77811f7bdc11884f24f64188d461081d4c58f17f013e776a496cc8cca62349a9

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 10:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe
Size

168KB
MD5

374d929c471ff39e76dfe4f703391113
SHA1

85b3369fc68ab23fc7a5a32aa4d5dea235499a88
SHA256

77811f7bdc11884f24f64188d461081d4c58f17f013e776a496cc8cca62349a9
SHA512

e2715e21b9de25337b2c669c8da774025b074b9742defd605d3dddb9c4b923803fda5041ad14d4585a61dc7288f6995de5bd6e84e708d37ef8e7b464932c96fd
SSDEEP

1536:1EGh0oJlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oJlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3665075C-D740-4218-86B8-E33951DACBCE}\stubpath = "C:\\Windows\\{3665075C-D740-4218-86B8-E33951DACBCE}.exe"	{2224A4DC-7B43-48c9-8A13-77D75FC465D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BCABEFD-050E-4567-98CA-796522FC0658}	{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}\stubpath = "C:\\Windows\\{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe"	{8BCABEFD-050E-4567-98CA-796522FC0658}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DA499BF-6F55-40cd-957F-5C0036742F04}	{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E89D127-DD62-4008-997F-69282BC79C35}\stubpath = "C:\\Windows\\{6E89D127-DD62-4008-997F-69282BC79C35}.exe"	{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25E54B4F-0215-4b1b-AED4-9D1292EE332F}\stubpath = "C:\\Windows\\{25E54B4F-0215-4b1b-AED4-9D1292EE332F}.exe"	{FBA991D7-B3AE-439d-95B2-A4C86FBFB7D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B02265A-1F6C-46fa-8690-8E38AA9603B4}	{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E89D127-DD62-4008-997F-69282BC79C35}	{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBA991D7-B3AE-439d-95B2-A4C86FBFB7D3}	{3665075C-D740-4218-86B8-E33951DACBCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25E54B4F-0215-4b1b-AED4-9D1292EE332F}	{FBA991D7-B3AE-439d-95B2-A4C86FBFB7D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}	{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2224A4DC-7B43-48c9-8A13-77D75FC465D2}	{6E89D127-DD62-4008-997F-69282BC79C35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3665075C-D740-4218-86B8-E33951DACBCE}	{2224A4DC-7B43-48c9-8A13-77D75FC465D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}\stubpath = "C:\\Windows\\{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe"	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BCABEFD-050E-4567-98CA-796522FC0658}\stubpath = "C:\\Windows\\{8BCABEFD-050E-4567-98CA-796522FC0658}.exe"	{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}	{8BCABEFD-050E-4567-98CA-796522FC0658}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBA991D7-B3AE-439d-95B2-A4C86FBFB7D3}\stubpath = "C:\\Windows\\{FBA991D7-B3AE-439d-95B2-A4C86FBFB7D3}.exe"	{3665075C-D740-4218-86B8-E33951DACBCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B02265A-1F6C-46fa-8690-8E38AA9603B4}\stubpath = "C:\\Windows\\{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe"	{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}\stubpath = "C:\\Windows\\{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe"	{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DA499BF-6F55-40cd-957F-5C0036742F04}\stubpath = "C:\\Windows\\{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe"	{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2224A4DC-7B43-48c9-8A13-77D75FC465D2}\stubpath = "C:\\Windows\\{2224A4DC-7B43-48c9-8A13-77D75FC465D2}.exe"	{6E89D127-DD62-4008-997F-69282BC79C35}.exe

Executes dropped EXE 11 IoCs

pid	Process
3020	{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe
2052	{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe
2180	{8BCABEFD-050E-4567-98CA-796522FC0658}.exe
2500	{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe
2908	{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe
292	{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe
1644	{6E89D127-DD62-4008-997F-69282BC79C35}.exe
864	{2224A4DC-7B43-48c9-8A13-77D75FC465D2}.exe
2028	{3665075C-D740-4218-86B8-E33951DACBCE}.exe
560	{FBA991D7-B3AE-439d-95B2-A4C86FBFB7D3}.exe
2276	{25E54B4F-0215-4b1b-AED4-9D1292EE332F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8BCABEFD-050E-4567-98CA-796522FC0658}.exe	{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe
File created	C:\Windows\{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe	{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe
File created	C:\Windows\{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe	{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe
File created	C:\Windows\{6E89D127-DD62-4008-997F-69282BC79C35}.exe	{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe
File created	C:\Windows\{2224A4DC-7B43-48c9-8A13-77D75FC465D2}.exe	{6E89D127-DD62-4008-997F-69282BC79C35}.exe
File created	C:\Windows\{3665075C-D740-4218-86B8-E33951DACBCE}.exe	{2224A4DC-7B43-48c9-8A13-77D75FC465D2}.exe
File created	C:\Windows\{FBA991D7-B3AE-439d-95B2-A4C86FBFB7D3}.exe	{3665075C-D740-4218-86B8-E33951DACBCE}.exe
File created	C:\Windows\{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe	{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe
File created	C:\Windows\{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe	{8BCABEFD-050E-4567-98CA-796522FC0658}.exe
File created	C:\Windows\{25E54B4F-0215-4b1b-AED4-9D1292EE332F}.exe	{FBA991D7-B3AE-439d-95B2-A4C86FBFB7D3}.exe
File created	C:\Windows\{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2984	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3020	{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe
Token: SeIncBasePriorityPrivilege	2052	{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe
Token: SeIncBasePriorityPrivilege	2180	{8BCABEFD-050E-4567-98CA-796522FC0658}.exe
Token: SeIncBasePriorityPrivilege	2500	{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe
Token: SeIncBasePriorityPrivilege	2908	{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe
Token: SeIncBasePriorityPrivilege	292	{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe
Token: SeIncBasePriorityPrivilege	1644	{6E89D127-DD62-4008-997F-69282BC79C35}.exe
Token: SeIncBasePriorityPrivilege	864	{2224A4DC-7B43-48c9-8A13-77D75FC465D2}.exe
Token: SeIncBasePriorityPrivilege	2028	{3665075C-D740-4218-86B8-E33951DACBCE}.exe
Token: SeIncBasePriorityPrivilege	560	{FBA991D7-B3AE-439d-95B2-A4C86FBFB7D3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 3020	2984	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe	28
PID 2984 wrote to memory of 3020	2984	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe	28
PID 2984 wrote to memory of 3020	2984	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe	28
PID 2984 wrote to memory of 3020	2984	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe	28
PID 2984 wrote to memory of 2556	2984	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe	29
PID 2984 wrote to memory of 2556	2984	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe	29
PID 2984 wrote to memory of 2556	2984	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe	29
PID 2984 wrote to memory of 2556	2984	2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe	29
PID 3020 wrote to memory of 2052	3020	{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe	30
PID 3020 wrote to memory of 2052	3020	{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe	30
PID 3020 wrote to memory of 2052	3020	{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe	30
PID 3020 wrote to memory of 2052	3020	{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe	30
PID 3020 wrote to memory of 2720	3020	{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe	31
PID 3020 wrote to memory of 2720	3020	{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe	31
PID 3020 wrote to memory of 2720	3020	{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe	31
PID 3020 wrote to memory of 2720	3020	{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe	31
PID 2052 wrote to memory of 2180	2052	{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe	32
PID 2052 wrote to memory of 2180	2052	{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe	32
PID 2052 wrote to memory of 2180	2052	{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe	32
PID 2052 wrote to memory of 2180	2052	{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe	32
PID 2052 wrote to memory of 108	2052	{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe	33
PID 2052 wrote to memory of 108	2052	{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe	33
PID 2052 wrote to memory of 108	2052	{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe	33
PID 2052 wrote to memory of 108	2052	{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe	33
PID 2180 wrote to memory of 2500	2180	{8BCABEFD-050E-4567-98CA-796522FC0658}.exe	36
PID 2180 wrote to memory of 2500	2180	{8BCABEFD-050E-4567-98CA-796522FC0658}.exe	36
PID 2180 wrote to memory of 2500	2180	{8BCABEFD-050E-4567-98CA-796522FC0658}.exe	36
PID 2180 wrote to memory of 2500	2180	{8BCABEFD-050E-4567-98CA-796522FC0658}.exe	36
PID 2180 wrote to memory of 2632	2180	{8BCABEFD-050E-4567-98CA-796522FC0658}.exe	37
PID 2180 wrote to memory of 2632	2180	{8BCABEFD-050E-4567-98CA-796522FC0658}.exe	37
PID 2180 wrote to memory of 2632	2180	{8BCABEFD-050E-4567-98CA-796522FC0658}.exe	37
PID 2180 wrote to memory of 2632	2180	{8BCABEFD-050E-4567-98CA-796522FC0658}.exe	37
PID 2500 wrote to memory of 2908	2500	{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe	38
PID 2500 wrote to memory of 2908	2500	{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe	38
PID 2500 wrote to memory of 2908	2500	{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe	38
PID 2500 wrote to memory of 2908	2500	{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe	38
PID 2500 wrote to memory of 2948	2500	{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe	39
PID 2500 wrote to memory of 2948	2500	{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe	39
PID 2500 wrote to memory of 2948	2500	{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe	39
PID 2500 wrote to memory of 2948	2500	{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe	39
PID 2908 wrote to memory of 292	2908	{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe	40
PID 2908 wrote to memory of 292	2908	{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe	40
PID 2908 wrote to memory of 292	2908	{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe	40
PID 2908 wrote to memory of 292	2908	{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe	40
PID 2908 wrote to memory of 780	2908	{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe	41
PID 2908 wrote to memory of 780	2908	{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe	41
PID 2908 wrote to memory of 780	2908	{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe	41
PID 2908 wrote to memory of 780	2908	{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe	41
PID 292 wrote to memory of 1644	292	{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe	42
PID 292 wrote to memory of 1644	292	{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe	42
PID 292 wrote to memory of 1644	292	{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe	42
PID 292 wrote to memory of 1644	292	{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe	42
PID 292 wrote to memory of 2480	292	{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe	43
PID 292 wrote to memory of 2480	292	{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe	43
PID 292 wrote to memory of 2480	292	{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe	43
PID 292 wrote to memory of 2480	292	{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe	43
PID 1644 wrote to memory of 864	1644	{6E89D127-DD62-4008-997F-69282BC79C35}.exe	44
PID 1644 wrote to memory of 864	1644	{6E89D127-DD62-4008-997F-69282BC79C35}.exe	44
PID 1644 wrote to memory of 864	1644	{6E89D127-DD62-4008-997F-69282BC79C35}.exe	44
PID 1644 wrote to memory of 864	1644	{6E89D127-DD62-4008-997F-69282BC79C35}.exe	44
PID 1644 wrote to memory of 1200	1644	{6E89D127-DD62-4008-997F-69282BC79C35}.exe	45
PID 1644 wrote to memory of 1200	1644	{6E89D127-DD62-4008-997F-69282BC79C35}.exe	45
PID 1644 wrote to memory of 1200	1644	{6E89D127-DD62-4008-997F-69282BC79C35}.exe	45
PID 1644 wrote to memory of 1200	1644	{6E89D127-DD62-4008-997F-69282BC79C35}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_374d929c471ff39e76dfe4f703391113_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe
  C:\Windows\{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe
    C:\Windows\{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\{8BCABEFD-050E-4567-98CA-796522FC0658}.exe
      C:\Windows\{8BCABEFD-050E-4567-98CA-796522FC0658}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe
        
        C:\Windows\{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe
        
        C:\Windows\{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe
        
        C:\Windows\{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\{6E89D127-DD62-4008-997F-69282BC79C35}.exe
        
        C:\Windows\{6E89D127-DD62-4008-997F-69282BC79C35}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{2224A4DC-7B43-48c9-8A13-77D75FC465D2}.exe
        
        C:\Windows\{2224A4DC-7B43-48c9-8A13-77D75FC465D2}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\{3665075C-D740-4218-86B8-E33951DACBCE}.exe
        
        C:\Windows\{3665075C-D740-4218-86B8-E33951DACBCE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{FBA991D7-B3AE-439d-95B2-A4C86FBFB7D3}.exe
        
        C:\Windows\{FBA991D7-B3AE-439d-95B2-A4C86FBFB7D3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\{25E54B4F-0215-4b1b-AED4-9D1292EE332F}.exe
        
        C:\Windows\{25E54B4F-0215-4b1b-AED4-9D1292EE332F}.exe
        12⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBA99~1.EXE > nul
        12⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36650~1.EXE > nul
        11⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2224A~1.EXE > nul
        10⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E89D~1.EXE > nul
        9⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DA49~1.EXE > nul
        8⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC6B8~1.EXE > nul
        7⤵
        
        PID:780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD4CD~1.EXE > nul
        6⤵
        
        PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BCAB~1.EXE > nul
        5⤵
        
        PID:2632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3B022~1.EXE > nul
      4⤵
      PID:108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{87D3D~1.EXE > nul
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2224A4DC-7B43-48c9-8A13-77D75FC465D2}.exe

Filesize
168KB

MD5
cb9f9715617d1ac501d140fea52f2002

SHA1
6204ee505dc27ba5384f7c7ab9a3ea2a6a86728a

SHA256
5e4207e3f91d95b03d4a89088864fe8ac8d2b689b629fce49a77dc34b1444293

SHA512
405c6b1dd439f8db7a91280e6ef6389870d3db6d6eeac474923529b08bbb9088ef0dfb15e17f5deb7b34c6c78c1abbc63133af5075f0e389a594268c46c0dc84

Download Submit
C:\Windows\{25E54B4F-0215-4b1b-AED4-9D1292EE332F}.exe

Filesize
168KB

MD5
fe18bcbf9fe663a62650661abaffae33

SHA1
c5f691a24eec615c54e7c2eddaa020b832408e91

SHA256
87650fe96d4adb6fc35849b921c3034bfc9db13eab4eacc640153493dd3f3876

SHA512
54a757cbc106bbeddc080535e4052038557cc99d914ea1872fd3e14a4d1c5caa92a4dc2e9dfd94c66fbb3b802bd5d1ac0f532231daae97f2c37d595085c85f6e

Download Submit
C:\Windows\{3665075C-D740-4218-86B8-E33951DACBCE}.exe

Filesize
168KB

MD5
308b9fb8e4ad495ffe80ed455a63efbd

SHA1
896adaf0bb6b62880f57fa7bfd3b1ca521d0dc1d

SHA256
b0655fc2c75fa890736a612926c7aef3de79bab3e5f34fd9743e8c71cb522000

SHA512
ad0e997602b18d55f22b2f4600aa3deba483eff2d02a1d0e6cc346582b54b516b52767dd18d421c1b22ab6749c6236f4856c0d1236e0331e83da15e5585ce93f

Download Submit
C:\Windows\{3B02265A-1F6C-46fa-8690-8E38AA9603B4}.exe

Filesize
168KB

MD5
86f8fa4457ec49855f5534984ca7f6e9

SHA1
60a89a916cca20c4c89a076fa320526ea7fb5bbc

SHA256
21bbba8024d2e4bdfc06f6f1c42e48cbe8a342341393dcdb1cdce97f3d0938a6

SHA512
de1341ade845075378d62a360deeab1c132586c2b2ec601c293aea0eb1d96f2b94b092a6b769e87a7dc00275d3052abe9d18efb4a3679f957267d174051f752b

Download Submit
C:\Windows\{5DA499BF-6F55-40cd-957F-5C0036742F04}.exe

Filesize
168KB

MD5
216437c950f924c8ff1ad40525593e06

SHA1
4f3369fe6d4360ba96d003b01df265cd98210d7f

SHA256
db2944b0e25e04c4c68b02199c7b893e98156b4644a89414c2b0c6c6773ef0a0

SHA512
7cdbdb339b3b98dfd33a0c547dac635c708b556215c3b56c0fc0a3b2fe68248dcaffeaf134252a22996235344da43bc4a882aac7601a9edd4baa0f45305917cc

Download Submit
C:\Windows\{6E89D127-DD62-4008-997F-69282BC79C35}.exe

Filesize
168KB

MD5
930a4821da6869d7b6b87e11ec9e6005

SHA1
59c56139a34df1dc5ba6a435b7c63a5482918f2c

SHA256
a737e779d1b6bed2c446e21de12b0b18fad5a368f4f72120eaa10021dab04588

SHA512
3ca8db3cade37468282bb30f87cfff3a24d7374badc70772cc45749e5fad7771ada481ccae1556dbf2d522f39bc04691602b403044ad7b28546668b8ce3daed5

Download Submit
C:\Windows\{87D3D50D-C87A-4ae9-BFEB-321DE9E521D3}.exe

Filesize
168KB

MD5
20dee841abe794eaaa6a1740d5557cc1

SHA1
f9f4e49afa072d7f58556964d3fc193b6661e480

SHA256
e06390b6f0f25c497df3244864fd50fc9dce5fd938235ee7fd41762c68c9c2f8

SHA512
5022714c229da506abeec22222bbd3f8b907a842991f7d684b08b3f333da59fe7d2b1e0449321d9404b06cd6307581a97e366d6d58a738cb246fd982b6d515b0

Download Submit
C:\Windows\{8BCABEFD-050E-4567-98CA-796522FC0658}.exe

Filesize
168KB

MD5
53026870c1d74e404c603ac39b928ece

SHA1
33913b1d4c8d2e26f8edc4a50f5e606419c8dc6d

SHA256
28e489e105d054203617b158cb0d5db3cbeceea6cd03b4b8d094ea19d76f2e43

SHA512
56c290dda877d8ae1bd927ea7da94ae095433e751da01e07393072632ba67e8cd17df0b45a7b671877c23e26d17c64d432f785080124a5e934cefe609e062f89

Download Submit
C:\Windows\{BC6B8429-720B-4e40-A5D6-8B6993BD17CA}.exe

Filesize
168KB

MD5
50d5b4a5abddb5acd5e1f7b4fbf4c0dd

SHA1
39a190d09274620d973a1f657ac063871d969abd

SHA256
11c775535e8b00d2b722dfc2719cfa25e45f78e25f5a2c6102186a1e91303cf4

SHA512
3ff210400b9bea1a143bb7c6d20e21967853b616b9b57a18ae7fa2cfa535b671c4a82a4b29206d84edbb1e16eecfd036abe07df12d95d75a60edb1efe0904098

Download Submit
C:\Windows\{BD4CDA2E-D4F8-41f1-9CFD-54ABE3052F05}.exe

Filesize
168KB

MD5
dd60a65ab6b147d30c6480571175f29d

SHA1
ebb344036ad68ddfdef7a3eb16c4a90cc08f2cf0

SHA256
332404760ca798c051547179899dac83aa7cfb17142683112bf46355d0d96bf0

SHA512
e8bb0f14dbf216ac0ca5f2c0ea3a73c1bf3f8376371901aaa55851a2b49fa334cef4e138e12cd67a8ef32b90d2591c7a96b15f09c7f8e0cc3d0ffa2f89a6ea1b

Download Submit
C:\Windows\{FBA991D7-B3AE-439d-95B2-A4C86FBFB7D3}.exe

Filesize
168KB

MD5
def3467b13b232e9726fa47042c64d20

SHA1
11f0e07c2026fd0f6684b0db8732defec8210812

SHA256
fafc8c2560d31148469d1b8e33d0c7e15ecfffadeb7fe6a2f501b6001d519afb

SHA512
c7e34cb8809da9fed5586b3a4dc791a40acab70be9974f74c4da39adbe9ceaba4a6a8d8799df0bf4557f2083d385f8fd50d787bb98f94f57067826b13cacf00e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads