718

SHA512
6da5dbcc990168aac33233f69cf4876a6c08fdf5d4322a06cab13d46f8e42ed1d3584d0201376def11462e6fe12436819c4977a663d5ee71e90fc97653e99897

Download Submit
C:\Windows\{DA73A090-264C-434d-9CE5-6D981116FD61}.exe

Filesize
168KB

MD5
ffc54f951c70b8bf85efe8004a03a2e8

SHA1
2445825f818508407294c3aeb2ea6bd28498e2dd

SHA256
7c688ebc89a89f5ff8586c2a698d042ed8226ae90d75e7917dd9476989595873

SHA512
ccc8f58f55295cab6c8aff9582339e9a378f3c2a1d9718f08a435de1130680d4f32d4a4a1b886f3cde55b691fc3dd9107faa25ce0ae5fa9d753d9c916902e90d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads