fa1a31b881034b5733f7ed773cbb8752032bee5ba5fbd93a8079604a6acff23b

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_31e1d0be76fc5945c88a648974d8a509_goldeneye.exe
Size

408KB
MD5

31e1d0be76fc5945c88a648974d8a509
SHA1

8c8ca569532c713b25ea6774e5b7aaf1ad957661
SHA256

fa1a31b881034b5733f7ed773cbb8752032bee5ba5fbd93a8079604a6acff23b
SHA512

b167b0fa7adc5a4c6c793715b5314c5f627f87be50ea13f05829ffce5003ac71840727e8ee5b8d82a8c1b073163a4913f0d86800b299c875b69107830eb107d0
SSDEEP

3072:CEGh0o5l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGDldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}\stubpath = "C:\\Windows\\{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe"	{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B2A4E62-6A1B-4629-BD44-AD850A0CC8E1}\stubpath = "C:\\Windows\\{8B2A4E62-6A1B-4629-BD44-AD850A0CC8E1}.exe"	{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8780BE8-C642-4397-9CE7-8A9BD3FF65EE}\stubpath = "C:\\Windows\\{A8780BE8-C642-4397-9CE7-8A9BD3FF65EE}.exe"	{8B2A4E62-6A1B-4629-BD44-AD850A0CC8E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}\stubpath = "C:\\Windows\\{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe"	2024-06-28_31e1d0be76fc5945c88a648974d8a509_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}	{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}\stubpath = "C:\\Windows\\{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe"	{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8780BE8-C642-4397-9CE7-8A9BD3FF65EE}	{8B2A4E62-6A1B-4629-BD44-AD850A0CC8E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{552B9240-9DE9-42f4-B8BE-64CC8D1A0C81}	{A8780BE8-C642-4397-9CE7-8A9BD3FF65EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02BF920E-B4ED-4992-8404-1CDB071B53D9}	{552B9240-9DE9-42f4-B8BE-64CC8D1A0C81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}	2024-06-28_31e1d0be76fc5945c88a648974d8a509_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}	{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}	{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}\stubpath = "C:\\Windows\\{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe"	{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{552B9240-9DE9-42f4-B8BE-64CC8D1A0C81}\stubpath = "C:\\Windows\\{552B9240-9DE9-42f4-B8BE-64CC8D1A0C81}.exe"	{A8780BE8-C642-4397-9CE7-8A9BD3FF65EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1EB118D-7E8A-4477-BF84-7283553A1506}	{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1EB118D-7E8A-4477-BF84-7283553A1506}\stubpath = "C:\\Windows\\{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe"	{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}\stubpath = "C:\\Windows\\{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe"	{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B2A4E62-6A1B-4629-BD44-AD850A0CC8E1}	{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02BF920E-B4ED-4992-8404-1CDB071B53D9}\stubpath = "C:\\Windows\\{02BF920E-B4ED-4992-8404-1CDB071B53D9}.exe"	{552B9240-9DE9-42f4-B8BE-64CC8D1A0C81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}	{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}	{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}\stubpath = "C:\\Windows\\{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe"	{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe

Deletes itself 1 IoCs

pid	Process
1980	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2140	{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe
2688	{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe
2728	{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe
1728	{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe
1660	{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe
1604	{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe
1420	{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe
2036	{8B2A4E62-6A1B-4629-BD44-AD850A0CC8E1}.exe
2324	{A8780BE8-C642-4397-9CE7-8A9BD3FF65EE}.exe
700	{552B9240-9DE9-42f4-B8BE-64CC8D1A0C81}.exe
1732	{02BF920E-B4ED-4992-8404-1CDB071B53D9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe	2024-06-28_31e1d0be76fc5945c88a648974d8a509_goldeneye.exe
File created	C:\Windows\{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe	{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe
File created	C:\Windows\{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe	{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe
File created	C:\Windows\{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe	{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe
File created	C:\Windows\{A8780BE8-C642-4397-9CE7-8A9BD3FF65EE}.exe	{8B2A4E62-6A1B-4629-BD44-AD850A0CC8E1}.exe
File created	C:\Windows\{02BF920E-B4ED-4992-8404-1CDB071B53D9}.exe	{552B9240-9DE9-42f4-B8BE-64CC8D1A0C81}.exe
File created	C:\Windows\{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe	{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe
File created	C:\Windows\{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe	{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe
File created	C:\Windows\{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe	{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe
File created	C:\Windows\{8B2A4E62-6A1B-4629-BD44-AD850A0CC8E1}.exe	{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe
File created	C:\Windows\{552B9240-9DE9-42f4-B8BE-64CC8D1A0C81}.exe	{A8780BE8-C642-4397-9CE7-8A9BD3FF65EE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1752	2024-06-28_31e1d0be76fc5945c88a648974d8a509_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2140	{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe
Token: SeIncBasePriorityPrivilege	2688	{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe
Token: SeIncBasePriorityPrivilege	2728	{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe
Token: SeIncBasePriorityPrivilege	1728	{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe
Token: SeIncBasePriorityPrivilege	1660	{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe
Token: SeIncBasePriorityPrivilege	1604	{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe
Token: SeIncBasePriorityPrivilege	1420	{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe
Token: SeIncBasePriorityPrivilege	2036	{8B2A4E62-6A1B-4629-BD44-AD850A0CC8E1}.exe
Token: SeIncBasePriorityPrivilege	2324	{A8780BE8-C642-4397-9CE7-8A9BD3FF65EE}.exe
Token: SeIncBasePriorityPrivilege	700	{552B9240-9DE9-42f4-B8BE-64CC8D1A0C81}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2140	1752	2024-06-28_31e1d0be76fc5945c88a648974d8a509_goldeneye.exe	28
PID 1752 wrote to memory of 2140	1752	2024-06-28_31e1d0be76fc5945c88a648974d8a509_goldeneye.exe	28
PID 1752 wrote to memory of 2140	1752	2024-06-28_31e1d0be76fc5945c88a648974d8a509_goldeneye.exe	28
PID 1752 wrote to memory of 2140	1752	2024-06-28_31e1d0be76fc5945c88a648974d8a509_goldeneye.exe	28
PID 1752 wrote to memory of 1980	1752	2024-06-28_31e1d0be76fc5945c88a648974d8a509_goldeneye.exe	29
PID 1752 wrote to memory of 1980	1752	2024-06-28_31e1d0be76fc5945c88a648974d8a509_goldeneye.exe	29
PID 1752 wrote to memory of 1980	1752	2024-06-28_31e1d0be76fc5945c88a648974d8a509_goldeneye.exe	29
PID 1752 wrote to memory of 1980	1752	2024-06-28_31e1d0be76fc5945c88a648974d8a509_goldeneye.exe	29
PID 2140 wrote to memory of 2688	2140	{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe	30
PID 2140 wrote to memory of 2688	2140	{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe	30
PID 2140 wrote to memory of 2688	2140	{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe	30
PID 2140 wrote to memory of 2688	2140	{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe	30
PID 2140 wrote to memory of 2824	2140	{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe	31
PID 2140 wrote to memory of 2824	2140	{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe	31
PID 2140 wrote to memory of 2824	2140	{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe	31
PID 2140 wrote to memory of 2824	2140	{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe	31
PID 2688 wrote to memory of 2728	2688	{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe	32
PID 2688 wrote to memory of 2728	2688	{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe	32
PID 2688 wrote to memory of 2728	2688	{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe	32
PID 2688 wrote to memory of 2728	2688	{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe	32
PID 2688 wrote to memory of 2516	2688	{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe	33
PID 2688 wrote to memory of 2516	2688	{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe	33
PID 2688 wrote to memory of 2516	2688	{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe	33
PID 2688 wrote to memory of 2516	2688	{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe	33
PID 2728 wrote to memory of 1728	2728	{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe	36
PID 2728 wrote to memory of 1728	2728	{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe	36
PID 2728 wrote to memory of 1728	2728	{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe	36
PID 2728 wrote to memory of 1728	2728	{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe	36
PID 2728 wrote to memory of 2972	2728	{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe	37
PID 2728 wrote to memory of 2972	2728	{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe	37
PID 2728 wrote to memory of 2972	2728	{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe	37
PID 2728 wrote to memory of 2972	2728	{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe	37
PID 1728 wrote to memory of 1660	1728	{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe	38
PID 1728 wrote to memory of 1660	1728	{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe	38
PID 1728 wrote to memory of 1660	1728	{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe	38
PID 1728 wrote to memory of 1660	1728	{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe	38
PID 1728 wrote to memory of 1652	1728	{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe	39
PID 1728 wrote to memory of 1652	1728	{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe	39
PID 1728 wrote to memory of 1652	1728	{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe	39
PID 1728 wrote to memory of 1652	1728	{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe	39
PID 1660 wrote to memory of 1604	1660	{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe	40
PID 1660 wrote to memory of 1604	1660	{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe	40
PID 1660 wrote to memory of 1604	1660	{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe	40
PID 1660 wrote to memory of 1604	1660	{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe	40
PID 1660 wrote to memory of 2408	1660	{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe	41
PID 1660 wrote to memory of 2408	1660	{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe	41
PID 1660 wrote to memory of 2408	1660	{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe	41
PID 1660 wrote to memory of 2408	1660	{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe	41
PID 1604 wrote to memory of 1420	1604	{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe	42
PID 1604 wrote to memory of 1420	1604	{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe	42
PID 1604 wrote to memory of 1420	1604	{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe	42
PID 1604 wrote to memory of 1420	1604	{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe	42
PID 1604 wrote to memory of 1568	1604	{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe	43
PID 1604 wrote to memory of 1568	1604	{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe	43
PID 1604 wrote to memory of 1568	1604	{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe	43
PID 1604 wrote to memory of 1568	1604	{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe	43
PID 1420 wrote to memory of 2036	1420	{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe	44
PID 1420 wrote to memory of 2036	1420	{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe	44
PID 1420 wrote to memory of 2036	1420	{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe	44
PID 1420 wrote to memory of 2036	1420	{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe	44
PID 1420 wrote to memory of 2784	1420	{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe	45
PID 1420 wrote to memory of 2784	1420	{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe	45
PID 1420 wrote to memory of 2784	1420	{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe	45
PID 1420 wrote to memory of 2784	1420	{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-28_31e1d0be76fc5945c88a648974d8a509_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_31e1d0be76fc5945c88a648974d8a509_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe
  C:\Windows\{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe
    C:\Windows\{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe
      C:\Windows\{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe
        
        C:\Windows\{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
      - C:\Windows\{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe
        
        C:\Windows\{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe
        
        C:\Windows\{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe
        
        C:\Windows\{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\{8B2A4E62-6A1B-4629-BD44-AD850A0CC8E1}.exe
        
        C:\Windows\{8B2A4E62-6A1B-4629-BD44-AD850A0CC8E1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\{A8780BE8-C642-4397-9CE7-8A9BD3FF65EE}.exe
        
        C:\Windows\{A8780BE8-C642-4397-9CE7-8A9BD3FF65EE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\{552B9240-9DE9-42f4-B8BE-64CC8D1A0C81}.exe
        
        C:\Windows\{552B9240-9DE9-42f4-B8BE-64CC8D1A0C81}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
        
        C:\Windows\{02BF920E-B4ED-4992-8404-1CDB071B53D9}.exe
        
        C:\Windows\{02BF920E-B4ED-4992-8404-1CDB071B53D9}.exe
        12⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{552B9~1.EXE > nul
        12⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8780~1.EXE > nul
        11⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B2A4~1.EXE > nul
        10⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEAB6~1.EXE > nul
        9⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56D0B~1.EXE > nul
        8⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FC51~1.EXE > nul
        7⤵
        
        PID:2408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9069C~1.EXE > nul
        6⤵
        
        PID:1652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3EED~1.EXE > nul
        5⤵
        
        PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C1EB1~1.EXE > nul
      4⤵
      PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CF2A9~1.EXE > nul
    3⤵
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02BF920E-B4ED-4992-8404-1CDB071B53D9}.exe

Filesize
408KB

MD5
f7f45d07c9f071127122efbeb4042be1

SHA1
26bc889502e0b7926b6eaf4f1d45f9d221962f83

SHA256
69aa5e52fe7e9df534a5680030ecf34d174c2fe469c8aad5cf45bb4921579e70

SHA512
8b031c69c821d494e19f178069014771951f20a38ff5ddae6a450e1c72718a43dfa210c4b6e042ad5595420d6b6587eb3368955f1237a1731a1b2d374be85e9c

Download Submit
C:\Windows\{552B9240-9DE9-42f4-B8BE-64CC8D1A0C81}.exe

Filesize
408KB

MD5
30617b51b7ace0ad0ee7a6fdaae69dd3

SHA1
b3e748ced3010127fe64a030b94984ffc724036c

SHA256
6c2df004a5f31b046649ed296ec14d6517e5a69816321b74bb29660138b125bf

SHA512
f6fd9ef8d6275e9510304c1ac0799f1204ba495fa7535cf9f00b7dc3dfc6bb959491630b00d84a6286daf50e405c0bcff872a7167014488cc987e8f341e134cd

Download Submit
C:\Windows\{56D0BC90-6C0B-4ce4-A70E-3966B977CB9C}.exe

Filesize
408KB

MD5
d6444992b230fcdedc22d625ad1f0a5d

SHA1
ca34b43541249685107bd4af8a0923da5aee178b

SHA256
7a4a2e23461cd27b1bb0f924440f03898b0b032bd0c2ceae343b08a30259cc02

SHA512
9a54cd14ffbbe6606b3e970c496e192c3f4586a4c5dfb0729a7e68221eb6d4b1111c5d46d5aaf2df8187c44604d6cf0df167cdd8b787135baf0596da1ea0d1b5

Download Submit
C:\Windows\{6FC5184F-50DB-45f1-B0C7-E22A3C8E54CD}.exe

Filesize
408KB

MD5
f79b9e7baea5c4ebb8bc6b7eec177e07

SHA1
35d32c9d108cee8a63a12c9ea0cb920bce1cd440

SHA256
cd512178f4df4ab633316973a0c06427a3a3b9f49541509a3710485ed43f15d9

SHA512
b081d73b08f605831fd0e3ffaf8ea9a11211e8d68c6a97a3d680e2e84f4cca5fb4a8d1df6717d57266f825b19a1c75b294c2529f27679297775b3e5358bc9669

Download Submit
C:\Windows\{8B2A4E62-6A1B-4629-BD44-AD850A0CC8E1}.exe

Filesize
408KB

MD5
413229dc1ae133f8b29fdc3caaf07e74

SHA1
34982073d42d8cea4dac8eb9f4828bd8cf3caa99

SHA256
fc77abb48542633770e8f04291ef8bb6516af2d988b0a5cc0ad0e23025aee251

SHA512
4e5aa83538cd4cf14b867c88f7afd1551cdce8ef743727e00eda1144f0434a7faa33ac744716da0c6633c46b13e27e5f06a199db4fc26e6ec0bc1a3ebfcdb051

Download Submit
C:\Windows\{9069C0C3-8DA4-433f-B7BB-166A79C9E99A}.exe

Filesize
408KB

MD5
7c296bb44a4fbb620df500b4b11e4899

SHA1
90f39dc8be6211ff30c6f6e3dcc6325681cec4c0

SHA256
212f4e24c7d16dbd9d05a154f00484cf05c9803c8930dd8428d77e01d216474f

SHA512
eed79c5616b84e14ee728bff45a9daa71d1f59beb31793bc64850ce412c3dd2bc1d2bff6434e157de8dc19f56dbab3ef0e179cf558c862c9a083b9511ec06df7

Download Submit
C:\Windows\{A8780BE8-C642-4397-9CE7-8A9BD3FF65EE}.exe

Filesize
408KB

MD5
4bee50a29abe7b153587c51c7cebb127

SHA1
abaf0cda6899e09ac21a5a4b66d1c68d14116a4f

SHA256
7f2bb0aca642d50279f86a3b759836398d8e22a7db7bb1619656708ed281be54

SHA512
bd0b9ea185bec38a708be64c1860e0e3e533abfa342021010dacae06fc2ffc6a62f0a51422304e505e7bcb3ef4c7c4f86112750f43bdd2ca0c5ce19223110f73

Download Submit
C:\Windows\{B3EEDB0B-0BA6-4041-9178-84EC05BF4F98}.exe

Filesize
408KB

MD5
83fdc76530ad5ae741f42cad41f86bdf

SHA1
3b38c7bca5931533a4ab0be1e4f2547009bdcf19

SHA256
44833a09cd5cb3f53082be2e33af253fed9fdfb96b13a1bc9a8f7975cb6d52b7

SHA512
ff91dca294308b098a8c722fc5b44944bcc4618217a56d4ad3e5d8898c3c5118cd0296050eb45635ce01a17a4724bd29f3ffdaa73af2f0175d0dd2e873a1fc18

Download Submit
C:\Windows\{BEAB65E9-4251-4c0c-9E1A-8409E00E5933}.exe

Filesize
408KB

MD5
3153954f39bc4f557a6c89a98008b595

SHA1
8a8a841957db534b9caa4a2f725ffabcbd502e03

SHA256
3b92da1ca3d27c095debc34f22bb1fc452df0ee41738cd45bd734aba0cacc2c6

SHA512
0fff69f69f895d4f0cf0b897af42286235c0a8bb04f276ec167a8967ba6140db7fbc8e13781cb0035e0826cb053915342ddcd6f8e7241fbebcadb5e128fc3c32

Download Submit
C:\Windows\{C1EB118D-7E8A-4477-BF84-7283553A1506}.exe

Filesize
408KB

MD5
a49e72b32e6ba274b43ec43d839d5b48

SHA1
8622f9bff9d705e4ab7b6d41cfd01f1ecf0de0bb

SHA256
026708203536051f0dbcade3c74a4b35160faf1e343145f69cb67fe6eaaedbdb

SHA512
774ad4ed6d17fe5005434f6bd8c9b2e12219248b5278dead20e319b2b30b7ac30a1023873862b2fe8feab15b419e9df2a2cceb9ecfb97be15ece94c60c44e2ca

Download Submit
C:\Windows\{CF2A9FC3-BEEB-4bf1-93DB-2C59D86467A3}.exe

Filesize
408KB

MD5
daf207f7591175dfe5b1141738b416d9

SHA1
ab65276fd82fd3a80bc4e7cc7c25229e00e92f81

SHA256
cdbe02e09a3cc997b2b310a8f9e6c7f9bdf62abc043d08418a5fcbf5288e4fb1

SHA512
0a8f779fadf0dfffe8f25f6859a21b438827f731aafa07b02ba41f5fc5cf9881e1766e3cbbb97b7f21cfa68a54bd0c396fc47013c9f1ac56f38ce4d51fcd94d6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads