ccd1aa4f26b33be9ebfb8b66db9190f9512c8303cebefcfde469e2774f727f51

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe
Size

344KB
MD5

975f1c7d711db0e3636490b02189b018
SHA1

225339848712eb1d7de00806a9203950a1976c45
SHA256

ccd1aa4f26b33be9ebfb8b66db9190f9512c8303cebefcfde469e2774f727f51
SHA512

c8ed086793e54ce84266dd89ee7fc01e12750a34a8811b71eaa5400c49cbdad0a88c6a5be311891dedbbeca10fd62136174b21d321e32644cb23393d4425feba
SSDEEP

3072:mEGh0o5lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGTlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7498A98A-6672-425e-BED3-F1F36A859247}	{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7498A98A-6672-425e-BED3-F1F36A859247}\stubpath = "C:\\Windows\\{7498A98A-6672-425e-BED3-F1F36A859247}.exe"	{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA3F052C-702F-4098-A867-7C93C2D99A1F}\stubpath = "C:\\Windows\\{DA3F052C-702F-4098-A867-7C93C2D99A1F}.exe"	{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2ED31251-9264-4266-8E8A-A9FE59AFAC13}\stubpath = "C:\\Windows\\{2ED31251-9264-4266-8E8A-A9FE59AFAC13}.exe"	{DA3F052C-702F-4098-A867-7C93C2D99A1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C25E598-F425-4206-A70A-CDC483EDFA0B}	{2ED31251-9264-4266-8E8A-A9FE59AFAC13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DFF0865-348D-49a7-894D-3BB0FF28D319}	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A72E6D4C-EB86-488e-8E57-D668C5F501C0}\stubpath = "C:\\Windows\\{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe"	{7498A98A-6672-425e-BED3-F1F36A859247}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}\stubpath = "C:\\Windows\\{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe"	{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DA652E1-017E-4a51-9877-17F9BF82DCF3}	{C8695373-B748-4c37-B3D3-887F561509C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D12892C-012D-4ff2-96AC-CB0AE0C29C98}	{7C25E598-F425-4206-A70A-CDC483EDFA0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A72E6D4C-EB86-488e-8E57-D668C5F501C0}	{7498A98A-6672-425e-BED3-F1F36A859247}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64216E97-0DCC-4753-8F0E-AA481DE56DA2}	{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}	{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DA652E1-017E-4a51-9877-17F9BF82DCF3}\stubpath = "C:\\Windows\\{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe"	{C8695373-B748-4c37-B3D3-887F561509C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA3F052C-702F-4098-A867-7C93C2D99A1F}	{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D12892C-012D-4ff2-96AC-CB0AE0C29C98}\stubpath = "C:\\Windows\\{4D12892C-012D-4ff2-96AC-CB0AE0C29C98}.exe"	{7C25E598-F425-4206-A70A-CDC483EDFA0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DFF0865-348D-49a7-894D-3BB0FF28D319}\stubpath = "C:\\Windows\\{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe"	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64216E97-0DCC-4753-8F0E-AA481DE56DA2}\stubpath = "C:\\Windows\\{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe"	{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8695373-B748-4c37-B3D3-887F561509C5}	{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8695373-B748-4c37-B3D3-887F561509C5}\stubpath = "C:\\Windows\\{C8695373-B748-4c37-B3D3-887F561509C5}.exe"	{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2ED31251-9264-4266-8E8A-A9FE59AFAC13}	{DA3F052C-702F-4098-A867-7C93C2D99A1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C25E598-F425-4206-A70A-CDC483EDFA0B}\stubpath = "C:\\Windows\\{7C25E598-F425-4206-A70A-CDC483EDFA0B}.exe"	{2ED31251-9264-4266-8E8A-A9FE59AFAC13}.exe

Deletes itself 1 IoCs

pid	Process
1372	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2112	{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe
2696	{7498A98A-6672-425e-BED3-F1F36A859247}.exe
2568	{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe
636	{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe
2084	{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe
2168	{C8695373-B748-4c37-B3D3-887F561509C5}.exe
2972	{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe
2348	{DA3F052C-702F-4098-A867-7C93C2D99A1F}.exe
1364	{2ED31251-9264-4266-8E8A-A9FE59AFAC13}.exe
1872	{7C25E598-F425-4206-A70A-CDC483EDFA0B}.exe
540	{4D12892C-012D-4ff2-96AC-CB0AE0C29C98}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7498A98A-6672-425e-BED3-F1F36A859247}.exe	{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe
File created	C:\Windows\{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe	{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe
File created	C:\Windows\{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe	{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe
File created	C:\Windows\{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe	{C8695373-B748-4c37-B3D3-887F561509C5}.exe
File created	C:\Windows\{7C25E598-F425-4206-A70A-CDC483EDFA0B}.exe	{2ED31251-9264-4266-8E8A-A9FE59AFAC13}.exe
File created	C:\Windows\{4D12892C-012D-4ff2-96AC-CB0AE0C29C98}.exe	{7C25E598-F425-4206-A70A-CDC483EDFA0B}.exe
File created	C:\Windows\{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe
File created	C:\Windows\{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe	{7498A98A-6672-425e-BED3-F1F36A859247}.exe
File created	C:\Windows\{C8695373-B748-4c37-B3D3-887F561509C5}.exe	{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe
File created	C:\Windows\{DA3F052C-702F-4098-A867-7C93C2D99A1F}.exe	{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe
File created	C:\Windows\{2ED31251-9264-4266-8E8A-A9FE59AFAC13}.exe	{DA3F052C-702F-4098-A867-7C93C2D99A1F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2280	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2112	{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe
Token: SeIncBasePriorityPrivilege	2696	{7498A98A-6672-425e-BED3-F1F36A859247}.exe
Token: SeIncBasePriorityPrivilege	2568	{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe
Token: SeIncBasePriorityPrivilege	636	{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe
Token: SeIncBasePriorityPrivilege	2084	{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe
Token: SeIncBasePriorityPrivilege	2168	{C8695373-B748-4c37-B3D3-887F561509C5}.exe
Token: SeIncBasePriorityPrivilege	2972	{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe
Token: SeIncBasePriorityPrivilege	2348	{DA3F052C-702F-4098-A867-7C93C2D99A1F}.exe
Token: SeIncBasePriorityPrivilege	1364	{2ED31251-9264-4266-8E8A-A9FE59AFAC13}.exe
Token: SeIncBasePriorityPrivilege	1872	{7C25E598-F425-4206-A70A-CDC483EDFA0B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2112	2280	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe	28
PID 2280 wrote to memory of 2112	2280	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe	28
PID 2280 wrote to memory of 2112	2280	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe	28
PID 2280 wrote to memory of 2112	2280	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe	28
PID 2280 wrote to memory of 1372	2280	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe	29
PID 2280 wrote to memory of 1372	2280	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe	29
PID 2280 wrote to memory of 1372	2280	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe	29
PID 2280 wrote to memory of 1372	2280	2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe	29
PID 2112 wrote to memory of 2696	2112	{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe	30
PID 2112 wrote to memory of 2696	2112	{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe	30
PID 2112 wrote to memory of 2696	2112	{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe	30
PID 2112 wrote to memory of 2696	2112	{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe	30
PID 2112 wrote to memory of 2672	2112	{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe	31
PID 2112 wrote to memory of 2672	2112	{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe	31
PID 2112 wrote to memory of 2672	2112	{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe	31
PID 2112 wrote to memory of 2672	2112	{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe	31
PID 2696 wrote to memory of 2568	2696	{7498A98A-6672-425e-BED3-F1F36A859247}.exe	32
PID 2696 wrote to memory of 2568	2696	{7498A98A-6672-425e-BED3-F1F36A859247}.exe	32
PID 2696 wrote to memory of 2568	2696	{7498A98A-6672-425e-BED3-F1F36A859247}.exe	32
PID 2696 wrote to memory of 2568	2696	{7498A98A-6672-425e-BED3-F1F36A859247}.exe	32
PID 2696 wrote to memory of 2896	2696	{7498A98A-6672-425e-BED3-F1F36A859247}.exe	33
PID 2696 wrote to memory of 2896	2696	{7498A98A-6672-425e-BED3-F1F36A859247}.exe	33
PID 2696 wrote to memory of 2896	2696	{7498A98A-6672-425e-BED3-F1F36A859247}.exe	33
PID 2696 wrote to memory of 2896	2696	{7498A98A-6672-425e-BED3-F1F36A859247}.exe	33
PID 2568 wrote to memory of 636	2568	{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe	36
PID 2568 wrote to memory of 636	2568	{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe	36
PID 2568 wrote to memory of 636	2568	{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe	36
PID 2568 wrote to memory of 636	2568	{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe	36
PID 2568 wrote to memory of 2812	2568	{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe	37
PID 2568 wrote to memory of 2812	2568	{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe	37
PID 2568 wrote to memory of 2812	2568	{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe	37
PID 2568 wrote to memory of 2812	2568	{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe	37
PID 636 wrote to memory of 2084	636	{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe	38
PID 636 wrote to memory of 2084	636	{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe	38
PID 636 wrote to memory of 2084	636	{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe	38
PID 636 wrote to memory of 2084	636	{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe	38
PID 636 wrote to memory of 1700	636	{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe	39
PID 636 wrote to memory of 1700	636	{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe	39
PID 636 wrote to memory of 1700	636	{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe	39
PID 636 wrote to memory of 1700	636	{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe	39
PID 2084 wrote to memory of 2168	2084	{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe	40
PID 2084 wrote to memory of 2168	2084	{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe	40
PID 2084 wrote to memory of 2168	2084	{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe	40
PID 2084 wrote to memory of 2168	2084	{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe	40
PID 2084 wrote to memory of 2800	2084	{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe	41
PID 2084 wrote to memory of 2800	2084	{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe	41
PID 2084 wrote to memory of 2800	2084	{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe	41
PID 2084 wrote to memory of 2800	2084	{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe	41
PID 2168 wrote to memory of 2972	2168	{C8695373-B748-4c37-B3D3-887F561509C5}.exe	42
PID 2168 wrote to memory of 2972	2168	{C8695373-B748-4c37-B3D3-887F561509C5}.exe	42
PID 2168 wrote to memory of 2972	2168	{C8695373-B748-4c37-B3D3-887F561509C5}.exe	42
PID 2168 wrote to memory of 2972	2168	{C8695373-B748-4c37-B3D3-887F561509C5}.exe	42
PID 2168 wrote to memory of 944	2168	{C8695373-B748-4c37-B3D3-887F561509C5}.exe	43
PID 2168 wrote to memory of 944	2168	{C8695373-B748-4c37-B3D3-887F561509C5}.exe	43
PID 2168 wrote to memory of 944	2168	{C8695373-B748-4c37-B3D3-887F561509C5}.exe	43
PID 2168 wrote to memory of 944	2168	{C8695373-B748-4c37-B3D3-887F561509C5}.exe	43
PID 2972 wrote to memory of 2348	2972	{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe	44
PID 2972 wrote to memory of 2348	2972	{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe	44
PID 2972 wrote to memory of 2348	2972	{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe	44
PID 2972 wrote to memory of 2348	2972	{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe	44
PID 2972 wrote to memory of 1672	2972	{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe	45
PID 2972 wrote to memory of 1672	2972	{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe	45
PID 2972 wrote to memory of 1672	2972	{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe	45
PID 2972 wrote to memory of 1672	2972	{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_975f1c7d711db0e3636490b02189b018_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe
  C:\Windows\{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\{7498A98A-6672-425e-BED3-F1F36A859247}.exe
    C:\Windows\{7498A98A-6672-425e-BED3-F1F36A859247}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe
      C:\Windows\{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe
        
        C:\Windows\{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:636
      - C:\Windows\{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe
        
        C:\Windows\{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\{C8695373-B748-4c37-B3D3-887F561509C5}.exe
        
        C:\Windows\{C8695373-B748-4c37-B3D3-887F561509C5}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe
        
        C:\Windows\{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\{DA3F052C-702F-4098-A867-7C93C2D99A1F}.exe
        
        C:\Windows\{DA3F052C-702F-4098-A867-7C93C2D99A1F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\{2ED31251-9264-4266-8E8A-A9FE59AFAC13}.exe
        
        C:\Windows\{2ED31251-9264-4266-8E8A-A9FE59AFAC13}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\{7C25E598-F425-4206-A70A-CDC483EDFA0B}.exe
        
        C:\Windows\{7C25E598-F425-4206-A70A-CDC483EDFA0B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\{4D12892C-012D-4ff2-96AC-CB0AE0C29C98}.exe
        
        C:\Windows\{4D12892C-012D-4ff2-96AC-CB0AE0C29C98}.exe
        12⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C25E~1.EXE > nul
        12⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2ED31~1.EXE > nul
        11⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA3F0~1.EXE > nul
        10⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DA65~1.EXE > nul
        9⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8695~1.EXE > nul
        8⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A555~1.EXE > nul
        7⤵
        
        PID:2800
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64216~1.EXE > nul
        6⤵
        
        PID:1700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A72E6~1.EXE > nul
        5⤵
        
        PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7498A~1.EXE > nul
      4⤵
      PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3DFF0~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A5557BD-4DD2-47a9-B62A-2A78A81FC105}.exe

Filesize
344KB

MD5
98074f455e6bc0476d04bfdba8413495

SHA1
48c936846bfd9e66ac86f61b2f70c41f4c2db127

SHA256
0919d0fb8ca9d8c9508f90c67c21de25fa5a4b439ba70eab2872e45219f4c93a

SHA512
1e07e5bbc696a4e4917cb1ae4ed9acef37a2cf0f4bfe49282dfee9e33e488284ac3f14ebc288e0bd3ff8f750a47b1c1e31e501b26291bdd913e0d40d344639fd

Download Submit
C:\Windows\{2ED31251-9264-4266-8E8A-A9FE59AFAC13}.exe

Filesize
344KB

MD5
d5d984ad1055ac5c02998ef24ce8f5a8

SHA1
f1b3695fd8f4fd7c89e04c59105941b3a1186608

SHA256
51f11874b78f1b96b613deb695e570664147db1b3b5d4dacaff3708aa2c122a7

SHA512
e94f1e385799debdde0dcadefaa0a37a59a93f66dab10719c874f44f813ecedbeb8057d02c7851a4494d91401a05ed4b6cc5b5efa9a96c0a02029ca64c1e799b

Download Submit
C:\Windows\{3DFF0865-348D-49a7-894D-3BB0FF28D319}.exe

Filesize
344KB

MD5
1df2968179b0c9d4c6fcfcce16e14e64

SHA1
f76337c6d9795654e69166777fa7bae6c5542f7d

SHA256
7a84c60067d5720b1fc83af4c554f373b728bffb58beea11124e4acac36d4968

SHA512
0cc5828b3dee9dfe7fd903a2e702e9ceb6461cb64767aa144813a27b5d25f06da4d5b662005a46e65a32aa58b7c348208ce08415cb857dbea50b8c97c8875a74

Download Submit
C:\Windows\{4D12892C-012D-4ff2-96AC-CB0AE0C29C98}.exe

Filesize
344KB

MD5
762a18c4dc7d5b9f2dd3bbcceef69dc7

SHA1
c8daa90ff405d7e4dda297a6cf07023f24f76ada

SHA256
d993dfc042cdd215260549662bb62eb5377861cfd5d165b8beb82a1f636f8b72

SHA512
5badf76bf13c39af310cc01128607bde02be493cffc72072bbbe789a0bfc00673fac1c8099ed1ee40087a7957431f49d71afbdf2378d51489dadd657c924ad42

Download Submit
C:\Windows\{64216E97-0DCC-4753-8F0E-AA481DE56DA2}.exe

Filesize
344KB

MD5
5cc6f941fa222175ea8533aedd4f4a11

SHA1
fb561f8ac6d4913537ea41202cdd7f8f69306a90

SHA256
f37fae426d35372f4b384779a4bac34f52ce30ac85f78a38b1c394d249cc27a8

SHA512
486c2557326e794c968bbdf6ab3a4e17c707a6a4c121adf647bf93db0e25adefa256cd0f2f2a595848f75a0ec8335ae6e74631e13e4da299e6671260250a335a

Download Submit
C:\Windows\{6DA652E1-017E-4a51-9877-17F9BF82DCF3}.exe

Filesize
344KB

MD5
e9c2893964c34de195f24e56b18bd85b

SHA1
c9729dbcf2242625b7c6eee3f8f65e5d87d0cff7

SHA256
b12b9eab5ed278fa0795212f179674ffeee3e2753f4959b7e230dc57898b297d

SHA512
0ca05e91e0dea9f40bf3989157d570edbb210f8cc83c9a8b18d7546965b5c3ce1bc92d1b0f9b6febe3543721a0c83fc76d7d76671e67113b5f94e12a44c7abfb

Download Submit
C:\Windows\{7498A98A-6672-425e-BED3-F1F36A859247}.exe

Filesize
344KB

MD5
37513996fa333500b2437a23830f0a9a

SHA1
bc9f22a3148acaef0a1ab0c19930213bab13bc7f

SHA256
de32cb2114525bd410a3fc72ce8b99ee43e704b664f4ddbfeb1f2b4e1749d966

SHA512
bec310cfba1555a210a94688da7f185ac858275ccd6f90c6c86bac994d40713592fd69c5a5387953644c245b7fbbf917507392949df1347b1b82e73672c00c0c

Download Submit
C:\Windows\{7C25E598-F425-4206-A70A-CDC483EDFA0B}.exe

Filesize
344KB

MD5
6bd3983a8cbf96d1247cf7de2593c0de

SHA1
7b13bbb76181f0bfa9b7ac0e2125050f0a316a78

SHA256
37812ab672d34f6eb37b88396430667fb7d8c34d4e0274c08e419c106fa0324e

SHA512
10413c843c2bf17d72b539b0b37343d1944470ddbb60acc489c8bdef9d6ae9b4fc3f5438ac8ae1c92c71e4eecf6eedfce9a946027a1441ef1ab5f8f86d51ba07

Download Submit
C:\Windows\{A72E6D4C-EB86-488e-8E57-D668C5F501C0}.exe

Filesize
344KB

MD5
eb55d71e31a68fe4b2003b717c754908

SHA1
9895cdcb3a3b2241804f6f5146f3373f21df0a34

SHA256
1c1188aeea0cadf28d76d1a79cbec6ab064f937f4c16c07b92229293252b1ac1

SHA512
b148a9e9d7bdcd714d34f374efe20220629f66e574f5255a9e3a112e3b9a7a39f1c32c64e4459d2bc21f9164e8d433428de4aadf570489cb186e205564297ca9

Download Submit
C:\Windows\{C8695373-B748-4c37-B3D3-887F561509C5}.exe

Filesize
344KB

MD5
4104be448f11e0fbac0cf81161bad9a3

SHA1
c36e7d0e3babadfcc42dec0e0c0d266a7b0cbd77

SHA256
9cfca50b3436f4cb581984e3e6d5209161b2f5a3532e0cccbbe8092217315640

SHA512
5fd0f3c544bbea85bb73cd6cf6d5f5cdb98870656ee911c6321ced9796fdb7df16c44076b8a7a25715dc331d1fb1813f7763305eb4f1edd09146827d8893f14c

Download Submit
C:\Windows\{DA3F052C-702F-4098-A867-7C93C2D99A1F}.exe

Filesize
344KB

MD5
af3adea537334535cefab4bf4df625ee

SHA1
9175d237b32ccadf0196bf0526507037ded0b795

SHA256
f5d9101a7346951cbd210d06f5ca23c74b455ba13ea17db1e16d5ad9a79224cf

SHA512
34fe1745127ab33042cec06a0503fc4a8159e9ddd5bd7452a22cd9ca14ed11758c654ac6e6eeba17eb64158eeab4ab88fac2be6c134e92199958c09b978a1af3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads