1883c1aca345f266478bd50a1b94522a70bd8081f50de5af29a5cfcf869dcac5

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29/06/2024, 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe
Size

168KB
MD5

931a009c1c430c6d1bfcd56424666a23
SHA1

ae862029ba6e50ae9dd5e7ce6df58b4026d780d2
SHA256

1883c1aca345f266478bd50a1b94522a70bd8081f50de5af29a5cfcf869dcac5
SHA512

c08c38473ad74339ea5b3826f80fede1a103fadbe335d5e7ba6033a42fce26effec176027e855a3b7cc1305478acec79b7fdb4b44aca89fc6b07ac97feaa19d4
SSDEEP

1536:1EGh0oYlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oYlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}\stubpath = "C:\\Windows\\{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe"	{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}\stubpath = "C:\\Windows\\{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe"	{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F063B79-2633-46c1-A033-770A2ABDC39D}	{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6A6A316-D9DE-4e9f-B4DE-CEA38DCC2212}	{6ABC6418-3CA0-4448-9D32-DD66E75D24F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6A6A316-D9DE-4e9f-B4DE-CEA38DCC2212}\stubpath = "C:\\Windows\\{F6A6A316-D9DE-4e9f-B4DE-CEA38DCC2212}.exe"	{6ABC6418-3CA0-4448-9D32-DD66E75D24F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDEFB192-0ADF-4af4-93EA-1E0EB537670A}\stubpath = "C:\\Windows\\{CDEFB192-0ADF-4af4-93EA-1E0EB537670A}.exe"	{F6A6A316-D9DE-4e9f-B4DE-CEA38DCC2212}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}	{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}\stubpath = "C:\\Windows\\{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe"	{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}	{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}\stubpath = "C:\\Windows\\{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe"	{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ABC6418-3CA0-4448-9D32-DD66E75D24F7}\stubpath = "C:\\Windows\\{6ABC6418-3CA0-4448-9D32-DD66E75D24F7}.exe"	{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDEFB192-0ADF-4af4-93EA-1E0EB537670A}	{F6A6A316-D9DE-4e9f-B4DE-CEA38DCC2212}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CAD43EF-87FE-4a97-BF5A-A827FECB686F}	{CDEFB192-0ADF-4af4-93EA-1E0EB537670A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{130A2076-6AF5-422b-BD1E-6022D39BAA10}	{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{130A2076-6AF5-422b-BD1E-6022D39BAA10}\stubpath = "C:\\Windows\\{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe"	{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F063B79-2633-46c1-A033-770A2ABDC39D}\stubpath = "C:\\Windows\\{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe"	{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}\stubpath = "C:\\Windows\\{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe"	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}	{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}	{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6ABC6418-3CA0-4448-9D32-DD66E75D24F7}	{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CAD43EF-87FE-4a97-BF5A-A827FECB686F}\stubpath = "C:\\Windows\\{0CAD43EF-87FE-4a97-BF5A-A827FECB686F}.exe"	{CDEFB192-0ADF-4af4-93EA-1E0EB537670A}.exe

Deletes itself 1 IoCs

pid	Process
2116	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2120	{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe
2696	{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe
2632	{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe
2100	{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe
2540	{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe
1912	{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe
1324	{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe
612	{6ABC6418-3CA0-4448-9D32-DD66E75D24F7}.exe
2240	{F6A6A316-D9DE-4e9f-B4DE-CEA38DCC2212}.exe
2848	{CDEFB192-0ADF-4af4-93EA-1E0EB537670A}.exe
1148	{0CAD43EF-87FE-4a97-BF5A-A827FECB686F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe
File created	C:\Windows\{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe	{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe
File created	C:\Windows\{CDEFB192-0ADF-4af4-93EA-1E0EB537670A}.exe	{F6A6A316-D9DE-4e9f-B4DE-CEA38DCC2212}.exe
File created	C:\Windows\{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe	{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe
File created	C:\Windows\{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe	{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe
File created	C:\Windows\{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe	{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe
File created	C:\Windows\{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe	{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe
File created	C:\Windows\{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe	{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe
File created	C:\Windows\{6ABC6418-3CA0-4448-9D32-DD66E75D24F7}.exe	{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe
File created	C:\Windows\{F6A6A316-D9DE-4e9f-B4DE-CEA38DCC2212}.exe	{6ABC6418-3CA0-4448-9D32-DD66E75D24F7}.exe
File created	C:\Windows\{0CAD43EF-87FE-4a97-BF5A-A827FECB686F}.exe	{CDEFB192-0ADF-4af4-93EA-1E0EB537670A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2032	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2120	{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe
Token: SeIncBasePriorityPrivilege	2696	{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe
Token: SeIncBasePriorityPrivilege	2632	{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe
Token: SeIncBasePriorityPrivilege	2100	{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe
Token: SeIncBasePriorityPrivilege	2540	{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe
Token: SeIncBasePriorityPrivilege	1912	{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe
Token: SeIncBasePriorityPrivilege	1324	{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe
Token: SeIncBasePriorityPrivilege	612	{6ABC6418-3CA0-4448-9D32-DD66E75D24F7}.exe
Token: SeIncBasePriorityPrivilege	2240	{F6A6A316-D9DE-4e9f-B4DE-CEA38DCC2212}.exe
Token: SeIncBasePriorityPrivilege	2848	{CDEFB192-0ADF-4af4-93EA-1E0EB537670A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2120	2032	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe	28
PID 2032 wrote to memory of 2120	2032	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe	28
PID 2032 wrote to memory of 2120	2032	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe	28
PID 2032 wrote to memory of 2120	2032	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe	28
PID 2032 wrote to memory of 2116	2032	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe	29
PID 2032 wrote to memory of 2116	2032	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe	29
PID 2032 wrote to memory of 2116	2032	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe	29
PID 2032 wrote to memory of 2116	2032	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe	29
PID 2120 wrote to memory of 2696	2120	{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe	30
PID 2120 wrote to memory of 2696	2120	{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe	30
PID 2120 wrote to memory of 2696	2120	{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe	30
PID 2120 wrote to memory of 2696	2120	{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe	30
PID 2120 wrote to memory of 2596	2120	{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe	31
PID 2120 wrote to memory of 2596	2120	{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe	31
PID 2120 wrote to memory of 2596	2120	{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe	31
PID 2120 wrote to memory of 2596	2120	{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe	31
PID 2696 wrote to memory of 2632	2696	{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe	32
PID 2696 wrote to memory of 2632	2696	{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe	32
PID 2696 wrote to memory of 2632	2696	{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe	32
PID 2696 wrote to memory of 2632	2696	{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe	32
PID 2696 wrote to memory of 2720	2696	{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe	33
PID 2696 wrote to memory of 2720	2696	{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe	33
PID 2696 wrote to memory of 2720	2696	{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe	33
PID 2696 wrote to memory of 2720	2696	{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe	33
PID 2632 wrote to memory of 2100	2632	{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe	36
PID 2632 wrote to memory of 2100	2632	{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe	36
PID 2632 wrote to memory of 2100	2632	{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe	36
PID 2632 wrote to memory of 2100	2632	{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe	36
PID 2632 wrote to memory of 2144	2632	{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe	37
PID 2632 wrote to memory of 2144	2632	{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe	37
PID 2632 wrote to memory of 2144	2632	{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe	37
PID 2632 wrote to memory of 2144	2632	{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe	37
PID 2100 wrote to memory of 2540	2100	{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe	38
PID 2100 wrote to memory of 2540	2100	{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe	38
PID 2100 wrote to memory of 2540	2100	{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe	38
PID 2100 wrote to memory of 2540	2100	{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe	38
PID 2100 wrote to memory of 2772	2100	{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe	39
PID 2100 wrote to memory of 2772	2100	{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe	39
PID 2100 wrote to memory of 2772	2100	{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe	39
PID 2100 wrote to memory of 2772	2100	{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe	39
PID 2540 wrote to memory of 1912	2540	{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe	40
PID 2540 wrote to memory of 1912	2540	{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe	40
PID 2540 wrote to memory of 1912	2540	{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe	40
PID 2540 wrote to memory of 1912	2540	{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe	40
PID 2540 wrote to memory of 1288	2540	{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe	41
PID 2540 wrote to memory of 1288	2540	{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe	41
PID 2540 wrote to memory of 1288	2540	{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe	41
PID 2540 wrote to memory of 1288	2540	{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe	41
PID 1912 wrote to memory of 1324	1912	{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe	42
PID 1912 wrote to memory of 1324	1912	{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe	42
PID 1912 wrote to memory of 1324	1912	{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe	42
PID 1912 wrote to memory of 1324	1912	{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe	42
PID 1912 wrote to memory of 1296	1912	{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe	43
PID 1912 wrote to memory of 1296	1912	{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe	43
PID 1912 wrote to memory of 1296	1912	{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe	43
PID 1912 wrote to memory of 1296	1912	{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe	43
PID 1324 wrote to memory of 612	1324	{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe	44
PID 1324 wrote to memory of 612	1324	{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe	44
PID 1324 wrote to memory of 612	1324	{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe	44
PID 1324 wrote to memory of 612	1324	{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe	44
PID 1324 wrote to memory of 2368	1324	{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe	45
PID 1324 wrote to memory of 2368	1324	{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe	45
PID 1324 wrote to memory of 2368	1324	{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe	45
PID 1324 wrote to memory of 2368	1324	{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe
  C:\Windows\{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe
    C:\Windows\{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe
      C:\Windows\{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe
        
        C:\Windows\{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
      - C:\Windows\{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe
        
        C:\Windows\{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe
        
        C:\Windows\{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe
        
        C:\Windows\{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\{6ABC6418-3CA0-4448-9D32-DD66E75D24F7}.exe
        
        C:\Windows\{6ABC6418-3CA0-4448-9D32-DD66E75D24F7}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
        
        C:\Windows\{F6A6A316-D9DE-4e9f-B4DE-CEA38DCC2212}.exe
        
        C:\Windows\{F6A6A316-D9DE-4e9f-B4DE-CEA38DCC2212}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\{CDEFB192-0ADF-4af4-93EA-1E0EB537670A}.exe
        
        C:\Windows\{CDEFB192-0ADF-4af4-93EA-1E0EB537670A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\{0CAD43EF-87FE-4a97-BF5A-A827FECB686F}.exe
        
        C:\Windows\{0CAD43EF-87FE-4a97-BF5A-A827FECB686F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDEFB~1.EXE > nul
        12⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6A6A~1.EXE > nul
        11⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6ABC6~1.EXE > nul
        10⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F063~1.EXE > nul
        9⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE7F7~1.EXE > nul
        8⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2991C~1.EXE > nul
        7⤵
        
        PID:1288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B251A~1.EXE > nul
        6⤵
        
        PID:2772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{130A2~1.EXE > nul
        5⤵
        
        PID:2144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{13D7F~1.EXE > nul
      4⤵
      PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{29101~1.EXE > nul
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CAD43EF-87FE-4a97-BF5A-A827FECB686F}.exe

Filesize
168KB

MD5
20c434751d339ae35b137cd60ea68a96

SHA1
38521f7e5fec53fb7aaabd73bd23e4d854df1fa4

SHA256
46c9bd0a50b592876c60d1c0343a39ddb3c318098fb99b579e29617e8b8bac13

SHA512
c98670d3328db3902aca238e0dadd954d5fd00e97a525a5a42c6bf5ff65945349dbadcd9269c652c59aad94dc6b6a0f8448bf9b32f5bf485d7e906c493f75292

Download Submit
C:\Windows\{0F063B79-2633-46c1-A033-770A2ABDC39D}.exe

Filesize
168KB

MD5
36f00e308b82c24550da5c53dde00e95

SHA1
5c2f1ee091c216a7bec0452698eead6ae7df5a55

SHA256
7b2a8a91304f27067ff81425018983938948a8d466f0338ae29c98f97a9d93f1

SHA512
801e9402db04bdefd53446cc61d91b86b1f9c0c48956cb21e2396cf22dc6b2d16117c1d30ff7f94d6bdb1ea9bb24f6b69f6b2735ec508593962a801e0945bd20

Download Submit
C:\Windows\{130A2076-6AF5-422b-BD1E-6022D39BAA10}.exe

Filesize
168KB

MD5
3b0da4655c70ff111547a198c9697623

SHA1
ba4542fd3e757d3ca971a24f40748f38e6b8a4df

SHA256
4a67aeaab4158f30cbec0a11776df65e2e2bbfabfaac27b7563265759d2c9cbb

SHA512
0df458a9c7c5e5a81d9fb9d27a9decd5834309109db1a5cfe2d6632e3648dda38c97ba1c023ad05cef9eba118ddf7f348e5d547d636a84ed76553a9452a43d7a

Download Submit
C:\Windows\{13D7FF05-D0F5-4f85-91E9-61A36D08A3A1}.exe

Filesize
168KB

MD5
8eeb8b9e75ffb02bcbb21f86a95e2017

SHA1
f43fdc05fe284b964bda12c7787ca2840530cff9

SHA256
77c1e616d302918a08f2cb960777262ecedb657765ed41a5bc8fc3c200e70f7a

SHA512
2c213ebd3085606e9900dac463f5cffae3cdb1387c682e8ff0c9387e897799fd9c0529e2f172b0321642939b4ff20b94d60257b711feafa356ff0099661938b8

Download Submit
C:\Windows\{2910194C-DE4D-484d-B2EE-594B9FDB2FEC}.exe

Filesize
168KB

MD5
ed2d1334f1cf2f4327dbb03c607ebae6

SHA1
028fee73b6c0c53806fcdc4639aad3110c1b849d

SHA256
13f5f700489012cdb9836c87c15619582963aa6bc40e0bd962e44cfe60c7766e

SHA512
32c0d8497e13f85d374c4aa18c7bb466b66b5977dcd76bc4ab16a0d27f2cd6dbb6d7c2cc77dfa946e230619528e3c927920f595c79f2a2591370f7721a2541ba

Download Submit
C:\Windows\{2991CA1B-6A67-4aa2-A2AC-63A424F724D0}.exe

Filesize
168KB

MD5
a75dd81eda591cbe481b05722c5d1a71

SHA1
c8e50cda900c2db7c0db757f9eefcab9866965a0

SHA256
c3e72cedf81aa273169efc83e5aa922a69a28247e00d4da0f67b8a44f808a0ac

SHA512
2e5a848aea09ad56a0dd680b3c7226f6bc23dd79bc3d45fed93a82e780c72681526796b120fc1164ddbec3f3982100924f650925e0eb926cb996dbc65c1b1e59

Download Submit
C:\Windows\{6ABC6418-3CA0-4448-9D32-DD66E75D24F7}.exe

Filesize
168KB

MD5
ac9c3920db625308222c2af82996aefa

SHA1
db84d13a72d1717ea49da4c91b822dd473433727

SHA256
63868ec0f8bc0eb4047acd3564790422f5b8284eee37ced883f980e43d0ed0c2

SHA512
1b4111be7d11e3f93df0fe5e47e55dc2a0617abcd12766e476d9781a03337b0f125ac6c3c077f258c10331b19d3a3f6b70eebdb6b1faf4f7e982708a421d6e4e

Download Submit
C:\Windows\{B251A6F1-66B3-48eb-AD67-5C31A4AE0DB1}.exe

Filesize
168KB

MD5
784b01ce9535b0fb03f957ce7ef8bdf8

SHA1
595e1404c7faca057a27c3503405e1148ff333ff

SHA256
5370309a6d1659974b6f7930961f253373293ca95122d455535fa986c004c78a

SHA512
0586a26fdd3a24077f64ffb5a5d8371bfff812d351780767afd23bd1a761d45db7079a1f3ddcc5efaea6f466f2af8df94905532591956dac4a11279554c6b48e

Download Submit
C:\Windows\{CDEFB192-0ADF-4af4-93EA-1E0EB537670A}.exe

Filesize
168KB

MD5
a128ab4552cce4d99fc9d064b371c22e

SHA1
0d48b1c977d1492bf7f359df8d3d9a2dc3048ac9

SHA256
227623eaa0766269d088b8cb482e737f0b47cb7c247906505f7360d8d30f83fa

SHA512
e6bd94ae2693c65e6377125ac359896061000dbe5ff8cd72566e0c466c34aa88ac40ba922f341d248646917ffe3686c56aad6599c7acbb0aeaa44c5d9db04acb

Download Submit
C:\Windows\{DE7F7CFE-7DAB-4058-BB42-1B0E1001DEE4}.exe

Filesize
168KB

MD5
2ddfb4c8c344412a355ede0ffa1514fb

SHA1
d823b2667c061f7538ecbfeb8ecba6da05140826

SHA256
2eea81c1ecb88f10c263cb67a65a0498f1dd35812c21e5610cfb1a35b7c9e42c

SHA512
1a81c93692ee765a66787745487c4516509022edbdcabf04b1384e65fe914898fa35f666d862902300dddc86ce990a2c7b5a643094ae781a0bd287778b97a610

Download Submit
C:\Windows\{F6A6A316-D9DE-4e9f-B4DE-CEA38DCC2212}.exe

Filesize
168KB

MD5
95b7e40dc70a0c9256c2b5623b58a7a7

SHA1
bcc5aef630758f58b4ce59a350f0ef110b463c0d

SHA256
2a255f3e6c9a4c5041fb7e9e9e1234b4d92cf6fdf8ca0e6d8a63b8074cf4a023

SHA512
2e9fc4cb009558670c5bdb4251298868b87409425ef26a89203761765508166cc8f02cc7f7e6a6ee6f7268f8f8f17e184c36a3c6a915a3035493249d6dbb04d3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads