e98e60e0b2552944d874c91b1678a94ebc4a5e3c1d0f3291e9da0b155715f839

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202405240740051a483ba3199f183a02f3e56439goldeneye.exe
Size

380KB
MD5

0740051a483ba3199f183a02f3e56439
SHA1

8efd8ecba542fbe9aa4416ed7777d4f24ed60624
SHA256

e98e60e0b2552944d874c91b1678a94ebc4a5e3c1d0f3291e9da0b155715f839
SHA512

462665170ed77d28a0a625fde3137c584df82dfc221031aa68d63ee0189ed7a69202ae69d4af28cd73bf5969bf220c510ed31b1a8d3980712cbfb3e883b52af6
SSDEEP

3072:mEGh0oalPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG8l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DED8B6BB-84DB-43f6-9495-9128EE24CD08}\stubpath = "C:\\Windows\\{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe"	{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D521416A-C8E1-47dd-923B-C24DD17A9E6F}	202405240740051a483ba3199f183a02f3e56439goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D521416A-C8E1-47dd-923B-C24DD17A9E6F}\stubpath = "C:\\Windows\\{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe"	202405240740051a483ba3199f183a02f3e56439goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A14DF71-A19C-462c-B020-9F634779D9E3}\stubpath = "C:\\Windows\\{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe"	{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACEF5853-D655-4dfb-80B8-DDA270820968}	{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACEF5853-D655-4dfb-80B8-DDA270820968}\stubpath = "C:\\Windows\\{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe"	{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{582E5AEA-8B94-483c-8EA4-35111F1C5902}	{F5605BAB-1AA6-480e-8FD9-CA9A465236B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67B246E5-18F0-4aeb-B00E-92C27328A6B4}\stubpath = "C:\\Windows\\{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe"	{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A14DF71-A19C-462c-B020-9F634779D9E3}	{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E60A31F-F7F5-452b-81DF-CCA748F5C595}\stubpath = "C:\\Windows\\{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe"	{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC204F9D-BB95-4c4b-B8A1-6FC9A824E9A2}	{55FD9E3F-A5C4-4417-BE29-4750534C287A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5605BAB-1AA6-480e-8FD9-CA9A465236B8}\stubpath = "C:\\Windows\\{F5605BAB-1AA6-480e-8FD9-CA9A465236B8}.exe"	{AC204F9D-BB95-4c4b-B8A1-6FC9A824E9A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5605BAB-1AA6-480e-8FD9-CA9A465236B8}	{AC204F9D-BB95-4c4b-B8A1-6FC9A824E9A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}	{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}\stubpath = "C:\\Windows\\{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe"	{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DED8B6BB-84DB-43f6-9495-9128EE24CD08}	{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55FD9E3F-A5C4-4417-BE29-4750534C287A}	{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55FD9E3F-A5C4-4417-BE29-4750534C287A}\stubpath = "C:\\Windows\\{55FD9E3F-A5C4-4417-BE29-4750534C287A}.exe"	{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67B246E5-18F0-4aeb-B00E-92C27328A6B4}	{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E60A31F-F7F5-452b-81DF-CCA748F5C595}	{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC204F9D-BB95-4c4b-B8A1-6FC9A824E9A2}\stubpath = "C:\\Windows\\{AC204F9D-BB95-4c4b-B8A1-6FC9A824E9A2}.exe"	{55FD9E3F-A5C4-4417-BE29-4750534C287A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{582E5AEA-8B94-483c-8EA4-35111F1C5902}\stubpath = "C:\\Windows\\{582E5AEA-8B94-483c-8EA4-35111F1C5902}.exe"	{F5605BAB-1AA6-480e-8FD9-CA9A465236B8}.exe

Deletes itself 1 IoCs

pid	Process
2268	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2264	{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe
2608	{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe
2668	{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe
2512	{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe
2984	{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe
1940	{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe
1876	{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe
1304	{55FD9E3F-A5C4-4417-BE29-4750534C287A}.exe
2860	{AC204F9D-BB95-4c4b-B8A1-6FC9A824E9A2}.exe
2440	{F5605BAB-1AA6-480e-8FD9-CA9A465236B8}.exe
580	{582E5AEA-8B94-483c-8EA4-35111F1C5902}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AC204F9D-BB95-4c4b-B8A1-6FC9A824E9A2}.exe	{55FD9E3F-A5C4-4417-BE29-4750534C287A}.exe
File created	C:\Windows\{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe	202405240740051a483ba3199f183a02f3e56439goldeneye.exe
File created	C:\Windows\{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe	{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe
File created	C:\Windows\{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe	{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe
File created	C:\Windows\{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe	{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe
File created	C:\Windows\{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe	{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe
File created	C:\Windows\{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe	{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe
File created	C:\Windows\{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe	{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe
File created	C:\Windows\{55FD9E3F-A5C4-4417-BE29-4750534C287A}.exe	{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe
File created	C:\Windows\{F5605BAB-1AA6-480e-8FD9-CA9A465236B8}.exe	{AC204F9D-BB95-4c4b-B8A1-6FC9A824E9A2}.exe
File created	C:\Windows\{582E5AEA-8B94-483c-8EA4-35111F1C5902}.exe	{F5605BAB-1AA6-480e-8FD9-CA9A465236B8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2348	202405240740051a483ba3199f183a02f3e56439goldeneye.exe
Token: SeIncBasePriorityPrivilege	2264	{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe
Token: SeIncBasePriorityPrivilege	2608	{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe
Token: SeIncBasePriorityPrivilege	2668	{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe
Token: SeIncBasePriorityPrivilege	2512	{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe
Token: SeIncBasePriorityPrivilege	2984	{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe
Token: SeIncBasePriorityPrivilege	1940	{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe
Token: SeIncBasePriorityPrivilege	1876	{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe
Token: SeIncBasePriorityPrivilege	1304	{55FD9E3F-A5C4-4417-BE29-4750534C287A}.exe
Token: SeIncBasePriorityPrivilege	2860	{AC204F9D-BB95-4c4b-B8A1-6FC9A824E9A2}.exe
Token: SeIncBasePriorityPrivilege	2440	{F5605BAB-1AA6-480e-8FD9-CA9A465236B8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2264	2348	202405240740051a483ba3199f183a02f3e56439goldeneye.exe	28
PID 2348 wrote to memory of 2264	2348	202405240740051a483ba3199f183a02f3e56439goldeneye.exe	28
PID 2348 wrote to memory of 2264	2348	202405240740051a483ba3199f183a02f3e56439goldeneye.exe	28
PID 2348 wrote to memory of 2264	2348	202405240740051a483ba3199f183a02f3e56439goldeneye.exe	28
PID 2348 wrote to memory of 2268	2348	202405240740051a483ba3199f183a02f3e56439goldeneye.exe	29
PID 2348 wrote to memory of 2268	2348	202405240740051a483ba3199f183a02f3e56439goldeneye.exe	29
PID 2348 wrote to memory of 2268	2348	202405240740051a483ba3199f183a02f3e56439goldeneye.exe	29
PID 2348 wrote to memory of 2268	2348	202405240740051a483ba3199f183a02f3e56439goldeneye.exe	29
PID 2264 wrote to memory of 2608	2264	{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe	30
PID 2264 wrote to memory of 2608	2264	{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe	30
PID 2264 wrote to memory of 2608	2264	{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe	30
PID 2264 wrote to memory of 2608	2264	{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe	30
PID 2264 wrote to memory of 2624	2264	{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe	31
PID 2264 wrote to memory of 2624	2264	{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe	31
PID 2264 wrote to memory of 2624	2264	{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe	31
PID 2264 wrote to memory of 2624	2264	{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe	31
PID 2608 wrote to memory of 2668	2608	{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe	32
PID 2608 wrote to memory of 2668	2608	{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe	32
PID 2608 wrote to memory of 2668	2608	{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe	32
PID 2608 wrote to memory of 2668	2608	{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe	32
PID 2608 wrote to memory of 2648	2608	{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe	33
PID 2608 wrote to memory of 2648	2608	{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe	33
PID 2608 wrote to memory of 2648	2608	{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe	33
PID 2608 wrote to memory of 2648	2608	{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe	33
PID 2668 wrote to memory of 2512	2668	{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe	36
PID 2668 wrote to memory of 2512	2668	{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe	36
PID 2668 wrote to memory of 2512	2668	{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe	36
PID 2668 wrote to memory of 2512	2668	{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe	36
PID 2668 wrote to memory of 2560	2668	{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe	37
PID 2668 wrote to memory of 2560	2668	{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe	37
PID 2668 wrote to memory of 2560	2668	{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe	37
PID 2668 wrote to memory of 2560	2668	{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe	37
PID 2512 wrote to memory of 2984	2512	{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe	38
PID 2512 wrote to memory of 2984	2512	{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe	38
PID 2512 wrote to memory of 2984	2512	{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe	38
PID 2512 wrote to memory of 2984	2512	{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe	38
PID 2512 wrote to memory of 1152	2512	{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe	39
PID 2512 wrote to memory of 1152	2512	{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe	39
PID 2512 wrote to memory of 1152	2512	{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe	39
PID 2512 wrote to memory of 1152	2512	{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe	39
PID 2984 wrote to memory of 1940	2984	{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe	40
PID 2984 wrote to memory of 1940	2984	{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe	40
PID 2984 wrote to memory of 1940	2984	{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe	40
PID 2984 wrote to memory of 1940	2984	{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe	40
PID 2984 wrote to memory of 1656	2984	{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe	41
PID 2984 wrote to memory of 1656	2984	{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe	41
PID 2984 wrote to memory of 1656	2984	{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe	41
PID 2984 wrote to memory of 1656	2984	{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe	41
PID 1940 wrote to memory of 1876	1940	{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe	42
PID 1940 wrote to memory of 1876	1940	{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe	42
PID 1940 wrote to memory of 1876	1940	{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe	42
PID 1940 wrote to memory of 1876	1940	{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe	42
PID 1940 wrote to memory of 1328	1940	{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe	43
PID 1940 wrote to memory of 1328	1940	{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe	43
PID 1940 wrote to memory of 1328	1940	{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe	43
PID 1940 wrote to memory of 1328	1940	{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe	43
PID 1876 wrote to memory of 1304	1876	{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe	44
PID 1876 wrote to memory of 1304	1876	{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe	44
PID 1876 wrote to memory of 1304	1876	{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe	44
PID 1876 wrote to memory of 1304	1876	{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe	44
PID 1876 wrote to memory of 1236	1876	{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe	45
PID 1876 wrote to memory of 1236	1876	{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe	45
PID 1876 wrote to memory of 1236	1876	{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe	45
PID 1876 wrote to memory of 1236	1876	{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe	45

C:\Users\Admin\AppData\Local\Temp\202405240740051a483ba3199f183a02f3e56439goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\202405240740051a483ba3199f183a02f3e56439goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe
  C:\Windows\{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe
    C:\Windows\{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe
      C:\Windows\{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe
        
        C:\Windows\{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Windows\{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe
        
        C:\Windows\{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe
        
        C:\Windows\{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe
        
        C:\Windows\{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\{55FD9E3F-A5C4-4417-BE29-4750534C287A}.exe
        
        C:\Windows\{55FD9E3F-A5C4-4417-BE29-4750534C287A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\{AC204F9D-BB95-4c4b-B8A1-6FC9A824E9A2}.exe
        
        C:\Windows\{AC204F9D-BB95-4c4b-B8A1-6FC9A824E9A2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\{F5605BAB-1AA6-480e-8FD9-CA9A465236B8}.exe
        
        C:\Windows\{F5605BAB-1AA6-480e-8FD9-CA9A465236B8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\{582E5AEA-8B94-483c-8EA4-35111F1C5902}.exe
        
        C:\Windows\{582E5AEA-8B94-483c-8EA4-35111F1C5902}.exe
        12⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5605~1.EXE > nul
        12⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC204~1.EXE > nul
        11⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55FD9~1.EXE > nul
        10⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DED8B~1.EXE > nul
        9⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACEF5~1.EXE > nul
        8⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E60A~1.EXE > nul
        7⤵
        
        PID:1656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A14D~1.EXE > nul
        6⤵
        
        PID:1152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A26C5~1.EXE > nul
        5⤵
        
        PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{67B24~1.EXE > nul
      4⤵
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D5214~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202405~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4E60A31F-F7F5-452b-81DF-CCA748F5C595}.exe

Filesize
380KB

MD5
27a1080c7b1cc00e946a8af2a1448a31

SHA1
04ed556dd5e2ac74444d830e46cd00bd79cdf98c

SHA256
8f87d316ef8a184faa815a0eb76d17ac8f3a382dba37e62996be15e4e05f5a4e

SHA512
f6b84cb4ef70550b5e3b4e04cc841907ca2c0c0bfed562e1b220b5139ee28406ad8060114fa4642a8eeeebc398ef1d4880455566022eb60e6383262ea8c20ac5

Download Submit
C:\Windows\{55FD9E3F-A5C4-4417-BE29-4750534C287A}.exe

Filesize
380KB

MD5
f42ba26eb4fd11826747a0bbf3e94e1d

SHA1
93beda752b1c6983e20abafbeaefb68ced02606c

SHA256
400cacfe9bab85d59a662e988e4c5b23d57b0d23e68b48365b452640905be432

SHA512
0cefd0a141ee1c91b60d95662deb50689ac85fc0b9bd2624d3651f833577fbd75f68b4f6d87aef85e56f42a4c7e7f7c18535e7828cb37a1ef83044ed81d75c66

Download Submit
C:\Windows\{582E5AEA-8B94-483c-8EA4-35111F1C5902}.exe

Filesize
380KB

MD5
3398c85910adbd9ffec1367be9b5511e

SHA1
c1bc99a1b71a0578c5e2e483e9150e542fd29a91

SHA256
86be066da751abdd562e71f9ac6aa2a65475e19847e470bfd4e005db9d83e00f

SHA512
8fc9c8ac4b111a9477ef44e0f30a83a391ab70b319ba870067ec4415f245a9bafd620f9b639e091eeaac30caaab9445bee44dbeadd9060258c166600f4642097

Download Submit
C:\Windows\{67B246E5-18F0-4aeb-B00E-92C27328A6B4}.exe

Filesize
380KB

MD5
fb55ec2b8385e6cec29cf9b77cef5e32

SHA1
48ddfa94ae9b1967038a8b8f1243d78a0b82810b

SHA256
b66397927c3c18e953ad26938a5b5d84893c75f562e3754e6e26fd1937414060

SHA512
9005ad15d59eecfe7ef7d9718136d0f1c9e193fd100378ebb80ad1cf551ceb79144a63018605a00d7fd5cb0bebc3ae21adcfdf752c3104de6e35582cc0a983c0

Download Submit
C:\Windows\{9A14DF71-A19C-462c-B020-9F634779D9E3}.exe

Filesize
380KB

MD5
4b258c1e1f436daa520efd441002e1aa

SHA1
f1047f2a1c8298b8085d452367efc4468ad63dd7

SHA256
2cb9b666258e5ed2df7bb826459f832912eab29b4514d6db285e9cf33e569ebb

SHA512
989ebf4b427b59a3b6c0115014dac2b6eafa6bb6f05632ab572801c5009f947b527e1b4055f3bb71b36a1c6eb5be17960ccad377d85995cead115814e5028d50

Download Submit
C:\Windows\{A26C5F7C-BE87-4a90-AFAE-01254C57E3F4}.exe

Filesize
380KB

MD5
53fd34a5313da2c90ef20f5d7ee9e5be

SHA1
c6ceac525a73d21d9cdb90b852e30d49d0f3b379

SHA256
5521b1bda7b0803edcf143c3d750dc40cc40e269b94b5854532b22b41c340594

SHA512
e5c4a5ead4a9993217f703c7e5b4bf2799e1283df947f88ab6cf9ec64f4d0e5e92958b5f4bd04d25811d0764fa99eabdd9e77ab4d1f54bebc8978518b00dab1b

Download Submit
C:\Windows\{AC204F9D-BB95-4c4b-B8A1-6FC9A824E9A2}.exe

Filesize
380KB

MD5
d4317a4cd44fe35e9165d0f8ef4e3aeb

SHA1
73e80f697533a4fa24c6f52987a8d869726d8e3c

SHA256
e77f536e1be3e102854de695d6679bbc6c66a795b7e3e7c9dc3baff523b4986d

SHA512
ea4f0bd3969d3209e063997308038c5c99ef742ef43478764c0a1142fef159d4ecd8e4d17e04b8c15e9e014b2deb416800f128dc62156b184378e56485b802a3

Download Submit
C:\Windows\{ACEF5853-D655-4dfb-80B8-DDA270820968}.exe

Filesize
380KB

MD5
3af4c92ef13aa4cf4c6dfdc899043106

SHA1
a576d9dde2c7ea9fab3832d179ba0de9db0989b1

SHA256
fc9d5a88bdc2c2de1aaf4d522148701389716f4204ba5178f5059c7598ede381

SHA512
05b4c809da17ec19cbde0e925dc71f31d7029173d73ea1510e010c4b8726fa470af1cb359156dbc2d4497c9ffd0749edb676cc0636c4853ad5ad484464799366

Download Submit
C:\Windows\{D521416A-C8E1-47dd-923B-C24DD17A9E6F}.exe

Filesize
380KB

MD5
cb76caa1aaaa734fad2913e2160afc87

SHA1
bac7a9bfbbc0065c8f8c0511fe6ab8a5e0a2853d

SHA256
c3c2d1e664b58e957946637d797713e064e2fa5b6251d0d4fdb110392dc009a8

SHA512
36b9243838a21337f8d9dd3975670c57c9b63ff83e0a86f2e988364b234fe65b7d61b41cb52145518f317ef91668991f2a45039ae6cfaf8796fbf3b6604c6823

Download Submit
C:\Windows\{DED8B6BB-84DB-43f6-9495-9128EE24CD08}.exe

Filesize
380KB

MD5
b011a67b39af79dde8cac47b04097651

SHA1
32395c574e88a51bc5bfd3998d35cfd8f8bc8958

SHA256
fd3c35c5b2334cb1cd816635f3dcf25ab68b3337c2b3f5a8fac34bbab70b1408

SHA512
dece7ff2567958f80e458671c09964e131734665e7463ae41364ab903ec10ef8a7339b299ddf7d0d5f8ece6698c5a316da32a6a28683b24c8268eb8a5ff9ee18

Download Submit
C:\Windows\{F5605BAB-1AA6-480e-8FD9-CA9A465236B8}.exe

Filesize
380KB

MD5
2744a8bf3e060ed56fd5aec8225aaf3a

SHA1
e2469a1046601905bcf612a8ffb2a443e04c0a02

SHA256
52be543f59d0634130bc9f5a28b8b57393d158615aba189939a0b89e2e96e32d

SHA512
2dbd3725079aef660991a43dbaf7bedb85dc1930934b3f86d9e31d49890a48c35de4a7703b645ce8c62d153aed9ba5bacd5ed74f1e180fb444fc30d6bb174902

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads