9b180b5398d23aa4c3ef6ae010aae68f88a4b6b58a4b62fad9bec6e1df88172b

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe
Size

180KB
MD5

fe60fcadf4e3c6769a49f86cd633cb50
SHA1

3e164f0f6a72811aed6daa3b55ebd2f2a9370df3
SHA256

9b180b5398d23aa4c3ef6ae010aae68f88a4b6b58a4b62fad9bec6e1df88172b
SHA512

db0f817793d193b0157dd04fa0ceda9d1111bf6e6914df4f0b48d72a905205564b99f84919aa192ccf4b2ffaa075d71aae9853fe273601c8d60ec18d7a14c55e
SSDEEP

3072:jEGh0oDlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG1l5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}\stubpath = "C:\\Windows\\{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe"	{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}\stubpath = "C:\\Windows\\{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe"	{6B313A6C-1599-4c62-B370-BA423BB84722}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B175613F-5E93-43f5-BDA5-92FF49A647BC}\stubpath = "C:\\Windows\\{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe"	{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3D27FF3-7B66-4cb8-93A4-20ECAB15745B}	{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3D27FF3-7B66-4cb8-93A4-20ECAB15745B}\stubpath = "C:\\Windows\\{A3D27FF3-7B66-4cb8-93A4-20ECAB15745B}.exe"	{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2373E5B9-F9AB-431a-B7C0-6EAC7EC02AEC}	{D9022ED8-69F8-45e7-8003-50EBC338DC8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D84BCB8D-04DF-447d-A538-4B5600E5C07C}\stubpath = "C:\\Windows\\{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe"	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}	{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}\stubpath = "C:\\Windows\\{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe"	{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}	{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2373E5B9-F9AB-431a-B7C0-6EAC7EC02AEC}\stubpath = "C:\\Windows\\{2373E5B9-F9AB-431a-B7C0-6EAC7EC02AEC}.exe"	{D9022ED8-69F8-45e7-8003-50EBC338DC8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0434D780-A393-41aa-B604-1407DA7077B3}	{2373E5B9-F9AB-431a-B7C0-6EAC7EC02AEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B313A6C-1599-4c62-B370-BA423BB84722}	{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35107A8E-A881-4e7a-93DB-2FA20B87D328}	{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35107A8E-A881-4e7a-93DB-2FA20B87D328}\stubpath = "C:\\Windows\\{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe"	{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B175613F-5E93-43f5-BDA5-92FF49A647BC}	{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9022ED8-69F8-45e7-8003-50EBC338DC8F}	{A3D27FF3-7B66-4cb8-93A4-20ECAB15745B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9022ED8-69F8-45e7-8003-50EBC338DC8F}\stubpath = "C:\\Windows\\{D9022ED8-69F8-45e7-8003-50EBC338DC8F}.exe"	{A3D27FF3-7B66-4cb8-93A4-20ECAB15745B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0434D780-A393-41aa-B604-1407DA7077B3}\stubpath = "C:\\Windows\\{0434D780-A393-41aa-B604-1407DA7077B3}.exe"	{2373E5B9-F9AB-431a-B7C0-6EAC7EC02AEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D84BCB8D-04DF-447d-A538-4B5600E5C07C}	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B313A6C-1599-4c62-B370-BA423BB84722}\stubpath = "C:\\Windows\\{6B313A6C-1599-4c62-B370-BA423BB84722}.exe"	{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}	{6B313A6C-1599-4c62-B370-BA423BB84722}.exe

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2928	{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe
2736	{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe
2492	{6B313A6C-1599-4c62-B370-BA423BB84722}.exe
572	{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe
1504	{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe
3028	{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe
1888	{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe
1996	{A3D27FF3-7B66-4cb8-93A4-20ECAB15745B}.exe
1540	{D9022ED8-69F8-45e7-8003-50EBC338DC8F}.exe
2288	{2373E5B9-F9AB-431a-B7C0-6EAC7EC02AEC}.exe
3008	{0434D780-A393-41aa-B604-1407DA7077B3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe	{6B313A6C-1599-4c62-B370-BA423BB84722}.exe
File created	C:\Windows\{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe	{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe
File created	C:\Windows\{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe	{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe
File created	C:\Windows\{6B313A6C-1599-4c62-B370-BA423BB84722}.exe	{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe
File created	C:\Windows\{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe	{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe
File created	C:\Windows\{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe	{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe
File created	C:\Windows\{A3D27FF3-7B66-4cb8-93A4-20ECAB15745B}.exe	{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe
File created	C:\Windows\{D9022ED8-69F8-45e7-8003-50EBC338DC8F}.exe	{A3D27FF3-7B66-4cb8-93A4-20ECAB15745B}.exe
File created	C:\Windows\{2373E5B9-F9AB-431a-B7C0-6EAC7EC02AEC}.exe	{D9022ED8-69F8-45e7-8003-50EBC338DC8F}.exe
File created	C:\Windows\{0434D780-A393-41aa-B604-1407DA7077B3}.exe	{2373E5B9-F9AB-431a-B7C0-6EAC7EC02AEC}.exe
File created	C:\Windows\{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2200	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2928	{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe
Token: SeIncBasePriorityPrivilege	2736	{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe
Token: SeIncBasePriorityPrivilege	2492	{6B313A6C-1599-4c62-B370-BA423BB84722}.exe
Token: SeIncBasePriorityPrivilege	572	{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe
Token: SeIncBasePriorityPrivilege	1504	{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe
Token: SeIncBasePriorityPrivilege	3028	{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe
Token: SeIncBasePriorityPrivilege	1888	{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe
Token: SeIncBasePriorityPrivilege	1996	{A3D27FF3-7B66-4cb8-93A4-20ECAB15745B}.exe
Token: SeIncBasePriorityPrivilege	1540	{D9022ED8-69F8-45e7-8003-50EBC338DC8F}.exe
Token: SeIncBasePriorityPrivilege	2288	{2373E5B9-F9AB-431a-B7C0-6EAC7EC02AEC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2928	2200	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe	28
PID 2200 wrote to memory of 2928	2200	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe	28
PID 2200 wrote to memory of 2928	2200	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe	28
PID 2200 wrote to memory of 2928	2200	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe	28
PID 2200 wrote to memory of 2616	2200	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe	29
PID 2200 wrote to memory of 2616	2200	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe	29
PID 2200 wrote to memory of 2616	2200	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe	29
PID 2200 wrote to memory of 2616	2200	2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe	29
PID 2928 wrote to memory of 2736	2928	{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe	30
PID 2928 wrote to memory of 2736	2928	{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe	30
PID 2928 wrote to memory of 2736	2928	{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe	30
PID 2928 wrote to memory of 2736	2928	{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe	30
PID 2928 wrote to memory of 2820	2928	{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe	31
PID 2928 wrote to memory of 2820	2928	{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe	31
PID 2928 wrote to memory of 2820	2928	{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe	31
PID 2928 wrote to memory of 2820	2928	{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe	31
PID 2736 wrote to memory of 2492	2736	{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe	34
PID 2736 wrote to memory of 2492	2736	{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe	34
PID 2736 wrote to memory of 2492	2736	{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe	34
PID 2736 wrote to memory of 2492	2736	{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe	34
PID 2736 wrote to memory of 2548	2736	{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe	35
PID 2736 wrote to memory of 2548	2736	{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe	35
PID 2736 wrote to memory of 2548	2736	{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe	35
PID 2736 wrote to memory of 2548	2736	{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe	35
PID 2492 wrote to memory of 572	2492	{6B313A6C-1599-4c62-B370-BA423BB84722}.exe	36
PID 2492 wrote to memory of 572	2492	{6B313A6C-1599-4c62-B370-BA423BB84722}.exe	36
PID 2492 wrote to memory of 572	2492	{6B313A6C-1599-4c62-B370-BA423BB84722}.exe	36
PID 2492 wrote to memory of 572	2492	{6B313A6C-1599-4c62-B370-BA423BB84722}.exe	36
PID 2492 wrote to memory of 684	2492	{6B313A6C-1599-4c62-B370-BA423BB84722}.exe	37
PID 2492 wrote to memory of 684	2492	{6B313A6C-1599-4c62-B370-BA423BB84722}.exe	37
PID 2492 wrote to memory of 684	2492	{6B313A6C-1599-4c62-B370-BA423BB84722}.exe	37
PID 2492 wrote to memory of 684	2492	{6B313A6C-1599-4c62-B370-BA423BB84722}.exe	37
PID 572 wrote to memory of 1504	572	{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe	38
PID 572 wrote to memory of 1504	572	{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe	38
PID 572 wrote to memory of 1504	572	{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe	38
PID 572 wrote to memory of 1504	572	{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe	38
PID 572 wrote to memory of 2696	572	{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe	39
PID 572 wrote to memory of 2696	572	{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe	39
PID 572 wrote to memory of 2696	572	{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe	39
PID 572 wrote to memory of 2696	572	{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe	39
PID 1504 wrote to memory of 3028	1504	{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe	40
PID 1504 wrote to memory of 3028	1504	{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe	40
PID 1504 wrote to memory of 3028	1504	{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe	40
PID 1504 wrote to memory of 3028	1504	{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe	40
PID 1504 wrote to memory of 932	1504	{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe	41
PID 1504 wrote to memory of 932	1504	{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe	41
PID 1504 wrote to memory of 932	1504	{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe	41
PID 1504 wrote to memory of 932	1504	{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe	41
PID 3028 wrote to memory of 1888	3028	{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe	42
PID 3028 wrote to memory of 1888	3028	{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe	42
PID 3028 wrote to memory of 1888	3028	{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe	42
PID 3028 wrote to memory of 1888	3028	{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe	42
PID 3028 wrote to memory of 1684	3028	{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe	43
PID 3028 wrote to memory of 1684	3028	{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe	43
PID 3028 wrote to memory of 1684	3028	{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe	43
PID 3028 wrote to memory of 1684	3028	{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe	43
PID 1888 wrote to memory of 1996	1888	{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe	44
PID 1888 wrote to memory of 1996	1888	{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe	44
PID 1888 wrote to memory of 1996	1888	{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe	44
PID 1888 wrote to memory of 1996	1888	{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe	44
PID 1888 wrote to memory of 2560	1888	{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe	45
PID 1888 wrote to memory of 2560	1888	{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe	45
PID 1888 wrote to memory of 2560	1888	{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe	45
PID 1888 wrote to memory of 2560	1888	{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_fe60fcadf4e3c6769a49f86cd633cb50_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe
  C:\Windows\{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe
    C:\Windows\{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\{6B313A6C-1599-4c62-B370-BA423BB84722}.exe
      C:\Windows\{6B313A6C-1599-4c62-B370-BA423BB84722}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe
        
        C:\Windows\{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:572
      - C:\Windows\{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe
        
        C:\Windows\{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe
        
        C:\Windows\{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe
        
        C:\Windows\{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\{A3D27FF3-7B66-4cb8-93A4-20ECAB15745B}.exe
        
        C:\Windows\{A3D27FF3-7B66-4cb8-93A4-20ECAB15745B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\{D9022ED8-69F8-45e7-8003-50EBC338DC8F}.exe
        
        C:\Windows\{D9022ED8-69F8-45e7-8003-50EBC338DC8F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\{2373E5B9-F9AB-431a-B7C0-6EAC7EC02AEC}.exe
        
        C:\Windows\{2373E5B9-F9AB-431a-B7C0-6EAC7EC02AEC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\{0434D780-A393-41aa-B604-1407DA7077B3}.exe
        
        C:\Windows\{0434D780-A393-41aa-B604-1407DA7077B3}.exe
        12⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2373E~1.EXE > nul
        12⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9022~1.EXE > nul
        11⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3D27~1.EXE > nul
        10⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1756~1.EXE > nul
        9⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{879AB~1.EXE > nul
        8⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35107~1.EXE > nul
        7⤵
        
        PID:932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE1C7~1.EXE > nul
        6⤵
        
        PID:2696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B313~1.EXE > nul
        5⤵
        
        PID:684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{09211~1.EXE > nul
      4⤵
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D84BC~1.EXE > nul
    3⤵
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0434D780-A393-41aa-B604-1407DA7077B3}.exe

Filesize
180KB

MD5
d2b0d3dbb0a7ae3067f73582dc30c073

SHA1
5cb70eff4b5eb81ab8fb50a89a46c8f9868bb1b5

SHA256
fa77b65ea1809f7284c20e23f25c84313f2a72bb3b9cc4bd5b88259456b55860

SHA512
04a4d83dc0720234ca7a93dfc6fbb5b294ec53a74866bbd8f735500ed0ab0861c5fe33f618df0927f94eec7aecdaf4f4d35ca14f82e6e13799639bcad23b735f

Download Submit
C:\Windows\{09211B93-4A8E-46a1-BF2F-C1E6E25DDEC4}.exe

Filesize
180KB

MD5
9c98e9246d8af57cda2460fdef1a7300

SHA1
3208a7cd70691cbd5b676b2e091afafc61617fbb

SHA256
ccd924a097c3dbacd452c7cf92e5332aefbbf65f1c0bf3f0994f7d2ed9449f5b

SHA512
5a9503365a8930b86d71ae925d8f80c7cbd19dac78873d50346f5b809c438cf1406eed6d30b123ae0e2444e728ec382ca6e4d7226c55a4dc5ae786483ffc4327

Download Submit
C:\Windows\{2373E5B9-F9AB-431a-B7C0-6EAC7EC02AEC}.exe

Filesize
180KB

MD5
ecad4bd092a8e5f2325af156afde2046

SHA1
1629437da393e6020df72b87e4899c51457f3bb7

SHA256
c5a0dab47ac73595c3881bd607bf4472782c486513fc77f601b986327c7d52c7

SHA512
16ab558443bae18388c37b894159bb1f1fbf6c38d16a2093d91fda8b1f7bf872bb940959fbf50a9bc3e12e3ed07501d491deface32239d82c1ed6d5acd0890d0

Download Submit
C:\Windows\{35107A8E-A881-4e7a-93DB-2FA20B87D328}.exe

Filesize
180KB

MD5
0d1b6d2936d9df6cf18aea867b692249

SHA1
b74c806e625549a506acea750a2a7e5216c2dd75

SHA256
5a264b81b4078e14699a4bbc90db993ac27918695f8ec44159c899420924b528

SHA512
38cdc28767bc69a35b791f805adafadba325ad04630a3bcb515fd884be4eb956690faf40f2be1cba5932b0a1ba46122a66fc8ff7aff8241f8930390fada21a3e

Download Submit
C:\Windows\{6B313A6C-1599-4c62-B370-BA423BB84722}.exe

Filesize
180KB

MD5
a6a21a8f4b21b9326e80e2065aaeda65

SHA1
cf15eeb63ba4c73a5feef0e1b0aa512c1b42630e

SHA256
1b550347ce84f1aa2ed59601e961e1c82628691920b269dd59bb340fa9a29e13

SHA512
e253e5a4bb667fa7c72a61cc77c261006d1da0ccbc0cd693b52e54333986d6c7e7992deff73211ba04e9fc90f7c9bccf4753c2173f866afff475c3854bebd88f

Download Submit
C:\Windows\{879AB5BF-8D6D-4f45-8CEB-A8C581EA9C1F}.exe

Filesize
180KB

MD5
f2ebf8fd8bb72485fe096a9f9da45b21

SHA1
9c7a78dec1db87edd1a37539965e7c91163d29b1

SHA256
339d95f86347d3d5b6e06b07d521784ce79d42b42c1c42a63d31d6ea81747d53

SHA512
0d0e65cd23c57ebf8b7f9d05bf0513db43878b71f0d221dafcece93526fcb0d7a45c0f1244447eb86a0aa7b75a19ddef2a754db91c897ed8a123828841fe968c

Download Submit
C:\Windows\{A3D27FF3-7B66-4cb8-93A4-20ECAB15745B}.exe

Filesize
180KB

MD5
81971d1ebb8a11c62b63ad7253060139

SHA1
ff4b1aac5584f8d1720a7b399f5483d1572985a0

SHA256
0702b6adf229d539f2705344778b02d23db74d654139556dcaaaee9bb3469fe5

SHA512
e62e79dfa28b4bc79af73b3606d73fd50c6c293dcb827f7aab5b57933eab90e5262d360c70f46e02fde1011dd895385421b3161c14819e78f6f163504607c322

Download Submit
C:\Windows\{B175613F-5E93-43f5-BDA5-92FF49A647BC}.exe

Filesize
180KB

MD5
e117937a7f5805f17b4b8e26604272ae

SHA1
106255934a5592a7568ca91a8731c318e1314717

SHA256
d026518398c657d28d6a7d38ec0aa114e543257db76022b5ecc84912536b759c

SHA512
ead740b5966353c78a61375cd099165dfe308d9d63cd008c49ff6f4bf09662cbe3de0b05df7416102de352eedf99d2e0e434f39ef00ebb12dacf04655da5020f

Download Submit
C:\Windows\{D84BCB8D-04DF-447d-A538-4B5600E5C07C}.exe

Filesize
180KB

MD5
0d710fdfbad711e0dd2d4952ac50b14a

SHA1
920b7c1dfcac1ae1042b7eb0f5c17cb604218009

SHA256
fb0e121bfba57d9031a5d16be1d90fc230a82640896dad2c6ab31a19b7302bf8

SHA512
7d7122bdf35296826ea3cf01090901b7611f2cfe65f1c3df1f3281107e2b17c2f81998b0001f18a679c11178baa840a7a5ec3690bc2f0c5fd55f97019e575912

Download Submit
C:\Windows\{D9022ED8-69F8-45e7-8003-50EBC338DC8F}.exe

Filesize
180KB

MD5
4755f922ac28478d1230da5ed3132ad2

SHA1
68895662a78b4926406340b7e60da705ae949b16

SHA256
27b6afcd3d24b332f9853bc562ca63da0b5e5d57a66dd6d40a77bbdd25e46d8f

SHA512
2fb337fc691bb55c00573df59e755e301617eef8610311f1401da5fd4b4cdd0c2a07c18f2822c8aaca306d7e7f21439f25513669c1cd5957f089a02427786000

Download Submit
C:\Windows\{DE1C72B2-3F7C-4530-9917-C3A8A8A8E531}.exe

Filesize
180KB

MD5
e142ca0eeb7407f8544ee9ccaf8f1d53

SHA1
d432979970d12a01b735bd20ce5c77234fb4ca8e

SHA256
8f2dd210a4b4725d04523f73b9f13e6b112411370b975812af2a3631c7ef7ce5

SHA512
4a94febdd76c2b8b632ec76cc02daf8c7fdec05ca72e8ff51273a46128be0c02d1ca6b3d89123871a4228d8ee4be63652fae7abdfe88c018c7c48420532ada6d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads